encoding/asn1: requiring DER for Boolean is too strict for some certificates #11091

Closed
dtertman opened this issue Jun 5, 2015 · 3 comments
@dtertman dtertman commented Jun 5, 2015

ASN.1 / X.690 has two very different standards for Boolean in BER and DER. BER says

> If the boolean value is TRUE the octet shall have any non-zero value, as a sender's option. (8.2)

and DER says

> If the encoding represents the boolean value TRUE, its single contents octet shall have all eight bits set to one. (11.1)

Go 1.4.2 follows the DER rule (see https://github.com/golang/go/blob/master/src/encoding/asn1/asn1.go#L57), with the additional requirement (not stated in the spec) that FALSE is 0x00.

All certificate authorities I have seen generate DER-compliant values. Some tools, though, generate certificates that seem to follow BER here, instead. Here is an example PEM:

-----BEGIN CERTIFICATE-----
MIIDATCCAemgAwIBAgIQOgJHM+7r/xvxxeliFvXjeDANBgkqhkiG9w0BAQUFADAq
MRMwEQYDVQQKEwpXV0dyYWluZ2VyMRMwEQYDVQQDEwpHcmFpbmdlckNBMB4XDTA5
MTAwNjE5MjYyN1oXDTE0MTAwNjE5MjYyN1owKjETMBEGA1UEChMKV1dHcmFpbmdl
cjETMBEGA1UEAxMKR3JhaW5nZXJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAK9f9Sd0psEPBeu4nbbLMfSoKXz/kEmX2RAQfMTemYs9XK9VtOGI8eSg
dLUoF5XIk0fztiaNdHc7mBsgF4Ji94k804kN171knxCpYP2VVDgDH4q9/lU8ZfnT
lHOWyzTjlq8UwoA56Ss5rBVH/6mHESNgVumSAWpZgWPZjicfwyItXPBePIjZTP0C
iWh4Ay23EHPvVvQiPGzFQXgDtRE6AriQltY7/F+KNvlb/Ha8VI5dgGB2RHRwA2Xx
fLsidCN05G3Jo8RkCjN/Wr3epder32/cjGFrmWk8TfJWxkYew8KX+hbBewNfBsCC
Dmcj3KCkCp1Waee/uw8ATw8cHpRsik0CAwDh3aMjMCEwDgYDVR0PAQH/BAQDAgGG
MA8GA1UdEwEB/wQFMAMBAQEwDQYJKoZIhvcNAQEFBQADggEBAEg2pybpiFgdc7dz
Yku+Pf87cZbKMY6IEFwCIa0t+SUQ2R/gjzoWFJgkGmg0haoCBjD0bO+CROOoS/k0
z+hTvhHQsGIZVExguP9hOzgHEYQFpPPO5pmveJVqP6AD94DCfOFBSPu6F+fmo4Jl
SilbQhZ87SkF0MG3+Js1df1JTm083sCJvGSKD/kmy/8AtCyrTW/e9cYw3TLUdGY7
E230B9A5EcWpzZreO1qBcwuA7hmvhyGDQmz6yx16mgpr23tgMpGVs/JnRiOS+xDV
5rjYnn8DpSc7qr7LoZtfLjZZ/JUyrt4AIx+ZuvUjuNTZN7+IU4l2W5V+wHjuIrRt
A+MgdxE=
-----END CERTIFICATE-----

This certificate has the value 0x01 for TRUE in the critical extension BasicConstraints. asn1.go throws a syntax error on it and prevents connection to any server using this CA.

OpenSSL's x509 mode, Python, and Java all successfully evaluate this certificate. Checking source for them shows that they are following the more relaxed BER rules for booleans - anything other than a 0 is TRUE. I believe Go should be able to as well.
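The following is an added example, not code from the issue reporter or from the Go project. It decodes the BasicConstraints extension value twice: once through `encoding/asn1`, which applies the DER rule and rejects a TRUE octet of `0x01`, and once through a small hand-written TLV reader whose `strict` flag switches between the DER rule (X.690 11.1) and the BER rule (X.690 8.2). The five-byte sample `30 03 01 01 01` is the `cA` field as it appears in the certificate above (SEQUENCE containing a BOOLEAN with content `0x01`); the `0xFF` variant is how a DER encoder would emit the same value. `readTLV` only handles short-form lengths, which is an assumption sufficient for this extension, and `parseBasicConstraints` only accepts one-byte non-negative path lengths.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// Universal tags as they appear in the identifier octet.
const (
	tagBoolean  = 0x01
	tagInteger  = 0x02
	tagSequence = 0x30 // SEQUENCE with the constructed bit set
)

// readTLV splits one tag-length-value element off the front of b.
// Assumption: only short-form lengths (< 128 bytes) are needed here.
func readTLV(b []byte) (tag byte, value, rest []byte, err error) {
	if len(b) < 2 {
		return 0, nil, nil, errors.New("truncated element")
	}
	n := int(b[1])
	if n >= 0x80 {
		return 0, nil, nil, errors.New("long-form length not supported in this example")
	}
	if len(b) < 2+n {
		return 0, nil, nil, errors.New("length exceeds input")
	}
	return b[0], b[2 : 2+n], b[2+n:], nil
}

// decodeBoolean interprets the content octet of a BOOLEAN.
// strict=true is the DER rule enforced by encoding/asn1: TRUE is 0xFF, FALSE is 0x00.
// strict=false is the BER rule the issue asks for: any non-zero octet is TRUE.
func decodeBoolean(content []byte, strict bool) (bool, error) {
	if len(content) != 1 {
		return false, errors.New("boolean must have exactly one content octet")
	}
	v := content[0]
	switch {
	case v == 0x00:
		return false, nil
	case v == 0xFF:
		return true, nil
	case strict:
		return false, fmt.Errorf("boolean octet 0x%02x is not DER (must be 0x00 or 0xFF)", v)
	}
	return true, nil
}

// BasicConstraints mirrors SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
type BasicConstraints struct {
	IsCA       bool
	MaxPathLen int // -1 when pathLenConstraint is absent
}

// parseBasicConstraints decodes the extension value with the hand-written reader,
// applying the DER or BER boolean rule according to strict.
func parseBasicConstraints(in []byte, strict bool) (BasicConstraints, error) {
	bc := BasicConstraints{MaxPathLen: -1}
	tag, body, rest, err := readTLV(in)
	if err != nil {
		return bc, err
	}
	if tag != tagSequence || len(rest) != 0 {
		return bc, errors.New("expected a single SEQUENCE")
	}
	var content []byte
	if len(body) > 0 && body[0] == tagBoolean {
		if _, content, body, err = readTLV(body); err != nil {
			return bc, err
		}
		if bc.IsCA, err = decodeBoolean(content, strict); err != nil {
			return bc, err
		}
	}
	if len(body) > 0 && body[0] == tagInteger {
		if _, content, body, err = readTLV(body); err != nil {
			return bc, err
		}
		if len(content) != 1 || content[0] >= 0x80 { // assumption: small non-negative path lengths only
			return bc, errors.New("unsupported pathLenConstraint encoding")
		}
		bc.MaxPathLen = int(content[0])
	}
	if len(body) != 0 {
		return bc, errors.New("trailing bytes in BasicConstraints")
	}
	return bc, nil
}

// stdlibBasicConstraints runs the same bytes through encoding/asn1, which
// applies the DER rule and therefore reports a syntax error for a 0x01 TRUE.
func stdlibBasicConstraints(in []byte) (BasicConstraints, error) {
	var raw struct {
		IsCA       bool `asn1:"optional"`
		MaxPathLen int  `asn1:"optional,default:-1"`
	}
	if _, err := asn1.Unmarshal(in, &raw); err != nil {
		return BasicConstraints{MaxPathLen: -1}, err
	}
	return BasicConstraints{IsCA: raw.IsCA, MaxPathLen: raw.MaxPathLen}, nil
}

func main() {
	// Constructed samples: the cA field from the certificate in the issue (0x01),
	// and the same structure as a DER encoder would produce it (0xFF).
	berEncoded := []byte{0x30, 0x03, 0x01, 0x01, 0x01}
	derEncoded := []byte{0x30, 0x03, 0x01, 0x01, 0xFF}
	for _, in := range [][]byte{berEncoded, derEncoded} {
		_, stdErr := stdlibBasicConstraints(in)
		lax, laxErr := parseBasicConstraints(in, false)
		fmt.Printf("% x  encoding/asn1 err=%v  BER-tolerant isCA=%v err=%v\n", in, stdErr, lax.IsCA, laxErr)
	}
}
```

Note that the encoder side is not affected: `asn1.Marshal` always writes `0xFF` for TRUE, so the only question is how tolerant the decoder should be of input produced by other tools.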

@bradfitz bradfitz changed the title asn1.go - Requiring DER for Boolean is too strict for some certificates encoding/asn1: requiring DER for Boolean is too strict for some certificates Jun 5, 2015
@bradfitz bradfitz added this to the Go1.5Maybe milestone Jun 5, 2015
@dtertman dtertman commented Jun 8, 2015

@gopherbot gopherbot commented Jun 8, 2015

CL https://golang.org/cl/10802 mentions this issue.

@agl agl commented Jun 8, 2015

No thanks. We've parsed millions of certificates with Go and this issue hasn't come up before. While I don't doubt that some certificates have encoding bugs, this isn't so prevalent that we should mirror the bug in Go. The fact that OpenSSL is lax is due to its fundamental confusion between DER and BER going back many years. That's something that I'll have to remember to test when we update the certificate building in Chrome.

@agl agl closed this Jun 8, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016