Implement IP address validation #260

Open: wants to merge 7 commits into main
Commits on Oct 9, 2022

  1. Implement IP address validation

    Introduce `IpAddressRef`, `DnsNameOrIpRef` and the owned type
    `IpAddress`.
    
    Introduce a new public function `verify_is_valid_for_dns_name_or_ip`
    that validates a given host name or IP address against a
    certificate. IP addresses are only compared against Subject
    Alternative Names.
    
    It's possible to convert the already existing types `DnsNameRef` and
    `IpAddressRef` into a `DnsNameOrIpRef` for better ergonomics when
    calling to `verify_cert_dns_name_or_ip`.
    
    The behavior of `verify_cert_dns_name` has not been altered, and works
    in the same way as it has done until now, so that if `webpki` gets
    bumped as a dependency, it won't start accepting certificates that
    would have been rejected until now without notice.
    
    Neither `IpAddressRef`, `DnsNameOrIpRef` nor `IpAddress` can be
    instantiated directly. They must be instantiated through the
    `try_from_ascii` and `try_from_ascii_str` public functions. This
    ensures that instances of these types are correct by construction.
    
    IPv6 addresses are only validated and supported in their uncompressed
    form.
    
    Signed-off-by: Rafael Fernández López <ereslibre@ereslibre.es>
    ereslibre committed Oct 9, 2022
    ccc6426
  2. Fix panic in ipv4 validation

    current_textual_octet is [u8; 3] but it was indexed by an
    unbounded count of octets if they matched 1..9.
    ctz authored and ereslibre committed Oct 9, 2022
    6477d82
  3. ipv6: allow upper case hex

    rfc5952 says both are allowed.
    ctz authored and ereslibre committed Oct 9, 2022
    7bb2899
  4. Add basic tests for ipv4/ipv6 SANs

    ctz authored and ereslibre committed Oct 9, 2022
    f285cd2
  5. textual_octets_to_octet: simplify and satisfy clippy

    Seems better to convert from ascii to radix-10 at the time that is
    known, rather than doing that validation twice (and skipping a digit
    as an error handling strategy).
    ctz authored and ereslibre committed Oct 9, 2022
    542ab4d
  6. Add name.rs to package

    ctz authored and ereslibre committed Oct 9, 2022
    036fdfa
  7. Appease clippy explicit-auto-deref

    ctz authored and ereslibre committed Oct 9, 2022
    61cd0b2
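
An added example, not code from this pull request or from webpki: strict textual IP parsing of the kind the commit messages above describe (bounded IPv4 octets, hex in either case, IPv6 in uncompressed form only), compared against the raw octets of a SAN iPAddress entry. Every type and function name is hypothetical; rejecting leading zeros in IPv4 octets and accepting 1-4 hex digits per IPv6 group are assumptions of this example.

```rust
#[derive(Debug, PartialEq)]
pub struct InvalidIp; // hypothetical error type; no name here is webpki's API

/// Strict dotted-decimal IPv4: exactly four octets of 1-3 digits, each <= 255.
pub fn parse_ipv4(input: &[u8]) -> Result<[u8; 4], InvalidIp> {
    let mut out = [0u8; 4];
    let mut parts = input.split(|&b| b == b'.');
    for slot in out.iter_mut() {
        let part = parts.next().ok_or(InvalidIp)?;
        // Bound the digit count first, so an over-long octet is an error
        // rather than an index past a fixed three-digit buffer.
        if part.is_empty() || part.len() > 3 { return Err(InvalidIp); }
        if part.len() > 1 && part[0] == b'0' { return Err(InvalidIp); } // assumption
        let mut value: u16 = 0;
        for &b in part {
            if !b.is_ascii_digit() { return Err(InvalidIp); }
            value = value * 10 + u16::from(b - b'0');
        }
        if value > 255 { return Err(InvalidIp); }
        *slot = value as u8;
    }
    if parts.next().is_some() { Err(InvalidIp) } else { Ok(out) }
}

/// Uncompressed IPv6: eight ':'-separated hex groups; "::" yields an empty group.
pub fn parse_ipv6_uncompressed(input: &[u8]) -> Result<[u8; 16], InvalidIp> {
    let mut out = [0u8; 16];
    let mut parts = input.split(|&b| b == b':');
    for pair in out.chunks_mut(2) {
        let part = parts.next().ok_or(InvalidIp)?;
        if part.is_empty() || part.len() > 4 { return Err(InvalidIp); }
        let mut value: u16 = 0;
        for &b in part {
            let digit = (b as char).to_digit(16).ok_or(InvalidIp)?; // 0-9, a-f, A-F
            value = (value << 4) | digit as u16;
        }
        pair.copy_from_slice(&value.to_be_bytes());
    }
    if parts.next().is_some() { Err(InvalidIp) } else { Ok(out) }
}

/// Compare a textual reference with the raw octets of a SAN iPAddress entry.
pub fn ip_matches_san(reference: &[u8], san: &[u8]) -> bool {
    match san.len() {
        4 => parse_ipv4(reference).map_or(false, |ip| &ip[..] == san),
        16 => parse_ipv6_uncompressed(reference).map_or(false, |ip| &ip[..] == san),
        _ => false,
    }
}

fn main() { assert!(ip_matches_san(b"192.0.2.1", &[192, 0, 2, 1])); } // constructed sample
```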