Skip to content

Replace SHA-1 with SHA-256 for X.509 SubjectKeyIdentifier computation#41

Open
G-Gobi wants to merge 1 commit into
cloudfoundry:masterfrom
G-Gobi:fix/replace-sha1-with-sha256-subjectkeyid
Open

Replace SHA-1 with SHA-256 for X.509 SubjectKeyIdentifier computation#41
G-Gobi wants to merge 1 commit into
cloudfoundry:masterfrom
G-Gobi:fix/replace-sha1-with-sha256-subjectkeyid

Conversation

@G-Gobi

@G-Gobi G-Gobi commented Jun 18, 2026

Copy link
Copy Markdown

Summary

Fixes #39

  • Removes the deprecated crypto/sha1 import and bigIntHash(*big.Int) method, which hashed only the RSA key modulus (privateKey.N) using SHA-1.
  • Introduces computeSubjectKeyId(*rsa.PublicKey) implementing RFC 7093 Method 4: SHA-256 of the full DER-encoded SubjectPublicKeyInfo structure via x509.MarshalPKIXPublicKey.
  • All 52 existing unit tests pass without modification.

Why this matters

SHA-1 is deprecated by NIST SP 800-131A Rev 2 and is explicitly disallowed under FIPS 140-2/3 compliance requirements. Any deployment of config-server in a FIPS-enforcing environment (e.g. US Government, regulated industries) will fail cert generation at runtime with the current implementation.

What changed and why

Before After
Hash algorithm SHA-1 SHA-256
Hash input privateKey.N (modulus only) Full SubjectPublicKeyInfo DER
Output size 20 bytes 32 bytes
RFC alignment Non-standard (missing exponent + algorithm OID) RFC 7093 Method 4

The previous implementation was doubly incorrect: beyond using SHA-1, it only hashed the RSA modulus N, omitting the public exponent E and the algorithm identifier. Two keys with the same modulus but different exponents could produce the same SubjectKeyId. The new implementation hashes the complete SubjectPublicKeyInfo as defined in RFC 5280 / RFC 7093.

Impact on existing deployments

  • Existing certificates in the database are not affected — only newly generated certs are changed.
  • Chain validation is unaffected — TLS chain verification uses cryptographic signatures, not SKI/AKI values.
  • Mixed environments (new certs signed by old SHA-1-SKI CAs): the AKI on the new cert is copied directly from the signing CA's SubjectKeyId field, so it correctly reflects the CA's original 20-byte value. RFC 5280 does not require AKI and SKI to be the same size.

Test plan

  • go build ./types/... compiles cleanly
  • go test ./types/... 52/52 specs pass
  • Verified SubjectKeyId is non-nil on generated certs
  • Verified self-signed CA SubjectKeyId == AuthorityKeyId
  • Verified leaf cert AuthorityKeyId == signingCA.SubjectKeyId

References

@G-Gobi
Replace SHA-1 with SHA-256 for X.509 SubjectKeyIdentifier computation
85fa45a 
SHA-1 is deprecated by NIST (SP 800-131A Rev 2) and disallowed under
FIPS 140-2/3. This change replaces the SHA-1-based bigIntHash method
with computeSubjectKeyId, which implements RFC 7093 Method 4: SHA-256
of the full DER-encoded SubjectPublicKeyInfo structure.

The previous implementation also only hashed privateKey.N (the RSA
modulus), missing the public exponent and algorithm identifier. The new
implementation uses x509.MarshalPKIXPublicKey to hash the complete
SubjectPublicKeyInfo, which is cryptographically correct.

Fixes cloudfoundry#39
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: G-Gobi / name: Gobi Ganesan (85fa45a)

@beyhan beyhan requested review from a team, colins and ragaskar and removed request for a team June 18, 2026 15:12
@beyhan beyhan moved this from Inbox to Pending Review | Discussion in Foundational Infrastructure Working Group Jun 18, 2026
@aramprice aramprice requested a review from Copilot June 18, 2026 17:38
Copilot AI reviewed Jun 18, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates X.509 certificate generation to compute SubjectKeyId using SHA-256 over the full DER-encoded SubjectPublicKeyInfo (via x509.MarshalPKIXPublicKey), replacing the previous SHA-1 hash over only the RSA modulus.

Changes:

  • Replaced SHA-1–based SubjectKeyId generation with SHA-256 over DER-encoded SubjectPublicKeyInfo.
  • Removed the old modulus-only hashing helper and added a dedicated computeSubjectKeyId helper with error handling.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments
@ragaskar ragaskar Awaiting requested review from ragaskar ragaskar was automatically assigned from cloudfoundry/wg-foundational-infrastructure-vm-deployment-lifecycle-bosh-approvers
@colins colins Awaiting requested review from colins colins was automatically assigned from cloudfoundry/wg-foundational-infrastructure-vm-deployment-lifecycle-bosh-approvers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Foundational Infrastructure Working Group
Status: Pending Review | Discussion

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Replace SHA-1 with SHA-256 for X.509 SubjectKeyId computation in certificate_generator.go

3 participants

@G-Gobi @beyhan