API for allowing signature validation given a SPKI/RPK #275
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #275 +/- ##
==========================================
+ Coverage 97.30% 97.33% +0.03%
==========================================
Files 19 20 +1
Lines 4234 4283 +49
==========================================
+ Hits 4120 4169 +49
Misses 114 114 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Hi there. Thanks for getting the ball rolling :-)
I think this would also benefit from the equivalent of a tests/signatures.rs integration test using the generate.py script to output tests/testdata for doing a signature verification using a raw public key entity across all the supported algorithms (e.g. ecdsa p256, p384, p521, ed25519, rsa 2048, 3072 and 4096). Right now there's just one ed25519 test being used from a unit test, and not an integration test.
57327fd to
8fc9ba9
Compare
|
Nevermind, looks like a different root cause. |
@ctz seems you were right, this did seem to be the root cause. After removing the existing signature test files and rerunning |
|
The deny failure is addressed in #277. |
|
@djc that solved the deny failure indeed. I've also added |
Yes, in a separate commit please! |
Needs a rebase? 🤔 |
src/rpk_entity.rs
Outdated
| //Try to read an end entity certificate into a RawPublicKeyEntity. | ||
| //It will fail to parse the key value since we expect no unused bits. |
There was a problem hiding this comment.
nit: I think these comments would benefit from a space between the // and the text (surprised cargo fmt isn't doing that automagically tbh...)
Co-authored-by: Adolfo Ochagavía <github@adolfo.ochagavia.nl>
Co-authored-by: Adolfo Ochagavía <github@adolfo.ochagavia.nl>
Co-authored-by: Adolfo Ochagavía <github@adolfo.ochagavia.nl>
|
Thanks! |
This PR creates a new public API which allows for signature validation given a SPKI or a Raw Public Key. This aids the implementation of RFC 7250 (Raw Public Key support) in rustls.
Public API Changes
RawPublicKeyEntity, which creates aSubjectPublicKeyInfofrom a `SubjectPublicKeyInfoDer.RawPublicKeyEntityonly has averify_signaturefunction, which verifies the signature with the spki.API Changes
SubjectPublicKeyInfotype we've added the methodsubject_public_key_info. This method returns the DER ofSubjectPublicKeyInfo.Open Questions
SubjectPublicKeyInfoback into properly encoded ASN.1 we need to prepend thekey_valueandalgorithm_valuewith the correct ASN.1 tag. For this we are usingder::asn1_wrap, this function works as expected for the sequencealgorithm_value, but not for the bitstringkey_value. I assume the reason being that bit strings also need a byte for the number of unused bits. My current workaround is to manually add a 0 byte to thekey_valueand only then useasn1_wrap(). If this is not the expected behaviour forasn1_wrap()I can also open a PR for to update this.signed_data::verify_signaturefunction expects a SPKI, but without the ASN.1 tag wrapping the algorithm value AND the key value.That's why I added a boolean
for_verificationtosubject_public_key_info(). Iffor_verificationistruethe output DER can be used insigned_data::verify_signature, else it's a properly ASN.1 encoded SPKI. Is this a good way to go about this difference?EDIT: Instead of using the
subject_public_key_info()function to get a key that can be used for verification, it might be better to add aderfield to theSubjectPublicKeyInfostruct. In that way we don't need thesubject_public_key_info() function anymore and are we not dependent on thealloc` feature.Contributors:
This PR is made in collaboration with @aochagavia.