crypto/x509: Parser support for extensions #71499

Closed
dulanshuangqiao opened this issue Jan 31, 2025 · 3 comments
Labels
LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool

Comments

@dulanshuangqiao

Go version

go version go1.23.2 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/liu/.cache/go-build'
GOENV='/home/liu/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/liu/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/liu/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/snap/go/10730'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/snap/go/10730/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.2'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/liu/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3084352486=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Use x509.ParseCertificate(derBytes) to parse the DER certificate.
For X.509 extensions with incorrect tags, golang only checks the correctness of Authority Key Identifier, Subject Key Identifier, Key Usage, Certificate Policies, Subject Alternative Name, Basic Constraints, Name Constraints, Extended Key Usage, CRL Distribution Points, and AIA extensions, and identifies invalid extensions, while Policy Mappings, Policy Constraints, Inhibit anyPolicy, Freshest CRL, and Subject Information Access lack this check.

What did you see happen?

Some invalid extensions were accepted

What did you expect to see?

Correctly detect invalid extensions and reject them
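
The kind of outer-tag check the post above asks for, as an added example that is not part of the issue or of Go's crypto/x509. `wantTag`, `CheckValue` and `CheckExtensions` are hypothetical names, the OIDs and expected outer types are taken from RFC 5280, and the sample bytes are constructed.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Outer universal tag (RFC 5280) for each extension the issue lists as unchecked.
var wantTag = map[string]int{
	"2.5.29.33":          asn1.TagSequence, // Policy Mappings
	"2.5.29.36":          asn1.TagSequence, // Policy Constraints
	"2.5.29.54":          asn1.TagInteger,  // Inhibit anyPolicy
	"2.5.29.46":          asn1.TagSequence, // Freshest CRL
	"1.3.6.1.5.5.7.1.11": asn1.TagSequence, // Subject Information Access
}

// CheckValue (hypothetical helper) returns an error unless der is exactly one
// DER element carrying the outer tag expected for oid; other OIDs pass.
func CheckValue(oid string, der []byte) error {
	tag, ok := wantTag[oid]
	if !ok {
		return nil
	}
	var rv asn1.RawValue
	rest, err := asn1.Unmarshal(der, &rv)
	if err != nil || len(rest) != 0 {
		return fmt.Errorf("extension %s: not a single DER element (err=%v, trailing=%d)", oid, err, len(rest))
	}
	if rv.Class != asn1.ClassUniversal || rv.Tag != tag || rv.IsCompound != (tag == asn1.TagSequence) {
		return fmt.Errorf("extension %s: outer tag %d (class %d), want universal %d", oid, rv.Tag, rv.Class, tag)
	}
	return nil
}

// CheckExtensions (hypothetical) applies CheckValue to a list such as cert.Extensions.
func CheckExtensions(exts []pkix.Extension) (errs []error) {
	for _, e := range exts {
		if err := CheckValue(e.Id.String(), e.Value); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed input: a Freshest CRL whose value is an OCTET STRING (04 00).
	bad := pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 46}, Value: []byte{0x04, 0x00}}
	fmt.Println(CheckExtensions([]pkix.Extension{bad}))
}
```

This validates only the outer element of each extension value; it does not check inner structure such as the `SIZE (1..MAX)` constraints, so an empty SEQUENCE still passes.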

gabyhelp added the LibraryProposal label Jan 31, 2025
@seankhliao
Member

See #68484 and #70728.

seankhliao closed this as not planned Jan 31, 2025
@dulanshuangqiao
Author

> See #68484 and #70728.

I didn't find any answers about Freshest CRL.
