crypto/x509: ParseCertificate returns a certificate with MaxPathLen of -1 if pathLenConstraint is not set #19285

Closed
cyli opened this issue Feb 25, 2017 · 2 comments

cyli commented Feb 25, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

        go version go1.7.4 darwin/amd64

What operating system and processor architecture are you using (go env)?

        GOARCH="amd64"
        GOBIN=""
        GOEXE=""
        GOHOSTARCH="amd64"
        GOHOSTOS="darwin"
        GOOS="darwin"
        GOPATH="/Users/cyli/Go"
        GORACE=""
        GOROOT="/usr/local/Cellar/go/1.7.4/libexec"
        GOTOOLDIR="/usr/local/Cellar/go/1.7.4/libexec/pkg/tool/darwin_amd64"
        CC="clang"
        GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/v9/wzpq8hm56b943960j1qrnblm0000gp/T/go-build860790401=/tmp/go-build -gno-record-gcc-switches -fno-common"
        CXX="clang++"
        CGO_ENABLED="1"

What did you do?

I parsed a CA certificate which did not have pathLenConstraint set: https://play.golang.org/p/lFCQJQPRLh

What did you expect to see?

Given the following comment in https://golang.org/pkg/crypto/x509/#Certificate:

        // MaxPathLenZero indicates that BasicConstraintsValid==true and
        // MaxPathLen==0 should be interpreted as an actual maximum path length
        // of zero. Otherwise, that combination is interpreted as MaxPathLen
        // not being set.

and that RFC5280 4.2.1.9 specifies that the pathLenConstraint must be >= 0, I expected to see MaxPathLen as 0 and MaxPathLenZero as false.

What did you see instead?

MaxPathLen was -1 and MaxPathLenZero was false.

I don't oppose using -1 to indicate that it wasn't set, but comments for MaxPathLen, etc. imply that -1 is not valid. If -1 is a valid value, should the docs be updated and possibly MaxPathLenZero be deprecated?

odeke-em changed the title from "x509.ParseCertificate returns a certificate with a -1 MaxPathLen if pathLenConstraint is not set" to "crypto/x509: ParseCertificate returns a certificate with MaxPathLen of -1 if pathLenConstraint is not set" on Feb 25, 2017
Member

odeke-em commented Feb 25, 2017

/cc @agl


gopherbot commented Jun 19, 2017

CL https://golang.org/cl/46092 mentions this issue.

gopherbot closed this in 3ca8ee1 on Jun 20, 2017
golang locked and limited conversation to collaborators on Jun 20, 2018