
crypto/x509: parser should error on Subject Information Access and Policy Constraints being marked as critical #70278

Open
dulanshuangqiao opened this issue Nov 11, 2024 · 4 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

@dulanshuangqiao

Go version

go version go1.23.2 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/liu/.cache/go-build'
GOENV='/home/liu/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/liu/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/liu/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/snap/go/10730'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/snap/go/10730/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.2'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/liu/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3084352486=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Used x509.ParseCertificate(derBytes) to parse the DER certificate.

What did you see happen?

A criticality check of the AIA extension: authority info access incorrectly marked critical
Authority Information Access is described in RFC5280: Conforming CAs MUST mark this extension as non-critical.
Other extensions with the same description in RFC5280 are not checked, such as:
Subject Information Access: Conforming CAs MUST mark this extension as non-critical.
Policy Constraints: Conforming CAs MUST mark this extension as non-critical.

What did you expect to see?

For certificates whose Subject Information Access or Policy Constraints extensions are marked as critical, a parsing error should also occur.
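
Reproducer for the asymmetry described above, added here as an example and not code from the issue author or the Go project: it builds a throwaway self-signed certificate with Go's own crypto/x509 (constructed test input), sets one extension critical, and checks what ParseCertificate does with it. It covers the two access-information extensions, AIA and SIA, which RFC 5280 section 4.2.2 says conforming CAs MUST mark non-critical; the function names and the empty-SEQUENCE placeholder value are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// RFC 5280 4.2.2.1 and 4.2.2.2: conforming CAs MUST mark both of these non-critical.
var oidAuthorityInfoAccess = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}
var oidSubjectInfoAccess = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11}

// selfSignedWithCriticalExt builds a throwaway self-signed certificate (constructed
// test input, not a real CA's output) carrying one extension with the critical bit set.
func selfSignedWithCriticalExt(oid asn1.ObjectIdentifier) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "critical-ext-test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		// An empty SEQUENCE is enough here: the parser tests the critical flag before the body.
		ExtraExtensions: []pkix.Extension{{Id: oid, Critical: true, Value: []byte{0x30, 0x00}}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// unexpectedCritical parses der and lists which of the two extensions came through
// with the critical bit set. A parse error is returned as-is: that is where the AIA
// case stops today, while SIA parses and only lands in cert.UnhandledCriticalExtensions.
func unexpectedCritical(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, e := range cert.Extensions {
		if e.Critical && (e.Id.Equal(oidAuthorityInfoAccess) || e.Id.Equal(oidSubjectInfoAccess)) {
			bad = append(bad, e.Id.String())
		}
	}
	return bad, nil
}
```

For the SIA case the certificate parses, but the OID is recorded in cert.UnhandledCriticalExtensions, so cert.Verify still rejects it with UnhandledCriticalExtension; the inconsistency is only in where the rejection happens.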

@seankhliao seankhliao changed the title import/crypto/x509:Extension critical check crypto/x509: should ignore Authority Information Access being marked critical Nov 11, 2024
@mateusz834 mateusz834 changed the title crypto/x509: should ignore Authority Information Access being marked critical crypto/x509: parser should error on Subject Information Access and Policy Constraints being marked as critical Nov 11, 2024
@mateusz834 (Member)

AFAIK, we do not support subjectInfoAccess, and policyConstraints in the crypto/x509 parser.

@cherrymui (Member)

@dulanshuangqiao do you have a reproducer, like a short code snippet, to demonstrate the issue, what happens and what you expect? Thanks.

cc @golang/security

@cherrymui cherrymui added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 11, 2024
@cherrymui cherrymui added this to the Backlog milestone Nov 11, 2024
@dulanshuangqiao (Author)

@dulanshuangqiao do you have a reproducer (for example a short code snippet) to demonstrate the issue, what happened and what you expect? Thanks.

cc @golang/security

I have provided the program I used in the attachment. I used it to convert DER to PEM format. This program reported an error when processing the Authority Information Access extension marked as critical: incorrectly marked critical. So I looked up RFC5280 on Authority Information Access and found the description: Conforming CAs MUST mark this extension as non-critical.
So I continued to test other extensions with the same description, such as Subject Information Access, Policy Constraints, etc., but even when they were marked as critical, the program did not throw an error as it did for Authority Information Access, and instead completed the conversion successfully.
program.zip

4 participants