Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: crypto/x509: expose hash algorithm for SignatureAlgorithm #33317

Open
bodgit opened this issue Jul 27, 2019 · 3 comments · May be fixed by #33318

Comments

@bodgit
Copy link

commented Jul 27, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12.7 darwin/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/matt/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/matt/Documents/work"
GOPROXY=""
GORACE=""
GOROOT="/opt/local/lib/go"
GOTMPDIR=""
GOTOOLDIR="/opt/local/lib/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="/usr/bin/clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/_k/xdj1vdy51gb4pbncgvq0p03w0000gn/T/go-build134256866=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

As part of generating TLS channel bindings (RFC 5929) it is necessary to generate a hash of a given certificate using the hashing algorithm used in its SignatureAlgorithm, (with some exceptions documented in the RFC). So for example a SignatureAlgorithm of x509.SHA256WithRSA should use crypto.SHA256 to generate its tls-server-end-point channel binding type, etc.

What did you expect to see?

I was hoping to have a method on SignatureAlgorithm to return its associated crypto.Hash. This information is available in the unexported signatureAlgorithmDetails struct.

What did you see instead?

For now, I have made my own map[x509.SignatureAlgorithm]crypto.Hash but as new algorithms are added this needs to be kept in sync, (x509.PureEd25519 for example has been added to the source since 1.12.7).

I propose adding a simple method along the lines of:

func (algo SignatureAlgorithm) Hash() crypto.Hash {                                 
        for _, details := range signatureAlgorithmDetails {                         
                if details.algo == algo {                                           
                        return details.hash                                         
                }                                                                   
        }                                                                           
        return crypto.Hash(0)                                                       
}                                                                                   
bodgit added a commit to bodgit/go that referenced this issue Jul 27, 2019
crypto/x509: add SignatureAlgorithm.Hash()
Add method to return the hashing algorithm associated with a
certificates signature algorithm. This is useful when generating TLS
channel bindings as documented in RFC 5929.

Fixes golang#33317
@bodgit bodgit referenced a pull request that will close this issue Jul 27, 2019
@gopherbot

This comment has been minimized.

Copy link

commented Jul 27, 2019

Change https://golang.org/cl/187778 mentions this issue: crypto/x509: add SignatureAlgorithm.Hash()

@julieqiu

This comment has been minimized.

Copy link

commented Jul 27, 2019

@odeke-em odeke-em changed the title crypto/x509: expose hash algorithm for SignatureAlgorithm proposal: crypto/x509: expose hash algorithm for SignatureAlgorithm Sep 1, 2019

@gopherbot gopherbot added this to the Proposal milestone Sep 1, 2019

@gopherbot gopherbot added the Proposal label Sep 1, 2019

@odeke-em

This comment has been minimized.

Copy link
Member

commented Sep 1, 2019

Thank you for this request @bodgit and welcome to the Go project!
Thank you @julieqiu for the triage and tag.

While this request and its corresponding CL are simple and straight forward, and it follows pretty much what we did for (SignatureAlgorithm).String() https://golang.org/pkg/crypto/x509/#SignatureAlgorithm.String, I have tagged it as a proposal because it increases the API surface.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.