crypto/x509: accepts DN with all empty values #73021

onepeople158 · 2025-03-24T13:47:33Z

Go version

go version go1.24.1 linux/amd64

Output of `go env` in your module/workspace:

OU=,O=,L=,ST=,C=
2025-01-01 00:00:00 +0000 UTC
2025-12-01 00:00:00 +0000 UTC
1

What did you do?

RFC 5280 specifies that the number of DN values must be greater than or equal to 1, but I successfully printed the issuer name of a CRL file with an empty DN value using Go.

What did you see happen?

Go printed the CRL issuer as: OU=, O=, L=, ST=, C=.

What did you expect to see?

For comparison, when using GnuTLS to print this CRL file, it displayed the error: (error: get_issuer_dn: ASN1 parser: Value is not valid.).

main.zip

The text was updated successfully, but these errors were encountered:

dmitshur · 2025-03-24T21:40:55Z

CC @golang/security.

seankhliao changed the title ~~crypto/X509: Go accepts a CRL with an empty DN value.~~ crypto/x509: accepts DN with all empty values Mar 24, 2025

dmitshur added the NeedsInvestigation label Mar 24, 2025

gabyhelp mentioned this issue Apr 9, 2025

crypto/x509: Go accepts the IDP extension with DER encoding as an empty sequence #73284

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/x509: accepts DN with all empty values #73021

crypto/x509: accepts DN with all empty values #73021

onepeople158 commented Mar 24, 2025 •

edited

Loading

dmitshur commented Mar 24, 2025

crypto/x509: accepts DN with all empty values #73021

crypto/x509: accepts DN with all empty values #73021

Comments

onepeople158 commented Mar 24, 2025 • edited Loading

Go version

Output of go env in your module/workspace:

What did you do?

What did you see happen?

What did you expect to see?

dmitshur commented Mar 24, 2025

onepeople158 commented Mar 24, 2025 •

edited

Loading

Output of `go env` in your module/workspace: