
RFC: When verifying, only use data after it is considered acceptable #2482

Closed
wants to merge 43 commits into from

Commits on Dec 7, 2022

  1. Rename sig to untrustedSignature

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit f8299e8
  2. Rename cert to untrustedCert

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit a155a19
  3. Rename chain to untrustedChain

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit cb0f9eb
  4. Rename CheckOpts.IntermediateCerts to UntrustedIntermediateCerts

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 2ce0cd0
  5. Rename pool to untrustedPool

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit f44d639
  6. Rename cert to untrustedCert

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 17cad99
  7. Rename parameters to TrustedCert to indicate untrusted...

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 58380e3
  8. Rename TrustedCert to CertificateSignedByTrustedRoot

    Let's not dangerously overpromise.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 21d19e8
  9. Introduce a correctlySignedCert variable

    ... to track the trust state.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 5ae11b5
  10. Rename cert to correctlySignedCert

    Document the requirement.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 5de8a27
  11. Rename validateCertIdentity to validateCertSubject

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 9831a1d
  12. Rename cert to correctlySignedCert

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit e3d4d9e
  13. Split validateIssuerPolicy from CheckCertificatePolicy

    Should not change behavior.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 9286e3a
  14. Validate the certificate issuer before worrying about the subject

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit b8ad87a
  15. Rename CheckCertificatePolicy to CheckCertificateIssuerAndSubject

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 784d491
  16. Only create a verifier from a certificate _after_ it passes conditions.

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit d4a62a5
  17. Only worry about certificate issuer and subject if the SCT is acceptable

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 5120f37
  18. Split ValidateAndUnpackCert

    ... into validateCertIssuanceAndSubject and verifierFromTrustedCertificate.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 8aa0f7d
  19. Replace ValidateAndUnpackCert in verifyInternal by its components

    We will want to delay verifierFromTrustedCertificate much further.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit bc50a08
  20. Warn more explicitly in some functions that ignore certificate validity restrictions.

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 91c6593
  21. Rename sig to untrustedSig

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 0d4bda1
  22. Rename ts to untrustedTimestamp

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 8b4421e
  23. Rename b64sig to untrustedB64Sig

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit e7b3199
  24. Rename signedPayload to untrustedPayload

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 43564e8
  25. Rename rawSig to untrustedRawSig

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 0ace845
  26. Rename tsBytes to untrustedTSAArtifact

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 07ffbb8
  27. Rename sig to untrustedSig

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit c37d3f8
  28. Rename bundle to untrustedBundle

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit d7028e7
  29. Rename parameters of VerifySET

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 7136f69
  30. Introduce acceptableBundleBody

    ... to track the trust status of the Rekor bundle
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit c9c92e2
  31. Only validate the public key and signature _after_ we accept the SET

    And validate the public key first, the signature second, just for
    consistency with the flow of trust (although that really doesn't
    matter here, we want all of (key, signature, payload) to match).
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 5aa2e8e
  32. Rename payload to untrustedPayload

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit b150bcf
  33. Rename signature to untrustedSignature

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 7428fc3
  34. Document VerifyBundle a bit more

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit ea498b2
  35. Rename pemBytes to untrustedPEMBytes

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 0321492
  36. Rename sig to untrustedSig

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 0771a5a
  37. Rename pem to untrustedPEM

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 28cb652
  38. Rename b64sig to untrustedB64sig

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 5c35a52
  39. Rename payload to untrustedPayload

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 66a6644
  40. BEHAVIOR CHANGE: Don't check against current time if we have an RFC 3161 timestamp
    
    Reorganize the certificate expiry checks, so that we check against
    the accepted timestamps if any, and only fall back to current time
    if there is no data.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 75cd9e8
  41. Eliminate the redundant cert variable

    Use certWithUnverifiedExpiry, which we already have,
    and which we care about.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 2c2f0da
  42. Introduce acceptableCert

    Finally, only create the verifier based on an actually acceptable certificate,
    instead of creating it first and then hoping not to forget to validate preconditions.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit 36f9fa1
  43. Update comments in verifyInternal

    ... to document the individual stages.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed Dec 7, 2022, commit deebfc5
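The ordering that commits 40 to 42 describe (check certificate expiry against the already-accepted timestamps, fall back to the current time only when there are none, and derive a verifier only from a certificate that passed) as an added Go example; this is illustrative code written for this page, not cosign's own, and the UntrustedCert, AcceptableCert, NewUntrustedCert and AcceptCert names are assumptions.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// UntrustedCert is parsed but not yet validated; no verifier may be built from it. (Hypothetical type, not cosign's.)
type UntrustedCert struct{ Cert *x509.Certificate }
func NewUntrustedCert(notBefore, notAfter time.Time) UntrustedCert { // constructed from a validity window only
	return UntrustedCert{Cert: &x509.Certificate{NotBefore: notBefore, NotAfter: notAfter}}
}

// AcceptableCert is only produced by AcceptCert, so holding one proves the
// expiry check already ran: the type system enforces the ordering.
type AcceptableCert struct{ cert *x509.Certificate }

// checkExpiry checks NotBefore/NotAfter against the accepted timestamps (a Rekor
// integrated time or RFC 3161 timestamp) and falls back to now only if there are none.
func checkExpiry(u UntrustedCert, acceptedTimestamps []time.Time, now time.Time) error {
	checkTimes := acceptedTimestamps
	if len(checkTimes) == 0 {
		checkTimes = []time.Time{now}
	}
	for _, t := range checkTimes {
		if t.Before(u.Cert.NotBefore) || t.After(u.Cert.NotAfter) {
			return fmt.Errorf("certificate not valid at %s", t.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// AcceptCert is the single transition from untrusted to acceptable.
func AcceptCert(u UntrustedCert, acceptedTimestamps []time.Time, now time.Time) (AcceptableCert, error) {
	if err := checkExpiry(u, acceptedTimestamps, now); err != nil {
		return AcceptableCert{}, err
	}
	return AcceptableCert{cert: u.Cert}, nil
}

func main() {
	nb := time.Date(2022, 12, 7, 10, 0, 0, 0, time.UTC) // constructed: 10-minute cert, expired by now
	u := NewUntrustedCert(nb, nb.Add(10*time.Minute))
	now := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	_, err := AcceptCert(u, []time.Time{nb.Add(time.Minute)}, now) // accepted timestamp inside the window
	fmt.Println("with accepted timestamp:", err) // <nil>
	_, err = AcceptCert(u, nil, now)
	fmt.Println("no timestamp, current time:", err) // certificate not valid at 2023-01-01T00:00:00Z
}
```

With an accepted timestamp inside the window the expired short-lived certificate is still acceptable; without one the check falls back to the current time and rejects it.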