crypto/x509: ParsePKIXPublicKey parses invalid RSA public keys without errors #16166

szank · 2016-06-23T13:38:22Z

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?
go version go1.6.2 darwin/amd64
What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/mgalkowski/work/go"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.6.2/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.6.2/libexec/pkg/tool/darwin_amd64"
GO15VENDOREXPERIMENT="1"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fno-common"
CXX="clang++"
CGO_ENABLED="1"

What did you do?
If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.
https://play.golang.org/p/qMQ1aqX5Ox
What did you expect to see?
Last line should say:
Error parsing incorrect RSA public key
What did you see instead?
INCORRECT public key have been parsed

According to
RFC3279 https://tools.ietf.org/html/rfc3279#section-2.3.1 :

The rsaEncryption OID is intended to be used in the algorithm field
of a value of type AlgorithmIdentifier.  The parameters field MUST
have ASN.1 type NULL for this algorithm identifier.

Could you please fix it ?

The text was updated successfully, but these errors were encountered:

szank · 2016-06-23T13:45:34Z

I am happy to fix it myself if I find some time this weekend.

ianlancetaylor · 2016-06-23T15:03:49Z

CC @agl

This meant regenerating a lot of certs. For background, golang/go#16166.

The RFC is clear that the Parameters in an AlgorithmIdentifer for an RSA public key must be NULL. BoringSSL enforces this so we have strong evidence that this is a widely compatible change. Embarrassingly enough, the major source of violations of this is us. Go used to get this correct in only one of two places. This was only fixed in 2013 (with 4874bc9). That's why lots of test certificates are updated in this change. Fixes golang#16166. Change-Id: Ib9a4551349354c66e730d44eb8cee4ec402ea8ab Reviewed-on: https://go-review.googlesource.com/27312 Reviewed-by: Brad Fitzpatrick <[email protected]>

ianlancetaylor changed the title ~~crypto/x509 ParsePKIXPublicKey parses invalid RSA public keys without errors~~ crypto/x509: ParsePKIXPublicKey parses invalid RSA public keys without errors Jun 23, 2016

ianlancetaylor added this to the Go1.8 milestone Jun 23, 2016

agl self-assigned this Jun 23, 2016

gopherbot closed this as completed in 59aeac2 Aug 17, 2016

bprashanth mentioned this issue Feb 16, 2017

Update to Go 1.8; eval 1.8beta1 kubernetes/kubernetes#38228

Closed

joeshaw added a commit to fastly/go-utils that referenced this issue Mar 6, 2017

fix TLS tests for Go 1.8.

db0c4df

This meant regenerating a lot of certs. For background, golang/go#16166.

golang locked and limited conversation to collaborators Aug 17, 2017

gopherbot added the FrozenDueToAge label Aug 17, 2017

rsc unassigned agl Jun 23, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/x509: ParsePKIXPublicKey parses invalid RSA public keys without errors #16166

crypto/x509: ParsePKIXPublicKey parses invalid RSA public keys without errors #16166

szank commented Jun 23, 2016

szank commented Jun 23, 2016

ianlancetaylor commented Jun 23, 2016

crypto/x509: ParsePKIXPublicKey parses invalid RSA public keys without errors #16166

crypto/x509: ParsePKIXPublicKey parses invalid RSA public keys without errors #16166

Comments

szank commented Jun 23, 2016

szank commented Jun 23, 2016

ianlancetaylor commented Jun 23, 2016