asn1: syntax error: trailling data #40545

GopherJ · 2020-08-03T09:44:56Z

What version of Go are you using (`go version`)?

$ go version
go version go1.14.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (`go env`)?

go env Output

$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/cheng/.cache/go-build"
GOENV="/home/cheng/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/cheng/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build326830914=/tmp/go-build -gno-record-gcc-switches"

What did you do?

use paho.mqtt.golang's example code for tls and add my own root-ca, client-cert, client-key etc
https://github.com/eclipse/paho.mqtt.golang/blob/master/cmd/ssl/main.go
it gives an error on this certificate

asn1: syntax error: trailing data

What did you expect to see?

It works

What did you see instead?

It doesn't work

The text was updated successfully, but these errors were encountered:

GopherJ · 2020-08-03T09:45:41Z

It worth mentioning the same certificate works using: https://github.com/eclipse/paho.mqtt.rust, I can connect to my broker and subscribe/publish without any problem, but doesn't work in golang

The original certificate is:

-----BEGIN TRUSTED CERTIFICATE-----
MIIDTDCCAjQCFBVkElzevM5tqOIoJxMSJnzPvc1MMA0GCSqGSIb3DQEBCwUAMGMx
CzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFyaXMxDjAM
BgNVBAoMBVVidWR1MQ4wDAYDVQQLDAVVYnVkdTEUMBIGA1UEAwwLU0RBIFJPT1Qg
Q0EwHhcNMjAwNjExMTUzNTIyWhcNMzAwNjA5MTUzNTIyWjBiMQswCQYDVQQGEwJG
UjEOMAwGA1UECAwFUGFyaXMxDjAMBgNVBAcMBVBhcmlzMQ4wDAYDVQQKDAVVQnVk
dTEOMAwGA1UECwwFVWJ1ZHUxEzARBgNVBAMMClNEQSBDTElFTlQwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmDo5b/iLyNfColCwB15pvUDUkYzp5ungr
BCPb5H9Sw7ymcfsiTeBtgADXHyRli+YtfAPjC/55wkkgfBgKRKS8xG8zas0XXt/f
Wpnl2d8oYGXhGBZPdfaPP/fTANSTWIKVF7+My9LKrulJ+CTKNSnTWKsXFzZivN4H
a9aaBdP3s5CjVtJ456Egu5g2EfStBtNJwXzCjPSZyD69v1G0yWx6M8zhvY6+EV+T
uqycAsNfvcf9K0nR83RXkZnNnSNy6ptNg0fMpa5JrCHYirtGU5O7CSBCpA52fy9R
c12NYxl7qFSCTMC/SzZXjGUpIohxNmTzwCttT292A0yc3Bi8aPl/AgMBAAEwDQYJ
KoZIhvcNAQELBQADggEBAIvLrCOMedGTg4oSCYI+HdWB6E4uhG5UFxNnv3QEib0p
GV71S+wrU443ZAfZvxlHFKjkvZDoV8hXT8VIuWOxA9TvaLksoIHeOKdDiGntjVfL
aDMBnYXPXSDEqFDtAXjtUuIua74fkJ/guCJiX+t7fPctWZPo6J89XtgRZrZcnFIF
1RQZg6cMDoVb3aMUWKvKo6YDsoxiP6rM8xNHqxW788oLTyDeu9ceJkv31jIUYIgJ
t4i3bkqf54FAIMdKn/mXmprrqW0b4tvR0fCThD4pgXxVw/Egm3tro/z6/y+qLJ9U
oZa28h/VYGyoJnEOSl09nZhcfOwWUaXxl94n93dBwXIwDDAKBggrBgEFBQcDAg==
-----END TRUSTED CERTIFICATE-----

since golang tls doesn't like TRUSTED so I removed it from certificate but got another asn1 error as I posted above

ulikunitz · 2020-08-03T12:25:41Z

This is not a bug. The DER structure of the certificate contains an X509v1 certificate and an additional sequence with usage information. You need to verify your certificate generation procedure and ensure that x509v3 certificates are produced that include the usage information or omit the usage information.

You can check that with openssl asn1parse -in issue40545.pem. It indicates that the certificate contains two top level sequences. Go doesn't parse the second sequence and reports an error. Here is the asn1parse output for the second sequence:

  848:d=0  hl=2 l=  12 cons: SEQUENCE          
  850:d=1  hl=2 l=  10 cons: SEQUENCE          
  852:d=2  hl=2 l=   8 prim: OBJECT            :TLS Web Client Authentication

If those 14 bytes (hl+l=2+12=14) are removed, then the certificate can be parsed. Here is a test program:
https://play.golang.org/p/fcT_Eqct2kx

I regard the Go behavior as correct even if openssl seems to support this structure. It should not be possible to add information to a certificate that the Certificate Authority has not signed.

GopherJ · 2020-08-03T16:18:24Z

@ulikunitz thanks for your great info. I'll check how to generate valid certificate which can be used by parsed correctly by go

GopherJ closed this as completed Aug 3, 2020

golang locked and limited conversation to collaborators Aug 3, 2021

gopherbot added the FrozenDueToAge label Aug 3, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

asn1: syntax error: trailling data #40545

asn1: syntax error: trailling data #40545

GopherJ commented Aug 3, 2020

GopherJ commented Aug 3, 2020 •

edited

ulikunitz commented Aug 3, 2020

GopherJ commented Aug 3, 2020

asn1: syntax error: trailling data #40545

asn1: syntax error: trailling data #40545

Comments

GopherJ commented Aug 3, 2020

What version of Go are you using (go version)?

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

What did you expect to see?

What did you see instead?

GopherJ commented Aug 3, 2020 • edited

ulikunitz commented Aug 3, 2020

GopherJ commented Aug 3, 2020

What version of Go are you using (`go version`)?

What operating system and processor architecture are you using (`go env`)?

GopherJ commented Aug 3, 2020 •

edited