std.crypto.Certificate.verify: additionally verify "key usage" #14175

Open
Tracked by #14178
andrewrk opened this issue Jan 3, 2023 · 1 comment
Labels:

  • bug: Observed behavior contradicts documented or intended behavior
  • enhancement: Solving this issue will likely involve adding new logic or components to the codebase.
  • standard library: This issue involves writing Zig code for the standard library.

andrewrk commented Jan 3, 2023

RFC 5280 section 4.2.1.3

```zig
/// This function verifies:
/// * That the subject's issuer is indeed the provided issuer.
/// * The time validity of the subject.
/// * The signature.
pub fn verify(parsed_subject: Parsed, parsed_issuer: Parsed, now_sec: i64) VerifyError!void {
```
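
The check this issue asks for, as an added example in Python (not Zig standard library code and not written by the issue's participants): it decodes the keyUsage BIT STRING defined in RFC 5280 section 4.2.1.3 and applies the path-validation rule that an issuer carrying the extension must assert keyCertSign. The function names and the sample DER bytes are constructed for illustration.

```python
# Added example: keyUsage check per RFC 5280 section 4.2.1.3 (not Zig std code).
KEY_USAGE_BITS = (
    "digitalSignature", "contentCommitment", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# Constructed sample extnValue contents (DER BIT STRINGs), not from real certs.
CA_KEY_USAGE = bytes.fromhex("03020106")    # keyCertSign, cRLSign
LEAF_KEY_USAGE = bytes.fromhex("030205a0")  # digitalSignature, keyEncipherment


def parse_key_usage(ext_value: bytes) -> frozenset:
    """Decode the DER BIT STRING carried in a keyUsage extension."""
    if len(ext_value) < 4 or ext_value[0] != 0x03:
        raise ValueError("keyUsage must be a non-empty BIT STRING")
    if ext_value[1] >= 0x80 or ext_value[1] != len(ext_value) - 2:
        raise ValueError("bad BIT STRING length")
    unused, bits = ext_value[2], ext_value[3:]
    if unused > 7 or bits[-1] & ((1 << unused) - 1):
        raise ValueError("bad unused-bit count or non-zero padding")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, shift = divmod(i, 8)
        # ASN.1 bit 0 is the most significant bit of the first content byte.
        if byte < len(bits) and bits[byte] & (0x80 >> shift):
            names.add(name)
    if not names:
        raise ValueError("at least one key usage bit must be set")
    return frozenset(names)


def issuer_may_sign_certificates(issuer_key_usage) -> bool:
    """Apply RFC 5280 6.1.4 (n): a present keyUsage must assert keyCertSign.

    Pass None when the issuer certificate has no keyUsage extension.
    """
    if issuer_key_usage is None:
        return True
    return "keyCertSign" in parse_key_usage(issuer_key_usage)


if __name__ == "__main__":
    for label, der in (("CA", CA_KEY_USAGE), ("leaf", LEAF_KEY_USAGE)):
        print(label, sorted(parse_key_usage(der)),
              "may sign certs:", issuer_may_sign_certificates(der))
```

A verifier that skips this step accepts a chain in which a leaf certificate, issued only for signatures or key encipherment, acts as an issuer, provided the names, dates and signature line up.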

andrewrk added the bug, enhancement, and standard library labels Jan 3, 2023
andrewrk added this to the 0.11.0 milestone Jan 3, 2023
andrewrk modified the milestones: 0.11.0, 0.12.0 Jun 19, 2023
clickingbuttons added a commit to clickingbuttons/zig that referenced this issue Apr 24, 2024
Enhanced security:
	- Add and use more secure DER parser which prevents
		previously possible buffer overflows and OOB reads.
	- Fail on unknown critical extensions.
	- Verify key usage and extended key usage (closes ziglang#14175).
	- Verify policy (needs future work + validation).
	- Verify basic constraints.
	- Verify that Certificates loaded into bundles are indeed CAs.
	- Correctly handle certificate dates before 1970.

Enhanced compatibility:
	- Allow any SHA2 hash function with RSA and ECDSA public keys.
clickingbuttons commented Apr 26, 2024

Not only should key usage be verified, but also:

  • Additional key usage
  • Policy chain
  • Basic constraints
  • All critical extensions are parsed
  • Correctly parse dates before 1950 (currently they are all parsed as 1970)

andrewrk modified the milestones: 0.14.0, 0.16.0 Feb 9, 2025