certificate verification improvements #1122

mikehelmick · 2020-10-29T03:27:50Z

Proposed Changes

Cache not found issuers the same as found issuers
Give an advisory warning for mismatched audience fields
Prep for next release where audience fields are missing
also, considerably speeds up the pha verify tests by reusing the database for all test cases

Release Note

ATTENTION SERVER OPERATORS:
This release will print ERROR level log messages if there are verification certificates where the issuer matches, but the audience field does not match. In the next release these mismatches will be hard failures. If you find a mismatch, work with your verification server operators to resolve any issues before deploying the release after this one.

sethvargo · 2020-10-29T14:00:41Z

internal/verification/phaverify.go

@@ -94,8 +102,19 @@ func (v *Verifier) VerifyDiagnosisCertificate(ctx context.Context, authApp *aamo
 			return nil, err
 		}

+		if cacheVal == nil {


This should never happen? I don't think we cache nil values.

See line 93 - the primary lookup function can return nil as a valid cached value now
the in memory cache implementation allows it.

internal/verification/phaverify.go

sethvargo

/lgtm

@mikehelmick can you create an issue to remove this in the next release and block it on that milestone so we don't forget?

google-oss-robot · 2020-10-29T20:48:42Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikehelmick, sethvargo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [mikehelmick,sethvargo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

mikehelmick added 2 commits October 28, 2020 20:18

certificate verification improvements

f1dfd24

tidy

5ab3f09

google-oss-robot requested review from jeremyfaller and sethvargo October 29, 2020 03:27

google-oss-robot added the approved Auto: added by prow when enough reviewers approve. label Oct 29, 2020

google-cla bot added the cla: yes Auto: added by CLA bot when all committers have signed a CLA. label Oct 29, 2020

google-oss-robot added the size/M Auto: Medium number of changes. label Oct 29, 2020

sethvargo reviewed Oct 29, 2020

View reviewed changes

add flag guard for aud enforcement

3ba0d0e

google-oss-robot added size/L Auto: large number of changes. and removed size/M Auto: Medium number of changes. labels Oct 29, 2020

mikehelmick added 2 commits October 29, 2020 11:39

fix missed call site

2b26d41

don't use british spellings

c1aa2e8

sethvargo approved these changes Oct 29, 2020

View reviewed changes

google-oss-robot assigned sethvargo Oct 29, 2020

google-oss-robot added the lgtm Auto: added by prown with a reviewer LGTMs label Oct 29, 2020

google-oss-robot merged commit d6b6371 into google:main Oct 29, 2020

github-actions bot locked as resolved and limited conversation to collaborators Oct 30, 2020

mikehelmick deleted the enforceAud branch November 6, 2020 22:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

certificate verification improvements #1122

certificate verification improvements #1122

mikehelmick commented Oct 29, 2020

sethvargo Oct 29, 2020

mikehelmick Oct 29, 2020

sethvargo left a comment

google-oss-robot commented Oct 29, 2020

certificate verification improvements #1122

certificate verification improvements #1122

Conversation

mikehelmick commented Oct 29, 2020

Proposed Changes

sethvargo Oct 29, 2020

Choose a reason for hiding this comment

mikehelmick Oct 29, 2020

Choose a reason for hiding this comment

sethvargo left a comment

Choose a reason for hiding this comment

google-oss-robot commented Oct 29, 2020