FR: Allow verification of SMIME-Certificates

[prauscher]

Since cryptography supports signing and encrypting mails for smime, there should be an (easy) way to verify smime-certificates before using in encryption.
This is possibly a duplicate of #11165, which would allow custom extension policys. For SMIME-Support it probably would be sufficient to add something like build_smime_verifier. build_client_verifier cannot be used since it requires clientAuth Extended Key Usage.

As #11165 is already there, one discussion here could be weather a "quick access" build_smime_verifier is wanted or not. I believe implementing this feature would be fairly straightforward (and obviously simplier than crafting an API for custom EKU validation). Also I believe it would be beneficiary for "common" use cases to provide pre-configured verifiers to avoid each user having to copy-paste validation code (and making misstakes in the process).

[prauscher]

Just to note it here: The probably only difference between Policy.client and a possible Policy.smime would probably be to use EKU_EMAIL_PROTECTION_OID instead of EKU_CLIENT_AUTH_OID.

[alex]

I think we'd generally be in favor of this, with the first step being to figure out the API.

…

On Thu, Dec 5, 2024 at 4:46 AM Patrick Rauscher ***@***.***> wrote: Just to note it here: The probably only difference between Policy.client and a possible Policy.smime would probably be to use EKU_EMAIL_PROTECTION_OID instead of EKU_CLIENT_AUTH_OID. — Reply to this email directly, view it on GitHub <#12104 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBFBBLJZC5DJCL7VSZT2EAOFXAVCNFSM6AAAAABTCBLCFKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMJZG44DCOJZGI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[prauscher]

Not sure if I understand you correctly, but my Idea of the API would be similar to build_client_verifier:

from pathlib import Path
from cryptography import x509
trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes())
intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes())
user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes())

builder = x509.verification.PolicyBuilder()
builder = builder.store(trusted_cas)
# optional other steps like builder.time...
verifier = builder.build_smime_verifier()
verified_client = verifier.verify(user_cert, intermediates)  # or raise VerificationError

[alex]

Sorry, I guess I wanted to take a step back and contemplate: Is the right API an SMIME cert verifier, or is it "verify this S/MIME signed content"?

…

On Thu, Dec 5, 2024 at 9:39 AM Patrick Rauscher ***@***.***> wrote: Not sure if I understand you correctly, but my Idea of the API would be similar to build_client_verifier: from pathlib import Path from cryptography import x509 trusted_cas = x509.load_pem_x509_certificates(Path("cacerts.pem").read_bytes()) intermediates = x509.load_pem_x509_certificates(Path("intermediates.pem").read_bytes()) user_cert = x509.load_pem_x509_certificate(Path("mailcert.pem").read_bytes()) builder = x509.verification.PolicyBuilder() builder = builder.store(trusted_cas) # optional other steps like builder.time... verifier = builder.build_smime_verifier() verified_client = verifier.verify(user_cert, intermediates) # or raise VerificationError — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[prauscher]

Both could probably be useful, but "verify this S/MIME signed content" would not solve the problem to verify a certificate prior to encrypting a message to its owner. So maybe the Verifier returned by build_smime_verifier could have separate methods for verify_certificate and verify_message?

[alex]

Ok, I think that was the real high order bit: you've got a use case not addressed by some extension to S/MIME parsing, it really needs the dedicated verifier interface.

…

On Thu, Dec 5, 2024 at 10:15 AM Patrick Rauscher ***@***.***> wrote: Both could probably be useful, but "verify this S/MIME signed content" would not solve the problem to verify a certificate prior to encrypting a message to its owner. So maybe the Verifier returned by build_smime_verifier could have separate methods for verify_certificate and verify_message? — Reply to this email directly, view it on GitHub <#12104 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBH7XAU4EIVVDXFU5OT2EBUXVAVCNFSM6AAAAABTCBLCFKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMRQGU4TINRQGQ> . You are receiving this because you commented.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.