From: Roland Shoemaker <roland@golang.org>
Date: Wed, 7 Feb 2024 20:12:14 +0000 (-0800)
Subject: crypto/x509: reject critical AIA extensions
X-Git-Tag: go1.23rc1~404
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=f4bb7b9186ecfa6dc0ce31891b87dd8a9831476f;p=gostls13.git

crypto/x509: reject critical AIA extensions

Updates #65085

Change-Id: I86d8a85130286e1ec2aca3249808ec1dc8ec97ca
Reviewed-on: https://go-review.googlesource.com/c/go/+/562342
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
---

diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go
index 800cc6620c..726409e988 100644
--- a/src/crypto/x509/parser.go
+++ b/src/crypto/x509/parser.go
@@ -764,6 +764,10 @@ func processExtensions(out *Certificate) error {
 			}
 		} else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
 			// RFC 5280 4.2.2.1: Authority Information Access
+			if e.Critical {
+				// Conforming CAs MUST mark this extension as non-critical
+				return errors.New("x509: authority info access incorrectly marked critical")
+			}
 			val := cryptobyte.String(e.Value)
 			if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) {
 				return errors.New("x509: invalid authority info access")
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 548b8d940e..0f528d4cc2 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -4010,3 +4010,28 @@ func TestGob(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestRejectCriticalAIA(t *testing.T) {
+	template := Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "Cert"},
+		NotBefore:    time.Unix(1000, 0),
+		NotAfter:     time.Unix(100000, 0),
+		ExtraExtensions: []pkix.Extension{
+			{
+				Id:       asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1},
+				Critical: true,
+				Value:    []byte{1, 2, 3},
+			},
+		},
+	}
+	certDER, err := CreateCertificate(rand.Reader, &template, &template, rsaPrivateKey.Public(), rsaPrivateKey)
+	if err != nil {
+		t.Fatalf("CreateCertificate() unexpected error: %v", err)
+	}
+	expectedErr := "x509: authority info access incorrectly marked critical"
+	_, err = ParseCertificate(certDER)
+	if err == nil || err.Error() != expectedErr {
+		t.Fatalf("ParseCertificate() unexpected error: %v, want: %s", err, expectedErr)
+	}
+}