This introduces a small new package, `precert`, with one function `Correspond` that checks a precertificate against a final certificate to see if they correspond in the relationship described in RFC 6962. This also modifies the `issuance` package so that RequestFromPrecert generates an IssuanceRequest that keeps a reference to the precertificate's bytes. This allows `issuance.Prepare` to do a correspondence check when preparing to sign the final certificate. Note in particular that the correspondence check is done against the _linting_ version of the final certificate. This allows us to catch correspondence problems before the real, trusted signature is actually made. Fixes #6945
Files in the test data directory: bad/, good/, README.md

README.md
The data in this directory consists of real certificates issued by Let's Encrypt in 2023. The ones under the bad directory were issued during the Duplicate Serial Numbers incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1838667) and differ in the presence or absence of a second policyIdentifier in the Certificate Policies extension. The ones under the good directory were issued shortly after recovery from the incident and represent a correct correspondence relationship.
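As an added example, not code from this change or from Boulder, the following Go program shows the RFC 6962 correspondence check the commit describes and reproduces the kind of mismatch the bad/ data exhibits: a second policyIdentifier present in the final certificate but not in the precertificate. Its `Correspond` compares the parsed TBS fields and requires the extension lists to be identical once the poison extension is dropped from the precertificate and the SCT list extension from the final certificate; it assumes the precertificate was signed by the issuing CA itself, so it does not handle a Precertificate Signing Certificate, where issuer and AKI may legitimately differ. The issuer and subject names, serial number, validity window, placeholder second policy OID and the empty SCT list are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RFC 6962 extension OIDs: precertificate poison (section 3.1) and embedded SCT list (section 3.3).
var oidPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// dropExt returns exts without entries whose OID is oid, preserving order.
func dropExt(exts []pkix.Extension, oid asn1.ObjectIdentifier) []pkix.Extension {
	var out []pkix.Extension
	for _, e := range exts {
		if !e.Id.Equal(oid) {
			out = append(out, e)
		}
	}
	return out
}

// Correspond checks the RFC 6962 section 3.2 relationship on parsed fields: the two
// TBSCertificates must agree except that the poison extension is removed and an SCT list
// extension may be added. Issuer and AKI must match (no Precertificate Signing Certificate).
// Illustrative only; this is not Boulder's precert.Correspond.
func Correspond(precertDER, finalDER []byte) error {
	pre, err := x509.ParseCertificate(precertDER)
	if err != nil {
		return fmt.Errorf("parsing precertificate: %w", err)
	}
	fin, err := x509.ParseCertificate(finalDER)
	if err != nil {
		return fmt.Errorf("parsing final certificate: %w", err)
	}
	preExts := dropExt(pre.Extensions, oidPoison)
	finExts := dropExt(fin.Extensions, oidSCTList)
	switch {
	case len(preExts) == len(pre.Extensions) || len(dropExt(fin.Extensions, oidPoison)) != len(fin.Extensions):
		return errors.New("poison extension must be present in the precertificate and absent from the final certificate")
	case pre.Version != fin.Version || pre.SignatureAlgorithm != fin.SignatureAlgorithm ||
		pre.SerialNumber.Cmp(fin.SerialNumber) != 0 ||
		!pre.NotBefore.Equal(fin.NotBefore) || !pre.NotAfter.Equal(fin.NotAfter):
		return errors.New("version, signature algorithm, serial number or validity differs")
	case !bytes.Equal(pre.RawIssuer, fin.RawIssuer) || !bytes.Equal(pre.RawSubject, fin.RawSubject) ||
		!bytes.Equal(pre.RawSubjectPublicKeyInfo, fin.RawSubjectPublicKeyInfo):
		return errors.New("issuer, subject or subject public key differs")
	case len(preExts) != len(finExts):
		return fmt.Errorf("extension count differs: %d vs %d", len(preExts), len(finExts))
	}
	for i, p := range preExts {
		f := finExts[i]
		if !p.Id.Equal(f.Id) || p.Critical != f.Critical || !bytes.Equal(p.Value, f.Value) {
			return fmt.Errorf("extension %v differs between precertificate and final certificate", p.Id)
		}
	}
	return nil
}

// buildPair issues a constructed precertificate/final certificate pair from a throwaway issuer
// (not Let's Encrypt data). With secondPolicy set, the final certificate carries an extra
// policyIdentifier, the kind of mismatch the bad/ directory exhibits.
func buildPair(secondPolicy bool) ([]byte, []byte, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader is assumed not to fail
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Signing only needs the issuer name and key identifier, so no CA certificate is built.
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Test CA"}, SubjectKeyId: []byte{1, 2, 3, 4}}
	issue := func(last pkix.Extension, policies ...asn1.ObjectIdentifier) ([]byte, error) {
		infos := make([]struct{ Policy asn1.ObjectIdentifier }, len(policies)) // PolicyInformation, no qualifiers
		for i, p := range policies {
			infos[i].Policy = p
		}
		cpVal, _ := asn1.Marshal(infos) // Certificate Policies value: SEQUENCE OF PolicyInformation
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(0x1234), Subject: pkix.Name{CommonName: "example.com"},
			DNSNames:     []string{"example.com"},
			NotBefore:    time.Date(2023, 6, 20, 12, 0, 0, 0, time.UTC), NotAfter: time.Date(2023, 9, 18, 12, 0, 0, 0, time.UTC),
			KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			// CreateCertificate emits ExtraExtensions last, so both certificates share one extension order.
			ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: cpVal}, last},
		}
		return x509.CreateCertificate(rand.Reader, tmpl, issuer, &leafKey.PublicKey, caKey)
	}
	dv := asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}           // CA/B Forum DV policy OID
	extra := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // constructed placeholder for a second OID
	finalPolicies := []asn1.ObjectIdentifier{dv}
	if secondPolicy {
		finalPolicies = append(finalPolicies, extra)
	}
	// Poison is critical with an ASN.1 NULL value; the SCT list is an OCTET STRING holding a
	// TLS-encoded list, here an empty placeholder rather than real SCTs.
	pre, err := issue(pkix.Extension{Id: oidPoison, Critical: true, Value: []byte{0x05, 0x00}}, dv)
	if err != nil {
		return nil, nil, err
	}
	sctVal, _ := asn1.Marshal([]byte{0x00, 0x00})
	fin, err := issue(pkix.Extension{Id: oidSCTList, Value: sctVal}, finalPolicies...)
	return pre, fin, err
}

func main() {
	for _, second := range []bool{false, true} {
		pre, fin, _ := buildPair(second)
		fmt.Println("second policyIdentifier in final cert:", second, "-> Correspond:", Correspond(pre, fin))
	}
}
```

Run with `go run .`: the first pair passes, the second is rejected on extension 2.5.29.32 (Certificate Policies), which is where a byte-level comparison of the whole TBSCertificate would only have reported "mismatch". Passing the final certificate as the precertificate is also rejected, since it carries no poison extension; doing the same check against the linting certificate, as the commit does, means such a mismatch surfaces before the trusted key signs anything.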