Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: does not implement other hash algorithms then SHA1WithRSA #988

Closed
gopherbot opened this issue Aug 1, 2010 · 6 comments
Closed
Assignees

Comments

@gopherbot
Copy link

@gopherbot gopherbot commented Aug 1, 2010

by jdnurmi:

crypto/x509 does not actually use any algorithms but SHA1WithRSA, and any attempt to
create or validate one will fail.

I've attached a patch that expands its capabilities to include RSA+MD5,SHA256,384 &
512.

It is a breaking patch, in that anyone using CreateCertificate without having specified
SignatureAlgorithm will get an error.

It's a rough patch that just implements that bare functionality (and test fixes).  I am
completely open to fixing this for style or functionality as needed, or you can just run
with it;  I have verified go can verify its own generated certs, and that openSSL can
parse them -- though I've not done extensive validation tests.

I'm also by no means a crypto expert, but the places I needed to patch seemed pretty
straight forward.

Attachments:

  1. x509-patch.1 (4480 bytes)
@gopherbot
Copy link
Author

@gopherbot gopherbot commented Aug 1, 2010

Comment 1 by jdnurmi:

The bored might also want a DSA patch
@gopherbot
Copy link
Author

@gopherbot gopherbot commented Aug 1, 2010

Comment 2 by jdnurmi:

One last note for you;  Utilizing:
grep -v --  '-----' /etc/ssl/certs/Equifax_Secure_CA.pem | base64 -d | dumpasn1 -
and 
dumpasn1 - < go-generated.der
I noticed some potential ASN.1 rendering errors relating to (I think) the boolean type. 
I don't know enough about ASN.1 to know what the error is, but I don't see anything
obvious since the rest of the object seems to dump fine.
I don't see similar ASN.1 errors in any other certs I tested in the standard
ca-certificates bundle, so my inclination is to say this should be examined more closely
and fixed.
@rsc
Copy link
Contributor

@rsc rsc commented Aug 6, 2010

Comment 3:

Thanks for the patch.  Could you please send it in using
the code review tools as described at
http://golang.org/doc/contribute.html ?
That makes it easier for us to comment and
eventually apply it.  In the change list description
you can end with the line
Fixes issue #988.
and when it is submitted it will close this issue.
Thanks very much.
Russ

Owner changed to r...@golang.org.

Status changed to Started.

@rsc
Copy link
Contributor

@rsc rsc commented Aug 12, 2010

Comment 4:

Status changed to WaitingForReply.

@rsc
Copy link
Contributor

@rsc rsc commented Sep 11, 2010

Comment 5:

jdnurmi:  Are you interested in sending this code via the code review process?
See http://golang.org/doc/contribute.html.  We need to do it that way for
our records and also to get your name in the commit log.
Thanks.
@rsc
Copy link
Contributor

@rsc rsc commented Dec 16, 2010

Comment 6:

Status changed to TimedOut.

@mikioh mikioh changed the title crypto/x509 does not implement other hash algorithms then SHA1WithRSA crypto/x509: does not implement other hash algorithms then SHA1WithRSA Jan 14, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.