Description
What version of Go are you using (go version)?
$ go version
go version go1.16.6 linux/amd64
Does this issue reproduce with the latest release?
Yes, according to the sources.
What operating system and processor architecture are you using (go env)?
go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/user/.cache/go-build"
GOENV="/home/user/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/user/repos/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/user/repos/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.6"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build169247540=/tmp/go-build -gno-record-gcc-switches"
What did you do?
I'm playing around with TPM Endorsement Key certificates. One of the things I want to achieve is to verify an EK certificate against the root CA. The function looks like:
package verifier

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Verifier holds the trusted EK root and intermediate certificate pools.
type Verifier struct {
	ekRoots         *x509.CertPool
	ekIntermediates *x509.CertPool
}

// VerifyEK parses a PEM-encoded EK certificate and chains it to the trusted roots.
func (v *Verifier) VerifyEK(ekPem []byte) (bool, error) {
	block, _ := pem.Decode(ekPem)
	if block == nil {
		return false, errors.New("failed to parse certificate PEM")
	}
	ek, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("failed to parse certificate: %w", err)
	}
	opts := x509.VerifyOptions{
		Roots:         v.ekRoots,
		Intermediates: v.ekIntermediates,
	}
	if _, err := ek.Verify(opts); err != nil {
		return false, fmt.Errorf("failed to verify certificate: %w", err)
	}
	return true, nil
}
What did you expect to see?
I expect all ExtKeyUsages to be correctly parsed with ParseCertificate.
What did you see instead?
UnknownExtKeyUsage of the x509.Certificate object (ek) is not empty. It contains asn1.ObjectIdentifier 2.23.133.8.1. Verification fails with x509: certificate specifies an incompatible key usage. The latter can be fixed by adding KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny} to x509.VerifyOptions.
The reason
crypto/x509 has extKeyUsageOIDs.
extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
There is no tcg-kp OID.
The proposal
Add tcg-kp OIDs to extKeyUsageOIDs. However, I understand that it can be excessive as there are plenty of other OIDs people may wish to add.
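The behaviour described in this report, as an added, self-contained example (not code from the issue or from the Go project): it builds a constructed root CA and an EK-style leaf whose only EKU is the tcg-kp-EKCertificate OID 2.23.133.8.1, reproduces the "incompatible key usage" failure, applies the ExtKeyUsageAny workaround, and then checks the OID explicitly, because ExtKeyUsageAny disables Go's EKU check altogether. The names issue, makeChain, verifyEK and ekuAnyWorkaround are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidTCGEKCertificate = asn1.ObjectIdentifier{2, 23, 133, 8, 1} // tcg-kp-EKCertificate, from the report
var ekuAnyWorkaround = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}   // the KeyUsages value the report adds
// issue sets a validity window on t, signs it under parent and parses it back (fixture: panics on error).
func issue(t, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, cannot fail to parse
	return cert
}
// makeChain: a constructed root CA plus an EK-style leaf whose only EKU is the tcg-kp OID,
// which ParseCertificate keeps in UnknownExtKeyUsage rather than ExtKeyUsage.
func makeChain() (root, leaf *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one key signs both certs; fixture only
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed EK Root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(rootTmpl, rootTmpl, pub, priv)
	leaf = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed EK"},
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidTCGEKCertificate}}, root, pub, priv)
	return root, leaf
}
// verifyEK follows the report's VerifyEK; ekuAnyWorkaround disables Go's EKU check, so the tcg-kp OID is re-checked by hand.
func verifyEK(leaf, root *x509.Certificate, usages []x509.ExtKeyUsage) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: usages}
	opts.Roots.AddCert(root)
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("failed to verify certificate: %w", err)
	}
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(oidTCGEKCertificate) {
			return nil
		}
	}
	return fmt.Errorf("certificate lacks the tcg-kp-EKCertificate EKU")
}
```

Calling verifyEK with usages nil reproduces the report's failure; passing ekuAnyWorkaround makes Verify succeed and leaves the OID check to the loop at the end.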