x/crypto/pkcs12: unknown attribute with OID 1.3.6.1.4.1.311.17.3.92 #24325

Open
leeview opened this issue Mar 9, 2018 · 6 comments

@leeview
commented Mar 9, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.10

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

windows 10 amd64

What did you do?

I was converting a PFX file to pem.Block using the golang.org/x/crypto/pkcs12.ToPEM() function

What did you expect to see?

the certificate and the key PEM bytes

What did you see instead?

error: pkcs12: unknown attribute with OID 1.3.6.1.4.1.311.17.3.92

http://oid-info.com/get/1.3.6.1.4.1.311.17.3.92

Apparently PFX files (on Windows) can contain an OID which is not handled by the pkcs12 parser.

https://github.com/golang/crypto/blob/master/pkcs12/pkcs12.go#L177

Is there a way to handle this OID or just ignore it if it's not relevant to the output?
Thank you

@gopherbot gopherbot added this to the Unreleased milestone Mar 9, 2018

@andybons

Member

commented Mar 9, 2018

@sooryaprakash99

commented Oct 16, 2018

I am also getting the above error with golang version 1.8.7. Is there any solution?

@adamdecaf

Contributor

commented Oct 16, 2018

It looks like we would need to decode the blob they send (CRYPT_INTEGER_BLOB).

Docs: https://docs.microsoft.com/en-us/windows/desktop/api/wincrypt/nf-wincrypt-certsetcertificatecontextproperty#cert_subject_pub_key_bit_length_prop_id

FWIW I don't see that specific OID on their page, but are there lots of others we'd need to worry about?

https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography

@andrewstuart

commented Oct 17, 2018

Interestingly, a very similar issue has cropped up in our environment just yesterday (for OID 1 3 6 1 4 1 311 17 2). Not sure if there was a Microsoft update or what that recently caused us to start seeing this issue, but we've also had a really hard time tracking down documentation on this particular OID. In our case, the attribute.Value.Bytes is a bunch of \0 bytes, so we've created a mirror as a temporary workaround that ignores empty (after bytes.Trim) OIDs.

It's really hard to figure out what to do with the bytes in our case if they ever are not empty (though honestly in my case, we don't care, we just want the cert, but in the general case that may not be true depending on what they mean).

The best I've been able to come up with as an action plan is to dive into OpenSSL and see how they're handling it, but I'm pretty unfamiliar with both the language and codebase.
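
The workaround described in the comment above (tolerate an unknown attribute OID when its value is empty after `bytes.Trim`) can be written with the standard library alone. This is an added example, not code from this thread or from x/crypto/pkcs12: `classify`, `sample`, the action names and the sample attribute bytes are constructed for illustration, and keeping a non-empty unknown value as uninterpreted hex is an assumed policy.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// bagAttribute is the PKCS#12 bag attribute layout: SEQUENCE { OID, SET OF value }.
type bagAttribute struct {
	ID    asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"set"`
}

// Attribute OIDs this example treats as known; every other OID is "unknown".
var known = map[string]string{
	"1.2.840.113549.1.9.20": "friendlyName",
	"1.2.840.113549.1.9.21": "localKeyId",
	"1.3.6.1.4.1.311.17.1":  "Microsoft CSP Name",
}

// classify decodes one DER attribute and applies an assumed tolerant policy: "known" for
// mapped OIDs, "skip" for an unknown OID holding only NUL bytes, "raw" (hex) otherwise.
func classify(der []byte) (action, key, valueHex string, err error) {
	var a bagAttribute
	if rest, uerr := asn1.Unmarshal(der, &a); uerr != nil || len(rest) != 0 {
		return "", "", "", fmt.Errorf("malformed attribute (err=%v, trailing=%d)", uerr, len(rest))
	}
	oid, body := a.ID.String(), a.Value.Bytes // body is the content of the SET
	if name, ok := known[oid]; ok {
		return "known", name, hex.EncodeToString(body), nil
	}
	if len(bytes.Trim(body, "\x00")) == 0 {
		return "skip", oid, "", nil
	}
	return "raw", oid, hex.EncodeToString(body), nil
}

// sample builds a constructed attribute for the demo (not taken from a real PFX file).
func sample(oid asn1.ObjectIdentifier, set []byte) []byte {
	der, _ := asn1.Marshal(bagAttribute{oid, asn1.RawValue{Tag: asn1.TagSet, IsCompound: true, Bytes: set}})
	return der
}

func main() {
	fmt.Println(classify(sample(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 17, 2}, nil)))
	fmt.Println(classify(sample(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 17, 3, 92}, []byte{0x04, 0x01, 0x2a})))
}
```

Surfacing the non-empty case as "raw" instead of dropping it keeps the caller aware that the file carried data the parser did not interpret.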

@FiloSottile FiloSottile changed the title x/crypto: pkcs12 unknown attribute with OID 1.3.6.1.4.1.311.17.3.92 x/crypto/pkcs12: unknown attribute with OID 1.3.6.1.4.1.311.17.3.92 Feb 9, 2019

@paulmey

commented Mar 19, 2019

Ran into 1.3.6.1.4.1.311.17.2 as well... OpenSSL seems to decode that OID as Microsoft Local Key set and I've only seen <No Values> as the value so far.

@gopherbot

commented Mar 22, 2019

Change https://golang.org/cl/166520 mentions this issue: pkcs12: updates certificate parsing with attribute 'Microsoft Local Key set'
