x509: Certificate chain with policy mismatch does not throw error while doing x509.Verify()
Closed this issue · 1 comments
Go version
go1.24.9
Output of go env in your module/workspace:
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1916020196=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/root/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/root/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/root/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.9'
GOWORK=''
PKG_CONFIG='pkg-config'
What did you do?
x509: Certificate chain with policy mismatch does not throw error while doing x509.Verify().
cert chain:
leafCert.pem --> signed by --> interemediateCAcert.pem --> signed by --> rootCACert.pem
interemediateCAcert.pem has critical certificate policy(2.5.29.32) as 1.2.3.4
leafCert.pem has critical certificate policy(2.5.29.32) as 4.3.2.1
Then I call x509.Verify() with x509.VerifyOptions -
interemediateCAcert.pem assigned to Roots.
Issue:
There is no error thrown even though there is a policy mismatch between interemediateCAcert.pem and leafCert.pem.
Note:
However, when we do the same by adding the rootCert (interemediateCAcert's issuer), it throws the 'invalid policies' error.
Here in this case - x509.VerifyOptions is defined as
rootCACert.pem assigned to Roots
interemediateCAcert.pem assigned to Intermediates
Cert details:
a. rootCACert.pem:
no cert policy defined
b. interemediateCAcert.pem:
...
X509v3 Certificate Policies: critical
Policy: 1.2.3.4
X509v3 Policy Constraints: critical
Require Explicit Policy:0
...
c. leafCert.pem:
...
X509v3 Certificate Policies: critical
Policy: 4.3.2.1
...
What did you see happen?
go run certChainVerify.go
What did you expect to see?
Expecting to see the error:
x509: no valid chains built: all candidate chains have invalid policies
Output got:
But found the actual output: cert chain verification successful
Why is the current output incorrect?
Because leafCert's cert policy (4.3.2.1) did not match the intermediateCACert policy (1.2.3.4) and the cert policies were marked as Critical on both the certs.
Please don't use screenshots for code, and include a runnable example with certs included.