crypto/x509: failed to parse ECDSA256 PEM generated by Apple Developer Website #33560

Closed
QianNangong opened this issue Aug 9, 2019 · 3 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

QianNangong commented Aug 9, 2019

What version of Go are you using (go version)?

1.12.7

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
GOOS="darwin"
GOARCH="amd64"

What did you do?

I'm trying to build an Apple Push Notification Service server with github.com/dgrijalva/jwt-go, which can generate a token to communicate with Apple's server.
I downloaded the ECDSA256 private key (.pem file) from the Apple Developer Website and tried to form the token using the built-in parser.
I've regenerated the private key more than two times and it always occurs.

This key is already revoked so I think it's safe to attach here

-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgK4vwsbmI8Zv5L3Vi
3A6jLxpPhT1foluxAzVrF8HUz0+gCgYIKoZIzj0DAQehRANCAASiiOmidKO8QG/1
uxIzl8g8yqYDCmImljypqZxutYg1YaMJuBpgfFCJdtp+SdYhq8J8avOMwDwep8KC
lfN6cID4
-----END PRIVATE KEY-----

What did you expect to see?

No error should be presented.

What did you see instead?

It presented such error messages.

2019/08/09 14:56:14 x509: failed to parse EC private key: asn1: structure error: tags don't match (4 vs {class:0 tag:16 length:19 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false}  @5
@odeke-em
Member

Thank you for reporting this issue @frozen-tofu and welcome to the Go project!

I have made for you a runnable playground link https://play.golang.org/p/KYMQBqBqlz0
or inlined below

package main

import (
	"crypto/x509"
	"fmt"
	"log"
)

func main() {
	blob := []byte(`
-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgK4vwsbmI8Zv5L3Vi
3A6jLxpPhT1foluxAzVrF8HUz0+gCgYIKoZIzj0DAQehRANCAASiiOmidKO8QG/1
uxIzl8g8yqYDCmImljypqZxutYg1YaMJuBpgfFCJdtp+SdYhq8J8avOMwDwep8KC
lfN6cID4
-----END PRIVATE KEY-----
`)
	// Reproduces the reported error: the PEM-armored text is passed
	// directly to ParseECPrivateKey.
	privKey, err := x509.ParseECPrivateKey(blob)
	if err != nil {
		log.Fatalf("Failed to parse private key: %v", err)
	}
	fmt.Printf("%#v\n", privKey)
}

In the future, please attach a reproducible code sample, not just the private key :)

We are currently in code freeze before we release Go1.13 but I shall kindly ping some cryptography experts @agl @FiloSottile to take a look.

@odeke-em odeke-em changed the title from "Failed to parse ECDSA256 PEM generated by Apple Developer Website" to "crypto/x509: failed to parse ECDSA256 PEM generated by Apple Developer Website" Aug 10, 2019
@odeke-em odeke-em added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 10, 2019
@odeke-em odeke-em added this to the Go1.14 milestone Aug 10, 2019
@agl
Contributor

agl commented Aug 10, 2019

That private key is PEM encoded, so you need to unwrap that first. Also, it's a PKCS#8 rather than raw ECC private key, so the correct parsing function is ParsePKCS8PrivateKey. (The “PRIVATE KEY” means PKCS#8—I'm afraid the PKCS standards are just awkward like that.)

See https://play.golang.org/p/AlXERsa1Evr

@agl agl closed this as completed Aug 10, 2019
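
The approach described in the comment above, as an added example that is not part of the original thread or the Go project's code: decode the PEM armor first, then choose the parser from the PEM block type. The helper names `parseECKeyPEM` and `samplePEMs` are hypothetical, and the sample key is generated at run time rather than taken from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// parseECKeyPEM (hypothetical helper) strips the PEM armor, then picks the
// parser from the block type: "PRIVATE KEY" is PKCS#8, "EC PRIVATE KEY" is SEC 1.
func parseECKeyPEM(data []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	switch block.Type {
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		ec, ok := k.(*ecdsa.PrivateKey) // PKCS#8 may also hold RSA or Ed25519 keys
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key is %T, not ECDSA", k)
		}
		return ec, nil
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	}
	return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
}

// samplePEMs returns one throwaway P-256 key (constructed input) in both armors.
func samplePEMs() (pkcs8PEM, sec1PEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p8, _ := x509.MarshalPKCS8PrivateKey(key) // errors ignored: fresh, valid key
	s1, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: p8}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: s1})
}

func main() {
	p8, s1 := samplePEMs()
	_, err8 := parseECKeyPEM(p8)
	_, err1 := parseECKeyPEM(s1)
	fmt.Println("PKCS#8:", err8, "SEC 1:", err1)
}
```

The type assertion matters when the key file comes from an external source: a PKCS#8 container parses successfully for several key algorithms, so the caller should reject anything that is not the expected ECDSA key.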
@QianNangong
Author

Okay thank you

@golang golang locked and limited conversation to collaborators Aug 10, 2020