
Allow additional critical extensions to be used during validate_path #33

Open · wants to merge 1 commit into base: master
Conversation

achow101

Some certificates will contain critical extensions that certvalidator
doesn't know about. If the caller knows those critical extensions, it
can pass them into ValidationContext so that validate_path doesn't error
when it gets to the critical extensions check.
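
How the check described above works, as an added example that is not part of this PR or of certvalidator's own code: RFC 5280 section 4.2 requires a relying party to reject a certificate carrying a critical extension it cannot process, so a validator with a fixed list of recognised OIDs fails on certificates that use a critical extension the caller's environment does understand. The block below parses the extensions out of a DER certificate, applies that rule, and lets the caller vouch for extra OIDs. Everything in it is an assumption made for the example: the DER encoder and parser are deliberately minimal (single-byte tags only), `KNOWN_EXTENSIONS` is a representative RFC 5280 subset chosen here rather than certvalidator's real list, the parameter name `other_critical_extensions` and the OID `1.3.6.1.4.1.99999.1` are hypothetical, and the sample certificate is constructed inline and unsigned.

```python
# Added example, not certvalidator's implementation. Demonstrates the RFC 5280
# 4.2 "unrecognised critical extension" check with a caller-supplied allowlist.
# DER helpers are minimal (single-byte tags, definite lengths); the certificate
# is constructed below and carries no real signature.


def der(tag, body):
    """Encode one DER TLV in definite-length form."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, continuation bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def parse_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_seq(body):
    """Split the content of a SEQUENCE into a list of (tag, value)."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        items.append((tag, value))
    return items


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc < 2.40)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def extensions_of(cert_der):
    """Return [(oid, critical)] for every extension in a DER X.509 certificate."""
    _, cert_body, _ = parse_tlv(cert_der)   # Certificate ::= SEQUENCE
    _, tbs_body, _ = parse_tlv(cert_body)   # tbsCertificate is its first element
    result = []
    for tag, value in parse_seq(tbs_body):
        if tag != 0xA3:                     # extensions [3] EXPLICIT SEQUENCE OF Extension
            continue
        for _, ext_body in parse_seq(parse_seq(value)[0][1]):
            fields = parse_seq(ext_body)    # extnID, [critical BOOLEAN DEFAULT FALSE], extnValue
            critical = any(t == 0x01 and v == b"\xff" for t, v in fields)
            result.append((decode_oid(fields[0][1]), critical))
    return result


KNOWN_EXTENSIONS = {  # representative RFC 5280 set (an assumption, not the library's list)
    "2.5.29.14",  # subjectKeyIdentifier
    "2.5.29.15",  # keyUsage
    "2.5.29.17",  # subjectAltName
    "2.5.29.19",  # basicConstraints
    "2.5.29.30",  # nameConstraints
    "2.5.29.31",  # cRLDistributionPoints
    "2.5.29.32",  # certificatePolicies
    "2.5.29.35",  # authorityKeyIdentifier
    "2.5.29.37",  # extKeyUsage
}
PRIVATE_OID = "1.3.6.1.4.1.99999.1"  # hypothetical enterprise extension


class PathValidationError(Exception):
    pass


def unrecognized_critical(cert_der, other_critical_extensions=()):
    """Critical OIDs that are neither built in nor vouched for by the caller."""
    supported = set(KNOWN_EXTENSIONS) | set(other_critical_extensions)
    return [oid for oid, critical in extensions_of(cert_der) if critical and oid not in supported]


def check_critical_extensions(cert_der, other_critical_extensions=()):
    """RFC 5280 4.2: reject any critical extension the validator cannot process."""
    unknown = unrecognized_critical(cert_der, other_critical_extensions)
    if unknown:
        raise PathValidationError("unrecognised critical extension(s): " + ", ".join(unknown))
    return True


def _extension(oid, value, critical=False):
    flag = der(0x01, b"\xff") if critical else b""  # DER omits BOOLEAN at its DEFAULT
    return der(0x30, der_oid(oid) + flag + der(0x04, value))


def build_sample_cert():
    """Constructed, unsigned skeleton certificate with one private critical extension."""
    sha256_rsa = der(0x30, der_oid("1.2.840.113549.1.1.11"))
    exts = der(0x30, _extension("2.5.29.19", der(0x30, der(0x01, b"\xff")), critical=True)  # basicConstraints cA
                     + _extension("2.5.29.15", der(0x03, b"\x01\x06"), critical=True)      # keyUsage keyCertSign|cRLSign
                     + _extension(PRIVATE_OID, der(0x04, b"\x00"), critical=True)          # private, critical
                     + _extension("2.5.29.14", der(0x04, b"\x01" * 20)))                   # subjectKeyIdentifier
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                                            # [0] version v3
                    + der(0x02, b"\x01") + sha256_rsa + der(0x30, b"")                       # serial, sigalg, issuer
                    + der(0x30, der(0x17, b"220101000000Z") + der(0x17, b"230101000000Z"))  # validity
                    + der(0x30, b"") + der(0x30, b"") + der(0xA3, exts))                    # subject, spki, [3]
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))  # placeholder signatureValue


SAMPLE_CERT = build_sample_cert()

if __name__ == "__main__":
    try:
        check_critical_extensions(SAMPLE_CERT)
    except PathValidationError as e:
        print("default policy:", e)
    print("with allowlist:", check_critical_extensions(SAMPLE_CERT, {PRIVATE_OID}))
```

The allowlist is a policy decision, not a parsing shortcut: adding an OID to `other_critical_extensions` asserts that the caller has actually processed that extension's semantics for the certificate in question, which is what RFC 5280 demands before a critical extension may be ignored by the generic path logic.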

chrisdlangton

@achow101 💯 agree

I came across the same issue, which led me to raise #36, as it seems there are at least 3 certificate chain validation issues with this library.

i.e. I looked into 3 concerns and stopped after 3 of 3 failures were identified. There are very likely more cert chain validation issues present.

The facts of this whole issue:

  • This is the most mature attempt in the entire Python ecosystem
  • It is seemingly no longer maintained
  • pyOpenSSL is just bindings for OpenSSL, as far as this issue goes
  • OpenSSL (and everything using it, I would hazard a guess) doesn't even attempt to validate the certificate chain, just the root CA and the server cert's host and expiry; that's it.
  • certifi and everything based on it (urllib, requests, etc.) doesn't do validation at all, period (if the HTTPS response was validated by OpenSSL and has data, then no one cares about actually validating any certs)
  • asn1crypto is similar to pyOpenSSL in this respect, which this library knows well, as it is built upon asn1crypto to add the missing validations.
  • cryptography is again similar to pyOpenSSL; however, they at least debated this for quite a few years, with no plan to start a solution
  • No other programming language that I investigated before Python (C#, Ruby, Java, .NET, Node.js, PHP, Golang, Rust) even comes close to having an option at the level of maturity of this library, and none have validation built into the language or any popular HTTP modules/libs/packages (same situation as Python, only they don't have this lib)

So it is a very sorry state for certificate validation, and why we are seeing so many breaches: no one actually uses TLS properly anywhere; it's all smoke and mirrors.

achow101 force-pushed the allow-more-criticals branch from e5bdb4b to a145bf2 on January 31, 2022 18:39
fanquake commented Aug 4, 2022

@wbond any chance you'd be interested in reviewing / merging this change?
