Move all pki-verification calls from sdk-Verify() to pki-specific (#29342)

* Move all pki-verification calls from sdk-Verify() to pki-specific
VerifyCertifcate(...); update sdk-Verify to allow multiple chains,
but validate that at least one of those chains is valid.

* Updates to Validate on Parse PEMBlock, so that a single cert or a single key parses (test fixes).

* Add changelog.

* Make test certificate expire in a while, not at linux epoch.

* Remove duplicate code.

* Fix header file + go mod tidy.

* Updates based on review.
Kit Haines
2025-01-29 11:05:55 -05:00
committed by GitHub
parent fbd28dff23
commit 371ffc4bd4
13 changed files with 232 additions and 206 deletions


@@ -312,8 +312,12 @@ func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error) {
}
}
if err := parsedBundle.Verify(); err != nil {
return nil, errutil.UserError{Err: fmt.Sprintf("verification of parsed bundle failed: %s", err)}
if len(certPath) > 1 {
// Don't validate the certificate chain if no certificate exists eg. only a key is given
// And don't validate a chain if it isn't given (eg. only one certificate)
if err := parsedBundle.Verify(); err != nil {
return nil, errutil.UserError{Err: fmt.Sprintf("verification of parsed bundle failed: %s", err)}
}
}
return parsedBundle, nil
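Review bot: the new guard `if len(certPath) > 1` means a bundle holding exactly one certificate plus its private key no longer reaches `parsedBundle.Verify()` at all; if Verify() also checked that the private key matches the leaf certificate, that check is silently lost for this common case, so either confirm that key-to-certificate matching is enforced elsewhere in ParsePEMBundle or narrow the skip to the two cases the comment names (no certificate, or a single certificate) while keeping any key-consistency check on the `len(certPath) == 1` path. The two comment lines would also read better as one sentence with "e.g." rather than "eg.", e.g. `// Skip chain verification when there is no certificate (key-only bundle) or only one certificate (no chain to verify).`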