Issue providing ExtendedKeyUsage information to CSR during build in golang-Golang-php.cn

Home

Backend Development

Golang

Issue providing ExtendedKeyUsage information to CSR during build in golang

王林

Feb 09, 2024 pm 03:03 PM

在 golang 中生成期间向 CSR 提供 ExtendedKeyUsage 信息时出现问题

During CSR generation in golang, a problem arose in providing information to ExtendedKeyUsage. This issue may affect the correctness and validity of the generated CSR. ExtendedKeyUsage is part of the certificate extension and is used to specify the purpose of using the certificate. By providing correct ExtendedKeyUsage information to the CSR, the availability and security of the certificate in specific scenarios can be ensured. However, in golang, sometimes you encounter the problem that ExtendedKeyUsage information cannot be provided correctly when generating CSR. PHP editor Xigua will introduce the cause and solution of this problem in detail in this article to help readers solve similar problems and successfully generate CSR that meets the requirements.

Question content

I stumbled upon a strange problem. I'm writing a small golang tool that generates csr based on some user-supplied input. I mostly succeeded in achieving my goal, but ran into issues with extendedkeyusage. Simply put, it doesn't work.

asn1 marshaling codes for some x509 fields:

var oidemailaddress = asn1.objectidentifier{1, 2, 840, 113549, 1, 9, 1}
    var oidextensionkeyusage = asn1.objectidentifier{2, 5, 29, 15}
    var oidextensionextendedkeyusage = asn1.objectidentifier{2, 5, 29, 37}

    asn1keyusagedigsig, err := asn1.marshal(asn1.bitstring{
        bytes:     []byte{byte(x509.keyusagedigitalsignature)},
        bitlength: 8,
    })
    asn1keyusagedatenc, err := asn1.marshal(asn1.bitstring{
        bytes:     []byte{byte(x509.keyusagedataencipherment)},
        bitlength: 8,
    })
    asn1keyusagecauth, err := asn1.marshal(asn1.bitstring{
        bytes:     []byte{byte(x509.extkeyusageclientauth)},
        bitlength: 8,
    })

    if err != nil {
        error.fatalf("can't serialize extended key usage %s", err)
    }

Then I created a template and successfully generated and saved csr, almost:

template := x509.certificaterequest{
        rawsubject:         asn1subj,
        emailaddresses:     []string{emailaddress},
        signaturealgorithm: _sigalg,
        extraextensions: []pkix.extension{
            {
                id: oidextensionextendedkeyusage,
                value: asn1keyusagecauth,
            },
            {
                id:       oidextensionkeyusage,
                critical: true,
                value:    asn1keyusagedatenc,
            },
            {
                id:       oidextensionkeyusage,
                critical: true,
                value:    asn1keyusagedigsig,
            },
        },
    }

    csrbytes, _ := x509.createcertificaterequest(rand.reader, &template, privatekey)

and here is an openssl req -in my_output.csr -text -noout

******
         asn1 oid: prime256v1
                nist curve: p-256
        attributes:
        requested extensions:
            x509v3 subject alternative name: 
                email:[email&#160;protected]
            x509v3 extended key usage: 
                ....
            x509v3 key usage: critical
                key agreement
            x509v3 key usage: critical
                encipher only
    signature algorithm: ecdsa-with-sha256

******

My extendedkeyusage is empty, while it should be clientauthentication. What did i do wrong?

I look forward to seeing:

X509v3 Extended Key Usage: ClientAuthentication

What I see is an empty field. I tried using a different set of bytes from another oid but still no results. It's like the extendedkeyusage field doesn't allow anything to be written (although it should)

If imported:

Version: go1.19.3 darwin/amd64

Solution

I think the problem is when printing the data. The keys/values actually exist in the data.

From the code:

var oidextensionextendedkeyusage = asn1.objectidentifier{2, 5, 29, 37}

asn1keyusagecauth, err := asn1.marshal(asn1.bitstring{
    bytes:     []byte{byte(x509.extkeyusageclientauth)},
    bitlength: 8,
})

extraextensions: []pkix.extension{
    {
        id: oidextensionextendedkeyusage,
        //critical: true,
        value: asn1keyusagecauth,
        //value: {2, 5, 29, 15},
    },

oidextensionextendedkeyusage is asn.1 oid 2.5.29.37, which when encoded using the der encoder will be "55 1d 25"

You can encode it online to see what binary it will generate (e.g. https://www.php.cn/link/8e08227323cd829e449559bb381484b7)

asn1keyusagecauth value is 2 (constant defined in x509.go), which will be "00 02" when encoded to asn.1 bit string using der encoder (the first 00 is the number of padding bits (none), 02 is the number of padding digits) value 2)

Now get the base64 value of the certificate request and decode it using the asn.1 der decoder (eg: https://asn1.io/asn1playground)

miibtzccav0caqawgzwxczajbgnvbaytakfvmq8wdqydvqqiewztewruzxkxdzan bgnvbactbln5zg5letetmbega1uechmkc210aensawvuddelmakga1uecxmcsvqx jtajbgnvbamthhntdggtq2xpzw50lvk4cdg1bk1psvnzmgliz0exijagbgkqhkig 9w0bcqeme3ntdghjbgllbnrac210ac5jb20wwtatbgcqhkjopqibbggqhkjopqmb bwncaar4riguoxsyxdaml9f9e2grjumuk8q0jilotb2kadmbz1rocedszuuxkqcr 0vud2aw3vidph1ar4hkqwkm43hxqof4wxayjkozihvcnaqkomu8wttaebgnvhree fzavgrnzbxroy2xpzw50qhntdgguy29tmasga1udjqqeawiiaajaobgnvhq8baf8e bamcaagwdgydvr0paqh/baqdagabmaogccqgsm49bamca0gameuciqdtbj 0atjy f1gy8am2mv7/x3tsebmmvdszkw8l6rvseqigmih8co9nkp0axdmgp9x4kvjjzk9x rw3roydt89d73oa=

try the full power of oss' asn-1step by downloading a free trial

oss nokalva tlv print utility  version 8.6.1
copyright (c) 1997-2022 oss nokalva, inc.  all rights reserved.


30 8201b7(439)
  30 82015d(349)
    02 01 00
    30 819c(156)
      31 0b
        30 09
          06 03 550406
          13 02 4155
      31 0f
        30 0d
          06 03 550408
          13 06 5379646e6579
      31 0f
        30 0d
          06 03 550407
          13 06 5379646e6579
      31 13
        30 11
          06 03 55040a
          13 0a 736d7468436c69656e74
      31 0b
        30 09
          06 03 55040b
          13 02 4954
      31 25
        30 23
          06 03 550403
          13 1c 736d74682d436c69656e742d59387038356e4d694953733069486741
      31 22
        30 20
          06 09 2a864886f70d010901
          0c 13 736d7468636c69656e7440736d74682e636f6d
    30 59
      30 13
        06 07 2a8648ce3d0201
        06 08 2a8648ce3d030107
      03 42 000478ac88143b14b25dd68c2fd17d7b68118ee3142bc4348e29684dbda401d9...
    a0 5e
      30 5c
        06 09 2a864886f70d01090e
        31 4f
          30 4d
            30 1e
              06 03 551d11
              04 17 30158113736d7468636c69656e7440736d74682e636f6d
            30 0b -- here it is!
              06 03 551d25
              04 04 03020002
            30 0e
              06 03 551d0f
              01 01 ff
              04 04 03020008
            30 0e
              06 03 551d0f
              01 01 ff
              04 04 03020001
  30 0a
    06 08 2a8648ce3d040302
  03 48 003045022100d3063fb402d8f2175198f0033632feff5f7b6c11b98c55db332b0f25...


results
to get more details, please provide/compile a schema for your data.

Scroll down the output above until you find here it is!

Your key/value is:

30 0B    -- a SEQUENCE of 11 bytes
    06 03 551D25   -- an item of 3 bytes (551D25 ... OidExtensionExtendedKeyUsage)
    04 04 03020002 --  an item of 4 bytes (03 02 0002 ... an item of 2 bytes 0002 ... asn1KeyUsageCAuth)

I'd love to decode the csr according to the asn.1 spec...but I can't find it :(

The above is the detailed content of Issue providing ExtendedKeyUsage information to CSR during build in golang. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:stackoverflow. If there is any infringement, please contact admin@php.cn delete

Golang vs. Python: The Pros and ConsApr 21, 2025 am 12:17 AM

Golangisidealforbuildingscalablesystemsduetoitsefficiencyandconcurrency,whilePythonexcelsinquickscriptinganddataanalysisduetoitssimplicityandvastecosystem.Golang'sdesignencouragesclean,readablecodeanditsgoroutinesenableefficientconcurrentoperations,t

Golang and C : Concurrency vs. Raw SpeedApr 21, 2025 am 12:16 AM

Golang is better than C in concurrency, while C is better than Golang in raw speed. 1) Golang achieves efficient concurrency through goroutine and channel, which is suitable for handling a large number of concurrent tasks. 2)C Through compiler optimization and standard library, it provides high performance close to hardware, suitable for applications that require extreme optimization.

Why Use Golang? Benefits and Advantages ExplainedApr 21, 2025 am 12:15 AM

Reasons for choosing Golang include: 1) high concurrency performance, 2) static type system, 3) garbage collection mechanism, 4) rich standard libraries and ecosystems, which make it an ideal choice for developing efficient and reliable software.

Golang vs. C : Performance and Speed ComparisonApr 21, 2025 am 12:13 AM

Golang is suitable for rapid development and concurrent scenarios, and C is suitable for scenarios where extreme performance and low-level control are required. 1) Golang improves performance through garbage collection and concurrency mechanisms, and is suitable for high-concurrency Web service development. 2) C achieves the ultimate performance through manual memory management and compiler optimization, and is suitable for embedded system development.

Is Golang Faster Than C ? Exploring the LimitsApr 20, 2025 am 12:19 AM

Golang performs better in compilation time and concurrent processing, while C has more advantages in running speed and memory management. 1.Golang has fast compilation speed and is suitable for rapid development. 2.C runs fast and is suitable for performance-critical applications. 3. Golang is simple and efficient in concurrent processing, suitable for concurrent programming. 4.C Manual memory management provides higher performance, but increases development complexity.

Golang: From Web Services to System ProgrammingApr 20, 2025 am 12:18 AM

Golang's application in web services and system programming is mainly reflected in its simplicity, efficiency and concurrency. 1) In web services, Golang supports the creation of high-performance web applications and APIs through powerful HTTP libraries and concurrent processing capabilities. 2) In system programming, Golang uses features close to hardware and compatibility with C language to be suitable for operating system development and embedded systems.

Golang vs. C : Benchmarks and Real-World PerformanceApr 20, 2025 am 12:18 AM

Golang and C have their own advantages and disadvantages in performance comparison: 1. Golang is suitable for high concurrency and rapid development, but garbage collection may affect performance; 2.C provides higher performance and hardware control, but has high development complexity. When making a choice, you need to consider project requirements and team skills in a comprehensive way.

Golang vs. Python: A Comparative AnalysisApr 20, 2025 am 12:17 AM

Golang is suitable for high-performance and concurrent programming scenarios, while Python is suitable for rapid development and data processing. 1.Golang emphasizes simplicity and efficiency, and is suitable for back-end services and microservices. 2. Python is known for its concise syntax and rich libraries, suitable for data science and machine learning.

See all articles