crypto/x509: store stripped down trust anchors #44298
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Comments
rolandshoemaker
added
NeedsInvestigation
|
cc @bradfitz |
|
This issue is currently labeled as early-in-cycle for Go 1.17. |
FiloSottile
removed
the
early-in-cycle
|
There hasn't been much activity here, and by now it's likely late for Go 1.17. I'll move this to Backlog, but please feel free to update it as needed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Rather than storing full
x509.Certificates in the root pool we could instead store only the information that we require to accomplish chain building (SPKI, subject, name constraints), significantly reducing the memory footprint for the pool.When returning certificate chains from Verify we'd need to construct a stand-in
x509.Certificatewhich is only partially populated (we'd need to decide what fields to set, and what we can get away with setting based on a typical root profile, i.e. is it safe to consistently set the issuer to match the subject, even for roots where the issuer does not actually match?). Depending on what users are doing with certificates it is possible that this could break some things. As such we should try to land this change early in the 1.17 cycle so any significant breakages are signaled early.This would also reduce binary sizes on iOS where we bundle roots, and also make things like #43958 somewhat more appealing from a binary bloat perspective.
The text was updated successfully, but these errors were encountered: