dgc
In-depth validation of certificates
Right now the library validates a certificate based only on the status of the signature. In reality a certificate can be considered invalid even if the signature validates correctly.
As far as I understand, there are several other factors that we should support in terms of validation:
- Signature validity: already supported ✅
- Certificate emission time and expiry time. The `DgcContainer` struct already collects these timestamps but we offer no easy way to check the current time against them.
- Business Rules (or country-specific rules): see #19 for the dedicated issue.
In the context of this issue I think it will be important to figure out an ergonomic API that:
- makes it easy to validate the certificate in one single operation (function call)
- returns the certificate data (if we can parse it correctly)
- returns a clear error in case validation failed (for instance, it is very important to distinguish whether a certificate is expired or whether it doesn't satisfy a specific regional rule)
Maybe we could have a dedicated `CertificateValidity` struct that can contain various fields like this:

```rust
pub struct CertificateValidity {
    signature: SignatureValidity,
    time: TimeValidity,
    business_rules: BusinessRulesValidity,
}
```
`SignatureValidity`, `TimeValidity` and `BusinessRulesValidity` could be enums that encapsulate all the different validation states that are relevant for each of them. For instance:
```rust
pub enum TimeValidity {
    Valid,
    NotValidYet,
    Expired,
}
```
Finally, we could have an `is_valid()` method on the `CertificateValidity` struct that simply returns `true` or `false` depending on whether all the conditions are satisfied.
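As an added example (not code from the dgc crate or this issue's author), the sketch below wires the proposed enums together: a time check against the container's timestamps, a combined `CertificateValidity` with `is_valid()`, and a `failure()` accessor that names which dimension failed so callers can tell "expired" apart from "fails a country rule". The `Timestamps` stand-in with `issued_at` / `expiration_time` fields and the `validate` / `check_time` function names are assumptions made here; `now` is passed in explicitly rather than read from the clock so the check is deterministic and testable.

```rust
// Added example sketching the validity model proposed in this issue.
// This is NOT the dgc crate's API: the `Timestamps` struct, its field names and
// the `validate` / `check_time` helpers are assumptions made for illustration.

/// Outcome of checking the COSE signature (variant names are assumed here).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SignatureValidity {
    Valid,
    Invalid,
    UnknownIssuer,
}

/// Outcome of comparing the certificate's validity window against `now`.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TimeValidity {
    Valid,
    NotValidYet,
    Expired,
}

/// Outcome of the country-specific rules (see #19); variants assumed here.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum BusinessRulesValidity {
    Valid,
    Failed,
    NotEvaluated,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CertificateValidity {
    pub signature: SignatureValidity,
    pub time: TimeValidity,
    pub business_rules: BusinessRulesValidity,
}

impl CertificateValidity {
    /// True only when every dimension is `Valid`. `NotEvaluated` business
    /// rules deliberately count as failure: an unchecked rule is not a passed rule.
    pub fn is_valid(&self) -> bool {
        self.signature == SignatureValidity::Valid
            && self.time == TimeValidity::Valid
            && self.business_rules == BusinessRulesValidity::Valid
    }

    /// Name the first failing dimension. Signature is reported first because
    /// with a bad signature the timestamps and payload cannot be trusted at all.
    pub fn failure(&self) -> Option<String> {
        if self.signature != SignatureValidity::Valid {
            Some(format!("signature: {:?}", self.signature))
        } else if self.time != TimeValidity::Valid {
            Some(format!("time: {:?}", self.time))
        } else if self.business_rules != BusinessRulesValidity::Valid {
            Some(format!("business rules: {:?}", self.business_rules))
        } else {
            None
        }
    }
}

/// Stand-in for the timestamps the container carries (assumed field names),
/// both as seconds since the Unix epoch, matching the CWT `iat` / `exp` claims.
pub struct Timestamps {
    pub issued_at: u64,
    pub expiration_time: u64,
}

/// Compare the validity window against an explicit `now`.
/// `exp` is treated as exclusive: a certificate is expired at `expiration_time`.
pub fn check_time(ts: &Timestamps, now: u64) -> TimeValidity {
    if now < ts.issued_at {
        TimeValidity::NotValidYet
    } else if now >= ts.expiration_time {
        TimeValidity::Expired
    } else {
        TimeValidity::Valid
    }
}

/// Single-call validation combining the three dimensions.
pub fn validate(
    signature: SignatureValidity,
    ts: &Timestamps,
    business_rules: BusinessRulesValidity,
    now: u64,
) -> CertificateValidity {
    CertificateValidity {
        signature,
        time: check_time(ts, now),
        business_rules,
    }
}

fn main() {
    // Constructed sample window: issued 2021-06-29, expires 2022-06-23 (UTC).
    let ts = Timestamps { issued_at: 1_625_000_000, expiration_time: 1_656_000_000 };
    let v = validate(SignatureValidity::Valid, &ts, BusinessRulesValidity::Valid, 1_660_000_000);
    println!("valid = {}, failure = {:?}", v.is_valid(), v.failure());
}
```

Passing `now` as a parameter also leaves room for a verifier to apply a small clock-skew tolerance before calling `check_time`, without the library having to decide that policy.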