Support certificates with invalid RDN attribute values #214
Some certificate authorities issue certificates with invalid RDN attribute values. Certificates must use UTF8String instead of PrintableString to represent strings that contain `*` or `@`, but mistakes happen. When an RDN attribute value is a PrintableString or UTF8String with invalid content, rather than rejecting the certificate, fall back to storing the value as an Any.
Rationale
Certificate authorities using the wrong string type is a common mistake. For example, DigiCert issued intermediate certificates with invalid ampersands to Wells Fargo & Company (golang/go#22970).
This PR adds partial support for certificates that contain invalid PrintableString or UTF8String (less likely) values. When failing to parse a PrintableString or UTF8String, the raw bytes are stored as an Any (same as IA5String, BMPString, ...).
Though those certificates are now parsed without any error, they aren't fully supported yet. Trying to convert the value to a String returns `nil`, so the CN doesn't match. I don't know whether we should add support for converting invalid PrintableString values (and IA5String/BMPString/...) to String in the future. In the meantime, developers who want to read the CN have access to the raw Any value.