Closed bedinotti closed 7 years ago
Oh! A consequence of this is that we're not checking the issuer's address in pre-v2.0a certificates. This should be fine, since for all of those certificates, you should only have been able to issue to the chain you're on. In other words, we only introduced the ability to issue a testnet cert to a main net address while developing 2.0.
This change is a little more complicated than I thought, mostly to retain backwards compatibility with validation back to v1.1 certificates. It also exposed that I was handling the verify data wrong in v2.0a+ certificates.
So! This PR does a few things:
- `publicKey` property on `Verify` objects. This will be the key itself, rather than a URL to go fetch the key from.
- `creator` and `publicKey` fields as a key, rather than as a URL. This went uncaught because technically `ecdsa-koblitz-pubkey:mtr98kany9G1XYNU74pRnfBQmaCg2FZLmc` parses as a valid URL. Who knew?
- `CertificateValidationRequest`, we check the issuer's chain before the recipient's. This was refactored to be a bit more readable.
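An added example, not code from this PR or the project: a Python sketch of why "does it parse as a URL?" cannot tell an inline key from a key location, and a scheme-based check that can. The function names, the set of fetchable schemes and the `issuer.example` URL are assumptions made for illustration; only the `ecdsa-koblitz-pubkey:` value comes from the description above.

```python
from urllib.parse import urlsplit

KEY_SCHEME = "ecdsa-koblitz-pubkey"      # prefix quoted in the PR description
FETCHABLE_SCHEMES = {"http", "https"}    # assumption: what a verifier may fetch

# Value quoted in the PR description.
SAMPLE_KEY = "ecdsa-koblitz-pubkey:mtr98kany9G1XYNU74pRnfBQmaCg2FZLmc"
# Constructed sample of a key location.
SAMPLE_URL = "https://issuer.example/keys/1"


def looks_like_url_naive(value: str) -> bool:
    """The check that hid the bug: any 'scheme:rest' string parses as a URL."""
    return bool(urlsplit(value).scheme)


def classify_key_field(value: str) -> tuple[str, str]:
    """Classify a creator/publicKey field by scheme instead of by parseability.

    Returns ("key", address) for an inline key, which must never be fetched,
    or ("url", value) for a location the verifier may fetch.
    Anything else is rejected rather than guessed at.
    """
    parts = urlsplit(value)
    if parts.scheme == KEY_SCHEME:
        # An inline key has no host part, only the address after the colon.
        if parts.netloc or not parts.path:
            raise ValueError(f"malformed inline key: {value!r}")
        return ("key", parts.path)
    if parts.scheme in FETCHABLE_SCHEMES and parts.netloc:
        return ("url", value)
    raise ValueError(f"unsupported key field: {value!r}")


if __name__ == "__main__":
    for sample in (SAMPLE_KEY, SAMPLE_URL):
        print(looks_like_url_naive(sample), classify_key_field(sample))
```

Both samples pass the naive check, which is why the mix-up went unnoticed; only the scheme-based classifier separates them.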