rust-italia / dgc

A parser and validator for the EU Digital Green Certificate (dgc) a.k.a. greenpass
https://github.com/rust-italia/dgc
MIT License

Add RSA support #33

Closed Rimpampa closed 2 years ago

Rimpampa commented 2 years ago

Based on the work made by @dodomorandi and @lu-zero and the discussion we had on Telegram, I came up with an implementation for the RSA support that, in my opinion, is clean and effective. All tests that use the PS256 alg no longer fail.

There were some tests that were excluded because they used RSA, but in reality the problem is that they use a NIST P-384 public key.

There is still some work to do on the verification of the certificates, as most of the certificates used in the test schemas are part of a bigger certificate chain that (at least for me) is nowhere to be found. Currently it is disabled.

I had to change the public key data used in parse::tests::it_validates because before it included some DER encoding "metadata" (the ASN.1 tag and the length of the key) that the current implementation doesn't need.

Now public keys are stored without checking the validity and that's because it cannot be done at that stage: the key must be validated based on the alg field of the DGC, and we can't know that when building the TrustList.

The key validation is now done automatically by the ring functions at the moment of signature verification.

Closes #2, #14
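The two points above, the DER "metadata" (tag and length) that stored keys no longer carry and the fact that the key can only be interpreted once the DGC's alg field is known, as an added Rust example that is not code from the rust-italia/dgc project: it strips one DER tag/length header from a key blob and maps the numeric COSE alg to a verification algorithm. The COSE values (-7 ES256, -35 ES384, -37 PS256) are the RFC 8152 / RFC 8230 assignments; the `SigAlg` enum, function names and sample bytes are my own.

```rust
/// Signature algorithms a DGC may declare in its COSE protected header.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum SigAlg {
    Es256, // COSE alg -7: ECDSA with P-256 and SHA-256
    Es384, // COSE alg -35: ECDSA with P-384 and SHA-384
    Ps256, // COSE alg -37: RSASSA-PSS with SHA-256
}

/// Map the `alg` value from the CWT protected header to an algorithm.
/// Unknown values are rejected instead of guessed: without the alg the
/// raw key bytes cannot be parsed, which is why the trust list stores
/// them unvalidated and validation happens at verification time.
pub fn sig_alg_from_cose(alg: i64) -> Result<SigAlg, String> {
    match alg {
        -7 => Ok(SigAlg::Es256),
        -35 => Ok(SigAlg::Es384),
        -37 => Ok(SigAlg::Ps256),
        other => Err(format!("unsupported COSE alg {}", other)),
    }
}

/// Strip one DER tag/length header and return (tag, content bytes).
/// Handles short-form lengths (< 128) and the long forms 0x81 / 0x82,
/// which cover every key size a DGC trust list realistically carries.
pub fn der_unwrap(der: &[u8]) -> Result<(u8, &[u8]), String> {
    let tag = *der.first().ok_or("empty input")?;
    let first = *der.get(1).ok_or("missing length byte")?;
    let (len, hdr) = match first {
        n if n < 0x80 => (n as usize, 2),
        0x81 => (*der.get(2).ok_or("truncated length")? as usize, 3),
        0x82 => {
            let hi = *der.get(2).ok_or("truncated length")? as usize;
            let lo = *der.get(3).ok_or("truncated length")? as usize;
            ((hi << 8) | lo, 4)
        }
        _ => return Err("unsupported DER length encoding".into()),
    };
    // Reject both truncated values and trailing garbage after the value.
    let content = der.get(hdr..hdr + len).ok_or("length exceeds input")?;
    if hdr + len != der.len() {
        return Err("trailing bytes after DER value".into());
    }
    Ok((tag, content))
}
```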

codecov-commenter commented 2 years ago

Codecov Report

Merging #33 (1ba7506) into main (1c767d0) will increase coverage by 0.79%. The diff coverage is 74.19%.


@@            Coverage Diff             @@
##             main      #33      +/-   ##
==========================================
+ Coverage   85.42%   86.22%   +0.79%     
==========================================
  Files          10       10              
  Lines        1077     1016      -61     
==========================================
- Hits          920      876      -44     
+ Misses        157      140      -17     
Impacted Files            Coverage  Δ
src/parse.rs               74.80%  <64.70%> (+3.15%)
src/trustlist.rs           58.33%  <81.81%> (-0.54%)
src/cwt.rs                 80.00%  <100.00%> (+0.58%)
src/lib.rs                 95.74%  <0.00%> (+8.82%)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 1c767d0...1ba7506.

lmammino commented 2 years ago

I am not really sure I can suggest anything on the following point:

There is still some work to do on the verification of the certificates, as most of the certificates used in the test schemas are part of a bigger certificate chain that (at least for me) is nowhere to be found. Currently it is disabled.

Other than that I really like where this PR is going!

Thanks for the awesome work @Rimpampa! 🙌🏽