crypto/x509: invalid certificate policies #65990

Closed
fancycode opened this issue Feb 28, 2024 · 2 comments
Comments

@fancycode
Go version

go1.22.0 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/user/.cache/go-build'
GOENV='/home/user/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/user/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/user/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/user/devel/go-1.22'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/user/devel/go-1.22/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.0'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD=''
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2225582694=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Test program:

package main

import (
	"crypto/x509"
	"log"
	"os"
)

func main() {
	data, err := os.ReadFile("cert.crt")
	if err != nil {
		log.Fatal(err)
	}

	crt, err := x509.ParseCertificate(data)
	if err != nil {
		log.Fatal(err)
	}

	log.Printf("Certificate: %s", crt.Subject)
}

Sample certificate (uncompress with gunzip):
cert.crt.gz

Run:

go run test.go

What did you see happen?

2024/02/28 11:40:48 x509: invalid certificate policies
exit status 1

Decoding with openssl works:

openssl x509 -in cert.crt -inform der -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7c:6d:cd:78:18:4a:91:c6:05:9b:b7:24:55:38:d5:36
...

What did you expect to see?

2024/02/28 11:40:48 Certificate: <the-subject-of-the-certificate>
@mateusz834
Member

mateusz834 commented Feb 28, 2024

It looks like a badly encoded certificate; this error is returned from this branch:

if !der.ReadASN1(&cp, cryptobyte_asn1.SEQUENCE) || !cp.ReadASN1(&OIDBytes, cryptobyte_asn1.OBJECT_IDENTIFIER) {
	return nil, errors.New("x509: invalid certificate policies")
}

mateusz834 closed this as not planned on Feb 28, 2024
mateusz834 reopened this on Feb 28, 2024
@mateusz834
Member

mateusz834 commented Feb 28, 2024

Yep, it is badly encoded; it hits this case:

https://github.com/golang/crypto/blob/0aab8d07aefab378c763e8f36aa007544a862aa9/cryptobyte/asn1.go#L800-L802

The last ObjectIdentifier has the length encoded using two bytes, but it should be encoded with one byte.

30810e060c2b0601040181e82d01010b01
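To show why cryptobyte rejects those bytes, here is an added example (not code from the issue or from the Go project): a hand-written version of the DER rule that a length below 128 must use the one-byte short form, applied to the quoted PolicyInformation element, followed by a stdlib encoding/asn1 decode of the policy OID. The function names are my own, the first sample is the hex quoted above, and the second is the same element re-encoded with the minimal length (30 0e) so that it parses.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// derLengthErr checks the length octets at the start of b (must be non-empty)
// the way cryptobyte's readASN1 does: lengths below 128 must use the short form.
func derLengthErr(b []byte) error {
	if b[0] < 0x80 {
		return nil // short form: one byte, always minimal
	}
	n := int(b[0] & 0x7f)
	if n == 0 || n > 4 || len(b) < 1+n {
		return fmt.Errorf("indefinite, oversized or truncated length")
	}
	length := 0
	for _, c := range b[1 : 1+n] {
		length = length<<8 | int(c)
	}
	if length < 0x80 {
		return fmt.Errorf("non-minimal length: %d encoded in %d bytes, short form required", length, n+1)
	}
	return nil
}

// policyOID applies that check to the outer PolicyInformation SEQUENCE, then lets
// encoding/asn1 decode the policy OID (policy qualifiers are not modelled here).
func policyOID(hexDER string) (string, error) {
	der, err := hex.DecodeString(hexDER)
	if err != nil || len(der) < 2 || der[0] != 0x30 {
		return "", fmt.Errorf("not a hex-encoded SEQUENCE")
	}
	if err := derLengthErr(der[1:]); err != nil {
		return "", err
	}
	var pi struct{ PolicyIdentifier asn1.ObjectIdentifier }
	if rest, err := asn1.Unmarshal(der, &pi); err != nil || len(rest) != 0 {
		return "", fmt.Errorf("asn1: %v (%d trailing bytes)", err, len(rest))
	}
	return pi.PolicyIdentifier.String(), nil
}

func main() {
	fmt.Println(policyOID("30810e060c2b0601040181e82d01010b01")) // constructed from the issue: two-byte length
	fmt.Println(policyOID("300e060c2b0601040181e82d01010b01"))   // same element with DER's one-byte length
}
```

The first call fails with the non-minimal length error before any OID is read, which is the same condition that makes x509.ParseCertificate report "invalid certificate policies"; the second yields the policy OID 1.3.6.1.4.1.29741.1.1.11.1.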
