#44, crypto/x509: omit empty extensions SEQUENCE

2025-04-26 20:26:19 +08:00 · 2022-04-15 11:05:14 +08:00 · 2022-04-15 11:05:14 +08:00 · 155ef2943d
commit 155ef2943d
parent b3f10b9a4c
2 changed files with 25 additions and 1 deletions
--- a/smx509/x509.go
+++ b/smx509/x509.go
@ -146,7 +146,7 @@ type tbsCertificate struct {
 	PublicKey          publicKeyInfo
 	UniqueId           asn1.BitString   `asn1:"optional,tag:1"`
 	SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
-	Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
+	Extensions         []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"`
 }

 type dsaAlgorithmParameters struct {
--- a/smx509/x509_test.go
+++ b/smx509/x509_test.go
@ -2430,6 +2430,30 @@ func TestDisableSHA1ForCertOnly(t *testing.T) {
 	}
 }

+func TestOmitEmptyExtensions(t *testing.T) {
+	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tmpl := &Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: ":)",
+		},
+		NotAfter:  time.Now().Add(time.Hour),
+		NotBefore: time.Now().Add(-time.Hour),
+	}
+	der, err := CreateCertificate(rand.Reader, tmpl.asX509(), tmpl.asX509(), k.Public(), k)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	emptyExtSeq := []byte{0xA3, 0x02, 0x30, 0x00}
+	if bytes.Contains(der, emptyExtSeq) {
+		t.Error("DER encoding contains the an empty extensions SEQUENCE")
+	}
+}
+
 func TestCreateCertificateLongSerial(t *testing.T) {
 	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {