crypto/x509: invalid RDNSequence: invalid attribute value: unsupported string type: 4 #48371

Open
c00w opened this issue Sep 14, 2021 · 3 comments

c00w commented Sep 14, 2021

What version of Go are you using (go version)?

 % go version
go version go1.17.1 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
 % go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/colin/.cache/go-build"
GOENV="/home/colin/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/colin/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/colin"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/nix/store/5mp1rvzzmawm68f2gkcrg1b46g2wim9n-go-1.17.1/share/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/nix/store/5mp1rvzzmawm68f2gkcrg1b46g2wim9n-go-1.17.1/share/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.1"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/colin/brood/src/cert/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1102055071=/tmp/go-build -gno-record-gcc-switches"

What did you do?

https://play.golang.org/p/lJBj4om1QJ7

What did you expect to see?

No error - with go 1.16.8, this works

What did you see instead?

x509: invalid RDNSequence: invalid attribute value: unsupported string type: 4


c00w commented Sep 14, 2021

This seems like a variation of #48171 cc @FiloSottile

@cagedmantis cagedmantis changed the title x509: invalid RDNSequence: invalid attribute value: unsupported string type: 4 crypto/x509: invalid RDNSequence: invalid attribute value: unsupported string type: 4 Sep 14, 2021
@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 15, 2021
@seankhliao seankhliao added this to the Unplanned milestone Aug 20, 2022
@strideynet

Hey @seankhliao - can you recall why this ticket was marked "Unplanned" whilst the other ticket #48171 was resolved?

jethrogb commented Feb 5, 2025

The problem is the x509 parseName function assumes that any X.509 Name attribute value is some kind of human-readable string:

https://github.com/golang/go/blob/e8d9561/src/crypto/x509/parser.go#L139-L142

However, this isn't the case. Looking at the spec:

   AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

   AttributeType ::= OBJECT IDENTIFIER

   AttributeValue ::= ANY -- DEFINED BY AttributeType

So, assuming that the parser doesn't know what the correct ASN.1 type is for the current attr.Type, it shouldn't error out if it doesn't parse as a string.

The reporter reported this for the ASN.1 type OCTET STRING (type 4), which is unusual to see in an X.509 Name. For example, OpenSSL and MbedTLS also don't support parsing an OCTET STRING as part of a Name (this should also be considered a bug in those libraries, I might add). However, both of them do support BITSTRING (type 3). So this certificate works perfectly fine with OpenSSL and MbedTLS, but not in Go:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: 1.3.6.1.4.1.49690.1.1.7 = #03020001
        Validity
            Not Before: Jan  1 00:00:00 1970 GMT
            Not After : Jan  1 00:00:00 1970 GMT
        Subject: 1.3.6.1.4.1.49690.1.1.7 = #03020001
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
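
Added example, not part of the issue thread and not the Go project's code: one way to walk an RDNSequence while keeping each attribute value as an opaque `asn1.RawValue`, so a BIT STRING or OCTET STRING value is preserved and shown OpenSSL-style as `#` plus hex DER instead of being rejected. `ParseNameTolerant`, `render`, `attr` and `attrSET` are hypothetical names, and the sample bytes are constructed to match the Issuer shown in the comment above.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// attr mirrors AttributeTypeAndValue; Value stays raw because it is ANY DEFINED BY type.
type attr struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue
}

// attrSET: encoding/asn1 decodes slice types whose name ends in "SET" as SET OF.
type attrSET []attr

// Constructed sample: DER Name with 1.3.6.1.4.1.49690.1.1.7 = BIT STRING (03 02 00 01).
var bitStringName = []byte{0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0b, 0x2b, 0x06, 0x01,
	0x04, 0x01, 0x83, 0x84, 0x1a, 0x01, 0x01, 0x07, 0x03, 0x02, 0x00, 0x01}

// render returns the text of common single-byte string types (no charset
// validation in this sketch) and "#"+hex of the full DER for anything else.
func render(v asn1.RawValue) string {
	isText := v.Tag == asn1.TagUTF8String || v.Tag == asn1.TagPrintableString || v.Tag == asn1.TagIA5String
	if v.Class == asn1.ClassUniversal && isText {
		return string(v.Bytes)
	}
	return "#" + hex.EncodeToString(v.FullBytes)
}

// ParseNameTolerant (hypothetical helper) decodes a Name without requiring
// attribute values to be strings; structural errors are still rejected.
func ParseNameTolerant(der []byte) ([]string, error) {
	var seq []attrSET
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed Name: %v (%d trailing bytes)", err, len(rest))
	}
	var out []string
	for _, set := range seq {
		for _, a := range set {
			out = append(out, a.Type.String()+"="+render(a.Value))
		}
	}
	return out, nil
}

func main() {
	fmt.Println(ParseNameTolerant(bitStringName))
}
```

Code that compares or authorizes on such names should compare the raw DER of the value rather than the rendered string.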
