Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: VerifyOptions.KeyUsages went from any required to all required in 1.10 #24162

grittygrease opened this issue Feb 27, 2018 · 7 comments


Copy link

@grittygrease grittygrease commented Feb 27, 2018

The behavior of x509.Verify changed in Go 1.10, which broke a test in CFSSL.

The previous behavior was that when the array of extended key usages in x509.VerifyOptions contains ExtKeyUsageClientAuth, then calling x509.Verify on a valid chain to a leaf certificate with the client certificate auth EKU set results in a valid response, which is the expected behavior. In Go 1.10, this behavior only works when x509.VerifyOptions only contains ExtKeyUsageClientAuth. If x509.VerifyOptions contains both ExtKeyUsageClientAuth and ExtKeyUsageServerAuth, then x509.Verify fails this check for leaf certificate with a client authentication usage.

Is there a new requirement for leaf certificates with Client Auth?

What version of Go are you using (go version)?

go 1.10

Steps to reproduce

The following test fails in cfssl 1.3 (

Output in Go 1.10

go test -v -run TestBundlerClientAuth ./bundler/...
=== RUN   TestBundlerClientAuth
2018/02/27 14:45:30 [INFO] bundling certificate for
2018/02/27 14:45:30 [INFO] the anchoring root is O=Root CA,L=San Francisco,ST=California,C=US
2018/02/27 14:45:30 [INFO] bundling certificate for
--- FAIL: TestBundlerClientAuth (0.02s)
	bundler_test.go:925: {"code":1214,"message":"x509: certificate specifies an incompatible key usage: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}"}
FAIL	0.034s
@grittygrease grittygrease changed the title crypto/x509: x509.Verify enforces EKU constraints on all certificates in a certificate chain instead of leaf in Go 1.10 crypto/x509: x509.Verify enforces EKU constraints differently on client certificates in Go 1.10 Feb 28, 2018
Copy link
Contributor Author

@grittygrease grittygrease commented Feb 28, 2018

Excuse the edits. I think this can be boiled down to this loop:

for _, eku := range requestedKeyUsages {

in which every EKU in opts.KeyUsages is required to pass the ekuPermittedBy test. Compare this to the previous logic where only one of opts.KeyUsages was required to be valid.

Copy link

@FiloSottile FiloSottile commented Feb 28, 2018

The failure does not reproduce on any tagged cfssl version, checkout commit b9f59aa instead. Longer version (or skip to the <hr>):

cfssl 1.3.0 does not build with Go 1.10, and the test passes in cfssl 1.3.1 because it looks like it was fixed here cloudflare/cfssl@c68df53.

Before that fix Verify was invoked with only x509.ExtKeyUsageClientAuth in VerifyOptions (WithKeyUsages(x509.ExtKeyUsageClientAuth)) on a certificate with only ServerAuth EKU:

        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: ecdsa-with-SHA256
            Not Before: Sep 20 20:06:00 2016 GMT
            Not After : Sep 21 02:06:00 2021 GMT
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

    Signature Algorithm: ecdsa-with-SHA256

So failing is expected behavior AFAICT.

But still I couldn't figure out why it was failing before, because the point of #23884 was to make this specific case fail again. So I checked out c68df53^ (e9bb1b2) and tested with Go 1.10, and indeed it passed, while it failed with tip as expected.

But then again it was failing on the other certificate. WithKeyUsages(x509.ExtKeyUsageClientAuth) was indeed introduced at cloudflare/cfssl@459761c. Rollbacking to before that commit gets us to a test that fails with Go 1.10 on the ServerAuth certificate and with tip on the ClientAuth certificate (or probably both). (#23884 explains the discrepancy.)

Verify is being called with four values in VerifyOptions.KeyUsages.

KeyUsages: []x509.ExtKeyUsage{

The certificates only have ExtKeyUsageServerAuth or ExtKeyUsageClientAuth.

The current behavior is that all VerifyOptions.KeyUsages need to match for verification to pass, so this fails.

for _, eku := range requestedKeyUsages {
for _, leafEKU := range c.ExtKeyUsage {
if ekuPermittedBy(eku, leafEKU, checkingAgainstLeafCert) {
continue NextUsage
oid, _ := oidFromExtKeyUsage(eku)
return nil, CertificateInvalidError{c, IncompatibleUsage, fmt.Sprintf("%#v", oid)}

However the previous behavior was that any VerifyOptions.KeyUsages needed to match for verification to pass.

// We walk down the list and cross out any usages that aren't supported
// by each certificate. If we cross out all the usages, then the chain
// is unacceptable.

The old behavior matches the docs, even if vague.

// KeyUsage specifies which Extended Key Usage values are acceptable.

So this is a pretty bad regression AFAICT, breaking most multi-value uses of VerifyOptions.KeyUsages (which must be pretty rare for no one to notice). Targeting 1.10.1.

(I don't think SANs are involved, nor the root or intermediate lack of EKUs.)

/cc @agl

@FiloSottile FiloSottile added this to the Go1.10.1 milestone Feb 28, 2018
@FiloSottile FiloSottile changed the title crypto/x509: x509.Verify enforces EKU constraints differently on client certificates in Go 1.10 crypto/x509: VerifyOptions.KeyUsages went from any required to all required in 1.10 Feb 28, 2018
Copy link

@gopherbot gopherbot commented Feb 28, 2018

Change mentions this issue: crypto/x509: matching any requested EKU should be sufficient.

Copy link

@agl agl commented Feb 28, 2018

I misremembered this and thought that all specified EKUs needed to match, but the previous behaviour was clearly that any of them was sufficient.

Sending CL to specify that in the docs and restore old behaviour.

@gopherbot gopherbot closed this in dc3a92e Mar 26, 2018
Copy link

@FiloSottile FiloSottile commented Mar 26, 2018

Reopening for cherry-pick.

Copy link

@andybons andybons commented Mar 27, 2018

CL 97720 OK for Go 1.10.1

Copy link

@gopherbot gopherbot commented Mar 27, 2018

Change mentions this issue: [release-branch.go1.10] crypto/x509: matching any requested EKU should be sufficient.

gopherbot pushed a commit that referenced this issue Mar 29, 2018
…d be sufficient.

The documentation was unclear here and I misremembered the behaviour and
changed it in 1.10: it used to be that matching any EKU was enough but
1.10 requires that all EKUs match.

Restore 1.9 behaviour and clarify the documentation to make it official.

Fixes #24162.

Change-Id: Ic9466cd0799cb27ec3a3a7e6c96f10c2aacc7020
Run-TryBot: Adam Langley <>
TryBot-Result: Gobot Gobot <>
Reviewed-by: Filippo Valsorda <>
Run-TryBot: Andrew Bonventre <>
@andybons andybons closed this Mar 29, 2018
@golang golang locked and limited conversation to collaborators Mar 29, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.