Hi,
When parsing a private root certificate I get the following error:
x509: invalid basic constraints b
Decoding the certificate we can see:
ASN.1 BER encoding specifies that for booleans, false is encoded as 0 and true as any non-0 value. However, for DER (which is a subset of BER) true has only one legal value: 255. Meaning the above certificate is not using the correct value (01 instead of FF).
Now the issue is that many applications are wrongly using 01 and clients accept that (Curl, Chrome etc.). One could argue that it should be fixed in the application issuing the cert, but this is difficult to justify when thousands of devices have been deployed with this certificate and other clients interpret 01 as true and it has worked fine for years.
With the current Go crypto implementation the validation is very strict, preventing us from using Go's HTTP client to validate TLS connections unless InsecureSkipVerify is set to true.
For the sake of compatibility with other languages and legacy setups I propose we add "case 1: *out = true" to crypto/cryptobyte/asn1.go ReadASN1Boolean() which solves the problem.
https://github.com/golang/go/blob/master/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go#L249-L265
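The behaviour described above, as an added illustration that is not part of the issue or of the Go project's code: two constructed BasicConstraints encodings (one with the DER-correct `FF`, one with the non-conforming `01`) are decoded with the standard library's `encoding/asn1`, which applies the same strict DER rule as cryptobyte and rejects `01`. A small hand-written `ReadBoolean` helper (hypothetical, not the `ReadASN1Boolean` from the linked file) shows the strict DER check beside the BER-style lenient one that the proposal amounts to, so the compatibility trade-off can be seen in code rather than only argued about.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// Constructed sample encodings of BasicConstraints ::= SEQUENCE { cA BOOLEAN }.
// DERStrictTrue uses the only DER-legal TRUE octet (0xFF);
// BERLooseTrue uses 0x01, which BER allows but DER does not.
var (
	DERStrictTrue = []byte{0x30, 0x03, 0x01, 0x01, 0xFF}
	BERLooseTrue  = []byte{0x30, 0x03, 0x01, 0x01, 0x01}
)

// basicConstraints mirrors the X.509 BasicConstraints structure.
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// ParseBasicConstraintsStrict decodes with encoding/asn1, whose BOOLEAN
// decoder accepts only 0x00 and 0xFF, so a 0x01 TRUE is a syntax error.
func ParseBasicConstraintsStrict(der []byte) (bool, error) {
	var bc basicConstraints
	rest, err := asn1.Unmarshal(der, &bc)
	if err != nil {
		return false, err
	}
	if len(rest) != 0 {
		return false, errors.New("trailing data after BasicConstraints")
	}
	return bc.IsCA, nil
}

// ReadBoolean is a hypothetical decoder for a single BOOLEAN TLV
// (tag 0x01, length 0x01, one content octet). With strict=true it
// enforces the DER rule; with strict=false it applies the BER rule
// that any non-zero octet is TRUE, which is what accepting 0x01 implies.
func ReadBoolean(tlv []byte, strict bool) (bool, []byte, error) {
	if len(tlv) < 3 || tlv[0] != 0x01 || tlv[1] != 0x01 {
		return false, nil, errors.New("malformed BOOLEAN TLV")
	}
	v, rest := tlv[2], tlv[3:]
	switch {
	case v == 0x00:
		return false, rest, nil
	case v == 0xFF:
		return true, rest, nil
	case !strict:
		return true, rest, nil // BER: non-zero means TRUE
	}
	return false, nil, fmt.Errorf("non-DER BOOLEAN content octet 0x%02x", v)
}

func main() {
	for name, enc := range map[string][]byte{"FF": DERStrictTrue, "01": BERLooseTrue} {
		isCA, err := ParseBasicConstraintsStrict(enc)
		fmt.Printf("encoding/asn1 on cA=%s: isCA=%v err=%v\n", name, isCA, err)
		// Skip the outer SEQUENCE header (2 bytes) to reach the BOOLEAN TLV.
		for _, strict := range []bool{true, false} {
			v, _, err := ReadBoolean(enc[2:], strict)
			fmt.Printf("  ReadBoolean strict=%v: value=%v err=%v\n", strict, v, err)
		}
	}
}
```

Running this prints that `FF` decodes to TRUE everywhere, while `01` is rejected by `encoding/asn1` and by the strict decoder and accepted only in BER mode; a client that chooses the lenient path is trading DER conformance (and the unambiguous encoding DER exists to guarantee) for compatibility with the deployed certificates.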