crypto/x509: reject critical AIA extensions
authorRoland Shoemaker <roland@golang.org>
Wed, 7 Feb 2024 20:12:14 +0000 (12:12 -0800)
committerRoland Shoemaker <roland@golang.org>
Thu, 9 May 2024 22:42:58 +0000 (22:42 +0000)
Updates #65085

Change-Id: I86d8a85130286e1ec2aca3249808ec1dc8ec97ca
Reviewed-on: https://go-review.googlesource.com/c/go/+/562342
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
src/crypto/x509/parser.go
src/crypto/x509/x509_test.go

index 800cc6620c696a81c2c5f167eda4e0b98a835423..726409e988a00b8eff3e992bdbb5dd56bef90f1a 100644 (file)
@@ -764,6 +764,10 @@ func processExtensions(out *Certificate) error {
                        }
                } else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
                        // RFC 5280 4.2.2.1: Authority Information Access
+                       if e.Critical {
+                               // Conforming CAs MUST mark this extension as non-critical
+                               return errors.New("x509: authority info access incorrectly marked critical")
+                       }
                        val := cryptobyte.String(e.Value)
                        if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) {
                                return errors.New("x509: invalid authority info access")
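Review bot: The new `if e.Critical` guard rejects the certificate outright at parse time, before the extension value is read, so any certificate with a critical AIA now fails ParseCertificate regardless of VerifyOptions, and a critical AIA that is also malformed reports the criticality error rather than the "invalid authority info access" one; the comment should say so and point at the exact requirement, e.g. `// RFC 5280 4.2.2.1: "Conforming CAs MUST mark this extension as non-critical"; reject at parse time rather than ignore.` so a later reader knows the rejection is deliberate and where the ordering comes from. If the intent is to match how other must-be-non-critical extensions are treated in processExtensions, a cross-reference in the comment would help, though those branches are not visible here. processExtensions begins before this hunk and continues past it.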
index 548b8d940e1b347fc9e605e33b5603f49d9bbf71..0f528d4cc29d7b739b0b47d2106dac6d8a8cc37f 100644 (file)
@@ -4010,3 +4010,28 @@ func TestGob(t *testing.T) {
                t.Fatal(err)
        }
 }
+
+func TestRejectCriticalAIA(t *testing.T) {
+       template := Certificate{
+               SerialNumber: big.NewInt(1),
+               Subject:      pkix.Name{CommonName: "Cert"},
+               NotBefore:    time.Unix(1000, 0),
+               NotAfter:     time.Unix(100000, 0),
+               ExtraExtensions: []pkix.Extension{
+                       {
+                               Id:       asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1},
+                               Critical: true,
+                               Value:    []byte{1, 2, 3},
+                       },
+               },
+       }
+       certDER, err := CreateCertificate(rand.Reader, &template, &template, rsaPrivateKey.Public(), rsaPrivateKey)
+       if err != nil {
+               t.Fatalf("CreateCertificate() unexpected error: %v", err)
+       }
+       expectedErr := "x509: authority info access incorrectly marked critical"
+       _, err = ParseCertificate(certDER)
+       if err == nil || err.Error() != expectedErr {
+               t.Fatalf("ParseCertificate() unexpected error: %v, want: %s", err, expectedErr)
+       }
+}
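Review bot: TestRejectCriticalAIA only exercises the rejecting path, so a regression that moved the criticality check after value parsing, or that rejected AIA unconditionally, would still pass; a second case with the same template but `Critical: false` should parse far enough to hit the existing `x509: invalid authority info access` error from the same branch, pinning that the rejection is specific to the critical flag. The test relies on the `rsaPrivateKey` fixture, which is presumably declared elsewhere in x509_test.go.
```go
	// … unchanged: template construction and the critical-AIA assertion …
	template.ExtraExtensions[0].Critical = false
	certDER, err = CreateCertificate(rand.Reader, &template, &template, rsaPrivateKey.Public(), rsaPrivateKey)
	if err != nil {
		t.Fatalf("CreateCertificate() unexpected error: %v", err)
	}
	expectedErr = "x509: invalid authority info access"
	_, err = ParseCertificate(certDER)
	if err == nil || err.Error() != expectedErr {
		t.Fatalf("ParseCertificate() non-critical AIA: unexpected error: %v, want: %s", err, expectedErr)
	}
```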