deps: rcgen 0.12 -> 0.13

* updates rcgen dev dependency to 0.13 * fixes breaking upstream changes * reworks tests to remove some duplication/improve member ordering
rustls · Mar 29, 2024 · 3f3610d · 3f3610d
1 parent f9b41e5
commit 3f3610d
Show file tree

Hide file tree

Showing 6 changed files with 254 additions and 230 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -89,7 +89,7 @@ base64 = "0.22"
 bencher = "0.1.5"
 bzip2 = "0.4.4"
 once_cell = "1.17.2"
-rcgen = { version = "0.12.0" }
+rcgen = { version = "0.13", default-features = false, features = ["aws_lc_rs"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 

diff --git a/benches/benchmark.rs b/benches/benchmark.rs
@@ -1,9 +1,9 @@
 use bencher::{benchmark_group, benchmark_main, Bencher};
 use once_cell::sync::Lazy;
 use rcgen::{
- date_time_ymd, BasicConstraints, Certificate, CertificateParams, CertificateRevocationList,
- CertificateRevocationListParams, IsCa, KeyIdMethod, KeyUsagePurpose, RevocationReason,
- RevokedCertParams, SerialNumber, PKCS_ECDSA_P256_SHA256,
+ date_time_ymd, BasicConstraints, CertificateParams, CertificateRevocationListParams,
+ CertifiedKey, IsCa, KeyIdMethod, KeyPair, KeyUsagePurpose, RevocationReason, RevokedCertParams,
+ SerialNumber, PKCS_ECDSA_P256_SHA256,
 };
 
 use std::fs::File;
@@ -16,15 +16,18 @@ use webpki::{BorrowedCertRevocationList, CertRevocationList, OwnedCertRevocation
 
 /// Lazy initialized CRL issuer to be used when generating CRL data. Includes
 /// `KeyUsagePurpose::CrlSign` key usage bit.
-static CRL_ISSUER: Lazy<Mutex<Certificate>> = Lazy::new(|| {
- let mut issuer_params = CertificateParams::new(vec!["crl.issuer.example.com".to_string()]);
+static CRL_ISSUER: Lazy<Mutex<CertifiedKey>> = Lazy::new(|| {
+ let mut issuer_params =
+ CertificateParams::new(vec!["crl.issuer.example.com".to_string()]).unwrap();
  issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
  issuer_params.key_usages = vec![
  KeyUsagePurpose::KeyCertSign,
  KeyUsagePurpose::DigitalSignature,
  KeyUsagePurpose::CrlSign,
  ];
- Mutex::new(Certificate::from_params(issuer_params).unwrap())
+ let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap();
+ let cert = issuer_params.self_signed(&key_pair).unwrap();
+ Mutex::new(CertifiedKey { cert, key_pair })
 });
 
 /// Number of revoked certificates to include in the small benchmark CRL. Produces a CRL roughly
@@ -83,14 +86,15 @@ fn generate_crl(revoked_count: usize) -> Vec<u8> {
  this_update: date_time_ymd(2023, 6, 17),
  next_update: date_time_ymd(2024, 6, 17),
  crl_number: SerialNumber::from(1234),
- alg: &PKCS_ECDSA_P256_SHA256,
  key_identifier_method: KeyIdMethod::Sha256,
  issuing_distribution_point: None,
  revoked_certs,
  };
- let crl = CertificateRevocationList::from_params(crl).unwrap();
  let issuer = CRL_ISSUER.lock().unwrap();
- crl.serialize_der_with_signer(&issuer).unwrap()
+ crl.signed_by(&issuer.cert, &issuer.key_pair)
+ .unwrap()
+ .der()
+ .to_vec()
 }
 
 /// Benchmark parsing a small CRL file into a borrowed representation.

diff --git a/src/end_entity.rs b/src/end_entity.rs
@@ -197,23 +197,22 @@ mod tests {
 
  let issuer = test_utils::make_issuer("Test");
 
- let ee_cert_der = {
+ let ee_cert = {
  let mut params = test_utils::end_entity_params(vec![DNS_NAME.to_string()]);
  // construct a certificate that uses `PrintableString` as the
  // common name value, rather than `UTF8String`.
  params.distinguished_name.push(
  rcgen::DnType::CommonName,
- rcgen::DnValue::PrintableString("example.com".to_string()),
+ rcgen::DnValue::PrintableString(
+ rcgen::PrintableString::try_from("example.com").unwrap(),
+ ),
  );
- let cert = rcgen::Certificate::from_params(params)
- .expect("failed to make ee cert (this is a test bug)");
- let bytes = cert
- .serialize_der_with_signer(&issuer)
- .expect("failed to serialize signed ee cert (this is a test bug)");
- CertificateDer::from(bytes)
+ params
+ .signed_by(&test_utils::make_keypair(), &issuer.cert, &issuer.key_pair)
+ .expect("failed to make ee cert (this is a test bug)")
  };
 
- expect_dns_name(&ee_cert_der, DNS_NAME);
+ expect_dns_name(ee_cert.der(), DNS_NAME);
  }
 
  // This test reproduces https:/rustls/webpki/issues/167 --- an

diff --git a/src/test_utils.rs b/src/test_utils.rs
@@ -1,20 +1,26 @@
 #![cfg(feature = "alloc")]
 use std::prelude::v1::*;
 
-use crate::types::CertificateDer;
-
 /// Signature algorithm used by certificates and parameters generated using the test utils helpers.
 static RCGEN_SIGNATURE_ALG: &rcgen::SignatureAlgorithm = &rcgen::PKCS_ECDSA_P256_SHA256;
 
-pub(crate) fn make_issuer(org_name: impl Into<String>) -> rcgen::Certificate {
- rcgen::Certificate::from_params(issuer_params(org_name)).unwrap()
+pub(crate) fn make_issuer(org_name: impl Into<String>) -> rcgen::CertifiedKey {
+ let key_pair = make_keypair();
+ rcgen::CertifiedKey {
+ cert: issuer_params(org_name).self_signed(&key_pair).unwrap(),
+ key_pair,
+ }
+}
+
+pub(crate) fn make_keypair() -> rcgen::KeyPair {
+ rcgen::KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap()
 }
 
 /// Populate a [CertificateParams] that describes an unconstrained issuer certificate capable
 /// of signing other certificates and CRLs, with the given `org_name` as an organization distinguished
 /// subject name.
 pub(crate) fn issuer_params(org_name: impl Into<String>) -> rcgen::CertificateParams {
- let mut ca_params = rcgen::CertificateParams::new(Vec::new());
+ let mut ca_params = rcgen::CertificateParams::new(Vec::new()).unwrap();
  ca_params
  .distinguished_name
  .push(rcgen::DnType::OrganizationName, org_name);
@@ -24,23 +30,25 @@ pub(crate) fn issuer_params(org_name: impl Into<String>) -> rcgen::CertificatePa
  rcgen::KeyUsagePurpose::DigitalSignature,
  rcgen::KeyUsagePurpose::CrlSign,
  ];
- ca_params.alg = RCGEN_SIGNATURE_ALG;
  ca_params
 }
 
 #[cfg_attr(not(feature = "ring"), allow(dead_code))]
-pub(crate) fn make_end_entity(issuer: &rcgen::Certificate) -> CertificateDer<'static> {
- CertificateDer::from(
- rcgen::Certificate::from_params(end_entity_params(vec!["example.com".into()]))
- .unwrap()
- .serialize_der_with_signer(issuer)
+pub(crate) fn make_end_entity(
+ issuer: &rcgen::Certificate,
+ issuer_key: &rcgen::KeyPair,
+) -> rcgen::CertifiedKey {
+ let key_pair = make_keypair();
+ rcgen::CertifiedKey {
+ cert: end_entity_params(vec!["example.com".into()])
+ .signed_by(&key_pair, issuer, issuer_key)
  .unwrap(),
- )
+ key_pair,
+ }
 }
 
 pub(crate) fn end_entity_params(subject_alt_names: Vec<String>) -> rcgen::CertificateParams {
- let mut ee_params = rcgen::CertificateParams::new(subject_alt_names);
+ let mut ee_params = rcgen::CertificateParams::new(subject_alt_names).unwrap();
  ee_params.is_ca = rcgen::IsCa::ExplicitNoCa;
- ee_params.alg = RCGEN_SIGNATURE_ALG;
  ee_params
 }