X509lax #157
X509lax #157
Conversation
There was a problem hiding this comment.
This is really cool, I like the direction - huge thanks for putting the substantial effort in here to drop the dep on the old fork!
We should probably be explicit in the pkg doc about the intention here for future folks coming along - e.g.
- not a full validating x509 impl for TLS use, but bare bones for running a CT log; should not be reused elsewhere for safety reasons.
- Not likely to be frequently/if at all updated from the upstream stdlib x509
etc.
| } | ||
| } | ||
| // CANotAuthorizedForThisName check deleted. | ||
| // Allow to log all certificates, even if they have been isued by a CA that |
There was a problem hiding this comment.
nit: "Allow logging of all ..."
| } | ||
| } | ||
| // CANotAuthorizedForThisName check deleted. | ||
| // Allow to log all certificates, even if they have been isued by a CA that |
There was a problem hiding this comment.
I thought the verify.go was deleted in the next commit.
| } | ||
| // CANotAuthorizedForThisName check deleted. | ||
| // Allow to log all certificates, even if they have been isued by a CA that | ||
| // is not auhotized to issue certs for a given domain. |
There was a problem hiding this comment.
/auhotized/authorized/ :)
| package x509util | ||
|
|
||
| var ( | ||
| oidExtensionSubjectAltName = []int{2, 5, 29, 17} |
There was a problem hiding this comment.
Is this going to be used?
There was a problem hiding this comment.
If this is going to be used, please add the doc comment to add the OID description.
| package x509util | ||
|
|
||
| var ( | ||
| oidExtensionSubjectAltName = []int{2, 5, 29, 17} |
There was a problem hiding this comment.
If this is going to be used, please add the doc comment to add the OID description.
Toward #120.
This PR copies the smallest amount of code we can, allowing to build Tesseract without a dep on c-t-go/x509, and using "crypto/x509" wherever it can.
It is WIP, but ready for someone to take a first pass, and confirm that this PR can easily be reviewed.
A followup PR will migrate the codebase to this fork + "crypto/x509". You can have a sneak peek here: https://github.com/phbnf/static-ct/tree/evenmoreold.
This PR has two commits. To review this PR, review commits independtly.
verify.goandcert_pool.gofrom "crypto/x509" Not much to review there, it's a copy.- changes package name
- takes a dep on "crypto/x509" whenever we can
(c *Certificate) func(args)tofunc(c x509.Certificate, args)to re-use thex509.Certificateobject without redefining itCertificateInvalidError{c} --> CertificateInvalidError{Cert: c}x509.go. I've left it in a smallx509.gofile just to avoid extra modifications.TODO(phboneff):