basicCertificateChainValidator

suspend fun basicCertificateChainValidator(certificateChain: X509CertChain, now: Instant): Boolean

Performs basic certificate chain validation.

Specifically, these checks are performed:

  • every certificate in the chain is signed by the next one,

  • signer certificate's subject matches signed certificate's issuer,

  • certificates are not expired,

  • signer certificate has CERT_SIGN key usage,

  • if the last certificate is self-signed (root) and has basic constraints extension:

    • CA flag is set to true

    • number of certificates in the chain satisfies path length constraint

Return

false (meaning this function cannot find the root certificate and establish trust)

Throws

if the certificate chain is not valid
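
The checks listed above, sketched against the JDK's java.security.cert.X509Certificate as an added example; this is not the library's own implementation. The name basicChainCheck, the use of java.util.Date for now, the leaf-first chain order, rejecting a signer that has no key usage extension, and the RFC 5280 reading of the path length constraint are assumptions.

```kotlin
import java.security.cert.X509Certificate
import java.util.Date

// Hypothetical helper, not the library's code. Chain is assumed leaf-first.
fun basicChainCheck(chain: List<X509Certificate>, now: Date): Boolean {
    require(chain.isNotEmpty()) { "empty chain" }
    for ((i, cert) in chain.withIndex()) {
        // Expiry is checked on every certificate, including the last one.
        require(!now.after(cert.notAfter)) { "certificate $i is expired" }
        val signer = chain.getOrNull(i + 1) ?: break
        // Name chaining: issuer of cert must equal subject of its signer.
        require(cert.issuerX500Principal == signer.subjectX500Principal) {
            "certificate $i: issuer does not match subject of certificate ${i + 1}"
        }
        // keyUsage bit 5 is keyCertSign; a missing extension is rejected (assumption).
        require(signer.keyUsage?.getOrNull(5) == true) {
            "certificate ${i + 1} lacks keyCertSign key usage"
        }
        // Throws (for example SignatureException) if the signature does not verify.
        cert.verify(signer.publicKey)
    }
    val last = chain.last()
    val selfSigned = last.subjectX500Principal == last.issuerX500Principal &&
        runCatching { last.verify(last.publicKey) }.isSuccess
    // 2.5.29.19 is the basicConstraints extension OID.
    val hasBasicConstraints = last.getExtensionValue("2.5.29.19") != null
    if (selfSigned && hasBasicConstraints) {
        // getBasicConstraints() returns -1 when the CA flag is false and
        // Int.MAX_VALUE when CA is true with no path length limit.
        val pathLen = last.basicConstraints
        require(pathLen >= 0) { "root certificate does not have the CA flag set" }
        // RFC 5280 reading: pathLen bounds the intermediates between root and leaf.
        val intermediates = maxOf(chain.size - 2, 0)
        require(intermediates <= pathLen) { "path length constraint violated" }
    }
    // Structurally valid, but no trust anchor was consulted.
    return false
}
```

A false result here only says the chain is internally consistent; the caller still has to match the last certificate against a trusted root before relying on it.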