x509: disallow mismatching signature algorithm identifiers #702
Oh bleh, I forgot x509.ParseCertificate is also used for parsing precert tbsCertificates... I think this can probably be made to work together with that, but it's going to be a bit more complicated.
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #702 +/- ##
==========================================
+ Coverage 71.75% 74.22% +2.46%
==========================================
Files 90 81 -9
Lines 9879 8946 -933
==========================================
- Hits 7089 6640 -449
+ Misses 2295 1870 -425
+ Partials 495 436 -59
@Martin2112 @AlCutter do you folks have a strong opinion on this? It's a bit of a spam opportunity hole I'd like to close, but I don't think it's super urgent.
Hey @rolandshoemaker thanks for sending - looks ok to me in principle. @FiloSottile wdyt? Is this something that could/should be fixed upstream? I know you folks have historically been very keen to make the golang
Heh, I actually have a similar upstream change https://go-review.googlesource.com/c/go/+/235118.
Hehe, excellent :)
Yep, happy to look at it for Go 1.16!
… |
This was recently surfaced in https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/p1JoBkfRhOQ/m/pF8ZdjRzCQAJ, let's merge this in.
This prevents an easy method for spamming a log by modifying one of the malleable fields in the certificate structure. Fixes google#699
/gcbrun
This prevents an easy method for spamming a log by modifying one of the
malleable fields in the certificate structure.
Fixes #699
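
The check this pull request is about, as an added example (not code from this PR or from the Go change linked above): RFC 5280 requires the outer signatureAlgorithm to contain the same algorithm identifier as the signature field inside tbsCertificate, and only the inner one is covered by the signature. The type and function names are hypothetical, and requiring a byte-for-byte match is this example's assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// certificate mirrors the start of the RFC 5280 Certificate SEQUENCE, kept raw.
type certificate struct {
	TBS    asn1.RawValue
	SigAlg asn1.RawValue // outer signatureAlgorithm (outside the signed bytes)
}

// tbsPrefix stops at the inner "signature" field; encoding/asn1 accepts the unparsed tail.
type tbsPrefix struct {
	Version int `asn1:"optional,explicit,default:0,tag:0"`
	Serial  *big.Int
	SigAlg  asn1.RawValue // inner AlgorithmIdentifier (inside the signed bytes)
}

// sigAlgIDsMatch reports byte-identity of the two identifiers (strictness assumed here).
func sigAlgIDsMatch(der []byte) (bool, error) {
	var c certificate
	if rest, err := asn1.Unmarshal(der, &c); err != nil || len(rest) != 0 {
		return false, fmt.Errorf("bad certificate: err=%v, %d trailing bytes", err, len(rest))
	}
	var tbs tbsPrefix
	if _, err := asn1.Unmarshal(c.TBS.FullBytes, &tbs); err != nil {
		return false, err
	}
	return bytes.Equal(c.SigAlg.FullBytes, tbs.SigAlg.FullBytes), nil
}

func main() {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)} // constructed throwaway input
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	fmt.Println(sigAlgIDsMatch(der))
}
```

A log front end would run a check like this before accepting a submission and reject the certificate when it returns false.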