crl: rm Budget from verify_signature fn

The `CertificateRevocationList` trait is part of our public API and so the `verify_signature` fn within it can't have new arguments introduced in a semver compatible way in this 0.101.x release stream. We broke this contract when we added the `Budget` argument. This commit removes the `Budget` argument and updates `verify_cert` to consume signature budget before calling `verify_signature`. This maintains semver and we can implement better long term solutions in the next release.
rustls · Sep 21, 2023 · 7f8208e · 7f8208e
1 parent 7cb6c64
commit 7f8208e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/src/crl.rs b/src/crl.rs
@@ -43,7 +43,6 @@ pub trait CertRevocationList: Sealed {
         &self,
         supported_sig_algs: &[&SignatureAlgorithm],
         issuer_spki: &[u8],
-        budget: &mut Budget,
     ) -> Result<(), Error>;
 }
 
@@ -87,13 +86,12 @@ impl CertRevocationList for OwnedCertRevocationList {
         &self,
         supported_sig_algs: &[&SignatureAlgorithm],
         issuer_spki: &[u8],
-        budget: &mut Budget,
     ) -> Result<(), Error> {
         signed_data::verify_signed_data(
             supported_sig_algs,
             untrusted::Input::from(issuer_spki),
             &self.signed_data.borrow(),
-            budget,
+            &mut Budget::default(),
         )
     }
 }
@@ -333,13 +331,12 @@ impl CertRevocationList for BorrowedCertRevocationList<'_> {
         &self,
         supported_sig_algs: &[&SignatureAlgorithm],
         issuer_spki: &[u8],
-        budget: &mut Budget,
     ) -> Result<(), Error> {
         signed_data::verify_signed_data(
             supported_sig_algs,
             untrusted::Input::from(issuer_spki),
             &self.signed_data,
-            budget,
+            &mut Budget::default(),
         )
     }
 }

diff --git a/src/verify_cert.rs b/src/verify_cert.rs
@@ -205,7 +205,7 @@ fn check_signed_chain_name_constraints(
     Ok(())
 }
 
-pub struct Budget {
+pub(crate) struct Budget {
     signatures: usize,
     build_chain_calls: usize,
     name_constraint_comparisons: usize,
@@ -294,7 +294,11 @@ fn check_crls(
     // TODO(XXX): consider whether we can refactor so this happens once up-front, instead
     //            of per-lookup.
     //            https://github.com/rustls/webpki/issues/81
-    crl.verify_signature(supported_sig_algs, issuer_spki.as_slice_less_safe(), budget)
+    // Note: The `verify_signature` method is part of a public trait in the exported API.
+    //       We can't add a budget argument to that fn in a semver compatible way and so must
+    //       consume signature budget here before calling verify_signature.
+    budget.consume_signature()?;
+    crl.verify_signature(supported_sig_algs, issuer_spki.as_slice_less_safe())
         .map_err(crl_signature_err)?;
 
     // Verify that if the issuer has a KeyUsage bitstring it asserts cRLSign.