crypto/x509: certificates with AKID don't chain to parents without SKID [1.11 backport] #30081

Closed
gopherbot opened this issue Feb 4, 2019 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge

@gopherbot

@FiloSottile requested issue #30079 to be considered for backport to the next 1.11 minor release.

@gopherbot please open both backport issues. This is a regression introduced in a minor release.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Feb 4, 2019
@gopherbot gopherbot added this to the Go1.11.6 milestone Feb 4, 2019
@FiloSottile FiloSottile added the CherryPickApproved Used during the release process for point releases label Feb 5, 2019
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Feb 5, 2019
@gopherbot
Author

Change https://golang.org/cl/163739 mentions this issue: [release-branch.go1.11] crypto/x509: consider parents by Subject if AKID has no match

@gopherbot
Author

Closed by merging aa95a1e to release-branch.go1.11.

gopherbot pushed a commit that referenced this issue Feb 26, 2019
…KID has no match

If a certificate somehow has an AKID, it should still chain successfully
to a parent without a SKID, even if the latter is invalid according to
RFC 5280, because only the Subject is authoritative.

This reverts to the behavior before #29233 was fixed in 7701306. Roots
with the right subject will still be shadowed by roots with the right
SKID and the wrong subject, but that's been the case for a long time, and
is left for a more complete fix in Go 1.13.

Updates #30079
Fixes #30081

Change-Id: If8ab0179aca86cb74caa926d1ef93fb5e416b4bb
Reviewed-on: https://go-review.googlesource.com/c/161097
Reviewed-by: Adam Langley <agl@golang.org>
(cherry picked from commit 95e5b07)
Reviewed-on: https://go-review.googlesource.com/c/163739
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@golang golang locked and limited conversation to collaborators Feb 26, 2020
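
The parent lookup the commit message above describes, as an added example: a simplified model, not code from the Go project or from crypto/x509. The `cert` and `pool` types, `candidates`, `strictLookup` and the sample certificates are hypothetical names constructed for illustration, and no signatures are checked.

```go
package main

import "fmt"

// cert is a simplified stand-in for a parsed certificate (hypothetical type,
// not crypto/x509.Certificate). An empty SKID or AKID means "extension absent".
type cert struct{ Subject, Issuer, SKID, AKID string }

// pool indexes candidate parents by SKID and by subject name.
type pool struct{ bySKID, bySubject map[string][]*cert }

func newPool(certs ...*cert) *pool {
	p := &pool{bySKID: map[string][]*cert{}, bySubject: map[string][]*cert{}}
	for _, c := range certs {
		if c.SKID != "" {
			p.bySKID[c.SKID] = append(p.bySKID[c.SKID], c)
		}
		p.bySubject[c.Subject] = append(p.bySubject[c.Subject], c)
	}
	return p
}

// candidates tries the AKID first and falls back to the issuer name only
// when no SKID matched, as the commit title describes.
func (p *pool) candidates(child *cert) []*cert {
	var out []*cert
	if child.AKID != "" {
		out = p.bySKID[child.AKID]
	}
	if len(out) == 0 {
		out = p.bySubject[child.Issuer]
	}
	return out
}

// strictLookup is a hypothetical no-fallback variant: once an AKID is present
// it is the only key, which reproduces the failure in the issue title.
func (p *pool) strictLookup(child *cert) []*cert {
	if child.AKID != "" {
		return p.bySKID[child.AKID]
	}
	return p.bySubject[child.Issuer]
}

func main() {
	leaf := &cert{Subject: "leaf", Issuer: "Root A", AKID: "k1"} // constructed sample
	rootA := &cert{Subject: "Root A"}                            // right subject, no SKID
	rootB := &cert{Subject: "Root B", SKID: "k1"}                // right SKID, wrong subject: shadows rootA
	fmt.Println(len(newPool(rootA).strictLookup(leaf)), len(newPool(rootA).candidates(leaf)),
		newPool(rootA, rootB).candidates(leaf)[0].Subject)
}
```

With both roots in the pool, the fallback never runs because the SKID index already returned `rootB`, which is the shadowing case the commit message leaves for a later fix.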