Support custom certificate verification #326

Closed
Demi-Marie opened this issue Jan 16, 2020 · 5 comments · Fixed by #332

Comments

@Demi-Marie

This is needed for libp2p, among other uses.

@ghedo
Member

ghedo commented Jan 16, 2020

Can you please provide more details of what is needed? Can't promise it will be implemented, but knowing what's needed would help.

@Demi-Marie
Author

libp2p needs complete control of the certificate verification process. Certificates used in libp2p have a bespoke critical extension, which contains both the peer’s identity key and a signature (of the certificate’s key) by the corresponding secret key. The data in the extension must be made available to the application. All libp2p certificates are self-signed.

Ideally, the only checks that quiche would make are that the certificate is syntactically valid, that its self-signature is valid (if needed for security), and that its public key matches the signature made during the handshake. libp2p will handle verifying that the certificate is correct for the peer.

ghedo added a commit that referenced this issue Jan 22, 2020
@ghedo
Member

ghedo commented Jan 22, 2020

@demimarie-parity I made #332 to let applications see the peer's leaf certificate (as a DER blob). You can then disable certificate verification using config.verify_peer(false), and use the new API to get the certificate and do your own verification.

How does that sound?
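The application-side step this comment leaves to the caller, as an added example that is not part of quiche or of this thread: once built-in verification is switched off and the peer's leaf certificate is obtained as a DER blob, the application has to locate the bespoke extension itself. The walker below is a standalone Rust snippet with no quiche dependency; the OID (1.3.6.1.4.1.99999.1), the skeletal sample certificate and its payload are constructed placeholders, and the signature checks the issue mentions (self-signature, extension signature over the certificate key) are deliberately out of scope here.

```rust
// DER TLV reader: (tag, content, rest). want = 0 accepts any tag; long-form lengths up to 2 bytes; indefinite length is not DER.
fn tlv(b: &[u8], want: u8) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, r) = b.split_first()?;
    let (&l0, r) = r.split_first()?;
    if want != 0 && tag != want { return None; }
    let (len, r) = if l0 < 0x80 { (l0 as usize, r) } else {
        let n = (l0 & 0x7f) as usize;
        if n == 0 || n > 2 || r.len() < n { return None; }
        (r[..n].iter().fold(0, |a, &x| (a << 8) | x as usize), &r[n..])
    };
    if r.len() < len { return None; }
    Some((tag, &r[..len], &r[len..]))
}
// Walk Certificate -> TBSCertificate -> [3] Extensions; return (critical, extnValue) for `oid`, None if absent or malformed.
pub fn find_extension(cert_der: &[u8], oid: &[u8]) -> Option<(bool, Vec<u8>)> {
    let (_, cert, _) = tlv(cert_der, 0x30).filter(|t| t.2.is_empty())?; // bytes after the certificate: reject
    let (_, mut cur, _) = tlv(cert, 0x30)?;             // TBSCertificate
    let exts = loop {                                   // skip version, serial, sigalg, issuer, validity, subject, spki
        let (tag, body, rest) = tlv(cur, 0)?;
        if tag == 0xA3 { break body; }                  // [3] EXPLICIT Extensions
        cur = rest;
    };
    let (_, mut list, _) = tlv(exts, 0x30)?;
    while !list.is_empty() {
        let (_, ext, rest) = tlv(list, 0x30)?;
        let (_, id, r) = tlv(ext, 0x06)?;               // extnID OBJECT IDENTIFIER
        let (critical, r) = match tlv(r, 0)? {          // BOOLEAN critical DEFAULT FALSE
            (0x01, flag, after) => (flag == [0xff], after),
            _ => (false, r),
        };
        let (_, value, _) = tlv(r, 0x04)?;              // extnValue OCTET STRING
        if id == oid { return Some((critical, value.to_vec())); }
        list = rest;
    }
    None
}
// Minimal DER encoder, used only to build the constructed sample below.
pub fn der(tag: u8, body: &[u8]) -> Vec<u8> {
    let n = body.len();
    let len = if n < 0x80 { vec![n as u8] } else if n < 0x100 { vec![0x81, n as u8] } else { vec![0x82, (n >> 8) as u8, n as u8] };
    [vec![tag], len, body.to_vec()].concat()
}
// Constructed sample: skeletal v3 certificate with one extension under a placeholder OID (not libp2p's) whose 200-byte dummy payload exercises long-form lengths.
pub const SAMPLE_OID: &[u8] = &[0x2b, 0x06, 0x01, 0x04, 0x01, 0x86, 0x8d, 0x1f, 0x01];
pub fn sample_cert(critical: bool) -> Vec<u8> {
    let ext = der(0x30, &[der(0x06, SAMPLE_OID), if critical { der(0x01, &[0xff]) } else { Vec::new() }, der(0x04, &[0xab; 200])].concat());
    let empty = der(0x30, &[]);                         // stands in for sigalg, issuer, validity, subject, spki
    let tbs = [der(0xA0, &der(0x02, &[2])), der(0x02, &[1]), empty.repeat(5), der(0xA3, &der(0x30, &ext))].concat();
    der(0x30, &[der(0x30, &tbs), empty, der(0x03, &[0])].concat())
}
```

With quiche's own verification disabled nothing else rejects the peer, so a missing certificate, a None from this walker, or an extension that is present but not marked critical should each be treated as a failed handshake.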

@ghedo
Member

ghedo commented Jan 28, 2020

@demimarie-parity ping?

@Demi-Marie
Author

@ghedo That works, thanks!
