Add cross signed root support#8
Open
rkoopmans wants to merge 4 commits into
Open
Conversation
rkoopmans
force-pushed
the
dev/cross-signed
branch
2 times, most recently
from
76854b8 to
d603205
Compare
Codecov Report✅ All modified and coverable lines are covered by tests.
🚀 New features to boost your workflow:
|
rkoopmans
force-pushed
the
dev/cross-signed
branch
from
d603205 to
f649153
Compare
There was a problem hiding this comment.
Pull request overview
Adds first-class support for discovering cross-signed root variants from CA AIA bundles, exposing them via the Python API and optionally emitting them from the CLI for “compatibility bundle” use-cases.
Changes:
- Resolver now parses AIA downloads as multi-cert bundles, records cross-signed siblings on
CertificateChain.cross_signs, and deduplicates them. - Models/utilities add multi-certificate PKCS7 loaders plus cross-sign detection via Subject + SPKI fingerprint.
- CLI/docs/tests updated for
--include-cross-signs, plus version bump + changelog entry.
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
tox.ini |
Expands tox matrix / mypy interpreter configuration. |
cert_chain_resolver/utils.py |
Adds *_to_x509_all loaders and routes existing single-cert loaders through them. |
cert_chain_resolver/resolver.py |
Parses AIA bundles, detects cross-sign siblings, stores them on the chain, and recurses. |
cert_chain_resolver/models.py |
Adds public_key_fingerprint, is_cross_sign_of, and CertificateChain.cross_signs storage/dedup. |
cert_chain_resolver/cli.py |
Adds --include-cross-signs, prints cross-sign info, and optionally appends them to bundle output. |
cert_chain_resolver/castore/file_system.py |
Minor typing/comment refactor for _cache. |
cert_chain_resolver/castore/base_store.py |
Minor whitespace cleanup. |
cert_chain_resolver/__init__.py |
Bumps version to 1.5.0. |
tests/test_utils.py |
Adds tests for multi-cert loader behavior and junk-input failures. |
tests/test_resolver.py |
Adds tests for cross-sign recording + dedup behavior during resolution. |
tests/test_models.py |
Adds tests for SPKI fingerprinting, cross-sign predicate, and chain cross-sign container behavior. |
tests/test_cli.py |
Adds arg parsing + output behavior tests for --include-cross-signs and info-mode reporting. |
tests/_utils.py |
Minor formatting tweak. |
README.md |
Documents --include-cross-signs and expected output ordering. |
docs/cli_usage.rst |
Documents new CLI flag and behavior in --info. |
docs/api.rst |
Documents API usage of chain.cross_signs. |
CHANGELOG.md |
Adds 1.5.0 release notes describing cross-sign support. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| depends = | ||
| {py27,py312}: clean | ||
| {py27,py314}: clean | ||
| report: py27,py312 |
Comment on lines
+59
to
+64
| primary = Cert(parents[0]) | ||
| for extra_x509 in parents[1:]: | ||
| extra = Cert(extra_x509) | ||
| if extra.is_cross_sign_of(primary): | ||
| _chain.add_cross_sign(extra) | ||
| parent_bytes = bundle_bytes |
Comment on lines
+37
to
+45
| def load_bytes_to_x509(bytes_input): | ||
| # type: (bytes) -> x509.Certificate | ||
| """Converts Certificate / PKCS7 in ASCII or DER to :py:class:`cryptography.x509.Certificate` object. | ||
|
|
||
| Kept for backwards compatibility; returns only the first certificate when the | ||
| input contains multiple. Prefer :py:func:`load_bytes_to_x509_all` when you need | ||
| every cert in the input. | ||
| """ | ||
| return load_bytes_to_x509_all(bytes_input)[0] |
Comment on lines
+59
to
+63
| return [x509.load_pem_x509_certificate(bytes_input)] | ||
| raise ImproperlyFormattedCert("Cert can not be read! It is not a valid PEM") | ||
|
|
||
|
|
||
| def load_der_to_x509(bytes_input): | ||
| # type: (bytes) -> x509.Certificate | ||
| """Converts bytes formatted DER (PKCS7 or Cert) to :py:class:`cryptography.x509.Certificate` object""" | ||
| def load_der_to_x509_all(bytes_input): |
| print("NotBefore:".ljust(20) + cert.not_valid_before.isoformat()) | ||
| print("NotAfter:".ljust(20) + cert.not_valid_after.isoformat()) | ||
| print("Serial:".ljust(20) + str(cert.serial)) | ||
| print("Sha256Fingeprint:".ljust(20) + str(cert.fingerprint)) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.