Fix verifyServerCertificateChain failing to pass with old nodeId #593
Comments
Found the problem. At some point the order the certs were provided in had changed. So it was checking the chain backwards. Now the order is expected to be leaf -> root. I'm applying this fix to all of the verify functions. I'm also thinking of moving the agent level verify functions from network to nodes domain. They're not actually shared anywhere.
Standardise it so that the first element of the array is always leaf. So leaf, intermediate, root. The only issue is that if you need to add a new leaf it's an unshift operation. But this is rare. Generally you care about the leaf first so left to right is more regular.
Ok, both the client and nodes verify functions have been fixed. I added tests for each of them showing that they work as expected. I also moved the nodes verify functions from network to the nodes domain.
If the default order of these arrays is always Then make sure when you are printing them out, you need to reverse the order. Because when you print in pem chain format, it is always root first, then leaf last.
Specification
The `verifyServerCertificateChain` in `client/utils.ts` needs to be fixed. By design it should pass verification for a cert chain that contains the desired `NodeId` anywhere in the valid chain. Currently this is failing.
The function needs to be checked and the exact issue found and a fix applied. Ultimately you should be able to verify a server with any valid `NodeId` inside its cert chain.
Additional context
Tasks
`NodeId` within its chain.
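The behaviour discussed in this issue (a leaf-first chain, and a match on any `NodeId` in the chain once every link has verified), as an added example that is not the project's code. The `Cert` type, the function names and the `node-a`/`node-b`/`node-c` IDs are assumptions, and it uses a simplified Ed25519-signed record from `node:crypto` in place of real X.509 certificates.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

// Simplified stand-in for a certificate (assumption): not X.509, not the project's type.
type Cert = { nodeId: string; issuerId: string; publicKey: KeyObject; signature: Buffer };

// Bytes covered by the issuer's signature.
function tbs(nodeId: string, issuerId: string, publicKey: KeyObject): Buffer {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return Buffer.concat([Buffer.from(`${nodeId}|${issuerId}|`), spki]);
}

function issue(nodeId: string, publicKey: KeyObject, issuerId: string, issuerKey: KeyObject): Cert {
  const signature = sign(null, tbs(nodeId, issuerId, publicKey), issuerKey);
  return { nodeId, issuerId, publicKey, signature };
}

// chain is leaf-first: chain[i] must be signed by chain[i + 1]; the last entry signs itself.
// The target only counts if every link verifies, so the result is decided after the loop.
function chainContainsNodeId(chain: Cert[], targetNodeId: string): boolean {
  if (chain.length === 0) return false;
  let found = false;
  for (let i = 0; i < chain.length; i++) {
    const cert = chain[i];
    const issuer = chain[i + 1] ?? cert;
    if (cert.issuerId !== issuer.nodeId) return false;
    const data = tbs(cert.nodeId, cert.issuerId, cert.publicKey);
    if (!verify(null, data, issuer.publicKey, cert.signature)) return false;
    if (cert.nodeId === targetNodeId) found = true;
  }
  return found;
}

// Constructed sample: three generations of one node's keys, newest (leaf) first.
function buildSampleChain(): Cert[] {
  const a = generateKeyPairSync('ed25519');
  const b = generateKeyPairSync('ed25519');
  const c = generateKeyPairSync('ed25519');
  const root = issue('node-a', a.publicKey, 'node-a', a.privateKey);
  const mid = issue('node-b', b.publicKey, 'node-a', a.privateKey);
  const leaf = issue('node-c', c.publicKey, 'node-b', b.privateKey);
  return [leaf, mid, root];
}
```

Passing the same chain root-first fails at the first link, which is the symptom the first comment describes.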