crypto/x509: AuthorityKeyId on self-signed certificates #15194

Closed
vanbroup opened this issue Apr 8, 2016 · 2 comments

@vanbroup vanbroup commented Apr 8, 2016

The crypto/x509 package is setting the AuthorityKeyId by default for all certificates including CA certificates. While this is not wrong according to RFC5280 section 4.2.1.1, it states that setting the authorityKeyIdentifier is optional for self-signed certificates.

> The keyIdentifier field of the authorityKeyIdentifier extension MUST
> be included in all certificates generated by conforming CAs to
> facilitate certification path construction. There is one exception;
> where a CA distributes its public key in the form of a "self-signed"
> certificate, the authority key identifier MAY be omitted. The
> signature on a self-signed certificate is generated with the private
> key associated with the certificate's subject public key. (This
> proves that the issuer possesses both the public and private keys.)
> In this case, the subject and authority key identifiers would be
> identical, but only the subject key identifier is needed for
> certification path building.

I would like to remove the AuthorityKeyId from self-signed certificates to save about 20+ bytes in these certificates, which is useful in constrained environments.

To adopt this change a small change to the following condition is required:
https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1590

I'm happy to submit this change if agreed that this is an improvement to Go.

@bradfitz bradfitz commented Apr 9, 2016

Feel free to send a change. @agl can review.

@bradfitz bradfitz added this to the Unplanned milestone Apr 9, 2016
@agl agl self-assigned this Apr 12, 2016

@gopherbot gopherbot commented Apr 12, 2016

CL https://golang.org/cl/21895 mentions this issue.

@gopherbot gopherbot closed this in b623b71 Apr 14, 2016
@golang golang locked and limited conversation to collaborators Apr 15, 2017
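
The behaviour discussed in this issue, as an added Go example that is not part of the thread or of the Go source tree. It assumes a Go release in which `CreateCertificate` leaves out the authorityKeyIdentifier on a self-signed certificate when the template does not set `AuthorityKeyId`; `Inspect`, `BuildPair`, the subject names and the key identifier bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Inspect: self-signed means issuer == subject and the signature verifies under c's own key.
func Inspect(c *x509.Certificate) (selfSigned, hasAKI bool) {
	selfSigned = bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	return selfSigned, len(c.AuthorityKeyId) > 0
}

// BuildPair returns a constructed self-signed root and a leaf issued by it.
// One sample key is used for both certificates to keep the example short.
func BuildPair() (root, leaf *x509.Certificate, err error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	mint := func(t, parent *x509.Certificate) (*x509.Certificate, error) {
		t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
		der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), key)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	root = &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Root"}, SubjectKeyId: []byte{0xC0, 0xFF, 0xEE}}
	if root, err = mint(root, root); err == nil { // template is its own parent: self-signed
		leaf, err = mint(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Leaf"}}, root)
	}
	return root, leaf, err
}

func main() {
	root, leaf, err := BuildPair()
	if err != nil {
		panic(err)
	}
	fmt.Println("root:", fmt.Sprint(Inspect(root)), "leaf:", fmt.Sprint(Inspect(leaf)))
}
```

The leaf still carries an AuthorityKeyId equal to the root's SubjectKeyId, which is the value path building matches on; only the self-signed root goes without the extension.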