From deca33882a8e99a3d08173058b334ef718a4b559 Mon Sep 17 00:00:00 2001 From: Joseph Birr-Pixton Date: Fri, 28 Jul 2023 10:07:29 +0100 Subject: [PATCH] Turn `webpki::SignatureAlgorithm` into a trait Rename it to `SignatureVerificationAlgorithm`. `RingAlgorithm` exists as the previous type, and implements the trait. This is a breaking change: - top level functions now need to pass a &[&dyn SignatureVerificationAlgorithm] - objects like `ECDSA_P256_SHA256` are now a `&dyn SignatureVerificationAlgorithm` so callers don't see the internal `RingAlgorithm` type. --- Cargo.toml | 2 +- src/crl.rs | 10 +- src/end_entity.rs | 10 +- src/lib.rs | 4 +- src/signed_data.rs | 146 ++++++++++++++-------- src/verify_cert.rs | 10 +- tests/better_tls.rs | 2 +- tests/client_auth.rs | 20 +-- tests/client_auth_revocation.rs | 2 +- tests/custom_ekus.rs | 4 +- tests/generate.py | 6 +- tests/integration.rs | 20 +-- tests/signatures.rs | 208 ++++++++++++++++---------------- tests/tls_server_certs.rs | 20 +-- 14 files changed, 258 insertions(+), 206 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 5c9d78b6..82bdbbe6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -21,7 +21,7 @@ license = "ISC" name = "rustls-webpki" readme = "README.md" repository = "https://github.com/rustls/webpki" -version = "0.101.2" +version = "0.102.0-alpha.0" include = [ "Cargo.toml", diff --git a/src/crl.rs b/src/crl.rs index 84c9a233..540ff856 100644 --- a/src/crl.rs +++ b/src/crl.rs @@ -16,7 +16,7 @@ use crate::cert::lenient_certificate_serial_number; use crate::der::{self, Tag, CONSTRUCTED, CONTEXT_SPECIFIC}; use crate::signed_data::{self, SignedData}; use crate::x509::{remember_extension, set_extension_once, DistributionPointName, Extension}; -use crate::{Error, SignatureAlgorithm, Time}; +use crate::{Error, SignatureVerificationAlgorithm, Time}; #[cfg(feature = "alloc")] use std::collections::HashMap; @@ -40,10 +40,10 @@ pub trait CertRevocationList: Sealed { fn find_serial(&self, serial: &[u8]) -> Result, Error>; /// Verify the CRL signature using the issuer's subject public key information (SPKI) - /// and a list of supported signature algorithms. + /// and a list of supported signature verification algorithms. fn verify_signature( &self, - supported_sig_algs: &[&SignatureAlgorithm], + supported_sig_algs: &[&dyn SignatureVerificationAlgorithm], issuer_spki: &[u8], ) -> Result<(), Error>; } @@ -91,7 +91,7 @@ impl CertRevocationList for OwnedCertRevocationList { fn verify_signature( &self, - supported_sig_algs: &[&SignatureAlgorithm], + supported_sig_algs: &[&dyn SignatureVerificationAlgorithm], issuer_spki: &[u8], ) -> Result<(), Error> { signed_data::verify_signed_data( @@ -346,7 +346,7 @@ impl CertRevocationList for BorrowedCertRevocationList<'_> { fn verify_signature( &self, - supported_sig_algs: &[&SignatureAlgorithm], + supported_sig_algs: &[&dyn SignatureVerificationAlgorithm], issuer_spki: &[u8], ) -> Result<(), Error> { signed_data::verify_signed_data( diff --git a/src/end_entity.rs b/src/end_entity.rs index fec55f40..abfdc3c5 100644 --- a/src/end_entity.rs +++ b/src/end_entity.rs @@ -16,7 +16,7 @@ use crate::subject_name::GeneralDnsNameRef; use crate::{ cert, signed_data, subject_name, verify_cert, CertRevocationList, Error, KeyUsage, - SignatureAlgorithm, SubjectNameRef, Time, TrustAnchor, + SignatureVerificationAlgorithm, SubjectNameRef, Time, TrustAnchor, }; /// An end-entity certificate. @@ -91,7 +91,7 @@ impl<'a> EndEntityCert<'a> { /// the certificate against. pub fn verify_for_usage( &self, - supported_sig_algs: &[&SignatureAlgorithm], + supported_sig_algs: &[&dyn SignatureVerificationAlgorithm], trust_anchors: &[TrustAnchor], intermediate_certs: &[&[u8]], time: Time, @@ -130,7 +130,7 @@ impl<'a> EndEntityCert<'a> { /// `DigitallySigned.signature` and `signature_alg` corresponds to TLS's /// `DigitallySigned.algorithm` of TLS type `SignatureAndHashAlgorithm`. In /// TLS 1.2 a single `SignatureAndHashAlgorithm` may map to multiple - /// `SignatureAlgorithm`s. For example, a TLS 1.2 + /// `SignatureVerificationAlgorithm`s. For example, a TLS 1.2 /// `SignatureAndHashAlgorithm` of (ECDSA, SHA-256) may map to any or all /// of {`ECDSA_P256_SHA256`, `ECDSA_P384_SHA256`}, depending on how the TLS /// implementation is configured. @@ -138,10 +138,10 @@ impl<'a> EndEntityCert<'a> { /// For current TLS 1.3 drafts, `signature_alg` corresponds to TLS's /// `algorithm` fields of type `SignatureScheme`. There is (currently) a /// one-to-one correspondence between TLS 1.3's `SignatureScheme` and - /// `SignatureAlgorithm`. + /// `SignatureVerificationAlgorithm`. pub fn verify_signature( &self, - signature_alg: &SignatureAlgorithm, + signature_alg: &dyn SignatureVerificationAlgorithm, msg: &[u8], signature: &[u8], ) -> Result<(), Error> { diff --git a/src/lib.rs b/src/lib.rs index 6535972b..0d682084 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -64,8 +64,8 @@ pub use { end_entity::EndEntityCert, error::Error, signed_data::{ - alg_id, SignatureAlgorithm, ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, - ECDSA_P384_SHA384, ED25519, + alg_id, InvalidSignature, SignatureVerificationAlgorithm, ECDSA_P256_SHA256, + ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519, }, subject_name::{ AddrParseError, DnsNameRef, InvalidDnsNameError, InvalidSubjectNameError, IpAddrRef, diff --git a/src/signed_data.rs b/src/signed_data.rs index fdde8831..8bc13cd8 100644 --- a/src/signed_data.rs +++ b/src/signed_data.rs @@ -149,7 +149,7 @@ impl<'a> SignedData<'a> { /// but generally more common algorithms should go first, as it is scanned /// linearly for matches. pub(crate) fn verify_signed_data( - supported_algorithms: &[&SignatureAlgorithm], + supported_algorithms: &[&dyn SignatureVerificationAlgorithm], spki_value: untrusted::Input, signed_data: &SignedData, ) -> Result<(), Error> { @@ -174,11 +174,11 @@ pub(crate) fn verify_signed_data( // let mut found_signature_alg_match = false; for supported_alg in supported_algorithms.iter().filter(|alg| { - alg.signature_alg_id + alg.signature_alg_id() .matches_algorithm_id_value(signed_data.algorithm) }) { match verify_signature( - supported_alg, + *supported_alg, spki_value, signed_data.data, signed_data.signature, @@ -201,14 +201,14 @@ pub(crate) fn verify_signed_data( } pub(crate) fn verify_signature( - signature_alg: &SignatureAlgorithm, + signature_alg: &dyn SignatureVerificationAlgorithm, spki_value: untrusted::Input, msg: untrusted::Input, signature: untrusted::Input, ) -> Result<(), Error> { let spki = SubjectPublicKeyInfo::from_der(spki_value)?; if !signature_alg - .public_key_alg_id + .public_key_alg_id() .matches_algorithm_id_value(spki.algorithm_id_value) { return Err(Error::UnsupportedSignatureAlgorithmForPublicKey); @@ -231,7 +231,7 @@ struct SubjectPublicKeyInfo<'a> { impl<'a> SubjectPublicKeyInfo<'a> { // Parse the public key into an algorithm OID, an optional curve OID, and the // key value. The caller needs to check whether these match the - // `PublicKeyAlgorithm` for the `SignatureAlgorithm` that is matched when + // `PublicKeyAlgorithm` for the `SignatureVerificationAlgorithm` that is matched when // parsing the signature. fn from_der(input: untrusted::Input<'a>) -> Result { input.read_all(Error::BadDer, |input| { @@ -245,14 +245,63 @@ impl<'a> SubjectPublicKeyInfo<'a> { } } -/// A signature algorithm. -pub struct SignatureAlgorithm { +/// An abstract signature verification algorithm. +/// +/// One of these is needed per supported pair of public key type (identified +/// with `public_key_alg_id()`) and `signatureAlgorithm` (identified with +/// `signature_alg_id()`). Note that both of these `AlgorithmIdentifier`s include +/// the parameters encoding, so separate `SignatureVerificationAlgorithm`s are needed +/// for each possible public key or signature parameters. +pub trait SignatureVerificationAlgorithm: Send + Sync { + /// Return the `AlgorithmIdentifier` that must be present on a `subjectPublicKeyInfo` + /// for this `SignatureVerificationAlgorithm` to be considered for verification. + fn public_key_alg_id(&self) -> alg_id::AlgorithmIdentifier; + + /// Return the `AlgorithmIdentifier` that must be present as the `signatureAlgorithm` + /// on the data to be verified for this `SignatureVerificationAlgorithm` to be considered + /// for this `SignatureVerificationAlgorithm` to be considered. + fn signature_alg_id(&self) -> alg_id::AlgorithmIdentifier; + + /// Verify a signature. + /// + /// `public_key` is the `subjectPublicKey` value from a `SubjectPublicKeyInfo` encoding + /// and is untrusted. + /// + /// `message` is the data over which the signature was allegedly computed. + /// It is not hashed; implementations of this trait function must do hashing + /// if that is required by the algorithm they implement. + /// + /// `signature` is the signature allegedly over `message`. + /// + /// Return `Ok(())` only if `signature` is a valid signature on `message`. + /// + /// Return `Err(InvalidSignature)` if the signature is invalid, including if the `public_key` + /// encoding is invalid. There is no need or opportunity to produce errors + /// that are more specific than this. + fn verify_signature( + &self, + public_key: &[u8], + message: &[u8], + signature: &[u8], + ) -> Result<(), InvalidSignature>; +} + +/// A `SignatureVerificationAlgorithm` implemented using *ring*. +struct RingAlgorithm { public_key_alg_id: alg_id::AlgorithmIdentifier, signature_alg_id: alg_id::AlgorithmIdentifier, verification_alg: &'static dyn signature::VerificationAlgorithm, } -impl SignatureAlgorithm { +impl SignatureVerificationAlgorithm for RingAlgorithm { + fn public_key_alg_id(&self) -> alg_id::AlgorithmIdentifier { + self.public_key_alg_id + } + + fn signature_alg_id(&self) -> alg_id::AlgorithmIdentifier { + self.signature_alg_id + } + fn verify_signature( &self, public_key: &[u8], @@ -266,28 +315,28 @@ impl SignatureAlgorithm { } /// ECDSA signatures using the P-256 curve and SHA-256. -pub static ECDSA_P256_SHA256: SignatureAlgorithm = SignatureAlgorithm { +pub static ECDSA_P256_SHA256: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::ECDSA_P256, signature_alg_id: alg_id::ECDSA_SHA256, verification_alg: &signature::ECDSA_P256_SHA256_ASN1, }; /// ECDSA signatures using the P-256 curve and SHA-384. Deprecated. -pub static ECDSA_P256_SHA384: SignatureAlgorithm = SignatureAlgorithm { +pub static ECDSA_P256_SHA384: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::ECDSA_P256, signature_alg_id: alg_id::ECDSA_SHA384, verification_alg: &signature::ECDSA_P256_SHA384_ASN1, }; /// ECDSA signatures using the P-384 curve and SHA-256. Deprecated. -pub static ECDSA_P384_SHA256: SignatureAlgorithm = SignatureAlgorithm { +pub static ECDSA_P384_SHA256: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::ECDSA_P384, signature_alg_id: alg_id::ECDSA_SHA256, verification_alg: &signature::ECDSA_P384_SHA256_ASN1, }; /// ECDSA signatures using the P-384 curve and SHA-384. -pub static ECDSA_P384_SHA384: SignatureAlgorithm = SignatureAlgorithm { +pub static ECDSA_P384_SHA384: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::ECDSA_P384, signature_alg_id: alg_id::ECDSA_SHA384, verification_alg: &signature::ECDSA_P384_SHA384_ASN1, @@ -297,7 +346,7 @@ pub static ECDSA_P384_SHA384: SignatureAlgorithm = SignatureAlgorithm { /// /// Requires the `alloc` feature. #[cfg(feature = "alloc")] -pub static RSA_PKCS1_2048_8192_SHA256: SignatureAlgorithm = SignatureAlgorithm { +pub static RSA_PKCS1_2048_8192_SHA256: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::RSA_ENCRYPTION, signature_alg_id: alg_id::RSA_PKCS1_SHA256, verification_alg: &signature::RSA_PKCS1_2048_8192_SHA256, @@ -307,7 +356,7 @@ pub static RSA_PKCS1_2048_8192_SHA256: SignatureAlgorithm = SignatureAlgorithm { /// /// Requires the `alloc` feature. #[cfg(feature = "alloc")] -pub static RSA_PKCS1_2048_8192_SHA384: SignatureAlgorithm = SignatureAlgorithm { +pub static RSA_PKCS1_2048_8192_SHA384: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::RSA_ENCRYPTION, signature_alg_id: alg_id::RSA_PKCS1_SHA384, verification_alg: &signature::RSA_PKCS1_2048_8192_SHA384, @@ -317,7 +366,7 @@ pub static RSA_PKCS1_2048_8192_SHA384: SignatureAlgorithm = SignatureAlgorithm { /// /// Requires the `alloc` feature. #[cfg(feature = "alloc")] -pub static RSA_PKCS1_2048_8192_SHA512: SignatureAlgorithm = SignatureAlgorithm { +pub static RSA_PKCS1_2048_8192_SHA512: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::RSA_ENCRYPTION, signature_alg_id: alg_id::RSA_PKCS1_SHA512, verification_alg: &signature::RSA_PKCS1_2048_8192_SHA512, @@ -327,7 +376,7 @@ pub static RSA_PKCS1_2048_8192_SHA512: SignatureAlgorithm = SignatureAlgorithm { /// /// Requires the `alloc` feature. #[cfg(feature = "alloc")] -pub static RSA_PKCS1_3072_8192_SHA384: SignatureAlgorithm = SignatureAlgorithm { +pub static RSA_PKCS1_3072_8192_SHA384: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::RSA_ENCRYPTION, signature_alg_id: alg_id::RSA_PKCS1_SHA384, verification_alg: &signature::RSA_PKCS1_3072_8192_SHA384, @@ -340,11 +389,12 @@ pub static RSA_PKCS1_3072_8192_SHA384: SignatureAlgorithm = SignatureAlgorithm { /// /// Requires the `alloc` feature. #[cfg(feature = "alloc")] -pub static RSA_PSS_2048_8192_SHA256_LEGACY_KEY: SignatureAlgorithm = SignatureAlgorithm { - public_key_alg_id: alg_id::RSA_ENCRYPTION, - signature_alg_id: alg_id::RSA_PSS_SHA256, - verification_alg: &signature::RSA_PSS_2048_8192_SHA256, -}; +pub static RSA_PSS_2048_8192_SHA256_LEGACY_KEY: &dyn SignatureVerificationAlgorithm = + &RingAlgorithm { + public_key_alg_id: alg_id::RSA_ENCRYPTION, + signature_alg_id: alg_id::RSA_PSS_SHA256, + verification_alg: &signature::RSA_PSS_2048_8192_SHA256, + }; /// RSA PSS signatures using SHA-384 for keys of 2048-8192 bits and of /// type rsaEncryption; see [RFC 4055 Section 1.2]. @@ -353,11 +403,12 @@ pub static RSA_PSS_2048_8192_SHA256_LEGACY_KEY: SignatureAlgorithm = SignatureAl /// /// Requires the `alloc` feature. #[cfg(feature = "alloc")] -pub static RSA_PSS_2048_8192_SHA384_LEGACY_KEY: SignatureAlgorithm = SignatureAlgorithm { - public_key_alg_id: alg_id::RSA_ENCRYPTION, - signature_alg_id: alg_id::RSA_PSS_SHA384, - verification_alg: &signature::RSA_PSS_2048_8192_SHA384, -}; +pub static RSA_PSS_2048_8192_SHA384_LEGACY_KEY: &dyn SignatureVerificationAlgorithm = + &RingAlgorithm { + public_key_alg_id: alg_id::RSA_ENCRYPTION, + signature_alg_id: alg_id::RSA_PSS_SHA384, + verification_alg: &signature::RSA_PSS_2048_8192_SHA384, + }; /// RSA PSS signatures using SHA-512 for keys of 2048-8192 bits and of /// type rsaEncryption; see [RFC 4055 Section 1.2]. @@ -366,14 +417,15 @@ pub static RSA_PSS_2048_8192_SHA384_LEGACY_KEY: SignatureAlgorithm = SignatureAl /// /// Requires the `alloc` feature. #[cfg(feature = "alloc")] -pub static RSA_PSS_2048_8192_SHA512_LEGACY_KEY: SignatureAlgorithm = SignatureAlgorithm { - public_key_alg_id: alg_id::RSA_ENCRYPTION, - signature_alg_id: alg_id::RSA_PSS_SHA512, - verification_alg: &signature::RSA_PSS_2048_8192_SHA512, -}; +pub static RSA_PSS_2048_8192_SHA512_LEGACY_KEY: &dyn SignatureVerificationAlgorithm = + &RingAlgorithm { + public_key_alg_id: alg_id::RSA_ENCRYPTION, + signature_alg_id: alg_id::RSA_PSS_SHA512, + verification_alg: &signature::RSA_PSS_2048_8192_SHA512, + }; /// ED25519 signatures according to RFC 8410 -pub static ED25519: SignatureAlgorithm = SignatureAlgorithm { +pub static ED25519: &dyn SignatureVerificationAlgorithm = &RingAlgorithm { public_key_alg_id: alg_id::ED25519, signature_alg_id: alg_id::ED25519, verification_alg: &signature::ED25519, @@ -381,7 +433,7 @@ pub static ED25519: SignatureAlgorithm = SignatureAlgorithm { /// A detail-less error when a signature is not valid. #[derive(Debug, Copy, Clone)] -struct InvalidSignature; +pub struct InvalidSignature; /// Encodings of the PKIX AlgorithmIdentifier type: /// @@ -881,28 +933,28 @@ mod tests { general_purpose::STANDARD.decode(&base64).unwrap() } - static SUPPORTED_ALGORITHMS_IN_TESTS: &[&signed_data::SignatureAlgorithm] = &[ + static SUPPORTED_ALGORITHMS_IN_TESTS: &[&dyn signed_data::SignatureVerificationAlgorithm] = &[ // Reasonable algorithms. - &signed_data::ECDSA_P256_SHA256, - &signed_data::ECDSA_P384_SHA384, - &signed_data::ED25519, + signed_data::ECDSA_P256_SHA256, + signed_data::ECDSA_P384_SHA384, + signed_data::ED25519, #[cfg(feature = "alloc")] - &signed_data::RSA_PKCS1_2048_8192_SHA256, + signed_data::RSA_PKCS1_2048_8192_SHA256, #[cfg(feature = "alloc")] - &signed_data::RSA_PKCS1_2048_8192_SHA384, + signed_data::RSA_PKCS1_2048_8192_SHA384, #[cfg(feature = "alloc")] - &signed_data::RSA_PKCS1_2048_8192_SHA512, + signed_data::RSA_PKCS1_2048_8192_SHA512, #[cfg(feature = "alloc")] - &signed_data::RSA_PKCS1_3072_8192_SHA384, + signed_data::RSA_PKCS1_3072_8192_SHA384, #[cfg(feature = "alloc")] - &signed_data::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + signed_data::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, #[cfg(feature = "alloc")] - &signed_data::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + signed_data::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, #[cfg(feature = "alloc")] - &signed_data::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + signed_data::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, // Algorithms deprecated because they are annoying (P-521) or because // they are nonsensical combinations. - &signed_data::ECDSA_P256_SHA384, // Truncates digest. - &signed_data::ECDSA_P384_SHA256, // Digest is unnecessarily short. + signed_data::ECDSA_P256_SHA384, // Truncates digest. + signed_data::ECDSA_P384_SHA256, // Digest is unnecessarily short. ]; } diff --git a/src/verify_cert.rs b/src/verify_cert.rs index c88de975..39431b64 100644 --- a/src/verify_cert.rs +++ b/src/verify_cert.rs @@ -14,13 +14,13 @@ use crate::{ cert::{Cert, EndEntityOrCa}, - der, signed_data, subject_name, time, CertRevocationList, Error, SignatureAlgorithm, - TrustAnchor, + der, signed_data, subject_name, time, CertRevocationList, Error, + SignatureVerificationAlgorithm, TrustAnchor, }; pub(crate) struct ChainOptions<'a> { pub(crate) eku: KeyUsage, - pub(crate) supported_sig_algs: &'a [&'a SignatureAlgorithm], + pub(crate) supported_sig_algs: &'a [&'a dyn SignatureVerificationAlgorithm], pub(crate) trust_anchors: &'a [TrustAnchor<'a>], pub(crate) intermediate_certs: &'a [&'a [u8]], pub(crate) crls: &'a [&'a dyn CertRevocationList], @@ -138,7 +138,7 @@ fn build_chain_inner( } fn check_signatures( - supported_sig_algs: &[&SignatureAlgorithm], + supported_sig_algs: &[&dyn SignatureVerificationAlgorithm], cert_chain: &Cert, trust_anchor: &TrustAnchor, crls: &[&dyn CertRevocationList], @@ -189,7 +189,7 @@ impl CertNotRevoked { } fn check_crls( - supported_sig_algs: &[&SignatureAlgorithm], + supported_sig_algs: &[&dyn SignatureVerificationAlgorithm], cert: &Cert, issuer_subject: untrusted::Input, issuer_spki: untrusted::Input, diff --git a/tests/better_tls.rs b/tests/better_tls.rs index 306b283b..14094a42 100644 --- a/tests/better_tls.rs +++ b/tests/better_tls.rs @@ -35,7 +35,7 @@ pub fn path_building() { let now = webpki::Time::from_seconds_since_unix_epoch(1_688_651_734); let result = ee_cert.verify_for_usage( - &[&webpki::ECDSA_P256_SHA256], // All of the BetterTLS testcases use P256 keys. + &[webpki::ECDSA_P256_SHA256], // All of the BetterTLS testcases use P256 keys. roots, intermediates, now, diff --git a/tests/client_auth.rs b/tests/client_auth.rs index dd84e6d4..ac18761f 100644 --- a/tests/client_auth.rs +++ b/tests/client_auth.rs @@ -16,16 +16,16 @@ use webpki::KeyUsage; #[cfg(feature = "alloc")] -static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::ED25519, - &webpki::RSA_PKCS1_2048_8192_SHA256, - &webpki::RSA_PKCS1_2048_8192_SHA384, - &webpki::RSA_PKCS1_2048_8192_SHA512, - &webpki::RSA_PKCS1_3072_8192_SHA384, +static ALL_SIGALGS: &[&dyn webpki::SignatureVerificationAlgorithm] = &[ + webpki::ECDSA_P256_SHA256, + webpki::ECDSA_P256_SHA384, + webpki::ECDSA_P384_SHA256, + webpki::ECDSA_P384_SHA384, + webpki::ED25519, + webpki::RSA_PKCS1_2048_8192_SHA256, + webpki::RSA_PKCS1_2048_8192_SHA384, + webpki::RSA_PKCS1_2048_8192_SHA512, + webpki::RSA_PKCS1_3072_8192_SHA384, ]; #[cfg(feature = "alloc")] diff --git a/tests/client_auth_revocation.rs b/tests/client_auth_revocation.rs index ea6ee216..74c83243 100644 --- a/tests/client_auth_revocation.rs +++ b/tests/client_auth_revocation.rs @@ -25,7 +25,7 @@ fn check_cert( let time = webpki::Time::from_seconds_since_unix_epoch(0x1fed_f00d); cert.verify_for_usage( - &[&webpki::ECDSA_P256_SHA256], + &[webpki::ECDSA_P256_SHA256], anchors, intermediates, time, diff --git a/tests/custom_ekus.rs b/tests/custom_ekus.rs index 0fc094df..84173978 100644 --- a/tests/custom_ekus.rs +++ b/tests/custom_ekus.rs @@ -11,8 +11,8 @@ fn check_cert( ) { let anchors = [webpki::TrustAnchor::try_from_cert_der(ca).unwrap()]; let algs = &[ - &webpki::RSA_PKCS1_2048_8192_SHA256, - &webpki::ECDSA_P256_SHA256, + webpki::RSA_PKCS1_2048_8192_SHA256, + webpki::ECDSA_P256_SHA256, ]; let cert = webpki::EndEntityCert::try_from(ee).unwrap(); diff --git a/tests/generate.py b/tests/generate.py index 3cf55546..17d34e2d 100755 --- a/tests/generate.py +++ b/tests/generate.py @@ -674,7 +674,7 @@ def _test( let message = include_bytes!("%(message_path)s"); let signature = include_bytes!("%(sig_path)s"); assert_eq!( - check_sig(ee, &webpki::%(algorithm)s, message, signature), + check_sig(ee, webpki::%(algorithm)s, message, signature), %(expected)s ); }""" @@ -718,7 +718,7 @@ def bad_algorithms_for_key( cert_path: str = _cert_path(cert_type) test_name_lower: str = test_name.lower() unusable_algs_str: str = ", ".join( - "&webpki::" + alg for alg in sorted(unusable_algs) + "webpki::" + alg for alg in sorted(unusable_algs) ) print( """ @@ -728,7 +728,7 @@ def bad_algorithms_for_key( let ee = include_bytes!("%(cert_path)s"); for algorithm in &[ %(unusable_algs_str)s ] { assert_eq!( - check_sig(ee, algorithm, b"", b""), + check_sig(ee, *algorithm, b"", b""), Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey) ); } diff --git a/tests/integration.rs b/tests/integration.rs index 85d6e0e6..287319e8 100644 --- a/tests/integration.rs +++ b/tests/integration.rs @@ -14,20 +14,20 @@ use webpki::KeyUsage; -static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::ED25519, +static ALL_SIGALGS: &[&dyn webpki::SignatureVerificationAlgorithm] = &[ + webpki::ECDSA_P256_SHA256, + webpki::ECDSA_P256_SHA384, + webpki::ECDSA_P384_SHA256, + webpki::ECDSA_P384_SHA384, + webpki::ED25519, #[cfg(feature = "alloc")] - &webpki::RSA_PKCS1_2048_8192_SHA256, + webpki::RSA_PKCS1_2048_8192_SHA256, #[cfg(feature = "alloc")] - &webpki::RSA_PKCS1_2048_8192_SHA384, + webpki::RSA_PKCS1_2048_8192_SHA384, #[cfg(feature = "alloc")] - &webpki::RSA_PKCS1_2048_8192_SHA512, + webpki::RSA_PKCS1_2048_8192_SHA512, #[cfg(feature = "alloc")] - &webpki::RSA_PKCS1_3072_8192_SHA384, + webpki::RSA_PKCS1_3072_8192_SHA384, ]; /* Checks we can verify netflix's cert chain. This is notable diff --git a/tests/signatures.rs b/tests/signatures.rs index 672292f9..d4ee1638 100644 --- a/tests/signatures.rs +++ b/tests/signatures.rs @@ -17,7 +17,7 @@ extern crate webpki; #[cfg(feature = "alloc")] fn check_sig( ee: &[u8], - alg: &webpki::SignatureAlgorithm, + alg: &dyn webpki::SignatureVerificationAlgorithm, message: &[u8], signature: &[u8], ) -> Result<(), webpki::Error> { @@ -33,7 +33,7 @@ fn ed25519_key_and_ed25519_good_signature() { let ee = include_bytes!("signatures/ed25519.ee.der"); let message = include_bytes!("signatures/message.bin"); let signature = include_bytes!("signatures/ed25519_key_and_ed25519_good_signature.sig.bin"); - assert_eq!(check_sig(ee, &webpki::ED25519, message, signature), Ok(())); + assert_eq!(check_sig(ee, webpki::ED25519, message, signature), Ok(())); } #[test] @@ -44,7 +44,7 @@ fn ed25519_key_and_ed25519_detects_bad_signature() { let signature = include_bytes!("signatures/ed25519_key_and_ed25519_detects_bad_signature.sig.bin"); assert_eq!( - check_sig(ee, &webpki::ED25519, message, signature), + check_sig(ee, webpki::ED25519, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -54,20 +54,20 @@ fn ed25519_key_and_ed25519_detects_bad_signature() { fn ed25519_key_rejected_by_other_algorithms() { let ee = include_bytes!("signatures/ed25519.ee.der"); for algorithm in &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::RSA_PKCS1_2048_8192_SHA256, - &webpki::RSA_PKCS1_2048_8192_SHA384, - &webpki::RSA_PKCS1_2048_8192_SHA512, - &webpki::RSA_PKCS1_3072_8192_SHA384, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::ECDSA_P256_SHA256, + webpki::ECDSA_P256_SHA384, + webpki::ECDSA_P384_SHA256, + webpki::ECDSA_P384_SHA384, + webpki::RSA_PKCS1_2048_8192_SHA256, + webpki::RSA_PKCS1_2048_8192_SHA384, + webpki::RSA_PKCS1_2048_8192_SHA512, + webpki::RSA_PKCS1_3072_8192_SHA384, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, ] { assert_eq!( - check_sig(ee, algorithm, b"", b""), + check_sig(ee, *algorithm, b"", b""), Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey) ); } @@ -81,7 +81,7 @@ fn ecdsa_p256_key_and_ecdsa_p256_sha384_good_signature() { let signature = include_bytes!("signatures/ecdsa_p256_key_and_ecdsa_p256_sha384_good_signature.sig.bin"); assert_eq!( - check_sig(ee, &webpki::ECDSA_P256_SHA384, message, signature), + check_sig(ee, webpki::ECDSA_P256_SHA384, message, signature), Ok(()) ); } @@ -95,7 +95,7 @@ fn ecdsa_p256_key_and_ecdsa_p256_sha384_detects_bad_signature() { "signatures/ecdsa_p256_key_and_ecdsa_p256_sha384_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::ECDSA_P256_SHA384, message, signature), + check_sig(ee, webpki::ECDSA_P256_SHA384, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -108,7 +108,7 @@ fn ecdsa_p256_key_and_ecdsa_p256_sha256_good_signature() { let signature = include_bytes!("signatures/ecdsa_p256_key_and_ecdsa_p256_sha256_good_signature.sig.bin"); assert_eq!( - check_sig(ee, &webpki::ECDSA_P256_SHA256, message, signature), + check_sig(ee, webpki::ECDSA_P256_SHA256, message, signature), Ok(()) ); } @@ -122,7 +122,7 @@ fn ecdsa_p256_key_and_ecdsa_p256_sha256_detects_bad_signature() { "signatures/ecdsa_p256_key_and_ecdsa_p256_sha256_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::ECDSA_P256_SHA256, message, signature), + check_sig(ee, webpki::ECDSA_P256_SHA256, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -132,19 +132,19 @@ fn ecdsa_p256_key_and_ecdsa_p256_sha256_detects_bad_signature() { fn ecdsa_p256_key_rejected_by_other_algorithms() { let ee = include_bytes!("signatures/ecdsa_p256.ee.der"); for algorithm in &[ - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::ED25519, - &webpki::RSA_PKCS1_2048_8192_SHA256, - &webpki::RSA_PKCS1_2048_8192_SHA384, - &webpki::RSA_PKCS1_2048_8192_SHA512, - &webpki::RSA_PKCS1_3072_8192_SHA384, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::ECDSA_P384_SHA256, + webpki::ECDSA_P384_SHA384, + webpki::ED25519, + webpki::RSA_PKCS1_2048_8192_SHA256, + webpki::RSA_PKCS1_2048_8192_SHA384, + webpki::RSA_PKCS1_2048_8192_SHA512, + webpki::RSA_PKCS1_3072_8192_SHA384, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, ] { assert_eq!( - check_sig(ee, algorithm, b"", b""), + check_sig(ee, *algorithm, b"", b""), Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey) ); } @@ -158,7 +158,7 @@ fn ecdsa_p384_key_and_ecdsa_p384_sha384_good_signature() { let signature = include_bytes!("signatures/ecdsa_p384_key_and_ecdsa_p384_sha384_good_signature.sig.bin"); assert_eq!( - check_sig(ee, &webpki::ECDSA_P384_SHA384, message, signature), + check_sig(ee, webpki::ECDSA_P384_SHA384, message, signature), Ok(()) ); } @@ -172,7 +172,7 @@ fn ecdsa_p384_key_and_ecdsa_p384_sha384_detects_bad_signature() { "signatures/ecdsa_p384_key_and_ecdsa_p384_sha384_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::ECDSA_P384_SHA384, message, signature), + check_sig(ee, webpki::ECDSA_P384_SHA384, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -185,7 +185,7 @@ fn ecdsa_p384_key_and_ecdsa_p384_sha256_good_signature() { let signature = include_bytes!("signatures/ecdsa_p384_key_and_ecdsa_p384_sha256_good_signature.sig.bin"); assert_eq!( - check_sig(ee, &webpki::ECDSA_P384_SHA256, message, signature), + check_sig(ee, webpki::ECDSA_P384_SHA256, message, signature), Ok(()) ); } @@ -199,7 +199,7 @@ fn ecdsa_p384_key_and_ecdsa_p384_sha256_detects_bad_signature() { "signatures/ecdsa_p384_key_and_ecdsa_p384_sha256_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::ECDSA_P384_SHA256, message, signature), + check_sig(ee, webpki::ECDSA_P384_SHA256, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -209,19 +209,19 @@ fn ecdsa_p384_key_and_ecdsa_p384_sha256_detects_bad_signature() { fn ecdsa_p384_key_rejected_by_other_algorithms() { let ee = include_bytes!("signatures/ecdsa_p384.ee.der"); for algorithm in &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ED25519, - &webpki::RSA_PKCS1_2048_8192_SHA256, - &webpki::RSA_PKCS1_2048_8192_SHA384, - &webpki::RSA_PKCS1_2048_8192_SHA512, - &webpki::RSA_PKCS1_3072_8192_SHA384, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::ECDSA_P256_SHA256, + webpki::ECDSA_P256_SHA384, + webpki::ED25519, + webpki::RSA_PKCS1_2048_8192_SHA256, + webpki::RSA_PKCS1_2048_8192_SHA384, + webpki::RSA_PKCS1_2048_8192_SHA512, + webpki::RSA_PKCS1_3072_8192_SHA384, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, ] { assert_eq!( - check_sig(ee, algorithm, b"", b""), + check_sig(ee, *algorithm, b"", b""), Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey) ); } @@ -236,7 +236,7 @@ fn rsa_2048_key_and_rsa_pkcs1_2048_8192_sha256_good_signature() { "signatures/rsa_2048_key_and_rsa_pkcs1_2048_8192_sha256_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), Ok(()) ); } @@ -250,7 +250,7 @@ fn rsa_2048_key_and_rsa_pkcs1_2048_8192_sha256_detects_bad_signature() { "signatures/rsa_2048_key_and_rsa_pkcs1_2048_8192_sha256_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -264,7 +264,7 @@ fn rsa_2048_key_and_rsa_pkcs1_2048_8192_sha384_good_signature() { "signatures/rsa_2048_key_and_rsa_pkcs1_2048_8192_sha384_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), Ok(()) ); } @@ -278,7 +278,7 @@ fn rsa_2048_key_and_rsa_pkcs1_2048_8192_sha384_detects_bad_signature() { "signatures/rsa_2048_key_and_rsa_pkcs1_2048_8192_sha384_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -292,7 +292,7 @@ fn rsa_2048_key_and_rsa_pkcs1_2048_8192_sha512_good_signature() { "signatures/rsa_2048_key_and_rsa_pkcs1_2048_8192_sha512_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), Ok(()) ); } @@ -306,7 +306,7 @@ fn rsa_2048_key_and_rsa_pkcs1_2048_8192_sha512_detects_bad_signature() { "signatures/rsa_2048_key_and_rsa_pkcs1_2048_8192_sha512_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -322,7 +322,7 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha256_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, message, signature ), @@ -339,7 +339,7 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha256_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, message, signature ), @@ -358,7 +358,7 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha384_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, message, signature ), @@ -375,7 +375,7 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha384_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, message, signature ), @@ -394,7 +394,7 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha512_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, message, signature ), @@ -411,7 +411,7 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha512_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, message, signature ), @@ -424,14 +424,14 @@ fn rsa_2048_key_and_rsa_pss_2048_8192_sha512_legacy_key_detects_bad_signature() fn rsa_2048_key_rejected_by_other_algorithms() { let ee = include_bytes!("signatures/rsa_2048.ee.der"); for algorithm in &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::ED25519, + webpki::ECDSA_P256_SHA256, + webpki::ECDSA_P256_SHA384, + webpki::ECDSA_P384_SHA256, + webpki::ECDSA_P384_SHA384, + webpki::ED25519, ] { assert_eq!( - check_sig(ee, algorithm, b"", b""), + check_sig(ee, *algorithm, b"", b""), Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey) ); } @@ -446,7 +446,7 @@ fn rsa_3072_key_and_rsa_pkcs1_2048_8192_sha256_good_signature() { "signatures/rsa_3072_key_and_rsa_pkcs1_2048_8192_sha256_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), Ok(()) ); } @@ -460,7 +460,7 @@ fn rsa_3072_key_and_rsa_pkcs1_2048_8192_sha256_detects_bad_signature() { "signatures/rsa_3072_key_and_rsa_pkcs1_2048_8192_sha256_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -474,7 +474,7 @@ fn rsa_3072_key_and_rsa_pkcs1_2048_8192_sha384_good_signature() { "signatures/rsa_3072_key_and_rsa_pkcs1_2048_8192_sha384_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), Ok(()) ); } @@ -488,7 +488,7 @@ fn rsa_3072_key_and_rsa_pkcs1_2048_8192_sha384_detects_bad_signature() { "signatures/rsa_3072_key_and_rsa_pkcs1_2048_8192_sha384_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -502,7 +502,7 @@ fn rsa_3072_key_and_rsa_pkcs1_2048_8192_sha512_good_signature() { "signatures/rsa_3072_key_and_rsa_pkcs1_2048_8192_sha512_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), Ok(()) ); } @@ -516,7 +516,7 @@ fn rsa_3072_key_and_rsa_pkcs1_2048_8192_sha512_detects_bad_signature() { "signatures/rsa_3072_key_and_rsa_pkcs1_2048_8192_sha512_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -532,7 +532,7 @@ fn rsa_3072_key_and_rsa_pss_2048_8192_sha256_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, message, signature ), @@ -549,7 +549,7 @@ fn rsa_3072_key_and_rsa_pss_2048_8192_sha256_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, message, signature ), @@ -568,7 +568,7 @@ fn rsa_3072_key_and_rsa_pss_2048_8192_sha384_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, message, signature ), @@ -585,7 +585,7 @@ fn rsa_3072_key_and_rsa_pss_2048_8192_sha384_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, message, signature ), @@ -604,7 +604,7 @@ fn rsa_3072_key_and_rsa_pss_2048_8192_sha512_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, message, signature ), @@ -621,7 +621,7 @@ fn rsa_3072_key_and_rsa_pss_2048_8192_sha512_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, message, signature ), @@ -638,7 +638,7 @@ fn rsa_3072_key_and_rsa_pkcs1_3072_8192_sha384_good_signature() { "signatures/rsa_3072_key_and_rsa_pkcs1_3072_8192_sha384_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), Ok(()) ); } @@ -652,7 +652,7 @@ fn rsa_3072_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature() { "signatures/rsa_3072_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -662,14 +662,14 @@ fn rsa_3072_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature() { fn rsa_3072_key_rejected_by_other_algorithms() { let ee = include_bytes!("signatures/rsa_3072.ee.der"); for algorithm in &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::ED25519, + webpki::ECDSA_P256_SHA256, + webpki::ECDSA_P256_SHA384, + webpki::ECDSA_P384_SHA256, + webpki::ECDSA_P384_SHA384, + webpki::ED25519, ] { assert_eq!( - check_sig(ee, algorithm, b"", b""), + check_sig(ee, *algorithm, b"", b""), Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey) ); } @@ -684,7 +684,7 @@ fn rsa_4096_key_and_rsa_pkcs1_2048_8192_sha256_good_signature() { "signatures/rsa_4096_key_and_rsa_pkcs1_2048_8192_sha256_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), Ok(()) ); } @@ -698,7 +698,7 @@ fn rsa_4096_key_and_rsa_pkcs1_2048_8192_sha256_detects_bad_signature() { "signatures/rsa_4096_key_and_rsa_pkcs1_2048_8192_sha256_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA256, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -712,7 +712,7 @@ fn rsa_4096_key_and_rsa_pkcs1_2048_8192_sha384_good_signature() { "signatures/rsa_4096_key_and_rsa_pkcs1_2048_8192_sha384_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), Ok(()) ); } @@ -726,7 +726,7 @@ fn rsa_4096_key_and_rsa_pkcs1_2048_8192_sha384_detects_bad_signature() { "signatures/rsa_4096_key_and_rsa_pkcs1_2048_8192_sha384_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA384, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -740,7 +740,7 @@ fn rsa_4096_key_and_rsa_pkcs1_2048_8192_sha512_good_signature() { "signatures/rsa_4096_key_and_rsa_pkcs1_2048_8192_sha512_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), Ok(()) ); } @@ -754,7 +754,7 @@ fn rsa_4096_key_and_rsa_pkcs1_2048_8192_sha512_detects_bad_signature() { "signatures/rsa_4096_key_and_rsa_pkcs1_2048_8192_sha512_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), + check_sig(ee, webpki::RSA_PKCS1_2048_8192_SHA512, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -770,7 +770,7 @@ fn rsa_4096_key_and_rsa_pss_2048_8192_sha256_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, message, signature ), @@ -787,7 +787,7 @@ fn rsa_4096_key_and_rsa_pss_2048_8192_sha256_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY, message, signature ), @@ -806,7 +806,7 @@ fn rsa_4096_key_and_rsa_pss_2048_8192_sha384_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, message, signature ), @@ -823,7 +823,7 @@ fn rsa_4096_key_and_rsa_pss_2048_8192_sha384_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY, message, signature ), @@ -842,7 +842,7 @@ fn rsa_4096_key_and_rsa_pss_2048_8192_sha512_legacy_key_good_signature() { assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, message, signature ), @@ -859,7 +859,7 @@ fn rsa_4096_key_and_rsa_pss_2048_8192_sha512_legacy_key_detects_bad_signature() assert_eq!( check_sig( ee, - &webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, + webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY, message, signature ), @@ -876,7 +876,7 @@ fn rsa_4096_key_and_rsa_pkcs1_3072_8192_sha384_good_signature() { "signatures/rsa_4096_key_and_rsa_pkcs1_3072_8192_sha384_good_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), Ok(()) ); } @@ -890,7 +890,7 @@ fn rsa_4096_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature() { "signatures/rsa_4096_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature.sig.bin" ); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } @@ -900,14 +900,14 @@ fn rsa_4096_key_and_rsa_pkcs1_3072_8192_sha384_detects_bad_signature() { fn rsa_4096_key_rejected_by_other_algorithms() { let ee = include_bytes!("signatures/rsa_4096.ee.der"); for algorithm in &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::ED25519, + webpki::ECDSA_P256_SHA256, + webpki::ECDSA_P256_SHA384, + webpki::ECDSA_P384_SHA256, + webpki::ECDSA_P384_SHA384, + webpki::ED25519, ] { assert_eq!( - check_sig(ee, algorithm, b"", b""), + check_sig(ee, *algorithm, b"", b""), Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey) ); } @@ -921,7 +921,7 @@ fn rsa_2048_key_rejected_by_rsa_pkcs1_3072_8192_sha384() { let signature = include_bytes!("signatures/rsa_2048_key_rejected_by_rsa_pkcs1_3072_8192_sha384.sig.bin"); assert_eq!( - check_sig(ee, &webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), + check_sig(ee, webpki::RSA_PKCS1_3072_8192_SHA384, message, signature), Err(webpki::Error::InvalidSignatureForPublicKey) ); } diff --git a/tests/tls_server_certs.rs b/tests/tls_server_certs.rs index e0d8f2ef..0b901f64 100644 --- a/tests/tls_server_certs.rs +++ b/tests/tls_server_certs.rs @@ -15,16 +15,16 @@ use webpki::KeyUsage; -static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[ - &webpki::ECDSA_P256_SHA256, - &webpki::ECDSA_P256_SHA384, - &webpki::ECDSA_P384_SHA256, - &webpki::ECDSA_P384_SHA384, - &webpki::ED25519, - &webpki::RSA_PKCS1_2048_8192_SHA256, - &webpki::RSA_PKCS1_2048_8192_SHA384, - &webpki::RSA_PKCS1_2048_8192_SHA512, - &webpki::RSA_PKCS1_3072_8192_SHA384, +static ALL_SIGALGS: &[&dyn webpki::SignatureVerificationAlgorithm] = &[ + webpki::ECDSA_P256_SHA256, + webpki::ECDSA_P256_SHA384, + webpki::ECDSA_P384_SHA256, + webpki::ECDSA_P384_SHA384, + webpki::ED25519, + webpki::RSA_PKCS1_2048_8192_SHA256, + webpki::RSA_PKCS1_2048_8192_SHA384, + webpki::RSA_PKCS1_2048_8192_SHA512, + webpki::RSA_PKCS1_3072_8192_SHA384, ]; fn check_cert(