  1. RHEL
  2. RHEL-23012

Disable python-cryptography's new, experimental X.509 chain verification

    • Story
    • Resolution: Unresolved
    • python-cryptography
    • sst_idm_ipa
    • ssg_idm

      Goal

      PyCA cryptography upstream has added a new, experimental X.509 path building and chain verification API in the latest upstream release, 42.0. Version 42.0 will land in Fedora 40 and therefore in c10s and RHEL 10. I do not want to enable and support the feature until upstream considers the feature stable and Red Hat's crypto team approves the new feature.

      Besides the alpha status of the implementation, the crypto team (hkario@redhat.com et al) and I have several concerns with the current state of the feature. For example, it hasn't been tested against the mozilla::pkix verifier (NSS) yet. We do not want any RHEL 10 software to rely on the code until upstream considers it stable and we as downstream have had time to vet it.

      My plan is to disable cryptography.x509.verification.PolicyBuilder in c10s and RHEL 10 builds for now. Eventually we want to support and enable the feature after upstream considers the feature stable and production-ready. I expect that other projects will start using the feature. We need to define acceptance criteria and a test plan.

      Acceptance Criteria

      • cryptography.x509.verification.PolicyBuilder is disabled in c10 and RHEL 10 builds. Instantiation of PolicyBuilder() raises an exception that informs the user that the feature is disabled.
      • Fedora builds are not affected.
      • Test suite is adjusted and verifies that the feature is disabled.
      • RHEL docs mention that the feature is not available, because it's unstable and not yet vetted by RHEL.


      References

      Blog post: https://blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/

      https://cryptography.io/en/latest/changelog/#v42-0-0 changelog:

      Added the X.509 path validation APIs for Certificate chains. These APIs should be considered unstable and not subject to our stability guarantees until documented as such in a future release.

            ftrivino@redhat.com Francisco Trivino Garcia
            cheimes@redhat.com Christian Heimes
            Christian Heimes
            IPA QE Bot
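
Added example, not part of the ticket and not code from python-cryptography or the RHEL packaging: a probe that a consuming project could use to tell apart the three build states the acceptance criteria imply (API missing, API present but disabled, API usable) and to fail closed rather than skip chain validation. The exception type raised by the disabled build is not stated in the ticket, so catching `Exception` is an assumption; `DisabledBuilder`, `WorkingBuilder` and `fake_importer` are constructed stand-ins.

```python
import importlib
import types

MODULE = "cryptography.x509.verification"  # real module, new in 42.0


def verification_status(import_module=importlib.import_module):
    """Classify the build as 'available', 'missing' or 'disabled'."""
    try:
        builder_cls = import_module(MODULE).PolicyBuilder
    except (ImportError, AttributeError) as exc:
        # cryptography is absent or older than 42.0.
        return "missing", str(exc)
    try:
        builder_cls()
    except Exception as exc:
        # Assumption: the ticket does not name the exception type, so
        # catch broadly and keep the message for the operator.
        return "disabled", f"{type(exc).__name__}: {exc}"
    return "available", ""


def require_verification(import_module=importlib.import_module):
    """Fail closed: never continue without chain validation."""
    status, detail = verification_status(import_module)
    if status != "available":
        raise RuntimeError(f"X.509 verification API {status}: {detail}")


# Constructed stand-ins so the example runs without cryptography installed.
class DisabledBuilder:
    def __init__(self):
        raise RuntimeError("PolicyBuilder is disabled in this build")


class WorkingBuilder:
    pass


def fake_importer(builder_cls):
    """Return an import function that serves a stub module (hypothetical)."""
    def _import(name):
        if builder_cls is None:
            raise ImportError(f"No module named {name!r}")
        return types.SimpleNamespace(PolicyBuilder=builder_cls)
    return _import


if __name__ == "__main__":
    print(verification_status())
```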