
crypto/x509/pkix does parse "1.2.840.113549.1.9.1" (emailAddress) in Subject/Issuer data #63148

Open
sweharris opened this issue Sep 21, 2023 · 2 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@sweharris

What version of Go are you using (go version)?

$ go version
go version go1.21.1 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/sweh/.cache/go-build'
GOENV='/home/sweh/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/sweh/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/sweh/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go_versions/go1.21.1'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go_versions/go1.21.1/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.1'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/gobuild1494015273=/tmp/go-build -gno-record-gcc-switches'

What did you do?

My organisation uses Active Directory Cert Services for cert issuance. The root CA and intermediate certs have Subject and Issuer entries with emailAddress=support@team type data in them as an extra field,

e.g.
C=US,ST=...,L=...,O=...,OU=...,CN=...,emailAddress=support@team

This email address appears to be created with the (deprecated) 1.2.840.113549.1.9.1 OID.

When parsing this information (e.g. from a client cert passed to a server in an mTLS session) this attribute is not decoded and is left as a BER-encoded OID field.

What did you expect to see?

CN=...,OU=...,O=...,L=...,ST=...,C=...,emailAddress=support@team

What did you see instead?

CN=...,OU=...,O=...,L=...,ST=...,C=...,1.2.840.113549.1.9.1=#berdata

Possible fix

For testing I was able to add

    "1.2.840.113549.1.9.1": "emailAddress",

to attributeTypeNames in crypto/x509/pkix.go, and that was sufficient to make my certs display properly. I don't know if this is sufficient, though, so I'm not proposing it with a PR.

It's also possible ADCS is doing the wrong thing here, but since it's a common tool for generating certificates it probably needs to be handled gracefully.
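
As an added example (not part of this issue and not code from the Go project), the following Go program reproduces the rendering the report describes and shows how a server can still read the attribute from a parsed certificate. It assumes a self-signed test certificate generated in-process with a constructed subject; EmailFromName, RenderName, escapeDNValue and makeCertWithEmail are helper names chosen here, and the "emailAddress" label is the same mapping the report proposes, applied outside the standard library rather than by patching pkix.go.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PKCS#9 emailAddress, the OID the report says ADCS puts in Subject/Issuer.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// makeCertWithEmail builds a self-signed test certificate (constructed here, not
// from a real CA) whose Subject carries emailAddress, then parses the DER back so
// cert.Subject.Names is populated exactly as for an mTLS client certificate.
func makeCertWithEmail(email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Country:      []string{"US"},
			Organization: []string{"Example Org"},
			CommonName:   "client-01",
			// Attributes without a dedicated pkix.Name field go in ExtraNames.
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}},
		},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EmailFromName reads emailAddress from the parsed attribute list. Authorization
// logic should use this rather than Name.String(), so it does not depend on how
// the OID happens to be rendered.
func EmailFromName(n pkix.Name) (string, bool) {
	for _, atv := range n.Names {
		if atv.Type.Equal(oidEmailAddress) {
			if s, ok := atv.Value.(string); ok {
				return s, true
			}
		}
	}
	return "", false
}

// escapeDNValue applies RFC 4514-style escaping to a value for display.
func escapeDNValue(s string) string {
	var b strings.Builder
	for i, r := range s {
		if strings.ContainsRune(`,+"\<>;`, r) || (i == 0 && (r == ' ' || r == '#')) || (i == len(s)-1 && r == ' ') {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// RenderName formats a Name like pkix.Name.String() but labels emailAddress
// instead of emitting "1.2.840.113549.1.9.1=#<hex DER>". It mirrors String():
// parsed non-standard attributes first, then the named fields, rendered last-to-first.
func RenderName(n pkix.Name) string {
	var rdns pkix.RDNSequence
	if n.ExtraNames == nil {
		for _, atv := range n.Names {
			t := atv.Type
			if len(t) == 4 && t[0] == 2 && t[1] == 5 && t[2] == 4 {
				switch t[3] {
				case 3, 5, 6, 7, 8, 9, 10, 11, 17: // already held in named fields
					continue
				}
			}
			rdns = append(rdns, pkix.RelativeDistinguishedNameSET{atv})
		}
	}
	rdns = append(rdns, n.ToRDNSequence()...)
	parts := make([]string, 0, len(rdns))
	for i := len(rdns) - 1; i >= 0; i-- {
		rdn := rdns[i]
		if len(rdn) == 1 && rdn[0].Type.Equal(oidEmailAddress) {
			parts = append(parts, "emailAddress="+escapeDNValue(fmt.Sprint(rdn[0].Value)))
			continue
		}
		parts = append(parts, pkix.RDNSequence{rdn}.String()) // stdlib rendering for the rest
	}
	return strings.Join(parts, ",")
}

func main() {
	cert, err := makeCertWithEmail("support@team")
	if err != nil {
		panic(err)
	}
	fmt.Println("stdlib String():", cert.Subject.String()) // ...,1.2.840.113549.1.9.1=#0c0c...
	email, _ := EmailFromName(cert.Subject)
	fmt.Println("extracted email:", email)
	fmt.Println("RenderName():   ", RenderName(cert.Subject)) // ...,emailAddress=support@team
}
```

The hex after "#" is the DER of the value re-marshalled by pkix (a UTF8String here, since "@" is not a PrintableString character), which is why it is stable across runs. For anything that makes a decision on the subject, match on cert.Subject.Names by OID; treat String() as a display aid only.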

@rittneje

related to #33093, which causes the unrecognized DN to render as hex instead of text

@thanm thanm added this to the Backlog milestone Sep 25, 2023
@thanm thanm added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 25, 2023
@thanm
Contributor

thanm commented Sep 25, 2023

@FiloSottile @rolandshoemaker @golang/security per owners
