rust: handle the case where the leaf cert is a CA #3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
woodruffw
reviewed
Sep 5, 2023
Comment on lines
399
to
409
| // If keyCertSign is true, the BasicConstraints extension must be present with cA set to true. | ||
| if key_usage.key_cert_sign() { | ||
| if let Some(basic_constraints) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) { | ||
| let basic_constraints: BasicConstraints = basic_constraints.value()?; | ||
| if !basic_constraints.ca { | ||
| return Err("KeyUsage.keyCertSign can only be true when BasicConstraints.cA is true".into()); | ||
| } | ||
| } else { | ||
| return Err("KeyUsage.keyCertSign can only be true when a BasicConstraints extension is present".into()); | ||
| } | ||
| } |
There was a problem hiding this comment.
I might be misunderstanding, but isn't this checked under permits_ca?
There was a problem hiding this comment.
Whoops, looks like I did indeed misunderstand a bit: I think what we need here is not to add this in permits_basic, but instead to add a new permits_leaf that calls either permits_ca or permits_ee depending on the state of these extensions.
tetsuo-cpp
commented
Sep 6, 2023
| if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) { | ||
| let key_usage: KeyUsage = key_usage.value()?; | ||
| if key_usage.key_cert_sign() { | ||
| return self.permits_ca(leaf); |
There was a problem hiding this comment.
The permits_ca function already checks the name constraints extension so I don't think we need to dispatch based on that.
We unfortunately need to leave the key usage check in side permits_ca since it gets used directly in chain building when finding issuers.
tetsuo-cpp
changed the title
BasicConstraints extension when KeyUsage.keyCertSign is set
Signed-off-by: William Woodruff <[email protected]>
EEs are not CAs. Signed-off-by: William Woodruff <[email protected]>
woodruffw
referenced
this pull request
Sep 7, 2023
Signed-off-by: William Woodruff <[email protected]>
alex
referenced
this pull request
in pyca/cryptography
Sep 16, 2023
* src, tests: flatten all changes Signed-off-by: William Woodruff <[email protected]> validation: remove Profile abstract from public APIs One step towards removing it entirely Signed-off-by: William Woodruff <[email protected]> policy: disambiguate references Signed-off-by: William Woodruff <[email protected]> policy: remove separate rfc5280 profile Signed-off-by: William Woodruff <[email protected]> policy: remove profile abstraction entirely Signed-off-by: William Woodruff <[email protected]> rust: permitted_algorithms filtering Signed-off-by: William Woodruff <[email protected]> verify: simplify policy API substantially No more manual monomorphization. Signed-off-by: William Woodruff <[email protected]> src, tests: remove verification code Signed-off-by: William Woodruff <[email protected]> validation: remove more validation code Signed-off-by: William Woodruff <[email protected]> * cryptography, rust: lintage Signed-off-by: William Woodruff <[email protected]> * cryptography, rust: lintage, add Policy.subject API Signed-off-by: William Woodruff <[email protected]> * src, tests: initial PolicyBuilder tests Signed-off-by: William Woodruff <[email protected]> * verify: Policy.validation_time getter Signed-off-by: William Woodruff <[email protected]> * push Store into rust Signed-off-by: William Woodruff <[email protected]> * cleanup, fixup Signed-off-by: William Woodruff <[email protected]> * tests: lintage Signed-off-by: William Woodruff <[email protected]> * src: lintage Signed-off-by: William Woodruff <[email protected]> * tests: fix linter warning * policy: apply the relevant parts of trail-of-forks/cryptography/pull/3 Signed-off-by: William Woodruff <[email protected]> * policy: typo Signed-off-by: William Woodruff <[email protected]> * fixup type hints Signed-off-by: William Woodruff <[email protected]> * drop dep Not used, yet. Signed-off-by: William Woodruff <[email protected]> * Revert "drop dep" This reverts commit a5154e1. * mod: remove permits_* bodies Will include these in a subsequent PR. Signed-off-by: William Woodruff <[email protected]> * src: drop certificate helpers as well Not needed yet. Signed-off-by: William Woodruff <[email protected]> * verify: remove unneeded explicit lifetimes Signed-off-by: William Woodruff <[email protected]> * tests: builder API coverage Signed-off-by: William Woodruff <[email protected]> * tests: more coverage Signed-off-by: William Woodruff <[email protected]> * type hints Signed-off-by: William Woodruff <[email protected]> * unused derives Signed-off-by: William Woodruff <[email protected]> * validation: more coverage Signed-off-by: William Woodruff <[email protected]> * policy: more cov Signed-off-by: William Woodruff <[email protected]> * policy: more coverage Signed-off-by: William Woodruff <[email protected]> * policy: add some known bad testcases Signed-off-by: William Woodruff <[email protected]> * policy: coverage Signed-off-by: William Woodruff <[email protected]> * validation: remove trust_store Not yet used. Signed-off-by: William Woodruff <[email protected]> * ops: add NullOps test Signed-off-by: William Woodruff <[email protected]> * x509: reimplement verify_directly_issued_by via CryptoOps Tests fail, but this gets the right coverage. Signed-off-by: William Woodruff <[email protected]> * ops: use results Signed-off-by: William Woodruff <[email protected]> * src, tests: last cov, hopefully Signed-off-by: William Woodruff <[email protected]> * test: lintage Signed-off-by: William Woodruff <[email protected]> * docs: fill in API docs Signed-off-by: William Woodruff <[email protected]> * rust: uniform imports Signed-off-by: William Woodruff <[email protected]> * minimize for MVP No configurable profile, Web PKI only. Signed-off-by: William Woodruff <[email protected]> * verify: remove old NOTE Signed-off-by: William Woodruff <[email protected]> * verify: remove another old NOTE Signed-off-by: William Woodruff <[email protected]> * src, tests: fixup tests Signed-off-by: William Woodruff <[email protected]> * docs: cleanup Signed-off-by: William Woodruff <[email protected]> * src, tests: drop support for missing subjects As part of the MVP. Signed-off-by: William Woodruff <[email protected]> * profile: remove old comments Signed-off-by: William Woodruff <[email protected]> * policy: remove some verify-adjacent APIs Paring down for review. Signed-off-by: William Woodruff <[email protected]> * policy: remove more verify-adjacent APIs Signed-off-by: William Woodruff <[email protected]> * policy: remove some From impls Signed-off-by: William Woodruff <[email protected]> * policy: remove rfc5280 constructor Signed-off-by: William Woodruff <[email protected]> * docs: declutter diff Signed-off-by: William Woodruff <[email protected]> * profile: prune even more state Signed-off-by: William Woodruff <[email protected]> * policy: remove old TODO Signed-off-by: William Woodruff <[email protected]> * policy: remove PolicyError For now. Signed-off-by: William Woodruff <[email protected]> * docs: typo Signed-off-by: William Woodruff <[email protected]> * ops: remove NullOps Signed-off-by: William Woodruff <[email protected]> * rust: remove dev-dep, don't use import Signed-off-by: William Woodruff <[email protected]> * rust: fix IP_ADDRESS rename Signed-off-by: William Woodruff <[email protected]> * docs: clarify time behavior Signed-off-by: William Woodruff <[email protected]> * rename webpki() to new() Since it doesn't actually do anything WebPKI related at the moment. Signed-off-by: William Woodruff <[email protected]> * docs: relocate Signed-off-by: William Woodruff <[email protected]> * verify: FixedPolicy -> PyCryptoPolicy Signed-off-by: William Woodruff <[email protected]> * verify: simplify SubjectOwner substantially Signed-off-by: William Woodruff <[email protected]> * verify: remove getter helper Signed-off-by: William Woodruff <[email protected]> * verify: reloc TODO Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: William Woodruff <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]>
tetsuo-cpp
commented
Sep 27, 2023
| pub(crate) fn permits_leaf(&self, leaf: &Certificate) -> Result<(), PolicyError> { | ||
| // NOTE: Perform `permits_ee` first, since 99% of path validations should have | ||
| // an EE certificate in the leaf position. | ||
| self.permits_ee(leaf).or_else(|_| self.permits_ca(leaf)) |
There was a problem hiding this comment.
@woodruffw Do you mind if I revert this change back to how it used to be?
let extensions = leaf.extensions()?;
if let Some(key_usage) = extensions.get_extension(&KEY_USAGE_OID) {
let key_usage: KeyUsage = key_usage.value()?;
if key_usage.key_cert_sign() {
return self.permits_ca(leaf);
}
}
return self.permits_ee(leaf);There are two things here:
- In the case of a CA certificate, we end up doing a bunch of irrelevant
permits_eefirst. As you point out, it's not the common case so it's not that big a deal, but it's still something. - When an EE cert fails validation for whatever reason, it calls
permits_caand then errors out (since it's not a CA). The error message that gets propagated out of the API ends up being a check frompermits_caand can be pretty confusing (it got me while I was debugging).
There was a problem hiding this comment.
Yeah, that's fine by me 🙂 -- the combinator form is arguably more idiomatic, but your point about the error being masked is a good one.
If you revert this, would you mind adding a short comment explaining? That way I don't try and get clever and refactor it again.
alex
referenced
this pull request
in pyca/cryptography
Sep 30, 2023
* src, tests: flatten all changes Signed-off-by: William Woodruff <[email protected]> validation: remove Profile abstract from public APIs One step towards removing it entirely Signed-off-by: William Woodruff <[email protected]> policy: disambiguate references Signed-off-by: William Woodruff <[email protected]> policy: remove separate rfc5280 profile Signed-off-by: William Woodruff <[email protected]> policy: remove profile abstraction entirely Signed-off-by: William Woodruff <[email protected]> rust: permitted_algorithms filtering Signed-off-by: William Woodruff <[email protected]> verify: simplify policy API substantially No more manual monomorphization. Signed-off-by: William Woodruff <[email protected]> src, tests: remove verification code Signed-off-by: William Woodruff <[email protected]> validation: remove more validation code Signed-off-by: William Woodruff <[email protected]> * cryptography, rust: lintage Signed-off-by: William Woodruff <[email protected]> * cryptography, rust: lintage, add Policy.subject API Signed-off-by: William Woodruff <[email protected]> * src, tests: initial PolicyBuilder tests Signed-off-by: William Woodruff <[email protected]> * verify: Policy.validation_time getter Signed-off-by: William Woodruff <[email protected]> * push Store into rust Signed-off-by: William Woodruff <[email protected]> * cleanup, fixup Signed-off-by: William Woodruff <[email protected]> * tests: lintage Signed-off-by: William Woodruff <[email protected]> * src: lintage Signed-off-by: William Woodruff <[email protected]> * tests: fix linter warning * policy: apply the relevant parts of trail-of-forks/cryptography/pull/3 Signed-off-by: William Woodruff <[email protected]> * policy: typo Signed-off-by: William Woodruff <[email protected]> * fixup type hints Signed-off-by: William Woodruff <[email protected]> * drop dep Not used, yet. Signed-off-by: William Woodruff <[email protected]> * Revert "drop dep" This reverts commit a5154e1. * mod: remove permits_* bodies Will include these in a subsequent PR. Signed-off-by: William Woodruff <[email protected]> * src: drop certificate helpers as well Not needed yet. Signed-off-by: William Woodruff <[email protected]> * verify: remove unneeded explicit lifetimes Signed-off-by: William Woodruff <[email protected]> * tests: builder API coverage Signed-off-by: William Woodruff <[email protected]> * tests: more coverage Signed-off-by: William Woodruff <[email protected]> * type hints Signed-off-by: William Woodruff <[email protected]> * unused derives Signed-off-by: William Woodruff <[email protected]> * validation: more coverage Signed-off-by: William Woodruff <[email protected]> * policy: more cov Signed-off-by: William Woodruff <[email protected]> * policy: more coverage Signed-off-by: William Woodruff <[email protected]> * policy: add some known bad testcases Signed-off-by: William Woodruff <[email protected]> * policy: coverage Signed-off-by: William Woodruff <[email protected]> * validation: remove trust_store Not yet used. Signed-off-by: William Woodruff <[email protected]> * ops: add NullOps test Signed-off-by: William Woodruff <[email protected]> * x509: reimplement verify_directly_issued_by via CryptoOps Tests fail, but this gets the right coverage. Signed-off-by: William Woodruff <[email protected]> * ops: use results Signed-off-by: William Woodruff <[email protected]> * src, tests: last cov, hopefully Signed-off-by: William Woodruff <[email protected]> * test: lintage Signed-off-by: William Woodruff <[email protected]> * docs: fill in API docs Signed-off-by: William Woodruff <[email protected]> * rust: uniform imports Signed-off-by: William Woodruff <[email protected]> * minimize for MVP No configurable profile, Web PKI only. Signed-off-by: William Woodruff <[email protected]> * verify: remove old NOTE Signed-off-by: William Woodruff <[email protected]> * verify: remove another old NOTE Signed-off-by: William Woodruff <[email protected]> * src, tests: fixup tests Signed-off-by: William Woodruff <[email protected]> * docs: cleanup Signed-off-by: William Woodruff <[email protected]> * src, tests: drop support for missing subjects As part of the MVP. Signed-off-by: William Woodruff <[email protected]> * profile: remove old comments Signed-off-by: William Woodruff <[email protected]> * verification: deconflict docs Signed-off-by: William Woodruff <[email protected]> * validation: bump pem dev-dep Signed-off-by: William Woodruff <[email protected]> * validation: drop PolicyError Not part of these changes. Signed-off-by: William Woodruff <[email protected]> * validation: drop Policy::rfc5280 Not needed yet; not part of MVP. Signed-off-by: William Woodruff <[email protected]> * `Policy::webpki` -> `Policy::new` Bad merge. Signed-off-by: William Woodruff <[email protected]> * validation/policy: remove configuration APIs Rust-only, unused, non-MVP. Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: William Woodruff <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.