crypto/x509: buildExtensions issues certificates rejected by Mozilla NSS #22616
Comments
Issue confirmed, "fixed" cert generator is included @ https://bugzilla.mozilla.org/show_bug.cgi?id=1415181
/cc @agl @FiloSottile
Already have a fix for this in https://go-review.googlesource.com/c/go/+/74271
Awesome foresight @agl!
Change https://golang.org/cl/74270 mentions this issue:
Change https://golang.org/cl/74271 mentions this issue:
This change adds the cryptobyte package from x/crypto at git revision faadfbd. Updates #22616, #15196 Change-Id: Iffd0b022ca129d340ef429697e05b581f04e5c4f Reviewed-on: https://go-review.googlesource.com/74270 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
What version of Go are you using (`go version`)?

Does this issue reproduce with the latest release?
Yes.

What operating system and processor architecture are you using (`go env`)?

What did you do?
Generated a CA and used it to issue a server certificate using main.go shared @ https://bugzilla.mozilla.org/show_bug.cgi?id=1415181; installed the root CA in Firefox by navigating to it; tried to visit an HTTPS website using the server certificate.

What did you expect to see?
Connections going through.

What did you see instead?
Firefox erroring out with `SEC_ERROR_BAD_DER`.

Based on Firefox's feedback, the problem is in the following snippet:

If `ExcludedDNSDomains` is empty, the DER shouldn't contain a second empty sequence. `out.Excluded` should be `nil` instead of `[]generalSubtree{}`. Apparently Mozilla's strict DER checking rejects the certificate chain as a result.

I will update this ticket once confirmed.
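As an added example (not code from this issue, from the Go standard library, or from the linked generator), the program below shows why a non-nil empty slice produces the extra empty sequence: encoding/asn1 omits an `optional` field only when its value is the Go zero value, and `[]generalSubtree{}` is not deeply equal to a nil slice, so it is encoded as a zero-length `[1]` element (bytes `A1 00`). The struct shapes are modelled on the name-constraints types in crypto/x509; the function names `MarshalNameConstraintsBuggy`, `MarshalNameConstraintsFixed` and `EmptyConstructedTags` are hypothetical, and the small DER walker that flags zero-length constructed elements is a check you could run over an extension value before shipping a certificate.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// Assumed shapes, modelled on crypto/x509's internal types for RFC 5280
// NameConstraints (not the stdlib's own code).
type generalSubtree struct {
	Name string `asn1:"tag:2,optional,ia5"`
}

type nameConstraints struct {
	Permitted []generalSubtree `asn1:"optional,tag:0"`
	Excluded  []generalSubtree `asn1:"optional,tag:1"`
}

// toSubtrees converts domain names to GeneralSubtree values. With alwaysAllocate
// the result is a non-nil empty slice even when there are no domains, which is
// the behaviour this issue reports.
func toSubtrees(domains []string, alwaysAllocate bool) []generalSubtree {
	var out []generalSubtree
	if alwaysAllocate {
		out = []generalSubtree{} // non-nil, so encoding/asn1 will not omit it
	}
	for _, d := range domains {
		out = append(out, generalSubtree{Name: d})
	}
	return out
}

// MarshalNameConstraintsBuggy always allocates both lists (hypothetical name).
func MarshalNameConstraintsBuggy(permitted, excluded []string) ([]byte, error) {
	return asn1.Marshal(nameConstraints{
		Permitted: toSubtrees(permitted, true),
		Excluded:  toSubtrees(excluded, true),
	})
}

// MarshalNameConstraintsFixed leaves an empty list nil so the OPTIONAL field is
// omitted from the DER entirely (hypothetical name).
func MarshalNameConstraintsFixed(permitted, excluded []string) ([]byte, error) {
	return asn1.Marshal(nameConstraints{
		Permitted: toSubtrees(permitted, false),
		Excluded:  toSubtrees(excluded, false),
	})
}

// readTLV parses one DER tag/length header at der[off:] and returns the tag byte
// plus the start and end offsets of the contents. Single-byte tags only, which
// is all NameConstraints needs; definite short and long form lengths are handled.
func readTLV(der []byte, off int) (tag byte, start, end int, err error) {
	if off+2 > len(der) {
		return 0, 0, 0, errors.New("truncated TLV header")
	}
	tag = der[off]
	l := int(der[off+1])
	start = off + 2
	if l >= 0x80 {
		n := l & 0x7f
		if n == 0 || n > 4 || start+n > len(der) {
			return 0, 0, 0, errors.New("unsupported or truncated length")
		}
		l = 0
		for i := 0; i < n; i++ {
			l = l<<8 | int(der[start+i])
		}
		start += n
	}
	end = start + l
	if end > len(der) {
		return 0, 0, 0, errors.New("length exceeds buffer")
	}
	return tag, start, end, nil
}

// EmptyConstructedTags walks the elements directly inside the outer SEQUENCE and
// returns the tag byte of every constructed element whose contents are empty.
// A non-empty result for a NameConstraints value is the encoding NSS rejects.
func EmptyConstructedTags(der []byte) ([]byte, error) {
	tag, start, end, err := readTLV(der, 0)
	if err != nil {
		return nil, err
	}
	if tag != 0x30 || end != len(der) {
		return nil, errors.New("expected a single outer SEQUENCE")
	}
	var empties []byte
	for off := start; off < end; {
		t, s, e, err := readTLV(der, off)
		if err != nil {
			return nil, err
		}
		if t&0x20 != 0 && e == s { // constructed bit set, zero-length contents
			empties = append(empties, t)
		}
		off = e
	}
	return empties, nil
}

func main() {
	permitted := []string{".example.com"} // constructed sample input
	buggy, _ := MarshalNameConstraintsBuggy(permitted, nil)
	fixed, _ := MarshalNameConstraintsFixed(permitted, nil)
	fmt.Printf("buggy: %x\nfixed: %x\n", buggy, fixed)
	empties, _ := EmptyConstructedTags(buggy)
	fmt.Printf("empty constructed elements in buggy encoding: %x\n", empties)
}
```

When both lists are populated the two marshalers produce identical bytes; the difference appears only for the empty case, which is why the bug was easy to miss until a strict DER parser saw it.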