Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ocsp: asn1 marshal failed with ocsp #19212

Open
minaevmike opened this issue Feb 21, 2017 · 2 comments

Comments

@minaevmike
Copy link
Contributor

commented Feb 21, 2017

I am not sure that it is bug in go asn1 or it's in x/ocsp

What version of Go are you using (go version)?

i am using go version go1.8 linux/amd64 and go version go1.7.5 linux/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/root/prog/GO"
GORACE=""
GOROOT="/root/tgo/go"
GOTOOLDIR="/root/tgo/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build808732534=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

i am generating ocsp response with golang.org/x/crypto/ocsp witch use asn1 inside. And after upgrading to go1.8 i have this problems.

package main

import (
	"golang.org/x/crypto/ocsp"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"log"
	"crypto/x509"
	"time"
	"math/big"
	"flag"
	"io/ioutil"
	"os"
)

func main() {
	o := flag.String("o", "output.ocsp", "file to save ocsp response")
	flag.Parse()
	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		log.Fatalf("can't crate key: %v", err)
	}
	issuer := &x509.Certificate{
		RawSubjectPublicKeyInfo: []byte{48, 130 ,1 ,34 ,48, 13 ,6 ,9 ,42 ,134 ,72 ,134 ,247 ,13 ,1 ,1 ,1 ,5 ,0 ,3 ,130 ,1 ,15 ,0 ,48 ,130 ,1 ,10 ,2 ,130 ,1 ,1 ,0 ,189 ,125 ,218 ,247 ,195 ,162 ,125 ,131 ,246 ,91 ,130 ,253 ,219 ,91 ,95 ,174 ,30 ,27 ,117 ,192 ,181 ,25 ,175 ,152 ,36 ,172 ,187 ,87 ,121 ,216 ,53 ,236 ,9 ,30 ,124 ,204 ,148 ,27 ,10 ,208 ,118 ,252 ,14 ,110 ,22 ,163 ,113 ,89 ,167 ,41 ,92 ,97 ,173 ,76 ,36 ,100 ,245 ,209 ,3 ,6 ,89 ,162 ,196 ,71 ,124 ,66 ,34 ,228 ,81 ,251 ,199 ,164 ,149 ,255 ,196 ,169 ,230 ,86 ,68 ,186 ,35 ,39 ,188 ,193 ,70 ,216 ,204 ,203 ,3 ,206 ,9 ,233 ,107 ,57 ,79 ,131 ,95 ,93 ,157 ,42 ,159 ,132 ,207 ,130 ,122 ,247 ,95 ,107 ,207 ,85 ,46 ,117 ,51 ,181 ,26 ,246 ,114, 9 ,130 ,127 ,35 ,189 ,58 ,218 ,225 ,236 ,178 ,67 ,60 ,111 ,184 ,15 ,198 ,103 ,2 ,160 ,237 ,84 ,31 ,12 ,41 ,130 ,75 ,233 ,8 ,10 ,201 ,88 ,97 ,104 ,23 ,56 ,203 ,118 ,198 ,91 ,18 ,178 ,92 ,75 ,113 ,237 ,2 ,25 ,100 ,108 ,79 ,193 ,41 ,51 ,43 ,117 ,136 ,55 ,229 ,74 ,53 ,217 ,34 ,193 ,59 ,155 ,91 ,147 ,200 ,118 ,138 ,102 ,202 ,76 ,47 ,34 ,50 ,207 ,169 ,178 ,74 ,239 ,35 ,240 ,21 ,150 ,30 ,144 ,161 ,52 ,215 ,147 ,172 ,91 ,161 ,85 ,250 ,206 ,3 ,32 ,207 ,20 ,149 ,84 ,188 ,166 ,66 ,44 ,160 ,97 ,137 ,180 ,203 ,150 ,140 ,178 ,248 ,182 ,173 ,161 ,97 ,11 ,174 ,55 ,72 ,225 ,175 ,18 ,181 ,150 ,60 ,249 ,210 ,17 ,246 ,222 ,0 ,61 ,113 ,179 ,2 ,3 ,1 ,0, 1},
		RawSubject: []byte{48, 117 ,49 ,11 ,48 ,9 ,6 ,3 ,85 ,4 ,6 ,19 ,2 ,73 ,76 ,49 ,22 ,48 ,20 ,6 ,3 ,85 ,4 ,10 ,19 ,13 ,83 ,116 ,97 ,114 ,116 ,67 ,111 ,109 ,32 ,76 ,116 ,100 ,46 ,49 ,41 ,48 ,39 ,6 ,3 ,85 ,4 ,11 ,19 ,32 ,83 ,116 ,97 ,114 ,116 ,67 ,111 ,109 ,32 ,67 ,101 ,114 ,116 ,105 ,102 ,105 ,99 ,97 ,116 ,105 ,111 ,110 ,32 ,65 ,117 ,116 ,104 ,111 ,114 ,105 ,116 ,121 ,49 ,35 ,48 ,33 ,6 ,3 ,85 ,4 ,3 ,19 ,26 ,83 ,116 ,97 ,114 ,116 ,67 ,111 ,109 ,32 ,67 ,108 ,97 ,115 ,115 ,32 ,49 ,32 ,67 ,108 ,105 ,101 ,110 ,116 ,32 ,67 ,65},
	}
	responder := &x509.Certificate{
		RawSubject:[]byte{48, 84 ,49 ,37 ,48 ,35 ,6 ,3 ,85 ,4 ,3 ,12 ,28 ,99 ,101 ,114 ,116 ,105 ,102 ,105 ,101 ,100 ,95 ,117 ,115 ,101 ,114 ,95 ,48 ,48 ,64 ,115 ,112 ,117 ,116 ,110 ,105 ,107 ,46 ,114 ,117 ,49 ,43 ,48 ,41 ,6 ,9 ,42 ,134 ,72 ,134 ,247 ,13 ,1 ,9 ,1 ,22 ,28 ,99 ,101 ,114 ,116 ,105 ,102 ,105 ,101 ,100 ,95 ,117 ,115 ,101 ,114 ,95 ,48 ,48 ,64 ,115 ,112 ,117 ,116 ,110 ,105 ,107 ,46 ,114 ,117},
	}
	serial := &big.Int{}
	serial.SetInt64(int64(123321))
	temp := ocsp.Response{
		Status:       ocsp.Revoked,
		SerialNumber: serial,
		ThisUpdate:   time.Now().AddDate(0, 0, -1),
		NextUpdate:   time.Now().AddDate(0, 0, 7),
	}
	b, err := ocsp.CreateResponse(issuer, responder, temp, priv)
	if err != nil {
		log.Fatalf("Can't create response: %v", err)
	}
	err = ioutil.WriteFile(*o, b, os.ModeType)
	if err != nil {
		log.Fatalf("Error at writing file: %v", err)
	}
}

when i run this code on go 1.8 i have no errors, but when i am trying to read this response with openssl i have an error

# openssl ocsp -respin output.ocsp -text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
Error parsing response
140378471253656:error:0D07808F:asn1 encoding routines:ASN1_ITEM_EX_D2I:no matching choice type:tasn_dec.c:350:Type=OCSP_CERTSTATUS
140378471253656:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=certStatus, Type=OCSP_SINGLERESP
140378471253656:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:669:Field=responses, Type=OCSP_RESPDATA
140378471253656:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=tbsResponseData, Type=OCSP_BASICRESP
140378471253656:error:0D0C706E:asn1 encoding routines:ASN1_item_unpack:decode error:asn_pack.c:205:
    Response Type: Basic OCSP Response

but if i run same code with go1.7 it works fine and openssl run without errors.

Also i found that if i set remplate.RevocationReason to non zero value it also works good on go1.8

@ALTree ALTree changed the title asn1 marshal failed with ocsp x/crypto/ocsp: asn1 marshal failed with ocsp Feb 21, 2017

@ALTree ALTree added this to the Unreleased milestone Feb 21, 2017

@szank

This comment has been minimized.

Copy link

commented Mar 3, 2017

Revocation time in the template is not set. This is not an optional field.
Now, I can't remember how asn1 package handled zero time value. Maybe it have changed in 1.8

Also, could you please post the ans1 encoded blob (output.ocsp) ? And result of openssl asn1parse -inform DER -i -in output.ocsp
It would be nice to have the blobs from go 1.7 and 1.8, but the 1.8 one should be enough.

@minaevmike

This comment has been minimized.

Copy link
Contributor Author

commented Mar 3, 2017

After i set revocation time to ocsp response template it works fine on 1.8.
go 1.8

# openssl asn1parse -inform DER -i -in output.ocsp 
    0:d=0  hl=4 l= 395 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim:  ENUMERATED        :00
    7:d=1  hl=4 l= 388 cons:  cont [ 0 ]        
   11:d=2  hl=4 l= 384 cons:   SEQUENCE          
   15:d=3  hl=2 l=   9 prim:    OBJECT            :Basic OCSP Response
   26:d=3  hl=4 l= 369 prim:    OCTET STRING      [HEX DUMP]:3082016D3081CFA15630543125302306035504030C1C6365727469666965645F757365725F303040737075746E696B2E7275312B302906092A864886F70D010901161C6365727469666965645F757365725F303040737075746E696B2E7275180F32303137303330333131303930305A30643062303C300906052B0E03021A05000414DF5285CF5D3A227FA6C1DA395A17E2240BC2DD6F041424816C3961BE490F8FB71B462BC928B527486D68020301E1B9180F32303137303330323131303931325AA011180F32303137303331303131303931325A300A06082A8648CE3D04030403818C00308188024200FE9B0ED7D52A401779CCF11087E1E5B37ABCD60F0D0B98B135F04407AC9E762DDBAA7B4A1379C430BC7783BB21945EE39AEA90E92C24D35C8DFB92025B4A19CEE6024201725141D272B823FC1B1C5D3F8C6CC7B1D76A5A8B993D6C31B49CC0098BFE97D1E5E86DBEC68D72EDCA796B96C41A1D7F7E2F55D7C48ED56948256C31A887BA4E1D

go 1.7

# openssl asn1parse -inform DER -i -in go17output.ocsp
    0:d=0  hl=4 l= 413 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim:  ENUMERATED        :00
    7:d=1  hl=4 l= 406 cons:  cont [ 0 ]        
   11:d=2  hl=4 l= 402 cons:   SEQUENCE          
   15:d=3  hl=2 l=   9 prim:    OBJECT            :Basic OCSP Response
   26:d=3  hl=4 l= 387 prim:    OCTET STRING      [HEX DUMP]:3082017F3081E2A15630543125302306035504030C1C6365727469666965645F757365725F303040737075746E696B2E7275312B302906092A864886F70D010901161C6365727469666965645F757365725F303040737075746E696B2E7275180F32303137303330333131313430305A30773075303C300906052B0E03021A05000414DF5285CF5D3A227FA6C1DA395A17E2240BC2DD6F041424816C3961BE490F8FB71B462BC928B527486D68020301E1B9A111180F30303031303130313030303030305A180F32303137303330323131313430335AA011180F32303137303331303131313430335A300A06082A8648CE3D04030403818B003081870241394250CE9E9F60FC2B720923810F700E4041BF23973AD015829FF6E5DAF66F2F68F0BE0CC6A25AA1AA6F78F3FC90FC6791B189EA03F141E32E7F906322F8E6DEFD024200F5A61C7AAAB234DE14E01EDDD4F1230138E68723E479D1B6052357C0064B0AF30A17EC1A68DC0C16ECEC6F265B975F5140D735FD77C2461F18C2F944B6A3428E03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.