FR: Allow verification of SMIME-Certificates #12104
Comments
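Just to note it here: The probably only difference between `Policy.client` and a possible `Policy.smime` would probably be to use `EKU_EMAIL_PROTECTION_OID` instead of `EKU_CLIENT_AUTH_OID`.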
I think we'd generally be in favor of this, with the first step being to
figure out the API.
…On Thu, Dec 5, 2024 at 4:46 AM Patrick Rauscher ***@***.***> wrote:
Just to note it here: The probably only difference between Policy.client
and a possible Policy.smime would probably be to use
EKU_EMAIL_PROTECTION_OID instead of EKU_CLIENT_AUTH_OID.
--
All that is necessary for evil to succeed is for good people to do nothing.
Not sure if I understand you correctly, but my idea of the API would be similar to `build_client_verifier`:

```python
from pathlib import Path
from cryptography import x509

trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes())
intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes())
user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes())

builder = x509.verification.PolicyBuilder()
builder = builder.store(trusted_cas)
# optional other steps like builder.time...
verifier = builder.build_smime_verifier()
verified_client = verifier.verify(user_cert, intermediates)  # or raise VerificationError
```
Sorry, I guess I wanted to take a step back and contemplate: Is the
right API an SMIME cert verifier, or is it "verify this S/MIME signed
content"?
…On Thu, Dec 5, 2024 at 9:39 AM Patrick Rauscher ***@***.***> wrote:
Not sure if I understand you correctly, but my Idea of the API would be similar to build_client_verifier:
from pathlib import Path
from cryptography import x509
trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes())
intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes())
user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes())
builder = x509.verification.PolicyBuilder()
builder = builder.store(trusted_cas)
# optional other steps like builder.time...
verifier = builder.build_smime_verifier()
verified_client = verifier.verify(user_cert, intermediates) # or raise VerificationError
Both could probably be useful, but "verify this S/MIME signed content" would not solve the problem to verify a certificate prior to encrypting a message to its owner. So maybe the Verifier returned by `build_smime_verifier` could have separate methods for `verify_certificate` and `verify_message`?
Ok, I think that was the real high order bit: you've got a use case not
addressed by some extension to S/MIME parsing, it really needs the
dedicated verifier interface.
…On Thu, Dec 5, 2024 at 10:15 AM Patrick Rauscher ***@***.***> wrote:
Both could probably be useful, but "verify this S/MIME signed content"
would not solve the problem to verify a certificate prior to encrypting a
message to its owner. So maybe the Verifier returned by
build_smime_verifier could have separate methods for verify_certificate
and verify_message?
Since cryptography supports signing and encrypting mails for smime, there should be an (easy) way to verify smime-certificates before using in encryption.

This is possibly a duplicate of #11165, which would allow custom extension policies. For SMIME-Support it probably would be sufficient to add something like `build_smime_verifier`. `build_client_verifier` cannot be used since it requires `clientAuth` Extended Key Usage.

As #11165 is already there, one discussion here could be whether a "quick access" `build_smime_verifier` is wanted or not. I believe implementing this feature would be fairly straightforward (and obviously simpler than crafting an API for custom EKU validation). Also I believe it would be beneficial for "common" use cases to provide pre-configured verifiers to avoid each user having to copy-paste validation code (and making mistakes in the process).