languages/go
languages/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-02 13:42:29 +00:00
Code Issues Projects Releases Packages Wiki Activity

crypto/x509: fix Certificate.Verify crash

Browse source 
(Primarily from Josh)

Fixes #51759

Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com>
Change-Id: I0a6f2623b57750abd13d5e194b5c6ffa3be6bf72
Reviewed-on: https://go-review.googlesource.com/c/go/+/393655
Trust: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
This commit is contained in:
Brad Fitzpatrick 2022-03-17 09:39:46 -07:00
parent c379c3d58d
commit 0fca8a8f25
2 changed files with 40 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/crypto/x509/root_darwin.go
View file

@ -13,6 +13,9 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
certs := macOS.CFArrayCreateMutable() certs := macOS.CFArrayCreateMutable()
defer macOS.ReleaseCFArray(certs) defer macOS.ReleaseCFArray(certs)
leaf := macOS.SecCertificateCreateWithData(c.Raw) leaf := macOS.SecCertificateCreateWithData(c.Raw)
if leaf == 0 {
return nil, errors.New("invalid leaf certificate")
}
macOS.CFArrayAppendValue(certs, leaf) macOS.CFArrayAppendValue(certs, leaf)
if opts.Intermediates != nil { if opts.Intermediates != nil {
for _, lc := range opts.Intermediates.lazyCerts { for _, lc := range opts.Intermediates.lazyCerts {
@ -21,9 +24,11 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
return nil, err return nil, err
} }
sc := macOS.SecCertificateCreateWithData(c.Raw) sc := macOS.SecCertificateCreateWithData(c.Raw)
if sc != 0 {
macOS.CFArrayAppendValue(certs, sc) macOS.CFArrayAppendValue(certs, sc)
} }
} }
}
policies := macOS.CFArrayCreateMutable() policies := macOS.CFArrayCreateMutable()
defer macOS.ReleaseCFArray(policies) defer macOS.ReleaseCFArray(policies)

34
src/crypto/x509/verify_test.go
View file

@ -1876,3 +1876,37 @@ func TestSystemRootsErrorUnwrap(t *testing.T) {
t.Error("errors.Is failed, wanted success") t.Error("errors.Is failed, wanted success")
} }
} }
func TestIssue51759(t *testing.T) {
// badCertData contains a cert that we parse as valid
// but that macOS SecCertificateCreateWithData rejects.
const badCertData = "0\x82\x01U0\x82\x01\a\xa0\x03\x02\x01\x02\x02\x01\x020\x05\x06\x03+ep0R1P0N\x06\x03U\x04\x03\x13Gderpkey8dc58100b2493614ee1692831a461f3f4dd3f9b3b088e244f887f81b4906ac260\x1e\x17\r220112235755Z\x17\r220313235755Z0R1P0N\x06\x03U\x04\x03\x13Gderpkey8dc58100b2493614ee1692831a461f3f4dd3f9b3b088e244f887f81b4906ac260*0\x05\x06\x03+ep\x03!\x00bA\xd8e\xadW\xcb\xefZ\x89\xb5\"\x1eR\x9d\xba\x0e:\x1042Q@\u007f\xbd\xfb{ks\x04\xd1£\x020\x000\x05\x06\x03+ep\x03A\x00[\xa7\x06y\x86(\x94\x97\x9eLwA\x00\x01x\xaa\xbc\xbd Ê]\n(΅!ف0\xf5\x9a%I\x19<\xffo\xf1\xeaaf@\xb1\xa7\xaf\xfd\xe9R\xc7\x0f\x8d&\xd5\xfc\x0f;Ϙ\x82\x84a\xbc\r"
badCert, err := ParseCertificate([]byte(badCertData))
if err != nil {
t.Fatal(err)
}
t.Run("leaf", func(t *testing.T) {
opts := VerifyOptions{}
_, err = badCert.Verify(opts)
if err == nil {
t.Fatal("expected error")
}
})
goodCert, err := certificateFromPEM(googleLeaf)
if err != nil {
t.Fatal(err)
}
t.Run("intermediate", func(t *testing.T) {
opts := VerifyOptions{
Intermediates: NewCertPool(),
}
opts.Intermediates.AddCert(badCert)
_, err = goodCert.Verify(opts)
if err == nil {
t.Fatal("expected error")
}
})
}