On Tuesday, August 9, 2016 at 6:19:09 PM UTC-7, carl...@gmail.com wrote: > > I am trying to write a Go client to connect to an HTTPS server. I am > having trouble with the certificates provided from this server, with an > error "x509: cannot verify signature: algorithm unimplemented". I think > I've tracked this down to a legacy OID in the certificate for the signature > algorithm: 1.3.14.3.2.29 for SHA1 with RSA. The Go source (at > https://golang.org/src/crypto/x509/x509.go#L262) only defines SHA1 with > RSA to have an OID of 1.2.840.113549.1.1.5. > > This can be produced by generating a certificate using Microsoft's > MakeCert tool: > > makecert.exe -pe -n "CN=mytest" -a sha1 -sky signature -r "mytest.cer" > > I have some sample code at https://play.golang.org/p/1PK-AZcIj6 that > shows that the parsed certificate has 0 for SignatureAlgorithm (as in not > matched), where I expected "SHA1-RSA". If you look at the raw TBS data you > can see that it does contain 1.3.14.3.2.29 for the algorithm. > > I've found examples of other projects having this issue: > -https://codereview.chromium.org/1223763002 > -https://bugzilla.mozilla.org/show_bug.cgi?id=405966 > > Is this something that might be allowed, or alternatively are there any > possible workarounds (short of InsecureSkipVerify)? Unfortunately I do not > have a lot of control over the server and the certificate it uses. >
I hope to fix this during the 1.8 cycle. Cheers AGL -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.