Upgrade to latest webpki and pemfile alphas

Cargo.toml

@@ -20,9 +20,9 @@ percent-encoding = "2.3"
 rcgen = "0.11.1"
 reqwest = { version = "0.11", features = ["rustls-tls-manual-roots"] }
 ring = "0.17.0"
-rustls-pemfile = "1"
+rustls-pemfile = "2.0.0-alpha.1"
 serde = { version = "1.0.183", features = ["derive"] }
 tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
-webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.3" }
+webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.6" }
 x509-parser = "0.15.1"
 yasna = "0.5.2"

tests/codegen.rs

@@ -308,15 +308,11 @@ impl CertificateMetadata {
 
     /// Returns the DER encoding of the certificate contained in the metadata PEM. Panics if
     /// there is an error, or no certificate in the PEM content.
-    fn der(&self) -> Vec<u8> {
-        let certs = rustls_pemfile::certs(&mut self.pem().as_bytes()).expect("invalid PEM");
-        if certs.len() > 1 {
-            panic!("more than one certificate in metadata PEM");
-        }
-        certs
-            .first()
-            .expect("missing certificate in metadata PEM")
-            .clone()
+    fn der(&self) -> CertificateDer<'static> {
+        rustls_pemfile::certs(&mut self.pem().as_bytes())
+            .next()
+            .unwrap()
+            .expect("invalid PEM")
     }
 
     /// Returns the serial number for the certificate. Panics if the certificate serial number

tests/verify.rs

@@ -30,22 +30,23 @@ fn name_constraints() {
                     time,
                     KeyUsage::server_auth(),
                     None,
+                    None,
                 )
                 .unwrap();
         }
 
         // Each forbidden EE should fail to verify with the expected name constraint error.
         for forbidden_ee in test_case.forbidden_certs {
-            let result = webpki::EndEntityCert::try_from(&forbidden_ee)
-                .unwrap()
-                .verify_for_usage(
-                    ALL_ALGORITHMS,
-                    trust_anchors,
-                    &[],
-                    time,
-                    KeyUsage::server_auth(),
-                    None,
-                );
+            let ee = EndEntityCert::try_from(&forbidden_ee).unwrap();
+            let result = ee.verify_for_usage(
+                ALL_ALGORITHMS,
+                trust_anchors,
+                &[],
+                time,
+                KeyUsage::server_auth(),
+                None,
+                None,
+            );
             assert!(matches!(result, Err(Error::NameConstraintViolation)));
         }
     }
@@ -174,6 +175,7 @@ fn tubitak_name_constraint_works() {
         now,
         KeyUsage::server_auth(),
         None,
+        None,
     )
     .unwrap();
 
@@ -182,15 +184,15 @@ fn tubitak_name_constraint_works() {
 }
 
 static ALL_ALGORITHMS: &[&dyn SignatureVerificationAlgorithm] = &[
-    webpki::ECDSA_P256_SHA256,
-    webpki::ECDSA_P256_SHA384,
-    webpki::ECDSA_P384_SHA256,
-    webpki::ECDSA_P384_SHA384,
-    webpki::RSA_PKCS1_2048_8192_SHA256,
-    webpki::RSA_PKCS1_2048_8192_SHA384,
-    webpki::RSA_PKCS1_2048_8192_SHA512,
-    webpki::RSA_PKCS1_3072_8192_SHA384,
-    webpki::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
-    webpki::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
-    webpki::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
+    webpki::ring::ECDSA_P256_SHA256,
+    webpki::ring::ECDSA_P256_SHA384,
+    webpki::ring::ECDSA_P384_SHA256,
+    webpki::ring::ECDSA_P384_SHA384,
+    webpki::ring::RSA_PKCS1_2048_8192_SHA256,
+    webpki::ring::RSA_PKCS1_2048_8192_SHA384,
+    webpki::ring::RSA_PKCS1_2048_8192_SHA512,
+    webpki::ring::RSA_PKCS1_3072_8192_SHA384,
+    webpki::ring::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
+    webpki::ring::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
+    webpki::ring::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
 ];