Commit
crypto/x509: parse all names in an RDN.

The Subject and Issuer names in a certificate look like they should be a list of key-value pairs. However, they're actually a list of lists of key-value pairs. Previously we only looked at the first element of each sublist and the vast majority of certificates only have one element per sublist. However, it's possible to have multiple elements and some 360 certificates from the “Pilot” log are so constructed. This change causes all elements of the sublists to be processed.

Fixes #16836.

Change-Id: Ie0a5159135b08226ec517fcf251aa17aada37857
Reviewed-on: https://go-review.googlesource.com/30810
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Showing 2 changed files with 81 additions and 27 deletions.
809a1de
@agl While this code successfully parses a multi-value RDN, it strips the set grouping. That is, ToRDNSequence after parsing such a certificate will not result in a multi-value RDN.
Without a breaking change to pkix.Name or the introduction of new fields/methods, I do not see an obvious way to preserve the multi-value nature of the RDN.
While multi-valued RDNs may not be common, they are clearly part of the RDN standard in RFC 5280, not erroneous certificate constructions like Bug #16836 seems to suggest.
If you decide to keep the parsing logic, I would at least add a note documenting the loss of information about the multi-value nature of an RDN.
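The "list of lists" structure from the commit message and the loss of SET grouping raised in the comment above, as an added Go example that is not code from the Go project or this commit; the OU/CN subject is a constructed sample and the helper names (Shape, MultiValueSubject, RoundTrip) are mine.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Shape lists the attribute count of each RDN: [2] is one RDN holding two attributes, [1 1] is two single-attribute RDNs.
func Shape(seq pkix.RDNSequence) []int {
	counts := make([]int, 0, len(seq))
	for _, rdn := range seq {
		counts = append(counts, len(rdn))
	}
	return counts
}

// MultiValueSubject is a constructed sample: one RDN whose SET holds two attributes (OU and CN), as RFC 5280 permits.
func MultiValueSubject() pkix.RDNSequence {
	return pkix.RDNSequence{pkix.RelativeDistinguishedNameSET{
		{Type: asn1.ObjectIdentifier{2, 5, 4, 11}, Value: "Engineering"}, // OU
		{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "example.test"}, // CN
	}}
}

// RoundTrip DER-encodes the subject, decodes it into an RDNSequence the way crypto/x509 does,
// fills a pkix.Name from it and converts back. Every attribute is read, but the SET grouping is not kept.
func RoundTrip(subject pkix.RDNSequence) (before, after []int, name pkix.Name, err error) {
	der, err := asn1.Marshal(subject)
	if err != nil {
		return nil, nil, name, err
	}
	var decoded pkix.RDNSequence
	if rest, err := asn1.Unmarshal(der, &decoded); err != nil || len(rest) != 0 {
		return nil, nil, name, fmt.Errorf("bad RDNSequence: %v (%d trailing bytes)", err, len(rest))
	}
	name.FillFromRDNSequence(&decoded)
	return Shape(decoded), Shape(name.ToRDNSequence()), name, nil
}

func main() {
	before, after, name, err := RoundTrip(MultiValueSubject())
	if err != nil {
		panic(err)
	}
	fmt.Printf("parsed shape %v (OU=%v CN=%q); ToRDNSequence shape %v: the two-attribute SET came back as two RDNs\n",
		before, name.OrganizationalUnit, name.CommonName, after)
}
```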