crypto/x509: ParseCertificate and ParseCertificateRequest should return an error when there are duplicate x509 extensions

[aaomidi]

What version of Go are you using (go version)?

go version: 1.17.6

Does this issue reproduce with the latest release? Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
go version go1.17.6 windows/amd64
PS C:\Users\private\GolandProjects\awesomeProject> go env
set GO111MODULE=auto
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\private\AppData\Local\go-build
set GOENV=C:\Users\private\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\private\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\private\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.17.6
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\Users\private\GolandProjects\awesomeProject\go.mod
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\private\AppData\Local\Temp\go-build554477491=/tmp/go-build -gno-record-gcc-switches

What did you do?

Create a malformed CSR with multiple SAN extensions manually. Then I tried to parse the malformed CSR.

Proof of Concepts:

• https://go.dev/play/p/t_jcGJ9esqc
• https://go.dev/play/p/a1QmUMfkq4C

What did you expect to see?

Per RFC5280, Section 4.2 I expected to see a failure in parsing CSRs and Certificates that contain any specific extension more than once.

A certificate MUST NOT include more than one instance of a particular extension.

What did you see instead?

Go did not create any errors parsing malformed CSRs and Certificates.

[gopherbot]

Change https://golang.org/cl/383215 mentions this issue: crypto/x509: reject duplicate extensions

[gopherbot]

Change https://go.dev/cl/398314 mentions this issue: crypto/x509: reject duplicate extensions

[Radranic]

Hello,

I've encountered the result of this and just wanted to double check on the expected behavior.

The RFC linked indicates there are no duplicate extensions allowed in certificates, this also seems reasonable to imply that there can be no duplicate extensions requested in a CSR.

The changes made also consider it an error to have duplicate attributes in a CSR, not extensions which I can't find anything in PKCS #10 RFC which would indicate that this should be the case but I could be reading that wrong.

Section 2.1 in RFC 2985 has: Some attribute types are restricted in their definition to have a single value; others may have multiple values. Not sure if that has meaning context.

Aside from that, the duplicate attribute case is also not covered in the unit tests that were included.

Can I get a confirmation/correction on the interpretation of the RFC?

[FiloSottile]

Duplicate attributes in CSRs were re-allowed in https://go.dev/cl/428636.