
feat: add additional certificate field for the trustchain#109

Merged: mvdhoek1 merged 8 commits into master from feat/trust-chain on May 27, 2026

Conversation

@Rovasch Rovasch commented Apr 10, 2026

Allows adding a root certificate in the call; this way we don't have to add additional certificates to the truststore.

Copilot AI review requested due to automatic review settings April 10, 2026 21:59
@Rovasch Rovasch requested a review from a team as a code owner April 10, 2026 21:59

Copilot AI left a comment

Pull request overview

Adds support for configuring a custom root/CA certificate to be used for DigiD-related outbound TLS calls, so deployments can trust non-standard certificate chains without modifying the system truststore.

Changes:

  • Add a new Gravity Forms plugin setting to select a root certificate file.
  • Pass the selected root certificate into Guzzle TLS verification (verify) for outbound HTTP calls.
  • Expose the new root certificate setting via config/digid.php.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File: Description
src/DigiD/GravityFormsAddon.php: Adds a new "root certificate" select field and a helper to list .pem certificates.
src/DigiD/DigiDServiceProvider.php: Builds a Guzzle client with optional verify pointing at the configured root certificate and injects it into metadata resolution.
src/DigiD/Binding/Artifact.php: Adds optional verify to the SOAP artifact resolve request options.
config/digid.php: Adds digid.certificate.root to configuration.



function rootCertificate(): ?String
{
$root = config('digid.certificate.root');
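Review bot: the nullable return type is written as `?String`; PHP accepts it, but scalar type names are conventionally lowercase, so this should read `?string`. Also, the value read from `config('digid.certificate.root')` here is what ends up in Guzzle's `verify` option, so an unset value should yield `null` (system truststore) and a configured path that does not exist should fail loudly in this helper rather than being handed to the HTTP client as-is.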
Contributor
The other certificates have not been checked for existence in ages, but I do think it would be nice to add:

$root = (string) config('digid.certificate.root', '');

// Fail early if the configured root certificate is missing
if (! file_exists($root)) {
    throw new Exception(''); // message left blank in the suggestion
}

Then you can wrap the use of this function in a try/catch block and then use the logException method of the Logger trait in the class.
This trait also runs a do_action() to log the exception to Sentry.

*/
private function getRootCertificates(): array
{
return $this->formatListOfCertificates(glob($this->getCertificateLocation() . '/*.{pem}', GLOB_BRACE));
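Review bot: `'/*.{pem}'` with `GLOB_BRACE` is a brace group with a single alternative, so the flag buys nothing; `glob($this->getCertificateLocation() . '/*.pem')` is equivalent and clearer. Also, `glob()` can return `false` on failure, and that value would be passed straight into `formatListOfCertificates()`, which is declared to return an array; guard with `glob(...) ?: []` so an unreadable certificate directory yields an empty list instead of a type error.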
Contributor
Just to be sure, a .pem is correct? I sometimes also see a .cer/.crt being used for this.

Contributor Author
Yes, I tried with a .cer, but since this is part of a whole chain you need a .pem (which is basically the stacked .cers of the chain).
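As an added example (not the PR's own code), here is a hardened form of the root-certificate helper discussed in this thread: it checks that the configured path is a readable PEM bundle (a DER .cer is rejected, matching the point made above), and builds the Guzzle client with `verify` pointing at that bundle, or at the system truststore when nothing is configured. `config()` and GuzzleHttp\Client are taken from the page; the function names and exception messages are assumptions.

```php
<?php
// Added example, not the plugin's code. Names other than config() and
// GuzzleHttp\Client are hypothetical.

use GuzzleHttp\Client;

/**
 * Count PEM certificate blocks in a file. A trust chain bundle is one or
 * more stacked PEM blocks; a DER-encoded .cer yields zero and is rejected.
 */
function countPemCertificates(string $path): int
{
    $contents = file_get_contents($path);
    if ($contents === false) {
        return 0;
    }
    $count = preg_match_all('/-----BEGIN CERTIFICATE-----/', $contents);
    return $count === false ? 0 : $count;
}

/** Resolve the configured root certificate, or null to use the system truststore. */
function rootCertificatePath(): ?string
{
    $root = (string) config('digid.certificate.root', '');
    if ($root === '') {
        return null;
    }
    if (! is_readable($root)) {
        throw new RuntimeException("Root certificate not readable: {$root}");
    }
    if (countPemCertificates($root) === 0) {
        throw new RuntimeException("Root certificate is not a PEM bundle: {$root}");
    }
    return $root;
}

/** Build the client used for DigiD calls; verification is never disabled. */
function makeDigiDClient(): Client
{
    // A string path makes Guzzle verify against that CA bundle only;
    // true keeps the system truststore. Never pass false.
    return new Client(['verify' => rootCertificatePath() ?? true]);
}
```

The same `verify` value can be reused for the SOAP artifact resolve request options, so a misconfigured path is caught once at startup rather than at the first outbound call.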

SimonvanWijhe previously approved these changes Apr 24, 2026
@mvdhoek1 mvdhoek1 force-pushed the feat/trust-chain branch from b22f9b9 to e11000c Compare May 27, 2026 13:21
@mvdhoek1 mvdhoek1 merged commit e11000c into master May 27, 2026
3 checks passed
@mvdhoek1 mvdhoek1 deleted the feat/trust-chain branch May 27, 2026 13:21
