Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: AKI is left blank even for non-self-signed cert when subject matches CA's subject field #20002

Open
mikesmitty opened this issue Apr 16, 2017 · 9 comments

Comments

@mikesmitty
Copy link

commented Apr 16, 2017

What version of Go are you using (go version)?

1.8.1

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN="/home/dev/go/bin"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/dev/go"
GORACE=""
GOROOT="/usr/lib/golang"
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build983119777=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

Signing any TLS certificates with a matching Subject hits the self-signed cert AKI logic, ignoring the key pairs used, serial number, extensions, and SAN fields. This potentially leaves the AKI field blank even on non-self-signed certs.

What did you expect to see?

The AKI field on a signed certificate should match the CA's SKI

What did you see instead?

The AKI is left blank:
https://play.golang.org/p/MPSqzlITG7

@mikesmitty

This comment has been minimized.

Copy link
Author

commented Apr 16, 2017

Switching to checking the key pair could be done relatively easily as well: https://gist.github.com/mikesmitty/82591b12b7bdafcebe54db96de9a17fa

@odeke-em

This comment has been minimized.

Copy link
Member

commented Apr 17, 2017

/cc @agl

@mikesmitty I don't know much about x509 nor cryptography, but is the issue here that the AKI field is left blank even on non self signed certs? Am asking in order to formulate a title that is easy to diagnose the issue and is direct. Thanks.

@mikesmitty

This comment has been minimized.

Copy link
Author

commented Apr 17, 2017

Yeah, that's the gist of it. If the Subject field of the certificate to be signed matches the CA's Subject field then the AKI is left blank, as is done with self-signed certificates.

@odeke-em odeke-em changed the title crypto/x509: Non-self-signed certs hitting self-signed cert logic crypto/x509: AKI is left blank even for non-self-signed cert when subject matches CA's subject field Apr 17, 2017

@odeke-em

This comment has been minimized.

Copy link
Member

commented Apr 17, 2017

Thank you @mikesmitty. I have modified the title accordingly.

Also we welcome contributions, please feel free to send a CL if you have a fix or some ideas on how to fix this.

@agl

This comment has been minimized.

Copy link
Contributor

commented Apr 17, 2017

Just to clarify, the situation here is that you're issuing a certificate whose Subject is equal to the Subject of the parent, but it's not self-signed? If so, that use, while odd, is probably valid and I can certainly see crypto/x509 going wrong there.

@agl agl self-assigned this Apr 17, 2017

@mikesmitty

This comment has been minimized.

Copy link
Author

commented Apr 17, 2017

@agl That's correct. I was hesitant to submit because it is an unusual use for sure, but I think it would be more correct to check if a cert is self-signed based on the key pair used than the Subject on the template.

@mikesmitty

This comment has been minimized.

Copy link
Author

commented Apr 17, 2017

I submitted this CL as a possible fix for the issue: https://go-review.googlesource.com/c/40866/

@gopherbot

This comment has been minimized.

Copy link

commented Apr 17, 2017

CL https://golang.org/cl/40866 mentions this issue.

@andybons

This comment has been minimized.

Copy link
Member

commented Apr 11, 2018

@andybons andybons added this to the Unplanned milestone Apr 11, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.