Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: CertificateRequest does not support attributes not covered by pkix.AttributeTypeAndValueSET #15995

Open
groob opened this issue Jun 7, 2016 · 2 comments
Open

crypto/x509: CertificateRequest does not support attributes not covered by pkix.AttributeTypeAndValueSET #15995

groob opened this issue Jun 7, 2016 · 2 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unplanned

Comments

@groob
Copy link
Contributor

groob commented Jun 7, 2016

Prior to Go 1.5 it was not possible to parse CSRs which included single attributes like challenge password( OID 1.2.840.113549.1.9.7) See cloudflare/cfssl#115

This issue was addressed in CL #8160 cloudflare/go@23fca3d by ignoring those attributes.

Currently there is no good way to parse and marshal a CSR with attributes that don't fit in the structure defined by pkix.AttributeTypeAndValueSET. Challenge Password is a necessary attribute when implementing the SCEP Protocol which is widely used in IoT and Mobile Device Management environments like the Apple MDM spec.
To extract or add a challenge password attribute, the CSR has to be unmarshalled and modified separately from the x509/crypto. Here's an example workaround which reimplements parsing and marshaling the CertificateRequest type.

The x509/crypto library should have a method for handling special attributes in the CSR. As CL #8160 mentions in the review comments, one possible solution is to add a RawAttributes field to the CertificateRequest struct.
@ianlancetaylor ianlancetaylor changed the title crypto/x509 CertificateRequest does not support attributes not covered by pkix.AttributeTypeAndValueSET crypto/x509: CertificateRequest does not support attributes not covered by pkix.AttributeTypeAndValueSET Jun 7, 2016
@ianlancetaylor
Copy link
Member

CC @agl

@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Jun 7, 2016
@agl agl self-assigned this Aug 19, 2016
groob added a commit to groob/scep that referenced this issue Jul 9, 2017
@groob
add x509util package
e4de8a0 
x509util.CreateCertificateRequest wraps x509.CreateCertificateRequest and adds
support for challengePassword attribute.

Adding a new attribute means re-signing the whole CSR, which means importing
private methods and types from the x509 package.  I hope to eventually submit a CL to the stdlib.

Go Issue: golang/go#15995
@groob groob mentioned this issue Jul 9, 2017
Merged
groob added a commit to groob/scep that referenced this issue Jul 9, 2017
@groob
add x509util package
9b56863 
x509util.CreateCertificateRequest wraps x509.CreateCertificateRequest and adds
support for challengePassword attribute.

Adding a new attribute means re-signing the whole CSR, which means importing
private methods and types from the x509 package.  I hope to eventually submit a CL to the stdlib.

Go Issue: golang/go#15995

For micromdm#44.
groob added a commit to groob/scep that referenced this issue Jul 9, 2017
@groob
add x509util package
56f38fa 
x509util.CreateCertificateRequest wraps x509.CreateCertificateRequest and adds
support for challengePassword attribute.

Adding a new attribute means re-signing the whole CSR, which means importing
private methods and types from the x509 package.  I hope to eventually submit a CL to the stdlib.

Go Issue: golang/go#15995

For micromdm#44.
For micromdm#22.
groob added a commit to groob/scep that referenced this issue Jul 9, 2017
@groob
add x509util package
f0a3eb9 
x509util.CreateCertificateRequest wraps x509.CreateCertificateRequest and adds
support for challengePassword attribute.

Adding a new attribute means re-signing the whole CSR, which means importing
private methods and types from the x509 package.  I hope to eventually submit a CL to the stdlib.

Go Issue: golang/go#15995

For micromdm#44.
For micromdm#22.
groob added a commit to micromdm/scep that referenced this issue Jul 9, 2017
@groob
add x509util package
9843bbd 
x509util.CreateCertificateRequest wraps x509.CreateCertificateRequest and adds
support for challengePassword attribute.

Adding a new attribute means re-signing the whole CSR, which means importing
private methods and types from the x509 package.  I hope to eventually submit a CL to the stdlib.

Go Issue: golang/go#15995

For #44.
For #22.
@alexzorin alexzorin mentioned this issue Apr 6, 2020
Closed
@rsc rsc unassigned agl Jun 23, 2022
@dachaac dachaac mentioned this issue Jun 10, 2023
Open
@mobe1
Copy link

mobe1 commented Mar 28, 2024

Hi,

Do we have any update on this?
We'd like to follow the standard in Go, whether it's SCEP or EST.

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
5 participants
@agl @groob @ianlancetaylor @seankhliao @mobe1