Skip to content

proposal: crypto/x509: expose OID of the issuer's signature algorithm when algorithm is unrecognized #76133

New issue
New issue
Open
Open
proposal: crypto/x509: expose OID of the issuer's signature algorithm when algorithm is unrecognized#76133
Labels
LibraryProposalIssues describing a requested change to the Go standard library or x/ libraries, but not to a toolProposal
Milestone
Proposal
@cjpatton

Description

@cjpatton
cjpatton
opened on Oct 31, 2025

Proposal Details

I'm working on an implementation of Merkle Tree Certificates, a new type of certificate that combines issuance with certificate transparency in a way that reduces the overall size of the certificate The spec involves a new type of signature algorithm, specifically for the issuer's signature.

crypto/X509.ParseCertificate() successfully parses the certificate, but sets SignatureAlgorithm to UnknownSignatureAlgorithm. Before attempting to validate the Signature, I would like to inspect the raw signature algorithm in order to ensure it is the OID we expect.

Options:

  1. Expose the raw signature algorihm as a field in Certificate. Though I don't know enough about X.509 to say if this is a realistic option.
  2. Add support for the MTC signature algorithm. Note, however, that the spec is in an experimental phase and the OID has not been finalized.

Related proposal: #75260

Metadata

Metadata

Assignees

No one assigned

    Labels

    LibraryProposalIssues describing a requested change to the Go standard library or x/ libraries, but not to a toolProposal

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions