v0.101.5 broke semver for CertificateRevocationList.verify_signature

[cpu]

ac2faa7 was backported to the v0.101.x release in v0.101.5. This work originated in #164, but shouldn't have been backported to the 0.101.x release stream, because it changes the CertificateRevocationList trait in a semver breaking way, adding a new argument to the verify_signature fn. This trait and its fns are part of the public API, e.g. in rcgen's webpki tests (reported by est31).

Let's fix this in a point release and leave this note in place until then so the issue is discoverable.

[djc]

Sorry for missing this in review. 😞 Seems surprising that our semver check in CI didn't catch this?

[cpu]

Sorry for missing this in review. 😞

It happens :-( I missed it reviewing the orignal work, and in the backport too.

Seems surprising that our semver check in CI didn't catch this?

Agreed. I thought initially the rel-0.101 branch might not have that in its CI, but it does:

webpki/.github/workflows/ci.yml

Lines 230 to 240 in 7cb6c64

	semver:
	name: Check semver compatibility
	runs-on: ubuntu-latest
	steps:
	- name: Checkout sources
	uses: actions/checkout@v3
	with:
	persist-credentials: false
	- name: Check semver
	uses: obi1kenobi/cargo-semver-checks-action@v2

[cpu]

v0.101.6 resolves this issue.

[hawkw]

Just to make sure I understand this change correctly, does v0.101.6 still contain a fix for GHSA-fh2r-99q2-6mmg/RUSTSEC-2023-0053, or does reverting the semver-breaking change once again make v0.101.6 vulnerable to the CPU exhaustion DoS? Thanks in advance.

[cpu]

Just to make sure I understand this change correctly, does v0.101.6 still contain a fix for https://github.com/advisories/GHSA-fh2r-99q2-6mmg/[RUSTSEC-2023-0053](https://rustsec.org/advisories/RUSTSEC-2023-0053.html)

That's correct: we're still limiting the number of signature validation operations that can occur during path building (including CRL signature validation operations) in v0.101.6. The only change is that the mechanism for doing that hasn't bled into the API.

[hawkw]

Okay, cool, thanks for confirming!