Skip to content

feat(x509): verify certificate chains (linkage / ordering / expiry)#152

Merged
xunholy merged 1 commit into
mainfrom
feat/x509-chain-verify
Jun 28, 2026
Merged

feat(x509): verify certificate chains (linkage / ordering / expiry)#152
xunholy merged 1 commit into
mainfrom
feat/x509-chain-verify

Conversation

@xunholy

@xunholy xunholy commented Jun 28, 2026

Copy link
Copy Markdown
Owner

Summary

Extends the X.509 PKI toolset from decoding into verification — the #1 real-world PKI debugging task ("the chain is present but not trusted"). Complements x509_certificate_decode / csr_decode / crl_decode / ocsp_decode.

x509_chain_verify (Low risk, offline, read-only) takes a PEM bundle (leaf→root order) or a hex-DER concatenation and checks the signature linkage between adjacent certificates via crypto/x509.CheckSignatureFrom (the parent must cryptographically sign the child and be a CA permitted to sign certificates). Reports:

  • ordered — every adjacent link verifies in the supplied order;
  • reaches_self_signed_root — a self-signed trust-anchor terminates the chain;
  • any_expired — any cert past NotAfter (a common "looks right but rejected" cause; reported, not folded into link validity);
  • per-cert subject / issuer / self-issued / is_ca / expiry, and per-link validity with the exact error on a break.

Diagnoses the three usual failures: wrong ordering, missing intermediate, expired link.

Design / scope

  • Linkage is signature + CA-constraint only (CheckSignatureFrom), not full RFC 5280 path validation against a trust store — stated plainly in the tool description. Expiry is surfaced per-cert but deliberately not folded into link validity (so a chain that links correctly but has an expired member is diagnosable as exactly that).
  • internal/x509decode.VerifyChain parses every CERTIFICATE block (PEM) or DER concatenation. No new dependency.

Verification

  • Tests build a real root → intermediate → leaf chain and cover ordered-to-root, wrong-order (links don't verify), single-cert, expired-link (linkage still valid), and bad-input cases; tool handler + discoverability tests; registry 701→702 + risk coverage.
  • task ci green (lint 0 / vet / build / test:full 0 fail / govulncheck clean); task eval 17/17.

Feature — anchors v0.772.0.

Extends the X.509 PKI toolset from decoding into verification — the #1
real-world PKI debugging task ("the chain is present but not trusted").
Complements x509_certificate_decode (single cert) / csr_decode / crl_decode /
ocsp_decode.

x509_chain_verify (Low risk, offline, read-only) takes a PEM bundle
(leaf -> root order) or a hex-DER concatenation and checks the signature
linkage between adjacent certificates via crypto/x509.CheckSignatureFrom
(the parent must cryptographically sign the child AND be a CA permitted to
sign certificates). Reports:
- ordered: every adjacent link verifies in the supplied order;
- reaches_self_signed_root: a self-signed trust-anchor terminates the chain;
- any_expired: any cert past NotAfter (a common "looks right but rejected"
  cause; expiry is reported, not folded into link validity);
- per-certificate subject / issuer / self-issued / is_ca / expiry and
  per-link validity with the exact error on a broken link.

Diagnoses the three usual failures: wrong ordering, a missing intermediate,
and an expired link. Scope is signature + CA-constraint linkage, NOT full
RFC 5280 path validation against a trust store (stated in the description).

new internal/x509decode.VerifyChain (parses every CERTIFICATE block / DER
concatenation) + internal/tools. No new dependency.

Verified: tests build a real root -> intermediate -> leaf chain and cover
ordered-to-root, wrong-order (links don't verify), single-cert, expired-link
(linkage still valid), and bad-input cases; tool handler + discoverability
tests; registry 701 -> 702 + risk coverage. task ci green (lint 0 / vet /
build / test:full 0 fail / govulncheck clean); task eval 17/17.
@xunholy
xunholy merged commit 2518141 into main Jun 28, 2026
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant