Use serial number as unique certificate ID

author: Rasmus Dahlberg <rgdd@glasklarteknik.se> 2024-05-16 08:21:13 +0200
committer: Rasmus Dahlberg <rgdd@glasklarteknik.se> 2024-05-16 08:37:49 +0200
commit: 469c79e469556f9815f6456b8c08fcc9c8d54479 (patch)
tree: 8c59bc4a7eefcf3f7c9de6ca899b200959d1a0ac /pkg
parent: e0cb52d2929fb0ef2080bb67cc7128d293b975ac (diff)
1 files changed, 8 insertions, 3 deletions
diff --git a/pkg/crtutil/crt_util.go b/pkg/crtutil/crt_util.go
index 11bcd7e..1708834 100644
--- a/pkg/crtutil/crt_util.go
+++ b/pkg/crtutil/crt_util.go
@@ -2,7 +2,6 @@
 package crtutil
 
 import (
-	"crypto/sha256"
 	"encoding/pem"
 	"fmt"
 
@@ -66,6 +65,12 @@ func CertificateFromLogEntry(leafData, extraData []byte) (x509.Certificate, erro
 // UniqueID derives a unique certificate ID.  The same value is derived
 // regardless of if the (pre-)certificate is logged multiple times.
 func UniqueID(crt x509.Certificate) string {
-	h := sha256.Sum256([]byte(crt.SerialNumber.String()))
-	return fmt.Sprintf("FIXME:%x", h[:]) // not a secure mapping
+	// The CAB BRs state in §7.1.2.7 that serial numbers "MUST be a
+	// non‐sequential number greater than zero (0) and less than 2^159".
+	// https://cabforum.org/working-groups/server/baseline-requirements/documents/TLSBRv2.0.4.pdf
+	//
+	// So, we can assume that serial numbers are unique across CAs.  It would be
+	// an improvement to derive this from the certificate bytes though, such
+	// that the identifier is the same for certificates and pre-certificates.
+	return crt.SerialNumber.String()
 }
author	Rasmus Dahlberg <rgdd@glasklarteknik.se>	2024-05-16 08:21:13 +0200
committer	Rasmus Dahlberg <rgdd@glasklarteknik.se>	2024-05-16 08:37:49 +0200
commit	469c79e469556f9815f6456b8c08fcc9c8d54479 (patch)
tree	8c59bc4a7eefcf3f7c9de6ca899b200959d1a0ac /pkg
parent	e0cb52d2929fb0ef2080bb67cc7128d293b975ac (diff)