Add verification function with custom EKU #119
Conversation
Codecov Report
@@ Coverage Diff @@
## main #119 +/- ##
==========================================
+ Coverage 95.69% 95.74% +0.04%
==========================================
Files 15 15
Lines 3346 3431 +85
==========================================
+ Hits 3202 3285 +83
- Misses 144 146 +2
... and 2 files with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
There was a problem hiding this comment.
Hi @sietseringers, thanks for the PR :-)
I had a couple initial comments. It would also be nice to see a unit test added that covers this new validation function if that's something you would be willing to implement.
|
Thanks for your comments! I'll answer them, and I'll also be sure to write some unit tests. |
|
@sietseringers cool to see you're using this project, presumably for parts of IRMA? Wondering about the use case. Is the OID you're using registered with IANA or are you using a private namespace? Are you using webpki to build a verifier for rustls or for some other purpose? Apart from the EKU, is there other stuff that you're using x509-parser for? |
|
No, this is not for IRMA, but for the EUDI NL wallet, which is a separate project. It aims to provide an implementation of mdoc credentials (among others), that the user can (1) obtain from a trusted issuer, (2) store in their EUDI NL wallet app, and then (3) use them to authenticate themselves to relying parties (a website, say).
Not as far as I know, no. oidref.com is unaware of it, anyway.
No, we have a different purpose. The relying party (RP) that receives an mdoc credential from the user has to verify it against the public key of the organization that issued the mdoc, which comes in the form of an X509 certificate (chain). The RP has a trust root, and so we need to verify that certificate chain against the trust root. That's the purpose in our case.
I used it to get the subject of the certificate, as well as the public key to verify the mdoc with -- although for the latter I may decide to use I see that the CI is still not happy with the PR; I'll have a look at that. |
|
Thanks for the review! Good suggestions. I implemented them and added some more tests; I hope the CI is happy now. |
Well, almost. Looks like the |
Almost! Looks like there's a couple constants you'll need to gate on the alloc feature to avoid them being considered dead code in the no-default-features build. FWIW I think if you allow GitHub actions on your fork you can iterate on CI in separate branches as needed. Just mentioning in case one of us misses pressing the "Allow workflows to run" button here after an update. |
Hmmm the errors I see in this failed task are specific to |
Oh right, that's very useful, thanks! Didn't know that 😅
Ah yes, I read it wrong. Should be all good now. |
There was a problem hiding this comment.
This looks good to me, thanks for addressing my earlier feedback.
@ctz Could you give this a pass and see if you have any reservations?
I think we'll want to squash-merge this in-tree since the commit history has gotten a little bit long from the iteration.
|
Ideally we would land this with a clean commit history that has a separate commit introducing the new data type and refactoring needed to pass that around before in another commit adding the new high-level API (and changing existing API to rely on it). I noticed (reviewing on mobile so somewhat constrained by the number of available pixels) that the new method has a different way of taking the trust anchors. Is that well-motivated? In the absence of explicit motivation otherwise I'd be inclined to have them receive arguments the same way. Not for this PR, but I do wonder if we shouldn't change the top level API here to build a verifier object using a builder API which then gets the EndEntityCert as an argument to a verify method, similar to what @jsha is proposing for the client verifier API in rustls (someone please link in the relevant issue/comment) here, potentially taking ownership of an Arc<[TrustAnchor]> or similar. |
|
Thanks @djc (I didn't tag you explicitly to review only because I knew you're on vacation 🤪)
This was motivated by my feedback to implement
|
My motivation was that while the other two functions take
Couldn't I do what I suggested above, and keep the function structure as is by wrapping the anchors in the new
I could close this PR, and open a new one with the commit structure you suggest. While we're at this, am I right in that you prefix the commit messages with the module name that had all or at least most of the changes? |
Sounds reasonable to me 👍
I think you could also rebase your work in this branch and force push an update, but if a new PR is easier for you I don't think anyone would mind. It's slightly nicer IMO to have all the discussion history in one place.
I think that's a nice habit but I don't think it's a practice we apply universally. |
sietseringers
force-pushed
the
verify-with-custom-eku
branch
from
89923d4 to
d16bf97
Compare
|
Alright, done (with force push). I also rebased onto the current |
Looks like a transient error on coveralls side. Can be ignored |
Apologies, in #118 I moved around some CI tasks. If you rebase this branch on main the run+expected checks should line up again. |
sietseringers
force-pushed
the
verify-with-custom-eku
branch
from
d16bf97 to
8ca70d9
Compare
|
@ctz Did you have any additional feedback for this branch? |
sietseringers
force-pushed
the
verify-with-custom-eku
branch
from
8ca70d9 to
92fd1ba
Compare
|
@djc Thanks! I implemented your suggestions. |
sietseringers
force-pushed
the
verify-with-custom-eku
branch
from
92fd1ba to
8f582c7
Compare
The new method is similar to verify_is_valid_tls_server_cert() and verify_is_valid_tls_client_cert(), but allows the caller to specify its own EKU. Using the new ExtendedKeyUsage enum, the caller can choose if the EKU is required to be present, or if verification also passes if no EKUs are present (normal behaviour for server and client certificates).
sietseringers
force-pushed
the
verify-with-custom-eku
branch
from
8f582c7 to
091588a
Compare
|
Great, thanks! 🎉 |
This adds a new method called
verify_is_valid_cert_with_eku()toEndEntityCert, similar toverify_is_valid_tls_server_cert()andverify_is_valid_tls_client_cert()but allowing the caller to specify its own EKU.We intend to use this crate in our upcoming implementation of the mdoc standard (ISO 18013-5), for use in the EUDI NL wallet. That standard uses its own EKUs, such as
1.0.18013.5.1.2. This change would allow us to use this crate to verify certificate chains having such EKUs.This PR is loosely based on this older PR before this project was forked.