Closed Bug 1709291 Opened 3 years ago Closed 3 years ago

Add high level API to verify a whole certificate chain and signature

Categories

(NSS :: Libraries, enhancement, P1)

3.66
enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: leplatrem, Assigned: keeler)

Details

Attachments

(1 file)

In order to unify our bespoke implementations of signature verification across our products, we could benefit from having a high-level API that would be in charge of:

  • parse the PEM
  • verify the chain of trust (validity, signature, root hash)
  • verify the content signature

Input parameters could be:

  • PEM bytes
  • SHA fingerprint of root certificate
  • Subject alternative name
  • Message bytes
  • Signature bytes
  • Seconds since Unix Epoch (used for before/after validity, clock skew included)
Assignee: nobody → dkeeler
Severity: -- → N/A
Status: NEW → ASSIGNED
Priority: -- → P1

In case folks are interested, we recently merged some code that is our stop gap until this work is ready. That PR is here: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/993

We want to handle the networking side of things in our own app so we handle getting the data from the x5u url.

We then want to pass that information on and:

  • verify the chain
  • verify the root hash
  • verify the leaf cert (which we do by matching the subject common name)
  • verify the content signature

For our stop gap we're using the ParseChain and Verify methods from https://pkg.go.dev/github.com/mozilla-services/autograph/verifier/contentsignature.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Version: trunk → 3.66
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: