crypto/x509: CheckSignatureFrom does not verify Issuer matches parent's Subject #14955
However, in the test code linked above,
Thanks for the issue and repro @jsha. I was bored this evening and decided to take a stab at this with https://go-review.googlesource.com/23571 using most of your repro in the tests. I couldn't find your email though @jsha and so far I have requested a review only from @agl. Please feel free to join in.
Here's the list of certificates from the Pilot CT log where the chain contains a link that needs canonicalisation before the Subject and Issuer match. It shows the common name of the certificates in that link followed by the common names of each (unexpired) leaf certificate affected by that link.
There's a small number of public certificates affected, mostly by Siemens and WellsFargo's internal CAs. (The UCA root doesn't appear to be in Mozilla yet.)
I'll wait for comments but, based on this, it looks viable that we would want to require a strict match of issuer/subject when checking chains. (I.e. these certificates would break.)
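The three behaviours discussed in this thread (a signature check that ignores names, a strict byte-for-byte Issuer/Subject match, and a canonicalised comparison that the affected public chains rely on) can be exercised side by side. The following is an added example written for this page; it is not code from the issue, from the linked CL, or from the Go project. The CA name "Example CA", the leaf name "leaf.example.test", and the helper functions `newCA`, `issueLeaf`, `strictParentCheck`, `looseNameMatch` and `scenario` are all hypothetical. It generates a test CA, then issues a leaf that is validly signed by the CA's key but carries a chosen Issuer name, so the Issuer can be made to differ from the CA's Subject exactly, only by case, or entirely.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCA builds a self-signed test CA with the given common name (constructed, not a real CA).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a leaf with caKey but writes issuerCN into the leaf's Issuer,
// so the Issuer may legitimately differ from the CA's actual Subject. This is the
// shape of the problem in the thread: a valid signature under a non-matching name.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, issuerCN string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Copy the CA so CreateCertificate still sees its public key, but override the
	// name it copies into the leaf's Issuer (RawSubject takes precedence, so clear it).
	issuer := *ca
	issuer.RawSubject = nil
	issuer.Subject = pkix.Name{CommonName: issuerCN}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "leaf.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &issuer, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// strictParentCheck is the strict rule proposed in the thread: the child's raw
// Issuer must equal the parent's raw Subject byte for byte, on top of the
// signature and CA-constraint checks that CheckSignatureFrom already performs.
func strictParentCheck(child, parent *x509.Certificate) error {
	if !bytes.Equal(child.RawIssuer, parent.RawSubject) {
		return errors.New("issuer does not match parent's subject")
	}
	return child.CheckSignatureFrom(parent)
}

// looseNameMatch stands in for the canonicalised comparison (here simply a
// case-insensitive CN compare) that the affected chains need before their
// Subject and Issuer agree; a strict byte comparison rejects such links.
func looseNameMatch(child, parent *x509.Certificate) bool {
	return strings.EqualFold(child.Issuer.CommonName, parent.Subject.CommonName)
}

// scenario builds a CA named "Example CA", issues a leaf whose Issuer says
// issuerCN, and reports which of the three checks accept the pair.
func scenario(issuerCN string) (sigOK, strictOK, looseOK bool, err error) {
	ca, caKey, err := newCA("Example CA")
	if err != nil {
		return false, false, false, err
	}
	leaf, err := issueLeaf(ca, caKey, issuerCN)
	if err != nil {
		return false, false, false, err
	}
	return leaf.CheckSignatureFrom(ca) == nil, strictParentCheck(leaf, ca) == nil, looseNameMatch(leaf, ca), nil
}

func main() {
	for _, cn := range []string{"Example CA", "example ca", "Totally Different CA"} {
		sig, strict, loose, err := scenario(cn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("issuer=%q signature=%v strict=%v loose=%v\n", cn, sig, strict, loose)
	}
}
```

Running it shows that `CheckSignatureFrom` accepts all three leaves, because the signature really was made by the CA's key; only the strict check distinguishes the exact-match case from the case-only and fully mismatched ones, and the case-only link is exactly the kind of chain the thread expects a strict rule to break.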