Define api for delegated credentials #67 #69
Conversation
|
@armfazh @lukevalenta @Lekensteyn ready for review now. Thanks! |
claucece
changed the title
|
@cjpatton addressed now. Let me know what you think now ;)
When you get a DC from storage you check which one you will used based on the other's peer signature algorithm advertised by either the clientHelloInfo or certificateRequestInfo, so it will not be able to use anything that wasn't advertised there in the handshake. |
There was a problem hiding this comment.
If I understand correctly, the point of this change is to provide the DC in a single callback via GetCertificate rather than two (GetCertificate followed by GetDelegatedCredential)?
Could you include the motivation for the change in the commit message? Thanks, it looks good with minor comments!
| @@ -446,7 +462,9 @@ func testServerGetCertificate(ch *ClientHelloInfo) (*Certificate, error) { | |||
| } | |||
|
|
|||
| if versOk && ch.SupportsDelegatedCredential { | |||
| return dcTestCerts["dcP256"], nil | |||
| serverCert := dcTestCerts["dcP256"] | |||
| serverCert.DelegatedCredentials = serverDC[dcCount:] | |||
There was a problem hiding this comment.
(Note for my understanding: initDCTest resets dcTestCerts and dcTestCerts["dcCertP256"] which is why it is okay for testServerGetCertificate to have side-effects such as overwriting dcTestCerts["dcP256"].DelegatedCredentials.)
I was wondering why serverDC[dcCount:] was used. Would serverDC[dcCount:dcCount+1] be sufficient to limit the test to a specific DC? Or is there a reason to include more than one?
There was a problem hiding this comment.
It is more for testing with each specific DC and algorithm (a DC with ed25519, a Dc with eddsa256, etc). I'll prefer if the tests were only using one DC (it simplifies all) but is was requested by reviewers to test with them all.
There was a problem hiding this comment.
So based on a private chat with Sofía, my understanding is that it deliberately includes more than one to test this code path:
go/src/crypto/tls/handshake_server_tls13.go
Lines 464 to 472 in 1777b4c
Yes, the idea is to unify into single callback. I'll include in the commit message ;) |
…using the same mechanisms used to fetch certificates #67 Refactor new API Address comments from review Address comments from review 2 Address comments from review 3
|
Commit message has been changed. Merging now. |
crypto/tls: Implement draft-ietf-tls-subcerts-10 crypto/tls: fixes individual testing by adding insecure verify #62 crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69) Refactor new API Address comments from review Address comments from review 2 Address comments from review 3 crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
crypto/tls: Implement draft-ietf-tls-subcerts-10 crypto/tls: fixes individual testing by adding insecure verify #62 crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69) Refactor new API Address comments from review Address comments from review 2 Address comments from review 3 crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
crypto/tls: Implement draft-ietf-tls-subcerts-10 crypto/tls: fixes individual testing by adding insecure verify #62 crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69) Refactor new API Address comments from review Address comments from review 2 Address comments from review 3 crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
crypto/tls: Implement draft-ietf-tls-subcerts-10 crypto/tls: fixes individual testing by adding insecure verify #62 crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69) Refactor new API Address comments from review Address comments from review 2 Address comments from review 3 crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
crypto/tls: Implement draft-ietf-tls-subcerts-10 crypto/tls: fixes individual testing by adding insecure verify #62 crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69) Refactor new API Address comments from review Address comments from review 2 Address comments from review 3 crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
crypto/tls: Implement draft-ietf-tls-subcerts-10 crypto/tls: fixes individual testing by adding insecure verify #62 crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69) Refactor new API Address comments from review Address comments from review 2 Address comments from review 3 crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
crypto/tls: Implement draft-ietf-tls-subcerts-10 crypto/tls: fixes individual testing by adding insecure verify #62 crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69) Refactor new API Address comments from review Address comments from review 2 Address comments from review 3 crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
crypto/tls: Implement draft-ietf-tls-subcerts-10 crypto/tls: fixes individual testing by adding insecure verify #62 crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69) Refactor new API Address comments from review Address comments from review 2 Address comments from review 3 crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
Ready for review.
This should solve #63 as well.