Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Duplicate lints about keyIdentifier in certificates #726

Merged
merged 10 commits into from
Jul 9, 2023
Merged

Duplicate lints about keyIdentifier in certificates #726

merged 10 commits into from
Jul 9, 2023

Conversation

christopher-henderson
Copy link
Member

@christopher-henderson christopher-henderson commented Jun 11, 2023
edited
Loading

@mtgag to bring this review to your attention.

Removes a duplicate lint regarding RFC 5280: 4.2.1.1.

Additionally, I believe that the lint itself was slightly inaccurate vis-a-vis RFC 5280.

RFC 5280: 4.2.1.1
The keyIdentifier field of the authorityKeyIdentifier extension MUST
   be included in all certificates generated by conforming CAs to
   facilitate certification path construction.  There is one exception;
   where a CA distributes its public key in the form of a "self-signed"
   certificate, the authority key identifier MAY be omitted.  The
   signature on a self-signed certificate is generated with the private
   key associated with the certificate's subject public key.  (This
   proves that the issuer possesses both the public and private keys.)
   In this case, the subject and authority key identifiers would be
   identical, but only the subject key identifier is needed for
   certification path building.

I've attempted to encode this language a bit more precisely in this lint update.

Integration Test Failures

I'm working through smoke checking these fingerprints, but so far it looks reasonable.

For example, fe716ff3996cd6561b6b63a8c440fdf5489cf48f7834283eebd19b380f3fbc22 features a certificate that is indeed a CA, but is not self signed and does not have the authority key id (well, it has the common name and serial, but not the actual identifier).

004e85ef9f15f74e99904e475d2f79060b6476fe770efa78a3420ac04e1a0dd1
01e87af0c5b740c8b1ccca07192a4284923b3f27672f6e1a64d7a61dac503627
062a76e5196e4c6220aca7d32aa419761101374c11866c3627d5f8a055ece2ce
07ea00e7a2674b25ceceb40d087e4ae943a198c6b8f39861ec3485899b89273f
0b48d55cac84fdee15d81aff9907bb9a5711a95ce23a8d4d5e8862bf15a76a75
0f57b96fa7b31247ec39cb307d38ca2bf3b29f54afd50a351d18533529517b46
1092c43d57bcda0af70291e37fdde88b02de83e3f4013272d4ca2ae3c7498fe4
14239787e8fec7dffa5f4c570b721b96c169acca3f4e95bc3057a3f8a60d7eef
14422a1bd5a91edba7397b8698922369b6af6984ff87acf6139daa919e795a14
15bd3b5690d42f194d60025d607e8babd9479844a6f2a258c53c58a188082a5a
1e4e87ef91cf86303f42b56b50faa6975829f41d3cbe6dd705874e455b72bcf3
2103089af8a390fdb6413b0f1217216ba9f586b599a8bd1c0212c173e4f680de
227ac6e5aebb0a356d4c87317cc8cd683d1c4c67129cee2aa394ad38c0725c93
25ced10a7e5adde5f478cddee3ca51195fa5074b700ea1e1131aa4a86a066b02
2d87ff20fe8ad2305dfb6f3992867ed2bf4fe3e1346212c4345991aac02266e9
2e43f0866626db867502286bbc28b99c8b2dd194ebe474194e4ad98e354c2d3c
2e481ff3a53d293bd49f3cd83976583682b3bd79a160fd6e9ca58725d93b945b
2fa315dc154c213dc0c16fd12fa021ba9974f0c9ae142e24bf3aed150a7ce6fc
330260a69c0887f1b9a498302aecfda17de89a819c7e57e28c40a53080be10e8
33f959714b8fa7ab272bea2ca239403a879044d83a8fd008534d7ee65fa0d42b
383d52436135da76c600da47a0408e3654a571f27164013f49a07ef24042bcc8
3b6d701331a8cb809443e42a732bad675f225b15cc439acf26a09587c885ecfd
3f93569f13812a0ff4735d97eaca84c290d227df394678257e08518c781e7e6c
4aa4641706d04220b6bb08add302094e56bfcacf145d623e3ae8aae72e0e1dfa
4b890bfbbe669090928707351de6149765aefc5505b203b305a9e57fe6c089a9
4bf76d3e3b792bc65785429f314bfd8068924a1b5efe5a9ebcda415d7c7864a7
505d0c2efe18cbfa85d88a1dae3b2e4c21a4516cf20289236944c105f23f06df
52001bf6c2dcf9c5af2a99063fcb172814fb21b2e67e491fc520f07a7068d161
54ee7cea17acd6d0ab21b5bb755cb03fb2c353534c37b5a034a9b79e4b3a19dc
55bb45d85f2157403db9baa033ed2cad7ec9a0c490cc4c5ca8c5399e6eacb7d0
564dbc6a76550fd2d4f4bac6448a1157b33cbd8e0b3fd76d72107540964a85b5
5735a8d44cf917b4d1475673629c5e094d02c1767c43dca7991cf1ffae4e72da
5b690e1cd2bc0016e4db2aabab503745e41f86b2448f2ec06d29f24999debca2
5b9f350c2a76be64bb3c2c6e2a414aeddd0ef0a26d7c97fa7af57d520c60b2e9
5cb9e9de32b187e40ba14fdf200fda62c7b4fbf88d64f77ce02dd6ebe6bcc1b0
5d81d0aa3476f48a5a675d6d3e6ab766bdc8aa167a1a94d79df91b4251082fa4
5e718a3a04d390e280baf893e0761044af2776f5f205f8d56c6755b93755939d
5fc82f5beecaaa2e56dcac515d60b22af4fe4c2da382d70ef1e5c890fe387979
63127643b1ab626a6b6adb968552c835c5dbcde6b85219c74e4b435362393bc9
6a96c4e624607113eb18b521102722956d3283bb83a723efa1eb9b578eac47b5
6d0bd6e1ac0ec398ee8537906d98f378fc7ab49c1e296af233374fa5a271db34
6f6b2d4a309a156c61977fbccf7d2ac9f59623ffcceac3e4ee5a83a18d895275
70831b3fa7c882898e52bb709ca643767339c543213a71b7bbf5d160c430cb09
74eb307a78ac7e8570cc1bae1c51102a6053c96f3332d703285a743bcbd35d9e
7bda50131ea7e55c8fdda63563d12314a7159d5621333ba8bcdad0b8a3a50e6c
8d516d66d1d169005b0854be0c2ad741c7d195bbfa8c4103f89fbc36f5f7f103
8ffedab0cc80a91c04c244ac2a79e0b80072e5563bcf36f0a99ff7eb0b89d793
a3f33c9127889a9cf8d9b596663dcdb36ea9e0ad23d0ba90fafd03ee79258787
a7ffad289ed36fbba729621207504a8055614a5551ae2d580870326985b2ef9d
a829444ad2fb48079a595fbbd88c4e658ee2089a5e129b89aaacce851198ffd7
b3f4b16f8ecebb41474f924feef9b0bd979b3636c34ff2723f673c8eee2af152
c76f70980598c66a8e327e17b495a2276265c4b9a3575efa1d550502a823d591
cf9850ad9aa34ab5cae3e91f651fc470f0fa6c5dac0ae34ca9cd2dc21d9bc8f3
d0d672c2547d574ae055d9e78a993ddbcc74044c4253fbfaca573a67d368e1db
d84c21d568bcadfef335dc897d9b6f9d8059782f9ba05113cc45923bf9c98969
d9bc973f88909696da10833197944ca58ac4a88847779c9133374267100eec58
daffd4056fc368fa648d0ed89b5de0ee931f1b338478abf56929a94d3bd61d46
dcc817f5fe82604d4804fae58b2b72826393e1083d7721d411001fb1346339a0
e22e6b25908e1107a607af060e0b24e50c6d9562ff04f455be0f8df41a5032c0
e3710f0c667e589de8e4aea37e701afaf3fbb6275762e6fea3fd6629544279d6
e71db3a6fe82c4c8b78a6d6a5befda5279082e2fac0cc7ee7878c04ac9a59263
eb04cf5eb1f39afa762f2bb120f296cba520c1b97db1589565b81cb9a17b7244
f2861d7cf7774286f7fdd4c916339f60a5848cec5b64b1057494e93046ff9930
f45b643649788dc0c75f5510c59c7ace0299aa9df911c72049e731b631f94ee9
f5068c4293a26a0e420d02ae4bef27008377e3e7ecd8e5cf194428162e3c40f4
fe716ff3996cd6561b6b63a8c440fdf5489cf48f7834283eebd19b380f3fbc22

Addresses #725

mtgag
mtgag reviewed Jun 13, 2023
View reviewed changes
v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go Outdated
@@ -57,7 +59,23 @@ func (l *authorityKeyIdNoKeyIdField) CheckApplies(c *x509.Certificate) bool {
}

func (l *authorityKeyIdNoKeyIdField) Execute(c *x509.Certificate) *lint.LintResult {
if c.AuthorityKeyId == nil && !util.IsSelfSigned(c) { //will be nil by default if not found in x509.parseCert
if util.IsCACert(c) && util.IsSelfSigned(c) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can remove util.IsCACert(c)? Only if it is self-signed it may be omitted.

Copy link
Member Author

@christopher-henderson christopher-henderson Jun 25, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not quite convinced of that based on the language.

There is one exception; where a CA distributes its public key in the form of a "self-signed" certificate, the authority key identifier MAY be omitted.

It seems to me that this clause is stating that this does apply, specifically to CA certs and not just to any self signed.

Although what exists in practice may of course differ.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is fine.

@christopher-henderson christopher-henderson merged commit 40f2b32 into master Jul 9, 2023
8 checks passed
@christopher-henderson christopher-henderson deleted the duplicate_key_identifier branch July 9, 2023 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zakird zakird zakird approved these changes

@mtgag mtgag Awaiting requested review from mtgag

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@christopher-henderson @zakird @mtgag