From 720c6b5d423661a1e479ee86141ba477e445cc10 Mon Sep 17 00:00:00 2001
From: Kelly Brazil
Date: Tue, 19 Jul 2022 17:15:54 -0700
Subject: [PATCH] add note about jc not checking the certificate integrity

---
 docs/parsers/x509_cert.md | 5 +++++
 jc/parsers/x509_cert.py | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/docs/parsers/x509_cert.md b/docs/parsers/x509_cert.md
index f1538a2f..ad4ee7b5 100644
--- a/docs/parsers/x509_cert.md
+++ b/docs/parsers/x509_cert.md
@@ -11,6 +11,11 @@ You can convert other certificate formats (e.g. PKCS #7, PKCS #12, etc.) by
 processing them through a program like `openssl` and sending the output to
 `jc`. (See examples below)
 
+> Note: `jc` does not verify the integrity of the certificate, which
+> requires calculating the hash of the certificate body and comparing it to
+> the the hash in the certificate's signature after it is decrypted with the
+> issuer certificate's public key.
+
 Usage (cli):
 
 $ cat certificate.pem | jc --x509-cert
diff --git a/jc/parsers/x509_cert.py b/jc/parsers/x509_cert.py
index e83e325d..ef7187d9 100644
--- a/jc/parsers/x509_cert.py
+++ b/jc/parsers/x509_cert.py
@@ -6,6 +6,11 @@ You can convert other certificate formats (e.g. PKCS #7, PKCS #12, etc.) by
 processing them through a program like `openssl` and sending the output to
 `jc`. (See examples below)
 
+> Note: `jc` does not verify the integrity of the certificate, which
+> requires calculating the hash of the certificate body and comparing it to
+> the the hash in the certificate's signature after it is decrypted with the
+> issuer certificate's public key.
+
 Usage (cli):
 
 $ cat certificate.pem | jc --x509-cert
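Review bot: The added note in the jc/parsers/x509_cert.py docstring contains a doubled word (`the the hash`), and the same text is repeated in docs/parsers/x509_cert.md. It also describes signature checking in RSA terms only ("decrypted with the issuer certificate's public key"), which does not describe how ECDSA or EdDSA signatures are verified. Stating the consequence rather than the mechanism would be more accurate, for example `> Note: jc only parses the certificate; it does not verify the signature against the issuer's public key, so parsed fields are unauthenticated.` Since the parser appears to be a pure converter, the note could also say that chain, validity-period and revocation checks are not performed, so the output should not drive trust decisions. The module docstring starts and ends outside this hunk.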