-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rust: add crate skeleton for X.509 path validation #8873
Conversation
Design points:
|
1. No strong views
2. Store should contain only trust parts -- or put another way, it should
be possible to reuse a store across multiple validations.
…On Fri, May 5, 2023 at 12:19 PM William Woodruff ***@***.***> wrote:
Design points:
1. I named the "top" type here Validator, which is a little generic.
Do you have preferences here?
2. Should the trust store (currently Store) hold both trusted and
untrusted parts, or just the trusted parts? My plan was to have it hold
both in separate collections, but it could also be just the trusted
certificates (with the top-level validation step taking in the untrusted
certs separately).
—
Reply to this email directly, view it on GitHub
<#8873 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBDZWEVWJZRE64F4PZTXEUZDLANCNFSM6AAAAAAXXLIBQU>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
Related: WDYT about a i.e., the top-level API use would be something like: // Fallibility reflects construction invariants: must be nonempty, must be only CA:true, etc.
let store = Store::try_from(trusted_certs)?;
// Validator defaults to `SystemTime::now`, `Validator::with_time(...)` for control of the validation time.
let validator = Validator::new(store);
let built_chain = validator.validate(leaf, policy)?; where // Fluent-style, or something else?
let policy = Policy::new()
.untrusted_intermediates(...)
.key_usages(...)
.extended_key_usages(...); |
I don't think I understand why time goes on Validator and not policy. But
otherwise this seems fine.
…On Fri, May 5, 2023 at 12:58 PM William Woodruff ***@***.***> wrote:
Related: WDYT about a Policy or Constraints type for the constraints
associated with a particular EE cert validation step?
i.e., the top-level API use would be something like:
// Fallibility reflects construction invariants: must be nonempty, must be only CA:true, etc.let store = Store::try_from(trusted_certs)?;
// Validator defaults to `SystemTime::now`, `Validator::with_time(...)` for control of the validation time.let validator = Validator::new(store);
let built_chain = validator.validate(leaf, policy)?;
where policy would be something like:
// Fluent-style, or something else?let policy = Policy::new()
.untrusted_intermediates(...)
.key_usages(...)
.extended_key_usages(...);
—
Reply to this email directly, view it on GitHub
<#8873 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBCPGBK65BK5ZXW33Z3XEU5SVANCNFSM6AAAAAAXXLIBQU>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
No particular reason, it makes more sense on (My original rationale was based on 5280 specifying that the time is more "intrinsic" to verification than additional user-introduced constraints, but I see no reason to expose that kind of distinction in a public API, given that the user-facing behavior is the same.) |
60f312e
to
212a651
Compare
There's a lot more work to be done, but the end-to-end MVP is now in place: policy = PolicyBuilder(profile=Profile.RFC5280).build()
store = Store([root])
chain = verify(ee, policy, [intermediate], store)
assert chain == [ee, intermediate, root] (I added a small testcase that demonstrates this; I'll rewrite it to be more idiomatic after some rounds of review.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some initial thoughts, I tried to focus on API/design.
There's a lot of code here, and as a general rule we don't land more than a few hundred LoC at a time, so one thing to start thinking about is how you're going to want to split it up.
Yep -- I'm thinking that the |
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Alex Gaynor <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Unclear why this suddenly broke on Windows. Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
if let Time::GeneralizedTime(_) = validity_date { | ||
// NOTE: This is technically wrong for certificates issued before 1950, | ||
// but this does not matter in practice. | ||
if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This didn't get fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done, replaced with a range check.
} | ||
|
||
/// Checks whether the given EE certificate is compatible with this policy. | ||
pub(crate) fn permits_ee( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can just be merged into permits_leaf
now (or vice-versa)
Just call permits_ee directly. Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
* CHANGELOG: record #8873 Signed-off-by: William Woodruff <[email protected]> * docs/x509/verification: clean up, update note Signed-off-by: William Woodruff <[email protected]> * add module ref Signed-off-by: William Woodruff <[email protected]> * CHANGELOG: Cryptograpy's -> our Signed-off-by: William Woodruff <[email protected]> * CHANGELOG: reflow, better linkage Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: William Woodruff <[email protected]>
This PR adds the core path validation algorithm and policy components, as well as the Python-side verification API.
I'll use this PR to add some basic types as well (and remove the default code), as well as hook this up to the CI's tests and coverage.See #2381.