x/crypto/pkcs12: unknown attribute with OID 1.3.6.1.4.1.311.17.3.92 #24325

Closed
leeview opened this issue Mar 9, 2018 · 9 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
@leeview

leeview commented Mar 9, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.10

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

windows 10 amd64

What did you do?

I was converting a PFX file to pem.Block using the golang.org/x/crypto/pkcs12.ToPEM() function

What did you expect to see?

the certificate and the key PEM bytes

What did you see instead?

error: pkcs12: unknown attribute with OID 1.3.6.1.4.1.311.17.3.92

http://oid-info.com/get/1.3.6.1.4.1.311.17.3.92

Apparently PFX files (on Windows) can contain an OID which is not handled by the pkcs12 parser.

https://github.com/golang/crypto/blob/master/pkcs12/pkcs12.go#L177

Is there a way to handle this OID or just ignore it if it's not relevant to the output?
Thank you

@gopherbot gopherbot added this to the Unreleased milestone Mar 9, 2018
@andybons andybons added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 9, 2018
@andybons
Member

andybons commented Mar 9, 2018

/cc @FiloSottile

@sooryaprakash99

I am also getting the above error with golang version 1.8.7. Is there any solution?

@adamdecaf
Contributor

It looks like we would need to decode the blob they send (CRYPT_INTEGER_BLOB).

Docs: https://docs.microsoft.com/en-us/windows/desktop/api/wincrypt/nf-wincrypt-certsetcertificatecontextproperty#cert_subject_pub_key_bit_length_prop_id

FWIW I don't see that specific OID on their page, but are there lots of others we'd need to worry about?

https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography

@andrewstuart

andrewstuart commented Oct 17, 2018

Interestingly, a very similar issue has cropped up in our environment just yesterday (for OID 1 3 6 1 4 1 311 17 2). Not sure if there was a Microsoft update or what that recently caused us to start seeing this issue, but we've also had a really hard time tracking down documentation on this particular OID. In our case, the attribute.Value.Bytes is a bunch of \0 bytes, so we've created a mirror as a temporary workaround that ignores empty (after bytes.Trim) OIDs.

It's really hard to figure out what to do with the bytes in our case if they ever are not empty (though honestly in my case, we don't care, we just want the cert, but in the general case that may not be true depending on what they mean).

The best I've been able to come up with as an action plan is to dive into OpenSSL and see how they're handling it, but I'm pretty unfamiliar with both the language and codebase.

@FiloSottile FiloSottile changed the title x/crypto: pkcs12 unknown attribute with OID 1.3.6.1.4.1.311.17.3.92 x/crypto/pkcs12: unknown attribute with OID 1.3.6.1.4.1.311.17.3.92 Feb 9, 2019
@paulmey

paulmey commented Mar 19, 2019

Ran into 1.3.6.1.4.1.311.17.2 as well... OpenSSL seems to decode that OID as Microsoft Local Key set and I've only seen <No Values> as the value so far.

@gopherbot

Change https://golang.org/cl/166520 mentions this issue: pkcs12: updates certificate parsing with attribute 'Microsoft Local Key set'

@paulolimarb

Hello

Any updates on this issue?

Thanks

@gopherbot

Change https://golang.org/cl/201457 mentions this issue: pkcs12: update certificate parsing with attribute 'Microsoft Local Key set'

@gopherbot

Change https://golang.org/cl/241281 mentions this issue: pkcs12: update certificate parsing with attribute 'Microsoft Local Key set'

chronologos added a commit to chronologos/go-pkcs12 that referenced this issue Aug 30, 2020
instead of ignoring unknown attributes, I added an extra attribute {1, 3, 6, 1, 4, 1, 311, 17, 2}.
golang/go#24325 (comment)
@golang golang locked and limited conversation to collaborators Jul 9, 2021
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 28, 2022
Looking at our own use case as well as people running into the same issue
[1][2], it seems like users usually don't care about decoding unknown
PKCS12Attributes.

[1]: golang/go#24325
[2]: SSLMate/go-pkcs12#4

Fixes golang/go#24325

Change-Id: I4f3700d2551af6dac215c49dd179ce46c4b2a9db
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/241281
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
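
The error from the original report and the skip-unknown-attributes behaviour described in the commit message above can be reproduced with `encoding/asn1` alone. This is an added example, not code from `x/crypto/pkcs12` or from any commenter: `bagAttribute`, `attrHeaders` and `sampleDER` are hypothetical names, the sample bytes are constructed, and only `localKeyId` is decoded.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
)

// bagAttribute is the PKCS#12 attribute shape: SEQUENCE { OID, SET OF value }.
type bagAttribute struct {
	ID    asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"set"`
}

var oidLocalKeyID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 21}

// Constructed sample: SET { localKeyId = 01020304, the OID from the issue with
// a made-up value of four zero bytes }.
var sampleDER, _ = hex.DecodeString("312b301306092a864886f70d0109153106040401020304" +
	"3014060a2b06010401823711035c3106040400000000")

// attrHeaders (hypothetical helper) decodes a DER SET OF attributes. strict fails
// on an unrecognised OID; otherwise the OID is skipped and returned for logging.
func attrHeaders(der []byte, strict bool) (map[string]string, []string, error) {
	var attrs []bagAttribute
	if _, err := asn1.UnmarshalWithParams(der, &attrs, "set"); err != nil {
		return nil, nil, err
	}
	headers, skipped := map[string]string{}, []string(nil)
	for _, a := range attrs {
		switch {
		case a.ID.Equal(oidLocalKeyID):
			var id []byte
			if _, err := asn1.Unmarshal(a.Value.Bytes, &id); err != nil {
				return nil, nil, err
			}
			headers["localKeyId"] = hex.EncodeToString(id)
		case strict:
			return nil, nil, errors.New("pkcs12: unknown attribute with OID " + a.ID.String())
		default:
			skipped = append(skipped, a.ID.String())
		}
	}
	return headers, skipped, nil
}

func main() {
	fmt.Println(attrHeaders(sampleDER, true))
	fmt.Println(attrHeaders(sampleDER, false))
}
```

Returning the skipped OIDs lets a caller log which attributes were dropped instead of discarding them silently.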
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 29, 2022
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 29, 2022
LewiGoddard pushed a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023