verification: WIP client verification skeleton
Still WIP -- the public APIs are not fully filled in yet. Outstanding tasks:

- [x] Fill in `build_client_verifier`
- [x] Add and implement `ClientVerifier.verify`
- [ ] Unit tests (including limbo tests?)

Closes #10276.
That makes sense to me
On Sun, Feb 4, 2024, 4:20 PM William Woodruff wrote (commenting on this pull request):
In src/cryptography/hazmat/bindings/_rust/x509.pyi (https://github.com/pyca/cryptography/pull/10345#discussion_r1477441539):
```diff
-    ) -> tuple[
-        x509.Name, x509.SubjectAlternativeName | None, list[x509.Certificate]
-    ]: ...
```
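Review bot: the removed annotation returns an anonymous `tuple[x509.Name, x509.SubjectAlternativeName | None, list[x509.Certificate]]`, so callers have to remember which position holds the subject, the SAN and the chain; a named result type, as agreed in this comment, documents each field, and if client verification is going to require a SAN (as suggested below) the `| None` on that field can be dropped so callers never have to handle the absent case.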
Named type makes sense!
Re: subject: in that case, perhaps client verification should enforce the presence of a SAN? That should be trivial to do.
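A concrete form of the SAN-presence check raised in the comment above, added here as an example and not code from this PR or from pyca/cryptography itself. It uses only the library's public `x509` API; `_make_leaf`, `require_san`, `san_names` and `leaf_accepted` are names of this example, and the certificates are self-signed test data constructed inline so the block runs offline.

```python
# Added example (not the PR's or pyca/cryptography's own code): reject a
# client leaf certificate that carries no subjectAltName extension.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _make_leaf(with_san: bool) -> x509.Certificate:
    """Build a self-signed leaf (constructed test data, not a real identity)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name(
        [x509.NameAttribute(NameOID.COMMON_NAME, "client.example.test")]
    )
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if with_san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName(
                [
                    x509.DNSName("client.example.test"),
                    x509.RFC822Name("user@example.test"),
                ]
            ),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def require_san(cert: x509.Certificate) -> list[x509.GeneralName]:
    """Return the leaf's SAN entries, failing hard if the extension is absent.

    A client certificate without a SAN gives the verifier no identity that
    name constraints can be checked against, so it is rejected outright
    rather than surfaced to the caller as `None`.
    """
    try:
        ext = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName
        )
    except x509.ExtensionNotFound:
        raise ValueError("client certificate has no subjectAltName extension")
    return list(ext.value)


def san_names(with_san: bool) -> list[str]:
    """SAN values of a constructed leaf, for demonstration."""
    return [gn.value for gn in require_san(_make_leaf(with_san))]


def leaf_accepted(with_san: bool) -> bool:
    """True if the constructed leaf passes the SAN-presence check."""
    try:
        require_san(_make_leaf(with_san))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("with SAN:", san_names(True))
    print("without SAN accepted?", leaf_accepted(False))
```

Treating a missing SAN as an error at verification time, rather than returning an optional value, keeps the "which name was this client verified under?" question answerable for every successful result, which is what a caller doing its own authorization on the SAN entries needs.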
PS: Yes, there should be limbo tests for this. In principle the schema was designed in a way to incorporate them.
I'll work on the limbo tests for this shortly (✈️)
For tracking: https://github.com/C2SP/x509-limbo/pull/196 has the initial client cases. I'm going to poke at email NC handling in a separate PR first, and then align those tests here.
Email NC bits are merged, so I'll take another poke at this tonight or tomorrow.
This will be at 100% coverage once https://github.com/C2SP/x509-limbo/pull/221 lands. After that, I'll also look at filtering the set of subjects returned by the API to just ones that we currently have NC support for.
This should be good for a review!