enables identification of root certificate if subject and issuer iden…

…tical in spite of defined authority key id. (#30)
pete911 · May 20, 2023 · b85f701 · b85f701
1 parent fe0279e
commit b85f701
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/pkg/cert/cert_test.go b/pkg/cert/cert_test.go
@@ -69,6 +69,26 @@ func Test_expiryFormat(t *testing.T) {
 	})
 }
 
+func Test_rootIdentification(t *testing.T) {
+	t.Run("given certificate issuer is identical to subject but authority key id is set then identify as root", func(t *testing.T) {
+		certificate, err := FromBytes(loadTestFile(t, "root_with_authority_key_id.pem"))
+		require.NoError(t, err)
+		require.Len(t, certificate, 1)
+		require.Equal(t, certificate[0].x509Certificate.RawSubject, certificate[0].x509Certificate.RawIssuer)
+		require.NotEmpty(t, certificate[0].x509Certificate.AuthorityKeyId)
+		require.Equal(t, "root", CertificateType(certificate[0].x509Certificate))
+	})
+
+	t.Run("given certificate authority key id is unset then identify as root", func(t *testing.T) {
+		certificate, err := FromBytes(loadTestFile(t, "cert.pem"))
+		require.NoError(t, err)
+		require.Len(t, certificate, 1)
+		assert.Len(t, certificate[0].x509Certificate.AuthorityKeyId, 0)
+		assert.True(t, certificate[0].x509Certificate.IsCA)
+		require.Equal(t, "root", CertificateType(certificate[0].x509Certificate))
+	})
+}
+
 // --- helper functions ---
 
 func loadTestCertificates(t *testing.T, file string) Certificates {

diff --git a/pkg/cert/testdata/root_with_authority_key_id.pem b/pkg/cert/testdata/root_with_authority_key_id.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
+RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
+PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
+xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
+Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
+hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
+EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
+FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
+nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
+eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
+hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
+Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
+vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
++OkuE6N36B9K
+-----END CERTIFICATE-----
diff --git a/pkg/cert/util.go b/pkg/cert/util.go
@@ -1,6 +1,7 @@
 package cert
 
 import (
+	"bytes"
 	"crypto/x509"
 	"time"
 )
@@ -45,9 +46,10 @@ func ValidityFormat(t time.Time) string {
 
 func CertificateType(cert *x509.Certificate) string {
 
-	if cert.AuthorityKeyId == nil {
+	if bytes.Equal(cert.RawSubject, cert.RawIssuer) || cert.AuthorityKeyId == nil {
 		return "root"
 	}
+
 	if cert.IsCA {
 		return "intermediate"
 	}