Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: Go should be lenient in parsing CRL Distribution Points that do not conform to RFC 5280 4.2.1.13 #23403

Closed
christopher-henderson opened this issue Jan 10, 2018 · 5 comments
Assignees
Milestone

Comments

@christopher-henderson
Copy link
Contributor

@christopher-henderson christopher-henderson commented Jan 10, 2018

At minimum, the following 30 intermediate CA certificates do not encode their CRLs as per RFC 5280 4.2.1.13. Rather than being a sequence of DistributionPoints they are simply a sequence of a single sequence that is a flat list of URIs.

The effect of this is that any certificate that is encoded this way will only ever return a slice with, at most, one CRL URI in it.

0FD99AAE1FFCD5D9F0AD76EDDDCBEF6B884CC85C16BFCFA4B5246155D6597ED6
    ASN.1 Decoding
    crt.sh
117869A76AD9AD92A515F85890437274634394502CB4E226665FCF1FB75A4575
    ASN.1 Decoding
    crt.sh
18A43C51D08174C3A6D85F1C1318BD2909753E75D91CF6599F73347B00702890
    ASN.1 Decoding
    crt.sh
207CECE038B9826A120A919D4B41BCA8F37F2E994621BF5A993A04087D556DC6
    ASN.1 Decoding
    crt.sh
262A9569D60FB8DE5EA518B8A716226FA74EB00DCCEBECDFAB87B7704AF52B1A
    ASN.1 Decoding
    crt.sh
356A5F4D994E9EFA7CAEFC491768911D65EC25977465B610E2F29AA4472631C3
    ASN.1 Decoding
    crt.sh
38E9473772F633C9DCB743BE271DB9248810613A9F8B287E2DDF0DB3597C8CDB
    ASN.1 Decoding
    crt.sh
44C50AC80EDBE9E552E3C96CE5BD11C837C70F56A33ACABCF18D8D7A9B350E07
    ASN.1 Decoding
    crt.sh
4A40D4BE7FB0B05F9BDCA60BCE383FB592C49206DBC5C784F819CD74F2A07BE3
    ASN.1 Decoding
    crt.sh
4CB5CB705D4952497B4ED7C46A8564EA5C9137279F38C86B7BCA8E8883868B09
    ASN.1 Decoding
    crt.sh
56E0349E090CD573889F96DFA83758BEE7F9109D41B3CAE46CCB9D4BBD78B6E2
    ASN.1 Decoding
    crt.sh
592C508E39D7665F844586C3B9E765AFD5D80BBE05F9289CB0DED5711AC9C10A
    ASN.1 Decoding
    crt.sh
601293CA20B09A03295D196256C6953FF9EBA811DB8E3CE140413C1BFFE9A869
    ASN.1 Decoding
    crt.sh
60636BE2F294EC078F4C726964B4DD502B1C82E099CF775631E883FEEE45F951
    ASN.1 Decoding
    crt.sh
7099A66117825FDABAE48CB19AFE3137D813A0B673FD591D229E261963D3D61B
    ASN.1 Decoding
    crt.sh
73F82955F931DC6802BD07C5D1DF9404113F3C224F7A5E72040BE442E41F32FC
    ASN.1 Decoding
    crt.sh
748639EE75623D6E15C48B7C317CB516513BDD1143A8F5E90FF1A665A3314676
    ASN.1 Decoding
    crt.sh
830FF205AE69485059C3FB2376A7F2F9EE1C2A61DE259DD09D0BB6AD69F88832
    ASN.1 Decoding
    crt.sh
8700D047E5071116F67551A4393998D629E66F02C7B52E618EF4F9496E734756
    ASN.1 Decoding
    crt.sh
8AAC53FBFC861137ECA7D5061B81031F8EF3AA007D4FD344834EA859386FB23D
    ASN.1 Decoding
    crt.sh
8FD16A179944D5D1D420AF09405EDA7ABF2A9C742883E8C2F89E0D90AFAF754B
    ASN.1 Decoding
    crt.sh
954B889223498AED51AA7A29B62EED24BE03CD481D182E03EB83BAE8DD7BD71B
    ASN.1 Decoding
    crt.sh
9858CEB7B72F296B9C8CEE355F92B4E0D18DECAAF2C3696E6244A2E203EF6345
    ASN.1 Decoding
    crt.sh
A4652ED243DACC3FEEE1F0ED7C91BDB19A9BC225E72A5C97FDA4F1F00125BAA3
    ASN.1 Decoding
    crt.sh
AFCA33DAC544389E3D230DB12AD8BA3EE7C1A9E4CCF0CAFFD7E16C2A2F35CEE5
    ASN.1 Decoding
    crt.sh
B01A8DC9426D48767157FFCB46BEFA193175BBC981B57D47BC6C7FF71B94A35C
    ASN.1 Decoding
    crt.sh
B95D483F73177034DCE1C51FFE1CB9972CAFFE4FA1E1AD7412D03D6BA5B04751
    ASN.1 Decoding
    crt.sh
DB0DA16032F1643A2496FDE742E2BBE81DACA58CD7612061420E154CE1BCE2BD
    ASN.1 Decoding
    crt.sh
E5C2A9DA1AB2CF46691DEBF2477A9E35143521FA4117CF8ABD153B9667DCBD86
    ASN.1 Decoding
    crt.sh
F038421F07F20D63A20D3691E5A178AB8459EBE570C1647B7690554EF23876AB
    ASN.1 Decoding
    crt.sh

@titanous
Copy link
Member

@titanous titanous commented Jan 10, 2018

/cc @agl

@titanous titanous added this to the Go1.11 milestone Jan 10, 2018
@gopherbot
Copy link

@gopherbot gopherbot commented Jan 10, 2018

Change https://golang.org/cl/87235 mentions this issue: crypto/x509: Leniently parse malformed CRL lists

@gopherbot
Copy link

@gopherbot gopherbot commented Jan 10, 2018

Change https://golang.org/cl/87299 mentions this issue: crypto/x509: parse multiple URLs in a single CRLDP.

@agl
Copy link
Contributor

@agl agl commented Jan 10, 2018

I think blaming these certificates may be premature. fullName is a GeneralNames—i.e. a sequence of names. Thus I think these certificates (or, at least, the first) are valid and Go is at fault here for only reading the first of the names. Am I reading things wrong?

If not, I've uploaded an alternative fix.

@christopher-henderson
Copy link
Contributor Author

@christopher-henderson christopher-henderson commented Jan 10, 2018

Oh yeah, I see it now. I can back out my change in favor of yours, I think.

An interest side bit:

If the DistributionPointName contains multiple values, each name
describes a different mechanism to obtain the same CRL. For example,
the same CRL could be available for retrieval through both LDAP and
HTTP.

Which not all of these are doing - many are multiple HTTP, the first one being an example. But that is neither here-nor-there for this change.

@gopherbot gopherbot closed this in 4458a35 Jan 11, 2018
@golang golang locked and limited conversation to collaborators Jan 11, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.