tests: fix webpki CRL test, deprecations.#142
Merged
Conversation
Previously the `test_crl` fn generated a certificate revocation list that had a revoked certificate entry with the serial number `0xC0FFEE` - this constant has a binary representation of `110000001111111111101110`, where the MSB is 1. This makes the serial number negative, in contradiction to RFC 5280's requirements for serial numbers. The Yasna-based encoder that rcgen uses for emitting the serial number accounted for this by prepending 0x00 automatically. This should have resulted in a failure to find the literal serial `0xC0FFEE` in the webpki CRL, except that webpki was incorrectly canonicalizing the serial number for the CRL representation, meaning the `0x00C0FFEE` serial emitted by rcgen was stored as `0xC0FFEE`, matching our lookup and allowing the test to pass. In Webpki v0.101.2 we removed the inappropriate canonicalization, meaning the rcgen emitted serial of `0x00C0FFEE` was stored as-is, and a lookup for `0xC0FFEE` no longer found a revoked certificate, making the test fail. This commit fixes the above by explicitly using `0x00C0FFEE` as the serial number used for encoding of the revoked certificate's serial, and the lookup operation.
The upstream webpki deprecated the per-usage trust anchor representation and end entity certificate verification functions. Instead, we now use the general `TrustAnchor` type and invoke `verify_for_usage` with the intended `KeyUsage`.
Member
Author
|
@est31 Holding off on merging this on your +1 per your expressed preference. |
Merged
This was referenced Aug 24, 2023
Member
|
Mhh yeah it seems that the problem was like the one I described in this old comment: https://github.com/briansmith/webpki/issues/232#issuecomment-862757817 |
est31
approved these changes
Aug 25, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
tests: fix webpki CRL test.
Previously the
test_crlfn generated a certificate revocation list that had a revoked certificate entry with the serial number0xC0FFEE- this constant has a binary representation of110000001111111111101110, where the MSB is 1. This makes the serial number negative, in contradiction to RFC 5280's requirements for serial numbers.The Yasna-based encoder that rcgen uses for emitting the serial number accounted for this by prepending 0x00 automatically. This should have resulted in a failure to find the literal serial
0xC0FFEEin the webpki CRL, except that webpki was incorrectly canonicalizing the serial number for the CRL representation, meaning the0x00C0FFEEserial emitted by rcgen was stored as0xC0FFEE, matching our lookup and allowing the test to pass.In Webpki v0.101.2 we removed the inappropriate canonicalization (rustls/webpki@e9e4955), meaning the rcgen emitted serial of
0x00C0FFEEwas stored as-is, and a lookup for0xC0FFEEno longer found a revoked certificate, making the test fail.This commit fixes the above by explicitly using
0x00C0FFEEas the serial number used for encoding of the revoked certificate's serial, and the lookup operation.Resolves #141
tests: fix webpki deprecations, remove allow.
The upstream webpki deprecated the per-usage trust anchor representation and end entity certificate verification functions. Instead, we now use the general
TrustAnchortype and invokeverify_for_usagewith the intendedKeyUsage.