-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: fix the certs validation in trust store #147
Conversation
72ae651
to
395b083
Compare
verification/store.go
Outdated
if len(certs) == 1 { | ||
// if there is only one certificate, it must be a self-signed cert or |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Single certificate in trust store doesn't means that its a self signed signing certificate. Trust store can have multiple certificate and one out of them can be a self signed signing certificate.
Logic:
func validateCerts(certs[] * x509.Certificate, path string) error {
// to prevent any trust store misconfigurations, ensure there is at least
// one certificate from each file.
if len(certs) < 1 {
return fmt.Errorf("could not parse a certificate from %q, every file in a trust store must have a PEM or DER certificate in it", path)
}
for _, cert: = range certs {
if !cert.IsCA {
if err: = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature);
err != nil {
fmt.Errorf("certificate with subject %q from file %q is not a CA certificate or self-signed signing certificate", cert.Subject, joinedPath)
}
}
}
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the comment! Updated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I found https://pkg.go.dev/crypto/x509#Certificate.CheckSignatureFrom might better fit this case, and it uses CheckSignature
under the hood. Let me know if you have any concerns on it. thanks! @priteshbandi
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We cannot use CheckSignatureFrom because it imposes some extra constraints that are not valid for self signed signing certificate, instead we should use CheckSignature which only performs self signed check.
200da4f
to
c35efb7
Compare
Codecov Report
@@ Coverage Diff @@
## main #147 +/- ##
==========================================
+ Coverage 72.66% 72.79% +0.13%
==========================================
Files 36 36
Lines 2491 2503 +12
==========================================
+ Hits 1810 1822 +12
Misses 544 544
Partials 137 137
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
c35efb7
to
d77278a
Compare
069183a
to
077ba69
Compare
Signed-off-by: Binbin Li <libinbin@microsoft.com>
Signed-off-by: Binbin Li <libinbin@microsoft.com>
077ba69
to
96e02c0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Binbin Li <libinbin@microsoft.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Follow up change from #147 (comment) Signed-off-by: Pritesh Bandi <pritesb@amazon.com>
What?
Change the certificates validation in a trust store.
As described in spec: https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md#trust-store, certs in trust store can be either root certs or intermediate certs though the intermediate certs are not recommended. And it's possible that users put a self-signed root cert in the trust store as well.
The current implementation checks if all certs under a trust store directory are CA certs which misses the case that a self-signed root cert in the trust store.
Test
Updated and added unit tests.
Signed-off-by: Binbin Li libinbin@microsoft.com