
verify_cert: check name constraints after sig. validation #278

Closed

Conversation

@cpu (Contributor) commented Sep 19, 2023

Prior to this branch, parsing and processing certificate name constraints was done before validating a chain of signatures to a known trust anchor. This increases the attack surface of these features, allowing an adversary to force webpki to process name constraints on a crafted certificate without needing to have that certificate issued by a trusted entity.

This branch moves the parsing and processing of name constraints to after building and verifying the chain of signatures to reduce the potential for mischief. It's a backport of part of the work from rustls/webpki#165; however, test coverage and constraining the number of comparisons using a budget limit are omitted due to the general state of name constraint support (cf. #226).

Prior to this commit, parsing and processing certificate name constraints
was done before validating a chain of signatures to a known trust
anchor. This increases the attack surface of these features, allowing an
adversary to force webpki to process name constraints on a crafted
certificate without needing to have that certificate issued by a trusted
entity.

This commit moves the parsing and processing of name constraints to
after building and verifying the chain of signatures to reduce the
potential for mischief.
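To make the ordering described above observable, here is an added toy chain verifier in Rust. It is not webpki's code: `Cert`, `verify_chain`, `crafted_chain` and the "Trusted Root" / "Evil CA" names are all constructed, and a boolean stands in for real signature verification. It counts how often the (untrusted) name-constraints bytes are parsed under the pre-PR ordering versus the fixed ordering.

```rust
/// Constructed toy cert: `issuer_sig_ok` models the issuer-signature check; `name_constraints` is untrusted bytes.
pub struct Cert {
    pub subject: &'static str,
    pub issuer: &'static str,
    pub issuer_sig_ok: bool,
    pub name_constraints: Option<&'static [u8]>,
}

/// Require a verified signature at every link (leaf -> CA -> ...) ending at a known anchor.
fn check_signatures(chain: &[Cert], anchors: &[&str]) -> Result<(), &'static str> {
    for (i, cert) in chain.iter().enumerate() {
        if !cert.issuer_sig_ok { return Err("bad signature"); }
        let issuer_ok = match chain.get(i + 1) {
            Some(next) => next.subject == cert.issuer,
            None => anchors.contains(&cert.issuer),
        };
        if !issuer_ok { return Err("chain does not lead to a trust anchor"); }
    }
    Ok(())
}

/// Parse the constraints on each CA cert (stand-in parser over attacker-chosen bytes),
/// counting how many parses actually ran.
fn check_name_constraints(chain: &[Cert], parses: &mut usize) -> Result<(), &'static str> {
    for raw in chain.iter().skip(1).filter_map(|c| c.name_constraints) {
        *parses += 1;
        if raw.is_empty() { return Err("malformed name constraints"); }
    }
    Ok(())
}

/// Returns (result, number of name-constraint parses); `constraints_first = true` is the pre-PR ordering.
pub fn verify_chain(chain: &[Cert], anchors: &[&str], constraints_first: bool) -> (Result<(), &'static str>, usize) {
    let mut n = 0;
    let sigs = || check_signatures(chain, anchors);
    let result = if constraints_first {
        check_name_constraints(chain, &mut n).and_then(|_| sigs()) // pre-PR: untrusted bytes parsed first
    } else {
        sigs().and_then(|_| check_name_constraints(chain, &mut n)) // fixed: authenticate the chain first
    };
    (result, n)
}

/// Constructed attacker chain: the "CA" names a trusted root as its issuer but its
/// signature does not verify, and it carries malformed name constraints.
pub fn crafted_chain() -> Vec<Cert> {
    vec![
        Cert { subject: "leaf.example", issuer: "Evil CA", issuer_sig_ok: true, name_constraints: None },
        Cert { subject: "Evil CA", issuer: "Trusted Root", issuer_sig_ok: false, name_constraints: Some(b"") },
    ]
}
```

With the pre-PR ordering the crafted chain reaches the constraints parser (one parse, failing on malformed input); with the fixed ordering it is rejected at the signature check and the parser never runs.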
@codecov bot commented Sep 19, 2023

Codecov Report

Merging #278 (5bf67ff) into main (4a71d47) will increase coverage by 0.23%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #278      +/-   ##
==========================================
+ Coverage   50.62%   50.86%   +0.23%     
==========================================
  Files          18       18              
  Lines        3751     3769      +18     
==========================================
+ Hits         1899     1917      +18     
  Misses       1852     1852              
Files Changed        Coverage   Δ
src/signed_data.rs   100.00%    <ø> (ø)
src/verify_cert.rs   94.40%     <100.00%> (+0.33%) ⬆️


@cpu (Contributor, Author) commented Sep 19, 2023

ci / test (--all-features, x86_64-unknown-linux-gnu, nightly) (pull_request) Failing after 45s

 warning: unexpected character `.`
  --> src/signed_data.rs:40:1

Two things here:

  1. Missing the closing fence for some ASN.1 in docs, fixed in 5bf67ff
  2. Some nightly warnings in flux: Nightly warning for codeblock languages with non-alphanumeric characters rust-lang/rust#115938

@briansmith (Owner) commented

Thanks! I rebased this on main in #280 so I could merge it. I'm closing this one.

@briansmith briansmith closed this Sep 30, 2023
@cpu cpu deleted the cpu-rustls-backport-name-constraints-post-sigs branch September 30, 2023 12:36