Hi, I am trying to write a Go client to connect to an HTTPS server. I am having trouble with the certificates provided from this server, with an error "x509: cannot verify signature: algorithm unimplemented". I think I've tracked this down to a legacy OID in the certificate for the signature algorithm: 1.3.14.3.2.29 for SHA1 with RSA. The Go source (at https://golang.org/src/crypto/x509/x509.go#L262) only defines SHA1 with RSA to have an OID of 1.2.840.113549.1.1.5.
This can be produced by generating a certificate using Microsoft's MakeCert tool:

    makecert.exe -pe -n "CN=mytest" -a sha1 -sky signature -r "mytest.cer"

I have some sample code at https://play.golang.org/p/1PK-AZcIj6 that shows that the parsed certificate has 0 for SignatureAlgorithm (as in not matched), where I expected "SHA1-RSA". If you look at the raw TBS data you can see that it does contain 1.3.14.3.2.29 for the algorithm.

I've found examples of other projects having this issue:
- https://codereview.chromium.org/1223763002
- https://bugzilla.mozilla.org/show_bug.cgi?id=405966

Is this something that might be allowed, or alternatively are there any possible workarounds (short of InsecureSkipVerify)? Unfortunately I do not have a lot of control over the server and the certificate it uses.

Thanks,
carl
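
A diagnostic for the situation described in the post, as an added example that is not part of the original message: it reads the outer signatureAlgorithm OID directly from a certificate's DER with encoding/asn1, so the legacy 1.3.14.3.2.29 identifier can be spotted without relying on crypto/x509's algorithm table. The helper names and the certificate-shaped sample bytes are constructed for illustration; a real certificate's DER (for example, Certificate.Raw) would be passed the same way.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// The two OIDs quoted in the post; both denote SHA-1 with RSA.
var names = map[string]string{
	"1.3.14.3.2.29":        "legacy OIW sha1WithRSA",
	"1.2.840.113549.1.1.5": "PKCS #1 sha1WithRSAEncryption",
}

// outerCert mirrors only the outer Certificate SEQUENCE of RFC 5280.
type outerCert struct {
	TBSCertificate     asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// DescribeSignatureOID (hypothetical helper) reads the outer signatureAlgorithm
// OID straight from the DER, independent of crypto/x509's algorithm table.
func DescribeSignatureOID(der []byte) (string, error) {
	var c outerCert
	if rest, err := asn1.Unmarshal(der, &c); err != nil {
		return "", err
	} else if len(rest) != 0 {
		return "", fmt.Errorf("%d trailing bytes after certificate", len(rest))
	}
	oid := c.SignatureAlgorithm.Algorithm.String()
	if name, ok := names[oid]; ok {
		return oid + " " + name, nil
	}
	return oid + " unrecognised", nil
}

// constructedSample builds certificate-shaped DER (constructed, not a real cert).
func constructedSample(arcs ...int) []byte {
	tbs, _ := asn1.Marshal(struct{ Serial int }{1})
	alg := pkix.AlgorithmIdentifier{Algorithm: arcs, Parameters: asn1.NullRawValue}
	sig := asn1.BitString{Bytes: []byte{0}, BitLength: 8}
	der, _ := asn1.Marshal(outerCert{asn1.RawValue{FullBytes: tbs}, alg, sig})
	return der
}

func main() {
	fmt.Println(DescribeSignatureOID(constructedSample(1, 3, 14, 3, 2, 29)))
}
```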