mirror/gmsm
1
0
Fork 0
mirror of https://github.com/emmansun/gmsm.git synced 2025-04-26 04:06:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

Revert "#43, crypto/x509: don't allow too long serials"

Browse Source 
This reverts commit b3f10b9a4cfeb8c384282f3e61aaf7356efab636.

# Conflicts:
#	smx509/x509.go
#	smx509/x509_test.go
This commit is contained in:
Emman 2022-04-22 08:28:12 +08:00
parent 88dc7dc8ec
commit 64f522ea1b
2 changed files with 3 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
smx509/x509.go
View File

@ -1284,22 +1284,11 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
return nil, errors.New("x509: no SerialNumber given") return nil, errors.New("x509: no SerialNumber given")
} }
// RFC 5280 Section 4.1.2.2: serial number must positive and should not be longer // RFC 5280 Section 4.1.2.2: serial number must positive
// than 20 octets.
//
// We cannot simply check for len(serialBytes) > 20, because encoding/asn1 may
// pad the slice in order to prevent the integer being mistaken for a negative
// number (DER uses the high bit of the left-most byte to indicate the sign.),
// so we need to double check the composition of the serial if it is exactly
// 20 bytes.
if template.SerialNumber.Sign() == -1 { if template.SerialNumber.Sign() == -1 {
return nil, errors.New("x509: serial number must be positive") return nil, errors.New("x509: serial number must be positive")
} }
serialBytes := template.SerialNumber.Bytes()
if len(serialBytes) > 20 || (len(serialBytes) == 20 && serialBytes[0]&0x80 != 0) {
return nil, errors.New("x509: serial number exceeds 20 octets")
}
if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) { if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen") return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
} }

37
smx509/x509_test.go
View File

@ -2450,39 +2450,6 @@ func TestOmitEmptyExtensions(t *testing.T) {
} }
} }
func TestCreateCertificateLongSerial(t *testing.T) {
k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatal(err)
}
serialBytes := make([]byte, 21)
serialBytes[0] = 0x80
serialBytes[20] = 1
tooLong := big.NewInt(0).SetBytes(serialBytes)
tmpl := &Certificate{
SerialNumber: tooLong,
Subject: pkix.Name{
CommonName: ":)",
},
NotAfter: time.Now().Add(time.Hour),
NotBefore: time.Now().Add(-time.Hour),
}
expectedErr := "x509: serial number exceeds 20 octets"
_, err = CreateCertificate(rand.Reader, tmpl.asX509(), tmpl.asX509(), k.Public(), k)
if err == nil || err.Error() != expectedErr {
t.Errorf("CreateCertificate returned unexpected error: want %q, got %q", expectedErr, err)
}
serialBytes = serialBytes[:20]
tmpl.SerialNumber = big.NewInt(0).SetBytes(serialBytes)
_, err = CreateCertificate(rand.Reader, tmpl.asX509(), tmpl.asX509(), k.Public(), k)
if err == nil || err.Error() != expectedErr {
t.Errorf("CreateCertificate returned unexpected error: want %q, got %q", expectedErr, err)
} }
} }
@ -2565,6 +2532,4 @@ func TestDuplicateExtensionsCSR(t *testing.T) {
} }
_, err := ParseCertificateRequest(b.Bytes) _, err := ParseCertificateRequest(b.Bytes)
if err == nil { if err == nil {
t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions") t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions")
}
}