LG-3043: map bridge certs #154
@@ -18,6 +18,7 @@ def chain(set = []) | |||
@chain ||= begin | |||
signer = store[certificate.signing_key_id] | |||
while signer | |||
break if set.include? signer |
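Review bot: in the visible part of this hunk `set` is only read (`break if set.include? signer`) and never extended, so unless an omitted line appends `signer` to it, the guard only stops on certificates the caller passed in, and a cycle among intermediates that were not in the initial `set` would still loop. Suggest adding `set << signer` (or tracking `signer.signing_key_id` in a Set) right after the break so every visited certificate is remembered for the rest of the walk.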
is `signer` a key or a whole certificate object? IIRC certificate objects are like instance comparisons in ruby so they are rarely `==` to each other, it's better to compare some sort of ID?
Our `Certificate` class actually overrides `==`. It should be safe to compare 2 `Certificate` objects, but not 2 `OpenSSL::X509::Certificate` objects.

Ref: https://github.com/18F/identity-pki/blob/master/app/models/certificate.rb#L37-L41
oh perfect, thanks for that!
692c7cf to 9755691
config/application.yml.example (outdated)
# DoD root identifiers: | ||
# 49:74:BB:0C:5E:BA:7A:FE:02:54:EF:7B:A0:C6:95:C6:09:80:70:96 - DoD Root CA 2 | ||
# 6C:8A:94:A2:77:B1:80:72:1D:81:7A:16:AA:F2:DC:CE:66:EE:45:C0 - DoD Root CA 3 | ||
# BD:C1:B9:6B:4D:F4:1D:EC:30:90:BF:62:73:C0:84:33:F2:71:24:85 - DoD Root CA 5 |
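Review bot: the comment header `# DoD root identifiers:` labels each value by CA name but not by hash algorithm; all three are 20-byte values, i.e. SHA-1 fingerprint length, so say so in the header (e.g. `# DoD root identifiers (SHA-1 fingerprints):`). Since the name-to-fingerprint mapping was already caught as wrong in review, also cite where the values were copied from so a later reader can re-check them without guessing.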
Isn't this `DoD Root CA 3`?
I put these in here to be helpful and then I got them all wrong. I just pushed a commit to fix this comment.
Significantly reduces the number of root CAs required and ensures that we don't end up in an infinite loop when building up the signatory chain.
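The cycle guard from the hunk and the description's point about infinite loops, as an added Ruby example that is not identity-pki code: a stand-in `Cert` struct whose `==` compares key ids (the review thread's point about comparing wrappers rather than raw `OpenSSL::X509::Certificate` objects), a store keyed by key id, and a chain walker that stops when it meets a certificate it has already visited. The struct, the store layout and every id below are constructed for this example.

```ruby
# Hypothetical stand-in for the project's Certificate wrapper: equality is
# defined on the key id, not on object identity, so two separately loaded
# copies of the same certificate compare equal (the review thread's point).
Cert = Struct.new(:name, :key_id, :signing_key_id) do
  def ==(other)
    other.is_a?(Cert) && key_id == other.key_id
  end
  alias eql? ==
  def hash; key_id.hash; end
  def self_signed?; key_id == signing_key_id; end
end

# Walk from a leaf up through its signers. `seen` holds every certificate
# already visited, so a cycle in the store terminates instead of looping.
def chain(store, leaf, seen = [])
  chain = []
  seen = seen.dup
  signer = store[leaf.signing_key_id]
  while signer
    break if seen.include?(signer)   # repeated cert: cycle, stop here
    seen << signer                   # remember it for the rest of the walk
    chain << signer
    break if signer.self_signed?     # reached a root; nothing above it
    signer = store[signer.signing_key_id]
  end
  chain
end

# Constructed sample PKI: leaf -> intermediate -> root (self-signed),
# plus a deliberately cyclic pair (cyc-a signed by cyc-b, cyc-b by cyc-a).
ROOT  = Cert.new('root', 'k-root', 'k-root')
INTER = Cert.new('intermediate', 'k-int', 'k-root')
LEAF  = Cert.new('leaf', 'k-leaf', 'k-int')
CYC_A = Cert.new('cyc-a', 'k-a', 'k-b')
CYC_B = Cert.new('cyc-b', 'k-b', 'k-a')
LEAF2 = Cert.new('leaf2', 'k-leaf2', 'k-a')
STORE = [ROOT, INTER, CYC_A, CYC_B].to_h { |c| [c.key_id, c] }

def chain_names(leaf)
  chain(STORE, leaf).map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  p chain_names(LEAF)   # => ["intermediate", "root"]
  p chain_names(LEAF2)  # => ["cyc-a", "cyc-b"]
end
```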