Skip to content

fix: fix the timestamp cert chain validation to be independent of the order #1600

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix: fix the timestamp cert chain validation to be independent of the order #1600

wants to merge 3 commits into from

Conversation

@jin-gyu-kim
Copy link

@jin-gyu-kim jin-gyu-kim commented Nov 14, 2025
edited
Loading

Timestamp certificates, which are part of the SignedData, are structured differently from CBOR when forming a chain. Specifically, they are composed as a SET OF type, and the order is not considered. (Refer to RFC5652)
The existing implementation assumes that the certificate chain is structured from leaf to root, which causes some TSA to fail in processing it correctly. (example: Microsoft Timestamp Server, Java Bouncy Castle)
To address this issue, the certificate chain will be sorted into an interpretable format.

Related Issue : #1590

Changes in this pull request

Before validating the timestamp certificate chain, rearrange it from leaf to root.

Checklist

  • This PR represents a single feature, fix, or change.
  • All applicable changes have been documented.
  • Any TO DO items (or similar) have been entered as GitHub issues and the link to that issue has been included in a comment.

@jin-gyu-kim jin-gyu-kim mentioned this pull request Nov 14, 2025
Open
@jin-gyu-kim jin-gyu-kim reopened this Nov 14, 2025
@jin-gyu-kim jin-gyu-kim reopened this Nov 17, 2025
@jin-gyu-kim jin-gyu-kim reopened this Nov 17, 2025
@tmathern tmathern changed the title fix : fix the timestamp cert chain validation to be independent of the order fix: fix the timestamp cert chain validation to be independent of the order Nov 17, 2025
@tmathern tmathern added the check-release Add this label to any PR to invoke a larger suite of tests. label Nov 17, 2025
@codspeed-hq
Copy link

codspeed-hq bot commented Nov 17, 2025
edited
Loading

CodSpeed Performance Report

Merging #1600 will not alter performance

Comparing jin-gyu-kim:fix_timestamp_validation (92efc0f) with main (4e82245)

Summary

✅ 16 untouched
⏩ 2 skipped1

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@ribhavh
Copy link
Contributor

ribhavh commented Nov 17, 2025

@jin-gyu-kim Is it ok if we review this next week? Gavin and Maurice are out for a conference this week.

@jin-gyu-kim
Copy link
Author

jin-gyu-kim commented Nov 20, 2025

@jin-gyu-kim Is it ok if we review this next week? Gavin and Maurice are out for a conference this week.

Yes, that's fine. I will review the feedback next week as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mauricefisher64 mauricefisher64 Awaiting requested review from mauricefisher64

@scouten-adobe scouten-adobe Awaiting requested review from scouten-adobe

@gpeacock gpeacock Awaiting requested review from gpeacock

@ok-nick ok-nick Awaiting requested review from ok-nick

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

check-release Add this label to any PR to invoke a larger suite of tests. safe to test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jin-gyu-kim @ribhavh @tmathern