mirror of
https://github.com/golang/go
synced 2024-11-11 19:11:35 -07:00
crypto/x509: don't fail on optional auth key id fields
If a certificate contains an AuthorityKeyIdentifier extension that lacks the keyIdentifier field, but contains the authorityCertIssuer and/or the authorityCertSerialNumber fields, don't return an error and continue parsing. Fixes #46854 Change-Id: I82739b415441f639a722755cc1f449d73078adfc Reviewed-on: https://go-review.googlesource.com/c/go/+/331689 Trust: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
parent
f9d50953b9
commit
c45e800e0c
@ -734,10 +734,12 @@ func processExtensions(out *Certificate) error {
|
||||
if !val.ReadASN1(&akid, cryptobyte_asn1.SEQUENCE) {
|
||||
return errors.New("x509: invalid authority key identifier")
|
||||
}
|
||||
if !akid.ReadASN1(&akid, cryptobyte_asn1.Tag(0).ContextSpecific()) {
|
||||
return errors.New("x509: invalid authority key identifier")
|
||||
if akid.PeekASN1Tag(cryptobyte_asn1.Tag(0).ContextSpecific()) {
|
||||
if !akid.ReadASN1(&akid, cryptobyte_asn1.Tag(0).ContextSpecific()) {
|
||||
return errors.New("x509: invalid authority key identifier")
|
||||
}
|
||||
out.AuthorityKeyId = akid
|
||||
}
|
||||
out.AuthorityKeyId = akid
|
||||
case 37:
|
||||
out.ExtKeyUsage, out.UnknownExtKeyUsage, err = parseExtKeyUsageExtension(e.Value)
|
||||
if err != nil {
|
||||
|
@ -3174,3 +3174,45 @@ func TestSigAlgMismatch(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
const optionalAuthKeyIDPEM = `-----BEGIN CERTIFICATE-----
|
||||
MIIFEjCCBHugAwIBAgICAQwwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh
|
||||
bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIElu
|
||||
Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g
|
||||
QXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAe
|
||||
BgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MDYyOTE3MzkxNloX
|
||||
DTI0MDYyOTE3MzkxNlowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJmaWVs
|
||||
ZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAy
|
||||
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0A
|
||||
MIIBCAKCAQEAtzLI/ulxpgSFrQwRZN/OTe/IAxiHP6Gr+zymn/DDodrU2G4rU5D7
|
||||
JKQ+hPCe6F/s5SdE9SimP3ve4CrwyK9TL57KBQGTHo9mHDmnTfpatnMEJWbrd3/n
|
||||
WcZKmSUUVOsmx/N/GdUwcI+vsEYq/63rKe3Xn6oEh6PU+YmlNF/bQ5GCNtlmPLG4
|
||||
uYL9nDo+EMg77wZlZnqbGRg9/3FRPDAuX749d3OyXQZswyNWmiuFJpIcpwKz5D8N
|
||||
rwh5grg2Peqc0zWzvGnK9cyd6P1kjReAM25eSl2ZyR6HtJ0awNVuEzUjXt+bXz3v
|
||||
1vd2wuo+u3gNHEJnawTY+Nbab4vyRKABqwIBA6OCAfMwggHvMB0GA1UdDgQWBBS/
|
||||
X7fRzt0fhvRbVazc1xDCDqmI5zCB0gYDVR0jBIHKMIHHoYHBpIG+MIG7MSQwIgYD
|
||||
VQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNVBAoTDlZhbGlD
|
||||
ZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBvbGljeSBWYWxp
|
||||
ZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52YWxpY2VydC5j
|
||||
b20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbYIBATAPBgNVHRMB
|
||||
Af8EBTADAQH/MDkGCCsGAQUFBwEBBC0wKzApBggrBgEFBQcwAYYdaHR0cDovL29j
|
||||
c3Auc3RhcmZpZWxkdGVjaC5jb20wSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL2Nl
|
||||
cnRpZmljYXRlcy5zdGFyZmllbGR0ZWNoLmNvbS9yZXBvc2l0b3J5L3Jvb3QuY3Js
|
||||
MFEGA1UdIARKMEgwRgYEVR0gADA+MDwGCCsGAQUFBwIBFjBodHRwOi8vY2VydGlm
|
||||
aWNhdGVzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkwDgYDVR0PAQH/BAQD
|
||||
AgEGMA0GCSqGSIb3DQEBBQUAA4GBAKVi8afCXSWlcD284ipxs33kDTcdVWptobCr
|
||||
mADkhWBKIMuh8D1195TaQ39oXCUIuNJ9MxB73HZn8bjhU3zhxoNbKXuNSm8uf0So
|
||||
GkVrMgfHeMpkksK0hAzc3S1fTbvdiuo43NlmouxBulVtWmQ9twPMHOKRUJ7jCUSV
|
||||
FxdzPcwl
|
||||
-----END CERTIFICATE-----`
|
||||
|
||||
func TestAuthKeyIdOptional(t *testing.T) {
|
||||
b, _ := pem.Decode([]byte(optionalAuthKeyIDPEM))
|
||||
if b == nil {
|
||||
t.Fatalf("couldn't decode test certificate")
|
||||
}
|
||||
_, err := ParseCertificate(b.Bytes)
|
||||
if err != nil {
|
||||
t.Fatalf("ParseCertificate to failed to parse certificate with optional authority key identifier fields: %s", err)
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user