From 9e258bad935b5bc36cf9f2ba720b3cd21f25a227 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Mon, 30 Jul 2018 03:14:15 +0200
Subject: [PATCH] Add a SubjectKeyId to the root CA

Not really useful for #47, but good to have and a RFC 5280 MUST. See https://twitter.com/FiloSottile/status/1023564776834826240
---
 cert.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/cert.go b/cert.go
index 02f927e..fd15414 100644
--- a/cert.go
+++ b/cert.go
@@ -7,8 +7,10 @@ package main
 import (
 "crypto/rand"
 "crypto/rsa"
+ "crypto/sha1"
 "crypto/x509"
 "crypto/x509/pkix"
+ "encoding/asn1"
 "encoding/pem"
 "io/ioutil"
 "log"
@@ -134,17 +136,31 @@ func (m *mkcert) loadCA() {
 func (m *mkcert) newCA() {
 priv, err := rsa.GenerateKey(rand.Reader, 3072)
 fatalIfErr(err, "failed to generate the CA key")
+ pub := priv.PublicKey
 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 fatalIfErr(err, "failed to generate serial number")
+ spkiASN1, err := x509.MarshalPKIXPublicKey(&pub)
+ fatalIfErr(err, "failed to encode public key")
+
+ var spki struct {
+ Algorithm pkix.AlgorithmIdentifier
+ SubjectPublicKey asn1.BitString
+ }
+ _, err = asn1.Unmarshal(spkiASN1, &spki)
+ fatalIfErr(err, "failed to decode public key")
+
+ skid := sha1.Sum(spki.SubjectPublicKey.Bytes)
+
 tpl := &x509.Certificate{
 SerialNumber: serialNumber,
 Subject: pkix.Name{
 Organization: []string{"mkcert development CA"},
 OrganizationalUnit: []string{userAndHostname},
 },
+ SubjectKeyId: skid[:],
 NotAfter: time.Now().AddDate(10, 0, 0),
 NotBefore: time.Now(),
@@ -156,7 +172,6 @@ func (m *mkcert) newCA() {
 MaxPathLenZero: true,
 }
- pub := priv.PublicKey
 cert, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &pub, priv)
 fatalIfErr(err, "failed to generate CA certificate")
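Review bot: In the second hunk of newCA, `skid := sha1.Sum(spki.SubjectPublicKey.Bytes)` brings `crypto/sha1` into the CA-generation path with no comment saying why, which is what a linter or a later audit will flag and what someone may then "fix" by swapping the hash. SHA-1 here follows RFC 5280 section 4.2.1.2 method (1) and only derives an identifier for the key, so collision resistance is not relied on; I would add above the line `// SubjectKeyId per RFC 5280 4.2.1.2 (1): SHA-1 of the subjectPublicKey BIT STRING contents; an identifier, not an integrity check.` The anonymous `spki` struct would also benefit from a one-line comment saying that it mirrors SubjectPublicKeyInfo so the hash covers only the key bits and not the algorithm identifier. newCA's body continues past the end of the hunk.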