bz1290472 Accept x509 certs with negative serial

2015-12-11 12:51:16 +01:00 · 2015-12-11 12:51:16 +01:00 · 8b92652b24
parent c524af8454
commit 8b92652b24
2 changed files with 65 additions and 1 deletions
--- a/bz1290543.patch
+++ b/bz1290543.patch
@ -0,0 +1,55 @@
+From a0ea93dea5f5741addc8c96b7ed037d0e359e33f Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl@golang.org>
+Date: Fri, 27 Nov 2015 13:50:36 -0800
+Subject: [PATCH] crypto/x509: permit serial numbers to be negative.
+
+Some software that produces certificates doesn't encode integers
+correctly and, about half the time, ends up producing certificates with
+serial numbers that are actually negative.
+
+This buggy software, sadly, appears to be common enough that we should
+let these errors pass. This change allows a Certificate.SerialNumber to
+be negative.
+
+Fixes #8265.
+
+Change-Id: Ief35dae23988fb6d5e2873e3c521366fb03c6af4
+Reviewed-on: https://go-review.googlesource.com/17247
+Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
+---
+ src/crypto/x509/x509.go      | 4 ----
+ src/crypto/x509/x509_test.go | 6 +++++-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
+index bbc63241..126432d 100644
+--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
+@@ -909,10 +909,6 @@ func parseCertificate(in *certificate) (*Certificate, error) {
+ 		return nil, err
+ 	}
+ 
+-	if in.TBSCertificate.SerialNumber.Sign() < 0 {
+-		return nil, errors.New("x509: negative serial number")
+-	}
+-
+ 	out.Version = in.TBSCertificate.Version + 1
+ 	out.SerialNumber = in.TBSCertificate.SerialNumber
+ 
+diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
+index 61b1773..2c01ec7 100644
+--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
+@@ -343,7 +343,11 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
+ 	for _, test := range tests {
+ 		commonName := "test.example.com"
+ 		template := Certificate{
+-			SerialNumber: big.NewInt(1),
+			// SerialNumber is negative to ensure that negative
+			// values are parsed. This is due to the prevalence of
+			// buggy code that produces certificates with negative
+			// serial numbers.
+			SerialNumber: big.NewInt(-1),
+ 			Subject: pkix.Name{
+ 				CommonName:   commonName,
+ 				Organization: []string{"Σ Acme Co"},
--- a/golang.spec
+++ b/golang.spec
@ -89,7 +89,7 @@

 Name:           golang
 Version:        1.5.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@ -122,6 +122,10 @@ Patch0:         golang-1.2-verbose-build.patch

 # https://bugzilla.redhat.com/show_bug.cgi?id=1038683
 Patch1:         golang-1.2-remove-ECC-p224.patch
+# Accept x509 certs with negative serial
+# https://bugzilla.redhat.com/show_bug.cgi?id=1290543
+# https://github.com/golang/go/issues/8265
+Patch2:         bz1290543.patch

 # use the arch dependent path in the bootstrap
 Patch212:       golang-1.5-bootstrap-binary-path.patch
@ -256,6 +260,8 @@ Summary:        Golang shared object libraries
 # remove the P224 curve
 %patch1 -p1

+%patch2 -p1
+
 # use the arch dependent path in the bootstrap
 %patch212 -p1

@ -472,6 +478,9 @@ fi
 %endif

 %changelog
+* Fri Dec 11 2015 Jakub Čajka <jcajka@redhat.com> - 1.5.2-2
+- bz1290472 Accept x509 certs with negative serial
+
 * Tue Dec 08 2015 Jakub Čajka <jcajka@redhat.com> - 1.5.2-1
 - bz1288263 rebase to 1.5.2
 - spec file clean up