Alias x509 types

This commit is contained in:
徐胖 2022-01-20 18:07:21 +08:00
parent fc37929456
commit f3a1eab5fe
4 changed files with 39 additions and 23 deletions


@ -228,7 +228,7 @@ func parseExtension(der cryptobyte.String) (pkix.Extension, error) {
return ext, nil
}
func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
der := cryptobyte.String(keyData.PublicKey.RightAlign())
switch algo {
case RSA:
@ -321,7 +321,7 @@ func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (inter
}
}
func parseKeyUsageExtension(der cryptobyte.String) (x509.KeyUsage, error) {
func parseKeyUsageExtension(der cryptobyte.String) (KeyUsage, error) {
var usageBits asn1.BitString
if !der.ReadASN1BitString(&usageBits) {
return 0, errors.New("x509: invalid key usage")
@ -333,7 +333,7 @@ func parseKeyUsageExtension(der cryptobyte.String) (x509.KeyUsage, error) {
usage |= 1 << uint(i)
}
}
return x509.KeyUsage(usage), nil
return KeyUsage(usage), nil
}
func parseBasicConstraintsExtension(der cryptobyte.String) (bool, int, error) {


@ -1721,7 +1721,7 @@ func generateCert(cn string, isCA bool, issuer *x509.Certificate, issuerKey cryp
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(24 * time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
KeyUsage: KeyUsageKeyEncipherment | KeyUsageDigitalSignature | KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IsCA: isCA,


@ -246,7 +246,7 @@ var signatureAlgorithmDetails = []struct {
algo SignatureAlgorithm
name string
oid asn1.ObjectIdentifier
pubKeyAlgo x509.PublicKeyAlgorithm
pubKeyAlgo PublicKeyAlgorithm
hash crypto.Hash
}{
{MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
@ -371,7 +371,7 @@ var (
oidPublicKeyEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112}
)
func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.PublicKeyAlgorithm {
func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
switch {
case oid.Equal(oidPublicKeyRSA):
return RSA
@ -456,6 +456,22 @@ func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
return nil
}
// KeyUsage represents the set of actions that are valid for a given key. It's
// a bitmap of the KeyUsage* constants.
type KeyUsage = x509.KeyUsage
const (
KeyUsageDigitalSignature = x509.KeyUsageDigitalSignature
KeyUsageContentCommitment = x509.KeyUsageContentCommitment
KeyUsageKeyEncipherment = x509.KeyUsageKeyEncipherment
KeyUsageDataEncipherment = x509.KeyUsageDataEncipherment
KeyUsageKeyAgreement = x509.KeyUsageKeyAgreement
KeyUsageCertSign = x509.KeyUsageCertSign
KeyUsageCRLSign = x509.KeyUsageCRLSign
KeyUsageEncipherOnly = x509.KeyUsageEncipherOnly
KeyUsageDecipherOnly = x509.KeyUsageDecipherOnly
)
// RFC 5280, 4.2.1.12 Extended Key Usage
//
// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
@ -553,7 +569,7 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
return x509.ConstraintViolationError{}
}
if parent.KeyUsage != 0 && parent.KeyUsage&x509.KeyUsageCertSign == 0 {
if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
return x509.ConstraintViolationError{}
}
@ -585,7 +601,7 @@ func (c *Certificate) getSANExtension() []byte {
return nil
}
func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo x509.PublicKeyAlgorithm, pubKey interface{}) error {
func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
}
@ -609,7 +625,7 @@ func verifyECDSAASN1(pub *ecdsa.PublicKey, hash, sig []byte) bool {
// a crypto.PublicKey.
func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
var hashType crypto.Hash
var pubKeyAlgo x509.PublicKeyAlgorithm
var pubKeyAlgo PublicKeyAlgorithm
isSM2 := (algo == SM2WithSM3)
for _, details := range signatureAlgorithmDetails {
@ -1034,7 +1050,7 @@ func buildCertExtensions(template *x509.Certificate, subjectIsEmpty bool, author
return append(ret[:n], template.ExtraExtensions...), nil
}
func marshalKeyUsage(ku x509.KeyUsage) (pkix.Extension, error) {
func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error) {
ext := pkix.Extension{Id: oidExtensionKeyUsage, Critical: true}
var a [2]byte
@ -1138,7 +1154,7 @@ func subjectBytes(cert *x509.Certificate) ([]byte, error) {
// priv. If requestedSigAlgo is not zero then it overrides the default
// signature algorithm.
func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
var pubType x509.PublicKeyAlgorithm
var pubType PublicKeyAlgorithm
switch pub := pub.(type) {
case *rsa.PublicKey:
@ -1843,7 +1859,7 @@ func CreateRevocationList(rand io.Reader, template *x509.RevocationList, issuer
if issuer == nil {
return nil, errors.New("x509: issuer can not be nil")
}
if (issuer.KeyUsage & x509.KeyUsageCRLSign) == 0 {
if (issuer.KeyUsage & KeyUsageCRLSign) == 0 {
return nil, errors.New("x509: issuer must have the crlSign key usage bit set")
}
if len(issuer.SubjectKeyId) == 0 {
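Review bot: The new `type KeyUsage = x509.KeyUsage` and the constant block that follows it carry no comment saying that this is an alias rather than a defined type, and that property is exactly what lets these values be assigned straight into `x509.Certificate.KeyUsage` templates and compared against stdlib constants elsewhere in this commit, so a future maintainer could "tidy" the `=` away and silently break interoperability. I would extend the existing comment with `// KeyUsage is an alias of crypto/x509.KeyUsage (not a distinct type), so values are interchangeable with the standard library's.` and give the const block its own line, e.g. `// KeyUsage bit values, re-exported from crypto/x509 so callers need not import both packages.`. The same treatment does not appear to have been applied to ExtKeyUsage — the test helper elsewhere in this commit still writes `[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}` — so if the goal is a single import path for callers, aliasing it the same way would be consistent; I cannot see from these hunks where the PublicKeyAlgorithm alias itself is declared. CheckSignatureFrom, checkSignature, marshalKeyUsage, signingParamsForPublicKey and CreateRevocationList all begin or end outside the hunks shown.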


@ -497,7 +497,7 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
SignatureAlgorithm: test.sigAlgo,
SubjectKeyId: []byte{1, 2, 3, 4},
KeyUsage: x509.KeyUsageCertSign,
KeyUsage: KeyUsageCertSign,
ExtKeyUsage: testExtKeyUsage,
UnknownExtKeyUsage: testUnknownExtKeyUsage,
@ -1181,7 +1181,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "issuer doesn't have crlSign key usage bit set",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCertSign,
KeyUsage: KeyUsageCertSign,
},
template: &x509.RevocationList{},
expectedError: "x509: issuer must have the crlSign key usage bit set",
@ -1190,7 +1190,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "issuer missing SubjectKeyId",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
},
template: &x509.RevocationList{},
expectedError: "x509: issuer certificate doesn't contain a subject key identifier",
@ -1199,7 +1199,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "nextUpdate before thisUpdate",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
@ -1215,7 +1215,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "nil Number",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
@ -1231,7 +1231,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "invalid signature algorithm",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
@ -1255,7 +1255,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "valid",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
@ -1277,7 +1277,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "valid, Ed25519 key",
key: ed25519Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
@ -1299,7 +1299,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "valid, non-default signature algorithm",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
@ -1322,7 +1322,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "valid, extra extension",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
@ -1350,7 +1350,7 @@ func TestCreateRevocationList(t *testing.T) {
name: "valid, empty list",
key: sm2Priv,
issuer: &x509.Certificate{
KeyUsage: x509.KeyUsageCRLSign,
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},