Validate #247

Merged
merged 39 commits into from
Jun 12, 2024

@Adamk93 Adamk93 commented May 23, 2024

It passes tests on the server side.
Tests on:

  • Structural wellformedness of the chain;
  • Date validity;
  • Certificates not in the CRLs declared in the chain;
    These tests test the 2 different combos of inputs:
  • Only certificates unique identifiers
  • Only certificates
  • with and without data
  • Chain partially stored on the KMS, meaning that the rest are provided as an input (Vector of certificates).

On the client side I am not very sure how to do it. Anyway, if you could give me a hint, that would be a big plus.

@Adamk93 Adamk93 requested review from bgrieder and Manuthor May 23, 2024 12:16
@Adamk93 Adamk93 requested a review from tbrezot May 23, 2024 12:16
) -> Result<Validate, KmipError> {
let certificates = {
if certificates.is_empty() {
None
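
Review bot: at `if certificates.is_empty() { None`, an empty input is turned into `None` with no comment explaining why. Add a comment stating what `None` means for the resulting `Validate` request as opposed to an empty list, or keep the vector as it is if the two are meant to be equivalent.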
Contributor

What are the semantics of this option? Isn't the empty vector enough?

Contributor Author

Idk I prefer to deal with Option. I can change if you don't really like it

Contributor

As you prefer. IMHO, an empty collection is what you want: you can then iterate on it without handling the None case.

Adamk93 commented Jun 12, 2024

@tbrezot @Manuthor I think the PR is ready. If you've other comments, please do.

Co-authored-by: Manuthor <32013169+Manuthor@users.noreply.github.com>
@Manuthor Manuthor merged commit 260196a into develop Jun 12, 2024
33 of 38 checks passed
@Manuthor Manuthor deleted the validate branch June 12, 2024 13:02
@itchenrenfu

How to use GUI Certificate validate?

@Manuthor
Contributor

Hello,
The certificate chain must be given either using unique identifiers or DER string arrays, or both eventually (as specified in https://docs.oasis-open.org/kmip/kmip-spec/v2.0/os/kmip-spec-v2.0-os.html#_Toc6497577).
But for simplicity, I would recommend only using unique identifiers to give all certificates of the chain in the Validate operation (ids of root, intermediate and leaf certificates, for example).
In the 4.17.0 KMS server version, validation of certificates is a bit restrictive (a self-signed certificate cannot be validated, for example).

About your certificate, can you confirm the certificate behind your id is DER encoded (not PEM)? The OpenSSL error gives a format problem.
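
The reply above asks whether the stored certificate is DER encoded rather than PEM. As an added example (not part of this thread or of the project's code), here is one way to tell the two apart before import and to strip PEM armor down to DER. The function names and the sample bytes are assumptions made for the illustration, and the check is structural only.

```rust
// Added example, std only. Structural check, not X.509 parsing or validation.
#[derive(Debug, PartialEq)]
pub enum Encoding { Der, Pem, Unknown }

const PEM_BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const PEM_END: &str = "-----END CERTIFICATE-----";
const B64: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// True when `b` is exactly one SEQUENCE (0x30) whose definite length covers all remaining bytes.
pub fn is_single_der_sequence(b: &[u8]) -> bool {
    if b.len() < 2 || b[0] != 0x30 { return false; }
    let (len, hdr) = match b[1] {
        n if n < 0x80 => (n as usize, 2),
        0x80 => return false, // indefinite length is BER, never DER
        n => {
            let k = (n & 0x7f) as usize;
            if k > 4 || b.len() < 2 + k { return false; }
            (b[2..2 + k].iter().fold(0usize, |a, &x| (a << 8) | x as usize), 2 + k)
        }
    };
    hdr.checked_add(len) == Some(b.len())
}

pub fn classify(b: &[u8]) -> Encoding {
    if is_single_der_sequence(b) { return Encoding::Der; }
    match std::str::from_utf8(b) {
        Ok(s) if s.trim_start().starts_with(PEM_BEGIN) => Encoding::Pem,
        _ => Encoding::Unknown,
    }
}

/// Strips the PEM armor, decodes the base64 body and returns the DER bytes.
pub fn pem_to_der(pem: &str) -> Option<Vec<u8>> {
    let body = pem.trim().strip_prefix(PEM_BEGIN)?.strip_suffix(PEM_END)?;
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in body.bytes().filter(|c| !c.is_ascii_whitespace() && *c != b'=') {
        let v = B64.iter().position(|&x| x == c)? as u32; // None on a non-base64 byte
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    if is_single_der_sequence(&out) { Some(out) } else { None }
}

fn main() {
    // Constructed sample: SEQUENCE { INTEGER 5 } in PEM armor, not a real certificate.
    let pem = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";
    println!("{:?} -> {:?}", classify(pem.as_bytes()), pem_to_der(pem));
}
```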

@itchenrenfu

Hello,
Does AES support rotation?
