-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UI: catch error when verifying certificates with unsupported signature algorithms #21926
UI: catch error when verifying certificates with unsupported signature algorithms #21926
Conversation
ui/app/utils/parse-pki-cert.js
Outdated
// ed25519 is an unsupported signature algorithm | ||
// catch the error and instead check the AKID (authority key ID) includes the SKID (subject key ID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should i move this comment to the catch block? 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think moving it makes sense!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the quick turnaround! Just one small change, otherwise looks good (and thanks for the test!)
I think maybe we could also add one more acceptance test ensuring that viewing a ed25519
issuer renders fine on the page
try { | ||
// ed25519 is an unsupported signature algorithm | ||
// catch the error and instead check the AKID (authority key ID) includes the SKID (subject key ID) | ||
return await child.verify(parent); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't need await
here, we can just return child.verify
directly and even remove async
on the method since we're just returning the promise
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't hit the error block without the await 🤔
Build Results: |
const skidExtension = parent.extensions.find((ext) => ext.extnID === OTHER_OIDs.subject_key_identifier); | ||
const akidExtension = parent.extensions.find((ext) => ext.extnID === OTHER_OIDs.authority_key_identifier); | ||
const skid = new Uint8Array(skidExtension.parsedValue.valueBlock.valueHex); | ||
const akid = new Uint8Array(akidExtension.extnValue.valueBlock.valueHex); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wanna add the note about why we did this? :-)
SKID is just the byte array of the key identifier, but AKID is a SEQUENCE-type extension which does include the key identifier but also potentially includes other information. This saves us a parse of AKID and is unlikely to return false-positives.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes! I was going to consult you about how to concisely explain :) thank you!
// catch the error and instead check the AKID (authority key ID) includes the SKID (subject key ID) | ||
return await child.verify(parent); | ||
} catch (error) { | ||
const skidExtension = parent.extensions.find((ext) => ext.extnID === OTHER_OIDs.subject_key_identifier); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do think there's some (imported) certificates this could fail on due to them not conforming with RFC 5280; do we want to safe-guard this if there's a missing SKID or AKID extension? I think failing and returning false
is fine here, IMO? At worse we have a false-negative, which should be less likely than the false-positive case if we return true
.
Or, do the plumbing to make this return an unknown status, which seems like more work than its worth, tbh (since that's what this exception was doing, technically, and would mean handling that).
Just some thoughts :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that's a good idea, will return false
as a fallback
CI Results: All Go tests passed! ✅ |
The pki.js library doesn't support the
ed25519
key type source code so ourverify()
function was failing when checking whether or not a certificate is a root.This wraps the verify function in a
try...catch
so if the verify function fails, we instead check the authority key ID includes the signature key ID.