Go version
go version go1.24.2 linux/amd64
Output of go env in your module/workspace:
empty
What did you do?
Hello Developer, I successfully parsed a CRL file with an empty Key Identifier using Go. When I used GnuTLS to parse this CRL file, it returned an error: `error: gnutls_x509_ext_import_authority_key_id: ASN1 parser: Error in DER parsing`. Is this considered an error?
What did you see happen?
Code:
```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"encoding/hex"
	"flag"
	"fmt"
	"math/big"
	"os"
)

func main() {
	crlFilePath := flag.String("crl", "", "Path to the CRL file")
	flag.Parse()
	if *crlFilePath == "" {
		fmt.Println("CRL file path is required")
		os.Exit(1)
	}
	derBytes, err := os.ReadFile(*crlFilePath)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// ParseRevocationList succeeds here even though the AKI keyIdentifier is empty.
	crl, err := x509.ParseRevocationList(derBytes)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// id-ce-authorityKeyIdentifier
	oidAuthorityKeyIdentifier := asn1.ObjectIdentifier{2, 5, 29, 35}
	for _, ext := range crl.Extensions {
		if ext.Id.Equal(oidAuthorityKeyIdentifier) {
			// Mirrors the RFC 5280 AuthorityKeyIdentifier SEQUENCE; every field is OPTIONAL.
			var aki struct {
				KeyIdentifier             []byte          `asn1:"optional,tag:0"`
				AuthorityCertIssuer       []asn1.RawValue `asn1:"optional,tag:1"`
				AuthorityCertSerialNumber *big.Int        `asn1:"optional,tag:2"`
			}
			if _, err := asn1.Unmarshal(ext.Value, &aki); err != nil {
				fmt.Printf("AKI error: %v\n", err)
				continue
			}
			if aki.KeyIdentifier != nil {
				fmt.Printf("%s\n", toColonHex(aki.KeyIdentifier))
			}
		}
	}
}

// toColonHex renders bytes as colon-separated hex, e.g. "de:ad:be:ef".
func toColonHex(data []byte) string {
	if len(data) == 0 {
		return ""
	}
	buf := make([]byte, 0, len(data)*3)
	for i, b := range data {
		if i > 0 {
			buf = append(buf, ':')
		}
		buf = append(buf, hex.EncodeToString([]byte{b})...)
	}
	return string(buf)
}
```
What did you expect to see?
Test Case:
Comment From: gabyhelp
Related Issues
- crypto/x509: the ParseRevocationList() doesn't seem to populate the AuthorityKeyId correctly #57461 (closed)
- crypto/x509: certificate with empty Authority Key Identifier extension considered invalid #70619
- crypto/x509: ParseRevocationList accepts invalid AKI extension in CRL #73030
- crypto/x509: ParseRevocationList accepts authorityCertSerialNumber set to 0 #73293
- crypto/x509: wrong value of RevocationList.AuthorityKeyId #67571 (closed)
- crypto/x509: ParseRevocationList accepts DN with all empty values #73021
- crypto/x509: ParseRevocationList accepts the IDP extension with DER encoding as an empty sequence #73284
- crypto/x509: crlSign key missing for CreateRevocationList #49414 (closed)
- crypto/x509: Verify should reject certificates with empty issuers #71832
- crypto/x509: parse CSR with elided Attributes #56901 (closed)
Comment From: mateusz834
RFC 5280:
```
AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] KeyIdentifier            OPTIONAL,
    authorityCertIssuer       [1] GeneralNames             OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }

KeyIdentifier ::= OCTET STRING
```
At least RFC 5280 does not seem to restrict that, so I believe it is fine.
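As an added example that is not part of the issue thread or of Go's crypto/x509 (the names CheckAKI and CheckCRLAKI, the Err* values and the DER byte samples are this example's own, and the sample bytes are constructed rather than taken from the reporter's attachment), this is the kind of strictness check a relying party could layer on top of ParseRevocationList to get behaviour closer to GnuTLS. It walks the AuthorityKeyIdentifier SEQUENCE quoted above element by element and reports a keyIdentifier that is present but zero-length (the reporter's case) and, going beyond that case, an AKI that carries no components at all, components out of DER order or repeated, and trailing bytes after the SEQUENCE. Treating the empty cases as errors is this example's policy, not something the thread settles.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
)

var oidAKI = asn1.ObjectIdentifier{2, 5, 29, 35} // id-ce-authorityKeyIdentifier

var (
	ErrEmptyAKI     = errors.New("aki: SEQUENCE carries no fields")
	ErrEmptyKeyID   = errors.New("aki: keyIdentifier is a zero-length OCTET STRING")
	ErrMissingAKI   = errors.New("aki: extension missing from CRL")
	ErrMalformedAKI = errors.New("aki: malformed encoding")
)

// CheckAKI walks the DER value of an AuthorityKeyIdentifier element by element
// (asn1.RawValue) rather than unmarshalling into a struct, so "field absent" and
// "field present but empty" are told apart explicitly instead of through nil
// versus zero-length slices. Rejecting an empty SEQUENCE and a zero-length
// keyIdentifier is this example's policy (hypothetical strict profile).
func CheckAKI(value []byte) error {
	var seq asn1.RawValue
	rest, err := asn1.Unmarshal(value, &seq)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrMalformedAKI, err)
	}
	if len(rest) != 0 || seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence || !seq.IsCompound {
		return fmt.Errorf("%w: value is not exactly one SEQUENCE", ErrMalformedAKI)
	}
	if len(seq.Bytes) == 0 {
		return ErrEmptyAKI
	}
	body, lastTag := seq.Bytes, -1
	for len(body) > 0 {
		var f asn1.RawValue
		if body, err = asn1.Unmarshal(body, &f); err != nil {
			return fmt.Errorf("%w: %v", ErrMalformedAKI, err)
		}
		// DER: context-specific tags in definition order, each at most once.
		if f.Class != asn1.ClassContextSpecific || f.Tag <= lastTag {
			return fmt.Errorf("%w: element class %d tag [%d] out of place", ErrMalformedAKI, f.Class, f.Tag)
		}
		lastTag = f.Tag
		switch {
		case f.Tag == 0 && !f.IsCompound: // keyIdentifier [0] IMPLICIT OCTET STRING
			if len(f.Bytes) == 0 {
				return ErrEmptyKeyID
			}
		case f.Tag == 1 && f.IsCompound: // authorityCertIssuer [1] IMPLICIT GeneralNames
		case f.Tag == 2 && !f.IsCompound && len(f.Bytes) > 0: // authorityCertSerialNumber [2] IMPLICIT INTEGER
		default:
			return fmt.Errorf("%w: tag [%d] unknown or of the wrong form", ErrMalformedAKI, f.Tag)
		}
	}
	return nil
}

// CheckCRLAKI finds the AKI extension of a parsed CRL and applies CheckAKI.
// A CRL without the extension is reported as well, since RFC 5280 section
// 5.2.1 requires conforming CRL issuers to include it.
func CheckCRLAKI(crl *x509.RevocationList) error {
	for _, ext := range crl.Extensions {
		if ext.Id.Equal(oidAKI) {
			return CheckAKI(ext.Value)
		}
	}
	return ErrMissingAKI
}

// Constructed DER samples, not taken from the issue's attachment.
var (
	AKIGood       = []byte{0x30, 0x16, 0x80, 0x14, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20}
	AKIEmptyKeyID = []byte{0x30, 0x02, 0x80, 0x00} // [0] present but zero-length: the reporter's case
	AKIEmptySeq   = []byte{0x30, 0x00}             // SEQUENCE with no components at all
)

func main() {
	samples := []struct {
		name string
		der  []byte
	}{{"well-formed", AKIGood}, {"empty keyIdentifier", AKIEmptyKeyID}, {"empty SEQUENCE", AKIEmptySeq}}
	for _, s := range samples {
		fmt.Printf("%-20s -> %v\n", s.name, CheckAKI(s.der))
	}
}
```

To apply it to a file parsed the way the reporter's program does, call CheckCRLAKI on the result of x509.ParseRevocationList; the sentinel errors let a caller decide per policy whether an empty AKI is fatal or merely logged.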
Comment From: onepeople158
> RFC 5280:
> ```
> AuthorityKeyIdentifier ::= SEQUENCE {
>     keyIdentifier             [0] KeyIdentifier            OPTIONAL,
>     authorityCertIssuer       [1] GeneralNames             OPTIONAL,
>     authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
>
> KeyIdentifier ::= OCTET STRING
> ```
> At least RFC 5280 does not seem to restrict that, so I believe it is fine.

Hello, I created an empty AuthorityKeyIdentifier (AKI) extension where all three subfields are nil. Go accepted this CRL file. Does this violate the following statement in RFC 5280:
Comment From: cherrymui
This seems similar to #73030, #73293, #73284, and #73021, with slightly different variances. Perhaps we can combine them into a single issue for ParseRevocationList strictness.
cc @golang/security