Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: reject SHA-1 signatures in Verify [1.18 backport] #51852

Closed
gopherbot opened this issue Mar 21, 2022 · 4 comments
Closed

crypto/x509: reject SHA-1 signatures in Verify [1.18 backport] #51852

gopherbot opened this issue Mar 21, 2022 · 4 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge
Milestone
Go1.18.1

Comments

@gopherbot
Copy link

@FiloSottile requested issue #41682 to be considered for backport to the next 1.18 minor release.

If crypto/x509 aims to be compatible with the WebPKI, then I'm afraid this change has to be rolled back or limited to just certificate signatures.

You are, as always, correct :) we'll limit it to just certificates in Go 1.18.1.

Change https://go.dev/cl/394294 mentions this issue: crypto/x509: only disable SHA-1 verification for certificates

@gopherbot please open a backport issue for Go 1.18, we need to fix what's effectively a regression in WebPKI compatibility.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 21, 2022
@gopherbot gopherbot mentioned this issue Mar 21, 2022
Open
@gopherbot gopherbot added this to the Go1.18.1 milestone Mar 21, 2022
@toothrot toothrot added the CherryPickApproved Used during the release process for point releases label Mar 23, 2022
@toothrot
Copy link
Contributor

Approved. This is a serious issue without a good workaround.

@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Mar 23, 2022
@dims dims mentioned this issue Mar 25, 2022
Closed
@cherrymui
Copy link
Member

This is approved and targeting Go 1.18.1, but doesn't have a CL attached to it. @FiloSottile would you like to make a CL, or do we want to delay it? Thanks.

@gopherbot
Copy link
Author

Change https://go.dev/cl/398074 mentions this issue: [release-branch.go1.18] crypto/x509: only disable SHA-1 verification for certificates

@gopherbot
Copy link
Author

Closed by merging abb3f05 to release-branch.go1.18.

gopherbot pushed a commit that referenced this issue Apr 5, 2022
@rolandshoemaker @cherrymui
[release-branch.go1.18] crypto/x509: only disable SHA-1 verification …
abb3f05 
…for certificates

Disable SHA-1 signature verification in Certificate.CheckSignatureFrom,
but not in Certificate.CheckSignature. This allows verification of OCSP
responses and CRLs, which still use SHA-1 signatures, but not on
certificates.

Updates #41682
Fixes #51852

Change-Id: Ia705eb5052e6fc2724fed59248b1c4ef8af6c3fe
Reviewed-on: https://go-review.googlesource.com/c/go/+/394294
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Jordan Liggitt <liggitt@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 35998c0)
Reviewed-on: https://go-review.googlesource.com/c/go/+/398074
Reviewed-by: Cherry Mui <cherryyz@google.com>
@golang golang locked and limited conversation to collaborators Apr 5, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge
Projects
None yet
Milestone
Go1.18.1
Development

No branches or pull requests
3 participants
@toothrot @gopherbot @cherrymui