Why do x509.CertificateRequest ExtraExtensions become attributes?


Mauro Monteiro

Feb 6, 2023, 4:54:39 PM
to golang-nuts
Hello all

I am using the Go crypto libs to create x509 certificate requests (CSRs) and certificates. I noticed that CSR template extra extensions become CSR template attributes in case I need to marshal / unmarshal CSR templates. For instance, below is some simple code that shows this behaviour:

    cr := &x509.CertificateRequest{
        Version:            0,
        SignatureAlgorithm: getSignatureAlgorithm(),
        PublicKeyAlgorithm: getPublicKeyAlgorithm(),
        DNSNames:           getDNSNames(),
        IPAddresses:        getIPAddresses(),
        ExtraExtensions:    getExtraExtensions(),
    }

    fmt.Printf("********* CSR With extra extensions %+v\n", cr.ExtraExtensions)

    csr, err = x509.CreateCertificateRequest(rand.Reader, cr, privKey)
    if err != nil {
        return nil, nil, err
    }

    csrTemplate, err = x509.ParseCertificateRequest(csr)
    if err != nil {
        return nil, nil, err
    }

    fmt.Printf("********* CSR Without extra extensions %+v\n", csrTemplate.ExtraExtensions)
    fmt.Printf("********* CSR attributes %+v\n", csrTemplate.Attributes)

As can be seen, the code creates a template (x509.CertificateRequest) and adds a value for the ExtraExtensions, which is printed by the first fmt call. Then, it calls the methods x509.CreateCertificateRequest and x509.ParseCertificateRequest. After that, the code prints again; however, now the ExtraExtensions value is empty while the Attributes have the expected value.

Is there a reason for it? Based on the crypto documentation, the Attributes field for CertificateRequest is deprecated.

Mauro
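
An added example, not part of the original post: per the crypto/x509 documentation, `ExtraExtensions` is only read when a CSR is marshaled, and `ParseCertificateRequest` reports the requested extensions in `Extensions`, so code that validates a received CSR should look there. The OID, extension value and hostname below are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Constructed private-arc OID, used only for this example.
var exampleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55555, 1}

// roundTrip marshals a CSR carrying one extra extension, then parses the DER back.
func roundTrip() (*x509.CertificateRequest, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		DNSNames:        []string{"example.test"},
		ExtraExtensions: []pkix.Extension{{Id: exampleOID, Value: []byte{0x05, 0x00}}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// findExtension searches Extensions, the field the parser populates.
func findExtension(cr *x509.CertificateRequest, oid asn1.ObjectIdentifier) ([]byte, bool) {
	for _, e := range cr.Extensions {
		if e.Id.Equal(oid) {
			return e.Value, true
		}
	}
	return nil, false
}

func main() {
	cr, err := roundTrip()
	if err != nil {
		panic(err)
	}
	_, ok := findExtension(cr, exampleOID)
	fmt.Println(len(cr.ExtraExtensions), len(cr.Extensions), ok)
}
```
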