PKI.js

Honor CheckDate Optionality in the CertificateChainValidationEngine

Open sujith-k-s opened this issue 3 years ago • 2 comments

We have a case where we do not want to verify the Validity Periods of the Certificates. Passing an undefined to the CheckDate Parameter should honor this and should not check for the validity of the certificates. I understand that this could break current implementations, therefore we could add an additional argument (validateDate) to parameters which would produce the same result. The only change required for this is on line 415, where you do:

if (this.validateDate && (crl.nextUpdate && crl.nextUpdate.value < this.checkDate)) {

sujith-k-s, Aug 24 '22 11:08

What is the use case?

rmhrisk, Aug 25 '22 05:08

Looks very strange. You don't want to verify the Validity Periods of the Certificate, but use CRLs for path building (which require the checkDate argument). Would it be easier to build the chain without Revocation Lists and use the date (notBefore or notAfter) from the leaf certificate?

microshine, Aug 25 '22 06:08
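
The alternative raised in the last comment, as an added example that is not part of the thread and is not PKI.js code: instead of switching the date check off, validate every certificate at an instant taken from the leaf. Plain objects stand in for parsed certificates, and all function names and sample chains are hypothetical.

```javascript
// Added illustration: plain objects model certificates' validity periods.
// periodValidAt, chainFailuresAt and failuresAtLeafDate are hypothetical
// helper names, not part of the PKI.js API.

// True when `date` falls inside the certificate's validity period.
function periodValidAt(cert, date) {
  return cert.notBefore <= date && date <= cert.notAfter;
}

// Checks every certificate in the chain at one instant and returns the
// subjects whose validity period does not cover it (empty array = all pass).
function chainFailuresAt(chain, date) {
  return chain.filter((c) => !periodValidAt(c, date)).map((c) => c.subject);
}

// Takes the check date from the leaf (chain[0]) rather than from the clock.
function failuresAtLeafDate(chain, field = "notBefore") {
  return chainFailuresAt(chain, chain[0][field]);
}

// Constructed sample data (not real certificates).
const d = (s) => new Date(s + "T00:00:00Z");
const cas = [
  { subject: "intermediate", notBefore: d("2014-01-01"), notAfter: d("2019-01-01") },
  { subject: "root", notBefore: d("2010-01-01"), notAfter: d("2030-01-01") },
];
// Leaf that has expired, but was issued while its CAs were valid.
const expiredButConsistent = [
  { subject: "leaf", notBefore: d("2015-01-01"), notAfter: d("2016-01-01") },
  ...cas,
];
// Leaf whose validity starts after the intermediate CA had already expired.
const issuedAfterCaExpiry = [
  { subject: "leaf", notBefore: d("2020-06-01"), notAfter: d("2021-06-01") },
  ...cas,
];

const now = d("2022-08-25");
console.log("checked now:        ", chainFailuresAt(expiredButConsistent, now));
console.log("checked at leaf date:", failuresAtLeafDate(expiredButConsistent));
console.log("inconsistent chain:  ", failuresAtLeafDate(issuedAfterCaExpiry));
```

A chain like `issuedAfterCaExpiry` would pass if the date check were skipped entirely, while checking at the leaf's date still rejects it.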