Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

expand webpki verifier CRL support #1547

Merged
merged 21 commits into from
Oct 25, 2023
Merged

expand webpki verifier CRL support #1547

merged 21 commits into from
Oct 25, 2023

Conversation

cpu
Copy link
Member

@cpu cpu commented Oct 20, 2023

This branch achieves three top-level goals:

  1. It expands the existing webpki client certificate verifier builder to allow configuring the revocation checking depth (by default, full chain when CRLs are provided, optionally only end-entity), and to control how unknown revocation status is handled (by default, treating unknown revocation status as an error when CRLs are provided, optionally allowing unknown).
  2. It reworks the webpki server certificate verifier to be constructed using a builder, matching the client verifier.
  3. It adds optional CRL support to the server certificate verifier, allowing users to opt in to providing CRLs and controlling how revocation will be handled (depth, unknown status, etc). This support will be helpful towards resolving Revocation checking by clients #1541.

@codecov
Copy link

codecov bot commented Oct 20, 2023
edited
Loading

Codecov Report

Merging #1547 (73c846d) into main (19d5eda) will increase coverage by 0.02%.
Report is 1 commits behind head on main.
The diff coverage is 97.83%.

❗ Current head 73c846d differs from pull request most recent head f839f18. Consider uploading reports for the commit f839f18 to get more accurate results

@@            Coverage Diff             @@
##             main    #1547      +/-   ##
==========================================
+ Coverage   96.49%   96.51%   +0.02%     
==========================================
  Files          74       75       +1     
  Lines       15113    15355     +242     
==========================================
+ Hits        14583    14820     +237     
- Misses        530      535       +5
Files Coverage Δ
rustls/src/client/builder.rs 88.00% <100.00%> (+0.32%) ⬆️
rustls/src/error.rs 97.01% <100.00%> (+0.49%) ⬆️
rustls/src/verifybench.rs 100.00% <100.00%> (ø)
rustls/src/webpki/mod.rs 97.43% <100.00%> (+11.22%) ⬆️
rustls/src/webpki/verify.rs 99.25% <100.00%> (-0.16%) ⬇️
rustls/src/webpki/client_verifier.rs 97.74% <97.74%> (ø)
rustls/src/webpki/server_verifier.rs 96.77% <96.77%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

cpu
cpu commented Oct 20, 2023
View reviewed changes
rustls/tests/common/mod.rs Outdated Show resolved Hide resolved
cpu
cpu commented Oct 20, 2023
View reviewed changes
rustls/src/error.rs Outdated Show resolved Hide resolved
@cpu
Copy link
Member Author

cpu commented Oct 20, 2023

codecov/patch — 95.15% of diff hit (target 96.46%)

I'll see if I can address some of these coverage gaps (likely ~Mon).

ctz
ctz reviewed Oct 23, 2023
View reviewed changes
rustls/src/webpki/verify.rs Outdated Show resolved Hide resolved
djc
djc reviewed Oct 23, 2023
View reviewed changes
Copy link
Member

@djc djc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven't looked at the testing commits much yet, here's a first round of feedback.

rustls/src/webpki/client_verifier_builder.rs Outdated Show resolved Hide resolved
rustls/src/webpki/client_verifier_builder.rs Outdated Show resolved Hide resolved
rustls/src/error.rs Outdated Show resolved Hide resolved
rustls/src/webpki/client_verifier_builder.rs Outdated Show resolved Hide resolved
rustls/src/webpki/verify.rs Outdated Show resolved Hide resolved
provider-example/src/lib.rs Show resolved Hide resolved
rustls/src/webpki/verify.rs Show resolved Hide resolved
rustls/src/webpki/verifier_builders.rs Outdated Show resolved Hide resolved
rustls/src/webpki/verify.rs Outdated Show resolved Hide resolved
rustls/src/webpki/verify.rs Outdated Show resolved Hide resolved
cpu added 17 commits October 23, 2023 10:34
@cpu
webpki: move ServerCertVerifier impl below inherent impl
fa4b2b8
@cpu
webpki: move crate-internal type below pub types
3e32e62
@cpu
webpki: move Debug impl below inherent impl
fb0bb6c
@cpu
webpki: move pub struct above pub(crate) types
b23187c
@cpu
webpki: fix up ParsedCertificate rustdoc
2083fbb 
* Capitalize first word.
* Break out headline sentence.
* Wrap the rest.
@cpu
webpki: clarify verifier builder test names
302d004 
In the future we'll have similar unit tests for the server certificate
verifiers. This commit clarifies the tests that are specific to the
client certificate verifier.
@cpu
webpki: add revocation depth control to client verifier
17c2bd1 
This commit exposes support for configuring client certificate
revocation checking depth when building a webpki client certificate
verifier. By default when CRLs are provided revocation status checks
will be performed for all certificates in the verified chain to a trust
anchor (minus the trust anchor itself). Optionally users of the verifier
builder may opt to relax this behaviour to check only the end entity
certificate's revocation status.
@cpu
webpki: add unknown revocation status control to client verifier
2afd0aa 
This commit exposes support for configuring client certificate
revocation behaviour for the case where revocation status can not be
determined. By default the webpki client certificate verifier built by
the `ClientCertVerifierBuilder` will treat unknown revocation status as
an error. Users of the builder may optionally relax this behaviour to
allow unknown revocation status.
@cpu
webpki: rename client_verifier_builder -> client_verifier
a64f869 
This commit renames the `client_verifier_builder.rs` module to be named
`client_verifier.rs`. In a subsequent commit we'll move the verifier
impl that is built by the verifier builder into the same module. This
will make it easier to create a `server_verifier.rs` module for the
server certificate verifier equivalents, and keeps the builder and the
type it builds in the same module for clarity.
@cpu
webpki: move WebPkiClientVerifier to client_verifier
de172f8 
This commit moves the `WebPkiClientVerifier` type (and associated bits)
from `verify.rs` into `client_verifier.rs` to live alongside its builder
type.
@cpu
webpki: move crl_error and pki_error tests
36b2384 
This commit moves the unit tests for the `crl_error` and `pki_error`
helpers to be defined alongside the helpers themselves, in `mod.rs`, as
opposed to `verify.rs`.
@cpu
webpki: ClientCertVerifierBuilderError -> VerifierBuilderError
1f17c03 
This commit renames the existing `ClientCertVerifierBuilderError` to be
called `VerifierBuilderError`. The top-level rustdoc comment is also
updated to better reflect the usage of the type.
@cpu
webpki: lift VerifierBuilderError to mod.rs
7988627 
This commit moves the `VerifierBuilderError` from `client_verifier.rs`
to `mod.rs` where it can be shared between both the client and server
verifiers in the future.
@cpu
webpki: lift out helper for borrowing owned CRLs
501699b 
This commit lifts out a private `borrow_crls` fn that can be used to
convert a `&Vec<webpki::OwnedCertRevocationList>` to a `Vec<&dyn
webpki::CertRevocationList>`.

Presently there is only one call-site, but in future commits we will add
a second and it's helpful to not have to duplicate the code + clippy
allow.
@cpu
webpki: move WebPkiServerVerifier to server_verifier.rs
282da94 
This commit moves the existing `WebPkiServerVerifier` type out of
`verify.rs` and into `server_verifier.rs`. This matches the new
`client_verifier.rs` module introduced in a previous commit and paves
the way for having a single module location for both the verifier type
and a builder for making it.
@cpu
webpki: builder for server cert verifier, CRL support
3067a6b 
This commit reworks the `WebPkiServerCertVerifier` type to use
a builder model similar to the `WebPkiClientCertVerifier` type. The new
`ServerCertVerifierBuilder` additionally exposes support for configuring
the depth of revocation status checking, and how to handle unknown
revocation status.
@cpu
test-ca: make CRLs revoking intermediate, server EE certs
cc09c0c 
Previously the test-ca `build-a-pki.sh` script would revoke each key
type's client certificate to produce a `client.revoked.crl.pem` CRL.

In this commit we update the script to do the same for each key type's
intermediate cert (`inter.cert`) to produce a `inter.revoked.crl.pem`,
as well as the server ee cert (`end.cert`) to produce
a `end.revoked.crl.pem` file. This will be useful for testing the chain
depth revocation controls, and the server verifier CRL support.
@cpu cpu force-pushed the cpu-1541-crl-for-server-cert branch 2 times, most recently from 8fd505a to a442247 Compare October 23, 2023 17:32
@cpu
tests: coverage for client revocation depth/unknown status
14e8d5c 
This commit updates the existing client certificate revocation testing
to also exercise the two new verifier options for controlling the depth
of revocation checking, and deciding how to handle unknown revocation
status.
@cpu
tests: coverage for server revocation depth/unknown status
076c1bf 
This commit adds test coverage for a client connecting to a server with
a webpki server certificate verifier configured to do CRL revocation
checking.
@cpu cpu force-pushed the cpu-1541-crl-for-server-cert branch from a442247 to 076c1bf Compare October 23, 2023 17:37
@cpu
error: use UnknownCA alert for Error:UnknownRevocationStatus
155fbd6 
This matches OpenSSL, BoringSSL and AWS-LC. Since the existing
functionality was heavily referencing these projects it seems sensible
to do the same here.
@cpu
Copy link
Member Author

cpu commented Oct 24, 2023

codecov/patch — 95.15% of diff hit (target 96.46%)

I'll see if I can address some of these coverage gaps

I took a look at where coverage was missing and it seemed to only be from the change to separate the public API helper for verifying a certificate chains to a trust anchor from the crate internal one. Our existing test coverage now only uses the crate internal _impl variant, so I added a separate smoke test for the public version and coverage is happy again.

This was referenced Oct 24, 2023
Merged
Merged
ctz
ctz approved these changes Oct 25, 2023
View reviewed changes
rustls/tests/api.rs Outdated Show resolved Hide resolved
@cpu cpu force-pushed the cpu-1541-crl-for-server-cert branch from 73c846d to f839f18 Compare October 25, 2023 13:33
@cpu
Copy link
Member Author

cpu commented Oct 25, 2023

Djc indicated he's going to hold doing a second pass on this until the ergonomic refactorings are rebased on top, so I'm going to go ahead and merge this one with the +1 from Ctz.

Thanks for the reviews!

@cpu
Copy link
Member Author

cpu commented Oct 25, 2023
edited
Loading

icount bench / Run icount benchmarks (pull_request) Failing after 2m

The diffs here are either very small, or speedups, so I think we're OK here.

@cpu cpu added this pull request to the merge queue Oct 25, 2023
Merged via the queue into rustls:main with commit 60420c5 Oct 25, 2023
20 of 21 checks passed
@cpu cpu deleted the cpu-1541-crl-for-server-cert branch October 25, 2023 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc left review comments

@ctz ctz ctz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cpu @djc @ctz