crypto/x509: parse CSR with elided Attributes #56901
Labels: FrozenDueToAge, NeedsInvestigation
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
Go's CSR parsing capabilities do not support CSRs with incorrectly elided Attributes.
See also: hashicorp/vault#17918
In particular, while RFC 2986 (dated Nov. 2000) required the inner CertificationRequestInfo to have four elements (the last of which is an explicit Attributes), the earlier RFC 2314 (dated Mar. 1998) allowed this to have IMPLICIT type tagging. I believe some people incorrectly took this to be OPTIONAL. In the CSR included with the issue, it'll parse successfully with both openssl asn1parse and openssl req:
OpenSSL invocations
However, the same fails with Golang:
https://go.dev/play/p/nAyLYuDZWQh
Notably, OpenSSL includes this comment:
OpenJDK 7+ does as well:
So it might be worthwhile to add such parsing to Go as well. I'm not sure if simply adding optional to the ASN1 info is sufficient on the struct, or if we'll need to modify the marshaling code to always provision it, even if empty (so we do not become part of the problem as well).
(Just marking it optional does allow parsing, but I figured I'd open up the issue first for discussion before finalizing a patch approach).
What did you expect to see?
Successful parsing of the CSR.
What did you see instead?
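An added example, not code from the issue or from the Go project: a pre-check that reports whether a DER-encoded CSR's CertificationRequestInfo ends after subjectPKInfo, which is the shape the issue describes, so a service can log or reject such requests explicitly before handing them to a strict parser. The names csrOuter, attrsTail, AttributesElided and Samples are hypothetical; the sample CSRs are constructed in the code with a throwaway zero-seed Ed25519 key, and the stripped copy keeps the original signature, so that signature no longer verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
)

type csrOuter struct { // CertificationRequest; CertificationRequestInfo kept raw
	Info, SigAlg asn1.RawValue
	Sig          asn1.BitString
}

// attrsTail returns what follows version, subject and subjectPKInfo in Info.
func attrsTail(der []byte) (c csrOuter, tail []byte, err error) {
	_, err = asn1.Unmarshal(der, &c) // trailing bytes are left to the real parser
	tail = c.Info.Bytes
	for i := 0; i < 3 && err == nil; i++ {
		tail, err = asn1.Unmarshal(tail, new(asn1.RawValue))
	}
	return c, tail, err
}

// AttributesElided reports whether a well-formed CSR lacks [0] attributes.
func AttributesElided(der []byte) bool {
	_, tail, err := attrsTail(der)
	return err == nil && len(tail) == 0
}

// Samples: constructed CSR (throwaway key) and a copy re-encoded without attributes.
func Samples() (full, elided []byte, err error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	full, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	if err != nil {
		return nil, nil, err
	}
	c, tail, err := attrsTail(full)
	if err == nil {
		c.Info = asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: c.Info.Bytes[:len(c.Info.Bytes)-len(tail)]}
		elided, err = asn1.Marshal(c)
	}
	return full, elided, err
}

func main() {
	full, elided, err := Samples()
	fmt.Println(AttributesElided(full), AttributesElided(elided), err) // false true <nil>
}
```
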