Skip to content

Commit

Permalink
Allow additional critical extensions to be used during validate_path
Browse files Browse the repository at this point in the history
Some certificates will contain critical extensions that certvalidator
doesn't know about. If the caller knows those critical extensions, it
can pass them into ValidationContext so that validate_path doesn't error
when it gets to the critical extensions check.
  • Loading branch information
achow101 committed Dec 15, 2020
1 parent 27283e4 commit e5bdb4b
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 17 deletions.
32 changes: 31 additions & 1 deletion certvalidator/context.py
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,10 @@ class ValidationContext():
# options include: "md2", "md5", "sha1"
weak_hash_algos = None

# A set of unicode strings of critical extensions. If an intermediate certificate
# has a critical extension not in this set, it will fail validation.
critical_extensions = None

# A set of byte strings of the SHA-1 hashes of certificates that are whitelisted
_whitelisted_certs = None

Expand Down Expand Up @@ -102,7 +106,7 @@ class ValidationContext():
def __init__(self, trust_roots=None, extra_trust_roots=None, other_certs=None,
whitelisted_certs=None, moment=None, allow_fetching=False, crls=None,
crl_fetch_params=None, ocsps=None, ocsp_fetch_params=None,
revocation_mode="soft-fail", weak_hash_algos=None):
revocation_mode="soft-fail", weak_hash_algos=None, additional_critical_extensions=None):
"""
:param trust_roots:
If the operating system's trust list should not be used, instead
Expand Down Expand Up @@ -329,6 +333,31 @@ def __init__(self, trust_roots=None, extra_trust_roots=None, other_certs=None,
else:
weak_hash_algos = set(['md2', 'md5'])

supported_critical_extensions = set([
'authority_information_access',
'authority_key_identifier',
'basic_constraints',
'crl_distribution_points',
'extended_key_usage',
'freshest_crl',
'key_identifier',
'key_usage',
'ocsp_no_check',
'certificate_policies',
'policy_mappings',
'policy_constraints',
'inhibit_any_policy',
])
if additional_critical_extensions is not None:
if not isinstance(additional_critical_extensions, set):
raise TypeError(pretty_message(
'''
additional_critical_extensions must be a set of unicode strings, not %s
''',
type_name(additional_critical_extensions)
))
supported_critical_extensions |= additional_critical_extensions

self.certificate_registry = CertificateRegistry(
trust_roots,
extra_trust_roots,
Expand Down Expand Up @@ -362,6 +391,7 @@ def __init__(self, trust_roots=None, extra_trust_roots=None, other_certs=None,
self._revocation_mode = revocation_mode
self._soft_fail_exceptions = []
self.weak_hash_algos = weak_hash_algos
self.critical_extensions = supported_critical_extensions

@property
def crls(self):
Expand Down
17 changes: 1 addition & 16 deletions certvalidator/validate.py
Original file line number Diff line number Diff line change
Expand Up @@ -664,22 +664,7 @@ def _validate_path(validation_context, path, end_entity_name_override=None):

# Step 3 o
# Check for critical unsupported extensions
supported_extensions = set([
'authority_information_access',
'authority_key_identifier',
'basic_constraints',
'crl_distribution_points',
'extended_key_usage',
'freshest_crl',
'key_identifier',
'key_usage',
'ocsp_no_check',
'certificate_policies',
'policy_mappings',
'policy_constraints',
'inhibit_any_policy',
])
unsupported_critical_extensions = cert.critical_extensions - supported_extensions
unsupported_critical_extensions = cert.critical_extensions - validation_context.critical_extensions
if unsupported_critical_extensions:
raise PathValidationError(pretty_message(
'''
Expand Down

0 comments on commit e5bdb4b

Please sign in to comment.