I am trying to make a client/server pair using crypto/tls, and if using
tls.RequireAndVerifyClientCert in my tls.Config, the server requires the
client cert to have extended key usage for client authentication set. But,
tls.LoadX509KeyPair and x509.ParseCertificate both fail for certificates
generated by openssl with option '-addtrust clientAuth'. I have not tried
to construct an x509 with crypto/x509 to see if that makes a different
format from openssl. The parsing error seems to be coming from
encoding/asn1's Unmarshal, but that's as far as I have tracked it down...
When I try to Unmarshal the pem.Block manually, I get errors even for the
ones that succeed with tls.LoadX509KeyPair and x509.ParseCertificate.

See https://github.com/mbanack/x509loader for certs, sample loading code
(loadcert.go), and the openssl commands which generated the certs (using
OpenSSL 1.0.0j).

It is entirely possible I am just doing something silly, but I could use
another set of eyes.

Matt

--


  • Agl at Jan 14, 2013 at 2:47 pm

    On Monday, January 14, 2013 2:05:59 AM UTC-5, mba...@gmail.com wrote:

    I am trying to make a client/server pair using crypto/tls, and if using
    tls.RequireAndVerifyClientCert in my tls.Config, the server requires the
    client cert to have extended key usage for client authentication set. But,
    tls.LoadX509KeyPair and x509.ParseCertificate both fail for certificates
    generated by openssl with option '-addtrust clientAuth'. I have not tried
    to construct an x509 with crypto/x509 to see if that makes a different
    format from openssl. The parsing error seems to be coming from
    encoding/asn1's Unmarshal, but that's as far as I have tracked it down...
    When I try to Unmarshal the pem.Block manually, I get errors even for the
    ones that succeed with tls.LoadX509KeyPair and x509.ParseCertificate.

    Please include the PEM for the failing certificate.


    Cheers

    AGL

    --
  • Mbanack at Jan 14, 2013 at 11:38 pm

    On Monday, January 14, 2013 7:41:01 AM UTC-7, agl wrote:
    Please include the PEM for the failing certificate.

    Cert:

    -----BEGIN TRUSTED CERTIFICATE-----
    [base64 body omitted]
    -----END TRUSTED CERTIFICATE-----

    Key:

    -----BEGIN RSA PRIVATE KEY-----
    [base64 body omitted]
    -----END RSA PRIVATE KEY-----

    Matt


    --
  • Jeff R. Allen at Jan 15, 2013 at 4:32 pm
    The error you are getting is "crypto/tls: failed to parse certificate PEM
    data". It comes from here:

    func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err error) {
        var certDERBlock *pem.Block
        for {
            certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
            if certDERBlock == nil {
                break
            }
            if certDERBlock.Type == "CERTIFICATE" {
                cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
            }
        }

        if len(cert.Certificate) == 0 {
            err = errors.New("crypto/tls: failed to parse certificate PEM data")
            return
        }

    because your certificate has a different PEM header than Go is expecting
    (it expects "BEGIN CERTIFICATE", yours says "BEGIN TRUSTED CERTIFICATE").

    I started looking into why your cert says that, what happens if you hack it
    to make Go look at it anyway, etc, but I'm out of time right now. Perhaps
    this reply will nudge you in the right direction anyway. :)

    -jeff

    --
  • Dave Cheney at Jan 15, 2013 at 7:37 pm
    From memory there is an alias for each combination; after sourcing the file, tab completion should give you a hint. This is from memory; I need to update it for the new platforms coming online for go-1.1.
    On 16/01/2013, at 3:31, "Jeff R. Allen" wrote:

    The error you are getting is "crypto/tls: failed to parse certificate PEM data". It comes from here:

    func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err error) {
        var certDERBlock *pem.Block
        for {
            certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
            if certDERBlock == nil {
                break
            }
            if certDERBlock.Type == "CERTIFICATE" {
                cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
            }
        }

        if len(cert.Certificate) == 0 {
            err = errors.New("crypto/tls: failed to parse certificate PEM data")
            return
        }

    because your certificate has a different PEM header than Go is expecting (it expects "BEGIN CERTIFICATE", yours says "BEGIN TRUSTED CERTIFICATE").

    I started looking into why your cert says that, what happens if you hack it to make Go look at it anyway, etc, but I'm out of time right now. Perhaps this reply will nudge you in the right direction anyway. :)

    -jeff
    --
    --
  • Dave Cheney at Jan 15, 2013 at 7:38 pm
    Sorry, please ignore, that reply was for a different thread started by Jeff.
    On 16/01/2013, at 6:37, Dave Cheney wrote:

    From memory there is an alias for each combination; after sourcing the file, tab completion should give you a hint. This is from memory; I need to update it for the new platforms coming online for go-1.1.
    On 16/01/2013, at 3:31, "Jeff R. Allen" wrote:

    The error you are getting is "crypto/tls: failed to parse certificate PEM data". It comes from here:

    func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Certificate, err error) {
        var certDERBlock *pem.Block
        for {
            certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
            if certDERBlock == nil {
                break
            }
            if certDERBlock.Type == "CERTIFICATE" {
                cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
            }
        }

        if len(cert.Certificate) == 0 {
            err = errors.New("crypto/tls: failed to parse certificate PEM data")
            return
        }

    because your certificate has a different PEM header than Go is expecting (it expects "BEGIN CERTIFICATE", yours says "BEGIN TRUSTED CERTIFICATE").

    I started looking into why your cert says that, what happens if you hack it to make Go look at it anyway, etc, but I'm out of time right now. Perhaps this reply will nudge you in the right direction anyway. :)

    -jeff
    --
    --
  • Agl at Jan 16, 2013 at 12:09 am

    On Tuesday, January 15, 2013 11:31:58 AM UTC-5, Jeff R. Allen wrote:
    because your certificate has a different PEM header than Go is expecting
    (it expects "BEGIN CERTIFICATE", yours says "BEGIN TRUSTED CERTIFICATE").

    I started looking into why your cert says that, what happens if you hack
    it to make Go look at it anyway, etc, but I'm out of time right now.
    Perhaps this reply will nudge you in the right direction anyway. :)

    BEGIN TRUSTED CERTIFICATE isn't just a different string, it's actually a
    different type of object. It's certainly not what you want for client auth.
    I think you need to pass -extfile to OpenSSL and give it explicit config to
    set the X.509 parameters as you desire. [1] isn't quite right, but it's a
    start.

    [1] http://publib.boulder.ibm.com/infocenter/tivihelp/v8r1/index.jsp?topic=%2Fcom.ibm.netcool_OMNIbus.doc%2Fprobes%2Fmicrosoft_scom%2Fmicrosoft_scom%2Fwip%2Freference%2Fmsscom_gnrt-clnt-crt.html


    Cheers

    AGL

    --
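An added example, not code from the thread or from Go's own sources, tying together Jeff's and AGL's points: a client certificate with the clientAuth EKU is built with crypto/x509 instead of openssl (the certificate contents and the function names NewClientCertPEM and HasClientAuth are constructed for illustration), and the loader check shows that tls.X509KeyPair accepts the pair when the block is labelled "CERTIFICATE" but rejects the same DER under a "TRUSTED CERTIFICATE" label, since it only collects blocks of type "CERTIFICATE".

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"time"
)
// NewClientCertPEM self-signs a cert carrying extendedKeyUsage=clientAuth with
// crypto/x509 only; pemType labels the cert block ("CERTIFICATE" or "TRUSTED CERTIFICATE").
func NewClientCertPEM(pemType string) (certPEM, keyPEM []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // constructed sample, not the certificate from the thread
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for an ed25519 key
	certPEM = pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// HasClientAuth loads the pair as a tls.Config would and reports whether the leaf has the clientAuth EKU.
func HasClientAuth(certPEM, keyPEM []byte) (bool, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // only "CERTIFICATE" blocks count
	if err != nil {
		return false, err // a lone "TRUSTED CERTIFICATE" block ends up here
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return false, err
	}
	for _, eku := range leaf.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return true, nil
		}
	}
	return false, nil
}
```

The exact error text from tls.X509KeyPair for a skipped block has changed across Go releases, so callers should test for a non-nil error rather than the 2013 wording quoted above.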
  • Mbanack at Jan 16, 2013 at 3:52 am
    Thanks for looking into this guys. I will see what kind of cert I get
    using -extfile.

    Matt
    On Tuesday, January 15, 2013 5:09:33 PM UTC-7, agl wrote:
    On Tuesday, January 15, 2013 11:31:58 AM UTC-5, Jeff R. Allen wrote:

    because your certificate has a different PEM header than Go is expecting
    (it expects "BEGIN CERTIFICATE", yours says "BEGIN TRUSTED CERTIFICATE").

    I started looking into why your cert says that, what happens if you hack
    it to make Go look at it anyway, etc, but I'm out of time right now.
    Perhaps this reply will nudge you in the right direction anyway. :)

    BEGIN TRUSTED CERTIFICATE isn't just a different string, it's actually a
    different type of object. It's certainly not what you want for client auth.
    I think you need to pass -extfile to OpenSSL and give it explicit config to
    set the X.509 parameters as you desire. [1] isn't quite right, but it's a
    start.

    [1]
    http://publib.boulder.ibm.com/infocenter/tivihelp/v8r1/index.jsp?topic=%2Fcom.ibm.netcool_OMNIbus.doc%2Fprobes%2Fmicrosoft_scom%2Fmicrosoft_scom%2Fwip%2Freference%2Fmsscom_gnrt-clnt-crt.html


    Cheers

    AGL
    --
  • Mbanack at Jan 16, 2013 at 11:39 am
    That seems to have done the trick.

    Put "extendedKeyUsage=clientAuth" (etc.) in openssl.conf, included with
    -extfile openssl.conf in the openssl invocation.

    Loading just fine now with both tls.LoadX509KeyPair and
    x509.ParseCertificate. Thanks for the help!

    Matt

    --

Discussion Overview
group: golang-nuts
categories: go
posted: Jan 14, '13 at 8:12a
active: Jan 16, '13 at 11:39a
posts: 9
users: 4
website: golang.org
