sync upstream #25

2025-04-21 17:56:19 +08:00 · 2022-02-09 13:03:32 +08:00 · 2022-02-09 13:03:32 +08:00 · 2fa225552f
commit 2fa225552f
parent 26408e6993
3 changed files with 5 additions and 28 deletions
--- a/sm2/sm2.go
+++ b/sm2/sm2.go
@ -169,8 +169,8 @@ func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {

 // Sign signs digest with priv, reading randomness from rand. Compliance with GB/T 32918.2-2016.
 // The opts argument is currently used for SM2SignerOption checking only.
-// If the opts argument is SM2SignerOption and its ForceGMSign is true, then it
-// treats digest as raw data and take UID from opts.
+// If the opts argument is SM2SignerOption and its ForceGMSign is true,
+// digest argument will be treated as raw data and UID will be taken from opts.
 //
 // This method implements crypto.Signer, which is an interface to support keys
 // where the private part is kept in, for example, a hardware module. Common
--- a/smx509/verify.go
+++ b/smx509/verify.go
@ -987,14 +987,6 @@ NextCert:
 			for _, usage := range cert.ExtKeyUsage {
 				if requestedUsage == usage {
 					continue NextRequestedUsage
-				} else if requestedUsage == ExtKeyUsageServerAuth &&
-					(usage == ExtKeyUsageNetscapeServerGatedCrypto ||
-						usage == ExtKeyUsageMicrosoftServerGatedCrypto) {
-					// In order to support COMODO
-					// certificate chains, we have to
-					// accept Netscape or Microsoft SGC
-					// usages as equal to ServerAuth.
-					continue NextRequestedUsage
 				}
 			}

--- a/smx509/x509.go
+++ b/smx509/x509.go
@ -19,7 +19,7 @@ import (
 	"net"
 	"net/url"
 	"time"
-	"unicode/utf8"
+	"unicode"

 	"golang.org/x/crypto/cryptobyte"
 	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
@ -611,22 +611,6 @@ func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm,
 	return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
 }

-func verifyECDSAASN1(pub *ecdsa.PublicKey, hash, sig []byte) bool {
-	var (
-		r, s  = &big.Int{}, &big.Int{}
-		inner cryptobyte.String
-	)
-	input := cryptobyte.String(sig)
-	if !input.ReadASN1(&inner, cryptobyte_asn1.SEQUENCE) ||
-		!input.Empty() ||
-		!inner.ReadASN1Integer(r) ||
-		!inner.ReadASN1Integer(s) ||
-		!inner.Empty() {
-		return false
-	}
-	return ecdsa.Verify(pub, hash, r, s)
-}
-
 // checkSignature verifies that signature is a valid signature over signed from
 // a crypto.PublicKey.
 func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
@ -826,7 +810,8 @@ func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris [

 func isIA5String(s string) error {
 	for _, r := range s {
-		if r >= utf8.RuneSelf {
+		// Per RFC5280 "IA5String is limited to the set of ASCII characters"
+		if r >= unicode.MaxASCII {
 			return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
 		}
 	}