linter: Remove SignatureAlgorithm field from makeIssuer (#7049)

Removes the SignatureAlgorithm field while constructing the lint issuer. Depending on the realIssuer, which could be either an intermediate or cross-signed intermediate, the SignatureAlgorithm of that certificate may differ from the root certificate that had signed it causing the following error during CA startup. ``` Starting service boulder-ca-a 16:49:29.437776 3 boulder-ca qM-tDQA [AUDIT] Couldn't load issuers: failed to create lint issuer: x509: requested SignatureAlgorithm does not match private key type ``` Related to work done in #7005. --------- Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
letsencrypt · Aug 31, 2023 · bd8558d · bd8558d
1 parent 7bed24a
commit bd8558d
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/linter/linter.go b/linter/linter.go
@@ -152,10 +152,17 @@ func makeSigner(realSigner crypto.Signer) (crypto.Signer, error) {
 
 func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.Certificate, error) {
 	lintIssuerTBS := &x509.Certificate{
-		// This is the full list of attributes that x509.CreateCertificate() says it
-		// carries over from the template. Constructing this TBS certificate in
-		// this way ensures that the resulting lint issuer is as identical to the
-		// real issuer as we can get, without sharing a public key.
+		// This is nearly the full list of attributes that
+		// x509.CreateCertificate() says it carries over from the template.
+		// Constructing this TBS certificate in this way ensures that the
+		// resulting lint issuer is as identical to the real issuer as we can
+		// get, without sharing a public key.
+		//
+		// We do not copy the SignatureAlgorithm field while constructing the
+		// lintIssuer because the lintIssuer is self-signed. Depending on the
+		// realIssuer, which could be either an intermediate or cross-signed
+		// intermediate, the SignatureAlgorithm of that certificate may differ
+		// from the root certificate that had signed it.
 		AuthorityKeyId:              realIssuer.AuthorityKeyId,
 		BasicConstraintsValid:       realIssuer.BasicConstraintsValid,
 		CRLDistributionPoints:       realIssuer.CRLDistributionPoints,
@@ -183,7 +190,6 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 		PermittedURIDomains:         realIssuer.PermittedURIDomains,
 		PolicyIdentifiers:           realIssuer.PolicyIdentifiers,
 		SerialNumber:                realIssuer.SerialNumber,
-		SignatureAlgorithm:          realIssuer.SignatureAlgorithm,
 		Subject:                     realIssuer.Subject,
 		SubjectKeyId:                realIssuer.SubjectKeyId,
 		URIs:                        realIssuer.URIs,