-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
verification: enable ip subj. validation on android. #28
Conversation
7e1f5c5
to
bd4668b
Compare
ea7097b
to
043c62a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This ended up much easier then I expected based on when I last tried this, so this is great to see. I wonder if your first point about compressed IPv6 addresses was what was messing this up in the last attempt, since I think that I did try roundtripping it through string parsing.
While the Android verifier defers to the platform verifier for most certificate validation options, it relies on `webpki` for ensuring that a certificate is valid for a given subject name. Since Webpki v0.100.x it's been possible to use `webpki` to validate IP address subject names, and so we want this capability to be enabled for the Android verifier. This commit updates the Android `verifier` to accomplish this. Additionally it enables the mock IP address subject test cases in the mock test suite to ensure things work as expected. In order to support this change the function signature of the inner `Verifier.verify_certificate` fn has to change from accepting a `&str` server name, to also accepting the `&rustls::ServerName` that the trait based `ServerCertVerifier.verify_server_cert` was already accepting. There are two main reasons for this: 1. If we try to pull out a `String` to pass forward from the `rustls::ServerName::IpAddress(&IpAddr)` using `IpAddr.to_string()` we'll get back a "compressed" address for IPv6 addresses. This is problematic when later trying to convert to a `webpki::IpAddrRef` for the validation call using `IpAddrRef::try_from_ascii_str`, because it doesn't support the compressed form. 2. By passing through the `rustls::ServerName` directly we can defer the actual process of interacting with `webpki` to the newly exposed `rustls::client::verify_server_name` fn offered with the `dangerous_configuration` feature. This will ensure the logic for name validation is applied consistently between Rustls and the platform verifier.
043c62a
to
a02ff32
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to go now, LGTM.
Thanks for all the help :-) |
While the Android verifier defers to the platform verifier for most certificate validation options, it relies on
webpki
for ensuring that a certificate is valid for a given subject name. Since Webpki v0.100.x it's been possible to usewebpki
to validate IP address subject names, and so we want this capability to be enabled for the Android verifier.This commit updates the Android
verifier
to accomplish this. Additionally it enables the mock IP address subject test cases in the mock test suite to ensure things work as expected.In order to support this change the function signature of the inner
Verifier.verify_certificate
fn has to change from accepting a&str
server name, to also accepting the&rustls::ServerName
that the trait basedServerCertVerifier.verify_server_cert
was already accepting. There are two main reasons for this:String
to pass forward from therustls::ServerName::IpAddress(&IpAddr)
usingIpAddr.to_string()
we'll get back a "compressed" address for IPv6 addresses. This is problematic when later trying to convert to awebpki::IpAddrRef
for the validation call usingIpAddrRef::try_from_ascii_str
, because it doesn't support the compressed form.rustls::ServerName
directly we can defer the actual process of interacting withwebpki
to the newly exposedrustls::client::verify_server_name
fn offered with thedangerous_configuration
feature. This will ensure the logic for name validation is applied consistently between Rustls and the platform verifier. It also allows removing the Android specificpki_name_error
helper, and the Android target's usage of the generalcrate::verification::invalid_certificate
helper.Resolves #15