Golang X509 证书如何编组目标信息扩展

Question

I want to add to X509 certificate id-ce-targetingInformation extension with several strings identifying cert targets. This strings represents targets IDs. I've found OID of extension {2, 5, 29, 55} According to spec it have format below:

    targetingInformation EXTENSION ::= {
SYNTAX SEQUENCE SIZE (1..MAX) OF Targets
IDENTIFIED BY id-ce-targetingInformation }
Targets ::= SEQUENCE SIZE (1..MAX) OF Target
Target ::= CHOICE {
targetName [0] GeneralName,
targetGroup [1] GeneralName,
targetCert [2] TargetCert,
}

I add extension in such way

targets := []string{"targetID1", "targetID2"}
asn1Bytes, err := asn1.Marshal(targets)
extraExtensions:=[]pkix.Extension{
            pkix.Extension{
                Id:       asn1.ObjectIdentifier{2, 5, 29, 55},
                Critical: true,
                Value:    asn1Bytes,
            },
        }

But I feel that Value field should be marshaled in another way. How properly (according to spec) generate value field of extension?

Answer 1

I don't see a lot of documentation about this. But this should help.

    oidExtensionExtendedKeyUsage      := []int{2, 5, 29, 37}
    oidExtKeyUsageClientAuth                    := asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
    usages := []asn1.ObjectIdentifier{oidExtKeyUsageClientAuth}
    marshalledUsages, err := asn1.Marshal(usages)
    if err != nil {
        fmt.Printf("%v", err)
        return
    }
    template := x509.CertificateRequest{
        Subject:            subj,
        Version:            3,
        SignatureAlgorithm: x509.SHA256WithRSA,
        ExtraExtensions: []pkix.Extension{
            {
                Id: oidExtensionExtendedKeyUsage,
                Critical: false,
                Value:  marshalledUsages,
            },
        },
        IPAddresses: []net.IP {
            net.IPv4(8,8,8,8),
        },
    }

    csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, keyBytes)
    pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})

The output

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, L=MyCity1, O=Company Ltd, OU=IT, CN=example.com/emailAddress=test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e5:12:aa:05:91:bf:3a:cf:84:33:f1:88:65:85:
                    09:32:b7:8c:ef:47:1e:71:c7:12:2e:d8:02:62:39:
                    01:b7:90:db:66:fd:12:22:55:32:26:fc:4f:a2:e0:
                    10:70:ec:46:51:62:aa:2c:e5:a7:87:61:94:3d:5a:
                    5b:cc:08:b8:0c:c1:ab:98:d9:9b:91:f0:ba:b9:65:
                    57:49:58:8b:25:77:71:3b:5a:53:4e:0f:0e:4a:bc:
                    77:71:6f:82:20:ee:19:25:7a:31:b3:91:aa:32:c7:
                    b8:78:cd:95:8b:d0:0e:32:9e:89:a1:8d:6c:d9:2e:
                    8a:ed:12:d4:c3:2b:25:0b:73
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:8.8.8.8
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         81:0d:48:4c:e1:d1:59:27:76:53:46:18:93:11:c7:e1:27:0b:
         65:83:72:f5:f4:b6:e0:05:13:6a:80:08:4e:aa:cf:2b:57:69:
         85:73:c6:3f:d5:2a:47:06:16:2d:23:2b:64:2f:b5:7f:87:15:
         9b:23:3a:79:5a:38:98:97:49:a8:38:82:ab:57:e6:69:f0:c8:
         09:49:a0:2e:7a:f6:d7:21:6c:9c:20:f9:8d:88:8e:5c:30:62:
         9b:1b:a2:33:eb:a9:01:a7:de:b0:f0:1d:1a:cb:6b:99:93:4b:
         dd:31:66:61:87:aa:07:4a:88:fa:f3:04:36:33:ec:0e:1c:7a:
         41:99