feat: integrate go-cryptoutil for extensible certificate parsing#335
Pull request overview
Integrates github.com/sirosfoundation/go-cryptoutil to allow opt-in, extension-aware X.509 certificate parsing (e.g., brainpool curves) by threading a *cryptoutil.Extensions through verification/parsing paths while preserving default stdlib behavior when extensions are nil.
Changes:
- Added `pkg/pki.ParseCertificate(der, ext)` helper that delegates to `ext.ParseCertificate` when provided, otherwise uses `x509.ParseCertificate`.
- Plumbed optional crypto extensions into SD-JWT (`VerificationOptions`), mdoc verifier config (`VerifierConfig`), and COSE x5chain parsing (`GetCertificateChainFromSign1`).
- Updated issuer/wallet certificate parsing call sites to use the new helper (currently passing `nil` extensions).
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| pkg/sdjwtvc/verification.go | Adds CryptoExt to options; uses it when parsing x5c headers. |
| pkg/pki/keyloader.go | Adds CryptoExt field and routes PEM chain parsing through pki.ParseCertificate. |
| pkg/pki/cryptoext.go | New shared helper for extension-aware DER certificate parsing. |
| pkg/openid4vp/trust_service.go | Extends ExtractPublicKeyFromX5C to optionally use *cryptoutil.Extensions. |
| pkg/mdoc/verifier.go | Adds CryptoExt to verifier config and passes it to COSE chain extraction. |
| pkg/mdoc/cose.go | Extends GetCertificateChainFromSign1 to optionally parse certs via extensions. |
| internal/wallet/apiv1/vp.go | Switches request-object x5c leaf parsing to pki.ParseCertificate (currently ext=nil). |
| internal/issuer/apiv1/client.go | Switches PEM certificate chain parsing to pki.ParseCertificate (currently ext=nil). |
| go.mod | Adds go-cryptoutil requirement (currently marked // indirect). |
| go.sum | Adds checksum entries for go-cryptoutil. |
Add extension-aware certificate parsing across mdoc, SD-JWT VC, OpenID4VP, PKI, and issuer/wallet packages:
- pkg/pki/cryptoext.go: shared ParseCertificate helper
- pkg/mdoc/cose.go: GetCertificateChainFromSign1 with variadic ext
- pkg/mdoc/verifier.go: CryptoExt on VerifierConfig, wired to chain parsing
- pkg/sdjwtvc/verification.go: CryptoExt on VerificationOptions
- pkg/openid4vp/trust_service.go: extension-aware x5c parsing
- pkg/pki/keyloader.go: CryptoExt on KeyLoader
- internal/issuer/apiv1/client.go: extension-aware PEM chain parsing
- internal/wallet/apiv1/vp.go: extension-aware x5c leaf parsing

All sites fall back to stdlib x509.ParseCertificate when extensions are nil. Enables brainpool and other non-standard certificate algorithms.

- Remove // indirect marker from go-cryptoutil in go.mod
- Use pki.ParseCertificate in trust_service.go to centralize parsing logic
- Add NewKeyLoaderWithExtensions constructor and document thread safety
- Add tests for cryptoext.go, keyloader extensions, and jose.ParseX5CHeader
- Coverage for new code: cryptoext.go 100%, x5c.go ParseX5CHeader 100%

- Lowercase error string in jws_signature.go (ST1005)
- Remove redundant nil checks before len() in claims_extractor.go (S1009)
- Add error checking for json.Unmarshal in vc20_vp_builder_test.go (errcheck)
Pull request overview
Copilot reviewed 16 out of 17 changed files in this pull request and generated 1 comment.
Simplifies test code by using pem.EncodeToMemory rather than manually building PEM with base64 line wrapping.
Summary of Changes
This PR integrates
Key Changes:
Test Coverage:
Code Quality:
Ready for merge.
Summary
Integrates go-cryptoutil to enable extensible certificate parsing across the vc codebase. This allows non-standard X.509 algorithms (e.g. brainpool curves used in EU eIDAS trust services) to be handled transparently through a pluggable `*cryptoutil.Extensions` parameter.

Changes
New file
- `pkg/pki/cryptoext.go`: `ParseCertificate(der, ext)` helper that delegates to extensions when available, falls back to stdlib `x509.ParseCertificate` when nil.

Updated packages
- `pkg/mdoc/cose.go`: `GetCertificateChainFromSign1` accepts variadic `*cryptoutil.Extensions`
- `pkg/mdoc/verifier.go`: `CryptoExt` field on `VerifierConfig`, wired through to certificate chain parsing
- `pkg/sdjwtvc/verification.go`: `CryptoExt` field on `VerificationOptions`, used in x5c header parsing
- `pkg/openid4vp/trust_service.go`: `ExtractPublicKeyFromX5C` accepts variadic extensions
- `pkg/pki/keyloader.go`: `CryptoExt` field on `KeyLoader`
- `internal/issuer/apiv1/client.go`
- `internal/wallet/apiv1/vp.go`

Design principles
- `...*cryptoutil.Extensions` or struct fields, so existing callers work unchanged with nil/zero values.
- `x509.ParseCertificate` when extensions are nil.
- `*cryptoutil.Extensions` (with registered brainpool or other parsers) only when needed.

Dependency
Adds `github.com/sirosfoundation/go-cryptoutil v0.2.0` — a lightweight module (~500 LOC) providing pluggable certificate parsers, signature verifiers, and a cross-protocol algorithm registry.

Testing
All existing tests pass unchanged. The integration is transparent — no behavioral change unless extensions are explicitly configured.
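The opt-in pattern the PR describes (nil extensions fall back to stdlib, variadic parameters keep old call sites compiling), as an added stand-alone illustration that is not code from this PR or from go-cryptoutil. The `Extensions` struct here is an assumed stand-in for `*cryptoutil.Extensions`, and `ParseChain` / `SelfSignedDER` are hypothetical helpers; a constructed P-256 self-signed certificate serves as input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Extensions is an assumed stand-in for *cryptoutil.Extensions: a pluggable
// DER parser that a deployment registers only when it needs non-stdlib curves.
type Extensions struct {
	ParseCertificate func(der []byte) (*x509.Certificate, error)
}

// ParseCertificate follows the PR's helper shape: delegate when an extension
// parser is configured, otherwise keep the default stdlib behaviour.
func ParseCertificate(der []byte, ext *Extensions) (*x509.Certificate, error) {
	if ext != nil && ext.ParseCertificate != nil {
		return ext.ParseCertificate(der) // extension-aware path (e.g. brainpool)
	}
	return x509.ParseCertificate(der) // unchanged default for nil extensions
}

// ParseChain shows the variadic opt-in: existing callers pass nothing and
// still compile; new callers pass one *Extensions. Errors name the offending index.
func ParseChain(ders [][]byte, exts ...*Extensions) ([]*x509.Certificate, error) {
	var ext *Extensions
	if len(exts) > 0 {
		ext = exts[0]
	}
	out := make([]*x509.Certificate, 0, len(ders))
	for i, der := range ders {
		c, err := ParseCertificate(der, ext)
		if err != nil {
			return nil, fmt.Errorf("cert %d: %w", i, err)
		}
		out = append(out, c)
	}
	return out, nil
}

// SelfSignedDER builds a constructed P-256 self-signed certificate for the demo.
func SelfSignedDER(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```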