Skip to content

refactor: implement match the same for all pkeys #5224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 2, 2025
Merged

refactor: implement match the same for all pkeys #5224

merged 1 commit into from
Apr 2, 2025
+317 −275

Conversation

lrstewart
Copy link
Contributor

Release Summary:

Resolved issues:

related to #5149

Description of changes:

Step one of cleaning up the legacy pkey logic: move the match method out of the individual pkey implementations and into the main shared logic. match should always be implemented the same, rather than each implementation re-writing the same sign/verify logic.

Call-outs:

RSA-PSS was doing some additional validation, not just sign/verify. However, I don't believe that logic is necessary if we're going to sign/verify anyway. Seems unnecessary. But let me know if you think I'm missing something that makes it necessary / useful.

Testing:

Added a new unit test. Future PRs will add more tests to the new s2n_pkey_test file.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Mar 28, 2025
lrstewart
lrstewart commented Mar 28, 2025
View reviewed changes
tests/unit/s2n_cert_chain_and_key_load_test.c
Copy link
Contributor Author

@lrstewart lrstewart Mar 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't a new test, I just renamed it. Previously this test was called s2n_pkey_test. I can't seem to communicate that to github :(

This test does technically test s2n_pkey_match, but in a non-obvious way. s2n_cert_chain_and_key_load_pem calls s2n_pkey_match while loading the certificate. But since this is a unit test, we should really be calling s2n_pkey_match directly. What if we changed the implementation of s2n_cert_chain_and_key_load_pem so that s2n_pkey_match isn't called?

I renamed this test rather than delete it bc I don't think it's doing any harm, but I can always just delete it instead.

@lrstewart lrstewart force-pushed the openssl3fips_evp_3c_1 branch 2 times, most recently from 03e1e9a to f38bc40 Compare March 28, 2025 01:02
@lrstewart lrstewart force-pushed the openssl3fips_evp_3c_1 branch from f38bc40 to df618e2 Compare March 28, 2025 01:05
@lrstewart lrstewart marked this pull request as ready for review March 28, 2025 10:27
@lrstewart lrstewart mentioned this pull request Mar 28, 2025
Merged
@lrstewart lrstewart added this pull request to the merge queue Apr 1, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 1, 2025
@lrstewart lrstewart added this pull request to the merge queue Apr 1, 2025
Merged via the queue into aws:main with commit eca2a8e Apr 2, 2025
45 checks passed
@lrstewart lrstewart deleted the openssl3fips_evp_3c_1 branch April 2, 2025 00:42
@BrewTestBot BrewTestBot mentioned this pull request Apr 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmayclin jmayclin jmayclin approved these changes

@boquan-fang boquan-fang boquan-fang approved these changes

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lrstewart @jmayclin @boquan-fang