Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ssh: clarify CertChecker.CheckCert usage #58840

Open
rolandshoemaker opened this issue Mar 2, 2023 · 1 comment
Open

x/crypto/ssh: clarify CertChecker.CheckCert usage #58840

rolandshoemaker opened this issue Mar 2, 2023 · 1 comment
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@rolandshoemaker
Copy link
Member

CertChecker.CheckCert has a slightly confusing API, as it appears on the surface as the primary method on the type, but it doesn't actually authenticate the certificate at all, rather it validates the contents and should generally be called after CertChecker.Authenticate. In particular the doc comment refers to checking "the signature of the certificate" is perhaps somewhat misleading, since this simply checks that the self-signature on the certificate is valid (both signature and key are attacker controlled, so don't actually impart any trust).

At the minimum we should update the doc comment to be clearer about what it actually does, and that it succeeding does not infer any trust.

cc @FiloSottile

@rolandshoemaker rolandshoemaker added the NeedsFix The path to resolution is known, but the work has not been done. label Mar 2, 2023
@rolandshoemaker rolandshoemaker added this to the Backlog milestone Mar 2, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/570955 mentions this issue: ssh: clarify CertChecker.CheckCert usage

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Development

No branches or pull requests

2 participants