crypto/x509: certificates with AKID don't chain to parents without SKID [1.11 backport] #30081

Closed
gopherbot opened this issue Feb 4, 2019 · 2 comments

@gopherbot
commented Feb 4, 2019

@FiloSottile requested issue #30079 to be considered for backport to the next 1.11 minor release.

@gopherbot please open both backport issues. This is a regression introduced in a minor release

@gopherbot

commented Feb 25, 2019

Change https://golang.org/cl/163739 mentions this issue: [release-branch.go1.11] crypto/x509: consider parents by Subject if AKID has no match

@gopherbot

commented Feb 26, 2019

Closed by merging aa95a1e to release-branch.go1.11.

@gopherbot gopherbot closed this Feb 26, 2019

gopherbot pushed a commit that referenced this issue Feb 26, 2019
[release-branch.go1.11] crypto/x509: consider parents by Subject if AKID has no match

If a certificate somehow has an AKID, it should still chain successfully
to a parent without a SKID, even if the latter is invalid according to
RFC 5280, because only the Subject is authoritative.

This reverts to the behavior before #29233 was fixed in 7701306. Roots
with the right subject will still be shadowed by roots with the right
SKID and the wrong subject, but that's been the case for a long time, and
is left for a more complete fix in Go 1.13.

Updates #30079
Fixes #30081

Change-Id: If8ab0179aca86cb74caa926d1ef93fb5e416b4bb
Reviewed-on: https://go-review.googlesource.com/c/161097
Reviewed-by: Adam Langley <agl@golang.org>
(cherry picked from commit 95e5b07)
Reviewed-on: https://go-review.googlesource.com/c/163739
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
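
Added example, not code from the Go project or from this thread: a simplified Go model of the parent lookup the commit message above describes, covering the AKID-only lookup, the Subject fallback, and the shadowing case left for Go 1.13. The `Cert` and `Pool` types, the `Parents` method and all sample certificates are hypothetical and constructed, and signature verification is omitted.

```go
package main

import "fmt"

// Cert holds only the fields the lookup uses (hypothetical type, not x509.Certificate).
type Cert struct {
	Subject, Issuer string
	SKID, AKID      string // empty means the extension is absent
}

// Pool indexes candidate parents by Subject and by SKID (hypothetical type).
type Pool struct{ bySubject, bySKID map[string][]*Cert }

func NewPool(certs ...*Cert) *Pool {
	p := &Pool{map[string][]*Cert{}, map[string][]*Cert{}}
	for _, c := range certs {
		p.bySubject[c.Subject] = append(p.bySubject[c.Subject], c)
		if c.SKID != "" {
			p.bySKID[c.SKID] = append(p.bySKID[c.SKID], c)
		}
	}
	return p
}

// Parents returns the pool entries that could have issued child.
// fallback=false models the regression: a child AKID limits the search to SKID matches.
// fallback=true models the fix: when the AKID matches nothing, search by Subject.
func (p *Pool) Parents(child *Cert, fallback bool) []*Cert {
	var cands, out []*Cert
	if child.AKID != "" {
		cands = p.bySKID[child.AKID]
	}
	if len(cands) == 0 && (child.AKID == "" || fallback) {
		cands = p.bySubject[child.Issuer]
	}
	for _, c := range cands { // only the Subject is authoritative
		if c.Subject == child.Issuer {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	leaf := &Cert{Subject: "leaf", Issuer: "Root A", AKID: "k1"} // constructed sample
	root := &Cert{Subject: "Root A", Issuer: "Root A"}           // no SKID
	other := &Cert{Subject: "Root B", Issuer: "Root B", SKID: "k1"}
	fmt.Println(len(NewPool(root).Parents(leaf, false)))       // regression: no parent
	fmt.Println(len(NewPool(root).Parents(leaf, true)))        // fix: found by Subject
	fmt.Println(len(NewPool(root, other).Parents(leaf, true))) // shadowed by SKID match
}
```

In the third case the pool holds the correct root, but the SKID lookup returns a non-empty candidate list, so the Subject fallback never runs and no parent is found.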