On Tuesday, August 9, 2016 at 6:19:09 PM UTC-7, carl...@gmail.com wrote:
>
> I am trying to write a Go client to connect to an HTTPS server. I am 
> having trouble with the certificates provided from this server, with an 
> error "x509: cannot verify signature: algorithm unimplemented". I think 
> I've tracked this down to a legacy OID in the certificate for the signature 
> algorithm: 1.3.14.3.2.29 for SHA1 with RSA. The Go source (at 
> https://golang.org/src/crypto/x509/x509.go#L262) only defines SHA1 with 
> RSA to have an OID of 1.2.840.113549.1.1.5.
>
> This can be produced by generating a certificate using Microsoft's 
> MakeCert tool:
>
> makecert.exe -pe -n "CN=mytest" -a sha1 -sky signature -r "mytest.cer"
>
> I have some sample code at https://play.golang.org/p/1PK-AZcIj6 that 
> shows that the parsed certificate has 0 for SignatureAlgorithm (as in not 
> matched), where I expected "SHA1-RSA". If you look at the raw TBS data you 
> can see that it does contain 1.3.14.3.2.29 for the algorithm.
>
> I've found examples of other projects having this issue:
> - https://codereview.chromium.org/1223763002
> - https://bugzilla.mozilla.org/show_bug.cgi?id=405966
>
> Is this something that might be allowed, or alternatively are there any 
> possible workarounds (short of InsecureSkipVerify)? Unfortunately I do not 
> have a lot of control over the server and the certificate it uses.
>

I hope to fix this during the 1.8 cycle.


Cheers

AGL 
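
Added example, not part of the original thread and not Go project code: a diagnostic that reads the outer signatureAlgorithm OID straight from the DER with encoding/asn1, so it still works when crypto/x509 leaves SignatureAlgorithm unmatched. The names outerCert, SignatureOID and Classify are hypothetical, and the sampleLegacy bytes are a constructed input, not a real certificate.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var (
	// The two SHA1-with-RSA OIDs named in the thread.
	oidLegacySHA1RSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
	oidPKCS1SHA1RSA  = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
	// Constructed sample: empty TBS, legacy OID with NULL params, 1-byte signature.
	sampleLegacy = []byte{0x30, 0x11, 0x30, 0x00, 0x30, 0x09, 0x06, 0x05,
		0x2b, 0x0e, 0x03, 0x02, 0x1d, 0x05, 0x00, 0x03, 0x02, 0x00, 0x00}
)

// outerCert (hypothetical name) mirrors only the outer X.509 SEQUENCE.
type outerCert struct {
	TBS                asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          asn1.BitString
}

// SignatureOID returns the outer signatureAlgorithm OID of a DER certificate.
func SignatureOID(der []byte) (asn1.ObjectIdentifier, error) {
	var c outerCert
	if rest, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	} else if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after certificate", len(rest))
	}
	return c.SignatureAlgorithm.Algorithm, nil
}

// Classify reports which of the two SHA1-RSA OIDs, if either, is present.
func Classify(oid asn1.ObjectIdentifier) string {
	switch {
	case oid.Equal(oidLegacySHA1RSA):
		return "legacy SHA1-RSA OID"
	case oid.Equal(oidPKCS1SHA1RSA):
		return "PKCS#1 SHA1-RSA OID"
	}
	return "other: " + oid.String()
}

func main() {
	fmt.Println(SignatureOID(sampleLegacy))
}
```

For a real server certificate, pass the Raw field of the leaf from the TLS connection state, or the bytes of a decoded PEM block, to SignatureOID.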
