Validate issuing dp #357
Validate issuing dp #357
Conversation
go/rootprogram/issuers.go
Outdated
| @@ -233,7 +234,7 @@ func (mi *MozIssuers) LoadEnrolledIssuers(filePath string) error { | |||
| if err != nil { | |||
| return err | |||
| } | |||
| mi.InsertIssuerFromCertAndPem(cert, ei.Pem, nil) | |||
| mi.InsertIssuerFromCertAndPem(cert, ei.Pem, nil, false) | |||
There was a problem hiding this comment.
Does go have a maybe/option type? It would be nice to ensure we're not accidentally using the value of usesPartitionedCrls when we don't load from the ccadb.
There was a problem hiding this comment.
I updated this so now we pipe the usesPartitionedCrls flag through the enrolled.json file for use here.
| crl, _ := x509.ParseCertificateListDER(crlBlock.Bytes) | ||
|
|
||
| fetchUrl := "http://example.com/1.crl" | ||
| if !crlIssuingDPMatches(crl, fetchUrl) { |
There was a problem hiding this comment.
Am I missing something? I'm not seeing where this is defined... (is the review UI messing me up?)
There was a problem hiding this comment.
Whoops, refactored and forgot to update this test.
a374df0 to
c320747
Compare
| for _, url := range crl.TBSCertList.IssuingDPFullNames.URIs { | ||
| urls = append(urls, url) | ||
| _, exists := aPartitionedCrlUrlSet[url] | ||
| if exists { |
There was a problem hiding this comment.
If I'm understanding correctly, the effect of this check is that there could be a completely unrelated URL in the issuingDistributionPoints, but as long as it's not listed in aPartitionedCrlUrlSet, that's okay?
There was a problem hiding this comment.
Right, it's ok for there to be multiple URLs for the same CRL in issuingDistributionPoints. But only one URL from issuingDistributionPoints should appear in aPartitionedCrlUrlSet since the URLs in that set must point to distinct CRLs.
Add a new CRL audit entry type for when a Partitioned CRL's
issuingDistributionPointextension does not match the URL that the CRL was fetched from.Resolves #356.