Unable to parse CRL: Error(InvalidExtensions)

[acarlson0000]

Hi,

We are looking to use this library as part of an Envoy WASM filter which does CA/CRL parsing. We're mostly there, however we are having some trouble parsing one of our Issuer's CRL files.

When attempting to parse the DER contents of the CRL, we receive the following (somewhat cryptic) error - Error(InvalidExtensions)

Not exactly sure what it is failing on, as we are able to successfully parse this in openssl (see below) and don't appear to be adding any unusual Extensions onto the CRL itself (we're using some go code to generate the CA / CRL):

https://pkg.go.dev/crypto/x509/pkix?utm_source=gopls#Extension

	// Authority Key Id
	if len(issuer.Cert.SubjectKeyId) > 0 {
		var aki pkix.Extension
		aki.Id = []int{2, 5, 29, 35}
		aki.Value, err = asn1.Marshal(authKeyID{ID: issuer.Cert.SubjectKeyId})
		if err != nil {
			return
		}
		tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
	}

	var crlNumberExtension pkix.Extension
	crlNumberExtension.Id = []int{2, 5, 29, 20}
	crlNumberExtension.Value, err = asn1.Marshal(int64(crlNumber))
	if err != nil {
		return
	}
	tbsCertList.Extensions = append(tbsCertList.Extensions, crlNumberExtension)

OpenSSL Output:

> openssl crl -noout -text -in rustica-x509-parser-test-crl.pem
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: /CN=rustica-x509-parser-test
        Last Update: Mar 11 08:29:28 2022 GMT
        Next Update: Mar  5 08:29:28 2047 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:A2:7B:86:1F:3C:6C:86:B0:E5:52:B7:6A:6B:D6:C9:88:F1:4F:E4:61

            X509v3 CRL Number:
                0
No Revoked Certificates.
    Signature Algorithm: ecdsa-with-SHA384
         30:66:02:31:00:f9:af:1e:c8:61:1b:33:31:92:d9:08:90:f4:
         e4:f8:09:66:e2:27:28:83:7b:04:d2:5a:94:bf:35:1b:09:25:
         da:ee:a8:73:01:18:1c:9a:f4:b1:db:df:bb:02:f9:a5:16:02:
         31:00:c4:77:b7:79:49:94:9c:30:c7:38:67:70:66:26:c1:ea:
         67:e7:e5:d2:4d:26:c8:ca:48:5c:ef:7b:b4:39:c4:7e:25:2b:
         a5:5f:15:12:d9:c3:be:0d:3c:84:3d:a0:86:4d

❯ openssl asn1parse -in rustica-x509-parser-test-crl.pem
    0:d=0  hl=3 l= 255 cons: SEQUENCE
    3:d=1  hl=3 l= 133 cons: SEQUENCE
    6:d=2  hl=2 l=   1 prim: INTEGER           :01
    9:d=2  hl=2 l=  10 cons: SEQUENCE
   11:d=3  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA384
   21:d=2  hl=2 l=  35 cons: SEQUENCE
   23:d=3  hl=2 l=  33 cons: SET
   25:d=4  hl=2 l=  31 cons: SEQUENCE
   27:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   32:d=5  hl=2 l=  24 prim: PRINTABLESTRING   :rustica-x509-parser-test
   58:d=2  hl=2 l=  13 prim: UTCTIME           :220311082928Z
   73:d=2  hl=2 l=  13 prim: UTCTIME           :470305082928Z
   88:d=2  hl=2 l=   0 cons: SEQUENCE
   90:d=2  hl=2 l=  47 cons: cont [ 0 ]
   92:d=3  hl=2 l=  45 cons: SEQUENCE
   94:d=4  hl=2 l=  31 cons: SEQUENCE
   96:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  101:d=5  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014A27B861F3C6C86B0E552B76A6BD6C988F14FE461
  127:d=4  hl=2 l=  10 cons: SEQUENCE
  129:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Number
  134:d=5  hl=2 l=   3 prim: OCTET STRING      [HEX DUMP]:020100
  139:d=1  hl=2 l=  10 cons: SEQUENCE
  141:d=2  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA384
  151:d=1  hl=2 l= 105 prim: BIT STRING

❯ openssl crl -noout -text -in rustica-x509-parser-test-online-crl.pem
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: /CN=rustica-x509-parser-test-online
        Last Update: Mar 11 08:34:26 2022 GMT
        Next Update: Mar  5 08:34:26 2047 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:54:A8:78:2E:EC:9C:AF:2D:41:3F:38:47:97:6A:CE:EA:99:14:F5:7D

            X509v3 CRL Number:
                0
No Revoked Certificates.
    Signature Algorithm: ecdsa-with-SHA384
         30:65:02:31:00:cf:77:da:5f:88:8c:a9:a7:24:26:ee:42:4a:
         f5:31:0b:ae:3d:e5:c6:97:7a:26:9b:cc:8e:bc:6d:b9:5d:9b:
         b0:89:69:74:93:d8:3a:b4:9f:3e:e8:70:ce:cd:00:95:12:02:
         30:77:88:d2:c3:64:cd:6b:92:57:e8:ec:82:8c:1a:ad:e9:0e:
         a3:e7:a2:69:26:5a:62:3f:06:d5:ee:34:34:94:c7:21:ec:1b:
         d4:45:29:8f:d3:65:26:a6:14:33:0a:54:c4


❯ openssl asn1parse -in rustica-x509-parser-test-online-crl.pem
    0:d=0  hl=4 l= 261 cons: SEQUENCE
    4:d=1  hl=3 l= 140 cons: SEQUENCE
    7:d=2  hl=2 l=   1 prim: INTEGER           :01
   10:d=2  hl=2 l=  10 cons: SEQUENCE
   12:d=3  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA384
   22:d=2  hl=2 l=  42 cons: SEQUENCE
   24:d=3  hl=2 l=  40 cons: SET
   26:d=4  hl=2 l=  38 cons: SEQUENCE
   28:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   33:d=5  hl=2 l=  31 prim: PRINTABLESTRING   :rustica-x509-parser-test-online
   66:d=2  hl=2 l=  13 prim: UTCTIME           :220311083426Z
   81:d=2  hl=2 l=  13 prim: UTCTIME           :470305083426Z
   96:d=2  hl=2 l=   0 cons: SEQUENCE
   98:d=2  hl=2 l=  47 cons: cont [ 0 ]
  100:d=3  hl=2 l=  45 cons: SEQUENCE
  102:d=4  hl=2 l=  31 cons: SEQUENCE
  104:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  109:d=5  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:3016801454A8782EEC9CAF2D413F3847976ACEEA9914F57D
  135:d=4  hl=2 l=  10 cons: SEQUENCE
  137:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Number
  142:d=5  hl=2 l=   3 prim: OCTET STRING      [HEX DUMP]:020100
  147:d=1  hl=2 l=  10 cons: SEQUENCE
  149:d=2  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA384
  159:d=1  hl=2 l= 104 prim: BIT STRING

Let me know if anything else is helpful, and the best way to supply them to you. Thanks for your work, much appreciated!

[chifflier]

Hi,

Thanks for the report and all the details.
I was suspecting that the encoding of some extensions is wrong, but I cannot check without the file.

Would it be possible to either attach it to this issue (drag and drop in the text area), or send it to me using whatever method? It would help a lot.

Thanks!

[acarlson0000]

Thanks for taking a look quickly @chifflier , much appreciated!

Sure thing - I'll attach them for you
rustica-x509-parser-crl-issue.zip

[chifflier]

Thanks, that helps a lot.

A very quick check shows that the error happens here:

   96:d=2  hl=2 l=   0 cons: SEQUENCE
   98:d=2  hl=2 l=  47 cons: cont [ 0 ]
  100:d=3  hl=2 l=  45 cons: SEQUENCE
  102:d=4  hl=2 l=  31 cons: SEQUENCE

According to RFC 5280, the extensions should be an explicit tagged 0 sequence:

crlExtensions           [0]  EXPLICIT Extensions OPTIONAL

Instead of the tagged value, this seems to be a sequence containing the tagged value.

This is confirmed by comparing to other .crl files I have locally.

I only had a quick look, so at this point I am not sure why openssl accepts the CRL, and if I didn't miss anything in the specifications, but I'm not sure the encoding is entirely valid. I'll continue investigating.

[chifflier]

Ok, got it.
The encoding is not invalid, but weird. This is not a sequence of tagged, but in fact an empty sequence preceding the tag. Though unusual, it is valid.
I can confirm this is indeed a bug and will work on a fix.

[acarlson0000]

Thanks so much for investigating - it wouldn't surprise me if we were also doing something a little out of the ordinary, but great to know we've found a potential way forward here 😄