refactor: generalize cert sig preference handling #4379
Conversation
jmayclin
force-pushed
the
cert-sig-refactor
branch
from
a9b978b to
ead852b
Compare
This commit rearranges our logic for handling certificate signature preferences. This work is being done to simplify applying certificate signature preferences to the local side of a connection.
jmayclin
force-pushed
the
cert-sig-refactor
branch
from
ead852b to
cc4ce15
Compare
- add const qualifiers to test descriptions - add deference to pointer construction
- accidentally commited my CMake changes :(
- assert not null arguments - preserve comments - remove unused pkey - result guard rather than result ensure - add comment for sigalgs - rename s2n_cert_description -> s2n_cert_info - remove s2n_cert_info comment
- finish cert description rename - move expect_error to also assert on errno
- reword comment for SHA1 check
- add comments to test - remove extra scope in test
- remove print statement - manually format test structures
- move test description down to for loop - remove validate-cert method
- remove unused variable - add in SHA1 TLS version unit tests
tests/unit/s2n_cert_info_test.c
Outdated
| DEFER_CLEANUP(X509 *intermediate = NULL, X509_free_pointer); | ||
| DEFER_CLEANUP(X509 *root = NULL, X509_free_pointer); | ||
|
|
||
| /* read in cert chain */ |
There was a problem hiding this comment.
Just wondering if it would be simpler to use s2n_test_cert_permutation_load_server_chain() and read each x509 with s2n_cert_get_der().
There was a problem hiding this comment.
I think it'd definitely be simpler, but this felt a bit "cleaner" in that I am very sure there isn't any s2n_cert parsing side-effect things going on. But happy to change it if you think that makes sense!
| }; | ||
|
|
||
| /* s2n_is_certificate_sig_scheme_supported() */ |
There was a problem hiding this comment.
Shouldn't all of these tests work with s2n_validator_check_cert_preferences()? I see you've added new tests for s2n_security_policy_validate_sig_scheme_supported(), but having tests for s2n_validator_check_cert_preferences() with real certs could be useful, unless you don't think they're valuable anymore.
There was a problem hiding this comment.
Shouldn't all of these tests work with s2n_validator_check_cert_preferences()
Yes
but having tests for s2n_validator_check_cert_preferences() with real certs could be useful, unless you don't think they're valuable anymore.
I think it seems a little redundant? E.g. We'd be copy-pasting the same tests cases for two different functions. While I do agree that having tests cases using only higher level functions can be useful, I'd actually prefer to just make those integration tests and e.g. do a handshake using only public APIs and check that the client failed with the appropriate error.
There was a problem hiding this comment.
It can be dangerous to remove tests during a refactor. You might miss a behavior change.
If the setup is repetitive, can you fix that without removing the test?
There was a problem hiding this comment.
I preserved all test cases, but let me know if I it looks like I missed any functionality.
- Certificate signature algorithm is in test certificate signature preferences list
- Certificate signature algorithm is not in test certificate signature preferences list
- Certificates signed with an RSA PSS signature can be validated
were all moved to s2n_security_policy_cert_preferences_test.c since the functionality of s2n_validate_sig_scheme_supported now lives in s2n_security_policy_validate_sig_scheme_supported
- Certificate signature algorithm is in the test certificate signature preferences list but signature is SHA-1 and TLS 1.3 has been negotiated.
- Certificate signature algorithm is in the test certificate signature preferences list and signature is SHA-1 and TLS 1.2 has been negotiated.
have both been added as new tests cases for s2n_validator_check_cert_preferences. Previously s2n_validate_sig_scheme_supported/s2n_security_policy_validate_sig_scheme_supported was responsible for handling the TLS1.3/SHA-1 restriction, but to make things more general that validator specific logic has been moved out of s2n_security_policy_validate_sig_scheme_supported and into s2n_validator_check_cert_preferences
- correct spelling mistake - move s2n_cert_get_info to openssl and rename - move s2n_cert_info_test to the openssl namespace - manually indent clang-formatted code - use s2n_read_test_pem_and_len over alternative - remove left over header definition - switch argument ordering for s2n_security_policy - NULL initialize pointer - prefer result ensure over result bail
| }; | ||
|
|
||
| /* s2n_is_certificate_sig_scheme_supported() */ |
There was a problem hiding this comment.
It can be dangerous to remove tests during a refactor. You might miss a behavior change.
If the setup is repetitive, can you fix that without removing the test?
- switch test method to S2N_RESULT - add trailing commas for test struct - rename s2n_security_policy_ -> s2n_signature_preferences_ - rename validator method
- change arguments of cert validator - change the name again - spearate out the checks for the self-signed
- change the name again
- switch to result_ensure_ref bcause of cppcheck
This commit rearranges our logic for handling certificate signature preferences. This work is being done to simplify applying certificate signature preferences to the local side of a connection.
Resolved issues:
Related to #4339
Description of changes:
To apply cert signatures both to peer certs and local certs, we need to be able to work with
X509*ands2n_certstructures. Thes2n_cert_descriptionstruct is used to abstract out the information that is used for the validation. It also provides an easy was to validate against certificate key preferences, which will be added in a later PR.Call-outs:
Having both
s2n_security_policy_validate_certificateands2n_security_policy_validate_sig_scheme_supportedprobably seems a little overwrought right now, but the separation makes it much easier to add as2n_security_policy_validate_sig_key_supportedmethod in the future.Formatting was done with
Testing:
New unit tests are added for new functionality. Additionally, all existing CI should pass.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.