@sjaeckel Why was the CI pipeline with tests and builds not triggered after my last commit?
…1 on equality; which was misleading - thus renamed to x509_name_eq
…00:0000:0000:0000:0000:0001 (it will be less surprising)
I've just reviewed this PR and pushed a few commits. Two issues I’m still not happy with:
I also managed to break the CI tests somehow; however, it is too late tonight for me to fix that now.
They will only be called with valid args.
So we don't have to do that manually.
sjaeckel left a comment
- We are not rejecting certificates that contain unrecognized critical extensions, as required by RFC 5280 section 4.2. I've just added a comment to code about this.
Good point!
- It is a bit surprising that x509_free takes ltc_x509_certificate ** as its argument. Other _free functions take a single pointer (rsa_free, ecc_free, pka_key_free ...) so x509_free is currently the odd one out.
Because I like the pattern more. I prefer to be on the safe side, see also the commit I just added which introduces the same pattern for s_free().
| /* TODO: RFC 5280 4.2 requires rejecting certs with unrecognized critical extensions | ||
| but currently it cannot be rejected here as some critical extensions are not decoded | ||
| like: Name Constraints, Inhibit Any Policy, No Revocation Available, OCSP No Check, | ||
| Proxy Certificate Information, ac-auditEntity | ||
| */ |
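Review bot: the TODO says certificates with unrecognized critical extensions "cannot be rejected here" but never states the resulting behaviour, which per the review comment above is that such a certificate is not rejected. Spell that out in the comment so a caller does not read a successful parse as RFC 5280 4.2 conformance, and say where the check is expected to live once the listed extensions are decoded. "ac-auditEntity" is the only entry given as an identifier rather than a name; a pointer to the document that defines it would help whoever picks this up.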
While adding some of them as dummy I came to the conclusion: this is just parsing and not validation. Should we maybe track this as "yes, it's a valid topic, but not now"?
I've collected the following infos on the extensions you mentioned which are tracked outside RFC 5280:
- No Revocation Available is CRITICALITY { FALSE }
- OCSP No Check: The RFC says:
  The CA does so by including the extension id-pkix-ocsp-nocheck. This SHOULD be a non-critical extension. The value of the extension SHALL be NULL.
- Proxy Certificate Information is indeed critical
- ac-auditEntity: I couldn't find anything
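The RFC 5280 section 4.2 rule discussed in this thread, as an added example that is not code from this PR or from libtomcrypt: it walks a DER-encoded Extensions sequence, honours the `critical BOOLEAN DEFAULT FALSE` encoding, and flags any critical extension whose OID is not on an allow-list. The names `der_tlv` and `check_critical_extensions`, the allow-list and the sample bytes are assumptions made for the example, and only short-form DER lengths are handled.

```c
#include <stdio.h>
#include <string.h>
/* Assumed allow-list of extensions the caller can process (DER OID contents). */
static const unsigned char OID_BC[] = { 0x55, 0x1D, 0x13 };   /* basicConstraints 2.5.29.19 */
static const unsigned char OID_KU[] = { 0x55, 0x1D, 0x0F };   /* keyUsage 2.5.29.15 */
static const struct { const unsigned char *oid; size_t len; } KNOWN[] = { { OID_BC, 3 }, { OID_KU, 3 } };
/* Constructed samples: critical basicConstraints + non-critical ocsp-nocheck; critical proxyCertInfo (placeholder value). */
static const unsigned char SAMPLE_OK[] = { 0x30,0x1F, 0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,
   0x30,0x0F,0x06,0x09,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,0x04,0x02,0x05,0x00 };
static const unsigned char SAMPLE_PROXY[] = { 0x30,0x13, 0x30,0x11,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,
   0x01,0x01,0xFF,0x04,0x02,0x30,0x00 };

/* Match one DER TLV with the given tag (short-form lengths only); returns its content or NULL. */
static const unsigned char *der_tlv(const unsigned char *p, const unsigned char *end, unsigned char tag, size_t *len)
{
   if (end - p < 2 || p[0] != tag || (p[1] & 0x80)) return NULL;
   *len = p[1];
   return ((size_t)(end - p - 2) < *len) ? NULL : p + 2;
}

/* Walk Extensions ::= SEQUENCE OF Extension. 0 = ok, 1 = unrecognized critical extension, -1 = malformed. */
int check_critical_extensions(const unsigned char *der, size_t derlen)
{
   size_t seqlen, extlen, oidlen, len, i;
   const unsigned char *end, *ext, *oid, *q, *v, *p = der_tlv(der, der + derlen, 0x30, &seqlen);
   if (p == NULL) return -1;
   for (end = p + seqlen; p < end; ) {
      int critical = 0, known = 0;
      if ((ext = der_tlv(p, end, 0x30, &extlen)) == NULL) return -1;
      p = ext + extlen;                       /* p now marks the end of this Extension */
      if ((oid = der_tlv(ext, p, 0x06, &oidlen)) == NULL) return -1;
      q = oid + oidlen;
      if (q < p && *q == 0x01) {              /* critical BOOLEAN DEFAULT FALSE: absent means FALSE */
         if ((v = der_tlv(q, p, 0x01, &len)) == NULL || len != 1) return -1;
         critical = (v[0] != 0x00);
         q = v + 1;
      }
      if ((v = der_tlv(q, p, 0x04, &len)) == NULL || v + len != p) return -1;   /* extnValue */
      for (i = 0; i < sizeof(KNOWN) / sizeof(KNOWN[0]); i++)
         if (KNOWN[i].len == oidlen && memcmp(KNOWN[i].oid, oid, oidlen) == 0) known = 1;
      if (critical && !known) return 1;       /* RFC 5280 4.2: must reject */
   }
   return 0;
}

int main(void)
{
   return printf("ok=%d proxy=%d\n", check_critical_extensions(SAMPLE_OK, sizeof(SAMPLE_OK)),
                 check_critical_extensions(SAMPLE_PROXY, sizeof(SAMPLE_PROXY))) < 0;
}
```

Keeping this as a separate pass over the already-parsed extension list matches the parsing-versus-validation split raised in the thread: the parser can stay permissive while the validating caller decides which OIDs it is able to process.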
Start implementing X.509 APIs.
In #693 this was requested and I was already at it and now we have the first part: Parsing of an X.509 certificate and the cryptographic validation of such a certificate.
NB: This does not yet contain the logic that is required to determine whether a CA is eligible to sign a certificate etc.