From b0a5a1c74a957ac15f89950dd60faffe090d79f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BE=90=E8=83=96?=
Date: Thu, 20 Jan 2022 18:15:26 +0800
Subject: [PATCH] Alias x509 types
---
 smx509/parser.go | 5 ++--
 smx509/root_windows.go | 2 +-
 smx509/verify.go | 10 ++++----
 smx509/x509.go | 57 +++++++++++++++++++++++++++++-------------
 4 files changed, 47 insertions(+), 27 deletions(-)
diff --git a/smx509/parser.go b/smx509/parser.go
index 6041b08..39254dc 100644
--- a/smx509/parser.go
+++ b/smx509/parser.go
@@ -7,7 +7,6 @@ import (
 "crypto/ed25519"
 "crypto/elliptic"
 "crypto/rsa"
- "crypto/x509"
 "crypto/x509/pkix"
 "encoding/asn1"
 "encoding/pem"
@@ -420,8 +419,8 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string
 return
 }
-func parseExtKeyUsageExtension(der cryptobyte.String) ([]x509.ExtKeyUsage, []asn1.ObjectIdentifier, error) {
- var extKeyUsages []x509.ExtKeyUsage
+func parseExtKeyUsageExtension(der cryptobyte.String) ([]ExtKeyUsage, []asn1.ObjectIdentifier, error) {
+ var extKeyUsages []ExtKeyUsage
 var unknownUsages []asn1.ObjectIdentifier
 if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
 return nil, nil, errors.New("x509: invalid extended key usages")
diff --git a/smx509/root_windows.go b/smx509/root_windows.go
index 46c69ee..aa4c9b4 100644
--- a/smx509/root_windows.go
+++ b/smx509/root_windows.go
@@ -148,7 +148,7 @@ func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContex
 // windowsExtKeyUsageOIDs are the C NUL-terminated string representations of the
 // OIDs for use with the Windows API.
-var windowsExtKeyUsageOIDs = make(map[x509.ExtKeyUsage][]byte, len(extKeyUsageOIDs))
+var windowsExtKeyUsageOIDs = make(map[ExtKeyUsage][]byte, len(extKeyUsageOIDs))
 func init() {
 for _, eku := range extKeyUsageOIDs {
diff --git a/smx509/verify.go b/smx509/verify.go
index 14b70d5..45ef892 100644
--- a/smx509/verify.go
+++ b/smx509/verify.go
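Review bot: The root_windows.go hunk at @@ -148 replaces the only `x509.` reference visible in that file but, unlike the parser.go hunk at @@ -7, does not touch its import block; if nothing else in root_windows.go still refers to the package, the file now fails with an unused-import error. Because the file is only compiled for Windows, a non-Windows build or test run would not catch that, so it is worth confirming with `GOOS=windows go vet ./smx509/` before merging. The rest of root_windows.go is outside the hunk, so this is inferred rather than visible.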
@@ -66,7 +66,7 @@ type VerifyOptions struct {
 // KeyUsages specifies which Extended Key Usage values are acceptable. A
 // chain is accepted if it allows any of the listed values. An empty list
 // means ExtKeyUsageServerAuth. To accept any key usage, include ExtKeyUsageAny.
- KeyUsages []x509.ExtKeyUsage
+ KeyUsages []ExtKeyUsage
 // MaxConstraintComparisions is the maximum number of comparisons to
 // perform when checking a given certificate's name constraints. If
@@ -554,7 +554,7 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
 keyUsages := opts.KeyUsages
 if len(keyUsages) == 0 {
- keyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+ keyUsages = []ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 }
 // If any key usage is acceptable then we're done.
@@ -823,8 +823,8 @@ func (c *Certificate) VerifyHostname(h string) error {
 return x509.HostnameError{&c.Certificate, h}
 }
-func checkChainForKeyUsage(chain []*Certificate, keyUsages []x509.ExtKeyUsage) bool {
- usages := make([]x509.ExtKeyUsage, len(keyUsages))
+func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
+ usages := make([]ExtKeyUsage, len(keyUsages))
 copy(usages, keyUsages)
 if len(chain) == 0 {
@@ -852,7 +852,7 @@ NextCert:
 }
 }
- const invalidUsage x509.ExtKeyUsage = -1
+ const invalidUsage ExtKeyUsage = -1
 NextRequestedUsage:
 for i, requestedUsage := range usages {
diff --git a/smx509/x509.go b/smx509/x509.go
index 82d870a..82036df 100644
--- a/smx509/x509.go
+++ b/smx509/x509.go
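Review bot: The default at @@ -554 still spells the value as `x509.ExtKeyUsageServerAuth` even though the slice type now uses the package alias and this commit adds `ExtKeyUsageServerAuth` to x509.go; the sibling hunks at @@ -66, @@ -823 and @@ -852 drop the `x509.` prefix entirely, so this line reads as a leftover. Suggest `keyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}`. Behaviour is identical either way because `ExtKeyUsage` is a type alias, so this is a consistency point only; the body of Verify continues outside the hunk.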
@@ -501,28 +501,49 @@ var (
 oidExtKeyUsageMicrosoftKernelCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
 )
+// ExtKeyUsage represents an extended set of actions that are valid for a given key.
+// Each of the ExtKeyUsage* constants define a unique action.
+type ExtKeyUsage = x509.ExtKeyUsage
+
+const (
+ ExtKeyUsageAny = x509.ExtKeyUsageAny
+ ExtKeyUsageServerAuth = x509.ExtKeyUsageServerAuth
+ ExtKeyUsageClientAuth = x509.ExtKeyUsageClientAuth
+ ExtKeyUsageCodeSigning = x509.ExtKeyUsageCodeSigning
+ ExtKeyUsageEmailProtection = x509.ExtKeyUsageEmailProtection
+ ExtKeyUsageIPSECEndSystem = x509.ExtKeyUsageIPSECEndSystem
+ ExtKeyUsageIPSECTunnel = x509.ExtKeyUsageIPSECTunnel
+ ExtKeyUsageIPSECUser = x509.ExtKeyUsageIPSECUser
+ ExtKeyUsageTimeStamping = x509.ExtKeyUsageTimeStamping
+ ExtKeyUsageOCSPSigning = x509.ExtKeyUsageOCSPSigning
+ ExtKeyUsageMicrosoftServerGatedCrypto = x509.ExtKeyUsageMicrosoftServerGatedCrypto
+ ExtKeyUsageNetscapeServerGatedCrypto = x509.ExtKeyUsageNetscapeServerGatedCrypto
+ ExtKeyUsageMicrosoftCommercialCodeSigning = x509.ExtKeyUsageMicrosoftCommercialCodeSigning
+ ExtKeyUsageMicrosoftKernelCodeSigning = x509.ExtKeyUsageMicrosoftKernelCodeSigning
+)
+
+// extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
 var extKeyUsageOIDs = []struct {
- extKeyUsage x509.ExtKeyUsage
+ extKeyUsage ExtKeyUsage
 oid asn1.ObjectIdentifier
 }{
- {x509.ExtKeyUsageAny, oidExtKeyUsageAny},
- {x509.ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
- {x509.ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
- {x509.ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
- {x509.ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
- {x509.ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
- {x509.ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
- {x509.ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
- {x509.ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
- {x509.ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
- {x509.ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
- {x509.ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
- {x509.ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
- {x509.ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
+ {ExtKeyUsageAny, oidExtKeyUsageAny},
+ {ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
+ {ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
+ {ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
+ {ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
+ {ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
+ {ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
+ {ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
+ {ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
+ {ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
+ {ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
+ {ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
+ {ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
+ {ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
 }
-func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku x509.ExtKeyUsage, ok bool) {
+func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
 for _, pair := range extKeyUsageOIDs {
 if oid.Equal(pair.oid) {
 return pair.extKeyUsage, true
@@ -531,7 +552,7 @@ func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku x509.ExtKeyUsage, ok boo
 return
 }
-func oidFromExtKeyUsage(eku x509.ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
+func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
 for _, pair := range extKeyUsageOIDs {
 if eku == pair.extKeyUsage {
 return pair.oid, true
@@ -1071,7 +1092,7 @@ func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error) {
 return ext, nil
 }
-func marshalExtKeyUsage(extUsages []x509.ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) {
+func marshalExtKeyUsage(extUsages []ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) {
 ext := pkix.Extension{Id: oidExtensionExtendedKeyUsage}
 oids := make([]asn1.ObjectIdentifier, len(extUsages)+len(unknownUsages))
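Review bot: The new constant block at @@ -501 has no doc comment, and the comment on `ExtKeyUsage` is copied from crypto/x509 and does not say that the type is an alias (`=`) rather than a distinct defined type, which is the property that lets callers mix smx509 and crypto/x509 values without conversion. Suggest `// ExtKeyUsage is an alias of crypto/x509.ExtKeyUsage, so values are interchangeable with the standard library.` on the type, and `// The ExtKeyUsage* constants re-export the crypto/x509 constants of the same name; extKeyUsageOIDs must list every one of them.` on the const block, since the table below is the only thing mapping each constant to an OID. extKeyUsageFromOID continues past the end of the hunk.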