LG-3043: map bridge certs #154
Conversation
| @@ -18,6 +18,7 @@ def chain(set = []) | |||
| @chain ||= begin | |||
| signer = store[certificate.signing_key_id] | |||
| while signer | |||
| break if set.include? signer | |||
There was a problem hiding this comment.
is signer a key or a whole certificate object? IIRC certificate objects are like instance comparisons in ruby so they are rarely == to each other, it's better to compare some sort of ID?
There was a problem hiding this comment.
Our Certificate class actually overrides ==. It should be safe to compare 2 Certificate objects, but not 2 OpenSSL::X509::Certificate objects.
Ref: https://github.com/18F/identity-pki/blob/master/app/models/certificate.rb#L37-L41
There was a problem hiding this comment.
oh perfect, thanks for that!
solipet
force-pushed
the
dprice-lg-3043-map-bridge-certs
branch
from
692c7cf
to
9755691
Compare
config/application.yml.example
Outdated
| # DoD root identifiers: | ||
| # 49:74:BB:0C:5E:BA:7A:FE:02:54:EF:7B:A0:C6:95:C6:09:80:70:96 - DoD Root CA 2 | ||
| # 6C:8A:94:A2:77:B1:80:72:1D:81:7A:16:AA:F2:DC:CE:66:EE:45:C0 - DoD Root CA 3 | ||
| # BD:C1:B9:6B:4D:F4:1D:EC:30:90:BF:62:73:C0:84:33:F2:71:24:85 - DoD Root CA 5 |
There was a problem hiding this comment.
Isn't this DoD Root CA 3?
There was a problem hiding this comment.
I put these in here to be helpful and then I got them all wrong. I just pushed a commit to fix this comment.
Significantly reduces the number of root CA's required and ensures that we don't end up in an infinite loop when building up the signatory chain.