Description
Prior to Go 1.5 it was not possible to parse CSRs which included single attributes like challenge password (OID 1.2.840.113549.1.9.7). See cloudflare/cfssl#115.
This issue was addressed in CL #8160 cloudflare/go@23fca3d by ignoring those attributes.
Currently there is no good way to parse and marshal a CSR with attributes that don't fit in the structure defined by pkix.AttributeTypeAndValueSET. Challenge Password is a necessary attribute when implementing the SCEP Protocol, which is widely used in IoT and Mobile Device Management environments like the Apple MDM spec.
To extract or add a challenge password attribute, the CSR has to be unmarshalled and modified separately from the x509/crypto. Here's an example workaround which reimplements parsing and marshaling the CertificateRequest type.
The x509/crypto library should have a method for handling special attributes in the CSR. As CL #8160 mentions in the review comments, one possible solution is to add a RawAttributes field to the CertificateRequest struct.
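
A sketch of the extraction half of such a workaround, added here as an example (it is not the workaround linked in the issue and not crypto/x509 code): the CSR is decoded with encoding/asn1 into structures that keep attribute values raw, so the challenge password (OID 1.2.840.113549.1.9.7) can be read out. The names `attribute`, `request` and `ChallengePassword` are hypothetical, and the input in `main` is a constructed, unsigned CSR skeleton.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

var oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}

// PKCS #10 (RFC 2986) layout with attribute values kept as raw ASN.1.
type attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}
type request struct {
	Info struct {
		Version            int
		Subject, PublicKey asn1.RawValue
		Attributes         []attribute `asn1:"tag:0"`
	}
	SigAlg    asn1.RawValue
	Signature asn1.BitString
}

// ChallengePassword extracts the attribute from a DER-encoded CSR. It does
// not check the CSR signature; verify that with crypto/x509 first.
func ChallengePassword(der []byte) (string, error) {
	var req request
	if rest, err := asn1.Unmarshal(der, &req); err != nil || len(rest) != 0 {
		return "", errors.New("malformed CSR")
	}
	for _, a := range req.Info.Attributes {
		if a.Type.Equal(oidChallengePassword) && len(a.Values) == 1 {
			var pw string // accepts PrintableString, UTF8String and similar
			_, err := asn1.Unmarshal(a.Values[0].FullBytes, &pw)
			return pw, err
		}
	}
	return "", errors.New("no challengePassword attribute")
}

func main() { // runs on a constructed, unsigned CSR skeleton (sample data)
	val, _ := asn1.MarshalWithParams("s3cret", "utf8")
	req := request{SigAlg: asn1.RawValue{FullBytes: []byte{0x30, 0x00}}}
	req.Info.Subject, req.Info.PublicKey = req.SigAlg, req.SigAlg
	req.Info.Attributes = []attribute{{oidChallengePassword, []asn1.RawValue{{FullBytes: val}}}}
	der, _ := asn1.Marshal(req)
	fmt.Println(ChallengePassword(der))
}
```

A SCEP responder should compare the extracted value against the expected secret in constant time (for example with crypto/subtle) and only after the CSR signature has been checked.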