@scouten-adobe
Collaborator

No description provided.

…ather than a reference

(Supports upcoming work I'm planning around configuring trust for reading CAWG identity assertions.)
@scouten-adobe scouten-adobe self-assigned this Jul 16, 2025
@scouten-adobe
Collaborator Author

This builds on #1238.

@codecov

codecov bot commented Jul 16, 2025

Codecov Report

❌ Patch coverage is 98.01980% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.33%. Comparing base (b5b07ec) to head (1b296eb).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
sdk/src/identity/identity_assertion/assertion.rs 93.75% 1 Missing ⚠️
sdk/src/identity/x509/x509_signature_verifier.rs 98.33% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1239      +/-   ##
==========================================
+ Coverage   78.28%   78.33%   +0.05%     
==========================================
  Files         153      153              
  Lines       39157    39243      +86     
==========================================
+ Hits        30653    30742      +89     
+ Misses       8504     8501       -3     


@scouten-adobe scouten-adobe changed the title feat: Add option for configuring trust when validating identity assertions (CAI-7980) [BLOCKED] feat: Add option for configuring trust when validating identity assertions (CAI-7980) Aug 7, 2025
@scouten-adobe scouten-adobe requested a review from gpeacock August 7, 2025 13:32
@scouten-adobe
Collaborator Author

@gpeacock when you're back, I'll need your advice on how to approach the c2patool tests that I disabled.

Ok(())
}

// DO NOT MERGE with this test disabled. The problem is that the
Contributor

Why not let it fail then to block merging?

// underlying CAWG code now enforces trust list checks on any X.509
// certificate used in an identity assertion. I _think_ this test
// asset uses a test-quality cert and that isn't enabled by default.
// Will need to consult with Gavin on a new fix approach before
Collaborator

I updated this recently. I created it with the cawg_identity example:
cargo r --example cawg_identity tests/fixtures/C.jpg target/C_with_CAWG_data.jpg
It uses test certs like this:
For testing we allow test certs to be in the trust list. Ask Maurice about that.

const CAWG_CERTS: &[u8] = include_bytes!("../../sdk/tests/fixtures/certs/ed25519.pub");
const CAWG_PRIVATE_KEY: &[u8] = include_bytes!("../../sdk/tests/fixtures/certs/ed25519.pem");

@scouten-adobe scouten-adobe changed the title [BLOCKED] feat: Add option for configuring trust when validating identity assertions (CAI-7980) feat: Add option for configuring trust when validating identity assertions (CAI-7980) Aug 14, 2025
let mut passthrough_cap = CertificateTrustPolicy::default();

// allow user EKUs through this check if configured
// TODO: Need to determine if we're using C2PA or CAWG trust config here.
Collaborator

Do you have a different set of EKUs?

@scouten-adobe
Collaborator Author

Per conversation with @gpeacock and @mauricefisher64, this is ready to go once the c2patool issues are resolved. Use --settings (path) in c2patool invocations to pass in the appropriate new settings file.

@scouten-adobe scouten-adobe marked this pull request as ready for review August 14, 2025 21:19
@scouten-adobe scouten-adobe added the check-release Add this label to any PR to invoke a larger suite of tests. label Aug 14, 2025
@scouten-adobe scouten-adobe merged commit b026443 into main Aug 14, 2025
70 of 71 checks passed
@scouten-adobe scouten-adobe deleted the scouten/cai-7980-cawg-trust-config branch August 14, 2025 21:37
@caiopensrc caiopensrc mentioned this pull request Aug 14, 2025
5 participants