crypto/x509: missing support for EC parameter encoding #16660

Closed
ghost opened this issue Aug 10, 2016 · 2 comments
Labels: FrozenDueToAge, NeedsDecision (Feedback is required from experts, contributors, and/or the community before a change can be made.)

ghost commented Aug 10, 2016

LetsEncrypt's "Boulder" server, the backend for processing CSRs, apparently uses

go1.6.2 linux/amd64

and specifically

the upstream Golang x509 package ... to process CSRs.

If a CSR submitted to LetsEncrypt service references a PrivKey that has ec parameters explicitly encoded, e.g.,

```
openssl ecparam \
 -genkey \
 -param_enc explicit \
...
```

, perfectly valid under OpenSSL, the Boulder server process fails with a server error

```
Err: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2
Req: (*x509.CertificateRequest)(nil)
```

This is claimed as a result of GoLang's X509 pkg lacking support

The upstream x509 library does not support explicit parameter encoding 

Despite their befuddling insistence that

regardless of whether it is added there we likely won't support it in Boulder.

it'll be useful for GoLang's X509 pkg to implement feature parity with OpenSSL in supporting the explicit parameter encoding

More detail's provided in the original bug post there

Certbot “Exiting abnormally” if CSR uses PrivKey with ec parameters encoded (=param_enc explicit)

https://community.letsencrypt.org/t/certbot-exiting-abnormally-if-csr-uses-privkey-with-ec-parameters-encoded-param-enc-explicit/18814

I can provide additional info here as requested

@bradfitz bradfitz changed the title from "GoLang (go1.6.2) x509 pkg missing support for EC parameter encoding" to "crypto/x509: missing support for EC parameter encoding" Aug 10, 2016
@bradfitz bradfitz added the NeedsDecision label Aug 10, 2016
@bradfitz
Contributor

To @agl for a decision.

@bradfitz bradfitz added this to the Go1.8Maybe milestone Aug 10, 2016
@agl
Contributor

agl commented Aug 10, 2016

I don't believe that we want to support this. Arbitrary EC curves were an old, excessive generality and Go doesn't have generic EC code in any case. Sometimes the explicit parameters happen to match a well-known curve and we could recognise those, but then it's just a waste of bytes and the generating code should have used a named curve instead.

@golang golang locked and limited conversation to collaborators Aug 10, 2017
@rsc rsc unassigned agl Jun 23, 2022
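
A pre-flight check for the situation discussed in this thread, as an added example (not code from Go, Boulder or any participant): RFC 5480 defines the EC key parameters as a CHOICE between a named-curve OBJECT IDENTIFIER and an explicit SEQUENCE, so the tag of that field is enough to give the submitter a clear error before `crypto/x509` returns a generic one. `CheckECKey`, `Sample` and `ErrExplicit` are hypothetical names, the sample keys are constructed, and the check runs on a SubjectPublicKeyInfo, the key structure a CSR embeds.

```go
package main

import (
	"crypto/elliptic"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
)

type spki struct { // SubjectPublicKeyInfo, the key structure inside a CSR
	Algo pkix.AlgorithmIdentifier
	Key  asn1.BitString
}
var oidEC = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1} // id-ecPublicKey
var ErrExplicit = fmt.Errorf("EC key carries explicit domain parameters, not a named-curve OID")

// CheckECKey rejects explicit parameters with a clear error before crypto/x509 sees the key.
func CheckECKey(der []byte) error {
	var s spki
	if rest, err := asn1.Unmarshal(der, &s); err != nil || len(rest) != 0 {
		return fmt.Errorf("not a single DER SubjectPublicKeyInfo")
	}
	p := s.Algo.Parameters // RFC 5480 CHOICE: OBJECT IDENTIFIER = named, SEQUENCE = explicit
	if s.Algo.Algorithm.Equal(oidEC) && p.Class == asn1.ClassUniversal && p.Tag == asn1.TagSequence {
		return ErrExplicit
	}
	_, err := x509.ParsePKIXPublicKey(der)
	return err
}

// Sample builds a constructed P-256 key whose public point is the generator G.
func Sample(explicit bool) []byte {
	c := elliptic.P256().Params()
	g := append(append([]byte{4}, c.Gx.Bytes()...), c.Gy.Bytes()...)          // 04||X||Y
	var params interface{} = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7} // prime256v1
	if explicit { // version, fieldID{prime-field, p}, curve{a = p-3, b}, base, order, cofactor
		params = []interface{}{1, []interface{}{asn1.ObjectIdentifier{1, 2, 840, 10045, 1, 1}, c.P},
			[]interface{}{new(big.Int).Sub(c.P, big.NewInt(3)).Bytes(), c.B.Bytes()}, g, c.N, 1}
	}
	raw, _ := asn1.Marshal(params)
	alg := pkix.AlgorithmIdentifier{Algorithm: oidEC, Parameters: asn1.RawValue{FullBytes: raw}}
	der, _ := asn1.Marshal(spki{alg, asn1.BitString{Bytes: g, BitLength: 8 * len(g)}})
	return der
}

func main() {
	fmt.Printf("named: %v\nexplicit: %v\n", CheckECKey(Sample(false)), CheckECKey(Sample(true)))
}
```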