
In-depth validation of certificates

Open lmammino opened this issue 2 years ago • 2 comments

Right now the library validates a certificate based ONLY on the status of the signature. In reality a certificate can be considered invalid even if the signature is validated correctly.

As far as I understand there are several other factors that we should support in terms of validation:

  • Signature validity: already supported ✅
  • Certificate emission time and expiry time. The DgcContainer struct already collects these timestamps but we offer no easy way to check the current time against them.
  • Business Rules (or country-specific rules): see #19 for dedicated issue.

In the context of this issue I think it will be important to figure out an ergonomic API that:

  1. Makes it easy to validate the certificate in one single operation (function call)
  2. Returns the certificate data (if we can parse that correctly)
  3. Returns a clear error in case validation fails (for instance it's very important to distinguish whether a certificate is expired or whether it doesn't satisfy a specific regional rule)

Maybe we could have a dedicated CertificateValidity struct that can contain various fields like this:

pub struct CertificateValidity {
  signature: SignatureValidity,
  time: TimeValidity,
  business_rules: BusinessRulesValidity,
}

SignatureValidity, TimeValidity and BusinessRulesValidity could be enums that encapsulate all the different states of validation that are relevant for them. For instance:

pub enum TimeValidity {
  Valid,
  NotValidYet,
  Expired,
}

Finally we could have an is_valid() method on the CertificateValidity struct that simply returns true if all the conditions are satisfied and false otherwise...

lmammino, Nov 24 '21 22:11
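Added example, not code from the dgc crate or from the issue author: one way the proposed CertificateValidity struct, the three validity enums, is_valid() and the distinguishable error from point 3 could fit together. The check_time, validate and check functions, the ValidationError enum, the extra enum variants (UnknownKey, Failed, NotEvaluated) and the iat/exp parameter names are assumptions made for this illustration; the timestamps in main are constructed.

```rust
// Added example sketching the validity API proposed in the issue. It is not
// the dgc crate's code; every name below that is not in the issue text
// (check_time, validate, check, ValidationError, UnknownKey, Failed,
// NotEvaluated, iat/exp) is an assumption for illustration.

/// Outcome of the COSE signature check (the part the crate already does).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SignatureValidity {
    Valid,
    Invalid,
    /// The key identifier in the certificate matched no trusted public key.
    UnknownKey,
}

/// Outcome of comparing the current time with the issue and expiry timestamps.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TimeValidity {
    Valid,
    NotValidYet,
    Expired,
}

/// Outcome of the country-specific rules (tracked in a separate issue).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum BusinessRulesValidity {
    Valid,
    /// Identifier of the rule that failed, so callers can report it precisely.
    Failed(String),
    /// No rule set was loaded, so nothing could be evaluated.
    NotEvaluated,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CertificateValidity {
    pub signature: SignatureValidity,
    pub time: TimeValidity,
    pub business_rules: BusinessRulesValidity,
}

/// The single, distinguishable error the issue asks for in point 3.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ValidationError {
    Signature(SignatureValidity),
    Time(TimeValidity),
    BusinessRules(BusinessRulesValidity),
}

impl CertificateValidity {
    /// True only when every check passed.
    pub fn is_valid(&self) -> bool {
        self.check().is_ok()
    }

    /// Report the first failing check, in the order signature, time, rules,
    /// so an invalid signature is never masked as "expired" or vice versa.
    pub fn check(&self) -> Result<(), ValidationError> {
        if self.signature != SignatureValidity::Valid {
            return Err(ValidationError::Signature(self.signature.clone()));
        }
        if self.time != TimeValidity::Valid {
            return Err(ValidationError::Time(self.time));
        }
        if self.business_rules != BusinessRulesValidity::Valid {
            return Err(ValidationError::BusinessRules(self.business_rules.clone()));
        }
        Ok(())
    }
}

/// Compare `now` (Unix seconds) with the issued-at (`iat`) and expiry (`exp`)
/// timestamps. Both bounds are inclusive: not valid before `iat`, expired
/// once `now` is past `exp`.
pub fn check_time(iat: u64, exp: u64, now: u64) -> TimeValidity {
    if now < iat {
        TimeValidity::NotValidYet
    } else if now > exp {
        TimeValidity::Expired
    } else {
        TimeValidity::Valid
    }
}

/// Combine the three checks into one result (the "single operation" of point 1).
pub fn validate(
    signature: SignatureValidity,
    iat: u64,
    exp: u64,
    now: u64,
    business_rules: BusinessRulesValidity,
) -> CertificateValidity {
    CertificateValidity { signature, time: check_time(iat, exp, now), business_rules }
}

fn main() {
    // Constructed timestamps: issued 2021-11-24 00:00 UTC, valid for one year.
    let iat: u64 = 1_637_712_000;
    let exp = iat + 365 * 24 * 3600;
    let ok = validate(SignatureValidity::Valid, iat, exp, iat + 3600, BusinessRulesValidity::Valid);
    println!("{:?} -> valid: {}", ok.check(), ok.is_valid());
    let late = validate(SignatureValidity::Valid, iat, exp, exp + 1, BusinessRulesValidity::Valid);
    println!("{:?} -> valid: {}", late.check(), late.is_valid());
}
```

Keeping the per-check enums alongside a Result-returning check() lets a verifier app show "expired" and "fails rule X" differently while still offering the boolean is_valid() shortcut from the issue.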