Improve name constraints testing and fix bugs found #18

Merged
merged 12 commits into from
Jan 10, 2023

@ctz ctz commented Dec 13, 2022

@ctz ctz marked this pull request as draft December 13, 2022 14:59
codecov-commenter commented Dec 13, 2022

Codecov Report

Merging #18 (8e9de6e) into main (0e93500) will increase coverage by 7.93%.
The diff coverage is 97.33%.

@@            Coverage Diff             @@
##             main      #18      +/-   ##
==========================================
+ Coverage   86.00%   93.94%   +7.93%     
==========================================
  Files          15       15              
  Lines        2351     2542     +191     
==========================================
+ Hits         2022     2388     +366     
+ Misses        329      154     -175     
| Impacted Files | Coverage Δ |
|---|---|
| src/error.rs | 25.00% <ø> (ø) |
| src/subject_name/dns_name.rs | 90.42% <81.81%> (+19.83%) ⬆️ |
| src/der.rs | 94.28% <95.83%> (+0.26%) ⬆️ |
| src/subject_name/verify.rs | 95.31% <95.83%> (+61.31%) ⬆️ |
| src/subject_name/ip_address.rs | 98.41% <99.25%> (+0.11%) ⬆️ |
| src/verify_cert.rs | 89.84% <100.00%> (+1.24%) ⬆️ |
| src/cert.rs | 96.96% <0.00%> (+0.75%) ⬆️ |


@ctz ctz force-pushed the jbp-improve-name-constraints-testing branch from 445e1a8 to f5db345 Compare December 22, 2022 13:03
ctz commented Dec 22, 2022

I also plan to shortly pull in briansmith#131 and provide test cases for it.

On this one I have reimplemented the change, as the original one had a reachable panic in IPv6 addresses and fixing it wasn't easy without 128-bit integer support. However, there is a test that acts as a regression case for it.

@ctz ctz changed the base branch from main to feat-ip-address December 22, 2022 13:08
@ctz ctz marked this pull request as ready for review December 23, 2022 11:14
@ctz ctz requested a review from djc December 23, 2022 11:14
@ctz ctz force-pushed the jbp-improve-name-constraints-testing branch 2 times, most recently from c4c10e6 to e1e8d98 Compare December 26, 2022 14:02
@ctz ctz mentioned this pull request Dec 26, 2022
@djc djc left a comment

I feel very out of my depth here so I'm hoping this review is somewhat useful.

@ctz ctz force-pushed the jbp-improve-name-constraints-testing branch from e1e8d98 to f861fcb Compare December 29, 2022 15:31
djc commented Dec 30, 2022

(Note, there's a conflict to fix up.)

@ctz ctz force-pushed the jbp-improve-name-constraints-testing branch from f861fcb to 6d91c38 Compare January 4, 2023 20:17
@ctz ctz changed the base branch from feat-ip-address to main January 4, 2023 20:17
@ctz ctz force-pushed the jbp-improve-name-constraints-testing branch 2 times, most recently from 7de4f3e to ae25632 Compare January 9, 2023 16:09
ctz commented Jan 9, 2023

I think this is ready to go now.

AlessandroBono and others added 9 commits January 10, 2023 14:45
We don't call `presented_dns_id_matches_reference_dns_id` anymore.

There were two bugs. webpki didn't:

1. read the X.509 Name Constraints field in its entirety, nor

2. check the certificate subject against the constraints correctly

(1) is a simple fix, (2) requires reading the Common Name from the
certificate.

Requires lifting some DER parsing logic from ring to parse UTF8String
and Set fields. Ring doesn't support those and isn't likely to in the
near future, see briansmith/ring#1265.

Closes #3.

This uses cryptography.io and can likely be extended to test
other features.

For -- and limited to -- server end-entity certificates, subject commonName
can be a DNS name that should be subject to DNS name constraints.  Name
constraints can and should have an impact on path building and certificate
validity, even if we don't actually use the commonName for name validation
after this.

This is annoying, though, because:

- not all end-entity certs have a commonName, because it's no longer required,
  and a missing one shouldn't be considered a name constraints strike.
- only server end-entity certs should be given this treatment: clients don't
  typically have DNS names (see: https://bugzilla.mozilla.org/show_bug.cgi?id=1523484)

Add a specific error for this, and avoid use of BadDER for
cases where the DER encoding is actually fine but the
syntax of the messages is incorrect.

This means adding new errors is not a breaking change, at the
cost of disabling exhaustive matching of all errors in downstream
code.
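
The commonName rule described in the commit messages above, sketched as an added Rust example; it is not code from this pull request or from webpki. The types, the function names and the syntactic test used to decide whether a commonName is a DNS name are all assumptions made for illustration.

```rust
// Added illustration: hypothetical types and names, not webpki's API.
#[derive(Debug, PartialEq)]
enum Verdict { Ok, NameConstraintViolation }
#[derive(PartialEq)]
enum Role { ServerEndEntity, ClientEndEntity }
struct Cert<'a> {
    role: Role,
    common_name: Option<&'a str>, // subject commonName, if any
    dns_sans: &'a [&'a str],      // dNSName subjectAltName entries
}
struct DnsConstraints<'a> { permitted: &'a [&'a str], excluded: &'a [&'a str] }

// RFC 5280 dNSName rule: a name is in the subtree if it equals the constraint
// or is formed by adding labels on the left.
fn in_subtree(name: &str, constraint: &str) -> bool {
    let (n, c) = (name.to_ascii_lowercase(), constraint.to_ascii_lowercase());
    n == c || n.ends_with(&format!(".{}", c))
}

// Assumption: a commonName counts as a DNS name only if it is syntactically one.
fn looks_like_dns_name(s: &str) -> bool {
    s.split('.').all(|label| {
        !label.is_empty() && label.len() <= 63
            && label.chars().all(|ch| ch.is_ascii_alphanumeric() || ch == '-')
    })
}

fn check(cert: &Cert, nc: &DnsConstraints) -> Verdict {
    let mut names: Vec<&str> = cert.dns_sans.to_vec();
    // Only server end-entity certs get the commonName treatment; a missing
    // commonName adds no name, so it cannot count as a violation.
    if cert.role == Role::ServerEndEntity {
        if let Some(cn) = cert.common_name.filter(|cn| looks_like_dns_name(cn)) {
            names.push(cn);
        }
    }
    for name in names {
        let excluded = nc.excluded.iter().any(|c| in_subtree(name, c));
        let permitted = nc.permitted.is_empty() || nc.permitted.iter().any(|c| in_subtree(name, c));
        if excluded || !permitted { return Verdict::NameConstraintViolation; }
    }
    Verdict::Ok
}

fn main() {
    // Constructed sample: the SAN is permitted, the commonName is outside the subtree.
    let nc = DnsConstraints { permitted: &["example.com"], excluded: &[] };
    let cert = Cert { role: Role::ServerEndEntity, common_name: Some("evil.test"), dns_sans: &["www.example.com"] };
    println!("{:?}", check(&cert, &nc));
}
```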
@ctz ctz force-pushed the jbp-improve-name-constraints-testing branch from 8579e91 to 8e9de6e Compare January 10, 2023 14:56
@ctz ctz merged commit 0bc3474 into main Jan 10, 2023
@ctz ctz deleted the jbp-improve-name-constraints-testing branch March 13, 2023 19:01
@cpu cpu mentioned this pull request Sep 5, 2023