Optionally allow expired signing certificates? #51
Comments
|
Don't know if you still need this or not, but I've got a call in my fork of this project that includes this ability. It's in version 1.2.0 |
|
Awesome @pboyd04 ! I have an ugly workaround that works for my own needs, but it would be nice to get rid of that. This was for https://github.com/crewjam/saml/ , I don't know if they'd be interested in changing package. There doesn't seem to be much activity in russellhaering/goxmldsig so perhaps it's a good idea to change to something actively maintained. Ping @crewjam |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When validating a signature, the function verifyCertificate verifies that the certificate hasn't expired. Since we've already verified that the certificate is one we trust, it would be nice if we could as an option skip the check of the certificate's notBefore/notAfter.
I can get around it by setting a fake clock to the cert's notBefore in the validation context (and calling Validate multiple times if there are multiple certificates). But it would be nice if you could set a flag in ValidationContext instead.
For context, see also crewjam/saml#234
Would you consider such a feature? I can provide a PR if you wish.
The text was updated successfully, but these errors were encountered: