Comments (4)
One absolutely MUST NOT treat an end-entity certificate as a TrustAnchor
, because a TrustAnchor is trusted for issuing other certificates; i.e. a TrustAnchor is a "root CA" and so it would be trusted to issue certificates for other websites. The way to implement "certificate error overrides" and TOFU and similar is NOT to do anything with TrustAnchor
.
To further clarify, constructing a TrustAnchor
from a self-signed certificate for the purpose of "accepting self-signed certificates" is absolutely NOT a safe way to implement such things.
from webpki.
Any time you are thinking of using "self-signed certificate" or "end-entity certificate" and TrustAnchor
together, you are almost surely on the verge of something that is very dangerous. webpki (and similar things, AFAICT) does not provide any facilities for helping with self-signed certificates or certificate error overrides.
from webpki.
"Trust anchor" is defined in RFC 5280, in https://datatracker.ietf.org/doc/html/rfc5280#section-6.1.1 and other parts.
from webpki.
Any time you are thinking of using "self-signed certificate" or "end-entity certificate" and TrustAnchor together, you are almost surely on the verge of something that is very dangerous. webpki (and similar things, AFAICT) does not provide any facilities for helping with self-signed certificates or certificate error overrides.
What would be your recommendation for webpki users who want to use TOFU approaches for their app or similar?
Maybe if the Certificate is found as user-added exception, they should skip doing the verify_is_valid_tls_server_cert
check and only do verify_is_valid_for_dns_name
and verify_signature
? Is there a security benefit for such users in not doing verify_is_valid_tls_server_cert
?
from webpki.
Related Issues (20)
- Version 0.22.0 is not pushed / tagged HOT 4
- Help debugging an UnknownIssuer error in PyOxidizer HOT 2
- Wrong license identification on crates.io breaks guix importer HOT 3
- Make it easy to make test cases for PR authors
- Provide an extensible and usable configuration API HOT 3
- From here forward, use git tags for all releases
- Export fields of `cert::Cert` - get certificate alt names
- Is there a version of webpki that builds with ring version "0.17.0-not-released-yet" HOT 2
- Deviations from RFC5280
- Rustls is unable to handle TLS certificates with IP addresses in SAN DNS names HOT 6
- Would be helpful to have support for unrecognized extensions
- TLS error: webpki error: UnsupportedCriticalExtension HOT 1
- Err(UnknownIssuer) occurred when verifying certificate chain HOT 1
- Handling of certificate revocation lists (CRLs)
- Question about BadDer(DNS name) HOT 2
- v1 Certs not being supported? HOT 1
- Support anyPolicy Certificate Policy
- Archive the repository HOT 2
- verify cert run long time when given one faked cert with large intermediate_certs that can't be verified by any anchors HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webpki.