Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add IssuerAuth, MdocAuth, ReaderAuth checks #75

Merged
merged 13 commits into from
Dec 20, 2024
Merged

Add IssuerAuth, MdocAuth, ReaderAuth checks #75

merged 13 commits into from
Dec 20, 2024

Conversation

justAnIdentity
Copy link
Contributor

@justAnIdentity justAnIdentity commented Nov 22, 2023

This PR adds support for the mdoc holder to validate the ReaderAuth, and the mdoc reader to validate the mdoc auth and issuer auth.

Remaining outstanding work items:

  • Check CRL of DS and IACA certificates.
  • Check CRL/OCSP for reader and reader CA certificates.
  • Add support for producing ReaderAuth secured document requests.
  • Add support for key curves other than P-256.
  • Perform validation of particular mDL attributes (e.g. country name matches certificate).

Copy link
Contributor

@cobward cobward left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Preliminary suggestions to improve the code. I think we need a couple of iterations to make this clearer. Since this is very security sensitive code it is really important that it is obvious what it is doing, it is easy to follow, and it is well documented. That way we can have confidence that it is implemented correctly.

To that effect encapsulating code so that we don't have multi-hundred line validation functions, and adding lots of comments would be very welcome.

src/issuance/x5chain.rs Outdated Show resolved Hide resolved
src/issuance/x5chain.rs Outdated Show resolved Hide resolved
src/issuance/x5chain.rs Outdated Show resolved Hide resolved
src/presentation/mdoc_auth.rs Outdated Show resolved Hide resolved
src/presentation/reader.rs Outdated Show resolved Hide resolved
src/presentation/trust_anchor.rs Outdated Show resolved Hide resolved
src/presentation/trust_anchor.rs Outdated Show resolved Hide resolved
src/presentation/reader.rs Outdated Show resolved Hide resolved
src/presentation/reader.rs Outdated Show resolved Hide resolved
src/presentation/trust_anchor.rs Outdated Show resolved Hide resolved
@sbihel sbihel changed the title Feat/mdoc auth Add mDoc auth and iaca validation Nov 27, 2023
src/definitions/x509/extensions.rs Outdated Show resolved Hide resolved
src/definitions/x509/error.rs Outdated Show resolved Hide resolved
src/definitions/x509/extensions.rs Outdated Show resolved Hide resolved
src/definitions/x509/extensions.rs Outdated Show resolved Hide resolved
src/definitions/x509/mod.rs Outdated Show resolved Hide resolved
src/definitions/x509/x5chain.rs Outdated Show resolved Hide resolved
src/definitions/x509/x5chain.rs Outdated Show resolved Hide resolved
src/presentation/reader.rs Outdated Show resolved Hide resolved
src/presentation/reader.rs Outdated Show resolved Hide resolved
src/presentation/reader.rs Outdated Show resolved Hide resolved
@justAnIdentity justAnIdentity changed the title Add mDoc auth and iaca validation Add mDoc auth Reader auth Mar 25, 2024
author Arjen van Veen <arjen.van.veen@spruceid.com> 1701187280 +0100
committer Arjen van Veen <arjen.van.veen@spruceid.com> 1717744754 +0200

refactor for readability WIP

clean up comments and duplicates

clean up, add some comments

cargo fmt

clippy fix

fmt

assert on tests

address pr comments

refactor handle_response to return a validated_response, submit parsing and decryption errors under errors

support creating a trust_anchor_registry from pem strings

Fix x5chain encoding.

X5Chain decoding fixes and version checking

Improve reader validation code.

- Also add a CLI tool for validating issuer certificates.

Fix public key parsing

Feat/reader auth cn (#79)

* rebase onto feat/mdoc-auth

* rebase and use mdoc-auth functions

* wip experiment with cert building

* small clean up

* Fix inconsistency. (#78)

* validated request improvements

---------

Co-authored-by: Jacob <jacob.ward@spruceid.com>

remove duplicate code

clippy fix
Ryanmtate and others added 2 commits November 16, 2024 12:14
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
Co-authored-by: Jacob <jacob.ward@spruceid.com>
Signed-off-by: Ryan Tate <ryan.tate@spruceid.com>
- Moved and renamed to 'src/presentation/authentication'.
- Added doc comments.
- Removed 'decryption' and 'parsing' from ResponseAuthenticationOutcome,
  as these are errors, not part of validating the response.
Copy link
Contributor

@cobward cobward left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wrapping up this work, just need a bit of help from @justAnIdentity on identifying these TODOs

src/presentation/authentication/mdoc.rs Outdated Show resolved Hide resolved
src/definitions/x509/extensions.rs Outdated Show resolved Hide resolved
src/definitions/x509/trust_anchor.rs Outdated Show resolved Hide resolved
* Remove unnecessary TODO regarding 18013-7: work will be underway soon.
* Remove unnecessary TODO regarding reader certificate checks - already
  implemented.
* Ensure that all critical extensions are checked and understood.
Refactored the x5chain validation code to help debug an issue with the
chain validation. Added an e2e positive test for DS->IACA validation.
@cobward cobward changed the title Add mDoc auth Reader auth Add IssuerAuth, MdocAuth, ReaderAuth checks. Dec 18, 2024
@cobward cobward changed the title Add IssuerAuth, MdocAuth, ReaderAuth checks. Add IssuerAuth, MdocAuth, ReaderAuth checks Dec 18, 2024
src/definitions/x509/validation/extensions/mod.rs Outdated Show resolved Hide resolved
"CrlDistributionPoints"
}

fn validate(&self, extension: &Extension) -> Vec<Error> {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not 100% that I'm fully following the entire flow, but I think you should still check here that the CrlDistributionPoint extension is marked as non-critical.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is that the critical flag indicates that the consumer MUST understand the extension, otherwise it should fail the transaction. In these cases, the 18013-5 spec says that these extensions shall not be critical. But from a practical perspective we do understand these extensions, so I don't think it matters whether or not the extension is actually marked as critical. I'm leaning more toward a slightly more permissive implementation in cases where security isn't impacted, rather than strictly enforcing every requirement.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see what you mean. My point of view is that since this is open source, developers may use this to validate their own certificates' iso compliance and this still leaves some room for them to do it incorrectly. Not a hill I'd die on though.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. We probably want a "strict" mode and "permissive" mode to allow for that as we've discussed before. I think that's out of the scope of this work, but I'll make sure we have a task that captures this.

}

fn validate(&self, extension: &Extension) -> Vec<Error> {
let bytes = extension.extn_value.as_bytes();
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same here. IAN should never be critical, so you could check here that it's not set as critical.

}

fn validate(&self, extension: &Extension) -> Vec<Error> {
let bytes = extension.extn_value.as_bytes();
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

non-critical check here too

@cobward cobward merged commit b3a0317 into main Dec 20, 2024
1 check passed
@cobward cobward deleted the feat/mdoc-auth branch December 20, 2024 13:26
@cobward cobward restored the feat/mdoc-auth branch December 20, 2024 13:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants