-
Notifications
You must be signed in to change notification settings - Fork 227
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Race condition on creating a full chain for a certificate #1255
Comments
2 tasks
Not at all. That PR simply disabled this functionality to work around the bug. The real solution requires making a trust anchor per log endpoint, or potentially getting rid of this feature entirely. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've come across a race with how
certificate-transparency-go/submission/distributor.go
Lines 254 to 258 in a82fc3e
rootedChain
.ctfe.ValidateChain
takes in the global root pool. This pool contains every single root that the application started with. Those get populated here:certificate-transparency-go/submission/distributor.go
Lines 163 to 170 in a82fc3e
The race condition is that
PEMCertPool
gets populated in an arbitrary order since the loop is over a map.ctfe.ValidateChain
builds various chains, and picks the first valid one:certificate-transparency-go/trillian/ctfe/cert_checker.go
Lines 166 to 173 in a82fc3e
However, not every CT log necessarily has the same trust store, and the RootCompatible method will filter that CT log out.
The fix for this would be to consider the root pool per log so the constructed chain can be different per log.
The text was updated successfully, but these errors were encountered: