go: crypto/x509: error parsing large ASN.1 identifiers

What version of Go are you using (go version)?

$ go version
go1.17.3 windows/amd64

Does this issue reproduce with the latest release?

Issue observed while connecting to an LDAPS server with a certificate generated by Microsoft Active Directory with Microsoft's specific X509v3 Certificate Policies. The error message is "x509: invalid certificate policies"; it comes from parseCertificatePoliciesExtension in the x509 parser.

Output of "openssl x509 -in my.crt --text"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:00:04:9b:44:6f:c6:43:9c:d8:f5:3a:00:00:03:00:04:9b:44
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = pl, DC = com, DC = <edited>, CN = <edited>    Subordinate CA
        Validity
            Not Before: Sep 20 11:05:54 2021 GMT
            Not After : Sep 20 11:05:54 2023 GMT
        Subject: CN = <edited>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:dd:fd:8b:7e:bd:e7:50:f0:c1:bd:8f:37:d6:e0:
<edited>
                    e8:13:8a:ae:c7:26:73:b5:81:4e:c7:ab:39:2a:ef:
                    fb:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.........M...".......nK...M...b..e...
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Signing KDC Response, TLS Web Server Authentication, Microsoft Smartcard Login
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.311.21.8.3719450.11115469.11946914.3506198.8878958.75.1492336001.1138714952

            1.3.6.1.4.1.311.21.10:
                010
..+.......0...+......0
..+.......0..
+.....7...
            X509v3 Subject Key Identifier:
                04:7B:E7:F9:21:DB:92:0E:21:DE:70:B2:CD:FC:16:49:0D:11:46:92
<edited>

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=D:\Projekty\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=D:\Projekty\go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.17.3
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=D:\Projekty\go\bin\go.mod
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\luty4\AppData\Local\Temp\go-build1235732887=/tmp/go-build -gno-record-gcc-switches

What did you do?

https://play.golang.org/p/WI9bl64Z6wU

What did you expect to see?

**** OID with 4 bytes
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001
ASN.1 Encoding:   060e2b060104018237150885c7ccfb01
Decode result: true
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001

What did you see instead?

**** OID with 4 bytes
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001
ASN.1 Encoding:    060e2b060104018237150885c7ccfb01
Decode result: false
Object Identifier: 
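
Added example, not the reporter's playground program (which is not reproduced on this page): it takes the DER bytes from the expected-output section above, decodes them with a hand-written base-128 arc decoder whose per-arc byte cap is a parameter (a cap of four bytes rejects the final arc 1492336001 exactly as the report shows, five bytes accepts it), and hands the same bytes to encoding/asn1 for comparison. The hex string is the one on the page; the function names are mine.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// derOID is the DER quoted in the issue for 1.3.6.1.4.1.311.21.8.1492336001. Its
// last arc needs five base-128 bytes (85 c7 cc fb 01); a four-byte cap rejects it.
var derOID, _ = hex.DecodeString("060e2b060104018237150885c7ccfb01")

// decodeOIDArcs decodes OID content octets (tag and length stripped) into arcs, capping each arc at maxBytes base-128 bytes.
func decodeOIDArcs(content []byte, maxBytes int) ([]uint64, error) {
	arcs, cur, n := []uint64(nil), uint64(0), 0 // n counts bytes of the current arc
	for i, b := range content {
		if n++; n > maxBytes {
			return nil, fmt.Errorf("arc at offset %d exceeds %d bytes", i, maxBytes)
		}
		cur = cur<<7 | uint64(b&0x7f)
		if b&0x80 != 0 {
			continue // continuation bit set, more bytes follow
		}
		if len(arcs) > 0 {
			arcs = append(arcs, cur)
		} else if cur < 80 { // first sub-identifier packs two arcs as 40*X+Y
			arcs = append(arcs, cur/40, cur%40)
		} else {
			arcs = append(arcs, 2, cur-80)
		}
		cur, n = 0, 0
	}
	if n != 0 || len(arcs) == 0 {
		return nil, fmt.Errorf("truncated or empty OID")
	}
	return arcs, nil
}

// parseWithStdlib hands the DER to encoding/asn1, which allows five bytes per arc.
func parseWithStdlib(der []byte) (asn1.ObjectIdentifier, error) {
	var oid asn1.ObjectIdentifier
	_, err := asn1.Unmarshal(der, &oid)
	return oid, err
}

func main() {
	fmt.Println(decodeOIDArcs(derOID[2:], 4)) // derOID[2:] skips tag 06 and length 0e
	fmt.Println(decodeOIDArcs(derOID[2:], 5))
	fmt.Println(parseWithStdlib(derOID))
}
```

Running it prints an error for the four-byte cap, the full arc list for the five-byte cap, and the same OID from encoding/asn1, so the rejection is a limit in the parser, not a defect in the certificate.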

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (4 by maintainers)

Most upvoted comments

@gopherbot please open a backport issue to Go 1.17. This is a regression due to Go 1.17 changes without workaround that makes it impossible to parse some valid (if a little weird) certificates.