Escape forward slashes in certificate Subject names when used as user…

… quota id strings (google#1059)
breadyzhang · Jun 12, 2023 · 88a932b · 88a932b
1 parent 1c10351
commit 88a932b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,10 @@
 
 ### Chrome CT Policy Update
  * #906: Update chromepolicy.go to follow the updated Chrome CT policy.
-
+
+### Misc
+ * #1059: Escape forward slashes in certificate Subject names when used as user quota id strings.
+
 ## v1.1.6
 
 ## Dependency update
@@ -29,7 +32,7 @@
 
  * Remove v2 log list package files.
 
- ### Misc
+### Misc
 
  * Updated golangci-lint to v1.51.1 (developers should update to this version).
  * Bump Go version from 1.17 to 1.19.

diff --git a/trillian/ctfe/cert_quota.go b/trillian/ctfe/cert_quota.go
@@ -18,6 +18,7 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
+	"strings"
 
 	"github.com/google/certificate-transparency-go/x509"
 )
@@ -38,5 +39,5 @@ const CertificateQuotaUserPrefix = "@intermediate"
 // See tests for examples.
 func QuotaUserForCert(c *x509.Certificate) string {
 	spkiHash := sha256.Sum256(c.RawSubjectPublicKeyInfo)
-	return fmt.Sprintf("%s %s %s", CertificateQuotaUserPrefix, c.Subject.String(), hex.EncodeToString(spkiHash[0:5]))
+	return fmt.Sprintf("%s %s %s", CertificateQuotaUserPrefix, strings.ReplaceAll(c.Subject.String(), "/", "%2F"), hex.EncodeToString(spkiHash[0:5]))
 }