crypto/x509: ParseCertificate fails with "net/url: invalid userinfo"

[dulanshuangqiao]

Go version

go version go1.18.1 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/liu/.cache/go-build"
GOENV="/home/liu/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/liu/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/liu/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.18"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.18/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3649475886=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Use cert, err := x509.ParseCertificate(derBytes) to process the certificate

What did you see happen?

Error message：cannot parse URI "https://1kYj\\[@.cfZGv3T_Tr.D?/zrm3/4WA/Ir}BQ/yR]/0[g?<tX=uR?&K'O={d2}&sG?rLi=<}e>": parse "https://1kYj\\[@.cfZGv3T_Tr.D?/zrm3/4WA/Ir}BQ/yR]/0[g?<tX=uR?&K'O={d2}&sG?rLi=<}e>": net/url: invalid userinfo

What did you expect to see?

The results are different from Openssl and Gnutls. Openssl's openssl x509 -noout -text -in filename and gnutls's certtool -i --infile=filename --inraw successfully viewed the certificate.Both successfully resolved SAN

[gabyhelp]

Related Issues and Documentation

• crypto/x509: invalid certificate policies #65990 (closed)
• crypto/x509: malformed x509 certificate is accepted since 1.17 #51369
• crypto/x509: cannot parse certificate IP & net/http cannot ignore this certificate error #65829 (closed)
• x/crypto: x509: invalid certificate policies #53773 (closed)
• crypto/x509: certificate validation in Windows fails to validate IP in SAN #37176
• crypto/x509: ParseCertificate and ParseCertificates return different errors with a single bad certificate supplied #43113
• crypto/x509: parse SAN DirectoryName #47618 (closed)
• crypto/x509: unable to parse certificate parsable by Java #33259
• crypto/tls: LoadX509KeyPair fails to parse some keys, yet they are accepted by OpenSSL #21807 (closed)
• crypto/x509: Verification of ECDSA signed x509 cert, sanitized to LowS certs fails verification with go 1.19 #54549

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[mateusz834]

This seems to happen here:

go/src/crypto/x509/parser.go

Lines 389 to 397 in 6853d89

	case nameTypeURI:
	uriStr := string(data)
	if err := isIA5String(uriStr); err != nil {
	return errors.New("x509: SAN uniformResourceIdentifier is malformed")
	}
	uri, err := url.Parse(uriStr)
	if err != nil {
	return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err)
	}

And the URL seems to be invalid, see simpler reproducer https://go.dev/play/p/IMYvwnRjF7F

CC @neild (as per https://dev.golang.org/owners for net/url) not sure how to judge that URL. I guess openssl x509 does not validate URLs and just display them, so it works there.

[seankhliao]

See https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6

When the subjectAltName extension contains a URI, the name MUST be
stored in the uniformResourceIdentifier (an IA5String). The name
MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in [RFC3986].

The other tools may be for more general x509 usage, crypto/x509 targets the Web PKI where URIs are more restricted.