crypto/x509: x509 certificate with issuerUniqueID and/or subjectUniqueID parse error

[mic6090]

go/src/crypto/x509/parser.go

Line 944 in c379c3d

if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(1).Constructed().ContextSpecific()) {

go/src/crypto/x509/parser.go

Line 947 in c379c3d

if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(2).Constructed().ContextSpecific()) {

RFC 5280 quote:

TBSCertificate ::= SEQUENCE {
version [0] Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
extensions [3] Extensions OPTIONAL
-- If present, version MUST be v3 -- }

I think Constructed() calls in mentioned strings are erroneous. As a result, all extensions from certificate with issuerUniqueID or subjectUniqueID fields not parsed.

golang 1.17.8, 1,18 affected.

[seankhliao]

cc @golang/security

[gopherbot]

Change https://go.dev/cl/394297 mentions this issue: crypto/x509: properly handle issuerUniqueID and subjectUniqueID

[rolandshoemaker]

@gopherbot please open backport issues, this is a regression (albeit extremely minor, since these fields are almost never used.)

[gopherbot]

Backport issue(s) opened: #51858 (for 1.17), #51859 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/399501 mentions this issue: [release-branch.go1.17] crypto/x509: properly handle issuerUniqueID and subjectUniqueID

[gopherbot]

Change https://go.dev/cl/399500 mentions this issue: [release-branch.go1.18] crypto/x509: properly handle issuerUniqueID and subjectUniqueID