Allow pinned device certs without a registered CA #839

jjcarstens · 2022-07-01T17:18:13Z

Fixes #838

We were previously requiring that the signer CA to be registered even if the
device certificate was already pinned, which was incorrect. This fixes that to
skip the check if we're being presented with a signer CA so that validation of the
device certificate can happen.

If the device cert is pinned, the check will pass. If not, it will go through the
normal validation flow and fail due to an expired, unregistered signer CA anyway

Fixes #838 We were previously requiring that the signer CA to be registered even if the device certificate was already pinned, which was incorrect. This fixes that to skip the check if we're being presented with a signer CA so that validation of the device certificate can happen. If the device cert is pinned, the check will pass. If not, it will go through the normal validation flow and fail due to an expired, unregistered signer CA anyway

apps/nerves_hub_device/lib/nerves_hub_device/ssl.ex

dnrce · 2022-07-01T21:10:11Z

Thanks, folks!!

jjcarstens requested a review from dnrce July 1, 2022 17:18

fhunleth reviewed Jul 1, 2022

View reviewed changes

apps/nerves_hub_device/lib/nerves_hub_device/ssl.ex Show resolved Hide resolved

fhunleth approved these changes Jul 1, 2022

View reviewed changes

jjcarstens merged commit 9d4d6ad into main Jul 1, 2022

jjcarstens deleted the certs-no-ca branch July 1, 2022 21:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow pinned device certs without a registered CA #839

Allow pinned device certs without a registered CA #839

jjcarstens commented Jul 1, 2022

dnrce commented Jul 1, 2022

Allow pinned device certs without a registered CA #839

Allow pinned device certs without a registered CA #839

Conversation

jjcarstens commented Jul 1, 2022

dnrce commented Jul 1, 2022