crypto/x509: certificates with AKID don't chain to parents without SKID [1.11 backport] #30081

gopherbot opened this issue Feb 4, 2019 · 2 comments

@gopherbot gopherbot commented Feb 4, 2019

@FiloSottile requested issue #30079 to be considered for backport to the next 1.11 minor release.

@gopherbot please open both backport issues. This is a regression introduced in a minor release

@gopherbot gopherbot commented Feb 25, 2019

Change mentions this issue: [release-branch.go1.11] crypto/x509: consider parents by Subject if AKID has no match

@gopherbot gopherbot commented Feb 26, 2019

Closed by merging aa95a1e to release-branch.go1.11.

@gopherbot gopherbot closed this Feb 26, 2019
gopherbot pushed a commit that referenced this issue Feb 26, 2019
…KID has no match

If a certificate somehow has an AKID, it should still chain successfully
to a parent without a SKID, even if the latter is invalid according to
RFC 5280, because only the Subject is authoritative.

This reverts to the behavior before #29233 was fixed in 7701306. Roots
with the right subject will still be shadowed by roots with the right
SKID and the wrong subject, but that's been the case for a long time, and
is left for a more complete fix in Go 1.13.

Updates #30079
Fixes #30081

Change-Id: If8ab0179aca86cb74caa926d1ef93fb5e416b4bb
Reviewed-by: Adam Langley
(cherry picked from commit 95e5b07)
Run-TryBot: Filippo Valsorda
TryBot-Result: Gobot Gobot
Reviewed-by: Brad Fitzpatrick
@golang golang locked and limited conversation to collaborators Feb 26, 2020
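
The parent lookup order the commit message describes, as an added Go model that is not the crypto/x509 source and not code from this thread: `Cert`, `Pool` and `Candidates` are hypothetical names, and the certificates are constructed sample data. It contrasts an AKID-only lookup with the Subject fallback, and shows the shadowing case the message leaves for Go 1.13.

```go
package main

import "fmt"

// Cert is a hypothetical stand-in for a parsed certificate (lookup fields only).
type Cert struct {
	Name, Subject, Issuer string
	SKID, AKID            string // empty means the extension is absent
}

type Pool struct{ bySKID, bySubject map[string][]*Cert } // parents indexed two ways

func NewPool(certs ...*Cert) *Pool {
	p := &Pool{map[string][]*Cert{}, map[string][]*Cert{}}
	for _, c := range certs {
		if c.SKID != "" {
			p.bySKID[c.SKID] = append(p.bySKID[c.SKID], c)
		}
		p.bySubject[c.Subject] = append(p.bySubject[c.Subject], c)
	}
	return p
}

// Candidates names the possible parents of child. fallback=false accepts only an
// AKID-to-SKID match; fallback=true retries by Subject when the AKID matches nothing.
func (p *Pool) Candidates(child *Cert, fallback bool) []string {
	var found []*Cert
	if child.AKID != "" {
		found = p.bySKID[child.AKID]
	}
	if len(found) == 0 && (fallback || child.AKID == "") {
		found = p.bySubject[child.Issuer]
	}
	names := []string{}
	for _, c := range found {
		names = append(names, c.Name)
	}
	return names
}

func main() {
	// Constructed data: a root without SKID, a leaf with an AKID, and a decoy
	// root that has the matching SKID but a different Subject.
	root := &Cert{Name: "root-no-skid", Subject: "CN=Example Root"}
	leaf := &Cert{Name: "leaf", Subject: "CN=leaf", Issuer: "CN=Example Root", AKID: "k1"}
	decoy := &Cert{Name: "decoy", Subject: "CN=Other Root", SKID: "k1"}
	fmt.Println(NewPool(root).Candidates(leaf, false))       // AKID-only lookup
	fmt.Println(NewPool(root).Candidates(leaf, true))        // Subject fallback
	fmt.Println(NewPool(root, decoy).Candidates(leaf, true)) // decoy shadows root
}
```

In the third case the only candidate is the decoy, whose Subject does not match the leaf's Issuer, so a verifier that goes on to check names would reject the chain even though the correct root is in the pool.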