crypto/x509: certificates with AKID don't chain to parents without SKID #30079
The fix for #29233 broke certificate chains where a certificate has an AKID but the parent doesn't.
These chains are weird (where did the AKID come from if there's no SKID?) and invalid by RFC 5280 (parents MUST have AKID) but they are out there, and as with much of the X.509 ecosystem, we need to live with them.
In the review @sleevi pointed out that the old code was also subtly broken (if a parent with wrong subject but right AKID and one with right subject but no SKID were available, only the former would be considered, failing to build a chain) but that was a way rarer scenario.
We broke this in a minor (security!) release, which is not good, so we should backport a revert, and also fix the subtle case above in Go 1.13.
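A simplified model of the parent-candidate selection described in this issue, added here as an illustration and not taken from crypto/x509 or from the issue author. The `Cert` struct, the rule functions and the sample pool are constructed; `RegressedRule` only reproduces the failure described above, and `TolerantRule` is one assumed way to cover both cases, not the fix Go shipped.

```go
package main

import "fmt"

// Cert models only the fields relevant to parent lookup (not x509.Certificate).
type Cert struct{ Name, Subject, Issuer, SKID, AKID string }

func keyMatch(c, p Cert) bool  { return c.AKID != "" && p.SKID == c.AKID }
func nameMatch(c, p Cert) bool { return p.Subject == c.Issuer }

// filter returns the names of pool entries that ok accepts as parents of c.
func filter(c Cert, pool []Cert, ok func(c, p Cert) bool) (out []string) {
	for _, p := range pool {
		if ok(c, p) {
			out = append(out, p.Name)
		}
	}
	return out
}

// OldRule: key-ID matches win outright; subject lookup is only a fallback.
func OldRule(c Cert, pool []Cert) []string {
	if m := filter(c, pool, keyMatch); len(m) > 0 {
		return m
	}
	return filter(c, pool, nameMatch)
}

// RegressedRule: a child carrying an AKID is matched by key ID only.
func RegressedRule(c Cert, pool []Cert) []string {
	if c.AKID != "" {
		return filter(c, pool, keyMatch)
	}
	return filter(c, pool, nameMatch)
}

// TolerantRule (assumed): match by subject; reject only if both key IDs exist and differ.
func TolerantRule(c Cert, pool []Cert) []string {
	return filter(c, pool, func(c, p Cert) bool {
		return nameMatch(c, p) && (c.AKID == "" || p.SKID == "" || p.SKID == c.AKID)
	})
}

func main() {
	leaf := Cert{Name: "leaf", Issuer: "CA A", AKID: "k1"} // constructed sample data
	pool := []Cert{{Name: "noSKID", Subject: "CA A"}, {Name: "wrongSubj", Subject: "CA B", SKID: "k1"}}
	fmt.Println(OldRule(leaf, pool[:1]), RegressedRule(leaf, pool[:1]), TolerantRule(leaf, pool[:1]))
	fmt.Println(OldRule(leaf, pool), RegressedRule(leaf, pool), TolerantRule(leaf, pool))
}
```

The first line printed covers the regression (the only parent has no SKID); the second covers the rarer case where a wrong-subject certificate with the matching key ID hides the usable parent.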