encoding/asn1: accepts non-minimal OID encoding #36881

jsha · 2020-01-29T23:24:20Z

go version go1.13.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (`go env`)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/jsha/.cache/go-build"
GOENV="/home/jsha/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/jsha/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/jsha/go1.13"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/jsha/go1.13/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build221529794=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Passed an invalidly-encoded OID to asn1.Unmarshal

What did you expect to see?

Parse error.

What did you see instead?

Successful parse.

Here's an example program demonstrating the problem, along with a reference to the ASN.1 spec:

https://play.golang.org/p/ETqZ6Kxz16G

package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"log"
)

func main() {
	var o asn1.ObjectIdentifier
	// Correct encoding; each component of the ObjectIdentifier is encoded
	// minimally.
	s, err := hex.DecodeString("06092a864886f70d01010b")
	if err != nil {
		log.Fatal(err)
	}
	_, err = asn1.Unmarshal(s, &o)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(o)
	// Incorrect encoding; the 0x80 byte encodes a zero prefix in base 128, which
	// violate's X.690's requirement to minimally-encode OIDs (which applies
	// to both BER and DER). Ref: X.690 2015, §8.19.2 "The subidentifier shall be
	// encoded in the fewest possible octets, that is, the leading octet of the
	// subidentifier shall not have the value [0x80]"
	s, err = hex.DecodeString("060a2a80864886f70d01010b")
	if err != nil {
		log.Fatal(err)
	}
	_, err = asn1.Unmarshal(s, &o)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(o)
}

The text was updated successfully, but these errors were encountered:

cagedmantis · 2020-02-07T16:18:31Z

/cc @FiloSottile @agl

FiloSottile · 2020-02-19T22:30:19Z

Do we know of frequent occurrences of this in the wild? (Trying to understand if we'll cause breakage.)

jsha · 2020-02-19T22:35:38Z

I haven't seen this in the wild, but I also haven't looked. Just occurred to me to try out Go's behavior when I read that section of the spec.

FiloSottile · 2020-02-19T22:37:06Z

Let's fix this early so it has time to bake. I'd take a CL for it!

Reject base 128 encoded integers that aren't using minimal encoding, specifically if the leading octet of an encoded integer is 0x80. This only affects parsing of tags and OIDs, both of which expect this encoding (see X.690 8.1.2.4.2 and 8.19.2). Fixes golang#36881 Change-Id: I969cf48ac1fba7e56bac334672806a0784d3e123

gopherbot · 2020-04-06T18:23:38Z

Change https://golang.org/cl/227320 mentions this issue: encoding/asn1: only accept minimally encoded base 128 integers

odeke-em · 2020-06-30T08:15:49Z

@rolandshoemaker @FiloSottile @jsha could we perhaps send a release note documenting this update? It is a new change that'll surprise some folks.

rolandshoemaker · 2020-06-30T14:54:53Z

Yup, will do.

cagedmantis added this to the Backlog milestone Feb 7, 2020

cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 7, 2020

FiloSottile added the NeedsFix The path to resolution is known, but the work has not been done. label Feb 19, 2020

gopherbot removed the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 19, 2020

FiloSottile modified the milestones: Backlog, Go1.15 Feb 19, 2020

FiloSottile added the early-in-cycle A change that should be done early in the 3 month dev cycle. label Feb 19, 2020

rolandshoemaker mentioned this issue Apr 6, 2020

encoding/asn1: only accept minimally encoded base 128 integers #38281

Closed

sebastien-rosset mentioned this issue Apr 29, 2020

encoding/asn1, crypto/x509: failed to parse Intermediate CA certificate #38737

Open

gopherbot closed this as completed in 1764819 May 7, 2020

nickysemenza mentioned this issue Nov 13, 2020

Tests fail in go 1.15 cloudflare/cfssl#1147

Closed

golang locked and limited conversation to collaborators Jun 30, 2021

gopherbot added the FrozenDueToAge label Jun 30, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

encoding/asn1: accepts non-minimal OID encoding #36881

encoding/asn1: accepts non-minimal OID encoding #36881

jsha commented Jan 29, 2020 •

edited

Loading

cagedmantis commented Feb 7, 2020

FiloSottile commented Feb 19, 2020

jsha commented Feb 19, 2020

FiloSottile commented Feb 19, 2020

gopherbot commented Apr 6, 2020

odeke-em commented Jun 30, 2020 •

edited

Loading

rolandshoemaker commented Jun 30, 2020

encoding/asn1: accepts non-minimal OID encoding #36881

encoding/asn1: accepts non-minimal OID encoding #36881

Comments

jsha commented Jan 29, 2020 • edited Loading

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

What did you do?

What did you expect to see?

What did you see instead?

cagedmantis commented Feb 7, 2020

FiloSottile commented Feb 19, 2020

jsha commented Feb 19, 2020

FiloSottile commented Feb 19, 2020

gopherbot commented Apr 6, 2020

odeke-em commented Jun 30, 2020 • edited Loading

rolandshoemaker commented Jun 30, 2020

jsha commented Jan 29, 2020 •

edited

Loading

What operating system and processor architecture are you using (`go env`)?

odeke-em commented Jun 30, 2020 •

edited

Loading