Use more meaningful type for test roots

Author: djc

rustls-platform-verifier/src/lib.rs

@@ -2,9 +2,12 @@
 #![doc = include_str!("../README.md")]
 #![warn(missing_docs)]
 
-use rustls::{client::WantsClientCert, ClientConfig, ConfigBuilder, WantsVerifier};
 use std::sync::Arc;
 
+#[cfg(feature = "dbg")]
+use rustls::pki_types::CertificateDer;
+use rustls::{client::WantsClientCert, ClientConfig, ConfigBuilder, WantsVerifier};
+
 mod verification;
 pub use verification::Verifier;
 
@@ -84,7 +87,9 @@ pub fn tls_config_with_provider(
 ///
 /// This is not intended for production use, you should use [tls_config] instead.
 #[cfg(feature = "dbg")]
-pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::danger::ServerCertVerifier> {
+pub fn verifier_for_dbg(
+    root: CertificateDer<'static>,
+) -> Arc<dyn rustls::client::danger::ServerCertVerifier> {
     Arc::new(Verifier::new_with_fake_root(root))
 }
 

rustls-platform-verifier/src/tests/verification_mock/mod.rs

@@ -80,7 +80,8 @@ macro_rules! no_error {
     };
 }
 
-const ROOT1: &[u8] = include_bytes!("root1.crt");
+const ROOT1: pki_types::CertificateDer<'static> =
+    pki_types::CertificateDer::from_slice(include_bytes!("root1.crt"));
 const ROOT1_INT1: &[u8] = include_bytes!("root1-int1.crt");
 const ROOT1_INT1_EXAMPLE_COM_GOOD: &[u8] = include_bytes!("root1-int1-ee_example.com-good.crt");
 const ROOT1_INT1_LOCALHOST_IPV4_GOOD: &[u8] = include_bytes!("root1-int1-ee_127.0.0.1-good.crt");
@@ -340,7 +341,7 @@ fn test_with_mock_root<E: std::error::Error + PartialEq + 'static>(
     let verifier = match root_src {
         Roots::OnlyExtra => Verifier::new_with_fake_root(ROOT1), // TODO: time
         #[cfg(not(target_os = "android"))]
-        Roots::ExtraAndPlatform => Verifier::new_with_extra_roots([ROOT1.into()]).unwrap(),
+        Roots::ExtraAndPlatform => Verifier::new_with_extra_roots([ROOT1]).unwrap(),
     };
     let mut chain = test_case
         .chain

rustls-platform-verifier/src/verification/android.rs

@@ -46,7 +46,7 @@ const AUTH_TYPE: &str = "RSA";
 pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing"))]
-    test_only_root_ca_override: Option<Vec<u8>>,
+    test_only_root_ca_override: Option<pki_types::CertificateDer<'static>>,
     pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
 }
 
@@ -85,9 +85,9 @@ impl Verifier {
 
     /// Creates a test-only TLS certificate verifier which trusts our fake root CA cert.
     #[cfg(any(test, feature = "ffi-testing"))]
-    pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
+    pub(crate) fn new_with_fake_root(root: pki_types::CertificateDer<'static>) -> Self {
         Self {
-            test_only_root_ca_override: Some(root.into()),
+            test_only_root_ca_override: Some(root),
             crypto_provider: OnceCell::new(),
         }
     }

rustls-platform-verifier/src/verification/apple.rs

@@ -1,7 +1,5 @@
 use std::sync::Arc;
 
-use super::log_server_cert;
-use crate::verification::invalid_certificate;
 use core_foundation::date::CFDate;
 use core_foundation_sys::date::kCFAbsoluteTimeIntervalSince1970;
 use once_cell::sync::OnceCell;
@@ -16,6 +14,9 @@ use security_framework::{
     trust::SecTrust,
 };
 
+use super::log_server_cert;
+use crate::verification::invalid_certificate;
+
 mod errors {
     pub(super) use security_framework_sys::base::{
         errSecCertificateRevoked, errSecCreateChainFailed, errSecHostNameMismatch,
@@ -92,10 +93,10 @@ impl Verifier {
 
     /// Creates a test-only TLS certificate verifier which trusts our fake root CA cert.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
-    pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
+    pub(crate) fn new_with_fake_root(root: pki_types::CertificateDer<'static>) -> Self {
         Self {
             extra_roots: Vec::new(),
-            test_only_root_ca_override: Some(SecCertificate::from_der(root).unwrap()),
+            test_only_root_ca_override: Some(SecCertificate::from_der(root.as_ref()).unwrap()),
             crypto_provider: OnceCell::new(),
         }
     }

rustls-platform-verifier/src/verification/others.rs

@@ -2,7 +2,6 @@ use super::log_server_cert;
 use once_cell::sync::OnceCell;
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
 use rustls::client::WebPkiServerVerifier;
-use rustls::pki_types;
 use rustls::{
     crypto::CryptoProvider, CertificateError, DigitallySignedStruct, Error as TlsError, OtherError,
     SignatureScheme,
@@ -28,7 +27,7 @@ pub struct Verifier {
 
     /// Testing only: an additional root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
-    test_only_root_ca_override: Option<Vec<u8>>,
+    test_only_root_ca_override: Option<pki_types::CertificateDer<'static>>,
 
     pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
 }
@@ -73,11 +72,11 @@ impl Verifier {
 
     /// Creates a test-only TLS certificate verifier which trusts our fake root CA cert.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
-    pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
+    pub(crate) fn new_with_fake_root(root: pki_types::CertificateDer<'static>) -> Self {
         Self {
             inner: OnceCell::new(),
             extra_roots: Vec::new().into(),
-            test_only_root_ca_override: Some(root.into()),
+            test_only_root_ca_override: Some(root),
             crypto_provider: OnceCell::new(),
         }
     }

rustls-platform-verifier/src/verification/windows.rs

@@ -486,7 +486,7 @@ fn call_with_last_error<T, F: FnMut() -> Option<T>>(mut call: F) -> Result<T, Tl
 pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
-    test_only_root_ca_override: Option<Vec<u8>>,
+    test_only_root_ca_override: Option<pki_types::CertificateDer<'static>>,
     pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
     /// Extra trust anchors to add to the verifier above and beyond those provided by
     /// the system-provided trust stores.
@@ -529,9 +529,9 @@ impl Verifier {
 
     /// Creates a test-only TLS certificate verifier which trusts our fake root CA cert.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
-    pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
+    pub(crate) fn new_with_fake_root(root: pki_types::CertificateDer<'static>) -> Self {
         Self {
-            test_only_root_ca_override: Some(root.into()),
+            test_only_root_ca_override: Some(root),
             crypto_provider: OnceCell::new(),
             extra_roots: None,
         }