Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: CommonName truncated at slash #15256

Closed
huang195 opened this issue Apr 12, 2016 · 7 comments
Closed

crypto/x509: CommonName truncated at slash #15256

huang195 opened this issue Apr 12, 2016 · 7 comments

Comments

@huang195
Copy link

@huang195 huang195 commented Apr 12, 2016

Please answer these questions before submitting your issue. Thanks!

  1. What version of Go are you using (go version)?
    go version go1.5 linux/amd64
  2. What operating system and processor architecture are you using (go env)?
    GOARCH="amd64"
    GOHOSTOS="linux"
  3. What did you do?
    I created a client certificate with CN field set to "test/abc=1234"
  4. What did you expect to see?
    chains, _ := mycert.Verify(options)
    cn := chains[0].Subject.CommonName
    , where mycert is the certificate I created in the above step. I was expecting cn to be set to "test/abc=1234"
  5. What did you see instead?
    cn was actually set to "test". I lost the trailing part.
    However, if I do a openssl x509 -in mycert -text, I can see the CN field is properly set to "test/abc=1234"
@bradfitz bradfitz changed the title crypto/x509 crypto/x509: CommonName truncated at slash Apr 12, 2016
@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Apr 12, 2016

Please provide a complete program demonstrating the problem.

Also, please include the OpenSSL cert as well.

@bradfitz bradfitz added this to the Unplanned milestone Apr 12, 2016
@huang195
Copy link
Author

@huang195 huang195 commented Apr 15, 2016

Having some machine problems. Will report back in a few.

@huang195
Copy link
Author

@huang195 huang195 commented Apr 21, 2016

package main

import (
    "crypto/x509"
    "encoding/pem"
    "fmt"
)

const (
    rootPEM = `-----BEGIN CERTIFICATE-----
MIIFAzCCAuugAwIBAgIJAKz32tiViz0mMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
BAMMDWt1YmVybmV0ZXMtY2EwHhcNMTYwNDEyMTczMDUzWhcNNDMwODI5MTczMDUz
WjAYMRYwFAYDVQQDDA1rdWJlcm5ldGVzLWNhMIICIjANBgkqhkiG9w0BAQEFAAOC
Ag8AMIICCgKCAgEAy9lt2HQuLwO/r1aAI8JiucwHnJpKFKWbkkXHMvwVkX0xXAGZ
TKYWK7sUb/EppkI646Dioj3/Prs55XTXL8j7TXzAhZt8cb/+iztxRs1BsPZVE1KS
BgYEoViu1304T0LBnSPF1B3+2Y+9TpfSFA5Xjww3901xqrfHWAiV1pqJCX9IeqUA
War2aKWSz2Gd1mDlTST9BLp3eQJizR9XYIsudb2nvDj4IRfRg4yOJ4ObD02qv3sr
X90DUTbsD2FJYGHUF5XClyjTW9cazVwEsDa3qw6yfAJxoOhQ26vaZP1AiuIvnFXX
N+nQ+5i6u9qe+67L/ycbDXQrkHm5s8yhsAUxbvvYOITKa5P0fj+1B9cRKDO20hVl
NR6gHguQF4EHTOMdroH0XGzHsGT6S9WGrdpUcVk6j8WWZzquPednli2tDr8iYpbY
75n20APp23/rBWLcz+7PB2S/CRa9UlEWQI2lyOYbSb011sMuQ7ifxomU0qe5MpFH
SN1gmQkuTaFMA81lQMLWr4/bFYs+mS7c84zOpeGKLU6xa41kw2fEnBvplAkgGdQu
AmSNfPUwdHqRDa7hL31gxGsHn6IefOQFaX6hUu8QQmdz5QMDpFdPQCdmkf2dQX2p
C3R5rrAqrmybxHhOei1SFbQFIbwFsuuu63Bv7tu/HbCBXznwFPKodTLuUiMCAwEA
AaNQME4wHQYDVR0OBBYEFA01sBq/HwalGXUiPuze2ps2zZ/GMB8GA1UdIwQYMBaA
FA01sBq/HwalGXUiPuze2ps2zZ/GMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggIBAG2xfevRdJTq/bPCnuN+Zifz3OBnXRkYfaeRvjnItqG0pdk0kJU/zE1d
6crPDXqo2/gUkR2XVRqT+cqvcB5Zb4LvfKFU86uQdIhxmsEwM2WG2ZCyaJJhbUaO
3AgWP6NvvwIkpNBAheyfS9Ur84I2uEjmaZ/JKy7VPxWVCrMp2angF8SkJLBnIaqe
WsfHsAbYqPRdQVAycvhzSiwpt2uke6D+PXaVJzIVHLuOm0ASh/CmFl5BJPtMNHIG
Vw7AcDilSLZtXVKS2CU+nKiFzRAFMCCIBMMNWGfxfB6f5yXc4FxpLNLcFZRhlzqT
ftdVtgYb6aLsij/SKYX+BucdtM2RoF2Z+BbrK38PUVmcJkqwTunh2/xJYz2P3jHv
wXSGFa00WOsp482OwA565i6MK6NE8NeTlKOoPWq9tu45UblwIlpUr3bkB38BEJiI
wue5kyUn0qbR2z5Pv7evqwpG+dbra9kGUXd/3kbbSclyruq1VzFHgtczNdzr+tSA
M8P1Peh+GK4DtTtOcNhG5Qw8ZWvKpNhzdMpqsNeeVPdT2U/wPYdSFDI4iU1qK2Tk
eNJ+g1CBCzMqfLPj/71SA0f1w7CkVw/M8+NEhSB9B69ONlzsa79Q2Ww/4eWXB5iC
ktOtUpQojpzkO7+zgUzIWtTYgn8cOPwss5ddN95JzDKtEskl11+n
-----END CERTIFICATE-----`

    certPEM = `-----BEGIN CERTIFICATE-----
MIIFBDCCAuygAwIBAgIJALkqNYr4cRp7MA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
BAMMDWt1YmVybmV0ZXMtY2EwHhcNMTYwNDEyMTczMTAwWhcNMjAwNTIxMTczMTAw
WjBSMQ8wDQYDVQQDDAZjbGllbnQxPzA9BgkqhkiG9w0BCQEWMGRlOWM1ZWMxYzRh
ZjJkOWJkYmJlZmNiYzcxMzRmOTAzMmUzYjVkYjg4YmVhNTZhMzCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAO7wJiK0BddedeKg2gjExTfzloPmae+0us7s
MPIsRtVzmXLCjj2iTmv/+12hYbGruX6F5owUW9ugOwChLZLhc2zRuau83GSEstCU
sK/qbmPWX+3l18rxUvNE9QFy15AelTzDzy3DfV4dhJhO5kc4Hd3O20ZeKevnBgPb
Ztngo9nxNthiXT1RQpLOmSjUdPK3uwKwF1+rKqCmBJLumghdzLUNgzIaN97u60jz
+mTW43dfCq99ggofL654x6jWGyRNreQODSAbwF0d50YAabIjgObvRm3zWYijlGf/
Nl+Y3OtlRj/gHnXbJ/L1uDjtlFpk6Zgn+/x3+KQ+5YPpI/JmbfoOPYjhce7pft8J
5Q7fG9BTsTw/fubIf3FCj/yKZrqkySBzR+/TvRGukH8bDaDZDX7yXcL7LG1uwssZ
5ByhPUHrfEQU/Pa2W7xKUY685rWAocOY9DY2g5eusBsG1kYc+CorfDew44B1KeU/
YQywap2Iw5RB1tSAK/JO/ckzEYBEBhV+o1M/PtDg/1511LyBy3mx3KroyAE5Ipee
aeJABllP02mDmj6mnWQ3Z6+LAmPThSCBZDdwLAaQOiwvqa1XJ7pcXJ5l5iS/kLIL
FDbAdxhcrStLdtsvW7KqLBBAkzA7qL47HUDU0d2MtaP5HeED0HIa1dqEwo+78ye8
XcmxsqtzAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB
CwUAA4ICAQCQD4txBFLvpKoaYYOvUlYgQqTbuxE0bR+ACqZMAIGDM9O6+WAxnKss
90Y1NtMLHkAtO8V8ShepH8Xx1opKBsPHgEGsQuUgufdY1Cvqc0S3tG45VJqfj0qw
wX8VeKTlF9p33Anr2OGCDl+6fBiOrdSrayV0Az405ZK7GU1ReKlcGL0Ako/QMBOM
n1EUGnnGg+YPQK0x120TRUElxY7GmAXl6qiG9PFecC8ZrCeZQu/KohwfSz3r5+lJ
o2XFRfOrhqVXpWJn76/qEeFZPt6s6hUxK7/SePKtDFmkbViF9FF0m7OJgWRCXB6j
yVkz/Yd975psziOXSdSRSo6LsfQPh7QEL8Va33sm7SWgESgCFummQm/xcqxhPPs1
9QKf7jMB8blRXnDNaoZxAOH7Kx7WShDJcc6vc2JRI7sm2+RmdXIh41Wbg/TnCOHB
YqLxnTcsc6/SnnJRNl+VGNvNnjHjvUPYx6r9iWm5il17PBi3mUioT2KByKyDOTc1
yzE3hgzibIxEoDTQSlyxngoNuCHRf09zvOD/Ayd3ATqEYdHG2IO2wxGzDEyHCmt2
9uMheuBFrYEjQ1PWGfvr02Zuqm+K2jVPIZRF4UT0zz5td2R3Hjdnjf3xgIRrF1xZ
5Fo3w92ReqSYLRAXE/1vSyUusn11vc4DsODvfB8Z8hEZQhanbjI9ag==
-----END CERTIFICATE-----`
)

func main() {
    roots := x509.NewCertPool()
    ok := roots.AppendCertsFromPEM([]byte(rootPEM))
    if !ok {
        panic("failed to parse root cert")
    }

    block, _ := pem.Decode([]byte(certPEM))
    if block == nil {
        panic("failed to parse cert")
    }

    cert, err := x509.ParseCertificate(block.Bytes)
    if err != nil {
        panic("failed to parse cert: " + err.Error())
    }

    opts := x509.VerifyOptions{
        KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
        Roots:     roots,
    }

    chains, err := cert.Verify(opts)
    if err != nil {
        panic("failed to verify cert: " + err.Error())
    }

    for _, chain := range chains {
        fmt.Printf("%+v\n", chain[0].Subject.CommonName)
    }
}
@huang195
Copy link
Author

@huang195 huang195 commented Apr 21, 2016

@bradfitz sorry for the long delay. Finally got my machine back. Here's the sample code I was using. If you use openssl to check the CommonName of certPEM, you will see it properly reports it as client/emailAddress=de9c5ec1c4af2d9bdbbefcbc7134f9032e3b5db88bea56a3. However, the code is only reporting the CommonName as client and throws away the rest. Let me know if you are having any problems reproducing this problem.

@szank
Copy link

@szank szank commented Apr 29, 2016

The common name in the certPEM is 'client'. Please don't confuse what is printed by openssl with the actual structure of the certificate.
openssl asn1parse -in cert.PEM

  0:d=0  hl=4 l=1284 cons: SEQUENCE          
    4:d=1  hl=4 l= 748 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   9 prim: INTEGER           :B92A358AF8711A7B
   24:d=2  hl=2 l=  13 cons: SEQUENCE          
   26:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   37:d=3  hl=2 l=   0 prim: NULL              
   39:d=2  hl=2 l=  24 cons: SEQUENCE          
   41:d=3  hl=2 l=  22 cons: SET               
   43:d=4  hl=2 l=  20 cons: SEQUENCE          
   45:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   50:d=5  hl=2 l=  13 prim: UTF8STRING        :kubernetes-ca
   65:d=2  hl=2 l=  30 cons: SEQUENCE          
   67:d=3  hl=2 l=  13 prim: UTCTIME           :160412173100Z
   82:d=3  hl=2 l=  13 prim: UTCTIME           :200521173100Z
   97:d=2  hl=2 l=  82 cons: SEQUENCE          
   99:d=3  hl=2 l=  15 cons: SET               
  101:d=4  hl=2 l=  13 cons: SEQUENCE          
  103:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  108:d=5  hl=2 l=   6 prim: UTF8STRING        :client
  116:d=3  hl=2 l=  63 cons: SET               
  118:d=4  hl=2 l=  61 cons: SEQUENCE          
  120:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  131:d=5  hl=2 l=  48 prim: IA5STRING         :de9c5ec1c4af2d9bdbbefcbc7134f9032e3b5db88bea56a3
  181:d=2  hl=4 l= 546 cons: SEQUENCE          
  185:d=3  hl=2 l=  13 cons: SEQUENCE          
  187:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  198:d=4  hl=2 l=   0 prim: NULL              
  200:d=3  hl=4 l= 527 prim: BIT STRING        
  731:d=2  hl=2 l=  23 cons: cont [ 3 ]        
  733:d=3  hl=2 l=  21 cons: SEQUENCE          
  735:d=4  hl=2 l=  19 cons: SEQUENCE          
  737:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
  742:d=5  hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300A06082B06010505070302
  756:d=1  hl=2 l=  13 cons: SEQUENCE          
  758:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  769:d=2  hl=2 l=   0 prim: NULL              
  771:d=1  hl=4 l= 513 prim: BIT STRING

Common name and email address are separate SEQUENCE instances. The email address value should be found in the certificate. Subject.Names slice, with the corresponding oid 1.2.840.113549.1.9.1 if I remember correctly.

@huang195
Copy link
Author

@huang195 huang195 commented Apr 29, 2016

@szank You're right about the oid of the emailAddress. Is that oid defined somewhere as a constant that's more human readable so that I can use in the code that says "when this sequence is an emailAddress, extract its value".

@huang195
Copy link
Author

@huang195 huang195 commented Apr 29, 2016

OK, I just resorted to creating a []int{...} as emailAddressOID. I'm sure there's a better way than this, but this gets me over the problem for now. Closing it as this is not a problem with the x509 package.

@huang195 huang195 closed this Apr 29, 2016
@golang golang locked and limited conversation to collaborators Apr 29, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.