wip

wireapp · Oct 13, 2023 · a6318ff · a6318ff
1 parent 765c611
commit a6318ff
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 15 deletions.
diff --git a/openmls/src/credentials/certificate.rs b/openmls/src/credentials/certificate.rs
@@ -1,6 +1,5 @@
 use std::io::{Read, Write};
 
-use rustls_platform_verifier::CertificateDer;
 use serde::{Deserialize, Serialize};
 use tls_codec::VLBytes;
 use x509_cert::der::Decode;
@@ -64,35 +63,36 @@ impl Certificate {
         })
     }
 
-    fn get_end_entity(&self) -> Result<CertificateDer, CredentialError> {
+    fn get_end_entity(&self) -> Result<&[u8], CredentialError> {
         self.certificates
             .first()
             .map(VLBytes::as_slice)
-            .map(CertificateDer::from)
             .ok_or(CredentialError::InvalidCertificateChain)
     }
 
-    fn get_intermediates(&self) -> Result<Vec<CertificateDer>, CredentialError> {
+    fn get_intermediates(&self) -> Result<Vec<&[u8]>, CredentialError> {
         if self.certificates.len() < 2 {
             return Err(CredentialError::InvalidCertificateChain);
         }
         let intermediates = self.certificates.as_slice()[1..]
             .iter()
             .map(VLBytes::as_slice)
-            .map(CertificateDer::from)
             .collect::<Vec<_>>();
         Ok(intermediates)
     }
 
     pub fn verify(&self) -> Result<(), CredentialError> {
         let verifier = rustls_platform_verifier::WireClientVerifier::new();
 
-        let now = rustls_platform_verifier::UnixTime::now();
         let end_entity = self.get_end_entity()?;
         let intermediates = self.get_intermediates()?;
 
-        use rustls_platform_verifier::ClientCertVerifier as _;
-        verifier.verify_client_cert(&end_entity, &intermediates[..], now)?;
+        use rustls_platform_verifier::WireVerifier as _;
+        verifier.verify_client_cert(
+            &end_entity,
+            &intermediates[..],
+            rustls_platform_verifier::VerifyOptions::default(),
+        )?;
 
         Ok(())
     }

diff --git a/x509_credential/src/lib.rs b/x509_credential/src/lib.rs
@@ -4,7 +4,6 @@
 
 use base64::Engine;
 use openmls_basic_credential::SignatureKeyPair;
-use rustls_platform_verifier::CertificateDer;
 use x509_cert::der::Decode;
 
 use openmls_traits::{
@@ -27,19 +26,21 @@ impl CertificateKeyPair {
 
         let end_entity = cert_chain
             .get(0)
-            .map(|c| CertificateDer::from(c.as_slice()))
+            .map(|c| c.as_slice())
             .ok_or(CryptoError::IncompleteCertificateChain)?;
 
         let intermediates = cert_chain.as_slice()[1..]
             .into_iter()
-            .map(|c| CertificateDer::from(c.as_slice()))
+            .map(|c| c.as_slice())
             .collect::<Vec<_>>();
 
-        let now = rustls_platform_verifier::UnixTime::now();
-
-        use rustls_platform_verifier::ClientCertVerifier as _;
+        use rustls_platform_verifier::WireVerifier as _;
         verifier
-            .verify_client_cert(&end_entity, &intermediates[..], now)
+            .verify_client_cert(
+                &end_entity,
+                &intermediates[..],
+                rustls_platform_verifier::VerifyOptions::default(),
+            )
             .map_err(|_| CryptoError::InvalidCertificateChain)?;
 
         // We use x509_cert crate here because it is better at introspecting certs compared rustls which