Is there a workaround for parsing a certificate with explicit curve params?

Question


I have a certificate that I need to parse and verify in Go but parsing fails at x509.ParseCertificate with x509: invalid ECDSA parameters error. Here's a playground snippet.

I've found these two issues in Go, which seemed related:

Turns out, x509 certificates must have a named curve specified in the Algorithm Identifier section, and that's exactly where parsing was failing.

I inspected the certificate, and indeed, it has explicit curve params specified instead of a named curve. Pastebin link with ASN.1 description.

OpenSSL seems to have no problems parsing this certificate using openssl x509 -noout -text -in so in that sense the certificate seems to be valid.

I've tried to parse the certificate using spacemonkeygo/openssl package and it succeeds but it doesn't look like I can use Certificate from this package in Go's standard x509 package easily.

Are there any quick workarounds around the problem without having to use OpenSSL or forking Go's x509?

Please note that I used an example certificate in the playground and ASN.1 decoding but I didn't generate the original certificate I need to parse and cannot ask the issuer to do it differently.
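The failure described in the question can be checked before calling `x509.ParseCertificate`. The `ECParameters` CHOICE in RFC 5480 has three forms (`namedCurve` OID, `specifiedCurve` SEQUENCE, `implicitlyCA` NULL), and the PKIX profile permits only `namedCurve`; Go's parser enforces exactly that, which is why OpenSSL (which implements the older RFC 3279 forms too) accepts the certificate while Go reports `invalid ECDSA parameters`. The program below is an added example, not code from the question or from Go's standard library: it classifies the parameter form found in a DER `SubjectPublicKeyInfo`, and, using a throwaway P-256 key as constructed test data, re-encodes that key's public key with `specifiedCurve` parameters so you can see Go reject the explicit form it accepted a moment earlier as a named curve. The struct names (`subjectPublicKeyInfo`, `ecParameters`, `ClassifyECParams`, `BuildSamples`, `GoAccepts`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// id-ecPublicKey (RFC 5480) and prime-field (RFC 3279) object identifiers.
var (
	oidECPublicKey = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
	oidPrimeField  = asn1.ObjectIdentifier{1, 2, 840, 10045, 1, 1}
)

// Mirrors of the PKIX structures used here (names are this example's own).
// Parameters stays raw because the ECParameters CHOICE may be OID, SEQUENCE or NULL.
type algorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.RawValue `asn1:"optional"`
}

type subjectPublicKeyInfo struct {
	Algorithm algorithmIdentifier
	PublicKey asn1.BitString
}

// ECParameters in the specifiedCurve form (RFC 3279 section 2.3.5), prime field only.
type fieldID struct {
	FieldType  asn1.ObjectIdentifier
	Parameters *big.Int // the prime p
}

type curveCoeffs struct{ A, B []byte }

type ecParameters struct {
	Version  int
	FieldID  fieldID
	Curve    curveCoeffs
	Base     []byte // uncompressed generator point
	Order    *big.Int
	Cofactor int
}

// ECParamsKind names the ECParameters form found in a SubjectPublicKeyInfo.
type ECParamsKind string

const (
	ParamsNamedCurve     ECParamsKind = "namedCurve"     // OID; the only form Go's x509 accepts
	ParamsSpecifiedCurve ECParamsKind = "specifiedCurve" // explicit SEQUENCE, as in the question
	ParamsImplicitlyCA   ECParamsKind = "implicitlyCA"   // NULL
	ParamsNotEC          ECParamsKind = "notEC"
)

// ClassifyECParams reports which ECParameters form a DER SubjectPublicKeyInfo carries.
func ClassifyECParams(spkiDER []byte) (ECParamsKind, error) {
	var spki subjectPublicKeyInfo
	rest, err := asn1.Unmarshal(spkiDER, &spki)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", errors.New("trailing data after SubjectPublicKeyInfo")
	}
	if !spki.Algorithm.Algorithm.Equal(oidECPublicKey) {
		return ParamsNotEC, nil
	}
	p := spki.Algorithm.Parameters
	if p.Class != asn1.ClassUniversal {
		return "", fmt.Errorf("unexpected ECParameters class %d", p.Class)
	}
	switch p.Tag {
	case asn1.TagOID:
		return ParamsNamedCurve, nil
	case asn1.TagSequence:
		return ParamsSpecifiedCurve, nil
	case asn1.TagNull:
		return ParamsImplicitlyCA, nil
	}
	return "", fmt.Errorf("unexpected ECParameters tag %d", p.Tag)
}

// GoAccepts reports whether Go's standard PKIX parser takes the key at all.
func GoAccepts(spkiDER []byte) bool {
	_, err := x509.ParsePKIXPublicKey(spkiDER)
	return err == nil
}

// BuildSamples generates a throwaway P-256 key (constructed test data) and returns its
// SubjectPublicKeyInfo as Go emits it (namedCurve) and re-encoded with specifiedCurve
// parameters built from the P-256 domain parameters, the shape the question's certificate has.
func BuildSamples() (named, explicit []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if named, err = x509.MarshalPKIXPublicKey(&key.PublicKey); err != nil {
		return nil, nil, err
	}
	var spki subjectPublicKeyInfo
	if _, err = asn1.Unmarshal(named, &spki); err != nil {
		return nil, nil, err
	}
	cp := elliptic.P256().Params()
	n := (cp.BitSize + 7) / 8
	a := new(big.Int).Sub(cp.P, big.NewInt(3)) // P-256 uses a = p - 3
	base := append([]byte{0x04}, cp.Gx.FillBytes(make([]byte, n))...)
	base = append(base, cp.Gy.FillBytes(make([]byte, n))...)
	paramsDER, err := asn1.Marshal(ecParameters{
		Version:  1,
		FieldID:  fieldID{FieldType: oidPrimeField, Parameters: cp.P},
		Curve:    curveCoeffs{A: a.FillBytes(make([]byte, n)), B: cp.B.FillBytes(make([]byte, n))},
		Base:     base,
		Order:    cp.N,
		Cofactor: 1,
	})
	if err != nil {
		return nil, nil, err
	}
	spki.Algorithm.Parameters = asn1.RawValue{FullBytes: paramsDER} // swap OID for explicit SEQUENCE
	explicit, err = asn1.Marshal(spki)
	return named, explicit, err
}

func main() {
	named, explicit, err := BuildSamples()
	if err != nil {
		panic(err)
	}
	for label, der := range map[string][]byte{"namedCurve": named, "specifiedCurve": explicit} {
		kind, _ := ClassifyECParams(der)
		fmt.Printf("%-15s params=%-15s goAccepts=%v\n", label, kind, GoAccepts(der))
	}
}
```

To apply this to the certificate from the question, feed `ClassifyECParams` the `SubjectPublicKeyInfo` bytes (the `tbsCertificate.subjectPublicKeyInfo` element from the ASN.1 dump). A `specifiedCurve` result confirms that the issuer's encoding, not a corrupt certificate, is what Go rejects, and that any workaround has to happen outside `x509.ParseCertificate`, since the check is made while parsing the public key.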

Answer 1

Score: 1


I've taken a look at the source code for go x509, and it looks distinctly like hand cut code, rather than code that's been machine generated from whatever asn1 schema files that the various standards for certificates use.

Which, unfortunately, means that with out-of-the-github Go, it'd be a fair piece of work to retrofit the old standards into Go's x509 implementation.

An alternative would be to get the asn.1 schemas for the x509 flavour that you want (I'm assuming that they exist!), and use the Objective System's ASN1C (costs money) which can output Go source code. That way it'd be trivial to get a parser for any schema defined certificate format you wish (or indeed, any other ASN1 PDU in any encoding).

One of the unfortunate things I think is that Google's official serialiser is GPB which, fine (if limited) though it is, means that they're less focused on implementing good tools in Google languages for other, pre-existing serialisers such as ASN1.

huangapple
  • Posted on 2023-02-02 01:00:37
  • Please keep this link when reposting: https://go.coder-hub.com/75313670.html