Pass presented chain to Verifiers #54
Conversation
This approach is thread safe and allows the intermediate set used by a Verifier to be appended with the chain presented by the host.
|
This depends on #53. |
| @@ -127,7 +128,11 @@ type Verifier struct { | |||
| func (v *Verifier) convertOptions(opt *VerificationOptions) (out x509.VerifyOptions) { | |||
| out.CurrentTime = opt.VerifyTime | |||
| out.Roots = v.Roots | |||
| out.Intermediates = v.Intermediates | |||
| if opt.PresentedChain != nil && opt.PresentedChain.Size() > 0 { | |||
| out.Intermediates = v.Intermediates.Sum(opt.PresentedChain) | |||
There was a problem hiding this comment.
It's not clear to me that this is the correct approach. What performance impact does this have? Is this better or worse than adding and removing the chain from the cert pool?
There was a problem hiding this comment.
We can't add and remove the chain from the cert pool while being thread safe in the current setup.
There was a problem hiding this comment.
Alright. What's the performance impact?
There was a problem hiding this comment.
Remove logic would have to reindex everything "after" the certificate being removed in two maps. In the common case this would be quick (remove the last certificate), but it's still pretty gnarly. There's a bunch of edge cases in the removal code (what if multiple certs have the same subject and you're removing only one of them) and in it's usage (what if the presented chain certificate was already in the pool and we remove it?)
There was a problem hiding this comment.
We have no idea what the performance impact of this change is, in the same way we have no idea what the performance of this code before the change is. If we're too slow, we can profile. This feels like optimizing too early.
This approach is thread safe and allows the intermediate set used by a
Verifier to be appended with the chain presented by the host.