This repository has been archived by the owner on Dec 3, 2019. It is now read-only.

Use signature algorithm from the wpr-go root cert.
MintServerCert creates a template based on the origin's signature algorithm, but
the public key is taken from wpr-go's root certificate. In some cases, these may
be incompatible, which results in seeing the error:

"""
TLS handshake error from 127.0.0.1:43524: create cert failed: x509: requested
SignatureAlgorithm does not match private key type.
"""

It's impossible to use a single root certificate that has a public key that
works for any possible signature algorithm. Instead, we override the signature
algorithm from the wpr-go root certificate.

Bug: catapult:#4272
Change-Id: I1ca74d0ae2ecb230f9e03143d385830a2367398b
Reviewed-on: https://chromium-review.googlesource.com/922891
Commit-Queue: Tom Bergan <tombergan@chromium.org>
Reviewed-by: Tom Bergan <tombergan@chromium.org>
spelchat authored and Commit Bot committed Feb 16, 2018
1 parent 015fbdb commit 5c342a9
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions web_page_replay_go/src/webpagereplay/certs.go
Expand Up @@ -94,6 +94,7 @@ func MintServerCert(serverName string, rootCert *x509.Certificate, rootKey crypt
template.NotBefore = time.Now()
// Certs cannot be valid for longer than 39 mths.
template.NotAfter = template.NotBefore.Add(39 * 30 * 24 * time.Hour)
template.SignatureAlgorithm = rootCert.SignatureAlgorithm
template.PublicKey = rootCert.PublicKey
var buf [20]byte
if _, err := io.ReadFull(rand.Reader, buf[:]); err != nil {
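Review bot: `template.SignatureAlgorithm = rootCert.SignatureAlgorithm` copies the algorithm that was used to sign the root certificate, which matches `rootKey` only when the root is self-signed with that same key. If `rootCert` was issued by a different CA, or was signed with a weak hash such as SHA-1, every minted leaf inherits a mismatched or weak algorithm. Consider setting the field to `x509.UnknownSignatureAlgorithm` so that `x509.CreateCertificate` picks a default from the signing key's type, or validating the root's algorithm against the type of `rootKey` before using it. A short comment above the line explaining why the origin's value is overridden would also help, since the reason is currently only in the commit message.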