PeculiarVentures / PKI.js

PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
http://pkijs.org

Honor CheckDate Optionality in the CertificateChainValidationEngine #362

Open sujith-k-s opened 1 year ago

sujith-k-s commented 1 year ago

We have a case where we do not want to verify the Validity Periods of the Certificates. Passing undefined to the CheckDate parameter should honor this and should not check the validity of the certificates. I understand that this could break current implementations; therefore, we could add an additional argument (validateDate) to the parameters, which would produce the same result. The only change required for this is on line 415, where you do:

if (this.validateDate && (crl.nextUpdate && crl.nextUpdate.value < this.checkDate)) {

rmhrisk commented 1 year ago

What is the use case?

microshine commented 1 year ago

Looks very strange. You don't want to verify the Validity Periods of the Certificate, but use CRLs for path building (which require the checkDate argument). Would it be easier to build the chain without Revocation Lists and use the date (notBefore or notAfter) from the leaf certificate?