crypto/x509: AKI is left blank even for non-self-signed cert when subject matches CA's subject field #20002
Comments
|
Switching to checking the key pair could be done relatively easily as well: https://gist.github.com/mikesmitty/82591b12b7bdafcebe54db96de9a17fa |
|
/cc @agl @mikesmitty I don't know much about x509 nor cryptography, but is the issue here that the AKI field is left blank even on non self signed certs? Am asking in order to formulate a title that is easy to diagnose the issue and is direct. Thanks. |
|
Yeah, that's the gist of it. If the Subject field of the certificate to be signed matches the CA's Subject field then the AKI is left blank, as is done with self-signed certificates. |
odeke-em
changed the title
|
Thank you @mikesmitty. I have modified the title accordingly. Also we welcome contributions, please feel free to send a CL if you have a fix or some ideas on how to fix this. |
|
Just to clarify, the situation here is that you're issuing a certificate whose Subject is equal to the Subject of the parent, but it's not self-signed? If so, that use, while odd, is probably valid and I can certainly see crypto/x509 going wrong there. |
|
@agl That's correct. I was hesitant to submit because it is an unusual use for sure, but I think it would be more correct to check if a cert is self-signed based on the key pair used than the Subject on the template. |
|
I submitted this CL as a possible fix for the issue: https://go-review.googlesource.com/c/40866/ |
|
CL https://golang.org/cl/40866 mentions this issue. |
|
/cc @FiloSottile |
andybons
added
the
NeedsInvestigation
What version of Go are you using (
go version)?1.8.1
What operating system and processor architecture are you using (
go env)?GOARCH="amd64"
GOBIN="/home/dev/go/bin"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/dev/go"
GORACE=""
GOROOT="/usr/lib/golang"
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build983119777=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
What did you do?
Signing any TLS certificates with a matching Subject hits the self-signed cert AKI logic, ignoring the key pairs used, serial number, extensions, and SAN fields. This potentially leaves the AKI field blank even on non-self-signed certs.
What did you expect to see?
The AKI field on a signed certificate should match the CA's SKI
What did you see instead?
The AKI is left blank:
https://play.golang.org/p/MPSqzlITG7
The text was updated successfully, but these errors were encountered: