repeated extension

[dulanshuangqiao]

Go version

go version go1.18.1 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/liu/.cache/go-build"
GOENV="/home/liu/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/liu/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/liu/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.18"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.18/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3649475886=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I use x509.ParseCertificate(derBytes) to parse a der certificate which has two aki extensions Test Cases.zip

What did you see happen?

The test case was parsed successfully

What did you expect to see?

This test case does not comply with the RFC5280 specification: 4.2 Introduction: "A certificate MUST NOT include more than one instance of a particular extension. For example, a certificate may contain only one authority key identifier extension (Section 4.2.1.1)." Is this a defect? ​​As a comparison, the Bouncycastle function X509CertificateHolder(derBytes) in the Java language throws an error: repeated extension found: 2.5.29.35

[gabyhelp]

Related Issues and Documentation

• crypto/x509: ParseCertificate and ParseCertificateRequest should return an error when there are duplicate x509 extensions #50988 (closed)
• crypto does not recognize the extension "authority key identifier" #43868 (closed)
• crypto/x509: ParseCertificate duplicate extensions errors should include OID of the affected extension #66880 (closed)
• crypto/x509: go.1.15 onwards CreateCertificate signed by CA cert adds unparseable ASN1 blocks under x509.Certificate.Extensions #47526 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[Re2906]

Go version

go version go1.18.1 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/liu/.cache/go-build"
GOENV="/home/liu/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/liu/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/liu/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.18"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.18/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3649475886=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I use x509.ParseCertificate(derBytes) to parse a der certificate which has two aki extensions Test Cases.zip

What did you see happen?

The test case was parsed successfully

What did you expect to see?

This test case does not comply with the RFC5280 specification: 4.2 Introduction: "A certificate MUST NOT include more than one instance of a particular extension. For example, a certificate may contain only one authority key identifier extension (Section 4.2.1.1)." Is this a defect? ​​As a comparison, the Bouncycastle function X509CertificateHolder(derBytes) in the Java language throws an error: repeated extension found: 2.5.29.35

[seankhliao]

Duplicate of #50988