verification/policy: tweak key checks (#10311)

* verification/policy: tweak key checks Needs C2SP/x509-limbo#185. Signed-off-by: William Woodruff <william@trailofbits.com> * bump limbo Signed-off-by: William Woodruff <william@trailofbits.com> --------- Signed-off-by: William Woodruff <william@trailofbits.com>
pyca · Feb 24, 2024 · 724f329 · 724f329
1 parent 0baf908
commit 724f329
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs
@@ -468,9 +468,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
         self.permits_ca(issuer.certificate(), current_depth, issuer_extensions)?;
 
         // CA/B 7.1.3.1 SubjectPublicKeyInfo
+        // NOTE: We check the issuer's SPKI here, since the issuer is
+        // definitionally a CA and thus subject to CABF key requirements.
         if !self
             .permitted_public_key_algorithms
-            .contains(&child.tbs_cert.spki.algorithm)
+            .contains(&issuer.certificate().tbs_cert.spki.algorithm)
         {
             return Err(ValidationError::Other(format!(
                 "Forbidden public key algorithm: {:?}",
@@ -479,6 +481,11 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
         }
 
         // CA/B 7.1.3.2 Signature AlgorithmIdentifier
+        // NOTE: We check the child's signature here, since the issuer's
+        // signature is not necessarily subject to signature checks (e.g.
+        // if it's a root). This works out transitively, as any non root-issuer
+        // will be checked in its recursive step (where it'll be in the child
+        // position).
         if !self
             .permitted_signature_algorithms
             .contains(&child.signature_alg)

diff --git a/tests/x509/verification/test_limbo.py b/tests/x509/verification/test_limbo.py
@@ -30,7 +30,7 @@
     # Most CABF validators do not enforce the CABF key requirements on
     # subscriber keys (i.e., in the leaf certificate).
     "pedantic-webpki-subscriber-key",
-    # Similarly: contains tests that fail based on a strict reading of RFC 5280
+    # Tests that fail based on a strict reading of RFC 5280
     # but are widely ignored by validators.
     "pedantic-rfc5280",
     # In rare circumstances, CABF relaxes RFC 5280's prescriptions in
@@ -65,14 +65,14 @@
     # forbidden under CABF. This is consistent with what
     # Go's crypto/x509 and Rust's webpki crate do.
     "webpki::aki::root-with-aki-ski-mismatch",
+    # We allow RSA keys that aren't divisible by 8, which is technically
+    # forbidden under CABF. No other implementation checks this either.
+    "webpki::forbidden-rsa-not-divisable-by-8-in-root",
     # We disallow CAs in the leaf position, which is explicitly forbidden
     # by CABF (but implicitly permitted under RFC 5280). This is consistent
     # with what webpki and rustls do, but inconsistent with Go and OpenSSL.
     "rfc5280::ca-as-leaf",
     "pathlen::validation-ignores-pathlen-in-leaf",
-    # We allow RSA keys that aren't divisible by 8, which is technically
-    # forbidden under CABF. No other implementation checks this either.
-    "webpki::forbidden-rsa-not-divisable-by-8-in-root",
     # Implemented on main, but not backported to this branch.
     "webpki::forbidden-p192-root",
     "webpki::forbidden-weak-rsa-key-in-root",