From c377b4349d3077d8dd3fad649d98ad1c55aa5a15 Mon Sep 17 00:00:00 2001 From: Megan Liu Date: Wed, 11 Dec 2024 13:00:56 -0800 Subject: [PATCH] address comments --- Cargo.toml | 3 --- src/cert.rs | 14 ++++---------- src/signer.rs | 2 +- src/store.rs | 12 ++++++------ 4 files changed, 11 insertions(+), 20 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 9ddd7ff..d52a1ee 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -16,9 +16,7 @@ no-default-features = true [dependencies] rustls = { version = "0.23", default-features = false, features = ["std"] } -sha2 = "0.10" windows-sys = { version = "0.59", features = ["Win32_Foundation", "Win32_Security_Cryptography"] } -aws-lc-rs = { version = "1", optional = true } [dev-dependencies] anyhow = "1" @@ -29,7 +27,6 @@ rustls-pki-types = "1" default = ["logging", "tls12", "aws-lc-rs"] aws-lc-rs = ["rustls/aws_lc_rs"] early-data = [] -aws-lc-bindgen = ["aws-lc-rs/bindgen"] fips = ["rustls/fips"] logging = ["rustls/logging"] ring = ["rustls/ring"] diff --git a/src/cert.rs b/src/cert.rs index ebbf34b..4eb4a02 100644 --- a/src/cert.rs +++ b/src/cert.rs @@ -90,7 +90,7 @@ impl CertContext { } /// Return DER-encoded X.509 certificate chain. - /// (1) exclude the root. (2) check leaf cert to determin to use HKLM engine or HKCU engine + // (1) exclude the root. (2) check leaf cert to determine to use HKLM engine or HKCU engine pub fn as_chain_der(&self) -> Result>> { unsafe { let param = CERT_CHAIN_PARA { @@ -135,14 +135,9 @@ impl CertContext { (*chain_ptr).cElement as usize, ); - let mut first = true; - for element in elements { - if first { - first = false; - } else { - if 0 != ((**element).TrustStatus.dwInfoStatus - & CERT_TRUST_IS_SELF_SIGNED) - { + for (index, element) in elements.iter().enumerate() { + if index != 0 { + if 0 != ((**element).TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) { break; } } @@ -153,7 +148,6 @@ impl CertContext { } CertFreeCertificateChain(&*context); - Ok(chain) } else { Err(CngError::from_win32_error()) diff --git a/src/signer.rs b/src/signer.rs index 9799d7b..3cb73d8 100644 --- a/src/signer.rs +++ b/src/signer.rs @@ -104,7 +104,7 @@ struct CngSigner { } impl CngSigner { - // new hash function using BCryptHash function which uses FIPS certified SymCrypt + // hash function using BCryptHash function which uses FIPS certified SymCrypt fn hash(&self, message: &[u8]) -> Result<(Vec, SignaturePadding), Error> { let (alg, padding) = match self.scheme { SignatureScheme::RSA_PKCS1_SHA256 => { diff --git a/src/store.rs b/src/store.rs index c911dcb..36a1eb3 100644 --- a/src/store.rs +++ b/src/store.rs @@ -136,12 +136,12 @@ impl CertStore { unsafe { self.do_find(CERT_FIND_HASH, &hash_blob as *const _ as _) } } - /// On later OS releases, we added CERT_FIND_SHA256_HASH. - /// However, rustls-cng could be installed on earlier OS release where this FIND_SHA256 isn't present. - /// But the CERT_SHA256_HASH_PROP_ID is present. - /// So will need to add a new internal find function that gets and compares the SHA256 property. - /// Also, since SHA1 is being deprecated, Windows components should not use. - /// Therefore, the need to find via SHA256 instead of SHA1. + // On later OS releases, we added CERT_FIND_SHA256_HASH. + // However, rustls-cng could be installed on earlier OS release where this FIND_SHA256 isn't present. + // But the CERT_SHA256_HASH_PROP_ID is present. + // So will need to add a new internal find function that gets and compares the SHA256 property. + // Also, since SHA1 is being deprecated, Windows components should not use. + // Therefore, the need to find via SHA256 instead of SHA1. /// Find list of certificates matching the SHA256 hash pub fn find_by_sha256(&self, hash: D) -> Result>