New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How do we verify certificate chains? #106
Comments
We don't verify the whole chain in our Python signature verification code. Our code only verifies the signature using the first entry of the PEM file (leaf?). I could confirm by adding some crap in the cert of the tests, and signature verification passes :) According to the comments here and there verifying using an intermediate certificate (ie. not verifying the whole chain using trusted certificates) is like performing no check at all! 😱 Seeing the split/parsing code in Normandy does not inspire me much, I would strongly vote for a high-level style this in this article, using a library, especially one of reference like @jvehent @g-k could you please help us here? In our context, is it enough to verify that the collection signature and data is valid using the first entry only in the x5u file? |
Ideally, we would verify each cert in the chain back to a known trusted root cert like the dev or prod Moz cert hashes that ship with Fx. We do this in the autograph monitor https://github.com/mozilla-services/autograph/blob/master/tools/autograph-monitor/contentsignaturepki.go#L33 against the hardcoded hashes like https://github.com/mozilla-services/autograph/blob/cddc4b07e200dd080f0125b4e2006ebce20d127f/tools/autograph-monitor/xpi.go#L22 We could probably hardcode the intermediate and verify against that too, but since it sounds like we'd need to build out the chain verification feature (at least for 3 cert chains) we might as well verify against the root. There's an upstream issue in Regardless, it'd be useful to wrap up the feature in a library for other python services using content signature to reuse (cc @jvehent re: finding time to build or help build that library). |
I am comparing the Remote Settings cert verification chain code against Normandy's to try to resolve mozilla/normandy#1890. The Normandy code is quite a bit more complicated than the
x5u
-checking code we have in this repository. In particular, it looks like the Normandy code parses a series of certificates. I'm not sure how thecryptography
library works, but it seems like we only get one cert. What happens to the rest of the chain?The text was updated successfully, but these errors were encountered: