diff options
author | Roland Shoemaker <roland@golang.org> | 2024-02-07 12:10:58 -0800 |
---|---|---|
committer | Gopher Robot <gobot@golang.org> | 2024-05-09 23:09:41 +0000 |
commit | 671696a22dd98c0fafcaea2d159c284367b24aa0 (patch) | |
tree | a493a1cf054895500dcef6409c18ca8eddf021e3 /src/crypto | |
parent | 2064413b545876ff93d5e985824986c2e06a619a (diff) | |
download | go-671696a22dd98c0fafcaea2d159c284367b24aa0.tar.gz go-671696a22dd98c0fafcaea2d159c284367b24aa0.zip |
crypto/x509: reject critical AKI
Updates #65085
Change-Id: I8cc60990737d582edf4f7f85ec871f5e42f82b78
Reviewed-on: https://go-review.googlesource.com/c/go/+/562341
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/x509/parser.go | 4 | ||||
-rw-r--r-- | src/crypto/x509/x509_test.go | 25 |
2 files changed, 29 insertions, 0 deletions
diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go index 001b001775..4202991f47 100644 --- a/src/crypto/x509/parser.go +++ b/src/crypto/x509/parser.go @@ -723,6 +723,10 @@ func processExtensions(out *Certificate) error { case 35: // RFC 5280, 4.2.1.1 + if e.Critical { + // Conforming CAs MUST mark this extension as non-critical + return errors.New("x509: authority key identifier incorrectly marked critical") + } val := cryptobyte.String(e.Value) var akid cryptobyte.String if !val.ReadASN1(&akid, cryptobyte_asn1.SEQUENCE) { diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go index a29f914c8e..a9dc145265 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -4011,6 +4011,31 @@ func TestGob(t *testing.T) { } } +func TestRejectCriticalAKI(t *testing.T) { + template := Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{CommonName: "Cert"}, + NotBefore: time.Unix(1000, 0), + NotAfter: time.Unix(100000, 0), + ExtraExtensions: []pkix.Extension{ + { + Id: asn1.ObjectIdentifier{2, 5, 29, 35}, + Critical: true, + Value: []byte{1, 2, 3}, + }, + }, + } + certDER, err := CreateCertificate(rand.Reader, &template, &template, rsaPrivateKey.Public(), rsaPrivateKey) + if err != nil { + t.Fatalf("CreateCertificate() unexpected error: %v", err) + } + expectedErr := "x509: authority key identifier incorrectly marked critical" + _, err = ParseCertificate(certDER) + if err == nil || err.Error() != expectedErr { + t.Fatalf("ParseCertificate() unexpected error: %v, want: %s", err, expectedErr) + } +} + func TestRejectCriticalAIA(t *testing.T) { template := Certificate{ SerialNumber: big.NewInt(1), |