rust: add crate skeleton for X.509 path validation #8873
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Design points:
|
|
1. No strong views
2. Store should contain only trust parts -- or put another way, it should
be possible to reuse a store across multiple validations.
…On Fri, May 5, 2023 at 12:19 PM William Woodruff ***@***.***> wrote:
Design points:
1. I named the "top" type here Validator, which is a little generic.
Do you have preferences here?
2. Should the trust store (currently Store) hold both trusted and
untrusted parts, or just the trusted parts? My plan was to have it hold
both in separate collections, but it could also be just the trusted
certificates (with the top-level validation step taking in the untrusted
certs separately).
—
Reply to this email directly, view it on GitHub
<#8873 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBDZWEVWJZRE64F4PZTXEUZDLANCNFSM6AAAAAAXXLIBQU>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
|
Related: WDYT about a i.e., the top-level API use would be something like: // Fallibility reflects construction invariants: must be nonempty, must be only CA:true, etc.
let store = Store::try_from(trusted_certs)?;
// Validator defaults to `SystemTime::now`, `Validator::with_time(...)` for control of the validation time.
let validator = Validator::new(store);
let built_chain = validator.validate(leaf, policy)?;where // Fluent-style, or something else?
let policy = Policy::new()
.untrusted_intermediates(...)
.key_usages(...)
.extended_key_usages(...); |
|
I don't think I understand why time goes on Validator and not policy. But
otherwise this seems fine.
…On Fri, May 5, 2023 at 12:58 PM William Woodruff ***@***.***> wrote:
Related: WDYT about a Policy or Constraints type for the constraints
associated with a particular EE cert validation step?
i.e., the top-level API use would be something like:
// Fallibility reflects construction invariants: must be nonempty, must be only CA:true, etc.let store = Store::try_from(trusted_certs)?;
// Validator defaults to `SystemTime::now`, `Validator::with_time(...)` for control of the validation time.let validator = Validator::new(store);
let built_chain = validator.validate(leaf, policy)?;
where policy would be something like:
// Fluent-style, or something else?let policy = Policy::new()
.untrusted_intermediates(...)
.key_usages(...)
.extended_key_usages(...);
—
Reply to this email directly, view it on GitHub
<#8873 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBCPGBK65BK5ZXW33Z3XEU5SVANCNFSM6AAAAAAXXLIBQU>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
No particular reason, it makes more sense on (My original rationale was based on 5280 specifying that the time is more "intrinsic" to verification than additional user-introduced constraints, but I see no reason to expose that kind of distinction in a public API, given that the user-facing behavior is the same.) |
woodruffw
force-pushed
the
tob-x509-cv-skeleton
branch
3 times, most recently
from
60f312e
to
212a651
Compare
woodruffw
commented
May 10, 2023
woodruffw
commented
May 10, 2023
woodruffw
commented
May 10, 2023
woodruffw
commented
May 10, 2023
woodruffw
commented
Jun 23, 2023
|
There's a lot more work to be done, but the end-to-end MVP is now in place: policy = PolicyBuilder(profile=Profile.RFC5280).build()
store = Store([root])
chain = verify(ee, policy, [intermediate], store)
assert chain == [ee, intermediate, root](I added a small testcase that demonstrates this; I'll rewrite it to be more idiomatic after some rounds of review.) |
woodruffw
commented
Jul 7, 2023
woodruffw
commented
Jul 7, 2023
woodruffw
commented
Jul 7, 2023
woodruffw
commented
Jul 7, 2023
alex
reviewed
Jul 8, 2023
Yep -- I'm thinking that the |
This was referenced Jul 10, 2023
woodruffw
commented
Jul 17, 2023
Merged
This was referenced Jul 26, 2023
woodruffw
commented
Jul 27, 2023
alex
reviewed
Dec 20, 2023
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
alex
reviewed
Dec 20, 2023
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Unclear why this suddenly broke on Windows. Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
woodruffw
commented
Dec 21, 2023
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
alex
reviewed
Dec 21, 2023
| if let Time::GeneralizedTime(_) = validity_date { | ||
| // NOTE: This is technically wrong for certificates issued before 1950, | ||
| // but this does not matter in practice. | ||
| if validity_date.as_datetime().year() < GENERALIZED_DATE_CUTOFF_YEAR { |
There was a problem hiding this comment.
Done, replaced with a range check.
| } | ||
|
|
||
| /// Checks whether the given EE certificate is compatible with this policy. | ||
| pub(crate) fn permits_ee( |
There was a problem hiding this comment.
This can just be merged into permits_leaf now (or vice-versa)
Just call permits_ee directly. Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
alex
approved these changes
Dec 22, 2023
woodruffw
added a commit
to woodruffw-forks/cryptography
that referenced
this pull request
Dec 22, 2023
Signed-off-by: William Woodruff <william@yossarian.net>
alex
pushed a commit
that referenced
this pull request
Dec 22, 2023
* CHANGELOG: record #8873 Signed-off-by: William Woodruff <william@yossarian.net> * docs/x509/verification: clean up, update note Signed-off-by: William Woodruff <william@yossarian.net> * add module ref Signed-off-by: William Woodruff <william@yossarian.net> * CHANGELOG: Cryptograpy's -> our Signed-off-by: William Woodruff <william@yossarian.net> * CHANGELOG: reflow, better linkage Signed-off-by: William Woodruff <william@yossarian.net> --------- Signed-off-by: William Woodruff <william@yossarian.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds the core path validation algorithm and policy components, as well as the Python-side verification API.
I'll use this PR to add some basic types as well (and remove the default code), as well as hook this up to the CI's tests and coverage.See #2381.