Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for custom cert validation #332

Open
ggwpez opened this issue Dec 18, 2024 · 1 comment
Open

Support for custom cert validation #332

ggwpez opened this issue Dec 18, 2024 · 1 comment

Comments

@ggwpez
Copy link

ggwpez commented Dec 18, 2024
edited
Loading

Hey I needed a way to inspect a cert before accepting a connection and implemented it on this fork by adding four things:

  • Always include QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED and QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION into the CredConfig returned by parse_verify_options.
  • Send an event ATOM_PEER_CERT_RECEIVED to the connection owner in handle_connection_event_peer_certificate_received to notify them of a received cert.
  • Added function complete_cert_validation2(conn, bool) to accept / reject an inbound cert.
  • Changed handle_connection_event_peer_certificate_received to return QUIC_STATUS_PENDING instead of success.

This makes it possible to asynchronously inspect a cert and accept or reject it before the connection is established (possibly also interesting for @danicuki).

Do you think this is generally the right direction? The parse_verify_options would probably need to have some arguments changed to make it possible to indicate the custom cert checking instead of always enabling it. And I would do some other cleanups.
@qzhuyan
Copy link
Collaborator

qzhuyan commented Dec 19, 2024
edited
Loading

Great! thanks! Yes I think it is right direction! PR is welcomed!

just some thoughts listed below:

  • Always include QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED and QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION into the CredConfig returned by parse_verify_options.

YES, we could do that now but perfer to make it configurable later
(to set QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED).

  • Send an event ATOM_PEER_CERT_RECEIVED to the connection owner in handle_connection_event_peer_certificate_received to notify them of a received cert.

YES.
About the cert itself, it is unnecessary be included in the message, we already store it in the c_ctx->peer_cert, we could use quicer:peercert/1 to read it because there is usecase if when the system is overloaded we could close it directly.
if you want to include the peer cert in the message, pls make it configurable.

  • Added function complete_cert_validation2(conn, bool) to accept / reject an inbound cert.

YES

  • Changed handle_connection_event_peer_certificate_received to return QUIC_STATUS_PENDING instead of success.

YES.
I think we still need to conditionally return QUIC_STATUS_PENDING or QUIC_STATUS_SUCCESS for different usecases.

This makes it possible to asynchronously inspect a cert and accept or reject it before the connection is established (possibly also interesting for @danicuki).

Do you think this is generally the right direction? The parse_verify_options would probably need to have some arguments changed to make it possible to indicate the custom cert checking instead of always enabling it. And I would do some other cleanups.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@qzhuyan @ggwpez