x/crypto/pkcs12: SSL certificate decode validation error #14015
Comments
tipycalFlow
changed the title
ianlancetaylor
changed the title
|
CC @agl |
|
@tipycalFlow If you comment out that validation and
For a project I'm working on, I would like to include an intermediate certificate in the .p12 (2 certs, one private key). I'd prefer not to use ToPEM to Marshal keys if it's unnecessary. |
|
This issue isn't tied to the release cycle, but I'm planning to wait until after Go 1.6 is released and things settle down. Adding a func DecodeAll(pfxData []byte, password string) (privateKeys []interface{}, certificates []*x509.Certificate, err error) {Right now the keys or interface{} because they may be RSA or another format. I don't know that there is any better option, but I'd like to look into that. I'd also like to include an example of using this method with TLS, which isn't immediately obvious. P.S. I think there is a bug in the current implementation where it continues to decode bags after an "pkcs12: expected exactly one certificate bag" error. There should be a return statement and tests around this. In reality this is unlikely to be triggered thanks to an earlier check. The p12 would need to be contain exactly two certs and no keys. |
|
Same error in 1.7. 1 |
|
@zhengying Sorry, I haven't worked on this yet. The x/crypto library isn't tied to a Go release, so once this issue is closed you will be able to just update x/crypto. If anyone else wants to contribute a CL (change list), please don't wait for me. NOTE: Another consideration is whether to contribute to x/crypto at all, or just patch an independent repository. See Azure/go-pkcs12#28. |
|
I am sorry to bring up this old issue again. Is there a decision about DecodeAll function and x/crypto/pkcs12? If DecodeAll won't be added into x/crypto/pkcs12, which fork one should use? https://github.com/lotus-wu/go-pkcs12 ? My use case is to decode certificate chain from p12 for use with the crypto/tls. I don't need encoding of p12. |
|
I ran into a similar problem (#23499) with the other |
|
For the record, I just submitted a PR that adds the |
Addition of a DecodeAll function as it was mentioned in #14015. This solves a need many people seem to have, where there is no effective way loading PKCS12 files that contain more than one certificate and one private key. The utility functions used by Decode are all internal, which makes implementing this on the user-side tedious, hence the suggestion of providing a more liberal version of the function: DecodeAll. Fixes golang/go#14015
|
Change https://golang.org/cl/105876 mentions this issue: |
|
Why is this code review still open? There is a remark about the commit message but I don't understand if that is a question or just an edit? |
|
Change https://golang.org/cl/160257 mentions this issue: |
|
Change https://golang.org/cl/160258 mentions this issue: |
This reverts commit bf88e3f. Reason for revert: https://go-review.googlesource.com/c/crypto/+/105876/12#message-0dad31af2b487e895ee6926ded82f85ac81c74f8 Updates golang/go#14015 Change-Id: I8eb3ed73f78ac11841ad73435bba00a330d59b58 Reviewed-on: https://go-review.googlesource.com/c/160257 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
|
As explained in https://go-review.googlesource.com/c/crypto/+/105876/12#message-0dad31af2b487e895ee6926ded82f85ac81c74f8 I reverted this PR. If you need to extract multiple certificates/keys, you can use ToPEM which will give you all the contents of the file. If you do want to add a helper for that operation, I suggest sending a PR to software.sslmate.com/src/go-pkcs12 (https://github.com/SSLMate/go-pkcs12). |
|
Maintainer of |
Updates golang/go#14015 Change-Id: Iffe73540c5d74e4b3d0664035a1bdce5b47663ee Reviewed-on: https://go-review.googlesource.com/c/160258 Reviewed-by: Bryan C. Mills <bcmills@google.com>
Addition of a DecodeAll function as it was mentioned in #14015. This solves a need many people seem to have, where there is no effective way loading PKCS12 files that contain more than one certificate and one private key. The utility functions used by Decode are all internal, which makes implementing this on the user-side tedious, hence the suggestion of providing a more liberal version of the function: DecodeAll. Fixes golang/go#14015 Change-Id: I03c541553b6cb488c2c59d39575342a43136e592 GitHub-Last-Rev: 05f6847ff80ca34c92a01a688c7b81e874af3009 GitHub-Pull-Request: golang/crypto#38 Reviewed-on: https://go-review.googlesource.com/c/105876 Reviewed-by: Adam Shannon <adamkshannon@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Addition of a DecodeAll function as it was mentioned in #14015. This solves a need many people seem to have, where there is no effective way loading PKCS12 files that contain more than one certificate and one private key. The utility functions used by Decode are all internal, which makes implementing this on the user-side tedious, hence the suggestion of providing a more liberal version of the function: DecodeAll. Fixes golang/go#14015 Change-Id: I03c541553b6cb488c2c59d39575342a43136e592 GitHub-Last-Rev: 05f6847ff80ca34c92a01a688c7b81e874af3009 GitHub-Pull-Request: golang/crypto#38 Reviewed-on: https://go-review.googlesource.com/c/105876 Reviewed-by: Adam Shannon <adamkshannon@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Addition of a DecodeAll function as it was mentioned in #14015. This solves a need many people seem to have, where there is no effective way loading PKCS12 files that contain more than one certificate and one private key. The utility functions used by Decode are all internal, which makes implementing this on the user-side tedious, hence the suggestion of providing a more liberal version of the function: DecodeAll. Fixes golang/go#14015 Change-Id: I03c541553b6cb488c2c59d39575342a43136e592 GitHub-Last-Rev: 05f6847ff80ca34c92a01a688c7b81e874af3009 GitHub-Pull-Request: golang/crypto#38 Reviewed-on: https://go-review.googlesource.com/c/105876 Reviewed-by: Adam Shannon <adamkshannon@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Addition of a DecodeAll function as it was mentioned in #14015. This solves a need many people seem to have, where there is no effective way loading PKCS12 files that contain more than one certificate and one private key. The utility functions used by Decode are all internal, which makes implementing this on the user-side tedious, hence the suggestion of providing a more liberal version of the function: DecodeAll. Fixes golang/go#14015 Change-Id: I03c541553b6cb488c2c59d39575342a43136e592 GitHub-Last-Rev: 05f6847ff80ca34c92a01a688c7b81e874af3009 GitHub-Pull-Request: golang/crypto#38 Reviewed-on: https://go-review.googlesource.com/c/105876 Reviewed-by: Adam Shannon <adamkshannon@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Addition of a DecodeAll function as it was mentioned in #14015. This solves a need many people seem to have, where there is no effective way loading PKCS12 files that contain more than one certificate and one private key. The utility functions used by Decode are all internal, which makes implementing this on the user-side tedious, hence the suggestion of providing a more liberal version of the function: DecodeAll. Fixes golang/go#14015 Change-Id: I03c541553b6cb488c2c59d39575342a43136e592 GitHub-Last-Rev: 05f6847 GitHub-Pull-Request: golang#38 Reviewed-on: https://go-review.googlesource.com/c/105876 Reviewed-by: Adam Shannon <adamkshannon@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
This is in continuation with #13855
I'm trying to use the
x/crypto/pkcs12package'sDecodemethod to read this p12 file (public-certificate + private-key pair) with passwordgooglerto further generate a TLS certificate but get the following error:pkcs12: expected exactly two safe bags in the PFX PDUHere's how I'm reading the certificate file:
p12, err := ioutil.ReadFile("filename")and I'm passing the read binary data to
Decode(p12, "password")I logged the number of safe bags returned from
getSafeContentsbefore line 219:if len(bags) != 2 {and it returned 4, which is whyDecodeis failing. Now I'm usinggo1.6beta1 darwin/amd64on OS X Yosemite version 10.10.5 (14F1509) and I generate the certificate by exporting both certificate and private key to a.p12as shown below:I suspect the validation at line 219:
if len(bags) != 2 {might be either incomplete or maybe I'm missing something. I've attached the certificate in question here with passwordgooglerfor testing...The text was updated successfully, but these errors were encountered: