crypto/x509: Parse CSR not containing Extensions Request Attribute #56140

Closed
TheJimmyBlaze opened this issue Oct 11, 2022 · 3 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

@TheJimmyBlaze

What version of Go are you using (go version)?

$ go version
go version go1.18.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOOS="linux"
GOARCH="amd64"
GOHOSTOS="linux"
GOHOSTARCH="amd64"

What did you do?

Attempt to parse a CSR PEM that does not contain an Extensions Request Attribute ( 1.2.840.113549.1.9.14 ).
The PKCS10 RFC doesn't specifically state that a PKCS10 must have, or may not have an Extension Request Attribute.
However, the x509 RFC does state that:
"If present, this field is a SEQUENCE of one or more certificate extensions."
I would expect that I must only include an Extension Request Attribute, when it contains one or more extensions.

Go Play demo:
https://go.dev/play/p/6YJ2CxnKtIw

What did you expect to see?

An x509.CertificateRequest struct with an empty array of pkix.Extension structs.

What did you see instead?

The error:
asn1: syntax error: sequence truncated

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 12, 2022
@seankhliao seankhliao added this to the Unplanned milestone Oct 12, 2022
@seankhliao
Member

cc @FiloSottile @golang/security

@rolandshoemaker rolandshoemaker self-assigned this Oct 12, 2022
@rolandshoemaker
Member

The ASN.1 syntax for the CertificateRequestInfo object does not mark attributes as OPTIONAL, and as such it is required, even if it is empty.

   CertificationRequestInfo ::= SEQUENCE {
        version       INTEGER { v1(0) } (v1,...),
        subject       Name,
        subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
        attributes    [0] Attributes{{ CRIAttributes }}
   }

In the two examples you provide, one has attributes containing an extensionRequest attribute, and one is completely missing the attributes field. We support CSRs that lack extensionRequest (i.e. https://go.dev/play/p/zFkdR60fy8B), but they still must contain an empty attributes SET.

Closing since this is working as intended.
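
The distinction drawn in the reply above, as an added Go example that is not part of the issue thread or of the Go project's code: it builds a CSR whose attributes field is present but empty, re-encodes it with the field dropped, and parses both with x509.ParseCertificateRequest. The `req` helper type, the `example.test` subject and the Ed25519 key are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// req is a hypothetical helper type (not crypto/x509's own) mirroring PKCS #10.
type req struct {
	Info struct {
		Version            int
		Subject, PublicKey asn1.RawValue
		Attributes         asn1.RawValue `asn1:"optional"` // omitted by Marshal when zero
	}
	SigAlg asn1.RawValue
	Sig    asn1.BitString
}

// buildCSRs returns a constructed CSR with an empty attributes field, plus a copy with the field removed.
func buildCSRs() (withEmpty, missing []byte, err error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.test"}}
	if withEmpty, err = x509.CreateCertificateRequest(rand.Reader, tmpl, key); err != nil {
		return nil, nil, err
	}
	var r req
	if _, err = asn1.Unmarshal(withEmpty, &r); err != nil {
		return nil, nil, err
	}
	r.Info.Attributes = asn1.RawValue{} // drop [0]; parsing fails before the stale signature matters
	missing, err = asn1.Marshal(r)
	return withEmpty, missing, err
}

func main() {
	withEmpty, missing, err := buildCSRs()
	if err != nil {
		panic(err)
	}
	_, errEmpty := x509.ParseCertificateRequest(withEmpty)
	_, errMissing := x509.ParseCertificateRequest(missing)
	fmt.Printf("empty attributes SET: %v\nattributes field absent: %v\n", errEmpty, errMissing)
}
```

The two encodings differ only by the two bytes of the empty `[0]` element, so a CSR generator that skips the field when it has no attributes to write produces input that this parser rejects.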

@TheJimmyBlaze
Author

Thanks for the clarification.

@golang golang locked and limited conversation to collaborators Oct 12, 2023