From 27280d8c14331c1c46cd90206be9f3c924f6b4c4 Mon Sep 17 00:00:00 2001 From: Paschalis Tsilias Date: Wed, 2 Sep 2020 13:44:36 +0300 Subject: [PATCH] crypto/x509: return errors instead of panicking Eliminate a panic in x509.CreateCertificate when passing templates with unknown ExtKeyUsage; return an error instead. Fixes #41169 Change-Id: Ia229d3b0d4a1bdeef05928439d97dab228687b3c Reviewed-on: https://go-review.googlesource.com/c/go/+/252557 Reviewed-by: Roland Shoemaker Reviewed-by: Filippo Valsorda Run-TryBot: Roland Shoemaker TryBot-Result: Go Bot --- src/crypto/x509/x509.go | 3 ++- src/crypto/x509/x509_test.go | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go index 16655a3c70..5fd4f6fa17 100644 --- a/src/crypto/x509/x509.go +++ b/src/crypto/x509/x509.go @@ -1689,7 +1689,8 @@ func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId if oid, ok := oidFromExtKeyUsage(u); ok { oids = append(oids, oid) } else { - panic("internal error") + err = errors.New("x509: unknown extended key usage") + return } } diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go index d0315900e4..6345c3f5ab 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -2754,3 +2754,22 @@ func TestRSAPSAParameters(t *testing.T) { } } } + +func TestUnknownExtKey(t *testing.T) { + const errorContains = "unknown extended key usage" + + template := &Certificate{ + SerialNumber: big.NewInt(10), + DNSNames: []string{"foo"}, + ExtKeyUsage: []ExtKeyUsage{ExtKeyUsage(-1)}, + } + signer, err := rsa.GenerateKey(rand.Reader, 1024) + if err != nil { + t.Errorf("failed to generate key for TestUnknownExtKey") + } + + _, err = CreateCertificate(rand.Reader, template, template, signer.Public(), signer) + if !strings.Contains(err.Error(), errorContains) { + t.Errorf("expected error containing %q, got %s", errorContains, err) + } +} -- 2.51.0