Closed glasserc closed 4 years ago
https://github.com/alex/x509-validator/blob/master/validator.py demonstrates how this might look if we need to support multiple different signature algorithms. It's not that difficult to add them.
https://opendev.org/x/cursive/src/branch/master/cursive/verifiers.py is another sort of demonstration, although it's a little heavier because it explicitly feeds the hash itself.
OK, I think this is due for another round of review. In addition to being rebased onto master, I also added support for ECDSA cert keys, and implemented the checks @jvehent said. Edited to add: The cert chain I had pulled from dev did not have the name constraints that Julien was talking about, so I also pulled in a cert chain from stage. This chain happens to have ECDSA keys already, so that's why I implemented support for them. Now some tests rely on stage and others on dev; is it worth cleaning this up?
I have commits that address this feedback but am unable to update the PR because of https://github.com/mozilla-services/github-management/issues/40.
OK, I think I have addressed your feedback @leplatrem. @jvehent ?
Shall we release a preview version on Pypi so that we can start working on integrating this library?
I was hoping to hear from Julien but yeah, I guess we should get moving on this. I'll merge it and cut a release.
Sorry folks, haven't had a chance to review. Code looked good last I checked so I'd say just ship it :)
On Mon, Nov 11, 2019, 19:21 Ethan Glasser-Camp notifications@github.com wrote:
Merged #5 https://github.com/mozilla-services/python-autograph-utils/pull/5 into master.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/mozilla-services/python-autograph-utils/pull/5?email_source=notifications&email_token=AADFPAI4JGNGDM2TOX5VEPDQTHZKJA5CNFSM4JFETF62YY3PNVWWK3TUL52HS4DFWZEXG43VMVCXMZLOORHG65DJMZUWGYLUNFXW5KTDN5WW2ZLOORPWSZGOUZEAYHA#event-2789739548, or unsubscribe https://github.com/notifications/unsubscribe-auth/AADFPALBJP7PIIGZ2DOGDQLQTHZKJANCNFSM4JFETF6Q .
This is a feature that's been missing as far as I can tell from all of the extant server-side implementations of Autograph signature verification. It's implemented using the code from https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.tbs_certificate_bytes. It seems to work on the test certificate chain I've been using in the tests. However, the docs note:
@jvehent: What are the "other checks needed for secure certificate validation"? This is the last one I thought I had to implement but I'm worried I'm missing something else. Also, should I be adding code to try to figure out what signature algorithm is used on every cert in the chain? The test chain is RSA + SHA384 throughout but maybe that's something you foresee changing.