
crypto/x509: failed to parse X509 certificate #52742

Closed
alxchk opened this issue May 6, 2022 · 2 comments

@alxchk

alxchk commented May 6, 2022

package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io/ioutil"
	"log"
)

// main reads test.pem, collects the DER bytes of every PEM block whose type is
// "CERTIFICATE", and prints selected fields of each certificate that
// x509.ParseCertificate accepts. A certificate that fails to parse is logged
// and skipped, so none of its fields are printed.
func main() {
	pemData, err := ioutil.ReadFile("test.pem")
	if err != nil {
		log.Fatal(err)
	}

	// Walk the input one PEM block at a time; pem.Decode returns a nil block
	// once it finds no further PEM data in the remaining bytes.
	var derCerts [][]byte
	for blk, rest := pem.Decode(pemData); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // blocks of any other type are ignored
		}
		derCerts = append(derCerts, blk.Bytes)
	}

	for i := range derCerts {
		parsed, parseErr := x509.ParseCertificate(derCerts[i])
		if parseErr != nil {
			// The parser rejected this certificate: report why and move on
			// without reading any field from it.
			log.Println(parseErr)
			continue
		}

		fmt.Println("Certificate:")
		fmt.Printf("\tSubject: %+v\n", parsed.Subject)
		fmt.Printf("\tDNS Names: %+v\n", parsed.DNSNames)
		fmt.Printf("\tEmailAddresses: %+v\n", parsed.EmailAddresses)
		fmt.Printf("\tIPAddresses: %+v\n", parsed.IPAddresses)
	}
}
> ./test
2022/05/06 17:55:11 x509: invalid version
Certificate:
    Data:
        Version: Unknown (3)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = VGoemFIEcw
        Validity
            Not Before: May  6 14:38:11 2022 GMT
            Not After : May  6 14:38:11 2023 GMT
        Subject: O = VGoemFIEcw
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:95:b2:31:21:69:af:8a:e2:39:c2:c4:cf:09:99:
                    82:09:bd:3d:ad:f7:90:88:62:b5:07:9d:eb:7d:38:
                    ee:ee:6d:c1:41:89:ab:6a:7b:36:9b:34:50:3e:4f:
                    2a:74:90:a1:8c:b5:00:68:ce:f7:2e:5b:da:8a:4c:
                    81:61:51:cb:2f:07:77:ad:22:16:a6:27:35:b2:22:
                    e7:90:27:8c:8c:4d:dc:aa:ff:f2:ba:4a:b3:08:a1:
                    23:0a:a1:72:7b:73:83:ae:cd:27:71:3a:9f:2d:d9:
                    80:2f:e6:c2:04:8e:f4:c0:b4:6c:26:e8:5f:aa:91:
                    50:8b:78:f3:03:15:07:b4:af:20:a9:df:86:6e:d0:
                    a8:e6:12:0b:3c:39:3e:1d:91:d1:b2:ff:ac:4f:fd:
                    d8:16:f7:44:5f:55:17:40:1c:cf:b8:51:4e:6b:ca:
                    be:f4:b0:40:d3:42:d8:a3:27:96:73:5f:e9:ea:1a:
                    7d:02:2f:64:2a:56:4c:48:f2:67:9e:8f:2e:6f:cf:
                    66:6c:d6:3e:d3:79:51:64:17:16:25:75:48:0c:00:
                    72:cc:3c:62:91:ec:f8:33:c2:19:78:45:df:12:50:
                    37:0c:3c:ec:c9:a6:40:42:fc:d6:93:1a:d5:c9:83:
                    ba:de:b7:e1:7b:ab:e0:b8:a0:0d:8a:6e:c9:10:89:
                    d4:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Key Identifier: 
                77:BA:A5:E0:98:3C:12:50:43:4D:20:8A:74:46:6A:D8
    Signature Algorithm: sha256WithRSAEncryption
         0e:0a:68:bc:71:c0:be:1d:51:5a:f7:3d:e8:0d:16:c0:3c:b1:
         33:3a:48:14:0c:a9:86:17:16:24:8c:b8:f1:3c:4c:06:90:fa:
         24:09:f7:d9:c0:d8:ad:37:12:83:68:06:69:2a:5e:46:a7:b1:
         2f:e4:4b:cc:13:10:4e:88:53:55:49:73:e0:06:b1:a4:69:0f:
         63:d8:7c:e6:dd:c5:86:e8:63:04:b8:a1:08:16:ef:d9:70:6e:
         49:9f:e8:6d:b6:1d:19:24:1d:63:29:4a:33:9b:8d:ff:2a:67:
         11:f0:88:dd:0e:74:6a:d3:e8:79:11:2c:ce:2b:ba:08:a3:64:
         cd:d2:c7:61:12:89:00:f3:26:57:72:c4:ea:ca:b6:22:54:3b:
         dc:2b:d3:ef:76:8a:59:33:cf:41:8e:3f:81:02:4f:c3:a2:6e:
         88:14:2f:11:bf:f5:95:23:04:44:5c:74:9a:ed:a6:c4:7e:6d:
         65:8e:bb:df:5d:2a:31:a3:20:c4:21:4c:f6:84:2d:20:2f:2d:
         52:a4:fe:20:3c:76:2e:65:3b:83:85:dc:75:f9:79:86:61:c2:
         60:30:ee:08:8b:7c:c5:93:9f:f9:25:b3:49:8f:4b:f2:f2:33:
         bd:8a:24:73:93:3f:bd:e7:8b:ed:05:dd:73:72:76:fa:3a:65:
         60:8c:0c:7d
-----BEGIN CERTIFICATE-----
MIIC0DCCAbigAwIBAwIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApWR29l
bUZJRWN3MB4XDTIyMDUwNjE0MzgxMVoXDTIzMDUwNjE0MzgxMVowFTETMBEGA1UE
CgwKVkdvZW1GSUVjdzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJWy
MSFpr4riOcLEzwmZggm9Pa33kIhitQed63047u5twUGJq2p7Nps0UD5PKnSQoYy1
AGjO9y5b2opMgWFRyy8Hd60iFqYnNbIi55AnjIxN3Kr/8rpKswihIwqhcntzg67N
J3E6ny3ZgC/mwgSO9MC0bCboX6qRUIt48wMVB7SvIKnfhm7QqOYSCzw5Ph2R0bL/
rE/92Bb3RF9VF0Acz7hRTmvKvvSwQNNC2KMnlnNf6eoafQIvZCpWTEjyZ56PLm/P
ZmzWPtN5UWQXFiV1SAwAcsw8YpHs+DPCGXhF3xJQNww87MmmQEL81pMa1cmDut63
4Xur4LigDYpuyRCJ1BcCAwEAAaMrMCkwDAYDVR0TBAUwAwEB/zAZBgNVHQ4EEgQQ
d7ql4Jg8ElBDTSCKdEZq2DANBgkqhkiG9w0BAQsFAAOCAQEADgpovHHAvh1RWvc9
6A0WwDyxMzpIFAyphhcWJIy48TxMBpD6JAn32cDYrTcSg2gGaSpeRqexL+RLzBMQ
TohTVUlz4AaxpGkPY9h85t3FhuhjBLihCBbv2XBuSZ/obbYdGSQdYylKM5uN/ypn
EfCI3Q50atPoeREsziu6CKNkzdLHYRKJAPMmV3LE6sq2IlQ73CvT73aKWTPPQY4/
gQJPw6JuiBQvEb/1lSMERFx0mu2mxH5tZY67310qMaMgxCFM9oQtIC8tUqT+IDx2
LmU7g4Xcdfl5hmHCYDDuCIt8xZOf+SWzSY9L8vIzvYokc5M/veeL7QXdc3J2+jpl
YIwMfQ==
-----END CERTIFICATE-----
> go version 
go version go1.18.1 linux/amd64
@ZekeLu
Contributor

ZekeLu commented May 6, 2022

Version: Unknown (3)

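The version is indeed invalid: the encoded version field is 3, but the field is zero-indexed (v1 = 0, v2 = 1, v3 = 2), so 3 does not correspond to any defined X.509 version.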

This is where the error is returned:

// for backwards compat reasons Version is one-indexed,
// rather than zero-indexed as defined in 5280
// NOTE(review): after the increment the accepted values are 1 through 3.
// An encoded version field of 3 therefore becomes 4 here and is rejected
// with an error instead of being accepted as a v3 certificate.
cert.Version++
if cert.Version > 3 {
return nil, errors.New("x509: invalid version")
}

Reference: https://beta.openssl.org/docs/man3.0/man3/X509_get_version.html

X509_get_version() returns the numerical value of the version field of certificate x. These correspond to the constants X509_VERSION_1, X509_VERSION_2, and X509_VERSION_3. Note: the values of these constants are defined by standards (X.509 et al) to be one less than the certificate version. So X509_VERSION_3 has value 2 and X509_VERSION_1 has value 0.

@ianlancetaylor
Contributor

Thanks @ZekeLu. Closing because it sounds like this is working as expected.

@golang golang locked and limited conversation to collaborators May 6, 2023