Skip to content

scan: check for revocation in PKI ChainValidation #219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kisom merged 1 commit into from
May 26, 2015
Merged

scan: check for revocation in PKI ChainValidation #219

kisom merged 1 commit into from
May 26, 2015

Conversation

@0xhaven
Copy link

@0xhaven 0xhaven commented May 21, 2015

Mainly for use in a "Strict SSL"-compatibility checker. (CFSSL-149)

@coveralls
Copy link

coveralls commented May 21, 2015

Coverage Status

Coverage decreased (-0.08%) to 52.64% when pulling 32afbc3 on jacob/scan-pki-revocation into f088f39 on master.

@grittygrease
Copy link
Contributor

grittygrease commented May 26, 2015

LGTM

kisom
kisom reviewed May 26, 2015
View reviewed changes
scan/pki.go Outdated
Copy link
Contributor

@kisom kisom May 26, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Style nitpicks: this should be a complete sentence. It would also be useful to explain why it might be redundant and why it's been kept in (even if the answer is just that the comment serves as a marker to go back and look at the code later).

Copy link
Author

@0xhaven 0xhaven May 26, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't dive deep into all the checks x509#Certificate.VerifyHostname is doing, but I think cfssl/revoke#VerifyCertificate is covers a superset of them (obviously adding CRL and OCSP revocation checks).

I think it's probably best to just remove this "quick-fail" method, as it will give less descriptive errors.

@kisom
Copy link
Contributor

kisom commented May 26, 2015

One nit about a comment, other than that LGTM.

@0xhaven 0xhaven force-pushed the jacob/scan-pki-revocation branch from 32afbc3 to f4a1e87 Compare May 26, 2015 20:02
@coveralls
Copy link

coveralls commented May 26, 2015

Coverage Status

Coverage decreased (-0.01%) to 53.04% when pulling f4a1e87 on jacob/scan-pki-revocation into 9c0793f on master.

kisom added a commit that referenced this pull request May 26, 2015
@kisom
Merge pull request #219 from cloudflare/jacob/scan-pki-revocation
09f3458 
scan: check for revocation in PKI ChainValidation
@kisom kisom merged commit 09f3458 into master May 26, 2015
@kisom kisom deleted the jacob/scan-pki-revocation branch May 26, 2015 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@0xhaven @coveralls @grittygrease @kisom