We are trying to upgrade our builds from go 1.14.4 to the latest release. However, blocked by this issue: creating an x509.Certificate with valid signed by a CA w/ BasicConstraints: true set using a self-signed RSA keypair. The certificate has some custom ASN.1 keypair/values under ExtraExtensions. The certificate fails to parse because there is always an extra pkix.Extension element containing some unparseable ASN.1 data which was not being added in go 1.14.x along with the embedded ASN.1 blocks. This issue is observed w/ all releases go 1.15 onwards.
Note: the issue is observed with Windows builds as well:
go version
go1.16.6 windows/amd64
manuullas changed the title from "go.1.15 onwards x509.CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.extensions" to "go.1.15 onwards x509.CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.Certificate.Extensions" on Aug 4, 2021.
manuullas changed the title from "go.1.15 onwards x509.CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.Certificate.Extensions" to "crypto/x509: go.1.15 onwards CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.Certificate.Extensions" on Aug 4, 2021.
This is the X509v3 Authority Key Identifier or authorityKeyIdentifier and you really should be checking the id (since the value could contain anything) before unmarshaling.
@seankhliao this behavior was not seen in go 1.14. I've been through the documentation but not able to figure out what has changed in x509.
x509.Certificate.AuthorityKeyId is not initialized explicitly and is taken from the x509.Certificate.SubjectKeyId of the parent as per. Currently it is being set to the default sha1 hash of PublicKey per this from x509.CreateCertificate.
The only way I can work around this is to explicitly drop the new pkix.Extension elements in the final x509.Certificate after the certificate is generated. Would appreciate some guidance on this. I haven't been able to figure out why this is failing in go 1.15 and upwards. Am I creating the certificate wrong?
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
We are trying to upgrade our builds from go 1.14.4 to the latest release. However, blocked by this issue: creating an x509.Certificate with valid signed by a CA w/ BasicConstraints: true set using a self-signed RSA keypair. The certificate has some custom ASN.1 keypair/values under ExtraExtensions. The certificate fails to parse because there is always an extra pkix.Extension element containing some unparseable ASN.1 data which was not being added in go 1.14.x along with the embedded ASN.1 blocks. This issue is observed w/ all releases go 1.15 onwards.
Playground link
Note: Issue is not observed when:
IsCA: false
What did you expect to see?
No error
What did you see instead?
Failure unmarshalling ASN1 Attributes: asn1: structure error: tags don't match (19 vs {class:2 tag:0 length:20 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} string @2
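The advice in the reply above (check the extension id before unmarshaling), as an added Go example that is not code from the issue or the Go project: it issues a leaf under a CA with IsCA: true, decodes every extension as the custom type to reproduce the failure, then decodes only the matching OID. `customOID`, `customAttr`, `issueLeaf` and `readCustom` are hypothetical names, the extension payload is constructed, and validity dates are omitted because the certificates are only parsed, never verified.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
)

var customOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55555, 1} // constructed private-arc OID
type customAttr struct{ Value string }                             // hypothetical payload type

// issueLeaf self-signs a CA, then signs a leaf whose custom extension is SEQUENCE{PrintableString "demo"}.
func issueLeaf() (*x509.Certificate, error) {
	cert := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example CA"},
		IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example leaf"},
		ExtraExtensions: []pkix.Extension{{Id: customOID, Value: []byte("\x30\x06\x13\x04demo")}}}
	key, err := rsa.GenerateKey(rand.Reader, 2048) // one key for both certificates, for brevity
	tmpls := []*x509.Certificate{cert, leaf}       // pass 1 self-signs the CA, pass 2 signs the leaf under the parsed CA
	for i := 0; i < len(tmpls) && err == nil; i++ {
		var der []byte
		if der, err = x509.CreateCertificate(rand.Reader, tmpls[i], cert, &key.PublicKey, key); err == nil {
			cert, err = x509.ParseCertificate(der) // cert becomes the issuer of the next pass
		}
	}
	return cert, err // after the second pass cert is the parsed leaf
}

// readCustom decodes the custom extension; with checkID false it unmarshals every extension value.
func readCustom(c *x509.Certificate, checkID bool) (a customAttr, err error) {
	for _, e := range c.Extensions {
		if err == nil && (!checkID || e.Id.Equal(customOID)) {
			_, err = asn1.Unmarshal(e.Value, &a)
		}
	}
	return a, err
}

func main() {
	leaf, err := issueLeaf()
	if err != nil {
		panic(err)
	}
	fmt.Println(readCustom(leaf, false)) // decodes every extension as customAttr
	fmt.Println(readCustom(leaf, true))  // decodes only the extension with customOID
}
```

On Go 1.15 and later the parsed leaf carries extension 2.5.29.35 (authorityKeyIdentifier) ahead of the custom one, so the first call returns a "tags don't match" structure error while the second returns the custom value.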