-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/x509/pkix: Name.String() hex-encodes string-type ExtraNames #33093
Comments
/cc @FiloSottile |
I read the previous spec paragraph as saying that this is the correct form when the type is unknown and expressed as a dotted decimal.
There is even an example for it in Section 5.
Can you provide an example certificate? |
Here is a sample CSR:
OpenSSL shows the custom distinguished name as a string:
The OpenSSL output is preferable over the current Go output because it is human readable. |
@FiloSottile Wanted to follow up on this. The example you copied is specifically for an "octet string", hence the |
ping @FiloSottile |
@FiloSottile Is this something you will consider fixing, given what I mentioned? |
@FiloSottile is there someone else I should CC? |
I agree with @rittneje . Here is a simple example. Create a certificate with openssl: openssl req -new -x509 -subj '/UID=foobar/' -nodes -outform DER -out cert.crt The ASN.1 structure of the Subject DN in cert.crt: SEQUENCE (1 elem) SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 0.9.2342.19200300.100.1.1 userID UTF8String foobar The type is UTF8String (not for example an octect string). Requoting @rittneje from RFC 2253:
UTF8String has a string representation and does not even need conversion, so it should be printed as: 0.9.2342.19200300.100.1.1=foobar Not like go1.18.1 does: 0.9.2342.19200300.100.1.1=#1306666f6f626172 In #39924 @FiloSottile says:
But this is not what RFC 2253 says. RFC 2253 does not mention "non-standard attributes"; it says "does not have a string representation" which is a different thing:
|
ping @FiloSottile |
I don't think @FiloSottile is working on this project anymore. I guess the fastest way to fix this is to fix it ourselves and request a pull. |
Thanks @bjanders for doing the spec analysis in #33093 (comment), I think you're right and I was interpreting it wrong. We can probably get this into Go 1.21. |
Change https://go.dev/cl/549075 mentions this issue: |
Thank you for the discourse @rittneje @FiloSottile @bjanders, I am working on triaging plus fixing issues and I just stumbled upon this issue and it nerd snipped me and I've gone through parts of the specification and to accomplish a probable working fix for this, I examined expectations for ASN1 printable strings per the quoted RFCs and I've mailed out CL https://go-review.googlesource.com/c/go/+/549075 which can be a start for the fix but otherwise moved to the Go1.23 milestone. |
Kind ping @rolandshoemaker @FiloSottile and others, I did mail a fix for this issue in CL https://go-review.googlesource.com/c/go/+/549075 |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I created a pkix.Name containing a custom ExtraName, and converted it to a string.
https://play.golang.org/p/1hyqwP_RTBs
What did you expect to see?
1.2.3.4=sample,CN=foobar
What did you see instead?
1.2.3.4=#130673616d706c65,CN=foobar
This is because Go always hex-encodes the asn.1 encoding of the value, even though RFC 2253 states that the value is supposed to just be used as its own string encoding. https://tools.ietf.org/html/rfc2253#section-2.4
Note that OpenSSL gives the expected output when viewing a certificate or CSR with a custom name.
The text was updated successfully, but these errors were encountered: