crypto/x509: panics on invalid curve instead of returning error [1.19 backport] #54295

gopherbot · 2022-08-05T14:46:58Z

@FiloSottile requested issue #54288 to be considered for backport to the next 1.19 minor release.

Ah, yeah, functions with an error return value should definitely return an error, not panic. I'll do a pass of all the marshal-side paths, and see if there are other issues like this.

@gopherbot please open a backport issue to Go 1.19. I don't think this is a security issue because the attacker can't control the curve of a certificate being marshaled, but panic'ing where we were returning an error is a regression and we should quash it.

gopherbot · 2022-08-25T19:59:15Z

Change https://go.dev/cl/425634 mentions this issue: [release-branch.go1.19] crypto/x509: don't panic marshaling invalid ECDSA keys

gopherbot · 2022-08-29T19:14:58Z

Closed by merging 2553a09 to release-branch.go1.19.

…CDSA keys MarshalPKIXPublicKey, CreateCertificate, CreateCertificateRequest, MarshalECPrivateKey, and MarshalPKCS8PrivateKey started raising a panic when encoding an invalid ECDSA key in Go 1.19. Since they have an error return value, they should return an error instead. Updates #54288 Fixes #54295 Change-Id: Iba132cd2f890ece36bb7d0396eb9a9a77bdb81df Reviewed-on: https://go-review.googlesource.com/c/go/+/422298 Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> (cherry picked from commit f64f12f) Reviewed-on: https://go-review.googlesource.com/c/go/+/425634

…CDSA keys MarshalPKIXPublicKey, CreateCertificate, CreateCertificateRequest, MarshalECPrivateKey, and MarshalPKCS8PrivateKey started raising a panic when encoding an invalid ECDSA key in Go 1.19. Since they have an error return value, they should return an error instead. Updates golang#54288 Fixes golang#54295 Change-Id: Iba132cd2f890ece36bb7d0396eb9a9a77bdb81df Reviewed-on: https://go-review.googlesource.com/c/go/+/422298 Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> (cherry picked from commit f64f12f) Reviewed-on: https://go-review.googlesource.com/c/go/+/425634

gopherbot added the CherryPickCandidate Used during the release process for point releases label Aug 5, 2022

gopherbot mentioned this issue Aug 5, 2022

crypto/x509: panics on invalid curve instead of returning error #54288

Closed

gopherbot added this to the Go1.19.1 milestone Aug 5, 2022

joedian added the CherryPickApproved Used during the release process for point releases label Aug 10, 2022

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Aug 10, 2022

gopherbot closed this as completed Aug 29, 2022

golang locked and limited conversation to collaborators Aug 29, 2023

gopherbot added the FrozenDueToAge label Aug 29, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/x509: panics on invalid curve instead of returning error [1.19 backport] #54295

crypto/x509: panics on invalid curve instead of returning error [1.19 backport] #54295

gopherbot commented Aug 5, 2022

gopherbot commented Aug 25, 2022

gopherbot commented Aug 29, 2022

crypto/x509: panics on invalid curve instead of returning error [1.19 backport] #54295

crypto/x509: panics on invalid curve instead of returning error [1.19 backport] #54295

Comments

gopherbot commented Aug 5, 2022

gopherbot commented Aug 25, 2022

gopherbot commented Aug 29, 2022