Low-level revocation checking #9
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
djc
reviewed
Dec 21, 2025
Comment on lines
+196
to
+217
| cert_serial: String, | ||
|
|
||
| /// The SHA256 hash of the issuer's SubjectPublicKeyInfo structure. | ||
| /// | ||
| /// This must be the base64 encoding of precisely 32 bytes. | ||
| issuer_spki_hash: String, | ||
|
|
||
| /// The Certificate Transparency logs and inclusion timestamps extracted | ||
| /// from the end-entity certificate. | ||
| /// | ||
| /// Ths option should be supplied once for each log. | ||
| /// | ||
| /// The format should be the base64 encoding of the CT log id, followed by | ||
| /// a colon, followed by the decimal encoding of the timestamp. | ||
| ct_timestamps: Vec<String>, | ||
|
|
||
| /// Return an error, and exit with code 2, if the certificate is not covered | ||
| /// by the filter set. | ||
| /// | ||
| /// The default behaviour is to treat the certificate as unrevoked. | ||
| #[arg(long)] | ||
| error_if_uncovered: bool, |
Member
There was a problem hiding this comment.
How about we use more specific types here and wire up clap to understand how to parse these?
For error-if-uncovered, maybe a more concise and less specific name like strict?
| @@ -0,0 +1,74 @@ | |||
| import base64 | |||
Member
There was a problem hiding this comment.
Would you like me to port this to Rust?
Member
Author
There was a problem hiding this comment.
Yes please, eventually I would like to stuff everything into a singular rust program in revoke-test with the same output JSON, so switching over from the python version produces no change in output (which also checks that our rust code agrees with pyca's rust code).
| @@ -0,0 +1,36 @@ | |||
| //! NB. these tests require an up-to-date `revoke-test/decorated.json` input, and | |||
| //! a that the fetched revocation data set matches. They run `upki fetch` into | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.