Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

webpki: improve pedantic "forbidden leaf key" tests #185

Merged
merged 4 commits into from
Jan 31, 2024
Merged

webpki: improve pedantic "forbidden leaf key" tests #185

merged 4 commits into from
Jan 31, 2024

Conversation

woodruffw
Copy link
Collaborator

Following #184, this expands upon the existing pedantic WebPKI tests for leafs with forbidden keys:

  • Forbidden RSA leaf (below security margin)
  • Forbidden RSA leaf (modulus not divisible by 8)

It also removes a duplicate test (forbidden_signature_algorithm_in_leaf).

@woodruffw
limbo: weak RSA EE case
9449293 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
webpki: improve "forbidden leaf key" tests
596ef32 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw self-assigned this Jan 31, 2024
@woodruffw
more key cases
61f24a6 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Copy link
Collaborator Author

I've also added forbidden_dsa_root and forbidden_p192_root, which enforce that these keys are rejected in root CAs.

woodruffw added a commit to trail-of-forks/cryptography-old that referenced this pull request Jan 31, 2024
@woodruffw
verification/policy: tweak key checks
4b66b49 
Needs C2SP/x509-limbo#185.

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw mentioned this pull request Jan 31, 2024
Merged
@woodruffw
models: update feature docs
e147973 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw added the component:tests 🧪 Unit and integration tests label Jan 31, 2024
@reaperhulk reaperhulk merged commit e7b8885 into main Jan 31, 2024
6 checks passed
@reaperhulk reaperhulk deleted the ww/rsa-leaf branch January 31, 2024 16:14
alex pushed a commit to pyca/cryptography that referenced this pull request Feb 1, 2024
@woodruffw
verification/policy: tweak key checks (#10311)
e80f3ee 
* verification/policy: tweak key checks

Needs C2SP/x509-limbo#185.

Signed-off-by: William Woodruff <william@trailofbits.com>

* bump limbo

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
alex pushed a commit to alex/cryptography that referenced this pull request Feb 24, 2024
@woodruffw @alex
verification/policy: tweak key checks (pyca#10311)
724f329 
* verification/policy: tweak key checks

Needs C2SP/x509-limbo#185.

Signed-off-by: William Woodruff <william@trailofbits.com>

* bump limbo

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reaperhulk reaperhulk reaperhulk approved these changes

@alex alex Awaiting requested review from alex

Assignees

@woodruffw woodruffw

Labels
component:tests 🧪 Unit and integration tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@woodruffw @reaperhulk