}
var ret []pkix.Extension
- seenExts := make(map[string]bool)
+ requestedExts := make(map[string]bool)
for _, rawAttr := range rawAttributes {
var attr pkcs10Attribute
if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
// Ignore attributes that don't parse.
continue
}
- oidStr := attr.Id.String()
- if seenExts[oidStr] {
- return nil, errors.New("x509: certificate request contains duplicate extensions")
- }
- seenExts[oidStr] = true
if !attr.Id.Equal(oidExtensionRequest) {
continue
if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
return nil, err
}
- requestedExts := make(map[string]bool)
for _, ext := range extensions {
oidStr := ext.Id.String()
if requestedExts[oidStr] {
func TestDuplicateExtensionsCSR(t *testing.T) {
b, _ := pem.Decode([]byte(dupExtCSR))
if b == nil {
- t.Fatalf("couldn't decode test certificate")
+ t.Fatalf("couldn't decode test CSR")
}
_, err := ParseCertificateRequest(b.Bytes)
if err == nil {
- t.Fatal("ParseCertificate should fail when parsing certificate with duplicate extensions")
+ t.Fatal("ParseCertificateRequest should fail when parsing CSR with duplicate extensions")
+ }
+}
+
+const dupAttCSR = `-----BEGIN CERTIFICATE REQUEST-----
+MIIBbDCB1gIBADAPMQ0wCwYDVQQDEwR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQCj5Po3PKO/JNuxr+B+WNfMIzqqYztdlv+mTQhT0jOR5rTkUvxeeHH8
+YclryES2dOISjaUOTmOAr5GQIIdQl4Ql33Cp7ZR/VWcRn+qvTak0Yow+xVsDo0n4
+7IcvvP6CJ7FRoYBUakVczeXLxCjLwdyK16VGJM06eRzDLykPxpPwLQIDAQABoB4w
+DQYCKgMxBwwFdGVzdDEwDQYCKgMxBwwFdGVzdDIwDQYJKoZIhvcNAQELBQADgYEA
+UJ8hsHxtnIeqb2ufHnQFJO+wEJhx2Uxm/BTuzHOeffuQkwATez4skZ7SlX9exgb7
+6jRMRilqb4F7f8w+uDoqxRrA9zc8mwY16zPsyBhRet+ZGbj/ilgvGmtZ21qZZ/FU
+0pJFJIVLM3l49Onr5uIt5+hCWKwHlgE0nGpjKLR3cMg=
+-----END CERTIFICATE REQUEST-----`
+
+func TestDuplicateAttributesCSR(t *testing.T) {
+ b, _ := pem.Decode([]byte(dupAttCSR))
+ if b == nil {
+ t.Fatalf("couldn't decode test CSR")
+ }
+ _, err := ParseCertificateRequest(b.Bytes)
+ if err != nil {
+ t.Fatal("ParseCertificateRequest should succeed when parsing CSR with duplicate attributes")
}
}