Backend Development
Golang
Issue providing ExtendedKeyUsage information to CSR during build in golang
Issue providing ExtendedKeyUsage information to CSR during build in golang
During CSR generation in golang, a problem arose in providing information to ExtendedKeyUsage. This issue may affect the correctness and validity of the generated CSR. ExtendedKeyUsage is part of the certificate extension and is used to specify the purpose of using the certificate. By providing correct ExtendedKeyUsage information to the CSR, the availability and security of the certificate in specific scenarios can be ensured. However, in golang, sometimes you encounter the problem that ExtendedKeyUsage information cannot be provided correctly when generating CSR. PHP editor Xigua will introduce the cause and solution of this problem in detail in this article to help readers solve similar problems and successfully generate CSR that meets the requirements.
Question content
I stumbled upon a strange problem. I'm writing a small golang tool that generates csr based on some user-supplied input. I mostly succeeded in achieving my goal, but ran into issues with extendedkeyusage. Simply put, it doesn't work.
asn1 marshaling codes for some x509 fields:
var oidemailaddress = asn1.objectidentifier{1, 2, 840, 113549, 1, 9, 1}
var oidextensionkeyusage = asn1.objectidentifier{2, 5, 29, 15}
var oidextensionextendedkeyusage = asn1.objectidentifier{2, 5, 29, 37}
asn1keyusagedigsig, err := asn1.marshal(asn1.bitstring{
bytes: []byte{byte(x509.keyusagedigitalsignature)},
bitlength: 8,
})
asn1keyusagedatenc, err := asn1.marshal(asn1.bitstring{
bytes: []byte{byte(x509.keyusagedataencipherment)},
bitlength: 8,
})
asn1keyusagecauth, err := asn1.marshal(asn1.bitstring{
bytes: []byte{byte(x509.extkeyusageclientauth)},
bitlength: 8,
})
if err != nil {
error.fatalf("can't serialize extended key usage %s", err)
}Then I created a template and successfully generated and saved csr, almost:
template := x509.certificaterequest{
rawsubject: asn1subj,
emailaddresses: []string{emailaddress},
signaturealgorithm: _sigalg,
extraextensions: []pkix.extension{
{
id: oidextensionextendedkeyusage,
value: asn1keyusagecauth,
},
{
id: oidextensionkeyusage,
critical: true,
value: asn1keyusagedatenc,
},
{
id: oidextensionkeyusage,
critical: true,
value: asn1keyusagedigsig,
},
},
}
csrbytes, _ := x509.createcertificaterequest(rand.reader, &template, privatekey)and here is an openssl req -in my_output.csr -text -noout
******
asn1 oid: prime256v1
nist curve: p-256
attributes:
requested extensions:
x509v3 subject alternative name:
email:[email protected]
x509v3 extended key usage:
....
x509v3 key usage: critical
key agreement
x509v3 key usage: critical
encipher only
signature algorithm: ecdsa-with-sha256
******My extendedkeyusage is empty, while it should be clientauthentication. What did i do wrong?
I look forward to seeing:
X509v3 Extended Key Usage: ClientAuthentication
What I see is an empty field. I tried using a different set of bytes from another oid but still no results. It's like the extendedkeyusage field doesn't allow anything to be written (although it should)
If imported:
Version: go1.19.3 darwin/amd64
Solution
I think the problem is when printing the data. The keys/values actually exist in the data.
From the code:
var oidextensionextendedkeyusage = asn1.objectidentifier{2, 5, 29, 37}
asn1keyusagecauth, err := asn1.marshal(asn1.bitstring{
bytes: []byte{byte(x509.extkeyusageclientauth)},
bitlength: 8,
})
extraextensions: []pkix.extension{
{
id: oidextensionextendedkeyusage,
//critical: true,
value: asn1keyusagecauth,
//value: {2, 5, 29, 15},
},oidextensionextendedkeyusage is asn.1 oid 2.5.29.37, which when encoded using the der encoder will be "55 1d 25"
You can encode it online to see what binary it will generate (e.g. https://www.php.cn/link/8e08227323cd829e449559bb381484b7)
asn1keyusagecauth value is 2 (constant defined in x509.go), which will be "00 02" when encoded to asn.1 bit string using der encoder (the first 00 is the number of padding bits (none), 02 is the number of padding digits) value 2)
Now get the base64 value of the certificate request and decode it using the asn.1 der decoder (eg: https://asn1.io/asn1playground)
miibtzccav0caqawgzwxczajbgnvbaytakfvmq8wdqydvqqiewztewruzxkxdzan bgnvbactbln5zg5letetmbega1uechmkc210aensawvuddelmakga1uecxmcsvqx jtajbgnvbamthhntdggtq2xpzw50lvk4cdg1bk1psvnzmgliz0exijagbgkqhkig 9w0bcqeme3ntdghjbgllbnrac210ac5jb20wwtatbgcqhkjopqibbggqhkjopqmb bwncaar4riguoxsyxdaml9f9e2grjumuk8q0jilotb2kadmbz1rocedszuuxkqcr 0vud2aw3vidph1ar4hkqwkm43hxqof4wxayjkozihvcnaqkomu8wttaebgnvhree fzavgrnzbxroy2xpzw50qhntdgguy29tmasga1udjqqeawiiaajaobgnvhq8baf8e bamcaagwdgydvr0paqh/baqdagabmaogccqgsm49bamca0gameuciqdtbj 0atjy f1gy8am2mv7/x3tsebmmvdszkw8l6rvseqigmih8co9nkp0axdmgp9x4kvjjzk9x rw3roydt89d73oa=
try the full power of oss' asn-1step by downloading a free trial
oss nokalva tlv print utility version 8.6.1
copyright (c) 1997-2022 oss nokalva, inc. all rights reserved.
30 8201b7(439)
30 82015d(349)
02 01 00
30 819c(156)
31 0b
30 09
06 03 550406
13 02 4155
31 0f
30 0d
06 03 550408
13 06 5379646e6579
31 0f
30 0d
06 03 550407
13 06 5379646e6579
31 13
30 11
06 03 55040a
13 0a 736d7468436c69656e74
31 0b
30 09
06 03 55040b
13 02 4954
31 25
30 23
06 03 550403
13 1c 736d74682d436c69656e742d59387038356e4d694953733069486741
31 22
30 20
06 09 2a864886f70d010901
0c 13 736d7468636c69656e7440736d74682e636f6d
30 59
30 13
06 07 2a8648ce3d0201
06 08 2a8648ce3d030107
03 42 000478ac88143b14b25dd68c2fd17d7b68118ee3142bc4348e29684dbda401d9...
a0 5e
30 5c
06 09 2a864886f70d01090e
31 4f
30 4d
30 1e
06 03 551d11
04 17 30158113736d7468636c69656e7440736d74682e636f6d
30 0b -- here it is!
06 03 551d25
04 04 03020002
30 0e
06 03 551d0f
01 01 ff
04 04 03020008
30 0e
06 03 551d0f
01 01 ff
04 04 03020001
30 0a
06 08 2a8648ce3d040302
03 48 003045022100d3063fb402d8f2175198f0033632feff5f7b6c11b98c55db332b0f25...
results
to get more details, please provide/compile a schema for your data.Scroll down the output above until you find here it is!
Your key/value is:
30 0B -- a SEQUENCE of 11 bytes
06 03 551D25 -- an item of 3 bytes (551D25 ... OidExtensionExtendedKeyUsage)
04 04 03020002 -- an item of 4 bytes (03 02 0002 ... an item of 2 bytes 0002 ... asn1KeyUsageCAuth)I'd love to decode the csr according to the asn.1 spec...but I can't find it :(
The above is the detailed content of Issue providing ExtendedKeyUsage information to CSR during build in golang. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How do you use the pprof tool to analyze Go performance?
Mar 21, 2025 pm 06:37 PM
The article explains how to use the pprof tool for analyzing Go performance, including enabling profiling, collecting data, and identifying common bottlenecks like CPU and memory issues.Character count: 159
How do you write unit tests in Go?
Mar 21, 2025 pm 06:34 PM
The article discusses writing unit tests in Go, covering best practices, mocking techniques, and tools for efficient test management.
How do I write mock objects and stubs for testing in Go?
Mar 10, 2025 pm 05:38 PM
This article demonstrates creating mocks and stubs in Go for unit testing. It emphasizes using interfaces, provides examples of mock implementations, and discusses best practices like keeping mocks focused and using assertion libraries. The articl
How can I define custom type constraints for generics in Go?
Mar 10, 2025 pm 03:20 PM
This article explores Go's custom type constraints for generics. It details how interfaces define minimum type requirements for generic functions, improving type safety and code reusability. The article also discusses limitations and best practices
How can I use tracing tools to understand the execution flow of my Go applications?
Mar 10, 2025 pm 05:36 PM
This article explores using tracing tools to analyze Go application execution flow. It discusses manual and automatic instrumentation techniques, comparing tools like Jaeger, Zipkin, and OpenTelemetry, and highlighting effective data visualization
Explain the purpose of Go's reflect package. When would you use reflection? What are the performance implications?
Mar 25, 2025 am 11:17 AM
The article discusses Go's reflect package, used for runtime manipulation of code, beneficial for serialization, generic programming, and more. It warns of performance costs like slower execution and higher memory use, advising judicious use and best
How do you use table-driven tests in Go?
Mar 21, 2025 pm 06:35 PM
The article discusses using table-driven tests in Go, a method that uses a table of test cases to test functions with multiple inputs and outcomes. It highlights benefits like improved readability, reduced duplication, scalability, consistency, and a
How do you specify dependencies in your go.mod file?
Mar 27, 2025 pm 07:14 PM
The article discusses managing Go module dependencies via go.mod, covering specification, updates, and conflict resolution. It emphasizes best practices like semantic versioning and regular updates.
