From: Adam Langley Date: Fri, 19 Aug 2016 00:14:43 +0000 (-0700) Subject: crypto/x509: recognise ISO OID for RSA+SHA1 X-Git-Tag: go1.8beta1~1771 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=bcd54f6ca514ae0e347c780b45d743f2c4145bf3;p=gostls13.git crypto/x509: recognise ISO OID for RSA+SHA1 For some reason, ISO decided to duplicate the OID for RSA+SHA1. Most pertinantly, the makecert.exe utility on Windows is known to have used this OID. This change makes the ISO OID an alias for the normal one. Change-Id: I60b76265bf1721282bdb0d5c99c98d227c18a878 Reviewed-on: https://go-review.googlesource.com/27394 Run-TryBot: Adam Langley Reviewed-by: Brad Fitzpatrick TryBot-Result: Gobot Gobot --- diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go index 1ecb0e26cd..b8da5801c7 100644 --- a/src/crypto/x509/x509.go +++ b/src/crypto/x509/x509.go @@ -296,6 +296,11 @@ var ( oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3} oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8} + + // oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA + // but it's specified by ISO. Microsoft's makecert.exe has been known + // to produce certificates with this OID. + oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29} ) var signatureAlgorithmDetails = []struct { @@ -307,6 +312,7 @@ var signatureAlgorithmDetails = []struct { {MD2WithRSA, oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */}, {MD5WithRSA, oidSignatureMD5WithRSA, RSA, crypto.MD5}, {SHA1WithRSA, oidSignatureSHA1WithRSA, RSA, crypto.SHA1}, + {SHA1WithRSA, oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1}, {SHA256WithRSA, oidSignatureSHA256WithRSA, RSA, crypto.SHA256}, {SHA384WithRSA, oidSignatureSHA384WithRSA, RSA, crypto.SHA384}, {SHA512WithRSA, oidSignatureSHA512WithRSA, RSA, crypto.SHA512}, diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go index e7858295ab..ec5c7daf39 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -1381,3 +1381,27 @@ func TestRSAMissingNULLParameters(t *testing.T) { t.Errorf("unrecognised error when parsing certificate with missing RSA NULL parameter: %s", err) } } + +const certISOOID = ` +-----BEGIN CERTIFICATE----- +MIIB5TCCAVKgAwIBAgIQtwyL3RPWV7dJQp34HwZG9DAJBgUrDgMCHQUAMBExDzAN +BgNVBAMTBm15dGVzdDAeFw0xNjA4MDkyMjExMDVaFw0zOTEyMzEyMzU5NTlaMBEx +DzANBgNVBAMTBm15dGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArzIH +GsyDB3ohIGkkvijF2PTRUX1bvOtY1eUUpjwHyu0twpAKSuaQv2Ha+/63+aHe8O86 +BT+98wjXFX6RFSagtAujo80rIF2dSm33BGt18pDN8v6zp93dnAm0jRaSQrHJ75xw +5O+S1oEYR1LtUoFJy6qB104j6aINBAgOiLIKiMkCAwEAAaNGMEQwQgYDVR0BBDsw +OYAQVuYVQ/WDjdGSkZRlTtJDNKETMBExDzANBgNVBAMTBm15dGVzdIIQtwyL3RPW +V7dJQp34HwZG9DAJBgUrDgMCHQUAA4GBABngrSkH7vG5lY4sa4AZF59lAAXqBVJE +J4TBiKC62hCdZv18rBleP6ETfhbPg7pTs8p4ebQbpmtNxRS9Lw3MzQ8Ya5Ybwzj2 +NwBSyCtCQl7mrEg4nJqJl4A2EUhnET/oVxU0oTV/SZ3ziGXcY1oG1s6vidV7TZTu +MCRtdSdaM7g3 +-----END CERTIFICATE-----` + +func TestISOOIDInCertificate(t *testing.T) { + block, _ := pem.Decode([]byte(certISOOID)) + if cert, err := ParseCertificate(block.Bytes); err != nil { + t.Errorf("certificate with ISO OID failed to parse: %s", err) + } else if cert.SignatureAlgorithm == UnknownSignatureAlgorithm { + t.Errorf("ISO OID not recognised in certificate") + } +}