FR: Allow verification of SMIME-Certificates #12104
Comments
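Just to note it here: The probably only difference between `Policy.client` and a possible `Policy.smime` would probably be to use `EKU_EMAIL_PROTECTION_OID` instead of `EKU_CLIENT_AUTH_OID`.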
I think we'd generally be in favor of this, with the first step being to
figure out the API.
…On Thu, Dec 5, 2024 at 4:46 AM Patrick Rauscher ***@***.***> wrote:
Just to note it here: The probably only difference between Policy.client
and a possible Policy.smime would probably be to use
EKU_EMAIL_PROTECTION_OID instead of EKU_CLIENT_AUTH_OID.
--
All that is necessary for evil to succeed is for good people to do nothing.
Not sure if I understand you correctly, but my idea of the API would be similar to `build_client_verifier`:
```python
from pathlib import Path
from cryptography import x509
trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes())
intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes())
user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes())
builder = x509.verification.PolicyBuilder()
builder = builder.store(trusted_cas)
# optional other steps like builder.time...
verifier = builder.build_smime_verifier()
verified_client = verifier.verify(user_cert, intermediates)  # or raise VerificationError
```
Sorry, I guess I wanted to take a step back and contemplate: Is the
right API an SMIME cert verifier, or is it "verify this S/MIME signed
content"?
…On Thu, Dec 5, 2024 at 9:39 AM Patrick Rauscher ***@***.***> wrote:
Not sure if I understand you correctly, but my idea of the API would be similar to `build_client_verifier`:
```python
from pathlib import Path
from cryptography import x509
trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes())
intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes())
user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes())
builder = x509.verification.PolicyBuilder()
builder = builder.store(trusted_cas)
# optional other steps like builder.time...
verifier = builder.build_smime_verifier()
verified_client = verifier.verify(user_cert, intermediates)  # or raise VerificationError
```
Both could probably be useful, but "verify this S/MIME signed content" would not solve the problem to verify a certificate prior to encrypting a message to its owner. So maybe the Verifier returned by `build_smime_verifier` could have separate methods for `verify_certificate` and `verify_message`?
Ok, I think that was the real high order bit: you've got a use case not
addressed by some extension to S/MIME parsing, it really needs the
dedicated verifier interface.
…On Thu, Dec 5, 2024 at 10:15 AM Patrick Rauscher ***@***.***> wrote:
Both could probably be useful, but "verify this S/MIME signed content"
would not solve the problem to verify a certificate prior to encrypting a
message to its owner. So maybe the Verifier returned by
build_smime_verifier could have separate methods for verify_certificate
and verify_message?
Since cryptography supports signing and encrypting mails for smime, there should be an (easy) way to verify smime-certificates before using in encryption.
This is possibly a duplicate of #11165, which would allow custom extension policies. For SMIME-Support it probably would be sufficient to add something like `build_smime_verifier`. `build_client_verifier` cannot be used since it requires `clientAuth` Extended Key Usage.
As #11165 is already there, one discussion here could be whether a "quick access" `build_smime_verifier` is wanted or not. I believe implementing this feature would be fairly straightforward (and obviously simpler than crafting an API for custom EKU validation). Also I believe it would be beneficial for "common" use cases to provide pre-configured verifiers to avoid each user having to copy-paste validation code (and making mistakes in the process).