-
Notifications
You must be signed in to change notification settings - Fork 553
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify embedded SCTs #1731
Verify embedded SCTs #1731
Conversation
Thanks for getting this started! |
566c421
to
5f39c86
Compare
@mattmoor - I'm getting depcheck failures due a logging framework being pulled in with Trillian. I think you originally added the depcheck. Do you have concerns about this being removed? |
ace5b8c
to
62af999
Compare
Codecov Report
@@ Coverage Diff @@
## main #1731 +/- ##
==========================================
+ Coverage 30.13% 30.86% +0.72%
==========================================
Files 143 144 +1
Lines 8607 8778 +171
==========================================
+ Hits 2594 2709 +115
- Misses 5712 5740 +28
- Partials 301 329 +28
Continue to review full report at Codecov.
|
@haydentherapper The history here is that |
I suspect the Honestly, the Trillian / certificate-transparency-go dependency graph is a nightmare, so if we can factor out the pieces we need from there into their own module without these dependencies, everyone downstream of them (and us) will have a much better time. I was just talking to @dlorenc about this yesterday because I was battling its dependency graph which pulls in a fairly old version of |
and
|
Thanks for the context, I'll take a look at pulling out what we need.
This is what was used previously without issue. I added |
62af999
to
96e6d93
Compare
Excellent, got it working! I don't love this approach, but I made a copy of two files that we rely on, to avoid pulling in the rest of the package (I'll copy in the tests too). Any concerns with this approach? |
8fa13d6
to
944ddb1
Compare
PR is ready to go! |
Added a flag to enforce an SCT on verification. This defaults to not requiring the SCT to not break existing clients. |
71fb752
to
26f873f
Compare
Any comments @bobcallaway @asraa? |
This adds support for verifying SCTs embedded in certificates in addition to being detached. Embedded SCTs will be verified while parsing the certificate on verification (for verify, verify-blob, and verify-attestation), and on signing if a certificate chain is provided. Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
e71c9ac
to
ac2b0af
Compare
@dlorenc I think this is ready to go! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nicely done!
* Add verification for embedded SCTs This adds support for verifying SCTs embedded in certificates in addition to being detached. Embedded SCTs will be verified while parsing the certificate on verification (for verify, verify-blob, and verify-attestation), and on signing if a certificate chain is provided. Signed-off-by: Hayden Blauzvern <[email protected]> * Add policy flag to enforce SCT Signed-off-by: Hayden Blauzvern <[email protected]> * Added comment for imported package Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden Blauzvern [email protected]
Summary
This adds support for verifying SCTs embedded in certificates in
addition to being detached. Embedded SCTs will be verified while parsing
the certificate on verification (for verify, verify-blob, and
verify-attestation), on signing if a certificate chain is provided, and on signing
when a certificate is returned from Fulcio.
This also includes a policy flag to enforce an embedded SCT.
This maintains support for verifying detached SCTs.
Verified this is working with:
Ticket Link
Fixes #1730
Release Note