Black Lives Matter. Support the Equal Justice Initiative.

Source file src/crypto/x509/x509.go

Documentation: crypto/x509

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package x509 parses X.509-encoded keys and certificates.
     6  package x509
     7  
     8  import (
     9  	"bytes"
    10  	"crypto"
    11  	"crypto/ecdsa"
    12  	"crypto/ed25519"
    13  	"crypto/elliptic"
    14  	"crypto/rsa"
    15  	"crypto/sha1"
    16  	"crypto/x509/pkix"
    17  	"encoding/asn1"
    18  	"encoding/pem"
    19  	"errors"
    20  	"fmt"
    21  	"io"
    22  	"math/big"
    23  	"net"
    24  	"net/url"
    25  	"strconv"
    26  	"time"
    27  	"unicode"
    28  
    29  	// Explicitly import these for their crypto.RegisterHash init side-effects.
    30  	// Keep these as blank imports, even if they're imported above.
    31  	_ "crypto/sha1"
    32  	_ "crypto/sha256"
    33  	_ "crypto/sha512"
    34  
    35  	"golang.org/x/crypto/cryptobyte"
    36  	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
    37  )
    38  
    39  // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
    40  // in RFC 3280.
    41  type pkixPublicKey struct {
    42  	Algo      pkix.AlgorithmIdentifier
    43  	BitString asn1.BitString
    44  }
    45  
    46  // ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
    47  // The encoded public key is a SubjectPublicKeyInfo structure
    48  // (see RFC 5280, Section 4.1).
    49  //
    50  // It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
    51  // ed25519.PublicKey. More types might be supported in the future.
    52  //
    53  // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
    54  func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
    55  	var pki publicKeyInfo
    56  	if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
    57  		if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil {
    58  			return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)")
    59  		}
    60  		return nil, err
    61  	} else if len(rest) != 0 {
    62  		return nil, errors.New("x509: trailing data after ASN.1 of public-key")
    63  	}
    64  	algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
    65  	if algo == UnknownPublicKeyAlgorithm {
    66  		return nil, errors.New("x509: unknown public key algorithm")
    67  	}
    68  	return parsePublicKey(algo, &pki)
    69  }
    70  
    71  func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
    72  	switch pub := pub.(type) {
    73  	case *rsa.PublicKey:
    74  		publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
    75  			N: pub.N,
    76  			E: pub.E,
    77  		})
    78  		if err != nil {
    79  			return nil, pkix.AlgorithmIdentifier{}, err
    80  		}
    81  		publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
    82  		// This is a NULL parameters value which is required by
    83  		// RFC 3279, Section 2.3.1.
    84  		publicKeyAlgorithm.Parameters = asn1.NullRawValue
    85  	case *ecdsa.PublicKey:
    86  		publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
    87  		oid, ok := oidFromNamedCurve(pub.Curve)
    88  		if !ok {
    89  			return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
    90  		}
    91  		publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
    92  		var paramBytes []byte
    93  		paramBytes, err = asn1.Marshal(oid)
    94  		if err != nil {
    95  			return
    96  		}
    97  		publicKeyAlgorithm.Parameters.FullBytes = paramBytes
    98  	case ed25519.PublicKey:
    99  		publicKeyBytes = pub
   100  		publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519
   101  	default:
   102  		return nil, pkix.AlgorithmIdentifier{}, fmt.Errorf("x509: unsupported public key type: %T", pub)
   103  	}
   104  
   105  	return publicKeyBytes, publicKeyAlgorithm, nil
   106  }
   107  
   108  // MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
   109  // The encoded public key is a SubjectPublicKeyInfo structure
   110  // (see RFC 5280, Section 4.1).
   111  //
   112  // The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
   113  // and ed25519.PublicKey. Unsupported key types result in an error.
   114  //
   115  // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
   116  func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
   117  	var publicKeyBytes []byte
   118  	var publicKeyAlgorithm pkix.AlgorithmIdentifier
   119  	var err error
   120  
   121  	if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
   122  		return nil, err
   123  	}
   124  
   125  	pkix := pkixPublicKey{
   126  		Algo: publicKeyAlgorithm,
   127  		BitString: asn1.BitString{
   128  			Bytes:     publicKeyBytes,
   129  			BitLength: 8 * len(publicKeyBytes),
   130  		},
   131  	}
   132  
   133  	ret, _ := asn1.Marshal(pkix)
   134  	return ret, nil
   135  }
   136  
   137  // These structures reflect the ASN.1 structure of X.509 certificates.:
   138  
   139  type certificate struct {
   140  	Raw                asn1.RawContent
   141  	TBSCertificate     tbsCertificate
   142  	SignatureAlgorithm pkix.AlgorithmIdentifier
   143  	SignatureValue     asn1.BitString
   144  }
   145  
   146  type tbsCertificate struct {
   147  	Raw                asn1.RawContent
   148  	Version            int `asn1:"optional,explicit,default:0,tag:0"`
   149  	SerialNumber       *big.Int
   150  	SignatureAlgorithm pkix.AlgorithmIdentifier
   151  	Issuer             asn1.RawValue
   152  	Validity           validity
   153  	Subject            asn1.RawValue
   154  	PublicKey          publicKeyInfo
   155  	UniqueId           asn1.BitString   `asn1:"optional,tag:1"`
   156  	SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
   157  	Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
   158  }
   159  
   160  type dsaAlgorithmParameters struct {
   161  	P, Q, G *big.Int
   162  }
   163  
   164  type validity struct {
   165  	NotBefore, NotAfter time.Time
   166  }
   167  
   168  type publicKeyInfo struct {
   169  	Raw       asn1.RawContent
   170  	Algorithm pkix.AlgorithmIdentifier
   171  	PublicKey asn1.BitString
   172  }
   173  
   174  // RFC 5280,  4.2.1.1
   175  type authKeyId struct {
   176  	Id []byte `asn1:"optional,tag:0"`
   177  }
   178  
   179  type SignatureAlgorithm int
   180  
   181  const (
   182  	UnknownSignatureAlgorithm SignatureAlgorithm = iota
   183  
   184  	MD2WithRSA // Unsupported.
   185  	MD5WithRSA // Only supported for signing, not verification.
   186  	SHA1WithRSA
   187  	SHA256WithRSA
   188  	SHA384WithRSA
   189  	SHA512WithRSA
   190  	DSAWithSHA1   // Unsupported.
   191  	DSAWithSHA256 // Unsupported.
   192  	ECDSAWithSHA1
   193  	ECDSAWithSHA256
   194  	ECDSAWithSHA384
   195  	ECDSAWithSHA512
   196  	SHA256WithRSAPSS
   197  	SHA384WithRSAPSS
   198  	SHA512WithRSAPSS
   199  	PureEd25519
   200  )
   201  
   202  func (algo SignatureAlgorithm) isRSAPSS() bool {
   203  	switch algo {
   204  	case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS:
   205  		return true
   206  	default:
   207  		return false
   208  	}
   209  }
   210  
   211  func (algo SignatureAlgorithm) String() string {
   212  	for _, details := range signatureAlgorithmDetails {
   213  		if details.algo == algo {
   214  			return details.name
   215  		}
   216  	}
   217  	return strconv.Itoa(int(algo))
   218  }
   219  
   220  type PublicKeyAlgorithm int
   221  
   222  const (
   223  	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
   224  	RSA
   225  	DSA // Unsupported.
   226  	ECDSA
   227  	Ed25519
   228  )
   229  
   230  var publicKeyAlgoName = [...]string{
   231  	RSA:     "RSA",
   232  	DSA:     "DSA",
   233  	ECDSA:   "ECDSA",
   234  	Ed25519: "Ed25519",
   235  }
   236  
   237  func (algo PublicKeyAlgorithm) String() string {
   238  	if 0 < algo && int(algo) < len(publicKeyAlgoName) {
   239  		return publicKeyAlgoName[algo]
   240  	}
   241  	return strconv.Itoa(int(algo))
   242  }
   243  
   244  // OIDs for signature algorithms
   245  //
   246  // pkcs-1 OBJECT IDENTIFIER ::= {
   247  //    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
   248  //
   249  //
   250  // RFC 3279 2.2.1 RSA Signature Algorithms
   251  //
   252  // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
   253  //
   254  // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
   255  //
   256  // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
   257  //
   258  // dsaWithSha1 OBJECT IDENTIFIER ::= {
   259  //    iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }
   260  //
   261  // RFC 3279 2.2.3 ECDSA Signature Algorithm
   262  //
   263  // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
   264  // 	  iso(1) member-body(2) us(840) ansi-x962(10045)
   265  //    signatures(4) ecdsa-with-SHA1(1)}
   266  //
   267  //
   268  // RFC 4055 5 PKCS #1 Version 1.5
   269  //
   270  // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
   271  //
   272  // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
   273  //
   274  // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
   275  //
   276  //
   277  // RFC 5758 3.1 DSA Signature Algorithms
   278  //
   279  // dsaWithSha256 OBJECT IDENTIFIER ::= {
   280  //    joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
   281  //    csor(3) algorithms(4) id-dsa-with-sha2(3) 2}
   282  //
   283  // RFC 5758 3.2 ECDSA Signature Algorithm
   284  //
   285  // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   286  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
   287  //
   288  // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   289  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
   290  //
   291  // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   292  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
   293  //
   294  //
   295  // RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers
   296  //
   297  // id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
   298  
   299  var (
   300  	oidSignatureMD2WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
   301  	oidSignatureMD5WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
   302  	oidSignatureSHA1WithRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
   303  	oidSignatureSHA256WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
   304  	oidSignatureSHA384WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
   305  	oidSignatureSHA512WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
   306  	oidSignatureRSAPSS          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
   307  	oidSignatureDSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
   308  	oidSignatureDSAWithSHA256   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
   309  	oidSignatureECDSAWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
   310  	oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
   311  	oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
   312  	oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
   313  	oidSignatureEd25519         = asn1.ObjectIdentifier{1, 3, 101, 112}
   314  
   315  	oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
   316  	oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
   317  	oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
   318  
   319  	oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
   320  
   321  	// oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
   322  	// but it's specified by ISO. Microsoft's makecert.exe has been known
   323  	// to produce certificates with this OID.
   324  	oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
   325  )
   326  
   327  var signatureAlgorithmDetails = []struct {
   328  	algo       SignatureAlgorithm
   329  	name       string
   330  	oid        asn1.ObjectIdentifier
   331  	pubKeyAlgo PublicKeyAlgorithm
   332  	hash       crypto.Hash
   333  }{
   334  	{MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
   335  	{MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
   336  	{SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
   337  	{SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
   338  	{SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
   339  	{SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
   340  	{SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
   341  	{SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
   342  	{SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
   343  	{SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
   344  	{DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
   345  	{DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
   346  	{ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
   347  	{ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
   348  	{ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
   349  	{ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
   350  	{PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */},
   351  }
   352  
   353  // hashToPSSParameters contains the DER encoded RSA PSS parameters for the
   354  // SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3.
   355  // The parameters contain the following values:
   356  //   * hashAlgorithm contains the associated hash identifier with NULL parameters
   357  //   * maskGenAlgorithm always contains the default mgf1SHA1 identifier
   358  //   * saltLength contains the length of the associated hash
   359  //   * trailerField always contains the default trailerFieldBC value
   360  var hashToPSSParameters = map[crypto.Hash]asn1.RawValue{
   361  	crypto.SHA256: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 162, 3, 2, 1, 32}},
   362  	crypto.SHA384: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 162, 3, 2, 1, 48}},
   363  	crypto.SHA512: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 162, 3, 2, 1, 64}},
   364  }
   365  
   366  // pssParameters reflects the parameters in an AlgorithmIdentifier that
   367  // specifies RSA PSS. See RFC 3447, Appendix A.2.3.
   368  type pssParameters struct {
   369  	// The following three fields are not marked as
   370  	// optional because the default values specify SHA-1,
   371  	// which is no longer suitable for use in signatures.
   372  	Hash         pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
   373  	MGF          pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
   374  	SaltLength   int                      `asn1:"explicit,tag:2"`
   375  	TrailerField int                      `asn1:"optional,explicit,tag:3,default:1"`
   376  }
   377  
   378  func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm {
   379  	if ai.Algorithm.Equal(oidSignatureEd25519) {
   380  		// RFC 8410, Section 3
   381  		// > For all of the OIDs, the parameters MUST be absent.
   382  		if len(ai.Parameters.FullBytes) != 0 {
   383  			return UnknownSignatureAlgorithm
   384  		}
   385  	}
   386  
   387  	if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
   388  		for _, details := range signatureAlgorithmDetails {
   389  			if ai.Algorithm.Equal(details.oid) {
   390  				return details.algo
   391  			}
   392  		}
   393  		return UnknownSignatureAlgorithm
   394  	}
   395  
   396  	// RSA PSS is special because it encodes important parameters
   397  	// in the Parameters.
   398  
   399  	var params pssParameters
   400  	if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, &params); err != nil {
   401  		return UnknownSignatureAlgorithm
   402  	}
   403  
   404  	var mgf1HashFunc pkix.AlgorithmIdentifier
   405  	if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
   406  		return UnknownSignatureAlgorithm
   407  	}
   408  
   409  	// PSS is greatly overburdened with options. This code forces them into
   410  	// three buckets by requiring that the MGF1 hash function always match the
   411  	// message hash function (as recommended in RFC 3447, Section 8.1), that the
   412  	// salt length matches the hash length, and that the trailer field has the
   413  	// default value.
   414  	if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
   415  		!params.MGF.Algorithm.Equal(oidMGF1) ||
   416  		!mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
   417  		(len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
   418  		params.TrailerField != 1 {
   419  		return UnknownSignatureAlgorithm
   420  	}
   421  
   422  	switch {
   423  	case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
   424  		return SHA256WithRSAPSS
   425  	case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
   426  		return SHA384WithRSAPSS
   427  	case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
   428  		return SHA512WithRSAPSS
   429  	}
   430  
   431  	return UnknownSignatureAlgorithm
   432  }
   433  
   434  // RFC 3279, 2.3 Public Key Algorithms
   435  //
   436  // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   437  //    rsadsi(113549) pkcs(1) 1 }
   438  //
   439  // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
   440  //
   441  // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   442  //    x9-57(10040) x9cm(4) 1 }
   443  //
   444  // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
   445  //
   446  // id-ecPublicKey OBJECT IDENTIFIER ::= {
   447  //       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
   448  var (
   449  	oidPublicKeyRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
   450  	oidPublicKeyDSA     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
   451  	oidPublicKeyECDSA   = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
   452  	oidPublicKeyEd25519 = oidSignatureEd25519
   453  )
   454  
   455  func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
   456  	switch {
   457  	case oid.Equal(oidPublicKeyRSA):
   458  		return RSA
   459  	case oid.Equal(oidPublicKeyDSA):
   460  		return DSA
   461  	case oid.Equal(oidPublicKeyECDSA):
   462  		return ECDSA
   463  	case oid.Equal(oidPublicKeyEd25519):
   464  		return Ed25519
   465  	}
   466  	return UnknownPublicKeyAlgorithm
   467  }
   468  
   469  // RFC 5480, 2.1.1.1. Named Curve
   470  //
   471  // secp224r1 OBJECT IDENTIFIER ::= {
   472  //   iso(1) identified-organization(3) certicom(132) curve(0) 33 }
   473  //
   474  // secp256r1 OBJECT IDENTIFIER ::= {
   475  //   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
   476  //   prime(1) 7 }
   477  //
   478  // secp384r1 OBJECT IDENTIFIER ::= {
   479  //   iso(1) identified-organization(3) certicom(132) curve(0) 34 }
   480  //
   481  // secp521r1 OBJECT IDENTIFIER ::= {
   482  //   iso(1) identified-organization(3) certicom(132) curve(0) 35 }
   483  //
   484  // NB: secp256r1 is equivalent to prime256v1
   485  var (
   486  	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
   487  	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
   488  	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
   489  	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
   490  )
   491  
   492  func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
   493  	switch {
   494  	case oid.Equal(oidNamedCurveP224):
   495  		return elliptic.P224()
   496  	case oid.Equal(oidNamedCurveP256):
   497  		return elliptic.P256()
   498  	case oid.Equal(oidNamedCurveP384):
   499  		return elliptic.P384()
   500  	case oid.Equal(oidNamedCurveP521):
   501  		return elliptic.P521()
   502  	}
   503  	return nil
   504  }
   505  
   506  func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
   507  	switch curve {
   508  	case elliptic.P224():
   509  		return oidNamedCurveP224, true
   510  	case elliptic.P256():
   511  		return oidNamedCurveP256, true
   512  	case elliptic.P384():
   513  		return oidNamedCurveP384, true
   514  	case elliptic.P521():
   515  		return oidNamedCurveP521, true
   516  	}
   517  
   518  	return nil, false
   519  }
   520  
   521  // KeyUsage represents the set of actions that are valid for a given key. It's
   522  // a bitmap of the KeyUsage* constants.
   523  type KeyUsage int
   524  
   525  const (
   526  	KeyUsageDigitalSignature KeyUsage = 1 << iota
   527  	KeyUsageContentCommitment
   528  	KeyUsageKeyEncipherment
   529  	KeyUsageDataEncipherment
   530  	KeyUsageKeyAgreement
   531  	KeyUsageCertSign
   532  	KeyUsageCRLSign
   533  	KeyUsageEncipherOnly
   534  	KeyUsageDecipherOnly
   535  )
   536  
   537  // RFC 5280, 4.2.1.12  Extended Key Usage
   538  //
   539  // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
   540  //
   541  // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
   542  //
   543  // id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   544  // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   545  // id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
   546  // id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
   547  // id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
   548  // id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   549  var (
   550  	oidExtKeyUsageAny                            = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
   551  	oidExtKeyUsageServerAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
   552  	oidExtKeyUsageClientAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
   553  	oidExtKeyUsageCodeSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
   554  	oidExtKeyUsageEmailProtection                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
   555  	oidExtKeyUsageIPSECEndSystem                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
   556  	oidExtKeyUsageIPSECTunnel                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
   557  	oidExtKeyUsageIPSECUser                      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
   558  	oidExtKeyUsageTimeStamping                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
   559  	oidExtKeyUsageOCSPSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
   560  	oidExtKeyUsageMicrosoftServerGatedCrypto     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
   561  	oidExtKeyUsageNetscapeServerGatedCrypto      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
   562  	oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
   563  	oidExtKeyUsageMicrosoftKernelCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
   564  )
   565  
   566  // ExtKeyUsage represents an extended set of actions that are valid for a given key.
   567  // Each of the ExtKeyUsage* constants define a unique action.
   568  type ExtKeyUsage int
   569  
   570  const (
   571  	ExtKeyUsageAny ExtKeyUsage = iota
   572  	ExtKeyUsageServerAuth
   573  	ExtKeyUsageClientAuth
   574  	ExtKeyUsageCodeSigning
   575  	ExtKeyUsageEmailProtection
   576  	ExtKeyUsageIPSECEndSystem
   577  	ExtKeyUsageIPSECTunnel
   578  	ExtKeyUsageIPSECUser
   579  	ExtKeyUsageTimeStamping
   580  	ExtKeyUsageOCSPSigning
   581  	ExtKeyUsageMicrosoftServerGatedCrypto
   582  	ExtKeyUsageNetscapeServerGatedCrypto
   583  	ExtKeyUsageMicrosoftCommercialCodeSigning
   584  	ExtKeyUsageMicrosoftKernelCodeSigning
   585  )
   586  
   587  // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
   588  var extKeyUsageOIDs = []struct {
   589  	extKeyUsage ExtKeyUsage
   590  	oid         asn1.ObjectIdentifier
   591  }{
   592  	{ExtKeyUsageAny, oidExtKeyUsageAny},
   593  	{ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
   594  	{ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
   595  	{ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
   596  	{ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
   597  	{ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
   598  	{ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
   599  	{ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
   600  	{ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
   601  	{ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
   602  	{ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
   603  	{ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
   604  	{ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
   605  	{ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
   606  }
   607  
   608  func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
   609  	for _, pair := range extKeyUsageOIDs {
   610  		if oid.Equal(pair.oid) {
   611  			return pair.extKeyUsage, true
   612  		}
   613  	}
   614  	return
   615  }
   616  
   617  func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
   618  	for _, pair := range extKeyUsageOIDs {
   619  		if eku == pair.extKeyUsage {
   620  			return pair.oid, true
   621  		}
   622  	}
   623  	return
   624  }
   625  
   626  // A Certificate represents an X.509 certificate.
   627  type Certificate struct {
   628  	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
   629  	RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
   630  	RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
   631  	RawSubject              []byte // DER encoded Subject
   632  	RawIssuer               []byte // DER encoded Issuer
   633  
   634  	Signature          []byte
   635  	SignatureAlgorithm SignatureAlgorithm
   636  
   637  	PublicKeyAlgorithm PublicKeyAlgorithm
   638  	PublicKey          interface{}
   639  
   640  	Version             int
   641  	SerialNumber        *big.Int
   642  	Issuer              pkix.Name
   643  	Subject             pkix.Name
   644  	NotBefore, NotAfter time.Time // Validity bounds.
   645  	KeyUsage            KeyUsage
   646  
   647  	// Extensions contains raw X.509 extensions. When parsing certificates,
   648  	// this can be used to extract non-critical extensions that are not
   649  	// parsed by this package. When marshaling certificates, the Extensions
   650  	// field is ignored, see ExtraExtensions.
   651  	Extensions []pkix.Extension
   652  
   653  	// ExtraExtensions contains extensions to be copied, raw, into any
   654  	// marshaled certificates. Values override any extensions that would
   655  	// otherwise be produced based on the other fields. The ExtraExtensions
   656  	// field is not populated when parsing certificates, see Extensions.
   657  	ExtraExtensions []pkix.Extension
   658  
   659  	// UnhandledCriticalExtensions contains a list of extension IDs that
   660  	// were not (fully) processed when parsing. Verify will fail if this
   661  	// slice is non-empty, unless verification is delegated to an OS
   662  	// library which understands all the critical extensions.
   663  	//
   664  	// Users can access these extensions using Extensions and can remove
   665  	// elements from this slice if they believe that they have been
   666  	// handled.
   667  	UnhandledCriticalExtensions []asn1.ObjectIdentifier
   668  
   669  	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
   670  	UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.
   671  
   672  	// BasicConstraintsValid indicates whether IsCA, MaxPathLen,
   673  	// and MaxPathLenZero are valid.
   674  	BasicConstraintsValid bool
   675  	IsCA                  bool
   676  
   677  	// MaxPathLen and MaxPathLenZero indicate the presence and
   678  	// value of the BasicConstraints' "pathLenConstraint".
   679  	//
   680  	// When parsing a certificate, a positive non-zero MaxPathLen
   681  	// means that the field was specified, -1 means it was unset,
   682  	// and MaxPathLenZero being true mean that the field was
   683  	// explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
   684  	// should be treated equivalent to -1 (unset).
   685  	//
   686  	// When generating a certificate, an unset pathLenConstraint
   687  	// can be requested with either MaxPathLen == -1 or using the
   688  	// zero value for both MaxPathLen and MaxPathLenZero.
   689  	MaxPathLen int
   690  	// MaxPathLenZero indicates that BasicConstraintsValid==true
   691  	// and MaxPathLen==0 should be interpreted as an actual
   692  	// maximum path length of zero. Otherwise, that combination is
   693  	// interpreted as MaxPathLen not being set.
   694  	MaxPathLenZero bool
   695  
   696  	SubjectKeyId   []byte
   697  	AuthorityKeyId []byte
   698  
   699  	// RFC 5280, 4.2.2.1 (Authority Information Access)
   700  	OCSPServer            []string
   701  	IssuingCertificateURL []string
   702  
   703  	// Subject Alternate Name values. (Note that these values may not be valid
   704  	// if invalid values were contained within a parsed certificate. For
   705  	// example, an element of DNSNames may not be a valid DNS domain name.)
   706  	DNSNames       []string
   707  	EmailAddresses []string
   708  	IPAddresses    []net.IP
   709  	URIs           []*url.URL
   710  
   711  	// Name constraints
   712  	PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
   713  	PermittedDNSDomains         []string
   714  	ExcludedDNSDomains          []string
   715  	PermittedIPRanges           []*net.IPNet
   716  	ExcludedIPRanges            []*net.IPNet
   717  	PermittedEmailAddresses     []string
   718  	ExcludedEmailAddresses      []string
   719  	PermittedURIDomains         []string
   720  	ExcludedURIDomains          []string
   721  
   722  	// CRL Distribution Points
   723  	CRLDistributionPoints []string
   724  
   725  	PolicyIdentifiers []asn1.ObjectIdentifier
   726  }
   727  
   728  // ErrUnsupportedAlgorithm results from attempting to perform an operation that
   729  // involves algorithms that are not currently implemented.
   730  var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
   731  
   732  // An InsecureAlgorithmError
   733  type InsecureAlgorithmError SignatureAlgorithm
   734  
   735  func (e InsecureAlgorithmError) Error() string {
   736  	return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e))
   737  }
   738  
   739  // ConstraintViolationError results when a requested usage is not permitted by
   740  // a certificate. For example: checking a signature when the public key isn't a
   741  // certificate signing key.
   742  type ConstraintViolationError struct{}
   743  
   744  func (ConstraintViolationError) Error() string {
   745  	return "x509: invalid signature: parent certificate cannot sign this kind of certificate"
   746  }
   747  
   748  func (c *Certificate) Equal(other *Certificate) bool {
   749  	if c == nil || other == nil {
   750  		return c == other
   751  	}
   752  	return bytes.Equal(c.Raw, other.Raw)
   753  }
   754  
   755  func (c *Certificate) hasSANExtension() bool {
   756  	return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
   757  }
   758  
   759  // CheckSignatureFrom verifies that the signature on c is a valid signature
   760  // from parent.
   761  func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
   762  	// RFC 5280, 4.2.1.9:
   763  	// "If the basic constraints extension is not present in a version 3
   764  	// certificate, or the extension is present but the cA boolean is not
   765  	// asserted, then the certified public key MUST NOT be used to verify
   766  	// certificate signatures."
   767  	if parent.Version == 3 && !parent.BasicConstraintsValid ||
   768  		parent.BasicConstraintsValid && !parent.IsCA {
   769  		return ConstraintViolationError{}
   770  	}
   771  
   772  	if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
   773  		return ConstraintViolationError{}
   774  	}
   775  
   776  	if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
   777  		return ErrUnsupportedAlgorithm
   778  	}
   779  
   780  	// TODO(agl): don't ignore the path length constraint.
   781  
   782  	return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
   783  }
   784  
   785  // CheckSignature verifies that signature is a valid signature over signed from
   786  // c's public key.
   787  func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
   788  	return checkSignature(algo, signed, signature, c.PublicKey)
   789  }
   790  
   791  func (c *Certificate) hasNameConstraints() bool {
   792  	return oidInExtensions(oidExtensionNameConstraints, c.Extensions)
   793  }
   794  
   795  func (c *Certificate) getSANExtension() []byte {
   796  	for _, e := range c.Extensions {
   797  		if e.Id.Equal(oidExtensionSubjectAltName) {
   798  			return e.Value
   799  		}
   800  	}
   801  	return nil
   802  }
   803  
   804  func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
   805  	return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
   806  }
   807  
   808  // CheckSignature verifies that signature is a valid signature over signed from
   809  // a crypto.PublicKey.
   810  func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
   811  	var hashType crypto.Hash
   812  	var pubKeyAlgo PublicKeyAlgorithm
   813  
   814  	for _, details := range signatureAlgorithmDetails {
   815  		if details.algo == algo {
   816  			hashType = details.hash
   817  			pubKeyAlgo = details.pubKeyAlgo
   818  		}
   819  	}
   820  
   821  	switch hashType {
   822  	case crypto.Hash(0):
   823  		if pubKeyAlgo != Ed25519 {
   824  			return ErrUnsupportedAlgorithm
   825  		}
   826  	case crypto.MD5:
   827  		return InsecureAlgorithmError(algo)
   828  	default:
   829  		if !hashType.Available() {
   830  			return ErrUnsupportedAlgorithm
   831  		}
   832  		h := hashType.New()
   833  		h.Write(signed)
   834  		signed = h.Sum(nil)
   835  	}
   836  
   837  	switch pub := publicKey.(type) {
   838  	case *rsa.PublicKey:
   839  		if pubKeyAlgo != RSA {
   840  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   841  		}
   842  		if algo.isRSAPSS() {
   843  			return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
   844  		} else {
   845  			return rsa.VerifyPKCS1v15(pub, hashType, signed, signature)
   846  		}
   847  	case *ecdsa.PublicKey:
   848  		if pubKeyAlgo != ECDSA {
   849  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   850  		}
   851  		if !ecdsa.VerifyASN1(pub, signed, signature) {
   852  			return errors.New("x509: ECDSA verification failure")
   853  		}
   854  		return
   855  	case ed25519.PublicKey:
   856  		if pubKeyAlgo != Ed25519 {
   857  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   858  		}
   859  		if !ed25519.Verify(pub, signed, signature) {
   860  			return errors.New("x509: Ed25519 verification failure")
   861  		}
   862  		return
   863  	}
   864  	return ErrUnsupportedAlgorithm
   865  }
   866  
   867  // CheckCRLSignature checks that the signature in crl is from c.
   868  func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error {
   869  	algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm)
   870  	return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign())
   871  }
   872  
   873  type UnhandledCriticalExtension struct{}
   874  
   875  func (h UnhandledCriticalExtension) Error() string {
   876  	return "x509: unhandled critical extension"
   877  }
   878  
   879  type basicConstraints struct {
   880  	IsCA       bool `asn1:"optional"`
   881  	MaxPathLen int  `asn1:"optional,default:-1"`
   882  }
   883  
   884  // RFC 5280 4.2.1.4
   885  type policyInformation struct {
   886  	Policy asn1.ObjectIdentifier
   887  	// policyQualifiers omitted
   888  }
   889  
   890  const (
   891  	nameTypeEmail = 1
   892  	nameTypeDNS   = 2
   893  	nameTypeURI   = 6
   894  	nameTypeIP    = 7
   895  )
   896  
   897  // RFC 5280, 4.2.2.1
   898  type authorityInfoAccess struct {
   899  	Method   asn1.ObjectIdentifier
   900  	Location asn1.RawValue
   901  }
   902  
   903  // RFC 5280, 4.2.1.14
   904  type distributionPoint struct {
   905  	DistributionPoint distributionPointName `asn1:"optional,tag:0"`
   906  	Reason            asn1.BitString        `asn1:"optional,tag:1"`
   907  	CRLIssuer         asn1.RawValue         `asn1:"optional,tag:2"`
   908  }
   909  
   910  type distributionPointName struct {
   911  	FullName     []asn1.RawValue  `asn1:"optional,tag:0"`
   912  	RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
   913  }
   914  
   915  func reverseBitsInAByte(in byte) byte {
   916  	b1 := in>>4 | in<<4
   917  	b2 := b1>>2&0x33 | b1<<2&0xcc
   918  	b3 := b2>>1&0x55 | b2<<1&0xaa
   919  	return b3
   920  }
   921  
   922  // asn1BitLength returns the bit-length of bitString by considering the
   923  // most-significant bit in a byte to be the "first" bit. This convention
   924  // matches ASN.1, but differs from almost everything else.
   925  func asn1BitLength(bitString []byte) int {
   926  	bitLen := len(bitString) * 8
   927  
   928  	for i := range bitString {
   929  		b := bitString[len(bitString)-i-1]
   930  
   931  		for bit := uint(0); bit < 8; bit++ {
   932  			if (b>>bit)&1 == 1 {
   933  				return bitLen
   934  			}
   935  			bitLen--
   936  		}
   937  	}
   938  
   939  	return 0
   940  }
   941  
   942  var (
   943  	oidExtensionSubjectKeyId          = []int{2, 5, 29, 14}
   944  	oidExtensionKeyUsage              = []int{2, 5, 29, 15}
   945  	oidExtensionExtendedKeyUsage      = []int{2, 5, 29, 37}
   946  	oidExtensionAuthorityKeyId        = []int{2, 5, 29, 35}
   947  	oidExtensionBasicConstraints      = []int{2, 5, 29, 19}
   948  	oidExtensionSubjectAltName        = []int{2, 5, 29, 17}
   949  	oidExtensionCertificatePolicies   = []int{2, 5, 29, 32}
   950  	oidExtensionNameConstraints       = []int{2, 5, 29, 30}
   951  	oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31}
   952  	oidExtensionAuthorityInfoAccess   = []int{1, 3, 6, 1, 5, 5, 7, 1, 1}
   953  	oidExtensionCRLNumber             = []int{2, 5, 29, 20}
   954  )
   955  
   956  var (
   957  	oidAuthorityInfoAccessOcsp    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
   958  	oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
   959  )
   960  
   961  // oidNotInExtensions reports whether an extension with the given oid exists in
   962  // extensions.
   963  func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool {
   964  	for _, e := range extensions {
   965  		if e.Id.Equal(oid) {
   966  			return true
   967  		}
   968  	}
   969  	return false
   970  }
   971  
   972  // marshalSANs marshals a list of addresses into a the contents of an X.509
   973  // SubjectAlternativeName extension.
   974  func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) {
   975  	var rawValues []asn1.RawValue
   976  	for _, name := range dnsNames {
   977  		if err := isIA5String(name); err != nil {
   978  			return nil, err
   979  		}
   980  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)})
   981  	}
   982  	for _, email := range emailAddresses {
   983  		if err := isIA5String(email); err != nil {
   984  			return nil, err
   985  		}
   986  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)})
   987  	}
   988  	for _, rawIP := range ipAddresses {
   989  		// If possible, we always want to encode IPv4 addresses in 4 bytes.
   990  		ip := rawIP.To4()
   991  		if ip == nil {
   992  			ip = rawIP
   993  		}
   994  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip})
   995  	}
   996  	for _, uri := range uris {
   997  		uriStr := uri.String()
   998  		if err := isIA5String(uriStr); err != nil {
   999  			return nil, err
  1000  		}
  1001  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uriStr)})
  1002  	}
  1003  	return asn1.Marshal(rawValues)
  1004  }
  1005  
  1006  func isIA5String(s string) error {
  1007  	for _, r := range s {
  1008  		// Per RFC5280 "IA5String is limited to the set of ASCII characters"
  1009  		if r > unicode.MaxASCII {
  1010  			return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
  1011  		}
  1012  	}
  1013  
  1014  	return nil
  1015  }
  1016  
  1017  func buildCertExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte, subjectKeyId []byte) (ret []pkix.Extension, err error) {
  1018  	ret = make([]pkix.Extension, 10 /* maximum number of elements. */)
  1019  	n := 0
  1020  
  1021  	if template.KeyUsage != 0 &&
  1022  		!oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
  1023  		ret[n], err = marshalKeyUsage(template.KeyUsage)
  1024  		if err != nil {
  1025  			return nil, err
  1026  		}
  1027  		n++
  1028  	}
  1029  
  1030  	if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
  1031  		!oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
  1032  		ret[n], err = marshalExtKeyUsage(template.ExtKeyUsage, template.UnknownExtKeyUsage)
  1033  		if err != nil {
  1034  			return nil, err
  1035  		}
  1036  		n++
  1037  	}
  1038  
  1039  	if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) {
  1040  		ret[n], err = marshalBasicConstraints(template.IsCA, template.MaxPathLen, template.MaxPathLenZero)
  1041  		if err != nil {
  1042  			return nil, err
  1043  		}
  1044  		n++
  1045  	}
  1046  
  1047  	if len(subjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) {
  1048  		ret[n].Id = oidExtensionSubjectKeyId
  1049  		ret[n].Value, err = asn1.Marshal(subjectKeyId)
  1050  		if err != nil {
  1051  			return
  1052  		}
  1053  		n++
  1054  	}
  1055  
  1056  	if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {
  1057  		ret[n].Id = oidExtensionAuthorityKeyId
  1058  		ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId})
  1059  		if err != nil {
  1060  			return
  1061  		}
  1062  		n++
  1063  	}
  1064  
  1065  	if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
  1066  		!oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) {
  1067  		ret[n].Id = oidExtensionAuthorityInfoAccess
  1068  		var aiaValues []authorityInfoAccess
  1069  		for _, name := range template.OCSPServer {
  1070  			aiaValues = append(aiaValues, authorityInfoAccess{
  1071  				Method:   oidAuthorityInfoAccessOcsp,
  1072  				Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1073  			})
  1074  		}
  1075  		for _, name := range template.IssuingCertificateURL {
  1076  			aiaValues = append(aiaValues, authorityInfoAccess{
  1077  				Method:   oidAuthorityInfoAccessIssuers,
  1078  				Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1079  			})
  1080  		}
  1081  		ret[n].Value, err = asn1.Marshal(aiaValues)
  1082  		if err != nil {
  1083  			return
  1084  		}
  1085  		n++
  1086  	}
  1087  
  1088  	if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  1089  		!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  1090  		ret[n].Id = oidExtensionSubjectAltName
  1091  		// From RFC 5280, Section 4.2.1.6:
  1092  		// “If the subject field contains an empty sequence ... then
  1093  		// subjectAltName extension ... is marked as critical”
  1094  		ret[n].Critical = subjectIsEmpty
  1095  		ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  1096  		if err != nil {
  1097  			return
  1098  		}
  1099  		n++
  1100  	}
  1101  
  1102  	if len(template.PolicyIdentifiers) > 0 &&
  1103  		!oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) {
  1104  		ret[n], err = marshalCertificatePolicies(template.PolicyIdentifiers)
  1105  		if err != nil {
  1106  			return nil, err
  1107  		}
  1108  		n++
  1109  	}
  1110  
  1111  	if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 ||
  1112  		len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 ||
  1113  		len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 ||
  1114  		len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) &&
  1115  		!oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
  1116  		ret[n].Id = oidExtensionNameConstraints
  1117  		ret[n].Critical = template.PermittedDNSDomainsCritical
  1118  
  1119  		ipAndMask := func(ipNet *net.IPNet) []byte {
  1120  			maskedIP := ipNet.IP.Mask(ipNet.Mask)
  1121  			ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
  1122  			ipAndMask = append(ipAndMask, maskedIP...)
  1123  			ipAndMask = append(ipAndMask, ipNet.Mask...)
  1124  			return ipAndMask
  1125  		}
  1126  
  1127  		serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) {
  1128  			var b cryptobyte.Builder
  1129  
  1130  			for _, name := range dns {
  1131  				if err = isIA5String(name); err != nil {
  1132  					return nil, err
  1133  				}
  1134  
  1135  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1136  					b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) {
  1137  						b.AddBytes([]byte(name))
  1138  					})
  1139  				})
  1140  			}
  1141  
  1142  			for _, ipNet := range ips {
  1143  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1144  					b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) {
  1145  						b.AddBytes(ipAndMask(ipNet))
  1146  					})
  1147  				})
  1148  			}
  1149  
  1150  			for _, email := range emails {
  1151  				if err = isIA5String(email); err != nil {
  1152  					return nil, err
  1153  				}
  1154  
  1155  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1156  					b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) {
  1157  						b.AddBytes([]byte(email))
  1158  					})
  1159  				})
  1160  			}
  1161  
  1162  			for _, uriDomain := range uriDomains {
  1163  				if err = isIA5String(uriDomain); err != nil {
  1164  					return nil, err
  1165  				}
  1166  
  1167  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1168  					b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) {
  1169  						b.AddBytes([]byte(uriDomain))
  1170  					})
  1171  				})
  1172  			}
  1173  
  1174  			return b.Bytes()
  1175  		}
  1176  
  1177  		permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains)
  1178  		if err != nil {
  1179  			return nil, err
  1180  		}
  1181  
  1182  		excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains)
  1183  		if err != nil {
  1184  			return nil, err
  1185  		}
  1186  
  1187  		var b cryptobyte.Builder
  1188  		b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1189  			if len(permitted) > 0 {
  1190  				b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1191  					b.AddBytes(permitted)
  1192  				})
  1193  			}
  1194  
  1195  			if len(excluded) > 0 {
  1196  				b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1197  					b.AddBytes(excluded)
  1198  				})
  1199  			}
  1200  		})
  1201  
  1202  		ret[n].Value, err = b.Bytes()
  1203  		if err != nil {
  1204  			return nil, err
  1205  		}
  1206  		n++
  1207  	}
  1208  
  1209  	if len(template.CRLDistributionPoints) > 0 &&
  1210  		!oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) {
  1211  		ret[n].Id = oidExtensionCRLDistributionPoints
  1212  
  1213  		var crlDp []distributionPoint
  1214  		for _, name := range template.CRLDistributionPoints {
  1215  			dp := distributionPoint{
  1216  				DistributionPoint: distributionPointName{
  1217  					FullName: []asn1.RawValue{
  1218  						{Tag: 6, Class: 2, Bytes: []byte(name)},
  1219  					},
  1220  				},
  1221  			}
  1222  			crlDp = append(crlDp, dp)
  1223  		}
  1224  
  1225  		ret[n].Value, err = asn1.Marshal(crlDp)
  1226  		if err != nil {
  1227  			return
  1228  		}
  1229  		n++
  1230  	}
  1231  
  1232  	// Adding another extension here? Remember to update the maximum number
  1233  	// of elements in the make() at the top of the function and the list of
  1234  	// template fields used in CreateCertificate documentation.
  1235  
  1236  	return append(ret[:n], template.ExtraExtensions...), nil
  1237  }
  1238  
  1239  func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error) {
  1240  	ext := pkix.Extension{Id: oidExtensionKeyUsage, Critical: true}
  1241  
  1242  	var a [2]byte
  1243  	a[0] = reverseBitsInAByte(byte(ku))
  1244  	a[1] = reverseBitsInAByte(byte(ku >> 8))
  1245  
  1246  	l := 1
  1247  	if a[1] != 0 {
  1248  		l = 2
  1249  	}
  1250  
  1251  	bitString := a[:l]
  1252  	var err error
  1253  	ext.Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)})
  1254  	if err != nil {
  1255  		return ext, err
  1256  	}
  1257  	return ext, nil
  1258  }
  1259  
  1260  func marshalExtKeyUsage(extUsages []ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) {
  1261  	ext := pkix.Extension{Id: oidExtensionExtendedKeyUsage}
  1262  
  1263  	oids := make([]asn1.ObjectIdentifier, len(extUsages)+len(unknownUsages))
  1264  	for i, u := range extUsages {
  1265  		if oid, ok := oidFromExtKeyUsage(u); ok {
  1266  			oids[i] = oid
  1267  		} else {
  1268  			return ext, errors.New("x509: unknown extended key usage")
  1269  		}
  1270  	}
  1271  
  1272  	copy(oids[len(extUsages):], unknownUsages)
  1273  
  1274  	var err error
  1275  	ext.Value, err = asn1.Marshal(oids)
  1276  	if err != nil {
  1277  		return ext, err
  1278  	}
  1279  	return ext, nil
  1280  }
  1281  
  1282  func marshalBasicConstraints(isCA bool, maxPathLen int, maxPathLenZero bool) (pkix.Extension, error) {
  1283  	ext := pkix.Extension{Id: oidExtensionBasicConstraints, Critical: true}
  1284  	// Leaving MaxPathLen as zero indicates that no maximum path
  1285  	// length is desired, unless MaxPathLenZero is set. A value of
  1286  	// -1 causes encoding/asn1 to omit the value as desired.
  1287  	if maxPathLen == 0 && !maxPathLenZero {
  1288  		maxPathLen = -1
  1289  	}
  1290  	var err error
  1291  	ext.Value, err = asn1.Marshal(basicConstraints{isCA, maxPathLen})
  1292  	if err != nil {
  1293  		return ext, nil
  1294  	}
  1295  	return ext, nil
  1296  }
  1297  
  1298  func marshalCertificatePolicies(policyIdentifiers []asn1.ObjectIdentifier) (pkix.Extension, error) {
  1299  	ext := pkix.Extension{Id: oidExtensionCertificatePolicies}
  1300  	policies := make([]policyInformation, len(policyIdentifiers))
  1301  	for i, policy := range policyIdentifiers {
  1302  		policies[i].Policy = policy
  1303  	}
  1304  	var err error
  1305  	ext.Value, err = asn1.Marshal(policies)
  1306  	if err != nil {
  1307  		return ext, err
  1308  	}
  1309  	return ext, nil
  1310  }
  1311  
  1312  func buildCSRExtensions(template *CertificateRequest) ([]pkix.Extension, error) {
  1313  	var ret []pkix.Extension
  1314  
  1315  	if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  1316  		!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  1317  		sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  1318  		if err != nil {
  1319  			return nil, err
  1320  		}
  1321  
  1322  		ret = append(ret, pkix.Extension{
  1323  			Id:    oidExtensionSubjectAltName,
  1324  			Value: sanBytes,
  1325  		})
  1326  	}
  1327  
  1328  	return append(ret, template.ExtraExtensions...), nil
  1329  }
  1330  
  1331  func subjectBytes(cert *Certificate) ([]byte, error) {
  1332  	if len(cert.RawSubject) > 0 {
  1333  		return cert.RawSubject, nil
  1334  	}
  1335  
  1336  	return asn1.Marshal(cert.Subject.ToRDNSequence())
  1337  }
  1338  
  1339  // signingParamsForPublicKey returns the parameters to use for signing with
  1340  // priv. If requestedSigAlgo is not zero then it overrides the default
  1341  // signature algorithm.
  1342  func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
  1343  	var pubType PublicKeyAlgorithm
  1344  
  1345  	switch pub := pub.(type) {
  1346  	case *rsa.PublicKey:
  1347  		pubType = RSA
  1348  		hashFunc = crypto.SHA256
  1349  		sigAlgo.Algorithm = oidSignatureSHA256WithRSA
  1350  		sigAlgo.Parameters = asn1.NullRawValue
  1351  
  1352  	case *ecdsa.PublicKey:
  1353  		pubType = ECDSA
  1354  
  1355  		switch pub.Curve {
  1356  		case elliptic.P224(), elliptic.P256():
  1357  			hashFunc = crypto.SHA256
  1358  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
  1359  		case elliptic.P384():
  1360  			hashFunc = crypto.SHA384
  1361  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
  1362  		case elliptic.P521():
  1363  			hashFunc = crypto.SHA512
  1364  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
  1365  		default:
  1366  			err = errors.New("x509: unknown elliptic curve")
  1367  		}
  1368  
  1369  	case ed25519.PublicKey:
  1370  		pubType = Ed25519
  1371  		sigAlgo.Algorithm = oidSignatureEd25519
  1372  
  1373  	default:
  1374  		err = errors.New("x509: only RSA, ECDSA and Ed25519 keys supported")
  1375  	}
  1376  
  1377  	if err != nil {
  1378  		return
  1379  	}
  1380  
  1381  	if requestedSigAlgo == 0 {
  1382  		return
  1383  	}
  1384  
  1385  	found := false
  1386  	for _, details := range signatureAlgorithmDetails {
  1387  		if details.algo == requestedSigAlgo {
  1388  			if details.pubKeyAlgo != pubType {
  1389  				err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
  1390  				return
  1391  			}
  1392  			sigAlgo.Algorithm, hashFunc = details.oid, details.hash
  1393  			if hashFunc == 0 && pubType != Ed25519 {
  1394  				err = errors.New("x509: cannot sign with hash function requested")
  1395  				return
  1396  			}
  1397  			if requestedSigAlgo.isRSAPSS() {
  1398  				sigAlgo.Parameters = hashToPSSParameters[hashFunc]
  1399  			}
  1400  			found = true
  1401  			break
  1402  		}
  1403  	}
  1404  
  1405  	if !found {
  1406  		err = errors.New("x509: unknown SignatureAlgorithm")
  1407  	}
  1408  
  1409  	return
  1410  }
  1411  
  1412  // emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is
  1413  // just an empty SEQUENCE.
  1414  var emptyASN1Subject = []byte{0x30, 0}
  1415  
  1416  // CreateCertificate creates a new X.509 v3 certificate based on a template.
  1417  // The following members of template are currently used:
  1418  //
  1419  //  - AuthorityKeyId
  1420  //  - BasicConstraintsValid
  1421  //  - CRLDistributionPoints
  1422  //  - DNSNames
  1423  //  - EmailAddresses
  1424  //  - ExcludedDNSDomains
  1425  //  - ExcludedEmailAddresses
  1426  //  - ExcludedIPRanges
  1427  //  - ExcludedURIDomains
  1428  //  - ExtKeyUsage
  1429  //  - ExtraExtensions
  1430  //  - IPAddresses
  1431  //  - IsCA
  1432  //  - IssuingCertificateURL
  1433  //  - KeyUsage
  1434  //  - MaxPathLen
  1435  //  - MaxPathLenZero
  1436  //  - NotAfter
  1437  //  - NotBefore
  1438  //  - OCSPServer
  1439  //  - PermittedDNSDomains
  1440  //  - PermittedDNSDomainsCritical
  1441  //  - PermittedEmailAddresses
  1442  //  - PermittedIPRanges
  1443  //  - PermittedURIDomains
  1444  //  - PolicyIdentifiers
  1445  //  - SerialNumber
  1446  //  - SignatureAlgorithm
  1447  //  - Subject
  1448  //  - SubjectKeyId
  1449  //  - URIs
  1450  //  - UnknownExtKeyUsage
  1451  //
  1452  // The certificate is signed by parent. If parent is equal to template then the
  1453  // certificate is self-signed. The parameter pub is the public key of the
  1454  // certificate to be generated and priv is the private key of the signer.
  1455  //
  1456  // The returned slice is the certificate in DER encoding.
  1457  //
  1458  // The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and
  1459  // ed25519.PublicKey. pub must be a supported key type, and priv must be a
  1460  // crypto.Signer with a supported public key.
  1461  //
  1462  // The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
  1463  // unless the resulting certificate is self-signed. Otherwise the value from
  1464  // template will be used.
  1465  //
  1466  // If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId
  1467  // will be generated from the hash of the public key.
  1468  func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) ([]byte, error) {
  1469  	key, ok := priv.(crypto.Signer)
  1470  	if !ok {
  1471  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  1472  	}
  1473  
  1474  	if template.SerialNumber == nil {
  1475  		return nil, errors.New("x509: no SerialNumber given")
  1476  	}
  1477  
  1478  	if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
  1479  		return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
  1480  	}
  1481  
  1482  	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
  1483  	if err != nil {
  1484  		return nil, err
  1485  	}
  1486  
  1487  	publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub)
  1488  	if err != nil {
  1489  		return nil, err
  1490  	}
  1491  
  1492  	asn1Issuer, err := subjectBytes(parent)
  1493  	if err != nil {
  1494  		return nil, err
  1495  	}
  1496  
  1497  	asn1Subject, err := subjectBytes(template)
  1498  	if err != nil {
  1499  		return nil, err
  1500  	}
  1501  
  1502  	authorityKeyId := template.AuthorityKeyId
  1503  	if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 {
  1504  		authorityKeyId = parent.SubjectKeyId
  1505  	}
  1506  
  1507  	subjectKeyId := template.SubjectKeyId
  1508  	if len(subjectKeyId) == 0 && template.IsCA {
  1509  		// SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2:
  1510  		//   (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
  1511  		//   value of the BIT STRING subjectPublicKey (excluding the tag,
  1512  		//   length, and number of unused bits).
  1513  		h := sha1.Sum(publicKeyBytes)
  1514  		subjectKeyId = h[:]
  1515  	}
  1516  
  1517  	// Check that the signer's public key matches the private key, if available.
  1518  	type privateKey interface {
  1519  		Equal(crypto.PublicKey) bool
  1520  	}
  1521  	if privPub, ok := key.Public().(privateKey); !ok {
  1522  		return nil, errors.New("x509: internal error: supported public key does not implement Equal")
  1523  	} else if parent.PublicKey != nil && !privPub.Equal(parent.PublicKey) {
  1524  		return nil, errors.New("x509: provided PrivateKey doesn't match parent's PublicKey")
  1525  	}
  1526  
  1527  	extensions, err := buildCertExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId, subjectKeyId)
  1528  	if err != nil {
  1529  		return nil, err
  1530  	}
  1531  
  1532  	encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
  1533  	c := tbsCertificate{
  1534  		Version:            2,
  1535  		SerialNumber:       template.SerialNumber,
  1536  		SignatureAlgorithm: signatureAlgorithm,
  1537  		Issuer:             asn1.RawValue{FullBytes: asn1Issuer},
  1538  		Validity:           validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
  1539  		Subject:            asn1.RawValue{FullBytes: asn1Subject},
  1540  		PublicKey:          publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
  1541  		Extensions:         extensions,
  1542  	}
  1543  
  1544  	tbsCertContents, err := asn1.Marshal(c)
  1545  	if err != nil {
  1546  		return nil, err
  1547  	}
  1548  	c.Raw = tbsCertContents
  1549  
  1550  	signed := tbsCertContents
  1551  	if hashFunc != 0 {
  1552  		h := hashFunc.New()
  1553  		h.Write(signed)
  1554  		signed = h.Sum(nil)
  1555  	}
  1556  
  1557  	var signerOpts crypto.SignerOpts = hashFunc
  1558  	if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() {
  1559  		signerOpts = &rsa.PSSOptions{
  1560  			SaltLength: rsa.PSSSaltLengthEqualsHash,
  1561  			Hash:       hashFunc,
  1562  		}
  1563  	}
  1564  
  1565  	var signature []byte
  1566  	signature, err = key.Sign(rand, signed, signerOpts)
  1567  	if err != nil {
  1568  		return nil, err
  1569  	}
  1570  
  1571  	signedCert, err := asn1.Marshal(certificate{
  1572  		nil,
  1573  		c,
  1574  		signatureAlgorithm,
  1575  		asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  1576  	})
  1577  	if err != nil {
  1578  		return nil, err
  1579  	}
  1580  
  1581  	// Check the signature to ensure the crypto.Signer behaved correctly.
  1582  	// We skip this check if the signature algorithm is MD5WithRSA as we
  1583  	// only support this algorithm for signing, and not verification.
  1584  	if sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm); sigAlg != MD5WithRSA {
  1585  		if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil {
  1586  			return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
  1587  		}
  1588  	}
  1589  
  1590  	return signedCert, nil
  1591  }
  1592  
  1593  // pemCRLPrefix is the magic string that indicates that we have a PEM encoded
  1594  // CRL.
  1595  var pemCRLPrefix = []byte("-----BEGIN X509 CRL")
  1596  
  1597  // pemType is the type of a PEM encoded CRL.
  1598  var pemType = "X509 CRL"
  1599  
  1600  // ParseCRL parses a CRL from the given bytes. It's often the case that PEM
  1601  // encoded CRLs will appear where they should be DER encoded, so this function
  1602  // will transparently handle PEM encoding as long as there isn't any leading
  1603  // garbage.
  1604  func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) {
  1605  	if bytes.HasPrefix(crlBytes, pemCRLPrefix) {
  1606  		block, _ := pem.Decode(crlBytes)
  1607  		if block != nil && block.Type == pemType {
  1608  			crlBytes = block.Bytes
  1609  		}
  1610  	}
  1611  	return ParseDERCRL(crlBytes)
  1612  }
  1613  
  1614  // ParseDERCRL parses a DER encoded CRL from the given bytes.
  1615  func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) {
  1616  	certList := new(pkix.CertificateList)
  1617  	if rest, err := asn1.Unmarshal(derBytes, certList); err != nil {
  1618  		return nil, err
  1619  	} else if len(rest) != 0 {
  1620  		return nil, errors.New("x509: trailing data after CRL")
  1621  	}
  1622  	return certList, nil
  1623  }
  1624  
  1625  // CreateCRL returns a DER encoded CRL, signed by this Certificate, that
  1626  // contains the given list of revoked certificates.
  1627  //
  1628  // Note: this method does not generate an RFC 5280 conformant X.509 v2 CRL.
  1629  // To generate a standards compliant CRL, use CreateRevocationList instead.
  1630  func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
  1631  	key, ok := priv.(crypto.Signer)
  1632  	if !ok {
  1633  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  1634  	}
  1635  
  1636  	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0)
  1637  	if err != nil {
  1638  		return nil, err
  1639  	}
  1640  
  1641  	// Force revocation times to UTC per RFC 5280.
  1642  	revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
  1643  	for i, rc := range revokedCerts {
  1644  		rc.RevocationTime = rc.RevocationTime.UTC()
  1645  		revokedCertsUTC[i] = rc
  1646  	}
  1647  
  1648  	tbsCertList := pkix.TBSCertificateList{
  1649  		Version:             1,
  1650  		Signature:           signatureAlgorithm,
  1651  		Issuer:              c.Subject.ToRDNSequence(),
  1652  		ThisUpdate:          now.UTC(),
  1653  		NextUpdate:          expiry.UTC(),
  1654  		RevokedCertificates: revokedCertsUTC,
  1655  	}
  1656  
  1657  	// Authority Key Id
  1658  	if len(c.SubjectKeyId) > 0 {
  1659  		var aki pkix.Extension
  1660  		aki.Id = oidExtensionAuthorityKeyId
  1661  		aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId})
  1662  		if err != nil {
  1663  			return
  1664  		}
  1665  		tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
  1666  	}
  1667  
  1668  	tbsCertListContents, err := asn1.Marshal(tbsCertList)
  1669  	if err != nil {
  1670  		return
  1671  	}
  1672  
  1673  	signed := tbsCertListContents
  1674  	if hashFunc != 0 {
  1675  		h := hashFunc.New()
  1676  		h.Write(signed)
  1677  		signed = h.Sum(nil)
  1678  	}
  1679  
  1680  	var signature []byte
  1681  	signature, err = key.Sign(rand, signed, hashFunc)
  1682  	if err != nil {
  1683  		return
  1684  	}
  1685  
  1686  	return asn1.Marshal(pkix.CertificateList{
  1687  		TBSCertList:        tbsCertList,
  1688  		SignatureAlgorithm: signatureAlgorithm,
  1689  		SignatureValue:     asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  1690  	})
  1691  }
  1692  
  1693  // CertificateRequest represents a PKCS #10, certificate signature request.
  1694  type CertificateRequest struct {
  1695  	Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
  1696  	RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
  1697  	RawSubjectPublicKeyInfo  []byte // DER encoded SubjectPublicKeyInfo.
  1698  	RawSubject               []byte // DER encoded Subject.
  1699  
  1700  	Version            int
  1701  	Signature          []byte
  1702  	SignatureAlgorithm SignatureAlgorithm
  1703  
  1704  	PublicKeyAlgorithm PublicKeyAlgorithm
  1705  	PublicKey          interface{}
  1706  
  1707  	Subject pkix.Name
  1708  
  1709  	// Attributes contains the CSR attributes that can parse as
  1710  	// pkix.AttributeTypeAndValueSET.
  1711  	//
  1712  	// Deprecated: Use Extensions and ExtraExtensions instead for parsing and
  1713  	// generating the requestedExtensions attribute.
  1714  	Attributes []pkix.AttributeTypeAndValueSET
  1715  
  1716  	// Extensions contains all requested extensions, in raw form. When parsing
  1717  	// CSRs, this can be used to extract extensions that are not parsed by this
  1718  	// package.
  1719  	Extensions []pkix.Extension
  1720  
  1721  	// ExtraExtensions contains extensions to be copied, raw, into any CSR
  1722  	// marshaled by CreateCertificateRequest. Values override any extensions
  1723  	// that would otherwise be produced based on the other fields but are
  1724  	// overridden by any extensions specified in Attributes.
  1725  	//
  1726  	// The ExtraExtensions field is not populated by ParseCertificateRequest,
  1727  	// see Extensions instead.
  1728  	ExtraExtensions []pkix.Extension
  1729  
  1730  	// Subject Alternate Name values.
  1731  	DNSNames       []string
  1732  	EmailAddresses []string
  1733  	IPAddresses    []net.IP
  1734  	URIs           []*url.URL
  1735  }
  1736  
  1737  // These structures reflect the ASN.1 structure of X.509 certificate
  1738  // signature requests (see RFC 2986):
  1739  
  1740  type tbsCertificateRequest struct {
  1741  	Raw           asn1.RawContent
  1742  	Version       int
  1743  	Subject       asn1.RawValue
  1744  	PublicKey     publicKeyInfo
  1745  	RawAttributes []asn1.RawValue `asn1:"tag:0"`
  1746  }
  1747  
  1748  type certificateRequest struct {
  1749  	Raw                asn1.RawContent
  1750  	TBSCSR             tbsCertificateRequest
  1751  	SignatureAlgorithm pkix.AlgorithmIdentifier
  1752  	SignatureValue     asn1.BitString
  1753  }
  1754  
  1755  // oidExtensionRequest is a PKCS #9 OBJECT IDENTIFIER that indicates requested
  1756  // extensions in a CSR.
  1757  var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}
  1758  
  1759  // newRawAttributes converts AttributeTypeAndValueSETs from a template
  1760  // CertificateRequest's Attributes into tbsCertificateRequest RawAttributes.
  1761  func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) {
  1762  	var rawAttributes []asn1.RawValue
  1763  	b, err := asn1.Marshal(attributes)
  1764  	if err != nil {
  1765  		return nil, err
  1766  	}
  1767  	rest, err := asn1.Unmarshal(b, &rawAttributes)
  1768  	if err != nil {
  1769  		return nil, err
  1770  	}
  1771  	if len(rest) != 0 {
  1772  		return nil, errors.New("x509: failed to unmarshal raw CSR Attributes")
  1773  	}
  1774  	return rawAttributes, nil
  1775  }
  1776  
  1777  // parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs.
  1778  func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET {
  1779  	var attributes []pkix.AttributeTypeAndValueSET
  1780  	for _, rawAttr := range rawAttributes {
  1781  		var attr pkix.AttributeTypeAndValueSET
  1782  		rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr)
  1783  		// Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET
  1784  		// (i.e.: challengePassword or unstructuredName).
  1785  		if err == nil && len(rest) == 0 {
  1786  			attributes = append(attributes, attr)
  1787  		}
  1788  	}
  1789  	return attributes
  1790  }
  1791  
  1792  // parseCSRExtensions parses the attributes from a CSR and extracts any
  1793  // requested extensions.
  1794  func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) {
  1795  	// pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1.
  1796  	type pkcs10Attribute struct {
  1797  		Id     asn1.ObjectIdentifier
  1798  		Values []asn1.RawValue `asn1:"set"`
  1799  	}
  1800  
  1801  	var ret []pkix.Extension
  1802  	for _, rawAttr := range rawAttributes {
  1803  		var attr pkcs10Attribute
  1804  		if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
  1805  			// Ignore attributes that don't parse.
  1806  			continue
  1807  		}
  1808  
  1809  		if !attr.Id.Equal(oidExtensionRequest) {
  1810  			continue
  1811  		}
  1812  
  1813  		var extensions []pkix.Extension
  1814  		if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
  1815  			return nil, err
  1816  		}
  1817  		ret = append(ret, extensions...)
  1818  	}
  1819  
  1820  	return ret, nil
  1821  }
  1822  
  1823  // CreateCertificateRequest creates a new certificate request based on a
  1824  // template. The following members of template are used:
  1825  //
  1826  //  - SignatureAlgorithm
  1827  //  - Subject
  1828  //  - DNSNames
  1829  //  - EmailAddresses
  1830  //  - IPAddresses
  1831  //  - URIs
  1832  //  - ExtraExtensions
  1833  //  - Attributes (deprecated)
  1834  //
  1835  // priv is the private key to sign the CSR with, and the corresponding public
  1836  // key will be included in the CSR. It must implement crypto.Signer and its
  1837  // Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a
  1838  // ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or
  1839  // ed25519.PrivateKey satisfies this.)
  1840  //
  1841  // The returned slice is the certificate request in DER encoding.
  1842  func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) {
  1843  	key, ok := priv.(crypto.Signer)
  1844  	if !ok {
  1845  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  1846  	}
  1847  
  1848  	var hashFunc crypto.Hash
  1849  	var sigAlgo pkix.AlgorithmIdentifier
  1850  	hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
  1851  	if err != nil {
  1852  		return nil, err
  1853  	}
  1854  
  1855  	var publicKeyBytes []byte
  1856  	var publicKeyAlgorithm pkix.AlgorithmIdentifier
  1857  	publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public())
  1858  	if err != nil {
  1859  		return nil, err
  1860  	}
  1861  
  1862  	extensions, err := buildCSRExtensions(template)
  1863  	if err != nil {
  1864  		return nil, err
  1865  	}
  1866  
  1867  	// Make a copy of template.Attributes because we may alter it below.
  1868  	attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes))
  1869  	for _, attr := range template.Attributes {
  1870  		values := make([][]pkix.AttributeTypeAndValue, len(attr.Value))
  1871  		copy(values, attr.Value)
  1872  		attributes = append(attributes, pkix.AttributeTypeAndValueSET{
  1873  			Type:  attr.Type,
  1874  			Value: values,
  1875  		})
  1876  	}
  1877  
  1878  	extensionsAppended := false
  1879  	if len(extensions) > 0 {
  1880  		// Append the extensions to an existing attribute if possible.
  1881  		for _, atvSet := range attributes {
  1882  			if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 {
  1883  				continue
  1884  			}
  1885  
  1886  			// specifiedExtensions contains all the extensions that we
  1887  			// found specified via template.Attributes.
  1888  			specifiedExtensions := make(map[string]bool)
  1889  
  1890  			for _, atvs := range atvSet.Value {
  1891  				for _, atv := range atvs {
  1892  					specifiedExtensions[atv.Type.String()] = true
  1893  				}
  1894  			}
  1895  
  1896  			newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions))
  1897  			newValue = append(newValue, atvSet.Value[0]...)
  1898  
  1899  			for _, e := range extensions {
  1900  				if specifiedExtensions[e.Id.String()] {
  1901  					// Attributes already contained a value for
  1902  					// this extension and it takes priority.
  1903  					continue
  1904  				}
  1905  
  1906  				newValue = append(newValue, pkix.AttributeTypeAndValue{
  1907  					// There is no place for the critical
  1908  					// flag in an AttributeTypeAndValue.
  1909  					Type:  e.Id,
  1910  					Value: e.Value,
  1911  				})
  1912  			}
  1913  
  1914  			atvSet.Value[0] = newValue
  1915  			extensionsAppended = true
  1916  			break
  1917  		}
  1918  	}
  1919  
  1920  	rawAttributes, err := newRawAttributes(attributes)
  1921  	if err != nil {
  1922  		return
  1923  	}
  1924  
  1925  	// If not included in attributes, add a new attribute for the
  1926  	// extensions.
  1927  	if len(extensions) > 0 && !extensionsAppended {
  1928  		attr := struct {
  1929  			Type  asn1.ObjectIdentifier
  1930  			Value [][]pkix.Extension `asn1:"set"`
  1931  		}{
  1932  			Type:  oidExtensionRequest,
  1933  			Value: [][]pkix.Extension{extensions},
  1934  		}
  1935  
  1936  		b, err := asn1.Marshal(attr)
  1937  		if err != nil {
  1938  			return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error())
  1939  		}
  1940  
  1941  		var rawValue asn1.RawValue
  1942  		if _, err := asn1.Unmarshal(b, &rawValue); err != nil {
  1943  			return nil, err
  1944  		}
  1945  
  1946  		rawAttributes = append(rawAttributes, rawValue)
  1947  	}
  1948  
  1949  	asn1Subject := template.RawSubject
  1950  	if len(asn1Subject) == 0 {
  1951  		asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence())
  1952  		if err != nil {
  1953  			return nil, err
  1954  		}
  1955  	}
  1956  
  1957  	tbsCSR := tbsCertificateRequest{
  1958  		Version: 0, // PKCS #10, RFC 2986
  1959  		Subject: asn1.RawValue{FullBytes: asn1Subject},
  1960  		PublicKey: publicKeyInfo{
  1961  			Algorithm: publicKeyAlgorithm,
  1962  			PublicKey: asn1.BitString{
  1963  				Bytes:     publicKeyBytes,
  1964  				BitLength: len(publicKeyBytes) * 8,
  1965  			},
  1966  		},
  1967  		RawAttributes: rawAttributes,
  1968  	}
  1969  
  1970  	tbsCSRContents, err := asn1.Marshal(tbsCSR)
  1971  	if err != nil {
  1972  		return
  1973  	}
  1974  	tbsCSR.Raw = tbsCSRContents
  1975  
  1976  	signed := tbsCSRContents
  1977  	if hashFunc != 0 {
  1978  		h := hashFunc.New()
  1979  		h.Write(signed)
  1980  		signed = h.Sum(nil)
  1981  	}
  1982  
  1983  	var signature []byte
  1984  	signature, err = key.Sign(rand, signed, hashFunc)
  1985  	if err != nil {
  1986  		return
  1987  	}
  1988  
  1989  	return asn1.Marshal(certificateRequest{
  1990  		TBSCSR:             tbsCSR,
  1991  		SignatureAlgorithm: sigAlgo,
  1992  		SignatureValue: asn1.BitString{
  1993  			Bytes:     signature,
  1994  			BitLength: len(signature) * 8,
  1995  		},
  1996  	})
  1997  }
  1998  
  1999  // ParseCertificateRequest parses a single certificate request from the
  2000  // given ASN.1 DER data.
  2001  func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) {
  2002  	var csr certificateRequest
  2003  
  2004  	rest, err := asn1.Unmarshal(asn1Data, &csr)
  2005  	if err != nil {
  2006  		return nil, err
  2007  	} else if len(rest) != 0 {
  2008  		return nil, asn1.SyntaxError{Msg: "trailing data"}
  2009  	}
  2010  
  2011  	return parseCertificateRequest(&csr)
  2012  }
  2013  
  2014  func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) {
  2015  	out := &CertificateRequest{
  2016  		Raw:                      in.Raw,
  2017  		RawTBSCertificateRequest: in.TBSCSR.Raw,
  2018  		RawSubjectPublicKeyInfo:  in.TBSCSR.PublicKey.Raw,
  2019  		RawSubject:               in.TBSCSR.Subject.FullBytes,
  2020  
  2021  		Signature:          in.SignatureValue.RightAlign(),
  2022  		SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm),
  2023  
  2024  		PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm),
  2025  
  2026  		Version:    in.TBSCSR.Version,
  2027  		Attributes: parseRawAttributes(in.TBSCSR.RawAttributes),
  2028  	}
  2029  
  2030  	var err error
  2031  	out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey)
  2032  	if err != nil {
  2033  		return nil, err
  2034  	}
  2035  
  2036  	var subject pkix.RDNSequence
  2037  	if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil {
  2038  		return nil, err
  2039  	} else if len(rest) != 0 {
  2040  		return nil, errors.New("x509: trailing data after X.509 Subject")
  2041  	}
  2042  
  2043  	out.Subject.FillFromRDNSequence(&subject)
  2044  
  2045  	if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil {
  2046  		return nil, err
  2047  	}
  2048  
  2049  	for _, extension := range out.Extensions {
  2050  		switch {
  2051  		case extension.Id.Equal(oidExtensionSubjectAltName):
  2052  			out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value)
  2053  			if err != nil {
  2054  				return nil, err
  2055  			}
  2056  		}
  2057  	}
  2058  
  2059  	return out, nil
  2060  }
  2061  
  2062  // CheckSignature reports whether the signature on c is valid.
  2063  func (c *CertificateRequest) CheckSignature() error {
  2064  	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
  2065  }
  2066  
  2067  // RevocationList contains the fields used to create an X.509 v2 Certificate
  2068  // Revocation list with CreateRevocationList.
  2069  type RevocationList struct {
  2070  	// SignatureAlgorithm is used to determine the signature algorithm to be
  2071  	// used when signing the CRL. If 0 the default algorithm for the signing
  2072  	// key will be used.
  2073  	SignatureAlgorithm SignatureAlgorithm
  2074  
  2075  	// RevokedCertificates is used to populate the revokedCertificates
  2076  	// sequence in the CRL, it may be empty. RevokedCertificates may be nil,
  2077  	// in which case an empty CRL will be created.
  2078  	RevokedCertificates []pkix.RevokedCertificate
  2079  
  2080  	// Number is used to populate the X.509 v2 cRLNumber extension in the CRL,
  2081  	// which should be a monotonically increasing sequence number for a given
  2082  	// CRL scope and CRL issuer.
  2083  	Number *big.Int
  2084  	// ThisUpdate is used to populate the thisUpdate field in the CRL, which
  2085  	// indicates the issuance date of the CRL.
  2086  	ThisUpdate time.Time
  2087  	// NextUpdate is used to populate the nextUpdate field in the CRL, which
  2088  	// indicates the date by which the next CRL will be issued. NextUpdate
  2089  	// must be greater than ThisUpdate.
  2090  	NextUpdate time.Time
  2091  	// ExtraExtensions contains any additional extensions to add directly to
  2092  	// the CRL.
  2093  	ExtraExtensions []pkix.Extension
  2094  }
  2095  
  2096  // CreateRevocationList creates a new X.509 v2 Certificate Revocation List,
  2097  // according to RFC 5280, based on template.
  2098  //
  2099  // The CRL is signed by priv which should be the private key associated with
  2100  // the public key in the issuer certificate.
  2101  //
  2102  // The issuer may not be nil, and the crlSign bit must be set in KeyUsage in
  2103  // order to use it as a CRL issuer.
  2104  //
  2105  // The issuer distinguished name CRL field and authority key identifier
  2106  // extension are populated using the issuer certificate. issuer must have
  2107  // SubjectKeyId set.
  2108  func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error) {
  2109  	if template == nil {
  2110  		return nil, errors.New("x509: template can not be nil")
  2111  	}
  2112  	if issuer == nil {
  2113  		return nil, errors.New("x509: issuer can not be nil")
  2114  	}
  2115  	if (issuer.KeyUsage & KeyUsageCRLSign) == 0 {
  2116  		return nil, errors.New("x509: issuer must have the crlSign key usage bit set")
  2117  	}
  2118  	if len(issuer.SubjectKeyId) == 0 {
  2119  		return nil, errors.New("x509: issuer certificate doesn't contain a subject key identifier")
  2120  	}
  2121  	if template.NextUpdate.Before(template.ThisUpdate) {
  2122  		return nil, errors.New("x509: template.ThisUpdate is after template.NextUpdate")
  2123  	}
  2124  	if template.Number == nil {
  2125  		return nil, errors.New("x509: template contains nil Number field")
  2126  	}
  2127  
  2128  	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm)
  2129  	if err != nil {
  2130  		return nil, err
  2131  	}
  2132  
  2133  	// Force revocation times to UTC per RFC 5280.
  2134  	revokedCertsUTC := make([]pkix.RevokedCertificate, len(template.RevokedCertificates))
  2135  	for i, rc := range template.RevokedCertificates {
  2136  		rc.RevocationTime = rc.RevocationTime.UTC()
  2137  		revokedCertsUTC[i] = rc
  2138  	}
  2139  
  2140  	aki, err := asn1.Marshal(authKeyId{Id: issuer.SubjectKeyId})
  2141  	if err != nil {
  2142  		return nil, err
  2143  	}
  2144  	crlNum, err := asn1.Marshal(template.Number)
  2145  	if err != nil {
  2146  		return nil, err
  2147  	}
  2148  
  2149  	tbsCertList := pkix.TBSCertificateList{
  2150  		Version:    1, // v2
  2151  		Signature:  signatureAlgorithm,
  2152  		Issuer:     issuer.Subject.ToRDNSequence(),
  2153  		ThisUpdate: template.ThisUpdate.UTC(),
  2154  		NextUpdate: template.NextUpdate.UTC(),
  2155  		Extensions: []pkix.Extension{
  2156  			{
  2157  				Id:    oidExtensionAuthorityKeyId,
  2158  				Value: aki,
  2159  			},
  2160  			{
  2161  				Id:    oidExtensionCRLNumber,
  2162  				Value: crlNum,
  2163  			},
  2164  		},
  2165  	}
  2166  	if len(revokedCertsUTC) > 0 {
  2167  		tbsCertList.RevokedCertificates = revokedCertsUTC
  2168  	}
  2169  
  2170  	if len(template.ExtraExtensions) > 0 {
  2171  		tbsCertList.Extensions = append(tbsCertList.Extensions, template.ExtraExtensions...)
  2172  	}
  2173  
  2174  	tbsCertListContents, err := asn1.Marshal(tbsCertList)
  2175  	if err != nil {
  2176  		return nil, err
  2177  	}
  2178  
  2179  	input := tbsCertListContents
  2180  	if hashFunc != 0 {
  2181  		h := hashFunc.New()
  2182  		h.Write(tbsCertListContents)
  2183  		input = h.Sum(nil)
  2184  	}
  2185  	var signerOpts crypto.SignerOpts = hashFunc
  2186  	if template.SignatureAlgorithm.isRSAPSS() {
  2187  		signerOpts = &rsa.PSSOptions{
  2188  			SaltLength: rsa.PSSSaltLengthEqualsHash,
  2189  			Hash:       hashFunc,
  2190  		}
  2191  	}
  2192  
  2193  	signature, err := priv.Sign(rand, input, signerOpts)
  2194  	if err != nil {
  2195  		return nil, err
  2196  	}
  2197  
  2198  	return asn1.Marshal(pkix.CertificateList{
  2199  		TBSCertList:        tbsCertList,
  2200  		SignatureAlgorithm: signatureAlgorithm,
  2201  		SignatureValue:     asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  2202  	})
  2203  }
  2204  

View as plain text