Develop Reference

Problem providing ExtendedKeyUsage information to CSR during generation in golang

I've stumbled upon a strange problem.
I'm writing a small golang tool, which generates a CSR based on some user-provided input. I'm mostly successful at achieving my goal, but have a problem with ExtendedKeyUsage. Simply put it does not work.
A bit of code with asn1 marshalling of x509 fields:
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
var OidExtensionKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
var OidExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
asn1KeyUsageDigSig, err := asn1.Marshal(asn1.BitString{
Bytes: []byte{byte(x509.KeyUsageDigitalSignature)},
BitLength: 8,
})
asn1KeyUsageDatEnc, err := asn1.Marshal(asn1.BitString{
Bytes: []byte{byte(x509.KeyUsageDataEncipherment)},
BitLength: 8,
})
asn1KeyUsageCAuth, err := asn1.Marshal(asn1.BitString{
Bytes: []byte{byte(x509.ExtKeyUsageClientAuth)},
BitLength: 8,
})
if err != nil {
Error.Fatalf("Can't serialize Extended Key Usage %s", err)
}
Then I create a template and successful at generating and saving a CSR, well almost:
template := x509.CertificateRequest{
RawSubject: asn1Subj,
EmailAddresses: []string{emailAddress},
SignatureAlgorithm: _sigAlg,
ExtraExtensions: []pkix.Extension{
{
Id: OidExtensionExtendedKeyUsage,
Value: asn1KeyUsageCAuth,
},
{
Id: OidExtensionKeyUsage,
Critical: true,
Value: asn1KeyUsageDatEnc,
},
{
Id: OidExtensionKeyUsage,
Critical: true,
Value: asn1KeyUsageDigSig,
},
},
}
csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, privateKey)
And here is an openssl req -in MY_OUTPUT.csr -text -noout
******
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
email:someone#somewhere.com
X509v3 Extended Key Usage:
....
X509v3 Key Usage: critical
Key Agreement
X509v3 Key Usage: critical
Encipher Only
Signature Algorithm: ecdsa-with-SHA256
******
My ExtendedKeyUsage is empty, while it should be ClientAuthentication. What am I doing wrong?
I'm expecting to see:
X509v3 Extended Key Usage: ClientAuthentication
I'm seeing empty field. I tried using different set of bytes from another oid, but still nothing. It is as if ExtendedKeyUsage field doesn't allow anything to be written (while it should)
If it is imported:
go ver: go1.19.3 darwin/amd64

I think the problem is when you print the data. The key/value is actually present in the data.
From the code:
var OidExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
asn1KeyUsageCAuth, err := asn1.Marshal(asn1.BitString{
Bytes: []byte{byte(x509.ExtKeyUsageClientAuth)},
BitLength: 8,
})
ExtraExtensions: []pkix.Extension{
{
Id: OidExtensionExtendedKeyUsage,
//Critical: true,
Value: asn1KeyUsageCAuth,
//Value: {2, 5, 29, 15},
},
OidExtensionExtendedKeyUsage is ASN.1 OID 2.5.29.37 and will be '55 1D 25' when encoded with a DER encoder
You can encode it online to see what binary it will produce (e.g. https://misc.daniel-marschall.de/asn.1/oid-converter/online.php)
asn1KeyUsageCAuth value is 2 (constant defined in x509.go) and will be '00 02' when encoded as ASN.1 BIT STRING with a DER encoder (first 00 is the number of padding bits (none), 02 is the value 2)
Now take the Base64 value of your Certificate Request and decode it with an ASN.1 DER Decoder (for example: https://asn1.io/asn1playground)
MIIBtzCCAV0CAQAwgZwxCzAJBgNVBAYTAkFVMQ8wDQYDVQQIEwZTeWRuZXkxDzAN
BgNVBAcTBlN5ZG5leTETMBEGA1UEChMKc210aENsaWVudDELMAkGA1UECxMCSVQx
JTAjBgNVBAMTHHNtdGgtQ2xpZW50LVk4cDg1bk1pSVNzMGlIZ0ExIjAgBgkqhkiG
9w0BCQEME3NtdGhjbGllbnRAc210aC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAAR4rIgUOxSyXdaML9F9e2gRjuMUK8Q0jiloTb2kAdmbz1RoCEdsZUUxKQcr
0Vud2aW3VIDph1ar4hkqWkM43hxqoF4wXAYJKoZIhvcNAQkOMU8wTTAeBgNVHREE
FzAVgRNzbXRoY2xpZW50QHNtdGguY29tMAsGA1UdJQQEAwIAAjAOBgNVHQ8BAf8E
BAMCAAgwDgYDVR0PAQH/BAQDAgABMAoGCCqGSM49BAMCA0gAMEUCIQDTBj+0Atjy
F1GY8AM2Mv7/X3tsEbmMVdszKw8l6rVsEQIgMiH8CO9nkP0aXdMgp9x4kVjJZK9X
rW3ROydT89D73OA=
Try the full power of OSS' ASN-1Step by downloading a free trial
OSS Nokalva TLV Print Utility Version 8.6.1
Copyright (C) 1997-2022 OSS Nokalva, Inc. All rights reserved.
30 8201B7(439)
30 82015D(349)
02 01 00
30 819C(156)
31 0B
30 09
06 03 550406
13 02 4155
31 0F
30 0D
06 03 550408
13 06 5379646E6579
31 0F
30 0D
06 03 550407
13 06 5379646E6579
31 13
30 11
06 03 55040A
13 0A 736D7468436C69656E74
31 0B
30 09
06 03 55040B
13 02 4954
31 25
30 23
06 03 550403
13 1C 736D74682D436C69656E742D59387038356E4D694953733069486741
31 22
30 20
06 09 2A864886F70D010901
0C 13 736D7468636C69656E7440736D74682E636F6D
30 59
30 13
06 07 2A8648CE3D0201
06 08 2A8648CE3D030107
03 42 000478AC88143B14B25DD68C2FD17D7B68118EE3142BC4348E29684DBDA401D9...
A0 5E
30 5C
06 09 2A864886F70D01090E
31 4F
30 4D
30 1E
06 03 551D11
04 17 30158113736D7468636C69656E7440736D74682E636F6D
30 0B -- HERE IT IS!
06 03 551D25
04 04 03020002
30 0E
06 03 551D0F
01 01 FF
04 04 03020008
30 0E
06 03 551D0F
01 01 FF
04 04 03020001
30 0A
06 08 2A8648CE3D040302
03 48 003045022100D3063FB402D8F2175198F0033632FEFF5F7B6C11B98C55DB332B0F25...
Results
To get more details, please provide/compile a schema for your data.
Scroll down the output above until you find HERE IT IS!
Your key/value is:
30 0B -- a SEQUENCE of 11 bytes
06 03 551D25 -- an item of 3 bytes (551D25 ... OidExtensionExtendedKeyUsage)
04 04 03020002 -- an item of 4 bytes (03 02 0002 ... an item of 2 bytes 0002 ... asn1KeyUsageCAuth)
I would have loved to decode the CSR againt the ASN.1 specification ... but I could not find it :(

Why Encode a string in Base64 (based on the Microsoft Crypto API) using PowerBuilder produce a result differ than Convert.ToBase64String() in .Net?

I have a text contains a hexadecimal bytes as follows:
01 1b 42 61 6b 68 73 68 5f 48 6f 73 70 69 74 61 6c 5f 41 6c 2d 53 68 61 72 61 66 69 61 02 0f 33 30 30 31 37 34 37 36 39 35 31 30 30 30 33 03 10 30 32 2f 30 31 2f 31 37 5f 30 35 3a 31 32 5f 50 04 05 31 34 2e 30 30 05 01 30
, when I am encrypting it to BASE64 using the of_encode64() function in powerbuilder winsock user object, I got the below result:
MDExQjQyNjE2QjY4NzM2ODVGNDg2RjczNzA2OTc0NjE2QzVGNDE2QzJENTM2ODYx
NzI2MTY2Njk2MTAyMEYzMzMwMzAzMTM3MzQzNzM2MzkzNTMxMzAzMDMwMzMwMzEw
MzAzMjJGMzAzMTJGMzEzNzVGMzAzNTNBMzEzMjVGNTAwNDA1MzEzNDJFMzAzMDA1
MDEzMA==
, but when my friend encodes it using the Convert.ToBase64String() in Dot Net, he got a totally different result as below:
ARtCYWtoc2hfSG9zcGl0YWxfQWwtU2hhcmFmaWECDzMwMDE3NDc2OTUxMDAwMwMQMDIvMDEvMTdfMDU6MTJfUAQFMTQuMDAFATA=
, I played with all possible parameters: CRYPT_STRING_BASE64HEADER, CRYPT_STRING_BASE64REQUESTHEADER, CRYPT_STRING_BASE64X509CRLHEADER but not help!
The of_encode64() function code as below:
[local function declaration]
Function boolean CryptBinaryToString ( &
Blob pbBinary, &
ulong cbBinary, &
ulong dwFlags, &
Ref string pszString, &
Ref ulong pcchString &
) Library "crypt32.dll" Alias For "CryptBinaryToStringW"
[instance variables]
// Base64, with certificate beginning and ending headers
CONSTANT Ulong CRYPT_STRING_BASE64HEADER = 0
// Base64, without headers
CONSTANT Ulong CRYPT_STRING_BASE64 = 1
// Base64, with request beginning and ending headers
CONSTANT Ulong CRYPT_STRING_BASE64REQUESTHEADER = 3
// Base64, with X.509 CRL beginning and ending headers
CONSTANT Ulong CRYPT_STRING_BASE64X509CRLHEADER = 9
Encode a String to Base64:
// -----------------------------------------------------------------------------
// SCRIPT: n_winsock.of_Encode64
//
// PURPOSE: This function converts binary data to a Base64 encoded string.
//
// Note: Requires Windows XP or Server 2003
//
// ARGUMENTS: ablob_data - Blob containing data
//
// RETURN: String containing encoded data
//
// DATE PROG/ID DESCRIPTION OF CHANGE / REASON
// ---------- -------- -----------------------------------------------------
// 08/20/2010 RolandS Initial coding
// 09/27/2010 RolandS Changed to remove trailing CRLF characters
// 03/17/2012 RolandS Changed argument to read-only
// -----------------------------------------------------------------------------
String ls_encoded
ULong lul_len, lul_buflen
Boolean lb_rtn
lul_len = Len(ablob_data)
lul_buflen = lul_len * 3
//lul_buflen = lul_len * 2
ls_encoded = Space(lul_buflen)
lb_rtn = CryptBinaryToString(ablob_data, lul_len, &
CRYPT_STRING_BASE64, ls_encoded, lul_buflen)
If lb_rtn Then
ls_encoded = Left(ls_encoded, lul_buflen - 2)
Else
SetNull(ls_encoded)
End If
Return ls_encoded
I am calling it using this code: Where as_data is the Hexadecimal Bytes String above
Return of_Encode64(Blob(as_data, EncodingAnsi!))
The full code for Encode/decode a string in Base64 in PowerBuilder using the winsock user object in this below URL:
https://www.rgagnon.com/pbdetails/pb-0258.html
Thank you in advance. Keep Safe.

Why can't i use KeWaitForSingleObject with infianity timeout in IRP Dispatch function?

In the IRP_MJ_DEVICE_CONTROL Dispatch function, I try to invoke the KeWaitForSingleObject with infianity timeout.
Like this:
KeWaitForSingleObject(pMainDevExt->pEvent, Executive, KernelMode, FALSE, NULL);
pEvent is Nonpaged pool allocate by ExAllocatePoolWithTag.
But i get a BSOD with IRQL_NOT_LESS_OR_EQUAL
1: kd> g
Driver Verifier: Enabled for MyDriver.sys, 0:0x100009, 1:0x2, build 19042, key 4XXOFJKTWokcIDxOlNSWC
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x0000000a
(0x0000000000000000,0x0000000000000002,0x0000000000000000,0xFFFFF8015AA156F1)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
nt!DbgBreakPointWithStatus:
fffff801`5ac08b90 cc int 3
0: kd> k
# Child-SP RetAddr Call Site
00 fffffb8e`8a844b48 fffff801`5ad1cd12 nt!DbgBreakPointWithStatus
01 fffffb8e`8a844b50 fffff801`5ad1c2f6 nt!KiBugCheckDebugBreak+0x12
02 fffffb8e`8a844bb0 fffff801`5ac00df7 nt!KeBugCheck2+0x946
03 fffffb8e`8a8452c0 fffff801`5ac12c69 nt!KeBugCheckEx+0x107
04 fffffb8e`8a845300 fffff801`5ac0ef69 nt!KiBugCheckDispatch+0x69
05 fffffb8e`8a845440 fffff801`5aa156f1 nt!KiPageFault+0x469
06 fffffb8e`8a8455d0 fffff801`5b1e559d nt!KeWaitForSingleObject+0x1e1
07 fffffb8e`8a8456c0 fffff801`5b1e49de nt!ViKeWaitForSingleObjectCommon+0x95
08 fffffb8e`8a845710 fffff801`5e051280 nt!VerifierKeWaitForSingleObject+0x1e
09 fffffb8e`8a845750 fffff801`5ab225b5 MyDriver!DispatchIoControl+0x240
0a fffffb8e`8a845800 fffff801`5aeec718 nt!IofCallDriver+0x55
0b fffffb8e`8a845840 fffff801`5aeebfe5 nt!IopSynchronousServiceTail+0x1a8
0c fffffb8e`8a8458e0 fffff801`5aeeb9e6 nt!IopXxxControlFile+0x5e5
0d fffffb8e`8a845a20 fffff801`5ac126b5 nt!NtDeviceIoControlFile+0x56
0e fffffb8e`8a845a90 00007ff9`c524cf04 nt!KiSystemServiceCopyEnd+0x25
0f 0000007b`f44ff678 00007ff9`c2d0ad21 ntdll!NtDeviceIoControlFile+0x14
10 0000007b`f44ff680 00007ff9`c43f5611 KERNELBASE!DeviceIoControl+0x121
11 0000007b`f44ff6f0 00007ff6`253c85fc KERNEL32!DeviceIoControlImplementation+0x81
12 0000007b`f44ff740 000001d7`eca97ad0 0x00007ff6`253c85fc
13 0000007b`f44ff748 00000000`00000000 0x000001d7`eca97ad0
Then i found this in MSDN
https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/dispatch-routines-and-irqls
Furthermore, they should not be dependent on any blocking calls (such as KeWaitForSingleObject with a nonzero time-out).
But, i don't know why.
Why can't i call KeWaitForSingleObject with a nonzero time-out?
My KEVENT is located in Nonpaged pool!
Why there is a page fault??? Why can't i invoke???

This has nothing to do with paged vs non-paged code, your code is invoked at DISPATCH_LEVEL where it is not allowed to make a blocking wait, as per MS docs. You pass NULL instead of a 0 timeout, try this instead:
LARGE_INTEGER timeout;
timeout.QuadPart = 0;
KeWaitForSingleObject(pMainDevExt->pEvent, Executive, KernelMode, FALSE, &timeout);
Note that this will allow you to check if the event has been signalled, but you can not perform a blocking wait in DISPATCH_LEVEL, non-paged event or not ;)

K6: k6 websocket - how to decode compressed text in K6

I have used K6 in websocket performance test. While the content from server is compressed, and I got "�0E�e�!�56���j0&��v!�{�:�9�^�" printed in console.
I used nodejs code to handle the same message from server. I got the right text.
So my question is how to decode compressed text in K6?
my K6 script is
socket.on('message', function (data) {
console.log(typeof (data));
console.log(data.length)
if (data.length < 200) {
// I got "�0E�e�!�56���j0&��v!�{�:�9�^�" in console
console.log(data);
}
// I tried to decode it got "incorrect header check"
let text = pako.inflate(data, { to: 'string' });
}
If I used the following JS script, I got the correct text to inflate it to plain text.
ws.on('message', function (data) {
console.log('-------- begin -------');
// I got <Buffer 1f 8b 08 00 00 00 00 00 00 00 2d 8b 4b 0a 80 20 14 45 f7 72 c7 21 f9 1b e4 6e 34 1f 14 12 49 5e 47 d1 de 33 68 7a 3e 37 f6 8c 80 c4 b5 b7 4c 4c 68 3d in console
console.log(data);
console.log('-------- end -------');
let text = pako.inflate(data, {
to: 'string'
});
// msg is " msg: {"id":"btcusdt","subbed":"market.btcusdt.depth.step0","ts":1525243319443,"status":"ok"} "
console.log('msg: ' + text);
})

As I mentioned in the GitHub issue, it seems like pako's browserify version may have some issues when you specify { to: 'string' } in the options. Instead you should be able to do something like this:
let binText = pako.inflate(data);
let strText = String.fromCharCode.apply(null, binText);
console.log(strText);

Windows 7 rejecting UDP packets

I'm writing a program that should simultaneously send and receive special RAW UDP packets. Almost all fields (except MAC-addresses) are filled by myself. And besides that I'm using some fake IP options like: FE 04 01 00 (I've tried different), but the whole IP header is right. So here is an example packet
MACs: 30 85 a9 1f b8 d6 00 25 22 62 22 07 08 00
IP header: 48 00 00 3e 03 d0 00 00 40 11 bb b7 c0 a8 89 a1 c0 a8 89 01
IP options:
fd 04 01 00
fe 08 01 11 1d 15 0a 00
UDP header, payload: c3 50 c3 55 00 1e d7 ce 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 11 22 33 44 55 66 77
Issue
Precondition: windows firewall is disabled and no other firewall is running. On Windows 7 host program is launched with "Run as Administrator".
On Windows XP user is Administrator.
When packet is sent to remote host with Windows XP (LAN), or to the localhost on Windows 7 or Windows XP then it's successfully received(on the remote host or localhost). But if the packet is sent to the remote host with Windows 7 (LAN) then it's rejected by the remote host with ICMP message "Parameter problem". This only can be seen using (for example) Wireshark: sample wireshark capture file
Here's some source code on sending
ressrc = ResolveAddress(srcAddrStr, srcPort, addressFamily, socketType, protocol);
if (ressrc == NULL) {
// handling
}
resdest = ResolveAddress(dstAddrStr, dstPort, ressrc->ai_family, ressrc->ai_socktype, ressrc->ai_protocol);
if (resdest == NULL) {
// handling
}
sendSock = socket(ressrc->ai_family, socketType, ressrc->ai_protocol);
if (sendSock == INVALID_SOCKET) {
// handling
}
int optval = 1;
rc = setsockopt(sendSock, IPPROTO_IP, IP_HDRINCL, (char *)&optval, sizeof(optval));
if (rc == SOCKET_ERROR) {
// handling
}
// packetizing
WSABUF *wbuf = ...
rc = sendto(sendSock, wbuf[0].buf, wbuf[0].len, 0, resdest->ai_addr, resdest->ai_addrlen);
and receiving
ressrc = ResolveAddress(srcAddrStr, NULL, addressFamily, socketType, protocol);
if (ressrc == NULL) {
//handling
}
recvSock = socket(ressrc->ai_family, socketType, ressrc->ai_protocol);
if (recvSock == INVALID_SOCKET) {
//handling
}
rc = bind(recvSock, ressrc->ai_addr, ressrc->ai_addrlen);
if (rc == SOCKET_ERROR) {
//handling
}
while (1)
{
fromlen = sizeof(safrom);
rc = recvfrom(recvSock, buf, MAX_PACKET, 0, (SOCKADDR *)&safrom, &fromlen);
if (rc == SOCKET_ERROR) {
//handling
}
/*
* handling received packet
*/
}
I've tried:
comparing packets received on different hosts (no differences)
putting receiving socket in promiscuous mode using WSAIoctl and ioctlsocket functions
googling, but the only thing I've found about my issue is this topic
What can cause this problem? Should I turn something on/off? Or am I doing wrong something else?