crypto/x509: malformed signature algorithm identifier error while version and serialNumber swapped #70269

dulanshuangqiao · 2024-11-09T13:55:04Z

Go version

go version go1.23.2 linux/amd64

Output of `go env` in your module/workspace:

GO111MODULE=''

GOARCH='amd64'

GOBIN=''

GOCACHE='/home/liu/.cache/go-build'

GOENV='/home/liu/.config/go/env'

GOEXE=''

GOEXPERIMENT=''

GOFLAGS=''

GOHOSTARCH='amd64'

GOHOSTOS='linux'

GOINSECURE=''

GOMODCACHE='/home/liu/go/pkg/mod'

GONOPROXY=''

GONOSUMDB=''

GOOS='linux'

GOPATH='/home/liu/go'

GOPRIVATE=''

GOPROXY='https://proxy.golang.org,direct'

GOROOT='/snap/go/10730'

GOSUMDB='sum.golang.org'

GOTMPDIR=''

GOTOOLCHAIN='auto'

GOTOOLDIR='/snap/go/10730/pkg/tool/linux_amd64'

GOVCS=''

GOVERSION='go1.23.2'

GODEBUG=''

GOTELEMETRY='local'

GOTELEMETRYDIR='/home/liu/.config/go/telemetry'

GCCGO='gccgo'

GOAMD64='v1'

AR='ar'

CC='gcc'

CXX='g++'

CGO_ENABLED='1'

GOMOD='/dev/null'

GOWORK=''

CGO_CFLAGS='-O2 -g'

CGO_CPPFLAGS=''

CGO_CXXFLAGS='-O2 -g'

CGO_FFLAGS='-O2 -g'

CGO_LDFLAGS='-O2 -g'

PKG_CONFIG='pkg-config'

GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build578094757=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Use x509.ParseCertificate to parse the der certificate.
The version and serial number of the certificate are swapped.

case.zip

What did you see happen?

Parse error:malformed signature algorithm identifier

What did you expect to see?

Swap the positions of serialnumber and version, and the value of serialnumber is the same as version. Since the type of version is OPTIONAL[0] + INTEGER, and the type of serialnumber is INTEGER, the invalid version should be checked first instead of throwing an alformed signature algorithm identifier.

The text was updated successfully, but these errors were encountered:

gabyhelp · 2024-11-09T13:55:19Z

Related Issues

crypto/x509: invalid certificate policies #65990 (closed)
crypto/x509: ParseCertificate should error on invalid tag for PolicyMappings #70074 (closed)
crypto/x509: ParseCertificate and ParseCertificates return different errors with a single bad certificate supplied #43113
crypto/x509: malformed x509 certificate is accepted since 1.17 #51369
x/crypto/cryptobyte: "x509: invalid key usage" error caused by strict asn1 bit string parsing #70242
crypto/x509: ParseCertificate fails with "net/url: invalid userinfo" #69930
crypto/x509: ParseCertificate fails for ECDSA certificate, gives asn1 unmarshal error #21502 (closed)
x509.ParsePKIXPublicKey failed to parse X.509 DER format public key #69012 (closed)
x509: invalid RDNSequence: invalid attribute value: invalid PrintableString #62607 (closed)
x/crypto: error parsing even large ASN.1 identifiers #58821

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

mateusz834 · 2024-11-09T15:31:46Z

The TBSCertificate is your certificate looks like this: serialNumber, version, signature. The spec does not allow this kind of order of fields:

RFC 5280:

    TBSCertificate  ::=  SEQUENCE  {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        -- (...)
    }

The version is checked first, but it is optional (has a DEFAULT), thus we are skipping it (because of an unexpected tag). After that the parser is still at the same spot, it does not skip the badly-placed serialNumber field, so now the sertialNumber parsing succeeds. After that, the AlgorithmIdentifier parsing fails, because it contains an unexpected tag (badly placed version). I think that the error is correct.

See the implementation for reference:

go/src/crypto/x509/parser.go

Lines 829 to 883 in 5123f38

    
           func parseCertificate(der []byte) (*Certificate, error) { 
        
           	cert := &Certificate{} 
        
           	input := cryptobyte.String(der) 
        
           	// we read the SEQUENCE including length and tag bytes so that 
        
           	// we can populate Certificate.Raw, before unwrapping the 
        
           	// SEQUENCE so it can be operated on 
        
           	if !input.ReadASN1Element(&input, cryptobyte_asn1.SEQUENCE) { 
        
           		return nil, errors.New("x509: malformed certificate") 
        
           	} 
        
           	cert.Raw = input 
        
           	if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) { 
        
           		return nil, errors.New("x509: malformed certificate") 
        
           	} 
        
           	var tbs cryptobyte.String 
        
           	// do the same trick again as above to extract the raw 
        
           	// bytes for Certificate.RawTBSCertificate 
        
           	if !input.ReadASN1Element(&tbs, cryptobyte_asn1.SEQUENCE) { 
        
           		return nil, errors.New("x509: malformed tbs certificate") 
        
           	} 
        
           	cert.RawTBSCertificate = tbs 
        
           	if !tbs.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) { 
        
           		return nil, errors.New("x509: malformed tbs certificate") 
        
           	} 
        
           	if !tbs.ReadOptionalASN1Integer(&cert.Version, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific(), 0) { 
        
           		return nil, errors.New("x509: malformed version") 
        
           	} 
        
           	if cert.Version < 0 { 
        
           		return nil, errors.New("x509: malformed version") 
        
           	} 
        
           	// for backwards compat reasons Version is one-indexed, 
        
           	// rather than zero-indexed as defined in 5280 
        
           	cert.Version++ 
        
           	if cert.Version > 3 { 
        
           		return nil, errors.New("x509: invalid version") 
        
           	} 
        
           	serial := new(big.Int) 
        
           	if !tbs.ReadASN1Integer(serial) { 
        
           		return nil, errors.New("x509: malformed serial number") 
        
           	} 
        
           	if serial.Sign() == -1 { 
        
           		if x509negativeserial.Value() != "1" { 
        
           			return nil, errors.New("x509: negative serial number") 
        
           		} else { 
        
           			x509negativeserial.IncNonDefault() 
        
           		} 
        
           	} 
        
           	cert.SerialNumber = serial 
        
           	var sigAISeq cryptobyte.String 
        
           	if !tbs.ReadASN1(&sigAISeq, cryptobyte_asn1.SEQUENCE) { 
        
           		return nil, errors.New("x509: malformed signature algorithm identifier")

mateusz834 changed the title ~~ANS1 Parse~~ crypto/x509: malformed signature algorithm identifier error while version and serialNumber swapped Nov 9, 2024

mateusz834 added the NeedsInvestigation label Nov 9, 2024

gabyhelp mentioned this issue Feb 7, 2025

crypto/x509: negative serial number disallowed by default #71606

Closed

gabyhelp mentioned this issue Mar 3, 2025

crypto/x509: Verify allows serialNumber larger than 20 octets #72076

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/x509: malformed signature algorithm identifier error while version and serialNumber swapped #70269

crypto/x509: malformed signature algorithm identifier error while version and serialNumber swapped #70269

dulanshuangqiao commented Nov 9, 2024

gabyhelp commented Nov 9, 2024

mateusz834 commented Nov 9, 2024

crypto/x509: malformed signature algorithm identifier error while version and serialNumber swapped #70269

crypto/x509: malformed signature algorithm identifier error while version and serialNumber swapped #70269

Comments

dulanshuangqiao commented Nov 9, 2024

Go version

Output of go env in your module/workspace:

What did you do?

What did you see happen?

What did you expect to see?

gabyhelp commented Nov 9, 2024

mateusz834 commented Nov 9, 2024

Output of `go env` in your module/workspace: