crypto/x509/pkix does parse "1.2.840.113549.1.9.1" (emailAddress) in Subject/Issuer data #63148
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
What did you do?
My organisation uses Active Directory Cert Services for cert issuance. The root CA and intermediate certs have Subject and Issuer entries with emailAddress=support@team type data in it as an extra field
e.g.
C=US,ST=...,L=...,O=...,OU=...,CN=...,emailAddress=support@team
This email address appears to be created with the (deprecated) 1.2.840.113549.1.9.1 oid.
When parsing this information (e.g. from a client cert passed to a server as a mTLS session) this attribute is not decoded and is left as a BER encoded oid field.
What did you expect to see?
CN=...,OU=...,O=...,L=...,ST=...,C=...,emailAddress=support@team
What did you see instead?
CN=...,OU=...,O=...,L=...,ST=...,C=...,1.2.840.113549.1.9.1=#berdata
Possible fix
For testing I was able to add
"1.2.840.113549.1.9.1": "emailAddress",
to attributeTypeNames in crypto/x509/pkix.go and that was sufficient to make my certs display properly. I don't know if this is sufficient, though, so I'm not proposing it with a PR.
It's also possible ADCS is doing the wrong thing, here, but since it's a common tool for generating certificates it probably needs to be handled gracefully.
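A caller-side way to get the rendering the report expects without patching the standard library, as an added example (not code from the issue or from the Go project). It matches the attribute by OID in Name.Names and leaves the known attributes to pkix's own String(); splitEmail, displayDN, escapeValue and parsedSample are hypothetical helpers, and the sample name is constructed.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"strings"
)

// PKCS #9 emailAddress, the OID quoted in the issue.
var oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// escapeValue backslash-escapes DN separators so "x,CN=admin" cannot read as two attributes.
var escapeValue = strings.NewReplacer(`\`, `\\`, `,`, `\,`, `+`, `\+`, `"`, `\"`, `;`, `\;`, `<`, `\<`, `>`, `\>`).Replace

// splitEmail (hypothetical) separates emailAddress values, matched by OID, from a parsed name.
func splitEmail(n pkix.Name) (rest pkix.Name, emails []string) {
	rest = n
	rest.Names = nil
	for _, atv := range n.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmail) {
			emails = append(emails, s)
		} else {
			rest.Names = append(rest.Names, atv)
		}
	}
	return rest, emails
}

// displayDN (hypothetical) lets pkix render the other attributes, then appends labelled emails.
func displayDN(n pkix.Name) string {
	rest, emails := splitEmail(n)
	out := rest.String()
	for _, e := range emails {
		out += ",emailAddress=" + escapeValue(e)
	}
	return strings.TrimPrefix(out, ",")
}

// parsedSample returns a constructed name, filled the way a parsed Subject is.
func parsedSample() (n pkix.Name) {
	rdns := pkix.Name{Country: []string{"US"}, Organization: []string{"Example"}, CommonName: "client",
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmail, Value: "support@team"}}}.ToRDNSequence()
	n.FillFromRDNSequence(&rdns)
	return n
}

func main() {
	fmt.Println(parsedSample().String(), "|", displayDN(parsedSample()))
}
```

The helpers assume a name that came from parsing (ExtraNames is nil). For authorization decisions, compare the OID and value taken from Names rather than the rendered string.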