Update Mozilla SPKI and SignatureAlgorithm encoding lints#950
Update Mozilla SPKI and SignatureAlgorithm encoding lints#950christopher-henderson merged 8 commits intozmap:masterfrom
Conversation
christopher-henderson
left a comment
christopher-henderson
left a comment
There was a problem hiding this comment.
Thank you @digirenpeter! The implementation of this lint is one of the more esoteric ones, so I appreciate you doing the legwork to find all of the correct encodings.
The linter is complaining that it doesn't like the new else block due to cyclomatic complexity.
I believe that the following annotation on the Execute method should convince the linter to calm down.
//nolint:nestif
func (l *ecdsaSignatureAidEncoding) Execute(c *x509.Certificate) *lint.LintResult {| const maxP256SigByteLen = 72 | ||
| // len <= 2+2+2+49+49 (= 104) | ||
| const maxP384SigByteLen = 104 | ||
| // len <= 2+2+2+67+67 (= 140) |
There was a problem hiding this comment.
It took me a bit to confirm this, which means it took you longer than that to write it 😆 thank you!
|
Could I propose a change? I suggest adding an IneffectiveDate (i.e., the point in time when P-521 becomes allowed) to the old lints, and duplicating the PR implementation into new lints with an EffectiveDate (i.e., when P-521 becomes allowed). This way, we can avoid false negatives for P-521 certificates issued before that date. While this approach duplicates some code, I believe it is the simplest way to address the issue. We could also keep the new implementation and set the date when P-521 becomes allowed as the EffectiveDate. If linting older certificates is not required, this approach would work as well. I suppose this touches on a more general issue with linting: if only forward linting is needed, then this solution should suffice. However, if retrospective linting is also necessary, then the first proposal would address that. Any thoughts? |
|
@mtgag In the old version the policy had this line (It still does, but just for Curve25519 and 448):
So I would argue that the lint was being overly strict before by returning an error for P-521. In this case I think it's fine for this specific lint to be forward linting, since before it should've probably been returning a warning for P-521. |
The original lint refers to version 2.7 of the Mozilla policy (see: https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md#512-ecdsa). In my opinion, either option 1, adding MozillaPolicy30Date as the ineffective date to the original lint and moving the PR implementation to a new lint with MozillaPolicy30Date as its effective date, or option 2, simply updating the effective date of the new lint to MozillaPolicy30Date, reflects the situation more accurately than option 3, which updates the implementation while keeping the original MozillaPolicy27Date. |
|
I see what you mean, I'll update the effective date. |
|
Howdy @digirenpeter, it looks like you went with @mtgag thank you for chiming in! Does the change now reflect your vision? |
|
That's right, I feel like option 2 is the cleanest, but I'm open to option 3 if people feel strongly enough about it. |
Yes, option 2 is perfectly fine. |
3 participants
It looks like Mozilla updated their Root Store policy to allow for P-521 so I'm updating the 2 related Mozilla lints.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#5-certificates
Updated SPKI section:
Updated SignatureAlgorithm section: