crypto/x509: Support critical Apple extension for Development and Submission signing #10459
Comments
We cannot skip extensions marked critical.
In that case, maybe there is a way I can strip out some extensions before sending it through to tls.X509KeyPair. Or what would need to be done to support these extensions?
Where is the definition of APPLE_EXTENSION_ADC_APPLE_SIGNING? /cc @agl
Googling for "1.2.840.113635.100.6.1.2.0.0" turned up this source file. I'll see if I can find some better info.
Here we go: Update: newer version of that document http://images.apple.com/certificateauthority/pdf/Apple_WWDR_CPS_v1.12.pdf
I'm assuming it's marked critical because it is flagging this as a development certificate.
In addition to critical extensions for iPhone certs: iPhone Software Submission Signing (1.2.840.113635.100.6.1.4) There are critical extensions for Safari, Mac, etc. listed in that document. Extended Key Usage - Safari Extension Signing (1.2.840.113635.100.4.8) But I'm not seeing information on what the values mean. My development cert contained
I think a reasonable change here might be for X509KeyPair to ignore errors in the certificate. As a server, it doesn't really matter to you what's in the certificate that you send to the clients except for sanity checks and for SNI matching. Would that be sufficient for you? Another option would be that unknown critical extensions were no longer a parse-time error, but rather caused validation to fail.
Upon further investigation, I think I was using the wrong cert, as a push notification cert doesn't have critical extensions based on the docs. I need to check with a colleague that I have the right certs and double check if this is still an issue for me. [Update: Confirmed, this isn't an issue for me right now, but it would be something nice to resolve for future use.] Also, I think the error handling could be improved. If instead of:
It could include the ID
It would've been a lot easier to hunt down the issue.
CL https://golang.org/cl/9390 mentions this issue. |
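The second option sketched in agl's comment above is the behaviour Go adopted: x509.ParseCertificate no longer rejects a certificate over an unknown critical extension, it records the extension's OID in Certificate.UnhandledCriticalExtensions, and Certificate.Verify fails with x509.UnhandledCriticalExtension until the application has examined the extension itself and removed it from that list. The program below is an added example written for this page; it is not code from the issue or from the Go project. It constructs a self-signed certificate carrying the OID quoted in the thread as a critical extension (the extension value is a placeholder DER NULL, since the thread does not document the real encoding), lists the unhandled OIDs so the identifier the reporter asked for is visible, confirms tls.X509KeyPair accepts the pair, and shows Verify failing as-is and passing once the extension is accepted. It assumes a Go release with the UnhandledCriticalExtensions field (Go 1.5 and later).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// OID quoted in the issue for APPLE_EXTENSION_ADC_APPLE_SIGNING. The extension value
// used below (a DER NULL) is a placeholder; the certificate is constructed for this example.
var appleDevSigningOID = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 2, 0, 0}

// buildCertWithCriticalExt self-signs a certificate carrying that OID as a critical extension.
func buildCertWithCriticalExt() (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed dev cert"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{
			{Id: appleDevSigningOID, Critical: true, Value: []byte{0x05, 0x00}},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// parseCert decodes one PEM certificate; parsing succeeds despite the unknown critical extension.
func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// unhandledCriticalOIDs returns the dotted OIDs Go did not understand, which is
// the identifier the reporter wanted the error message to include.
func unhandledCriticalOIDs(certPEM []byte) ([]string, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return nil, err
	}
	var oids []string
	for _, id := range cert.UnhandledCriticalExtensions {
		oids = append(oids, id.String())
	}
	return oids, nil
}

// loadKeyPair shows a server can load the pair: X509KeyPair only parses the leaf and matches the key.
func loadKeyPair(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// verifyCert validates the chain with the cert as its own root. Until the application drops the
// Apple OID from UnhandledCriticalExtensions, Verify fails with x509.UnhandledCriticalExtension.
func verifyCert(certPEM []byte, acceptAppleExt bool) error {
	cert, err := parseCert(certPEM)
	if err != nil {
		return err
	}
	if acceptAppleExt {
		var rest []asn1.ObjectIdentifier
		for _, id := range cert.UnhandledCriticalExtensions {
			if !id.Equal(appleDevSigningOID) {
				rest = append(rest, id)
			}
		}
		cert.UnhandledCriticalExtensions = rest
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```

Drive it from a test or a small main: call buildCertWithCriticalExt, then unhandledCriticalOIDs (one entry, the quoted OID), loadKeyPair (nil error), verifyCert with false (x509.UnhandledCriticalExtension) and with true (nil). Clearing an entry from UnhandledCriticalExtensions is a statement that your code has checked that extension's semantics, so do it only for OIDs you actually interpret, never for the whole list.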
What version of Go are you using (go version)?
go version devel +eced964 Tue Apr 14 17:19:36 2015 +0000 darwin/amd64
What operating system and processor architecture are you using?
darwin/amd64
What did you do?
I am using the Azure go-pkcs12 package to load a .p12 file exported from my Mac keychain. The PEM data from this library looks good and is without error, but X509KeyPair fails with:
What did you expect to see?
A valid tls.X509KeyPair without error.
I would like to be able to load .p12 files directly to use with https://github.com/timehop/apns for push notifications. Currently I need to use OpenSSL (bindings) to do the conversion to a format Go understands.
What did you see instead?
x509: unhandled critical extension
This is failing because "Unknown extensions cause an error if marked as critical." (src)
In this case, the failing extension is 1.2.840.113635.100.6.1.2.0.0 (APPLE_EXTENSION_ADC_APPLE_SIGNING), which is flagged as critical.