Reject identities with unrecognised critical extensions

We don't know how to correctly use these identities. In particular, some
identities store parts of their private key material in certificate
extensions to work around hardware limitations. Not understanding these
extensions could lead to encrypting with the wrong protocol and
violating security assumptions.
Jack Grigg
2026-04-08 04:12:35 +01:00
parent 307f5396a8
commit 9503f406ae
2 changed files with 39 additions and 6 deletions
@@ -8,6 +8,12 @@ to 0.3.0 are beta releases.
## [Unreleased]
## [0.3.4] - PLANNED
### Fixed
- `age-plugin-yubikey` now completely ignores any identity that has unrecognised
critical extensions in its certificate, to ensure it doesn't misuse a newer
identity type.
## [0.3.3] - 2023-02-11
### Fixed
- When `age-plugin-yubikey` assists the user in changing their PIN from the
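Review bot: The new 0.3.4 entry under "### Fixed" says the plugin "completely ignores" these identities but gives neither the reason nor the user-visible effect. Consider carrying over the rationale from the commit message (some identities store parts of their private key material in certificate extensions, so not understanding them could lead to encrypting with the wrong protocol), and state whether an ignored identity is reported to the user or skipped silently, so that someone whose identity stops being listed after upgrading can trace it to this entry. Because this changes which identities the plugin will use, a "### Security" or "### Changed" heading may describe it better than "### Fixed", if this changelog uses those sections.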