net/http/internal: testcert.go contains private key and cert that gets into go binary #46677

Closed
shgsky opened this issue Jun 10, 2021 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Comments

@shgsky

shgsky commented Jun 10, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16.4 windows/amd64

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

go env Output
$ go env

set GO111MODULE=on
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\sss\AppData\Local\go-build
set GOENV=C:\Users\sss\AppData\Roaming\go\env
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\sss\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=*
set GOOS=windows
set GOPATH=C:\Users\sss\go
set GOPRIVATE=
set GOPROXY=
set GOROOT=C:\Go
set GOSUMDB=off
set GOTMPDIR=
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.16.4
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=NUL
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\sss\AppData\Local\Temp\go-build91218420=/tmp/go-build -gno-record-gcc-switches

What did you do?

Run the command
strings <go_binary> | sed -n '/-----BEGIN/,/-----END/p'

If a program is using the net/http library (package internal), it will contain a private key and certificate.
This is perceived as a security issue in the binary.

The key/certificate is coming from https://github.com/golang/go/blob/master/src/net/http/internal/testcert.go

So, in my code, httptest.Server.StartTLS is not called. Why is the private key linked to the binary?

What did you expect to see?

No test cert and private key in the binary.

What did you see instead?

Private key and cert in binary.

@bcmills
Contributor

bcmills commented Jun 10, 2021

> So, in my code, httptest.Server.StartTLS is not called. Why is the private key linked to the binary?

Which standard-library packages and functions is your binary using?

@neild
Contributor

neild commented Jun 10, 2021

This is a test certificate for 127.0.0.1/[::1], used by the net/http/httptest package and several tests. This is not an actual security issue--nothing references the cert--but it's confusing and needless binary bloat.

This key used to be stripped out by the linker, but CL 178178 changed the key to be initialized through a function, which prevents it from being stripped.
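The `strings | sed` check from the report, done in Go as an added example (not code from the Go project or from anyone in this thread), so a build step can scan its own output and fail when key material is present. It validates each hit with encoding/pem instead of trusting the marker text; findPEMTypes, containsPrivateKey and the constructed sampleBinary are my names and sample data, not anything from the page.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
	"strings"
)

// findPEMTypes returns the labels of every PEM block in raw bytes such as a compiled
// binary (the report's `strings | sed` check, validated with encoding/pem). Markers are
// located by hand: pem.Decode only accepts BEGIN at input start or after a newline.
func findPEMTypes(data []byte) (types []string) {
	begin := []byte("-----BEGIN ")
	for pos := 0; pos < len(data); {
		i := bytes.Index(data[pos:], begin)
		if i < 0 {
			break
		}
		start := pos + i
		block, rest := pem.Decode(data[start:])
		// Accept only if the header sits at this marker (Decode may have skipped ahead).
		if block != nil && bytes.HasPrefix(data[start:], []byte("-----BEGIN "+block.Type+"-----")) {
			types = append(types, block.Type)
			pos = len(data) - len(rest)
		} else {
			pos = start + len(begin) // no well-formed block here: step past the marker
		}
	}
	return types
}
// containsPrivateKey flags any non-public "... KEY" label, even one avoiding "PRIVATE KEY".
func containsPrivateKey(types []string) bool {
	for _, t := range types {
		if strings.HasSuffix(t, " KEY") && !strings.Contains(t, "PUBLIC") {
			return true
		}
	}
	return false
}

// sampleBinary: constructed junk + certificate + stray BEGIN marker + RSA private key.
var sampleBinary = []byte("\x7fELF\x00\x01junk\x00\x00-----BEGIN CERTIFICATE-----\nAQID\n" +
	"-----END CERTIFICATE-----\n\x00\x00-----BEGIN not-a-block\x00" +
	"-----BEGIN RSA PRIVATE KEY-----\nBAUG\n-----END RSA PRIVATE KEY-----\n\x00trailing")

func main() { // swap sampleBinary for os.ReadFile(path) to scan a real binary; exit 1 in CI
	types := findPEMTypes(sampleBinary)
	fmt.Println(types, "private key present:", containsPrivateKey(types))
}
```

This only reports what ended up in the binary; it cannot tell you why the linker kept it, which is the separate question the comments above answer.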

@rsc
Contributor

rsc commented Jun 10, 2021

We could move that into its own package only imported by tests.

@dmitshur dmitshur changed the title net/http/internal/testcert.go contains private key and cert that gets into go binary net/http/internal: testcert.go contains private key and cert that gets into go binary Jun 10, 2021
@gopherbot
Contributor

Change https://golang.org/cl/326771 mentions this issue: net/http: remove test-only private key from production binaries

@seankhliao seankhliao added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 10, 2021
@shgsky
Author

shgsky commented Jun 29, 2021

@gopherbot Can this issue be reversed to Go 16.x?

@dmitshur dmitshur added this to the Go1.17 milestone Jan 26, 2022
@golang golang locked and limited conversation to collaborators Jan 26, 2023