x509/policy: add WebPKI permitted algorithms #9548
Signed-off-by: William Woodruff <william@trailofbits.com>
xref https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf pages 97 ff. for the canonical encodings here.
ac2c634 to 3dcc8a7
/// Permitted algorithms, from CA/B Forum's Baseline Requirements, section 7.1.3.2 (pages 96-98) | ||
/// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf | ||
pub static WEBPKI_PERMITTED_ALGORITHMS: Lazy<HashSet<AlgorithmIdentifier<'_>>> = Lazy::new(|| { |
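Review bot: the doc comment on WEBPKI_PERMITTED_ALGORITHMS cites BR section 7.1.3.2 but does not say what the set is compared against or where it is meant to be consumed. Since this is a HashSet of AlgorithmIdentifier values, a lookup succeeds only on whole-value equality, so the comment should state that the entries are the exact identifiers the Baseline Requirements list and that an identifier differing from them in any field will not be found. Writing the lifetime as 'static instead of '_ would also make the static's type easier to read.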
How do you envision this being used?
I envisioned it as part of the algorithms restriction functionality added with #9405: https://github.com/pyca/cryptography/pull/9405/files#diff-b15c4ba048c4bbef3e3e40afef6eaf31c7edcdd7d46627cb470c3c8db684a040R223-R254
Ok we might need to take a step back here, because when we spoke I think we agreed to move away from the profiles idea, so I'm struggling a bit to understand how the pieces fit together here.
Yeah, there are no more profiles in the current design -- there's only one "policy," and in our last discussion we came to the conclusion (IIRC) that the right way to offer configurability here was to allow "helper" instantiations like Policy::webpki() that pre-fill the things that would otherwise go under a full "profile."
This is another breakout from #8873 and #9405.
WIP while we work out some unexpected encodings. CC @facutuesca to take over.
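The thread above mentions canonical encodings and a helper constructor that pre-fills a single policy; the sketch below is an added example, not code from this PR or from pyca/cryptography, showing why exact-encoding membership matters. The `Policy` type, `permits` method and the byte-level set are hypothetical stand-ins; the six DER encodings are the RSASSA-PKCS1-v1_5 and ECDSA entries of BR section 7.1.3.2 (RSASSA-PSS entries are left out), and the two rejected inputs are constructed.

```rust
use std::collections::HashSet;
use std::sync::OnceLock;

// DER AlgorithmIdentifier encodings from BR 7.1.3.2 (RSASSA-PSS entries left out here).
pub const PERMITTED_DER: [&[u8]; 6] = [
    // RSASSA-PKCS1-v1_5 with SHA-256 / SHA-384 / SHA-512: parameters are an explicit NULL
    &[0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00],
    &[0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00],
    &[0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00],
    // ECDSA with SHA-256 / SHA-384 / SHA-512: parameters are absent
    &[0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02],
    &[0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03],
    &[0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04],
];

/// Hypothetical stand-in for the single policy type discussed in the thread.
pub struct Policy {
    permitted: &'static HashSet<&'static [u8]>,
}

impl Policy {
    /// Helper constructor that pre-fills the WebPKI algorithm set.
    pub fn webpki() -> Self {
        static SET: OnceLock<HashSet<&'static [u8]>> = OnceLock::new();
        Policy { permitted: SET.get_or_init(|| PERMITTED_DER.iter().copied().collect()) }
    }

    /// True only if the DER bytes match a permitted encoding exactly.
    pub fn permits(&self, alg_id_der: &[u8]) -> bool {
        self.permitted.contains(alg_id_der)
    }
}

// Constructed inputs: same OIDs as permitted entries, but with non-canonical parameters.
pub const RSA_SHA256_NO_PARAMS: &[u8] =
    &[0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b];
pub const ECDSA_SHA256_NULL: &[u8] =
    &[0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00];

fn main() {
    let policy = Policy::webpki();
    println!("canonical RSA/SHA-256:      {}", policy.permits(PERMITTED_DER[0]));
    println!("RSA/SHA-256, params absent: {}", policy.permits(RSA_SHA256_NO_PARAMS));
    println!("ECDSA/SHA-256, params NULL: {}", policy.permits(ECDSA_SHA256_NULL));
}
```

A set keyed on the whole identifier rejects a certificate whose signature algorithm uses a familiar OID with a differently encoded parameters field, which is the behaviour a byte-for-byte requirement calls for.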