bz1290472 Accept x509 certs with negative serial
parent
c524af8454
commit
8b92652b24
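--- a/bz1290543.patch
+++ b/bz1290543.patch
@@ -0,0 +1,55 @@
+From a0ea93dea5f5741addc8c96b7ed037d0e359e33f Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl@golang.org>
+Date: Fri, 27 Nov 2015 13:50:36 -0800
+Subject: [PATCH] crypto/x509: permit serial numbers to be negative.
+
+Some software that produces certificates doesn't encode integers
+correctly and, about half the time, ends up producing certificates with
+serial numbers that are actually negative.
+
+This buggy software, sadly, appears to be common enough that we should
+let these errors pass. This change allows a Certificate.SerialNumber to
+be negative.
+
+Fixes #8265.
+
+Change-Id: Ief35dae23988fb6d5e2873e3c521366fb03c6af4
+Reviewed-on: https://go-review.googlesource.com/17247
+Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
+---
+src/crypto/x509/x509.go | 4 ----
+src/crypto/x509/x509_test.go | 6 +++++-
+2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
+index bbc63241..126432d 100644
+--- a/src/crypto/x509/x509.go
++++ b/src/crypto/x509/x509.go
+@@ -909,10 +909,6 @@ func parseCertificate(in *certificate) (*Certificate, error) {
+return nil, err
+}
+
+- if in.TBSCertificate.SerialNumber.Sign() < 0 {
+- return nil, errors.New("x509: negative serial number")
+- }
+-
+out.Version = in.TBSCertificate.Version + 1
+out.SerialNumber = in.TBSCertificate.SerialNumber
+
+diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
+index 61b1773..2c01ec7 100644
+--- a/src/crypto/x509/x509_test.go
++++ b/src/crypto/x509/x509_test.go
+@@ -343,7 +343,11 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
+for _, test := range tests {
+commonName := "test.example.com"
+template := Certificate{
+- SerialNumber: big.NewInt(1),
++ // SerialNumber is negative to ensure that negative
++ // values are parsed. This is due to the prevalence of
++ // buggy code that produces certificates with negative
++ // serial numbers.
++ SerialNumber: big.NewInt(-1),
+Subject: pkix.Name{
+CommonName: commonName,
+Organization: []string{"Σ Acme Co"},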
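Review bot: After the `Sign() < 0` rejection is dropped from parseCertificate, nothing at the `out.SerialNumber = in.TBSCertificate.SerialNumber` assignment tells a reader that the field may now hold a negative value, although RFC 5280 requires conforming CAs to issue positive serial numbers. I would add a comment there such as `// SerialNumber may be negative: certificates from non-conforming issuers are tolerated.` Code that consumes the serial (revocation-list matching, use as a map or database key, hex rendering in logs) should be checked for sign handling, since it could previously assume a non-negative value. The only test change is the create-and-parse round trip in TestCreateSelfSignedCertificate with `big.NewInt(-1)`; a parse test over a fixed DER certificate from such an issuer would pin the behaviour independently of the creation path. Both functions start and end outside the hunks shown.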
11
golang.spec
11
golang.spec
@ -89,7 +89,7 @@
|
||||
|
||||
Name: golang
|
||||
Version: 1.5.2
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: The Go Programming Language
|
||||
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
|
||||
License: BSD and Public Domain
|
||||
@ -122,6 +122,10 @@ Patch0: golang-1.2-verbose-build.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1038683
|
||||
Patch1: golang-1.2-remove-ECC-p224.patch
|
||||
# Accept x509 certs with negative serial
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1290543
|
||||
# https://github.com/golang/go/issues/8265
|
||||
Patch2: bz1290543.patch
|
||||
|
||||
# use the arch dependent path in the bootstrap
|
||||
Patch212: golang-1.5-bootstrap-binary-path.patch
|
||||
@ -256,6 +260,8 @@ Summary: Golang shared object libraries
|
||||
# remove the P224 curve
|
||||
%patch1 -p1
|
||||
|
||||
%patch2 -p1
|
||||
|
||||
# use the arch dependent path in the bootstrap
|
||||
%patch212 -p1
|
||||
|
||||
@ -472,6 +478,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Dec 11 2015 Jakub Čajka <jcajka@redhat.com> - 1.5.2-2
|
||||
- bz1290472 Accept x509 certs with negative serial
|
||||
|
||||
* Tue Dec 08 2015 Jakub Čajka <jcajka@redhat.com> - 1.5.2-1
|
||||
- bz1288263 rebase to 1.5.2
|
||||
- spec file clean up
|
||||
|
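Review bot: The bug number is inconsistent across this change: the commit title and the new %changelog entry cite bz1290472, while the patch file name and the comment above `Patch2:` point to bug 1290543. Since this patch relaxes a certificate-parsing check, the changelog and the patch reference should agree so the change can be traced to a single tracker entry, for example `- bz1290543 Accept x509 certs with negative serial` if the spec comment holds the correct id. In %prep the new `%patch2 -p1` follows the `# remove the P224 curve` comment block without a comment of its own; a line such as `# accept x509 certs with negative serial` above it would match how the other patches are introduced.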