Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: parse SAN DirectoryName #47618

Closed
tracefinder opened this issue Aug 10, 2021 · 1 comment
Closed

crypto/x509: parse SAN DirectoryName #47618

tracefinder opened this issue Aug 10, 2021 · 1 comment
Labels
FrozenDueToAge

Comments

@tracefinder
Copy link

tracefinder commented Aug 10, 2021
edited
Loading

What version of Go are you using (go version)?

$ go version
go version go1.16.6 linux/amd64

Does this issue reproduce with the latest release?

Yes, according to the sources.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/user/.cache/go-build"
GOENV="/home/user/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/user/repos/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/user/repos/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.6"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build169247540=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I'm playing around TPM Endorsement Key certificates. One of the things I want to archive is to verify a EK certificate against the root CA. The function looks like

func (v *Verifier) VerifyEK(ekPem []byte) (bool, error) {
	block, _ := pem.Decode(ekPem)
	if block == nil {
		return false, errors.New("failed to parse certificate PEM")
	}

	ek, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("failed to parse certificate: %w", err)
	}

	opts := x509.VerifyOptions{
		Roots: v.ekRoots,
		Intermediates: v.ekIntermediates,
	}
	if _, err := ek.Verify(opts); err != nil {
		return false, fmt.Errorf("failed to verify certificate: %w", err)
	}

	return true, nil
}

What did you expect to see?

I expect the verification process to complete.

What did you see instead?

Verification fails with x509: unhandled critical extension . The unhandled critical extension is SubjectAltName.

The reason

RFC 5280, 4.2.1.6 defines 9 types of general names. However, parseSANExtension function (crypto/x509) supports only 4 (email, dns, uri, ip).

The proposal

Support other types of general names for SubjectAltName (or add some of them).
@seankhliao
Copy link
Member

Duplicate of #15196

@seankhliao seankhliao marked this as a duplicate of #15196 Aug 10, 2021
@golang golang locked and limited conversation to collaborators Aug 10, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tracefinder @gopherbot @seankhliao