encoding/asn1: requiring DER for Boolean is too strict for some certificates #11091
ASN.1 / X.690 has two very different standards for Boolean in BER and DER. BER says
Go 1.4.2 follows the DER rule (see https://github.com/golang/go/blob/master/src/encoding/asn1/asn1.go#L57), with the additional requirement (not stated in the spec) that FALSE is 0x00.
All certificate authorities I have seen generate DER-compliant values. Some tools, though, generate certificates that seem to follow BER here, instead. Here is an example PEM:
This certificate has the value 0x01 for TRUE in the critical extension BasicConstraints. asn1.go throws a syntax error on it and prevents connection to any server using this CA.
OpenSSL's x509 mode, Python, and Java all successfully evaluate this certificate. Checking source for them shows that they are following the more relaxed BER rules for booleans - anything other than a 0 is TRUE. I believe Go should be able to as well.
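To make the difference concrete, here is an added example (not code from the issue or from the Go project) that decodes a single BOOLEAN TLV three ways: a constructed BER-lax decoder, a DER-canonicality check, and Go's own `encoding/asn1`, using the 0x01-for-TRUE encoding described above as constructed sample input.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// X.690: BER (8.2.2) treats any non-zero contents octet as TRUE;
// DER (11.1) requires TRUE to be 0xFF and FALSE to be 0x00.
// A single-octet BOOLEAN TLV is: tag 0x01, length 0x01, one value octet.

// decodeBooleanBER decodes under the relaxed BER rule (helper written for
// this example): any non-zero octet is TRUE.
func decodeBooleanBER(tlv []byte) (bool, error) {
	if len(tlv) != 3 || tlv[0] != 0x01 || tlv[1] != 0x01 {
		return false, errors.New("not a single-octet BOOLEAN TLV")
	}
	return tlv[2] != 0x00, nil
}

// isDERBoolean reports whether the value octet is one of the two
// canonical DER encodings; use it to flag non-DER certificates in a corpus.
func isDERBoolean(tlv []byte) bool {
	if len(tlv) != 3 || tlv[0] != 0x01 || tlv[1] != 0x01 {
		return false
	}
	return tlv[2] == 0x00 || tlv[2] == 0xFF
}

// decodeBooleanGo runs the same bytes through encoding/asn1, which enforces
// DER and returns a syntax error for any octet other than 0x00 or 0xFF.
func decodeBooleanGo(tlv []byte) (bool, error) {
	var v bool
	rest, err := asn1.Unmarshal(tlv, &v)
	if err != nil {
		return false, err
	}
	if len(rest) != 0 {
		return false, errors.New("trailing bytes after BOOLEAN")
	}
	return v, nil
}

func main() {
	// Constructed samples: the 0x01 TRUE from the report, then DER TRUE and FALSE.
	for _, tlv := range [][]byte{{0x01, 0x01, 0x01}, {0x01, 0x01, 0xFF}, {0x01, 0x01, 0x00}} {
		ber, _ := decodeBooleanBER(tlv)
		goVal, goErr := decodeBooleanGo(tlv)
		fmt.Printf("% x  DER-canonical=%v  BER->%v  encoding/asn1->(%v, %v)\n",
			tlv, isDERBoolean(tlv), ber, goVal, goErr)
	}
}
```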
No thanks. We've parsed millions of certificates with Go and this issue hasn't come up before. While I don't doubt that some certificates have encoding bugs, this isn't so prevalent that we should mirror the bug in Go. The fact that OpenSSL is lax is due to its fundamental confusion between DER and BER going back many years. That's something that I'll have to remember to test when we update the certificate building in Chrome.