This PR takes on the raised issue https://github.com/Dexus/pem/issues/303.

Basically, there were 3 problems:

1. An entire certificate chain had been supplied to `openssl verify`, making openssl silently read just the first one of the chain. Read why that is here.
2. The corresponding `-untrusted` param of `openssl verify` was never used, therefore the trust chain was never passed for verification.
3. Looking at unit tests, the correct certificate order had been reversed. It should've been `leaf -> int ca -> root ca`, while in reality it was backwards. Also, the CA certificates were missing quite a critical part: the `CA:TRUE` attribute.

So `verifySigningChain` was never working correctly in the general case. The simplest forms like `Root CA -> Leaf` or `Root CA -> Int CA -> Leaf` might be verified correctly, but anything more complicated than that won't.
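The three failure modes above, reproduced with the openssl CLI as an added example (not code from the pem project or this PR). It builds a root CA -> intermediate CA -> leaf chain in a temp directory with constructed subject names and then runs `openssl verify` without `-untrusted`, with the whole chain in one positional file, with `-untrusted`, and through an issuer that lacks `CA:TRUE`; only the `-untrusted` form is accepted.

```shell
#!/bin/sh
# Builds a root CA -> intermediate CA -> leaf chain in a temp dir and runs
# `openssl verify` the broken ways and the correct way. Needs the openssl CLI.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME SUBJECT ca|leaf [ISSUER_NAME]   (subjects are constructed)
# Self-signed when no issuer is given. CA certs get basicConstraints CA:TRUE,
# the attribute the old test CAs were missing; leaf certs get CA:FALSE.
issue_cert() {
  name=$1 subj=$2 kind=$3 issuer=$4
  if [ "$kind" = ca ]; then ext="basicConstraints=critical,CA:TRUE"
  else ext="basicConstraints=critical,CA:FALSE"; fi
  printf '%s\n' "$ext" > "$WORK/$name.ext"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_chain() {
  issue_cert root  "/CN=Example Root CA" ca
  issue_cert int   "/CN=Example Int CA"  ca   root
  issue_cert leaf  "/CN=leaf.example"    leaf int
  # An "intermediate" without CA:TRUE, and a leaf signed by it.
  issue_cert notca "/CN=Not A CA"        leaf root
  issue_cert leaf2 "/CN=leaf2.example"   leaf notca
  # Whole chain in one file, leaf first, as the old code handed it to openssl.
  cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Each check returns openssl's exit status: 0 means the chain was accepted.
run_verify() { openssl verify -CAfile "$WORK/root.pem" "$@" >/dev/null 2>&1; }
verify_without_untrusted()  { run_verify "$WORK/leaf.pem"; }                              # rejected: int unknown
verify_chain_file_as_cert() { run_verify "$WORK/chain.pem"; }                             # rejected: only first cert read
verify_with_untrusted()     { run_verify -untrusted "$WORK/int.pem" "$WORK/leaf.pem"; }   # accepted
verify_via_non_ca()         { run_verify -untrusted "$WORK/notca.pem" "$WORK/leaf2.pem"; } # rejected: issuer not CA:TRUE

build_chain
for check in verify_without_untrusted verify_chain_file_as_cert verify_with_untrusted verify_via_non_ca; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```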