The problem is that OpenSSL generates AlgorithmIdentifiers for the PSS hash and MGF with empty parameters, instead of NULL. (Related to what is described here). However, Go only accepts NULL parameters in getSignatureAlgorithmFromAI.
According to RFC 4055, "All implementations MUST accept both NULL and absent parameters as legal and equivalent encodings."
If it's decided this should be fixed, I can write the patch.
What version of Go are you using (go version)?
go version go1.9.2 linux/amd64
Does this issue reproduce with the latest release?
I haven't tested with 1.9.4 or 1.10
What operating system and processor architecture are you using (go env)?
What did you do?
Generate certificate with OpenSSL:
openssl req -newkey rsa:2048 -keyout test.key -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -sigopt rsa_mgf1_md:sha256 -x509 -days 3650 -nodes -subj '/C=US/ST=CA/L=SF/O=Test/CN=Test' -out test.pem
and parse it with x509.ParseCertificate. The SignatureAlgorithm will be 0 (Unknown), which eventually makes the certification validation fail.
https://play.golang.org/p/CKf-GRBnda1
What did you expect to see?
SignatureAlgorithm should be SHA256-RSAPSS
What did you see instead?
SignatureAlgorithm is 0 (Unknown)
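The two parameter encodings this issue is about can be compared directly at the ASN.1 level. The Go program below is an added example, not code from the Go source tree or from the issue author; the DER byte strings are constructed samples, and the names nullOnly, nullOrAbsent and check are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// Constructed samples: DER AlgorithmIdentifier for id-sha256
// (2.16.840.1.101.3.4.2.1) with NULL, absent and unexpected parameters.
var (
	withNull   = []byte{0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00}
	withAbsent = []byte{0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}
	withInt    = []byte{0x30, 0x0e, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x02, 0x01, 0x01}
)

// nullOnly models the strict behaviour the issue describes: only NULL passes.
func nullOnly(ai pkix.AlgorithmIdentifier) bool {
	return bytes.Equal(ai.Parameters.FullBytes, asn1.NullBytes)
}

// nullOrAbsent treats NULL and omitted parameters as equivalent (RFC 4055).
func nullOrAbsent(ai pkix.AlgorithmIdentifier) bool {
	return len(ai.Parameters.FullBytes) == 0 || nullOnly(ai)
}

// check parses one AlgorithmIdentifier and reports the verdict of both policies.
func check(der []byte) (strict, lenient bool, err error) {
	var ai pkix.AlgorithmIdentifier
	rest, err := asn1.Unmarshal(der, &ai)
	if err != nil {
		return false, false, err
	}
	if len(rest) != 0 {
		return false, false, errors.New("trailing data after AlgorithmIdentifier")
	}
	return nullOnly(ai), nullOrAbsent(ai), nil
}

func main() {
	for _, s := range []struct{ name string; der []byte }{{"NULL", withNull}, {"absent", withAbsent}, {"INTEGER", withInt}} {
		strict, lenient, err := check(s.der)
		fmt.Printf("%-8s strict=%v lenient=%v err=%v\n", s.name, strict, lenient, err)
	}
}
```

Any parameter value other than NULL is still rejected by both checks, so accepting the absent form does not widen what is treated as a valid hash identifier.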