Create self signed chain from command line #1
Add functionality to create a test chain from the commandline Refactor things: - Cert chain always in fixed order - `*[]x509.Certificate` -> `[]*x509.Certificate` - `*[][]byte` -> `[][]byte`
* main: Update README.md with test coverage Add env var Update go.yml Create go test workflow Update mockgen source paths in makefile Remove unused interfaces and simplify parser usage Refactor: remove PemReader interface and simplify usage Remove DidCreator and DidParser interfaces Create dependabot.yml Add Code Climate batch Reverse chain order in the x5c header. Move FixChainHeaders from x509_test_utils.go to x509_cert.go # Conflicts: # did_x509/did_x509.go # did_x509/did_x509_test.go # pem/pem_reader.go # uzi_vc_issuer/ura_issuer.go # x509_cert/x509_cert.go
- Multiple CA roots co-exist when the -t flag is enabled.
Removed two debug print statements that printed extension IDs and other name types. These statements were cluttering the output and are not necessary for the final implementation.
Introduce `allowUziTestCa` and `allowSelfSignedCa` flags to UraValidatorImpl for more flexible certificate chain validation. Refactor the validation logic to handle these new flags appropriately, ensuring better support for various CA configurations.
Re-enable the use of findSigningCertificate to ensure proper certificate validation based on X509 thumbprint. Remove hardcoding of the signingCert as first certificate in the chain and handle potential errors appropriately.
Improved the test-cert command to specify UZI, URA, and AGB parameters instead of a single identifier. This change enhances flexibility and allows for a more precise definition of test certificates. Updated help text for better clarity and added comments to explain the format of the otherName field.
Previously, errors when writing "chain.pem" and "signing_key.pem" were not handled separately. This change ensures that each file write operation checks for errors independently and exits with an error message if a write fails.
Updated `FormatDid` function to use a more descriptive variable `caCert` instead of `ca`. Modified the `FindRootCertificate` function to use the `x509_cert.IsRootCa` helper function for improved readability and consistency in the root CA check.
* main: Fix JSON unmarshalling issue in Validate method.
…ame seems to be the field that identifies the signer and subject. Updated CertTemplate function to accept an additional "organization" parameter, which allows different organization names for certificates. Adjusted related calls and modified default certificate values to reflect these changes.
Introduce a new `subject_did` field in the `TestCert` struct with a default value. Update the `test-cert` command case to handle this new parameter and adjust the VC issuance logic.
@stevenvegt Please check if you're happy with the changes I did.
… method Replaced the string formatting approach with direct JSON marshaling to prevent potentially unsafe quoting.
Renamed the loop variable from 'cert' to 'c' to prevent a naming collision with the cert import.
A comment was added to the DebugUnmarshall method to indicate that it should be retained for future debugging purposes.
The PR looks fine from here. Accepted.
@@ -4,19 +4,27 @@ import ( | |||
"fmt" | |||
"github.com/alecthomas/kong" | |||
"github.com/nuts-foundation/uzi-did-x509-issuer/uzi_vc_issuer" | |||
"github.com/nuts-foundation/uzi-did-x509-issuer/x509_cert" | |||
"os" | |||
) | |||
|
|||
type VC struct { |
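Review bot: the import block in this hunk interleaves standard-library packages ("fmt", "os") with the third-party ones ("github.com/alecthomas/kong", the two uzi-did-x509-issuer packages); goimports convention keeps the standard library in its own group, so list "fmt" and "os" together, then a blank line, then the github.com imports, which also keeps future diffs on this block small.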
I did some refactoring around the concept of "test" and "self signed". The "test" stuff are certificates signed by the Test UZI Root Ca, the "self signed" stuff you added uses its own CA. To determine the latter case, the code checks if the certificates file is len(c) > 1. In that case it will use other validation logic than if not.
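The two validation paths discussed in this thread (a chain longer than one certificate, and an `allowSelfSignedCa` flag deciding whether an in-chain self-signed root may be trusted), as an added example that is not the project's code: it assumes the PR's fixed `[]*x509.Certificate` order is leaf first, and stands in its own `isRootCa` check for the project's `IsRootCa` helper; the chain it validates is constructed at runtime, and with the flag off nothing is trusted because no UZI roots are loaded here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// validateChain takes a leaf-first chain; an in-chain self-signed root is trusted
// only when allowSelfSignedCa is set, otherwise the chain is rejected outright.
func validateChain(chain []*x509.Certificate, allowSelfSignedCa bool) error {
	if len(chain) < 2 {
		return errors.New("chain must hold the signing certificate and its CA(s)")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain[1:] {
		// Self-signed CA (stand-in for the PR's IsRootCa, assumed): verifies under its own key.
		if !(c.IsCA && c.CheckSignatureFrom(c) == nil) {
			inters.AddCert(c)
		} else if allowSelfSignedCa {
			roots.AddCert(c)
		} else {
			return errors.New("self-signed root in chain but allowSelfSignedCa is false")
		}
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// newTestChain builds a constructed chain: a self-signed CA plus one leaf it signs.
func newTestChain() []*x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDer, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDer)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed leaf"}, NotBefore: nb, NotAfter: na}
	leafDer, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDer)
	return []*x509.Certificate{leaf, ca}
}
```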