Fix `verifyServerCertificateChain` failing to pass with old nodeId
tegefaulkes opened this issue · comments
Specification
The verifyServerCertificateChain in client/utils.ts needs to be fixed. By design it should pass verification for a cert chain that contains the desired NodeId anywhere in the valid chain. Currently this is failing.
The function needs to be checked, the exact issue found and a fix applied. Ultimately you should be able to verify a server with any valid NodeId inside its cert chain.
Additional context
- Related #551
- Related #551 (comment)
Tasks
- 1. Find the root cause of the verify function failing to verify with an older NodeId within its chain.
- 2. Apply a fix.
Found the problem. At some point the order the certs were provided in had changed. So it was checking the chain backwards. Now the order is expected to be leaf -> root.
I'm applying this fix to all of the verify functions.
I'm also thinking of moving the agent level verify functions from network to nodes domain. They're not actually shared anywhere.
Standardise it so that the first element of the array is always the leaf.
So leaf, intermediate, root.
The only issue is that if you need to add a new leaf it's an unshift operation. But this is rare.
Generally you care about the leaf first so left to right is more regular.
Ok, both the client and nodes verify functions have been fixed. I added tests for each of them showing that they work as expected. I also moved the nodes verify functions from network to the nodes domain.
If the default order of these arrays is always leaf, intermediate, root, then make sure that when you are printing them out you reverse the order. Because when you print in PEM chain format, it is always root first, then leaf last.
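The ordering rules discussed in this thread (leaf-first in memory, any valid NodeId in the chain accepted, root-first when printed as PEM), as an added model example that is not the project's own code. Certificates are reduced to the fields the check needs and `NodeId` values are constructed placeholders; a real implementation would verify X.509 signatures rather than compare issuer ids.

```typescript
// Added example (not the project's code): a model of the chain-ordering rule.
type NodeId = string;

interface Cert {
  subject: NodeId; // NodeId the cert is issued to
  issuer: NodeId;  // NodeId of the signing cert (same as subject for a root)
  pem: string;     // constructed placeholder PEM block
}

// True when each cert is signed by the next one in the array
// (leaf first, root last) and the final cert is self-signed.
// A chain handed over root-first fails here, which is the bug the thread found.
function isValidChain(chain: Cert[]): boolean {
  if (chain.length === 0) return false;
  for (let i = 0; i < chain.length - 1; i++) {
    if (chain[i].issuer !== chain[i + 1].subject) return false;
  }
  const root = chain[chain.length - 1];
  return root.issuer === root.subject;
}

// Passes when the chain validates leaf -> root and the wanted NodeId appears
// anywhere in it, so an older NodeId further up the chain still verifies.
function verifyServerCertificateChainModel(wanted: NodeId, chain: Cert[]): boolean {
  return isValidChain(chain) && chain.some((c) => c.subject === wanted);
}

// PEM chain output is root first, leaf last: reverse the in-memory order.
function toPemChain(chain: Cert[]): string {
  return [...chain].reverse().map((c) => c.pem).join('\n');
}

// Constructed sample chain in the standardised order: leaf, intermediate, root.
const sampleChain: Cert[] = [
  { subject: 'node-new', issuer: 'node-old', pem: '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----' },
  { subject: 'node-old', issuer: 'node-root', pem: '-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----' },
  { subject: 'node-root', issuer: 'node-root', pem: '-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----' },
];
```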