feat(x509): verify certificate chains (linkage / ordering / expiry)#152
Merged
Conversation
Extends the X.509 PKI toolset from decoding into verification — the #1 real-world PKI debugging task ("the chain is present but not trusted"). Complements x509_certificate_decode (single cert) / csr_decode / crl_decode / ocsp_decode. x509_chain_verify (Low risk, offline, read-only) takes a PEM bundle (leaf -> root order) or a hex-DER concatenation and checks the signature linkage between adjacent certificates via crypto/x509.CheckSignatureFrom (the parent must cryptographically sign the child AND be a CA permitted to sign certificates). Reports: - ordered: every adjacent link verifies in the supplied order; - reaches_self_signed_root: a self-signed trust-anchor terminates the chain; - any_expired: any cert past NotAfter (a common "looks right but rejected" cause; expiry is reported, not folded into link validity); - per-certificate subject / issuer / self-issued / is_ca / expiry and per-link validity with the exact error on a broken link. Diagnoses the three usual failures: wrong ordering, a missing intermediate, and an expired link. Scope is signature + CA-constraint linkage, NOT full RFC 5280 path validation against a trust store (stated in the description). new internal/x509decode.VerifyChain (parses every CERTIFICATE block / DER concatenation) + internal/tools. No new dependency. Verified: tests build a real root -> intermediate -> leaf chain and cover ordered-to-root, wrong-order (links don't verify), single-cert, expired-link (linkage still valid), and bad-input cases; tool handler + discoverability tests; registry 701 -> 702 + risk coverage. task ci green (lint 0 / vet / build / test:full 0 fail / govulncheck clean); task eval 17/17.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extends the X.509 PKI toolset from decoding into verification — the #1 real-world PKI debugging task ("the chain is present but not trusted"). Complements
x509_certificate_decode/csr_decode/crl_decode/ocsp_decode.x509_chain_verify(Low risk, offline, read-only) takes a PEM bundle (leaf→root order) or a hex-DER concatenation and checks the signature linkage between adjacent certificates viacrypto/x509.CheckSignatureFrom(the parent must cryptographically sign the child and be a CA permitted to sign certificates). Reports:Diagnoses the three usual failures: wrong ordering, missing intermediate, expired link.
Design / scope
CheckSignatureFrom), not full RFC 5280 path validation against a trust store — stated plainly in the tool description. Expiry is surfaced per-cert but deliberately not folded into link validity (so a chain that links correctly but has an expired member is diagnosable as exactly that).internal/x509decode.VerifyChainparses everyCERTIFICATEblock (PEM) or DER concatenation. No new dependency.Verification
task cigreen (lint 0 / vet / build /test:full0 fail / govulncheck clean);task eval17/17.Feature — anchors v0.772.0.