bz1290472 Accept x509 certs with negative serial

This commit is contained in:
Jakub Čajka 2015-12-11 12:51:16 +01:00
parent c524af8454
commit 8b92652b24
2 changed files with 65 additions and 1 deletions

55
bz1290543.patch Normal file
View File

@ -0,0 +1,55 @@
From a0ea93dea5f5741addc8c96b7ed037d0e359e33f Mon Sep 17 00:00:00 2001
From: Adam Langley <agl@golang.org>
Date: Fri, 27 Nov 2015 13:50:36 -0800
Subject: [PATCH] crypto/x509: permit serial numbers to be negative.
Some software that produces certificates doesn't encode integers
correctly and, about half the time, ends up producing certificates with
serial numbers that are actually negative.
This buggy software, sadly, appears to be common enough that we should
let these errors pass. This change allows a Certificate.SerialNumber to
be negative.
Fixes #8265.
Change-Id: Ief35dae23988fb6d5e2873e3c521366fb03c6af4
Reviewed-on: https://go-review.googlesource.com/17247
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---
src/crypto/x509/x509.go | 4 ----
src/crypto/x509/x509_test.go | 6 +++++-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
index bbc63241..126432d 100644
--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
@@ -909,10 +909,6 @@ func parseCertificate(in *certificate) (*Certificate, error) {
return nil, err
}
- if in.TBSCertificate.SerialNumber.Sign() < 0 {
- return nil, errors.New("x509: negative serial number")
- }
-
out.Version = in.TBSCertificate.Version + 1
out.SerialNumber = in.TBSCertificate.SerialNumber
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 61b1773..2c01ec7 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -343,7 +343,11 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
for _, test := range tests {
commonName := "test.example.com"
template := Certificate{
- SerialNumber: big.NewInt(1),
+ // SerialNumber is negative to ensure that negative
+ // values are parsed. This is due to the prevalence of
+ // buggy code that produces certificates with negative
+ // serial numbers.
+ SerialNumber: big.NewInt(-1),
Subject: pkix.Name{
CommonName: commonName,
Organization: []string{"Σ Acme Co"},

View File

@ -89,7 +89,7 @@
Name: golang
Version: 1.5.2
Release: 1%{?dist}
Release: 2%{?dist}
Summary: The Go Programming Language
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
License: BSD and Public Domain
@ -122,6 +122,10 @@ Patch0: golang-1.2-verbose-build.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1038683
Patch1: golang-1.2-remove-ECC-p224.patch
# Accept x509 certs with negative serial
# https://bugzilla.redhat.com/show_bug.cgi?id=1290543
# https://github.com/golang/go/issues/8265
Patch2: bz1290543.patch
# use the arch dependent path in the bootstrap
Patch212: golang-1.5-bootstrap-binary-path.patch
@ -256,6 +260,8 @@ Summary: Golang shared object libraries
# remove the P224 curve
%patch1 -p1
%patch2 -p1
# use the arch dependent path in the bootstrap
%patch212 -p1
@ -472,6 +478,9 @@ fi
%endif
%changelog
* Fri Dec 11 2015 Jakub Čajka <jcajka@redhat.com> - 1.5.2-2
- bz1290472 Accept x509 certs with negative serial
* Tue Dec 08 2015 Jakub Čajka <jcajka@redhat.com> - 1.5.2-1
- bz1288263 rebase to 1.5.2
- spec file clean up