x509.ParseCertificate return err


Wei Tang

Jul 24, 2019, 5:30:41 AM
to golang-nuts
Hi, I have a problem with x509.ParseCertificate.

My code is:

package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

func main() {
	certPEM := `
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		panic("failed to parse certificate PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse certificate: " + err.Error())
	}
	fmt.Println(cert)
}


but x509.ParseCertificate returns an error:

panic: failed to parse certificate: asn1: syntax error: truncated tag or length


What's wrong? 

Please help.


Wei Tang

Jul 24, 2019, 6:08:51 AM
to golang-nuts
But in Java, the code below can parse the PEM content. Is there some difference in the x509 implementation between Go and Java?

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class SoterServerDemo {
    public static void main(String[] args) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            X509Certificate askCertificate = (X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream("content of pem file".getBytes()));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}



On Wednesday, July 24, 2019 at 5:30:41 PM UTC+8, Wei Tang wrote:

Amar Akshat

Jul 24, 2019, 9:28:55 AM
to Wei Tang, golang-nuts
I think the extensions in your certificate might be invalid, namely CRL Distribution Points (2.5.29.31):

X509v3 CRL Distribution Points:
           SEQUENCE {
  437    3:   OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
  442    1:   OCTET STRING 00
           : }

Per the RFC https://www.ietf.org/rfc/rfc5280.txt, cRLDistributionPoints has to respect a certain definition and is a sequence of distributionPoint(s). In your case it seems to be empty.
I could parse this certificate with Python's x509 library and openssl command as well, but I think these implementations might be lenient in parsing non-critical extensions.

An example of valid cRLDistributionPoints extension would be:

X509v3 CRL Distribution Points:

    Full Name:
      URI:ldap://www.example.com/ldap?DN=TEST

    Full Name:
      URI:http://www.example.com/crl/test.crl

--
- Cheers, Amar.
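A lone 0x00 byte, as in the dump above, is an ASN.1 tag with no length octet, which Go's encoding/asn1 reports as "truncated tag or length", the same error the first post hit. The following is an added example, not code from the thread, that decodes a cRLDistributionPoints value under those strict DER rules and builds a well-formed value (using the example URI above) for comparison; the struct shapes follow RFC 5280 and are assumed here rather than taken from crypto/x509.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// RFC 5280 DistributionPoint shapes, assumed here; crypto/x509 keeps its own unexported copies.
type distributionPointName struct {
	FullName     []asn1.RawValue `asn1:"optional,tag:0"`
	RelativeName asn1.RawValue   `asn1:"optional,tag:1"`
}
type distributionPoint struct {
	DistributionPoint distributionPointName `asn1:"optional,tag:0"`
	Reasons           asn1.BitString        `asn1:"optional,tag:1"`
	CRLIssuer         asn1.RawValue         `asn1:"optional,tag:2"`
}

// ParseCRLDistributionPoints decodes a cRLDistributionPoints (2.5.29.31) value as strict DER, like crypto/x509.
func ParseCRLDistributionPoints(value []byte) ([]string, error) {
	var dps []distributionPoint
	if _, err := asn1.Unmarshal(value, &dps); err != nil {
		return nil, err
	}
	var uris []string
	for _, dp := range dps {
		for _, name := range dp.DistributionPoint.FullName {
			if name.Class == asn1.ClassContextSpecific && name.Tag == 6 { // [6] IMPLICIT IA5String URI
				uris = append(uris, string(name.Bytes))
			}
		}
	}
	return uris, nil
}

// EncodeCRLDistributionPoints builds a well-formed value: SEQUENCE OF DistributionPoint, one URI each.
func EncodeCRLDistributionPoints(uris []string) ([]byte, error) {
	dps := make([]distributionPoint, 0, len(uris))
	for _, u := range uris {
		uri := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(u)}
		dps = append(dps, distributionPoint{DistributionPoint: distributionPointName{FullName: []asn1.RawValue{uri}}})
	}
	return asn1.Marshal(dps)
}

func main() {
	good, _ := EncodeCRLDistributionPoints([]string{"http://www.example.com/crl/test.crl"})
	fmt.Println(ParseCRLDistributionPoints(good))
	fmt.Println(ParseCRLDistributionPoints([]byte{0x00})) // the lone 0x00 from the dump above
}
```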

Wei Tang

Jul 24, 2019, 9:46:31 PM
to golang-nuts
Thank you very much! 

I think the Go implementation might be strict. Maybe I should use openssl or cgo to call another language's implementation to parse it.

On Wednesday, July 24, 2019 at 9:28:55 PM UTC+8, Amar Akshat wrote: