Open glasserc opened 4 years ago
Here's a potential API:
class SignatureVerifier:
"Pure verifier"
def __init__(self, cache):
self.cache = cache
def verify(self, data, signature, cert_chain):
"cert_chain is bytes, retrieved for an x5u"
ending_cert = self.cache.get(cert_chain)
if not ending_cert:
ending_cert = self.validate_cert_chain(cert_chain)
self.cache.set(cert_chain, ending_cert)
return self._verify_signature(data, signature, ending_cert)
def _verify_signature(self, data, signature, cert):
"Private function. Do not call this from outside this class"
pass
class X5UVerifier:
"Network-attached verifier"
def __init__(self, network_cache, signature_verifier):
self.network_cache = network_cache
self.signature_verifier = signature_verifier
async def verify_signature(self, data, signature, x5u):
pass
The hypothetical/proposed
SignatureVerifier
class does more than just verifying signatures, but also retrieves X509 chains from URLs. It would be nice to have two classes, one which does the verification itself and another which is network-connected.What do we do with the certificate chain validity checks? (Stuff like -- verifying that it chains up to the root hash, verifying that dates are correct, verifying that the cert chains correctly.) Do we do them on every signature check? Do we cache results?