Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 7fd64f60c607878c60e8c9eff2f21139fe389d6e^! / . / osbase
commit7fd64f60c607878c60e8c9eff2f21139fe389d6e[log] [tgz]
authorTim Windelschmidt <tim@monogon.tech>Sun Jun 29 02:32:31 2025 +0200
committerTim Windelschmidt <tim@monogon.tech>Mon Jun 30 00:02:45 2025 +0000
tree41634730b730156b62f92e00d0aa2841eb700f0b
parent8fd51cd0cb06584bdfe2e7884662276d0c7bfe9b [diff]
osbase/pki: remove SKID workaround

We are way newer than Go 1.15.

Closes #476

Change-Id: I876d2974598b7daadc9c99e452f57dd6b97a02cb
Reviewed-on: https://review.monogon.dev/c/monogon/+/4351
Reviewed-by: Leopold Schabel <leo@monogon.tech>
Tested-by: Jenkins CI

diff --git a/osbase/pki/BUILD.bazel b/osbase/pki/BUILD.bazel
index c7087d1..ba1cbc7 100644
--- a/osbase/pki/BUILD.bazel
+++ b/osbase/pki/BUILD.bazel

@@ -6,7 +6,6 @@
         "ca.go",
         "certificate.go",
         "crl.go",
-        "x509.go",
     ],
     importpath = "source.monogon.dev/osbase/pki",
     visibility = ["//visibility:public"],

diff --git a/osbase/pki/ca.go b/osbase/pki/ca.go
index ff6d639..4bc637b 100644
--- a/osbase/pki/ca.go
+++ b/osbase/pki/ca.go

@@ -15,6 +15,11 @@
 	clientv3 "go.etcd.io/etcd/client/v3"
 )
 
+var (
+	// From RFC 5280 Section 4.1.2.5
+	UnknownNotAfter = time.Unix(253402300799, 0)
+)
+
 // Issuer is an entity that can issue certificates. This interface is
 // implemented by SelfSigned, which is an issuer that emits self-signed
 // certificates, and any other Certificate that has been created with CA(),
@@ -40,16 +45,10 @@
 		return
 	}
 
-	skid, err := calculateSKID(req.PublicKey)
-	if err != nil {
-		return nil, err
-	}
-
 	req.Template.SerialNumber = serialNumber
 	req.Template.NotBefore = time.Now()
 	req.Template.NotAfter = UnknownNotAfter
 	req.Template.BasicConstraintsValid = true
-	req.Template.SubjectKeyId = skid
 
 	// Set the AuthorityKeyID to the SKID of the signing certificate (or self,
 	// if self-signing).

diff --git a/osbase/pki/x509.go b/osbase/pki/x509.go
deleted file mode 100644
index 2db1b19..0000000
--- a/osbase/pki/x509.go
+++ /dev/null

@@ -1,44 +0,0 @@
-// Copyright The Monogon Project Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package pki
-
-import (
-	"crypto"
-	"crypto/sha1"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"time"
-)
-
-var (
-	// From RFC 5280 Section 4.1.2.5
-	UnknownNotAfter = time.Unix(253402300799, 0)
-)
-
-// Workaround for https://github.com/golang/go/issues/26676 in Go's
-// crypto/x509. Specifically Go violates Section 4.2.1.2 of RFC 5280 without
-// this. Fixed for 1.15 in https://go-review.googlesource.com/c/go/+/227098/.
-//
-// Taken from https://github.com/FiloSottile/mkcert/blob/master/cert.go#L295
-// Written by one of Go's crypto engineers
-//
-// TODO(lorenz): remove this once we migrate to Go 1.15.
-func calculateSKID(pubKey crypto.PublicKey) ([]byte, error) {
-	spkiASN1, err := x509.MarshalPKIXPublicKey(pubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	var spki struct {
-		Algorithm        pkix.AlgorithmIdentifier
-		SubjectPublicKey asn1.BitString
-	}
-	_, err = asn1.Unmarshal(spkiASN1, &spki)
-	if err != nil {
-		return nil, err
-	}
-	skid := sha1.Sum(spki.SubjectPublicKey.Bytes)
-	return skid[:], nil
-}