feat(pki): Allow to verify a certificate against trusted roots

Author: FirelightFlagboy

.cspell/custom-words.txt

@@ -184,6 +184,7 @@ orgname
 parsecdoc
 patchelf
 pdflatex
+peekable
 pemfile
 pems
 perflint

Cargo.lock

@@ -23,6 +23,7 @@ libparsec_types = { workspace = true }
 # Use to decode subject & issuer fields of used x509 certificate.
 x509-cert = { workspace = true, features = ["std"] }
 log = { workspace = true, features = ["kv"] }
+chrono = { workspace = true }
 
 [target.'cfg(target_os = "windows")'.dependencies]
 schannel = { workspace = true }

libparsec/crates/platform_pki/Cargo.toml

@@ -56,6 +56,8 @@ $CAParam = @{
     NotAfter = (Get-Date).AddHours(24)
     # We cannot add it directly to `CA` store as the command only allow for `My` store
     CertStoreLocation = 'Cert:\CurrentUser\My'
+    # Use RSA-PSS-SHA256 over RSASSA-SHA256 for signature
+    AlternateSignatureAlgorithm = $true
 }
 $test_ca = New-SelfSignedCertificate @CAParam
 
@@ -79,6 +81,8 @@ $SharedUserCertificate = @{
     NotBefore = $test_ca.NotBefore
     NotAfter = $test_ca.NotAfter
     CertStoreLocation = 'Cert:\CurrentUser\My'
+    # Use RSA-PSS-SHA256 over RSASSA-SHA256 for signature
+    AlternateSignatureAlgorithm = $true
 }
 
 echo "Create certificate 'cert:\CurrentUser\My\test_ca_alice'"

libparsec/crates/platform_pki/examples/init_windows_credstore.ps1

@@ -1,24 +1,20 @@
 // Parsec Cloud (https://parsec.cloud) Copyright (c) BUSL-1.1 2016-present Scille SAS
 #![allow(clippy::unwrap_used)]
 
-use libparsec_platform_pki::{list_trusted_root_certificate_der, x509};
-use x509_cert::der::{DecodeValue, Header, SliceReader, Tag};
+mod utils;
+
+use libparsec_platform_pki::list_trusted_root_certificate_anchor;
 
 fn main() -> anyhow::Result<()> {
     env_logger::init();
-    let roots = list_trusted_root_certificate_der()?;
+    let roots = list_trusted_root_certificate_anchor()?;
 
     println!("Found {} trusted roots", roots.len());
 
     for (i, anchor) in roots.iter().enumerate() {
         println!(
-            "Root Certificate #{i} subject: {:?}",
-            x509_cert::name::Name::decode_value(
-                &mut SliceReader::new(&anchor.subject).unwrap(),
-                Header::new(Tag::Sequence, anchor.subject.len()).unwrap()
-            )
-            .map(x509::extract_dn_list_from_rnd_seq)
-            .unwrap_or_default()
+            "Root Certificate #{i} subject={}",
+            utils::display_x509_raw_name(anchor.subject.as_ref())
         );
         println!(
             "  raw subject: {}",

libparsec/crates/platform_pki/examples/list_trusted_roots.rs

@@ -7,8 +7,9 @@ use clap::{
     builder::{NonEmptyStringValueParser, TypedValueParser},
     error::{Error, ErrorKind},
 };
-use libparsec_platform_pki::Certificate;
+use libparsec_platform_pki::{x509::DistinguishedNameValue, Certificate};
 use libparsec_types::X509CertificateHash;
+use x509_cert::der::{DecodeValue, Header, SliceReader, Tag};
 
 #[derive(Debug, Clone)]
 pub struct CertificateSRIHashParser;
@@ -98,3 +99,44 @@ impl CertificateOrRef {
         Ok(cert)
     }
 }
+
+/// Used to display x509 certificate subject and issuer field
+// Not all examples need to display x509 name
+#[allow(dead_code)]
+pub fn display_x509_raw_name(raw_name: &[u8]) -> impl std::fmt::Display {
+    struct DisplayName(Vec<DistinguishedNameValue>);
+
+    impl std::fmt::Display for DisplayName {
+        fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+            write!(f, "{:?}", self.0)
+        }
+    }
+
+    let components = x509_cert::name::Name::decode_value(
+        &mut SliceReader::new(raw_name).unwrap(),
+        Header::new(Tag::Sequence, raw_name.len()).unwrap(),
+    )
+    .map(libparsec_platform_pki::x509::extract_dn_list_from_rnd_seq)
+    .unwrap_or_default();
+
+    DisplayName(components)
+}
+
+// Not all example need to display a x509 cert
+#[allow(dead_code)]
+pub fn display_cert<'der>(cert: &'der webpki::Cert<'der>) -> impl std::fmt::Display + use<'der> {
+    struct DisplayCert<'der>(&'der webpki::Cert<'der>);
+
+    impl<'der> std::fmt::Display for DisplayCert<'der> {
+        fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+            write!(
+                f,
+                "subject={subject}, issuer={issuer}",
+                subject = display_x509_raw_name(self.0.subject()),
+                issuer = display_x509_raw_name(self.0.issuer())
+            )
+        }
+    }
+
+    DisplayCert(cert)
+}

libparsec/crates/platform_pki/examples/utils/mod.rs

@@ -0,0 +1,58 @@
+// Parsec Cloud (https://parsec.cloud) Copyright (c) BUSL-1.1 2016-present Scille SAS
+#![allow(clippy::unwrap_used)]
+
+mod utils;
+
+use anyhow::Context;
+use clap::Parser;
+use libparsec_platform_pki::{list_trusted_root_certificate_anchor, verify_certificate};
+use libparsec_types::DateTime;
+
+#[derive(Debug, Parser)]
+struct Args {
+    #[command(flatten)]
+    cert: utils::CertificateOrRef,
+}
+
+pub fn main() -> anyhow::Result<()> {
+    let args = Args::parse();
+    println!("args={args:?}");
+
+    let trusted_roots =
+        list_trusted_root_certificate_anchor().context("Cannot list trusted root certificates")?;
+    let untrusted_certificate = args
+        .cert
+        .get_certificate()
+        .context("Cannot get certificate")?;
+
+    let end_cert = untrusted_certificate
+        .into_end_certificate()
+        .context("Invalid certificate")?;
+    println!("Untrusted certificate: {}", utils::display_cert(&end_cert));
+
+    let path = verify_certificate(
+        &end_cert,
+        &trusted_roots,
+        &[],
+        DateTime::now(),
+        webpki::KeyUsage::client_auth(),
+    )
+    .context("Cannot trust certificate")?;
+
+    println!("trusted path:");
+    println!(
+        "  root: subject={}",
+        utils::display_x509_raw_name(&path.anchor().subject)
+    );
+    let mut intermediate = path.intermediate_certificates().enumerate().peekable();
+    if intermediate.peek().is_some() {
+        println!("  intermediate certificates:");
+        for (i, cert) in intermediate {
+            println!("  {:02}. {}", i + 1, utils::display_cert(cert));
+        }
+    }
+    let trusted_cert = path.end_entity();
+    println!("  leaf: {}", utils::display_cert(trusted_cert));
+
+    Ok(())
+}

libparsec/crates/platform_pki/examples/verify_certificate.rs

@@ -44,4 +44,10 @@ error_set::error_set! {
         InvalidPemContent(rustls_pki_types::pem::Error)
     }
     CreateLocalPendingError := EncryptMessageError
+    VerifyCertificateError := {
+        #[display("Time out of valid range: {0}")]
+        DateTimeOutOfRange(chrono::OutOfRangeError),
+        #[display("The provided certificate cannot be trusted: {0}")]
+        Untrusted(webpki::Error),
+    }
 }

libparsec/crates/platform_pki/src/errors.rs

@@ -35,7 +35,7 @@ mod platform {
         unimplemented!("platform not supported")
     }
 
-    pub fn list_trusted_root_certificate_der(
+    pub fn list_trusted_root_certificate_anchor(
     ) -> Result<Vec<rustls_pki_types::TrustAnchor<'static>>, ListTrustedRootCertificatesError> {
         unimplemented!("platform not supported")
     }
@@ -112,7 +112,7 @@ pub struct CertificateDer {
 }
 
 pub use errors::ListTrustedRootCertificatesError;
-pub use platform::list_trusted_root_certificate_der;
+pub use platform::list_trusted_root_certificate_anchor;
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum SignatureAlgorithm {
@@ -176,3 +176,6 @@ pub use errors::CreateLocalPendingError;
 pub use shared::create_local_pending;
 
 pub use platform::is_available;
+
+pub use errors::VerifyCertificateError;
+pub use shared::verify_certificate;

libparsec/crates/platform_pki/src/lib.rs

@@ -1,25 +1,19 @@
 // Parsec Cloud (https://parsec.cloud) Copyright (c) BUSL-1.1 2016-present Scille SAS
 
+mod signature_verification;
+
 use crate::{
     encrypt_message,
-    errors::{InvalidPemContent, VerifySignatureError},
+    errors::{InvalidPemContent, VerifyCertificateError, VerifySignatureError},
+    shared::signature_verification::{RsassaPssSha256SignatureVerifier, SUPPORTED_SIG_ALGS},
     EncryptedMessage, SignatureAlgorithm,
 };
 use libparsec_types::{
     DateTime, EnrollmentID, LocalPendingEnrollment, ParsecPkiEnrollmentAddr,
     PkiEnrollmentSubmitPayload, PrivateParts, SecretKey, X509CertificateReference,
 };
-use rsa::{
-    pkcs1,
-    pss::{Signature, VerifyingKey},
-    signature::Verifier,
-    RsaPublicKey,
-};
-use rustls_pki_types::{
-    pem::PemObject, CertificateDer, InvalidSignature, SignatureVerificationAlgorithm,
-};
-use sha2::Sha256;
-use webpki::{EndEntityCert, Error as WebPkiError};
+use rustls_pki_types::{pem::PemObject, CertificateDer, TrustAnchor};
+use webpki::{EndEntityCert, Error as WebPkiError, KeyUsage};
 
 pub struct Certificate<'a> {
     internal: CertificateDer<'a>,
@@ -43,6 +37,10 @@ impl<'a> Certificate<'a> {
     pub fn into_owned(&self) -> Certificate<'static> {
         Certificate::new(self.internal.clone().into_owned())
     }
+
+    pub fn into_end_certificate(&self) -> Result<EndEntityCert<'_>, WebPkiError> {
+        EndEntityCert::try_from(&self.internal)
+    }
 }
 
 impl Certificate<'static> {
@@ -80,50 +78,6 @@ pub fn verify_message<'message>(
         })
 }
 
-#[derive(Debug)]
-struct RsassaPssSha256SignatureVerifier;
-
-impl SignatureVerificationAlgorithm for RsassaPssSha256SignatureVerifier {
-    fn verify_signature(
-        &self,
-        public_key: &[u8],
-        message: &[u8],
-        signature: &[u8],
-    ) -> Result<(), InvalidSignature> {
-        // Webpki already checked that the key part correspond to an RSA public key.
-        //
-        // We are not using `pkcs8::DecodePublicKey::from_public_key_der` as
-        // `public_key` is already the unwrapped key from the `subjectPublicKeyInfo` structure
-        // which it's the expected data from the above method.
-        //
-        // Instead, we use `pkcs1::RsaPublicKey::try_from(&[u8])` which only expect the key element
-        // (without the algorithm identifier).
-        let pubkey = pkcs1::RsaPublicKey::try_from(public_key)
-            .map_err(|_| InvalidSignature)
-            // But `rsa` does not provide a conversion between the `pkcs1` and its `RsaPublicKey`, so
-            // we need to perform the manual conversion
-            .and_then(|pubkey| {
-                let n = rsa::BigUint::from_bytes_be(pubkey.modulus.as_bytes());
-                let e = rsa::BigUint::from_bytes_be(pubkey.public_exponent.as_bytes());
-                RsaPublicKey::new(n, e).map_err(|_| InvalidSignature)
-            })?;
-        let verifying_key = VerifyingKey::<Sha256>::new(pubkey);
-
-        let signature = Signature::try_from(signature).map_err(|_| InvalidSignature)?;
-        verifying_key
-            .verify(message, &signature)
-            .map_err(|_| InvalidSignature)
-    }
-
-    fn public_key_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier {
-        rustls_pki_types::alg_id::RSA_ENCRYPTION
-    }
-
-    fn signature_alg_id(&self) -> rustls_pki_types::AlgorithmIdentifier {
-        rustls_pki_types::alg_id::RSA_PSS_SHA256
-    }
-}
-
 pub fn create_local_pending(
     cert_ref: &X509CertificateReference,
     addr: ParsecPkiEnrollmentAddr,
@@ -152,3 +106,31 @@ pub fn create_local_pending(
     };
     Ok(local_pending)
 }
+
+pub fn verify_certificate<'der>(
+    certificate: &'der EndEntityCert<'der>,
+    trusted_roots: &'der [TrustAnchor<'_>],
+    intermediate_certs: &'der [CertificateDer<'der>],
+    now: DateTime,
+    key_usage: KeyUsage,
+) -> Result<webpki::VerifiedPath<'der>, VerifyCertificateError> {
+    let time = rustls_pki_types::UnixTime::since_unix_epoch(
+        now.duration_since_unix_epoch()
+            .map_err(VerifyCertificateError::DateTimeOutOfRange)?,
+    );
+    certificate
+        .verify_for_usage(
+            SUPPORTED_SIG_ALGS,
+            trusted_roots,
+            intermediate_certs,
+            time,
+            key_usage,
+            // TODO: Build the revocation options from a CRLS
+            // webpki::RevocationOptionsBuilder require a non empty list, for now we provide None
+            // instead
+            None,
+            // We do not have additional constrain to reject a valid path.
+            None,
+        )
+        .map_err(VerifyCertificateError::Untrusted)
+}