From 469c79e469556f9815f6456b8c08fcc9c8d54479 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Thu, 16 May 2024 08:21:13 +0200 Subject: Use serial number as unique certificate ID --- pkg/crtutil/crt_util.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pkg/crtutil/crt_util.go b/pkg/crtutil/crt_util.go index 11bcd7e..1708834 100644 --- a/pkg/crtutil/crt_util.go +++ b/pkg/crtutil/crt_util.go @@ -2,7 +2,6 @@ package crtutil import ( - "crypto/sha256" "encoding/pem" "fmt" @@ -66,6 +65,12 @@ func CertificateFromLogEntry(leafData, extraData []byte) (x509.Certificate, erro // UniqueID derives a unique certificate ID. The same value is derived // regardless of if the (pre-)certificate is logged multiple times. func UniqueID(crt x509.Certificate) string { - h := sha256.Sum256([]byte(crt.SerialNumber.String())) - return fmt.Sprintf("FIXME:%x", h[:]) // not a secure mapping + // The CAB BRs state in §7.1.2.7 that serial numbers "MUST be a + // non‐sequential number greater than zero (0) and less than 2^159". + // https://cabforum.org/working-groups/server/baseline-requirements/documents/TLSBRv2.0.4.pdf + // + // So, we can assume that serial numbers are unique across CAs. It would be + // an improvement to derive this from the certificate bytes though, such + // that the identifier is the same for certificates and pre-certificates. + return crt.SerialNumber.String() } -- cgit v1.2.3