-rw-r--r-- | pkg/crtutil/crt_util.go | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/pkg/crtutil/crt_util.go b/pkg/crtutil/crt_util.go
index 11bcd7e..1708834 100644
--- a/pkg/crtutil/crt_util.go
+++ b/pkg/crtutil/crt_util.go
@@ -2,7 +2,6 @@ package crtutil
 import (
- "crypto/sha256"
 "encoding/pem"
 "fmt"
@@ -66,6 +65,12 @@ func CertificateFromLogEntry(leafData, extraData []byte) (x509.Certificate, erro
 // UniqueID derives a unique certificate ID. The same value is derived
 // regardless of if the (pre-)certificate is logged multiple times.
 func UniqueID(crt x509.Certificate) string {
- h := sha256.Sum256([]byte(crt.SerialNumber.String()))
- return fmt.Sprintf("FIXME:%x", h[:]) // not a secure mapping
+ // The CAB BRs state in §7.1.2.7 that serial numbers "MUST be a
+ // non‐sequential number greater than zero (0) and less than 2^159".
+ // https://cabforum.org/working-groups/server/baseline-requirements/documents/TLSBRv2.0.4.pdf
+ //
+ // So, we can assume that serial numbers are unique across CAs. It would be
+ // an improvement to derive this from the certificate bytes though, such
+ // that the identifier is the same for certificates and pre-certificates.
+ return crt.SerialNumber.String()
 }
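Review bot: The conclusion in the new comment that serial numbers are unique across CAs does not follow from the quoted requirement: BR §7.1.2.7 (like RFC 5280 §4.1.2.2) only makes the serial unique per issuer, the BRs do not bind non-compliant or test CAs whose certificates also land in CT logs, and log entries from before the 64-bit-entropy rule exist, so two distinct certificates can share a serial and UniqueID would map them to the same ID despite its doc comment promising uniqueness. Including the issuer keeps the value identical for a certificate and its pre-certificate (same issuer, same serial) while separating issuers, e.g. `sum := sha256.Sum256(crt.RawIssuer)` followed by `return fmt.Sprintf("%x:%s", sum[:], crt.SerialNumber.String())`, which would require keeping the `crypto/sha256` import that the first hunk removes (this assumes x509 here is crypto/x509, which exposes RawIssuer). One caveat worth recording in the comment either way: when a pre-certificate is signed by a dedicated Precertificate Signing Certificate (RFC 6962 §3.1) its issuer name differs from the final certificate's, so an issuer-qualified ID would diverge in that case and the "derive from certificate bytes" improvement mentioned in the comment is the more robust long-term fix.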