crypto/x509: ParseCertificate fails with "net/url: invalid userinfo"
Go version
go version go1.18.1 linux/amd64
Output of go env in your module/workspace:
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/liu/.cache/go-build"
GOENV="/home/liu/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/liu/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/liu/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.18"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.18/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3649475886=/tmp/go-build -gno-record-gcc-switches"
What did you do?
Used cert, err := x509.ParseCertificate(derBytes) to process the certificate.
What did you see happen?
Error message: cannot parse URI "https://1kYj\[@.cfZGv3T_Tr.D?/zrm3/4WA/Ir}BQ/yR]/0[g?<tX=uR?&K'O={d2}&sG?rLi=<}e>": parse "https://1kYj\[@.cfZGv3T_Tr.D?/zrm3/4WA/Ir}BQ/yR]/0[g?<tX=uR?&K'O={d2}&sG?rLi=<}e>": net/url: invalid userinfo
What did you expect to see?
The results are different from OpenSSL and GnuTLS. OpenSSL's openssl x509 -noout -text -in filename and GnuTLS's certtool -i --infile=filename --inraw successfully viewed the certificate. Both successfully resolved the SAN.
Related Issues and Documentation
- crypto/x509: invalid certificate policies #65990 (closed)
- crypto/x509: malformed x509 certificate is accepted since 1.17 #51369
- crypto/x509: cannot parse certificate IP & net/http cannot ignore this certificate error #65829 (closed)
- x/crypto: x509: invalid certificate policies #53773 (closed)
- crypto/x509: certificate validation in Windows fails to validate IP in SAN #37176
- crypto/x509: ParseCertificate and ParseCertificates return different errors with a single bad certificate supplied #43113
- crypto/x509: parse SAN DirectoryName #47618 (closed)
- crypto/x509: unable to parse certificate parsable by Java #33259
- crypto/tls: LoadX509KeyPair fails to parse some keys, yet they are accepted by OpenSSL #21807 (closed)
- crypto/x509: Verification of ECDSA signed x509 cert, sanitized to LowS certs fails verification with go 1.19 #54549
This seems to happen here:
https://github.com/golang/go/blob/6853d89477e0886c7c96b08e7efaf74abedfcf71/src/crypto/x509/parser.go#L389-L397
And the URL seems to be invalid; see the simpler reproducer https://go.dev/play/p/IMYvwnRjF7F
CC @neild (as per https://dev.golang.org/owners for net/url); not sure how to judge that URL. I guess openssl x509 does not validate URLs and just displays them, so it works there.
See https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
When the subjectAltName extension contains a URI, the name MUST be stored in the uniformResourceIdentifier (an IA5String). The name MUST NOT be a relative URI, and it MUST follow the URI syntax and encoding rules specified in [RFC3986].
The other tools may be for more general X.509 usage; crypto/x509 targets the Web PKI, where URIs are more restricted.
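The following is an added example, not code from the issue or from the Go project. It shows the two things the thread is about in one runnable program: the check crypto/x509 applies to every uniformResourceIdentifier SAN (the IA5String must be accepted by net/url's Parse, so a backslash in the userinfo part fails with "net/url: invalid userinfo"), and a full round trip of well-formed SAN URIs through x509.CreateCertificate and x509.ParseCertificate to show that the parser keeps them intact. All URIs, the subject name and the key are constructed for the example; the rejected URI only mimics the shape of the reported one (a backslash and a bracket in the userinfo) and is not the certificate from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// checkSANURI applies the test crypto/x509 applies to each
// uniformResourceIdentifier SAN before it returns a *Certificate: the
// string must be accepted by url.Parse. A SAN URI that OpenSSL or GnuTLS
// would simply print fails here if it violates RFC 3986 syntax.
func checkSANURI(raw string) error {
	if _, err := url.Parse(raw); err != nil {
		return fmt.Errorf("cannot parse URI %q: %w", raw, err)
	}
	return nil
}

// selfSignedWithURIs builds a DER-encoded, self-signed certificate whose
// subjectAltName carries the given URIs. The key and subject are
// throwaway values chosen for this example.
func selfSignedWithURIs(uris []*url.URL) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "san-uri-example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         uris,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// roundTripURIs encodes the given URI strings into a certificate's SAN,
// parses the certificate back with x509.ParseCertificate and returns the
// URI strings the parser recovered, so a caller can confirm nothing was
// dropped or rejected on the way through.
func roundTripURIs(raw []string) ([]string, error) {
	uris := make([]*url.URL, 0, len(raw))
	for _, r := range raw {
		u, err := url.Parse(r)
		if err != nil {
			return nil, err
		}
		uris = append(uris, u)
	}
	der, err := selfSignedWithURIs(uris)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(cert.URIs))
	for _, u := range cert.URIs {
		out = append(out, u.String())
	}
	return out, nil
}

func main() {
	// Constructed candidates. The last one mimics the reported SAN: its
	// userinfo contains a backslash, which RFC 3986 does not allow there.
	candidates := []string{
		"https://example.com/path?q=1",
		"spiffe://trust.domain/ns/default/sa/web",
		`https://1kYj\[@example.com/`,
	}
	for _, c := range candidates {
		if err := checkSANURI(c); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", c)
		}
	}

	// Only the well-formed URIs can be carried through CreateCertificate,
	// because url.URL.String() percent-encodes anything it would not parse.
	got, err := roundTripURIs(candidates[:2])
	if err != nil {
		fmt.Println("round trip failed:", err)
		return
	}
	fmt.Println("SAN URIs recovered by ParseCertificate:", got)
}
```

Note that the failure is all-or-nothing: x509.ParseCertificate returns only the error, so there is no partial *Certificate to inspect and no option in crypto/x509 to relax the URI check. A certificate like the reported one has to be repaired or re-issued on the issuer side.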