Add ConfV6 class with validateSigningCert method
The validateSigningCert method allows bypassing the certificate trust check during signature verification.
Fixes #678
Signed-off-by: Florian Dargère [email protected]
Can you explain the reason?
It allows skipping the check of the trust status of the signing certificate during signature verification, thus allowing the user to verify the trust status by himself, possibly using a store other than TSL. The aim is to be able to verify signatures which have been signed with a certificate trusted from a source other than TSL. It is an answer to #678 and #556 as well. I think it has to be a configuration parameter, in order to be customizable. Thus, I guess it needs a new configuration class, for binary compatibility.
Maybe we should figure out how to make X509CertStore usable as public API?
Do you mean making the X509CertStore::verify function virtual so that custom implementations could override the method with their own verification process?