
crypto/x509: go.1.15 onwards CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.Certificate.Extensions #47526

Closed
manuullas opened this issue Aug 4, 2021 · 3 comments

Comments

@manuullas

What version of Go are you using (go version)?

$ go version
go version go1.16.6 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/golang"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/golang/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build757437385=/tmp/go-build -gno-record-gcc-switches"

What did you do?

We are trying to upgrade our builds from go 1.14.4 to the latest release. However, we are blocked by this issue: creating a valid x509.Certificate signed by a CA w/ BasicConstraints: true set, using a self-signed RSA keypair. The certificate has some custom ASN.1 keypair/values under ExtraExtensions. The certificate fails to parse because there is always an extra pkix.Extension element containing some unparseable ASN.1 data which was not being added in go 1.14.x along with the embedded ASN.1 blocks. This issue is observed w/ all releases go 1.15 onwards.

Playground link

Note: Issue is not observed when:
IsCA: false

What did you expect to see?

No error

What did you see instead?

Failure unmarshalling ASN1 Attributes: asn1: structure error: tags don't match (19 vs {class:2 tag:0 length:20 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} string @2

@manuullas
Author

Note: the issue is observed with Windows builds as well:

go version
go1.16.6 windows/amd64

@manuullas manuullas changed the title go.1.15 onwards x509.CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.extensions go.1.15 onwards x509.CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.Certificate.Extensions Aug 4, 2021
@manuullas manuullas changed the title go.1.15 onwards x509.CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.Certificate.Extensions crypto/x509: go.1.15 onwards CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.Certificate.Extensions Aug 4, 2021
@seankhliao
Member

This is the X509v3 Authority Key Identifier or authorityKeyIdentifier and you really should be checking the id (since the value could contain anything) before unmarshaling

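The reporter's reproduction (a CA template with IsCA: true, a leaf carrying custom ExtraExtensions, then unmarshaling the parsed Extensions) and the advice above to check the extension id before unmarshaling, as one added Go example; this is not code from the issue or from the Go project. The custom OID and the customAttrs struct are assumptions, since the issue does not show the real ones. Since Go 1.15, CreateCertificate generates a SubjectKeyId for a CA template that leaves it empty, and the parent's SubjectKeyId is copied into the child's authorityKeyIdentifier (OID 2.5.29.35); that is the extra pkix.Extension element, and unmarshaling its value into a struct whose first field is a string yields exactly the "tags don't match (19 vs {class:2 tag:0 ...})" error quoted above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID for the custom extension (assumption; the
// issue does not name the real one).
var customExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// customAttrs is a constructed stand-in for the reporter's custom ASN.1 values.
// Its string first field reproduces the "tags don't match (19 vs ...)" error
// when it is fed the authorityKeyIdentifier value by mistake.
type customAttrs struct {
	Name  string
	Level int
}

// buildChain creates a self-signed CA (IsCA: true, no SubjectKeyId set) and a
// leaf signed by it that carries customAttrs in ExtraExtensions; it returns the
// parsed leaf, whose Extensions include the generated authorityKeyIdentifier.
func buildChain() (*x509.Certificate, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	attrs, err := asn1.Marshal(customAttrs{Name: "demo", Level: 3}) // constructed sample value
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(2),
		Subject:         pkix.Name{CommonName: "example-leaf"},
		NotBefore:       now.Add(-time.Hour),
		NotAfter:        now.Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: customExtOID, Value: attrs}},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(leafDER)
}

// unmarshalWithoutOIDCheck mirrors the failing approach: every extension is
// unmarshaled into customAttrs regardless of its Id, so the first foreign
// extension (here authorityKeyIdentifier) produces a structure error.
func unmarshalWithoutOIDCheck(cert *x509.Certificate) ([]customAttrs, error) {
	var out []customAttrs
	for _, ext := range cert.Extensions {
		var a customAttrs
		if _, err := asn1.Unmarshal(ext.Value, &a); err != nil {
			return out, fmt.Errorf("extension %v: %w", ext.Id, err)
		}
		out = append(out, a)
	}
	return out, nil
}

// findCustomExtension is the fix: match the Id first, unmarshal only that
// value, and reject trailing bytes; every other extension is left alone.
func findCustomExtension(cert *x509.Certificate) (customAttrs, error) {
	var a customAttrs
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(customExtOID) {
			continue
		}
		rest, err := asn1.Unmarshal(ext.Value, &a)
		if err != nil {
			return a, err
		}
		if len(rest) != 0 {
			return a, fmt.Errorf("extension %v: %d trailing bytes", ext.Id, len(rest))
		}
		return a, nil
	}
	return a, fmt.Errorf("extension %v not present", customExtOID)
}

func main() {
	cert, err := buildChain()
	if err != nil {
		panic(err)
	}
	_, blindErr := unmarshalWithoutOIDCheck(cert)
	a, err := findCustomExtension(cert)
	fmt.Printf("AuthorityKeyId set: %v\nwithout OID check: %v\nwith OID check: %+v err=%v\n",
		len(cert.AuthorityKeyId) > 0, blindErr, a, err)
}
```

The OID check is also what makes the parser safe against any other extension a future Go release (or a different issuer) adds: the value of an unknown extension can be anything, so it should never reach asn1.Unmarshal for a type it was not produced from.
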
@manuullas
Author

@seankhliao this behavior was not seen in go 1.14. I've been through the documentation but not able to figure out what has changed in x509.

x509.Certificate.AuthorityKeyId is not initialized explicitly and is taken from the x509.Certificate.SubjectKeyId of the parent as per. Currently it is being set to the default sha1 hash of PublicKey per this from x509.CreateCertificate.

The only way I can work around this is to explicitly drop the new pkix.Extension elements in the final x509.Certificate after the certificate is generated. Would appreciate some guidance on this. I haven't been able to figure out why this is failing in go 1.15 and upwards. Am I creating the certificate wrong?

@golang golang locked and limited conversation to collaborators Aug 6, 2022