
crypto/x509: store stripped down trust anchors #44298

Open
rolandshoemaker opened this issue Feb 16, 2021 · 3 comments
@rolandshoemaker rolandshoemaker commented Feb 16, 2021

Rather than storing full x509.Certificates in the root pool we could instead store only the information that we require to accomplish chain building (SPKI, subject, name constraints), significantly reducing the memory footprint for the pool.

When returning certificate chains from Verify we'd need to construct a stand-in x509.Certificate which is only partially populated (we'd need to decide what fields to set, and what we can get away with setting based on a typical root profile, i.e. is it safe to consistently set the issuer to match the subject, even for roots where the issuer does not actually match?). Depending on what users are doing with certificates it is possible that this could break some things. As such we should try to land this change early in the 1.17 cycle so any significant breakages are signaled early.

This would also reduce binary sizes on iOS where we bundle roots, and also make things like #43958 somewhat more appealing from a binary bloat perspective.

@rolandshoemaker rolandshoemaker added NeedsInvestigation early-in-cycle labels Feb 16, 2021
@rolandshoemaker rolandshoemaker added this to the Go1.17 milestone Feb 16, 2021
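A sketch of the layout the issue proposes, added here as an example and not code from the Go project: a hypothetical trustAnchor type that keeps only subject, SPKI and name constraints, an anchorFromCert helper, and a standIn method that rebuilds the partially populated x509.Certificate Verify would hand back; the chosen fields (IsCA, KeyUsageCertSign, RawIssuer copied from RawSubject) are assumptions, and the self-signed root is constructed demo input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// trustAnchor (hypothetical): only what chain building needs from a root (subject, SPKI, name constraints).
type trustAnchor struct {
	RawSubject, RawSubjectPublicKeyInfo     []byte
	PublicKeyAlgorithm                      x509.PublicKeyAlgorithm
	PermittedDNSDomains, ExcludedDNSDomains []string
}

func anchorFromCert(c *x509.Certificate) trustAnchor {
	return trustAnchor{c.RawSubject, c.RawSubjectPublicKeyInfo, c.PublicKeyAlgorithm,
		c.PermittedDNSDomains, c.ExcludedDNSDomains}
}

// standIn rebuilds the partially populated certificate Verify would hand back. RawIssuer
// is copied from RawSubject (the assumption the issue questions); Subject, validity and Raw stay empty.
func (a trustAnchor) standIn() (*x509.Certificate, error) {
	pub, err := x509.ParsePKIXPublicKey(a.RawSubjectPublicKeyInfo)
	if err != nil {
		return nil, err
	}
	return &x509.Certificate{Version: 3, RawSubject: a.RawSubject, RawIssuer: a.RawSubject,
		RawSubjectPublicKeyInfo: a.RawSubjectPublicKeyInfo, PublicKey: pub,
		PublicKeyAlgorithm: a.PublicKeyAlgorithm, BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: a.PermittedDNSDomains,
		ExcludedDNSDomains: a.ExcludedDNSDomains}, nil
}

func main() {
	// Constructed self-signed root standing in for a bundled trust anchor (demo input only).
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: []string{"example.test"}}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	root, _ := x509.ParseCertificate(der)
	stand, err := anchorFromCert(root).standIn()
	fmt.Println("stand-in err:", err, "signature check:", root.CheckSignatureFrom(stand), "bytes kept:", len(stand.RawSubject)+len(stand.RawSubjectPublicKeyInfo), "of", len(root.Raw))
}
```

The stand-in carries enough for CheckSignatureFrom and name-constraint checks, but anything reading Subject, NotAfter or Raw off the returned root sees zero values, which is the breakage the issue anticipates.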
@josharian josharian commented Feb 16, 2021

cc @bradfitz

@gopherbot gopherbot commented Feb 24, 2021

This issue is currently labeled as early-in-cycle for Go 1.17.
That time is now, so a friendly reminder to look at it again.

@FiloSottile FiloSottile removed the early-in-cycle label Mar 17, 2021
@dmitshur dmitshur commented May 21, 2021

There hasn't been much activity here, and by now it's likely late for Go 1.17. I'll move this to Backlog, but please feel free to update it as needed.

@dmitshur dmitshur removed this from the Go1.17 milestone May 21, 2021
@dmitshur dmitshur added this to the Backlog milestone May 21, 2021