encoding/asn1: tags don't match parsing certificate #18634

Closed
jefferai opened this issue Jan 12, 2017 · 4 comments
Labels: FrozenDueToAge, NeedsInvestigation
Comments

@jefferai

Maybe related to #18584 but not fixed by 1.8rc1.

What version of Go are you using (go version)?

go version go1.8rc1 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/jeff/go"
GORACE=""
GOROOT="/Users/jeff/src/go"
GOTOOLDIR="/Users/jeff/src/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/h0/06d2pyw96751gy0j9t96kvrc0000gn/T/go-build693834288=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

Attempted to parse a certificate produced by Puppet and signed with EC keys. openssl asn1parse does not complain and the certificate is successfully displayed.

The program and input are at https://play.golang.org/p/5jEVqD5No9

What did you expect to see?

A parsed certificate.

What did you see instead?

asn1: structure error: tags don't match (6 vs {class:0 tag:16 length:450 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @4

@bradfitz (Contributor)

Not a regression from Go 1.7, so this isn't a Go 1.8 candidate at this stage. Targeting Go 1.9.

$ go run prog.go
2017/01/12 17:58:10 asn1: structure error: tags don't match (6 vs {class:0 tag:16 length:450 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @4
exit status 1

$ GOROOT=$HOME/go1.7 go run prog.go
2017/01/12 17:58:23 asn1: structure error: tags don't match (6 vs {class:0 tag:16 length:450 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @4
exit status 1

@bradfitz bradfitz added the NeedsInvestigation label Jan 12, 2017

@agl (Contributor) commented Jan 12, 2017

The certificate is trying to use arbitrary curves rather than specifying one.

If this is coming from OpenSSL then the code needs to call EC_GROUP_set_asn1_flag with OPENSSL_EC_NAMED_CURVE.

@agl agl closed this as completed Jan 12, 2017
@koweblomke commented Jan 13, 2017

@agl: Can you explain this a bit more?

This is the way the EC key was generated:
openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 -out ecp.pem
openssl genpkey -paramfile ecp.pem -aes256 -pass file:.passphrase -out imca.key.pem

What do you mean by "The certificate is trying to use arbitrary curves rather than specifying one."?
Is the certificate and its key created wrongly, or is the parsing of the certificate going wrong?

@agl (Contributor) commented Jan 13, 2017

A long time ago it was unclear which elliptic curves would end up being a good idea so formats were designed to support arbitrary curves: i.e. the public key can contain the specification for any curve over prime or binary fields and, in theory, every public key could work on its own, unique curve.

That was bonkers and now software only operates on a few, known-good curves (i.e. P-256, P-384 etc). Thus public keys now just contain an OID identifying the curve.

Your certificate contains the full set of parameters however. It's probably the parameters for a standard curve, but we don't go trying to match arbitrary curves to ones that we know.

One option is to generate the key and certificate using Go.

If you need to use the OpenSSL command-line tools then you can add -pkeyopt ec_param_enc:named_curve to the parameter generation command (the one where you have -algorithm EC).
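An added Go example (not code from this issue or from the Go project) that makes agl's distinction concrete: ClassifyECParams inspects the DER parameters value of an EC AlgorithmIdentifier and reports whether it is a namedCurve OID, an explicit specifiedCurve SEQUENCE or implicitlyCA, and DecodeAsNamedCurve decodes it the way crypto/x509 does, reproducing the "tags don't match" structure error on the explicit form. The sample inputs are constructed here; the explicit one is only the leading version field of a real ECParameters block.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// OID for secp521r1, the curve named in the reporter's OpenSSL command.
var oidSecp521r1 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}

// ClassifyECParams reports which arm of the RFC 5480 ECParameters CHOICE a
// DER-encoded AlgorithmIdentifier.parameters value uses. crypto/x509 accepts
// only the namedCurve arm, so this is the check to run before blaming the parser.
func ClassifyECParams(der []byte) (string, error) {
	var rv asn1.RawValue
	rest, err := asn1.Unmarshal(der, &rv)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", fmt.Errorf("%d trailing bytes after ECParameters", len(rest))
	}
	switch {
	case rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagOID:
		return "namedCurve", nil
	case rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagSequence && rv.IsCompound:
		return "specifiedCurve", nil // full explicit parameters; crypto/x509 rejects these
	case rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagNull:
		return "implicitlyCA", nil
	}
	return "", fmt.Errorf("unexpected ECParameters tag %d (class %d)", rv.Tag, rv.Class)
}

// DecodeAsNamedCurve does what crypto/x509 does: decode the parameters as an OID.
// On the specifiedCurve form this yields the issue's error (6 = OID expected, 16 = SEQUENCE found).
func DecodeAsNamedCurve(der []byte) (asn1.ObjectIdentifier, error) {
	var oid asn1.ObjectIdentifier
	_, err := asn1.Unmarshal(der, &oid)
	return oid, err
}

// Constructed samples (not taken from the issue). The explicit one is only
// the head of a real ECParameters SEQUENCE: version INTEGER 1.
func NamedCurveSample() []byte { b, _ := asn1.Marshal(oidSecp521r1); return b }
func ExplicitSample() []byte  { b, _ := asn1.Marshal(struct{ Version int }{1}); return b }

func main() {
	_, err := DecodeAsNamedCurve(ExplicitSample())
	fmt.Println(err) // the same "tags don't match (6 vs {... tag:16 ...})" error as in the report
}
```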

@golang golang locked and limited conversation to collaborators Jan 16, 2018
@rsc rsc unassigned agl Jun 23, 2022