crypto/x509: invalid character " " in host name #43954

Closed
elgohr opened this issue Jan 27, 2021 · 9 comments

Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

@elgohr

elgohr commented Jan 27, 2021

What version of Go are you using (go version)?

$ go version
1.15.5

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/x/Library/Caches/go-build"
GOENV="/Users/x/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/x/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/x/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.15.5/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.15.5/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/p1/h3wr666s6g3c9qmpfwtzsvt00000gn/T/go-build774142841=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

_, err := tls.Dial("tcp", "oftpv2.volkswagen.de:6619", &tls.Config{})
if err != nil {
   log.Println(err)
}

What did you expect to see?

A connection happening, as OpenSSL

openssl s_client -connect oftpv2.volkswagen.de:6619  
CONNECTED(00000005)
depth=2 DC = com, DC = vwg, DC = VWPKI, CN = VW-CA-ROOT-05
verify error:num=19:self signed certificate in certificate chain
verify return:0

and other certificate checkers (https://www.sslshopper.com/ssl-checker.html#hostname=oftpv2.volkswagen.de:6619) see the space in the certificate URI as no issue.

What did you see instead?

tls: failed to parse certificate from server: x509: cannot parse URI "oftp://O0013000001VW KOI": parse "oftp://O0013000001VW KOI": invalid character " " in host name

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 27, 2021
@davecheney
Contributor

It looks like the Subject Alternative Name contains this hostname: URI:oftp://O0013000001VW KOI

How was this certificate generated? It looks like the name of the machine leaked into the CSR.

@elgohr
Author

elgohr commented Jan 28, 2021

It's not the name of the machine, but the Identification Code (https://tools.ietf.org/html/rfc5024#section-5.4).
Will try to find out how it was generated.

@davecheney
Contributor

My mistake, it looked like an auto-generated Windows hostname.

@elgohr
Author

elgohr commented Jan 28, 2021

The certificate was generated, using a proprietary tool, with the URI as "Subject: alternative applicant".
I was looking through the URI RFCs for the validity of the " " character. Couldn't find a definition that denies that. If I got it right, it's preferred to be URL-encoded (%20), which is interesting to me, as it's a URI.

@davecheney
Contributor

The googling I did says that SANs should be valid hostnames: no spaces, no %. I guess punycode is OK, but probably not useful in this situation.

@rolandshoemaker
Member

crypto/tls and crypto/x509 target the web PKI, and as such we treat URIs as following the extremely common URL-like scheme. As such we reject any authority components that contain characters that are invalid for hostnames (in this case whitespace).

@elgohr
Author

elgohr commented Feb 1, 2021

Could you please provide the resources?

W3 declares spaces as unsafe characters (https://www.w3.org/Addressing/URL/4_URI_Recommentations.html) - but possible.

Didn't find the definition that URIs use the URL scheme in the WebPKI. Any reference to that?

Isn't this a contradiction, as there are OpenSSL compatibility tests in the code and OpenSSL is OK with these certificates?

@conradoplg
Contributor

The URI must follow RFC 3986, per RFC 5280.

If I'm reading it right, RFC 3986 does not allow the space character in the host name, see URI -> hier-part -> authority -> host -> reg-name
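The two points above (Go rejects the SAN because net/url treats the authority as a hostname; RFC 3986 reg-name does not admit a space) can be checked directly. The following is an added example, not code from the Go project or from anyone in this thread: it implements the RFC 3986 reg-name grammar (unreserved / pct-encoded / sub-delims) as a small checker, extracts the authority host itself so the check does not depend on net/url, and then runs the same strings through url.Parse, which is what crypto/x509 uses when it parses a URI SAN. The three input URIs are constructed for the example; the first is the SAN from the issue, the other two are the percent-encoded and space-free variants discussed above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"   (RFC 3986 section 2.3)
func isUnreserved(c byte) bool {
	return c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' ||
		c == '-' || c == '.' || c == '_' || c == '~'
}

// sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="   (section 2.2)
func isSubDelim(c byte) bool {
	return strings.IndexByte("!$&'()*+,;=", c) >= 0
}

func isHexDigit(c byte) bool {
	return c >= '0' && c <= '9' || c >= 'a' && c <= 'f' || c >= 'A' && c <= 'F'
}

// IsRegName reports whether s matches RFC 3986 section 3.2.2
//   reg-name = *( unreserved / pct-encoded / sub-delims )
// A raw space is none of these; "%20" is a valid pct-encoded triplet.
func IsRegName(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case isUnreserved(c), isSubDelim(c):
		case c == '%':
			if i+2 >= len(s) || !isHexDigit(s[i+1]) || !isHexDigit(s[i+2]) {
				return false
			}
			i += 2
		default:
			return false
		}
	}
	return true
}

// AuthorityHost extracts the host part of a hierarchical URI's authority
// (scheme "://" [userinfo "@"] host [":" port] [path]) by plain string
// splitting, so the reg-name check above is independent of net/url.
// ok is false when the URI has no authority component.
func AuthorityHost(raw string) (host string, ok bool) {
	i := strings.Index(raw, "://")
	if i < 0 {
		return "", false
	}
	auth := raw[i+3:]
	if j := strings.IndexAny(auth, "/?#"); j >= 0 {
		auth = auth[:j]
	}
	if j := strings.LastIndexByte(auth, '@'); j >= 0 {
		auth = auth[j+1:]
	}
	if strings.HasPrefix(auth, "[") {
		return auth, true // IP-literal, not a reg-name; out of scope here
	}
	if j := strings.LastIndexByte(auth, ':'); j >= 0 {
		auth = auth[:j]
	}
	return auth, true
}

// GoAccepts runs the URI through net/url, the parser crypto/x509 applies to
// each URI SAN; the error text is the inner part of the message in the issue.
func GoAccepts(raw string) (accepted bool, errText string) {
	if _, err := url.Parse(raw); err != nil {
		return false, err.Error()
	}
	return true, ""
}

func main() {
	for _, u := range []string{
		"oftp://O0013000001VW KOI",   // the SAN from the issue (constructed input)
		"oftp://O0013000001VW%20KOI", // percent-encoded variant
		"oftp://O0013000001VWKOI",    // space removed
	} {
		host, _ := AuthorityHost(u)
		ok, msg := GoAccepts(u)
		fmt.Printf("%-30s reg-name=%-5v net/url=%-5v %s\n", u, IsRegName(host), ok, msg)
	}
}
```

Running this shows the split that the thread ends on: the raw space fails both the RFC 3986 grammar and net/url, while the percent-encoded form is a syntactically valid reg-name yet is still refused by net/url, which only permits %-escapes for non-ASCII bytes in the host component. Re-issuing the certificate with "%20" in the SAN would therefore not make Go accept it; removing the space from the authority (or moving the identifier out of the host part) would.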

@elgohr
Author

elgohr commented Feb 6, 2021

Thank you for pointing that out. Guess we can close this here

@elgohr elgohr closed this as completed Feb 6, 2021
@golang golang locked and limited conversation to collaborators Feb 6, 2022