Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

verification/policy: make subject optional internally #10335

Merged
merged 1 commit into from
Feb 3, 2024
Merged

verification/policy: make subject optional internally #10335

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion src/rust/cryptography-x509-verification/src/policy/extension.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -304,7 +304,11 @@ pub(crate) mod ee {
};

let san: SubjectAlternativeName<'_> = extn.value()?;
if !policy.subject.matches(&san) {
if !policy
.subject
.as_ref()
.map_or_else(|| false, |sub| sub.matches(&san))
{
Comment on lines +307 to +311
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NB: This fails closed if the surrounding Policy doesn't have a configured subject. AFAICT this is the only reasonable behavior, since the SAN extension verifier here only makes sense when a subject is supplied by the user.

(In the context of a new ClientVerifier API, we'll need a different SAN extension verifier.)

return Err(ValidationError::Other(
"leaf certificate has no matching subjectAltName".into(),
));
Expand Down
4 changes: 2 additions & 2 deletions src/rust/cryptography-x509-verification/src/policy/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,7 +208,7 @@ pub struct Policy<'a, B: CryptoOps> {

/// A subject (i.e. DNS name or other name format) that any EE certificates
/// validated by this policy must match.
pub subject: Subject<'a>,
pub subject: Option<Subject<'a>>,

/// The validation time. All certificates validated by this policy must
/// be valid at this time.
Expand Down Expand Up @@ -245,7 +245,7 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
Self {
ops,
max_chain_depth: max_chain_depth.unwrap_or(DEFAULT_MAX_CHAIN_DEPTH),
subject,
subject: Some(subject),
validation_time: time,
extended_key_usage: EKU_SERVER_AUTH_OID.clone(),
minimum_rsa_modulus: WEBPKI_MINIMUM_RSA_MODULUS,
Expand Down
Loading