rust: add crate skeleton for X.509 path validation #8873

Signed-off-by: William Woodruff <william@trailofbits.com>

* rust: WIP code to verify name constraints * rust: get DNS name constraints working * rust: fix DNS pattern match check * lib: clippage Signed-off-by: William Woodruff <william@trailofbits.com> * lib: fmt Signed-off-by: William Woodruff <william@trailofbits.com> * WIP to store `GeneralName` directly * lib: fmt Signed-off-by: William Woodruff <william@trailofbits.com> * lib: reuse Chain type Signed-off-by: William Woodruff <william@trailofbits.com> * extensions: drop unnecessary self lifetime bound (pyca#9650) Signed-off-by: William Woodruff <william@trailofbits.com> * validation: fix lifetimes Signed-off-by: William Woodruff <william@trailofbits.com> * certificate: increase lifetime precisions (pyca#9651) Similar to pyca#9650: adding explicit lifetimes here prevents Rust from binding `&self` to the placeholder lifetime, which it does by default. The in turn allows the return values here to outlive `&self`. Signed-off-by: William Woodruff <william@trailofbits.com> * Rename chain result to something more idiomatic * Use default annotation for name constraints * Simplify constraint subtree collection * Create separate `DNSConstraint` type * Add CA and EE name constraint checks * rust: Revert `permits_leaf` refactor * rust: Make name constraint matching slightly more correct * rust: Fix `IPAddress._packed` call * rust: Account for the case when an IP SAN doesn't represent a range * rust: Refine name constraint logic for SANs * rust: Use `matches!` macro * rust: Don't apply name constraints to self-issued certs unless its the leaf * DNSConstraint: newtype pattern Signed-off-by: William Woodruff <william@trailofbits.com> * oops Signed-off-by: William Woodruff <william@trailofbits.com> * types: refactor, test DNSConstraint Signed-off-by: William Woodruff <william@trailofbits.com> * types: another constraint test for good measure Signed-off-by: William Woodruff <william@trailofbits.com> --------- Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

* rust: check for malformed `AuthorityInformationAccess` extension * policy: do AIA check as an ExtensionPolicy Signed-off-by: William Woodruff <william@trailofbits.com> --------- Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: William Woodruff <william@trailofbits.com>

More expressive. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: Add `x509-limbo` test tests: Use subtests in `test_limbo` Use the correct peer name types tests: Flip the Limbo validation kind to `SERVER` * tests: Update `limbo.json` * tests: Fix Limbo tests that exercise unsupported features * test: Use new server verifier API * test: Don't allow empty peer name since the API requires it * rust: Add name constraints OID to critical extensions list * rust: Fix check for leaf certificates when applying name constraints * test: Remove assert for `extended_key_usage` Limbo data since we're populating it now * test: Update `limbo.json` * test: Skip EKU Limbo tests * test: Add comments to explain why we're skipping certain Limbo tests * rust: Leave comment explaining `is_leaf` parameter

…l extensions (#6) * rust: Use extension policy mechanism to check for unaccounted critical extensions * validation/policy: slightly more efficient critical matching Signed-off-by: William Woodruff <william@trailofbits.com> --------- Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Free coverage. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

This reverts commit 8d9d223.

Signed-off-by: William Woodruff <william@trailofbits.com>

CABF asserts this for all certs, not just CA certs. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

This should be easier to get coverage for. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

* validation: Add `max_chain_depth` parameter to `ServerVerifier` * test: Bump `limbo.json` and support `max_chain_depth` in the harness * Bump `limbo.json` * rust: Fix bad merge * Bump `limbo.json`

Signed-off-by: William Woodruff <william@trailofbits.com>

Not hooked up to anything yet. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Now covered by limbo. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

This is consistent with how other path validation libraries behave. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Oops. Signed-off-by: William Woodruff <william@trailofbits.com>

Plumb penultimate errors through the validation cycle. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Effectively means that we'll prefer shorter chains. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

This makes us handle EKU constraints in CAs, which the Web PKI stipulates. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com> tests: debugging assistance Signed-off-by: William Woodruff <william@trailofbits.com> validation: only accumulate NC if applied Need to refactor this a bit, but it's functionally correct. Signed-off-by: William Woodruff <william@trailofbits.com> validation: cleanup, docs Signed-off-by: William Woodruff <william@trailofbits.com>

Self-issued intermediates are now counted for pathlen and max chain length purposes. This is nominally an RFC 5280 violation, but one that is widely performed by path validation implementations. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Easier to reuse PublicKeyErrorOps, since we're not relying on its APIs. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Unclear why this suddenly broke on Windows. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

Just call permits_ee directly. Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>

rust: add crate skeleton for X.509 path validation #8873

rust: add crate skeleton for X.509 path validation #8873

Commits on Sep 7, 2023

Commits on Oct 2, 2023

Commits on Oct 3, 2023

Commits on Oct 5, 2023

Commits on Oct 6, 2023

Commits on Oct 7, 2023

Commits on Oct 16, 2023

Commits on Oct 18, 2023

Commits on Oct 19, 2023

Commits on Oct 22, 2023

Commits on Oct 24, 2023

Commits on Oct 26, 2023

Commits on Oct 28, 2023

Commits on Oct 29, 2023

Commits on Oct 30, 2023

Commits on Oct 31, 2023

Commits on Nov 2, 2023

Commits on Nov 3, 2023

Commits on Nov 6, 2023

Commits on Nov 9, 2023

Commits on Nov 10, 2023

Commits on Nov 13, 2023

Commits on Nov 14, 2023

Commits on Nov 15, 2023

Commits on Nov 16, 2023

Commits on Nov 17, 2023

Commits on Nov 18, 2023

Commits on Nov 20, 2023

Commits on Nov 21, 2023

Commits on Nov 22, 2023

Commits on Nov 23, 2023

Commits on Nov 24, 2023

Commits on Nov 25, 2023

Commits on Nov 26, 2023

Commits on Nov 30, 2023

Commits on Dec 1, 2023

Commits on Dec 18, 2023

Commits on Dec 19, 2023

Commits on Dec 20, 2023

Commits on Dec 21, 2023

Commits on Dec 22, 2023