fix encoding/asn1 marshaling of pkix types

See the added comment and test, which failed before the fix when the encoded certificate was decoded. It took a while to find the culprit in asn1, but in hindsight it's easy: case reflect.Slice: if t.Elem().Kind() == reflect.Uint8 { return false, TagOctetString, false, true } if strings.HasSuffix(t.Name(), "SET") { return false, TagSet, true, true } return false, TagSequence, true, true Fixes #711.
3 years ago · b0ff2fb133
parent 9044b1d31c
commit b0ff2fb133
2 changed files with 41 additions and 0 deletions
--- a/main.go
+++ b/main.go
@ -1930,6 +1930,15 @@ func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
 				tf.recursivelyRecordAsNotObfuscated(obj.Type())
 				return true
 			}
+		case "crypto/x509/pkix":
+			// For better or worse, encoding/asn1 detects a "SET" suffix on slice type names
+			// to tell whether those slices should be treated as sets or sequences.
+			// Do not obfuscate those names to prevent breaking x509 certificates.
+			// TODO: we can surely do better; ideally propose a non-string-based solution
+			// upstream, or as a fallback, obfuscate to a name ending with "SET".
+			if strings.HasSuffix(name, "SET") {
+				return true
+			}
 		}

 		// The package that declared this object did not obfuscate it.
--- a/testdata/script/reflect.txtar
+++ b/testdata/script/reflect.txtar
@ -19,8 +19,14 @@ go 1.20
 package main

 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
 	"fmt"
+	"math/big"
 	"os"
 	"reflect"
 	"strings"
@ -107,6 +113,8 @@ func main() {
 	variadic := VariadicReflection{ReflectionField: "variadic"}
 	_ = importedpkg.VariadicReflect("foo", 1, variadic, false)
 	printfWithoutPackage("%#v\n", variadic)
+
+	testx509()
 }

 type EmbeddingIndirect struct {
@ -163,6 +171,30 @@ var _ = func() uintptr {
 	return field.Offset
 }()

+// encoding/x509 uses encoding/asn1, which uses reflect.
+// In one place it depends on field names; that used to be broken by garble.
+func testx509() {
+	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{Organization: []string{"Acme Co"}},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		panic(err)
+	}
+
+	_, err = x509.ParseCertificate(derBytes)
+	if err != nil {
+		panic(err)
+	}
+}
+

 -- importedpkg/imported.go --
 package importedpkg