Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: reading certificates from PKCS12 files #10621

Closed
paulmey opened this issue Apr 29, 2015 · 19 comments
Closed

crypto/x509: reading certificates from PKCS12 files #10621

paulmey opened this issue Apr 29, 2015 · 19 comments
Assignees
Milestone

Comments

@paulmey
Copy link

@paulmey paulmey commented Apr 29, 2015

There is some interest to have a capability to read certificates from PKCS12 (.pfx/.p12) files in the golang standard library or the crypto sub repo. We have a package at https://github.com/Azure/go-pkcs12 that provides this capability and I'm looking for feedback on the API design. Moving Azure/go-pkcs12#9 here.

CC: @agl @rakyll @dgryski @nathany @ahmetalpbalkan

@nathany
Copy link
Contributor

@nathany nathany commented May 27, 2015

@agl @rakyll What's the next step? Would it make sense to contribute to x/crypto as is, and go through the code review process?

@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Jun 3, 2015
@agl
Copy link
Contributor

@agl agl commented Jun 14, 2015

I don't think this would be suitable for the standard library. It might be suitable for x/crypto.

It would really be best for the world if all the PKCS standards disappeared so there is a long-term cost to making it easier to use them. However, that doesn't remove the need that some people have to deal with them today.

It looks like an RC2 implementation would also have to be pulled in, which is fine, although it should probably be a subpackage of the PKCS#12 package—hopefully PKCS#12 is the last thing in the world that needs it.

The interface of the proposed package (https://godoc.org/github.com/Azure/go-pkcs12) looks plausible. As you can probably tell by the latency of my reply, I only get to work on this stuff on the odd weekend so it may take a while to get around to it, but the next step would be to create a code review to add the package to x/crypto.

@nathany
Copy link
Contributor

@nathany nathany commented Jun 14, 2015

Should the package also be able to write PKCS12 certs? Can that sort of thing be added later?

@agl
Copy link
Contributor

@agl agl commented Jun 14, 2015

It's certainly not necessary that the package be able to write PKCS#12 files in the initial revision. If it never needs to then so much the better.

@paulmey
Copy link
Author

@paulmey paulmey commented Jun 20, 2015

It looks like an RC2 implementation would also have to be pulled in, which is fine, although it should probably be a subpackage of the PKCS#12 package—hopefully PKCS#12 is the last thing in the world that needs it.

@dgryski: would it be possible for you to contribute the RC2 code to the pkcs12 repo, so that I can contribute it to x/crypto? It would require a Microsoft CLA if you don't have one yet (much like contributing to Go requires a Google CLA).
Alternatively you can contribute your rc2 package to the x/crypto repo first and I'll follow with the pkcs12 package. I'd even prefer that, but I'm not sure how that works if rc2 is to be a subpackage of the pkcs12 package?

@dgryski
Copy link
Contributor

@dgryski dgryski commented Jun 20, 2015

Either route is fine with me. I just signed the Microsoft CLA. I can file a pull request against go-pkcs12 later today and then this issue can move forward.

@paulmey
Copy link
Author

@paulmey paulmey commented Jun 20, 2015

Thanks, that would be awesome. it will take me some time to get the Go CLA signed on behalf of MS...

@dgryski
Copy link
Contributor

@dgryski dgryski commented Jun 20, 2015

Just filed Azure/go-pkcs12#24 to merge go-rc2 into go-pkcs12.

@nathany
Copy link
Contributor

@nathany nathany commented Jun 20, 2015

@agl There is an open pull request to write PKCS12 files.
Azure/go-pkcs12#22

@paulmey
Copy link
Author

@paulmey paulmey commented Jul 8, 2015

@agl code review opened: https://go-review.googlesource.com/#/c/11986/
Contribution signed off by Microsoft legal, CLA signed

@mattn
Copy link
Member

@mattn mattn commented Aug 3, 2015

any update on this or CL?

@dgryski
Copy link
Contributor

@dgryski dgryski commented Aug 3, 2015

@paulmey is on vacation until Aug 24. Progress is stalled until then. Will need to be updated for Azure/go-pkcs12#25 at least.

@paulmey
Copy link
Author

@paulmey paulmey commented Aug 3, 2015

I'm keeping an eye on my email, but I haven't seen any review comments yet. @agl was assigned as reviewer, but he's very busy these days, I think.

@paultag
Copy link

@paultag paultag commented Sep 1, 2015

This would really rock. I'd love to see this merged. I've been needing to R/W PKCS#12

@nathany
Copy link
Contributor

@nathany nathany commented Sep 12, 2015

@paultag For now you can use https://github.com/Azure/go-pkcs12 to read PKCS#12, and I believe there is an open pull request for writing them as well.

@paultag
Copy link

@paultag paultag commented Sep 12, 2015

@nathany Thanks for that! Looks great!

agl added a commit to golang/crypto that referenced this issue Oct 4, 2015
Package pkcs12 provides some Go implementations of PKCS#12.
This implementation is distilled from https://tools.ietf.org/html/rfc7292 and
referenced documents. It is intented for decoding P12/PFX-stored certificate+key
for use with the crypto/tls package.

Package includes @dgryski's RC2 implementation as a sub package as requested in
golang/go#10621.

Change-Id: I78401241e39cd0099e9082a3a227cf0a3a36e6d1
Reviewed-on: https://go-review.googlesource.com/11986
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
@paulmey
Copy link
Author

@paulmey paulmey commented Oct 5, 2015

Closed by golang/crypto@c8b9e63
Thanks @agl!

@paulmey paulmey closed this Oct 5, 2015
@xh3b4sd
Copy link

@xh3b4sd xh3b4sd commented Oct 4, 2016

I stumbled upon this Issue due to some research. Sorry to misuse this as mailing list now. Maybe somebody hears me anyway. There was a question about writing PKCS12 certs, which does not look like it is possible, but I want to do exactly that. My question is how. Consider the following openssl command:

openssl pkcs12 -export -clcerts -inkey input.key -in input.crt -out output.p12 -name "foo"

How to achieve this in go? Thanks for listening.

@nathany
Copy link
Contributor

@nathany nathany commented Oct 4, 2016

Yah, it isn't currently supported. See Azure/go-pkcs12#28.

@golang golang locked and limited conversation to collaborators Oct 4, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
9 participants
You can’t perform that action at this time.