use rustls-webpki instead of linkerd/webpki (#2465)

This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.

Author: hawkw

Cargo.lock

@@ -1408,11 +1408,11 @@ dependencies = [
  "linkerd-tls-test-util",
  "ring",
  "rustls-pemfile",
+ "rustls-webpki",
  "thiserror",
  "tokio",
  "tokio-rustls",
  "tracing",
- "webpki",
 ]
 
 [[package]]
@@ -2462,6 +2462,15 @@ dependencies = [
  "base64",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.101.5"
+source = "git+https://github.com/cpu/webpki?rev=702d57f444e3f7d743277524e832a2363290ec4d#702d57f444e3f7d743277524e832a2363290ec4d"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.11"
@@ -3149,8 +3158,9 @@ dependencies = [
 
 [[package]]
 name = "webpki"
-version = "0.22.0"
-source = "git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.22#a26def03ec88d3b69542ccd2f0073369ecedc4f9"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
 dependencies = [
  "ring",
  "untrusted",

Cargo.toml

@@ -82,4 +82,5 @@ debug = false
 lto = true
 
 [patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.22" }
+# remove this patch when https://github.com/rustls/webpki/pull/170 is published!
+rustls-webpki = { git = "https://github.com/cpu/webpki", rev = "702d57f444e3f7d743277524e832a2363290ec4d" }

deny.toml

@@ -72,8 +72,7 @@ skip-tree = [
 unknown-registry = "deny"
 unknown-git = "deny"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-
-[sources.allow-org]
-github = [
-    "linkerd",
+allow-git = [
+    # remove this when https://github.com/rustls/webpki/pull/170 is published!
+    "https://github.com/cpu/webpki",
 ]

linkerd/meshtls/rustls/Cargo.toml

@@ -19,11 +19,11 @@ linkerd-tls = { path = "../../tls" }
 linkerd-tls-test-util = { path = "../../tls/test-util", optional = true }
 ring = { version = "0.16", features = ["std"] }
 rustls-pemfile = "1.0"
+rustls-webpki = { version = "0.101.5", features = [ "std"] }
 thiserror = "1"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tokio-rustls = { version = "0.23", features = ["dangerous_configuration"] }
 tracing = "0.1"
-webpki = "0.22"
 
 [dev-dependencies]
 linkerd-tls-test-util = { path = "../../tls/test-util" }

linkerd/meshtls/rustls/src/creds/store.rs

@@ -239,9 +239,11 @@ impl rustls::server::ResolvesServerCert for CertResolver {
         hello: rustls::server::ClientHello<'_>,
     ) -> Option<Arc<rustls::sign::CertifiedKey>> {
         let server_name = match hello.server_name() {
-            Some(name) => webpki::DnsNameRef::try_from_ascii_str(name)
-                .expect("server name must be a valid server name"),
-
+            Some(name) => {
+                let name = webpki::DnsNameRef::try_from_ascii_str(name)
+                    .expect("server name must be a valid server name");
+                webpki::SubjectNameRef::DnsName(name)
+            }
             None => {
                 debug!("no SNI -> no certificate");
                 return None;
@@ -251,7 +253,7 @@ impl rustls::server::ResolvesServerCert for CertResolver {
         // Verify that our certificate is valid for the given SNI name.
         let c = self.0.cert.first()?;
         if let Err(error) = webpki::EndEntityCert::try_from(c.as_ref())
-            .and_then(|c| c.verify_is_valid_for_dns_name(server_name))
+            .and_then(|c| c.verify_is_valid_for_subject_name(server_name))
         {
             debug!(%error, "Local certificate is not valid for SNI");
             return None;

linkerd/meshtls/rustls/src/server.rs

@@ -130,18 +130,13 @@ fn client_identity<I>(tls: &tokio_rustls::server::TlsStream<I>) -> Option<Client
     let certs = session.peer_certificates()?;
     let c = certs.first().map(Certificate::as_ref)?;
     let end_cert = webpki::EndEntityCert::try_from(c).ok()?;
-    let dns_names = end_cert.dns_names().ok()?;
-
-    match dns_names.first()? {
-        webpki::GeneralDnsNameRef::DnsName(n) => {
-            let s: &str = (*n).into();
-            s.parse().ok().map(ClientId)
-        }
-        webpki::GeneralDnsNameRef::Wildcard(_) => {
-            // Wildcards can perhaps be handled in a future path...
-            None
-        }
+    let name: &str = end_cert.dns_names().ok()?.next().map(Into::into)?;
+    if name == "*" {
+        // Wildcards can perhaps be handled in a future path...
+        return None;
     }
+
+    name.parse().ok().map(ClientId)
 }
 
 // === impl ServerIo ===