alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Removed calculating SubjectKeyIdentifier on Rekey

Browse source
This commit is contained in:
dharanikumar-s 2020-07-08 12:52:53 +05:30
parent dfda497929
commit 57fb0c80cf
1 changed files with 15 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
authority/tls.go
View file

@ -3,10 +3,8 @@ package authority
import ( import (
"context" "context"
"crypto" "crypto"
"crypto/sha1"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix"
"encoding/asn1" "encoding/asn1"
"encoding/base64" "encoding/base64"
"encoding/pem" "encoding/pem"
@ -139,7 +137,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
// Renew creates a new Certificate identical to the old certificate, except // Renew creates a new Certificate identical to the old certificate, except
// with a validity window that begins 'now'. // with a validity window that begins 'now'.
func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error) { func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error) {
return a.Rekey(oldCert, oldCert.PublicKey) return a.Rekey(oldCert, nil)
} }
// Func is used for renewing or rekeying based on the public key passed. // Func is used for renewing or rekeying based on the public key passed.
@ -157,7 +155,6 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
now := time.Now().UTC() now := time.Now().UTC()
newCert := &x509.Certificate{ newCert := &x509.Certificate{
PublicKey: pk,
Issuer: a.x509Issuer.Subject, Issuer: a.x509Issuer.Subject,
Subject: oldCert.Subject, Subject: oldCert.Subject,
NotBefore: now.Add(-1 * backdate), NotBefore: now.Add(-1 * backdate),
@ -189,28 +186,27 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
PolicyIdentifiers: oldCert.PolicyIdentifiers, PolicyIdentifiers: oldCert.PolicyIdentifiers,
} }
if pk == nil {
newCert.PublicKey = oldCert.PublicKey
} else {
newCert.PublicKey = pk
}
// Copy all extensions except: // Copy all extensions except:
// 1. Authority Key Identifier - This one might be different if we rotate the intermediate certificate // 1. Authority Key Identifier - This one might be different if we rotate the intermediate certificate
// and it will cause a TLS bad certificate error. // and it will cause a TLS bad certificate error.
// 2. Subject Key Identifier - This should be calculated for the public key passed to this function. // 2. Subject Key Identifier, if rekey - For rekey, SubjectKeyIdentifier extension will be calculated
// for the new public key by NewLeafProfilewithTemplate()
for _, ext := range oldCert.Extensions { for _, ext := range oldCert.Extensions {
if (!ext.Id.Equal(oidAuthorityKeyIdentifier)) && (!ext.Id.Equal(oidSubjectKeyIdentifier)) { if ext.Id.Equal(oidAuthorityKeyIdentifier) {
continue
}
if ext.Id.Equal(oidSubjectKeyIdentifier) && (pk != nil) {
newCert.SubjectKeyId = nil
continue
}
newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext) newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext)
} }
if ext.Id.Equal(oidSubjectKeyIdentifier) {
pubBytes, err := x509.MarshalPKIXPublicKey(pk)
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err,
"authority.Rekey; error marshaling public key", opts...)
}
hash := sha1.Sum(pubBytes)
skiExtension := pkix.Extension{
Id: oidSubjectKeyIdentifier,
Value: append([]byte{4, 20}, hash[:]...),
}
newCert.ExtraExtensions = append(newCert.ExtraExtensions, skiExtension)
}
}
leaf, err := x509util.NewLeafProfileWithTemplate(newCert, a.x509Issuer, a.x509Signer) leaf, err := x509util.NewLeafProfileWithTemplate(newCert, a.x509Issuer, a.x509Signer)
if err != nil { if err != nil {