From 4f80b976b640d773fb025d981bf85bcc8190815b Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Tue, 27 Apr 2021 00:27:04 +0300
Subject: [PATCH] fix: verify CSR signature before issuing a certificate

This is required to make sure that the CSR was generated by the owner of the private key.

Signed-off-by: Andrey Smirnov
---
 x509/x509.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/x509/x509.go b/x509/x509.go
index 38506a7..36895e2 100644
--- a/x509/x509.go
+++ b/x509/x509.go
@@ -459,6 +459,10 @@ func (k *RSAKey) GetPublicKeyPEM() []byte {
 func NewCertificateFromCSR(ca *x509.Certificate, key interface{}, csr *x509.CertificateRequest, setters ...Option) (crt *Certificate, err error) {
 	opts := NewDefaultOptions(setters...)
 
+	if err = csr.CheckSignature(); err != nil {
+		return nil, fmt.Errorf("failed verifying CSR signature: %w", err)
+	}
+
 	serialNumber, err := NewSerialNumber()
 	if err != nil {
 		return nil, err
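Review bot: `csr.CheckSignature()` establishes only that the request was signed with the private key matching the public key carried inside the CSR; it does not vet that key's type or size, nor the signature algorithm the requester chose, so if this function is the issuance policy gate a separate check on `csr.PublicKeyAlgorithm`/`csr.SignatureAlgorithm` (or on the parsed `csr.PublicKey`) belongs right after the new block, before a serial number is consumed. The wrapped error reads better without the redundant prefix once a caller chains it: `return nil, fmt.Errorf("verifying CSR signature: %w", err)`. A one-line doc comment on NewCertificateFromCSR stating the new guarantee — that the CSR's self-signature is verified and a request not produced by the holder of the embedded key is rejected — would make the contract visible to callers; the declaration is the hunk's first context line and the comment slot above it lies outside the hunk. The function body continues beyond the end of the hunk.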