Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FR: Allow verification of SMIME-Certificates #12104

Open
prauscher opened this issue Dec 5, 2024 · 6 comments
Open

FR: Allow verification of SMIME-Certificates #12104

prauscher opened this issue Dec 5, 2024 · 6 comments

Comments

@prauscher
Copy link
Contributor

Since cryptography supports signing and encrypting mails for smime, there should be an (easy) way to verify smime-certificates before using in encryption.
This is possibly a duplicate of #11165, which would allow custom extension policys. For SMIME-Support it probably would be sufficient to add something like build_smime_verifier. build_client_verifier cannot be used since it requires clientAuth Extended Key Usage.

As #11165 is already there, one discussion here could be weather a "quick access" build_smime_verifier is wanted or not. I believe implementing this feature would be fairly straightforward (and obviously simplier than crafting an API for custom EKU validation). Also I believe it would be beneficiary for "common" use cases to provide pre-configured verifiers to avoid each user having to copy-paste validation code (and making misstakes in the process).

@prauscher
Copy link
Contributor Author

Just to note it here: The probably only difference between Policy.client and a possible Policy.smime would probably be to use EKU_EMAIL_PROTECTION_OID instead of EKU_CLIENT_AUTH_OID.

@alex
Copy link
Member

alex commented Dec 5, 2024 via email

@prauscher
Copy link
Contributor Author

Not sure if I understand you correctly, but my Idea of the API would be similar to build_client_verifier:

from pathlib import Path
from cryptography import x509
trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes())
intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes())
user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes())

builder = x509.verification.PolicyBuilder()
builder = builder.store(trusted_cas)
# optional other steps like builder.time...
verifier = builder.build_smime_verifier()
verified_client = verifier.verify(user_cert, intermediates)  # or raise VerificationError

@alex
Copy link
Member

alex commented Dec 5, 2024 via email

@prauscher
Copy link
Contributor Author

Both could probably be useful, but "verify this S/MIME signed content" would not solve the problem to verify a certificate prior to encrypting a message to its owner. So maybe the Verifier returned by build_smime_verifier could have separate methods for verify_certificate and verify_message?

@alex
Copy link
Member

alex commented Dec 5, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

2 participants