From 2fa225552f2c0a354bf331c378af9648d7bff355 Mon Sep 17 00:00:00 2001
From: Emman
Date: Wed, 9 Feb 2022 13:03:32 +0800
Subject: [PATCH] sync upstream #25
---
 sm2/sm2.go | 4 ++--
 smx509/verify.go | 8 --------
 smx509/x509.go | 21 +++------------------
 3 files changed, 5 insertions(+), 28 deletions(-)
diff --git a/sm2/sm2.go b/sm2/sm2.go
index c7a16b1..3b01f3c 100644
--- a/sm2/sm2.go
+++ b/sm2/sm2.go
@@ -169,8 +169,8 @@ func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {
 // Sign signs digest with priv, reading randomness from rand. Compliance with GB/T 32918.2-2016.
 // The opts argument is currently used for SM2SignerOption checking only.
-// If the opts argument is SM2SignerOption and its ForceGMSign is true, then it
-// treats digest as raw data and take UID from opts.
+// If the opts argument is SM2SignerOption and its ForceGMSign is true,
+// digest argument will be treated as raw data and UID will be taken from opts.
 //
 // This method implements crypto.Signer, which is an interface to support keys
 // where the private part is kept in, for example, a hardware module. Common
diff --git a/smx509/verify.go b/smx509/verify.go
index 4a01c9d..be2c856 100644
--- a/smx509/verify.go
+++ b/smx509/verify.go
@@ -987,14 +987,6 @@ NextCert:
 for _, usage := range cert.ExtKeyUsage {
 if requestedUsage == usage {
 continue NextRequestedUsage
- } else if requestedUsage == ExtKeyUsageServerAuth &&
- (usage == ExtKeyUsageNetscapeServerGatedCrypto ||
- usage == ExtKeyUsageMicrosoftServerGatedCrypto) {
- // In order to support COMODO
- // certificate chains, we have to
- // accept Netscape or Microsoft SGC
- // usages as equal to ServerAuth.
- continue NextRequestedUsage
 }
 }
diff --git a/smx509/x509.go b/smx509/x509.go
index 982e218..53f8b5e 100644
--- a/smx509/x509.go
+++ b/smx509/x509.go
@@ -19,7 +19,7 @@ import (
 "net"
 "net/url"
 "time"
- "unicode/utf8"
+ "unicode"
 "golang.org/x/crypto/cryptobyte"
 cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
@@ -611,22 +611,6 @@ func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm,
 return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
 }
-func verifyECDSAASN1(pub *ecdsa.PublicKey, hash, sig []byte) bool {
- var (
- r, s = &big.Int{}, &big.Int{}
- inner cryptobyte.String
- )
- input := cryptobyte.String(sig)
- if !input.ReadASN1(&inner, cryptobyte_asn1.SEQUENCE) ||
- !input.Empty() ||
- !inner.ReadASN1Integer(r) ||
- !inner.ReadASN1Integer(s) ||
- !inner.Empty() {
- return false
- }
- return ecdsa.Verify(pub, hash, r, s)
-}
-
 // checkSignature verifies that signature is a valid signature over signed from
 // a crypto.PublicKey.
 func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
@@ -826,7 +810,8 @@ func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris [
 func isIA5String(s string) error {
 for _, r := range s {
- if r >= utf8.RuneSelf {
+ // Per RFC5280 "IA5String is limited to the set of ASCII characters"
+ if r >= unicode.MaxASCII {
 return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
 }
 }
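Review bot: The new bound in `isIA5String` (last hunk of smx509/x509.go) is off by one. `unicode.MaxASCII` is U+007F, whereas the replaced `utf8.RuneSelf` is 0x80, so `r >= unicode.MaxASCII` now rejects DEL (0x7F), which the old check accepted and which is still within the ASCII set the added comment cites. Assuming the intent is to keep the previous accept set, the line should read `if r > unicode.MaxASCII {`. A small table test over 0x7E, 0x7F and 0x80 would pin the boundary so SAN marshalling does not silently change what it refuses. The rest of the function lies outside the hunk.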