encoding/asn1: Unmarshal rejects PrintableString containing ampersand #22970

Closed
christopher-henderson opened this issue Dec 1, 2017 · 2 comments
Labels
FrozenDueToAge NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made.

@christopher-henderson
Contributor

Ampersands are not technically allowed in an ASN.1 PrintableString. However, DigiCert has recently (for example) issued a number of intermediate certificates to Wells Fargo & Company (crt.sh).

A handful of such CA certs include...

@gopherbot

Change https://golang.org/cl/81635 mentions this issue: encoding/asn1: allow '&' in PrintableString fields

@bradfitz bradfitz added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Dec 2, 2017
@bradfitz bradfitz added this to the Go1.11 milestone Dec 2, 2017
@bradfitz
Contributor

bradfitz commented Dec 2, 2017

Leaving for @agl to decide.
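An added example, not part of the original issue or of the Go project's code: a strict audit for the PrintableString problem reported in this issue, which walks DER and reports every PrintableString containing a character outside the X.680 set. The names `AuditPrintableStrings`, `firstBad`, `tlv` and `SampleName` are hypothetical, and the sample Name (C=US, O=Wells Fargo & Company) is constructed here rather than taken from the certificates.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"strings"
)

// allowed is the X.680 PrintableString character set; '&' and '*' are not in it.
const allowed = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"

// firstBad returns the index of the first byte outside allowed, or -1.
func firstBad(s []byte) int {
	return strings.IndexFunc(string(s), func(r rune) bool { return !strings.ContainsRune(allowed, r) })
}

// AuditPrintableStrings walks DER through constructed elements and reports each
// universal PrintableString that leaves the strict set. It decodes into
// asn1.RawValue, which captures content bytes without checking characters.
func AuditPrintableStrings(der []byte) (out []string, err error) {
	for len(der) > 0 {
		var rv asn1.RawValue
		if der, err = asn1.Unmarshal(der, &rv); err != nil {
			return out, err
		}
		if rv.IsCompound {
			sub, serr := AuditPrintableStrings(rv.Bytes)
			if out = append(out, sub...); serr != nil {
				return out, serr
			}
		} else if rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagPrintableString {
			if i := firstBad(rv.Bytes); i >= 0 {
				out = append(out, fmt.Sprintf("%q contains %q", rv.Bytes, rv.Bytes[i]))
			}
		}
	}
	return out, nil
}

// tlv builds a short-form DER element (body under 128 bytes).
func tlv(tag byte, body ...byte) []byte { return append([]byte{tag, byte(len(body))}, body...) }

// SampleName is a constructed RDNSequence: C=US, O=Wells Fargo & Company.
func SampleName() []byte {
	attr := func(x byte, s string) []byte { return tlv(0x31, tlv(0x30, append(tlv(0x06, 0x55, 0x04, x), tlv(0x13, []byte(s)...)...)...)...) }
	return tlv(0x30, append(attr(0x06, "US"), attr(0x0A, "Wells Fargo & Company")...)...)
}

func main() { fmt.Println(AuditPrintableStrings(SampleName())) }
```

The walk does not descend into primitive wrappers such as OCTET STRING or BIT STRING, so it covers Name fields but not strings nested inside extension values.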
