Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rust: add crate skeleton for X.509 path validation #8873
rust: add crate skeleton for X.509 path validation #8873
Changes from 169 commits
69eb9a1
cb8a316
7e1f72a
ade49a1
30509a8
4658f70
1420533
43999ac
c220117
25655ad
7c77155
352d9cf
b7205be
d663c07
0af2218
5285a9a
9713022
4de63fc
2adf177
7f550db
71bd69d
625fa41
4745642
ba37c80
21b8026
2232868
d91f976
9e04a6a
0f21360
9ff4070
8d9d223
5ef5ecb
9d46d04
f02458e
95ac2e7
5153a69
f54ce64
8a702a9
f59cbed
a356e05
9d5a313
457df90
c54bced
5e72f8b
c91e13f
7b8f5a3
e8b4fbc
7aefd2a
504dd59
34202c4
fb362bd
ce4e907
daa512d
53e6761
0259030
a9a380f
a9d8dc9
199ba0d
956c1b8
52977bd
a163676
b0d8477
a4f4ea9
58261a2
0282239
c086393
107c082
be6d3d8
36654c1
6bed9db
6d3714c
5afa0a7
7546674
af0d43b
acdf068
e5d62a3
06e1be5
fe39fb9
329eed5
4017871
c0ec72f
c270e4a
7434373
363dee3
efc8f29
3e838c7
79fe0b4
f7fdeaf
913f723
ab7de49
421594a
8fd2684
ef9061f
bf3b3cb
ea88d53
7bfab59
97c551f
db05265
669bb22
af14ec4
eac3a07
af29fec
4168322
062a64b
ace8142
9793bb2
d498f67
2f52dd0
c40761f
e0c377d
269ef79
90162e4
adc7333
0c5ff83
2ce7a34
0f6214f
55e82f7
bf12b48
e665d3b
a14634d
ba7dbf3
8d06d26
0d98eaf
6be1f50
76abe1f
09377a5
1a4cf74
e93bc07
0cf2e52
c9642e9
6c577be
a860232
d231e1e
7b4c2c0
5ee09e5
bd1553f
89067e2
adeb62d
518da01
f964ce7
48af1c5
c79f40b
a29c73e
bab3d2a
8135121
b3ae108
31d7d81
d294958
d1b0a33
6c2eafe
f591c12
1adf14f
9ce06d0
030b79f
b6de1f9
6e6d7c7
120daf5
6607e75
24ecf76
3060a70
e1ee967
642e72e
c6d502e
e26feb8
b1e8d2a
91c30d5
dcc7069
1ed7c2b
e4c33bb
98d5502
baaeeb2
6c886b5
a167fd2
9926b98
d4a876f
474a925
8152578
5244884
be84030
27b2b0d
0220e93
35de5fd
07f2445
d5b8a45
c52b597
6e7379a
7830bad
e16a347
1e00199
fee2aa3
b65d12f
6aa642c
0fc7327
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this check required, if we simply left self-signed intermediates in here, does that cause a problem later, or is it simply "this could never be correct"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it causes a potential cycle: if the user passes a self-signed cert in the intermediate set, we'll end up recursing infinitely (since self-signed certs don't increase the validation depth per 5280).
Another option here would be to instead have a separate "physical" depth counter that doesn't follow the 5280 counting rules, and instead gives up after a fixed
N
chaining attempts. That feels a little more indirect to me, but I think that would also work fine here.(Either way, I can document this in comments.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about this a bit more, and I think we could achieve the same thing here by moving the
cert_is_self_signed
check intobuild_chain_inner
, after the trust store check -- that should be behaviorally equivalent, without the need to pre-iterate over the intermediate set. WDYT @alex?