
crypto/x509: CertificateRequest does not support attributes not covered by pkix.AttributeTypeAndValueSET #15995

Open
groob opened this issue Jun 7, 2016 · 1 comment

Comments

@groob (Contributor) commented Jun 7, 2016

Prior to Go 1.5 it was not possible to parse CSRs which included single attributes like challenge password (OID 1.2.840.113549.1.9.7). See cloudflare/cfssl#115

This issue was addressed in CL #8160 cloudflare/go@23fca3d by ignoring those attributes.

Currently there is no good way to parse and marshal a CSR with attributes that don't fit in the structure defined by pkix.AttributeTypeAndValueSET. Challenge Password is a necessary attribute when implementing the SCEP protocol, which is widely used in IoT and Mobile Device Management environments like the Apple MDM spec.
To extract or add a challenge password attribute, the CSR has to be unmarshalled and modified separately from crypto/x509. Here's an example workaround which reimplements parsing and marshaling the CertificateRequest type.

The crypto/x509 library should have a method for handling special attributes in the CSR. As CL #8160 mentions in the review comments, one possible solution is to add a RawAttributes field to the CertificateRequest struct.

@ianlancetaylor ianlancetaylor changed the title crypto/x509 CertificateRequest does not support attributes not covered by pkix.AttributeTypeAndValueSET crypto/x509: CertificateRequest does not support attributes not covered by pkix.AttributeTypeAndValueSET Jun 7, 2016

@ianlancetaylor (Contributor) commented Jun 7, 2016

CC @agl

@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Jun 7, 2016

@agl agl self-assigned this Aug 19, 2016

groob added a commit to groob/scep that referenced this issue Jul 9, 2017
add x509util package
x509util.CreateCertificateRequest wraps x509.CreateCertificateRequest and adds
support for challengePassword attribute.

Adding a new attribute means re-signing the whole CSR, which means importing
private methods and types from the x509 package.  I hope to eventually submit a CL to the stdlib.

Go Issue: golang/go#15995
groob added a commit to micromdm/scep that referenced this issue Jul 9, 2017
add x509util package
x509util.CreateCertificateRequest wraps x509.CreateCertificateRequest and adds
support for challengePassword attribute.

Adding a new attribute means re-signing the whole CSR, which means importing
private methods and types from the x509 package.  I hope to eventually submit a CL to the stdlib.

Go Issue: golang/go#15995

For #44.
For #22.