Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

encoding/asn1: correctly rejects @ char in PrintableString in invalid cert #12767

Closed
abelino opened this issue Sep 28, 2015 · 7 comments
Closed

encoding/asn1: correctly rejects @ char in PrintableString in invalid cert #12767

abelino opened this issue Sep 28, 2015 · 7 comments

Comments

@abelino
Copy link

@abelino abelino commented Sep 28, 2015

I am currently working on porting an internal https based service that uses client certificates to establish secure connections and am running into problems where the client certificate fails to be parsed by tls.X509KeyPair(cert, key) because the char @ is used in the client certificate... With current master, X509KeyPair returns error PrintableString contains invalid character

Quick fix: (asn1.go isPrintable func)

b == '*' ||
b == '@'

But not sure how well this will be accepted. Please advice. Thanks.

@davecheney
Copy link
Contributor

@davecheney davecheney commented Sep 28, 2015

ASN1 PrintableStrings must not contain @, https://en.wikipedia.org/wiki/PrintableString.

Can you please explain more about your problem, preferably showing code or a failing test case.

@abelino
Copy link
Author

@abelino abelino commented Sep 28, 2015

The client certificate I was given to use has a @ in the PRINTABLESTRING :commonName

e.g.

(output from openssl asn1parse -in client_cert.pem)

  367:d=3  hl=2 l=  32 cons: SET               
  369:d=4  hl=2 l=  30 cons: SEQUENCE          
  371:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  376:d=5  hl=2 l=  23 prim: PRINTABLESTRING   :BLAH BLAH @US SOFT CA v3

^^ Not sure how in the world that got in there.

@abelino
Copy link
Author

@abelino abelino commented Sep 28, 2015

It's interesting how other libs and langs handle this ugly issue gracefully. I've tried: curl, objective-c, nodejs, php, and openssl s_client and they all seem to be parsing the the cert without strictly validating the strings. I can easily change the encoding type in the binary blob from 0x13 to 0x0c but that will change the cert signature and decryption of data will fail at a later point. Any ideas?

@davecheney
Copy link
Contributor

@davecheney davecheney commented Sep 28, 2015

I think the go behaviour is correct, and arguments that other languages don't validate don't really feel appropriate where security is involved.

/cc @agl

@abelino
Copy link
Author

@abelino abelino commented Sep 28, 2015

I totally agree.

@rsc
Copy link
Contributor

@rsc rsc commented Oct 23, 2015

Can you get a valid certificate?

In general we don't want to cater to all possible ways a certificate might be broken. If this kind of thing is endemic in the wild then we might make an exception, but if it's just a one-time mistake, it's not appropriate for the Go standard library to sanction it.

It sounds like you know a workaround (recompile your version of Go).

Unless there is evidence this kind of problem affects many many users, I think we'll stick with spec compatibility.

@rsc rsc changed the title asn1.go `isPrintable` func does not play well with `@` char encoding/asn1: correctly rejects @ char in PrintableString in invalid cert Oct 23, 2015
@rsc rsc closed this Oct 23, 2015
@abelino
Copy link
Author

@abelino abelino commented Oct 30, 2015

Unfortunately, I can't get a valid certificate 😒 But anyways, deff stick with spec compatibility... I don't expect an exception for a single anomaly. Thanks for the support.

@golang golang locked and limited conversation to collaborators Nov 4, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.