sumit-bose
2021-03-29 08:47:21 UTC
URL: https://github.com/SSSD/sssd/pull/5558
Title: #5558: p11_child: Add partial verification support
sumit-bose commented:
"""
Hi,
thank you for the patches and especially for the extensive tests. I think both `partial_chain` and `pam_cert_verification` are useful. I will run some tests, but at a first glance your patches are looking quite complete.
Recently I came across a similar issue with respect to a CRL check. Currently there is
```c
X509_VERIFY_PARAM_set_flags(verify_param, (X509_V_FLAG_CRL_CHECK
                                           | X509_V_FLAG_CRL_CHECK_ALL));
```
and here `X509_V_FLAG_CRL_CHECK_ALL` enforces a CRL check of the whole chain, i.e. you need the CRL of each CA in the chain. I wonder if `partial_chain` should have an effect on the CRL check as well or if it would be better to have a separate option to toggle the `X509_V_FLAG_CRL_CHECK_ALL` flag?
bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5558#issuecomment-809194963
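The two OpenSSL behaviours the comment is weighing, partial-chain verification and a CRL check that covers every certificate in the chain, can be reproduced with the openssl(1) command line. The script below is an added example, not code from the sssd pull request or from p11_child; it builds a throwaway root -> intermediate -> leaf PKI plus one empty CRL per CA in a temporary directory (all names constructed here) and assumes an openssl 1.1.1 or newer binary on PATH. `-partial_chain` and `-crl_check_all` on the CLI set the same `X509_V_FLAG_PARTIAL_CHAIN` and `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` flags that p11_child passes through `X509_VERIFY_PARAM_set_flags`.

```shell
#!/bin/sh
# Added example (not part of the sssd pull request): exercises partial-chain
# verification and CRL_CHECK_ALL with the openssl(1) CLI on a throwaway PKI.
# Assumes openssl 1.1.1 or newer on PATH; every name and file is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config for `req` (subjects are passed with -subj) and for `ca -gencrl`.
# SKIDs on the CAs and an AKID on the CRLs let the verifier bind each CRL to
# the CA that issued it, exactly as a production PKI would.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
crlnumber = ./crlnumber
default_md = sha256
default_crl_days = 1
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
: > index.txt
echo 01 > crlnumber

# Root CA (self-signed) -> intermediate CA -> end-entity leaf.
openssl req -config demo.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 2 2>/dev/null
openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_ca -days 2 -out int.pem 2>/dev/null
openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=demo-leaf" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_leaf -days 1 -out leaf.pem 2>/dev/null

# An (empty) CRL from each CA; both.crl carries the CRL of every CA in the chain.
openssl ca -config demo.cnf -gencrl -keyfile root.key -cert root.pem \
    -crldays 1 -md sha256 -out root.crl 2>/dev/null
openssl ca -config demo.cnf -gencrl -keyfile int.key -cert int.pem \
    -crldays 1 -md sha256 -out int.crl 2>/dev/null
cat int.crl root.crl > both.crl

# Print "OK" or "FAIL: <OpenSSL error>" for one `openssl verify` run on leaf.pem.
outcome() {
    err=$(openssl verify "$@" leaf.pem 2>&1 >/dev/null) && { echo OK; return 0; }
    echo "FAIL: $(printf '%s\n' "$err" | grep -m1 'depth lookup' || echo "$err")"
}

FULL="-CAfile root.pem -untrusted int.pem"
echo "1 trust only the intermediate, no -partial_chain:  $(outcome -CAfile int.pem)"
echo "2 same, with -partial_chain:                       $(outcome -partial_chain -CAfile int.pem)"
echo "3 full chain, -crl_check, CRL of leaf issuer only: $(outcome $FULL -crl_check -CRLfile int.crl)"
echo "4 full chain, -crl_check_all, same single CRL:     $(outcome $FULL -crl_check_all -CRLfile int.crl)"
echo "5 full chain, -crl_check_all, CRL of every CA:     $(outcome $FULL -crl_check_all -CRLfile both.crl)"
echo "6 -partial_chain at intermediate + -crl_check_all: $(outcome -partial_chain -CAfile int.pem -crl_check_all -CRLfile both.crl)"
```

Cases 1 and 2 are the `partial_chain` option: with only the intermediate in the trust store, verification fails until `-partial_chain` lets the intermediate act as the anchor. Cases 3 to 5 are the CRL question: `-crl_check` needs only the CRL of the leaf's issuer, while `-crl_check_all` fails with "unable to get certificate CRL" until a CRL for every CA in the chain, the root's own included, is supplied. Case 6 combines the two flags: the chain now ends at the intermediate, and `-crl_check_all` asks for a CRL covering that intermediate, which is issued by the root that the partial chain deliberately leaves out, so the check fails even though both CRLs are present. That is the interaction behind the comment's suggestion of either tying the CRL scope to `partial_chain` or exposing `X509_V_FLAG_CRL_CHECK_ALL` as its own option.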