Skip to content

crypto/x509: should error if non-CA certificate contains name constraints #71795

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dulanshuangqiao opened this issue Feb 17, 2025 · 3 comments
Open

crypto/x509: should error if non-CA certificate contains name constraints #71795

dulanshuangqiao opened this issue Feb 17, 2025 · 3 comments
Labels
BugReport Issues describing a possible bug in the Go implementation. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@dulanshuangqiao
Copy link

Go version

go version go1.23.2 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/liu/.cache/go-build'
GOENV='/home/liu/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/liu/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/liu/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/snap/go/10730'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/snap/go/10730/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.2'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/liu/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build578094757=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Perform certificate verification
go run go_verify.go

certs&program.zip

What did you see happen?

The execution result is passed verification
Certificate is valid!

What did you expect to see?

According to RFC 5280, Section 4.2.1.10, the Name Constraints extension is permitted only in CA certificates, not in end-entity certificates.
Cryptography fails to verify the certificate and throws the relevant error according to RFC5280: Certificate verification failed: validation failed: invalid extension: 2.5.29.30: Certificate contains prohibited extension
@seankhliao seankhliao changed the title crypto/x509: Accept non-CA certificates with name constraints crypto/x509: should error if non-CA certificate contains name constraints Feb 17, 2025
@gabyhelp
Copy link

Related Issues

Related Code Changes

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@gabyhelp gabyhelp added the BugReport Issues describing a possible bug in the Go implementation. label Feb 17, 2025
@mknyszek
Copy link
Contributor

CC @golang/security

@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 18, 2025
@mknyszek mknyszek added this to the Backlog milestone Feb 18, 2025
@gabyhelp gabyhelp mentioned this issue Feb 19, 2025
Open
@gabyhelp gabyhelp mentioned this issue Mar 3, 2025
Open
@dulanshuangqiao
Copy link
Author

CC @golang/security

There is no staff to handle this report for a long time.I hope a developer can review my report,This is very important for my work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BugReport Issues describing a possible bug in the Go implementation. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@mknyszek @dulanshuangqiao @gabyhelp