Add a crypto.x509.parse_and_verify_certificates_with_keys builtin #5882
Comments
Currently OPA sets
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.
Hi @ashutosh-narkar, can I pick this?
Sure @yogisinha!
Hi @ashutosh-narkar,
I will maintain a map of these strings to the actual Go constants defined in x509.go in the std lib and pass the actual key usages in the verifyOptions struct. Users can also pass an empty array, in which case I will apply KeyUsageServerAuth, which is the default in the std lib. lmk what you think?
@yogisinha what if we create a new builtin called something like
Ok, so the usage will be something like this, exposing the remaining options given by x509.VerifyOptions.
That's how you are envisioning it?
Yeah, something like that.
Hi @ashutosh-narkar, following are the code snippets of my main changes. I also have some questions about the main function. Please lmk what you think. Thanks. Declaring the builtin:
Function implementing the functionality. I just wanted to know whether the approach of collecting the JSON info is right, or whether there is another way. I am implementing a built-in function for the first time. And another thing is function
@yogisinha it's difficult to give feedback this way. I would recommend you open a draft PR and folks can chime in. Thanks.
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.
…options. Fixes open-policy-agent#5882 Signed-off-by: Yogesh Sinha <sinhayogi@gmail.com>
@ashutosh-narkar I created a draft PR for this: #6583
…ion. Fixes open-policy-agent#5882 Signed-off-by: Yogesh Sinha <sinhayogi@gmail.com>
Fixes open-policy-agent#5882 Signed-off-by: Yogesh Sinha <sinhayogi@gmail.com>
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.
…options. Fixes open-policy-agent#5882 (open-policy-agent#6643) Signed-off-by: Yogesh Sinha <sinhayogi@gmail.com> Signed-off-by: Thomas Sidebottom <thomas.sidebottom@va.gov>
What is the underlying problem you're trying to solve?
The current version of the crypto.x509.parse_and_verify_certificates builtin does not provide a way to choose which key usage the certificate is validated against. Due to the golang implementation of verify it will default to serverAuth (see code). However, some validations may need a different key usage to be handled. In my case it would be clientAuth, since I am trying to validate a certificate sent by an http client.
Describe the ideal solution
Ideally it would be perfect to add an optional argument to crypto.x509.parse_and_verify_certificates which is an array of key usages we want to check against (and default to serverAuth if not provided, to keep the current behavior).
Describe a "Good Enough" solution
I think an additional builtin crypto.x509.parse_and_verify_certificates_with_keys with an additional argument which is an array of strings would be totally sufficient to address most of the problems.
Additional Context
None for the moment, I may edit this later
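The serverAuth default described in the issue, and the string-to-constant map proposed by @yogisinha in the comments above, as an added example against the Go standard library (not OPA's builtin code or the draft PR): a constructed CA signs a client-only leaf, which the default VerifyOptions rejects and an explicit ClientAuth request accepts. The strings "ServerAuth" and "ClientAuth" are assumed spellings for the array argument.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyUsageNames maps policy-supplied strings (hypothetical spellings) to Go's constants.
var keyUsageNames = map[string]x509.ExtKeyUsage{
	"ServerAuth": x509.ExtKeyUsageServerAuth, "ClientAuth": x509.ExtKeyUsageClientAuth,
}

// verifyChain validates leaf against root for the named usages; an empty list leaves VerifyOptions.KeyUsages nil, so Go checks ServerAuth.
func verifyChain(leaf, root *x509.Certificate, usages []string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, name := range usages {
		ku, ok := keyUsageNames[name]
		if !ok { // the zero value is ExtKeyUsageAny, which would disable the check entirely
			return fmt.Errorf("unknown key usage %q", name)
		}
		opts.KeyUsages = append(opts.KeyUsages, ku)
	}
	_, err := leaf.Verify(opts)
	return err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeChain builds a constructed CA and a leaf valid only for client authentication (test material, so must panics on error).
func makeChain() (leaf, root *x509.Certificate) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, caPub, caPriv))))
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	client := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, client, root, leafPub, caPriv)))), root
}
```

Calling verifyChain(leaf, root, nil) reproduces the current builtin's behaviour and fails for the client certificate; passing []string{"ClientAuth"} is the case the issue asks for.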