x509: Reallow duplicate attributes in CSRs.

This commit is contained in:
Sun Yimin 2022-11-18 10:28:22 +08:00 committed by GitHub
parent 289bfe16c0
commit 94087a6660
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 9 deletions


@ -1653,18 +1653,14 @@ func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error)
} }
var ret []pkix.Extension var ret []pkix.Extension
seenExts := make(map[string]bool) requestedExts := make(map[string]bool)
for _, rawAttr := range rawAttributes { for _, rawAttr := range rawAttributes {
var attr pkcs10Attribute var attr pkcs10Attribute
if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 { if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
// Ignore attributes that don't parse. // Ignore attributes that don't parse.
continue continue
} }
oidStr := attr.Id.String()
if seenExts[oidStr] {
return nil, errors.New("x509: certificate request contains duplicate extensions")
}
seenExts[oidStr] = true
if !attr.Id.Equal(oidExtensionRequest) { if !attr.Id.Equal(oidExtensionRequest) {
continue continue
} }
@ -1673,7 +1669,7 @@ func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error)
if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil { if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
return nil, err return nil, err
} }
requestedExts := make(map[string]bool)
for _, ext := range extensions { for _, ext := range extensions {
oidStr := ext.Id.String() oidStr := ext.Id.String()
if requestedExts[oidStr] { if requestedExts[oidStr] {
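Review bot: Nothing in the new code records that repeated attributes are now accepted on purpose, so the next reader of the attribute loop will see the rejection missing and may reintroduce it; a comment at the hoisted `requestedExts := make(map[string]bool)` would settle that, e.g. `// Attributes may repeat; only the extensions they carry are deduplicated, and requestedExts spans every extensionRequest attribute so duplicates across attributes are still rejected.` The hoist itself looks right: the per-extension check `if requestedExts[oidStr]` further down now sees extensions from earlier extensionRequest attributes too, which the old per-attribute map did not. Presumably the returned `ret` is likewise meant to accumulate across all extensionRequest attributes; if so the comment should say that as well. parseCSRExtensions starts before the first hunk and its duplicate-extension error path continues past the second.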


@ -3212,10 +3212,32 @@ VLOVx0i+/Q7fikp3hbN1JwuMTU0v2KL/IKoUcZc02+5xiYrnOIt5
func TestDuplicateExtensionsCSR(t *testing.T) { func TestDuplicateExtensionsCSR(t *testing.T) {
b, _ := pem.Decode([]byte(dupExtCSR)) b, _ := pem.Decode([]byte(dupExtCSR))
if b == nil { if b == nil {
t.Fatalf("couldn't decode test certificate") t.Fatalf("couldn't decode test CSR")
} }
_, err := ParseCertificateRequest(b.Bytes) _, err := ParseCertificateRequest(b.Bytes)
if err == nil { if err == nil {
t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions") t.Fatal("ParseCertificateRequest should fail when parsing CSR with duplicate extensions")
}
}
const dupAttCSR = `-----BEGIN CERTIFICATE REQUEST-----
MIIBbDCB1gIBADAPMQ0wCwYDVQQDEwR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQCj5Po3PKO/JNuxr+B+WNfMIzqqYztdlv+mTQhT0jOR5rTkUvxeeHH8
YclryES2dOISjaUOTmOAr5GQIIdQl4Ql33Cp7ZR/VWcRn+qvTak0Yow+xVsDo0n4
7IcvvP6CJ7FRoYBUakVczeXLxCjLwdyK16VGJM06eRzDLykPxpPwLQIDAQABoB4w
DQYCKgMxBwwFdGVzdDEwDQYCKgMxBwwFdGVzdDIwDQYJKoZIhvcNAQELBQADgYEA
UJ8hsHxtnIeqb2ufHnQFJO+wEJhx2Uxm/BTuzHOeffuQkwATez4skZ7SlX9exgb7
6jRMRilqb4F7f8w+uDoqxRrA9zc8mwY16zPsyBhRet+ZGbj/ilgvGmtZ21qZZ/FU
0pJFJIVLM3l49Onr5uIt5+hCWKwHlgE0nGpjKLR3cMg=
-----END CERTIFICATE REQUEST-----`
func TestDuplicateAttributesCSR(t *testing.T) {
b, _ := pem.Decode([]byte(dupAttCSR))
if b == nil {
t.Fatalf("couldn't decode test CSR")
}
_, err := ParseCertificateRequest(b.Bytes)
if err != nil {
t.Fatal("ParseCertificateRequest should succeed when parsing CSR with duplicate attributes")
} }
} }
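Review bot: The new TestDuplicateAttributesCSR discards the parse error on failure, which leaves a red run with no hint of what the parser objected to; use `t.Fatalf("ParseCertificateRequest should succeed when parsing CSR with duplicate attributes: %v", err)` instead of the bare `t.Fatal`. The added fixture only covers the success side of the commit; the hoisted requestedExts map now has to catch the same extension OID appearing in two separate extensionRequest attributes, and no fixture on this page exercises that, so a companion CSR asserting an error there would pin the behaviour the parser change relies on. A short comment above `dupAttCSR` naming which attribute is repeated in the fixture would also help, since the base64 blob is opaque to a reader.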