From 203f25521826095813945209cccbffe308f8ad35 Mon Sep 17 00:00:00 2001
From: Dimitris Karakasilis
Date: Mon, 11 Nov 2024 18:23:31 +0200
Subject: [PATCH] Allow certs with negative serial numbers
Not sure why the asus certs have a negative serial number but they do. If the asus box had that others might too, so we should better support it. The alternative would be to generate certs with positive serial number for the tests. https://github.com/golang/go/blob/master/src/crypto/x509/parser.go#L1014-L1018 https://github.com/microsoft/mssql-docker/issues/895#issuecomment-2327988940
Signed-off-by: Dimitris Karakasilis
---
go.mod | 8 +++++---
internal/cmd/genkey.go | 7 +++++--
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/go.mod b/go.mod
index 26a1d77..350fa4d 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,10 @@
 module github.com/kairos-io/AuroraBoot
-go 1.23.1
+go 1.23.3
-toolchain go1.23.3
+// https://github.com/golang/go/blob/583d750fa119d504686c737be6a898994b674b69/src/crypto/x509/parser.go#L1014-L1018
+// For keys with negative serial number:
+godebug x509negativeserial=1
 require (
 github.com/cavaliergopher/grab/v3 v3.0.1
@@ -23,7 +25,6 @@ require (
 github.com/otiai10/copy v1.14.0
 github.com/spectrocloud-labs/herd v0.4.2
 github.com/spectrocloud/peg v0.0.0-20240405075800-c5da7125e30f
- github.com/spf13/viper v1.19.0
 github.com/u-root/u-root v0.14.0
 github.com/urfave/cli/v2 v2.27.5
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
@@ -169,6 +170,7 @@ require (
 github.com/spf13/afero v1.11.0 // indirect
 github.com/spf13/cast v1.7.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
+ github.com/spf13/viper v1.19.0 // indirect
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/swaggest/jsonschema-go v0.3.62 // indirect
 github.com/swaggest/refl v1.3.0 // indirect
diff --git a/internal/cmd/genkey.go b/internal/cmd/genkey.go
index d79a37c..7eb6420 100644
--- a/internal/cmd/genkey.go
+++ b/internal/cmd/genkey.go
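Review bot: The `godebug x509negativeserial=1` directive in the first go.mod hunk is module-wide: it re-enables acceptance of negative serial numbers for every crypto/x509 parse in binaries built from this module, including any TLS or signature verification those binaries perform, not just the Secure Boot database listing in genkey.go. The comment above it says "keys", but the setting concerns certificates, and the Go source link explains the rejection rather than the scope of the override. Replace the two comment lines with `// Accept X.509 certificates with negative serial numbers (rejected by default since Go 1.23).` and `// Note: this godebug setting applies to all crypto/x509 parsing in binaries built from this module.` so a later reader understands what has been widened before deciding whether to keep it.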
@@ -247,8 +247,11 @@ func prepareCustomDerDir(l sdkTypes.KairosLogger, customCertDir string) (string,
 l.Infof(" Signature Owner: %s\n", sigEntry.Owner.Format())
 switch sig.SignatureType {
 case signature.CERT_X509_GUID, signature.CERT_SHA256_GUID:
- cert, _ := x509.ParseCertificate(sigEntry.Data)
- if cert != nil {
+ cert, err := x509.ParseCertificate(sigEntry.Data)
+ if err != nil {
+ l.Errorf("cert error: %s", err)
+ continue
+ } else {
 keyDir := filepath.Join(tmpDir, "custom", keyType)
 err := os.MkdirAll(keyDir, 0755)
 if err != nil {
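Review bot: The `} else {` after `continue` is redundant and it hides that the following `err := os.MkdirAll(keyDir, 0755)` shadows the `err` just declared by `cert, err := x509.ParseCertificate(...)`; drop the `else`, dedent the happy path, and change that line to `err = os.MkdirAll(keyDir, 0755)` so there is a single `err` in scope. The case also matches `signature.CERT_SHA256_GUID` entries, which the EFI signature type implies carry a digest rather than DER, so every such entry would now log at Error level and be skipped where the old nil check skipped it silently; consider handling the SHA-256 type before the parse and including the owner in the message, e.g. `l.Errorf("parsing certificate for %s: %s", sigEntry.Owner.Format(), err)`. The body of prepareCustomDerDir continues outside the hunk.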