fix: fix the certs validation in trust store #147
Conversation
binbin-li
force-pushed
the
fix-cert-validation
branch
from
72ae651
to
395b083
Compare
verification/store.go
Outdated
| if len(certs) == 1 { | ||
| // if there is only one certificate, it must be a self-signed cert or |
There was a problem hiding this comment.
Single certificate in trust store doesn't means that its a self signed signing certificate. Trust store can have multiple certificate and one out of them can be a self signed signing certificate.
Logic:
func validateCerts(certs[] * x509.Certificate, path string) error {
// to prevent any trust store misconfigurations, ensure there is at least
// one certificate from each file.
if len(certs) < 1 {
return fmt.Errorf("could not parse a certificate from %q, every file in a trust store must have a PEM or DER certificate in it", path)
}
for _, cert: = range certs {
if !cert.IsCA {
if err: = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature);
err != nil {
fmt.Errorf("certificate with subject %q from file %q is not a CA certificate or self-signed signing certificate", cert.Subject, joinedPath)
}
}
}
}
}There was a problem hiding this comment.
thanks for the comment! Updated.
There was a problem hiding this comment.
Actually, I found https://pkg.go.dev/crypto/x509#Certificate.CheckSignatureFrom might better fit this case, and it uses CheckSignature under the hood. Let me know if you have any concerns on it. thanks! @priteshbandi
There was a problem hiding this comment.
We cannot use CheckSignatureFrom because it imposes some extra constraints that are not valid for self signed signing certificate, instead we should use CheckSignature which only performs self signed check.
binbin-li
force-pushed
the
fix-cert-validation
branch
from
200da4f
to
c35efb7
Compare
Codecov Report
@@ Coverage Diff @@
## main #147 +/- ##
==========================================
+ Coverage 72.66% 72.79% +0.13%
==========================================
Files 36 36
Lines 2491 2503 +12
==========================================
+ Hits 1810 1822 +12
Misses 544 544
Partials 137 137
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
binbin-li
force-pushed
the
fix-cert-validation
branch
from
c35efb7
to
d77278a
Compare
binbin-li
force-pushed
the
fix-cert-validation
branch
from
069183a
to
077ba69
Compare
Signed-off-by: Binbin Li <libinbin@microsoft.com>
Signed-off-by: Binbin Li <libinbin@microsoft.com>
binbin-li
force-pushed
the
fix-cert-validation
branch
from
077ba69
to
96e02c0
Compare
Signed-off-by: Binbin Li <libinbin@microsoft.com>
Follow up change from #147 (comment) Signed-off-by: Pritesh Bandi <pritesb@amazon.com>
What?
Change the certificates validation in a trust store.
As described in spec: https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md#trust-store, certs in trust store can be either root certs or intermediate certs though the intermediate certs are not recommended. And it's possible that users put a self-signed root cert in the trust store as well.
The current implementation checks if all certs under a trust store directory are CA certs which misses the case that a self-signed root cert in the trust store.
Test
Updated and added unit tests.
Signed-off-by: Binbin Li libinbin@microsoft.com