Go语言的TLS 1.3实现忽略了密钥用途。

huangapple go评论96阅读模式
英文:

Go's TLS 1.3 Implementation Ignores Key Usage

问题

最近在使用Go和Java进行TLS 1.3的工作时,我发现Go会忽略Key Usage状态标志。而Java的实现则会按照RFC检查密钥用途。我特别关注的是数字签名位。

根据RFC 8446第4.4.2.2节的规定:
如果存在Key Usage扩展,数字签名位必须设置。

阅读verify.go中的注释,我发现Go没有实现这个功能,因为在实际使用中存在不一致性。

我的理解正确吗?

英文:

Doing some work with TLS 1.3 in both Go and Java, I recently found that Go ignores Key Usage status flags. On the other hand, Java's implementation checks key usage following the RFC. I'm thinking in particular about the digital signature bit:

> the digitalSignature bit MUST be set if the Key Usage extension is present

Reading the comment in verify.go, I see that Go didn't implement this feature given its inconsistent usage in the world.

Is my understanding correct?

答案1

得分: 1

如果你阅读有关如何创建X.509证书、证书颁发机构等方面的文章,你会发现它们经常忽略keyUsageextendedKeyUsage等细节。

这意味着有很多由用户创建的证书没有正确的使用标志。

然而,这真的重要吗?无论你如何装饰证书包,私钥都是私钥。这些标志只是化妆品。无论有没有使用标志,密钥的工作方式都完全相同。

Java库试图防止经验不足的加密开发人员使用不正确。在我看来,Golang面向的是不同的受众。

例如,你可以使用私钥和公钥进行加密。约定是使用公钥进行加密,使用私钥进行解密。Java强制执行这个约定,但Golang不会。当然,我的说法有例外,但我的观点是这两种语言之间的哲学是不同的。

如果使用标志无关紧要,那么它们的作用是什么?销售证书的企业希望你购买证书。他们希望通过使用标志来限制你可以使用证书的方式,以便你要么购买更多的证书,要么为某些功能支付更多费用。

英文:

If you read articles on how to create X.509 certificate, certificate authorities, etc you will find they often leave out details such as keyUsage and extendedKeyUsage.

That means there are a lot of certificates created by users without the correct usage flags.

However, does it really matter? A private key is a private key no matter what flags you adorn the certificate bundle with. The flags are just lipstick. The keys work exactly the same with or without the usage flags.

Java libraries try to prevent incorrect usage for inexperienced cryptography developers. IMHO Golang targets a different audience.

For example, you can encrypt with the private key and the public key. The convention has you encrypt with the public key and decrypt with the private key. Java enforces that convention, but Golang does not. There are of course exceptions to my statement, but my point is the philosophy between the languages is different.

If the usage flags do not matter then what are they for? Businesses that sell certificates want you to buy certificates. They want to limit via usage flags what you can use the certificate for so that you either purchase more certificates or pay more for certain features.

huangapple
  • 本文由 发表于 2023年5月5日 23:42:36
  • 转载请务必保留本文链接:https://go.coder-hub.com/76183882.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定