af9c5e5dbc
When building an x509 chain the algorithm currently looks for parents that have a subject key identifier (SKID) that matches the child authority key identifier (AKID), if it is present, and returns all matches. If the child doesn't have an AKID, or there are no parents with matching SKID it will instead return all parents that have a subject DN matching the child's issuer DN. Prioritizing AKID/SKID matches over issuer/subject matches means that later in buildChains we have to throw away any pairs where these DNs do not match. This also prevents validation when a child has a SKID with two possible parents, one with matching AKID but mismatching subject DN, and one with a matching subject but missing AKID. In this case the former will be chosen and the latter ignored, meaning a valid chain cannot be built.

This change alters how possible parents are chosen. Instead of doing a two step search it instead only consults the CertPool.byName subject DN map, avoiding issues where possible parents may be shadowed by parents that have SKID but bad subject DNs. Additionally it orders the list of possible parents by the likelihood that they are in fact a match. This ordering follows this pattern:

* AKID and SKID match
* AKID present, SKID missing / AKID missing, SKID present
* AKID and SKID don't match

In an ideal world this should save a handful of cycles when there are multiple possible matching parents by prioritizing parents that have the highest likelihood. This does diverge from past behavior in that it also means there are cases where _more_ parents will be considered than in the past.

Another version of this change could just retain the past behavior, and only consider parents where both the subject and issuer DNs match, and if both parent and child have SKID and AKID also compare those, without any prioritization of the candidate parents.

This change removes an existing test case as it assumes that the CertPool will return a possible candidate where the issuer/subject DNs do not match.

Fixes #30079

Change-Id: I629f579cabb0b3d0c8cae5ad0429cc5a536b3e58
Reviewed-on: https://go-review.googlesource.com/c/go/+/232993
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
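The candidate selection and ordering the message describes, as an added Go illustration that is not the commit's own code: `matchRank`, `orderedParents` and `sampleScenario` are assumed names, and the certificates are constructed structs that set only the DN and key-identifier fields, with plain strings standing in for DER-encoded names.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"sort"
)

// matchRank: 0 = AKID and SKID present and equal, 1 = one of them missing,
// 2 = both present but different (the candidate ordering from the message).
func matchRank(akid []byte, parent *x509.Certificate) int {
	skid := parent.SubjectKeyId
	switch {
	case len(akid) == 0 || len(skid) == 0:
		return 1
	case bytes.Equal(akid, skid):
		return 0
	default:
		return 2
	}
}

// orderedParents keeps pool entries whose subject DN equals the child's issuer
// DN (the single byName lookup) and stable-sorts them by matchRank; an
// AKID/SKID mismatch alone never drops a candidate.
func orderedParents(child *x509.Certificate, pool []*x509.Certificate) []*x509.Certificate {
	var cands []*x509.Certificate
	for _, p := range pool {
		if bytes.Equal(p.RawSubject, child.RawIssuer) {
			cands = append(cands, p)
		}
	}
	sort.SliceStable(cands, func(i, j int) bool {
		return matchRank(child.AuthorityKeyId, cands[i]) < matchRank(child.AuthorityKeyId, cands[j])
	})
	return cands
}

// sampleScenario builds constructed certificates (not parsed from DER) that set
// only the fields the selection consults; the raw DN strings are placeholders.
func sampleScenario() (child *x509.Certificate, pool []*x509.Certificate) {
	ca := []byte("CN=Example CA")
	child = &x509.Certificate{RawIssuer: ca, AuthorityKeyId: []byte{1, 2, 3}}
	pool = []*x509.Certificate{
		{RawSubject: ca, SubjectKeyId: []byte{9, 9, 9}},                 // right DN, wrong SKID: rank 2
		{RawSubject: ca},                                                // right DN, no SKID: rank 1
		{RawSubject: []byte("CN=Other"), SubjectKeyId: []byte{1, 2, 3}}, // matching SKID, wrong DN: excluded
		{RawSubject: ca, SubjectKeyId: []byte{1, 2, 3}},                 // right DN and SKID: rank 0
	}
	return child, pool
}
```

The third pool entry is the shadowing case from the message: under the old two-step search its matching SKID would have hidden the valid DN-matching parents, whereas here it is simply never a candidate.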
The Go Programming Language
Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.
Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.
Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Download and Install
Binary Distributions
Official binary distributions are available at https://golang.org/dl/.
After downloading a binary release, visit https://golang.org/doc/install or load doc/install.html in your web browser for installation instructions.
Install From Source
If a binary distribution is not available for your combination of operating system and architecture, visit https://golang.org/doc/install/source or load doc/install-source.html in your web browser for source installation instructions.
Contributing
Go is the work of thousands of contributors. We appreciate your help!
To contribute, please read the contribution guidelines: https://golang.org/doc/contribute.html
Note that the Go project uses the issue tracker for bug reports and proposals only. See https://golang.org/wiki/Questions for a list of places to ask questions about the Go language.