mirror of
https://github.com/emmansun/gmsm.git
synced 2025-04-22 02:06:18 +08:00
1903 lines
62 KiB
Go
1903 lines
62 KiB
Go
package smx509
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/ed25519"
|
|
"crypto/elliptic"
|
|
"crypto/rsa"
|
|
"crypto/sha1"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"math/big"
|
|
"net"
|
|
"net/url"
|
|
"time"
|
|
"unicode/utf8"
|
|
|
|
"golang.org/x/crypto/cryptobyte"
|
|
cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
|
|
|
|
"github.com/emmansun/gmsm/sm2"
|
|
)
|
|
|
|
// pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
|
|
// in RFC 3280.
|
|
type pkixPublicKey struct {
|
|
Algo pkix.AlgorithmIdentifier
|
|
BitString asn1.BitString
|
|
}
|
|
|
|
// ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
|
|
//
|
|
// It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
|
|
// ed25519.PublicKey. More types might be supported in the future.
|
|
//
|
|
// This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
|
|
func ParsePKIXPublicKey(derBytes []byte) (interface{}, error) {
|
|
var pki publicKeyInfo
|
|
if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
|
|
if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil {
|
|
return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)")
|
|
}
|
|
return nil, err
|
|
} else if len(rest) != 0 {
|
|
return nil, errors.New("x509: trailing data after ASN.1 of public-key")
|
|
}
|
|
|
|
if !pki.Algorithm.Algorithm.Equal(oidPublicKeyECDSA) {
|
|
return x509.ParsePKIXPublicKey(derBytes)
|
|
}
|
|
keyData := &pki
|
|
asn1Data := keyData.PublicKey.RightAlign()
|
|
paramsData := keyData.Algorithm.Parameters.FullBytes
|
|
namedCurveOID := new(asn1.ObjectIdentifier)
|
|
rest, err := asn1.Unmarshal(paramsData, namedCurveOID)
|
|
if err != nil {
|
|
return nil, errors.New("x509: failed to parse ECDSA parameters as named curve")
|
|
}
|
|
if len(rest) != 0 {
|
|
return nil, errors.New("x509: trailing data after ECDSA parameters")
|
|
}
|
|
if !namedCurveOID.Equal(oidNamedCurveP256SM2) {
|
|
return x509.ParsePKIXPublicKey(derBytes)
|
|
}
|
|
namedCurve := sm2.P256()
|
|
x, y := elliptic.Unmarshal(namedCurve, asn1Data)
|
|
if x == nil {
|
|
return nil, errors.New("x509: failed to unmarshal elliptic curve point")
|
|
}
|
|
pub := &ecdsa.PublicKey{
|
|
Curve: namedCurve,
|
|
X: x,
|
|
Y: y,
|
|
}
|
|
return pub, nil
|
|
}
|
|
|
|
func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
|
|
switch pub := pub.(type) {
|
|
case *rsa.PublicKey:
|
|
publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
|
|
N: pub.N,
|
|
E: pub.E,
|
|
})
|
|
if err != nil {
|
|
return nil, pkix.AlgorithmIdentifier{}, err
|
|
}
|
|
publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
|
|
// This is a NULL parameters value which is required by
|
|
// RFC 3279, Section 2.3.1.
|
|
publicKeyAlgorithm.Parameters = asn1.NullRawValue
|
|
case *ecdsa.PublicKey:
|
|
publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
|
|
oid, ok := oidFromNamedCurve(pub.Curve)
|
|
if !ok {
|
|
return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
|
|
}
|
|
publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
|
|
var paramBytes []byte
|
|
paramBytes, err = asn1.Marshal(oid)
|
|
if err != nil {
|
|
return
|
|
}
|
|
publicKeyAlgorithm.Parameters.FullBytes = paramBytes
|
|
case ed25519.PublicKey:
|
|
publicKeyBytes = pub
|
|
publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519
|
|
default:
|
|
return nil, pkix.AlgorithmIdentifier{}, fmt.Errorf("x509: unsupported public key type: %T", pub)
|
|
}
|
|
|
|
return publicKeyBytes, publicKeyAlgorithm, nil
|
|
}
|
|
|
|
// MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
|
|
//
|
|
// The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
|
|
// and ed25519.PublicKey. Unsupported key types result in an error.
|
|
//
|
|
// This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
|
|
func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
|
|
var publicKeyBytes []byte
|
|
var publicKeyAlgorithm pkix.AlgorithmIdentifier
|
|
var err error
|
|
|
|
if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pkix := pkixPublicKey{
|
|
Algo: publicKeyAlgorithm,
|
|
BitString: asn1.BitString{
|
|
Bytes: publicKeyBytes,
|
|
BitLength: 8 * len(publicKeyBytes),
|
|
},
|
|
}
|
|
|
|
ret, _ := asn1.Marshal(pkix)
|
|
return ret, nil
|
|
}
|
|
|
|
// CertificateRequest represents a PKCS #10, certificate signature request.
|
|
type CertificateRequest struct {
|
|
x509.CertificateRequest
|
|
}
|
|
|
|
// These structures reflect the ASN.1 structure of X.509 certificates.:
|
|
type certificate struct {
|
|
Raw asn1.RawContent
|
|
TBSCertificate tbsCertificate
|
|
SignatureAlgorithm pkix.AlgorithmIdentifier
|
|
SignatureValue asn1.BitString
|
|
}
|
|
|
|
type tbsCertificate struct {
|
|
Raw asn1.RawContent
|
|
Version int `asn1:"optional,explicit,default:0,tag:0"`
|
|
SerialNumber *big.Int
|
|
SignatureAlgorithm pkix.AlgorithmIdentifier
|
|
Issuer asn1.RawValue
|
|
Validity validity
|
|
Subject asn1.RawValue
|
|
PublicKey publicKeyInfo
|
|
UniqueId asn1.BitString `asn1:"optional,tag:1"`
|
|
SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
|
|
Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"`
|
|
}
|
|
|
|
type dsaAlgorithmParameters struct {
|
|
P, Q, G *big.Int
|
|
}
|
|
|
|
type validity struct {
|
|
NotBefore, NotAfter time.Time
|
|
}
|
|
|
|
type publicKeyInfo struct {
|
|
Raw asn1.RawContent
|
|
Algorithm pkix.AlgorithmIdentifier
|
|
PublicKey asn1.BitString
|
|
}
|
|
|
|
// RFC 5280, 4.2.1.1
|
|
type authKeyId struct {
|
|
Id []byte `asn1:"optional,tag:0"`
|
|
}
|
|
|
|
func isRSAPSS(algo x509.SignatureAlgorithm) bool {
|
|
switch algo {
|
|
case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
|
|
return true
|
|
default:
|
|
return false
|
|
}
|
|
}
|
|
|
|
// pkcs1PublicKey reflects the ASN.1 structure of a PKCS#1 public key.
|
|
type pkcs1PublicKey struct {
|
|
N *big.Int
|
|
E int
|
|
}
|
|
|
|
const SM2WithSM3 x509.SignatureAlgorithm = 99
|
|
|
|
var signatureAlgorithmDetails = []struct {
|
|
algo x509.SignatureAlgorithm
|
|
name string
|
|
oid asn1.ObjectIdentifier
|
|
pubKeyAlgo x509.PublicKeyAlgorithm
|
|
hash crypto.Hash
|
|
}{
|
|
{x509.MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, x509.RSA, crypto.Hash(0) /* no value for MD2 */},
|
|
{x509.MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, x509.RSA, crypto.MD5},
|
|
{x509.SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, x509.RSA, crypto.SHA1},
|
|
{x509.SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, x509.RSA, crypto.SHA1},
|
|
{x509.SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, x509.RSA, crypto.SHA256},
|
|
{x509.SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, x509.RSA, crypto.SHA384},
|
|
{x509.SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, x509.RSA, crypto.SHA512},
|
|
{x509.SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, x509.RSA, crypto.SHA256},
|
|
{x509.SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, x509.RSA, crypto.SHA384},
|
|
{x509.SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, x509.RSA, crypto.SHA512},
|
|
{x509.DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, x509.DSA, crypto.SHA1},
|
|
{x509.DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, x509.DSA, crypto.SHA256},
|
|
{x509.ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, x509.ECDSA, crypto.SHA1},
|
|
{x509.ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, x509.ECDSA, crypto.SHA256},
|
|
{x509.ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, x509.ECDSA, crypto.SHA384},
|
|
{x509.ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, x509.ECDSA, crypto.SHA512},
|
|
{x509.PureEd25519, "Ed25519", oidSignatureEd25519, x509.Ed25519, crypto.Hash(0) /* no pre-hashing */},
|
|
{SM2WithSM3, "SM2-SM3", oidSignatureSM2WithSM3, x509.ECDSA, crypto.Hash(0) /* no pre-hashing */},
|
|
}
|
|
|
|
// hashToPSSParameters contains the DER encoded RSA PSS parameters for the
|
|
// SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3.
|
|
// The parameters contain the following values:
|
|
// * hashAlgorithm contains the associated hash identifier with NULL parameters
|
|
// * maskGenAlgorithm always contains the default mgf1SHA1 identifier
|
|
// * saltLength contains the length of the associated hash
|
|
// * trailerField always contains the default trailerFieldBC value
|
|
var hashToPSSParameters = map[crypto.Hash]asn1.RawValue{
|
|
crypto.SHA256: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 162, 3, 2, 1, 32}},
|
|
crypto.SHA384: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 162, 3, 2, 1, 48}},
|
|
crypto.SHA512: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 162, 3, 2, 1, 64}},
|
|
}
|
|
|
|
// pssParameters reflects the parameters in an AlgorithmIdentifier that
|
|
// specifies RSA PSS. See RFC 3447, Appendix A.2.3.
|
|
type pssParameters struct {
|
|
// The following three fields are not marked as
|
|
// optional because the default values specify SHA-1,
|
|
// which is no longer suitable for use in signatures.
|
|
Hash pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
|
|
MGF pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
|
|
SaltLength int `asn1:"explicit,tag:2"`
|
|
TrailerField int `asn1:"optional,explicit,tag:3,default:1"`
|
|
}
|
|
|
|
func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) x509.SignatureAlgorithm {
|
|
if ai.Algorithm.Equal(oidSignatureEd25519) {
|
|
// RFC 8410, Section 3
|
|
// > For all of the OIDs, the parameters MUST be absent.
|
|
if len(ai.Parameters.FullBytes) != 0 {
|
|
return x509.UnknownSignatureAlgorithm
|
|
}
|
|
}
|
|
|
|
if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
|
|
for _, details := range signatureAlgorithmDetails {
|
|
if ai.Algorithm.Equal(details.oid) {
|
|
return details.algo
|
|
}
|
|
}
|
|
return x509.UnknownSignatureAlgorithm
|
|
}
|
|
|
|
// RSA PSS is special because it encodes important parameters
|
|
// in the Parameters.
|
|
|
|
var params pssParameters
|
|
if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, ¶ms); err != nil {
|
|
return x509.UnknownSignatureAlgorithm
|
|
}
|
|
|
|
var mgf1HashFunc pkix.AlgorithmIdentifier
|
|
if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
|
|
return x509.UnknownSignatureAlgorithm
|
|
}
|
|
|
|
// PSS is greatly overburdened with options. This code forces them into
|
|
// three buckets by requiring that the MGF1 hash function always match the
|
|
// message hash function (as recommended in RFC 3447, Section 8.1), that the
|
|
// salt length matches the hash length, and that the trailer field has the
|
|
// default value.
|
|
if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
|
|
!params.MGF.Algorithm.Equal(oidMGF1) ||
|
|
!mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
|
|
(len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
|
|
params.TrailerField != 1 {
|
|
return x509.UnknownSignatureAlgorithm
|
|
}
|
|
|
|
switch {
|
|
case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
|
|
return x509.SHA256WithRSAPSS
|
|
case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
|
|
return x509.SHA384WithRSAPSS
|
|
case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
|
|
return x509.SHA512WithRSAPSS
|
|
}
|
|
|
|
return x509.UnknownSignatureAlgorithm
|
|
}
|
|
|
|
// RFC 3279, 2.3 Public Key Algorithms
|
|
//
|
|
// pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
|
|
// rsadsi(113549) pkcs(1) 1 }
|
|
//
|
|
// rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
|
|
//
|
|
// id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
|
|
// x9-57(10040) x9cm(4) 1 }
|
|
//
|
|
// RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
|
|
//
|
|
// id-ecPublicKey OBJECT IDENTIFIER ::= {
|
|
// iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
|
|
var (
|
|
oidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
|
|
oidPublicKeyDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
|
|
oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
|
|
oidPublicKeyEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112}
|
|
)
|
|
|
|
func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.PublicKeyAlgorithm {
|
|
switch {
|
|
case oid.Equal(oidPublicKeyRSA):
|
|
return x509.RSA
|
|
case oid.Equal(oidPublicKeyDSA):
|
|
return x509.DSA
|
|
case oid.Equal(oidPublicKeyECDSA):
|
|
return x509.ECDSA
|
|
case oid.Equal(oidPublicKeyEd25519):
|
|
return x509.Ed25519
|
|
}
|
|
return x509.UnknownPublicKeyAlgorithm
|
|
}
|
|
|
|
// http://gmssl.org/docs/oid.html
|
|
var (
|
|
oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
|
|
oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
|
|
oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
|
|
oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
|
|
oidNamedCurveP256SM2 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 301}
|
|
|
|
oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
|
|
oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
|
|
oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
|
|
oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
|
|
oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
|
|
oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
|
|
oidSignatureRSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
|
|
oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
|
|
oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
|
|
oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
|
|
oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
|
|
oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
|
|
oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
|
|
oidSignatureEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112}
|
|
oidSignatureSM2WithSM3 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 501}
|
|
oidSignatureSM2WithSHA1 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 502}
|
|
oidSignatureSM2WithSHA256 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 503}
|
|
|
|
oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
|
|
oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
|
|
oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
|
|
|
|
oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
|
|
|
|
// oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
|
|
// but it's specified by ISO. Microsoft's makecert.exe has been known
|
|
// to produce certificates with this OID.
|
|
oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
|
|
)
|
|
|
|
func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
|
|
switch curve {
|
|
case elliptic.P224():
|
|
return oidNamedCurveP224, true
|
|
case elliptic.P256():
|
|
return oidNamedCurveP256, true
|
|
case elliptic.P384():
|
|
return oidNamedCurveP384, true
|
|
case elliptic.P521():
|
|
return oidNamedCurveP521, true
|
|
case sm2.P256():
|
|
return oidNamedCurveP256SM2, true
|
|
}
|
|
|
|
return nil, false
|
|
}
|
|
|
|
func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
|
|
switch {
|
|
case oid.Equal(oidNamedCurveP224):
|
|
return elliptic.P224()
|
|
case oid.Equal(oidNamedCurveP256):
|
|
return elliptic.P256()
|
|
case oid.Equal(oidNamedCurveP384):
|
|
return elliptic.P384()
|
|
case oid.Equal(oidNamedCurveP521):
|
|
return elliptic.P521()
|
|
case oid.Equal(oidNamedCurveP256SM2):
|
|
return sm2.P256()
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// RFC 5280, 4.2.1.12 Extended Key Usage
|
|
//
|
|
// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
|
|
//
|
|
// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
|
|
//
|
|
// id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
|
|
// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
|
|
// id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
|
|
// id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
|
|
// id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
|
|
// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
|
|
var (
|
|
oidExtKeyUsageAny = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
|
|
oidExtKeyUsageServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
|
|
oidExtKeyUsageClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
|
|
oidExtKeyUsageCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
|
|
oidExtKeyUsageEmailProtection = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
|
|
oidExtKeyUsageIPSECEndSystem = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
|
|
oidExtKeyUsageIPSECTunnel = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
|
|
oidExtKeyUsageIPSECUser = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
|
|
oidExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
|
|
oidExtKeyUsageOCSPSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
|
|
oidExtKeyUsageMicrosoftServerGatedCrypto = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
|
|
oidExtKeyUsageNetscapeServerGatedCrypto = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
|
|
oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
|
|
oidExtKeyUsageMicrosoftKernelCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
|
|
)
|
|
|
|
// extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
|
|
var extKeyUsageOIDs = []struct {
|
|
extKeyUsage x509.ExtKeyUsage
|
|
oid asn1.ObjectIdentifier
|
|
}{
|
|
{x509.ExtKeyUsageAny, oidExtKeyUsageAny},
|
|
{x509.ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
|
|
{x509.ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
|
|
{x509.ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
|
|
{x509.ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
|
|
{x509.ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
|
|
{x509.ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
|
|
{x509.ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
|
|
{x509.ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
|
|
{x509.ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
|
|
{x509.ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
|
|
{x509.ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
|
|
{x509.ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
|
|
{x509.ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
|
|
}
|
|
|
|
func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku x509.ExtKeyUsage, ok bool) {
|
|
for _, pair := range extKeyUsageOIDs {
|
|
if oid.Equal(pair.oid) {
|
|
return pair.extKeyUsage, true
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
func oidFromExtKeyUsage(eku x509.ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
|
|
for _, pair := range extKeyUsageOIDs {
|
|
if eku == pair.extKeyUsage {
|
|
return pair.oid, true
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
// A Certificate represents an X.509 certificate.
|
|
type Certificate struct {
|
|
x509.Certificate
|
|
}
|
|
|
|
func (c *Certificate) Equal(other *Certificate) bool {
|
|
if c == nil || other == nil {
|
|
return c == other
|
|
}
|
|
return bytes.Equal(c.Raw, other.Raw)
|
|
}
|
|
|
|
func (c *Certificate) hasSANExtension() bool {
|
|
return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
|
|
}
|
|
|
|
// CheckSignatureFrom verifies that the signature on c is a valid signature
|
|
// from parent.
|
|
func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
|
|
// RFC 5280, 4.2.1.9:
|
|
// "If the basic constraints extension is not present in a version 3
|
|
// certificate, or the extension is present but the cA boolean is not
|
|
// asserted, then the certified public key MUST NOT be used to verify
|
|
// certificate signatures."
|
|
if parent.Version == 3 && !parent.BasicConstraintsValid ||
|
|
parent.BasicConstraintsValid && !parent.IsCA {
|
|
return x509.ConstraintViolationError{}
|
|
}
|
|
|
|
if parent.KeyUsage != 0 && parent.KeyUsage&x509.KeyUsageCertSign == 0 {
|
|
return x509.ConstraintViolationError{}
|
|
}
|
|
|
|
if parent.PublicKeyAlgorithm == x509.UnknownPublicKeyAlgorithm {
|
|
return x509.ErrUnsupportedAlgorithm
|
|
}
|
|
|
|
// TODO(agl): don't ignore the path length constraint.
|
|
|
|
return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
|
|
}
|
|
|
|
// CheckSignature verifies that signature is a valid signature over signed from
|
|
// c's public key.
|
|
func (c *Certificate) CheckSignature(algo x509.SignatureAlgorithm, signed, signature []byte) error {
|
|
return checkSignature(algo, signed, signature, c.PublicKey)
|
|
}
|
|
|
|
func (c *Certificate) hasNameConstraints() bool {
|
|
return oidInExtensions(oidExtensionNameConstraints, c.Extensions)
|
|
}
|
|
|
|
func (c *Certificate) getSANExtension() []byte {
|
|
for _, e := range c.Extensions {
|
|
if e.Id.Equal(oidExtensionSubjectAltName) {
|
|
return e.Value
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo x509.PublicKeyAlgorithm, pubKey interface{}) error {
|
|
return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
|
|
}
|
|
|
|
func verifyECDSAASN1(pub *ecdsa.PublicKey, hash, sig []byte) bool {
|
|
var (
|
|
r, s = &big.Int{}, &big.Int{}
|
|
inner cryptobyte.String
|
|
)
|
|
input := cryptobyte.String(sig)
|
|
if !input.ReadASN1(&inner, cryptobyte_asn1.SEQUENCE) ||
|
|
!input.Empty() ||
|
|
!inner.ReadASN1Integer(r) ||
|
|
!inner.ReadASN1Integer(s) ||
|
|
!inner.Empty() {
|
|
return false
|
|
}
|
|
return ecdsa.Verify(pub, hash, r, s)
|
|
}
|
|
|
|
// checkSignature verifies that signature is a valid signature over signed from
|
|
// a crypto.PublicKey.
|
|
func checkSignature(algo x509.SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
|
|
var hashType crypto.Hash
|
|
var pubKeyAlgo x509.PublicKeyAlgorithm
|
|
|
|
isSM2 := (algo == SM2WithSM3)
|
|
for _, details := range signatureAlgorithmDetails {
|
|
if details.algo == algo {
|
|
hashType = details.hash
|
|
pubKeyAlgo = details.pubKeyAlgo
|
|
}
|
|
}
|
|
|
|
switch hashType {
|
|
case crypto.Hash(0):
|
|
if !isSM2 && pubKeyAlgo != x509.Ed25519 {
|
|
return x509.ErrUnsupportedAlgorithm
|
|
}
|
|
case crypto.MD5:
|
|
return x509.InsecureAlgorithmError(algo)
|
|
default:
|
|
if !hashType.Available() {
|
|
return x509.ErrUnsupportedAlgorithm
|
|
}
|
|
h := hashType.New()
|
|
h.Write(signed)
|
|
signed = h.Sum(nil)
|
|
}
|
|
|
|
switch pub := publicKey.(type) {
|
|
case *rsa.PublicKey:
|
|
if pubKeyAlgo != x509.RSA {
|
|
return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
|
|
}
|
|
if isRSAPSS(algo) {
|
|
return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
|
|
} else {
|
|
return rsa.VerifyPKCS1v15(pub, hashType, signed, signature)
|
|
}
|
|
case *ecdsa.PublicKey:
|
|
if pubKeyAlgo != x509.ECDSA {
|
|
return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
|
|
}
|
|
if isSM2 {
|
|
if !sm2.VerifyASN1WithSM2(pub, nil, signed, signature) {
|
|
return errors.New("x509: ECDSA verification failure")
|
|
}
|
|
} else if !ecdsa.VerifyASN1(pub, signed, signature) {
|
|
return errors.New("x509: ECDSA verification failure")
|
|
}
|
|
return
|
|
case ed25519.PublicKey:
|
|
if pubKeyAlgo != x509.Ed25519 {
|
|
return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
|
|
}
|
|
if !ed25519.Verify(pub, signed, signature) {
|
|
return errors.New("x509: Ed25519 verification failure")
|
|
}
|
|
return
|
|
}
|
|
return x509.ErrUnsupportedAlgorithm
|
|
}
|
|
|
|
// CheckCRLSignature checks that the signature in crl is from c.
|
|
func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error {
|
|
algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm)
|
|
return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign())
|
|
}
|
|
|
|
type basicConstraints struct {
|
|
IsCA bool `asn1:"optional"`
|
|
MaxPathLen int `asn1:"optional,default:-1"`
|
|
}
|
|
|
|
// RFC 5280 4.2.1.4
|
|
type policyInformation struct {
|
|
Policy asn1.ObjectIdentifier
|
|
// policyQualifiers omitted
|
|
}
|
|
|
|
const (
|
|
nameTypeEmail = 1
|
|
nameTypeDNS = 2
|
|
nameTypeURI = 6
|
|
nameTypeIP = 7
|
|
)
|
|
|
|
// RFC 5280, 4.2.2.1
|
|
type authorityInfoAccess struct {
|
|
Method asn1.ObjectIdentifier
|
|
Location asn1.RawValue
|
|
}
|
|
|
|
// RFC 5280, 4.2.1.14
|
|
type distributionPoint struct {
|
|
DistributionPoint distributionPointName `asn1:"optional,tag:0"`
|
|
Reason asn1.BitString `asn1:"optional,tag:1"`
|
|
CRLIssuer asn1.RawValue `asn1:"optional,tag:2"`
|
|
}
|
|
|
|
type distributionPointName struct {
|
|
FullName []asn1.RawValue `asn1:"optional,tag:0"`
|
|
RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
|
|
}
|
|
|
|
func reverseBitsInAByte(in byte) byte {
|
|
b1 := in>>4 | in<<4
|
|
b2 := b1>>2&0x33 | b1<<2&0xcc
|
|
b3 := b2>>1&0x55 | b2<<1&0xaa
|
|
return b3
|
|
}
|
|
|
|
// asn1BitLength returns the bit-length of bitString by considering the
|
|
// most-significant bit in a byte to be the "first" bit. This convention
|
|
// matches ASN.1, but differs from almost everything else.
|
|
func asn1BitLength(bitString []byte) int {
|
|
bitLen := len(bitString) * 8
|
|
|
|
for i := range bitString {
|
|
b := bitString[len(bitString)-i-1]
|
|
|
|
for bit := uint(0); bit < 8; bit++ {
|
|
if (b>>bit)&1 == 1 {
|
|
return bitLen
|
|
}
|
|
bitLen--
|
|
}
|
|
}
|
|
|
|
return 0
|
|
}
|
|
|
|
var (
|
|
oidExtensionSubjectKeyId = []int{2, 5, 29, 14}
|
|
oidExtensionKeyUsage = []int{2, 5, 29, 15}
|
|
oidExtensionExtendedKeyUsage = []int{2, 5, 29, 37}
|
|
oidExtensionAuthorityKeyId = []int{2, 5, 29, 35}
|
|
oidExtensionBasicConstraints = []int{2, 5, 29, 19}
|
|
oidExtensionSubjectAltName = []int{2, 5, 29, 17}
|
|
oidExtensionCertificatePolicies = []int{2, 5, 29, 32}
|
|
oidExtensionNameConstraints = []int{2, 5, 29, 30}
|
|
oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31}
|
|
oidExtensionAuthorityInfoAccess = []int{1, 3, 6, 1, 5, 5, 7, 1, 1}
|
|
oidExtensionCRLNumber = []int{2, 5, 29, 20}
|
|
)
|
|
|
|
var (
|
|
oidAuthorityInfoAccessOcsp = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
|
|
oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
|
|
)
|
|
|
|
// oidNotInExtensions reports whether an extension with the given oid exists in
|
|
// extensions.
|
|
func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool {
|
|
for _, e := range extensions {
|
|
if e.Id.Equal(oid) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// marshalSANs marshals a list of addresses into a the contents of an X.509
|
|
// SubjectAlternativeName extension.
|
|
func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) {
|
|
var rawValues []asn1.RawValue
|
|
for _, name := range dnsNames {
|
|
if err := isIA5String(name); err != nil {
|
|
return nil, err
|
|
}
|
|
rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)})
|
|
}
|
|
for _, email := range emailAddresses {
|
|
if err := isIA5String(email); err != nil {
|
|
return nil, err
|
|
}
|
|
rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)})
|
|
}
|
|
for _, rawIP := range ipAddresses {
|
|
// If possible, we always want to encode IPv4 addresses in 4 bytes.
|
|
ip := rawIP.To4()
|
|
if ip == nil {
|
|
ip = rawIP
|
|
}
|
|
rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip})
|
|
}
|
|
for _, uri := range uris {
|
|
uriStr := uri.String()
|
|
if err := isIA5String(uriStr); err != nil {
|
|
return nil, err
|
|
}
|
|
rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uri.String())})
|
|
}
|
|
return asn1.Marshal(rawValues)
|
|
}
|
|
|
|
func isIA5String(s string) error {
|
|
for _, r := range s {
|
|
if r >= utf8.RuneSelf {
|
|
return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func buildCertExtensions(template *x509.Certificate, subjectIsEmpty bool, authorityKeyId, subjectKeyId []byte) (ret []pkix.Extension, err error) {
|
|
ret = make([]pkix.Extension, 10 /* maximum number of elements. */)
|
|
n := 0
|
|
|
|
if template.KeyUsage != 0 &&
|
|
!oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
|
|
ret[n], err = marshalKeyUsage(template.KeyUsage)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
n++
|
|
}
|
|
|
|
if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
|
|
!oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
|
|
ret[n], err = marshalExtKeyUsage(template.ExtKeyUsage, template.UnknownExtKeyUsage)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
n++
|
|
}
|
|
|
|
if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) {
|
|
ret[n], err = marshalBasicConstraints(template.IsCA, template.MaxPathLen, template.MaxPathLenZero)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
n++
|
|
}
|
|
|
|
if len(subjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) {
|
|
ret[n].Id = oidExtensionSubjectKeyId
|
|
ret[n].Value, err = asn1.Marshal(subjectKeyId)
|
|
if err != nil {
|
|
return
|
|
}
|
|
n++
|
|
}
|
|
|
|
if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {
|
|
ret[n].Id = oidExtensionAuthorityKeyId
|
|
ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId})
|
|
if err != nil {
|
|
return
|
|
}
|
|
n++
|
|
}
|
|
|
|
if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
|
|
!oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) {
|
|
ret[n].Id = oidExtensionAuthorityInfoAccess
|
|
var aiaValues []authorityInfoAccess
|
|
for _, name := range template.OCSPServer {
|
|
aiaValues = append(aiaValues, authorityInfoAccess{
|
|
Method: oidAuthorityInfoAccessOcsp,
|
|
Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
|
|
})
|
|
}
|
|
for _, name := range template.IssuingCertificateURL {
|
|
aiaValues = append(aiaValues, authorityInfoAccess{
|
|
Method: oidAuthorityInfoAccessIssuers,
|
|
Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
|
|
})
|
|
}
|
|
ret[n].Value, err = asn1.Marshal(aiaValues)
|
|
if err != nil {
|
|
return
|
|
}
|
|
n++
|
|
}
|
|
|
|
if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
|
|
!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
|
|
ret[n].Id = oidExtensionSubjectAltName
|
|
// From RFC 5280, Section 4.2.1.6:
|
|
// “If the subject field contains an empty sequence ... then
|
|
// subjectAltName extension ... is marked as critical”
|
|
ret[n].Critical = subjectIsEmpty
|
|
ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
|
|
if err != nil {
|
|
return
|
|
}
|
|
n++
|
|
}
|
|
|
|
if len(template.PolicyIdentifiers) > 0 &&
|
|
!oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) {
|
|
ret[n], err = marshalCertificatePolicies(template.PolicyIdentifiers)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
n++
|
|
}
|
|
|
|
if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 ||
|
|
len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 ||
|
|
len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 ||
|
|
len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) &&
|
|
!oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
|
|
ret[n].Id = oidExtensionNameConstraints
|
|
ret[n].Critical = template.PermittedDNSDomainsCritical
|
|
|
|
ipAndMask := func(ipNet *net.IPNet) []byte {
|
|
maskedIP := ipNet.IP.Mask(ipNet.Mask)
|
|
ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
|
|
ipAndMask = append(ipAndMask, maskedIP...)
|
|
ipAndMask = append(ipAndMask, ipNet.Mask...)
|
|
return ipAndMask
|
|
}
|
|
|
|
serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) {
|
|
var b cryptobyte.Builder
|
|
|
|
for _, name := range dns {
|
|
if err = isIA5String(name); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
|
|
b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) {
|
|
b.AddBytes([]byte(name))
|
|
})
|
|
})
|
|
}
|
|
|
|
for _, ipNet := range ips {
|
|
b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
|
|
b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) {
|
|
b.AddBytes(ipAndMask(ipNet))
|
|
})
|
|
})
|
|
}
|
|
|
|
for _, email := range emails {
|
|
if err = isIA5String(email); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
|
|
b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) {
|
|
b.AddBytes([]byte(email))
|
|
})
|
|
})
|
|
}
|
|
|
|
for _, uriDomain := range uriDomains {
|
|
if err = isIA5String(uriDomain); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
|
|
b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) {
|
|
b.AddBytes([]byte(uriDomain))
|
|
})
|
|
})
|
|
}
|
|
|
|
return b.Bytes()
|
|
}
|
|
|
|
permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var b cryptobyte.Builder
|
|
b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
|
|
if len(permitted) > 0 {
|
|
b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
|
|
b.AddBytes(permitted)
|
|
})
|
|
}
|
|
|
|
if len(excluded) > 0 {
|
|
b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
|
|
b.AddBytes(excluded)
|
|
})
|
|
}
|
|
})
|
|
|
|
ret[n].Value, err = b.Bytes()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
n++
|
|
}
|
|
|
|
if len(template.CRLDistributionPoints) > 0 &&
|
|
!oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) {
|
|
ret[n].Id = oidExtensionCRLDistributionPoints
|
|
|
|
var crlDp []distributionPoint
|
|
for _, name := range template.CRLDistributionPoints {
|
|
dp := distributionPoint{
|
|
DistributionPoint: distributionPointName{
|
|
FullName: []asn1.RawValue{
|
|
{Tag: 6, Class: 2, Bytes: []byte(name)},
|
|
},
|
|
},
|
|
}
|
|
crlDp = append(crlDp, dp)
|
|
}
|
|
|
|
ret[n].Value, err = asn1.Marshal(crlDp)
|
|
if err != nil {
|
|
return
|
|
}
|
|
n++
|
|
}
|
|
|
|
// Adding another extension here? Remember to update the maximum number
|
|
// of elements in the make() at the top of the function and the list of
|
|
// template fields used in CreateCertificate documentation.
|
|
|
|
return append(ret[:n], template.ExtraExtensions...), nil
|
|
}
|
|
|
|
func marshalKeyUsage(ku x509.KeyUsage) (pkix.Extension, error) {
|
|
ext := pkix.Extension{Id: oidExtensionKeyUsage, Critical: true}
|
|
|
|
var a [2]byte
|
|
a[0] = reverseBitsInAByte(byte(ku))
|
|
a[1] = reverseBitsInAByte(byte(ku >> 8))
|
|
|
|
l := 1
|
|
if a[1] != 0 {
|
|
l = 2
|
|
}
|
|
|
|
bitString := a[:l]
|
|
var err error
|
|
ext.Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)})
|
|
if err != nil {
|
|
return ext, err
|
|
}
|
|
return ext, nil
|
|
}
|
|
|
|
func marshalExtKeyUsage(extUsages []x509.ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) {
|
|
ext := pkix.Extension{Id: oidExtensionExtendedKeyUsage}
|
|
|
|
oids := make([]asn1.ObjectIdentifier, len(extUsages)+len(unknownUsages))
|
|
for i, u := range extUsages {
|
|
if oid, ok := oidFromExtKeyUsage(u); ok {
|
|
oids[i] = oid
|
|
} else {
|
|
return ext, errors.New("x509: unknown extended key usage")
|
|
}
|
|
}
|
|
|
|
copy(oids[len(extUsages):], unknownUsages)
|
|
|
|
var err error
|
|
ext.Value, err = asn1.Marshal(oids)
|
|
if err != nil {
|
|
return ext, err
|
|
}
|
|
return ext, nil
|
|
}
|
|
|
|
func marshalBasicConstraints(isCA bool, maxPathLen int, maxPathLenZero bool) (pkix.Extension, error) {
|
|
ext := pkix.Extension{Id: oidExtensionBasicConstraints, Critical: true}
|
|
// Leaving MaxPathLen as zero indicates that no maximum path
|
|
// length is desired, unless MaxPathLenZero is set. A value of
|
|
// -1 causes encoding/asn1 to omit the value as desired.
|
|
if maxPathLen == 0 && !maxPathLenZero {
|
|
maxPathLen = -1
|
|
}
|
|
var err error
|
|
ext.Value, err = asn1.Marshal(basicConstraints{isCA, maxPathLen})
|
|
if err != nil {
|
|
return ext, nil
|
|
}
|
|
return ext, nil
|
|
}
|
|
|
|
func marshalCertificatePolicies(policyIdentifiers []asn1.ObjectIdentifier) (pkix.Extension, error) {
|
|
ext := pkix.Extension{Id: oidExtensionCertificatePolicies}
|
|
policies := make([]policyInformation, len(policyIdentifiers))
|
|
for i, policy := range policyIdentifiers {
|
|
policies[i].Policy = policy
|
|
}
|
|
var err error
|
|
ext.Value, err = asn1.Marshal(policies)
|
|
if err != nil {
|
|
return ext, err
|
|
}
|
|
return ext, nil
|
|
}
|
|
|
|
func buildCSRExtensions(template *x509.CertificateRequest) ([]pkix.Extension, error) {
|
|
var ret []pkix.Extension
|
|
|
|
if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
|
|
!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
|
|
sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
ret = append(ret, pkix.Extension{
|
|
Id: oidExtensionSubjectAltName,
|
|
Value: sanBytes,
|
|
})
|
|
}
|
|
|
|
return append(ret, template.ExtraExtensions...), nil
|
|
}
|
|
|
|
func subjectBytes(cert *x509.Certificate) ([]byte, error) {
|
|
if len(cert.RawSubject) > 0 {
|
|
return cert.RawSubject, nil
|
|
}
|
|
|
|
return asn1.Marshal(cert.Subject.ToRDNSequence())
|
|
}
|
|
|
|
// signingParamsForPublicKey returns the parameters to use for signing with
|
|
// priv. If requestedSigAlgo is not zero then it overrides the default
|
|
// signature algorithm.
|
|
func signingParamsForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
|
|
var pubType x509.PublicKeyAlgorithm
|
|
|
|
switch pub := pub.(type) {
|
|
case *rsa.PublicKey:
|
|
pubType = x509.RSA
|
|
hashFunc = crypto.SHA256
|
|
sigAlgo.Algorithm = oidSignatureSHA256WithRSA
|
|
sigAlgo.Parameters = asn1.NullRawValue
|
|
|
|
case *ecdsa.PublicKey:
|
|
pubType = x509.ECDSA
|
|
|
|
switch pub.Curve {
|
|
case elliptic.P224(), elliptic.P256():
|
|
hashFunc = crypto.SHA256
|
|
sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
|
|
case elliptic.P384():
|
|
hashFunc = crypto.SHA384
|
|
sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
|
|
case elliptic.P521():
|
|
hashFunc = crypto.SHA512
|
|
sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
|
|
case sm2.P256():
|
|
hashFunc = crypto.Hash(0)
|
|
sigAlgo.Algorithm = oidSignatureSM2WithSM3
|
|
default:
|
|
err = errors.New("x509: unknown elliptic curve")
|
|
}
|
|
|
|
case ed25519.PublicKey:
|
|
pubType = x509.Ed25519
|
|
sigAlgo.Algorithm = oidSignatureEd25519
|
|
|
|
default:
|
|
err = errors.New("x509: only RSA, ECDSA and Ed25519 keys supported")
|
|
}
|
|
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
if requestedSigAlgo == 0 {
|
|
return
|
|
}
|
|
|
|
found := false
|
|
for _, details := range signatureAlgorithmDetails {
|
|
if details.algo == requestedSigAlgo {
|
|
if details.pubKeyAlgo != pubType {
|
|
err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
|
|
return
|
|
}
|
|
sigAlgo.Algorithm, hashFunc = details.oid, details.hash
|
|
if hashFunc == 0 && pubType != x509.Ed25519 && !sigAlgo.Algorithm.Equal(oidSignatureSM2WithSM3) {
|
|
err = errors.New("x509: cannot sign with hash function requested")
|
|
return
|
|
}
|
|
if isRSAPSS(requestedSigAlgo) {
|
|
sigAlgo.Parameters = hashToPSSParameters[hashFunc]
|
|
}
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !found {
|
|
err = errors.New("x509: unknown SignatureAlgorithm")
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
// emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is
|
|
// just an empty SEQUENCE.
|
|
var emptyASN1Subject = []byte{0x30, 0}
|
|
|
|
// CreateCertificate creates a new X.509 v3 certificate based on a template.
|
|
// The following members of template are used:
|
|
//
|
|
// - AuthorityKeyId
|
|
// - BasicConstraintsValid
|
|
// - CRLDistributionPoints
|
|
// - DNSNames
|
|
// - EmailAddresses
|
|
// - ExcludedDNSDomains
|
|
// - ExcludedEmailAddresses
|
|
// - ExcludedIPRanges
|
|
// - ExcludedURIDomains
|
|
// - ExtKeyUsage
|
|
// - ExtraExtensions
|
|
// - IPAddresses
|
|
// - IsCA
|
|
// - IssuingCertificateURL
|
|
// - KeyUsage
|
|
// - MaxPathLen
|
|
// - MaxPathLenZero
|
|
// - NotAfter
|
|
// - NotBefore
|
|
// - OCSPServer
|
|
// - PermittedDNSDomains
|
|
// - PermittedDNSDomainsCritical
|
|
// - PermittedEmailAddresses
|
|
// - PermittedIPRanges
|
|
// - PermittedURIDomains
|
|
// - PolicyIdentifiers
|
|
// - SerialNumber
|
|
// - SignatureAlgorithm
|
|
// - Subject
|
|
// - SubjectKeyId
|
|
// - URIs
|
|
// - UnknownExtKeyUsage
|
|
//
|
|
// The certificate is signed by parent. If parent is equal to template then the
|
|
// certificate is self-signed. The parameter pub is the public key of the
|
|
// signee and priv is the private key of the signer.
|
|
//
|
|
// The returned slice is the certificate in DER encoding.
|
|
//
|
|
// The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and
|
|
// ed25519.PublicKey. pub must be a supported key type, and priv must be a
|
|
// crypto.Signer with a supported public key.
|
|
//
|
|
// The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
|
|
// unless the resulting certificate is self-signed. Otherwise the value from
|
|
// template will be used.
|
|
func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub, priv interface{}) ([]byte, error) {
|
|
key, ok := priv.(crypto.Signer)
|
|
if !ok {
|
|
return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
|
|
}
|
|
|
|
if template.SerialNumber == nil {
|
|
return nil, errors.New("x509: no SerialNumber given")
|
|
}
|
|
|
|
if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
|
|
return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
|
|
}
|
|
|
|
hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
asn1Issuer, err := subjectBytes(parent)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
asn1Subject, err := subjectBytes(template)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
authorityKeyId := template.AuthorityKeyId
|
|
if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 {
|
|
authorityKeyId = parent.SubjectKeyId
|
|
}
|
|
|
|
subjectKeyId := template.SubjectKeyId
|
|
if len(subjectKeyId) == 0 && template.IsCA {
|
|
// SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2:
|
|
// (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
|
|
// value of the BIT STRING subjectPublicKey (excluding the tag,
|
|
// length, and number of unused bits).
|
|
h := sha1.Sum(publicKeyBytes)
|
|
subjectKeyId = h[:]
|
|
}
|
|
|
|
// Check that the signer's public key matches the private key, if available.
|
|
type privateKey interface {
|
|
Equal(crypto.PublicKey) bool
|
|
}
|
|
|
|
if privPub, ok := key.Public().(privateKey); !ok {
|
|
return nil, errors.New("x509: internal error: supported public key does not implement Equal")
|
|
} else if parent.PublicKey != nil && !privPub.Equal(parent.PublicKey) {
|
|
return nil, errors.New("x509: provided PrivateKey doesn't match parent's PublicKey")
|
|
}
|
|
|
|
extensions, err := buildCertExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId, subjectKeyId)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
|
|
c := tbsCertificate{
|
|
Version: 2,
|
|
SerialNumber: template.SerialNumber,
|
|
SignatureAlgorithm: signatureAlgorithm,
|
|
Issuer: asn1.RawValue{FullBytes: asn1Issuer},
|
|
Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
|
|
Subject: asn1.RawValue{FullBytes: asn1Subject},
|
|
PublicKey: publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
|
|
Extensions: extensions,
|
|
}
|
|
|
|
tbsCertContents, err := asn1.Marshal(c)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
c.Raw = tbsCertContents
|
|
|
|
signed := tbsCertContents
|
|
|
|
var signature []byte
|
|
if hashFunc != 0 {
|
|
h := hashFunc.New()
|
|
h.Write(signed)
|
|
signed = h.Sum(nil)
|
|
}
|
|
var signerOpts crypto.SignerOpts = hashFunc
|
|
if template.SignatureAlgorithm != 0 && isRSAPSS(template.SignatureAlgorithm) {
|
|
signerOpts = &rsa.PSSOptions{
|
|
SaltLength: rsa.PSSSaltLengthEqualsHash,
|
|
Hash: hashFunc,
|
|
}
|
|
} else if signatureAlgorithm.Algorithm.Equal(oidSignatureSM2WithSM3) {
|
|
signerOpts = sm2.NewSM2SignerOption(true, nil)
|
|
}
|
|
signature, err = key.Sign(rand, signed, signerOpts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
signedCert, err := asn1.Marshal(certificate{
|
|
nil,
|
|
c,
|
|
signatureAlgorithm,
|
|
asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Check the signature to ensure the crypto.Signer behaved correctly.
|
|
sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm)
|
|
switch sigAlg {
|
|
case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
|
|
// We skip the check if the signature algorithm is only supported for
|
|
// signing, not verification.
|
|
default:
|
|
if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil {
|
|
return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
|
|
}
|
|
}
|
|
|
|
return signedCert, nil
|
|
}
|
|
|
|
// ParseCRL parses a CRL from the given bytes. It's often the case that PEM
|
|
// encoded CRLs will appear where they should be DER encoded, so this function
|
|
// will transparently handle PEM encoding as long as there isn't any leading
|
|
// garbage.
|
|
func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) {
|
|
return x509.ParseCRL(crlBytes)
|
|
}
|
|
|
|
// ParseDERCRL parses a DER encoded CRL from the given bytes.
|
|
func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) {
|
|
return x509.ParseDERCRL(derBytes)
|
|
}
|
|
|
|
// CreateCRL returns a DER encoded CRL, signed by this Certificate, that
|
|
// contains the given list of revoked certificates.
|
|
func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
|
|
key, ok := priv.(crypto.Signer)
|
|
if !ok {
|
|
return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
|
|
}
|
|
|
|
hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Force revocation times to UTC per RFC 5280.
|
|
revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
|
|
for i, rc := range revokedCerts {
|
|
rc.RevocationTime = rc.RevocationTime.UTC()
|
|
revokedCertsUTC[i] = rc
|
|
}
|
|
|
|
tbsCertList := pkix.TBSCertificateList{
|
|
Version: 1,
|
|
Signature: signatureAlgorithm,
|
|
Issuer: c.Subject.ToRDNSequence(),
|
|
ThisUpdate: now.UTC(),
|
|
NextUpdate: expiry.UTC(),
|
|
RevokedCertificates: revokedCertsUTC,
|
|
}
|
|
|
|
// Authority Key Id
|
|
if len(c.SubjectKeyId) > 0 {
|
|
var aki pkix.Extension
|
|
aki.Id = oidExtensionAuthorityKeyId
|
|
aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId})
|
|
if err != nil {
|
|
return
|
|
}
|
|
tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
|
|
}
|
|
|
|
tbsCertListContents, err := asn1.Marshal(tbsCertList)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
signed := tbsCertListContents
|
|
var opts crypto.SignerOpts = hashFunc
|
|
if signatureAlgorithm.Algorithm.Equal(oidSignatureSM2WithSM3) {
|
|
opts = sm2.NewSM2SignerOption(true, nil)
|
|
}
|
|
if hashFunc != 0 {
|
|
h := hashFunc.New()
|
|
h.Write(signed)
|
|
signed = h.Sum(nil)
|
|
}
|
|
signature, err := key.Sign(rand, signed, opts)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
return asn1.Marshal(pkix.CertificateList{
|
|
TBSCertList: tbsCertList,
|
|
SignatureAlgorithm: signatureAlgorithm,
|
|
SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
|
|
})
|
|
}
|
|
|
|
// These structures reflect the ASN.1 structure of X.509 certificate
|
|
// signature requests (see RFC 2986):
|
|
|
|
type tbsCertificateRequest struct {
|
|
Raw asn1.RawContent
|
|
Version int
|
|
Subject asn1.RawValue
|
|
PublicKey publicKeyInfo
|
|
RawAttributes []asn1.RawValue `asn1:"tag:0"`
|
|
}
|
|
|
|
type certificateRequest struct {
|
|
Raw asn1.RawContent
|
|
TBSCSR tbsCertificateRequest
|
|
SignatureAlgorithm pkix.AlgorithmIdentifier
|
|
SignatureValue asn1.BitString
|
|
}
|
|
|
|
// oidExtensionRequest is a PKCS#9 OBJECT IDENTIFIER that indicates requested
|
|
// extensions in a CSR.
|
|
var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}
|
|
|
|
// newRawAttributes converts AttributeTypeAndValueSETs from a template
|
|
// CertificateRequest's Attributes into tbsCertificateRequest RawAttributes.
|
|
func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) {
|
|
var rawAttributes []asn1.RawValue
|
|
b, err := asn1.Marshal(attributes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
rest, err := asn1.Unmarshal(b, &rawAttributes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(rest) != 0 {
|
|
return nil, errors.New("x509: failed to unmarshal raw CSR Attributes")
|
|
}
|
|
return rawAttributes, nil
|
|
}
|
|
|
|
// parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs.
|
|
func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET {
|
|
var attributes []pkix.AttributeTypeAndValueSET
|
|
for _, rawAttr := range rawAttributes {
|
|
var attr pkix.AttributeTypeAndValueSET
|
|
rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr)
|
|
// Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET
|
|
// (i.e.: challengePassword or unstructuredName).
|
|
if err == nil && len(rest) == 0 {
|
|
attributes = append(attributes, attr)
|
|
}
|
|
}
|
|
return attributes
|
|
}
|
|
|
|
// parseCSRExtensions parses the attributes from a CSR and extracts any
|
|
// requested extensions.
|
|
func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) {
|
|
// pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1.
|
|
type pkcs10Attribute struct {
|
|
Id asn1.ObjectIdentifier
|
|
Values []asn1.RawValue `asn1:"set"`
|
|
}
|
|
|
|
var ret []pkix.Extension
|
|
for _, rawAttr := range rawAttributes {
|
|
var attr pkcs10Attribute
|
|
if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
|
|
// Ignore attributes that don't parse.
|
|
continue
|
|
}
|
|
|
|
if !attr.Id.Equal(oidExtensionRequest) {
|
|
continue
|
|
}
|
|
|
|
var extensions []pkix.Extension
|
|
if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
|
|
return nil, err
|
|
}
|
|
ret = append(ret, extensions...)
|
|
}
|
|
|
|
return ret, nil
|
|
}
|
|
|
|
// CreateCertificateRequest creates a new certificate request based on a
|
|
// template. The following members of template are used:
|
|
//
|
|
// - SignatureAlgorithm
|
|
// - Subject
|
|
// - DNSNames
|
|
// - EmailAddresses
|
|
// - IPAddresses
|
|
// - URIs
|
|
// - ExtraExtensions
|
|
// - Attributes (deprecated)
|
|
//
|
|
// priv is the private key to sign the CSR with, and the corresponding public
|
|
// key will be included in the CSR. It must implement crypto.Signer and its
|
|
// Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a
|
|
// ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or
|
|
// ed25519.PrivateKey satisfies this.)
|
|
//
|
|
// The returned slice is the certificate request in DER encoding.
|
|
func CreateCertificateRequest(rand io.Reader, template *x509.CertificateRequest, priv interface{}) (csr []byte, err error) {
|
|
key, ok := priv.(crypto.Signer)
|
|
if !ok {
|
|
return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
|
|
}
|
|
var hashFunc crypto.Hash
|
|
var sigAlgo pkix.AlgorithmIdentifier
|
|
hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var publicKeyBytes []byte
|
|
var publicKeyAlgorithm pkix.AlgorithmIdentifier
|
|
publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
extensions, err := buildCSRExtensions(template)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Make a copy of template.Attributes because we may alter it below.
|
|
attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes))
|
|
for _, attr := range template.Attributes {
|
|
values := make([][]pkix.AttributeTypeAndValue, len(attr.Value))
|
|
copy(values, attr.Value)
|
|
attributes = append(attributes, pkix.AttributeTypeAndValueSET{
|
|
Type: attr.Type,
|
|
Value: values,
|
|
})
|
|
}
|
|
|
|
extensionsAppended := false
|
|
if len(extensions) > 0 {
|
|
// Append the extensions to an existing attribute if possible.
|
|
for _, atvSet := range attributes {
|
|
if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 {
|
|
continue
|
|
}
|
|
|
|
// specifiedExtensions contains all the extensions that we
|
|
// found specified via template.Attributes.
|
|
specifiedExtensions := make(map[string]bool)
|
|
|
|
for _, atvs := range atvSet.Value {
|
|
for _, atv := range atvs {
|
|
specifiedExtensions[atv.Type.String()] = true
|
|
}
|
|
}
|
|
|
|
newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions))
|
|
newValue = append(newValue, atvSet.Value[0]...)
|
|
|
|
for _, e := range extensions {
|
|
if specifiedExtensions[e.Id.String()] {
|
|
// Attributes already contained a value for
|
|
// this extension and it takes priority.
|
|
continue
|
|
}
|
|
|
|
newValue = append(newValue, pkix.AttributeTypeAndValue{
|
|
// There is no place for the critical
|
|
// flag in an AttributeTypeAndValue.
|
|
Type: e.Id,
|
|
Value: e.Value,
|
|
})
|
|
}
|
|
|
|
atvSet.Value[0] = newValue
|
|
extensionsAppended = true
|
|
break
|
|
}
|
|
}
|
|
|
|
rawAttributes, err := newRawAttributes(attributes)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
// If not included in attributes, add a new attribute for the
|
|
// extensions.
|
|
if len(extensions) > 0 && !extensionsAppended {
|
|
attr := struct {
|
|
Type asn1.ObjectIdentifier
|
|
Value [][]pkix.Extension `asn1:"set"`
|
|
}{
|
|
Type: oidExtensionRequest,
|
|
Value: [][]pkix.Extension{extensions},
|
|
}
|
|
|
|
b, err := asn1.Marshal(attr)
|
|
if err != nil {
|
|
return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error())
|
|
}
|
|
|
|
var rawValue asn1.RawValue
|
|
if _, err := asn1.Unmarshal(b, &rawValue); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
rawAttributes = append(rawAttributes, rawValue)
|
|
}
|
|
|
|
asn1Subject := template.RawSubject
|
|
if len(asn1Subject) == 0 {
|
|
asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
tbsCSR := tbsCertificateRequest{
|
|
Version: 0, // PKCS #10, RFC 2986
|
|
Subject: asn1.RawValue{FullBytes: asn1Subject},
|
|
PublicKey: publicKeyInfo{
|
|
Algorithm: publicKeyAlgorithm,
|
|
PublicKey: asn1.BitString{
|
|
Bytes: publicKeyBytes,
|
|
BitLength: len(publicKeyBytes) * 8,
|
|
},
|
|
},
|
|
RawAttributes: rawAttributes,
|
|
}
|
|
|
|
tbsCSRContents, err := asn1.Marshal(tbsCSR)
|
|
if err != nil {
|
|
return
|
|
}
|
|
tbsCSR.Raw = tbsCSRContents
|
|
|
|
signed := tbsCSRContents
|
|
var signature []byte
|
|
var opts crypto.SignerOpts = hashFunc
|
|
if hashFunc != 0 {
|
|
h := hashFunc.New()
|
|
h.Write(signed)
|
|
signed = h.Sum(nil)
|
|
}
|
|
if sigAlgo.Algorithm.Equal(oidSignatureSM2WithSM3) {
|
|
opts = sm2.NewSM2SignerOption(true, nil)
|
|
}
|
|
signature, err = key.Sign(rand, signed, opts)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
return asn1.Marshal(certificateRequest{
|
|
TBSCSR: tbsCSR,
|
|
SignatureAlgorithm: sigAlgo,
|
|
SignatureValue: asn1.BitString{
|
|
Bytes: signature,
|
|
BitLength: len(signature) * 8,
|
|
},
|
|
})
|
|
}
|
|
|
|
// ParseCertificateRequest parses a single certificate request from the
|
|
// given ASN.1 DER data.
|
|
func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) {
|
|
var csr certificateRequest
|
|
|
|
rest, err := asn1.Unmarshal(asn1Data, &csr)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if len(rest) != 0 {
|
|
return nil, asn1.SyntaxError{Msg: "trailing data"}
|
|
}
|
|
if !csr.SignatureAlgorithm.Algorithm.Equal(oidSignatureSM2WithSM3) {
|
|
csrR, err := x509.ParseCertificateRequest(asn1Data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &CertificateRequest{*csrR}, nil
|
|
}
|
|
return parseCertificateRequest(&csr)
|
|
}
|
|
|
|
// ParseCertificateRequestPEM parses a single certificate request from the
|
|
// given PEM data.
|
|
func ParseCertificateRequestPEM(data []byte) (*CertificateRequest, error) {
|
|
block, _ := pem.Decode(data)
|
|
if block == nil {
|
|
return nil, errors.New("failed to decode PEM block containing CSR")
|
|
}
|
|
return ParseCertificateRequest(block.Bytes)
|
|
}
|
|
|
|
func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) {
|
|
if !oidSignatureSM2WithSM3.Equal(in.SignatureAlgorithm.Algorithm) {
|
|
return nil, errors.New("unsupport signature algorithm")
|
|
}
|
|
out := &CertificateRequest{x509.CertificateRequest{
|
|
Raw: in.Raw,
|
|
RawTBSCertificateRequest: in.TBSCSR.Raw,
|
|
RawSubjectPublicKeyInfo: in.TBSCSR.PublicKey.Raw,
|
|
RawSubject: in.TBSCSR.Subject.FullBytes,
|
|
|
|
Signature: in.SignatureValue.RightAlign(),
|
|
SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm),
|
|
|
|
PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm),
|
|
|
|
Version: in.TBSCSR.Version,
|
|
Attributes: parseRawAttributes(in.TBSCSR.RawAttributes),
|
|
},
|
|
}
|
|
|
|
var err error
|
|
out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var subject pkix.RDNSequence
|
|
if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil {
|
|
return nil, err
|
|
} else if len(rest) != 0 {
|
|
return nil, errors.New("x509: trailing data after X.509 Subject")
|
|
}
|
|
|
|
out.Subject.FillFromRDNSequence(&subject)
|
|
|
|
if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
for _, extension := range out.Extensions {
|
|
if extension.Id.Equal(oidExtensionSubjectAltName) {
|
|
out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
}
|
|
|
|
return out, nil
|
|
}
|
|
|
|
// CheckSignature reports whether the signature on c is valid.
|
|
func (c *CertificateRequest) CheckSignature() error {
|
|
return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
|
|
}
|
|
|
|
// CreateRevocationList creates a new X.509 v2 Certificate Revocation List,
|
|
// according to RFC 5280, based on template.
|
|
//
|
|
// The CRL is signed by priv which should be the private key associated with
|
|
// the public key in the issuer certificate.
|
|
//
|
|
// The issuer may not be nil, and the crlSign bit must be set in KeyUsage in
|
|
// order to use it as a CRL issuer.
|
|
//
|
|
// The issuer distinguished name CRL field and authority key identifier
|
|
// extension are populated using the issuer certificate. issuer must have
|
|
// SubjectKeyId set.
|
|
func CreateRevocationList(rand io.Reader, template *x509.RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error) {
|
|
if template == nil {
|
|
return nil, errors.New("x509: template can not be nil")
|
|
}
|
|
if issuer == nil {
|
|
return nil, errors.New("x509: issuer can not be nil")
|
|
}
|
|
if (issuer.KeyUsage & x509.KeyUsageCRLSign) == 0 {
|
|
return nil, errors.New("x509: issuer must have the crlSign key usage bit set")
|
|
}
|
|
if len(issuer.SubjectKeyId) == 0 {
|
|
return nil, errors.New("x509: issuer certificate doesn't contain a subject key identifier")
|
|
}
|
|
if template.NextUpdate.Before(template.ThisUpdate) {
|
|
return nil, errors.New("x509: template.ThisUpdate is after template.NextUpdate")
|
|
}
|
|
if template.Number == nil {
|
|
return nil, errors.New("x509: template contains nil Number field")
|
|
}
|
|
|
|
hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Force revocation times to UTC per RFC 5280.
|
|
revokedCertsUTC := make([]pkix.RevokedCertificate, len(template.RevokedCertificates))
|
|
for i, rc := range template.RevokedCertificates {
|
|
rc.RevocationTime = rc.RevocationTime.UTC()
|
|
revokedCertsUTC[i] = rc
|
|
}
|
|
|
|
aki, err := asn1.Marshal(authKeyId{Id: issuer.SubjectKeyId})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
crlNum, err := asn1.Marshal(template.Number)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
tbsCertList := pkix.TBSCertificateList{
|
|
Version: 1, // v2
|
|
Signature: signatureAlgorithm,
|
|
Issuer: issuer.Subject.ToRDNSequence(),
|
|
ThisUpdate: template.ThisUpdate.UTC(),
|
|
NextUpdate: template.NextUpdate.UTC(),
|
|
Extensions: []pkix.Extension{
|
|
{
|
|
Id: oidExtensionAuthorityKeyId,
|
|
Value: aki,
|
|
},
|
|
{
|
|
Id: oidExtensionCRLNumber,
|
|
Value: crlNum,
|
|
},
|
|
},
|
|
}
|
|
if len(revokedCertsUTC) > 0 {
|
|
tbsCertList.RevokedCertificates = revokedCertsUTC
|
|
}
|
|
|
|
if len(template.ExtraExtensions) > 0 {
|
|
tbsCertList.Extensions = append(tbsCertList.Extensions, template.ExtraExtensions...)
|
|
}
|
|
|
|
tbsCertListContents, err := asn1.Marshal(tbsCertList)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
input := tbsCertListContents
|
|
if hashFunc != 0 {
|
|
h := hashFunc.New()
|
|
h.Write(tbsCertListContents)
|
|
input = h.Sum(nil)
|
|
}
|
|
var signerOpts crypto.SignerOpts = hashFunc
|
|
if isRSAPSS(template.SignatureAlgorithm) {
|
|
signerOpts = &rsa.PSSOptions{
|
|
SaltLength: rsa.PSSSaltLengthEqualsHash,
|
|
Hash: hashFunc,
|
|
}
|
|
} else if signatureAlgorithm.Algorithm.Equal(oidSignatureSM2WithSM3) {
|
|
signerOpts = sm2.NewSM2SignerOption(true, nil)
|
|
}
|
|
|
|
signature, err := priv.Sign(rand, input, signerOpts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return asn1.Marshal(pkix.CertificateList{
|
|
TBSCertList: tbsCertList,
|
|
SignatureAlgorithm: signatureAlgorithm,
|
|
SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
|
|
})
|
|
}
|