Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove duplicate leaf cert parse in x509 validator #4176

Closed
wants to merge 1 commit into from
Closed

Remove duplicate leaf cert parse in x509 validator #4176

wants to merge 1 commit into from

Conversation

goatgoose
Copy link
Contributor

@goatgoose goatgoose commented Aug 30, 2023
edited
Loading

Resolved issues:

Resolves #4163

Description of changes:

s2n-tls processes received certificates in s2n_x509_validator_validate_cert_chain(). Among other things, this function performs the following:

  • Each of the received asn1-encoded certificates are parsed via the d2i_X509() libcrypto API. The parsed X509 libcrypto objects are provided to the libcrypto to validate the certificate chain.
  • The public key and public key type are retrieved from the leaf certificate, and returned via the output arguments.

Currently, the leaf certificate is parsed when parsing all of the other received certificates in s2n_x509_validator_read_cert_chain(), and then parsed again later when getting the public key and public key type in s2n_x509_validator_read_leaf_info().

The libcrypto API used to parse certificates, d2i_X509(), isn't free. The duplicate d2i_X509() call can be observed in following flamegraph:

Pre-fix flamegraph Screenshot 2023-08-30 at 13 09 34

This PR refactors s2n_x509_validator_validate_cert_chain() and s2n_asn1der_to_public_key_and_type() to remove the duplicate leaf cert parse, improving total handshake performance by 8.4% in the example shown above.

The refactor involves splitting up s2n_asn1der_to_public_key_and_type() into a separate function that gets the public key and type from an already parsed cert, so that the x509 validator can call this version instead. However, this is complicated by some additional validation performed in s2n_asn1der_to_public_key_and_type() which checks the number of trailing bytes after parsing the cert. To ensure no behavior change, this validation was kept, and moved to when the leaf cert was parsed for the first time.

Call-outs:

  • My intent was to not change any observable existing behavior in this PR.

Testing:

New unit tests were added to make sure the existing behavior of s2n_x509_validator_validate_cert_chain() and s2n_asn1der_to_public_key_and_type() were preserved. I've confirmed that all of the new tests also succeed on the unmodified code.

There are existing tests that ensure trailing bytes are checked when validating received leaf certificates in s2n_x509_validator_validate_cert_chain():

s2n-tls/tests/unit/s2n_x509_validator_test.c

Line 1763 in 5d5400a

/* Test one trailing byte in cert validator */

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Aug 30, 2023
@goatgoose goatgoose force-pushed the leaf-cert-fix branch 7 times, most recently from d05b772 to 51e8186 Compare August 30, 2023 22:18
@goatgoose
Remove duplicate leaf cert parse in x509 validator
cac7e81 
Squashed commit of the following:

commit 80e4852
Author: Sam Clark <[email protected]>
Date:   Wed Aug 30 11:11:11 2023 -0400

    clang-format

commit 5cb354e
Author: Sam Clark <[email protected]>
Date:   Wed Aug 30 11:04:18 2023 -0400

    add test for validating empty cert chain

commit 18898dc
Author: Sam Clark <[email protected]>
Date:   Wed Aug 30 10:42:39 2023 -0400

    change length validate error to S2N_ERR_DECODE_CERTIFICATE

commit ac44a47
Author: Sam Clark <[email protected]>
Date:   Tue Aug 29 17:04:52 2023 -0400

    fixes

commit 382077b
Author: Sam Clark <[email protected]>
Date:   Tue Aug 29 16:54:58 2023 -0400

    s2n_asn1der_to_public_key_and_type tests

commit 3a28208
Author: Sam Clark <[email protected]>
Date:   Tue Aug 29 15:54:48 2023 -0400

    test for checking trailing bytes with multiple certs

commit 5a45a57
Author: Sam Clark <[email protected]>
Date:   Tue Aug 29 11:32:38 2023 -0400

    refactor cert parsing functions

commit b3bc30a
Merge: ff40e48 5d5400a
Author: Sam Clark <[email protected]>
Date:   Tue Aug 29 10:16:34 2023 -0400

    Merge branch 'main' into leaf-cert-fix

commit ff40e48
Author: Sam Clark <[email protected]>
Date:   Tue Aug 29 10:15:55 2023 -0400

    wip

commit 4e6a05a
Author: Sam Clark <[email protected]>
Date:   Fri Aug 25 22:10:22 2023 -0400

    expects leaf cert parse even with tls 1.2

commit a6236ba
Author: Sam Clark <[email protected]>
Date:   Thu Aug 24 19:09:42 2023 -0400

    wip
@goatgoose goatgoose marked this pull request as ready for review August 31, 2023 16:23
@github-actions
Copy link

This PR has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@jmayclin jmayclin mentioned this pull request Jan 10, 2024
Merged
@maddeleine
Copy link
Contributor

Closing this as #4351 was merged.

@maddeleine maddeleine closed this Jan 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@camshaft camshaft Awaiting requested review from camshaft

@lrstewart lrstewart Awaiting requested review from lrstewart

Assignees
No one assigned
Labels
s2n-core team status/stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Leaf cert is parsed twice in s2n_x509_validator
2 participants
@goatgoose @maddeleine