Allow disabling of certificate check during signature verification
Hello,
I am using libdigidocpp for XAdES signature verification, and I would like to be able to check the trust status of the certificate myself, with a certificate store other than TSL. Thus, I would like to tell libdigidocpp to verify only the signature itself, and not the signing certificate. Is there any way to do it?
Currently no.
It would be a great flexibility enhancement for the library, right? It would also be an answer to #556.
I imagine it could be done by using a parameter for skipping certificate verification in the Conf, and by checking this parameter before each call to X509CertStore::instance()->verify.
I think this new Conf parameter could also be used for disabling certificate check during timestamp verification, i.e. avoid giving the TS_VFY_SIGNATURE flag if we want to disable certificate check:
https://github.com/open-eid/libdigidocpp/blob/3cff576f1c47226b2385d1cbeca1f63a0b29d701/src/crypto/TS.cpp#L239C1-L239C92
Or perhaps it should be two different parameters, one for disabling certificate check during signature verification, and another for disabling it during timestamp verification.
I would like to contribute to the library on this if it is considered a good enhancement.