Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X.509 path building follow-ups #10034

Open
19 of 22 tasks
alex opened this issue Dec 22, 2023 · 2 comments
Open
19 of 22 tasks

X.509 path building follow-ups #10034

alex opened this issue Dec 22, 2023 · 2 comments
Labels
x509

Comments

@alex
Copy link
Member

alex commented Dec 22, 2023
edited

For 42.0
Beta Give feedback
  1. CHANGELOG: record #8873 #10035
  2. x509/verification: add an API usage example #10036
  3. Rename x509-validation crate to verification for consistency with the Python API #10039
  4. verification: add test_verify_tz_aware #10229

Functionality
Beta Give feedback
  1. add automatic PRs for new commits on x509-limbo and wycheproof #10044
  2. Added a benchmark for x.509 verification #10042
  3. Allow verifying an x509 cert chain without making assertions about the subject name #10276

Performance
Beta Give feedback
  1. Remove a Vec that's not needed #10050
  2. Avoid duplicate work building store on every verification #10047
  3. Avoid insert(0), it's O(n^2) when done repeatedly #10051
  4. Avoid linear scan of the entire trust store #10052
  5. Avoid re-parsing certificates after building chain #10056
  6. Make extension handling in x.509 verifier less meta-programmed #10054
  7. Cache public keys on VerificationCertificate #10100
  8. Migrate PolicyBuilder to Rust #10069
  9. Make a direct rust call for parsing SPKIs #10092
  10. Migrate SPKI parsing from OpenSSL to Rust #10121
  12. Avoid allocating a Vec -- directly create a list #10217
  13. Reduce the amount of data that needs to be hashed to check if a cert is in a trust store #10218
@alex alex added this to the Forty Second Release milestone Dec 22, 2023
@alex alex added the x509 label Dec 22, 2023
@woodruffw woodruffw mentioned this issue Dec 22, 2023
Merged
@alex alex removed this from the Forty Second Release milestone Dec 23, 2023
@alex alex added this to the Forty Second Release milestone Jan 3, 2024
@alex alex mentioned this issue Jan 3, 2024
Merged
@alex alex removed this from the Forty Second Release milestone Jan 22, 2024
@woodruffw
Copy link
Contributor

Another functionality follow-up: CRLs and CRL checking. This will likely require its own non-trivial design and planning period.

@reaperhulk
Copy link
Member

Added as Revocation (CRL, OCSP) 👍

@alex alex mentioned this issue Feb 14, 2024
Open
@vEpiphyte vEpiphyte mentioned this issue Feb 15, 2024
Merged
vEpiphyte added a commit to vertexproject/synapse that referenced this issue Feb 28, 2024
@vEpiphyte @Cisphyx
Update cryptography to 42.0.4 and update certdir (SYN-3552, SYN-6860) (
5a60657 
…#3568)

- Cryptography update addresses older version of cryptography package containing CVE-2023-50782 & CVE-2024-26130
- certdir now uses cryptography X509 objects and RSA private key objects, instead of PyOpenSSL X509 and Pkey objects. This is largely due to the removal of APIs from PyOpenSSL which we were utilizing for PKCS12 support and the guidance from PyOpenSSL project to not utilize the ``Crypto`` module in new projects as it is considered deprecated in
favor of Cryptography. Per prior discussion, there should be no API stability concerns related to this change since the CertDir class is not exposed via telepath or storm apis.
- certdir is now fully typed. This identified issues where we were declaring bytes as inputs on certdir and Cortex was passing in PEM strings instead of bytes.
- Remove PyOpenSSL use where it is possible to do so. We now only use it for doing X509 path building and certificate verification, eventually we'll be able to remove this in favor of APIs provided by Cryptography ( see pyca/cryptography#10393 pyca/cryptography#10034 )

---------

Co-authored-by: Cisphyx <cisphyx@vertex.link>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
x509
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alex @reaperhulk @woodruffw