crypto/x509: don't panic when asn1.ObjectIdentifier is shorter than x509.OID

Change-Id: Ia08673450edc93fe1a9c7c05b7e69a05cd5ac8b9
GitHub-Last-Rev: c396197cb1f94b7fe8405d89c805c0566aa07fda
GitHub-Pull-Request: golang/go#64655
Reviewed-on: https://go-review.googlesource.com/c/go/+/548915
Reviewed-by: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>

diff --git a/src/crypto/x509/oid.go b/src/crypto/x509/oid.go
index b00c35e6967ae24221556165070bd2b0a79ce7c7..fd438eacf95420f50fb0aee8f292f4e8d4ce4fdb 100644 (file)
--- a/src/crypto/x509/oid.go
+++ b/src/crypto/x509/oid.go
@@ -268,7 +268,7 @@ func (oid OID) EqualASN1OID(other asn1.ObjectIdentifier) bool {
                        // the OID, but better safe than sorry.
                        return false
                }
-               if v != other[i] {
+               if i >= len(other) || v != other[i] {
                        return false
                }
        }

diff --git a/src/crypto/x509/oid_test.go b/src/crypto/x509/oid_test.go
index cbb3406424656b818736ec4edad12fd850d0ad82..270dca0bb5866363e2babac0b47f1d9751e4fbfd 100644 (file)
--- a/src/crypto/x509/oid_test.go
+++ b/src/crypto/x509/oid_test.go
@@ -127,6 +127,27 @@ func TestInvalidOID(t *testing.T) {
        }
 }
 
+func TestOIDEqual(t *testing.T) {
+       var cases = []struct {
+               oid  OID
+               oid2 OID
+               eq   bool
+       }{
+               {oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: mustNewOIDFromInts(t, []uint64{1, 2, 3}), eq: true},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: mustNewOIDFromInts(t, []uint64{1, 2, 4}), eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: mustNewOIDFromInts(t, []uint64{1, 2, 3, 4}), eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{2, 33, 22}), oid2: mustNewOIDFromInts(t, []uint64{2, 33, 23}), eq: false},
+               {oid: OID{}, oid2: OID{}, eq: true},
+               {oid: OID{}, oid2: mustNewOIDFromInts(t, []uint64{2, 33, 23}), eq: false},
+       }
+
+       for _, tt := range cases {
+               if eq := tt.oid.Equal(tt.oid2); eq != tt.eq {
+                       t.Errorf("(%v).Equal(%v) = %v, want %v", tt.oid, tt.oid2, eq, tt.eq)
+               }
+       }
+}
+
 var (
        _ encoding.BinaryMarshaler   = OID{}
        _ encoding.BinaryUnmarshaler = new(OID)
@@ -224,6 +245,50 @@ func TestOIDMarshal(t *testing.T) {
        }
 }
 
+func TestOIDEqualASN1OID(t *testing.T) {
+       maxInt32PlusOne := int64(math.MaxInt32) + 1
+       var cases = []struct {
+               oid  OID
+               oid2 asn1.ObjectIdentifier
+               eq   bool
+       }{
+               {oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: asn1.ObjectIdentifier{1, 2, 3}, eq: true},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: asn1.ObjectIdentifier{1, 2, 4}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 2, 3}), oid2: asn1.ObjectIdentifier{1, 2, 3, 4}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 22}), oid2: asn1.ObjectIdentifier{1, 33, 23}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 23}), oid2: asn1.ObjectIdentifier{1, 33, 22}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 127}), oid2: asn1.ObjectIdentifier{1, 33, 127}, eq: true},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 128}), oid2: asn1.ObjectIdentifier{1, 33, 127}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 128}), oid2: asn1.ObjectIdentifier{1, 33, 128}, eq: true},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 129}), oid2: asn1.ObjectIdentifier{1, 33, 129}, eq: true},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 128}), oid2: asn1.ObjectIdentifier{1, 33, 129}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 129}), oid2: asn1.ObjectIdentifier{1, 33, 128}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 255}), oid2: asn1.ObjectIdentifier{1, 33, 255}, eq: true},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 256}), oid2: asn1.ObjectIdentifier{1, 33, 256}, eq: true},
+               {oid: mustNewOIDFromInts(t, []uint64{2, 33, 257}), oid2: asn1.ObjectIdentifier{2, 33, 256}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{2, 33, 256}), oid2: asn1.ObjectIdentifier{2, 33, 257}, eq: false},
+
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33}), oid2: asn1.ObjectIdentifier{1, 33, math.MaxInt32}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, math.MaxInt32}), oid2: asn1.ObjectIdentifier{1, 33}, eq: false},
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, math.MaxInt32}), oid2: asn1.ObjectIdentifier{1, 33, math.MaxInt32}, eq: true},
+               {
+                       oid:  mustNewOIDFromInts(t, []uint64{1, 33, math.MaxInt32 + 1}),
+                       oid2: asn1.ObjectIdentifier{1, 33 /*convert to int, so that it compiles on 32bit*/, int(maxInt32PlusOne)},
+                       eq:   false,
+               },
+
+               {oid: mustNewOIDFromInts(t, []uint64{1, 33, 256}), oid2: asn1.ObjectIdentifier{}, eq: false},
+               {oid: OID{}, oid2: asn1.ObjectIdentifier{1, 33, 256}, eq: false},
+               {oid: OID{}, oid2: asn1.ObjectIdentifier{}, eq: false},
+       }
+
+       for _, tt := range cases {
+               if eq := tt.oid.EqualASN1OID(tt.oid2); eq != tt.eq {
+                       t.Errorf("(%v).EqualASN1OID(%v) = %v, want %v", tt.oid, tt.oid2, eq, tt.eq)
+               }
+       }
+}
+
 func TestOIDUnmarshalBinary(t *testing.T) {
        for _, tt := range oidTests {
                var o OID