Skip to content

crypto/x509: certificate validation issues #67024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
joyantaDebnath opened this issue Apr 24, 2024 · 4 comments
Closed

crypto/x509: certificate validation issues #67024

joyantaDebnath opened this issue Apr 24, 2024 · 4 comments
Labels
WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@joyantaDebnath
Copy link

Go version

Go-Crypto v1.21rc2

Output of go env in your module/workspace:

Go-Crypto v1.21rc2

What did you do?

  1. The library allows empty DirectoryString (e.g., " ") in Distinguished name structures of Issuer and Subject name. (RFC 5280 non-compliant)
  2. You should not allow 0 (zero) as certificate serial number. RFC 5280 says, "The serial number MUST be a positive integer assigned by the CA to each cer- tificate...CAs MUST force the serial Number to be a non-negative integer...Non- conforming CAs may issue certificates with serial numbers that are negative or zero. Certificate users SHOULD be prepared to gracefully handle such certificates."
  3. Crypto allows presence of (version 3) extensions even if the certificate version is 1 or 2.

What did you see happen?

All certificates were accepted

What did you expect to see?

The library should reject such noncompliant certificates
@seankhliao seankhliao changed the title import/path: Reporting Bugs in Certificate Chain Validation crypto/x509: certificate validation issues Apr 24, 2024
@seankhliao
Copy link
Member

does this reproduce against the latest released version?
do you have self contained reproducers to demonstrate the issue?

@seankhliao seankhliao added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Apr 24, 2024
@joyantaDebnath
Copy link
Author

joyantaDebnath commented Apr 24, 2024
edited
Loading

I do not have self-contained reproducer, but I have sample certificates and the test harness.

certs.zip

This is the test harness I have used:

https://github.com/joyantaDebnath/ARMOR/blob/main/evaluation/Diff_test_setup/test-harness/go-crypto/test_verify.go

Yes, these are issues of the latest version as well.

@seankhliao
Copy link
Member

We'd still need a root cert to test those certs.

@seankhliao seankhliao added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. and removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels May 11, 2024
@gopherbot
Copy link
Contributor

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@gopherbot gopherbot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 11, 2024
@gabyhelp gabyhelp mentioned this issue Apr 9, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @seankhliao @joyantaDebnath