- Bug
- Resolution: Unresolved
- Normal
- None
- 4.13.z
- Moderate
- No
- CFE Sprint 254
- 1
- False
-
Description of problem:
Cert-manager fails to parse certificates with certain certificate-policy extensions:

```
$ omc logs -n openshift-cert-manager cert-manager-5bc4bc88f9-8r9kj | less
<...>
2023-10-06T09:46:35.313929210Z I1006 09:46:35.313903 1 sync.go:60] cert-manager/issuers "msg"="Error initializing issuer: Get \"https://<issuer_endpoint>/pgwy/acme/servercert\": tls: failed to parse certificate from server: x509: invalid certificate policies" "resource_kind"="Issuer" "resource_name"="<redacted>" "resource_namespace"="<redacted>" "resource_version"="v1"
```

This occurs when registering an account [1] and seems related to the way crypto/x509 parses certificate policies [2].

[1] https://github.com/cert-manager/cert-manager/blob/b53527eb787c508a2dc0a27853cd4eb4b138faf6/pkg/issuer/acme/setup.go#L258-L265
[2] https://github.com/golang/go/issues/60665
Version-Release number of selected component (if applicable):
v1.7.1
How reproducible:
100% with certain certificate policies
Steps to Reproduce:
1. openssl parses the certificate correctly:

```
$ cat <<EOF | openssl x509 -ext certificatePolicies -subject -noout
-----BEGIN CERTIFICATE-----
<cert>
-----END CERTIFICATE-----
EOF
X509v3 Certificate Policies:
    <policy_output>
subject=C = <subj>, O = <org>, CN = <cn>
```

2. An example Go snippet (list_cert_extensions.go) fails to parse the same certificate:

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"os"
)

func main() {
	// Read a PEM-encoded certificate from stdin.
	pemBytes, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read stdin:", err)
		os.Exit(1)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		fmt.Fprintln(os.Stderr, "no PEM block found on stdin")
		os.Exit(1)
	}
	// crypto/x509 rejects the certificate here with "x509: invalid certificate policies".
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		fmt.Println(err)
		return
	}
	// Otherwise list the OIDs of all extensions present in the certificate.
	for _, e := range cert.Extensions {
		fmt.Println(e.Id)
	}
}
```

```
$ go run list_cert_extensions.go <<EOF
-----BEGIN CERTIFICATE-----
<same_cert_as_above>
-----END CERTIFICATE-----
EOF
x509: invalid certificate policies
```
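The snippet above only reports that crypto/x509 rejected the policies extension, not which entry is wrong. The following is an added example (not part of this report, cert-manager or the Go issue) that issues a throwaway self-signed certificate with a well-formed certificatePolicies extension, parses it with crypto/x509, and walks the raw extension value with encoding/asn1 to pinpoint the entry that breaks the structure crypto/x509 expects (SEQUENCE OF PolicyInformation, each a SEQUENCE starting with an OID). The malformed value is constructed test data: it does not claim to be the encoding of the reporter's certificate, whose policy contents are redacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-ce-certificatePolicies (RFC 5280, 4.2.1.4), anyPolicy, and the CA/Browser
// Forum domain-validated policy OID used as sample policies.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidAnyPolicy           = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
	oidDomainValidated     = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
)

// encodePolicies builds a well-formed certificatePolicies value:
// SEQUENCE OF PolicyInformation, each a SEQUENCE holding one policy OID.
func encodePolicies(oids ...asn1.ObjectIdentifier) ([]byte, error) {
	type policyInformation struct {
		PolicyIdentifier asn1.ObjectIdentifier
	}
	infos := make([]policyInformation, 0, len(oids))
	for _, o := range oids {
		infos = append(infos, policyInformation{PolicyIdentifier: o})
	}
	return asn1.Marshal(infos)
}

// malformedPoliciesValue is constructed test data: its only PolicyInformation
// starts with INTEGER 1 instead of an OID, which crypto/x509 rejects.
func malformedPoliciesValue() []byte {
	return []byte{0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01}
}

// listPolicies decodes a raw certificatePolicies value by hand and reports
// which entry violates the structure crypto/x509 requires.
func listPolicies(ext []byte) ([]asn1.ObjectIdentifier, error) {
	var outer asn1.RawValue
	rest, err := asn1.Unmarshal(ext, &outer)
	if err != nil {
		return nil, fmt.Errorf("certificatePolicies is not valid DER: %w", err)
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after certificatePolicies")
	}
	if outer.Class != asn1.ClassUniversal || outer.Tag != asn1.TagSequence || !outer.IsCompound {
		return nil, errors.New("certificatePolicies is not a SEQUENCE")
	}
	var oids []asn1.ObjectIdentifier
	body := outer.Bytes
	for i := 0; len(body) > 0; i++ {
		var info asn1.RawValue
		if body, err = asn1.Unmarshal(body, &info); err != nil {
			return nil, fmt.Errorf("policy %d: %w", i, err)
		}
		if info.Class != asn1.ClassUniversal || info.Tag != asn1.TagSequence || !info.IsCompound {
			return nil, fmt.Errorf("policy %d: PolicyInformation is not a SEQUENCE", i)
		}
		var oid asn1.ObjectIdentifier
		if _, err := asn1.Unmarshal(info.Bytes, &oid); err != nil {
			return nil, fmt.Errorf("policy %d: first element is not an OID: %w", i, err)
		}
		oids = append(oids, oid)
	}
	return oids, nil
}

// selfSignedWithPolicies issues a throwaway self-signed certificate (test
// data, not a real CA) carrying the given certificatePolicies value verbatim.
func selfSignedWithPolicies(extValue []byte) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "policies-example.invalid"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: extValue}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// policyOIDs does what the reporter's snippet does: parse with crypto/x509
// and read back the policy OIDs it accepted.
func policyOIDs(der []byte) ([]asn1.ObjectIdentifier, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return cert.PolicyIdentifiers, nil
}

func main() {
	good, _ := encodePolicies(oidAnyPolicy, oidDomainValidated)
	for name, ext := range map[string][]byte{"well-formed": good, "malformed": malformedPoliciesValue()} {
		der, err := selfSignedWithPolicies(ext)
		if err != nil {
			fmt.Println(name, "build:", err)
			continue
		}
		oids, err := policyOIDs(der)
		fmt.Printf("%-11s crypto/x509: %v %v\n", name, oids, err)
		diag, err := listPolicies(ext)
		fmt.Printf("%-11s by hand:     %v %v\n", name, diag, err)
	}
}
```

For a certificate rejected in the field, feed the `Value` of the extension with OID 2.5.29.32 to `listPolicies`; the extension can be located from a TBSCertificate decoded with encoding/asn1 even when `x509.ParseCertificate` refuses the whole certificate, and the resulting message names the offending policy entry instead of the generic "invalid certificate policies".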
Actual results:
Expected results:
Additional info: