crypto/x509: recognise ISO OID for RSA+SHA1

For some reason, ISO decided to duplicate the OID for RSA+SHA1. Most
pertinantly, the makecert.exe utility on Windows is known to have used
this OID.

This change makes the ISO OID an alias for the normal one.

Change-Id: I60b76265bf1721282bdb0d5c99c98d227c18a878
Reviewed-on: https://go-review.googlesource.com/27394
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
index 1ecb0e26cdbcb37cc10c32ee82cf76075ec2ea31..b8da5801c7e0a63606cbbde74fecf67258eca2da 100644 (file)
--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
@@ -296,6 +296,11 @@ var (
        oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
 
        oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
+
+       // oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
+       // but it's specified by ISO. Microsoft's makecert.exe has been known
+       // to produce certificates with this OID.
+       oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
 )
 
 var signatureAlgorithmDetails = []struct {
@@ -307,6 +312,7 @@ var signatureAlgorithmDetails = []struct {
        {MD2WithRSA, oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
        {MD5WithRSA, oidSignatureMD5WithRSA, RSA, crypto.MD5},
        {SHA1WithRSA, oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
+       {SHA1WithRSA, oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
        {SHA256WithRSA, oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
        {SHA384WithRSA, oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
        {SHA512WithRSA, oidSignatureSHA512WithRSA, RSA, crypto.SHA512},

diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index e7858295ab15d0788c2bc254e41bf80859855fba..ec5c7daf39660e3774d406d3f17975a6c4577e39 100644 (file)
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -1381,3 +1381,27 @@ func TestRSAMissingNULLParameters(t *testing.T) {
                t.Errorf("unrecognised error when parsing certificate with missing RSA NULL parameter: %s", err)
        }
 }
+
+const certISOOID = `
+-----BEGIN CERTIFICATE-----
+MIIB5TCCAVKgAwIBAgIQtwyL3RPWV7dJQp34HwZG9DAJBgUrDgMCHQUAMBExDzAN
+BgNVBAMTBm15dGVzdDAeFw0xNjA4MDkyMjExMDVaFw0zOTEyMzEyMzU5NTlaMBEx
+DzANBgNVBAMTBm15dGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArzIH
+GsyDB3ohIGkkvijF2PTRUX1bvOtY1eUUpjwHyu0twpAKSuaQv2Ha+/63+aHe8O86
+BT+98wjXFX6RFSagtAujo80rIF2dSm33BGt18pDN8v6zp93dnAm0jRaSQrHJ75xw
+5O+S1oEYR1LtUoFJy6qB104j6aINBAgOiLIKiMkCAwEAAaNGMEQwQgYDVR0BBDsw
+OYAQVuYVQ/WDjdGSkZRlTtJDNKETMBExDzANBgNVBAMTBm15dGVzdIIQtwyL3RPW
+V7dJQp34HwZG9DAJBgUrDgMCHQUAA4GBABngrSkH7vG5lY4sa4AZF59lAAXqBVJE
+J4TBiKC62hCdZv18rBleP6ETfhbPg7pTs8p4ebQbpmtNxRS9Lw3MzQ8Ya5Ybwzj2
+NwBSyCtCQl7mrEg4nJqJl4A2EUhnET/oVxU0oTV/SZ3ziGXcY1oG1s6vidV7TZTu
+MCRtdSdaM7g3
+-----END CERTIFICATE-----`
+
+func TestISOOIDInCertificate(t *testing.T) {
+       block, _ := pem.Decode([]byte(certISOOID))
+       if cert, err := ParseCertificate(block.Bytes); err != nil {
+               t.Errorf("certificate with ISO OID failed to parse: %s", err)
+       } else if cert.SignatureAlgorithm == UnknownSignatureAlgorithm {
+               t.Errorf("ISO OID not recognised in certificate")
+       }
+}