New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: crypto/x509: expose hash algorithm for SignatureAlgorithm #33317
Comments
Add method to return the hashing algorithm associated with a certificates signature algorithm. This is useful when generating TLS channel bindings as documented in RFC 5929. Fixes golang#33317
Change https://golang.org/cl/187778 mentions this issue: |
/cc @FiloSottile |
Thank you for this request @bodgit and welcome to the Go project! While this request and its corresponding CL are simple and straight forward, and it follows pretty much what we did for (SignatureAlgorithm).String() https://golang.org/pkg/crypto/x509/#SignatureAlgorithm.String, I have tagged it as a proposal because it increases the API surface. |
What are we supposed to return for Ed25519? What does channel binding end up using with it? |
This is what the RFC says:
So as you would be returning |
IIRC Would this API have any other use case than RFC 5929 channel bindings? |
I wasn't using
No idea TBH. As it stands the implementation literally just returns the associated struct member; the logic documented in the RFC for using SHA256 in place of MD5 or SHA1 remains the responsibility of the calling code, it's not part of this PR. |
It'd be nice to see this merged. This would be useful in environments that implement custom TLS verification based on a |
Adding to proposal minutes. Is this something people still need? |
This proposal has been added to the active column of the proposals project |
Based on the discussion above, this proposal seems like a likely decline. |
No change in consensus, so declined. |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
As part of generating TLS channel bindings (RFC 5929) it is necessary to generate a hash of a given certificate using the hashing algorithm used in its
SignatureAlgorithm
, (with some exceptions documented in the RFC). So for example aSignatureAlgorithm
ofx509.SHA256WithRSA
should usecrypto.SHA256
to generate itstls-server-end-point
channel binding type, etc.What did you expect to see?
I was hoping to have a method on
SignatureAlgorithm
to return its associatedcrypto.Hash
. This information is available in the unexportedsignatureAlgorithmDetails
struct.What did you see instead?
For now, I have made my own
map[x509.SignatureAlgorithm]crypto.Hash
but as new algorithms are added this needs to be kept in sync, (x509.PureEd25519
for example has been added to the source since 1.12.7).I propose adding a simple method along the lines of:
The text was updated successfully, but these errors were encountered: