在使用Golang生成CSR时,出现了提供ExtendedKeyUsage信息的问题。

huangapple go评论95阅读模式
英文:

Problem providing ExtendedKeyUsage information to CSR during generation in golang

问题

我遇到了一个奇怪的问题。
我正在编写一个小的golang工具,根据用户提供的输入生成一个CSR。我在实现我的目标方面基本上是成功的,但是在ExtendedKeyUsage方面遇到了问题。简单来说,它不起作用。
以下是一段涉及x509字段的asn1编组代码:

    var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
	var OidExtensionKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
	var OidExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

	asn1KeyUsageDigSig, err := asn1.Marshal(asn1.BitString{
		Bytes:     []byte{byte(x509.KeyUsageDigitalSignature)},
		BitLength: 8,
	})
	asn1KeyUsageDatEnc, err := asn1.Marshal(asn1.BitString{
		Bytes:     []byte{byte(x509.KeyUsageDataEncipherment)},
		BitLength: 8,
	})
	asn1KeyUsageCAuth, err := asn1.Marshal(asn1.BitString{
		Bytes:     []byte{byte(x509.ExtKeyUsageClientAuth)},
		BitLength: 8,
	})

	if err != nil {
		Error.Fatalf("Can't serialize Extended Key Usage %s", err)
	}

然后我创建了一个模板,并成功生成和保存了一个CSR,几乎成功了:

template := x509.CertificateRequest{
		RawSubject:         asn1Subj,
		EmailAddresses:     []string{emailAddress},
		SignatureAlgorithm: _sigAlg,
		ExtraExtensions: []pkix.Extension{
			{
				Id: OidExtensionExtendedKeyUsage,
				Value: asn1KeyUsageCAuth,
			},
			{
				Id:       OidExtensionKeyUsage,
				Critical: true,
				Value:    asn1KeyUsageDatEnc,
			},
			{
				Id:       OidExtensionKeyUsage,
				Critical: true,
				Value:    asn1KeyUsageDigSig,
			},
		},
	}

	csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, privateKey)

> 这是一个openssl req -in MY_OUTPUT.csr -text -noout的输出:

******
         ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                email:someone@somewhere.com
            X509v3 Extended Key Usage: 
                ....
            X509v3 Key Usage: critical
                Key Agreement
            X509v3 Key Usage: critical
                Encipher Only
    Signature Algorithm: ecdsa-with-SHA256

******

我的ExtendedKeyUsage是空的,而它应该是ClientAuthentication。我做错了什么?
我期望看到:

X509v3 Extended Key Usage: ClientAuthentication

但是我看到的是一个空字段。我尝试使用来自另一个oid的不同字节集,但仍然没有效果。好像ExtendedKeyUsage字段不允许写入任何内容(尽管应该允许)。

如果有导入的内容:
go版本:go1.19.3 darwin/amd64

英文:

I've stumbled upon a strange problem.
I'm writing a small golang tool, which generates a CSR based on some user-provided input. I'm mostly successful at achieving my goal, but have a problem with ExtendedKeyUsage. Simply put it does not work.
A bit of code with asn1 marshalling of x509 fields:

    var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
	var OidExtensionKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
	var OidExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

	asn1KeyUsageDigSig, err := asn1.Marshal(asn1.BitString{
		Bytes:     []byte{byte(x509.KeyUsageDigitalSignature)},
		BitLength: 8,
	})
	asn1KeyUsageDatEnc, err := asn1.Marshal(asn1.BitString{
		Bytes:     []byte{byte(x509.KeyUsageDataEncipherment)},
		BitLength: 8,
	})
	asn1KeyUsageCAuth, err := asn1.Marshal(asn1.BitString{
		Bytes:     []byte{byte(x509.ExtKeyUsageClientAuth)},
		BitLength: 8,
	})

	if err != nil {
		Error.Fatalf("Can't serialize Extended Key Usage %s", err)
	}

Then I create a template and successful at generating and saving a CSR, well almost:


template := x509.CertificateRequest{
		RawSubject:         asn1Subj,
		EmailAddresses:     []string{emailAddress},
		SignatureAlgorithm: _sigAlg,
		ExtraExtensions: []pkix.Extension{
			{
				Id: OidExtensionExtendedKeyUsage,
				Value: asn1KeyUsageCAuth,
			},
			{
				Id:       OidExtensionKeyUsage,
				Critical: true,
				Value:    asn1KeyUsageDatEnc,
			},
			{
				Id:       OidExtensionKeyUsage,
				Critical: true,
				Value:    asn1KeyUsageDigSig,
			},
		},
	}

	csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, privateKey)

> And here is an openssl req -in MY_OUTPUT.csr -text -noout

******
         ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                email:someone@somewhere.com
            X509v3 Extended Key Usage: 
                ....
            X509v3 Key Usage: critical
                Key Agreement
            X509v3 Key Usage: critical
                Encipher Only
    Signature Algorithm: ecdsa-with-SHA256

******

My ExtendedKeyUsage is empty, while it should be ClientAuthentication. What am I doing wrong?

I'm expecting to see:

X509v3 Extended Key Usage: ClientAuthentication

I'm seeing empty field. I tried using different set of bytes from another oid, but still nothing. It is as if ExtendedKeyUsage field doesn't allow anything to be written (while it should)

If it is imported:
go ver: go1.19.3 darwin/amd64

答案1

得分: 0

我认为问题出在打印数据时。实际上,键/值在数据中是存在的。

从代码中可以看到:

var OidExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

asn1KeyUsageCAuth, err := asn1.Marshal(asn1.BitString{
    Bytes:     []byte{byte(x509.ExtKeyUsageClientAuth)},
    BitLength: 8,
})

ExtraExtensions: []pkix.Extension{
    {
        Id: OidExtensionExtendedKeyUsage,
        //Critical: true,
        Value: asn1KeyUsageCAuth,
        //Value: {2, 5, 29, 15},
    },

OidExtensionExtendedKeyUsage 是 ASN.1 OID 2.5.29.37,使用 DER 编码器编码后将变为 '55 1D 25'。

你可以在线编码它,查看它将产生的二进制值(例如:https://misc.daniel-marschall.de/asn.1/oid-converter/online.php)。

asn1KeyUsageCAuth 的值是 2(在 x509.go 中定义的常量),使用 ASN.1 BIT STRING 和 DER 编码器编码后将变为 '00 02'(第一个 00 是填充位数(无),02 是值 2)。

现在,将你的证书请求的 Base64 值解码为 ASN.1 DER 解码器(例如:https://asn1.io/asn1playground)。

MIIBtzCCAV0CAQAwgZwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQIEwZTeWRuZXkxDzAN
BgNVBAcTBlN5ZG5leTETMBEGA1UEChMKc210aENsaWVudDELMAkGA1UECxMCSVQx
JTAjBgNVBAMTHHNtdGgtQ2xpZW50LVk4cDg1bk1pSVNzMGlIZ0ExIjAgBgkqhkiG
9w0BCQEME3NtdGhjbGllbnRAc210aC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAAR4rIgUOxSyXdaML9F9e2gRjuMUK8Q0jiloTb2kAdmbz1RoCEdsZUUxKQcr
0Vud2aW3VIDph1ar4hkqWkM43hxqoF4wXAYJKoZIhvcNAQkOMU8wTTAeBgNVHREE
FzAVgRNzbXRoY2xpZW50QHNtdGguY29tMAsGA1UdJQQEAwIAAjAOBgNVHQ8BAf8E
BAMCAAgwDgYDVR0PAQH/BAQDAgABMAoGCCqGSM49BAMCA0gAMEUCIQDTBj+0Atjy
F1GY8AM2Mv7/X3tsEbmMVdszKw8l6rVsEQIgMiH8CO9nkP0aXdMgp9x4kVjJZK9X
rW3ROydT89D73OA=

尝试使用 ASN-1 DER 解码器解码它。

滚动到上面的输出中,直到找到 HERE IT IS!。

你的键/值是:

30 0B    -- 一个长度为 11 字节的 SEQUENCE
    06 03 551D25   -- 一个长度为 3 字节的项目(551D25 ... OidExtensionExtendedKeyUsage)
    04 04 03020002 -- 一个长度为 4 字节的项目(03 02 0002 ... 一个长度为 2 字节的项目 0002 ... asn1KeyUsageCAuth)

我很想根据 ASN.1 规范解码 CSR,但是我找不到它 在使用Golang生成CSR时,出现了提供ExtendedKeyUsage信息的问题。

英文:

I think the problem is when you print the data. The key/value is actually present in the data.

From the code:

var OidExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

asn1KeyUsageCAuth, err := asn1.Marshal(asn1.BitString{
    Bytes:     []byte{byte(x509.ExtKeyUsageClientAuth)},
    BitLength: 8,
})

ExtraExtensions: []pkix.Extension{
    {
        Id: OidExtensionExtendedKeyUsage,
        //Critical: true,
        Value: asn1KeyUsageCAuth,
        //Value: {2, 5, 29, 15},
    },

OidExtensionExtendedKeyUsage is ASN.1 OID 2.5.29.37 and will be '55 1D 25' when encoded with a DER encoder

You can encode it online to see what binary it will produce (e.g. https://misc.daniel-marschall.de/asn.1/oid-converter/online.php)

asn1KeyUsageCAuth value is 2 (constant defined in x509.go) and will be '00 02' when encoded as ASN.1 BIT STRING with a DER encoder (first 00 is the number of padding bits (none), 02 is the value 2)

Now take the Base64 value of your Certificate Request and decode it with an ASN.1 DER Decoder (for example: https://asn1.io/asn1playground)

> MIIBtzCCAV0CAQAwgZwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQIEwZTeWRuZXkxDzAN
> BgNVBAcTBlN5ZG5leTETMBEGA1UEChMKc210aENsaWVudDELMAkGA1UECxMCSVQx
> JTAjBgNVBAMTHHNtdGgtQ2xpZW50LVk4cDg1bk1pSVNzMGlIZ0ExIjAgBgkqhkiG
> 9w0BCQEME3NtdGhjbGllbnRAc210aC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
> BwNCAAR4rIgUOxSyXdaML9F9e2gRjuMUK8Q0jiloTb2kAdmbz1RoCEdsZUUxKQcr
> 0Vud2aW3VIDph1ar4hkqWkM43hxqoF4wXAYJKoZIhvcNAQkOMU8wTTAeBgNVHREE
> FzAVgRNzbXRoY2xpZW50QHNtdGguY29tMAsGA1UdJQQEAwIAAjAOBgNVHQ8BAf8E
> BAMCAAgwDgYDVR0PAQH/BAQDAgABMAoGCCqGSM49BAMCA0gAMEUCIQDTBj+0Atjy
> F1GY8AM2Mv7/X3tsEbmMVdszKw8l6rVsEQIgMiH8CO9nkP0aXdMgp9x4kVjJZK9X
> rW3ROydT89D73OA=

Try the full power of OSS' ASN-1Step by downloading a free trial

OSS Nokalva TLV Print Utility  Version 8.6.1
Copyright (C) 1997-2022 OSS Nokalva, Inc.  All rights reserved.


30 8201B7(439)
  30 82015D(349)
    02 01 00
    30 819C(156)
      31 0B
        30 09
          06 03 550406
          13 02 4155
      31 0F
        30 0D
          06 03 550408
          13 06 5379646E6579
      31 0F
        30 0D
          06 03 550407
          13 06 5379646E6579
      31 13
        30 11
          06 03 55040A
          13 0A 736D7468436C69656E74
      31 0B
        30 09
          06 03 55040B
          13 02 4954
      31 25
        30 23
          06 03 550403
          13 1C 736D74682D436C69656E742D59387038356E4D694953733069486741
      31 22
        30 20
          06 09 2A864886F70D010901
          0C 13 736D7468636C69656E7440736D74682E636F6D
    30 59
      30 13
        06 07 2A8648CE3D0201
        06 08 2A8648CE3D030107
      03 42 000478AC88143B14B25DD68C2FD17D7B68118EE3142BC4348E29684DBDA401D9...
    A0 5E
      30 5C
        06 09 2A864886F70D01090E
        31 4F
          30 4D
            30 1E
              06 03 551D11
              04 17 30158113736D7468636C69656E7440736D74682E636F6D
            30 0B -- HERE IT IS!
              06 03 551D25
              04 04 03020002
            30 0E
              06 03 551D0F
              01 01 FF
              04 04 03020008
            30 0E
              06 03 551D0F
              01 01 FF
              04 04 03020001
  30 0A
    06 08 2A8648CE3D040302
  03 48 003045022100D3063FB402D8F2175198F0033632FEFF5F7B6C11B98C55DB332B0F25...


Results
To get more details, please provide/compile a schema for your data.

Scroll down the output above until you find HERE IT IS!

Your key/value is:

30 0B    -- a SEQUENCE of 11 bytes
    06 03 551D25   -- an item of 3 bytes (551D25 ... OidExtensionExtendedKeyUsage)
    04 04 03020002 --  an item of 4 bytes (03 02 0002 ... an item of 2 bytes 0002 ... asn1KeyUsageCAuth)

I would have loved to decode the CSR againt the ASN.1 specification ... but I could not find it 在使用Golang生成CSR时,出现了提供ExtendedKeyUsage信息的问题。

huangapple
  • 本文由 发表于 2022年12月9日 16:10:16
  • 转载请务必保留本文链接:https://go.coder-hub.com/74740374.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定