New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/x509: cannot generate version 1 or 2 certificates #21593
Comments
CC @agl |
The |
|
|
OK cool, that makes sense. Thanks! Is there a formal process for making those sorts of doc updates? Or is it just a matter of submitting a change updating the function comment? |
It's just a CL changing the comment in the code. Everything flows from there. |
Change https://golang.org/cl/79876 mentions this issue: |
Questionarie
What version of Go are you using (
go version
)?1.9rc2_cl165246139
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?GOARCH="amd64"
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
What did you do?
What did you expect to see?
The preceding Go program (shared here as source instead of a play.golang.org link since the crypto work takes too long and the tool times out) should generate a Version 1 x509 self singed certificate.
What did you see instead?
As can be seen by running
openssl x509 -in cert.pem -inform der -text -noout
on the resulting certificate file, this will instead generate a version 3 certificate.Observations
x509 versions 2 & 3 merely support extra fields, on top of those provided by preceding versions. And so a version 3 certificate which does not use any version 2 or 3 specific fields would still be functionally identical to a version 1 certificate. However, I would expect that the crypto/x509 library should support applying the specified version to the certificate, as well as ensure that no fields which are not supported by a given version are being used.
Upon inspection of the x509.CreateCertificate() function's source code it appears that the version is simply hard-coded to v3
Proposed Fix
As near as I can tell, all that needs to be done here is to provide a check that only fields supported by the specified version are being used, and then pass the value of template.Version to the tbsCertificate struct.
Or rather, passing
template.Version - 1
to the struct, so that we may use the more readable version values of 1 - 3 instead of the zero-index value used by the tbsCertificate. This also allows us to not break existing functionality and continue to use v3 if no value for Version is specified (and thus set to 0).Something along the lines of:
within the x509.CreateCertificate() function and prior to the creation of the tbsCertificate struct.
I've tested this on my own branch and found that it does allow for non v3 labeled certificates to be created (providing they do not use fields unsupported by the speficied version). But I wanted to file an issue first and see what people thought, and make sure I'm not way off base here, before submitting my changes for review.
The text was updated successfully, but these errors were encountered: