1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2025-01-11 16:42:21 -05:00

fix(ext/tls): upgrade webpki version (#20285)

This removes a webpki version that was showing up as vulnerable to
https://github.com/briansmith/webpki/issues/69.

Needed to upgrade `reqwest` as part of this.
This commit is contained in:
Matt Mastracci 2023-08-25 15:40:25 -06:00 committed by Bartek Iwańczuk
parent 8ab0ca076b
commit d34c23b8f3
No known key found for this signature in database
GPG key ID: 0C6BCDDC3B3AD750
5 changed files with 47 additions and 47 deletions

67
Cargo.lock generated
View file

@ -1495,8 +1495,8 @@ dependencies = [
"rustls",
"rustls-native-certs",
"rustls-pemfile",
"rustls-webpki",
"serde",
"webpki",
"webpki-roots",
]
@ -2752,7 +2752,7 @@ dependencies = [
"socket2",
"widestring",
"winapi",
"winreg",
"winreg 0.10.1",
]
[[package]]
@ -3980,9 +3980,9 @@ checksum = "4bf2521270932c3c7bed1a59151222bd7643c79310f2916f01925e1e16255698"
[[package]]
name = "reqwest"
version = "0.11.18"
version = "0.11.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cde824a14b7c14f85caff81225f411faacc04a2013f41670f41443742b1c1c55"
checksum = "3e9ad3fe7488d7e34558a2033d45a0c90b72d97b4f80705666fea71472e2e6a1"
dependencies = [
"async-compression",
"base64 0.21.0",
@ -4018,7 +4018,7 @@ dependencies = [
"wasm-streams",
"web-sys",
"webpki-roots",
"winreg",
"winreg 0.50.0",
]
[[package]]
@ -4160,9 +4160,9 @@ dependencies = [
[[package]]
name = "rustls"
version = "0.21.0"
version = "0.21.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "07180898a28ed6a7f7ba2311594308f595e3dd2e3c3812fa0a80a47b45f17e5d"
checksum = "1d1feddffcfcc0b33f5c6ce9a29e341e4cd59c3f78e7ee45f4a40c038b1d6cbb"
dependencies = [
"log",
"ring",
@ -4172,9 +4172,9 @@ dependencies = [
[[package]]
name = "rustls-native-certs"
version = "0.6.2"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0167bac7a9f490495f3c33013e7722b53cb087ecbe082fb0c6387c96f634ea50"
checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00"
dependencies = [
"openssl-probe",
"rustls-pemfile",
@ -4193,9 +4193,9 @@ dependencies = [
[[package]]
name = "rustls-webpki"
version = "0.100.2"
version = "0.101.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e98ff011474fa39949b7e5c0428f9b4937eda7da7848bbb947786b7be0b27dab"
checksum = "7d93931baf2d282fff8d3a532bbfd7653f734643161b87e3e01e59a04439bf0d"
dependencies = [
"ring",
"untrusted",
@ -4266,11 +4266,11 @@ dependencies = [
[[package]]
name = "schannel"
version = "0.1.21"
version = "0.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "713cfb06c7059f3588fb8044c0fad1d09e3c01d225e25b9220dbfdcf16dbb1b3"
checksum = "0c3733bf4cf7ea0880754e19cb5a462007c4a8c1914bff372ccc95b464f1df88"
dependencies = [
"windows-sys 0.42.0",
"windows-sys 0.48.0",
]
[[package]]
@ -4356,9 +4356,9 @@ dependencies = [
[[package]]
name = "security-framework"
version = "2.8.2"
version = "2.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a332be01508d814fed64bf28f798a146d73792121129962fdf335bb3c49a4254"
checksum = "05b64fb303737d99b81884b2c63433e9ae28abebe5eb5045dcdd175dc2ecf4de"
dependencies = [
"bitflags 1.3.2",
"core-foundation",
@ -4369,9 +4369,9 @@ dependencies = [
[[package]]
name = "security-framework-sys"
version = "2.8.0"
version = "2.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "31c9bb296072e961fcbd8853511dd39c2d8be2deb1e17c6860b1d30732b323b4"
checksum = "e932934257d3b408ed8f30db49d85ea163bfe74961f017f405b025af298f0c7a"
dependencies = [
"core-foundation-sys",
"libc",
@ -6056,9 +6056,9 @@ checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d"
[[package]]
name = "wasm-streams"
version = "0.2.3"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6bbae3363c08332cadccd13b67db371814cd214c2524020932f0804b8cf7c078"
checksum = "b4609d447824375f43e1ffbc051b50ad8f4b3ae8219680c94452ea05eb240ac7"
dependencies = [
"futures-util",
"js-sys",
@ -6077,24 +6077,11 @@ dependencies = [
"wasm-bindgen",
]
[[package]]
name = "webpki"
version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
dependencies = [
"ring",
"untrusted",
]
[[package]]
name = "webpki-roots"
version = "0.22.6"
version = "0.25.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87"
dependencies = [
"webpki",
]
checksum = "14247bb57be4f377dfb94c72830b8ce8fc6beac03cf4bf7b9732eadd414123fc"
[[package]]
name = "which"
@ -6328,6 +6315,16 @@ dependencies = [
"winapi",
]
[[package]]
name = "winreg"
version = "0.50.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1"
dependencies = [
"cfg-if",
"windows-sys 0.48.0",
]
[[package]]
name = "winres"
version = "0.1.12"

View file

@ -115,11 +115,14 @@ prost-build = "0.11"
rand = "=0.8.5"
regex = "^1.7.0"
lazy-regex = "2.5.0"
reqwest = { version = "0.11.18", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli", "socks", "json"] }
reqwest = { version = "0.11.20", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli", "socks", "json"] }
ring = "=0.16.20"
rusqlite = { version = "=0.29.0", features = ["unlock_notify", "bundled"] }
rustls = "0.21.0"
rustls-pemfile = "1.0.0"
rustls-webpki = "0.101.4"
rustls-native-certs = "0.6.2"
webpki-roots = "0.25.2"
serde = { version = "1.0.149", features = ["derive"] }
serde_bytes = "0.11"
serde_json = "1.0.85"

View file

@ -486,8 +486,8 @@ pub fn get_root_cert_store(
for store in ca_stores.iter() {
match store.as_str() {
"mozilla" => {
root_cert_store.add_server_trust_anchors(
webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
root_cert_store.add_trust_anchors(
webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,

View file

@ -17,8 +17,8 @@ path = "lib.rs"
deno_core.workspace = true
once_cell.workspace = true
rustls = { workspace = true, features = ["dangerous_configuration"] }
rustls-native-certs = "0.6.2"
rustls-native-certs.workspace = true
rustls-pemfile.workspace = true
rustls-webpki.workspace = true
serde.workspace = true
webpki = "0.22"
webpki-roots = "0.22"
webpki-roots.workspace = true

View file

@ -145,15 +145,15 @@ pub struct BasicAuth {
pub fn create_default_root_cert_store() -> RootCertStore {
let mut root_cert_store = RootCertStore::empty();
// TODO(@justinmchase): Consider also loading the system keychain here
root_cert_store.add_server_trust_anchors(
webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(
|ta| {
rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject,
ta.spki,
ta.name_constraints,
)
}),
);
},
));
root_cert_store
}
@ -187,7 +187,7 @@ pub fn create_client_config(
let client =
if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key {
client_config
.with_single_cert(cert_chain, private_key)
.with_client_auth_cert(cert_chain, private_key)
.expect("invalid client key or certificate")
} else {
client_config.with_no_client_auth()
@ -223,7 +223,7 @@ pub fn create_client_config(
let client = if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key
{
client_config
.with_single_cert(cert_chain, private_key)
.with_client_auth_cert(cert_chain, private_key)
.expect("invalid client key or certificate")
} else {
client_config.with_no_client_auth()