Bump to rust-webpki 0.22.0
authorRoy7Kim <myoungwoon.kim@samsung.com>
Wed, 15 Mar 2023 08:19:44 +0000 (17:19 +0900)
committerRoy7Kim <myoungwoon.kim@samsung.com>
Wed, 15 Mar 2023 08:19:44 +0000 (17:19 +0900)
packaging/extern.patch [new file with mode: 0644]
packaging/rust-webpki.manifest [new file with mode: 0644]
packaging/rust-webpki.spec [new file with mode: 0644]

diff --git a/packaging/extern.patch b/packaging/extern.patch
new file mode 100644 (file)
index 0000000..d5e062e
--- /dev/null
@@ -0,0 +1,102 @@
+diff --git a/src/cert.rs b/src/cert.rs
+index 7c76f2e..8a7c33e 100644
+--- a/src/cert.rs
++++ b/src/cert.rs
+@@ -66,7 +66,7 @@ pub(crate) fn parse_cert_internal<'a>(
+         // TODO: In mozilla::pkix, the comparison is done based on the
+         // normalized value (ignoring whether or not there is an optional NULL
+         // parameter for RSA-based algorithms), so this may be too strict.
+-        if signature != signed_data.algorithm {
++        if signature.as_slice_less_safe() != signed_data.algorithm.as_slice_less_safe() {
+             return Err(Error::SignatureAlgorithmMismatch);
+         }
+diff --git a/src/lib.rs b/src/lib.rs
+index ce9e71a..d0bb038 100644
+--- a/src/lib.rs
++++ b/src/lib.rs
+@@ -41,6 +41,8 @@
+ #[cfg(any(test, feature = "alloc"))]
+ #[cfg_attr(test, macro_use)]
+ extern crate alloc;
++extern crate ring;
++extern crate untrusted;
+ #[macro_use]
+ mod der;
+diff --git a/src/name/verify.rs b/src/name/verify.rs
+index 6082c19..63f73bd 100644
+--- a/src/name/verify.rs
++++ b/src/name/verify.rs
+@@ -234,7 +234,7 @@ fn presented_directory_name_matches_constraint(
+     subtrees: Subtrees,
+ ) -> bool {
+     match subtrees {
+-        Subtrees::PermittedSubtrees => name == constraint,
++        Subtrees::PermittedSubtrees => name.as_slice_less_safe() == constraint.as_slice_less_safe(),
+         Subtrees::ExcludedSubtrees => true,
+     }
+ }
+diff --git a/src/signed_data.rs b/src/signed_data.rs
+index 834f907..bd94c68 100644
+--- a/src/signed_data.rs
++++ b/src/signed_data.rs
+@@ -312,7 +312,7 @@ struct AlgorithmIdentifier {
+ impl AlgorithmIdentifier {
+     fn matches_algorithm_id_value(&self, encoded: untrusted::Input) -> bool {
+-        encoded == self.asn1_id_value
++        encoded.as_slice_less_safe() == self.asn1_id_value.as_slice_less_safe()
+     }
+ }
+diff --git a/src/verify_cert.rs b/src/verify_cert.rs
+index c68e6cf..fca933e 100644
+--- a/src/verify_cert.rs
++++ b/src/verify_cert.rs
+@@ -55,7 +55,7 @@ pub fn build_chain(
+     match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
+         let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
+-        if cert.issuer != trust_anchor_subject {
++        if cert.issuer.as_slice_less_safe() != trust_anchor_subject.as_slice_less_safe() {
+             return Err(Error::UnknownIssuer);
+         }
+@@ -85,15 +85,15 @@ pub fn build_chain(
+         let potential_issuer =
+             cert::parse_cert(untrusted::Input::from(*cert_der), EndEntityOrCa::Ca(&cert))?;
+-        if potential_issuer.subject != cert.issuer {
++        if potential_issuer.subject.as_slice_less_safe() != cert.issuer.as_slice_less_safe() {
+             return Err(Error::UnknownIssuer);
+         }
+         // Prevent loops; see RFC 4158 section 5.2.
+         let mut prev = cert;
+         loop {
+-            if potential_issuer.spki.value() == prev.spki.value()
+-                && potential_issuer.subject == prev.subject
++            if potential_issuer.spki.value().as_slice_less_safe() == prev.spki.value().as_slice_less_safe()
++                && potential_issuer.subject.as_slice_less_safe() == prev.subject.as_slice_less_safe()
+             {
+                 return Err(Error::UnknownIssuer);
+             }
+@@ -302,7 +302,7 @@ fn check_eku(
+         Some(input) => {
+             loop {
+                 let value = der::expect_tag_and_get_value(input, der::Tag::OID)?;
+-                if value == required_eku_if_present.oid_value {
++                if value.as_slice_less_safe() == required_eku_if_present.oid_value.as_slice_less_safe() {
+                     input.skip_to_end();
+                     break;
+                 }
+@@ -322,7 +322,7 @@ fn check_eku(
+             // important that id-kp-OCSPSigning is explicit so that a normal
+             // end-entity certificate isn't able to sign trusted OCSP responses
+             // for itself or for other certificates issued by its issuing CA.
+-            if required_eku_if_present.oid_value == EKU_OCSP_SIGNING.oid_value {
++            if required_eku_if_present.oid_value.as_slice_less_safe() == EKU_OCSP_SIGNING.oid_value.as_slice_less_safe() {
+                 return Err(Error::RequiredEkuNotFound);
+             }
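Review bot: extern.patch has no header explaining why the `untrusted::Input` equality tests in webpki's trust-decision code are rewritten to compare `as_slice_less_safe()` slices; the edits touch the signature-algorithm match in src/cert.rs, the directory-name constraint in src/name/verify.rs, and the issuer, subject, SPKI and EKU checks in src/verify_cert.rs. Presumably the packaged `untrusted` does not provide `PartialEq` on `Input`; if so, state that in free text above the first `diff --git` line, e.g. `# Adapts webpki 0.22.0 to untrusted <packaged version>: Input has no PartialEq; byte-for-byte comparison of public values, no behaviour change.` Because these comparisons decide whether a chain is trusted, routing them through one helper such as `fn public_values_eq(a: untrusted::Input, b: untrusted::Input) -> bool { a.as_slice_less_safe() == b.as_slice_less_safe() }` would leave a single place to audit on the next version bump instead of every edited call site. The added `extern crate ring;` and `extern crate untrusted;` lines in src/lib.rs deserve the same one-line explanation.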
diff --git a/packaging/rust-webpki.manifest b/packaging/rust-webpki.manifest
new file mode 100644 (file)
index 0000000..017d22d
--- /dev/null
@@ -0,0 +1,5 @@
+<manifest>
+ <request>
+    <domain name="_"/>
+ </request>
+</manifest>
diff --git a/packaging/rust-webpki.spec b/packaging/rust-webpki.spec
new file mode 100644 (file)
index 0000000..45cd216
--- /dev/null
@@ -0,0 +1,75 @@
+# Generated by rust2rpm 23
+%global _rpm_strip_disable 1
+%global debug_package %{nil}
+
+%global crate webpki
+%global real_crate_name webpki
+%global rustc_edition 2018
+
+Name:           rust-webpki
+Version:        0.22.0
+Release:        1
+Summary:        Web PKI X.509 Certificate Verification
+
+# Upstream license specification: None
+License:        # FIXME
+
+URL:            https://crates.io/crates/webpki
+Source:         %{crate}-%{version}.tar.gz
+Source1:        %{name}.manifest
+Source2:        extern.patch
+
+# ==========================================================
+# BuildRequires
+# specifies build-time dependencies for the package
+# ==========================================================
+BuildRequires:  rust
+BuildRequires:  rust-ring
+BuildRequires:  rust-untrusted
+
+# ==========================================================
+# dev-dependencies
+# ==========================================================
+# BuildRequires:  rust-base64 
+
+
+%description
+Web PKI X.509 Certificate Verification.
+
+%prep
+%setup -q
+cp %{SOURCE1} .
+%{__patch} -p1 < %{SOURCE2}
+
+# ==========================================================
+# build section
+# crate-type : dylib, proc-macro, cdylib, bin, etc.
+# ==========================================================
+%build
+ %{rustc_std_build} --crate-type=dylib \
+         --crate-name=%{real_crate_name} \
+         %{?rustc_edition:--edition=%{rustc_edition}} \
+         --cfg='feature="std"' \
+         --cfg='feature="alloc"' \
+         ./src/lib.rs
+
+# ==========================================================
+# install section
+# ==========================================================
+%install
+ install -d -m 0755 %{buildroot}%{_rust_dylibdir}
+ install -m 0644 lib%{real_crate_name}.so %{buildroot}/%{_rust_dylibdir}/lib%{real_crate_name}.so
+
+%clean
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+# ==========================================================
+# files section
+# ==========================================================
+%files
+%manifest %{name}.manifest
+ %license LICENSE
+ %{_rust_dylibdir}/lib%{real_crate_name}.so
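Review bot: `License:        # FIXME` ships as the package's licence value, because RPM treats `#` as a comment only at the start of a line. The tag should carry the identifier matching the `LICENSE` file that `%license` installs, e.g. `License:        <SPDX identifier from LICENSE>`. The `BuildRequires:  rust-ring` and `BuildRequires:  rust-untrusted` lines are also unversioned although extern.patch is written against a particular `untrusted` API, so the pairing between the patch and the dependency version is recorded nowhere; `BuildRequires:  rust-untrusted >= <version the patch targets>` would make it explicit. Declaring the patch as `Patch0:         extern.patch` instead of a second `Source` applied by hand in `%prep` would keep the downstream change to this certificate verifier visible to tooling that lists carried patches.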