crypto/x509: reject critical AKI
authorRoland Shoemaker <roland@golang.org>
Wed, 7 Feb 2024 20:10:58 +0000 (12:10 -0800)
committerGopher Robot <gobot@golang.org>
Thu, 9 May 2024 23:09:41 +0000 (23:09 +0000)
Updates #65085

Change-Id: I8cc60990737d582edf4f7f85ec871f5e42f82b78
Reviewed-on: https://go-review.googlesource.com/c/go/+/562341
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
src/crypto/x509/parser.go
src/crypto/x509/x509_test.go

index 001b0017750f76e0c3fe4cd6a6fef4aded01b724..4202991f47ef22db8c91792bd3eea0886111c8fc 100644 (file)
@@ -723,6 +723,10 @@ func processExtensions(out *Certificate) error {
 
                        case 35:
                                // RFC 5280, 4.2.1.1
+                               if e.Critical {
+                                       // Conforming CAs MUST mark this extension as non-critical
+                                       return errors.New("x509: authority key identifier incorrectly marked critical")
+                               }
                                val := cryptobyte.String(e.Value)
                                var akid cryptobyte.String
                                if !val.ReadASN1(&akid, cryptobyte_asn1.SEQUENCE) {
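Review bot: The comment on the new branch states the RFC requirement but not why the parser rejects rather than ignores a critical AKI, which is the compatibility-relevant decision here (certificates that previously parsed now fail). I would fold the citation and the rationale into one comment on the check: `// RFC 5280, 4.2.1.1: "Conforming CAs MUST mark this extension as non-critical"; a critical AKI is rejected outright, as for the other extensions that must be non-critical.` The test file in this commit references a TestRejectCriticalAIA, so this appears to mirror an existing AIA check; if so, naming that precedent in the comment helps the next reader. The enclosing processExtensions function starts and ends outside the hunk.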
index a29f914c8ea49920a9cbcb96dc748201f3203a99..a9dc14526519ee376dd2d9cacfb953cf68ffb274 100644 (file)
@@ -4011,6 +4011,31 @@ func TestGob(t *testing.T) {
        }
 }
 
+func TestRejectCriticalAKI(t *testing.T) {
+       template := Certificate{
+               SerialNumber: big.NewInt(1),
+               Subject:      pkix.Name{CommonName: "Cert"},
+               NotBefore:    time.Unix(1000, 0),
+               NotAfter:     time.Unix(100000, 0),
+               ExtraExtensions: []pkix.Extension{
+                       {
+                               Id:       asn1.ObjectIdentifier{2, 5, 29, 35},
+                               Critical: true,
+                               Value:    []byte{1, 2, 3},
+                       },
+               },
+       }
+       certDER, err := CreateCertificate(rand.Reader, &template, &template, rsaPrivateKey.Public(), rsaPrivateKey)
+       if err != nil {
+               t.Fatalf("CreateCertificate() unexpected error: %v", err)
+       }
+       expectedErr := "x509: authority key identifier incorrectly marked critical"
+       _, err = ParseCertificate(certDER)
+       if err == nil || err.Error() != expectedErr {
+               t.Fatalf("ParseCertificate() unexpected error: %v, want: %s", err, expectedErr)
+       }
+}
+
 func TestRejectCriticalAIA(t *testing.T) {
        template := Certificate{
                SerialNumber: big.NewInt(1),
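Review bot: TestRejectCriticalAKI uses `Value: []byte{1, 2, 3}`, which is not a well-formed AKI SEQUENCE, so the test only proves that the critical flag is inspected before the value is parsed; it does not show that the same extension is accepted when non-critical. Using a minimal well-formed value such as `Value: []byte{0x30, 0x05, 0x80, 0x03, 0x01, 0x02, 0x03}` (constructed example: a SEQUENCE holding a [0] keyIdentifier) and adding a second template with `Critical: false` that is expected to parse without error would pin the rejection to criticality alone. The exact match on `err.Error()` duplicates the literal from parser.go, which is presumably intentional so that a reworded error fails this test; a short comment saying so would stop someone from "fixing" it with errors.Is. TestRejectCriticalAIA at the end of the hunk continues past the hunk's last line.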