address comments

Author: MS-megliu

Cargo.toml

@@ -16,9 +16,7 @@ no-default-features = true
 
 [dependencies]
 rustls = { version = "0.23", default-features = false, features = ["std"] }
-sha2 = "0.10"
 windows-sys = { version = "0.59", features = ["Win32_Foundation", "Win32_Security_Cryptography"] }
-aws-lc-rs = { version = "1", optional = true }
 
 [dev-dependencies]
 anyhow = "1"
@@ -29,7 +27,6 @@ rustls-pki-types = "1"
 default = ["logging", "tls12", "aws-lc-rs"]
 aws-lc-rs = ["rustls/aws_lc_rs"]
 early-data = []
-aws-lc-bindgen = ["aws-lc-rs/bindgen"]
 fips = ["rustls/fips"]
 logging = ["rustls/logging"]
 ring = ["rustls/ring"]

src/cert.rs

@@ -90,7 +90,7 @@ impl CertContext {
     }
 
     /// Return DER-encoded X.509 certificate chain.
-    /// (1) exclude the root. (2) check leaf cert to determin to use HKLM engine or HKCU engine
+    // (1) exclude the root. (2) check leaf cert to determine to use HKLM engine or HKCU engine
     pub fn as_chain_der(&self) -> Result<Vec<Vec<u8>>> {
         unsafe {
             let param = CERT_CHAIN_PARA {
@@ -135,14 +135,9 @@ impl CertContext {
                         (*chain_ptr).cElement as usize,
                     );
 
-                    let mut first = true;
-                    for element in elements {
-                        if first {
-                            first = false;
-                        } else {
-                            if 0 != ((**element).TrustStatus.dwInfoStatus
-                                & CERT_TRUST_IS_SELF_SIGNED)
-                            {
+                    for (index, element) in elements.iter().enumerate() {
+                        if index != 0 {
+                            if 0 != ((**element).TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) {
                                 break;
                             }
                         }
@@ -153,7 +148,6 @@ impl CertContext {
                 }
 
                 CertFreeCertificateChain(&*context);
-
                 Ok(chain)
             } else {
                 Err(CngError::from_win32_error())

src/signer.rs

@@ -104,7 +104,7 @@ struct CngSigner {
 }
 
 impl CngSigner {
-    // new hash function using BCryptHash function which uses FIPS certified SymCrypt
+    // hash function using BCryptHash function which uses FIPS certified SymCrypt
     fn hash(&self, message: &[u8]) -> Result<(Vec<u8>, SignaturePadding), Error> {
         let (alg, padding) = match self.scheme {
             SignatureScheme::RSA_PKCS1_SHA256 => {

src/store.rs

@@ -136,12 +136,12 @@ impl CertStore {
         unsafe { self.do_find(CERT_FIND_HASH, &hash_blob as *const _ as _) }
     }
 
-    /// On later OS releases, we added CERT_FIND_SHA256_HASH.
-    /// However, rustls-cng could be installed on earlier OS release where this FIND_SHA256 isn't present.
-    /// But the CERT_SHA256_HASH_PROP_ID is present.
-    /// So will need to add a new internal find function that gets and compares the SHA256 property.
-    /// Also, since SHA1 is being deprecated, Windows components should not use.
-    /// Therefore, the need to find via SHA256 instead of SHA1.
+    // On later OS releases, we added CERT_FIND_SHA256_HASH.
+    // However, rustls-cng could be installed on earlier OS release where this FIND_SHA256 isn't present.
+    // But the CERT_SHA256_HASH_PROP_ID is present.
+    // So will need to add a new internal find function that gets and compares the SHA256 property.
+    // Also, since SHA1 is being deprecated, Windows components should not use.
+    // Therefore, the need to find via SHA256 instead of SHA1.
 
     /// Find list of certificates matching the SHA256 hash
     pub fn find_by_sha256<D>(&self, hash: D) -> Result<Vec<CertContext>>