Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CRL lookup callback #3501

Closed
wants to merge 6 commits into from
Closed

Add CRL lookup callback #3501

wants to merge 6 commits into from

Conversation

goatgoose
Copy link
Contributor

@goatgoose goatgoose commented Sep 19, 2022
edited
Loading

Resolved issues:

Part of #3499

Description of changes:

This PR adds a new async callback, s2n_crl_lookup, that's triggered in s2n_x509_validator_validate_cert_chain. This callback is triggered once for each received certificate to retrieve all of the required CRLs needed to perform CRL validation. These CRLs are passed to the libcrypto, and a CRL validation check is performed in the existing call to X509_verify_cert.

Call-outs:

No public API was added to set this callback. This, as well as public API documentation, will be added in a future PR, when the CRL feature is finished.

The max_connection_size was increased from 4150 to 4182. This is to account for 4 additional pointers added to s2n_connection:

  • crl_lookup
  • data_for_crl_for_cert
  • crl_stack in s2n_x509_validator
  • crl_for_cert_contexts in s2n_x509_validator

Testing:

How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?

  • New unit tests were added in s2n_x509_validator_test that test this callback and related helper functions.

Is this a refactor change? If so, how have you proved that the intended behavior hasn't changed?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Sep 19, 2022
@goatgoose goatgoose mentioned this pull request Sep 19, 2022
Closed
9 tasks
@goatgoose goatgoose force-pushed the crl-lookup2 branch 3 times, most recently from 4e614e8 to 8525a9b Compare September 22, 2022 22:19
@goatgoose goatgoose mentioned this pull request Sep 27, 2022
Merged
@goatgoose
Squashed commit of the following:
768e061 
commit 295194f
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 12:00:58 2022 -0400

    Add wrapper structs for X509/X509_CRL

commit 49c3345
Merge: 5347cfa 7f8a951
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 10:30:24 2022 -0400

    Merge branch 'main' into refactor-x509-validate-async

commit 5347cfa
Merge: b9aa377 f2ef307
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Tue Sep 27 18:47:04 2022 -0400

    Merge branch 'main' into refactor-x509-validate-async

commit b9aa377
Merge: fd87c6c e6e8b6a
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Tue Sep 27 12:03:34 2022 -0400

    Merge branch 'main' into refactor-x509-validate-async

commit fd87c6c
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 21 19:01:06 2022 -0400

    EXPECT_TRUE -> EXPECT_EQUAL

commit 876a33b
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 21 18:59:55 2022 -0400

    CERT_CHAIN_PROCESSED -> READY_TO_VERIFY

commit 2b5f26e
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 21 18:52:31 2022 -0400

    add comment for processing leaf certificate extensions

commit 5d07513
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 21 16:26:35 2022 -0400

    fixes

commit 8043a37
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 21 13:48:17 2022 -0400

    check for INIT state in s2n_x509_validator_read_cert_chain

commit 5f7443e
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 21 11:07:51 2022 -0400

    fixes

commit a9c024e
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 21 11:00:00 2022 -0400

    refactor validate_cert_chain into functions per state

commit 567385d
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Tue Sep 20 16:27:12 2022 -0400

    prepend s2n_x509_validator

commit bb86ad4
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Tue Sep 20 14:42:53 2022 -0400

    check for S2N_PKEY_TYPE_UNKNOWN on error

commit c9870a6
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Fri Sep 16 11:39:08 2022 -0400

    don't check for pkey_type on error in x509_validator tests

commit 665a692
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Thu Sep 15 11:05:13 2022 -0400

    Refactor s2n_x509_validator_validate_cert_chain to support async callback
@goatgoose goatgoose force-pushed the crl-lookup2 branch 3 times, most recently from 9a3337d to 87291a8 Compare September 28, 2022 17:00
@goatgoose goatgoose force-pushed the crl-lookup2 branch 3 times, most recently from 2a25e05 to c08dd6a Compare September 28, 2022 19:08
@goatgoose
hide public API
c0ad926
@goatgoose
Squashed commit of the following:
373745b 
commit c08dd6a
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 15:03:15 2022 -0400

    fixes

commit b18a116
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 14:31:45 2022 -0400

    remove unnecessary CRL timestamp errors

commit 7dc1a42
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 14:09:49 2022 -0400

    crl_for_cert -> crl_lookup

commit 011a51b
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 14:04:02 2022 -0400

    fixes

commit 092384e
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 14:06:04 2022 -0400

    Squashed commit of the following:

    commit 6e27724
    Merge: 768e061 07e62a4
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 28 12:55:21 2022 -0400

        Merge branch 'crl-lookup2' into crl-lookup3

    commit 768e061
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 28 12:15:43 2022 -0400

        Squashed commit of the following:

        commit 295194f
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 28 12:00:58 2022 -0400

            Add wrapper structs for X509/X509_CRL

        commit 49c3345
        Merge: 5347cfa 7f8a951
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 28 10:30:24 2022 -0400

            Merge branch 'main' into refactor-x509-validate-async

        commit 5347cfa
        Merge: b9aa377 f2ef307
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Tue Sep 27 18:47:04 2022 -0400

            Merge branch 'main' into refactor-x509-validate-async

        commit b9aa377
        Merge: fd87c6c e6e8b6a
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Tue Sep 27 12:03:34 2022 -0400

            Merge branch 'main' into refactor-x509-validate-async

        commit fd87c6c
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 21 19:01:06 2022 -0400

            EXPECT_TRUE -> EXPECT_EQUAL

        commit 876a33b
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 21 18:59:55 2022 -0400

            CERT_CHAIN_PROCESSED -> READY_TO_VERIFY

        commit 2b5f26e
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 21 18:52:31 2022 -0400

            add comment for processing leaf certificate extensions

        commit 5d07513
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 21 16:26:35 2022 -0400

            fixes

        commit 8043a37
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 21 13:48:17 2022 -0400

            check for INIT state in s2n_x509_validator_read_cert_chain

        commit 5f7443e
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 21 11:07:51 2022 -0400

            fixes

        commit a9c024e
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Wed Sep 21 11:00:00 2022 -0400

            refactor validate_cert_chain into functions per state

        commit 567385d
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Tue Sep 20 16:27:12 2022 -0400

            prepend s2n_x509_validator

        commit bb86ad4
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Tue Sep 20 14:42:53 2022 -0400

            check for S2N_PKEY_TYPE_UNKNOWN on error

        commit c9870a6
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Fri Sep 16 11:39:08 2022 -0400

            don't check for pkey_type on error in x509_validator tests

        commit 665a692
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Thu Sep 15 11:05:13 2022 -0400

            Refactor s2n_x509_validator_validate_cert_chain to support async callback

    commit 07e62a4
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 27 18:46:01 2022 -0400

        add new api definitions to bindgen test list

    commit 05fcf2f
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 16:42:11 2022 -0400

        fixes

    commit 59b8533
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 20 10:48:18 2022 -0400

        cppcheck

    commit 881821e
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 28 11:59:03 2022 -0400

        Squashed commit of the following:

        commit f683d96
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Mon Sep 19 11:01:23 2022 -0400

            more tests

        commit 3f5b677
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Sun Sep 18 19:21:13 2022 -0400

            get crl/cert issuer hash

        commit add1654
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Fri Sep 16 11:12:04 2022 -0400

            account for 4 additional pointers in s2n_connection_test

        commit 7d7fe48
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Fri Sep 16 10:52:48 2022 -0400

            fix memory

        commit d757f16
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Fri Sep 16 01:37:19 2022 -0400

            previous tests passing

        commit c9870a6
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Fri Sep 16 11:39:08 2022 -0400

            don't check for pkey_type on error in x509_validator tests

        commit 665a692
        Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
        Date:   Thu Sep 15 11:05:13 2022 -0400

            Refactor s2n_x509_validator_validate_cert_chain to support async callback

    commit 33a74ef
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 28 11:49:59 2022 -0400

        Add wrapper structs for X509/X509_CRL

    commit 49c3345
    Merge: 5347cfa 7f8a951
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 28 10:30:24 2022 -0400

        Merge branch 'main' into refactor-x509-validate-async

    commit 5347cfa
    Merge: b9aa377 f2ef307
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 27 18:47:04 2022 -0400

        Merge branch 'main' into refactor-x509-validate-async

    commit b9aa377
    Merge: fd87c6c e6e8b6a
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 27 12:03:34 2022 -0400

        Merge branch 'main' into refactor-x509-validate-async

    commit fd87c6c
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 19:01:06 2022 -0400

        EXPECT_TRUE -> EXPECT_EQUAL

    commit 876a33b
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 18:59:55 2022 -0400

        CERT_CHAIN_PROCESSED -> READY_TO_VERIFY

    commit 2b5f26e
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 18:52:31 2022 -0400

        add comment for processing leaf certificate extensions

    commit 5d07513
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 16:26:35 2022 -0400

        fixes

    commit 8043a37
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 13:48:17 2022 -0400

        check for INIT state in s2n_x509_validator_read_cert_chain

    commit 5f7443e
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 11:07:51 2022 -0400

        fixes

    commit a9c024e
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 11:00:00 2022 -0400

        refactor validate_cert_chain into functions per state

    commit 567385d
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 20 16:27:12 2022 -0400

        prepend s2n_x509_validator

    commit bb86ad4
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 20 14:42:53 2022 -0400

        check for S2N_PKEY_TYPE_UNKNOWN on error

    commit c9870a6
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Fri Sep 16 11:39:08 2022 -0400

        don't check for pkey_type on error in x509_validator tests

    commit 665a692
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Thu Sep 15 11:05:13 2022 -0400

        Refactor s2n_x509_validator_validate_cert_chain to support async callback

commit 3937b07
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 14:20:34 2022 -0400

    update aws-verification-model-for-libcrypto to latest commit

commit 63fd891
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 14:04:30 2022 -0400

    fixes

commit ba33741
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 13:55:38 2022 -0400

    add new structs to bindgen test list

commit 768e061
Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Date:   Wed Sep 28 12:15:43 2022 -0400

    Squashed commit of the following:

    commit 295194f
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 28 12:00:58 2022 -0400

        Add wrapper structs for X509/X509_CRL

    commit 49c3345
    Merge: 5347cfa 7f8a951
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 28 10:30:24 2022 -0400

        Merge branch 'main' into refactor-x509-validate-async

    commit 5347cfa
    Merge: b9aa377 f2ef307
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 27 18:47:04 2022 -0400

        Merge branch 'main' into refactor-x509-validate-async

    commit b9aa377
    Merge: fd87c6c e6e8b6a
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 27 12:03:34 2022 -0400

        Merge branch 'main' into refactor-x509-validate-async

    commit fd87c6c
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 19:01:06 2022 -0400

        EXPECT_TRUE -> EXPECT_EQUAL

    commit 876a33b
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 18:59:55 2022 -0400

        CERT_CHAIN_PROCESSED -> READY_TO_VERIFY

    commit 2b5f26e
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 18:52:31 2022 -0400

        add comment for processing leaf certificate extensions

    commit 5d07513
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 16:26:35 2022 -0400

        fixes

    commit 8043a37
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 13:48:17 2022 -0400

        check for INIT state in s2n_x509_validator_read_cert_chain

    commit 5f7443e
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 11:07:51 2022 -0400

        fixes

    commit a9c024e
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Wed Sep 21 11:00:00 2022 -0400

        refactor validate_cert_chain into functions per state

    commit 567385d
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 20 16:27:12 2022 -0400

        prepend s2n_x509_validator

    commit bb86ad4
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Tue Sep 20 14:42:53 2022 -0400

        check for S2N_PKEY_TYPE_UNKNOWN on error

    commit c9870a6
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Fri Sep 16 11:39:08 2022 -0400

        don't check for pkey_type on error in x509_validator tests

    commit 665a692
    Author: Sam Clark <3758302+goatgoose@users.noreply.github.com>
    Date:   Thu Sep 15 11:05:13 2022 -0400

        Refactor s2n_x509_validator_validate_cert_chain to support async callback
@goatgoose
Copy link
Contributor Author

Too many force pushes. Moving to #3546.

@goatgoose goatgoose closed this Oct 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@goatgoose