From c0c03201d34c0ba830214996d4dc2ad419d04a5f Mon Sep 17 00:00:00 2001
From: Kikuo Emoto <kemoto@codemonger.io>
Date: Thu, 23 Nov 2023 15:52:06 +0900
Subject: [PATCH 1/3] feat: return trust anchor of verified path

- `verify_cert::build_chain` returns the trust anchor of the verified
  path if it succeeds. `ChainOptions` needs to have another lifetime for
  the contents of `TrustAnchor` to return `TrustAnchor` without
  restricting lifetimes of other parameters.

  `TrustAnchor` carries the reference to the underlying DER
  representation so that users of this package can derive additional
  information from the results. `TrustAnchor` implements `Clone` to
  simplify lifetime management. The clone operation should not be
  expensive; four copies of references.

  The following public methods of `EndEntityCert` return the trust
  anchor of the verified path:
    - `verify_for_usage`
    - `verify_for_usage_with_policy_check`
    - `verify_is_valid_tls_server_cert`
    - `verify_is_valid_tls_client_cert`
---
 src/end_entity.rs               | 62 ++++++++++-----------
 src/trust_anchor.rs             | 99 ++++++++++++++++++++++++++++++---
 src/verify_cert.rs              | 38 +++++++------
 tests/client_auth.rs            |  2 +-
 tests/client_auth_revocation.rs |  2 +-
 tests/custom_ekus.rs            |  2 +-
 tests/integration.rs            | 16 +++---
 7 files changed, 152 insertions(+), 69 deletions(-)

diff --git a/src/end_entity.rs b/src/end_entity.rs
index fd44db58..7eecb0ab 100644
--- a/src/end_entity.rs
+++ b/src/end_entity.rs
@@ -77,16 +77,16 @@ impl<'a> EndEntityCert<'a> {
     }
 
     #[allow(clippy::too_many_arguments)]
-    fn verify_is_valid_cert(
+    fn verify_is_valid_cert<'b, 'c>(
         &self,
-        supported_sig_algs: &[&SignatureAlgorithm],
-        trust_anchors: &[TrustAnchor],
-        intermediate_certs: &[&[u8]],
+        supported_sig_algs: &'c [&SignatureAlgorithm],
+        trust_anchors: &'b [TrustAnchor<'b>],
+        intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
         eku: KeyUsage,
-        crls: &[&dyn CertRevocationList],
-        user_initial_policy_set: &[&[u8]],
-    ) -> Result<(), Error> {
+        crls: &'c [&dyn CertRevocationList],
+        user_initial_policy_set: &'c [&[u8]],
+    ) -> Result<TrustAnchor<'b>, Error> {
         verify_cert::build_chain(
             &verify_cert::ChainOptions {
                 eku,
@@ -116,15 +116,15 @@ impl<'a> EndEntityCert<'a> {
     ///   of usage we're verifying the certificate for.
     /// * `crls` is the list of certificate revocation lists to check
     ///   the certificate against.
-    pub fn verify_for_usage(
+    pub fn verify_for_usage<'b, 'c>(
         &self,
-        supported_sig_algs: &[&SignatureAlgorithm],
-        trust_anchors: &[TrustAnchor],
-        intermediate_certs: &[&[u8]],
+        supported_sig_algs: &'c [&SignatureAlgorithm],
+        trust_anchors: &'b [TrustAnchor<'b>],
+        intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
         usage: KeyUsage,
-        crls: &[&dyn CertRevocationList],
-    ) -> Result<(), Error> {
+        crls: &'c [&dyn CertRevocationList],
+    ) -> Result<TrustAnchor<'b>, Error> {
         self.verify_is_valid_cert(
             supported_sig_algs,
             trust_anchors,
@@ -146,16 +146,16 @@ impl<'a> EndEntityCert<'a> {
     ///   method is equivalent to [`EndEntityCert::verify_for_usage`] if this
     ///   slice is empty.
     #[allow(clippy::too_many_arguments)]
-    pub fn verify_for_usage_with_policy_check(
+    pub fn verify_for_usage_with_policy_check<'b, 'c>(
         &self,
-        supported_sig_algs: &[&SignatureAlgorithm],
-        trust_anchors: &[TrustAnchor],
-        intermediate_certs: &[&[u8]],
+        supported_sig_algs: &'c [&SignatureAlgorithm],
+        trust_anchors: &'b [TrustAnchor<'b>],
+        intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
         usage: KeyUsage,
-        crls: &[&dyn CertRevocationList],
-        user_initial_policy_set: &[&[u8]],
-    ) -> Result<(), Error> {
+        crls: &'c [&dyn CertRevocationList],
+        user_initial_policy_set: &'c [&[u8]],
+    ) -> Result<TrustAnchor<'b>, Error> {
         self.verify_is_valid_cert(
             supported_sig_algs,
             trust_anchors,
@@ -185,13 +185,13 @@ impl<'a> EndEntityCert<'a> {
         The new `verify_for_usage` function expresses trust anchor and end entity purpose with the \
         key usage argument."
     )]
-    pub fn verify_is_valid_tls_server_cert(
+    pub fn verify_is_valid_tls_server_cert<'b, 'c>(
         &self,
-        supported_sig_algs: &[&SignatureAlgorithm],
-        &TlsServerTrustAnchors(trust_anchors): &TlsServerTrustAnchors,
-        intermediate_certs: &[&[u8]],
+        supported_sig_algs: &'c [&SignatureAlgorithm],
+        &TlsServerTrustAnchors(trust_anchors): &'b TlsServerTrustAnchors<'b>,
+        intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
-    ) -> Result<(), Error> {
+    ) -> Result<TrustAnchor<'b>, Error> {
         self.verify_is_valid_cert(
             supported_sig_algs,
             trust_anchors,
@@ -222,14 +222,14 @@ impl<'a> EndEntityCert<'a> {
         The new `verify_for_usage` function expresses trust anchor and end entity purpose with the \
         key usage argument."
     )]
-    pub fn verify_is_valid_tls_client_cert(
+    pub fn verify_is_valid_tls_client_cert<'b, 'c>(
         &self,
-        supported_sig_algs: &[&SignatureAlgorithm],
-        &TlsClientTrustAnchors(trust_anchors): &TlsClientTrustAnchors,
-        intermediate_certs: &[&[u8]],
+        supported_sig_algs: &'c [&SignatureAlgorithm],
+        &TlsClientTrustAnchors(trust_anchors): &'b TlsClientTrustAnchors<'b>,
+        intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
-        crls: &[&dyn CertRevocationList],
-    ) -> Result<(), Error> {
+        crls: &'c [&dyn CertRevocationList],
+    ) -> Result<TrustAnchor<'b>, Error> {
         self.verify_is_valid_cert(
             supported_sig_algs,
             trust_anchors,
diff --git a/src/trust_anchor.rs b/src/trust_anchor.rs
index 21287646..39e4bfea 100644
--- a/src/trust_anchor.rs
+++ b/src/trust_anchor.rs
@@ -10,7 +10,10 @@ use crate::{der, Error};
 /// essential elements of trust anchors. The `TrustAnchor::try_from_cert_der`
 /// function allows converting X.509 certificates to to the minimized
 /// `TrustAnchor` representation, either at runtime or in a build script.
-#[derive(Debug)]
+///
+/// `PartialEq` for `TrustAnchor` compares only the pointer values of the
+/// underlying DER data.
+#[derive(Clone, Debug)]
 pub struct TrustAnchor<'a> {
     /// The value of the `subject` field of the trust anchor.
     pub subject: &'a [u8],
@@ -21,6 +24,9 @@ pub struct TrustAnchor<'a> {
     /// The value of a DER-encoded NameConstraints, containing name
     /// constraints to apply to the trust anchor, if any.
     pub name_constraints: Option<&'a [u8]>,
+
+    /// Underlying DER representation.
+    pub(crate) underlying: &'a [u8],
 }
 
 /// Trust anchors which may be used for authenticating servers.
@@ -51,6 +57,7 @@ impl<'a> TrustAnchor<'a> {
     /// certificate is self-signed or even that the certificate has the cA basic
     /// constraint.
     pub fn try_from_cert_der(cert_der: &'a [u8]) -> Result<Self, Error> {
+        let underlying = cert_der;
         let cert_der = untrusted::Input::from(cert_der);
 
         // XXX: `EndEntityOrCA::EndEntity` is used instead of `EndEntityOrCA::CA`
@@ -63,7 +70,12 @@ impl<'a> TrustAnchor<'a> {
         // parser doesn't allow extensions, so there's no need to worry about
         // embedded name constraints in a v1 certificate.
         match Cert::from_der(cert_der, EndEntityOrCa::EndEntity) {
-            Ok(cert) => Ok(Self::from(cert)),
+            Ok(cert) => Ok(TrustAnchor {
+                subject: cert.subject.as_slice_less_safe(),
+                spki: cert.spki.value().as_slice_less_safe(),
+                name_constraints: cert.name_constraints.map(|nc| nc.as_slice_less_safe()),
+                underlying,
+            }),
             Err(Error::UnsupportedCertVersion) => {
                 Self::from_v1_der(cert_der).or(Err(Error::BadDer))
             }
@@ -73,6 +85,7 @@ impl<'a> TrustAnchor<'a> {
 
     /// Parses a v1 certificate directly into a TrustAnchor.
     fn from_v1_der(cert_der: untrusted::Input<'a>) -> Result<Self, Error> {
+        let underlying = cert_der.as_slice_less_safe();
         // X.509 Certificate: https://tools.ietf.org/html/rfc5280#section-4.1.
         cert_der.read_all(Error::BadDer, |cert_der| {
             der::nested(cert_der, der::Tag::Sequence, Error::BadDer, |cert_der| {
@@ -90,6 +103,7 @@ impl<'a> TrustAnchor<'a> {
                         subject: subject.as_slice_less_safe(),
                         spki: spki.as_slice_less_safe(),
                         name_constraints: None,
+                        underlying,
                     })
                 });
 
@@ -101,18 +115,85 @@ impl<'a> TrustAnchor<'a> {
             })
         })
     }
+
+    /// Returns the underlying DER data.
+    pub fn as_der(&self) -> &[u8] {
+        self.underlying
+    }
 }
 
-impl<'a> From<Cert<'a>> for TrustAnchor<'a> {
-    fn from(cert: Cert<'a>) -> Self {
-        Self {
-            subject: cert.subject.as_slice_less_safe(),
-            spki: cert.spki.value().as_slice_less_safe(),
-            name_constraints: cert.name_constraints.map(|nc| nc.as_slice_less_safe()),
-        }
+impl<'a> PartialEq<TrustAnchor<'_>> for TrustAnchor<'a> {
+    fn eq(&self, other: &TrustAnchor<'_>) -> bool {
+        self.underlying.as_ptr() == other.underlying.as_ptr()
     }
 }
 
 fn skip(input: &mut untrusted::Reader, tag: der::Tag) -> Result<(), Error> {
     der::expect_tag_and_get_value(input, tag).map(|_| ())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn trust_anchors_should_be_equal_if_underlying_data_are_identical() {
+        let underlying = &[0u8, 1u8, 2u8, 3u8];
+        let subject = &[0u8, 1u8];
+        let spki = &[2u8, 3u8];
+        let name_constraints: Option<&[u8]> = Some(&[4u8, 5u8]);
+        assert_eq!(
+            TrustAnchor {
+                subject,
+                spki,
+                name_constraints,
+                underlying,
+            },
+            TrustAnchor {
+                subject,
+                spki,
+                name_constraints,
+                underlying,
+            },
+        );
+    }
+
+    #[test]
+    fn trust_anchors_should_not_be_equal_if_underlying_data_are_non_identical() {
+        // wraps with Vec to make sure distinct memory blocks are allocated
+        let underlying1 = &vec![0u8, 1u8, 2u8, 3u8];
+        let underlying2 = &vec![0u8, 1u8, 2u8, 3u8];
+        let subject = &[0u8, 1u8];
+        let spki = &[2u8, 3u8];
+        let name_constraints: Option<&[u8]> = Some(&[4u8, 5u8]);
+        assert_ne!(
+            TrustAnchor {
+                subject,
+                spki,
+                name_constraints,
+                underlying: underlying1,
+            },
+            TrustAnchor {
+                subject,
+                spki,
+                name_constraints,
+                underlying: underlying2,
+            },
+        );
+    }
+
+    #[test]
+    fn clone_trust_anchor_should_equal_the_original() {
+        let underlying = &[0u8, 1u8, 2u8, 3u8];
+        let subject = &[0u8, 1u8];
+        let spki = &[2u8, 3u8];
+        let name_constraints: Option<&[u8]> = Some(&[4u8, 5u8]);
+        let trust_anchor = TrustAnchor {
+            subject,
+            spki,
+            name_constraints,
+            underlying,
+        };
+        assert_eq!(trust_anchor, trust_anchor.clone());
+    }
+}
diff --git a/src/verify_cert.rs b/src/verify_cert.rs
index 0b80f445..41acad27 100644
--- a/src/verify_cert.rs
+++ b/src/verify_cert.rs
@@ -22,10 +22,12 @@ use crate::{
     SignatureAlgorithm, TrustAnchor,
 };
 
-pub(crate) struct ChainOptions<'a> {
+pub(crate) struct ChainOptions<'a, 'b> {
     pub(crate) eku: KeyUsage,
     pub(crate) supported_sig_algs: &'a [&'a SignatureAlgorithm],
-    pub(crate) trust_anchors: &'a [TrustAnchor<'a>],
+    // TrustAnchor's contents have a distinct lifetime
+    // because they are returned from `build_chain`
+    pub(crate) trust_anchors: &'a [TrustAnchor<'b>],
     pub(crate) intermediate_certs: &'a [&'a [u8]],
     pub(crate) crls: &'a [&'a dyn CertRevocationList],
     /// OIDs of acceptable certificate policies.
@@ -33,24 +35,24 @@ pub(crate) struct ChainOptions<'a> {
     pub(crate) user_initial_policy_set: &'a [&'a [u8]],
 }
 
-pub(crate) fn build_chain(
-    opts: &ChainOptions,
+pub(crate) fn build_chain<'a, 'b>(
+    opts: &ChainOptions<'a, 'b>,
     cert: &Cert,
     time: Option<time::Time>,
-) -> Result<(), Error> {
+) -> Result<TrustAnchor<'b>, Error> {
     build_chain_inner(opts, cert, time, 0, &mut Budget::default()).map_err(|e| match e {
         ControlFlow::Break(err) => err,
         ControlFlow::Continue(err) => err,
     })
 }
 
-fn build_chain_inner(
-    opts: &ChainOptions,
+fn build_chain_inner<'a, 'b>(
+    opts: &ChainOptions<'a, 'b>,
     cert: &Cert,
     time: Option<time::Time>,
     sub_ca_count: usize,
     budget: &mut Budget,
-) -> Result<(), ControlFlow<Error, Error>> {
+) -> Result<TrustAnchor<'b>, ControlFlow<Error, Error>> {
     let used_as_ca = used_as_ca(&cert.ee_or_ca);
 
     check_issuer_independent_properties(cert, time, used_as_ca, sub_ca_count, opts.eku.inner)?;
@@ -95,12 +97,12 @@ fn build_chain_inner(
                 check_policy_tree(cert, opts.user_initial_policy_set)?;
             }
 
-            Ok(())
+            Ok(trust_anchor.clone())
         },
     );
 
     let err = match result {
-        Ok(()) => return Ok(()),
+        Ok(trust_anchor) => return Ok(trust_anchor),
         // Fatal errors should halt further path building.
         res @ Err(ControlFlow::Break(_)) => return res,
         // Non-fatal errors should be carried forward as the default_error for subsequent
@@ -681,18 +683,18 @@ impl KeyUsageMode {
     }
 }
 
-fn loop_while_non_fatal_error<V>(
+fn loop_while_non_fatal_error<T, V>(
     default_error: Error,
     values: V,
-    mut f: impl FnMut(V::Item) -> Result<(), ControlFlow<Error, Error>>,
-) -> Result<(), ControlFlow<Error, Error>>
+    mut f: impl FnMut(V::Item) -> Result<T, ControlFlow<Error, Error>>,
+) -> Result<T, ControlFlow<Error, Error>>
 where
     V: IntoIterator,
 {
     let mut error = default_error;
     for v in values {
         match f(v) {
-            Ok(()) => return Ok(()),
+            Ok(res) => return Ok(res),
             // Fatal errors should halt further looping.
             res @ Err(ControlFlow::Break(_)) => return res,
             // Non-fatal errors should be ranked by specificity and only returned
@@ -800,7 +802,7 @@ mod tests {
             &intermediates,
             &make_end_entity(&issuer),
             None,
-        )
+        ).map(|_| ())
     }
 
     #[test]
@@ -902,12 +904,12 @@ mod tests {
     }
 
     #[cfg(feature = "alloc")]
-    fn verify_chain(
-        trust_anchor_der: &[u8],
+    fn verify_chain<'a>(
+        trust_anchor_der: &'a [u8],
         intermediates_der: &[Vec<u8>],
         ee_cert_der: &[u8],
         budget: Option<Budget>,
-    ) -> Result<(), ControlFlow<Error, Error>> {
+    ) -> Result<TrustAnchor<'a>, ControlFlow<Error, Error>> {
         use crate::ECDSA_P256_SHA256;
         use crate::{EndEntityCert, Time};
 
diff --git a/tests/client_auth.rs b/tests/client_auth.rs
index 7de55ea8..77cb699a 100644
--- a/tests/client_auth.rs
+++ b/tests/client_auth.rs
@@ -41,7 +41,7 @@ fn check_cert(ee: &[u8], ca: &[u8]) -> Result<(), webpki::Error> {
         Some(time),
         KeyUsage::client_auth(),
         &[],
-    )
+    ).map(|_| ())
 }
 
 // DO NOT EDIT BELOW: generated by tests/generate.py
diff --git a/tests/client_auth_revocation.rs b/tests/client_auth_revocation.rs
index 3ef0c6d7..9e134a65 100644
--- a/tests/client_auth_revocation.rs
+++ b/tests/client_auth_revocation.rs
@@ -31,7 +31,7 @@ fn check_cert(
         Some(time),
         KeyUsage::client_auth(),
         crls,
-    )
+    ).map(|_| ())
 }
 
 // DO NOT EDIT BELOW: generated by tests/generate.py
diff --git a/tests/custom_ekus.rs b/tests/custom_ekus.rs
index 506133f9..5ab5554d 100644
--- a/tests/custom_ekus.rs
+++ b/tests/custom_ekus.rs
@@ -19,7 +19,7 @@ fn check_cert(
 
     assert_eq!(
         cert.verify_for_usage(algs, &anchors, &[], Some(time), eku, &[]),
-        result
+        result.map(|_| anchors[0].clone())
     );
 }
 
diff --git a/tests/integration.rs b/tests/integration.rs
index 64e71692..5751dac5 100644
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -45,7 +45,7 @@ pub fn netflix() {
 
     let cert = webpki::EndEntityCert::try_from(ee).unwrap();
     assert_eq!(
-        Ok(()),
+        Ok(anchors[0].clone()),
         cert.verify_for_usage(
             ALL_SIGALGS,
             &anchors,
@@ -71,7 +71,7 @@ pub fn cloudflare_dns() {
 
     let cert = webpki::EndEntityCert::try_from(ee).unwrap();
     assert_eq!(
-        Ok(()),
+        Ok(anchors[0].clone()),
         cert.verify_for_usage(
             ALL_SIGALGS,
             &anchors,
@@ -130,7 +130,7 @@ pub fn win_hello_attest_tpm() {
 
     let cert = webpki::EndEntityCert::try_from(ee).unwrap();
     assert_eq!(
-        Ok(()),
+        Ok(anchors[0].clone()),
         cert.verify_for_usage_with_policy_check(
             ALL_SIGALGS,
             &anchors,
@@ -156,7 +156,7 @@ pub fn win_hello_attest_tpm() {
         )
     );
     assert_eq!(
-        Ok(()),
+        Ok(anchors[0].clone()),
         cert.verify_for_usage_with_policy_check(
             ALL_SIGALGS,
             &anchors,
@@ -184,7 +184,7 @@ pub fn wpt() {
 
     let cert = webpki::EndEntityCert::try_from(ee).unwrap();
     assert_eq!(
-        Ok(()),
+        Ok(anchors[0].clone()),
         cert.verify_for_usage(
             ALL_SIGALGS,
             &anchors,
@@ -207,7 +207,7 @@ pub fn ed25519() {
 
     let cert = webpki::EndEntityCert::try_from(ee).unwrap();
     assert_eq!(
-        Ok(()),
+        Ok(anchors[0].clone()),
         cert.verify_for_usage(
             ALL_SIGALGS,
             &anchors,
@@ -239,7 +239,7 @@ fn critical_extensions() {
             &[],
         )
     });
-    assert_eq!(res, Ok(()), "accept non-critical unknown extension");
+    assert_eq!(res, Ok(anchors[0].clone()), "accept non-critical unknown extension");
 
     let ee = include_bytes!("critical_extensions/ee-cert-crit-unknown-ext.der");
     let res = webpki::EndEntityCert::try_from(&ee[..]).and_then(|cert| {
@@ -284,7 +284,7 @@ fn read_ee_with_neg_serial() {
 
     let cert = webpki::EndEntityCert::try_from(ee).unwrap();
     assert_eq!(
-        Ok(()),
+        Ok(anchors[0].clone()),
         cert.verify_for_usage(
             ALL_SIGALGS,
             &anchors,

From 4a1b87f81b72fb7a2740aaeab440b2c9dab0ed99 Mon Sep 17 00:00:00 2001
From: Kikuo Emoto <kemoto@codemonger.io>
Date: Thu, 23 Nov 2023 16:07:46 +0900
Subject: [PATCH 2/3] style: fix cargo fmt and clippy errors

---
 src/verify_cert.rs              | 11 ++++++-----
 tests/client_auth.rs            |  3 ++-
 tests/client_auth_revocation.rs |  3 ++-
 tests/integration.rs            |  6 +++++-
 4 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/src/verify_cert.rs b/src/verify_cert.rs
index 41acad27..fda85018 100644
--- a/src/verify_cert.rs
+++ b/src/verify_cert.rs
@@ -35,8 +35,8 @@ pub(crate) struct ChainOptions<'a, 'b> {
     pub(crate) user_initial_policy_set: &'a [&'a [u8]],
 }
 
-pub(crate) fn build_chain<'a, 'b>(
-    opts: &ChainOptions<'a, 'b>,
+pub(crate) fn build_chain<'b>(
+    opts: &ChainOptions<'_, 'b>,
     cert: &Cert,
     time: Option<time::Time>,
 ) -> Result<TrustAnchor<'b>, Error> {
@@ -46,8 +46,8 @@ pub(crate) fn build_chain<'a, 'b>(
     })
 }
 
-fn build_chain_inner<'a, 'b>(
-    opts: &ChainOptions<'a, 'b>,
+fn build_chain_inner<'b>(
+    opts: &ChainOptions<'_, 'b>,
     cert: &Cert,
     time: Option<time::Time>,
     sub_ca_count: usize,
@@ -802,7 +802,8 @@ mod tests {
             &intermediates,
             &make_end_entity(&issuer),
             None,
-        ).map(|_| ())
+        )
+        .map(|_| ())
     }
 
     #[test]
diff --git a/tests/client_auth.rs b/tests/client_auth.rs
index 77cb699a..58eeb52c 100644
--- a/tests/client_auth.rs
+++ b/tests/client_auth.rs
@@ -41,7 +41,8 @@ fn check_cert(ee: &[u8], ca: &[u8]) -> Result<(), webpki::Error> {
         Some(time),
         KeyUsage::client_auth(),
         &[],
-    ).map(|_| ())
+    )
+    .map(|_| ())
 }
 
 // DO NOT EDIT BELOW: generated by tests/generate.py
diff --git a/tests/client_auth_revocation.rs b/tests/client_auth_revocation.rs
index 9e134a65..8c946293 100644
--- a/tests/client_auth_revocation.rs
+++ b/tests/client_auth_revocation.rs
@@ -31,7 +31,8 @@ fn check_cert(
         Some(time),
         KeyUsage::client_auth(),
         crls,
-    ).map(|_| ())
+    )
+    .map(|_| ())
 }
 
 // DO NOT EDIT BELOW: generated by tests/generate.py
diff --git a/tests/integration.rs b/tests/integration.rs
index 5751dac5..d299c6d6 100644
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -239,7 +239,11 @@ fn critical_extensions() {
             &[],
         )
     });
-    assert_eq!(res, Ok(anchors[0].clone()), "accept non-critical unknown extension");
+    assert_eq!(
+        res,
+        Ok(anchors[0].clone()),
+        "accept non-critical unknown extension"
+    );
 
     let ee = include_bytes!("critical_extensions/ee-cert-crit-unknown-ext.der");
     let res = webpki::EndEntityCert::try_from(&ee[..]).and_then(|cert| {

From 130de8efc04d16c76b3eeba9355d02eed49c8ecd Mon Sep 17 00:00:00 2001
From: Kikuo Emoto <kemoto@codemonger.io>
Date: Thu, 23 Nov 2023 16:23:38 +0900
Subject: [PATCH 3/3] feat: loose lifetime constraints

- See comment: https://github.com/codemonger-io/webpki/pull/1/files#r1402986145
---
 src/end_entity.rs | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/end_entity.rs b/src/end_entity.rs
index 7eecb0ab..2aecbfba 100644
--- a/src/end_entity.rs
+++ b/src/end_entity.rs
@@ -80,7 +80,7 @@ impl<'a> EndEntityCert<'a> {
     fn verify_is_valid_cert<'b, 'c>(
         &self,
         supported_sig_algs: &'c [&SignatureAlgorithm],
-        trust_anchors: &'b [TrustAnchor<'b>],
+        trust_anchors: &'c [TrustAnchor<'b>],
         intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
         eku: KeyUsage,
@@ -119,7 +119,7 @@ impl<'a> EndEntityCert<'a> {
     pub fn verify_for_usage<'b, 'c>(
         &self,
         supported_sig_algs: &'c [&SignatureAlgorithm],
-        trust_anchors: &'b [TrustAnchor<'b>],
+        trust_anchors: &'c [TrustAnchor<'b>],
         intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
         usage: KeyUsage,
@@ -149,7 +149,7 @@ impl<'a> EndEntityCert<'a> {
     pub fn verify_for_usage_with_policy_check<'b, 'c>(
         &self,
         supported_sig_algs: &'c [&SignatureAlgorithm],
-        trust_anchors: &'b [TrustAnchor<'b>],
+        trust_anchors: &'c [TrustAnchor<'b>],
         intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
         usage: KeyUsage,
@@ -188,7 +188,7 @@ impl<'a> EndEntityCert<'a> {
     pub fn verify_is_valid_tls_server_cert<'b, 'c>(
         &self,
         supported_sig_algs: &'c [&SignatureAlgorithm],
-        &TlsServerTrustAnchors(trust_anchors): &'b TlsServerTrustAnchors<'b>,
+        &TlsServerTrustAnchors(trust_anchors): &'c TlsServerTrustAnchors<'b>,
         intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
     ) -> Result<TrustAnchor<'b>, Error> {
@@ -225,7 +225,7 @@ impl<'a> EndEntityCert<'a> {
     pub fn verify_is_valid_tls_client_cert<'b, 'c>(
         &self,
         supported_sig_algs: &'c [&SignatureAlgorithm],
-        &TlsClientTrustAnchors(trust_anchors): &'b TlsClientTrustAnchors<'b>,
+        &TlsClientTrustAnchors(trust_anchors): &'c TlsClientTrustAnchors<'b>,
         intermediate_certs: &'c [&[u8]],
         time: Option<Time>,
         crls: &'c [&dyn CertRevocationList],