Alias x509 types

smx509/root_windows.go

@@ -92,9 +92,9 @@ func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) e
 		status := chainCtx.TrustStatus.ErrorStatus
 		switch status {
 		case syscall.CERT_TRUST_IS_NOT_TIME_VALID:
-			return x509.CertificateInvalidError{c.asX509(), x509.Expired, ""}
+			return CertificateInvalidError{c.asX509(), Expired, ""}
 		case syscall.CERT_TRUST_IS_NOT_VALID_FOR_USAGE:
-			return x509.CertificateInvalidError{c.asX509(), x509.IncompatibleUsage, ""}
+			return CertificateInvalidError{c.asX509(), IncompatibleUsage, ""}
 		// TODO(filippo): surface more error statuses.
 		default:
 			return UnknownAuthorityError{c, nil, nil}
@@ -133,7 +133,7 @@ func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContex
 	if status.Error != 0 {
 		switch status.Error {
 		case syscall.CERT_E_EXPIRED:
-			return x509.CertificateInvalidError{Cert: c.asX509(), Reason: x509.Expired, Detail: ""}
+			return CertificateInvalidError{Cert: c.asX509(), Reason: Expired, Detail: ""}
 		case syscall.CERT_E_CN_NO_MATCH:
 			return x509.HostnameError{Certificate: c.asX509(), Host: opts.DNSName}
 		case syscall.CERT_E_UNTRUSTEDROOT:

smx509/verify.go

@@ -14,6 +14,21 @@ import (
 	"unicode/utf8"
 )
 
+const (
+	NotAuthorizedToSign           = x509.NotAuthorizedToSign
+	Expired                       = x509.Expired
+	CANotAuthorizedForThisName    = x509.CANotAuthorizedForThisName
+	TooManyIntermediates          = x509.TooManyIntermediates
+	IncompatibleUsage             = x509.IncompatibleUsage
+	NameMismatch                  = x509.NameMismatch
+	NameConstraintsWithoutSANs    = x509.NameConstraintsWithoutSANs
+	UnconstrainedName             = x509.UnconstrainedName
+	TooManyConstraints            = x509.TooManyConstraints
+	CANotAuthorizedForExtKeyUsage = x509.CANotAuthorizedForExtKeyUsage
+)
+
+type CertificateInvalidError = x509.CertificateInvalidError
+
 // UnknownAuthorityError results when the certificate issuer is unknown
 type UnknownAuthorityError struct {
 	Cert *Certificate
@@ -246,18 +261,18 @@ func (c *Certificate) checkNameConstraints(count *int,
 
 	*count += excludedValue.Len()
 	if *count > maxConstraintComparisons {
-		return x509.CertificateInvalidError{c.asX509(), x509.TooManyConstraints, ""}
+		return CertificateInvalidError{c.asX509(), TooManyConstraints, ""}
 	}
 
 	for i := 0; i < excludedValue.Len(); i++ {
 		constraint := excludedValue.Index(i).Interface()
 		match, err := match(parsedName, constraint)
 		if err != nil {
-			return x509.CertificateInvalidError{c.asX509(), x509.CANotAuthorizedForThisName, err.Error()}
+			return CertificateInvalidError{c.asX509(), CANotAuthorizedForThisName, err.Error()}
 		}
 
 		if match {
-			return x509.CertificateInvalidError{c.asX509(), x509.CANotAuthorizedForThisName, fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint)}
+			return CertificateInvalidError{c.asX509(), CANotAuthorizedForThisName, fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint)}
 		}
 	}
 
@@ -265,7 +280,7 @@ func (c *Certificate) checkNameConstraints(count *int,
 
 	*count += permittedValue.Len()
 	if *count > maxConstraintComparisons {
-		return x509.CertificateInvalidError{c.asX509(), x509.TooManyConstraints, ""}
+		return CertificateInvalidError{c.asX509(), TooManyConstraints, ""}
 	}
 
 	ok := true
@@ -274,7 +289,7 @@ func (c *Certificate) checkNameConstraints(count *int,
 
 		var err error
 		if ok, err = match(parsedName, constraint); err != nil {
-			return x509.CertificateInvalidError{c.asX509(), x509.CANotAuthorizedForThisName, err.Error()}
+			return CertificateInvalidError{c.asX509(), CANotAuthorizedForThisName, err.Error()}
 		}
 
 		if ok {
@@ -283,7 +298,7 @@ func (c *Certificate) checkNameConstraints(count *int,
 	}
 
 	if !ok {
-		return x509.CertificateInvalidError{c.asX509(), x509.CANotAuthorizedForThisName, fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name)}
+		return CertificateInvalidError{c.asX509(), CANotAuthorizedForThisName, fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name)}
 	}
 
 	return nil
@@ -334,7 +349,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 	if len(currentChain) > 0 {
 		child := currentChain[len(currentChain)-1]
 		if !bytes.Equal(child.RawIssuer, c.RawSubject) {
-			return x509.CertificateInvalidError{c.asX509(), x509.NameMismatch, ""}
+			return CertificateInvalidError{c.asX509(), NameMismatch, ""}
 		}
 	}
 
@@ -343,15 +358,15 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 		now = time.Now()
 	}
 	if now.Before(c.NotBefore) {
-		return x509.CertificateInvalidError{
+		return CertificateInvalidError{
 			Cert:   c.asX509(),
-			Reason: x509.Expired,
+			Reason: Expired,
 			Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)),
 		}
 	} else if now.After(c.NotAfter) {
-		return x509.CertificateInvalidError{
+		return CertificateInvalidError{
 			Cert:   c.asX509(),
-			Reason: x509.Expired,
+			Reason: Expired,
 			Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)),
 		}
 	}
@@ -458,13 +473,13 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 	// encryption key could only be used for Diffie-Hellman key agreement.
 
 	if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) {
-		return x509.CertificateInvalidError{c.asX509(), x509.NotAuthorizedToSign, ""}
+		return CertificateInvalidError{c.asX509(), NotAuthorizedToSign, ""}
 	}
 
 	if c.BasicConstraintsValid && c.MaxPathLen >= 0 {
 		numIntermediates := len(currentChain) - 1
 		if numIntermediates > c.MaxPathLen {
-			return x509.CertificateInvalidError{c.asX509(), x509.TooManyIntermediates, ""}
+			return CertificateInvalidError{c.asX509(), TooManyIntermediates, ""}
 		}
 	}
 
@@ -571,7 +586,7 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
 	}
 
 	if len(chains) == 0 {
-		return nil, x509.CertificateInvalidError{c.asX509(), x509.IncompatibleUsage, ""}
+		return nil, CertificateInvalidError{c.asX509(), IncompatibleUsage, ""}
 	}
 
 	return chains, nil

smx509/verify_test.go

@@ -377,13 +377,13 @@ func expectHostnameError(msg string) func(*testing.T, error) {
 }
 
 func expectExpired(t *testing.T, err error) {
-	if inval, ok := err.(x509.CertificateInvalidError); !ok || inval.Reason != x509.Expired {
+	if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != Expired {
 		t.Fatalf("error was not Expired: %v", err)
 	}
 }
 
 func expectUsageError(t *testing.T, err error) {
-	if inval, ok := err.(x509.CertificateInvalidError); !ok || inval.Reason != x509.IncompatibleUsage {
+	if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != IncompatibleUsage {
 		t.Fatalf("error was not IncompatibleUsage: %v", err)
 	}
 }
@@ -408,13 +408,13 @@ func expectHashError(t *testing.T, err error) {
 }
 
 func expectNameConstraintsError(t *testing.T, err error) {
-	if inval, ok := err.(x509.CertificateInvalidError); !ok || inval.Reason != x509.CANotAuthorizedForThisName {
+	if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != CANotAuthorizedForThisName {
 		t.Fatalf("error was not a CANotAuthorizedForThisName: %v", err)
 	}
 }
 
 func expectNotAuthorizedError(t *testing.T, err error) {
-	if inval, ok := err.(x509.CertificateInvalidError); !ok || inval.Reason != x509.NotAuthorizedToSign {
+	if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != NotAuthorizedToSign {
 		t.Fatalf("error was not a NotAuthorizedToSign: %v", err)
 	}
 }