crypto/x509: CreateCertificate should mark SubjectAltName as critical iff Subject is empty #22249

Closed
optnfast opened this issue Oct 13, 2017 · 2 comments

@optnfast optnfast commented Oct 13, 2017

What version of Go are you using (go version)?

go version go1.9.1 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/rjk/go"
GORACE=""
GOROOT="/usr/local/go-1.9.1"
GOTOOLDIR="/usr/local/go-1.9.1/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build715387515=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

RFC5280 4.2.1.6 requires: "If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical."

x509.CreateCertificate fails to mark subjectAltName as critical in this case.

https://play.golang.org/p/8BeKYea_77 exercises the bug.

What did you expect to see?

Certificate generated with empty Subject and SubjectAltName marked critical, test program ran to completion.

What did you see instead?

Certificate generated with empty Subject and SubjectAltName NOT marked critical, test program panics.

@odeke-em odeke-em changed the title from "x509.CreateCertificate should mark SubjectAltName as critical iff Subject is empty" to "crypto/x509: CreateCertificate should mark SubjectAltName as critical iff Subject is empty" Oct 13, 2017

@odeke-em odeke-em commented Oct 13, 2017

@agl agl self-assigned this Oct 13, 2017

@gopherbot gopherbot commented Oct 13, 2017

Change https://golang.org/cl/70852 mentions this issue: crypto/x509: always emit a critical SAN extension if the Subject is empty.

@gopherbot gopherbot closed this in 3a395e2 Nov 17, 2017
@golang golang locked and limited conversation to collaborators Nov 17, 2018
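
The RFC 5280 4.2.1.6 rule quoted in this issue can be checked on any parsed certificate. The following is an added example, not code from the issue, the linked playground program, or the Go project; `CheckEmptySubjectSAN`, `selfSigned` and the name `example.test` are hypothetical names chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CheckEmptySubjectSAN applies RFC 5280 4.2.1.6: a certificate whose subject is
// an empty SEQUENCE must carry a subjectAltName extension marked critical.
func CheckEmptySubjectSAN(c *x509.Certificate) error {
	if string(c.RawSubject) != "\x30\x00" { // DER encoding of an empty SEQUENCE
		return nil // non-empty subject: the rule does not apply
	}
	for _, ext := range c.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) && ext.Critical { // id-ce-subjectAltName
			return nil
		}
	}
	return fmt.Errorf("empty subject without a critical subjectAltName extension")
}

// selfSigned issues a throwaway certificate (constructed sample input).
func selfSigned(cn string, dnsNames ...string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if c, err := selfSigned("", "example.test"); err == nil {
		fmt.Println("empty subject, DNS SAN:", CheckEmptySubjectSAN(c))
	}
}
```

On a toolchain that includes the change that closed this issue the check returns nil; a certificate showing the behaviour reported above (SAN present but not critical) returns the error.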