New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: crypto/x509: support extending list of algorithms #34844
Comments
The Linux kernel crypto people will accept anything. Not sure their judgement is super relevant. |
I can't argue about the crypto people, the point is that the algorithms out of the supported by the Keeping the list of supported hash functions and algorithms restricted seems like an outdated solution, it's not 80-x or 90-s anymore when everyone used mostly a limited variety of applicable technology. Go is nowadays used in many countries in production, and thus limiting the supported range of cryptography makes people choose to use Go in partial implementation, leaving the main role to some other languages, which do not apply such restrictions. I do understand, that developers are free to implement the support in a custom solution. Yet, I think, that providing an extendable interface is a more flexible approach. |
CC @FiloSottile @agl |
We did not argue that the functions are weak. We argued that supporting them is not worth the complexity and the resources required to maintain a secure and fast implementation. Linux adding an implementation does not change the fact that they are rarely used. We disagree about how modern cryptography has developed. I strongly believe that modern cryptography has fewer, not more, options. Modern cryptography is picking the best primitive for the job, and only supporting that. Extensibility in security contexts is an anti-pattern, it adds risk and complexity, and delegated decisions to users that don't need or want to make them. You can read more about the decision framework for this at https://golang.org/design/cryptography-principles. |
What version of Go are you using (
go version
)?-- go1.12.4
Does this issue reproduce with the latest release?
-- Probably, yes too.
What operating system and processor architecture are you using (
go env
)?-- Linux, amd64
What did you do?
Used a
test.cer
file which contains encoded pkix certificate using GOST 34.10-2001 algorithmand attempted to extract the name with:
What did you expect to see?
Some name, for example
GOST 34.10-2001
.What did you see instead?
0
This issue intentionally repeats closed issue, due to the updates made to the Linux kernel, earlier this year, which included the support for the GOST encryption, which makes the original issue close reason, as stated by the contributor, Adam Langley: not carrying it's weight, ― obsolete, in my opinion.
I suggest that package
x509
at very least should support extending the list of the supported algorithms defining a way to extend thex509
package with external packages, the same wayimage
package can be extended. Which essentially means, that the wholecrypto
package and specifically it'shash
sub-package, both need to adopt the same changes.After all new algorithms are popping out, old become vulnerable and thus obsolete, some countries, e.g. China, India, Israel, Russia, ― are defining cryptography algorithms out of the default, so far, range. In my opinion, packages
crypto
,crypto/hash
andcrypto/x509
need to allow the user to extend the usage, allowing other implementations to comply with the unified interface, skipping the necessity to comply only withcrypto
package by redefining the wholex509
from the scratch.The text was updated successfully, but these errors were encountered: