[release-1.4] Fix check for self-signed certs in EncodeX509Chain #4238
Commits on Jul 21, 2021
-
fix check for self-signed certs in EncodeX509Chain
see also cert-manager#4142 EncodeX509Chain checked for self-signed certs by comparing the subject and issuer of the cert in question, which is invalid since it's perfectly fine for those to match. the correct behavior is to use cert.CheckSignatureFrom(cert). this bug was exposed in 1.4 when ParseSingleCertificateChain started using EncodeX509Chain in the critical path of several issuers; when end-users had leaf certificates with subjects matching their issuer's subject, the bug was triggered. includes newly written tests for EncodeX509Chain and a test for ParseSingleCertificateChain Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.