Skip to content

crypto/x509: ParseRevocationList accepts invalid AKI extension in CRL #73030

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
onepeople158 opened this issue Mar 25, 2025 · 2 comments
Open

crypto/x509: ParseRevocationList accepts invalid AKI extension in CRL #73030

onepeople158 opened this issue Mar 25, 2025 · 2 comments
Labels
BugReport Issues describing a possible bug in the Go implementation. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

@onepeople158
Copy link

Go version

go version go1.24.1 linux/amd64

Output of go env in your module/workspace:

CN=US,OU=US,O=US,L=US,ST=US,C=US
2025-01-01 00:00:00 +0000 UTC
2025-12-01 00:00:00 +0000 UTC
134026152402537916809419830168838464
1
Extension OID: 2.5.29.35
No Key Identifier
No Authority Cert Issuer
Authority Cert Serial Number (decimal): 123456

What did you do?

RFC 5280 specifies that the AKI extension, i.e., the Authority Key Identifier, is based on either keyIdentifier or a combination of both authorityCertIssuer and authorityCertSerialNumber. That is, authorityCertIssuer and authorityCertSerialNumber must either both appear together or both be None. However, I was able to successfully parse a CRL file with an AKI extension that only contains the authorityCertSerialNumber field using Go.

What did you see happen?

The AKI extension was successfully parsed, and the Authority Cert Serial Number value was printed.

What did you expect to see?

main.zip
@gabyhelp
Copy link

Related Issues

Related Code Changes

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@gabyhelp gabyhelp added the BugReport Issues describing a possible bug in the Go implementation. label Mar 25, 2025
@seankhliao seankhliao changed the title crypto/X509:Go accepted a CRL file with an invalid AKI extension. crypto/x509: accepts invalid AKI extension in CRL Mar 25, 2025
@dmitshur
Copy link
Contributor

CC @golang/security.

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 25, 2025
@gabyhelp gabyhelp mentioned this issue Apr 9, 2025
Open
@seankhliao seankhliao changed the title crypto/x509: accepts invalid AKI extension in CRL crypto/x509: ParseRevocationList accepts invalid AKI extension in CRL Apr 10, 2025
@gabyhelp gabyhelp mentioned this issue Apr 18, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BugReport Issues describing a possible bug in the Go implementation. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dmitshur @onepeople158 @gabyhelp