Skip to content

OpenSSL 1.1.1 cert verification port #239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 63 commits into from
Oct 25, 2021
Merged

OpenSSL 1.1.1 cert verification port #239

merged 63 commits into from
Oct 25, 2021

Conversation

kares
Copy link
Member

@kares kares commented Oct 17, 2021
edited
Loading

an attempt to port over verify_chain (build_chain) and all related bits from OpenSSL 1.1.1.

JOSSL current certificate verification algorithm is rather straightforward and dates back to OpenSSL 0.9 days.

Several times we tried porting over newer code to enhance verification (e.g. to consider alternate chains) but failed due the magnitude of the task.

The PR is an attempt for a minimal viable product in terms of OpenSSL 1.1.1 compatible chain verification.
No relevant security features should be missing - if so than they are likely not present in the legacy algorithm as well.

The WiP here skips dane support completely (as well as a few other parts) - full port is far from complete.
There's also a number of (OpenSSL 1.1.1) features which are slightly changed or disabled :

  • EXFLAG_SS isn't working - switched cert_self_signed to only check EXFLAG_SI
    • this what legacy does to check self-signed - acceptable for now
    • should be investigated why tighter checks aren't working for JOSSL
    • unify/refactor EXFLAG_XXX checks to do less work?
  • drop duplicate check_chain_extension
    • check if OpenSSL still works with ENV['OPENSSL_ALLOW_PROXY_CERTS']
  • check_cert checking not ported - using old legacy checks
  • OpenSSL 1.1.1 check_crl differences - not passing when enabled
    • support/implement current_crl_score and current_reasons ?
  • review/implement auth_level checks
  • review/implement check_id

kares added 29 commits October 5, 2021 13:21
@kares
prepare for support of V_FLAG_TRUSTED_FIRST
e7f8f29
@kares
port over build_chain etc (from OpenSSL 1.1)
49c2a2c
@kares
Refactor: house-keeping
ab2f06f
@kares
missing num_untrusted field + more porting from 1.1
36e835f
@kares
Refactor: use a LinkedList instead
99f9611
@kares
port check_trust + refactor and hide checkCertificateTime
99b76d8
@kares
more upstream sync with C OpenSSL 1.1.1
550eb19
@kares
[refactor] align X509_STORE_CTX_get_by_subject
b460840
@kares
review (the public) X509_verify_cert
19a6562
@kares
[refactor] re-use field for untrusted count
fe5568c
@kares
[refactor] a no-op
45185c8
@kares
prepare for ctx->parent + align check_revocation
7bd2579
@kares
ported OpenSSL 1.1.1 verify_chain logic
64f2007
@kares
[refactor] extract dummy policy check
c18704e
@kares
port lookup_cert_match w X509_STORE_CTX_get1_certs (DRAFT)
1988f7f
@kares
[refactor] and move around duplicate helpers
caf7d07 
deprecated ones are for the current (legacy) verify_chain
@kares
TEMP: verify chain switch w a -Dverify_legacy
18eb94a
@kares
[refactor] simplify - get rid of extra checks
b985c84
@kares
restore old internal_verify and do not use new in legacy
c63c9d2
@kares
[refactor] drop all EMPTY fns
41ce9d2
@kares
[fix] fns that might be inherited from store
082aab7
@kares
a toString helper for debugging
950d806
@kares
implement some ex_flags on certificate
9d17bb7
@kares
review cert_self_signed usage for new verification
b7ef6ae
@kares
[refactor] get rid of remaining (confusing) NULL FNs
e947019
@kares
[refactor] reviewed message mappings
b86c549
@kares
[fix] return + proper (OSSL 1.1.1) lookup_certs impl
e6cd6d5
@kares
[refactor] confusing naming
6d3fe27
@kares
DRAFT: 'minimal' legacy multi-path cert verification
8bbd897 
an attempt to retrofit verification to consider alt-chains
@kares kares mentioned this pull request Oct 17, 2021
Closed
4 tasks
kares added 14 commits October 20, 2021 17:37
@kares
ported bits for check_crl (wip) unused for now
e228362 
due test fails but we're still plan using the new time checks
@kares
[refactor] impl and use EXFLAG_PROXY in ported code
a125175
@kares
[refactor] debug assertion failures
cb65b34
@kares
reviewed X509_check_issued ~ matches 1.1.1 version
dd58f66
@kares
port get_issuer - we might need it later
6e67713
@kares
[refactor] minor - style used to resemble OpenSSL
2435a43
@kares
use ported check_crl_time (in legacy as well)
0613e6e 
this should be fine since it just does more checks
@kares
[todo] EXFLAG_SS isn't working for JOSSL atm
220c82f
@kares
[refactor] align legacy check_crl with 1.1.1
eddaa35
@kares
[fix] do not assume object == in check_issued
c14ed43
@kares
[todo] auxiliary checks aren't the same as in OpenSSL
bf735b4
@kares
[refactor] remove commented code
7f99d1f
@kares
[test] adjust store tests (based on OSSL updates)
ced912a
@kares
[test] use fixed time so tests pass in few months
42a4b6a
@kares kares force-pushed the cert-verify-trusted branch from 28d5106 to 42a4b6a Compare October 20, 2021 15:38
@kares kares changed the title WiP: OpenSSL 1.1.1 cert verification port OpenSSL 1.1.1 cert verification port Oct 20, 2021
@kares kares linked an issue Oct 20, 2021 that may be closed by this pull request
bundle install affected by DST Root CA X3 expiration #236
Closed
@kares kares marked this pull request as ready for review October 20, 2021 16:15
@kares kares merged commit 387ec05 into master Oct 25, 2021
This was referenced Oct 25, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bundle install affected by DST Root CA X3 expiration
1 participant
@kares