
Adding -verify and expanding -x509 options for our OpenSSL tool #1951

Open · wants to merge 18 commits into main

Conversation

@smittals2 (Contributor) commented Oct 26, 2024

Issues:

CryptoAlg-2679

Description of changes:

  • -subject, -fingerprint, -inform, -enddate, -subject_hash, -subject_hash_old options added to the x509 tool
  • refactored the x509 tool to read from stdin
  • A new verify tool with -CAfile
    • The verify tool takes a file as input or defaults to reading from stdin

Callouts:

The subject field differs in OpenSSL master and versions <= 3.2. A normalization function that removes whitespace is used to compare output.

Testing:

Added option tests for new functionality and OpenSSL comparison tests for the new options.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
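The callout above compares `-subject` output across OpenSSL versions by stripping whitespace. The following is an added example (not code from the PR or from aws-lc) that shows that approach next to a structured comparison, and the one case where they disagree: a value that contains a space. The two sample subject lines are constructed, and the function names are the example's own.

```python
import re

# Constructed sample lines in the shape "openssl x509 -noout -subject" prints;
# the same subject, differing only in whitespace around '=' and after ','.
SUBJECT_A = "subject=C = US, ST = Washington, O = Example Org, CN = example.test"
SUBJECT_B = "subject=C=US,ST=Washington,O=Example Org,CN=example.test"
# A genuinely different subject: the O value lost its inner space.
SUBJECT_C = "subject=C = US, ST = Washington, O = ExampleOrg, CN = example.test"


def normalize_whitespace(line: str) -> str:
    """Remove every whitespace character (the approach the PR description names)."""
    return "".join(line.split())


def parse_subject(line: str):
    """Split a subject line into ordered (attribute, value) pairs.

    Only whitespace around the separators is trimmed, so spaces inside a
    value survive. Commas escaped as '\\,' (RFC 2253 style) do not split.
    """
    prefix = "subject="
    if line.startswith(prefix):
        line = line[len(prefix):]
    pairs = []
    for rdn in re.split(r"(?<!\\),", line):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def subjects_match(a: str, b: str) -> bool:
    """Structural equality of two subject lines."""
    return parse_subject(a) == parse_subject(b)


def whitespace_normalized_match(a: str, b: str) -> bool:
    """Equality after stripping all whitespace."""
    return normalize_whitespace(a) == normalize_whitespace(b)


if __name__ == "__main__":
    print("A vs B (whitespace):", whitespace_normalized_match(SUBJECT_A, SUBJECT_B))
    print("A vs B (structured):", subjects_match(SUBJECT_A, SUBJECT_B))
    print("A vs C (whitespace):", whitespace_normalized_match(SUBJECT_A, SUBJECT_C))
    print("A vs C (structured):", subjects_match(SUBJECT_A, SUBJECT_C))
```

Stripping all whitespace is enough when the two printers only disagree on padding, which is what the callout describes; the structured comparison additionally keeps a test from passing when a value itself changed in a way that only whitespace distinguishes.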

@codecov-commenter commented Oct 26, 2024

Codecov Report

Attention: Patch coverage is 55.48780% with 146 lines in your changes missing coverage. Please review.

Project coverage is 79.01%. Comparing base (8d9809e) to head (9043a2d).
Report is 40 commits behind head on main.

Files with missing lines      Patch %   Lines
tool-openssl/x509_test.cc     35.03%    85 Missing and 4 partials
tool-openssl/verify_test.cc   42.85%    28 Missing
tool-openssl/verify.cc        75.00%    20 Missing
tool-openssl/x509.cc          85.48%    9 Missing

Impacted files:
@@             Coverage Diff             @@
##             main    #1951       +/-   ##
===========================================
  Coverage        ?   79.01%               
===========================================
  Files           0      595      +595     
  Lines           0   102255   +102255     
  Branches        0    14485    +14485     
===========================================
+ Hits            0    80800    +80800     
- Misses          0    20809    +20809     
- Partials        0      646      +646     


@smittals2 smittals2 marked this pull request as ready for review October 28, 2024 23:38
@smittals2 smittals2 requested a review from a team as a code owner October 28, 2024 23:38
@justsmth justsmth requested review from skmcgrail, andrewhop and justsmth and removed request for skmcgrail October 29, 2024 12:56
justsmth previously approved these changes Nov 15, 2024
RunCommandsAndCompareOutput(tool_command, openssl_command, out_path_tool, out_path_openssl, tool_output_str, openssl_output_str);

ASSERT_EQ(tool_output_str, openssl_output_str);
}
Contributor:
Can you add a test that verify verifies a public cert (like amazon.com)? This will verify that we are correctly loading the default system trust store certs. Traps to avoid:

  1. Don't create a time bomb
  2. Not everywhere that runs our CI has network access
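The "time bomb" trap above is a test fixture that silently starts failing once a checked-in certificate expires. The following is an added example (not code from the PR or from aws-lc) that guards against it offline: it parses the `notAfter=` line that `openssl x509 -noout -enddate` prints (the format the PR's `-enddate` option reproduces) and reports fixtures that expire within a chosen horizon. The fixture names and dates are constructed, and the function names are the example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample "-enddate" output for three hypothetical fixtures;
# these are not certificates from the repository.
SAMPLE_ENDDATES = {
    "fixtures/ca.pem": "notAfter=Jan  1 00:00:00 2035 GMT",
    "fixtures/leaf.pem": "notAfter=Nov  9 12:30:00 2025 GMT",
    "fixtures/old.pem": "notAfter=Mar 15 08:00:00 2020 GMT",
}


def parse_not_after(line: str) -> datetime:
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    prefix = "notAfter="
    if not line.startswith(prefix):
        raise ValueError(f"unexpected line: {line!r}")
    # OpenSSL pads single-digit days with a space ("Jan  1"); collapse it.
    stamp = " ".join(line[len(prefix):].split())
    naive = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)


def expiring_fixtures(enddates, now: datetime, horizon_days: int = 365):
    """Return the fixture names whose notAfter falls before now + horizon.

    Already-expired fixtures are included, since a verify test over them
    would fail for a reason unrelated to the code under test.
    """
    cutoff = now + timedelta(days=horizon_days)
    return sorted(name for name, line in enddates.items()
                  if parse_not_after(line) < cutoff)


if __name__ == "__main__":
    # A CI job would pass datetime.now(timezone.utc) here and fail loudly
    # on a non-empty list, long before the fixture actually expires.
    print(expiring_fixtures(SAMPLE_ENDDATES, datetime.now(timezone.utc)))
```

Running this check as its own test, against the same fixture directory the `verify -CAfile` tests use, turns a future silent failure into an early, explicit one, and it needs no network access.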

ASSERT_EQ(tool_output_str, openssl_output_str);
}

// Test against OpenSSL output "openssl x509 -in file -inform DER -enddate"
Contributor:
Can you add a test for using the wrong inform?

@smittals2 (Contributor, Author) replied Nov 19, 2024:

Are you suggesting a test to check that the output for the error case of using a wrong inform is the same as openssl?

I have an erroneous usage test case for this option here: https://github.com/aws/aws-lc/pull/1951/files#diff-8b8002fb4d9429e7a3d9c3b9f2fddee7d50b81db27af7321ab566d0a1359b430R283
