Skip to content

x/crypto/pkcs12: PKCS12 Decode requires privateKey and certificate #23499

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
adamdecaf opened this issue Jan 21, 2018 · 5 comments
Closed

x/crypto/pkcs12: PKCS12 Decode requires privateKey and certificate #23499

adamdecaf opened this issue Jan 21, 2018 · 5 comments
Labels
FrozenDueToAge
Milestone
Unreleased

Comments

@adamdecaf
Copy link
Contributor

What version of Go are you using (go version)?

go version go1.9.2 darwin/amd64

Does this issue reproduce with the latest release?

Yes, but it's x/crypto/pkcs12.

What operating system and processor architecture are you using (go env)?

$ go env
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/adam/code"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.9.2/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.9.2/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/2r/yy2yvr397cd8t6_92769zvc80000gn/T/go-build596174208=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

I'm trying to list certificates from various windows stores. (e.g. My and Root) When I attempt to read an exported PKCS12 / PFX file x/crypto/pkcs12 fails.

// exporting cert (windows)
> certutil -exportPFX -f -p "password" Root 79ad16a14aa0a5ad4c7358f407132e65 out.pfx

pkcs12.Decode() currently requires two items are decoded, a private key and certificate. I get the following error:

pkcs12: expected exactly two items in the authenticated safe

This seems to come from a runtime check in the decoding routines, but I'm not totally sure why it's required.

https://github.com/golang/crypto/blob/459e26527287adbc2adcc5d0d49abff9a5f315a7/pkcs12/pkcs12.go#L311-L313

FWIW openssl doesn't have a problem showing this certificate.

$ openssl pkcs12 -in testdata/cert.pfx 
Enter Import Password:
MAC verified OK
Bag Attributes
    friendlyName: Microsoft Root Certificate Authority 2010
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQKMw6Jb+6RKxEmptYa0M5qjANBgkqhkiG9w0BAQsFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMp
TWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAw
NjIzMjE1NzI0WhcNMzUwNjIzMjIwNDAxWjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5IDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQC5CJ4o5OTsBk5QaLNBxXvrrraOr4G6IkQfZTRpTL5wQBfyFnvief2G7Q05
9BuorZKQHss9do9a2bWREC48BY2KbSRU5x/tVq2DtFCcFaUXdIhZIPwIxYR202jU
byh4zly481CQRP/jY1++oZoslhUE1gf+HoQh4EIxEcQoNpTPUKRinsnWq3EAslsM
5pbUCiSW9f/G1bcb18u3IWKvEtyhXTfjGvsaRpjAm8DnYx8qCJMCfh5qjvKfGInk
IoWisYRXQP/1DthvnO3iRTEBzRfpf7CBReOqIUAmoXKqp088AQV+7oNYsV4GY5li
kXiCtw2TDCRqtBvbJ+xflQQ/k0ow9ZcYs6f5GaeTMx0ByNsiUlzXJclG+aL7h1lD
vptisY0thkQaRqx4YX4wCfquicRBKiJmA5E5RZzHiwyoyg0v+1LqDPdjMyOd/rAf
rWfWp1ADxgRwY7UssYZaQ7f7rvluKW4hIUEmBozJw+6wwoWTobmF2eYybEtMP9Zd
o+W1nXfDnMBVt3QA47g4q4OXUOGaQiQdxsCjMNEaWshSNPdz8ccYHzOteuzLQWDz
I5QgwkhFrFxRxi6AwuJ3Fb2Fh+02nZaR7gC1o3Dsn+ONgGiDdrqvXXBSIhbiZvu6
s8XC9z4vd6bK3sGmxkhMwzdRI9Mn17hOcJbwoUR2r3jPmuFmEwIDAQABo1EwTzAL
BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU1fZWy4/oolxi
aNE9lJBb186aGMQwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggIB
AKylloy/u66m9tdxh0MxVoj9HDJxWzW31PCR8q834hTx8wImBT4WFH8UurhP+4my
sufUCcxtuVs7ZGVwZrfysVrfGgLz9VG4Z215879We+SEuSsem0CcJjT5RxiYadgc
17bRv49hwmfEte9gQ44QGzZJ5CDKrafBsSdlCfjN9Vsq0IQz8+8f8vWcC1iTN6B1
oN5y3mx1KmYi9YwGMFafQLkwqkB3FYLXi+zA07K9g8V3DB6urxlToE15cZ8PrzDO
Z/nWLMwiQXoH8pdCGM5ZeRBV3m8Q5Ljag2ZAFgloI1uXLiaaArtXjMW4umliMoCJ
nqH9wJJ8eyszGYQqY8UAaGL6n0eNmXpFOqfp7e5pQrXzgZtHVhB7/HA2hBhz6u/5
l02eMyPdJgu6Krc/RNyDJ/+9YVkrEbfKT9vFiwwcMa4y+Pi5Qvd/3GGadrFaBOER
PWZFtxhxvskkhdbz1LpBNF0SLSW5jaYTSG1LsAd9mZMJYYF0VyaKq2nj5NnHiMwk
2OxSJFwevJEU4pbe6wrant1fs1vb1ILsxiBQhyVAOvvH7s3+M+Vuw4QJVQMlOcDp
NV1lMaj2v6AJzSnHszYyLtyV84PBWs+LjfbqsyH4pO0eMQ62TBGrYAukEiMiF6M2
ZIKRBBLgq28ey1AFYbRA/1mGcdHVM2l8qXOKONdkDPFp
-----END CERTIFICATE-----
openssl x509 -inform pem -in thing -noout -text 
$ openssl x509 -inform pem -in thing -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:cc:3a:25:bf:ba:44:ac:44:9a:9b:58:6b:43:39:aa
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Jun 23 21:57:24 2010 GMT
            Not After : Jun 23 22:04:01 2035 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b9:08:9e:28:e4:e4:ec:06:4e:50:68:b3:41:c5:
                    7b:eb:ae:b6:8e:af:81:ba:22:44:1f:65:34:69:4c:
                    be:70:40:17:f2:16:7b:e2:79:fd:86:ed:0d:39:f4:
                    1b:a8:ad:92:90:1e:cb:3d:76:8f:5a:d9:b5:91:10:
                    2e:3c:05:8d:8a:6d:24:54:e7:1f:ed:56:ad:83:b4:
                    50:9c:15:a5:17:74:88:59:20:fc:08:c5:84:76:d3:
                    68:d4:6f:28:78:ce:5c:b8:f3:50:90:44:ff:e3:63:
                    5f:be:a1:9a:2c:96:15:04:d6:07:fe:1e:84:21:e0:
                    42:31:11:c4:28:36:94:cf:50:a4:62:9e:c9:d6:ab:
                    71:00:b2:5b:0c:e6:96:d4:0a:24:96:f5:ff:c6:d5:
                    b7:1b:d7:cb:b7:21:62:af:12:dc:a1:5d:37:e3:1a:
                    fb:1a:46:98:c0:9b:c0:e7:63:1f:2a:08:93:02:7e:
                    1e:6a:8e:f2:9f:18:89:e4:22:85:a2:b1:84:57:40:
                    ff:f5:0e:d8:6f:9c:ed:e2:45:31:01:cd:17:e9:7f:
                    b0:81:45:e3:aa:21:40:26:a1:72:aa:a7:4f:3c:01:
                    05:7e:ee:83:58:b1:5e:06:63:99:62:91:78:82:b7:
                    0d:93:0c:24:6a:b4:1b:db:27:ec:5f:95:04:3f:93:
                    4a:30:f5:97:18:b3:a7:f9:19:a7:93:33:1d:01:c8:
                    db:22:52:5c:d7:25:c9:46:f9:a2:fb:87:59:43:be:
                    9b:62:b1:8d:2d:86:44:1a:46:ac:78:61:7e:30:09:
                    fa:ae:89:c4:41:2a:22:66:03:91:39:45:9c:c7:8b:
                    0c:a8:ca:0d:2f:fb:52:ea:0c:f7:63:33:23:9d:fe:
                    b0:1f:ad:67:d6:a7:50:03:c6:04:70:63:b5:2c:b1:
                    86:5a:43:b7:fb:ae:f9:6e:29:6e:21:21:41:26:06:
                    8c:c9:c3:ee:b0:c2:85:93:a1:b9:85:d9:e6:32:6c:
                    4b:4c:3f:d6:5d:a3:e5:b5:9d:77:c3:9c:c0:55:b7:
                    74:00:e3:b8:38:ab:83:97:50:e1:9a:42:24:1d:c6:
                    c0:a3:30:d1:1a:5a:c8:52:34:f7:73:f1:c7:18:1f:
                    33:ad:7a:ec:cb:41:60:f3:23:94:20:c2:48:45:ac:
                    5c:51:c6:2e:80:c2:e2:77:15:bd:85:87:ed:36:9d:
                    96:91:ee:00:b5:a3:70:ec:9f:e3:8d:80:68:83:76:
                    ba:af:5d:70:52:22:16:e2:66:fb:ba:b3:c5:c2:f7:
                    3e:2f:77:a6:ca:de:c1:a6:c6:48:4c:c3:37:51:23:
                    d3:27:d7:b8:4e:70:96:f0:a1:44:76:af:78:cf:9a:
                    e1:66:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
            1.3.6.1.4.1.311.21.1: 
                ...
    Signature Algorithm: sha256WithRSAEncryption
         ac:a5:96:8c:bf:bb:ae:a6:f6:d7:71:87:43:31:56:88:fd:1c:
         32:71:5b:35:b7:d4:f0:91:f2:af:37:e2:14:f1:f3:02:26:05:
         3e:16:14:7f:14:ba:b8:4f:fb:89:b2:b2:e7:d4:09:cc:6d:b9:
         5b:3b:64:65:70:66:b7:f2:b1:5a:df:1a:02:f3:f5:51:b8:67:
         6d:79:f3:bf:56:7b:e4:84:b9:2b:1e:9b:40:9c:26:34:f9:47:
         18:98:69:d8:1c:d7:b6:d1:bf:8f:61:c2:67:c4:b5:ef:60:43:
         8e:10:1b:36:49:e4:20:ca:ad:a7:c1:b1:27:65:09:f8:cd:f5:
         5b:2a:d0:84:33:f3:ef:1f:f2:f5:9c:0b:58:93:37:a0:75:a0:
         de:72:de:6c:75:2a:66:22:f5:8c:06:30:56:9f:40:b9:30:aa:
         40:77:15:82:d7:8b:ec:c0:d3:b2:bd:83:c5:77:0c:1e:ae:af:
         19:53:a0:4d:79:71:9f:0f:af:30:ce:67:f9:d6:2c:cc:22:41:
         7a:07:f2:97:42:18:ce:59:79:10:55:de:6f:10:e4:b8:da:83:
         66:40:16:09:68:23:5b:97:2e:26:9a:02:bb:57:8c:c5:b8:ba:
         69:62:32:80:89:9e:a1:fd:c0:92:7c:7b:2b:33:19:84:2a:63:
         c5:00:68:62:fa:9f:47:8d:99:7a:45:3a:a7:e9:ed:ee:69:42:
         b5:f3:81:9b:47:56:10:7b:fc:70:36:84:18:73:ea:ef:f9:97:
         4d:9e:33:23:dd:26:0b:ba:2a:b7:3f:44:dc:83:27:ff:bd:61:
         59:2b:11:b7:ca:4f:db:c5:8b:0c:1c:31:ae:32:f8:f8:b9:42:
         f7:7f:dc:61:9a:76:b1:5a:04:e1:11:3d:66:45:b7:18:71:be:
         c9:24:85:d6:f3:d4:ba:41:34:5d:12:2d:25:b9:8d:a6:13:48:
         6d:4b:b0:07:7d:99:93:09:61:81:74:57:26:8a:ab:69:e3:e4:
         d9:c7:88:cc:24:d8:ec:52:24:5c:1e:bc:91:14:e2:96:de:eb:
         0a:da:9e:dd:5f:b3:5b:db:d4:82:ec:c6:20:50:87:25:40:3a:
         fb:c7:ee:cd:fe:33:e5:6e:c3:84:09:55:03:25:39:c0:e9:35:
         5d:65:31:a8:f6:bf:a0:09:cd:29:c7:b3:36:32:2e:dc:95:f3:
         83:c1:5a:cf:8b:8d:f6:ea:b3:21:f8:a4:ed:1e:31:0e:b6:4c:
         11:ab:60:0b:a4:12:23:22:17:a3:36:64:82:91:04:12:e0:ab:
         6f:1e:cb:50:05:61:b4:40:ff:59:86:71:d1:d5:33:69:7c:a9:
         73:8a:38:d7:64:0c:f1:69
@adamdecaf
Copy link
Contributor Author

adamdecaf commented Jan 21, 2018
edited
Loading

I saw that x/crypto/pkcs12 isn't recommended, but I haven't found a better way to export/list certificates from windows. They offer a few other options, but I haven't looked into them much yet.

#14125 (comment)

@bradfitz bradfitz changed the title PKCS12 Decode requires privateKey and certificate x/crypto/pkcs12: PKCS12 Decode requires privateKey and certificate Jan 22, 2018
@gopherbot gopherbot added this to the Unreleased milestone Jan 22, 2018
@adamdecaf
Copy link
Contributor Author

Can the nil-ability of returning a privateKey or cert be changed? It would be easy enough to remove the check, but there's probably a reason to requiring both?

@adamdecaf
Copy link
Contributor Author

cc @agl

@adamdecaf adamdecaf mentioned this issue Feb 1, 2018
Closed
@agl
Copy link
Contributor

agl commented Feb 22, 2018

PKCS#12, as a format, is designed to be a super-abstract, anything-container with various bits being encrypted or not. As such it's only actually usable in contexts where there are expectations of the internal structure of the data contained.

x/crypto/pkcs12 is designed for a somewhat common situation where a private key and certificate are provided together in a single PKCS#12 file. It's not intended to be a general PKCS#12 processor.

@adamdecaf
Copy link
Contributor Author

@agl Sounds good. I'll fork x/crypto/pkcs12 for my project, thanks!

@golang golang locked and limited conversation to collaborators Feb 24, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@agl @adamdecaf @gopherbot