crypto/x509: invalid certificate policies #65990

Closed
fancycode opened this issue Feb 28, 2024 · 2 comments

@fancycode

Go version

go1.22.0 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/user/.cache/go-build'
GOENV='/home/user/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/user/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/user/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/user/devel/go-1.22'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/user/devel/go-1.22/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.0'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD=''
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2225582694=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Test program:

package main

import (
	"crypto/x509"
	"log"
	"os"
)

func main() {
	data, err := os.ReadFile("cert.crt")
	if err != nil {
		log.Fatal(err)
	}

	crt, err := x509.ParseCertificate(data)
	if err != nil {
		log.Fatal(err)
	}

	log.Printf("Certificate: %s", crt.Subject)
}

Sample certificate (uncompress with gunzip):
cert.crt.gz

Run:

go run test.go

What did you see happen?

2024/02/28 11:40:48 x509: invalid certificate policies
exit status 1

Decoding with openssl works:

openssl x509 -in cert.crt -inform der -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7c:6d:cd:78:18:4a:91:c6:05:9b:b7:24:55:38:d5:36
...

What did you expect to see?

2024/02/28 11:40:48 Certificate: <the-subject-of-the-certificate>

mateusz834 commented Feb 28, 2024

It looks like a badly encoded certificate; this error is returned from this branch:

if !der.ReadASN1(&cp, cryptobyte_asn1.SEQUENCE) || !cp.ReadASN1(&OIDBytes, cryptobyte_asn1.OBJECT_IDENTIFIER) {
	return nil, errors.New("x509: invalid certificate policies")
}

mateusz834 closed this as not planned Feb 28, 2024
mateusz834 reopened this Feb 28, 2024

mateusz834 commented Feb 28, 2024

Yep, it is badly encoded; it hits this case:

https://github.com/golang/crypto/blob/0aab8d07aefab378c763e8f36aa007544a862aa9/cryptobyte/asn1.go#L800-L802

The last ObjectIdentifier has the length encoded using two bytes, but it should be encoded with one byte.

30810e060c2b0601040181e82d01010b01

mateusz834 closed this as not planned Feb 28, 2024
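
Added example, not part of the issue thread and not code from Go or cryptobyte: a small stand-alone TLV header reader (the names tlv and readTLV are hypothetical) run over the hex string quoted in the last comment. It accepts BER long-form lengths so that it can report which header carries a non-minimal length, where a strict DER parser simply rejects the input.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// tlv is one decoded ASN.1 element (single-octet tags only).
type tlv struct {
	Tag       byte
	Content   []byte
	LenOctets int  // octets used to encode the length
	Minimal   bool // length uses the shortest form, as DER requires
}

// readTLV decodes one element, tolerating BER long-form lengths so a non-minimal one is reported.
func readTLV(b []byte) (tlv, error) {
	if len(b) < 2 {
		return tlv{}, fmt.Errorf("truncated header")
	}
	t := tlv{Tag: b[0], LenOctets: 1, Minimal: true}
	n, off := int(b[1]), 2
	if b[1]&0x80 != 0 { // long form: low 7 bits = number of length octets
		k := int(b[1] & 0x7f)
		if k == 0 || k > 3 || len(b) < 2+k {
			return tlv{}, fmt.Errorf("unsupported or truncated length")
		}
		n = 0
		for _, c := range b[2 : 2+k] {
			n = n<<8 | int(c)
		}
		off, t.LenOctets = 2+k, 1+k
		t.Minimal = n >= 0x80 && b[2] != 0 // DER: long form only for lengths >= 128, no leading zero octet
	}
	if n > len(b)-off {
		return tlv{}, fmt.Errorf("length exceeds input")
	}
	t.Content = b[off : off+n]
	return t, nil
}

const samplePolicy = "30810e060c2b0601040181e82d01010b01" // hex quoted in the comment above, used as sample input

func main() {
	raw, _ := hex.DecodeString(samplePolicy)
	outer, _ := readTLV(raw)
	inner, _ := readTLV(outer.Content)
	fmt.Printf("outer: %+v\ninner: %+v\n", outer, inner)
}
```

On the quoted bytes it reports the 0x30 SEQUENCE header with a two-octet length (81 0e) flagged as non-minimal, and the 0x06 OBJECT IDENTIFIER header with a one-octet length (0c).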