Re: [go-nuts] Re: x509.ParseCertificate return err

Wed, 24 Jul 2019 06:28:55 -0700 

I think the extensions in your certificate might be invalid. Namely CRL
Distribution Points: 2.5.29.31

X509v3 CRL Distribution Points:

SEQUENCE {
 437    3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
 442    1:           OCTET STRING 00

: }                .

Per the RFC https://www.ietf.org/rfc/rfc5280.txt, the cRLDistributionPoints
has to respect a certain definition and is sequence of distributionPoint(s).
In your case it seems to be empty.
I could parse this certificate with Python's x509 library and openssl
command as well, but I think these implementations might be lenient in
parsing non-critical extensions.

An example of valid cRLDistributionPoints extension would be:

X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST

                Full Name:
                  URI:http://www.example.com/crl/test.crl



On Wed, 24 Jul 2019 at 11:09, Wei Tang <tomjame...@gmail.com> wrote:

> But in Java, the code below can parse the pem content, is there some
> difference in x509 implemention between golang and java?
>
> import java.io.ByteArrayInputStream;
> import java.security.cert.CertificateFactory;
> import java.security.cert.X509Certificate;
>
>
> public class SoterServerDemo {
>     public static void main(String[] args) {
>
>         try {
>
>             CertificateFactory factory =
> CertificateFactory.getInstance("X.509");
>             X509Certificate askCertificate = (X509Certificate)
> factory.generateCertificate(new ByteArrayInputStream("content of pem
> file".getBytes()));
>
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
> }
>
>
>
> 在 2019年7月24日星期三 UTC+8下午5:30:41,Wei Tang写道:
>>
>> Hi, I have a problem with x509.ParseCertificate.
>>
>> My code is:
>> package main
>>
>> import (
>> "crypto/x509"
>> "encoding/pem"
>> "fmt"
>> )
>>
>> func main() {
>> certPEM := `
>> -----BEGIN CERTIFICATE-----
>> MIID7jCCAtigAwIBAgIBATALBgkqhkiG9w0BAQswHTEbMBkGA1UEAxMSSHVhd2Vp
>> IEtleVN0b3JlICAgMB4XDTE5MDcyNDA4NTQ0NFoXDTI5MDcyNDA4NTQ0NFowGjEY
>> MBYGA1UEAxMPQSBLZXltYXN0ZXIgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
>> MIIBCgKCAQEA8WS+DnC9JzGytDPpe3/GVY4xQx0bsPVP1Drf0n3eD+wq6U91QnjX
>> vhyRXtguDBu8OM5Qc5h8wFIOAUTD4+U/QGLQ3pZN+DXVmwlSJjbx8yMjuiUwInhG
>> uJ+xzhuEsNFCdxdyaNPmGhUycu09olL2/mcgDQFxusfr5jnnhU9VFv3/x1Y+7mVh
>> kICFnCE3YQ4ufHOHroQIE0kxnfJF+DkgK1tkdIMHEvX5rJvaqtd0M7RY/PRrE0dE
>> bYSlAlSAVqdjfLb0LF8tRTcjnIh4lg5NhqCWeAkGw8egUaNW1vFX6SeXrW6uJv2N
>> OeHxi9VFG7ymaOqB4URS0wGQ6dzoYsx/iwIDAQABo4IBPjCCATowCwYDVR0PBAQD
>> AgAAMAgGA1UdHwQBADCB9QYKKwYBBAHWeQIBEQSB5jCB4wIBAgoBAQIBAwoBAQR3
>> eyJjcHVfaWQiOiJIVUFXRUlfSFdITUFfNmYwNzk3ZTQtMWFjNS00YjM3LWEyZTgt
>> YzY2ZjQ2MTM0YjhlLTIyMzE5ZjcxIiwiY291bnRlciI6MTMsInVpZCI6IjEwNDE3
>> IiwicnNhX3Bzc19zYWx0bGVuIjozMn0EADASv4N3AgUAv4U9CAIGAWwjMJ1KMEah
>> CTEHAgUA/wEAAaIDAgEBowQCAggApQUxAwIBBKYFMQMCAQO/gUgFAgMBAAG/hT4D
>> AgEAv4VBBQIDAV+Qv4VCBQIDAxSxMCkGCSsGAQQBj1seAgEBAAQZMBcCAQCiAwEB
>> Ab+BSAswCaEHAwUABoAAgDALBgkqhkiG9w0BAQsDggEBAFZRjVpDqujJrwaZqycw
>> VgrM/J1b2VcVKUPJ39eJXs2S/ur7yUlgSxRcpOufa3IF0XekOUyHTNIroWUz/xLb
>> X6pv32PCMeavI/6ldl/zEJyy11PKX8ZrVfE05WiWUIJ6BwmDX+RtNjJSJ/xmwfDu
>> dn0CAx5apWsCMYpcGXQ2g8DRGQpYVdJS/aOTlDHGdSdSesx0TbGL39gjfdDb851L
>> spVFtcdoxw5nb0obwRItPBF+gHIh3xsYGGDN/EKSNN9YMja4MzgjTeLjNXjs1pXO
>> f4Fm3OiOfSFnTJuJk/rKQ0TiW+p3EvuZ+tRT+iffJvhdvDAIp7I3pJjaoZw4xwHH
>> Tr8=
>> -----END CERTIFICATE-----`
>> block, _ := pem.Decode([]byte(certPEM))
>> if block == nil {
>> panic("failed to parse certificate PEM")
>> }
>> cert, err := x509.ParseCertificate(block.Bytes)
>> if err != nil {
>> panic("failed to parse certificate: " + err.Error())
>> }
>> fmt.Println(cert)
>> }
>>
>>
>> but x509.ParseCertificate return err:
>> panic: failed to parse certificate: asn1: syntax error: truncated tag or
>> length
>>
>>
>> What's wrong?
>>
>> Please help.
>>
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/d571a3cd-4d45-4373-b6e9-ad7b55b104ae%40googlegroups.com
> <https://groups.google.com/d/msgid/golang-nuts/d571a3cd-4d45-4373-b6e9-ad7b55b104ae%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>


-- 
- Cheers, Amar.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CAHwRF1qvOLOX7X9PBg0sDCWExPi1ueArQeU7ajUnUBPbXPYpSA%40mail.gmail.com.

Reply via email to