FAQ
hi there,

I am trying to issue a GET request on some server, using a x509
certificate for authentication (beware: I am a total ignorant in this
matter so I may use incorrect terms and vocabulary)

I got a certificate (from CERN, if that matters) and I am pretty
confident it all works (I used curl to test everything)

here is what I did to get PEM files:


$ openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out usercert.pem
$ openssl pkcs12 -in mycert.pfx -nocerts -out userkey.pem
$ chmod 400 userkey.pem
$ chmod 444 usercert.pem

$ curl -G "https://somewhere.at.cern.ch:someport/somepage" -k --cert
usercert.pem --key userkey.pem
Enter PEM pass phrase: <secret>
<lines of output as I expected>

now, trying to do the same using net/http:

```go
package main

import (
  "fmt"
  "net/http"
  "net/url"
  "crypto/tls"
  "os"
)

func checkError(err error, hdr string) {
  if err != nil {
   fmt.Printf("[%s] Fatal error: %v\n", hdr, err.Error())
   os.Exit(1)
  }
}

func main() {
         rurl, err := url.Parse("https://somewhere.at.cern.ch:someport/somepage")
  checkError(err, "url.Parse")

  cert, err := tls.LoadX509KeyPair("usercert.pem", "userkey.pem")
  checkError(err, "loadcert")

  tr := &http.Transport{
   TLSClientConfig: &tls.Config{
       Certificates: []tls.Certificate {cert},
       InsecureSkipVerify: true,
    ClientAuth: tls.RequireAnyClientCert,
   },
  }
  client := &http.Client{Transport: tr}

  req, err := http.NewRequest("GET", rurl.String(), nil)
  checkError(err, "http.NewRequest")
  fmt.Printf("request: %v\n", *req)

  resp, err := client.Do(req)
  checkError(err, "client.Do")
  if resp.Status != "200 OK" {
   fmt.Println(resp.Status)
   os.Exit(2)
  }

  var buf [512]byte
  reader := resp.Body
  fmt.Println("got body")
  for {
   n, err := reader.Read(buf[0:])
   if err != nil {
    os.Exit(0)
   }
   fmt.Print(string(buf[0:n]))
  }

  os.Exit(0)
}

```

$ go run ./nuts.go

[loadcert] Fatal error: crypto/tls: failed to parse key: ASN.1
structure error: tags don't match (2 vs {class:0 tag:16 length:64
isCompound:true}) {optional:false explicit:false application:false
defaultValue:<nil> tag:<nil> stringType:0 set:false omitEmpty:false}
int @2
exit status 1

so, I am obviously not doing something right...
any idea what I should do to fix this ?

thx,
-s

--

Search Discussions

  • Agl at Sep 27, 2012 at 1:31 pm

    On Thursday, September 27, 2012 7:08:19 AM UTC-4, Sebastien Binet wrote:

    [loadcert] Fatal error: crypto/tls: failed to parse key: ASN.1
    structure error: tags don't match (2 vs {class:0 tag:16 length:64
    isCompound:true}) {optional:false explicit:false application:false
    defaultValue:<nil> tag:<nil> stringType:0 set:false omitEmpty:false}
    int @2
    exit status 1

    Could you include the first line of the key file (the "BEGIN" line).


    Cheers

    AGL
    --
  • Sebastien Binet at Sep 27, 2012 at 2:09 pm

    On Thu, Sep 27, 2012 at 3:31 PM, agl wrote:
    On Thursday, September 27, 2012 7:08:19 AM UTC-4, Sebastien Binet wrote:

    [loadcert] Fatal error: crypto/tls: failed to parse key: ASN.1
    structure error: tags don't match (2 vs {class:0 tag:16 length:64
    isCompound:true}) {optional:false explicit:false application:false
    defaultValue:<nil> tag:<nil> stringType:0 set:false omitEmpty:false}
    int @2
    exit status 1

    Could you include the first line of the key file (the "BEGIN" line).
    that's:
    -----BEGIN ENCRYPTED PRIVATE KEY-----

    well, actually, there are a few bits before:
    Bag Attributes
         friendlyName: me
         localKeyID: some-hex
    Key Attributes: <No Attributes>

    if that matters...

    -s

    Cheers

    AGL
    --
    --
  • Adam Langley at Sep 27, 2012 at 2:03 pm

    On Thu, Sep 27, 2012 at 9:39 AM, Sebastien Binet wrote:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    That's the issue: we don't support encrypted private keys via that
    interface I'm afraid. (Although general support is in
    https://codereview.appspot.com/6555052/, which I hope to land this
    afternoon.)

    If you can load the cert and key yourself, you can patch that CL in
    and decrypt it.

    Alternatively, if it's acceptable to you, you can decrypt the private
    key and load the unencrypted private key from disk:

    openssl rsa -in encrypted.key > decrypted.key


    Cheers

    AGL

    --
  • Sebastien Binet at Sep 27, 2012 at 5:22 pm
    Adam,
    On Thu, Sep 27, 2012 at 3:56 PM, Adam Langley wrote:
    On Thu, Sep 27, 2012 at 9:39 AM, Sebastien Binet wrote:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    That's the issue: we don't support encrypted private keys via that
    interface I'm afraid. (Although general support is in
    https://codereview.appspot.com/6555052/, which I hope to land this
    afternoon.)

    If you can load the cert and key yourself, you can patch that CL in
    and decrypt it.

    Alternatively, if it's acceptable to you, you can decrypt the private
    key and load the unencrypted private key from disk:

    openssl rsa -in encrypted.key > decrypted.key
    ok, thanks, that helped a lot.
    turns out my encrypted.key does not have the headers the CL is
    mentioning (ie: no such "DEK-Info") but I can live with exec.Cmd'ing
    openssl to decrypt the key for the moment.

    thanks again,
    -s

    --
  • Adam Langley at Sep 27, 2012 at 6:09 pm

    On Thu, Sep 27, 2012 at 1:22 PM, Sebastien Binet wrote:
    turns out my encrypted.key does not have the headers the CL is
    mentioning (ie: no such "DEK-Info") but I can live with exec.Cmd'ing
    openssl to decrypt the key for the moment.
    Thanks for the head's up. I was vaguely aware that there was a form of
    encrypted key that worked differently but, if people are using it in
    the wild, I'll try to support it in the future.


    Cheers

    AGL

    --
  • Jfcgauss at Nov 5, 2013 at 6:42 am
    Greetings,

    I am creating a test EC certificate with OpenSSL 1.0.1e via these commands:

    openssl ecparam -out ecpar.pem -name secp224r1

    openssl req -x509 -days 444 -newkey ec:ecpar.pem -keyout priv.pem -out pub.pem


    then I am using (1.2rc3) pem.Decode and x509.DecryptPEMBlock to get priv key but i am getting a "DEK info not found error". Am I missing something ?

    On Thursday, September 27, 2012 9:09:23 PM UTC+3, agl wrote:
    On Thu, Sep 27, 2012 at 1:22 PM, Sebastien Binet wrote:
    turns out my encrypted.key does not have the headers the CL is
    mentioning (ie: no such "DEK-Info") but I can live with exec.Cmd'ing
    openssl to decrypt the key for the moment.
    Thanks for the head's up. I was vaguely aware that there was a form of
    encrypted key that worked differently but, if people are using it in
    the wild, I'll try to support it in the future.


    Cheers

    AGL
    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Jeff R. Allen at Nov 5, 2013 at 4:16 pm
    When I use these commands:

    openssl ecparam -out ecpar.pem -name secp224r1
    openssl req -x509 -days 444 -newkey ec:ecpar.pem -keyout priv.pem -out pub.pem


    I get a priv.pem like this:
    -----BEGIN EC PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,23F8D3C4F3E54362

    M0FFdRyIQAnOJsMb0inutQS+Z1b1WdShEM8G2rsEQSRxSp+DSa8yiYJJQrEQ50gG
    ZjAzcVxRF5OpXyWgE0RmoycYLf2svrBo3GBnj6aKcsHkCuqwqEwM7dWgxLAmcB47
    Hah0pi3f3PQj/HiI1P6FuA==
    -----END EC PRIVATE KEY-----

    (What does yours look like? Does it have the same two headers in it? Please
    remember this is supposed to be a *private* key, if you want to send yours
    for us to look at, send a throw-away one.)

    With that priv.key x509.DecryptPEMBlock will correctly read the key out of
    that file. (I had to take the implementation of tls.LoadX509KeyPair and
    hack it up to add in a call to x509.DecryptPEMBlock; perhaps you can show
    how you are doing that?)

    When I go on to try to use that key and the sell-signed cert in "pub.pem",
    I get the following panic:

    2013/11/05 17:06:32 http: panic serving [::1]:51547: interface conversion:
    interface is *ecdsa.PrivateKey, not *rsa.PrivateKey
    goroutine 8 [running]:
    net/http.func·007()
    /Users/jeffall/go/src/pkg/net/http/server.go:1022 +0xac
    crypto/tls.(*ecdheRSAKeyAgreement).generateServerKeyExchange(0xc2000a0480,
    0xc2000a1750, 0xc20009bbe0, 0xc2000e63c0, 0xc200113f00, ...)
    /Users/jeffall/go/src/pkg/crypto/tls/key_agreement.go:154 +0x4d7

    So that's apparently what's waiting for you once you get your key loaded
    correctly... :)

       -jeff

    PS: go version go1.1.2 darwin/amd64

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Michael Gehring at Nov 5, 2013 at 7:00 pm

    On Mon, Nov 04, 2013 at 10:42:28PM -0800, jfcgauss@gmail.com wrote:
    Greetings,

    I am creating a test EC certificate with OpenSSL 1.0.1e via these commands:

    openssl ecparam -out ecpar.pem -name secp224r1

    openssl req -x509 -days 444 -newkey ec:ecpar.pem -keyout priv.pem -out pub.pem


    then I am using (1.2rc3) pem.Decode and x509.DecryptPEMBlock to get priv key but i am getting a "DEK info not found error". Am I missing something ?
    The generated key (at least here linux/openssl 1.0.1e) is in PKCS8
    format and I couldn't find an option to force it to use the traditional
    format (which uses the DEK-Info header).

    Since x509.DecryptPEMBlock only understands the traditional format and
    x509.ParsePKCS8PrivateKey only supports unencrypted keys, there currently
    seems no way to use these keys directly. One option is to remove the
    encryption on the private key (openssl pkcs8 -in priv.pem) or convert it
    to the traditional format (unfortunately there seems no support for this in
    the openssl commandline tools?).

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Michael Gehring at Nov 5, 2013 at 7:40 pm

    On Tue, Nov 05, 2013 at 07:59:40PM +0100, Michael Gehring wrote:
    On Mon, Nov 04, 2013 at 10:42:28PM -0800, jfcgauss@gmail.com wrote:
    Greetings,

    I am creating a test EC certificate with OpenSSL 1.0.1e via these commands:

    openssl ecparam -out ecpar.pem -name secp224r1

    openssl req -x509 -days 444 -newkey ec:ecpar.pem -keyout priv.pem -out pub.pem


    then I am using (1.2rc3) pem.Decode and x509.DecryptPEMBlock to get priv key but i am getting a "DEK info not found error". Am I missing something ?
    The generated key (at least here linux/openssl 1.0.1e) is in PKCS8
    format and I couldn't find an option to force it to use the traditional
    format (which uses the DEK-Info header).

    Since x509.DecryptPEMBlock only understands the traditional format and
    x509.ParsePKCS8PrivateKey only supports unencrypted keys, there currently
    seems no way to use these keys directly. One option is to remove the
    encryption on the private key (openssl pkcs8 -in priv.pem) or convert it
    to the traditional format (unfortunately there seems no support for this in
    the openssl commandline tools?).
    The pkcs8 key can be converted to the traditional format with:
      openssl ec -in <key> -<cipher>
    e.g.
      openssl ec -in priv.pem -aes128


    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Jeff R. Allen at Nov 5, 2013 at 4:45 pm
    With go version go1.2rc3 darwin/amd64 and openssl-1.0.1e, ECDSA worked for
    me (using the commands you posted to generate the key and the self-signed
    cert).

    I was not able to connect from Chrome to the Go-based server, however
    (ERR_SSL_VERSION_OR_CIPHER_MISMATCH).

    Hope this helps.

       -jeff

    PS: The hacked up server code I'm using
    is: http://play.golang.org/p/8OYTuZtZIQ

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Jfcgauss at Nov 5, 2013 at 9:56 pm

    On Tuesday, November 5, 2013 6:39:05 PM UTC+2, Jeff R. Allen wrote:

    PS: The hacked up server code I'm using is:
    http://play.golang.org/p/8OYTuZtZIQ
    I think this example is a good justification for improving crypto/x509.
    Using ECC, and keeping private keys encrypted is a very natural use case,
    we shouldnt be needing this much of a tumbling. Thanks for the example btw..

    Also, I am trying to get an encrypted EC private key in one command and I
    get the following error. Is this an OpenSSL bug maybe ? :

    $ openssl.exe genpkey -out priv.pem -aes128 -algorithm EC -pkeyopt
    ec_paramgen_curve:secp224r1
    parameter setting error
    3512:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid
    operation:.\crypto\evp\pmeth_lib.c:404

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Jeff R. Allen at Nov 6, 2013 at 1:03 pm
    I think this example is a good justification for improving crypto/x509.
    Agreed: https://code.google.com/p/go/issues/detail?id=6722

       -jeff

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.
  • Van Hu at Dec 31, 2014 at 2:49 pm
    This link seems to solve my problem nicely.

    http://stackoverflow.com/a/24438202/576497

    sock, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
    if err != nil {
         log.Fatal(err)
    }

    agent := agent.NewClient(sock)

    signers, err := agent.Signers()
    if err != nil {
         log.Fatal(err)
    }

    auths := []ssh.AuthMethod{ssh.PublicKeys(signers...)}

    cfg := &ssh.ClientConfig{
         User: "username",
         Auth: auths,
    }
    cfg.SetDefaults()

    client, err := ssh.Dial("tcp", "aws-hostname:22", cfg)
    if err != nil {
         log.Fatal(err)
    }

    session, err = client.NewSession()
    if err != nil {
         log.Fatal(err)
    }

    log.Println("we have a session!")

    ...



    On Thursday, September 27, 2012 7:08:19 PM UTC+8, Sebastien Binet wrote:

    hi there,

    I am trying to issue a GET request on some server, using a x509
    certificate for authentication (beware: I am a total ignorant in this
    matter so I may use incorrect terms and vocabulary)

    I got a certificate (from CERN, if that matters) and I am pretty
    confident it all works (I used curl to test everything)

    here is what I did to get PEM files:


    $ openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out usercert.pem
    $ openssl pkcs12 -in mycert.pfx -nocerts -out userkey.pem
    $ chmod 400 userkey.pem
    $ chmod 444 usercert.pem

    $ curl -G "https://somewhere.at.cern.ch:someport/somepage" -k --cert
    usercert.pem --key userkey.pem
    Enter PEM pass phrase: <secret>
    <lines of output as I expected>

    now, trying to do the same using net/http:

    ```go
    package main

    import (
    "fmt"
    "net/http"
    "net/url"
    "crypto/tls"
    "os"
    )

    func checkError(err error, hdr string) {
    if err != nil {
    fmt.Printf("[%s] Fatal error: %v\n", hdr, err.Error())
    os.Exit(1)
    }
    }

    func main() {
    rurl, err :=
    url.Parse("https://somewhere.at.cern.ch:someport/somepage")
    checkError(err, "url.Parse")

    cert, err := tls.LoadX509KeyPair("usercert.pem", "userkey.pem")
    checkError(err, "loadcert")

    tr := &http.Transport{
    TLSClientConfig: &tls.Config{
    Certificates: []tls.Certificate {cert},
    InsecureSkipVerify: true,
    ClientAuth: tls.RequireAnyClientCert,
    },
    }
    client := &http.Client{Transport: tr}

    req, err := http.NewRequest("GET", rurl.String(), nil)
    checkError(err, "http.NewRequest")
    fmt.Printf("request: %v\n", *req)

    resp, err := client.Do(req)
    checkError(err, "client.Do")
    if resp.Status != "200 OK" {
    fmt.Println(resp.Status)
    os.Exit(2)
    }

    var buf [512]byte
    reader := resp.Body
    fmt.Println("got body")
    for {
    n, err := reader.Read(buf[0:])
    if err != nil {
    os.Exit(0)
    }
    fmt.Print(string(buf[0:n]))
    }

    os.Exit(0)
    }

    ```

    $ go run ./nuts.go

    [loadcert] Fatal error: crypto/tls: failed to parse key: ASN.1
    structure error: tags don't match (2 vs {class:0 tag:16 length:64
    isCompound:true}) {optional:false explicit:false application:false
    defaultValue:<nil> tag:<nil> stringType:0 set:false omitEmpty:false}
    int @2
    exit status 1

    so, I am obviously not doing something right...
    any idea what I should do to fix this ?

    thx,
    -s
    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupgolang-nuts @
categoriesgo
postedSep 27, '12 at 11:08a
activeDec 31, '14 at 2:49p
posts14
users6
websitegolang.org

People

Translate

site design / logo © 2021 Grokbase