golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

crypto/x509: CertificateRequest does not support attributes not covered by pkix.AttributeTypeAndValueSET #15995

Open groob opened 8 years ago

groob commented 8 years ago

Prior to Go 1.5 it was not possible to parse CSRs which included single attributes like challenge password (OID 1.2.840.113549.1.9.7). See https://github.com/cloudflare/cfssl/issues/115

This issue was addressed in CL #8160 https://github.com/cloudflare/go/commit/23fca3da84e991bf8b85e1919b65a4ac390814fa by ignoring those attributes.

Currently there is no good way to parse and marshal a CSR with attributes that don't fit in the structure defined by pkix.AttributeTypeAndValueSET. Challenge Password is a necessary attribute when implementing the SCEP protocol, which is widely used in IoT and Mobile Device Management environments like the Apple MDM spec. To extract or add a challenge password attribute, the CSR has to be unmarshalled and modified separately from crypto/x509. Here's an example workaround which reimplements parsing and marshaling the CertificateRequest type.

The crypto/x509 library should have a method for handling special attributes in the CSR. As CL #8160 mentions in the review comments, one possible solution is to add a RawAttributes field to the CertificateRequest struct.
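
The workaround described above (unmarshal the CSR separately from crypto/x509, read or add the challengePassword attribute, re-sign), as an added example that is not part of this issue, not the linked workaround, and not Go's own code. It mirrors the RFC 2986 CertificationRequest structure with encoding/asn1 while keeping every attribute as raw DER, so the PKCS#9 challengePassword (a SET containing one DirectoryString, which pkix.AttributeTypeAndValueSET cannot represent) can be extracted and appended. It assumes an ECDSA P-256 key and ecdsa-with-SHA256 for the re-signature (Go 1.15+ for ecdsa.SignASN1); the subject name and password are constructed sample inputs. It also shows that x509.ParseCertificateRequest still parses the result but silently drops the attribute.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// PKCS#9 challengePassword (RFC 2985) and ecdsa-with-SHA256 (RFC 5758).
var (
	oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
	oidECDSAWithSHA256   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
)

// tbsCSR mirrors CertificationRequestInfo (RFC 2986, 4.1) but keeps each
// attribute as raw DER, so value shapes crypto/x509 does not model survive.
type tbsCSR struct {
	Raw        asn1.RawContent
	Version    int
	Subject    asn1.RawValue
	PublicKey  asn1.RawValue
	Attributes []asn1.RawValue `asn1:"tag:0"` // [0] IMPLICIT SET OF Attribute
}

// rawCSR mirrors CertificationRequest (RFC 2986, 4.2).
type rawCSR struct {
	Raw                asn1.RawContent
	TBS                tbsCSR
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// attribute is PKCS#9 Attribute: an OID plus a SET OF values of any ASN.1 type.
type attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}

// ExtractChallengePassword returns the challengePassword of a DER CSR, with ok=false
// when none is present. It does not check the CSR signature; do that separately with
// x509.ParseCertificateRequest and CheckSignature before trusting the password.
func ExtractChallengePassword(der []byte) (pw string, ok bool, err error) {
	var csr rawCSR
	rest, err := asn1.Unmarshal(der, &csr)
	if err != nil {
		return "", false, err
	}
	if len(rest) != 0 {
		return "", false, errors.New("trailing data after CSR")
	}
	for _, raw := range csr.TBS.Attributes {
		var attr attribute
		if _, err := asn1.Unmarshal(raw.FullBytes, &attr); err != nil {
			return "", false, err
		}
		if !attr.Type.Equal(oidChallengePassword) {
			continue
		}
		if len(attr.Values) != 1 { // RFC 2985: exactly one DirectoryString
			return "", false, errors.New("challengePassword must carry exactly one value")
		}
		if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &pw); err != nil {
			return "", false, err
		}
		return pw, true, nil
	}
	return "", false, nil
}

// AddChallengePassword appends a challengePassword attribute to a DER CSR and
// re-signs the CertificationRequestInfo with key (assumed ECDSA; SHA-256 digest).
func AddChallengePassword(der []byte, key *ecdsa.PrivateKey, pw string) ([]byte, error) {
	var csr rawCSR
	if _, err := asn1.Unmarshal(der, &csr); err != nil {
		return nil, err
	}
	value, err := asn1.MarshalWithParams(pw, "utf8") // DirectoryString as UTF8String
	if err != nil {
		return nil, err
	}
	attrDER, err := asn1.Marshal(attribute{Type: oidChallengePassword, Values: []asn1.RawValue{{FullBytes: value}}})
	if err != nil {
		return nil, err
	}
	tbs := csr.TBS
	tbs.Raw = nil // force asn1.Marshal to re-encode the fields rather than copy the old bytes
	tbs.Attributes = append(tbs.Attributes, asn1.RawValue{FullBytes: attrDER})
	tbsDER, err := asn1.Marshal(tbs)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tbsDER)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	tbs.Raw = tbsDER // emit exactly the bytes that were signed
	return asn1.Marshal(rawCSR{
		TBS:                tbs,
		SignatureAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidECDSAWithSHA256},
		SignatureValue:     asn1.BitString{Bytes: sig, BitLength: len(sig) * 8},
	})
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "device-0001"}}, key)
	withPW, err := AddChallengePassword(der, key, "correct horse battery staple") // constructed sample secret
	if err != nil {
		panic(err)
	}
	pw, ok, _ := ExtractChallengePassword(withPW)
	parsed, _ := x509.ParseCertificateRequest(withPW) // parses fine, but the attribute is dropped
	fmt.Printf("challengePassword=%q found=%v signature_ok=%v x509_attrs=%d\n", pw, ok, parsed.CheckSignature() == nil, len(parsed.Attributes))
}
```

Two caveats when adapting this: the attributes field is a DER SET OF, so if the input CSR already carries attributes (for example an extensionRequest) the appended list must be sorted by encoding to stay canonical, and a SCEP server should only act on the extracted password after CheckSignature succeeds, since the raw parser above deliberately verifies nothing.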

ianlancetaylor commented 8 years ago

CC @agl

mobe1 commented 6 months ago

Hi,

Do we have any update on this? We'd like to follow the standard in Go, whether it's SCEP or EST.