Skip to content

Chain validation cleanup #120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lukevalenta merged 9 commits into from
Sep 26, 2025
Merged

Chain validation cleanup #120

lukevalenta merged 9 commits into from
Sep 26, 2025

Conversation

@lukevalenta
Copy link
Contributor

@lukevalenta lukevalenta commented Sep 26, 2025

Various cleanup and documentation improvements, mostly related to chain validation and addressing review comments from #113. Please see individual commit messages for details.

@lukevalenta
Move certificate well-formedness check to general chain validation
29c16ad
@lukevalenta
Pass intermediates by reference in validator hook
8ab85e7 
Currently the inferred root is not yet appended, but we'll do that next.
@lukevalenta
Append found root to intermediates passed into validator hook
e5c647e 
Rename intermediates to chain_certs as well, to help highlight where the chain is used.
@lukevalenta
Refactor to remove unnecessary unwraps
81f65d8
@lukevalenta
Fix comment in ct_worker/build.rs
43a1f21
@lukevalenta
Move build_chain to x509_util crate
095e220
@lukevalenta
Ensure that found roots are uploaded to /issuers and present in boots…
48640e3 
…trap entry

Ensure found roots are properly accounted for, mirroring a change to the
static CT worker.

Also rename validation_hook to validator_hook for consistency, and
improve function documentation.
@lukevalenta
Simplify logic for precerts and precert signing certs
5eaefdc 
Also rename is_pre_issuer to is_precert_signing_cert for clarity.
@lukevalenta
Simplify logic for parsing leaf from raw chain
46a2b69
@lukevalenta lukevalenta self-assigned this Sep 26, 2025
rozbb
rozbb approved these changes Sep 26, 2025
View reviewed changes
crates/x509_util/src/lib.rs

hook(leaf, chain_certs_owned, chain_fingerprints, found_root_idx)
.map_err(HookOrValidationError::Hook)
hook(leaf, chain_certs, chain_fingerprints, found_root_idx).map_err(HookOrValidationError::Hook)
Copy link
Contributor

@rozbb rozbb Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good job managing to rewrite the hooks to work with Vec<&Certificate>. I think getting the full chain including root is much cleaner

Copy link
Contributor Author

@lukevalenta lukevalenta Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah! After moving the well-formedness check to validate_chain_lax I didn't get many complaints about ownership.

@lukevalenta lukevalenta merged commit e0ba976 into main Sep 26, 2025
1 check passed
@lukevalenta lukevalenta deleted the lvalenta/chain-validation-cleanup branch September 26, 2025 17:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rozbb rozbb rozbb approved these changes

@bwesterb bwesterb Awaiting requested review from bwesterb

@cjpatton cjpatton Awaiting requested review from cjpatton

Assignees

@lukevalenta lukevalenta

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukevalenta @rozbb