crypto/x509: check that private key matches the issuer #37845

Open
shoobyban opened this issue Mar 13, 2020 · 3 comments

@shoobyban shoobyban commented Mar 13, 2020

I have checked several examples and couldn't find out why my client certificate was invalid, until @FiloSottile pointed out that I'm trying to sign the cert with its own key.

A check is possible as we pass the public key.

func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) {

Behaviour: after successful creation of the certificate, checks fail on connection with "x509: ECDSA verification failure"

Expected behaviour: CreateCertificate would return an error stating signing with own key will not be a successful tactic.
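The check requested in this report can also be done on the caller's side before `CreateCertificate` is called, by comparing the signer's public key with the issuer certificate's public key. This is an added example, not code from the issue or from the Go source tree; `signerMatchesParent` and `newTestCA` are hypothetical names, and the certificates and keys are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// signerMatchesParent (hypothetical helper, not a crypto/x509 API) rejects a signer that is not the issuer's key.
func signerMatchesParent(parent *x509.Certificate, priv crypto.Signer) error {
	pub, ok := priv.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(parent.PublicKey) {
		return fmt.Errorf("private key does not match public key of issuer %q", parent.Subject.CommonName)
	}
	return nil
}

// newTestCA builds a throwaway self-signed ECDSA CA (constructed sample data).
func newTestCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	ca, caKey, err := newTestCA("example test CA")
	_, otherKey, err2 := newTestCA("unrelated")
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	fmt.Println("wrong key:", signerMatchesParent(ca, otherKey)) // a key other than the issuer's, as in the issue
	fmt.Println("CA key:", signerMatchesParent(ca, caKey))
}
```

The comparison relies on the `Equal` method of the standard library public key types, so it is not specific to ECDSA.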

@toothrot toothrot modified the milestones: Backlog, Unreleased Mar 13, 2020
@toothrot toothrot changed the title from "CreateCertificate last argument is slightly confusing for untrained eyes" to "x/crypto: x509.CreateCertificate last argument is slightly confusing for untrained eyes" Mar 13, 2020
@FiloSottile FiloSottile changed the title from "x/crypto: x509.CreateCertificate last argument is slightly confusing for untrained eyes" to "crypto/x509: check that private key matches the issuer" Mar 13, 2020
@FiloSottile FiloSottile modified the milestones: Unreleased, Go1.15 Mar 13, 2020
@FiloSottile FiloSottile self-assigned this Mar 13, 2020

@gopherbot gopherbot commented Mar 19, 2020

Change https://golang.org/cl/224157 mentions this issue: crypto/x509: check the private key passed to CreateCertificate


@odeke-em odeke-em commented May 23, 2020

@FiloSottile shall we move this perhaps to the Go1.16 milestone, or are you thinking of more work on this during Go1.15? Thank you!


@FiloSottile FiloSottile commented Jun 23, 2020

Yep, definitely slipped to Go 1.16.
