cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit

Home Page:https://cfssl.org/

Linting is broken starting with Go 1.17+

mowirth opened this issue

A change in x509.CreateCertificate released with Go 1.17 (https://go-review.googlesource.com/c/go/+/224157/) checks whether the private key and the public key used for signing match.

This is an issue when performing pre-issuance linting with cfssl, since the private key is randomly generated but the public key of the parent certificate is used.
This means that the signing of the lintCertificate fails with "x509: provided PrivateKey doesn't match parent's PublicKey".

cfssl/signer/local/local.go

Lines 168 to 172 in e6502bb

    // Pre-issuance lint: the template is signed with the randomly generated lint key
    // (s.lintPriv), but the parent passed in is the real CA certificate (s.ca), whose
    // public key does not correspond to s.lintPriv.
    prelintBytes, err := x509.CreateCertificate(rand.Reader, &template, s.ca, template.PublicKey, s.lintPriv)
    if err != nil {
        return cferr.Wrap(cferr.CertificateError, cferr.Unknown, err)
    }

Unfortunately, this breaks certificate signing when linting is enabled. To fix this, it should be possible to copy the attributes of the parent certificate and generate a new matching key pair to sign the lintCertificate.
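To show the proposed fix in working Go, as an added example that is not cfssl's own code: lintSign stands in for the prelint call above, and mustKey, the constructed CA struct, fixParent and leafKey are assumptions of this example. With fixParent set, the parent handed to x509.CreateCertificate is a copy of the CA certificate whose PublicKey is replaced by the throwaway lint key's public key, so the Go 1.17+ key-match check passes while the issuer's attributes are kept; without it, Go 1.17+ returns the error quoted in the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustKey returns a fresh P-256 key for the constructed test PKI below.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only on RNG failure
	}
	return k
}

// lintSign mirrors cfssl's prelint call: a throwaway lintPriv signs the template.
// fixParent=false passes the issuing CA's certificate as parent, which Go 1.17+
// rejects because lintPriv does not match ca.PublicKey. fixParent=true passes a
// copy of the CA whose PublicKey is swapped for lintPriv's public key, so issuer
// attributes are preserved while the key-match check passes.
func lintSign(fixParent bool) (*x509.Certificate, error) {
	caKey, lintPriv, leafKey := mustKey(), mustKey(), mustKey()
	// Stand-in for the parsed CA certificate (s.ca in cfssl); constructed test data.
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example lint CA"},
		IsCA: true, BasicConstraintsValid: true, PublicKey: &caKey.PublicKey,
	}
	template := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.invalid"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	parent := ca
	if fixParent {
		cp := *ca // shallow copy keeps Subject, extensions etc.; only the key changes
		cp.PublicKey = &lintPriv.PublicKey
		parent = &cp
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &leafKey.PublicKey, lintPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```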