Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

miscellaneous changes (minus support for pre-release formats crates) #57

Merged
merged 38 commits into from
Jul 3, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
38 commits
Select commit Hold shift + click to select a range
e440dca
pre-releases
baloo Mar 14, 2024
2a7edf2
support for x509-limbo
baloo May 12, 2024
844794a
limbo mods
carl-wallace May 12, 2024
bea7aaa
make setter / getter methods of `CertificationPathSettings`
baloo May 13, 2024
e4d0b74
Some visibility changes, process key usage in TA constraints and hand…
carl-wallace May 13, 2024
b7b5b6c
Merge remote-tracking branch 'refs/remotes/origin/limbo_mods' into li…
carl-wallace May 13, 2024
9f2c12f
Merge pull request #37 from baloo/limbo_mods
carl-wallace May 13, 2024
4bfeb5f
adds CI
baloo May 14, 2024
23495a5
test all features of subcrates
baloo May 14, 2024
627fdd4
fixup getter/setter
baloo May 14, 2024
38ebd29
clippy
carl-wallace May 14, 2024
518e838
- Added support for IP address name constraints in std builds (which …
carl-wallace May 14, 2024
c9ac724
Merge pull request #38 from baloo/baloo/ci
carl-wallace May 14, 2024
689ed16
Merge branch 'cert_limbo' into ip
carl-wallace May 14, 2024
9344a2d
address some issues when building with no default features
carl-wallace May 14, 2024
71346c0
address issues running cargo test with no default features
carl-wallace May 14, 2024
37d888d
update limbo and set branch to certval
carl-wallace May 14, 2024
1aebae5
update submodule
carl-wallace May 14, 2024
00f55ba
Revert "update submodule"
carl-wallace May 14, 2024
9ed0763
Revert "update limbo and set branch to certval"
carl-wallace May 14, 2024
ff5005d
apply changes to harness
carl-wallace May 14, 2024
453ce76
update expected results file
carl-wallace May 14, 2024
a04f07a
Merge pull request #39 from carl-wallace/ip
carl-wallace May 14, 2024
b390438
make `populate_5280_pki_environment` a method of `PkiEnvironment`
baloo May 14, 2024
7204a40
add getter/setter for `CertificationPathResults`
baloo May 14, 2024
3d1fe38
make `add_processed_extension` a method of `CertificationPathResults`
baloo May 14, 2024
e4cb7c7
limit quadratic blowup
baloo May 14, 2024
0896182
name constraints: missing IP field in computation
baloo May 14, 2024
cd64758
x509-limbo: move back to main
baloo May 14, 2024
bf0dfc8
Merge pull request #40 from baloo/baloo/quadratic-blowup
carl-wallace May 14, 2024
207fdee
Merge pull request #41 from baloo/baloo/api-rework
carl-wallace May 14, 2024
15affa4
Merge pull request #42 from baloo/baloo/x509-limbo-main
carl-wallace May 14, 2024
8c93502
features changes from cert_limbo branch minus the changes to align wi…
carl-wallace May 15, 2024
8709c3f
change PkiEnvironment's get_paths_for_target so that all sources are …
carl-wallace Jun 27, 2024
dd7ea72
pull over some changes from cert_limbo
carl-wallace Jun 30, 2024
7c59878
add feature to enable validating certs with RSA w/SHA1. fmt.
carl-wallace Jul 1, 2024
60e4cd6
modify tests to handle different representation of file paths on windows
carl-wallace Jul 2, 2024
5c769a7
Merge remote-tracking branch 'origin/main' into rel_with_mods
carl-wallace Jul 2, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
make add_processed_extension a method of CertificationPathResults
  • Loading branch information
baloo committed May 14, 2024
commit 3d1fe38dcb89862588fd2efd484aa36163955fa9
14 changes: 2 additions & 12 deletions certval/src/util/pdv_utilities.rs
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,8 @@ use x509_cert::{

use crate::{
environment::pki_environment::PkiEnvironment, name_constraints_set::UID,
path_results::CertificationPathResults, path_settings::PS_MAX_PATH_LENGTH_CONSTRAINT,
pdv_certificate::*, pdv_extension::*, util::error::*, util::pdv_alg_oids::*,
path_settings::PS_MAX_PATH_LENGTH_CONSTRAINT, pdv_certificate::*, pdv_extension::*,
util::error::*, util::pdv_alg_oids::*,
};

/// `is_self_signed_with_buffer` returns true if the public key in the parsed certificate can be
Expand Down Expand Up @@ -159,16 +159,6 @@ pub fn valid_at_time(target: &TbsCertificateInner<Raw>, toi: u64, stifle_log: bo
}
}

/// `add_processed_extension` takes a [`CertificationPathResults`] and retrieves (or adds then retrieves)
/// an entry for [`PR_PROCESSED_EXTENSIONS`] to which the oid is added if not already present.
pub(crate) fn add_processed_extension(cpr: &mut CertificationPathResults, oid: ObjectIdentifier) {
let mut oids = cpr.get_processed_extensions();
if !oids.contains(&oid) {
oids.insert(oid);
cpr.set_processed_extensions(oids);
}
}

/// `get_inhibit_any_policy_from_trust_anchor` returns true if the trust anchor inhibits the use of any policy
/// during certification path processing.
///
Expand Down
12 changes: 12 additions & 0 deletions certval/src/validator/path_results.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
use alloc::collections::{BTreeMap, BTreeSet};
use alloc::{vec, vec::Vec};

use der::asn1::ObjectIdentifier;

use pkiprocmacros::*;

use crate::path_settings::*;
Expand Down Expand Up @@ -292,6 +294,16 @@ impl CertificationPathResults {
self.set_crl_entry(vec![vec![]; num_certs]);
Ok(())
}

/// `add_processed_extension` takes a [`CertificationPathResults`] and retrieves (or adds then retrieves)
/// an entry for [`PR_PROCESSED_EXTENSIONS`] to which the oid is added if not already present.
pub(crate) fn add_processed_extension(&mut self, oid: ObjectIdentifier) {
let mut oids = self.get_processed_extensions();
if !oids.contains(&oid) {
oids.insert(oid);
self.set_processed_extensions(oids);
}
}
}

#[test]
Expand Down
12 changes: 6 additions & 6 deletions certval/src/validator/path_validator.rs
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ pub fn check_basic_constraints(
cp: &mut CertificationPath,
cpr: &mut CertificationPathResults,
) -> Result<()> {
add_processed_extension(cpr, ID_CE_BASIC_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_BASIC_CONSTRAINTS);
let mut path_len_constraint = cps.get_initial_path_length_constraint();

for ca_cert in cp.intermediates.iter() {
Expand Down Expand Up @@ -250,7 +250,7 @@ pub fn check_names(
cp: &mut CertificationPath,
cpr: &mut CertificationPathResults,
) -> Result<()> {
add_processed_extension(cpr, ID_CE_NAME_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_NAME_CONSTRAINTS);

// Read input variables from path settings
let mut pbufs = BTreeMap::new();
Expand Down Expand Up @@ -326,7 +326,7 @@ pub fn check_names(

let pdv_ext: Option<&PDVExtension> = ca_cert.get_extension(&ID_CE_SUBJECT_ALT_NAME)?;
let san = if let Some(PDVExtension::SubjectAltName(san)) = pdv_ext {
add_processed_extension(cpr, ID_CE_SUBJECT_ALT_NAME);
cpr.add_processed_extension(ID_CE_SUBJECT_ALT_NAME);
Some(san)
} else {
None
Expand All @@ -352,7 +352,7 @@ pub fn check_names(
if pos + 1 != certs_in_cert_path {
let pdv_ext: Option<&PDVExtension> = ca_cert.get_extension(&ID_CE_NAME_CONSTRAINTS)?;
if let Some(PDVExtension::NameConstraints(nc)) = pdv_ext {
add_processed_extension(cpr, ID_CE_NAME_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_NAME_CONSTRAINTS);

if let Some(excl) = &nc.excluded_subtrees {
excluded_subtrees.calculate_union(excl);
Expand Down Expand Up @@ -384,7 +384,7 @@ pub fn check_key_usage(
cp: &mut CertificationPath,
cpr: &mut CertificationPathResults,
) -> Result<()> {
add_processed_extension(cpr, ID_CE_KEY_USAGE);
cpr.add_processed_extension(ID_CE_KEY_USAGE);
for ca_cert in cp.intermediates.iter() {
let pdv_ext: Option<&PDVExtension> = ca_cert.get_extension(&ID_CE_KEY_USAGE)?;
let ku = match pdv_ext {
Expand Down Expand Up @@ -438,7 +438,7 @@ pub fn check_extended_key_usage(
cp: &mut CertificationPath,
cpr: &mut CertificationPathResults,
) -> Result<()> {
add_processed_extension(cpr, ID_CE_EXT_KEY_USAGE);
cpr.add_processed_extension(ID_CE_EXT_KEY_USAGE);

let target_ekus: Option<ObjectIdentifierSet> = cps.get_extended_key_usage_as_oid_set();
let process_ekus_across_path = cps.get_extended_key_usage_path();
Expand Down
16 changes: 8 additions & 8 deletions certval/src/validator/policy_graph.rs
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,10 @@ pub fn check_certificate_policies_graph(
cp: &mut CertificationPath,
cpr: &mut CertificationPathResults,
) -> Result<()> {
add_processed_extension(cpr, ID_CE_CERTIFICATE_POLICIES);
add_processed_extension(cpr, ID_CE_INHIBIT_ANY_POLICY);
add_processed_extension(cpr, ID_CE_POLICY_CONSTRAINTS);
add_processed_extension(cpr, ID_CE_POLICY_MAPPINGS);
cpr.add_processed_extension(ID_CE_CERTIFICATE_POLICIES);
cpr.add_processed_extension(ID_CE_INHIBIT_ANY_POLICY);
cpr.add_processed_extension(ID_CE_POLICY_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_POLICY_MAPPINGS);

let certs_in_cert_path: u32 = (cp.intermediates.len() + 1) as u32;
// vector to own nodes that appear in the valid_policy_tree
Expand Down Expand Up @@ -302,7 +302,7 @@ pub fn check_certificate_policies_graph(
//prepare for next certificate (always occurs in this loop given target is processed later)
let pdv_ext: Option<&PDVExtension> = ca_cert.get_extension(&ID_CE_POLICY_MAPPINGS)?;
if let Some(PDVExtension::PolicyMappings(policy_mappings)) = pdv_ext {
add_processed_extension(cpr, ID_CE_POLICY_MAPPINGS);
cpr.add_processed_extension(ID_CE_POLICY_MAPPINGS);

// collect everything that maps to a given issuer domain policy for convenience while
// looking for anyPolicy in the extension
Expand Down Expand Up @@ -424,7 +424,7 @@ pub fn check_certificate_policies_graph(
let pdv_ext: Option<&PDVExtension> =
ca_cert.get_extension(&ID_CE_POLICY_CONSTRAINTS)?;
if let Some(PDVExtension::PolicyConstraints(pc)) = pdv_ext {
add_processed_extension(cpr, ID_CE_POLICY_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_POLICY_CONSTRAINTS);
if let Some(rep) = pc.require_explicit_policy {
explicit_policy = explicit_policy.min(rep)
}
Expand All @@ -435,7 +435,7 @@ pub fn check_certificate_policies_graph(
let pdv_ext: Option<&PDVExtension> =
ca_cert.get_extension(&ID_CE_INHIBIT_ANY_POLICY)?;
if let Some(PDVExtension::InhibitAnyPolicy(iap)) = pdv_ext {
add_processed_extension(cpr, ID_CE_INHIBIT_ANY_POLICY);
cpr.add_processed_extension(ID_CE_INHIBIT_ANY_POLICY);
inhibit_any_policy = inhibit_any_policy.min(iap.0);
}
}
Expand All @@ -452,7 +452,7 @@ pub fn check_certificate_policies_graph(
// (b) If a policy constraints extension is included in the
// certificate and requireExplicitPolicy is present and has a
// value of 0, set the explicit_policy state variable to 0.
add_processed_extension(cpr, ID_CE_POLICY_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_POLICY_CONSTRAINTS);
if let Some(rep) = pc.require_explicit_policy {
explicit_policy = explicit_policy.min(rep)
}
Expand Down
16 changes: 8 additions & 8 deletions certval/src/validator/policy_tree.rs
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,10 @@ pub fn check_certificate_policies(
cp: &mut CertificationPath,
cpr: &mut CertificationPathResults,
) -> Result<()> {
add_processed_extension(cpr, ID_CE_CERTIFICATE_POLICIES);
add_processed_extension(cpr, ID_CE_INHIBIT_ANY_POLICY);
add_processed_extension(cpr, ID_CE_POLICY_CONSTRAINTS);
add_processed_extension(cpr, ID_CE_POLICY_MAPPINGS);
cpr.add_processed_extension(ID_CE_CERTIFICATE_POLICIES);
cpr.add_processed_extension(ID_CE_INHIBIT_ANY_POLICY);
cpr.add_processed_extension(ID_CE_POLICY_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_POLICY_MAPPINGS);

let certs_in_cert_path: u32 = (cp.intermediates.len() + 1) as u32;

Expand Down Expand Up @@ -291,7 +291,7 @@ pub fn check_certificate_policies(
//prepare for next certificate (always occurs in this loop given target is processed later)
let pdv_ext: Option<&PDVExtension> = ca_cert.get_extension(&ID_CE_POLICY_MAPPINGS)?;
if let Some(PDVExtension::PolicyMappings(policy_mappings)) = pdv_ext {
add_processed_extension(cpr, ID_CE_POLICY_MAPPINGS);
cpr.add_processed_extension(ID_CE_POLICY_MAPPINGS);

// collect everything that maps to a given issuer domain policy for convenience while
// looking for anyPolicy in the extension
Expand Down Expand Up @@ -413,7 +413,7 @@ pub fn check_certificate_policies(
let pdv_ext: Option<&PDVExtension> =
ca_cert.get_extension(&ID_CE_POLICY_CONSTRAINTS)?;
if let Some(PDVExtension::PolicyConstraints(pc)) = pdv_ext {
add_processed_extension(cpr, ID_CE_POLICY_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_POLICY_CONSTRAINTS);
if let Some(rep) = pc.require_explicit_policy {
explicit_policy = explicit_policy.min(rep)
}
Expand All @@ -424,7 +424,7 @@ pub fn check_certificate_policies(
let pdv_ext: Option<&PDVExtension> =
ca_cert.get_extension(&ID_CE_INHIBIT_ANY_POLICY)?;
if let Some(PDVExtension::InhibitAnyPolicy(iap)) = pdv_ext {
add_processed_extension(cpr, ID_CE_INHIBIT_ANY_POLICY);
cpr.add_processed_extension(ID_CE_INHIBIT_ANY_POLICY);
inhibit_any_policy = inhibit_any_policy.min(iap.0);
}
}
Expand All @@ -441,7 +441,7 @@ pub fn check_certificate_policies(
// (b) If a policy constraints extension is included in the
// certificate and requireExplicitPolicy is present and has a
// value of 0, set the explicit_policy state variable to 0.
add_processed_extension(cpr, ID_CE_POLICY_CONSTRAINTS);
cpr.add_processed_extension(ID_CE_POLICY_CONSTRAINTS);
if let Some(rep) = pc.require_explicit_policy {
explicit_policy = explicit_policy.min(rep)
}
Expand Down
Loading