Fix certificate type identification

2026-01-27 10:18:34 +00:00 · 2022-02-16 18:09:20 -08:00
parent b3316c4a56
commit d424159200
1 changed files with 12 additions and 5 deletions
--- a/cas/vaultcas/vaultcas.go
+++ b/cas/vaultcas/vaultcas.go
@@ -1,7 +1,6 @@
 package vaultcas

 import (
-	"bytes"
 	"context"
 	"crypto/sha256"
 	"crypto/x509"
@@ -162,12 +161,12 @@ func getCertificateAndChain(certb certutil.CertBundle) (*Certificate, error) {
 				continue
 			}
 			used[cert.SerialNumber.String()] = true
-			if cert.IsCA && bytes.Equal(cert.RawIssuer, cert.RawSubject) {
+			if isRoot(cert) {
 				root = cert
-			} else if !cert.IsCA {
-				leaf = cert
-			} else {
+			} else if cert.BasicConstraintsValid && cert.IsCA {
 				intermediates = append(intermediates, cert)
+			} else {
+				leaf = cert
 			}
 		}
 	}
@@ -402,3 +401,11 @@ func unmarshalMap(m map[string]interface{}, v interface{}) error {

 	return json.Unmarshal(b, v)
 }
+
+// isRoot returns true if the given certificate is a root certificate.
+func isRoot(cert *x509.Certificate) bool {
+	if cert.BasicConstraintsValid && cert.IsCA {
+		return cert.CheckSignatureFrom(cert) == nil
+	}
+	return false
+}