Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Maintain context for key usage mismatch errors #337

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Maintain context for key usage mismatch errors #337

wants to merge 1 commit into from
+111 −22

Conversation

djc
Copy link
Member

@djc djc commented Mar 27, 2025

No description provided.

@djc djc requested review from cpu and ctz March 27, 2025 12:44
@djc djc force-pushed the eku-not-found-context branch from 88559a5 to ff5f073 Compare March 27, 2025 12:44
@codecov Codecov
Copy link

codecov bot commented Mar 27, 2025

Codecov Report

Attention: Patch coverage is 43.33333% with 17 lines in your changes missing coverage. Please review.

Project coverage is 97.55%. Comparing base (ab50614) to head (ff5f073).

Files with missing lines Patch % Lines
src/verify_cert.rs 41.37% 17 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #337      +/-   ##
==========================================
- Coverage   97.76%   97.55%   -0.22%     
==========================================
  Files          20       20              
  Lines        4343     4369      +26     
==========================================
+ Hits         4246     4262      +16     
- Misses         97      107      +10

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

djc
djc commented Mar 27, 2025
View reviewed changes
src/verify_cert.rs
///
/// The contents of this type depend on whether the `alloc` feature is enabled.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct RequiredEkuNotFoundContext {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've fiddled with this a fair bunch. The challenge here is that most of the internals of KeyUsage are private API.

  • KeyUsage (the public API surface) also represents the Required vs RequiredIfPresent dichotomy, which is relevant for required but not for present so much.
  • Internally we currently use KeyPurposeId which uses an internal Input (which means the only way to make it 'static is with a '&static [u8] which isn't feasible here).
  • We might want to represent EKU_CLIENT_AUTH and EKU_SERVER_AUTH in a way that are actually usable with the public API, which is KeyUsage::client_auth() and KeyUsage::server_auth(), and represent other OIDs in a somewhat readable representation.

cpu
cpu approved these changes Mar 28, 2025
View reviewed changes
tests/client_auth.rs
Comment on lines +67 to +79
let err = check_cert(ee, ca).unwrap_err();
assert_eq!(
err,
webpki::Error::RequiredEkuNotFoundContext(RequiredEkuNotFoundContext {
required: KeyUsage::client_auth(),
present: vec![vec![43, 6, 1, 5, 5, 7, 3, 1]],
})
);

assert_eq!(
format!("{err}"),
"RequiredEkuNotFoundContext(RequiredEkuNotFoundContext { required: KeyUsage { inner: RequiredIfPresent(KeyPurposeId { oid_value: Input }) }, present: [[43, 6, 1, 5, 5, 7, 3, 1]] })"
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes need to be made in the Python test generator code. Right now CI is flagging the diff that results from regenerating.

src/error.rs
@@ -141,8 +143,13 @@ pub enum Error {

/// The certificate is not valid for the Extended Key Usage for which it is
/// being validated.
#[deprecated(since = "0.103.2", note = "use RequiredEkuNotFoundContext instead")]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a Cargo.toml commit to the branch that bumps the version to 0.103.2 ?

src/verify_cert.rs
@@ -485,18 +501,38 @@ impl ExtendedKeyUsage {
let input = match (input, self) {
(Some(input), _) => input,
(None, Self::RequiredIfPresent(_)) => return Ok(()),
(None, Self::Required(_)) => return Err(Error::RequiredEkuNotFound),
(None, Self::Required(_)) => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

codecov is flagging missing coverage for L505..512 - that seems worth having IMO.

@djc
Copy link
Member Author

djc commented Mar 28, 2025

I think we should probably figure out the rustls part of this before we merge/release it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpu cpu cpu approved these changes

@ctz ctz Awaiting requested review from ctz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@djc @cpu