Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: x509 certificate with issuerUniqueID and/or subjectUniqueID parse error #51754

Closed
mic6090 opened this issue Mar 17, 2022 · 6 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@mic6090
Copy link

mic6090 commented Mar 17, 2022

if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(1).Constructed().ContextSpecific()) {

if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(2).Constructed().ContextSpecific()) {

RFC 5280 quote:

TBSCertificate ::= SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
extensions [3] Extensions OPTIONAL
-- If present, version MUST be v3 -- }

I think Constructed() calls in mentioned strings are erroneous. As a result, all extensions from certificate with issuerUniqueID or subjectUniqueID fields not parsed.

golang 1.17.8, 1,18 affected.

@seankhliao seankhliao changed the title crypto/x509/parser.go: x509 certificate with issuerUniqueID and/or subjectUniqueID parse error crypto/x509: x509 certificate with issuerUniqueID and/or subjectUniqueID parse error Mar 17, 2022
@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 17, 2022
@seankhliao
Copy link
Member

cc @golang/security

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/394297 mentions this issue: crypto/x509: properly handle issuerUniqueID and subjectUniqueID

@rolandshoemaker
Copy link
Member

@gopherbot please open backport issues, this is a regression (albeit extremely minor, since these fields are almost never used.)

@gopherbot
Copy link
Contributor

Backport issue(s) opened: #51858 (for 1.17), #51859 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@dmitshur dmitshur added this to the Go1.19 milestone Apr 6, 2022
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Apr 6, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/399501 mentions this issue: [release-branch.go1.17] crypto/x509: properly handle issuerUniqueID and subjectUniqueID

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/399500 mentions this issue: [release-branch.go1.18] crypto/x509: properly handle issuerUniqueID and subjectUniqueID

gopherbot pushed a commit that referenced this issue May 4, 2022
…nd subjectUniqueID

Updates #51754
Fixes #51859

Change-Id: I3bfa15db3497de9fb82d6391d87fca1ae9ba6543
Reviewed-on: https://go-review.googlesource.com/c/go/+/394297
Trust: Roland Shoemaker <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
(cherry picked from commit 9a53b47)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399500
Reviewed-by: Russ Cox <[email protected]>
gopherbot pushed a commit that referenced this issue May 4, 2022
…nd subjectUniqueID

Updates #51754
Fixes #51858

Change-Id: I3bfa15db3497de9fb82d6391d87fca1ae9ba6543
Reviewed-on: https://go-review.googlesource.com/c/go/+/394297
Trust: Roland Shoemaker <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
(cherry picked from commit 9a53b47)
Reviewed-on: https://go-review.googlesource.com/c/go/+/399501
@golang golang locked and limited conversation to collaborators Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Development

No branches or pull requests

5 participants