crypto/x509: Certificates with an Email ... failed parsing cause of @ versus ASN1 + InsecureSkipVerify never check #52964

OlivierMary opened this issue May 18, 2022 · 5 comments
@OlivierMary OlivierMary commented May 18, 2022

What version of Go are you using (go version)?

$ go version
go version go1.18.2 darwin/amd64

Does this issue reproduce with the latest release?

Yes, it's the latest

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/oliviermary/Library/Caches/go-build"
GOENV="/Users/oliviermary/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/oliviermary/go/pkg/mod"
GONOPROXY="github.com/xxxx/*"
GONOSUMDB="github.com/xxxx/*"
GOOS="darwin"
GOPATH="/Users/oliviermary/go"
GOPRIVATE="github.com/xxxx/*"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/Users/oliviermary/go/go1.18.2"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/oliviermary/go/go1.18.2/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.18.2"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/oliviermary/GolandProjects/charge-tester/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/4x/2x5djhh5019dxh6745yx5j7h0000gn/T/go-build3025453168=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

I want to test my code with the Postman proxy feature to capture the requests for debugging calls.

Enable the Postman proxy.
Set env:

https_proxy="http://localhost:5555"
http_proxy="http://localhost:5555"

Use this code: https://go.dev/play/p/-ZSKEDqWyL8
You will get an output like this:

response <nil>
error Get "https://www.google.com": tls: failed to parse certificate from server: x509: invalid RDNSequence: invalid attribute value: invalid PrintableString

What did you expect to see?

This certificate is valid for many tools (check below), so the parsing of this certificate must be OK.
"Or" maybe InsecureSkipVerify could bypass the handshake ???
With the current implementation I have no way to bypass this check.

What did you see instead?

Certificate not parsed, because an email with an "@" is not parsed.
Failure in this method:

// isPrintable reports whether the given b is in the ASN.1 PrintableString set.
// This is a simplified version of encoding/asn1.isPrintable.
func isPrintable(b byte) bool {
	return 'a' <= b && b <= 'z' ||
		'A' <= b && b <= 'Z' ||
		'0' <= b && b <= '9' ||
		'\'' <= b && b <= ')' ||
		'+' <= b && b <= '/' ||
		b == ' ' ||
		b == ':' ||
		b == '=' ||
		b == '?' ||
		// This is technically not allowed in a PrintableString.
		// However, x509 certificates with wildcard strings don't
		// always use the correct string type so we permit it.
		b == '*' ||
		// This is not technically allowed either. However, not
		// only is it relatively common, but there are also a
		// handful of CA certificates that contain it. At least
		// one of which will not expire until 2027.
		b == '&'
}

Which does not accept "@".

When I see the comments, I think we can add a block for '@'.

Additional information

The certificate:
postman-proxy-ca.original.crt.zip

The details of this certificate:
openssl x509 -in ~/Library/Application\ Support/Postman/proxy/postman-proxy-ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7a:6b:25:a2:a9:53:c2:36:c9
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Postman Proxy CA, C=US, OU=Postman, O=Postman Inc./emailAddress=info@getpostman.com, ST=CA, L=San Francisco
        Validity
            Not Before: May 18 13:19:36 2022 GMT
            Not After : Sep 30 13:19:36 2023 GMT
        Subject: CN=Postman Proxy CA, C=US, OU=Postman, O=Postman Inc./emailAddress=info@getpostman.com, ST=CA, L=San Francisco
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

The openssl asn1parse result of this cert:
openssl asn1parse -in ~/Library/Application\ Support/Postman/proxy/postman-proxy-ca.crt
    0:d=0  hl=4 l= 969 cons: SEQUENCE
    4:d=1  hl=4 l= 689 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   9 prim: INTEGER           :7A6B25A2A953C236C9
   24:d=2  hl=2 l=  13 cons: SEQUENCE
   26:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   37:d=3  hl=2 l=   0 prim: NULL
   39:d=2  hl=3 l= 154 cons: SEQUENCE
   42:d=3  hl=2 l=  25 cons: SET
   44:d=4  hl=2 l=  23 cons: SEQUENCE
   46:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   51:d=5  hl=2 l=  16 prim: PRINTABLESTRING   :Postman Proxy CA
   69:d=3  hl=2 l=  11 cons: SET
   71:d=4  hl=2 l=   9 cons: SEQUENCE
   73:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   78:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
   82:d=3  hl=2 l=  16 cons: SET
   84:d=4  hl=2 l=  14 cons: SEQUENCE
   86:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
   91:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Postman
  100:d=3  hl=2 l=  21 cons: SET
  102:d=4  hl=2 l=  19 cons: SEQUENCE
  104:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  109:d=5  hl=2 l=  12 prim: PRINTABLESTRING   :Postman Inc.
  123:d=3  hl=2 l=  34 cons: SET
  125:d=4  hl=2 l=  32 cons: SEQUENCE
  127:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  138:d=5  hl=2 l=  19 prim: PRINTABLESTRING   :info@getpostman.com
  159:d=3  hl=2 l=  11 cons: SET
  161:d=4  hl=2 l=   9 cons: SEQUENCE
  163:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  168:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :CA
  172:d=3  hl=2 l=  22 cons: SET
  174:d=4  hl=2 l=  20 cons: SEQUENCE
  176:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  181:d=5  hl=2 l=  13 prim: PRINTABLESTRING   :San Francisco
  196:d=2  hl=2 l=  30 cons: SEQUENCE
  198:d=3  hl=2 l=  13 prim: UTCTIME           :220518131936Z
  213:d=3  hl=2 l=  13 prim: UTCTIME           :230930131936Z
  228:d=2  hl=3 l= 154 cons: SEQUENCE
  231:d=3  hl=2 l=  25 cons: SET
  233:d=4  hl=2 l=  23 cons: SEQUENCE
  235:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  240:d=5  hl=2 l=  16 prim: PRINTABLESTRING   :Postman Proxy CA
  258:d=3  hl=2 l=  11 cons: SET
  260:d=4  hl=2 l=   9 cons: SEQUENCE
  262:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  267:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
  271:d=3  hl=2 l=  16 cons: SET
  273:d=4  hl=2 l=  14 cons: SEQUENCE
  275:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  280:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Postman
  289:d=3  hl=2 l=  21 cons: SET
  291:d=4  hl=2 l=  19 cons: SEQUENCE
  293:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  298:d=5  hl=2 l=  12 prim: PRINTABLESTRING   :Postman Inc.
  312:d=3  hl=2 l=  34 cons: SET
  314:d=4  hl=2 l=  32 cons: SEQUENCE
  316:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  327:d=5  hl=2 l=  19 prim: PRINTABLESTRING   :info@getpostman.com
  348:d=3  hl=2 l=  11 cons: SET
  350:d=4  hl=2 l=   9 cons: SEQUENCE
  352:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  357:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :CA
  361:d=3  hl=2 l=  22 cons: SET
  363:d=4  hl=2 l=  20 cons: SEQUENCE
  365:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  370:d=5  hl=2 l=  13 prim: PRINTABLESTRING   :San Francisco
  385:d=2  hl=4 l= 290 cons: SEQUENCE
  389:d=3  hl=2 l=  13 cons: SEQUENCE
  391:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  402:d=4  hl=2 l=   0 prim: NULL
  404:d=3  hl=4 l= 271 prim: BIT STRING
  679:d=2  hl=2 l=  16 cons: cont [ 3 ]
  681:d=3  hl=2 l=  14 cons: SEQUENCE
  683:d=4  hl=2 l=  12 cons: SEQUENCE
  685:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  690:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
  697:d=1  hl=2 l=  13 cons: SEQUENCE
  699:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  710:d=2  hl=2 l=   0 prim: NULL
  712:d=1  hl=4 l= 257 prim: BIT STRING

We can see the mail didn't cause any problem:

  316:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  327:d=5  hl=2 l=  19 prim: PRINTABLESTRING   :info@getpostman.com

I don't know why this problem doesn't occur for all certificates; are all CAs without email ???? Or maybe I'm doing something wrong :)

At least, if someone has a way to bypass this check ?

@mknyszek mknyszek added the NeedsInvestigation label May 18, 2022
@mknyszek mknyszek added this to the Backlog milestone May 18, 2022

@mknyszek mknyszek commented May 18, 2022

CC @golang/security


@rolandshoemaker rolandshoemaker commented May 18, 2022

Whatever is generating that certificate is broken. The @ character is explicitly not allowed in PrintableStrings; it should be using IA5String, which does allow inclusion of @. This is specified in RFC 5280.
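To see the two encodings side by side, here is an added example (not code from this issue or from the Go project) that self-signs a throwaway certificate carrying emailAddress first as a PrintableString and then as an IA5String, and feeds each to crypto/x509. The OID, the CommonName and the email value are constructed sample values; the fixed Ed25519 seed is only for a reproducible demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is the PKCS#9 emailAddress attribute type (1.2.840.113549.1.9.1).
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// parseWithEmailTag self-signs a throwaway certificate whose Subject carries
// emailAddress under the given ASN.1 string tag, then parses the DER back with
// crypto/x509. The asn1.RawValue forces that exact tag rather than letting
// asn1.Marshal choose; encoding works for both, only parsing rejects '@' in a PrintableString.
func parseWithEmailTag(email string, tag int) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, 32)) // fixed throwaway key, demo only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName: "Example Proxy CA", // constructed sample value
			ExtraNames: []pkix.AttributeTypeAndValue{{
				Type:  oidEmailAddress,
				Value: asn1.RawValue{Tag: tag, Bytes: []byte(email)},
			}},
		},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, fmt.Errorf("create: %w", err)
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, tag := range []int{asn1.TagPrintableString, asn1.TagIA5String} {
		cert, err := parseWithEmailTag("info@example.com", tag)
		if err != nil {
			fmt.Printf("tag %d: %v\n", tag, err)
			continue
		}
		fmt.Printf("tag %d: parsed Subject %v\n", tag, cert.Subject.Names)
	}
}
```

The PrintableString run reproduces the exact "invalid RDNSequence: invalid attribute value: invalid PrintableString" error from the report, while the IA5String run parses and exposes the email in cert.Subject.Names.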


@OlivierMary OlivierMary commented May 18, 2022

Hi @rolandshoemaker thanks for your reply.

Why does openssl asn1parse work? How do we set an email in ASN.1 then?


@rolandshoemaker rolandshoemaker commented May 18, 2022

openssl asn1parse is just showing the encoding of the input, it does no validation of the contents.

Assuming this certificate was generated by Postman, you should report this bug to them so they can re-generate the certificate using the correct encoding. There is no workaround in Go to accept this invalid encoding.


@OlivierMary OlivierMary commented May 18, 2022

Yes @rolandshoemaker, already done :)

Any way to bypass the parsing atm?
