crypto/x509: error parsing large ASN.1 identifiers

[umlublin]

What version of Go are you using (go version)?

$ go version
go1.17.3 windows/amd64

Does this issue reproduce with the latest release?

Issue observed while connecting to LDAPS serwer with certificate generated by Microsoft Active Directory with Microsoft's specific X509v3 Certificate Policies
error message is "x509: invalid certificate policies"
it comes from parseCertificatePoliciesExtension in x509 parser

Output of "openssl x509 -in my.crt --text"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:00:04:9b:44:6f:c6:43:9c:d8:f5:3a:00:00:03:00:04:9b:44
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = pl, DC = com, DC = <edited>, CN = <edited>    Subordinate CA
        Validity
            Not Before: Sep 20 11:05:54 2021 GMT
            Not After : Sep 20 11:05:54 2023 GMT
        Subject: CN = <edited>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:dd:fd:8b:7e:bd:e7:50:f0:c1:bd:8f:37:d6:e0:
<edited>
                    e8:13:8a:ae:c7:26:73:b5:81:4e:c7:ab:39:2a:ef:
                    fb:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.........M...".......nK...M...b..e...
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Signing KDC Response, TLS Web Server Authentication, Microsoft Smartcard Login
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.311.21.8.3719450.11115469.11946914.3506198.8878958.75.1492336001.1138714952

            1.3.6.1.4.1.311.21.10:
                010
..+.......0...+......0
..+.......0..
+.....7...
            X509v3 Subject Key Identifier:
                04:7B:E7:F9:21:DB:92:0E:21:DE:70:B2:CD:FC:16:49:0D:11:46:92
<edited>

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=D:\Projekty\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=D:\Projekty\go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.17.3
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=D:\Projekty\go\bin\go.mod
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\luty4\AppData\Local\Temp\go-build1235732887=/tmp/go-build -gno-record-
gcc-switches

What did you do?

https://play.golang.org/p/WI9bl64Z6wU

What did you expect to see?

**** OID with 4 bytes
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001
ASN.1 Encoding:   060e2b060104018237150885c7ccfb01
Decode result: true
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001

What did you see instead?

**** OID with 4 bytes
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001
ASN.1 Encoding:    060e2b060104018237150885c7ccfb01
Decode result: false
Object Identifier: 

[umlublin]

Bug is inside golang.org/x/crypto/cryptobyte/asn1.go
in func (s *String) readBase128Int(out *int) bool {
"if i == 4 {" should be replaced by "if i == 5 {"

[gopherbot]

Change https://golang.org/cl/365674 mentions this issue: Fixes golang/go#49678 x/crypto/cryptobyte/asn1: Error parsing ASN1 identifiers

[heschi]

cc @FiloSottile @agl @katiehockman @rolandshoemaker

[MarekPelka]

Hi, i have the same problem when i try to pull image from our internal docker repository:

docker pull private_repo/myimage:latest
Error response from daemon: Get "https://private_repo/v2/": tls: failed to parse certificate from server: x509: invalid certificate policies

Our private CA certificate’s are added to system. And wget/curl connects to https://private_repo/v2/ without problems.

[umlublin]

@heschi How long can an investigation take?
The operation of one of the banks depends on this fix. We have a "sick" certificate that cannot be changed quickly.
Recompilation of all kubernetes related software is not a solution.

[FiloSottile]

@gopherbot please open a backport issue to Go 1.17. This is a regression due to Go 1.17 changes without workaround that makes it impossible to parse some valid (if a little weird) certificates.