From ef7a640d42cbf9746ed16abeeaea14efcd2c6e1e Mon Sep 17 00:00:00 2001 From: Michael Spiegel Date: Tue, 5 Dec 2023 09:07:26 -0500 Subject: [PATCH] create wepki-ccadb crate Change the webpki-roots repo to be a workspace that includes a crate that pulls the CCADB stuff and exposes an API. --- Cargo.toml | 10 +- README.md | 6 +- webpki-ccadb/Cargo.toml | 22 ++ webpki-ccadb/LICENSE | 373 ++++++++++++++++++ webpki-ccadb/README.md | 9 + .../src}/data/DigiCertGlobalRootCA.pem | 0 webpki-ccadb/src/lib.rs | 252 ++++++++++++ webpki-roots/Cargo.toml | 19 +- webpki-roots/tests/codegen.rs | 244 +----------- 9 files changed, 678 insertions(+), 257 deletions(-) create mode 100644 webpki-ccadb/Cargo.toml create mode 100644 webpki-ccadb/LICENSE create mode 100644 webpki-ccadb/README.md rename {webpki-roots/tests => webpki-ccadb/src}/data/DigiCertGlobalRootCA.pem (100%) create mode 100644 webpki-ccadb/src/lib.rs diff --git a/Cargo.toml b/Cargo.toml index 03b815b..5abdc90 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,8 +1,14 @@ [workspace] -members = [ "webpki-roots" ] +members = [ "webpki-ccadb", "webpki-roots" ] [workspace.package] edition = "2018" -license = "MPL-2.0" homepage = "https://github.com/rustls/webpki-roots" repository = "https://github.com/rustls/webpki-roots" + +[workspace.dependencies] +hex = "0.4.3" +pki-types = { package = "rustls-pki-types", version = "1", default-features = false } +webpki = { package = "rustls-webpki", version = "0.102", features = ["alloc"] } +x509-parser = "0.15.1" +yasna = "0.5.2" diff --git a/README.md b/README.md index 8373383..5ecff03 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,9 @@ -This workspace contains the crate webpki-roots. +This workspace contains the crates webpki-roots and webpki-ccadb. The webpki-roots crate contains Mozilla's root certificates for use with the [webpki](https://github.com/rustls/webpki) or [rustls](https://github.com/rustls/rustls) crates. + +The webpki-ccadb crate populates the root certificates for the webpki-roots crate +using the data provided by the [Common CA Database (CCADB)](https://www.ccadb.org/). +Inspired by [certifi.io](https://certifi.io/en/latest/). diff --git a/webpki-ccadb/Cargo.toml b/webpki-ccadb/Cargo.toml new file mode 100644 index 0000000..3a477ee --- /dev/null +++ b/webpki-ccadb/Cargo.toml @@ -0,0 +1,22 @@ +[package] +name = "webpki-ccadb" +version = "0.1.0" +edition = { workspace = true } +readme = "README.md" +license = "MPL-2.0" +homepage = { workspace = true } +repository = { workspace = true } +description = "Common CA Database (CCADB) interface for use with webpki-roots" + +[dependencies] +chrono = { version = "0.4.26", default-features = false, features = ["clock"] } +csv = "1.2.2" +hex = { workspace = true } +num-bigint = "0.4.3" +pki-types = { workspace = true } +reqwest = { version = "0.11", features = ["rustls-tls-manual-roots"] } +rustls-pemfile = "2.0.0" +serde = { version = "1.0.183", features = ["derive"] } +webpki = { workspace = true } +x509-parser = { workspace = true } +yasna = { workspace = true } diff --git a/webpki-ccadb/LICENSE b/webpki-ccadb/LICENSE new file mode 100644 index 0000000..14e2f77 --- /dev/null +++ b/webpki-ccadb/LICENSE @@ -0,0 +1,373 @@ +Mozilla Public License Version 2.0 +================================== + +1. Definitions +-------------- + +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. + +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. "Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. * +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. +Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. diff --git a/webpki-ccadb/README.md b/webpki-ccadb/README.md new file mode 100644 index 0000000..6a58da6 --- /dev/null +++ b/webpki-ccadb/README.md @@ -0,0 +1,9 @@ +# webpki-ccadb +This is a crate to fetch Mozilla's root certificates for use with +[webpki-roots](https://github.com/rustls/webpki-roots) crate. + +This crate is inspired by [certifi.io](https://certifi.io/en/latest/) and +uses the data provided by the [Common CA Database (CCADB)](https://www.ccadb.org/). + +[![webpki-ccadb](https://github.com/rustls/webpki-roots/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/rustls/webpki-roots/actions/workflows/build.yml) +[![Crate](https://img.shields.io/crates/v/webpki-ccadb.svg)](https://crates.io/crates/webpki-ccadb) diff --git a/webpki-roots/tests/data/DigiCertGlobalRootCA.pem b/webpki-ccadb/src/data/DigiCertGlobalRootCA.pem similarity index 100% rename from webpki-roots/tests/data/DigiCertGlobalRootCA.pem rename to webpki-ccadb/src/data/DigiCertGlobalRootCA.pem diff --git a/webpki-ccadb/src/lib.rs b/webpki-ccadb/src/lib.rs new file mode 100644 index 0000000..4b883a4 --- /dev/null +++ b/webpki-ccadb/src/lib.rs @@ -0,0 +1,252 @@ +use std::cmp::Ordering; +use std::collections::{BTreeMap, HashSet}; + +use chrono::{NaiveDate, Utc}; +use num_bigint::BigUint; +use pki_types::CertificateDer; +use serde::Deserialize; + +// Fetch root certificate data from the CCADB server. +// +// Returns an ordered BTreeMap of the root certificates, keyed by the SHA256 fingerprint of the +// certificate. Panics if there are any duplicate fingerprints. +pub async fn fetch_ccadb_roots() -> BTreeMap { + // Configure a Reqwest client that only trusts the CA certificate expected to be the + // root of trust for the CCADB server. + // + // If we see Unknown CA TLS validation failures from the Reqwest client in the future it + // likely indicates that the upstream service has changed certificate authorities. In this + // case the vendored root CA will need to be updated. You can find the current root in use with + // Chrome by: + // 1. Navigating to `https://ccadb-public.secure.force.com/mozilla/` + // 2. Clicking the lock icon. + // 3. Clicking "Connection is secure" + // 4. Clicking "Certificate is valid" + // 5. Clicking the "Details" tab. + // 6. Selecting the topmost "System Trust" entry. + // 7. Clicking "Export..." and saving the certificate to `webpki-roots/webpki-ccadb/src/data/`. + // 8. Committing the updated .pem root CA, and updating the `include_bytes!` path. + let root = include_bytes!("data/DigiCertGlobalRootCA.pem"); + let root = reqwest::Certificate::from_pem(root).unwrap(); + let client = reqwest::Client::builder() + .user_agent(format!("webpki-ccadb/v{}", env!("CARGO_PKG_VERSION"))) + .add_root_certificate(root) + .build() + .unwrap(); + + let ccadb_url = + "https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV"; + eprintln!("fetching {ccadb_url}..."); + + let req = client.get(ccadb_url).build().unwrap(); + let csv_data = client + .execute(req) + .await + .expect("failed to fetch CSV") + .text() + .await + .unwrap(); + + // Parse the CSV metadata. + let metadata = csv::ReaderBuilder::new() + .has_headers(true) + .from_reader(csv_data.as_bytes()) + .into_deserialize::() + .collect::, _>>() + .unwrap(); + + // Filter for just roots with the TLS trust bit that are not distrusted as of today's date. + let trusted_tls_roots = metadata + .into_iter() + .filter(|root| root.trusted_for_tls(&Utc::now().naive_utc().date())) + .collect::>(); + + // Create an ordered BTreeMap of the roots, panicking for any duplicates. + let mut tls_roots_map = BTreeMap::new(); + for root in trusted_tls_roots { + match tls_roots_map.get(&root.sha256_fingerprint) { + Some(_) => { + panic!("duplicate fingerprint {}", root.sha256_fingerprint); + } + None => { + tls_roots_map.insert(root.sha256_fingerprint.clone(), root); + } + } + } + + tls_roots_map +} + +#[derive(Debug, Clone, Hash, Eq, PartialEq, Deserialize)] +pub struct CertificateMetadata { + #[serde(rename = "Common Name or Certificate Name")] + pub common_name_or_certificate_name: String, + + #[serde(rename = "Certificate Serial Number")] + pub certificate_serial_number: String, + + #[serde(rename = "SHA-256 Fingerprint")] + pub sha256_fingerprint: String, + + #[serde(rename = "Trust Bits")] + pub trust_bits: String, + + #[serde(rename = "Distrust for TLS After Date")] + pub distrust_for_tls_after_date: String, + + #[serde(rename = "Mozilla Applied Constraints")] + pub mozilla_applied_constraints: String, + + #[serde(rename = "PEM Info")] + pub pem_info: String, +} + +impl CertificateMetadata { + /// Returns true iff the certificate has valid TrustBits that include TrustBits::Websites, + /// and the certificate has no distrust for TLS after date, or has a valid distrust + /// for TLS after date that is in the future compared to `now`. In all other cases this function + /// returns false. + fn trusted_for_tls(&self, now: &NaiveDate) -> bool { + let has_tls_trust_bit = self.trust_bits().contains(&TrustBits::Websites); + + match (has_tls_trust_bit, self.tls_distrust_after()) { + // No website trust bit - not trusted for tls. + (false, _) => false, + // Has website trust bit, no distrust after - trusted for tls. + (true, None) => true, + // Trust bit, populated distrust after - need to check date to decide. + (true, Some(tls_distrust_after)) => { + match now.cmp(&tls_distrust_after).is_ge() { + // We're past the distrust date - skip. + true => false, + // We haven't yet reached the distrust date - include. + false => true, + } + } + } + } + + /// Return the Mozilla applied constraints for the certificate (if any). The constraints + /// will be encoded in the DER form expected by the webpki crate's TrustAnchor representation. + pub fn mozilla_applied_constraints(&self) -> Option> { + if self.mozilla_applied_constraints.is_empty() { + return None; + } + + // NOTE: To date there's only one CA with a applied constraints value, and it has only one + // permitted subtree constraint imposed. It's not clear how multiple constraints would be + // expressed. This method makes a best guess but may need to be revisited in the future. + // https://groups.google.com/a/ccadb.org/g/public/c/TlDivISPVT4/m/jbWGuM4YAgAJ + let included_subtrees = self.mozilla_applied_constraints.split(','); + + // Important: the webpki representation of name constraints elides: + // - the outer BITSTRING of the X.509 extension value. + // - the outer NameConstraints SEQUENCE over the permitted/excluded subtrees. + // + // See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10 + let der = yasna::construct_der(|writer| { + // permittedSubtrees [0] + writer.write_tagged_implicit(yasna::Tag::context(0), |writer| { + // GeneralSubtrees + writer.write_sequence(|writer| { + for included_subtree in included_subtrees { + // base GeneralName + writer.next().write_sequence(|writer| { + writer + .next() + // DnsName + .write_tagged_implicit(yasna::Tag::context(2), |writer| { + writer + .write_ia5_string(included_subtree.trim_start_matches('*')) + }) + }) + // minimum [0] (absent, 0 default) + // maximum [1] (must be omitted). + } + }) + }) + }); + + Some(der) + } + + /// Return the NaiveDate after which this certificate should not be trusted for TLS (if any). + /// Panics if there is a distrust for TLS after date value that can not be parsed. + fn tls_distrust_after(&self) -> Option { + match &self.distrust_for_tls_after_date { + date if date.is_empty() => None, + date => Some( + NaiveDate::parse_from_str(date, "%Y.%m.%d") + .unwrap_or_else(|_| panic!("invalid distrust for tls after date: {:?}", date)), + ), + } + } + + /// Returns the DER encoding of the certificate contained in the metadata PEM. Panics if + /// there is an error, or no certificate in the PEM content. + pub fn der(&self) -> CertificateDer<'static> { + rustls_pemfile::certs(&mut self.pem().as_bytes()) + .next() + .unwrap() + .expect("invalid PEM") + } + + /// Returns the serial number for the certificate. Panics if the certificate serial number + /// from the metadata can not be parsed as a base 16 unsigned big integer. + pub fn serial(&self) -> BigUint { + BigUint::parse_bytes(self.certificate_serial_number.as_bytes(), 16) + .expect("invalid certificate serial number") + } + + /// Returns the colon separated string with the metadata SHA256 fingerprint for the + /// certificate. Panics if the sha256 fingerprint from the metadata can't be decoded. + pub fn sha256_fp(&self) -> String { + x509_parser::utils::format_serial( + &hex::decode(&self.sha256_fingerprint).expect("invalid sha256 fingerprint"), + ) + } + + /// Returns the set of trust bits expressed for this certificate. Panics if the raw + /// trust bits are invalid/unknown. + fn trust_bits(&self) -> HashSet { + self.trust_bits.split(';').map(TrustBits::from).collect() + } + + /// Returns the PEM metadata for the certificate with the leading/trailing single quotes + /// removed. + pub fn pem(&self) -> &str { + self.pem_info.as_str().trim_matches('\'') + } +} + +impl PartialOrd for CertificateMetadata { + fn partial_cmp(&self, other: &Self) -> Option { + Some(self.sha256_fingerprint.cmp(&other.sha256_fingerprint)) + } +} + +impl Ord for CertificateMetadata { + fn cmp(&self, other: &Self) -> Ordering { + self.sha256_fingerprint.cmp(&other.sha256_fingerprint) + } +} + +#[derive(Debug, Hash, Eq, PartialEq, Clone, Copy)] +#[non_exhaustive] +/// TrustBits describe the possible Mozilla root certificate trust bits. +pub enum TrustBits { + /// certificate is trusted for Websites (e.g. TLS). + Websites, + /// certificate is trusted for Email (e.g. S/MIME). + Email, +} + +impl From<&str> for TrustBits { + fn from(value: &str) -> Self { + match value { + "Websites" => TrustBits::Websites, + "Email" => TrustBits::Email, + val => panic!("unknown trust bit: {:?}", val), + } + } +} diff --git a/webpki-roots/Cargo.toml b/webpki-roots/Cargo.toml index 1a5368e..518b437 100644 --- a/webpki-roots/Cargo.toml +++ b/webpki-roots/Cargo.toml @@ -3,27 +3,22 @@ name = "webpki-roots" version = "0.26.0" edition = { workspace = true } readme = "README.md" -license = { workspace = true } +license = "MPL-2.0" homepage = { workspace = true } repository = { workspace = true } description = "Mozilla's CA root certificates for use with webpki" [dependencies] -pki-types = { package = "rustls-pki-types", version = "1", default-features = false } +pki-types = { workspace = true } [dev-dependencies] -chrono = { version = "0.4.26", default-features = false, features = ["clock"] } -csv = "1.2.2" -hex = "0.4.3" -num-bigint = "0.4.3" +hex = { workspace = true } percent-encoding = "2.3" rcgen = "0.11.1" -reqwest = { version = "0.11", features = ["rustls-tls-manual-roots"] } ring = "0.17.0" -rustls-pemfile = "2.0.0" rustls = "0.22" -serde = { version = "1.0.183", features = ["derive"] } tokio = { version = "1", features = ["macros", "rt-multi-thread"] } -webpki = { package = "rustls-webpki", version = "0.102", features = ["alloc"] } -x509-parser = "0.15.1" -yasna = "0.5.2" +webpki = { workspace = true } +webpki-ccadb = { path = "../webpki-ccadb" } +x509-parser = { workspace = true } +yasna = { workspace = true } diff --git a/webpki-roots/tests/codegen.rs b/webpki-roots/tests/codegen.rs index 927387e..fb67dbc 100644 --- a/webpki-roots/tests/codegen.rs +++ b/webpki-roots/tests/codegen.rs @@ -1,83 +1,17 @@ use std::ascii::escape_default; -use std::cmp::Ordering; -use std::collections::{BTreeMap, HashSet}; use std::fmt::Write; use std::fs; -use chrono::{NaiveDate, Utc}; -use num_bigint::BigUint; use pki_types::CertificateDer; use ring::digest; -use serde::Deserialize; use webpki::anchor_from_trusted_cert; +use webpki_ccadb::fetch_ccadb_roots; use x509_parser::prelude::AttributeTypeAndValue; use x509_parser::x509::X509Name; #[tokio::test] async fn new_generated_code_is_fresh() { - // Configure a Reqwest client that only trusts the CA certificate expected to be the - // root of trust for the CCADB server. - // - // If we see Unknown CA TLS validation failures from the Reqwest client in the future it - // likely indicates that the upstream service has changed certificate authorities. In this - // case the vendored root CA will need to be updated. You can find the current root in use with - // Chrome by: - // 1. Navigating to `https://ccadb-public.secure.force.com/mozilla/` - // 2. Clicking the lock icon. - // 3. Clicking "Connection is secure" - // 4. Clicking "Certificate is valid" - // 5. Clicking the "Details" tab. - // 6. Selecting the topmost "System Trust" entry. - // 7. Clicking "Export..." and saving the certificate to `webpki-roots/tests/data/`. - // 8. Committing the updated .pem root CA, and updating the `include_bytes!` path. - let root = include_bytes!("data/DigiCertGlobalRootCA.pem"); - let root = reqwest::Certificate::from_pem(root).unwrap(); - let client = reqwest::Client::builder() - .user_agent(format!("webpki-roots/v{}", env!("CARGO_PKG_VERSION"))) - .add_root_certificate(root) - .build() - .unwrap(); - - let ccadb_url = - "https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV"; - eprintln!("fetching {ccadb_url}..."); - - let req = client.get(ccadb_url).build().unwrap(); - let csv_data = client - .execute(req) - .await - .expect("failed to fetch CSV") - .text() - .await - .unwrap(); - - // Parse the CSV metadata. - let metadata = csv::ReaderBuilder::new() - .has_headers(true) - .from_reader(csv_data.as_bytes()) - .into_deserialize::() - .collect::, _>>() - .unwrap(); - - // Filter for just roots with the TLS trust bit that are not distrusted as of today's date. - let trusted_tls_roots = metadata - .into_iter() - .filter(|root| root.trusted_for_tls(&Utc::now().naive_utc().date())) - .collect::>(); - - // Create an ordered BTreeMap of the roots, panicking for any duplicates. - let mut tls_roots_map = BTreeMap::new(); - for root in trusted_tls_roots { - match tls_roots_map.get(&root.sha256_fingerprint) { - Some(_) => { - panic!("duplicate fingerprint {}", root.sha256_fingerprint); - } - None => { - tls_roots_map.insert(root.sha256_fingerprint.clone(), root); - } - } - } - + let tls_roots_map = fetch_ccadb_roots().await; let mut code = String::with_capacity(256 * 1_024); code.push_str(HEADER); code.push_str("pub const TLS_SERVER_ROOTS: &[TrustAnchor] = &[\n"); @@ -201,180 +135,6 @@ fn name_to_string(name: &X509Name) -> String { ret } -#[derive(Debug, Clone, Hash, Eq, PartialEq, Deserialize)] -pub struct CertificateMetadata { - #[serde(rename = "Common Name or Certificate Name")] - pub common_name_or_certificate_name: String, - - #[serde(rename = "Certificate Serial Number")] - pub certificate_serial_number: String, - - #[serde(rename = "SHA-256 Fingerprint")] - pub sha256_fingerprint: String, - - #[serde(rename = "Trust Bits")] - pub trust_bits: String, - - #[serde(rename = "Distrust for TLS After Date")] - pub distrust_for_tls_after_date: String, - - #[serde(rename = "Mozilla Applied Constraints")] - pub mozilla_applied_constraints: String, - - #[serde(rename = "PEM Info")] - pub pem_info: String, -} - -impl CertificateMetadata { - /// Returns true iff the certificate has valid TrustBits that include TrustBits::Websites, - /// and the certificate has no distrust for TLS after date, or has a valid distrust - /// for TLS after date that is in the future compared to `now`. In all other cases this function - /// returns false. - fn trusted_for_tls(&self, now: &NaiveDate) -> bool { - let has_tls_trust_bit = self.trust_bits().contains(&TrustBits::Websites); - - match (has_tls_trust_bit, self.tls_distrust_after()) { - // No website trust bit - not trusted for tls. - (false, _) => false, - // Has website trust bit, no distrust after - trusted for tls. - (true, None) => true, - // Trust bit, populated distrust after - need to check date to decide. - (true, Some(tls_distrust_after)) => { - match now.cmp(&tls_distrust_after).is_ge() { - // We're past the distrust date - skip. - true => false, - // We haven't yet reached the distrust date - include. - false => true, - } - } - } - } - - /// Return the Mozilla applied constraints for the certificate (if any). The constraints - /// will be encoded in the DER form expected by the webpki crate's TrustAnchor representation. - fn mozilla_applied_constraints(&self) -> Option> { - if self.mozilla_applied_constraints.is_empty() { - return None; - } - - // NOTE: To date there's only one CA with a applied constraints value, and it has only one - // permitted subtree constraint imposed. It's not clear how multiple constraints would be - // expressed. This method makes a best guess but may need to be revisited in the future. - // https://groups.google.com/a/ccadb.org/g/public/c/TlDivISPVT4/m/jbWGuM4YAgAJ - let included_subtrees = self.mozilla_applied_constraints.split(','); - - // Important: the webpki representation of name constraints elides: - // - the outer BITSTRING of the X.509 extension value. - // - the outer NameConstraints SEQUENCE over the permitted/excluded subtrees. - // - // See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10 - let der = yasna::construct_der(|writer| { - // permittedSubtrees [0] - writer.write_tagged_implicit(yasna::Tag::context(0), |writer| { - // GeneralSubtrees - writer.write_sequence(|writer| { - for included_subtree in included_subtrees { - // base GeneralName - writer.next().write_sequence(|writer| { - writer - .next() - // DnsName - .write_tagged_implicit(yasna::Tag::context(2), |writer| { - writer - .write_ia5_string(included_subtree.trim_start_matches('*')) - }) - }) - // minimum [0] (absent, 0 default) - // maximum [1] (must be omitted). - } - }) - }) - }); - - Some(der) - } - - /// Return the NaiveDate after which this certificate should not be trusted for TLS (if any). - /// Panics if there is a distrust for TLS after date value that can not be parsed. - fn tls_distrust_after(&self) -> Option { - match &self.distrust_for_tls_after_date { - date if date.is_empty() => None, - date => Some( - NaiveDate::parse_from_str(date, "%Y.%m.%d") - .unwrap_or_else(|_| panic!("invalid distrust for tls after date: {:?}", date)), - ), - } - } - - /// Returns the DER encoding of the certificate contained in the metadata PEM. Panics if - /// there is an error, or no certificate in the PEM content. - fn der(&self) -> CertificateDer<'static> { - rustls_pemfile::certs(&mut self.pem().as_bytes()) - .next() - .unwrap() - .expect("invalid PEM") - } - - /// Returns the serial number for the certificate. Panics if the certificate serial number - /// from the metadata can not be parsed as a base 16 unsigned big integer. - pub fn serial(&self) -> BigUint { - BigUint::parse_bytes(self.certificate_serial_number.as_bytes(), 16) - .expect("invalid certificate serial number") - } - - /// Returns the colon separated string with the metadata SHA256 fingerprint for the - /// certificate. Panics if the sha256 fingerprint from the metadata can't be decoded. - pub fn sha256_fp(&self) -> String { - x509_parser::utils::format_serial( - &hex::decode(&self.sha256_fingerprint).expect("invalid sha256 fingerprint"), - ) - } - - /// Returns the set of trust bits expressed for this certificate. Panics if the raw - /// trust bits are invalid/unknown. - fn trust_bits(&self) -> HashSet { - self.trust_bits.split(';').map(TrustBits::from).collect() - } - - /// Returns the PEM metadata for the certificate with the leading/trailing single quotes - /// removed. - fn pem(&self) -> &str { - self.pem_info.as_str().trim_matches('\'') - } -} - -impl PartialOrd for CertificateMetadata { - fn partial_cmp(&self, other: &Self) -> Option { - Some(self.sha256_fingerprint.cmp(&other.sha256_fingerprint)) - } -} - -impl Ord for CertificateMetadata { - fn cmp(&self, other: &Self) -> Ordering { - self.sha256_fingerprint.cmp(&other.sha256_fingerprint) - } -} - -#[derive(Debug, Hash, Eq, PartialEq, Clone, Copy)] -#[non_exhaustive] -/// TrustBits describe the possible Mozilla root certificate trust bits. -pub enum TrustBits { - /// certificate is trusted for Websites (e.g. TLS). - Websites, - /// certificate is trusted for Email (e.g. S/MIME). - Email, -} - -impl From<&str> for TrustBits { - fn from(value: &str) -> Self { - match value { - "Websites" => TrustBits::Websites, - "Email" => TrustBits::Email, - val => panic!("unknown trust bit: {:?}", val), - } - } -} - const HEADER: &str = r#"//! A compiled-in copy of the root certificates trusted by Mozilla. //! //! To use this library with rustls 0.22: