Migrate away from c-t-go/x509 and c-t-go/asn1 #198
Conversation
# Conflicts: # internal/scti/storage.go # Conflicts: # internal/scti/ctlog.go # Conflicts: # internal/scti/chain_validation.go # internal/scti/handlers_test.go # internal/scti/signatures_test.go # Conflicts: # ctlog.go
# Conflicts: # internal/scti/requestlog.go
# Conflicts: # ctlog.go # Conflicts: # ctlog.go # Conflicts: # internal/scti/chain_validation_test.go
# Conflicts: # internal/x509util/x509util.go # Conflicts: # internal/x509util/x509util.go
# Conflicts: # internal/scti/handlers.go
# Conflicts: # internal/x509util/ct.go # internal/x509util/ct_test.go
| // - allow pre-certificates and chains with pre-issuers | ||
| // - allow certificate without policing them since this is not CT's responsibility | ||
| // See /internal/x509fork/README.md for further information. | ||
| verifyOpts := x509fork.VerifyOptions{ |
There was a problem hiding this comment.
Naming idea for this fork package: lax509 :)
There was a problem hiding this comment.
Sending a different PR to avoid making this one even larger.
| @@ -690,7 +692,7 @@ func TestPreIssuedCert(t *testing.T) { | |||
| t.Fatalf("failed to ValidateChain: %v", err) | |||
| } | |||
| for i, c := range chain { | |||
| t.Logf("chain[%d] = \n%s", i, x509util.CertificateToString(c)) | |||
| t.Logf("chain[%d] = \n%s", i, md5.Sum(c.Raw)) | |||
There was a problem hiding this comment.
md5?
Would printing the Subject make it easier to tie back to the certs in the chain?
| func isPreIssuer(cert *x509.Certificate) bool { | ||
| // Look for the extension in the Extensions field and not ExtKeyUsage | ||
| // since crypto/x509 does not recognize this extension as an ExtKeyUsage. | ||
| for _, ext := range cert.Extensions { | ||
| if types.OIDExtKeyUsageCertificateTransparency.Equal(ext.Id) { | ||
| return true | ||
| } | ||
| } | ||
| return false |
There was a problem hiding this comment.
I've seen this in a couple of places, feels like it might reasonably live exported in x509util?
There was a problem hiding this comment.
Yeah - there's a TODO to merge them, I'll do this in a followup PR. This PR was 90% done before the other isPreissuer was added.
| var ( | ||
| oidExtensionAuthorityKeyId = asn1.ObjectIdentifier{2, 5, 29, 35} | ||
| // These extensions are defined in RFC 6962 s3.1. | ||
| oidExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} | ||
| oidExtensionKeyUsageCertificateTransparency = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4} | ||
| ) |
There was a problem hiding this comment.
could/should these live next to the other RFC6962 OIDs currently in types?
There was a problem hiding this comment.
They could, yes: but what's the benefit?
I decided to leave them here because:
- we're only talking about two vars, defined in the RFC that and haven't changed in 10+ years
- it makes this file more readable
x509utilis really what it says: it's a util forx509and it does not import anything else, it just depends on standard libraries.
| for i, ext := range tbs.Extensions { | ||
| if ext.Id.Equal(oid) { | ||
| if extAt != -1 { | ||
| return nil, errors.New("multiple extensions of specified type present") | ||
| } | ||
| extAt = i | ||
| } | ||
| } |
There was a problem hiding this comment.
I think you may be able to use slices.IndexFunc here?
There was a problem hiding this comment.
I can yeah. I'll leave it for now in this PR since these methods are being copied from c-t-go, and can send a followup PR.
I find that the end result is not necessarily easier to read though, especially here since we need to use the function twice to find duplicate extensions. The current implementation only requires one loop iteration, this one two. Plus, the base implementation of slices.Index slices.IndexFunc aren't really bringing any magic. I've done a fair amount of function programming before, and I really really really like and the slice package, but for very simple usecases like this I find it way less readable.
There was a problem hiding this comment.
Ack - will do in a followup PR, this PR is trying no to change the implementation of these functions too much and to copy them over from c-t-go.
| for i, ext := range tbs.Extensions { | ||
| if ext.Id.Equal(oidExtensionAuthorityKeyId) { | ||
| keyAt = i | ||
| break | ||
| } | ||
| } |
There was a problem hiding this comment.
might be able to use slices.IndexFunc here?
There was a problem hiding this comment.
Ack - will do in a followup PR, this PR is trying no to change the implementation of these functions too much and to copy them over from c-t-go.
internal/x509fork/cert_pool.go
Outdated
| // | ||
| // Deprecated: if s was returned by [SystemCertPool], Subjects | ||
| // will not include the system roots. | ||
| // Undeprecated in this fork. |
There was a problem hiding this comment.
It would be weird to have only "Undeprecated in this fork" after merging this PR. Can we mention this is deprecated in the original package and add a link to that?
| seenCTEKU := false | ||
| for _, ext := range preIssuer.Extensions { | ||
| if ext.Id.Equal(oidExtensionKeyUsageCertificateTransparency) { | ||
| seenCTEKU = true | ||
| break | ||
| } | ||
| } | ||
| if !seenCTEKU { |
There was a problem hiding this comment.
Could slices.ContainsFunc be used here?
There was a problem hiding this comment.
Ack - will do in a followup PR, this PR is trying no to change the implementation of these functions too much and to copy them over from c-t-go.
Towards #44
This PR migrates away from
certificate-transparency-go/x509andcertificate-transparency-go/asn1. A follow up PR will drop dependency on certificate-transparency-go/tls.To allow for such a transition, this PR does a few things:
c-t-go/x509has a lot of methods to print certificates and their fields.crypto/x509does not have methods to print full certs anymore, but individual fields that implement the stringer interface can be printed. We only every used full certificate printing inchain_validation_test.go, so I've simply replaced this with printing its md5sum for now. This allows to delete the full certificate printing methods. If we need them again, we can use other libraries.BuildPrecertTBSfromc-t-go/x509tox509util/ctisPreIssuerworks, since thecrypto/x509library won't parse CT extended key usage extensions.