fix: Harden x509 validation & revocation checks

emil-wire · Feb 20, 2024 · 8984fc5 · 8984fc5
1 parent d9891ac
commit 8984fc5
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 12 deletions.
diff --git a/crypto/src/e2e_identity/init_certificates.rs b/crypto/src/e2e_identity/init_certificates.rs
@@ -135,20 +135,17 @@ impl MlsCentral {
     /// # Returns
     /// A [CrlRegistration] with the dirty state of the new CRL (see struct) and its expiration timestamp
     pub async fn e2ei_register_crl(&self, crl_dp: String, crl_der: Vec<u8>) -> CryptoResult<CrlRegistration> {
-        // Parse/decode DER CRL
-        let crl = PkiEnvironment::decode_der_crl(crl_der).map_err(|e| CryptoError::E2eiError(e.into()))?;
-
-        // Validate CRL
-        {
+        // Parse & Validate CRL
+        let crl = {
             let auth_service_arc = self.mls_backend.authentication_service().clone();
             let auth_service = auth_service_arc.borrow()?;
             let Some(pki_env) = auth_service.as_ref() else {
                 return Err(CryptoError::ConsumerError);
             };
             pki_env
-                .validate_crl(&crl)
-                .map_err(|e| CryptoError::E2eiError(e.into()))?;
-        }
+                .validate_crl_with_raw(&crl_der)
+                .map_err(|e| CryptoError::E2eiError(e.into()))?
+        };
 
         let expiration = extract_expiration_from_crl(&crl);
 
@@ -241,7 +238,6 @@ pub mod tests {
         if case.is_x509() {
             run_test_with_client_ids(case.clone(), ["alice"], move |[alice_central]| {
                 Box::pin(async move {
-                    let id = conversation_id();
                     let alice_test_chain = alice_central.x509_test_chain.as_ref().as_ref().unwrap();
                     let alice_ta = alice_test_chain
                         .trust_anchor

diff --git a/crypto/src/test_utils/x509.rs b/crypto/src/test_utils/x509.rs
@@ -240,11 +240,11 @@ impl X509TestChain {
             })
             .collect();
 
-        let local_crl_dp = local_intermediate.crl_dps.first().unwrap().clone();
+        let local_crl_dp = trust_anchor.crl_dps.first().unwrap().clone();
 
-        let crl = local_intermediate
+        let crl = trust_anchor
             .pki_keypair
-            .revoke_certs(&local_intermediate.certificate, revoked_serial_numbers)
+            .revoke_certs(&trust_anchor.certificate, revoked_serial_numbers)
             .unwrap();
 
         crls.insert(local_crl_dp, crl);