Skip to content

Fix PreIssuer detection #554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Sep 9, 2025
Merged

Fix PreIssuer detection #554

merged 5 commits into from
Sep 9, 2025

Conversation

@phbnf
Copy link
Collaborator

@phbnf phbnf commented Sep 8, 2025
edited
Loading

Fixes #553

@phbnf phbnf requested a review from AlCutter September 8, 2025 18:17
@phbnf phbnf force-pushed the ekus branch 2 times, most recently from 6a9cb06 to 1e18ded Compare September 8, 2025 18:43
@phbnf phbnf added the bug Something isn't working label Sep 8, 2025
@AGWA
Copy link

AGWA commented Sep 8, 2025

Since it seems really unfortunate that UnknownExtKeyUsage can't be relied on for this, I've filed golang/go#75325

@AGWA
Copy link

AGWA commented Sep 8, 2025

Technically RFC 6962 specifies that a Precertificate Signing Certificate needs to also have CA:true. I'm assuming that's already checked when the whole chain is validated, but maybe it's a good idea to check it in isPreIssuer also in case the function gets used elsewhere?

@phbnf phbnf force-pushed the ekus branch 2 times, most recently from 5b8afe8 to 9ed34cc Compare September 9, 2025 08:46
@phbnf phbnf marked this pull request as ready for review September 9, 2025 09:54
@phbnf phbnf requested a review from a team as a code owner September 9, 2025 09:54
AlCutter
AlCutter approved these changes Sep 9, 2025
View reviewed changes
internal/x509util/ct_test.go Outdated
`)

var preIssuerExt = func() pkix.Extension {
func EKUOIDToExt(ekus []asn1.ObjectIdentifier) pkix.Extension {
Copy link
Collaborator

@AlCutter AlCutter Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ekuExtWithOIDs?

internal/x509util/ct_test.go Outdated
}()
}

var preIssuerExt = EKUOIDToExt([]asn1.ObjectIdentifier{rfc6962.OIDExtKeyUsageCertificateTransparency})
Copy link
Collaborator

@AlCutter AlCutter Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about preIssuerEKUExt?

Probably worth a comment on here about why this rather than using x509 support directly.

Copy link
Collaborator Author

@phbnf phbnf Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Note that we might be able to use x509 support when we build the certificates in tests... Test might even be useful to detect if the x509 library ever changes its behavior. But I decided not to pursue this option, to stay away from any trouble, and to stay consistent with the base implementation.

@phbnf phbnf merged commit bb7cbe0 into transparency-dev:main Sep 9, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AlCutter AlCutter AlCutter approved these changes

Assignees

@AlCutter AlCutter

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

isPreIssuer is incorrect

3 participants

@phbnf @AGWA @AlCutter