zakjan/cert-chain-resolver

Support PKCS #7 certificates

marcelomd opened this issue · 4 comments

Hi,

We're having an issue using cert-chain-resolver with a Let's Encrypt certificate.

mallmann:cert-chain-resolver> ./cert-chain-resolver cert.crt
Invalid certificate.
mallmann:cert-chain-resolver>

Looking into it, it appears that this certificate points to two parents: http://cert.int-x3.letsencrypt.org/ and http://apps.identrust.com/roots/dstrootcax3.p7c.

The error happens when we try to parse the second one.

In the file ./src/github.com/zakjan/cert-chain-resolver/certUtil/io.go, inside func DecodeCertificate, the call to x509.ParseCertificate(data) returns the following error:

asn1: structure error: tags don't match (16 vs {class:0 tag:6 length:9 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2

Looks like the certificate from identrust is in DER form. What is the best way to handle this?

If there is anything we can do, we'll be glad to develop and post a PR. We just need a few pointers =)

Thanks!

Hi,

Thanks for reporting this issue! Note the line if IsPEM(data) {, the DER format is already supported. This certificate is in another PKCS #7 format.

I guess we can use this library: https://godoc.org/github.com/fullsailor/pkcs7

I will be happy to accept a PR :)

Right.

PEM vs DER: I'm a n00b. Now I get the differences between formats and encodings =)

I made a quick fix for our use here. In case of parsing error we retry using fullsailor's pkcs7. Works nicely, but I'm not sure it's the best approach. I'll submit the PR and we can discuss there, ok?

Ok :) I'll keep this issue open.

Merged in #15
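The format distinction this thread arrives at, as an added example (not code from cert-chain-resolver or fullsailor/pkcs7): it uses Go's standard encoding/asn1 in place of the pkcs7 library, and it checks the outer structure first instead of retrying after a parse error. The names DecodeDER, contentInfo, signedData and sample are assumptions, and the input is a constructed certs-only bundle built around a throwaway certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
)

var oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}

type signedData struct {
	Version           int
	DigestAlgs, Inner asn1.RawValue
	Certificates      asn1.RawValue `asn1:"optional,tag:0"` // crls and signerInfos follow and are ignored
}

// contentInfo starts with an OID: the "tag:6 length:9" in the error above.
type contentInfo struct {
	Type    asn1.ObjectIdentifier
	Content signedData `asn1:"explicit,tag:0"`
}

// DecodeDER (hypothetical name) unwraps a PKCS #7 bundle if it sees one, then parses X.509.
func DecodeDER(der []byte) ([]*x509.Certificate, error) {
	var p7 contentInfo
	if _, err := asn1.Unmarshal(der, &p7); err == nil && p7.Type.Equal(oidSignedData) {
		der = p7.Content.Certificates.Bytes // concatenated DER certificates
	}
	return x509.ParseCertificates(der)
}

// sample: constructed certs-only bundle holding one throwaway cert twice.
func sample() []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"constructed.example"}}
	cert, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, key.Public(), key)
	set := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: append(cert, cert...)}
	algs, inner := asn1.RawValue{FullBytes: []byte{0x31, 0}}, asn1.RawValue{FullBytes: []byte{0x30, 0}}
	p7c, _ := asn1.Marshal(contentInfo{oidSignedData, signedData{1, algs, inner, set}})
	return p7c
}

func main() {
	certs, err := DecodeDER(sample())
	fmt.Println(len(certs), err)
}
```

encoding/asn1 accepts DER only, so a bundle written in BER with indefinite lengths is not unwrapped here and is then rejected by x509.ParseCertificates. A bundle with no certificate set returns an empty list without an error, which a caller building a chain should treat as a failure.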