New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to parse CRL: Error(InvalidExtensions) #120
Comments
Hi, Thanks for the report and all the details. Would it be possible to either attach it to this issue (drag and drop in the text area), or send it to me using whatever method? It would help a lot. Thanks! |
Thanks for taking a look quickly @chifflier , much appreciated! Sure thing - I'll attach them for you |
Thanks, that helps a lot. A very quick check shows that the error happens here:
According to RFC 5280, the extensions should be an explicit tagged 0 sequence:
Instead of the tagged value, this seems to be a sequence containing the tagged value. This is confirmed by comparing to other .crl files I have locally. I only had a quick look, so at this point I am not sure why openssl accepts the CRL, and if I didn't miss anything in the specifications, but I'm not sure the encoding is entirely valid. I'll continue investigating. |
Ok, got it. |
Thanks so much for investigating - it wouldn't surprise me if we were also doing something a little out of the ordinary, but great to know we've found a potential way forward here 😄 |
Hi,
We are looking to use this library as part of an Envoy WASM filter which does CA/CRL parsing. We're mostly there, however we are having some trouble parsing one of our Issuer's CRL files.
When attempting to parse the DER contents of the CRL, we receive the following (somewhat cryptic) error -
Error(InvalidExtensions)
Not exactly sure what it is failing on, as we are able to successfully parse this in openssl (see below) and don't appear to be adding any unusual Extensions onto the CRL itself (we're using some go code to generate the CA / CRL):
OpenSSL Output:
Let me know if anything else is helpful, and the best way to supply them to you. Thanks for your work, much appreciated!
The text was updated successfully, but these errors were encountered: