cryptography
FR: Allow verification of SMIME-Certificates
Since cryptography supports signing and encrypting mails for smime, there should be an (easy) way to verify smime-certificates before using them in encryption.
This is possibly a duplicate of #11165, which would allow custom extension policies. For SMIME-Support it probably would be sufficient to add something like build_smime_verifier. build_client_verifier cannot be used since it requires clientAuth Extended Key Usage.
As #11165 is already there, one discussion here could be whether a "quick access" build_smime_verifier is wanted or not. I believe implementing this feature would be fairly straightforward (and obviously simpler than crafting an API for custom EKU validation). Also I believe it would be beneficial for "common" use cases to provide pre-configured verifiers to avoid each user having to copy-paste validation code (and making mistakes in the process).
Just to note it here: Probably the only difference between Policy.client and a possible Policy.smime would be to use EKU_EMAIL_PROTECTION_OID instead of EKU_CLIENT_AUTH_OID.
I think we'd generally be in favor of this, with the first step being to figure out the API.
On Thu, Dec 5, 2024 at 4:46 AM Patrick Rauscher @.***> wrote:
Just to note it here: Probably the only difference between Policy.client and a possible Policy.smime would be to use EKU_EMAIL_PROTECTION_OID instead of EKU_CLIENT_AUTH_OID.
-- All that is necessary for evil to succeed is for good people to do nothing.
Not sure if I understand you correctly, but my idea of the API would be similar to build_client_verifier:
from pathlib import Path
from cryptography import x509
trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes())
intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes())
user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes())
builder = x509.verification.PolicyBuilder()
# PolicyBuilder.store() takes a Store object wrapping the trusted certificates
builder = builder.store(x509.verification.Store(trusted_cas))
# optional other steps like builder.time...
# build_smime_verifier is the method proposed in this issue
verifier = builder.build_smime_verifier()
verified_client = verifier.verify(user_cert, intermediates)  # raises VerificationError on failure
Sorry, I guess I wanted to take a step back and contemplate: Is the right API an SMIME cert verifier, or is it "verify this S/MIME signed content"?
On Thu, Dec 5, 2024 at 9:39 AM Patrick Rauscher @.***> wrote:
Not sure if I understand you correctly, but my idea of the API would be similar to build_client_verifier:
from pathlib import Path
from cryptography import x509
trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes())
intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes())
user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes())
builder = x509.verification.PolicyBuilder()
# PolicyBuilder.store() takes a Store object wrapping the trusted certificates
builder = builder.store(x509.verification.Store(trusted_cas))
# optional other steps like builder.time...
# build_smime_verifier is the method proposed in this issue
verifier = builder.build_smime_verifier()
verified_client = verifier.verify(user_cert, intermediates)  # raises VerificationError on failure
Both could probably be useful, but "verify this S/MIME signed content" would not solve the problem of verifying a certificate prior to encrypting a message to its owner. So maybe the Verifier returned by build_smime_verifier could have separate methods for verify_certificate and verify_message?
Ok, I think that was the real high order bit: you've got a use case not addressed by some extension to S/MIME parsing, it really needs the dedicated verifier interface.
On Thu, Dec 5, 2024 at 10:15 AM Patrick Rauscher @.***> wrote:
Both could probably be useful, but "verify this S/MIME signed content" would not solve the problem of verifying a certificate prior to encrypting a message to its owner. So maybe the Verifier returned by build_smime_verifier could have separate methods for verify_certificate and verify_message?