add a method to collect DNS names from a certificate #42
Oops, looks like I picked a stale base branch and need to resolve conflicts. Setting this as WIP to fix that up.
All fixed up.
Would be nice to squash this all into a single commit (with a whole bunch of co-author lines).
Looks good to me, thanks for picking up this work!
I had one small suggestion that occurred to me while skimming this code.
Thanks for the review!
Done ☑️
Codecov Report
@@ Coverage Diff @@
## main #42 +/- ##
==========================================
- Coverage 94.17% 93.78% -0.40%
==========================================
Files 14 14
Lines 2505 2573 +68
==========================================
+ Hits 2359 2413 +54
- Misses 146 160 +14
This commit adds an `EndEntityCert::dns_names` method, which returns a list of the DNS names provided in the subject alternative names extension of the certificate.

Authored-by: Geoffroy Couprie geo.couprie@gmail.com
Co-authored-by: Sean McArthur sean@seanmonstar.com
Co-authored-by: Eliza Weisman eliza@buoyant.io
Co-authored-by: Daniel McCarney daniel@binaryparadox.net
Signed-off-by: Daniel McCarney daniel@binaryparadox.net
I'm amazed to see this merged, it took a few detours, but it's there!! Thanks!
This commit changes the `linkerd-meshtls-rustls` crate to use the upstream `rustls-webpki` crate, maintained by Rustls, rather than our fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes the change which was the initial motivation for the `linkerd/webpki` fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a release including a fix for an issue (rustls/webpki#167) which prevents `rustls-webpki` from parsing our test certificates has not yet been published. Once v0.101.5 of `rustls-webpki` is published (PR see rustls/webpki#170), we can remove the Git dep. For now, I've updated `cargo-deny` to allow the Git dependency.

---

* use `rustls-webpki` instead of `linkerd/webpki` (linkerd/linkerd2-proxy#2465)

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Adam Shaw <adam.shaw@vipps.no>
This branch adds an `EndEntityCert::dns_names` method, which returns a list of the DNS names provided in the subject alternative names extension of the certificate.

This branch is based on work done by @seanmonstar in briansmith/webpki#91, by @Geal in briansmith/webpki#103 and @hawkw in #6. The development train keeps chugging along in this branch :-)

In #6 @hawkw updated the changeset to track the `main` branch of the `rustls/webpki` repository. Since I wasn't able to push commits to the linkerd fork to continue developing in #6 I have addressed the feedback on that branch in this separate PR. The new changes are:

* `list_cert_dns_names` to return `impl Iterator` instead of a `Vec` based on @djc's feedback.
* `Eq`, `PartialEq`, etc flagged by @samlh in a drive-by review. Brian Smith implemented `Eq`, `PartialEq` and `Hash` for the `DNSName` type in briansmith/webpki@96de094 but the comments referring to not implementing them slipped through.
* `cargo fmt`, fixing `cargo clippy` findings, import drifts.
* `alloc` requirement on `Debug` impls with an allocation-free strategy for lowercasing.
* `RefCell` by changing the name iterator helper to accept an `impl FnMut` argument instead of `dyn Fn`.
* `WildcardDnsName` type.
* `GeneralDnsNameRef` type, and why `DnsNameRef` can't contain wildcards while `WildcardDnsNameRef` may.
* `AsRef<str>` for `GeneralDnsNameRef`.

Any bugs/errors are mine :-P
Closes #2
Replaces #6
Authored-by: Geoffroy Couprie geo.couprie@gmail.com
Co-authored-by: Sean McArthur sean@seanmonstar.com
Co-authored-by: Eliza Weisman eliza@buoyant.io
Co-authored-by: Daniel McCarney daniel@binaryparadox.net
Signed-off-by: Daniel McCarney daniel@binaryparadox.net
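
The shape described in the PR description above (a lazy iterator of names that keeps plain and wildcard names as distinct cases, and a `Debug` impl that lowercases without allocating) can be sketched with the standard library alone. This is an added example, not code from the PR or from webpki: `GeneralName`, `classify`, the free function `dns_names` and the simplified label syntax check are assumptions made for illustration, and the input is assumed to be SAN entries already decoded to text.

```rust
use std::fmt::{self, Write};

/// Illustrative stand-in for a validated SAN dNSName (not webpki's type).
#[derive(Clone, Copy)]
pub enum GeneralName<'a> {
    /// Plain host name: no wildcard label anywhere.
    Plain(&'a str),
    /// Name whose left-most label is exactly `*`.
    Wildcard(&'a str),
}

// Simplified check assumed here: labels of 1..=63 letters, digits, interior hyphens.
fn valid_labels(s: &str) -> bool {
    !s.is_empty() && s.split('.').all(|l| {
        !l.is_empty() && l.len() <= 63
            && !l.starts_with('-') && !l.ends_with('-')
            && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
    })
}

/// Classify one presented name; `None` means the entry is rejected.
pub fn classify(s: &str) -> Option<GeneralName<'_>> {
    match s.strip_prefix("*.") {
        Some(rest) if valid_labels(rest) => Some(GeneralName::Wildcard(s)),
        None if valid_labels(s) => Some(GeneralName::Plain(s)),
        _ => None,
    }
}

/// Lazily yield the acceptable names; nothing is collected into a Vec.
pub fn dns_names<'a>(san: &'a [&'a str]) -> impl Iterator<Item = GeneralName<'a>> + 'a {
    san.iter().copied().filter_map(|s| classify(s))
}

// Debug lowercases one char at a time, so no String is allocated.
impl fmt::Debug for GeneralName<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let (GeneralName::Plain(s) | GeneralName::Wildcard(s)) = *self;
        for c in s.chars() {
            f.write_char(c.to_ascii_lowercase())?;
        }
        Ok(())
    }
}

fn main() {
    let san = ["Example.COM", "*.Example.com", "bad..name", "f*o.example.com"];
    for name in dns_names(&san) { println!("{:?}", name); }
}
```

Keeping the wildcard case in its own variant means a caller that needs a concrete host name has to match on it explicitly rather than receiving `*.example.com` as if it were a reachable name.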