Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proposal: crypto/x509: add Public Key Algorithms from RFC 4491 #21858

Closed
realmfoo opened this issue Sep 13, 2017 · 7 comments
Closed

proposal: crypto/x509: add Public Key Algorithms from RFC 4491 #21858

realmfoo opened this issue Sep 13, 2017 · 7 comments
Labels
FrozenDueToAge Proposal
Milestone
Proposal

Comments

@realmfoo
Copy link

RFC 4491 describes encoding formats,
identifiers, and parameter formats for the algorithms GOST R 34.10-
94, GOST R 34.10-2001, and GOST R 34.11-94 for use in Internet X.509
Public Key Infrastructure (PKI).

It was published at May 2006.

What did you do?

Parsed certificate with GOST R 34.10 Algorithms. Such as:

Certificate:
    Data:
        Version: 3 (0x2)
    ...
    Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
        Subject Public Key Info:
            Public Key Algorithm: GOST R 34.10-2001
        ...

And tried to get information about public key algorithm:

	cert, err := x509.ParseCertificate(raw)
	if err != nil {
		return nil, err
	}

	fmt.Printf("%s", cert.PublicKeyAlgorithm)

What did you expect to see?

Expected to see some valid algorithm with value greater then 0:

s%!(EXTRA x509.PublicKeyAlgorithm=4)

What did you see instead?

It's unknown algorithm:

s%!(EXTRA x509.PublicKeyAlgorithm=0)
@gopherbot gopherbot added this to the Proposal milestone Sep 13, 2017
@ianlancetaylor
Copy link
Contributor

CC @agl @FiloSottile

@jeffallen
Copy link
Contributor

I wonder if this is a good time to discuss how the crypto package could be adapted (in Go 2?) in order to make additional algorithms available via plugins?

@FiloSottile
Copy link
Contributor

0 is the value of UnknownPublicKeyAlgorithm. https://godoc.org/crypto/x509#PublicKeyAlgorithm

Are you suggesting adding GOST values to PublicKeyAlgorithm, just so you can detect GOST certificates while still getting PublicKey = nil, or adding full support for GOST public keys? The former can be a problem if someone is checking for UnknownPublicKeyAlgorithm before blindly using the public key. The latter is much wider and unlikely, since there is no GOST code anywhere in the stdlib or x/crypto, and very little demand.

@jeffallen There is precedent with hash functions, but it seemed to always cause more trouble than it's worth. Personally I'd rather make sure stdlib packages are decoupled enough to allow forks to be easily plugged in, allowing more than just adding algorithms without a sprawling plugin interface.

@realmfoo
Copy link
Author

OpenSSL knows about these algorithms even without ability to use it (with disabled GOST engine).

Yes, I suggest to add values to PublicKeyAlgorithm. And it would be even better to add support of these algorithms, but it can be added lately.

The reason why this is not yet implemented neither in stdlib, nor x/crypto, is that Java, C# or OpenSSL (via libopenssl, cgo) is used to create signature or encrypt/decrypt some data.

I understand that this is a time-consuming task and therefor I ask about the possibility of adding support
for these algorithms.

If it is possible then I or someone else can implement it and open a pull request.

If it's not going to be merged then we should add ability to extend functionality of crypto/x509. Right now it is not possible to know OID of unknown algorithm.

@realmfoo
Copy link
Author

realmfoo commented Sep 14, 2017
edited

@FiloSottile no one opened an issue here but tried to implement it in their own packages.

@ianlancetaylor
Copy link
Contributor

Ping @agl @FiloSottile

@agl
Copy link
Contributor

agl commented Mar 20, 2018

I'm going to say no on this. GOST algorithms appear to me to be substantially driven by non-technical concerns and they are extremely rare on the public internet. I don't believe this proposal is close to carrying its weight.

@agl agl closed this as completed Mar 20, 2018
@golang golang locked and limited conversation to collaborators Mar 20, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge Proposal
Projects
None yet
Milestone
Proposal
Development

No branches or pull requests
6 participants
@agl @realmfoo @jeffallen @FiloSottile @ianlancetaylor @gopherbot