Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

verification: client verification APIs #10345

Merged
merged 29 commits into from
Mar 21, 2024

Conversation

woodruffw
Copy link
Contributor

@woodruffw woodruffw commented Feb 4, 2024

Still WIP -- the public APIs are not fully filled in yet. Outstanding tasks:

  • Fill in build_client_verifier
  • Add and implement ClientVerifier.verify
  • Unit tests (including limbo tests?)

Closes #10276.

Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
src/rust/src/x509/verify.rs Outdated Show resolved Hide resolved
src/rust/src/x509/verify.rs Outdated Show resolved Hide resolved
@alex
Copy link
Member

alex commented Feb 4, 2024 via email

Signed-off-by: William Woodruff <william@yossarian.net>
src/rust/src/x509/verify.rs Outdated Show resolved Hide resolved
src/rust/src/x509/verify.rs Outdated Show resolved Hide resolved
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
docs/x509/verification.rst Outdated Show resolved Hide resolved
docs/x509/verification.rst Outdated Show resolved Hide resolved
src/rust/cryptography-x509-verification/src/policy/mod.rs Outdated Show resolved Hide resolved
src/rust/src/x509/verify.rs Outdated Show resolved Hide resolved
src/rust/src/x509/verify.rs Show resolved Hide resolved
@alex alex added this to the Forty Third Release milestone Feb 10, 2024
@alex
Copy link
Member

alex commented Feb 10, 2024

PS: Yes, there should be limbo tests for this. In principle the schema was designed in a way to incorporate them.

Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw marked this pull request as ready for review February 11, 2024 14:36
@woodruffw
Copy link
Contributor Author

I'll work on the limbo tests for this shortly (✈️)

@woodruffw
Copy link
Contributor Author

For tracking: C2SP/x509-limbo#196 has the initial client cases. I'm going to poke at email NC handling in a separate PR first, and then align those tests here.

@woodruffw
Copy link
Contributor Author

Email NC bits are merged, so I'll take another poke at this tonight or tomorrow.

@woodruffw
Copy link
Contributor Author

This will be at 100% coverage once C2SP/x509-limbo#221 lands. After that, I'll also look at filtering the set of subjects returned by the API to just ones that we currently have NC support for.

This is what we should have been doing originally, per
RFC 5280 4.2.1.10:

> If a name constraints extension that is marked as critical
> imposes constraints on a particular name form, and an instance of
> that name form appears in the subject field or subjectAltName
> extension of a subsequent certificate, then the application MUST
> either process the constraint or reject the certificate.
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw changed the title verification: WIP client verification skeleton verification: client verification APIs Mar 13, 2024
@woodruffw
Copy link
Contributor Author

This should be good for a review!

@alex alex merged commit 4a3e7dc into pyca:main Mar 21, 2024
57 checks passed
@woodruffw woodruffw deleted the ww/client-verification branch March 21, 2024 01:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

Allow verifying an x509 cert chain without making assertions about the subject name
2 participants