crypto/x509: ParseCertificate error: PrintableString contains invalid character #21339

Closed
tonyjt opened this issue Aug 8, 2017 · 18 comments

@tonyjt tonyjt commented Aug 8, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.8

What operating system and processor architecture are you using (go env)?

mac

What did you do?

parse certificate

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.

https://play.golang.org/p/txkxbM56OI

What did you expect to see?

parse certificate success

What did you see instead?

asn1: syntax error: PrintableString contains invalid character

@tonyjt tonyjt commented Aug 8, 2017

The certificate can be parsed in PHP...

```go
// isPrintable reports whether the given b is in the ASN.1 PrintableString set.
func isPrintable(b byte) bool {
	bb := 'a' <= b && b <= 'z' ||
		'A' <= b && b <= 'Z' ||
		'0' <= b && b <= '9' ||
		'\'' <= b && b <= ')' ||
		'+' <= b && b <= '/' ||
		b == ' ' ||
		b == ':' ||
		b == '=' ||
		b == '?' ||
		// This is technically not allowed in a PrintableString.
		// However, x509 certificates with wildcard strings don't
		// always use the correct string type so we permit it.
		b == '*' ||
		// clone the asn1 and x509 packages and add this line to fix the issue
		b == 180 || b == 243 || b == 193 || b == 172 || b == 181 || b == 231 || b == 208 || b == 197
	return bb
}
```

@davecheney davecheney commented Aug 8, 2017

[Image: screen shot 2017-08-08 at 19 05 47]

An online certificate decoder suggests that the organisation name is not a valid PrintableString. A PrintableString may only contain certain characters, https://en.wikipedia.org/wiki/PrintableString, no Big-5, Punycode, or UTF-8.

How did you generate this certificate?

@tonyjt tonyjt changed the title from "x509t.ParseCertificate error: PrintableString contains invalid character" to "x509.ParseCertificate error: PrintableString contains invalid character" Aug 8, 2017
@tonyjt tonyjt commented Aug 8, 2017

Not my certificate... I can't change it

@davecheney davecheney commented Aug 8, 2017

I'm sorry, this certificate is not valid. Some implementations may accept it, but Go's strict implementation will not accept it.

@davecheney davecheney commented Aug 8, 2017

Which device or manufacturer generated this certificate? /cc @agl

@tonyjt tonyjt commented Aug 8, 2017

I know it contains gbk characters, but the certificate is generated by another company...

@davecheney davecheney commented Aug 8, 2017

It was also generated 16 years ago, and expired 14 years ago. It's not valid even if it could be parsed.

@tonyjt tonyjt commented Aug 8, 2017

............

@davecheney davecheney commented Aug 8, 2017

@tonyjt I'm just trying to help, mate. Please be mindful that there is a live human on the other side of this discussion. I appreciate you are frustrated, but as a volunteer, it is not appropriate to direct that frustration at others.

@tonyjt tonyjt commented Aug 8, 2017

I ask them to regenerate the certificate, but they say no...

@tonyjt tonyjt commented Aug 8, 2017

Looks like cloning the asn1 and x509 packages is the only solution for me; I appreciate your help.

@davecheney davecheney commented Aug 8, 2017

Why won't they regenerate the certificate? It expired 14 years ago.

@mvdan mvdan commented Aug 8, 2017

I went to have a look at the RFC: https://www.ietf.org/rfc/rfc5280.txt

At page 113, it seems to say that X520OrganizationName can be any valid utf-8 string, unless I'm reading it wrong:

```
X520OrganizationName ::= CHOICE {
      teletexString     TeletexString
                          (SIZE (1..ub-organization-name)),
      printableString   PrintableString
                          (SIZE (1..ub-organization-name)),
      universalString   UniversalString
                          (SIZE (1..ub-organization-name)),
      utf8String        UTF8String
                          (SIZE (1..ub-organization-name)),
      bmpString         BMPString
                          (SIZE (1..ub-organization-name))  }
```

@davecheney davecheney commented Aug 8, 2017

Correct, but their certificate indicates that this is a PrintableString. They could choose to use another encoding, but they chose PrintableString.
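
Added example, not part of the thread and not code from the Go project: a way to find which field is tagged PrintableString but carries bytes outside the set, without patching `isPrintable`. It walks the DER with `asn1.RawValue`, which records tag and contents without validating them. The names `FindBadPrintable`, `Finding`, `printable` and `sample` are made up for this example, and the sample bytes are constructed, not taken from the reporter's certificate.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"strings"
)

// printable is the set accepted by the isPrintable quoted in the thread ('*' included).
const printable = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '()+,-./:=?*"

type Finding struct{ Value, Bad []byte } // raw string contents; offending bytes

// FindBadPrintable walks DER and reports each PrintableString (tag 19) with bytes outside the set.
func FindBadPrintable(der []byte) (out []Finding, err error) {
	for len(der) > 0 {
		var rv asn1.RawValue // captures tag and contents without charset checks
		if der, err = asn1.Unmarshal(der, &rv); err != nil {
			return nil, err
		}
		if rv.IsCompound {
			inner, err := FindBadPrintable(rv.Bytes)
			if err != nil {
				return nil, err
			}
			out = append(out, inner...)
		} else if rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagPrintableString {
			f := Finding{Value: rv.Bytes}
			for _, b := range rv.Bytes {
				if strings.IndexByte(printable, b) < 0 {
					f.Bad = append(f.Bad, b)
				}
			}
			if f.Bad != nil {
				out = append(out, f)
			}
		}
	}
	return out, nil
}

// sample is constructed: a Name whose O (2.5.4.10) holds two non-ASCII bytes; its CN is clean.
var sample = []byte{0x30, 0x21,
	0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x04, 'A', 'B', 0xb5, 0xe7,
	0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x07, 'o', 'k', '.', 't', 'e', 's', 't'}

func main() {
	fmt.Println(FindBadPrintable(sample))
}
```

Passing the bytes of a decoded PEM block to `FindBadPrintable` applies the same check to a whole certificate.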

@davecheney davecheney commented Aug 8, 2017

Why won't they regenerate the certificate? What use is a certificate that expired 14 years ago, even if you could decode it, you'd have to tell the TLS package to ignore the fact it is expired. At that point, why use a certificate at all?

@tonyjt tonyjt commented Aug 8, 2017

I don't know, maybe they think it works in Java and PHP...

@mvdan mvdan commented Aug 8, 2017

I can't see a bug here. If you're asking that the parser be more lenient, other saner cases would break; programs relying on the parser erroring on invalid certificates of this kind, for example.

Is there a good reason to consider this change, other than "it makes my program work with an old certificate whose issuer won't fix it"?

@mvdan mvdan added the WaitingForInfo label Aug 9, 2017
@mvdan mvdan changed the title from "x509.ParseCertificate error: PrintableString contains invalid character" to "crypto/x509: ParseCertificate error: PrintableString contains invalid character" Aug 9, 2017

@gopherbot gopherbot commented Sep 9, 2017

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@gopherbot gopherbot closed this Sep 9, 2017
@golang golang locked and limited conversation to collaborators Sep 9, 2018