Oh bleh, I forgot x509.ParseCertificate is also used for parsing precert tbsCertificates... I think this can probably be made to work together with that, but it's going to be a bit more complicated.

Codecov Report

Merging #702 into master will increase coverage by 2.46%.
The diff coverage is 66.66%.

@@            Coverage Diff             @@
##           master     #702      +/-   ##
==========================================
+ Coverage   71.75%   74.22%   +2.46%     
==========================================
  Files          90       81       -9     
  Lines        9879     8946     -933     
==========================================
- Hits         7089     6640     -449     
+ Misses       2295     1870     -425     
+ Partials      495      436      -59     

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9d40ef1...b150747. Read the comment docs.

@Martin2112 @AlCutter do you folks have a strong opinion on this? It's a bit of a spam opportunity hole I'd like to close, but I don't think it's super urgent.

Hey @rolandshoemaker thanks for sending - looks ok to me in principle.
RFC5280 says This field [TBSCertificate.signature] MUST contain the same algorithm identifier as the signatureAlgorithm field in the sequence Certificate (Section 4.1.1.2).

@FiloSottile wdyt? Is this something that could/should be fixed upstream? I know you folks have historically been very keen to make the golang x509 library err on the side of correctness.

Heh, I actually have a similar upstream change https://go-review.googlesource.com/c/go/+/235118.

Hehe, excellent :)