]> Cypherpunks.ru repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 66f03f7)
crypto/x509: omit empty extensions SEQUENCE
authorRoland Shoemaker <roland@golang.org>
Wed, 13 Apr 2022 04:22:22 +0000 (21:22 -0700)
committerGopher Robot <gobot@golang.org>
Wed, 13 Apr 2022 18:05:20 +0000 (18:05 +0000)
In CreateCertificate, if there are no extensions, don't include the
extensions SEQUENCE in the encoded certificate.

Why, you might ask, does the encoding/asn1 tag 'optional' not do
the same thing as 'omitempty'? Good question, no clue, fixing that
would probably break things in horrific ways.

Fixes #52319

Change-Id: I84fdd5ff3e4e0b0a59e3bf86e7439753b1e1477b
Reviewed-on: https://go-review.googlesource.com/c/go/+/399827
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>

src/crypto/x509/x509.go patch | blob | history
src/crypto/x509/x509_test.go patch | blob | history

diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
index bcc14a0056d5e542bd567b6d31fe44c6025da387..e28e213dc123a4f597e607a165274d8e181a4e8d 100644 (file)
--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
@@ -155,7 +155,7 @@ type tbsCertificate struct {
        PublicKey          publicKeyInfo
        UniqueId           asn1.BitString   `asn1:"optional,tag:1"`
        SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
-       Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
+       Extensions         []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"`
 }
 
 type dsaAlgorithmParameters struct {
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index d8dde2501954633c58e58750d376de408ef670dd..818a9750c34c9c9d43a4a53bd2ec505841ef6e6c 100644 (file)
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -3568,3 +3568,27 @@ func TestRevocationListCheckSignatureFrom(t *testing.T) {
                })
        }
 }
+
+func TestOmitEmptyExtensions(t *testing.T) {
+       k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+       if err != nil {
+               t.Fatal(err)
+       }
+       tmpl := &Certificate{
+               SerialNumber: big.NewInt(1),
+               Subject: pkix.Name{
+                       CommonName: ":)",
+               },
+               NotAfter:  time.Now().Add(time.Hour),
+               NotBefore: time.Now().Add(-time.Hour),
+       }
+       der, err := CreateCertificate(rand.Reader, tmpl, tmpl, k.Public(), k)
+       if err != nil {
+               t.Fatal(err)
+       }
+
+       emptyExtSeq := []byte{0xA3, 0x02, 0x30, 0x00}
+       if bytes.Contains(der, emptyExtSeq) {
+               t.Error("DER encoding contains the an empty extensions SEQUENCE")
+       }
+}
Go GOST TLS 1.3