1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Package x509 parses X.509-encoded keys and certificates. 6 // 7 // On UNIX systems the environment variables SSL_CERT_FILE and SSL_CERT_DIR 8 // can be used to override the system default locations for the SSL certificate 9 // file and SSL certificate files directory, respectively. 10 package x509 11 12 import ( 13 "bytes" 14 "crypto" 15 "crypto/dsa" 16 "crypto/ecdsa" 17 "crypto/elliptic" 18 "crypto/rsa" 19 _ "crypto/sha1" 20 _ "crypto/sha256" 21 _ "crypto/sha512" 22 "crypto/x509/pkix" 23 "encoding/asn1" 24 "encoding/pem" 25 "errors" 26 "fmt" 27 "io" 28 "math/big" 29 "net" 30 "net/url" 31 "strconv" 32 "strings" 33 "time" 34 "unicode/utf8" 35 36 "golang_org/x/crypto/cryptobyte" 37 cryptobyte_asn1 "golang_org/x/crypto/cryptobyte/asn1" 38 ) 39 40 // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo 41 // in RFC 3280. 42 type pkixPublicKey struct { 43 Algo pkix.AlgorithmIdentifier 44 BitString asn1.BitString 45 } 46 47 // ParsePKIXPublicKey parses a DER encoded public key. These values are 48 // typically found in PEM blocks with "BEGIN PUBLIC KEY". 49 // 50 // Supported key types include RSA, DSA, and ECDSA. Unknown key 51 // types result in an error. 52 // 53 // On success, pub will be of type *rsa.PublicKey, *dsa.PublicKey, 54 // or *ecdsa.PublicKey. 55 func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) { 56 var pki publicKeyInfo 57 if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil { 58 return nil, err 59 } else if len(rest) != 0 { 60 return nil, errors.New("x509: trailing data after ASN.1 of public-key") 61 } 62 algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm) 63 if algo == UnknownPublicKeyAlgorithm { 64 return nil, errors.New("x509: unknown public key algorithm") 65 } 66 return parsePublicKey(algo, &pki) 67 } 68 69 func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) { 70 switch pub := pub.(type) { 71 case *rsa.PublicKey: 72 publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{ 73 N: pub.N, 74 E: pub.E, 75 }) 76 if err != nil { 77 return nil, pkix.AlgorithmIdentifier{}, err 78 } 79 publicKeyAlgorithm.Algorithm = oidPublicKeyRSA 80 // This is a NULL parameters value which is required by 81 // https://tools.ietf.org/html/rfc3279#section-2.3.1. 82 publicKeyAlgorithm.Parameters = asn1.NullRawValue 83 case *ecdsa.PublicKey: 84 publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) 85 oid, ok := oidFromNamedCurve(pub.Curve) 86 if !ok { 87 return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve") 88 } 89 publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA 90 var paramBytes []byte 91 paramBytes, err = asn1.Marshal(oid) 92 if err != nil { 93 return 94 } 95 publicKeyAlgorithm.Parameters.FullBytes = paramBytes 96 default: 97 return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: only RSA and ECDSA public keys supported") 98 } 99 100 return publicKeyBytes, publicKeyAlgorithm, nil 101 } 102 103 // MarshalPKIXPublicKey serialises a public key to DER-encoded PKIX format. 104 func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) { 105 var publicKeyBytes []byte 106 var publicKeyAlgorithm pkix.AlgorithmIdentifier 107 var err error 108 109 if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil { 110 return nil, err 111 } 112 113 pkix := pkixPublicKey{ 114 Algo: publicKeyAlgorithm, 115 BitString: asn1.BitString{ 116 Bytes: publicKeyBytes, 117 BitLength: 8 * len(publicKeyBytes), 118 }, 119 } 120 121 ret, _ := asn1.Marshal(pkix) 122 return ret, nil 123 } 124 125 // These structures reflect the ASN.1 structure of X.509 certificates.: 126 127 type certificate struct { 128 Raw asn1.RawContent 129 TBSCertificate tbsCertificate 130 SignatureAlgorithm pkix.AlgorithmIdentifier 131 SignatureValue asn1.BitString 132 } 133 134 type tbsCertificate struct { 135 Raw asn1.RawContent 136 Version int `asn1:"optional,explicit,default:0,tag:0"` 137 SerialNumber *big.Int 138 SignatureAlgorithm pkix.AlgorithmIdentifier 139 Issuer asn1.RawValue 140 Validity validity 141 Subject asn1.RawValue 142 PublicKey publicKeyInfo 143 UniqueId asn1.BitString `asn1:"optional,tag:1"` 144 SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"` 145 Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"` 146 } 147 148 type dsaAlgorithmParameters struct { 149 P, Q, G *big.Int 150 } 151 152 type dsaSignature struct { 153 R, S *big.Int 154 } 155 156 type ecdsaSignature dsaSignature 157 158 type validity struct { 159 NotBefore, NotAfter time.Time 160 } 161 162 type publicKeyInfo struct { 163 Raw asn1.RawContent 164 Algorithm pkix.AlgorithmIdentifier 165 PublicKey asn1.BitString 166 } 167 168 // RFC 5280, 4.2.1.1 169 type authKeyId struct { 170 Id []byte `asn1:"optional,tag:0"` 171 } 172 173 type SignatureAlgorithm int 174 175 const ( 176 UnknownSignatureAlgorithm SignatureAlgorithm = iota 177 MD2WithRSA 178 MD5WithRSA 179 SHA1WithRSA 180 SHA256WithRSA 181 SHA384WithRSA 182 SHA512WithRSA 183 DSAWithSHA1 184 DSAWithSHA256 185 ECDSAWithSHA1 186 ECDSAWithSHA256 187 ECDSAWithSHA384 188 ECDSAWithSHA512 189 SHA256WithRSAPSS 190 SHA384WithRSAPSS 191 SHA512WithRSAPSS 192 ) 193 194 func (algo SignatureAlgorithm) isRSAPSS() bool { 195 switch algo { 196 case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS: 197 return true 198 default: 199 return false 200 } 201 } 202 203 func (algo SignatureAlgorithm) String() string { 204 for _, details := range signatureAlgorithmDetails { 205 if details.algo == algo { 206 return details.name 207 } 208 } 209 return strconv.Itoa(int(algo)) 210 } 211 212 type PublicKeyAlgorithm int 213 214 const ( 215 UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota 216 RSA 217 DSA 218 ECDSA 219 ) 220 221 var publicKeyAlgoName = [...]string{ 222 RSA: "RSA", 223 DSA: "DSA", 224 ECDSA: "ECDSA", 225 } 226 227 func (algo PublicKeyAlgorithm) String() string { 228 if 0 < algo && int(algo) < len(publicKeyAlgoName) { 229 return publicKeyAlgoName[algo] 230 } 231 return strconv.Itoa(int(algo)) 232 } 233 234 // OIDs for signature algorithms 235 // 236 // pkcs-1 OBJECT IDENTIFIER ::= { 237 // iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } 238 // 239 // 240 // RFC 3279 2.2.1 RSA Signature Algorithms 241 // 242 // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } 243 // 244 // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } 245 // 246 // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } 247 // 248 // dsaWithSha1 OBJECT IDENTIFIER ::= { 249 // iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 } 250 // 251 // RFC 3279 2.2.3 ECDSA Signature Algorithm 252 // 253 // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { 254 // iso(1) member-body(2) us(840) ansi-x962(10045) 255 // signatures(4) ecdsa-with-SHA1(1)} 256 // 257 // 258 // RFC 4055 5 PKCS #1 Version 1.5 259 // 260 // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } 261 // 262 // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } 263 // 264 // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } 265 // 266 // 267 // RFC 5758 3.1 DSA Signature Algorithms 268 // 269 // dsaWithSha256 OBJECT IDENTIFIER ::= { 270 // joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) 271 // csor(3) algorithms(4) id-dsa-with-sha2(3) 2} 272 // 273 // RFC 5758 3.2 ECDSA Signature Algorithm 274 // 275 // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 276 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } 277 // 278 // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 279 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } 280 // 281 // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 282 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 } 283 284 var ( 285 oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} 286 oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} 287 oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} 288 oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} 289 oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} 290 oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} 291 oidSignatureRSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} 292 oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3} 293 oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2} 294 oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1} 295 oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2} 296 oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3} 297 oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4} 298 299 oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} 300 oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} 301 oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3} 302 303 oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8} 304 305 // oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA 306 // but it's specified by ISO. Microsoft's makecert.exe has been known 307 // to produce certificates with this OID. 308 oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29} 309 ) 310 311 var signatureAlgorithmDetails = []struct { 312 algo SignatureAlgorithm 313 name string 314 oid asn1.ObjectIdentifier 315 pubKeyAlgo PublicKeyAlgorithm 316 hash crypto.Hash 317 }{ 318 {MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */}, 319 {MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5}, 320 {SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1}, 321 {SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1}, 322 {SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256}, 323 {SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384}, 324 {SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512}, 325 {SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256}, 326 {SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384}, 327 {SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512}, 328 {DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1}, 329 {DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256}, 330 {ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1}, 331 {ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256}, 332 {ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384}, 333 {ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512}, 334 } 335 336 // pssParameters reflects the parameters in an AlgorithmIdentifier that 337 // specifies RSA PSS. See https://tools.ietf.org/html/rfc3447#appendix-A.2.3 338 type pssParameters struct { 339 // The following three fields are not marked as 340 // optional because the default values specify SHA-1, 341 // which is no longer suitable for use in signatures. 342 Hash pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"` 343 MGF pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"` 344 SaltLength int `asn1:"explicit,tag:2"` 345 TrailerField int `asn1:"optional,explicit,tag:3,default:1"` 346 } 347 348 // rsaPSSParameters returns an asn1.RawValue suitable for use as the Parameters 349 // in an AlgorithmIdentifier that specifies RSA PSS. 350 func rsaPSSParameters(hashFunc crypto.Hash) asn1.RawValue { 351 var hashOID asn1.ObjectIdentifier 352 353 switch hashFunc { 354 case crypto.SHA256: 355 hashOID = oidSHA256 356 case crypto.SHA384: 357 hashOID = oidSHA384 358 case crypto.SHA512: 359 hashOID = oidSHA512 360 } 361 362 params := pssParameters{ 363 Hash: pkix.AlgorithmIdentifier{ 364 Algorithm: hashOID, 365 Parameters: asn1.NullRawValue, 366 }, 367 MGF: pkix.AlgorithmIdentifier{ 368 Algorithm: oidMGF1, 369 }, 370 SaltLength: hashFunc.Size(), 371 TrailerField: 1, 372 } 373 374 mgf1Params := pkix.AlgorithmIdentifier{ 375 Algorithm: hashOID, 376 Parameters: asn1.NullRawValue, 377 } 378 379 var err error 380 params.MGF.Parameters.FullBytes, err = asn1.Marshal(mgf1Params) 381 if err != nil { 382 panic(err) 383 } 384 385 serialized, err := asn1.Marshal(params) 386 if err != nil { 387 panic(err) 388 } 389 390 return asn1.RawValue{FullBytes: serialized} 391 } 392 393 func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm { 394 if !ai.Algorithm.Equal(oidSignatureRSAPSS) { 395 for _, details := range signatureAlgorithmDetails { 396 if ai.Algorithm.Equal(details.oid) { 397 return details.algo 398 } 399 } 400 return UnknownSignatureAlgorithm 401 } 402 403 // RSA PSS is special because it encodes important parameters 404 // in the Parameters. 405 406 var params pssParameters 407 if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, ¶ms); err != nil { 408 return UnknownSignatureAlgorithm 409 } 410 411 var mgf1HashFunc pkix.AlgorithmIdentifier 412 if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil { 413 return UnknownSignatureAlgorithm 414 } 415 416 // PSS is greatly overburdened with options. This code forces 417 // them into three buckets by requiring that the MGF1 hash 418 // function always match the message hash function (as 419 // recommended in 420 // https://tools.ietf.org/html/rfc3447#section-8.1), that the 421 // salt length matches the hash length, and that the trailer 422 // field has the default value. 423 if !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes) || 424 !params.MGF.Algorithm.Equal(oidMGF1) || 425 !mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) || 426 !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes) || 427 params.TrailerField != 1 { 428 return UnknownSignatureAlgorithm 429 } 430 431 switch { 432 case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32: 433 return SHA256WithRSAPSS 434 case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48: 435 return SHA384WithRSAPSS 436 case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64: 437 return SHA512WithRSAPSS 438 } 439 440 return UnknownSignatureAlgorithm 441 } 442 443 // RFC 3279, 2.3 Public Key Algorithms 444 // 445 // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840) 446 // rsadsi(113549) pkcs(1) 1 } 447 // 448 // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 } 449 // 450 // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840) 451 // x9-57(10040) x9cm(4) 1 } 452 // 453 // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters 454 // 455 // id-ecPublicKey OBJECT IDENTIFIER ::= { 456 // iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } 457 var ( 458 oidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} 459 oidPublicKeyDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1} 460 oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1} 461 ) 462 463 func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm { 464 switch { 465 case oid.Equal(oidPublicKeyRSA): 466 return RSA 467 case oid.Equal(oidPublicKeyDSA): 468 return DSA 469 case oid.Equal(oidPublicKeyECDSA): 470 return ECDSA 471 } 472 return UnknownPublicKeyAlgorithm 473 } 474 475 // RFC 5480, 2.1.1.1. Named Curve 476 // 477 // secp224r1 OBJECT IDENTIFIER ::= { 478 // iso(1) identified-organization(3) certicom(132) curve(0) 33 } 479 // 480 // secp256r1 OBJECT IDENTIFIER ::= { 481 // iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 482 // prime(1) 7 } 483 // 484 // secp384r1 OBJECT IDENTIFIER ::= { 485 // iso(1) identified-organization(3) certicom(132) curve(0) 34 } 486 // 487 // secp521r1 OBJECT IDENTIFIER ::= { 488 // iso(1) identified-organization(3) certicom(132) curve(0) 35 } 489 // 490 // NB: secp256r1 is equivalent to prime256v1 491 var ( 492 oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33} 493 oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7} 494 oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34} 495 oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35} 496 ) 497 498 func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve { 499 switch { 500 case oid.Equal(oidNamedCurveP224): 501 return elliptic.P224() 502 case oid.Equal(oidNamedCurveP256): 503 return elliptic.P256() 504 case oid.Equal(oidNamedCurveP384): 505 return elliptic.P384() 506 case oid.Equal(oidNamedCurveP521): 507 return elliptic.P521() 508 } 509 return nil 510 } 511 512 func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) { 513 switch curve { 514 case elliptic.P224(): 515 return oidNamedCurveP224, true 516 case elliptic.P256(): 517 return oidNamedCurveP256, true 518 case elliptic.P384(): 519 return oidNamedCurveP384, true 520 case elliptic.P521(): 521 return oidNamedCurveP521, true 522 } 523 524 return nil, false 525 } 526 527 // KeyUsage represents the set of actions that are valid for a given key. It's 528 // a bitmap of the KeyUsage* constants. 529 type KeyUsage int 530 531 const ( 532 KeyUsageDigitalSignature KeyUsage = 1 << iota 533 KeyUsageContentCommitment 534 KeyUsageKeyEncipherment 535 KeyUsageDataEncipherment 536 KeyUsageKeyAgreement 537 KeyUsageCertSign 538 KeyUsageCRLSign 539 KeyUsageEncipherOnly 540 KeyUsageDecipherOnly 541 ) 542 543 // RFC 5280, 4.2.1.12 Extended Key Usage 544 // 545 // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } 546 // 547 // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } 548 // 549 // id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } 550 // id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } 551 // id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } 552 // id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } 553 // id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } 554 // id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 555 var ( 556 oidExtKeyUsageAny = asn1.ObjectIdentifier{2, 5, 29, 37, 0} 557 oidExtKeyUsageServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1} 558 oidExtKeyUsageClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2} 559 oidExtKeyUsageCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3} 560 oidExtKeyUsageEmailProtection = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4} 561 oidExtKeyUsageIPSECEndSystem = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5} 562 oidExtKeyUsageIPSECTunnel = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6} 563 oidExtKeyUsageIPSECUser = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7} 564 oidExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8} 565 oidExtKeyUsageOCSPSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9} 566 oidExtKeyUsageMicrosoftServerGatedCrypto = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3} 567 oidExtKeyUsageNetscapeServerGatedCrypto = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1} 568 oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22} 569 oidExtKeyUsageMicrosoftKernelCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1} 570 ) 571 572 // ExtKeyUsage represents an extended set of actions that are valid for a given key. 573 // Each of the ExtKeyUsage* constants define a unique action. 574 type ExtKeyUsage int 575 576 const ( 577 ExtKeyUsageAny ExtKeyUsage = iota 578 ExtKeyUsageServerAuth 579 ExtKeyUsageClientAuth 580 ExtKeyUsageCodeSigning 581 ExtKeyUsageEmailProtection 582 ExtKeyUsageIPSECEndSystem 583 ExtKeyUsageIPSECTunnel 584 ExtKeyUsageIPSECUser 585 ExtKeyUsageTimeStamping 586 ExtKeyUsageOCSPSigning 587 ExtKeyUsageMicrosoftServerGatedCrypto 588 ExtKeyUsageNetscapeServerGatedCrypto 589 ExtKeyUsageMicrosoftCommercialCodeSigning 590 ExtKeyUsageMicrosoftKernelCodeSigning 591 ) 592 593 // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID. 594 var extKeyUsageOIDs = []struct { 595 extKeyUsage ExtKeyUsage 596 oid asn1.ObjectIdentifier 597 }{ 598 {ExtKeyUsageAny, oidExtKeyUsageAny}, 599 {ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth}, 600 {ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth}, 601 {ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning}, 602 {ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection}, 603 {ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem}, 604 {ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel}, 605 {ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser}, 606 {ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping}, 607 {ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning}, 608 {ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto}, 609 {ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto}, 610 {ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning}, 611 {ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning}, 612 } 613 614 func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) { 615 for _, pair := range extKeyUsageOIDs { 616 if oid.Equal(pair.oid) { 617 return pair.extKeyUsage, true 618 } 619 } 620 return 621 } 622 623 func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) { 624 for _, pair := range extKeyUsageOIDs { 625 if eku == pair.extKeyUsage { 626 return pair.oid, true 627 } 628 } 629 return 630 } 631 632 // A Certificate represents an X.509 certificate. 633 type Certificate struct { 634 Raw []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature). 635 RawTBSCertificate []byte // Certificate part of raw ASN.1 DER content. 636 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo. 637 RawSubject []byte // DER encoded Subject 638 RawIssuer []byte // DER encoded Issuer 639 640 Signature []byte 641 SignatureAlgorithm SignatureAlgorithm 642 643 PublicKeyAlgorithm PublicKeyAlgorithm 644 PublicKey interface{} 645 646 Version int 647 SerialNumber *big.Int 648 Issuer pkix.Name 649 Subject pkix.Name 650 NotBefore, NotAfter time.Time // Validity bounds. 651 KeyUsage KeyUsage 652 653 // Extensions contains raw X.509 extensions. When parsing certificates, 654 // this can be used to extract non-critical extensions that are not 655 // parsed by this package. When marshaling certificates, the Extensions 656 // field is ignored, see ExtraExtensions. 657 Extensions []pkix.Extension 658 659 // ExtraExtensions contains extensions to be copied, raw, into any 660 // marshaled certificates. Values override any extensions that would 661 // otherwise be produced based on the other fields. The ExtraExtensions 662 // field is not populated when parsing certificates, see Extensions. 663 ExtraExtensions []pkix.Extension 664 665 // UnhandledCriticalExtensions contains a list of extension IDs that 666 // were not (fully) processed when parsing. Verify will fail if this 667 // slice is non-empty, unless verification is delegated to an OS 668 // library which understands all the critical extensions. 669 // 670 // Users can access these extensions using Extensions and can remove 671 // elements from this slice if they believe that they have been 672 // handled. 673 UnhandledCriticalExtensions []asn1.ObjectIdentifier 674 675 ExtKeyUsage []ExtKeyUsage // Sequence of extended key usages. 676 UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package. 677 678 // BasicConstraintsValid indicates whether IsCA, MaxPathLen, 679 // and MaxPathLenZero are valid. 680 BasicConstraintsValid bool 681 IsCA bool 682 683 // MaxPathLen and MaxPathLenZero indicate the presence and 684 // value of the BasicConstraints' "pathLenConstraint". 685 // 686 // When parsing a certificate, a positive non-zero MaxPathLen 687 // means that the field was specified, -1 means it was unset, 688 // and MaxPathLenZero being true mean that the field was 689 // explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false 690 // should be treated equivalent to -1 (unset). 691 // 692 // When generating a certificate, an unset pathLenConstraint 693 // can be requested with either MaxPathLen == -1 or using the 694 // zero value for both MaxPathLen and MaxPathLenZero. 695 MaxPathLen int 696 // MaxPathLenZero indicates that BasicConstraintsValid==true 697 // and MaxPathLen==0 should be interpreted as an actual 698 // maximum path length of zero. Otherwise, that combination is 699 // interpreted as MaxPathLen not being set. 700 MaxPathLenZero bool 701 702 SubjectKeyId []byte 703 AuthorityKeyId []byte 704 705 // RFC 5280, 4.2.2.1 (Authority Information Access) 706 OCSPServer []string 707 IssuingCertificateURL []string 708 709 // Subject Alternate Name values 710 DNSNames []string 711 EmailAddresses []string 712 IPAddresses []net.IP 713 URIs []*url.URL 714 715 // Name constraints 716 PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical. 717 PermittedDNSDomains []string 718 ExcludedDNSDomains []string 719 PermittedIPRanges []*net.IPNet 720 ExcludedIPRanges []*net.IPNet 721 PermittedEmailAddresses []string 722 ExcludedEmailAddresses []string 723 PermittedURIDomains []string 724 ExcludedURIDomains []string 725 726 // CRL Distribution Points 727 CRLDistributionPoints []string 728 729 PolicyIdentifiers []asn1.ObjectIdentifier 730 } 731 732 // ErrUnsupportedAlgorithm results from attempting to perform an operation that 733 // involves algorithms that are not currently implemented. 734 var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented") 735 736 // An InsecureAlgorithmError 737 type InsecureAlgorithmError SignatureAlgorithm 738 739 func (e InsecureAlgorithmError) Error() string { 740 return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e)) 741 } 742 743 // ConstraintViolationError results when a requested usage is not permitted by 744 // a certificate. For example: checking a signature when the public key isn't a 745 // certificate signing key. 746 type ConstraintViolationError struct{} 747 748 func (ConstraintViolationError) Error() string { 749 return "x509: invalid signature: parent certificate cannot sign this kind of certificate" 750 } 751 752 func (c *Certificate) Equal(other *Certificate) bool { 753 return bytes.Equal(c.Raw, other.Raw) 754 } 755 756 func (c *Certificate) hasSANExtension() bool { 757 return oidInExtensions(oidExtensionSubjectAltName, c.Extensions) 758 } 759 760 // Entrust have a broken root certificate (CN=Entrust.net Certification 761 // Authority (2048)) which isn't marked as a CA certificate and is thus invalid 762 // according to PKIX. 763 // We recognise this certificate by its SubjectPublicKeyInfo and exempt it 764 // from the Basic Constraints requirement. 765 // See http://www.entrust.net/knowledge-base/technote.cfm?tn=7869 766 // 767 // TODO(agl): remove this hack once their reissued root is sufficiently 768 // widespread. 769 var entrustBrokenSPKI = []byte{ 770 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 771 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 772 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 773 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 774 0x00, 0x97, 0xa3, 0x2d, 0x3c, 0x9e, 0xde, 0x05, 775 0xda, 0x13, 0xc2, 0x11, 0x8d, 0x9d, 0x8e, 0xe3, 776 0x7f, 0xc7, 0x4b, 0x7e, 0x5a, 0x9f, 0xb3, 0xff, 777 0x62, 0xab, 0x73, 0xc8, 0x28, 0x6b, 0xba, 0x10, 778 0x64, 0x82, 0x87, 0x13, 0xcd, 0x57, 0x18, 0xff, 779 0x28, 0xce, 0xc0, 0xe6, 0x0e, 0x06, 0x91, 0x50, 780 0x29, 0x83, 0xd1, 0xf2, 0xc3, 0x2a, 0xdb, 0xd8, 781 0xdb, 0x4e, 0x04, 0xcc, 0x00, 0xeb, 0x8b, 0xb6, 782 0x96, 0xdc, 0xbc, 0xaa, 0xfa, 0x52, 0x77, 0x04, 783 0xc1, 0xdb, 0x19, 0xe4, 0xae, 0x9c, 0xfd, 0x3c, 784 0x8b, 0x03, 0xef, 0x4d, 0xbc, 0x1a, 0x03, 0x65, 785 0xf9, 0xc1, 0xb1, 0x3f, 0x72, 0x86, 0xf2, 0x38, 786 0xaa, 0x19, 0xae, 0x10, 0x88, 0x78, 0x28, 0xda, 787 0x75, 0xc3, 0x3d, 0x02, 0x82, 0x02, 0x9c, 0xb9, 788 0xc1, 0x65, 0x77, 0x76, 0x24, 0x4c, 0x98, 0xf7, 789 0x6d, 0x31, 0x38, 0xfb, 0xdb, 0xfe, 0xdb, 0x37, 790 0x02, 0x76, 0xa1, 0x18, 0x97, 0xa6, 0xcc, 0xde, 791 0x20, 0x09, 0x49, 0x36, 0x24, 0x69, 0x42, 0xf6, 792 0xe4, 0x37, 0x62, 0xf1, 0x59, 0x6d, 0xa9, 0x3c, 793 0xed, 0x34, 0x9c, 0xa3, 0x8e, 0xdb, 0xdc, 0x3a, 794 0xd7, 0xf7, 0x0a, 0x6f, 0xef, 0x2e, 0xd8, 0xd5, 795 0x93, 0x5a, 0x7a, 0xed, 0x08, 0x49, 0x68, 0xe2, 796 0x41, 0xe3, 0x5a, 0x90, 0xc1, 0x86, 0x55, 0xfc, 797 0x51, 0x43, 0x9d, 0xe0, 0xb2, 0xc4, 0x67, 0xb4, 798 0xcb, 0x32, 0x31, 0x25, 0xf0, 0x54, 0x9f, 0x4b, 799 0xd1, 0x6f, 0xdb, 0xd4, 0xdd, 0xfc, 0xaf, 0x5e, 800 0x6c, 0x78, 0x90, 0x95, 0xde, 0xca, 0x3a, 0x48, 801 0xb9, 0x79, 0x3c, 0x9b, 0x19, 0xd6, 0x75, 0x05, 802 0xa0, 0xf9, 0x88, 0xd7, 0xc1, 0xe8, 0xa5, 0x09, 803 0xe4, 0x1a, 0x15, 0xdc, 0x87, 0x23, 0xaa, 0xb2, 804 0x75, 0x8c, 0x63, 0x25, 0x87, 0xd8, 0xf8, 0x3d, 805 0xa6, 0xc2, 0xcc, 0x66, 0xff, 0xa5, 0x66, 0x68, 806 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 807 } 808 809 // CheckSignatureFrom verifies that the signature on c is a valid signature 810 // from parent. 811 func (c *Certificate) CheckSignatureFrom(parent *Certificate) error { 812 // RFC 5280, 4.2.1.9: 813 // "If the basic constraints extension is not present in a version 3 814 // certificate, or the extension is present but the cA boolean is not 815 // asserted, then the certified public key MUST NOT be used to verify 816 // certificate signatures." 817 // (except for Entrust, see comment above entrustBrokenSPKI) 818 if (parent.Version == 3 && !parent.BasicConstraintsValid || 819 parent.BasicConstraintsValid && !parent.IsCA) && 820 !bytes.Equal(c.RawSubjectPublicKeyInfo, entrustBrokenSPKI) { 821 return ConstraintViolationError{} 822 } 823 824 if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 { 825 return ConstraintViolationError{} 826 } 827 828 if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm { 829 return ErrUnsupportedAlgorithm 830 } 831 832 // TODO(agl): don't ignore the path length constraint. 833 834 return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) 835 } 836 837 // CheckSignature verifies that signature is a valid signature over signed from 838 // c's public key. 839 func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error { 840 return checkSignature(algo, signed, signature, c.PublicKey) 841 } 842 843 func (c *Certificate) hasNameConstraints() bool { 844 for _, e := range c.Extensions { 845 if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 && e.Id[3] == 30 { 846 return true 847 } 848 } 849 850 return false 851 } 852 853 func (c *Certificate) getSANExtension() ([]byte, bool) { 854 for _, e := range c.Extensions { 855 if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 && e.Id[3] == 17 { 856 return e.Value, true 857 } 858 } 859 860 return nil, false 861 } 862 863 func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error { 864 return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey) 865 } 866 867 // CheckSignature verifies that signature is a valid signature over signed from 868 // a crypto.PublicKey. 869 func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) { 870 var hashType crypto.Hash 871 var pubKeyAlgo PublicKeyAlgorithm 872 873 for _, details := range signatureAlgorithmDetails { 874 if details.algo == algo { 875 hashType = details.hash 876 pubKeyAlgo = details.pubKeyAlgo 877 } 878 } 879 880 switch hashType { 881 case crypto.Hash(0): 882 return ErrUnsupportedAlgorithm 883 case crypto.MD5: 884 return InsecureAlgorithmError(algo) 885 } 886 887 if !hashType.Available() { 888 return ErrUnsupportedAlgorithm 889 } 890 h := hashType.New() 891 892 h.Write(signed) 893 digest := h.Sum(nil) 894 895 switch pub := publicKey.(type) { 896 case *rsa.PublicKey: 897 if pubKeyAlgo != RSA { 898 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 899 } 900 if algo.isRSAPSS() { 901 return rsa.VerifyPSS(pub, hashType, digest, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}) 902 } else { 903 return rsa.VerifyPKCS1v15(pub, hashType, digest, signature) 904 } 905 case *dsa.PublicKey: 906 if pubKeyAlgo != DSA { 907 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 908 } 909 dsaSig := new(dsaSignature) 910 if rest, err := asn1.Unmarshal(signature, dsaSig); err != nil { 911 return err 912 } else if len(rest) != 0 { 913 return errors.New("x509: trailing data after DSA signature") 914 } 915 if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 { 916 return errors.New("x509: DSA signature contained zero or negative values") 917 } 918 if !dsa.Verify(pub, digest, dsaSig.R, dsaSig.S) { 919 return errors.New("x509: DSA verification failure") 920 } 921 return 922 case *ecdsa.PublicKey: 923 if pubKeyAlgo != ECDSA { 924 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 925 } 926 ecdsaSig := new(ecdsaSignature) 927 if rest, err := asn1.Unmarshal(signature, ecdsaSig); err != nil { 928 return err 929 } else if len(rest) != 0 { 930 return errors.New("x509: trailing data after ECDSA signature") 931 } 932 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { 933 return errors.New("x509: ECDSA signature contained zero or negative values") 934 } 935 if !ecdsa.Verify(pub, digest, ecdsaSig.R, ecdsaSig.S) { 936 return errors.New("x509: ECDSA verification failure") 937 } 938 return 939 } 940 return ErrUnsupportedAlgorithm 941 } 942 943 // CheckCRLSignature checks that the signature in crl is from c. 944 func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error { 945 algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm) 946 return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign()) 947 } 948 949 type UnhandledCriticalExtension struct{} 950 951 func (h UnhandledCriticalExtension) Error() string { 952 return "x509: unhandled critical extension" 953 } 954 955 type basicConstraints struct { 956 IsCA bool `asn1:"optional"` 957 MaxPathLen int `asn1:"optional,default:-1"` 958 } 959 960 // RFC 5280 4.2.1.4 961 type policyInformation struct { 962 Policy asn1.ObjectIdentifier 963 // policyQualifiers omitted 964 } 965 966 const ( 967 nameTypeEmail = 1 968 nameTypeDNS = 2 969 nameTypeURI = 6 970 nameTypeIP = 7 971 ) 972 973 // RFC 5280, 4.2.2.1 974 type authorityInfoAccess struct { 975 Method asn1.ObjectIdentifier 976 Location asn1.RawValue 977 } 978 979 // RFC 5280, 4.2.1.14 980 type distributionPoint struct { 981 DistributionPoint distributionPointName `asn1:"optional,tag:0"` 982 Reason asn1.BitString `asn1:"optional,tag:1"` 983 CRLIssuer asn1.RawValue `asn1:"optional,tag:2"` 984 } 985 986 type distributionPointName struct { 987 FullName []asn1.RawValue `asn1:"optional,tag:0"` 988 RelativeName pkix.RDNSequence `asn1:"optional,tag:1"` 989 } 990 991 func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) { 992 asn1Data := keyData.PublicKey.RightAlign() 993 switch algo { 994 case RSA: 995 // RSA public keys must have a NULL in the parameters 996 // (https://tools.ietf.org/html/rfc3279#section-2.3.1). 997 if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) { 998 return nil, errors.New("x509: RSA key missing NULL parameters") 999 } 1000 1001 p := new(pkcs1PublicKey) 1002 rest, err := asn1.Unmarshal(asn1Data, p) 1003 if err != nil { 1004 return nil, err 1005 } 1006 if len(rest) != 0 { 1007 return nil, errors.New("x509: trailing data after RSA public key") 1008 } 1009 1010 if p.N.Sign() <= 0 { 1011 return nil, errors.New("x509: RSA modulus is not a positive number") 1012 } 1013 if p.E <= 0 { 1014 return nil, errors.New("x509: RSA public exponent is not a positive number") 1015 } 1016 1017 pub := &rsa.PublicKey{ 1018 E: p.E, 1019 N: p.N, 1020 } 1021 return pub, nil 1022 case DSA: 1023 var p *big.Int 1024 rest, err := asn1.Unmarshal(asn1Data, &p) 1025 if err != nil { 1026 return nil, err 1027 } 1028 if len(rest) != 0 { 1029 return nil, errors.New("x509: trailing data after DSA public key") 1030 } 1031 paramsData := keyData.Algorithm.Parameters.FullBytes 1032 params := new(dsaAlgorithmParameters) 1033 rest, err = asn1.Unmarshal(paramsData, params) 1034 if err != nil { 1035 return nil, err 1036 } 1037 if len(rest) != 0 { 1038 return nil, errors.New("x509: trailing data after DSA parameters") 1039 } 1040 if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0 || params.G.Sign() <= 0 { 1041 return nil, errors.New("x509: zero or negative DSA parameter") 1042 } 1043 pub := &dsa.PublicKey{ 1044 Parameters: dsa.Parameters{ 1045 P: params.P, 1046 Q: params.Q, 1047 G: params.G, 1048 }, 1049 Y: p, 1050 } 1051 return pub, nil 1052 case ECDSA: 1053 paramsData := keyData.Algorithm.Parameters.FullBytes 1054 namedCurveOID := new(asn1.ObjectIdentifier) 1055 rest, err := asn1.Unmarshal(paramsData, namedCurveOID) 1056 if err != nil { 1057 return nil, err 1058 } 1059 if len(rest) != 0 { 1060 return nil, errors.New("x509: trailing data after ECDSA parameters") 1061 } 1062 namedCurve := namedCurveFromOID(*namedCurveOID) 1063 if namedCurve == nil { 1064 return nil, errors.New("x509: unsupported elliptic curve") 1065 } 1066 x, y := elliptic.Unmarshal(namedCurve, asn1Data) 1067 if x == nil { 1068 return nil, errors.New("x509: failed to unmarshal elliptic curve point") 1069 } 1070 pub := &ecdsa.PublicKey{ 1071 Curve: namedCurve, 1072 X: x, 1073 Y: y, 1074 } 1075 return pub, nil 1076 default: 1077 return nil, nil 1078 } 1079 } 1080 1081 func forEachSAN(extension []byte, callback func(tag int, data []byte) error) error { 1082 // RFC 5280, 4.2.1.6 1083 1084 // SubjectAltName ::= GeneralNames 1085 // 1086 // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 1087 // 1088 // GeneralName ::= CHOICE { 1089 // otherName [0] OtherName, 1090 // rfc822Name [1] IA5String, 1091 // dNSName [2] IA5String, 1092 // x400Address [3] ORAddress, 1093 // directoryName [4] Name, 1094 // ediPartyName [5] EDIPartyName, 1095 // uniformResourceIdentifier [6] IA5String, 1096 // iPAddress [7] OCTET STRING, 1097 // registeredID [8] OBJECT IDENTIFIER } 1098 var seq asn1.RawValue 1099 rest, err := asn1.Unmarshal(extension, &seq) 1100 if err != nil { 1101 return err 1102 } else if len(rest) != 0 { 1103 return errors.New("x509: trailing data after X.509 extension") 1104 } 1105 if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 { 1106 return asn1.StructuralError{Msg: "bad SAN sequence"} 1107 } 1108 1109 rest = seq.Bytes 1110 for len(rest) > 0 { 1111 var v asn1.RawValue 1112 rest, err = asn1.Unmarshal(rest, &v) 1113 if err != nil { 1114 return err 1115 } 1116 1117 if err := callback(v.Tag, v.Bytes); err != nil { 1118 return err 1119 } 1120 } 1121 1122 return nil 1123 } 1124 1125 func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) { 1126 err = forEachSAN(value, func(tag int, data []byte) error { 1127 switch tag { 1128 case nameTypeEmail: 1129 mailbox := string(data) 1130 if _, ok := parseRFC2821Mailbox(mailbox); !ok { 1131 return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox) 1132 } 1133 emailAddresses = append(emailAddresses, mailbox) 1134 case nameTypeDNS: 1135 domain := string(data) 1136 if _, ok := domainToReverseLabels(domain); !ok { 1137 return fmt.Errorf("x509: cannot parse dnsName %q", string(data)) 1138 } 1139 dnsNames = append(dnsNames, domain) 1140 case nameTypeURI: 1141 uri, err := url.Parse(string(data)) 1142 if err != nil { 1143 return fmt.Errorf("x509: cannot parse URI %q: %s", string(data), err) 1144 } 1145 if len(uri.Host) > 0 { 1146 if _, ok := domainToReverseLabels(uri.Host); !ok { 1147 return fmt.Errorf("x509: cannot parse URI %q: invalid domain", string(data)) 1148 } 1149 } 1150 uris = append(uris, uri) 1151 case nameTypeIP: 1152 switch len(data) { 1153 case net.IPv4len, net.IPv6len: 1154 ipAddresses = append(ipAddresses, data) 1155 default: 1156 return errors.New("x509: certificate contained IP address of length " + strconv.Itoa(len(data))) 1157 } 1158 } 1159 1160 return nil 1161 }) 1162 1163 return 1164 } 1165 1166 // isValidIPMask returns true iff mask consists of zero or more 1 bits, followed by zero bits. 1167 func isValidIPMask(mask []byte) bool { 1168 seenZero := false 1169 1170 for _, b := range mask { 1171 if seenZero { 1172 if b != 0 { 1173 return false 1174 } 1175 1176 continue 1177 } 1178 1179 switch b { 1180 case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe: 1181 seenZero = true 1182 case 0xff: 1183 default: 1184 return false 1185 } 1186 } 1187 1188 return true 1189 } 1190 1191 func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) { 1192 // RFC 5280, 4.2.1.10 1193 1194 // NameConstraints ::= SEQUENCE { 1195 // permittedSubtrees [0] GeneralSubtrees OPTIONAL, 1196 // excludedSubtrees [1] GeneralSubtrees OPTIONAL } 1197 // 1198 // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree 1199 // 1200 // GeneralSubtree ::= SEQUENCE { 1201 // base GeneralName, 1202 // minimum [0] BaseDistance DEFAULT 0, 1203 // maximum [1] BaseDistance OPTIONAL } 1204 // 1205 // BaseDistance ::= INTEGER (0..MAX) 1206 1207 outer := cryptobyte.String(e.Value) 1208 var toplevel, permitted, excluded cryptobyte.String 1209 var havePermitted, haveExcluded bool 1210 if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) || 1211 !outer.Empty() || 1212 !toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) || 1213 !toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) || 1214 !toplevel.Empty() { 1215 return false, errors.New("x509: invalid NameConstraints extension") 1216 } 1217 1218 if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 { 1219 // https://tools.ietf.org/html/rfc5280#section-4.2.1.10: 1220 // either the permittedSubtrees field 1221 // or the excludedSubtrees MUST be 1222 // present 1223 return false, errors.New("x509: empty name constraints extension") 1224 } 1225 1226 getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) { 1227 for !subtrees.Empty() { 1228 var seq, value cryptobyte.String 1229 var tag cryptobyte_asn1.Tag 1230 if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) || 1231 !seq.ReadAnyASN1(&value, &tag) { 1232 return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension") 1233 } 1234 1235 var ( 1236 dnsTag = cryptobyte_asn1.Tag(2).ContextSpecific() 1237 emailTag = cryptobyte_asn1.Tag(1).ContextSpecific() 1238 ipTag = cryptobyte_asn1.Tag(7).ContextSpecific() 1239 uriTag = cryptobyte_asn1.Tag(6).ContextSpecific() 1240 ) 1241 1242 switch tag { 1243 case dnsTag: 1244 domain := string(value) 1245 if err := isIA5String(domain); err != nil { 1246 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 1247 } 1248 1249 trimmedDomain := domain 1250 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { 1251 // constraints can have a leading 1252 // period to exclude the domain 1253 // itself, but that's not valid in a 1254 // normal domain name. 1255 trimmedDomain = trimmedDomain[1:] 1256 } 1257 if _, ok := domainToReverseLabels(trimmedDomain); !ok { 1258 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain) 1259 } 1260 dnsNames = append(dnsNames, domain) 1261 1262 case ipTag: 1263 l := len(value) 1264 var ip, mask []byte 1265 1266 switch l { 1267 case 8: 1268 ip = value[:4] 1269 mask = value[4:] 1270 1271 case 32: 1272 ip = value[:16] 1273 mask = value[16:] 1274 1275 default: 1276 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l) 1277 } 1278 1279 if !isValidIPMask(mask) { 1280 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask) 1281 } 1282 1283 ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)}) 1284 1285 case emailTag: 1286 constraint := string(value) 1287 if err := isIA5String(constraint); err != nil { 1288 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 1289 } 1290 1291 // If the constraint contains an @ then 1292 // it specifies an exact mailbox name. 1293 if strings.Contains(constraint, "@") { 1294 if _, ok := parseRFC2821Mailbox(constraint); !ok { 1295 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) 1296 } 1297 } else { 1298 // Otherwise it's a domain name. 1299 domain := constraint 1300 if len(domain) > 0 && domain[0] == '.' { 1301 domain = domain[1:] 1302 } 1303 if _, ok := domainToReverseLabels(domain); !ok { 1304 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) 1305 } 1306 } 1307 emails = append(emails, constraint) 1308 1309 case uriTag: 1310 domain := string(value) 1311 if err := isIA5String(domain); err != nil { 1312 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 1313 } 1314 1315 if net.ParseIP(domain) != nil { 1316 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) 1317 } 1318 1319 trimmedDomain := domain 1320 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { 1321 // constraints can have a leading 1322 // period to exclude the domain itself, 1323 // but that's not valid in a normal 1324 // domain name. 1325 trimmedDomain = trimmedDomain[1:] 1326 } 1327 if _, ok := domainToReverseLabels(trimmedDomain); !ok { 1328 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain) 1329 } 1330 uriDomains = append(uriDomains, domain) 1331 1332 default: 1333 unhandled = true 1334 } 1335 } 1336 1337 return dnsNames, ips, emails, uriDomains, nil 1338 } 1339 1340 if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil { 1341 return false, err 1342 } 1343 if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil { 1344 return false, err 1345 } 1346 out.PermittedDNSDomainsCritical = e.Critical 1347 1348 return unhandled, nil 1349 } 1350 1351 func parseCertificate(in *certificate) (*Certificate, error) { 1352 out := new(Certificate) 1353 out.Raw = in.Raw 1354 out.RawTBSCertificate = in.TBSCertificate.Raw 1355 out.RawSubjectPublicKeyInfo = in.TBSCertificate.PublicKey.Raw 1356 out.RawSubject = in.TBSCertificate.Subject.FullBytes 1357 out.RawIssuer = in.TBSCertificate.Issuer.FullBytes 1358 1359 out.Signature = in.SignatureValue.RightAlign() 1360 out.SignatureAlgorithm = 1361 getSignatureAlgorithmFromAI(in.TBSCertificate.SignatureAlgorithm) 1362 1363 out.PublicKeyAlgorithm = 1364 getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorithm.Algorithm) 1365 var err error 1366 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey) 1367 if err != nil { 1368 return nil, err 1369 } 1370 1371 out.Version = in.TBSCertificate.Version + 1 1372 out.SerialNumber = in.TBSCertificate.SerialNumber 1373 1374 var issuer, subject pkix.RDNSequence 1375 if rest, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subject); err != nil { 1376 return nil, err 1377 } else if len(rest) != 0 { 1378 return nil, errors.New("x509: trailing data after X.509 subject") 1379 } 1380 if rest, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer); err != nil { 1381 return nil, err 1382 } else if len(rest) != 0 { 1383 return nil, errors.New("x509: trailing data after X.509 subject") 1384 } 1385 1386 out.Issuer.FillFromRDNSequence(&issuer) 1387 out.Subject.FillFromRDNSequence(&subject) 1388 1389 out.NotBefore = in.TBSCertificate.Validity.NotBefore 1390 out.NotAfter = in.TBSCertificate.Validity.NotAfter 1391 1392 for _, e := range in.TBSCertificate.Extensions { 1393 out.Extensions = append(out.Extensions, e) 1394 unhandled := false 1395 1396 if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 { 1397 switch e.Id[3] { 1398 case 15: 1399 // RFC 5280, 4.2.1.3 1400 var usageBits asn1.BitString 1401 if rest, err := asn1.Unmarshal(e.Value, &usageBits); err != nil { 1402 return nil, err 1403 } else if len(rest) != 0 { 1404 return nil, errors.New("x509: trailing data after X.509 KeyUsage") 1405 } 1406 1407 var usage int 1408 for i := 0; i < 9; i++ { 1409 if usageBits.At(i) != 0 { 1410 usage |= 1 << uint(i) 1411 } 1412 } 1413 out.KeyUsage = KeyUsage(usage) 1414 1415 case 19: 1416 // RFC 5280, 4.2.1.9 1417 var constraints basicConstraints 1418 if rest, err := asn1.Unmarshal(e.Value, &constraints); err != nil { 1419 return nil, err 1420 } else if len(rest) != 0 { 1421 return nil, errors.New("x509: trailing data after X.509 BasicConstraints") 1422 } 1423 1424 out.BasicConstraintsValid = true 1425 out.IsCA = constraints.IsCA 1426 out.MaxPathLen = constraints.MaxPathLen 1427 out.MaxPathLenZero = out.MaxPathLen == 0 1428 // TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285) 1429 case 17: 1430 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value) 1431 if err != nil { 1432 return nil, err 1433 } 1434 1435 if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 { 1436 // If we didn't parse anything then we do the critical check, below. 1437 unhandled = true 1438 } 1439 1440 case 30: 1441 unhandled, err = parseNameConstraintsExtension(out, e) 1442 if err != nil { 1443 return nil, err 1444 } 1445 1446 case 31: 1447 // RFC 5280, 4.2.1.13 1448 1449 // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint 1450 // 1451 // DistributionPoint ::= SEQUENCE { 1452 // distributionPoint [0] DistributionPointName OPTIONAL, 1453 // reasons [1] ReasonFlags OPTIONAL, 1454 // cRLIssuer [2] GeneralNames OPTIONAL } 1455 // 1456 // DistributionPointName ::= CHOICE { 1457 // fullName [0] GeneralNames, 1458 // nameRelativeToCRLIssuer [1] RelativeDistinguishedName } 1459 1460 var cdp []distributionPoint 1461 if rest, err := asn1.Unmarshal(e.Value, &cdp); err != nil { 1462 return nil, err 1463 } else if len(rest) != 0 { 1464 return nil, errors.New("x509: trailing data after X.509 CRL distribution point") 1465 } 1466 1467 for _, dp := range cdp { 1468 // Per RFC 5280, 4.2.1.13, one of distributionPoint or cRLIssuer may be empty. 1469 if len(dp.DistributionPoint.FullName) == 0 { 1470 continue 1471 } 1472 1473 for _, fullName := range dp.DistributionPoint.FullName { 1474 if fullName.Tag == 6 { 1475 out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(fullName.Bytes)) 1476 } 1477 } 1478 } 1479 1480 case 35: 1481 // RFC 5280, 4.2.1.1 1482 var a authKeyId 1483 if rest, err := asn1.Unmarshal(e.Value, &a); err != nil { 1484 return nil, err 1485 } else if len(rest) != 0 { 1486 return nil, errors.New("x509: trailing data after X.509 authority key-id") 1487 } 1488 out.AuthorityKeyId = a.Id 1489 1490 case 37: 1491 // RFC 5280, 4.2.1.12. Extended Key Usage 1492 1493 // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } 1494 // 1495 // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 1496 // 1497 // KeyPurposeId ::= OBJECT IDENTIFIER 1498 1499 var keyUsage []asn1.ObjectIdentifier 1500 if rest, err := asn1.Unmarshal(e.Value, &keyUsage); err != nil { 1501 return nil, err 1502 } else if len(rest) != 0 { 1503 return nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage") 1504 } 1505 1506 for _, u := range keyUsage { 1507 if extKeyUsage, ok := extKeyUsageFromOID(u); ok { 1508 out.ExtKeyUsage = append(out.ExtKeyUsage, extKeyUsage) 1509 } else { 1510 out.UnknownExtKeyUsage = append(out.UnknownExtKeyUsage, u) 1511 } 1512 } 1513 1514 case 14: 1515 // RFC 5280, 4.2.1.2 1516 var keyid []byte 1517 if rest, err := asn1.Unmarshal(e.Value, &keyid); err != nil { 1518 return nil, err 1519 } else if len(rest) != 0 { 1520 return nil, errors.New("x509: trailing data after X.509 key-id") 1521 } 1522 out.SubjectKeyId = keyid 1523 1524 case 32: 1525 // RFC 5280 4.2.1.4: Certificate Policies 1526 var policies []policyInformation 1527 if rest, err := asn1.Unmarshal(e.Value, &policies); err != nil { 1528 return nil, err 1529 } else if len(rest) != 0 { 1530 return nil, errors.New("x509: trailing data after X.509 certificate policies") 1531 } 1532 out.PolicyIdentifiers = make([]asn1.ObjectIdentifier, len(policies)) 1533 for i, policy := range policies { 1534 out.PolicyIdentifiers[i] = policy.Policy 1535 } 1536 1537 default: 1538 // Unknown extensions are recorded if critical. 1539 unhandled = true 1540 } 1541 } else if e.Id.Equal(oidExtensionAuthorityInfoAccess) { 1542 // RFC 5280 4.2.2.1: Authority Information Access 1543 var aia []authorityInfoAccess 1544 if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil { 1545 return nil, err 1546 } else if len(rest) != 0 { 1547 return nil, errors.New("x509: trailing data after X.509 authority information") 1548 } 1549 1550 for _, v := range aia { 1551 // GeneralName: uniformResourceIdentifier [6] IA5String 1552 if v.Location.Tag != 6 { 1553 continue 1554 } 1555 if v.Method.Equal(oidAuthorityInfoAccessOcsp) { 1556 out.OCSPServer = append(out.OCSPServer, string(v.Location.Bytes)) 1557 } else if v.Method.Equal(oidAuthorityInfoAccessIssuers) { 1558 out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(v.Location.Bytes)) 1559 } 1560 } 1561 } else { 1562 // Unknown extensions are recorded if critical. 1563 unhandled = true 1564 } 1565 1566 if e.Critical && unhandled { 1567 out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id) 1568 } 1569 } 1570 1571 return out, nil 1572 } 1573 1574 // ParseCertificate parses a single certificate from the given ASN.1 DER data. 1575 func ParseCertificate(asn1Data []byte) (*Certificate, error) { 1576 var cert certificate 1577 rest, err := asn1.Unmarshal(asn1Data, &cert) 1578 if err != nil { 1579 return nil, err 1580 } 1581 if len(rest) > 0 { 1582 return nil, asn1.SyntaxError{Msg: "trailing data"} 1583 } 1584 1585 return parseCertificate(&cert) 1586 } 1587 1588 // ParseCertificates parses one or more certificates from the given ASN.1 DER 1589 // data. The certificates must be concatenated with no intermediate padding. 1590 func ParseCertificates(asn1Data []byte) ([]*Certificate, error) { 1591 var v []*certificate 1592 1593 for len(asn1Data) > 0 { 1594 cert := new(certificate) 1595 var err error 1596 asn1Data, err = asn1.Unmarshal(asn1Data, cert) 1597 if err != nil { 1598 return nil, err 1599 } 1600 v = append(v, cert) 1601 } 1602 1603 ret := make([]*Certificate, len(v)) 1604 for i, ci := range v { 1605 cert, err := parseCertificate(ci) 1606 if err != nil { 1607 return nil, err 1608 } 1609 ret[i] = cert 1610 } 1611 1612 return ret, nil 1613 } 1614 1615 func reverseBitsInAByte(in byte) byte { 1616 b1 := in>>4 | in<<4 1617 b2 := b1>>2&0x33 | b1<<2&0xcc 1618 b3 := b2>>1&0x55 | b2<<1&0xaa 1619 return b3 1620 } 1621 1622 // asn1BitLength returns the bit-length of bitString by considering the 1623 // most-significant bit in a byte to be the "first" bit. This convention 1624 // matches ASN.1, but differs from almost everything else. 1625 func asn1BitLength(bitString []byte) int { 1626 bitLen := len(bitString) * 8 1627 1628 for i := range bitString { 1629 b := bitString[len(bitString)-i-1] 1630 1631 for bit := uint(0); bit < 8; bit++ { 1632 if (b>>bit)&1 == 1 { 1633 return bitLen 1634 } 1635 bitLen-- 1636 } 1637 } 1638 1639 return 0 1640 } 1641 1642 var ( 1643 oidExtensionSubjectKeyId = []int{2, 5, 29, 14} 1644 oidExtensionKeyUsage = []int{2, 5, 29, 15} 1645 oidExtensionExtendedKeyUsage = []int{2, 5, 29, 37} 1646 oidExtensionAuthorityKeyId = []int{2, 5, 29, 35} 1647 oidExtensionBasicConstraints = []int{2, 5, 29, 19} 1648 oidExtensionSubjectAltName = []int{2, 5, 29, 17} 1649 oidExtensionCertificatePolicies = []int{2, 5, 29, 32} 1650 oidExtensionNameConstraints = []int{2, 5, 29, 30} 1651 oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31} 1652 oidExtensionAuthorityInfoAccess = []int{1, 3, 6, 1, 5, 5, 7, 1, 1} 1653 ) 1654 1655 var ( 1656 oidAuthorityInfoAccessOcsp = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1} 1657 oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2} 1658 ) 1659 1660 // oidNotInExtensions returns whether an extension with the given oid exists in 1661 // extensions. 1662 func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool { 1663 for _, e := range extensions { 1664 if e.Id.Equal(oid) { 1665 return true 1666 } 1667 } 1668 return false 1669 } 1670 1671 // marshalSANs marshals a list of addresses into a the contents of an X.509 1672 // SubjectAlternativeName extension. 1673 func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) { 1674 var rawValues []asn1.RawValue 1675 for _, name := range dnsNames { 1676 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)}) 1677 } 1678 for _, email := range emailAddresses { 1679 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)}) 1680 } 1681 for _, rawIP := range ipAddresses { 1682 // If possible, we always want to encode IPv4 addresses in 4 bytes. 1683 ip := rawIP.To4() 1684 if ip == nil { 1685 ip = rawIP 1686 } 1687 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip}) 1688 } 1689 for _, uri := range uris { 1690 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uri.String())}) 1691 } 1692 return asn1.Marshal(rawValues) 1693 } 1694 1695 func isIA5String(s string) error { 1696 for _, r := range s { 1697 if r >= utf8.RuneSelf { 1698 return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s) 1699 } 1700 } 1701 1702 return nil 1703 } 1704 1705 func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte) (ret []pkix.Extension, err error) { 1706 ret = make([]pkix.Extension, 10 /* maximum number of elements. */) 1707 n := 0 1708 1709 if template.KeyUsage != 0 && 1710 !oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) { 1711 ret[n].Id = oidExtensionKeyUsage 1712 ret[n].Critical = true 1713 1714 var a [2]byte 1715 a[0] = reverseBitsInAByte(byte(template.KeyUsage)) 1716 a[1] = reverseBitsInAByte(byte(template.KeyUsage >> 8)) 1717 1718 l := 1 1719 if a[1] != 0 { 1720 l = 2 1721 } 1722 1723 bitString := a[:l] 1724 ret[n].Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)}) 1725 if err != nil { 1726 return 1727 } 1728 n++ 1729 } 1730 1731 if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) && 1732 !oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) { 1733 ret[n].Id = oidExtensionExtendedKeyUsage 1734 1735 var oids []asn1.ObjectIdentifier 1736 for _, u := range template.ExtKeyUsage { 1737 if oid, ok := oidFromExtKeyUsage(u); ok { 1738 oids = append(oids, oid) 1739 } else { 1740 panic("internal error") 1741 } 1742 } 1743 1744 oids = append(oids, template.UnknownExtKeyUsage...) 1745 1746 ret[n].Value, err = asn1.Marshal(oids) 1747 if err != nil { 1748 return 1749 } 1750 n++ 1751 } 1752 1753 if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) { 1754 // Leaving MaxPathLen as zero indicates that no maximum path 1755 // length is desired, unless MaxPathLenZero is set. A value of 1756 // -1 causes encoding/asn1 to omit the value as desired. 1757 maxPathLen := template.MaxPathLen 1758 if maxPathLen == 0 && !template.MaxPathLenZero { 1759 maxPathLen = -1 1760 } 1761 ret[n].Id = oidExtensionBasicConstraints 1762 ret[n].Value, err = asn1.Marshal(basicConstraints{template.IsCA, maxPathLen}) 1763 ret[n].Critical = true 1764 if err != nil { 1765 return 1766 } 1767 n++ 1768 } 1769 1770 if len(template.SubjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) { 1771 ret[n].Id = oidExtensionSubjectKeyId 1772 ret[n].Value, err = asn1.Marshal(template.SubjectKeyId) 1773 if err != nil { 1774 return 1775 } 1776 n++ 1777 } 1778 1779 if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) { 1780 ret[n].Id = oidExtensionAuthorityKeyId 1781 ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId}) 1782 if err != nil { 1783 return 1784 } 1785 n++ 1786 } 1787 1788 if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) && 1789 !oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) { 1790 ret[n].Id = oidExtensionAuthorityInfoAccess 1791 var aiaValues []authorityInfoAccess 1792 for _, name := range template.OCSPServer { 1793 aiaValues = append(aiaValues, authorityInfoAccess{ 1794 Method: oidAuthorityInfoAccessOcsp, 1795 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)}, 1796 }) 1797 } 1798 for _, name := range template.IssuingCertificateURL { 1799 aiaValues = append(aiaValues, authorityInfoAccess{ 1800 Method: oidAuthorityInfoAccessIssuers, 1801 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)}, 1802 }) 1803 } 1804 ret[n].Value, err = asn1.Marshal(aiaValues) 1805 if err != nil { 1806 return 1807 } 1808 n++ 1809 } 1810 1811 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) && 1812 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) { 1813 ret[n].Id = oidExtensionSubjectAltName 1814 // https://tools.ietf.org/html/rfc5280#section-4.2.1.6 1815 // If the subject field contains an empty sequence ... then 1816 // subjectAltName extension ... is marked as critical 1817 ret[n].Critical = subjectIsEmpty 1818 ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs) 1819 if err != nil { 1820 return 1821 } 1822 n++ 1823 } 1824 1825 if len(template.PolicyIdentifiers) > 0 && 1826 !oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) { 1827 ret[n].Id = oidExtensionCertificatePolicies 1828 policies := make([]policyInformation, len(template.PolicyIdentifiers)) 1829 for i, policy := range template.PolicyIdentifiers { 1830 policies[i].Policy = policy 1831 } 1832 ret[n].Value, err = asn1.Marshal(policies) 1833 if err != nil { 1834 return 1835 } 1836 n++ 1837 } 1838 1839 if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 || 1840 len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 || 1841 len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 || 1842 len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) && 1843 !oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) { 1844 ret[n].Id = oidExtensionNameConstraints 1845 ret[n].Critical = template.PermittedDNSDomainsCritical 1846 1847 ipAndMask := func(ipNet *net.IPNet) []byte { 1848 maskedIP := ipNet.IP.Mask(ipNet.Mask) 1849 ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask)) 1850 ipAndMask = append(ipAndMask, maskedIP...) 1851 ipAndMask = append(ipAndMask, ipNet.Mask...) 1852 return ipAndMask 1853 } 1854 1855 serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) { 1856 var b cryptobyte.Builder 1857 1858 for _, name := range dns { 1859 if err = isIA5String(name); err != nil { 1860 return nil, err 1861 } 1862 1863 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1864 b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) { 1865 b.AddBytes([]byte(name)) 1866 }) 1867 }) 1868 } 1869 1870 for _, ipNet := range ips { 1871 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1872 b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) { 1873 b.AddBytes(ipAndMask(ipNet)) 1874 }) 1875 }) 1876 } 1877 1878 for _, email := range emails { 1879 if err = isIA5String(email); err != nil { 1880 return nil, err 1881 } 1882 1883 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1884 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) { 1885 b.AddBytes([]byte(email)) 1886 }) 1887 }) 1888 } 1889 1890 for _, uriDomain := range uriDomains { 1891 if err = isIA5String(uriDomain); err != nil { 1892 return nil, err 1893 } 1894 1895 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1896 b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) { 1897 b.AddBytes([]byte(uriDomain)) 1898 }) 1899 }) 1900 } 1901 1902 return b.Bytes() 1903 } 1904 1905 permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains) 1906 if err != nil { 1907 return nil, err 1908 } 1909 1910 excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains) 1911 if err != nil { 1912 return nil, err 1913 } 1914 1915 var b cryptobyte.Builder 1916 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1917 if len(permitted) > 0 { 1918 b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) { 1919 b.AddBytes(permitted) 1920 }) 1921 } 1922 1923 if len(excluded) > 0 { 1924 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) { 1925 b.AddBytes(excluded) 1926 }) 1927 } 1928 }) 1929 1930 ret[n].Value, err = b.Bytes() 1931 if err != nil { 1932 return nil, err 1933 } 1934 n++ 1935 } 1936 1937 if len(template.CRLDistributionPoints) > 0 && 1938 !oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) { 1939 ret[n].Id = oidExtensionCRLDistributionPoints 1940 1941 var crlDp []distributionPoint 1942 for _, name := range template.CRLDistributionPoints { 1943 dp := distributionPoint{ 1944 DistributionPoint: distributionPointName{ 1945 FullName: []asn1.RawValue{ 1946 asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)}, 1947 }, 1948 }, 1949 } 1950 crlDp = append(crlDp, dp) 1951 } 1952 1953 ret[n].Value, err = asn1.Marshal(crlDp) 1954 if err != nil { 1955 return 1956 } 1957 n++ 1958 } 1959 1960 // Adding another extension here? Remember to update the maximum number 1961 // of elements in the make() at the top of the function. 1962 1963 return append(ret[:n], template.ExtraExtensions...), nil 1964 } 1965 1966 func subjectBytes(cert *Certificate) ([]byte, error) { 1967 if len(cert.RawSubject) > 0 { 1968 return cert.RawSubject, nil 1969 } 1970 1971 return asn1.Marshal(cert.Subject.ToRDNSequence()) 1972 } 1973 1974 // signingParamsForPublicKey returns the parameters to use for signing with 1975 // priv. If requestedSigAlgo is not zero then it overrides the default 1976 // signature algorithm. 1977 func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) { 1978 var pubType PublicKeyAlgorithm 1979 1980 switch pub := pub.(type) { 1981 case *rsa.PublicKey: 1982 pubType = RSA 1983 hashFunc = crypto.SHA256 1984 sigAlgo.Algorithm = oidSignatureSHA256WithRSA 1985 sigAlgo.Parameters = asn1.NullRawValue 1986 1987 case *ecdsa.PublicKey: 1988 pubType = ECDSA 1989 1990 switch pub.Curve { 1991 case elliptic.P224(), elliptic.P256(): 1992 hashFunc = crypto.SHA256 1993 sigAlgo.Algorithm = oidSignatureECDSAWithSHA256 1994 case elliptic.P384(): 1995 hashFunc = crypto.SHA384 1996 sigAlgo.Algorithm = oidSignatureECDSAWithSHA384 1997 case elliptic.P521(): 1998 hashFunc = crypto.SHA512 1999 sigAlgo.Algorithm = oidSignatureECDSAWithSHA512 2000 default: 2001 err = errors.New("x509: unknown elliptic curve") 2002 } 2003 2004 default: 2005 err = errors.New("x509: only RSA and ECDSA keys supported") 2006 } 2007 2008 if err != nil { 2009 return 2010 } 2011 2012 if requestedSigAlgo == 0 { 2013 return 2014 } 2015 2016 found := false 2017 for _, details := range signatureAlgorithmDetails { 2018 if details.algo == requestedSigAlgo { 2019 if details.pubKeyAlgo != pubType { 2020 err = errors.New("x509: requested SignatureAlgorithm does not match private key type") 2021 return 2022 } 2023 sigAlgo.Algorithm, hashFunc = details.oid, details.hash 2024 if hashFunc == 0 { 2025 err = errors.New("x509: cannot sign with hash function requested") 2026 return 2027 } 2028 if requestedSigAlgo.isRSAPSS() { 2029 sigAlgo.Parameters = rsaPSSParameters(hashFunc) 2030 } 2031 found = true 2032 break 2033 } 2034 } 2035 2036 if !found { 2037 err = errors.New("x509: unknown SignatureAlgorithm") 2038 } 2039 2040 return 2041 } 2042 2043 // emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is 2044 // just an empty SEQUENCE. 2045 var emptyASN1Subject = []byte{0x30, 0} 2046 2047 // CreateCertificate creates a new X.509v3 certificate based on a template. 2048 // The following members of template are used: AuthorityKeyId, 2049 // BasicConstraintsValid, DNSNames, ExcludedDNSDomains, ExtKeyUsage, 2050 // IsCA, KeyUsage, MaxPathLen, MaxPathLenZero, NotAfter, NotBefore, 2051 // PermittedDNSDomains, PermittedDNSDomainsCritical, SerialNumber, 2052 // SignatureAlgorithm, Subject, SubjectKeyId, and UnknownExtKeyUsage. 2053 // 2054 // The certificate is signed by parent. If parent is equal to template then the 2055 // certificate is self-signed. The parameter pub is the public key of the 2056 // signee and priv is the private key of the signer. 2057 // 2058 // The returned slice is the certificate in DER encoding. 2059 // 2060 // All keys types that are implemented via crypto.Signer are supported (This 2061 // includes *rsa.PublicKey and *ecdsa.PublicKey.) 2062 // 2063 // The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any, 2064 // unless the resulting certificate is self-signed. Otherwise the value from 2065 // template will be used. 2066 func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) { 2067 key, ok := priv.(crypto.Signer) 2068 if !ok { 2069 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 2070 } 2071 2072 if template.SerialNumber == nil { 2073 return nil, errors.New("x509: no SerialNumber given") 2074 } 2075 2076 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm) 2077 if err != nil { 2078 return nil, err 2079 } 2080 2081 publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub) 2082 if err != nil { 2083 return nil, err 2084 } 2085 2086 asn1Issuer, err := subjectBytes(parent) 2087 if err != nil { 2088 return 2089 } 2090 2091 asn1Subject, err := subjectBytes(template) 2092 if err != nil { 2093 return 2094 } 2095 2096 authorityKeyId := template.AuthorityKeyId 2097 if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 { 2098 authorityKeyId = parent.SubjectKeyId 2099 } 2100 2101 extensions, err := buildExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId) 2102 if err != nil { 2103 return 2104 } 2105 2106 encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes} 2107 c := tbsCertificate{ 2108 Version: 2, 2109 SerialNumber: template.SerialNumber, 2110 SignatureAlgorithm: signatureAlgorithm, 2111 Issuer: asn1.RawValue{FullBytes: asn1Issuer}, 2112 Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()}, 2113 Subject: asn1.RawValue{FullBytes: asn1Subject}, 2114 PublicKey: publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey}, 2115 Extensions: extensions, 2116 } 2117 2118 tbsCertContents, err := asn1.Marshal(c) 2119 if err != nil { 2120 return 2121 } 2122 2123 c.Raw = tbsCertContents 2124 2125 h := hashFunc.New() 2126 h.Write(tbsCertContents) 2127 digest := h.Sum(nil) 2128 2129 var signerOpts crypto.SignerOpts 2130 signerOpts = hashFunc 2131 if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() { 2132 signerOpts = &rsa.PSSOptions{ 2133 SaltLength: rsa.PSSSaltLengthEqualsHash, 2134 Hash: hashFunc, 2135 } 2136 } 2137 2138 var signature []byte 2139 signature, err = key.Sign(rand, digest, signerOpts) 2140 if err != nil { 2141 return 2142 } 2143 2144 return asn1.Marshal(certificate{ 2145 nil, 2146 c, 2147 signatureAlgorithm, 2148 asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, 2149 }) 2150 } 2151 2152 // pemCRLPrefix is the magic string that indicates that we have a PEM encoded 2153 // CRL. 2154 var pemCRLPrefix = []byte("-----BEGIN X509 CRL") 2155 2156 // pemType is the type of a PEM encoded CRL. 2157 var pemType = "X509 CRL" 2158 2159 // ParseCRL parses a CRL from the given bytes. It's often the case that PEM 2160 // encoded CRLs will appear where they should be DER encoded, so this function 2161 // will transparently handle PEM encoding as long as there isn't any leading 2162 // garbage. 2163 func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) { 2164 if bytes.HasPrefix(crlBytes, pemCRLPrefix) { 2165 block, _ := pem.Decode(crlBytes) 2166 if block != nil && block.Type == pemType { 2167 crlBytes = block.Bytes 2168 } 2169 } 2170 return ParseDERCRL(crlBytes) 2171 } 2172 2173 // ParseDERCRL parses a DER encoded CRL from the given bytes. 2174 func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) { 2175 certList := new(pkix.CertificateList) 2176 if rest, err := asn1.Unmarshal(derBytes, certList); err != nil { 2177 return nil, err 2178 } else if len(rest) != 0 { 2179 return nil, errors.New("x509: trailing data after CRL") 2180 } 2181 return certList, nil 2182 } 2183 2184 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that 2185 // contains the given list of revoked certificates. 2186 func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { 2187 key, ok := priv.(crypto.Signer) 2188 if !ok { 2189 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 2190 } 2191 2192 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0) 2193 if err != nil { 2194 return nil, err 2195 } 2196 2197 // Force revocation times to UTC per RFC 5280. 2198 revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts)) 2199 for i, rc := range revokedCerts { 2200 rc.RevocationTime = rc.RevocationTime.UTC() 2201 revokedCertsUTC[i] = rc 2202 } 2203 2204 tbsCertList := pkix.TBSCertificateList{ 2205 Version: 1, 2206 Signature: signatureAlgorithm, 2207 Issuer: c.Subject.ToRDNSequence(), 2208 ThisUpdate: now.UTC(), 2209 NextUpdate: expiry.UTC(), 2210 RevokedCertificates: revokedCertsUTC, 2211 } 2212 2213 // Authority Key Id 2214 if len(c.SubjectKeyId) > 0 { 2215 var aki pkix.Extension 2216 aki.Id = oidExtensionAuthorityKeyId 2217 aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId}) 2218 if err != nil { 2219 return 2220 } 2221 tbsCertList.Extensions = append(tbsCertList.Extensions, aki) 2222 } 2223 2224 tbsCertListContents, err := asn1.Marshal(tbsCertList) 2225 if err != nil { 2226 return 2227 } 2228 2229 h := hashFunc.New() 2230 h.Write(tbsCertListContents) 2231 digest := h.Sum(nil) 2232 2233 var signature []byte 2234 signature, err = key.Sign(rand, digest, hashFunc) 2235 if err != nil { 2236 return 2237 } 2238 2239 return asn1.Marshal(pkix.CertificateList{ 2240 TBSCertList: tbsCertList, 2241 SignatureAlgorithm: signatureAlgorithm, 2242 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, 2243 }) 2244 } 2245 2246 // CertificateRequest represents a PKCS #10, certificate signature request. 2247 type CertificateRequest struct { 2248 Raw []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature). 2249 RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content. 2250 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo. 2251 RawSubject []byte // DER encoded Subject. 2252 2253 Version int 2254 Signature []byte 2255 SignatureAlgorithm SignatureAlgorithm 2256 2257 PublicKeyAlgorithm PublicKeyAlgorithm 2258 PublicKey interface{} 2259 2260 Subject pkix.Name 2261 2262 // Attributes is the dried husk of a bug and shouldn't be used. 2263 Attributes []pkix.AttributeTypeAndValueSET 2264 2265 // Extensions contains raw X.509 extensions. When parsing CSRs, this 2266 // can be used to extract extensions that are not parsed by this 2267 // package. 2268 Extensions []pkix.Extension 2269 2270 // ExtraExtensions contains extensions to be copied, raw, into any 2271 // marshaled CSR. Values override any extensions that would otherwise 2272 // be produced based on the other fields but are overridden by any 2273 // extensions specified in Attributes. 2274 // 2275 // The ExtraExtensions field is not populated when parsing CSRs, see 2276 // Extensions. 2277 ExtraExtensions []pkix.Extension 2278 2279 // Subject Alternate Name values. 2280 DNSNames []string 2281 EmailAddresses []string 2282 IPAddresses []net.IP 2283 URIs []*url.URL 2284 } 2285 2286 // These structures reflect the ASN.1 structure of X.509 certificate 2287 // signature requests (see RFC 2986): 2288 2289 type tbsCertificateRequest struct { 2290 Raw asn1.RawContent 2291 Version int 2292 Subject asn1.RawValue 2293 PublicKey publicKeyInfo 2294 RawAttributes []asn1.RawValue `asn1:"tag:0"` 2295 } 2296 2297 type certificateRequest struct { 2298 Raw asn1.RawContent 2299 TBSCSR tbsCertificateRequest 2300 SignatureAlgorithm pkix.AlgorithmIdentifier 2301 SignatureValue asn1.BitString 2302 } 2303 2304 // oidExtensionRequest is a PKCS#9 OBJECT IDENTIFIER that indicates requested 2305 // extensions in a CSR. 2306 var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14} 2307 2308 // newRawAttributes converts AttributeTypeAndValueSETs from a template 2309 // CertificateRequest's Attributes into tbsCertificateRequest RawAttributes. 2310 func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) { 2311 var rawAttributes []asn1.RawValue 2312 b, err := asn1.Marshal(attributes) 2313 if err != nil { 2314 return nil, err 2315 } 2316 rest, err := asn1.Unmarshal(b, &rawAttributes) 2317 if err != nil { 2318 return nil, err 2319 } 2320 if len(rest) != 0 { 2321 return nil, errors.New("x509: failed to unmarshal raw CSR Attributes") 2322 } 2323 return rawAttributes, nil 2324 } 2325 2326 // parseRawAttributes Unmarshals RawAttributes intos AttributeTypeAndValueSETs. 2327 func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET { 2328 var attributes []pkix.AttributeTypeAndValueSET 2329 for _, rawAttr := range rawAttributes { 2330 var attr pkix.AttributeTypeAndValueSET 2331 rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr) 2332 // Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET 2333 // (i.e.: challengePassword or unstructuredName). 2334 if err == nil && len(rest) == 0 { 2335 attributes = append(attributes, attr) 2336 } 2337 } 2338 return attributes 2339 } 2340 2341 // parseCSRExtensions parses the attributes from a CSR and extracts any 2342 // requested extensions. 2343 func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) { 2344 // pkcs10Attribute reflects the Attribute structure from section 4.1 of 2345 // https://tools.ietf.org/html/rfc2986. 2346 type pkcs10Attribute struct { 2347 Id asn1.ObjectIdentifier 2348 Values []asn1.RawValue `asn1:"set"` 2349 } 2350 2351 var ret []pkix.Extension 2352 for _, rawAttr := range rawAttributes { 2353 var attr pkcs10Attribute 2354 if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 { 2355 // Ignore attributes that don't parse. 2356 continue 2357 } 2358 2359 if !attr.Id.Equal(oidExtensionRequest) { 2360 continue 2361 } 2362 2363 var extensions []pkix.Extension 2364 if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil { 2365 return nil, err 2366 } 2367 ret = append(ret, extensions...) 2368 } 2369 2370 return ret, nil 2371 } 2372 2373 // CreateCertificateRequest creates a new certificate request based on a 2374 // template. The following members of template are used: Attributes, DNSNames, 2375 // EmailAddresses, ExtraExtensions, IPAddresses, URIs, SignatureAlgorithm, and 2376 // Subject. The private key is the private key of the signer. 2377 // 2378 // The returned slice is the certificate request in DER encoding. 2379 // 2380 // All keys types that are implemented via crypto.Signer are supported (This 2381 // includes *rsa.PublicKey and *ecdsa.PublicKey.) 2382 func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) { 2383 key, ok := priv.(crypto.Signer) 2384 if !ok { 2385 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 2386 } 2387 2388 var hashFunc crypto.Hash 2389 var sigAlgo pkix.AlgorithmIdentifier 2390 hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm) 2391 if err != nil { 2392 return nil, err 2393 } 2394 2395 var publicKeyBytes []byte 2396 var publicKeyAlgorithm pkix.AlgorithmIdentifier 2397 publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public()) 2398 if err != nil { 2399 return nil, err 2400 } 2401 2402 var extensions []pkix.Extension 2403 2404 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) && 2405 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) { 2406 sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs) 2407 if err != nil { 2408 return nil, err 2409 } 2410 2411 extensions = append(extensions, pkix.Extension{ 2412 Id: oidExtensionSubjectAltName, 2413 Value: sanBytes, 2414 }) 2415 } 2416 2417 extensions = append(extensions, template.ExtraExtensions...) 2418 2419 var attributes []pkix.AttributeTypeAndValueSET 2420 attributes = append(attributes, template.Attributes...) 2421 2422 if len(extensions) > 0 { 2423 // specifiedExtensions contains all the extensions that we 2424 // found specified via template.Attributes. 2425 specifiedExtensions := make(map[string]bool) 2426 2427 for _, atvSet := range template.Attributes { 2428 if !atvSet.Type.Equal(oidExtensionRequest) { 2429 continue 2430 } 2431 2432 for _, atvs := range atvSet.Value { 2433 for _, atv := range atvs { 2434 specifiedExtensions[atv.Type.String()] = true 2435 } 2436 } 2437 } 2438 2439 atvs := make([]pkix.AttributeTypeAndValue, 0, len(extensions)) 2440 for _, e := range extensions { 2441 if specifiedExtensions[e.Id.String()] { 2442 // Attributes already contained a value for 2443 // this extension and it takes priority. 2444 continue 2445 } 2446 2447 atvs = append(atvs, pkix.AttributeTypeAndValue{ 2448 // There is no place for the critical flag in a CSR. 2449 Type: e.Id, 2450 Value: e.Value, 2451 }) 2452 } 2453 2454 // Append the extensions to an existing attribute if possible. 2455 appended := false 2456 for _, atvSet := range attributes { 2457 if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 { 2458 continue 2459 } 2460 2461 atvSet.Value[0] = append(atvSet.Value[0], atvs...) 2462 appended = true 2463 break 2464 } 2465 2466 // Otherwise, add a new attribute for the extensions. 2467 if !appended { 2468 attributes = append(attributes, pkix.AttributeTypeAndValueSET{ 2469 Type: oidExtensionRequest, 2470 Value: [][]pkix.AttributeTypeAndValue{ 2471 atvs, 2472 }, 2473 }) 2474 } 2475 } 2476 2477 asn1Subject := template.RawSubject 2478 if len(asn1Subject) == 0 { 2479 asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence()) 2480 if err != nil { 2481 return 2482 } 2483 } 2484 2485 rawAttributes, err := newRawAttributes(attributes) 2486 if err != nil { 2487 return 2488 } 2489 2490 tbsCSR := tbsCertificateRequest{ 2491 Version: 0, // PKCS #10, RFC 2986 2492 Subject: asn1.RawValue{FullBytes: asn1Subject}, 2493 PublicKey: publicKeyInfo{ 2494 Algorithm: publicKeyAlgorithm, 2495 PublicKey: asn1.BitString{ 2496 Bytes: publicKeyBytes, 2497 BitLength: len(publicKeyBytes) * 8, 2498 }, 2499 }, 2500 RawAttributes: rawAttributes, 2501 } 2502 2503 tbsCSRContents, err := asn1.Marshal(tbsCSR) 2504 if err != nil { 2505 return 2506 } 2507 tbsCSR.Raw = tbsCSRContents 2508 2509 h := hashFunc.New() 2510 h.Write(tbsCSRContents) 2511 digest := h.Sum(nil) 2512 2513 var signature []byte 2514 signature, err = key.Sign(rand, digest, hashFunc) 2515 if err != nil { 2516 return 2517 } 2518 2519 return asn1.Marshal(certificateRequest{ 2520 TBSCSR: tbsCSR, 2521 SignatureAlgorithm: sigAlgo, 2522 SignatureValue: asn1.BitString{ 2523 Bytes: signature, 2524 BitLength: len(signature) * 8, 2525 }, 2526 }) 2527 } 2528 2529 // ParseCertificateRequest parses a single certificate request from the 2530 // given ASN.1 DER data. 2531 func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) { 2532 var csr certificateRequest 2533 2534 rest, err := asn1.Unmarshal(asn1Data, &csr) 2535 if err != nil { 2536 return nil, err 2537 } else if len(rest) != 0 { 2538 return nil, asn1.SyntaxError{Msg: "trailing data"} 2539 } 2540 2541 return parseCertificateRequest(&csr) 2542 } 2543 2544 func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) { 2545 out := &CertificateRequest{ 2546 Raw: in.Raw, 2547 RawTBSCertificateRequest: in.TBSCSR.Raw, 2548 RawSubjectPublicKeyInfo: in.TBSCSR.PublicKey.Raw, 2549 RawSubject: in.TBSCSR.Subject.FullBytes, 2550 2551 Signature: in.SignatureValue.RightAlign(), 2552 SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm), 2553 2554 PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm), 2555 2556 Version: in.TBSCSR.Version, 2557 Attributes: parseRawAttributes(in.TBSCSR.RawAttributes), 2558 } 2559 2560 var err error 2561 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey) 2562 if err != nil { 2563 return nil, err 2564 } 2565 2566 var subject pkix.RDNSequence 2567 if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil { 2568 return nil, err 2569 } else if len(rest) != 0 { 2570 return nil, errors.New("x509: trailing data after X.509 Subject") 2571 } 2572 2573 out.Subject.FillFromRDNSequence(&subject) 2574 2575 if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil { 2576 return nil, err 2577 } 2578 2579 for _, extension := range out.Extensions { 2580 if extension.Id.Equal(oidExtensionSubjectAltName) { 2581 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value) 2582 if err != nil { 2583 return nil, err 2584 } 2585 } 2586 } 2587 2588 return out, nil 2589 } 2590 2591 // CheckSignature reports whether the signature on c is valid. 2592 func (c *CertificateRequest) CheckSignature() error { 2593 return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey) 2594 } 2595
