Enforce maximum signature count #273
[`git cherry-pick f0259b9`, merged by Brian Smith.] Crate-internal consumers of `build_chain` always pass `0` as the sub CA count, only the `verify_cert.rs` internal recursion changes this parameter. This commit separates the external interface from the internal recursion to remove one extra parameter from an already complicated interface.
Codecov Report

```text
@@            Coverage Diff             @@
##             main     #273      +/-   ##
==========================================
- Coverage   57.13%   50.62%   -6.52%
==========================================
  Files          18       18
  Lines        2326     3751    +1425
==========================================
+ Hits         1329     1899    +570
- Misses        997     1852    +855
```

... and 3 files with indirect coverage changes
This looks good to me. Thank you!
The change to the error handling you called out seems like a sensible way to address the needs of the fix without breaking the Error compatibility guarantees in this release stream.
Cherry-picked from e473ee1 and modified by Brian Smith. The main modifications were:

1. Maintain API compatibility with webpki 0.22.0.
2. (In `build_chain_inner`), stop immediately on fatal error, without considering any more paths. The point of having such fatal errors is to fail ASAP and avoid unneeded work in the failure case.
3. The test uses rcgen which requires Rust 1.67.0 or later. (I don't think the non-test MSRV of webpki changes though.)

The original commit message is below:

Pathbuilding complexity can be quadratic, particularly when the set of intermediates all have subjects matching a trust anchor. In these cases we need to bound the number of expensive signature validation operations that are performed to avoid a DoS on CPU usage. This commit implements a simple maximum signature check limit inspired by the approach taken in the Golang x509 package. No more than 100 signatures will be evaluated while pathbuilding. This limit works in practice for Go when processing real world certificate chains and so should be appropriate for our use case as well.
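The budgeted path building described in the commit message above, as an added toy example that is not webpki's own code: certificates are modelled as subject/issuer/key identifiers, a signature "verifies" only when the issuer's key id matches, the external `build_chain` hides the sub-CA count from callers, and exhausting the 100-signature budget is a fatal error that stops the search at once instead of trying further paths. The `Budget` and `Cert` types and all names are my own assumptions.

```rust
// Added example, not webpki's code: a toy path builder with the signature budget the PR describes.
// A signature "verifies" iff the issuer's key_id equals the cert's sig_key_id (no real crypto here).
#[derive(Debug, PartialEq)]
pub enum Error { UnknownIssuer, BadSignature, MaximumSignatureChecksExceeded }
#[derive(Clone, Copy)]
pub struct Cert { pub subject: &'static str, pub issuer: &'static str, pub key_id: &'static str, pub sig_key_id: &'static str }
const MAX_SUB_CA_COUNT: usize = 6; // depth bound on the recursion
const MAX_SIGNATURE_CHECKS: usize = 100; // the limit the PR adopts from Go's x509
pub struct Budget { signatures: usize }
impl Budget {
    pub fn new() -> Self { Budget { signatures: MAX_SIGNATURE_CHECKS } }
    pub fn remaining(&self) -> usize { self.signatures }
    fn consume_signature(&mut self) -> Result<(), Error> {
        self.signatures = self.signatures.checked_sub(1).ok_or(Error::MaximumSignatureChecksExceeded)?;
        Ok(())
    }
}

/// External interface: the sub-CA count always starts at 0, so it is not a parameter.
pub fn build_chain(anchors: &[Cert], intermediates: &[Cert], leaf: Cert, budget: &mut Budget) -> Result<(), Error> {
    build_chain_inner(anchors, intermediates, &[leaf], 0, budget)
}

/// `path` is leaf-first; its last element is the cert whose issuer is being sought.
/// Budget exhaustion is fatal: it is returned at once and no further paths are tried.
fn build_chain_inner(anchors: &[Cert], intermediates: &[Cert], path: &[Cert], sub_ca_count: usize, budget: &mut Budget) -> Result<(), Error> {
    let cert = path[path.len() - 1];
    let mut last_err = Error::UnknownIssuer;
    for anchor in anchors.iter().filter(|a| a.subject == cert.issuer) {
        let r = check_signed_chain(path, anchor, budget);
        if r.is_ok() || r == Err(Error::MaximumSignatureChecksExceeded) { return r; }
        last_err = r.unwrap_err(); // non-fatal: remember it and keep looking
    }
    if sub_ca_count >= MAX_SUB_CA_COUNT { return Err(last_err); }
    for issuer in intermediates.iter().filter(|c| c.subject == cert.issuer) {
        let longer: Vec<Cert> = path.iter().chain(std::iter::once(issuer)).copied().collect();
        let r = build_chain_inner(anchors, intermediates, &longer, sub_ca_count + 1, budget);
        if r.is_ok() || r == Err(Error::MaximumSignatureChecksExceeded) { return r; }
        last_err = r.unwrap_err();
    }
    Err(last_err)
}

/// Reaching an anchor means checking every signature on the path, leaf first; each costs one unit.
fn check_signed_chain(path: &[Cert], anchor: &Cert, budget: &mut Budget) -> Result<(), Error> {
    for (i, cert) in path.iter().enumerate() {
        let issuer_key = path.get(i + 1).map_or(anchor.key_id, |c| c.key_id);
        budget.consume_signature()?;
        if cert.sig_key_id != issuer_key { return Err(Error::BadSignature); }
    }
    Ok(())
}
```

With twenty bogus intermediates that all carry the anchor's subject and share one key, the search would otherwise revisit them at every depth; the budget turns that into a prompt `MaximumSignatureChecksExceeded`.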
See the individual commit messages.