Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(connect): authenticateDevice verify CA cert extensions #13173

Merged
merged 3 commits into from
Jul 19, 2024

Conversation

szymonlesisz
Copy link
Contributor

Description

  • add parseExtensions function to x509certificate and parse known/expected extension fields
  • validate CA cert extensions following trezorlib
    KeyUsage must be present and allow certificate signing.
    BasicConstraints must be present, have the cA flag and a pathLenConstraint.
    Any unrecognized non-critical extension is allowed. Any unrecognized critical extension is disallowed.
    

Related Issue

Resolve #13071

@szymonlesisz szymonlesisz force-pushed the feat/connect-x509-validate-cert branch from a85a80b to 97a321a Compare July 12, 2024 15:46
@szymonlesisz szymonlesisz force-pushed the feat/connect-x509-validate-cert branch from f4bae56 to a0a3378 Compare July 16, 2024 14:17
@szymonlesisz szymonlesisz marked this pull request as ready for review July 16, 2024 15:33
Copy link
Contributor

@mroz22 mroz22 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ack

@mroz22 mroz22 merged commit bc13fe2 into develop Jul 19, 2024
71 checks passed
@mroz22 mroz22 deleted the feat/connect-x509-validate-cert branch July 19, 2024 11:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Improve device certificate chain validation
3 participants