Merge pull request #273 from sfackler/macos-chain

sfackler · web-flow · commit adca3b76f1d6 · 2023-06-23T15:49:14.000-07:00
Exclude the leaf certificate from the chain when parsing PKCS#8 identities
diff --git a/build.rs b/build.rs
@@ -1,3 +1,4 @@
+#![allow(clippy::unusual_byte_groupings)]
 use std::env;
 
 fn main() {
diff --git a/src/imp/openssl.rs b/src/imp/openssl.rs
@@ -159,14 +159,14 @@ pub struct Identity {
 impl Identity {
     pub fn from_pkcs12(buf: &[u8], pass: &str) -> Result<Identity, Error> {
         let pkcs12 = Pkcs12::from_der(buf)?;
-        let parsed = pkcs12.parse(pass)?;
+        let parsed = pkcs12.parse2(pass)?;
         Ok(Identity {
-            pkey: parsed.pkey,
-            cert: parsed.cert,
+            pkey: parsed.pkey.ok_or_else(|| Error::EmptyChain)?,
+            cert: parsed.cert.ok_or_else(|| Error::EmptyChain)?,
             // > The stack is the reverse of what you might expect due to the way
             // > PKCS12_parse is implemented, so we need to load it backwards.
             // > https://github.com/sfackler/rust-native-tls/commit/05fb5e583be589ab63d9f83d986d095639f8ec44
-            chain: parsed.chain.into_iter().flatten().rev().collect(),
+            chain: parsed.ca.into_iter().flatten().rev().collect(),
         })
     }
 
diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs
@@ -106,13 +106,13 @@ impl Identity {
             .filename("key.pem")
             .items(&mut items)
             .keychain(&keychain)
-            .import(&key)?;
+            .import(key)?;
 
         ImportOptions::new()
             .filename("chain.pem")
             .items(&mut items)
             .keychain(&keychain)
-            .import(&pem)?;
+            .import(pem)?;
 
         let cert = items
             .certificates
@@ -121,7 +121,7 @@ impl Identity {
         let ident = SecIdentity::with_certificate(&[keychain], cert)?;
         Ok(Identity {
             identity: ident,
-            chain: items.certificates,
+            chain: items.certificates.into_iter().skip(1).collect(),
         })
     }
 
@@ -507,11 +507,7 @@ impl<S: io::Read + io::Write> TlsStream<S> {
             _ => return Ok(None),
         };
 
-        let algorithm = match section
-            .iter()
-            .filter(|p| p.label().to_string() == "Algorithm")
-            .next()
-        {
+        let algorithm = match section.iter().find(|p| p.label() == "Algorithm") {
             Some(property) => property,
             None => return Ok(None),
         };

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+#![allow(clippy::unusual_byte_groupings)]`
`1`	`2`	`use std::env;`
`2`	`3`
`3`	`4`	`fn main() {`