This PR adds cross signatures to TRCs. #1023
Conversation
@pszalach Can you review, please?
Review status: 0 of 2 files reviewed at latest revision, 10 unresolved discussions, some commit checks failed.

lib/crypto/trc.py, line 27 at r1:
as we decided to use cryptography.io (see #1003), I'm wondering whether this lib is needed...

lib/crypto/trc.py, line 315 at r1:
it makes sense to describe formats here

lib/crypto/trc.py, line 317 at r1:
local signatures are not captured here?

lib/crypto/trc.py, line 322 at r1:
check for CA elif ... == "CA": ... else logging.error(...)

lib/crypto/trc.py, line 325 at r1:
local, remote, or any AS/

lib/crypto/trc.py, line 388 at r1:
would it verify TRC chains longer than 2?

lib/crypto/trc.py, line 429 at r1:
error

lib/crypto/trc.py, line 473 at r1:
logging.error/warning?

lib/crypto/trc.py, line 475 at r1:
error

topology/generator.py, line 418 at r1:
assign
@sezergueler a few comments after the first round.
Review status: 0 of 2 files reviewed at latest revision, 10 unresolved discussions, some commit checks failed.
Review status: 0 of 2 files reviewed at latest revision, 10 unresolved discussions, some commit checks failed.

lib/crypto/trc.py, line 27 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
I am using the verify function from OpenSSL here. It looks like cryptography.io does not support this yet: pyca/cryptography#2381. They have a PR for this opened almost 2 years ago, but it looks like it will take some time until it is supported: pyca/cryptography#2460.

lib/crypto/trc.py, line 315 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

lib/crypto/trc.py, line 317 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
All signatures are captured; this function only parses the 3 different subject types (CA, RAINS, AS). I added some additional checks such that it does not fail if a subject string cannot be parsed.

lib/crypto/trc.py, line 322 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

lib/crypto/trc.py, line 325 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

lib/crypto/trc.py, line 388 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
This is a good point. The idea is the following: All TRCs that are already verified would be provided by the caller of The problem here is that we do not have topology information. We do not know which intermediate TRCs we need to verify TRC 4. I think this is the best we can do here.

lib/crypto/trc.py, line 429 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

lib/crypto/trc.py, line 473 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

lib/crypto/trc.py, line 475 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

topology/generator.py, line 418 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
Done.
@pszalach Thanks for the review! I addressed the comments.
Review status: 0 of 2 files reviewed at latest revision, 10 unresolved discussions, some commit checks failed.

lib/crypto/trc.py, line 388 at r1: Previously, sezergueler wrote…
@PSZ I changed this a little bit. It is not necessary to construct the complete tree, but one can of course take only the neighbors of the remote TRC and try to verify only based on those, instead of my previous brute-force approach where I tried to verify with every TRC in the list.
@pszalach Online keys added.
Review status: 0 of 3 files reviewed at latest revision, 8 unresolved discussions, some commit checks failed.

lib/crypto/trc.py, line 322 at r1: Previously, sezergueler wrote…

lib/crypto/trc.py, line 386 at r3:
maybe: "Cannot parse the subject: %s" % subject

lib/crypto/trc.py, line 394 at r3:
ditto

lib/crypto/trc.py, line 446 at r3:
I'd be consistent with

lib/crypto/trc.py, line 461 at r3:
parentheses instead of

sub/web, line 1 at r3:
update submodules

topology/generator.py, line 178 at r3:
single line

topology/generator.py, line 471 at r3:
single line
Review status: 0 of 3 files reviewed at latest revision, 8 unresolved discussions, some commit checks failed.

lib/crypto/trc.py, line 322 at r1: Previously, pszalach (Paweł Szałachowski) wrote…
Yes, there is a whitespace in the subject string before "CA".

lib/crypto/trc.py, line 386 at r3: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

lib/crypto/trc.py, line 394 at r3: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

lib/crypto/trc.py, line 446 at r3: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

lib/crypto/trc.py, line 461 at r3: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

sub/web, line 1 at r3: Previously, pszalach (Paweł Szałachowski) wrote…
I will update when rebasing.

topology/generator.py, line 178 at r3: Previously, pszalach (Paweł Szałachowski) wrote…
Done.

topology/generator.py, line 471 at r3: Previously, pszalach (Paweł Szałachowski) wrote…
Done.
Review status: 0 of 3 files reviewed at latest revision, 10 unresolved discussions, some commit checks failed.

lib/crypto/trc.py, line 55 at r4:
Look at how

lib/crypto/trc.py, line 292 at r4:
Review status: 0 of 3 files reviewed at latest revision, 10 unresolved discussions.

lib/crypto/trc.py, line 55 at r4: Previously, shitz wrote…
Done.

lib/crypto/trc.py, line 292 at r4: Previously, shitz wrote…
Done.
When generating a TRC in generator.py, the cross signatures from neighboring ISDs (1 CA, 1 root ASes, RAINS) are added to the TRC. Functionality for checking those cross-signatures and for verifying trust chains from one TRC to a different TRC was added.
I'm going to close this, since it's highly unlikely this will ever get merged.