crypto/x509: Verify should reject certificates with empty issuers

[dulanshuangqiao]

Go version

go version go1.23.2 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/liu/.cache/go-build'
GOENV='/home/liu/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/liu/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/liu/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/snap/go/10730'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/snap/go/10730/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.2'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/liu/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build578094757=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Perform certificate verification
go run go_verify.go

certs.zip

What did you see happen?

The execution result is passed verification
Certificate is valid!

What did you expect to see?

RFC5280 mentions: The issuer field MUST contain a non-empty distinguished name (DN). This means that the certificate I provided should not pass the validation.
Gnutls threw an error when validating it：
Loaded CAs (1 available)
gnutls_x509_crt_get_issuer_dn: The requested data were not available.

[gabyhelp]

Related Issues

• crypto/x509: should error if non-CA certificate contains name constraints #71795
• crypto/x509: NameConstraintsWithoutSANs when checking signing certificate #24151 (closed)
• crypto/x509: certificate with empty Authority Key Identifier extension considered invalid #70619
• crypto/x509: ParseCertificate fails with "net/url: invalid userinfo" #69930 (closed)
• crypto/x509: Certificate.Verify does not consistently return UnknownAuthorityError #58777
• crypto/x509: CheckSignatureFrom does not verify Issuer matches parent's Subject #14955 (closed)
• crypto/x509: invalid certificate policies #65990 (closed)
• crypto/x509: certificate verification does not correctly compare subject and issuer names for equality #36027 (closed)
• affected/package: crypto/tls cert.Verify does not work on Ubuntu 22.04 #59915 (closed)

Related Code Changes

• crypto/x509: return better error when a certificate contains no names.

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[rlanhellas]

@dulanshuangqiao , I'm investigating your problem, but would be good to update your code, since this certificate is not valid anymore, you need to set custom CurrentTime in order to execute it again:

// this ensure your code will execute always, regardless of current time, since your certificate has a short valid period
customNow := time.Date(2024, 04, 01, 0, 0, 0, 0, time.Now().UTC().Location()) 
	opts := x509.VerifyOptions{
		Roots:       rootCertPool,
		CurrentTime: customNow,
	}

[dulanshuangqiao]

@dulanshuangqiao , I'm investigating your problem, but would be good to update your code, since this certificate is not valid anymore, you need to set custom CurrentTime in order to execute it again:

// this ensure your code will execute always, regardless of current time, since your certificate has a short valid period
customNow := time.Date(2024, 04, 01, 0, 0, 0, 0, time.Now().UTC().Location()) 
	opts := x509.VerifyOptions{
		Roots:       rootCertPool,
		CurrentTime: customNow,
	}

OK, I'll wait for your results.

[gopherbot]

Change https://go.dev/cl/655715 mentions this issue: crypto/x509: improve Certificate validation avoiding empty issuers