Validation #30
Merged
* Added initial, synchronous validexp responders in starttls.c
* Added generic, synchronous support for online querying in new file online.c
- dns_ip_xxx() for retrieval of AAAA and A records from DNS or DNSSEC
- dns_srv_xxx() for retrieval of SRV records from DNS or DNSSEC
- dns_tlsa_xxx() for retrieval of TLSA records from DNSSEC
- ldap_connect_xxx() to connect to an LDAP server
- ldap_getattr_xxx() to retrieve a named attribute from LDAP
- ldap_attrcmp_eval() for a binary check with an LDAP attribute

Current issues:
- no ldap_start_tls() used yet
- DANE records are retrieved, but not checked against anything yet
- LDAP compilation against RFC 1823 is partly deprecated
- only certusage 1,3 because for now only the end cert is supplied
- only selector 0 because for now the certificate is just a blob
- only matchtype 0 because for now external hashing is a dependency

- Can now support both hashes that were defined in RFC 6698
- Can now support all forms of certusage defined in RFC 6698
- Can now support all forms of selector defined in RFC 6698
- Can now support all forms of matchtype defined in RFC 6698
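The two commits above describe the three TLSA fields from RFC 6698 (certificate usage, selector, matching type) and the restriction that only the end-entity certificate is at hand. The following is an added example, not code from this pull request or the project, showing how a checker evaluates a TLSA RDATA blob against an end-entity certificate under exactly that restriction: usages 1 (PKIX-EE) and 3 (DANE-EE) are checkable, usages 0 and 2 are reported as needing the chain, selector 1 is served by a minimal DER walk to the SubjectPublicKeyInfo, and matching types 0/1/2 map to raw, SHA-256 and SHA-512. The certificate used as input is a constructed, unsigned X.509 shell built in the block; the function names are the example's own.

```python
"""Added example: matching an end-entity certificate against DANE TLSA RDATA
(RFC 6698).  Not part of the pull request; all names here are the example's own."""
import hashlib
import hmac


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, value, start, end) for the DER TLV starting at pos."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], start, pos + length


def subject_public_key_info(cert_der):
    """Extract the DER SubjectPublicKeyInfo (TLSA selector 1) from a certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _, _ = _read_tlv(cert_der, 0)
    _, tbs, _, _ = _read_tlv(cert_body, 0)
    pos = 0
    tag, _, _, end = _read_tlv(tbs, pos)
    if tag == 0xA0:  # explicit version present: skip it
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = _read_tlv(tbs, pos)
    tag, _, start, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("malformed TBSCertificate: SubjectPublicKeyInfo not found")
    return tbs[start:end]


def parse_tlsa_rdata(rdata):
    """Split TLSA RDATA into (usage, selector, matching type, association data)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def tlsa_matches(cert_der, usage, selector, matchtype, assoc):
    """True when the end-entity certificate satisfies the record.
    Raises ValueError for fields that cannot be evaluated with only the end cert."""
    if usage not in (1, 3):  # PKIX-TA / DANE-TA need the presented chain
        raise ValueError(f"certificate usage {usage} needs the full chain")
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = subject_public_key_info(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if matchtype == 0:
        digest = data
    elif matchtype == 1:
        digest = hashlib.sha256(data).digest()
    elif matchtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unknown matching type {matchtype}")
    return hmac.compare_digest(digest, assoc)  # length-safe, constant-time compare


def evaluate(cert_der, rdata_list):
    """Per record: True (match), False (no match) or None (not evaluable here)."""
    results = []
    for rdata in rdata_list:
        try:
            results.append(tlsa_matches(cert_der, *parse_tlsa_rdata(rdata)))
        except ValueError:
            results.append(None)
    return results


def constructed_certificate():
    """A structurally valid but unsigned X.509 shell (constructed sample input).
    Returns (certificate DER, the SubjectPublicKeyInfo it contains)."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + b"\x01" * 32))  # dummy key bits
    name = _der(0x30, b"")  # empty Name
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9)), spki


if __name__ == "__main__":
    cert, spki = constructed_certificate()
    records = [bytes([3, 1, 1]) + hashlib.sha256(spki).digest(),  # DANE-EE, SPKI, SHA-256
               bytes([1, 0, 0]) + cert,                           # PKIX-EE, full cert, exact
               bytes([2, 1, 1]) + bytes(32)]                      # DANE-TA: needs the chain
    print(evaluate(cert, records))
```

A `None` result is deliberately distinct from `False`: a record the checker cannot evaluate must not be counted as a failed match, and a deployment that only ever sees the end-entity certificate should say so rather than silently accept or reject usage 0 and 2 records.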
Profiles are linked data structures that explain how to validate online. The components defined by preceding commits were meant to be used here. The online_run_profile() is meant for this, and called with the top profile.
… DANE) --> Note on DANE: This requires doing starttls() on the LDAP connection, in a way that collects the server certificate for checking. There is no facility to do this in the LDAP API, AFAIK. We may however pass it through an internal procedure and check this later on.
…d PGP Note that PGP code is in its infancy, it will compare pubkeys binary, which is a gross distortion to what is really needed: recognising pubkey blocks, and possibly withdrawal signals.
- PGP message parsing (new formats only)
- Mapping radix64 to binary while going through it

- download PGP keys from LDAP (which is radix64-encoded)
- compare to binary provided PGP key (as GnuTLS would do)
- verify key equivalence _and_ revocation absence in key block
- use this in the online.c profile of online_globaldir_pgp_profile
- do all this through the online_globaldir_pgp() routine
- incorporated the routine call in test/onlinecheck.c
- automated this as part of test/Makefile
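The two PGP commits above map radix64 (OpenPGP ASCII armor) to binary before comparing key material. As an added example that is not the project's code, the block below implements that decoding as RFC 4880 specifies it: armor header lines, base64 body, and the `=`-prefixed CRC-24 trailer, which is verified so that a truncated or altered key block downloaded from a directory is rejected rather than compared byte-for-byte. An `armor` encoder is included only to build a constructed sample; the function names are the example's own.

```python
"""Added example: OpenPGP ASCII armor (radix64 + CRC-24) decoding, RFC 4880 section 6.
Not part of the pull request; all names here are the example's own."""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """CRC-24 as defined in RFC 4880 section 6.1 (bit-serial reference form)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, kind="PUBLIC KEY BLOCK"):
    """Produce armored text; used here only to construct sample input."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 76] for i in range(0, len(body), 76)]
    trailer = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Comment: constructed sample", ""]
                     + lines + ["=" + trailer, f"-----END PGP {kind}-----"]) + "\n"


def dearmor(text):
    """Return (block kind, binary payload); raise ValueError on framing or CRC errors."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("-----BEGIN PGP "))
    except StopIteration:
        raise ValueError("no armor header line") from None
    kind = lines[start][len("-----BEGIN PGP "):-5]
    i = start + 1
    while i < len(lines) and lines[i].strip():  # armor headers run until a blank line
        i += 1
    i += 1
    data_lines, crc_field = [], None
    while i < len(lines) and not lines[i].startswith("-----END PGP "):
        line = lines[i].strip()
        if line.startswith("="):  # the checksum line; base64 data never starts with '='
            crc_field = line[1:]
        elif line:
            data_lines.append(line)
        i += 1
    if i == len(lines) or crc_field is None:
        raise ValueError("truncated armor: missing checksum or end line")
    binary = base64.b64decode("".join(data_lines), validate=True)
    expected = int.from_bytes(base64.b64decode(crc_field, validate=True), "big")
    if crc24(binary) != expected:
        raise ValueError("CRC-24 mismatch: armored data was altered or corrupted")
    return kind, binary


def is_valid_armor(text):
    """Convenience predicate for callers that only need accept/reject."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = bytes(range(256)) * 2  # constructed stand-in for a binary key block
    kind, payload = dearmor(armor(sample))
    print(kind, payload == sample)
```

The CRC-24 is an integrity check against transport damage, not an authenticity check: it tells the retriever that the block it decoded is the block that was armored, which is the precondition for the binary comparison the commit performs, but the key's own self-signatures and any revocation signatures still have to be examined on the decoded packets.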
Also, valexp handling in starttls.c is, though still with replicated code
- root X.509 certs, for clients as well as servers, test-ca and -flying-signer
* Not yet tested (or even run)
* DONE: 2ND: Either add `remote_flags` or remove chains without any root cert
* DONE: Setup `remote_cert_raw` in `fetch_remote_credentials()`
* DONE: Reference `remote_cert_raw` from cmd (use in `valexp_`{`Oo`,`Gg`}`_start`)
* DONE: Validation expression predicates can use `cmd->remote_xxx`
* DONE: Make adjustments in `valexp_Tt_start` for correct handling of self-signed etc.
* DONE: Cleanup `cmd->remote_xxx` when done with `starttls_thread()` + takeover
* DONE: Invoke validation expression logic

Not all the work has been done yet:
* DEFER: Load a PGP key ring for validation under `valexp_Tt_start()`
* DEFER: Process `SIGUSR1` by re-reading the PGP key ring, and possibly more
* DEFER: Process `valexp_Dd_start()` with an `online.c` profile
* DEFER: Consider taking the validation expression out of the `disclose.db`
Link to DoNAI definition for user friendliness

Conflicts:
src/Makefile
src/starttls.c
This is a first release of the validation framework. Please note GitHub issues #27, #28 and #29 that detail functionality yet to be implemented or tested.