Allow certs with negative serial numbers

Not sure why the asus certs have a negative serial number but they do. If the asus box had that others might too, so we should better support it. The alternative would be to generate certs with positive serial number for the tests. https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018 microsoft/mssql-docker#895 (comment) Signed-off-by: Dimitris Karakasilis <[email protected]>
kairos-io · Nov 12, 2024 · 203f255 · 203f255
1 parent 485fd30
commit 203f255
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/go.mod b/go.mod
@@ -1,8 +1,10 @@
 module github.com/kairos-io/AuroraBoot
 
-go 1.23.1
+go 1.23.3
 
-toolchain go1.23.3
+// https://github.com/golang/go/blob/583d750fa119d504686c737be6a898994b674b69/src/crypto/x509/parser.go#L1014-L1018
+// For keys with negative serial number:
+godebug x509negativeserial=1
 
 require (
 	github.com/cavaliergopher/grab/v3 v3.0.1
@@ -23,7 +25,6 @@ require (
 	github.com/otiai10/copy v1.14.0
 	github.com/spectrocloud-labs/herd v0.4.2
 	github.com/spectrocloud/peg v0.0.0-20240405075800-c5da7125e30f
-	github.com/spf13/viper v1.19.0
 	github.com/u-root/u-root v0.14.0
 	github.com/urfave/cli/v2 v2.27.5
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
@@ -169,6 +170,7 @@ require (
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/swaggest/jsonschema-go v0.3.62 // indirect
 	github.com/swaggest/refl v1.3.0 // indirect

diff --git a/internal/cmd/genkey.go b/internal/cmd/genkey.go
@@ -247,8 +247,11 @@ func prepareCustomDerDir(l sdkTypes.KairosLogger, customCertDir string) (string,
 				l.Infof("	Signature Owner: %s\n", sigEntry.Owner.Format())
 				switch sig.SignatureType {
 				case signature.CERT_X509_GUID, signature.CERT_SHA256_GUID:
-					cert, _ := x509.ParseCertificate(sigEntry.Data)
-					if cert != nil {
+					cert, err := x509.ParseCertificate(sigEntry.Data)
+					if err != nil {
+						l.Errorf("cert error: %s", err)
+						continue
+					} else {
 						keyDir := filepath.Join(tmpDir, "custom", keyType)
 						err := os.MkdirAll(keyDir, 0755)
 						if err != nil {