authorRasmus Dahlberg <rgdd@glasklarteknik.se>2024-05-16 08:21:13 +0200
committerRasmus Dahlberg <rgdd@glasklarteknik.se>2024-05-16 08:37:49 +0200
commit469c79e469556f9815f6456b8c08fcc9c8d54479 (patch)
tree8c59bc4a7eefcf3f7c9de6ca899b200959d1a0ac /pkg/crtutil
parente0cb52d2929fb0ef2080bb67cc7128d293b975ac (diff)
Use serial number as unique certificate ID
Diffstat (limited to 'pkg/crtutil')
-rw-r--r--pkg/crtutil/crt_util.go11
1 files changed, 8 insertions, 3 deletions
diff --git a/pkg/crtutil/crt_util.go b/pkg/crtutil/crt_util.go
index 11bcd7e..1708834 100644
--- a/pkg/crtutil/crt_util.go
+++ b/pkg/crtutil/crt_util.go
@@ -2,7 +2,6 @@
package crtutil
import (
- "crypto/sha256"
"encoding/pem"
"fmt"
@@ -66,6 +65,12 @@ func CertificateFromLogEntry(leafData, extraData []byte) (x509.Certificate, erro
// UniqueID derives a unique certificate ID. The same value is derived
// regardless of if the (pre-)certificate is logged multiple times.
func UniqueID(crt x509.Certificate) string {
- h := sha256.Sum256([]byte(crt.SerialNumber.String()))
- return fmt.Sprintf("FIXME:%x", h[:]) // not a secure mapping
+ // The CAB BRs state in §7.1.2.7 that serial numbers "MUST be a
+ // non‐sequential number greater than zero (0) and less than 2^159".
+ // https://cabforum.org/working-groups/server/baseline-requirements/documents/TLSBRv2.0.4.pdf
+ //
+ // So, we can assume that serial numbers are unique across CAs. It would be
+ // an improvement to derive this from the certificate bytes though, such
+ // that the identifier is the same for certificates and pre-certificates.
+ return crt.SerialNumber.String()
}
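Review bot: The new comment in UniqueID reads the BR requirement as global uniqueness, but §7.1.2.7 constrains serial numbers per issuing CA; across CAs, and for non-BR or misissued certificates that logs still accept, a collision is possible, and because the serial is chosen by the issuer, two distinct certificates could map to the same ID and one of them be deduplicated away. Keying on issuer plus serial gives the uniqueness the BRs actually provide, e.g. `return fmt.Sprintf("%x:%s", sha256.Sum256(crt.RawIssuer), crt.SerialNumber)`, which would also mean keeping the `crypto/sha256` import that the hunk above removes. The last paragraph of the comment also looks inverted: a certificate and its precertificate already share a serial number, so the serial-based ID is what keeps them equal, whereas deriving from the raw certificate bytes would make them differ unless the SCT list and poison extension were stripped first, so it is worth rewording. If nothing else in the file uses fmt, the import retained in the first hunk is now unused and the file will not compile; that cannot be confirmed from the hunk.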