Closed
Description
What version of Go are you using (go version)?
go version go1.9.2 linux/amd64
Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (go env)?
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/pcarrier/go"
GORACE=""
GOROOT="/home/pcarrier/opt/go"
GOTOOLDIR="/home/pcarrier/opt/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build684866675=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
What did you do?
Generated a CA and used it to issue a server certificate using main.go shared @ https://bugzilla.mozilla.org/show_bug.cgi?id=1415181 ; installed the root CA in Firefox by navigating to it; tried to visit an HTTPS website using the server certificate.
What did you expect to see?
Connections going through.
What did you see instead?
Firefox erroring out with SEC_ERROR_BAD_DER.
Based on Firefox's feedback, the problem is in the following snippet:
	if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0) &&
		!oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
		ret[n].Id = oidExtensionNameConstraints
		ret[n].Critical = template.PermittedDNSDomainsCritical

		var out nameConstraints
		out.Permitted = make([]generalSubtree, len(template.PermittedDNSDomains))
		for i, permitted := range template.PermittedDNSDomains {
			out.Permitted[i] = generalSubtree{Name: permitted}
		}
		// make() with length 0 yields an empty, non-nil slice, so an absent
		// ExcludedDNSDomains is still marshalled as an empty [1] element.
		out.Excluded = make([]generalSubtree, len(template.ExcludedDNSDomains))
		for i, excluded := range template.ExcludedDNSDomains {
			out.Excluded[i] = generalSubtree{Name: excluded}
		}
		ret[n].Value, err = asn1.Marshal(out)
		if err != nil {
			return
		}
		n++
	}
If ExcludedDNSDomains is empty, the DER shouldn't contain a second empty sequence. out.Excluded should be nil instead of []generalSubtree{}.
Apparently Mozilla's strict DER checking rejects the certificate chain as a result.
I will update this ticket once confirmed.
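To make the encoding difference the report describes visible, here is an added example (not code from this issue or from the Go standard library). It mirrors the unexported crypto/x509 types and their asn1 tags as an assumption, builds the extension value the way the quoted snippet does and the way the report suggests, and checks whether the DER ends in an empty [1] excludedSubtrees element.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"fmt"
)

// Reconstructed mirrors of the unexported crypto/x509 types (assumption:
// field names and asn1 tags follow the quoted snippet and RFC 5280).
type generalSubtree struct {
	Name string `asn1:"tag:2,optional,ia5"`
}

type nameConstraints struct {
	Permitted []generalSubtree `asn1:"optional,tag:0"`
	Excluded  []generalSubtree `asn1:"optional,tag:1"`
}

// toSubtrees builds the slice the way the quoted snippet does: make() with
// the input's length, so an empty input yields an empty but non-nil slice.
func toSubtrees(names []string) []generalSubtree {
	out := make([]generalSubtree, len(names))
	for i, n := range names {
		out[i] = generalSubtree{Name: n}
	}
	return out
}

// encodeNameConstraints marshals the extension value. With nilWhenEmpty
// false it reproduces the behaviour in the report; with true an absent list
// stays nil, which encoding/asn1 treats as the zero value and omits for an
// OPTIONAL field (a non-nil empty slice is not the zero value and is emitted
// as an empty constructed element).
func encodeNameConstraints(permitted, excluded []string, nilWhenEmpty bool) ([]byte, error) {
	var nc nameConstraints
	if len(permitted) > 0 || !nilWhenEmpty {
		nc.Permitted = toSubtrees(permitted)
	}
	if len(excluded) > 0 || !nilWhenEmpty {
		nc.Excluded = toSubtrees(excluded)
	}
	return asn1.Marshal(nc)
}

// hasEmptyExcluded reports whether the DER ends with an empty [1] element
// (tag 0xa1, length 0); Excluded is the last field, so it is always trailing.
func hasEmptyExcluded(der []byte) bool {
	return bytes.HasSuffix(der, []byte{0xa1, 0x00})
}

func main() {
	for _, nilWhenEmpty := range []bool{false, true} {
		der, err := encodeNameConstraints([]string{"example.com"}, nil, nilWhenEmpty)
		if err != nil {
			panic(err)
		}
		fmt.Printf("nilWhenEmpty=%v: % x (trailing empty [1]: %v)\n", nilWhenEmpty, der, hasEmptyExcluded(der))
	}
}
```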