From d58747802d1b52cadc135449e05774443ed9e7ef Mon Sep 17 00:00:00 2001
From: kruskall <99559985+kruskall@users.noreply.github.com>
Date: Wed, 18 Dec 2024 03:39:05 +0100
Subject: [PATCH 1/2] feat: generate a subject key identifier when creating a certificate

If a subject key id is omitted, go will generate one using sha1. This is described as method 1 in RFC 5280 Section 4.2.1.2. When sha1 is not available (e.g. fips only mode) this method will panic. Update the code to explicitly pass a subject key id to avoid calling sha1 functions. The new SubjectKeyId is generated using method 1 in RFC 7093 Section 2 which takes 160-bits of the SHA-256 hash.
---
internal/pkg/core/authority/ca.go | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/internal/pkg/core/authority/ca.go b/internal/pkg/core/authority/ca.go
index ce6e33b94b5..078f14bd4a2 100644
--- a/internal/pkg/core/authority/ca.go
+++ b/internal/pkg/core/authority/ca.go
@@ -9,6 +9,7 @@ import ( "crypto" "crypto/rand" "crypto/rsa" + "crypto/sha256" "crypto/tls" "crypto/x509" "crypto/x509/pkix"
@@ -54,6 +55,9 @@ func NewCA() (*CertificateAuthority, error) { privateKey, _ := rsa.GenerateKey(rand.Reader, 2048) publicKey := &privateKey.PublicKey + + ca.SubjectKeyId = generateSubjectKeyID(publicKey) + caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, publicKey, privateKey) if err != nil { log.Println("create ca failed", err)
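Review bot: The key-generation error is still discarded in `privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)` in the NewCA hunk, so a failed generation leaves `privateKey` nil and the next line panics before the new `generateSubjectKeyID(publicKey)` call is reached. Since the commit sets out to remove a panic path in FIPS-only mode, this one is worth closing in the same change: `privateKey, err := rsa.GenerateKey(rand.Reader, 2048)` followed by `if err != nil { return nil, err }`. The same discarded error appears in the GeneratePairWithName hunk. NewCA's body starts and ends outside the hunk, so confirm that the later `caBytes, err :=` still compiles once `err` is declared earlier.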
@@ -96,6 +100,16 @@ func NewCA() (*CertificateAuthority, error) { }, nil } +func generateSubjectKeyID(publicKey *rsa.PublicKey) []byte { + // SubjectKeyId generated using method 1 in RFC 7093, Section 2: + // 1) The keyIdentifier is composed of the leftmost 160-bits of the + // SHA-256 hash of the value of the BIT STRING subjectPublicKey + // (excluding the tag, length, and number of unused bits). + publicKeyBytes := x509.MarshalPKCS1PublicKey(publicKey) + h := sha256.Sum256(publicKeyBytes) + return h[:20] +} + // GeneratePair generates child certificate func (c *CertificateAuthority) GeneratePair() (*Pair, error) { return c.GeneratePairWithName("localhost")
@@ -119,6 +133,8 @@ func (c *CertificateAuthority) GeneratePairWithName(name string) (*Pair, error) privateKey, _ := rsa.GenerateKey(rand.Reader, 2048) publicKey := &privateKey.PublicKey + certTemplate.SubjectKeyId = generateSubjectKeyID(publicKey) + // Sign the certificate certBytes, err := x509.CreateCertificate(rand.Reader, certTemplate, c.caCert, publicKey, c.privateKey) if err != nil {
From 61cd3521da8ce7ce5bef50db729748e7b41dfba8 Mon Sep 17 00:00:00 2001
From: kruskall <99559985+kruskall@users.noreply.github.com>
Date: Tue, 22 Apr 2025 16:25:09 +0200
Subject: [PATCH 2/2] Update ca.go
---
internal/pkg/core/authority/ca.go | 1 -
1 file changed, 1 deletion(-)
diff --git a/internal/pkg/core/authority/ca.go b/internal/pkg/core/authority/ca.go
index a01324765cf..0ef0dc65cbd 100644
--- a/internal/pkg/core/authority/ca.go
+++ b/internal/pkg/core/authority/ca.go
@@ -57,7 +57,6 @@ func NewCA() (*CertificateAuthority, error) { privateKey, _ := rsa.GenerateKey(rand.Reader, 2048) publicKey := &privateKey.PublicKey - ca.SubjectKeyId = generateSubjectKeyID(publicKey) caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, publicKey, privateKey) if err != nil {
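Review bot: The comment in `generateSubjectKeyID` does not say why hashing `x509.MarshalPKCS1PublicKey(publicKey)` satisfies RFC 7093. It works because, for RSA, the content of the subjectPublicKey BIT STRING is the PKCS#1 RSAPublicKey structure, which is not true of other key types or of the full SubjectPublicKeyInfo encoding. I would add a doc comment such as `// generateSubjectKeyID returns the RFC 7093 method 1 key identifier for an RSA public key.` and extend the inline comment with that reason, so the helper is not reused for another key type unchanged. The bare `h[:20]` would also read better with a named constant for the 160-bit length. The patch touches only ca.go, so nothing visible here asserts that issued certificates carry the 20-byte SubjectKeyId; a small test would pin that.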