
CA: Add lint/check that leaf Issuer bytes match issuer's Subject bytes

Open aarongable opened this issue 2 years ago • 2 comments

This idea came out of remediation for https://bugzilla.mozilla.org/show_bug.cgi?id=1838667

One of the x509 requirements is that every cert's Issuer field must be byte-for-byte identical to its issuer's Subject field. The Go crypto/x509 CreateCertificate function is supposed to guarantee this.

However, we do not have a lint that checks this, because the zlint lints are contextless: we don't have a way to supply the issuer cert to compare the new cert's Issuer bytes against.

Since we're already thinking about lint-like checks which require more context to operate (see #6964 and #6945), we should consider this one too.

aarongable avatar Jun 28 '23 22:06 aarongable
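What the proposed contextual check looks like in Go, as an added example that is not Boulder's, the ceremony tool's, or zlint's code: `checkIssuerMatchesSubject` compares the leaf's `RawIssuer` against the issuer's `RawSubject` byte for byte, which is the comparison crypto/x509 itself uses to pair a certificate with its parent. Beside it, `naiveIssuerCheck` shows why re-encoding the parsed `pkix.Name` is not enough. The fixtures are constructed for this example (the names `caA`, `caB`, "Example CA" and `leaf.example.test` are hypothetical): `caB` carries the same attributes as `caA` but with the RDNs in the opposite order, so its DER differs while the parsed name is identical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// checkIssuerMatchesSubject is the contextual check the issue asks for: the leaf's
// Issuer DER must equal the issuer's Subject DER, which is also how crypto/x509 chaining pairs them.
func checkIssuerMatchesSubject(leaf, issuer *x509.Certificate) error {
	if !bytes.Equal(leaf.RawIssuer, issuer.RawSubject) {
		return fmt.Errorf("leaf Issuer %x != issuer Subject %x", leaf.RawIssuer, issuer.RawSubject)
	}
	return nil
}

// naiveIssuerCheck is the check to avoid: ToRDNSequence re-encodes parsed names in Go's
// canonical attribute order, so subjects whose DER differs only in RDN order compare equal.
func naiveIssuerCheck(leaf, issuer *x509.Certificate) error {
	a, errA := asn1.Marshal(leaf.Issuer.ToRDNSequence())
	b, errB := asn1.Marshal(issuer.Subject.ToRDNSequence())
	if errA != nil || errB != nil || !bytes.Equal(a, b) {
		return fmt.Errorf("issuer mismatch after re-encoding (%v, %v)", errA, errB)
	}
	return nil
}

// newCA self-signs a CA. A non-nil rawSubject is used verbatim as the Subject DER.
func newCA(subject pkix.Name, rawSubject []byte) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject, RawSubject: rawSubject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildFixtures makes constructed test data with hypothetical names: caA in Go's canonical
// order (O, then CN), caB with the same attributes as CN then O, and a leaf issued by caA.
func buildFixtures() (leaf, caA, caB *x509.Certificate, err error) {
	name := pkix.Name{Organization: []string{"Example"}, CommonName: "Example CA"}
	caA, keyA, err := newCA(name, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	reordered, err := asn1.Marshal(pkix.RDNSequence{
		{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "Example CA"}}, // CN first
		{{Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Example"}},   // then O
	})
	if err != nil {
		return nil, nil, nil, err
	}
	if caB, _, err = newCA(name, reordered); err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example.test"},
		DNSNames: []string{"leaf.example.test"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, leafTmpl, caA, &leafKey.PublicKey, keyA)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, err = x509.ParseCertificate(der)
	return leaf, caA, caB, err
}

func main() {
	leaf, caA, caB, err := buildFixtures()
	if err != nil {
		panic(err)
	}
	fmt.Println("byte check vs caA:", checkIssuerMatchesSubject(leaf, caA))
	fmt.Println("byte check vs caB:", checkIssuerMatchesSubject(leaf, caB))
	fmt.Println("naive check vs caB:", naiveIssuerCheck(leaf, caB))
}
```

The byte comparison accepts `caA` and rejects `caB`, while the re-encoding check accepts both; a chain built against `caB` would still fail in crypto/x509 because the pool looks parents up by raw Subject bytes. Since the check needs the issuer certificate as an input, it fits a CA- or issuance-side check that already has the issuer in hand, or a zlint that is configured with the issuer's Subject DER, which is the trade-off discussed in this issue.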

We're accomplishing this in the ceremony tool. We'd want basically the same thing?

pgporada avatar Apr 26 '24 19:04 pgporada

Yep. We could do it directly inside the CA or Issuance package, or we could do it as a zlint, in which case it would need to be configurable.

aarongable avatar Apr 29 '24 23:04 aarongable