Validate spkac signature #1

merged 3 commits into from Feb 15, 2017


None yet

3 participants


This PR does a few things, two minor and one kinda major:

  • It updates some of the code to use the newer go's types as available (crypto.PublicKey, which might not be much use for typechecking but provides an interesting type hint for the user of this package)

  • It fixes a few linter errors in tests - using t.Errorf.

  • And finally (and majorly), it introduces a function ValidateSPKAC, which not only extracts the public key from an SPKAC, but will also validate the signature on it, provided go lets you (it will refuse to validate RSA+MD5 and RSA+MD2 signatures, which I guess is fine, and if you expect those you should probably be using the plain ParseSPKAC method.

I've updated docstrings and added two tests (one for a validating signature, and one for a non-validating one, both constructed from the same blob as returned by google's Verified Access API).

I hope you find this change acceptable - please let me know if there's anything that I can adjust (:

asf-stripe added some commits Feb 15, 2017
@asf-stripe asf-stripe Fix test lint problems: Use t.Errorf for format strings 257e496
@asf-stripe asf-stripe Update return types to be crypto.PublicKey
Type checking will not be any more strict, but we can at least
communicate to the user of this package what they can expect back.
@asf-stripe asf-stripe New function: ValidateSPKAC: parse SPKACs and check their signatures
Given a sufficiently-modern SPKAC (provided you're not using one with
an outdated/broken message digest), you can have go validate the
signature on it, so this gives us that capability.

The main annoyance with this is that openssl can't generate these
SPKACs as far as I can tell - for testing, you have to take ones from
a source that is known to generate "good" ones.
@longsleep longsleep merged commit ec42af0 into longsleep:master Feb 15, 2017

Thanks for those high quality changes. I thought this module to be kind of obsolete - if you tell me there are still some use cases for pkac/spkac then i will gladly come back to it from time to time and ensure compatibility as go/crypto evolves - just let me know :)


I'm glad you like these! I myself had never heard of SPKAC before, but it turns out that the google verified access api returns SPKAC blobs from their "user validation" endpoint (even though their documentation hints it might be a PKCS#10 CSR).

I suspect that a bunch of organizations are backed by G Suite, and they're probably interested in validating user/machine identities on chromebooks, so this repo might see renewed interest ((:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment