From f3a1eab5fe1d1fc240a0221330e02b33351afe2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BE=90=E8=83=96?=
Date: Thu, 20 Jan 2022 18:07:21 +0800
Subject: [PATCH] Alias x509 types
---
 smx509/parser.go | 6 +++---
 smx509/verify_test.go | 2 +-
 smx509/x509.go | 32 ++++++++++++++++++++++++--------
 smx509/x509_test.go | 22 +++++++++++-----------
 4 files changed, 39 insertions(+), 23 deletions(-)
diff --git a/smx509/parser.go b/smx509/parser.go
index 3791cb3..6041b08 100644
--- a/smx509/parser.go
+++ b/smx509/parser.go
@@ -228,7 +228,7 @@ func parseExtension(der cryptobyte.String) (pkix.Extension, error) {
 return ext, nil
 }
-func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
+func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
 der := cryptobyte.String(keyData.PublicKey.RightAlign())
 switch algo {
 case RSA:
@@ -321,7 +321,7 @@ func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (inter
 }
 }
-func parseKeyUsageExtension(der cryptobyte.String) (x509.KeyUsage, error) {
+func parseKeyUsageExtension(der cryptobyte.String) (KeyUsage, error) {
 var usageBits asn1.BitString
 if !der.ReadASN1BitString(&usageBits) {
 return 0, errors.New("x509: invalid key usage")
@@ -333,7 +333,7 @@ func parseKeyUsageExtension(der cryptobyte.String) (x509.KeyUsage, error) {
 usage |= 1 << uint(i)
 }
 }
- return x509.KeyUsage(usage), nil
+ return KeyUsage(usage), nil
 }
 func parseBasicConstraintsExtension(der cryptobyte.String) (bool, int, error) {
diff --git a/smx509/verify_test.go b/smx509/verify_test.go
index 191d18a..5753de5 100644
--- a/smx509/verify_test.go
+++ b/smx509/verify_test.go
@@ -1721,7 +1721,7 @@ func generateCert(cn string, isCA bool, issuer *x509.Certificate, issuerKey cryp
 NotBefore: time.Now().Add(-1 * time.Hour),
 NotAfter: time.Now().Add(24 * time.Hour),
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ KeyUsage: KeyUsageKeyEncipherment | KeyUsageDigitalSignature | KeyUsageCertSign,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 BasicConstraintsValid: true,
 IsCA: isCA,
diff --git a/smx509/x509.go b/smx509/x509.go
index 122bd2b..82d870a 100644
--- a/smx509/x509.go
+++ b/smx509/x509.go
@@ -246,7 +246,7 @@ var signatureAlgorithmDetails = []struct {
 algo SignatureAlgorithm
 name string
 oid asn1.ObjectIdentifier
- pubKeyAlgo x509.PublicKeyAlgorithm
+ pubKeyAlgo PublicKeyAlgorithm
 hash crypto.Hash
 }{
 {MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
@@ -371,7 +371,7 @@ var (
 oidPublicKeyEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112}
 )
-func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.PublicKeyAlgorithm {
+func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
 switch {
 case oid.Equal(oidPublicKeyRSA):
 return RSA
@@ -456,6 +456,22 @@ func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
 return nil
 }
+// KeyUsage represents the set of actions that are valid for a given key. It's
+// a bitmap of the KeyUsage* constants.
+type KeyUsage = x509.KeyUsage
+
+const (
+KeyUsageDigitalSignature = x509.KeyUsageDigitalSignature
+KeyUsageContentCommitment = x509.KeyUsageContentCommitment
+KeyUsageKeyEncipherment = x509.KeyUsageKeyEncipherment
+KeyUsageDataEncipherment = x509.KeyUsageDataEncipherment
+KeyUsageKeyAgreement = x509.KeyUsageKeyAgreement
+KeyUsageCertSign = x509.KeyUsageCertSign
+KeyUsageCRLSign = x509.KeyUsageCRLSign
+KeyUsageEncipherOnly = x509.KeyUsageEncipherOnly
+KeyUsageDecipherOnly = x509.KeyUsageDecipherOnly
+)
+
 // RFC 5280, 4.2.1.12 Extended Key Usage
 //
 // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
@@ -553,7 +569,7 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
 return x509.ConstraintViolationError{}
 }
- if parent.KeyUsage != 0 && parent.KeyUsage&x509.KeyUsageCertSign == 0 {
+ if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
 return x509.ConstraintViolationError{}
 }
@@ -585,7 +601,7 @@ func (c *Certificate) getSANExtension() []byte {
 return nil
 }
-func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo x509.PublicKeyAlgorithm, pubKey interface{}) error {
+func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
 return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
 }
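Review bot: The doc comment on the new `type KeyUsage = x509.KeyUsage` says what the bitmap means but not the property the rest of this patch relies on: that it is a type alias rather than a distinct defined type, which is what lets `parent.KeyUsage&KeyUsageCertSign` and `issuer.KeyUsage & KeyUsageCRLSign` be evaluated on crypto/x509 certificate values without conversion and keeps the bit positions consumed by `marshalKeyUsage`/`parseKeyUsageExtension` identical to the standard library's RFC 5280 encoding. I would state that explicitly, e.g. `// KeyUsage is an alias of crypto/x509.KeyUsage (not a new type): values and the KeyUsage* constants below are interchangeable with the standard library's and keep their RFC 5280 bit positions.` The exported constant block has no comment at all; a one-liner such as `// KeyUsage* alias the corresponding crypto/x509 constants and carry the same typed values.` would do. The same caveat presumably applies to PublicKeyAlgorithm, whose declaration is not in this patch; I infer it is likewise an alias because `expectedPubKeyAlgo.String()` is called on it below, but that should be confirmed where it is declared.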
@@ -609,7 +625,7 @@ func verifyECDSAASN1(pub *ecdsa.PublicKey, hash, sig []byte) bool {
 // a crypto.PublicKey.
 func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
 var hashType crypto.Hash
- var pubKeyAlgo x509.PublicKeyAlgorithm
+ var pubKeyAlgo PublicKeyAlgorithm
 isSM2 := (algo == SM2WithSM3)
 for _, details := range signatureAlgorithmDetails {
@@ -1034,7 +1050,7 @@ func buildCertExtensions(template *x509.Certificate, subjectIsEmpty bool, author
 return append(ret[:n], template.ExtraExtensions...), nil
 }
-func marshalKeyUsage(ku x509.KeyUsage) (pkix.Extension, error) {
+func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error) {
 ext := pkix.Extension{Id: oidExtensionKeyUsage, Critical: true}
 var a [2]byte
@@ -1138,7 +1154,7 @@ func subjectBytes(cert *x509.Certificate) ([]byte, error) {
 // priv. If requestedSigAlgo is not zero then it overrides the default
 // signature algorithm.
 func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
- var pubType x509.PublicKeyAlgorithm
+ var pubType PublicKeyAlgorithm
 switch pub := pub.(type) {
 case *rsa.PublicKey:
@@ -1843,7 +1859,7 @@ func CreateRevocationList(rand io.Reader, template *x509.RevocationList, issuer
 if issuer == nil {
 return nil, errors.New("x509: issuer can not be nil")
 }
- if (issuer.KeyUsage & x509.KeyUsageCRLSign) == 0 {
+ if (issuer.KeyUsage & KeyUsageCRLSign) == 0 {
 return nil, errors.New("x509: issuer must have the crlSign key usage bit set")
 }
 if len(issuer.SubjectKeyId) == 0 {
diff --git a/smx509/x509_test.go b/smx509/x509_test.go
index 4b6bd14..34620e3 100644
--- a/smx509/x509_test.go
+++ b/smx509/x509_test.go
@@ -497,7 +497,7 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
 SignatureAlgorithm: test.sigAlgo,
 SubjectKeyId: []byte{1, 2, 3, 4},
- KeyUsage: x509.KeyUsageCertSign,
+ KeyUsage: KeyUsageCertSign,
 ExtKeyUsage: testExtKeyUsage,
 UnknownExtKeyUsage: testUnknownExtKeyUsage,
@@ -1181,7 +1181,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "issuer doesn't have crlSign key usage bit set",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCertSign,
+ KeyUsage: KeyUsageCertSign,
 },
 template: &x509.RevocationList{},
 expectedError: "x509: issuer must have the crlSign key usage bit set",
@@ -1190,7 +1190,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "issuer missing SubjectKeyId",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 },
 template: &x509.RevocationList{},
 expectedError: "x509: issuer certificate doesn't contain a subject key identifier",
@@ -1199,7 +1199,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "nextUpdate before thisUpdate",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 Subject: pkix.Name{
 CommonName: "testing",
 },
@@ -1215,7 +1215,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "nil Number",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 Subject: pkix.Name{
 CommonName: "testing",
 },
@@ -1231,7 +1231,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "invalid signature algorithm",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 Subject: pkix.Name{
 CommonName: "testing",
 },
@@ -1255,7 +1255,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "valid",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 Subject: pkix.Name{
 CommonName: "testing",
 },
@@ -1277,7 +1277,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "valid, Ed25519 key",
 key: ed25519Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 Subject: pkix.Name{
 CommonName: "testing",
 },
@@ -1299,7 +1299,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "valid, non-default signature algorithm",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 Subject: pkix.Name{
 CommonName: "testing",
 },
@@ -1322,7 +1322,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "valid, extra extension",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 Subject: pkix.Name{
 CommonName: "testing",
 },
@@ -1350,7 +1350,7 @@ func TestCreateRevocationList(t *testing.T) {
 name: "valid, empty list",
 key: sm2Priv,
 issuer: &x509.Certificate{
- KeyUsage: x509.KeyUsageCRLSign,
+ KeyUsage: KeyUsageCRLSign,
 Subject: pkix.Name{
 CommonName: "testing",
 },