Alias x509 types

徐胖 2022-01-20 17:51:28 +08:00
parent f98e80a8d6
commit fc37929456
3 changed files with 48 additions and 37 deletions


@ -231,7 +231,7 @@ func parseExtension(der cryptobyte.String) (pkix.Extension, error) {
func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) { func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
der := cryptobyte.String(keyData.PublicKey.RightAlign()) der := cryptobyte.String(keyData.PublicKey.RightAlign())
switch algo { switch algo {
case x509.RSA: case RSA:
// RSA public keys must have a NULL in the parameters. // RSA public keys must have a NULL in the parameters.
// See RFC 3279, Section 2.3.1. // See RFC 3279, Section 2.3.1.
if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) { if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) {
@ -261,7 +261,7 @@ func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (inter
N: p.N, N: p.N,
} }
return pub, nil return pub, nil
case x509.ECDSA: case ECDSA:
paramsDer := cryptobyte.String(keyData.Algorithm.Parameters.FullBytes) paramsDer := cryptobyte.String(keyData.Algorithm.Parameters.FullBytes)
namedCurveOID := new(asn1.ObjectIdentifier) namedCurveOID := new(asn1.ObjectIdentifier)
if !paramsDer.ReadASN1ObjectIdentifier(namedCurveOID) { if !paramsDer.ReadASN1ObjectIdentifier(namedCurveOID) {
@ -281,7 +281,7 @@ func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (inter
Y: y, Y: y,
} }
return pub, nil return pub, nil
case x509.Ed25519: case Ed25519:
// RFC 8410, Section 3 // RFC 8410, Section 3
// > For all of the OIDs, the parameters MUST be absent. // > For all of the OIDs, the parameters MUST be absent.
if len(keyData.Algorithm.Parameters.FullBytes) != 0 { if len(keyData.Algorithm.Parameters.FullBytes) != 0 {
@ -291,7 +291,7 @@ func parsePublicKey(algo x509.PublicKeyAlgorithm, keyData *publicKeyInfo) (inter
return nil, errors.New("x509: wrong Ed25519 public key size") return nil, errors.New("x509: wrong Ed25519 public key size")
} }
return ed25519.PublicKey(der), nil return ed25519.PublicKey(der), nil
case x509.DSA: case DSA:
y := new(big.Int) y := new(big.Int)
if !der.ReadASN1Integer(y) { if !der.ReadASN1Integer(y) {
return nil, errors.New("x509: invalid DSA public key") return nil, errors.New("x509: invalid DSA public key")


@ -183,7 +183,7 @@ func verifyChain(c *Certificate, chainCtx *syscall.CertChainContext, opts *Verif
// using spoofed parameters, the signature will be invalid for the correct // using spoofed parameters, the signature will be invalid for the correct
// ones we parsed. (We don't support custom curves ourselves.) // ones we parsed. (We don't support custom curves ourselves.)
for i, parent := range chain[1:] { for i, parent := range chain[1:] {
if parent.PublicKeyAlgorithm != x509.ECDSA { if parent.PublicKeyAlgorithm != ECDSA {
continue continue
} }
if err := parent.CheckSignature(chain[i].SignatureAlgorithm, if err := parent.CheckSignature(chain[i].SignatureAlgorithm,


@ -225,6 +225,17 @@ func isRSAPSS(algo SignatureAlgorithm) bool {
} }
} }
type PublicKeyAlgorithm = x509.PublicKeyAlgorithm
const (
UnknownPublicKeyAlgorithm = x509.UnknownPublicKeyAlgorithm
RSA = x509.RSA
DSA = x509.DSA // Unsupported.
ECDSA = x509.ECDSA
Ed25519 = x509.Ed25519
)
// pkcs1PublicKey reflects the ASN.1 structure of a PKCS#1 public key. // pkcs1PublicKey reflects the ASN.1 structure of a PKCS#1 public key.
type pkcs1PublicKey struct { type pkcs1PublicKey struct {
N *big.Int N *big.Int
@ -238,24 +249,24 @@ var signatureAlgorithmDetails = []struct {
pubKeyAlgo x509.PublicKeyAlgorithm pubKeyAlgo x509.PublicKeyAlgorithm
hash crypto.Hash hash crypto.Hash
}{ }{
{MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, x509.RSA, crypto.Hash(0) /* no value for MD2 */}, {MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
{MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, x509.RSA, crypto.MD5}, {MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
{SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, x509.RSA, crypto.SHA1}, {SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
{SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, x509.RSA, crypto.SHA1}, {SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
{SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, x509.RSA, crypto.SHA256}, {SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
{SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, x509.RSA, crypto.SHA384}, {SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
{SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, x509.RSA, crypto.SHA512}, {SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
{SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, x509.RSA, crypto.SHA256}, {SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
{SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, x509.RSA, crypto.SHA384}, {SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
{SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, x509.RSA, crypto.SHA512}, {SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
{DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, x509.DSA, crypto.SHA1}, {DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
{DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, x509.DSA, crypto.SHA256}, {DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
{ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, x509.ECDSA, crypto.SHA1}, {ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
{ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, x509.ECDSA, crypto.SHA256}, {ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
{ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, x509.ECDSA, crypto.SHA384}, {ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
{ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, x509.ECDSA, crypto.SHA512}, {ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
{PureEd25519, "Ed25519", oidSignatureEd25519, x509.Ed25519, crypto.Hash(0) /* no pre-hashing */}, {PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */},
{SM2WithSM3, "SM2-SM3", oidSignatureSM2WithSM3, x509.ECDSA, crypto.Hash(0) /* no pre-hashing */}, {SM2WithSM3, "SM2-SM3", oidSignatureSM2WithSM3, ECDSA, crypto.Hash(0) /* no pre-hashing */},
} }
// hashToPSSParameters contains the DER encoded RSA PSS parameters for the // hashToPSSParameters contains the DER encoded RSA PSS parameters for the
@ -363,15 +374,15 @@ var (
func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.PublicKeyAlgorithm { func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.PublicKeyAlgorithm {
switch { switch {
case oid.Equal(oidPublicKeyRSA): case oid.Equal(oidPublicKeyRSA):
return x509.RSA return RSA
case oid.Equal(oidPublicKeyDSA): case oid.Equal(oidPublicKeyDSA):
return x509.DSA return DSA
case oid.Equal(oidPublicKeyECDSA): case oid.Equal(oidPublicKeyECDSA):
return x509.ECDSA return ECDSA
case oid.Equal(oidPublicKeyEd25519): case oid.Equal(oidPublicKeyEd25519):
return x509.Ed25519 return Ed25519
} }
return x509.UnknownPublicKeyAlgorithm return UnknownPublicKeyAlgorithm
} }
// http://gmssl.org/docs/oid.html // http://gmssl.org/docs/oid.html
@ -546,7 +557,7 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
return x509.ConstraintViolationError{} return x509.ConstraintViolationError{}
} }
if parent.PublicKeyAlgorithm == x509.UnknownPublicKeyAlgorithm { if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
return x509.ErrUnsupportedAlgorithm return x509.ErrUnsupportedAlgorithm
} }
@ -610,7 +621,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey
switch hashType { switch hashType {
case crypto.Hash(0): case crypto.Hash(0):
if !isSM2 && pubKeyAlgo != x509.Ed25519 { if !isSM2 && pubKeyAlgo != Ed25519 {
return x509.ErrUnsupportedAlgorithm return x509.ErrUnsupportedAlgorithm
} }
case crypto.MD5: case crypto.MD5:
@ -626,7 +637,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey
switch pub := publicKey.(type) { switch pub := publicKey.(type) {
case *rsa.PublicKey: case *rsa.PublicKey:
if pubKeyAlgo != x509.RSA { if pubKeyAlgo != RSA {
return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
} }
if isRSAPSS(algo) { if isRSAPSS(algo) {
@ -635,7 +646,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey
return rsa.VerifyPKCS1v15(pub, hashType, signed, signature) return rsa.VerifyPKCS1v15(pub, hashType, signed, signature)
} }
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
if pubKeyAlgo != x509.ECDSA { if pubKeyAlgo != ECDSA {
return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
} }
if isSM2 { if isSM2 {
@ -647,7 +658,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey
} }
return return
case ed25519.PublicKey: case ed25519.PublicKey:
if pubKeyAlgo != x509.Ed25519 { if pubKeyAlgo != Ed25519 {
return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
} }
if !ed25519.Verify(pub, signed, signature) { if !ed25519.Verify(pub, signed, signature) {
@ -1131,13 +1142,13 @@ func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgori
switch pub := pub.(type) { switch pub := pub.(type) {
case *rsa.PublicKey: case *rsa.PublicKey:
pubType = x509.RSA pubType = RSA
hashFunc = crypto.SHA256 hashFunc = crypto.SHA256
sigAlgo.Algorithm = oidSignatureSHA256WithRSA sigAlgo.Algorithm = oidSignatureSHA256WithRSA
sigAlgo.Parameters = asn1.NullRawValue sigAlgo.Parameters = asn1.NullRawValue
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
pubType = x509.ECDSA pubType = ECDSA
switch pub.Curve { switch pub.Curve {
case elliptic.P224(), elliptic.P256(): case elliptic.P224(), elliptic.P256():
@ -1157,7 +1168,7 @@ func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgori
} }
case ed25519.PublicKey: case ed25519.PublicKey:
pubType = x509.Ed25519 pubType = Ed25519
sigAlgo.Algorithm = oidSignatureEd25519 sigAlgo.Algorithm = oidSignatureEd25519
default: default:
@ -1180,7 +1191,7 @@ func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgori
return return
} }
sigAlgo.Algorithm, hashFunc = details.oid, details.hash sigAlgo.Algorithm, hashFunc = details.oid, details.hash
if hashFunc == 0 && pubType != x509.Ed25519 && !sigAlgo.Algorithm.Equal(oidSignatureSM2WithSM3) { if hashFunc == 0 && pubType != Ed25519 && !sigAlgo.Algorithm.Equal(oidSignatureSM2WithSM3) {
err = errors.New("x509: cannot sign with hash function requested") err = errors.New("x509: cannot sign with hash function requested")
return return
} }
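Review bot: The new exported alias block (`type PublicKeyAlgorithm = x509.PublicKeyAlgorithm` and its `const` group) has no doc comments, and it omits the one fact a caller needs: an alias cannot gain a value of its own for SM2, so the `SM2WithSM3` row of `signatureAlgorithmDetails` is filed under `ECDSA`. I would add `// PublicKeyAlgorithm is an alias of crypto/x509.PublicKeyAlgorithm, so values are interchangeable with the standard library's.` above the type and `ECDSA = x509.ECDSA // SM2WithSM3 signatures are also filed under ECDSA` on the constant. As a consequence, the `*ecdsa.PublicKey` arm of `checkSignature` passes `if pubKeyAlgo != ECDSA` for both kinds of signature and relies on `isSM2` alone. The rest of that arm lies outside the hunk, so it is worth confirming that it rejects a key whose curve does not match the signature algorithm. The context lines `pubKeyAlgo x509.PublicKeyAlgorithm` and the return type of `getPublicKeyAlgorithmFromOID` still use the stdlib name and could use the alias for consistency.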