use key instead of subject to check root cert (#31)

pete911 · May 22, 2023 · 42d0d71 · 42d0d71
1 parent 9e1bc55
commit 42d0d71
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 1 deletion.
diff --git a/pkg/cert/cert_test.go b/pkg/cert/cert_test.go
@@ -89,6 +89,17 @@ func Test_rootIdentification(t *testing.T) {
 	})
 }
 
+func Test_intermediateIdentification(t *testing.T) {
+	t.Run("given intermediate certificate issuer is identical to subject but authority and subject keys are different then identify as intermediate", func(t *testing.T) {
+		certificate, err := FromBytes(loadTestFile(t, "intermediate_same_issuer_and_subject.pem"))
+		require.NoError(t, err)
+		require.Len(t, certificate, 1)
+		require.Equal(t, certificate[0].x509Certificate.RawSubject, certificate[0].x509Certificate.RawIssuer)
+		require.NotEmpty(t, certificate[0].x509Certificate.AuthorityKeyId)
+		require.Equal(t, "intermediate", CertificateType(certificate[0].x509Certificate))
+	})
+}
+
 // --- helper functions ---
 
 func loadTestCertificates(t *testing.T, file string) Certificates {

diff --git a/pkg/cert/testdata/intermediate_same_issuer_and_subject.pem b/pkg/cert/testdata/intermediate_same_issuer_and_subject.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpzCCAo+gAwIBAgIUcIb+kg9o1L8z1boqCRj+wHtRlYYwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjMwNTIyMjAwMzEzWhcNMjgw
+NTIwMjAwMzQzWjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKLmE6eul1IaAfkN1KOxGeCHlmRghRJBmHUCKKZj
+B3wu9ACH2qV9fEiUf+8LunX7yTj/L1ez22Tj1Fnwz4UROH/cIr0/+sgy2ski/btZ
+oMkCbr/dv9oU5PNJKWFBJrNw8KaKiA3NCpri7YI7UdH0FDQu2xjZz11wQp2qlgcF
+LrtbiRzjANrjFu130BHOlU8d4laigQjFLv1t9NmzMaGyEXRSotHjK/0tUzdBbMBD
+ZAIyikzXQJh1uiqu36mc1pjYyByq3+JEL34FLMbxqt+sXpR+bVnFZ3TvmADwoGRY
+1fk3wSmq774E8+wXRkIAqY2yRrAWKSOn8QUfToRpC21GOEECAwEAAaOB7DCB6TAO
+BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjjGsrYGp
+OVxRX17zeZP3olYePeQwHwYDVR0jBBgwFoAUczPHYaeWxmeyNxTEd4ELZX5M5+ow
+OwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4xOjgy
+MDAvdjEvcGtpL2NhMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMDEGA1UdHwQqMCgw
+JqAkoCKGIGh0dHA6Ly8xMjcuMC4wLjE6ODIwMC92MS9wa2kvY3JsMA0GCSqGSIb3
+DQEBCwUAA4IBAQB8LSBYOJdoDHlESFjLKXSD5ZhydlKaNLdMV7F7EIG52MXMW9iS
+gBxkOWo5a8MfnD1QORWT36R4drJO1QVsfJf4bhinuhlaGFVOLBUzBi8VAmmBH4qe
+T2LorQxrWHf8WoycwZIzHc9KcT/xPMedo9NwdiYnPX8c6kpUWI0SMs8lTXnCZf9f
+NSyIV4ILPyGpLlKNjcTmCDa+8gQol7kgqDpyGSni/mf4MYaoU8CsTQdAak8IiiOT
+JsZ8ZfSqH5pXWDs1/15+owhITUWc5CsmMGjQ55H1YIKbkQrXW2NmDde5zCDicfFN
+58SuYX+K9o7qZCwZoS5zc9eoE4tQuurQWU84
+-----END CERTIFICATE-----
diff --git a/pkg/cert/util.go b/pkg/cert/util.go
@@ -46,7 +46,7 @@ func ValidityFormat(t time.Time) string {
 
 func CertificateType(cert *x509.Certificate) string {
 
-	if bytes.Equal(cert.RawSubject, cert.RawIssuer) || cert.AuthorityKeyId == nil {
+	if cert.AuthorityKeyId == nil || bytes.Equal(cert.AuthorityKeyId, cert.SubjectKeyId) {
 		return "root"
 	}