Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Export the outer (unsigned) signatureAlgorithm of a Certificate #213

Open
sleevi opened this issue Mar 11, 2020 · 0 comments
Open

Export the outer (unsigned) signatureAlgorithm of a Certificate #213

sleevi opened this issue Mar 11, 2020 · 0 comments

Comments

@sleevi
Copy link

sleevi commented Mar 11, 2020

parseCertificate currently only exposes the TBSCertificate.SignatureAlgorithm on the exported x509.Certificate, as captured in the following lines:

zcrypto/x509/x509.go

Lines 1508 to 1512 in 2177ed1

out.Signature = in.SignatureValue.RightAlign()
out.SignatureAlgorithm =
GetSignatureAlgorithmFromAI(in.TBSCertificate.SignatureAlgorithm)
out.SignatureAlgorithmOID = in.TBSCertificate.SignatureAlgorithm.Algorithm

While unsigned (and thus freely malleable), it would be useful to also access the signatureAlgorithm on the certificate, defined here:

zcrypto/x509/x509.go

Line 134 in 2177ed1

SignatureAlgorithm pkix.AlgorithmIdentifier

This would be useful for linting tools to ensure that the outer and the inner signature algorithms are consistent. While the outer algorithm is fully maleable, and unsigned, this can be used by CAs to signal concerns with the production of their certificates in-house.

See the discussion in zmap/zlint#377 (comment) for added context
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sleevi