crypto/x509: CreateCertificate should mark SubjectAltName as critical iff Subject is empty #22249
Labels
Comments
odeke-em
changed the title
|
/cc @agl @FiloSottile |
|
Change https://golang.org/cl/70852 mentions this issue: |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
What version of Go are you using (
go version)?go version go1.9.1 linux/amd64
Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env)?GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/rjk/go"
GORACE=""
GOROOT="/usr/local/go-1.9.1"
GOTOOLDIR="/usr/local/go-1.9.1/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build715387515=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
What did you do?
RFC5280 4.2.1.6 requires: "If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical."
x509.CreateCertificate fails to mark subjectAltName as critical in this case.
https://play.golang.org/p/8BeKYea_77 exercises the bug.
What did you expect to see?
Certificate generated with empty Subject and SubjectAltName marked critical, test program ran to completion.
What did you see instead?
Certificate generated with empty Subject and SubjectAltName NOT marked critical, test program panics.
The text was updated successfully, but these errors were encountered: