crypto/x509: support OIDs for tcg-kp (2.23.133.8) #47620

Open
tracefinder opened this issue Aug 10, 2021 · 1 comment
Labels
NeedsInvestigation

Comments

@tracefinder tracefinder commented Aug 10, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16.6 linux/amd64

Does this issue reproduce with the latest release?

Yes, according to the sources.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/user/.cache/go-build"
GOENV="/home/user/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/user/repos/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/user/repos/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.6"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build169247540=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I'm playing around with TPM Endorsement Key certificates. One of the things I want to achieve is to verify an EK certificate against the root CA. The function looks like

package verifier

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Verifier holds the trusted EK root and intermediate certificate pools.
type Verifier struct {
	ekRoots         *x509.CertPool
	ekIntermediates *x509.CertPool
}

// VerifyEK decodes a PEM-encoded EK certificate and verifies it against the
// configured roots and intermediates.
func (v *Verifier) VerifyEK(ekPem []byte) (bool, error) {
	block, _ := pem.Decode(ekPem)
	if block == nil {
		return false, errors.New("failed to parse certificate PEM")
	}

	ek, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("failed to parse certificate: %w", err)
	}

	opts := x509.VerifyOptions{
		Roots:         v.ekRoots,
		Intermediates: v.ekIntermediates,
	}
	if _, err := ek.Verify(opts); err != nil {
		return false, fmt.Errorf("failed to verify certificate: %w", err)
	}

	return true, nil
}

What did you expect to see?

I expect all ExtKeyUsages to be correctly parsed with ParseCertificate.

What did you see instead?

UnknownExtKeyUsage of the x509.Certificate object (ek) is not empty. It contains asn1.ObjectIdentifier 2.23.133.8.1. Verification fails with x509: certificate specifies an incompatible key usage. The latter can be fixed by adding KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny} to x509.VerifyOptions.

The reason

crypto/x509 has extKeyUsageOIDs:

extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID

There is no tcg-kp OID in it.

The proposal

Add tcg-kp OIDs to extKeyUsageOIDs. However, I understand that it can be excessive as there are plenty of other OIDs people may wish to add.
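
The behaviour described in this report, reproduced as an added example that is not part of the issue or of crypto/x509 itself. It generates a constructed root CA and a leaf shaped like an EK certificate (its only EKU is 2.23.133.8.1) in memory, shows that Verify with default options rejects it, applies the ExtKeyUsageAny workaround, and then checks the tcg-kp-EKCertificate OID explicitly, because ExtKeyUsageAny disables Verify's EKU matching for the whole chain. The function names (makeTestChain, verifyEKDefault, verifyEK) and the certificate subjects are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// tcg-kp-EKCertificate (2.23.133.8.1). crypto/x509 has no ExtKeyUsage
// constant for it, so ParseCertificate puts it into UnknownExtKeyUsage.
var oidTCGKPEKCertificate = asn1.ObjectIdentifier{2, 23, 133, 8, 1}

// makeTestChain generates a constructed root CA and a leaf shaped like an EK
// certificate (only EKU: the tcg-kp OID). Nothing here comes from a real TPM.
func makeTestChain() (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed EK Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}
	ekKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            pkix.Name{CommonName: "Constructed TPM EK"},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidTCGKPEKCertificate},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &ekKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// verifyEKDefault reproduces the report: with KeyUsages unset, Verify demands
// ExtKeyUsageServerAuth and rejects a leaf whose only EKU is an unknown OID.
func verifyEKDefault(roots *x509.CertPool, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// verifyEK applies the ExtKeyUsageAny workaround, then re-checks the EKU by
// hand: ExtKeyUsageAny turns off EKU matching, so any EKU (or none) would pass.
func verifyEK(roots *x509.CertPool, leaf *x509.Certificate) error {
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(oidTCGKPEKCertificate) {
			return nil
		}
	}
	return errors.New("certificate lacks tcg-kp-EKCertificate (2.23.133.8.1)")
}

func main() {
	root, leaf, err := makeTestChain()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println("default options:", verifyEKDefault(roots, leaf))
	fmt.Println("ExtKeyUsageAny + explicit OID check:", verifyEK(roots, leaf))
}
```

The explicit loop over UnknownExtKeyUsage is the part the workaround alone loses: once KeyUsages contains ExtKeyUsageAny, Verify no longer constrains the leaf's purpose at all, so a caller that wants "this is an EK certificate" still has to assert the OID itself.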

@seankhliao seankhliao added the NeedsInvestigation label Aug 10, 2021

@seankhliao seankhliao commented Aug 10, 2021

cc @FiloSottile
