Add support for certificate chains #4
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jvehent
force-pushed
the
verifycertchain
branch
3 times, most recently
from
dc1ac19 to
d1f2542
Compare
This patch adds the ability to both sign and verify signatures that contain a certificate chain. The root of the chain is expected to be provided separately via an x509.CertPool passed to the Verifier. The added FirefoxAddon test case uses a certificate chain to check the addon signature against the Firefox Root CA.
jvehent
force-pushed
the
verifycertchain
branch
from
d1f2542 to
4031966
Compare
jvehent
force-pushed
the
verifycertchain
branch
from
a35228f to
66db327
Compare
jentfoo
pushed a commit
to gravitational/pkcs7
that referenced
this pull request
Jul 24, 2023
* Refactor verification to handle passing multiple cert pools (#2) * pass VerifyOptions instead of one cert pool Signed-off-by: Meredith Lancaster <[email protected]> * add eku usage to test Signed-off-by: Meredith Lancaster <[email protected]> * add new method for non breaking changes Signed-off-by: Meredith Lancaster <[email protected]> * add default EKU settings Signed-off-by: Meredith Lancaster <[email protected]> * verifySignatureAtTime should be used Signed-off-by: Meredith Lancaster <[email protected]> Signed-off-by: Meredith Lancaster <[email protected]> * remove print statements made during testing Signed-off-by: Meredith Lancaster <[email protected]> * fix tests that were accidentally updated Signed-off-by: Meredith Lancaster <[email protected]> * comment out use of more insecure algorithms Signed-off-by: Meredith Lancaster <[email protected]> * use GODEBUG so tests can run with sha1 algorithm Signed-off-by: Meredith Lancaster <[email protected]> * add sha1 algorithms back Signed-off-by: Meredith Lancaster <[email protected]> * update comment Signed-off-by: Meredith Lancaster <[email protected]> * Cleanup tests (#3) * remove print statements made during testing Signed-off-by: Meredith Lancaster <[email protected]> * comment out use of more insecure algorithms Signed-off-by: Meredith Lancaster <[email protected]> * use GODEBUG so tests can run with sha1 algorithm Signed-off-by: Meredith Lancaster <[email protected]> * add sha1 algorithms back Signed-off-by: Meredith Lancaster <[email protected]> * update comment Signed-off-by: Meredith Lancaster <[email protected]> Signed-off-by: Meredith Lancaster <[email protected]> --------- Signed-off-by: Meredith Lancaster <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch adds the ability to both sign and verify
signatures that contain a certificate chain. The root
of the chain is expected to be provided separately via
an x509.CertPool passed to the Verifier.
The added FirefoxAddon test case uses a certificate
chain to check the addon signature against the Firefox
Root CA.