-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
verification: client verification APIs #10345
Conversation
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
That makes sense to me
…On Sun, Feb 4, 2024, 4:20 PM William Woodruff ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In src/cryptography/hazmat/bindings/_rust/x509.pyi
<#10345 (comment)>:
> + ) -> tuple[
+ x509.Name, x509.SubjectAlternativeName | None, list[x509.Certificate]
+ ]: ...
Named type makes sense!
Re: subject: in that case, perhaps client verification should enforce the
presence of a SAN? That should be trivial to do.
—
Reply to this email directly, view it on GitHub
<#10345 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBGNRZWSBXWE4IGIEZDYR73QLAVCNFSM6AAAAABCY4GHUGVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTQNRRGU3DCOBQGE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
src/rust/cryptography-x509-verification/src/policy/extension.rs
Outdated
Show resolved
Hide resolved
PS: Yes, there should be limbo tests for this. In principle the schema was designed in a way to incorporate them. |
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
I'll work on the limbo tests for this shortly ( |
For tracking: C2SP/x509-limbo#196 has the initial client cases. I'm going to poke at email NC handling in a separate PR first, and then align those tests here. |
Email NC bits are merged, so I'll take another poke at this tonight or tomorrow. |
This will be at 100% coverage once C2SP/x509-limbo#221 lands. After that, I'll also look at filtering the set of subjects returned by the API to just ones that we currently have NC support for. |
This is what we should have been doing originally, per RFC 5280 4.2.1.10: > If a name constraints extension that is marked as critical > imposes constraints on a particular name form, and an instance of > that name form appears in the subject field or subjectAltName > extension of a subsequent certificate, then the application MUST > either process the constraint or reject the certificate.
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
This should be good for a review! |
Still WIP -- the public APIs are not fully filled in yet. Outstanding tasks:build_client_verifier
ClientVerifier.verify
Closes #10276.