qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-18 08:44:43 -07:00
Code Releases Activity

crypto/x509: match RFC suggested SKID generation method

Browse Source 
Rather than hashing the encoding of the SPKI structure, hash the
bytes of the public key itself.

Fixes #39429

Change-Id: I55a0f8f08ab1f1b5702590b47d8b9a92d1dbcc1f
Reviewed-on: https://go-review.googlesource.com/c/go/+/236878
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
Roland Shoemaker 2020-06-07 08:32:28 -07:00 committed by Filippo Valsorda
parent bb8901456c
commit 5b9304e0be
1 changed files with 7 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/crypto/x509/x509.go
View File

@ -2129,16 +2129,13 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
authorityKeyId = parent.SubjectKeyId authorityKeyId = parent.SubjectKeyId
} }
encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
pki := publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey}
subjectKeyId := template.SubjectKeyId subjectKeyId := template.SubjectKeyId
if len(subjectKeyId) == 0 && template.IsCA { if len(subjectKeyId) == 0 && template.IsCA {
// SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2 // SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2:
b, err := asn1.Marshal(pki) // (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
if err != nil { // value of the BIT STRING subjectPublicKey (excluding the tag,
return nil, err // length, and number of unused bits).
} h := sha1.Sum(publicKeyBytes)
h := sha1.Sum(b)
subjectKeyId = h[:] subjectKeyId = h[:]
} }
@ -2147,6 +2144,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
return return
} }
encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
c := tbsCertificate{ c := tbsCertificate{
Version: 2, Version: 2,
SerialNumber: template.SerialNumber, SerialNumber: template.SerialNumber,
@ -2154,7 +2152,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
Issuer: asn1.RawValue{FullBytes: asn1Issuer}, Issuer: asn1.RawValue{FullBytes: asn1Issuer},
Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()}, Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
Subject: asn1.RawValue{FullBytes: asn1Subject}, Subject: asn1.RawValue{FullBytes: asn1Subject},
PublicKey: pki, PublicKey: publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
Extensions: extensions, Extensions: extensions,
} }