Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

properly test build chain call budget #179

Merged
merged 9 commits into from
Sep 19, 2023
Merged

properly test build chain call budget #179

merged 9 commits into from
Sep 19, 2023

Conversation

cpu
Copy link
Member

@cpu cpu commented Sep 15, 2023

Previously (#168) we fixed the test case that used the build_degenerate_chain helper to test the build chain call budget (introduced in #163) by artificially inflating the signature validation limit. This was crummy for a few reasons:

  1. It required faking the budget, both to increase the signature validation limit (to avoid hitting that limit first) and to decrease the build chain call budget (to avoid the test taking ~6s to run).
  2. It didn't demonstrate very well why two separate limits are required, as it gave the sense under normal circumstances the signature validation limit would reject the pathological chain.

This branch reworks build_degenerate_chain so that it can reproduce a pathological chain that only has quadratic runtime prevented by the build chain call budget. E.g. the signature validation limit is not sufficient for this test case. The test demonstrates this with the default budget for both signature validations and build chain calls.

Along the way I did some small refactoring of the test_utils to make it easier to adjust certificate parameters for tests that require that without burdening tests that don't.

@cpu cpu self-assigned this Sep 15, 2023
@cpu
Copy link
Member Author

cpu commented Sep 15, 2023
edited
Loading

For fun (and a warm laptop) you can apply this commit to see the quadratic runtime when the build chain budget is neutered (but the signature validation limit left in-effect). The pathological chain size is also increased for maximum effect.

djc
djc approved these changes Sep 18, 2023
View reviewed changes
src/test_utils.rs Outdated Show resolved Hide resolved
src/test_utils.rs Show resolved Hide resolved
src/verify_cert.rs Show resolved Hide resolved
@cpu
test_utils: alloc feature gate at module level
28aa2ea 
Presently all of the helpers in this module require the `alloc` feature
to be present. Rather than sprinkling the feature requirement on all
members let's just put at the module level. If we add helpers that don't
require `alloc` we can revisit.
@cpu
test_utils: break out issuer CertificateParams
c8374b9 
Rather than having `make_issuer` support all possible parameters as
arguments we should have a helper that provides a base
`CertificateParams` with defaults that are sensible for an issuer, and
then customize it as required.

This commit adds `issuer_params` for generating the base
`rcgen::CertificateParams` for an issuer, and then updates `make_issuer`
to use it.
@cpu
test_utils: rm make_issuer name constraint arg
83cfa2b 
This was only used by one test, and now that there's a convenient way to
get a `rcgen::CertificateParams` that describes sensible issuer defaults
we can use that to customize the name constraints in only that one test,
avoiding passing `None` from many others.
@cpu
test_utils: break out end entity CertificateParams
11c4d09 
This commit updates `make_end_entity` similar to `make_issuer`: there's
a new `end_entity_params` helper that returns sensible default
`rcgen::CertificateParams` for an end-entity certificate when further
customization is helpful, and leaves `make_end_entity` for when any old
`rcgen::Certificate` for an end-entity issued by a specific issuer is
required.
@cpu
end_entity: use test_utils::end_entity_params
83100d9 
The `printable_string_common_name` unit test only needs to customize the
end entity distinguished name, so let's use the new
`test_utils::end_entity_params` fn and only provide that customization.
@cpu
test_utils: unexport RCGEN_SIGNATURE_ALG
7b1c067 
There aren't any consumers outside of the `test_utils` module and now
that we're exposing `rcgen::CertificateParams` it's unlikely there will
be new usages for creating params from scratch. For other use-cases it's
possible to dig the value out of `rcgen::Certificate` and
`rcgen::CertificateParams` instances.
@cpu
verify_cert: fix build_degenerate_chain
4213bba 
This commit updates the `build_degenerate_chain` helper to properly
reproduce the path building complexity budget issue that was reported
upstream in briansmith/webpki. The previous implementation only
reproduced the issue when the signature validation budget was
artificially inflated.

The new formulation is able to reproduce the issue with the default
signature validation budget, and default build chain call budget (and
completes in reasonable time). This better demonstrates the both limits
are needed as its possible to make pathological certificate chains that
avoid the one limit and are caught by the other.
@cpu
verify_cert: rename TrustAnchorIsActualIssuer
0de1705
@cpu
verify_cert: remove unused build_degenerate_chain arg
5575fa2 
The budget argument for `build_degenerate_chain` is no longer necessary.
We always use the default budget with this helper.
@cpu cpu mentioned this pull request Sep 18, 2023
Merged
@cpu
Copy link
Member Author

cpu commented Sep 19, 2023

Going to administratively merge this while the nightly docs & coverage CI is borked pending upstream updates.

@cpu cpu merged commit 429d42d into rustls:main Sep 19, 2023
16 of 23 checks passed
@cpu cpu deleted the cpu-flails branch September 19, 2023 12:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cpu @djc