Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass "certificate policies" extension to callback #3419

Merged
merged 3 commits into from Jun 23, 2020
Merged

Pass "certificate policies" extension to callback #3419

merged 3 commits into from Jun 23, 2020

Conversation

ndilieto
Copy link
Contributor

@ndilieto ndilieto commented Jun 11, 2020
edited

Description

Pass the "certificate policies" extension to the callback supplied to mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported policies.

This allows the callback to fully replicate the behaviour of the deprecated MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION configuration.

Signed-off-by: Nicola Di Lieto nicola.dilieto@gmail.com

Status

READY

Requires Backporting

NO

@gilles-peskine-arm
Copy link
Contributor

I'm afraid we can't remove this option now. That would be considered an incompatible change and we don't do that in minor versions of Mbed TLS. (We might make an exception for security, and even so, we still haven't removed the transition option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES!) We'll definitely remove MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION in Mbed TLS 3.0.

Since we plan to release Mbed TLS 3.0 this year, I don't think it's worth it to touch MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION until then. We could change MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION to cause mbedtls_x509_crt_parse_der to invoke mbedtls_x509_crt_parse_der_with_ext_cb with an allow-everything callback, but that would make it more complex and I don't see any benefit.

@ndilieto
Copy link
Contributor Author

Ok thanks. I understand. What about the handling of unsupported policies? Currently the "certificate policies" extension is known by mbedTLS and therefore never passed to the callback, even if it contains unsupported policies. I am not sure how common these policies are - do you think there is any value in making the callback handle them as I did in this PR, even if the deprecated option isn't removed?

@gilles-peskine-arm
Copy link
Contributor

Passing some known extensions to the callback does make sense. It contradicts the current documentation for mbedtls_x509_crt_parse_der_with_ext_cb, so if we change that, we need to do it before the next release (currently scheduled for early July).

I wonder if this should be just for certificatePolicy with unknown policies, or possibly for other extensions? Maybe the documentation of mbedtls_x509_crt_parse_der_with_ext_cb could state that the callback may be called for known extensions and the exact list of extensions may change in future versions of the library? Or maybe the callback should be called for every extension?

@ndilieto
Copy link
Contributor Author

ndilieto commented Jun 11, 2020
edited

I wonder if this should be just for certificatePolicy with unknown policies, or possibly for other extensions?

My view was only those that being potentially critical can make the parsing fail.

Maybe the documentation of mbedtls_x509_crt_parse_der_with_ext_cb could state that the callback may be called for known extensions and the exact list of extensions may change in future versions of the library?

I already changed it tn the PR to reflect the change I made: https://github.com/ARMmbed/mbedtls/pull/3419/files#diff-97f260303207ad6227a973dbe90fcc39

Or maybe the callback should be called for every extension?

I don't particularly like the sound of that, but I'm not sure.

@danh-arm danh-arm added this to To do in Mbed TLS PRs via automation Jun 11, 2020
@ndilieto ndilieto changed the title Remove MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION Pass "certificate policies" extension to callback Jun 13, 2020
@ndilieto
Copy link
Contributor Author

ndilieto commented Jun 13, 2020
edited

I have reworked and force-pushed this. The deprecated option is no longer removed and I've only kept the passing of "certificate policies" to the callback if it contains unsupported policies.

@gilles-peskine-arm gilles-peskine-arm self-assigned this Jun 13, 2020
@gilles-peskine-arm gilles-peskine-arm added component-x509 enhancement needs-review Every commit must be reviewed by at least two team members, labels Jun 13, 2020
@ronald-cron-arm ronald-cron-arm self-requested a review June 15, 2020 13:35
ronald-cron-arm
ronald-cron-arm requested changes Jun 17, 2020
View reviewed changes
library/x509_crt.c Outdated Show resolved Hide resolved
Mbed TLS PRs automation moved this from To do to In progress Jun 17, 2020
@ndilieto
Pass "certificate policies" extension to callback
c84b1e6 
Pass the "certificate policies" extension to the callback supplied to
mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
policies. This allows the callback to fully replicate the behaviour
of the deprecated MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
configuration.

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
@ndilieto
test_suite_x509parse.function improvement
b77fad8 
as suggested in
Mbed-TLS#3419 (comment)

also removed two no longer necessary void casts

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
ronald-cron-arm
ronald-cron-arm previously approved these changes Jun 19, 2020
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing my comments. LGTM.

@ronald-cron-arm ronald-cron-arm moved this from In progress to 1 Approval in Mbed TLS PRs Jun 19, 2020
gilles-peskine-arm
gilles-peskine-arm requested changes Jun 22, 2020
View reviewed changes
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks good to me. But please add a note about possible API evolution.

include/mbedtls/x509_crt.h Show resolved Hide resolved
Mbed TLS PRs automation moved this from 1 Approval to In progress Jun 22, 2020
@gilles-peskine-arm gilles-peskine-arm added needs-work and removed needs-review Every commit must be reviewed by at least two team members, labels Jun 22, 2020
@ndilieto
add comment about potential future extension
511bc8c 
as requested, see
Mbed-TLS#3419 (comment)

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Mbed TLS PRs automation moved this from In progress to Approved Jun 23, 2020
@gilles-peskine-arm gilles-peskine-arm added approved Design and code approved - may be waiting for CI or backports and removed needs-work labels Jun 23, 2020
@gilles-peskine-arm gilles-peskine-arm merged commit dda1045 into Mbed-TLS:development Jun 23, 2020
Mbed TLS PRs automation moved this from Approved to Done Jun 23, 2020
@gilles-peskine-arm gilles-peskine-arm mentioned this pull request Aug 13, 2020
Closed
@daverodgman daverodgman removed this from Done in Mbed TLS PRs Mar 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gilles-peskine-arm gilles-peskine-arm gilles-peskine-arm approved these changes

@ronald-cron-arm ronald-cron-arm ronald-cron-arm approved these changes

Assignees

@gilles-peskine-arm gilles-peskine-arm

Labels
approved Design and code approved - may be waiting for CI or backports component-x509 enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ndilieto @gilles-peskine-arm @ronald-cron-arm