How do we verify certificate chains?

[glasserc]

I am comparing the Remote Settings cert verification chain code against Normandy's to try to resolve mozilla/normandy#1890. The Normandy code is quite a bit more complicated than the x5u-checking code we have in this repository. In particular, it looks like the Normandy code parses a series of certificates. I'm not sure how the cryptography library works, but it seems like we only get one cert. What happens to the rest of the chain?

[leplatrem]

We don't verify the whole chain in our Python signature verification code.

Our code only verifies the signature using the first entry of the PEM file (leaf?). I could confirm by adding some crap in the cert of the tests, and signature verification passes :)
If I understand this correctly, this means it uses an «intermediate» certificate (the root is the last I imagine). And we don't verify the «chain of trust».

According to the comments here and there verifying using an intermediate certificate (ie. not verifying the whole chain using trusted certificates) is like performing no check at all! 😱

Seeing the split/parsing code in Normandy does not inspire me much, I would strongly vote for a high-level style this in this article, using a library, especially one of reference like cryptography.
But cryptography does not provide that «chain verification» feature. There seems to be stuff out there to do it, but no consensus nor official stuff.

@jvehent @g-k could you please help us here? In our context, is it enough to verify that the collection signature and data is valid using the first entry only in the x5u file?

[g-k]

In our context, is it enough to verify that the collection signature and data is valid using the first entry only in the x5u file?

Ideally, we would verify each cert in the chain back to a known trusted root cert like the dev or prod Moz cert hashes that ship with Fx. We do this in the autograph monitor https://github.com/mozilla-services/autograph/blob/master/tools/autograph-monitor/contentsignaturepki.go#L33 against the hardcoded hashes like https://github.com/mozilla-services/autograph/blob/cddc4b07e200dd080f0125b4e2006ebce20d127f/tools/autograph-monitor/xpi.go#L22

We could probably hardcode the intermediate and verify against that too, but since it sounds like we'd need to build out the chain verification feature (at least for 3 cert chains) we might as well verify against the root.

There's an upstream issue in cryptography for chain validation, but it might be considered out of scope. There are a few links to other libraries that implement the feature at pyca/cryptography#2381 (comment)

Regardless, it'd be useful to wrap up the feature in a library for other python services using content signature to reuse (cc @jvehent re: finding time to build or help build that library).