Sorry to revive this ancient discussion. 

We've come across 
https://forum.golangbridge.org/t/x509-certificate-parse-error-with-iot-device/27622/2
where an IoT device from a large vendor uses BER for its TLS certificate. 
It's unlikely that the vendor will fix the certificate any time soon. 
We've not found an approach for communicating with the device so far, unless 
using a patched Go stdlib.

Are there any options we could use to accept a BER-encoded ASN.1 
certificate for TLS connections?

Thanks!

On Thursday, July 2, 2015 at 1:28:26 AM UTC+2 matt....@gmail.com wrote:

> Just to be clear, SNMP (and LDAP) uses BER, not DER. It's not sloppy or 
> non-compliant that the data you're getting isn't DER. DER is used for more 
> specific purposes than BER. I would support a more extensive version of the 
> asn1 package being created; I might help out with the development. 
> Eventually the new version could be included in the standard library if the 
> language maintainers find it compelling enough.
>
> On Wed, Jul 1, 2015 at 9:43 AM 'Paul Borman' via golang-nuts <
> golan...@googlegroups.com> wrote:
>
>> It seems there is a strong feeling the ability to enforce DER is 
>> required.  Fair enough.  That does not mean it cannot accept BER, only that 
>> the current API will only accept DER.  The package would benefit from having a 
>> mechanism to select between BER and strict DER enforcement.  The package is 
>> not named der, after all.  The documentation, at a minimum, could probably 
>> be improved.
>>
>> Craig, if you want this in, maybe file an issue to flesh out the asn1 
>> package.
>>
>> Hopefully fleshing out this package, while retaining all existing 
>> semantics, would be acceptable.   My personal feeling is that general use 
>> packages should be as complete as reasonably possible, not just sufficient 
>> for the initial motivation/use case.  That view comes from the experience 
>> of having been an OS developer for 25 years (BSDi and Cray).
>>
>>     -Paul
>>
>> *expedient* |ikˈspēdēənt|
>> *adjective*
>> Doing something to save time today that you will regret tomorrow.
>>
>> On Tue, Jun 30, 2015 at 1:57 PM, Craig Peterson <peterso...@gmail.com> 
>> wrote:
>>
>>> I can appreciate that reasoning, even if the outcome is not sufficient 
>>> for my needs. None of the packages I have found for ber are maintained or 
>>> of very high quality. I will likely fork encoding/asn1 and apply the 
>>> changes I need.
>>>
>>> On Tuesday, June 30, 2015 at 2:54:33 PM UTC-6, Matt Harden wrote:
>>>>
>>>> "Package asn1 implements parsing of DER-encoded ASN.1 data structures, 
>>>> as defined in ITU-T Rec X.690."
>>>>
>>>> It's only present in the standard library to support TLS. In the case 
>>>> of TLS it is often *less secure* to be liberal in what you receive. DER is 
>>>> designed to have one and only one way to represent data. Validation of 
>>>> conformance to DER is important while parsing this data.
>>>>
>>>> The package is not intended for SNMP or LDAP or other purposes. Other 
>>>> packages exist outside the standard library to parse BER.
>>>>
>>>> On Tue, Jun 30, 2015 at 2:01 PM Craig Peterson <peterso...@gmail.com> 
>>>> wrote:
>>>>
>>>>> I agree completely. I made a CR to modify the package, but it wasn't 
>>>>> received well: https://go-review.googlesource.com/#/c/11734/
>>>>>
>>>>>
>>>>> On Tuesday, June 30, 2015 at 11:34:49 AM UTC-6, Paul Borman wrote:
>>>>>
>>>>>> It is probably better, if you have only one, to accept BER and 
>>>>>> produce DER.  That is pretty much the standard networking mantra.  Be 
>>>>>> liberal in what you receive and conservative in what you send.
>>>>>>
>>>>>>    -Paul
>>>>>>
>>>>>> On Tue, Jun 30, 2015 at 10:17 AM, Matt Harden <matt....@gmail.com> 
>>>>>> wrote:
>>>>>>
>>>>>>> If the data you're decoding is not canonical, then it's not DER. It's 
>>>>>>> probably BER. DER is a strict subset of BER, and by definition there is 
>>>>>>> only one way to represent a particular value in DER, which is the whole 
>>>>>>> point. Unfortunately the asn1 package does not include a BER decoder.
>>>>>>>
>>>>>>> See http://go-search.org/search?q=ber
>>>>>>>
>>>>>>> On Tue, Jun 30, 2015 at 11:25 AM <peterso...@gmail.com> wrote:
>>>>>>>
>>>>>>>> I am having an issue where a network device I am communicating with 
>>>>>>>> is returning asn1 that the encoding/asn1 package refuses to parse.
>>>>>>>>
>>>>>>>> The byte stream I am reading is 0x30 (sequence) 82 (2 bytes for 
>>>>>>>> length to follow) 00 12 (length of 18). The asn1 package has a check at 
>>>>>>>> https://github.com/golang/go/blob/master/src/encoding/asn1/asn1.go#L472
>>>>>>>> that does not like the zero byte at the beginning of the length, 
>>>>>>>> citing the DER spec as the reason why.
>>>>>>>>
>>>>>>>> Yes, the length here could be expressed as two, or even one byte, 
>>>>>>>> but it seems there are multiple implementations in the wild that do not 
>>>>>>>> honor the spec in this regard. It would make sense to me to relax the 
>>>>>>>> restriction a bit in encoding/asn1 and only check for length of zero after 
>>>>>>>> all numBytes length bytes have been processed. 
>>>>>>>>
>>>>>>>> Is this something that can be changed? Should I file an issue? I'm 
>>>>>>>> not sure how to go about this kind of thing.
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>>> Groups "golang-nuts" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>>> send an email to golang-nuts...@googlegroups.com.
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>>
>>>
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/816244ea-1c98-4dc3-9af4-6bb902327c07n%40googlegroups.com.

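The length-encoding disagreement that started this thread (the `30 82 00 12` sequence header that BER permits and DER forbids), and Paul's suggestion to accept BER but produce DER, are both easy to see in a few lines of Go. The following is an added example, not code from the thread and not part of Go's encoding/asn1: `parseLength`, `encodeLength`, `toDER` and `derTLV` are names chosen here, and the sample bytes are constructed to reproduce the header quoted in the post (the 18 content bytes are made up). It handles only single-byte tags and definite lengths, which is all the example needs.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample modelled on the thread: a SEQUENCE whose length is written
// as "82 00 12" (18) with a redundant leading zero byte. Inside it, the OCTET
// STRING also uses a long-form length ("81 0c") where the short form would do.
// Both are legal BER; neither is DER.
var sampleBER = func() []byte {
	b := []byte{0x30, 0x82, 0x00, 0x12} // SEQUENCE, non-minimal long-form length 18
	b = append(b, 0x02, 0x01, 0x01)      // INTEGER 1
	b = append(b, 0x04, 0x81, 0x0c)      // OCTET STRING, non-minimal length 12
	return append(b, "hello, world"...)
}()

// The same value in canonical DER (what a strict parser expects).
var sampleDER = append([]byte{0x30, 0x11, 0x02, 0x01, 0x01, 0x04, 0x0c}, "hello, world"...)

var (
	errNotMinimal = errors.New("asn1: length not minimally encoded (DER violation)")
	errTruncated  = errors.New("asn1: truncated or oversized length")
	errIndefinite = errors.New("asn1: indefinite length not supported")
)

// parseLength decodes an X.690 length starting at b[off]. It returns the
// content length, the offset of the first content byte, and whether the
// encoding was DER-minimal. With strict=true it rejects non-minimal forms,
// which is the behaviour the thread describes for encoding/asn1.
func parseLength(b []byte, off int, strict bool) (length, next int, minimal bool, err error) {
	if off >= len(b) {
		return 0, 0, false, errTruncated
	}
	first := b[off]
	off++
	if first&0x80 == 0 { // short form: 0..127, always minimal
		return int(first), off, true, nil
	}
	numBytes := int(first & 0x7f)
	if numBytes == 0 {
		return 0, 0, false, errIndefinite
	}
	if numBytes > 3 || off+numBytes > len(b) { // >16 MiB is out of scope here
		return 0, 0, false, errTruncated
	}
	minimal = b[off] != 0 // a leading zero byte is what the post's check objects to
	for i := 0; i < numBytes; i++ {
		length = length<<8 | int(b[off+i])
	}
	off += numBytes
	if length < 0x80 { // long form used where the short form would have done
		minimal = false
	}
	if strict && !minimal {
		return 0, 0, false, errNotMinimal
	}
	return length, off, minimal, nil
}

// encodeLength emits the unique DER encoding of a length.
func encodeLength(n int) []byte {
	if n < 0x80 {
		return []byte{byte(n)}
	}
	var tmp []byte
	for v := n; v > 0; v >>= 8 {
		tmp = append([]byte{byte(v)}, tmp...)
	}
	return append([]byte{0x80 | byte(len(tmp))}, tmp...)
}

// toDER accepts one BER TLV (lenient on lengths) and returns it with every
// length re-encoded minimally, recursing into constructed values.
func toDER(b []byte) ([]byte, error) {
	out, rest, err := derTLV(b)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("asn1: trailing data after value")
	}
	return out, nil
}

func derTLV(b []byte) (out, rest []byte, err error) {
	if len(b) == 0 {
		return nil, nil, errTruncated
	}
	tag := b[0]
	if tag&0x1f == 0x1f {
		return nil, nil, errors.New("asn1: high tag numbers not handled in this example")
	}
	length, start, _, err := parseLength(b, 1, false) // lenient: accept BER
	if err != nil {
		return nil, nil, err
	}
	if start+length > len(b) {
		return nil, nil, errTruncated
	}
	content := b[start : start+length]
	rest = b[start+length:]
	if tag&0x20 != 0 { // constructed: normalise the children as well
		var kids []byte
		for len(content) > 0 {
			var child []byte
			child, content, err = derTLV(content)
			if err != nil {
				return nil, nil, err
			}
			kids = append(kids, child...)
		}
		content = kids
	}
	out = append([]byte{tag}, encodeLength(len(content))...)
	out = append(out, content...)
	return out, rest, nil
}

func main() {
	if _, _, _, err := parseLength(sampleBER, 1, true); err != nil {
		fmt.Println("strict (DER) parse:", err)
	}
	der, err := toDER(sampleBER)
	if err != nil {
		fmt.Println("toDER:", err)
		return
	}
	fmt.Printf("BER in:  %s\nDER out: %s\n", hex.EncodeToString(sampleBER), hex.EncodeToString(der))
}
```

Two things worth keeping in mind when choosing between the strict and lenient paths. The strict check is the one you want on anything whose bytes are signed: canonicalising a certificate changes the bytes, so if the issuer signed a non-DER encoding, the re-encoded copy will not verify, which is why encoding/asn1 refuses rather than repairs. Lenient parsing followed by `toDER` is appropriate for protocols such as SNMP and LDAP, where BER is the wire format and nothing is signed over the raw encoding.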