panzi / verify-ehc

Simple Python script to decode and verify a European Health Certificate QR-code

trust chain - order and stuffing #11

Closed dirkx closed 3 years ago

dirkx commented 3 years ago

Just a minor note to self; currently there is the implied assumption that the trust chain is complete, in the right order (in verify_pkcs7_detached_signature), and linear/single-line.

While this is best practice - it is not always the case (e.g. for some reason most German CAs do the reverse), and cross signing is also somewhat common.

For this reason one should really construct a chain between the two endpoints - somewhat as an exhaustive search to see if any path matches (that is why there is just an issuer/serial going 'up' -- so you can in fact have multiple paths/graph of cross signing).

Totally not urgent to fix, as it is fairly unlikely to happen in the DCC context.

panzi commented 3 years ago

I think this should fix it. :smile:

dirkx commented 3 years ago

Looks like it - not entirely sure it won't get fooled by a naughty loop put in by a naughty person. But I guess your early check for the trusted 'root' should make it not go near such a naughty chain. And you sort of have to trust the root entity fairly axiomatically.
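The path search dirkx describes (unordered pool, cross-signed intermediates, a guard against a looping chain), as an added example that is not code from verify-ehc. It models certificates with a constructed HMAC tag standing in for the real X.509 signature, so the key inside a cert serves as both signing and verifying key; names, keys and the trust anchors are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for an X.509 certificate. A real cert carries an
# RSA/ECDSA signature checked with the issuer's public key; here an HMAC under
# the issuer's key plays that role, so "key" doubles as signing/verifying key.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes   # subject's key (what a real issuer cert would publish)
    tag: bytes   # "signature" by the issuer's key over (subject, issuer, key)

def _tag(issuer_key: bytes, subject: str, issuer: str, key: bytes) -> bytes:
    msg = b"|".join([subject.encode(), issuer.encode(), key])
    return hmac.new(issuer_key, msg, hashlib.sha256).digest()

def make_cert(subject: str, issuer: str, issuer_key: bytes, key: bytes) -> Cert:
    return Cert(subject, issuer, key, _tag(issuer_key, subject, issuer, key))

def signed_by(cert: Cert, issuer: Cert) -> bool:
    """Issuer name must match and the tag must verify under the issuer's key."""
    if cert.issuer != issuer.subject:
        return False
    return hmac.compare_digest(cert.tag, _tag(issuer.key, cert.subject, cert.issuer, cert.key))

def find_chains(cert, pool, trusted, seen=frozenset()):
    """Exhaustive search for every path from cert to a trusted root through the
    unordered pool. A cross-signed intermediate yields several chains; the
    'seen' set of subject names stops a maliciously constructed loop."""
    seen = seen | {cert.subject}
    chains = [[cert, root] for root in trusted if signed_by(cert, root)]
    for cand in pool:
        if cand.subject in seen or not signed_by(cert, cand):
            continue
        chains += [[cert] + tail for tail in find_chains(cand, pool, trusted, seen)]
    return chains

# Constructed PKI: two trust anchors, one intermediate cross-signed by both.
KA, KB, KX, KL, KEVIL = (hashlib.sha256(n).digest() for n in (b"A", b"B", b"X", b"L", b"evil"))
ROOT_A = make_cert("Root A", "Root A", KA, KA)
ROOT_B = make_cert("Root B", "Root B", KB, KB)
X_BY_A = make_cert("Inter X", "Root A", KA, KX)
X_BY_B = make_cert("Inter X", "Root B", KB, KX)   # cross-signature by Root B
LEAF = make_cert("Leaf", "Inter X", KX, KL)
# A naughty loop: a forged "Inter X" issued by "Leaf" and a forged leaf issued
# by it, both under an attacker key, so the two certs point at each other.
FAKE_X = make_cert("Inter X", "Leaf", KEVIL, KEVIL)
FAKE_LEAF = make_cert("Leaf", "Inter X", KEVIL, KEVIL)
POOL = [X_BY_B, X_BY_A, FAKE_X, FAKE_LEAF]   # deliberately not leaf-first

def chain_names(leaf: Cert) -> list:
    return [[c.subject for c in ch] for ch in find_chains(leaf, POOL, [ROOT_A, ROOT_B])]
```

The genuine leaf yields one chain per trust anchor (via each cross-signature of the intermediate), while the forged leaf yields none: the loop is cut by the subject guard and the forged certs never reach a trusted root.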