]> Cypherpunks.ru repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bb89014)
crypto/x509: match RFC suggested SKID generation method
authorRoland Shoemaker <rolandshoemaker@gmail.com>
Sun, 7 Jun 2020 15:32:28 +0000 (08:32 -0700)
committerFilippo Valsorda <filippo@golang.org>
Mon, 8 Jun 2020 16:09:45 +0000 (16:09 +0000)
Rather than hashing the encoding of the SPKI structure, hash the
bytes of the public key itself.

Fixes #39429

Change-Id: I55a0f8f08ab1f1b5702590b47d8b9a92d1dbcc1f
Reviewed-on: https://go-review.googlesource.com/c/go/+/236878
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
src/crypto/x509/x509.go patch | blob | history

diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
index 288c9c666fa10cbaf6f64eef127d00b9f9e7bb7d..338b48861c92e06604c5579d3e3919dfafc1ed94 100644 (file)
--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
@@ -2129,16 +2129,13 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
                authorityKeyId = parent.SubjectKeyId
        }
 
-       encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
-       pki := publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey}
        subjectKeyId := template.SubjectKeyId
        if len(subjectKeyId) == 0 && template.IsCA {
-               // SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2
-               b, err := asn1.Marshal(pki)
-               if err != nil {
-                       return nil, err
-               }
-               h := sha1.Sum(b)
+               // SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2:
+               //   (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
+               //   value of the BIT STRING subjectPublicKey (excluding the tag,
+               //   length, and number of unused bits).
+               h := sha1.Sum(publicKeyBytes)
                subjectKeyId = h[:]
        }
 
@@ -2147,6 +2144,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
                return
        }
 
+       encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
        c := tbsCertificate{
                Version:            2,
                SerialNumber:       template.SerialNumber,
@@ -2154,7 +2152,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
                Issuer:             asn1.RawValue{FullBytes: asn1Issuer},
                Validity:           validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
                Subject:            asn1.RawValue{FullBytes: asn1Subject},
-               PublicKey:          pki,
+               PublicKey:          publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
                Extensions:         extensions,
        }
 
Go GOST TLS 1.3