Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: support OIDs for tcg-kp (2.23.133.8) #47620

Open
tracefinder opened this issue Aug 10, 2021 · 1 comment
Open

crypto/x509: support OIDs for tcg-kp (2.23.133.8) #47620

tracefinder opened this issue Aug 10, 2021 · 1 comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unplanned

Comments

@tracefinder
Copy link

tracefinder commented Aug 10, 2021
edited

What version of Go are you using (go version)?

$ go version
go version go1.16.6 linux/amd64

Does this issue reproduce with the latest release?

Yes, according to the sources.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/user/.cache/go-build"
GOENV="/home/user/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/user/repos/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/user/repos/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.6"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build169247540=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I'm playing around TPM Endorsement Key certificates. One of the things I want to archive is to verify a EK certificate against the root CA. The function looks like

func (v *Verifier) VerifyEK(ekPem []byte) (bool, error) {
	block, _ := pem.Decode(ekPem)
	if block == nil {
		return false, errors.New("failed to parse certificate PEM")
	}

	ek, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("failed to parse certificate: %w", err)
	}

	opts := x509.VerifyOptions{
		Roots: v.ekRoots,
		Intermediates: v.ekIntermediates,
	}
	if _, err := ek.Verify(opts); err != nil {
		return false, fmt.Errorf("failed to verify certificate: %w", err)
	}

	return true, nil
}

What did you expect to see?

I expect all ExtKeyUsages to be correctly parsed with ParseCertificate.

What did you see instead?

UnknownExtKeyIsage of the x509.Certificate object (ek) is not empty. It contains asn1.ObjectIdentifier 2.23.133.8.1. Verification fails with x509: certificate specifies an incompatible key usage. The latter can be fixed by adding KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny} to x509.VerifyOptions.

The reason

crypto.x509 has extKeyUsageOIDs.

extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID

There is no any tcg-kp OID.

The proposal

Add tcg-kp OIDs to extKeyUsageOIDs. However, I understand that it can be excessive as there are plenty of other OIDs people may wish to add.
@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Aug 10, 2021
@seankhliao
Copy link
Member

cc @FiloSottile

@seankhliao seankhliao added this to the Unplanned milestone Aug 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
2 participants
@tracefinder @seankhliao