From 685ffbbc404102e413974d4be632b216f2077996 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 30 Oct 2024 11:39:37 -0400 Subject: [PATCH] Pass VerificationCertificate slightly deeper in the callstack refs #11160 --- src/rust/cryptography-x509-verification/src/lib.rs | 2 +- .../cryptography-x509-verification/src/policy/mod.rs | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs index 5ae8ef90fe12..39b3da98a1b6 100644 --- a/src/rust/cryptography-x509-verification/src/lib.rs +++ b/src/rust/cryptography-x509-verification/src/lib.rs @@ -340,7 +340,7 @@ impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> { let issuer_extensions = issuing_cert_candidate.certificate().extensions()?; match self.policy.valid_issuer( issuing_cert_candidate, - working_cert.certificate(), + working_cert, current_depth, &issuer_extensions, ) { diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs index 5616a83a8ceb..cb526ac04357 100644 --- a/src/rust/cryptography-x509-verification/src/policy/mod.rs +++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs @@ -504,7 +504,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { pub(crate) fn valid_issuer( &self, issuer: &VerificationCertificate<'_, B>, - child: &Certificate<'_>, + child: &VerificationCertificate<'_, B>, current_depth: u8, issuer_extensions: &Extensions<'_>, ) -> Result<(), ValidationError> { @@ -520,7 +520,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { { return Err(ValidationError::Other(format!( "Forbidden public key algorithm: {:?}", - &child.tbs_cert.spki.algorithm + &issuer.certificate().tbs_cert.spki.algorithm ))); } @@ -532,11 +532,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> { // position). if !self .permitted_signature_algorithms - .contains(&child.signature_alg) + .contains(&child.certificate().signature_alg) { return Err(ValidationError::Other(format!( "Forbidden signature algorithm: {:?}", - &child.signature_alg + &child.certificate().signature_alg ))); } @@ -559,7 +559,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> { let pk = issuer .public_key(&self.ops) .map_err(|_| ValidationError::Other("issuer has malformed public key".to_string()))?; - if self.ops.verify_signed_by(child, pk).is_err() { + if self.ops.verify_signed_by(child.certificate(), pk).is_err() { return Err(ValidationError::Other( "signature does not match".to_string(), ));