crypto/x509: ParseCertificate returns a certificate with MaxPathLen of -1 if pathLenConstraint is not set #19285

Closed
cyli opened this issue Feb 25, 2017 · 2 comments
Labels
Documentation FrozenDueToAge NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made.
cyli commented Feb 25, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.7.4 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/cyli/Go"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.7.4/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.7.4/libexec/pkg/tool/darwin_amd64"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/v9/wzpq8hm56b943960j1qrnblm0000gp/T/go-build860790401=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"

What did you do?

I parsed a CA certificate which did not have pathLenConstraint set: https://play.golang.org/p/lFCQJQPRLh

What did you expect to see?

Given the following comment in https://golang.org/pkg/crypto/x509/#Certificate:

        // MaxPathLenZero indicates that BasicConstraintsValid==true and
        // MaxPathLen==0 should be interpreted as an actual maximum path length
        // of zero. Otherwise, that combination is interpreted as MaxPathLen
        // not being set.

and that RFC5280 4.2.1.9 specifies that the pathLenConstraint must be >= 0, I expected to see MaxPathLen as 0 and MaxPathLenZero as false.

What did you see instead?

MaxPathLen was -1 and MaxPathLenZero was false.

I don't oppose using -1 to indicate that it wasn't set, but comments for MaxPathLen, etc. imply that -1 is not valid. If -1 is a valid value, should the docs be updated and possibly MaxPathLenZero be deprecated?
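
Added example, not part of the original issue or of the Go project's code: one way for a caller to read the path length constraint so that both encodings of "not set" discussed above (`MaxPathLen == -1`, and `MaxPathLen == 0` with `MaxPathLenZero == false`) are treated the same. The helper names `pathLen` and `makeCA` are hypothetical, and the CA certificate is a constructed throwaway sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pathLen (hypothetical helper) returns the constraint and whether it was present.
func pathLen(c *x509.Certificate) (n int, set bool) {
	// Both -1 and 0 with MaxPathLenZero false are read as "not set".
	unset := c.MaxPathLen < 0 || (c.MaxPathLen == 0 && !c.MaxPathLenZero)
	if !c.BasicConstraintsValid || !c.IsCA || unset {
		return 0, false
	}
	return c.MaxPathLen, true
}

// makeCA creates and re-parses a throwaway self-signed CA (constructed sample).
func makeCA(maxPathLen int, zero bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		MaxPathLen: maxPathLen, MaxPathLenZero: zero,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := makeCA(0, false) // the issue's case: no pathLenConstraint in the certificate
	if err != nil {
		panic(err)
	}
	n, set := pathLen(c)
	fmt.Printf("MaxPathLen=%d MaxPathLenZero=%v -> value=%d set=%v\n", c.MaxPathLen, c.MaxPathLenZero, n, set)
}
```

Code that compares `MaxPathLen` directly against a chain depth, without a check like this, can misread an unconstrained CA as one with a limit of zero or a negative limit.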

@odeke-em odeke-em changed the title x509.ParseCertificate returns a certificate with a -1 MaxPathLen if pathLenConstraint is not set crypto/x509: ParseCertificate returns a certificate with MaxPathLen of -1 if pathLenConstraint is not set Feb 25, 2017
@odeke-em
Member

/cc @agl

@bradfitz bradfitz added Documentation NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. labels Mar 21, 2017
@bradfitz bradfitz added this to the Go1.9 milestone Mar 21, 2017
@gopherbot

CL https://golang.org/cl/46092 mentions this issue.

@golang golang locked and limited conversation to collaborators Jun 20, 2018
@rsc rsc unassigned agl Jun 23, 2022