revocation: more sophisticated revocation checking.

[cpu]

This branch resolves the issues highlighted in #121, enforcing that certificate CRL coverage is handled properly, and unknown revocation status can be treated as an error condition when appropriate.

revocation: policy for unknown revocation status.

This commit reworks the CRL revocation checking interface to allow specifying more policy for how CRLs should be used with a builder-based API.

In particular:

• The depth of revocation checking can be controlled, allowing users to only check the revocation status of end entity certificates.
• Handling of unknown revocation status can be controlled, allowing users to decide if unknown status should be treated as an error or not.
• We can ensure that when revocation options are provided, there is always at least one CRL to use.

revocation: use cert CRL DP and CRL IDP extensions.

This commit updates the CRL validation process so that when selecting a CRL we consider more than just whether the cert issuer matches the CRL issuer.

As of this commit we consider a CRL authoritative for a certificate when:

• The certificate issuer matches the CRL issuer and,
• The certificate has no CRL distribution points, and the CRL has no issuing distribution point extension.
• Or, the certificate has no CRL distribution points, but the the CRL has an issuing distribution point extension with a scope that includes the certificate.
• Or, the certificate has CRL distribution points, and the CRL has an issuing distribution point extension with a scope that includes the certificate, and at least one distribution point full name is a URI type general name that can also be found in the CRL issuing distribution point full name general name sequence.

In all other circumstances the CRL is not considered authoritative. If we can't find an authoritative CRL from the set of loaded CRLs the certificate will be considered as having unknown revocation status. Whether this is an error or not is controlled by the user provided revocation policy.

tests: integration tests for new revocation logic.

Extends existing integration tests for new revocation logic. Also de-duplicates the owned/borrowed test generation.

misc: clippy fixes

Addresses some clippy findings that bubbled up while working on this branch.

[codecov]

Codecov Report

Merging #138 (3b4f7ad) into main (97f841d) will increase coverage by 0.13%.
The diff coverage is 99.04%.

@@            Coverage Diff             @@
##             main     #138      +/-   ##
==========================================
+ Coverage   96.08%   96.21%   +0.13%     
==========================================
  Files          15       15              
  Lines        4108     4304     +196     
==========================================
+ Hits         3947     4141     +194     
- Misses        161      163       +2     

Files Changed	Coverage Δ
src/cert.rs	96.91% <ø> (ø)
src/x509.rs	97.91% <ø> (ø)
src/crl.rs	99.53% <98.07%> (-0.13%)	⬇️
src/verify_cert.rs	96.61% <99.35%> (+1.44%)	⬆️
src/end_entity.rs	100.00% <100.00%> (ø)
src/error.rs	50.00% <100.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[cpu]

I rebased this branch and addressed the first round of feedback but I've left is a draft because it's still missing test coverage. Will land that coverage ASAP and then flip this out of draft.

[cpu]

Rebased and added some initial test coverage. I'm going to keep this as a draft for a little bit longer, the coverage isn't 100% there yet and the Python is getting pretty messy. Closer to its final form if someone is feeling eager to review :-)

[cpu]

I think this branch is now ready for review. It's freshly rebased & there's now sufficient test coverage.

[cpu]

cpu marked this pull request as draft 2 minutes ago

Messed up my rebase and over-squashed. Fixing that up now.

[cpu]

Fixing that up now.

Done.

[cpu]

ci / Build+test (--no-default-features, stable, ubuntu-20.04) (pull_request) Failing after 2m

Looks like a network flake:

Caused by:
  failed to download from `[https://index.crates.io/3/s/syn`](https://index.crates.io/3/s/syn%60)

Caused by:
  [28] Timeout was reached (Operation too slow. Less than 10 bytes/sec transferred the last [30](https://github.com/rustls/webpki/actions/runs/5727388816/job/15519692580?pr=138#step:4:31) seconds)

Going to kick that task.

[cpu]

cpu force-pushed the cpu-221-enforce-coverage branch from 9ed69c4 to 3b4f7ad

Rebased and fixed conflicts. Queuing for merge. Thanks for the reviews!