1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// Package x509 parses X.509-encoded keys and certificates. 6package x509 7 8import ( 9 "bytes" 10 "crypto" 11 "crypto/ecdsa" 12 "crypto/ed25519" 13 "crypto/elliptic" 14 "crypto/rsa" 15 "crypto/sha1" 16 "crypto/x509/pkix" 17 "encoding/asn1" 18 "encoding/pem" 19 "errors" 20 "fmt" 21 "io" 22 "math/big" 23 "net" 24 "net/url" 25 "strconv" 26 "time" 27 "unicode" 28 29 // Explicitly import these for their crypto.RegisterHash init side-effects. 30 // Keep these as blank imports, even if they're imported above. 31 _ "crypto/sha1" 32 _ "crypto/sha256" 33 _ "crypto/sha512" 34 35 "golang.org/x/crypto/cryptobyte" 36 cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" 37) 38 39// pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo 40// in RFC 3280. 41type pkixPublicKey struct { 42 Algo pkix.AlgorithmIdentifier 43 BitString asn1.BitString 44} 45 46// ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form. 47// The encoded public key is a SubjectPublicKeyInfo structure 48// (see RFC 5280, Section 4.1). 49// 50// It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or 51// ed25519.PublicKey. More types might be supported in the future. 52// 53// This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY". 54func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) { 55 var pki publicKeyInfo 56 if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil { 57 if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil { 58 return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)") 59 } 60 return nil, err 61 } else if len(rest) != 0 { 62 return nil, errors.New("x509: trailing data after ASN.1 of public-key") 63 } 64 algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm) 65 if algo == UnknownPublicKeyAlgorithm { 66 return nil, errors.New("x509: unknown public key algorithm") 67 } 68 return parsePublicKey(algo, &pki) 69} 70 71func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) { 72 switch pub := pub.(type) { 73 case *rsa.PublicKey: 74 publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{ 75 N: pub.N, 76 E: pub.E, 77 }) 78 if err != nil { 79 return nil, pkix.AlgorithmIdentifier{}, err 80 } 81 publicKeyAlgorithm.Algorithm = oidPublicKeyRSA 82 // This is a NULL parameters value which is required by 83 // RFC 3279, Section 2.3.1. 84 publicKeyAlgorithm.Parameters = asn1.NullRawValue 85 case *ecdsa.PublicKey: 86 publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) 87 oid, ok := oidFromNamedCurve(pub.Curve) 88 if !ok { 89 return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve") 90 } 91 publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA 92 var paramBytes []byte 93 paramBytes, err = asn1.Marshal(oid) 94 if err != nil { 95 return 96 } 97 publicKeyAlgorithm.Parameters.FullBytes = paramBytes 98 case ed25519.PublicKey: 99 publicKeyBytes = pub 100 publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519 101 default: 102 return nil, pkix.AlgorithmIdentifier{}, fmt.Errorf("x509: unsupported public key type: %T", pub) 103 } 104 105 return publicKeyBytes, publicKeyAlgorithm, nil 106} 107 108// MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form. 109// The encoded public key is a SubjectPublicKeyInfo structure 110// (see RFC 5280, Section 4.1). 111// 112// The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey 113// and ed25519.PublicKey. Unsupported key types result in an error. 114// 115// This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY". 116func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) { 117 var publicKeyBytes []byte 118 var publicKeyAlgorithm pkix.AlgorithmIdentifier 119 var err error 120 121 if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil { 122 return nil, err 123 } 124 125 pkix := pkixPublicKey{ 126 Algo: publicKeyAlgorithm, 127 BitString: asn1.BitString{ 128 Bytes: publicKeyBytes, 129 BitLength: 8 * len(publicKeyBytes), 130 }, 131 } 132 133 ret, _ := asn1.Marshal(pkix) 134 return ret, nil 135} 136 137// These structures reflect the ASN.1 structure of X.509 certificates.: 138 139type certificate struct { 140 Raw asn1.RawContent 141 TBSCertificate tbsCertificate 142 SignatureAlgorithm pkix.AlgorithmIdentifier 143 SignatureValue asn1.BitString 144} 145 146type tbsCertificate struct { 147 Raw asn1.RawContent 148 Version int `asn1:"optional,explicit,default:0,tag:0"` 149 SerialNumber *big.Int 150 SignatureAlgorithm pkix.AlgorithmIdentifier 151 Issuer asn1.RawValue 152 Validity validity 153 Subject asn1.RawValue 154 PublicKey publicKeyInfo 155 UniqueId asn1.BitString `asn1:"optional,tag:1"` 156 SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"` 157 Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"` 158} 159 160type dsaAlgorithmParameters struct { 161 P, Q, G *big.Int 162} 163 164type validity struct { 165 NotBefore, NotAfter time.Time 166} 167 168type publicKeyInfo struct { 169 Raw asn1.RawContent 170 Algorithm pkix.AlgorithmIdentifier 171 PublicKey asn1.BitString 172} 173 174// RFC 5280, 4.2.1.1 175type authKeyId struct { 176 Id []byte `asn1:"optional,tag:0"` 177} 178 179type SignatureAlgorithm int 180 181const ( 182 UnknownSignatureAlgorithm SignatureAlgorithm = iota 183 184 MD2WithRSA // Unsupported. 185 MD5WithRSA // Only supported for signing, not verification. 186 SHA1WithRSA 187 SHA256WithRSA 188 SHA384WithRSA 189 SHA512WithRSA 190 DSAWithSHA1 // Unsupported. 191 DSAWithSHA256 // Unsupported. 192 ECDSAWithSHA1 193 ECDSAWithSHA256 194 ECDSAWithSHA384 195 ECDSAWithSHA512 196 SHA256WithRSAPSS 197 SHA384WithRSAPSS 198 SHA512WithRSAPSS 199 PureEd25519 200) 201 202func (algo SignatureAlgorithm) isRSAPSS() bool { 203 switch algo { 204 case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS: 205 return true 206 default: 207 return false 208 } 209} 210 211func (algo SignatureAlgorithm) String() string { 212 for _, details := range signatureAlgorithmDetails { 213 if details.algo == algo { 214 return details.name 215 } 216 } 217 return strconv.Itoa(int(algo)) 218} 219 220type PublicKeyAlgorithm int 221 222const ( 223 UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota 224 RSA 225 DSA // Unsupported. 226 ECDSA 227 Ed25519 228) 229 230var publicKeyAlgoName = [...]string{ 231 RSA: "RSA", 232 DSA: "DSA", 233 ECDSA: "ECDSA", 234 Ed25519: "Ed25519", 235} 236 237func (algo PublicKeyAlgorithm) String() string { 238 if 0 < algo && int(algo) < len(publicKeyAlgoName) { 239 return publicKeyAlgoName[algo] 240 } 241 return strconv.Itoa(int(algo)) 242} 243 244// OIDs for signature algorithms 245// 246// pkcs-1 OBJECT IDENTIFIER ::= { 247// iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } 248// 249// 250// RFC 3279 2.2.1 RSA Signature Algorithms 251// 252// md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } 253// 254// md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } 255// 256// sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } 257// 258// dsaWithSha1 OBJECT IDENTIFIER ::= { 259// iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 } 260// 261// RFC 3279 2.2.3 ECDSA Signature Algorithm 262// 263// ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { 264// iso(1) member-body(2) us(840) ansi-x962(10045) 265// signatures(4) ecdsa-with-SHA1(1)} 266// 267// 268// RFC 4055 5 PKCS #1 Version 1.5 269// 270// sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } 271// 272// sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } 273// 274// sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } 275// 276// 277// RFC 5758 3.1 DSA Signature Algorithms 278// 279// dsaWithSha256 OBJECT IDENTIFIER ::= { 280// joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) 281// csor(3) algorithms(4) id-dsa-with-sha2(3) 2} 282// 283// RFC 5758 3.2 ECDSA Signature Algorithm 284// 285// ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 286// us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } 287// 288// ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 289// us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } 290// 291// ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 292// us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 } 293// 294// 295// RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers 296// 297// id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 } 298 299var ( 300 oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} 301 oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} 302 oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} 303 oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} 304 oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} 305 oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} 306 oidSignatureRSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} 307 oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3} 308 oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2} 309 oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1} 310 oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2} 311 oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3} 312 oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4} 313 oidSignatureEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112} 314 315 oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} 316 oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} 317 oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3} 318 319 oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8} 320 321 // oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA 322 // but it's specified by ISO. Microsoft's makecert.exe has been known 323 // to produce certificates with this OID. 324 oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29} 325) 326 327var signatureAlgorithmDetails = []struct { 328 algo SignatureAlgorithm 329 name string 330 oid asn1.ObjectIdentifier 331 pubKeyAlgo PublicKeyAlgorithm 332 hash crypto.Hash 333}{ 334 {MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */}, 335 {MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5}, 336 {SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1}, 337 {SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1}, 338 {SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256}, 339 {SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384}, 340 {SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512}, 341 {SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256}, 342 {SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384}, 343 {SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512}, 344 {DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1}, 345 {DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256}, 346 {ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1}, 347 {ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256}, 348 {ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384}, 349 {ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512}, 350 {PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */}, 351} 352 353// hashToPSSParameters contains the DER encoded RSA PSS parameters for the 354// SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3. 355// The parameters contain the following values: 356// * hashAlgorithm contains the associated hash identifier with NULL parameters 357// * maskGenAlgorithm always contains the default mgf1SHA1 identifier 358// * saltLength contains the length of the associated hash 359// * trailerField always contains the default trailerFieldBC value 360var hashToPSSParameters = map[crypto.Hash]asn1.RawValue{ 361 crypto.SHA256: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 162, 3, 2, 1, 32}}, 362 crypto.SHA384: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 162, 3, 2, 1, 48}}, 363 crypto.SHA512: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 162, 3, 2, 1, 64}}, 364} 365 366// pssParameters reflects the parameters in an AlgorithmIdentifier that 367// specifies RSA PSS. See RFC 3447, Appendix A.2.3. 368type pssParameters struct { 369 // The following three fields are not marked as 370 // optional because the default values specify SHA-1, 371 // which is no longer suitable for use in signatures. 372 Hash pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"` 373 MGF pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"` 374 SaltLength int `asn1:"explicit,tag:2"` 375 TrailerField int `asn1:"optional,explicit,tag:3,default:1"` 376} 377 378func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm { 379 if ai.Algorithm.Equal(oidSignatureEd25519) { 380 // RFC 8410, Section 3 381 // > For all of the OIDs, the parameters MUST be absent. 382 if len(ai.Parameters.FullBytes) != 0 { 383 return UnknownSignatureAlgorithm 384 } 385 } 386 387 if !ai.Algorithm.Equal(oidSignatureRSAPSS) { 388 for _, details := range signatureAlgorithmDetails { 389 if ai.Algorithm.Equal(details.oid) { 390 return details.algo 391 } 392 } 393 return UnknownSignatureAlgorithm 394 } 395 396 // RSA PSS is special because it encodes important parameters 397 // in the Parameters. 398 399 var params pssParameters 400 if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, ¶ms); err != nil { 401 return UnknownSignatureAlgorithm 402 } 403 404 var mgf1HashFunc pkix.AlgorithmIdentifier 405 if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil { 406 return UnknownSignatureAlgorithm 407 } 408 409 // PSS is greatly overburdened with options. This code forces them into 410 // three buckets by requiring that the MGF1 hash function always match the 411 // message hash function (as recommended in RFC 3447, Section 8.1), that the 412 // salt length matches the hash length, and that the trailer field has the 413 // default value. 414 if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) || 415 !params.MGF.Algorithm.Equal(oidMGF1) || 416 !mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) || 417 (len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) || 418 params.TrailerField != 1 { 419 return UnknownSignatureAlgorithm 420 } 421 422 switch { 423 case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32: 424 return SHA256WithRSAPSS 425 case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48: 426 return SHA384WithRSAPSS 427 case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64: 428 return SHA512WithRSAPSS 429 } 430 431 return UnknownSignatureAlgorithm 432} 433 434// RFC 3279, 2.3 Public Key Algorithms 435// 436// pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840) 437// rsadsi(113549) pkcs(1) 1 } 438// 439// rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 } 440// 441// id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840) 442// x9-57(10040) x9cm(4) 1 } 443// 444// RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters 445// 446// id-ecPublicKey OBJECT IDENTIFIER ::= { 447// iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } 448var ( 449 oidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} 450 oidPublicKeyDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1} 451 oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1} 452 oidPublicKeyEd25519 = oidSignatureEd25519 453) 454 455func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm { 456 switch { 457 case oid.Equal(oidPublicKeyRSA): 458 return RSA 459 case oid.Equal(oidPublicKeyDSA): 460 return DSA 461 case oid.Equal(oidPublicKeyECDSA): 462 return ECDSA 463 case oid.Equal(oidPublicKeyEd25519): 464 return Ed25519 465 } 466 return UnknownPublicKeyAlgorithm 467} 468 469// RFC 5480, 2.1.1.1. Named Curve 470// 471// secp224r1 OBJECT IDENTIFIER ::= { 472// iso(1) identified-organization(3) certicom(132) curve(0) 33 } 473// 474// secp256r1 OBJECT IDENTIFIER ::= { 475// iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 476// prime(1) 7 } 477// 478// secp384r1 OBJECT IDENTIFIER ::= { 479// iso(1) identified-organization(3) certicom(132) curve(0) 34 } 480// 481// secp521r1 OBJECT IDENTIFIER ::= { 482// iso(1) identified-organization(3) certicom(132) curve(0) 35 } 483// 484// NB: secp256r1 is equivalent to prime256v1 485var ( 486 oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33} 487 oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7} 488 oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34} 489 oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35} 490) 491 492func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve { 493 switch { 494 case oid.Equal(oidNamedCurveP224): 495 return elliptic.P224() 496 case oid.Equal(oidNamedCurveP256): 497 return elliptic.P256() 498 case oid.Equal(oidNamedCurveP384): 499 return elliptic.P384() 500 case oid.Equal(oidNamedCurveP521): 501 return elliptic.P521() 502 } 503 return nil 504} 505 506func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) { 507 switch curve { 508 case elliptic.P224(): 509 return oidNamedCurveP224, true 510 case elliptic.P256(): 511 return oidNamedCurveP256, true 512 case elliptic.P384(): 513 return oidNamedCurveP384, true 514 case elliptic.P521(): 515 return oidNamedCurveP521, true 516 } 517 518 return nil, false 519} 520 521// KeyUsage represents the set of actions that are valid for a given key. It's 522// a bitmap of the KeyUsage* constants. 523type KeyUsage int 524 525const ( 526 KeyUsageDigitalSignature KeyUsage = 1 << iota 527 KeyUsageContentCommitment 528 KeyUsageKeyEncipherment 529 KeyUsageDataEncipherment 530 KeyUsageKeyAgreement 531 KeyUsageCertSign 532 KeyUsageCRLSign 533 KeyUsageEncipherOnly 534 KeyUsageDecipherOnly 535) 536 537// RFC 5280, 4.2.1.12 Extended Key Usage 538// 539// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } 540// 541// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } 542// 543// id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } 544// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } 545// id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } 546// id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } 547// id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } 548// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 549var ( 550 oidExtKeyUsageAny = asn1.ObjectIdentifier{2, 5, 29, 37, 0} 551 oidExtKeyUsageServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1} 552 oidExtKeyUsageClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2} 553 oidExtKeyUsageCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3} 554 oidExtKeyUsageEmailProtection = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4} 555 oidExtKeyUsageIPSECEndSystem = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5} 556 oidExtKeyUsageIPSECTunnel = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6} 557 oidExtKeyUsageIPSECUser = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7} 558 oidExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8} 559 oidExtKeyUsageOCSPSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9} 560 oidExtKeyUsageMicrosoftServerGatedCrypto = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3} 561 oidExtKeyUsageNetscapeServerGatedCrypto = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1} 562 oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22} 563 oidExtKeyUsageMicrosoftKernelCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1} 564) 565 566// ExtKeyUsage represents an extended set of actions that are valid for a given key. 567// Each of the ExtKeyUsage* constants define a unique action. 568type ExtKeyUsage int 569 570const ( 571 ExtKeyUsageAny ExtKeyUsage = iota 572 ExtKeyUsageServerAuth 573 ExtKeyUsageClientAuth 574 ExtKeyUsageCodeSigning 575 ExtKeyUsageEmailProtection 576 ExtKeyUsageIPSECEndSystem 577 ExtKeyUsageIPSECTunnel 578 ExtKeyUsageIPSECUser 579 ExtKeyUsageTimeStamping 580 ExtKeyUsageOCSPSigning 581 ExtKeyUsageMicrosoftServerGatedCrypto 582 ExtKeyUsageNetscapeServerGatedCrypto 583 ExtKeyUsageMicrosoftCommercialCodeSigning 584 ExtKeyUsageMicrosoftKernelCodeSigning 585) 586 587// extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID. 588var extKeyUsageOIDs = []struct { 589 extKeyUsage ExtKeyUsage 590 oid asn1.ObjectIdentifier 591}{ 592 {ExtKeyUsageAny, oidExtKeyUsageAny}, 593 {ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth}, 594 {ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth}, 595 {ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning}, 596 {ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection}, 597 {ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem}, 598 {ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel}, 599 {ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser}, 600 {ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping}, 601 {ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning}, 602 {ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto}, 603 {ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto}, 604 {ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning}, 605 {ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning}, 606} 607 608func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) { 609 for _, pair := range extKeyUsageOIDs { 610 if oid.Equal(pair.oid) { 611 return pair.extKeyUsage, true 612 } 613 } 614 return 615} 616 617func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) { 618 for _, pair := range extKeyUsageOIDs { 619 if eku == pair.extKeyUsage { 620 return pair.oid, true 621 } 622 } 623 return 624} 625 626// A Certificate represents an X.509 certificate. 627type Certificate struct { 628 Raw []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature). 629 RawTBSCertificate []byte // Certificate part of raw ASN.1 DER content. 630 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo. 631 RawSubject []byte // DER encoded Subject 632 RawIssuer []byte // DER encoded Issuer 633 634 Signature []byte 635 SignatureAlgorithm SignatureAlgorithm 636 637 PublicKeyAlgorithm PublicKeyAlgorithm 638 PublicKey interface{} 639 640 Version int 641 SerialNumber *big.Int 642 Issuer pkix.Name 643 Subject pkix.Name 644 NotBefore, NotAfter time.Time // Validity bounds. 645 KeyUsage KeyUsage 646 647 // Extensions contains raw X.509 extensions. When parsing certificates, 648 // this can be used to extract non-critical extensions that are not 649 // parsed by this package. When marshaling certificates, the Extensions 650 // field is ignored, see ExtraExtensions. 651 Extensions []pkix.Extension 652 653 // ExtraExtensions contains extensions to be copied, raw, into any 654 // marshaled certificates. Values override any extensions that would 655 // otherwise be produced based on the other fields. The ExtraExtensions 656 // field is not populated when parsing certificates, see Extensions. 657 ExtraExtensions []pkix.Extension 658 659 // UnhandledCriticalExtensions contains a list of extension IDs that 660 // were not (fully) processed when parsing. Verify will fail if this 661 // slice is non-empty, unless verification is delegated to an OS 662 // library which understands all the critical extensions. 663 // 664 // Users can access these extensions using Extensions and can remove 665 // elements from this slice if they believe that they have been 666 // handled. 667 UnhandledCriticalExtensions []asn1.ObjectIdentifier 668 669 ExtKeyUsage []ExtKeyUsage // Sequence of extended key usages. 670 UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package. 671 672 // BasicConstraintsValid indicates whether IsCA, MaxPathLen, 673 // and MaxPathLenZero are valid. 674 BasicConstraintsValid bool 675 IsCA bool 676 677 // MaxPathLen and MaxPathLenZero indicate the presence and 678 // value of the BasicConstraints' "pathLenConstraint". 679 // 680 // When parsing a certificate, a positive non-zero MaxPathLen 681 // means that the field was specified, -1 means it was unset, 682 // and MaxPathLenZero being true mean that the field was 683 // explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false 684 // should be treated equivalent to -1 (unset). 685 // 686 // When generating a certificate, an unset pathLenConstraint 687 // can be requested with either MaxPathLen == -1 or using the 688 // zero value for both MaxPathLen and MaxPathLenZero. 689 MaxPathLen int 690 // MaxPathLenZero indicates that BasicConstraintsValid==true 691 // and MaxPathLen==0 should be interpreted as an actual 692 // maximum path length of zero. Otherwise, that combination is 693 // interpreted as MaxPathLen not being set. 694 MaxPathLenZero bool 695 696 SubjectKeyId []byte 697 AuthorityKeyId []byte 698 699 // RFC 5280, 4.2.2.1 (Authority Information Access) 700 OCSPServer []string 701 IssuingCertificateURL []string 702 703 // Subject Alternate Name values. (Note that these values may not be valid 704 // if invalid values were contained within a parsed certificate. For 705 // example, an element of DNSNames may not be a valid DNS domain name.) 706 DNSNames []string 707 EmailAddresses []string 708 IPAddresses []net.IP 709 URIs []*url.URL 710 711 // Name constraints 712 PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical. 713 PermittedDNSDomains []string 714 ExcludedDNSDomains []string 715 PermittedIPRanges []*net.IPNet 716 ExcludedIPRanges []*net.IPNet 717 PermittedEmailAddresses []string 718 ExcludedEmailAddresses []string 719 PermittedURIDomains []string 720 ExcludedURIDomains []string 721 722 // CRL Distribution Points 723 CRLDistributionPoints []string 724 725 PolicyIdentifiers []asn1.ObjectIdentifier 726} 727 728// ErrUnsupportedAlgorithm results from attempting to perform an operation that 729// involves algorithms that are not currently implemented. 730var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented") 731 732// An InsecureAlgorithmError 733type InsecureAlgorithmError SignatureAlgorithm 734 735func (e InsecureAlgorithmError) Error() string { 736 return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e)) 737} 738 739// ConstraintViolationError results when a requested usage is not permitted by 740// a certificate. For example: checking a signature when the public key isn't a 741// certificate signing key. 742type ConstraintViolationError struct{} 743 744func (ConstraintViolationError) Error() string { 745 return "x509: invalid signature: parent certificate cannot sign this kind of certificate" 746} 747 748func (c *Certificate) Equal(other *Certificate) bool { 749 if c == nil || other == nil { 750 return c == other 751 } 752 return bytes.Equal(c.Raw, other.Raw) 753} 754 755func (c *Certificate) hasSANExtension() bool { 756 return oidInExtensions(oidExtensionSubjectAltName, c.Extensions) 757} 758 759// CheckSignatureFrom verifies that the signature on c is a valid signature 760// from parent. 761func (c *Certificate) CheckSignatureFrom(parent *Certificate) error { 762 // RFC 5280, 4.2.1.9: 763 // "If the basic constraints extension is not present in a version 3 764 // certificate, or the extension is present but the cA boolean is not 765 // asserted, then the certified public key MUST NOT be used to verify 766 // certificate signatures." 767 if parent.Version == 3 && !parent.BasicConstraintsValid || 768 parent.BasicConstraintsValid && !parent.IsCA { 769 return ConstraintViolationError{} 770 } 771 772 if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 { 773 return ConstraintViolationError{} 774 } 775 776 if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm { 777 return ErrUnsupportedAlgorithm 778 } 779 780 // TODO(agl): don't ignore the path length constraint. 781 782 return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) 783} 784 785// CheckSignature verifies that signature is a valid signature over signed from 786// c's public key. 787func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error { 788 return checkSignature(algo, signed, signature, c.PublicKey) 789} 790 791func (c *Certificate) hasNameConstraints() bool { 792 return oidInExtensions(oidExtensionNameConstraints, c.Extensions) 793} 794 795func (c *Certificate) getSANExtension() []byte { 796 for _, e := range c.Extensions { 797 if e.Id.Equal(oidExtensionSubjectAltName) { 798 return e.Value 799 } 800 } 801 return nil 802} 803 804func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error { 805 return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey) 806} 807 808// CheckSignature verifies that signature is a valid signature over signed from 809// a crypto.PublicKey. 810func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) { 811 var hashType crypto.Hash 812 var pubKeyAlgo PublicKeyAlgorithm 813 814 for _, details := range signatureAlgorithmDetails { 815 if details.algo == algo { 816 hashType = details.hash 817 pubKeyAlgo = details.pubKeyAlgo 818 } 819 } 820 821 switch hashType { 822 case crypto.Hash(0): 823 if pubKeyAlgo != Ed25519 { 824 return ErrUnsupportedAlgorithm 825 } 826 case crypto.MD5: 827 return InsecureAlgorithmError(algo) 828 default: 829 if !hashType.Available() { 830 return ErrUnsupportedAlgorithm 831 } 832 h := hashType.New() 833 h.Write(signed) 834 signed = h.Sum(nil) 835 } 836 837 switch pub := publicKey.(type) { 838 case *rsa.PublicKey: 839 if pubKeyAlgo != RSA { 840 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 841 } 842 if algo.isRSAPSS() { 843 return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}) 844 } else { 845 return rsa.VerifyPKCS1v15(pub, hashType, signed, signature) 846 } 847 case *ecdsa.PublicKey: 848 if pubKeyAlgo != ECDSA { 849 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 850 } 851 if !ecdsa.VerifyASN1(pub, signed, signature) { 852 return errors.New("x509: ECDSA verification failure") 853 } 854 return 855 case ed25519.PublicKey: 856 if pubKeyAlgo != Ed25519 { 857 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 858 } 859 if !ed25519.Verify(pub, signed, signature) { 860 return errors.New("x509: Ed25519 verification failure") 861 } 862 return 863 } 864 return ErrUnsupportedAlgorithm 865} 866 867// CheckCRLSignature checks that the signature in crl is from c. 868func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error { 869 algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm) 870 return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign()) 871} 872 873type UnhandledCriticalExtension struct{} 874 875func (h UnhandledCriticalExtension) Error() string { 876 return "x509: unhandled critical extension" 877} 878 879type basicConstraints struct { 880 IsCA bool `asn1:"optional"` 881 MaxPathLen int `asn1:"optional,default:-1"` 882} 883 884// RFC 5280 4.2.1.4 885type policyInformation struct { 886 Policy asn1.ObjectIdentifier 887 // policyQualifiers omitted 888} 889 890const ( 891 nameTypeEmail = 1 892 nameTypeDNS = 2 893 nameTypeURI = 6 894 nameTypeIP = 7 895) 896 897// RFC 5280, 4.2.2.1 898type authorityInfoAccess struct { 899 Method asn1.ObjectIdentifier 900 Location asn1.RawValue 901} 902 903// RFC 5280, 4.2.1.14 904type distributionPoint struct { 905 DistributionPoint distributionPointName `asn1:"optional,tag:0"` 906 Reason asn1.BitString `asn1:"optional,tag:1"` 907 CRLIssuer asn1.RawValue `asn1:"optional,tag:2"` 908} 909 910type distributionPointName struct { 911 FullName []asn1.RawValue `asn1:"optional,tag:0"` 912 RelativeName pkix.RDNSequence `asn1:"optional,tag:1"` 913} 914 915func reverseBitsInAByte(in byte) byte { 916 b1 := in>>4 | in<<4 917 b2 := b1>>2&0x33 | b1<<2&0xcc 918 b3 := b2>>1&0x55 | b2<<1&0xaa 919 return b3 920} 921 922// asn1BitLength returns the bit-length of bitString by considering the 923// most-significant bit in a byte to be the "first" bit. This convention 924// matches ASN.1, but differs from almost everything else. 925func asn1BitLength(bitString []byte) int { 926 bitLen := len(bitString) * 8 927 928 for i := range bitString { 929 b := bitString[len(bitString)-i-1] 930 931 for bit := uint(0); bit < 8; bit++ { 932 if (b>>bit)&1 == 1 { 933 return bitLen 934 } 935 bitLen-- 936 } 937 } 938 939 return 0 940} 941 942var ( 943 oidExtensionSubjectKeyId = []int{2, 5, 29, 14} 944 oidExtensionKeyUsage = []int{2, 5, 29, 15} 945 oidExtensionExtendedKeyUsage = []int{2, 5, 29, 37} 946 oidExtensionAuthorityKeyId = []int{2, 5, 29, 35} 947 oidExtensionBasicConstraints = []int{2, 5, 29, 19} 948 oidExtensionSubjectAltName = []int{2, 5, 29, 17} 949 oidExtensionCertificatePolicies = []int{2, 5, 29, 32} 950 oidExtensionNameConstraints = []int{2, 5, 29, 30} 951 oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31} 952 oidExtensionAuthorityInfoAccess = []int{1, 3, 6, 1, 5, 5, 7, 1, 1} 953 oidExtensionCRLNumber = []int{2, 5, 29, 20} 954) 955 956var ( 957 oidAuthorityInfoAccessOcsp = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1} 958 oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2} 959) 960 961// oidNotInExtensions reports whether an extension with the given oid exists in 962// extensions. 963func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool { 964 for _, e := range extensions { 965 if e.Id.Equal(oid) { 966 return true 967 } 968 } 969 return false 970} 971 972// marshalSANs marshals a list of addresses into a the contents of an X.509 973// SubjectAlternativeName extension. 974func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) { 975 var rawValues []asn1.RawValue 976 for _, name := range dnsNames { 977 if err := isIA5String(name); err != nil { 978 return nil, err 979 } 980 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)}) 981 } 982 for _, email := range emailAddresses { 983 if err := isIA5String(email); err != nil { 984 return nil, err 985 } 986 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)}) 987 } 988 for _, rawIP := range ipAddresses { 989 // If possible, we always want to encode IPv4 addresses in 4 bytes. 990 ip := rawIP.To4() 991 if ip == nil { 992 ip = rawIP 993 } 994 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip}) 995 } 996 for _, uri := range uris { 997 uriStr := uri.String() 998 if err := isIA5String(uriStr); err != nil { 999 return nil, err 1000 } 1001 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uriStr)}) 1002 } 1003 return asn1.Marshal(rawValues) 1004} 1005 1006func isIA5String(s string) error { 1007 for _, r := range s { 1008 // Per RFC5280 "IA5String is limited to the set of ASCII characters" 1009 if r > unicode.MaxASCII { 1010 return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s) 1011 } 1012 } 1013 1014 return nil 1015} 1016 1017func buildCertExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte, subjectKeyId []byte) (ret []pkix.Extension, err error) { 1018 ret = make([]pkix.Extension, 10 /* maximum number of elements. */) 1019 n := 0 1020 1021 if template.KeyUsage != 0 && 1022 !oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) { 1023 ret[n], err = marshalKeyUsage(template.KeyUsage) 1024 if err != nil { 1025 return nil, err 1026 } 1027 n++ 1028 } 1029 1030 if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) && 1031 !oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) { 1032 ret[n], err = marshalExtKeyUsage(template.ExtKeyUsage, template.UnknownExtKeyUsage) 1033 if err != nil { 1034 return nil, err 1035 } 1036 n++ 1037 } 1038 1039 if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) { 1040 ret[n], err = marshalBasicConstraints(template.IsCA, template.MaxPathLen, template.MaxPathLenZero) 1041 if err != nil { 1042 return nil, err 1043 } 1044 n++ 1045 } 1046 1047 if len(subjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) { 1048 ret[n].Id = oidExtensionSubjectKeyId 1049 ret[n].Value, err = asn1.Marshal(subjectKeyId) 1050 if err != nil { 1051 return 1052 } 1053 n++ 1054 } 1055 1056 if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) { 1057 ret[n].Id = oidExtensionAuthorityKeyId 1058 ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId}) 1059 if err != nil { 1060 return 1061 } 1062 n++ 1063 } 1064 1065 if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) && 1066 !oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) { 1067 ret[n].Id = oidExtensionAuthorityInfoAccess 1068 var aiaValues []authorityInfoAccess 1069 for _, name := range template.OCSPServer { 1070 aiaValues = append(aiaValues, authorityInfoAccess{ 1071 Method: oidAuthorityInfoAccessOcsp, 1072 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)}, 1073 }) 1074 } 1075 for _, name := range template.IssuingCertificateURL { 1076 aiaValues = append(aiaValues, authorityInfoAccess{ 1077 Method: oidAuthorityInfoAccessIssuers, 1078 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)}, 1079 }) 1080 } 1081 ret[n].Value, err = asn1.Marshal(aiaValues) 1082 if err != nil { 1083 return 1084 } 1085 n++ 1086 } 1087 1088 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) && 1089 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) { 1090 ret[n].Id = oidExtensionSubjectAltName 1091 // From RFC 5280, Section 4.2.1.6: 1092 // “If the subject field contains an empty sequence ... then 1093 // subjectAltName extension ... is marked as critical” 1094 ret[n].Critical = subjectIsEmpty 1095 ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs) 1096 if err != nil { 1097 return 1098 } 1099 n++ 1100 } 1101 1102 if len(template.PolicyIdentifiers) > 0 && 1103 !oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) { 1104 ret[n], err = marshalCertificatePolicies(template.PolicyIdentifiers) 1105 if err != nil { 1106 return nil, err 1107 } 1108 n++ 1109 } 1110 1111 if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 || 1112 len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 || 1113 len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 || 1114 len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) && 1115 !oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) { 1116 ret[n].Id = oidExtensionNameConstraints 1117 ret[n].Critical = template.PermittedDNSDomainsCritical 1118 1119 ipAndMask := func(ipNet *net.IPNet) []byte { 1120 maskedIP := ipNet.IP.Mask(ipNet.Mask) 1121 ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask)) 1122 ipAndMask = append(ipAndMask, maskedIP...) 1123 ipAndMask = append(ipAndMask, ipNet.Mask...) 1124 return ipAndMask 1125 } 1126 1127 serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) { 1128 var b cryptobyte.Builder 1129 1130 for _, name := range dns { 1131 if err = isIA5String(name); err != nil { 1132 return nil, err 1133 } 1134 1135 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1136 b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) { 1137 b.AddBytes([]byte(name)) 1138 }) 1139 }) 1140 } 1141 1142 for _, ipNet := range ips { 1143 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1144 b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) { 1145 b.AddBytes(ipAndMask(ipNet)) 1146 }) 1147 }) 1148 } 1149 1150 for _, email := range emails { 1151 if err = isIA5String(email); err != nil { 1152 return nil, err 1153 } 1154 1155 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1156 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) { 1157 b.AddBytes([]byte(email)) 1158 }) 1159 }) 1160 } 1161 1162 for _, uriDomain := range uriDomains { 1163 if err = isIA5String(uriDomain); err != nil { 1164 return nil, err 1165 } 1166 1167 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1168 b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) { 1169 b.AddBytes([]byte(uriDomain)) 1170 }) 1171 }) 1172 } 1173 1174 return b.Bytes() 1175 } 1176 1177 permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains) 1178 if err != nil { 1179 return nil, err 1180 } 1181 1182 excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains) 1183 if err != nil { 1184 return nil, err 1185 } 1186 1187 var b cryptobyte.Builder 1188 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1189 if len(permitted) > 0 { 1190 b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) { 1191 b.AddBytes(permitted) 1192 }) 1193 } 1194 1195 if len(excluded) > 0 { 1196 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) { 1197 b.AddBytes(excluded) 1198 }) 1199 } 1200 }) 1201 1202 ret[n].Value, err = b.Bytes() 1203 if err != nil { 1204 return nil, err 1205 } 1206 n++ 1207 } 1208 1209 if len(template.CRLDistributionPoints) > 0 && 1210 !oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) { 1211 ret[n].Id = oidExtensionCRLDistributionPoints 1212 1213 var crlDp []distributionPoint 1214 for _, name := range template.CRLDistributionPoints { 1215 dp := distributionPoint{ 1216 DistributionPoint: distributionPointName{ 1217 FullName: []asn1.RawValue{ 1218 {Tag: 6, Class: 2, Bytes: []byte(name)}, 1219 }, 1220 }, 1221 } 1222 crlDp = append(crlDp, dp) 1223 } 1224 1225 ret[n].Value, err = asn1.Marshal(crlDp) 1226 if err != nil { 1227 return 1228 } 1229 n++ 1230 } 1231 1232 // Adding another extension here? Remember to update the maximum number 1233 // of elements in the make() at the top of the function and the list of 1234 // template fields used in CreateCertificate documentation. 1235 1236 return append(ret[:n], template.ExtraExtensions...), nil 1237} 1238 1239func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error) { 1240 ext := pkix.Extension{Id: oidExtensionKeyUsage, Critical: true} 1241 1242 var a [2]byte 1243 a[0] = reverseBitsInAByte(byte(ku)) 1244 a[1] = reverseBitsInAByte(byte(ku >> 8)) 1245 1246 l := 1 1247 if a[1] != 0 { 1248 l = 2 1249 } 1250 1251 bitString := a[:l] 1252 var err error 1253 ext.Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)}) 1254 if err != nil { 1255 return ext, err 1256 } 1257 return ext, nil 1258} 1259 1260func marshalExtKeyUsage(extUsages []ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) { 1261 ext := pkix.Extension{Id: oidExtensionExtendedKeyUsage} 1262 1263 oids := make([]asn1.ObjectIdentifier, len(extUsages)+len(unknownUsages)) 1264 for i, u := range extUsages { 1265 if oid, ok := oidFromExtKeyUsage(u); ok { 1266 oids[i] = oid 1267 } else { 1268 return ext, errors.New("x509: unknown extended key usage") 1269 } 1270 } 1271 1272 copy(oids[len(extUsages):], unknownUsages) 1273 1274 var err error 1275 ext.Value, err = asn1.Marshal(oids) 1276 if err != nil { 1277 return ext, err 1278 } 1279 return ext, nil 1280} 1281 1282func marshalBasicConstraints(isCA bool, maxPathLen int, maxPathLenZero bool) (pkix.Extension, error) { 1283 ext := pkix.Extension{Id: oidExtensionBasicConstraints, Critical: true} 1284 // Leaving MaxPathLen as zero indicates that no maximum path 1285 // length is desired, unless MaxPathLenZero is set. A value of 1286 // -1 causes encoding/asn1 to omit the value as desired. 1287 if maxPathLen == 0 && !maxPathLenZero { 1288 maxPathLen = -1 1289 } 1290 var err error 1291 ext.Value, err = asn1.Marshal(basicConstraints{isCA, maxPathLen}) 1292 if err != nil { 1293 return ext, nil 1294 } 1295 return ext, nil 1296} 1297 1298func marshalCertificatePolicies(policyIdentifiers []asn1.ObjectIdentifier) (pkix.Extension, error) { 1299 ext := pkix.Extension{Id: oidExtensionCertificatePolicies} 1300 policies := make([]policyInformation, len(policyIdentifiers)) 1301 for i, policy := range policyIdentifiers { 1302 policies[i].Policy = policy 1303 } 1304 var err error 1305 ext.Value, err = asn1.Marshal(policies) 1306 if err != nil { 1307 return ext, err 1308 } 1309 return ext, nil 1310} 1311 1312func buildCSRExtensions(template *CertificateRequest) ([]pkix.Extension, error) { 1313 var ret []pkix.Extension 1314 1315 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) && 1316 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) { 1317 sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs) 1318 if err != nil { 1319 return nil, err 1320 } 1321 1322 ret = append(ret, pkix.Extension{ 1323 Id: oidExtensionSubjectAltName, 1324 Value: sanBytes, 1325 }) 1326 } 1327 1328 return append(ret, template.ExtraExtensions...), nil 1329} 1330 1331func subjectBytes(cert *Certificate) ([]byte, error) { 1332 if len(cert.RawSubject) > 0 { 1333 return cert.RawSubject, nil 1334 } 1335 1336 return asn1.Marshal(cert.Subject.ToRDNSequence()) 1337} 1338 1339// signingParamsForPublicKey returns the parameters to use for signing with 1340// priv. If requestedSigAlgo is not zero then it overrides the default 1341// signature algorithm. 1342func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) { 1343 var pubType PublicKeyAlgorithm 1344 1345 switch pub := pub.(type) { 1346 case *rsa.PublicKey: 1347 pubType = RSA 1348 hashFunc = crypto.SHA256 1349 sigAlgo.Algorithm = oidSignatureSHA256WithRSA 1350 sigAlgo.Parameters = asn1.NullRawValue 1351 1352 case *ecdsa.PublicKey: 1353 pubType = ECDSA 1354 1355 switch pub.Curve { 1356 case elliptic.P224(), elliptic.P256(): 1357 hashFunc = crypto.SHA256 1358 sigAlgo.Algorithm = oidSignatureECDSAWithSHA256 1359 case elliptic.P384(): 1360 hashFunc = crypto.SHA384 1361 sigAlgo.Algorithm = oidSignatureECDSAWithSHA384 1362 case elliptic.P521(): 1363 hashFunc = crypto.SHA512 1364 sigAlgo.Algorithm = oidSignatureECDSAWithSHA512 1365 default: 1366 err = errors.New("x509: unknown elliptic curve") 1367 } 1368 1369 case ed25519.PublicKey: 1370 pubType = Ed25519 1371 sigAlgo.Algorithm = oidSignatureEd25519 1372 1373 default: 1374 err = errors.New("x509: only RSA, ECDSA and Ed25519 keys supported") 1375 } 1376 1377 if err != nil { 1378 return 1379 } 1380 1381 if requestedSigAlgo == 0 { 1382 return 1383 } 1384 1385 found := false 1386 for _, details := range signatureAlgorithmDetails { 1387 if details.algo == requestedSigAlgo { 1388 if details.pubKeyAlgo != pubType { 1389 err = errors.New("x509: requested SignatureAlgorithm does not match private key type") 1390 return 1391 } 1392 sigAlgo.Algorithm, hashFunc = details.oid, details.hash 1393 if hashFunc == 0 && pubType != Ed25519 { 1394 err = errors.New("x509: cannot sign with hash function requested") 1395 return 1396 } 1397 if requestedSigAlgo.isRSAPSS() { 1398 sigAlgo.Parameters = hashToPSSParameters[hashFunc] 1399 } 1400 found = true 1401 break 1402 } 1403 } 1404 1405 if !found { 1406 err = errors.New("x509: unknown SignatureAlgorithm") 1407 } 1408 1409 return 1410} 1411 1412// emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is 1413// just an empty SEQUENCE. 1414var emptyASN1Subject = []byte{0x30, 0} 1415 1416// CreateCertificate creates a new X.509 v3 certificate based on a template. 1417// The following members of template are currently used: 1418// 1419// - AuthorityKeyId 1420// - BasicConstraintsValid 1421// - CRLDistributionPoints 1422// - DNSNames 1423// - EmailAddresses 1424// - ExcludedDNSDomains 1425// - ExcludedEmailAddresses 1426// - ExcludedIPRanges 1427// - ExcludedURIDomains 1428// - ExtKeyUsage 1429// - ExtraExtensions 1430// - IPAddresses 1431// - IsCA 1432// - IssuingCertificateURL 1433// - KeyUsage 1434// - MaxPathLen 1435// - MaxPathLenZero 1436// - NotAfter 1437// - NotBefore 1438// - OCSPServer 1439// - PermittedDNSDomains 1440// - PermittedDNSDomainsCritical 1441// - PermittedEmailAddresses 1442// - PermittedIPRanges 1443// - PermittedURIDomains 1444// - PolicyIdentifiers 1445// - SerialNumber 1446// - SignatureAlgorithm 1447// - Subject 1448// - SubjectKeyId 1449// - URIs 1450// - UnknownExtKeyUsage 1451// 1452// The certificate is signed by parent. If parent is equal to template then the 1453// certificate is self-signed. The parameter pub is the public key of the 1454// certificate to be generated and priv is the private key of the signer. 1455// 1456// The returned slice is the certificate in DER encoding. 1457// 1458// The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and 1459// ed25519.PublicKey. pub must be a supported key type, and priv must be a 1460// crypto.Signer with a supported public key. 1461// 1462// The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any, 1463// unless the resulting certificate is self-signed. Otherwise the value from 1464// template will be used. 1465// 1466// If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId 1467// will be generated from the hash of the public key. 1468func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) ([]byte, error) { 1469 key, ok := priv.(crypto.Signer) 1470 if !ok { 1471 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 1472 } 1473 1474 if template.SerialNumber == nil { 1475 return nil, errors.New("x509: no SerialNumber given") 1476 } 1477 1478 if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) { 1479 return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen") 1480 } 1481 1482 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm) 1483 if err != nil { 1484 return nil, err 1485 } 1486 1487 publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub) 1488 if err != nil { 1489 return nil, err 1490 } 1491 1492 asn1Issuer, err := subjectBytes(parent) 1493 if err != nil { 1494 return nil, err 1495 } 1496 1497 asn1Subject, err := subjectBytes(template) 1498 if err != nil { 1499 return nil, err 1500 } 1501 1502 authorityKeyId := template.AuthorityKeyId 1503 if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 { 1504 authorityKeyId = parent.SubjectKeyId 1505 } 1506 1507 subjectKeyId := template.SubjectKeyId 1508 if len(subjectKeyId) == 0 && template.IsCA { 1509 // SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2: 1510 // (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the 1511 // value of the BIT STRING subjectPublicKey (excluding the tag, 1512 // length, and number of unused bits). 1513 h := sha1.Sum(publicKeyBytes) 1514 subjectKeyId = h[:] 1515 } 1516 1517 // Check that the signer's public key matches the private key, if available. 1518 type privateKey interface { 1519 Equal(crypto.PublicKey) bool 1520 } 1521 if privPub, ok := key.Public().(privateKey); !ok { 1522 return nil, errors.New("x509: internal error: supported public key does not implement Equal") 1523 } else if parent.PublicKey != nil && !privPub.Equal(parent.PublicKey) { 1524 return nil, errors.New("x509: provided PrivateKey doesn't match parent's PublicKey") 1525 } 1526 1527 extensions, err := buildCertExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId, subjectKeyId) 1528 if err != nil { 1529 return nil, err 1530 } 1531 1532 encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes} 1533 c := tbsCertificate{ 1534 Version: 2, 1535 SerialNumber: template.SerialNumber, 1536 SignatureAlgorithm: signatureAlgorithm, 1537 Issuer: asn1.RawValue{FullBytes: asn1Issuer}, 1538 Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()}, 1539 Subject: asn1.RawValue{FullBytes: asn1Subject}, 1540 PublicKey: publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey}, 1541 Extensions: extensions, 1542 } 1543 1544 tbsCertContents, err := asn1.Marshal(c) 1545 if err != nil { 1546 return nil, err 1547 } 1548 c.Raw = tbsCertContents 1549 1550 signed := tbsCertContents 1551 if hashFunc != 0 { 1552 h := hashFunc.New() 1553 h.Write(signed) 1554 signed = h.Sum(nil) 1555 } 1556 1557 var signerOpts crypto.SignerOpts = hashFunc 1558 if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() { 1559 signerOpts = &rsa.PSSOptions{ 1560 SaltLength: rsa.PSSSaltLengthEqualsHash, 1561 Hash: hashFunc, 1562 } 1563 } 1564 1565 var signature []byte 1566 signature, err = key.Sign(rand, signed, signerOpts) 1567 if err != nil { 1568 return nil, err 1569 } 1570 1571 signedCert, err := asn1.Marshal(certificate{ 1572 nil, 1573 c, 1574 signatureAlgorithm, 1575 asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, 1576 }) 1577 if err != nil { 1578 return nil, err 1579 } 1580 1581 // Check the signature to ensure the crypto.Signer behaved correctly. 1582 // We skip this check if the signature algorithm is MD5WithRSA as we 1583 // only support this algorithm for signing, and not verification. 1584 if sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm); sigAlg != MD5WithRSA { 1585 if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil { 1586 return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err) 1587 } 1588 } 1589 1590 return signedCert, nil 1591} 1592 1593// pemCRLPrefix is the magic string that indicates that we have a PEM encoded 1594// CRL. 1595var pemCRLPrefix = []byte("-----BEGIN X509 CRL") 1596 1597// pemType is the type of a PEM encoded CRL. 1598var pemType = "X509 CRL" 1599 1600// ParseCRL parses a CRL from the given bytes. It's often the case that PEM 1601// encoded CRLs will appear where they should be DER encoded, so this function 1602// will transparently handle PEM encoding as long as there isn't any leading 1603// garbage. 1604func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) { 1605 if bytes.HasPrefix(crlBytes, pemCRLPrefix) { 1606 block, _ := pem.Decode(crlBytes) 1607 if block != nil && block.Type == pemType { 1608 crlBytes = block.Bytes 1609 } 1610 } 1611 return ParseDERCRL(crlBytes) 1612} 1613 1614// ParseDERCRL parses a DER encoded CRL from the given bytes. 1615func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) { 1616 certList := new(pkix.CertificateList) 1617 if rest, err := asn1.Unmarshal(derBytes, certList); err != nil { 1618 return nil, err 1619 } else if len(rest) != 0 { 1620 return nil, errors.New("x509: trailing data after CRL") 1621 } 1622 return certList, nil 1623} 1624 1625// CreateCRL returns a DER encoded CRL, signed by this Certificate, that 1626// contains the given list of revoked certificates. 1627// 1628// Note: this method does not generate an RFC 5280 conformant X.509 v2 CRL. 1629// To generate a standards compliant CRL, use CreateRevocationList instead. 1630func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { 1631 key, ok := priv.(crypto.Signer) 1632 if !ok { 1633 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 1634 } 1635 1636 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0) 1637 if err != nil { 1638 return nil, err 1639 } 1640 1641 // Force revocation times to UTC per RFC 5280. 1642 revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts)) 1643 for i, rc := range revokedCerts { 1644 rc.RevocationTime = rc.RevocationTime.UTC() 1645 revokedCertsUTC[i] = rc 1646 } 1647 1648 tbsCertList := pkix.TBSCertificateList{ 1649 Version: 1, 1650 Signature: signatureAlgorithm, 1651 Issuer: c.Subject.ToRDNSequence(), 1652 ThisUpdate: now.UTC(), 1653 NextUpdate: expiry.UTC(), 1654 RevokedCertificates: revokedCertsUTC, 1655 } 1656 1657 // Authority Key Id 1658 if len(c.SubjectKeyId) > 0 { 1659 var aki pkix.Extension 1660 aki.Id = oidExtensionAuthorityKeyId 1661 aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId}) 1662 if err != nil { 1663 return 1664 } 1665 tbsCertList.Extensions = append(tbsCertList.Extensions, aki) 1666 } 1667 1668 tbsCertListContents, err := asn1.Marshal(tbsCertList) 1669 if err != nil { 1670 return 1671 } 1672 1673 signed := tbsCertListContents 1674 if hashFunc != 0 { 1675 h := hashFunc.New() 1676 h.Write(signed) 1677 signed = h.Sum(nil) 1678 } 1679 1680 var signature []byte 1681 signature, err = key.Sign(rand, signed, hashFunc) 1682 if err != nil { 1683 return 1684 } 1685 1686 return asn1.Marshal(pkix.CertificateList{ 1687 TBSCertList: tbsCertList, 1688 SignatureAlgorithm: signatureAlgorithm, 1689 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, 1690 }) 1691} 1692 1693// CertificateRequest represents a PKCS #10, certificate signature request. 1694type CertificateRequest struct { 1695 Raw []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature). 1696 RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content. 1697 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo. 1698 RawSubject []byte // DER encoded Subject. 1699 1700 Version int 1701 Signature []byte 1702 SignatureAlgorithm SignatureAlgorithm 1703 1704 PublicKeyAlgorithm PublicKeyAlgorithm 1705 PublicKey interface{} 1706 1707 Subject pkix.Name 1708 1709 // Attributes contains the CSR attributes that can parse as 1710 // pkix.AttributeTypeAndValueSET. 1711 // 1712 // Deprecated: Use Extensions and ExtraExtensions instead for parsing and 1713 // generating the requestedExtensions attribute. 1714 Attributes []pkix.AttributeTypeAndValueSET 1715 1716 // Extensions contains all requested extensions, in raw form. When parsing 1717 // CSRs, this can be used to extract extensions that are not parsed by this 1718 // package. 1719 Extensions []pkix.Extension 1720 1721 // ExtraExtensions contains extensions to be copied, raw, into any CSR 1722 // marshaled by CreateCertificateRequest. Values override any extensions 1723 // that would otherwise be produced based on the other fields but are 1724 // overridden by any extensions specified in Attributes. 1725 // 1726 // The ExtraExtensions field is not populated by ParseCertificateRequest, 1727 // see Extensions instead. 1728 ExtraExtensions []pkix.Extension 1729 1730 // Subject Alternate Name values. 1731 DNSNames []string 1732 EmailAddresses []string 1733 IPAddresses []net.IP 1734 URIs []*url.URL 1735} 1736 1737// These structures reflect the ASN.1 structure of X.509 certificate 1738// signature requests (see RFC 2986): 1739 1740type tbsCertificateRequest struct { 1741 Raw asn1.RawContent 1742 Version int 1743 Subject asn1.RawValue 1744 PublicKey publicKeyInfo 1745 RawAttributes []asn1.RawValue `asn1:"tag:0"` 1746} 1747 1748type certificateRequest struct { 1749 Raw asn1.RawContent 1750 TBSCSR tbsCertificateRequest 1751 SignatureAlgorithm pkix.AlgorithmIdentifier 1752 SignatureValue asn1.BitString 1753} 1754 1755// oidExtensionRequest is a PKCS #9 OBJECT IDENTIFIER that indicates requested 1756// extensions in a CSR. 1757var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14} 1758 1759// newRawAttributes converts AttributeTypeAndValueSETs from a template 1760// CertificateRequest's Attributes into tbsCertificateRequest RawAttributes. 1761func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) { 1762 var rawAttributes []asn1.RawValue 1763 b, err := asn1.Marshal(attributes) 1764 if err != nil { 1765 return nil, err 1766 } 1767 rest, err := asn1.Unmarshal(b, &rawAttributes) 1768 if err != nil { 1769 return nil, err 1770 } 1771 if len(rest) != 0 { 1772 return nil, errors.New("x509: failed to unmarshal raw CSR Attributes") 1773 } 1774 return rawAttributes, nil 1775} 1776 1777// parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs. 1778func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET { 1779 var attributes []pkix.AttributeTypeAndValueSET 1780 for _, rawAttr := range rawAttributes { 1781 var attr pkix.AttributeTypeAndValueSET 1782 rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr) 1783 // Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET 1784 // (i.e.: challengePassword or unstructuredName). 1785 if err == nil && len(rest) == 0 { 1786 attributes = append(attributes, attr) 1787 } 1788 } 1789 return attributes 1790} 1791 1792// parseCSRExtensions parses the attributes from a CSR and extracts any 1793// requested extensions. 1794func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) { 1795 // pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1. 1796 type pkcs10Attribute struct { 1797 Id asn1.ObjectIdentifier 1798 Values []asn1.RawValue `asn1:"set"` 1799 } 1800 1801 var ret []pkix.Extension 1802 for _, rawAttr := range rawAttributes { 1803 var attr pkcs10Attribute 1804 if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 { 1805 // Ignore attributes that don't parse. 1806 continue 1807 } 1808 1809 if !attr.Id.Equal(oidExtensionRequest) { 1810 continue 1811 } 1812 1813 var extensions []pkix.Extension 1814 if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil { 1815 return nil, err 1816 } 1817 ret = append(ret, extensions...) 1818 } 1819 1820 return ret, nil 1821} 1822 1823// CreateCertificateRequest creates a new certificate request based on a 1824// template. The following members of template are used: 1825// 1826// - SignatureAlgorithm 1827// - Subject 1828// - DNSNames 1829// - EmailAddresses 1830// - IPAddresses 1831// - URIs 1832// - ExtraExtensions 1833// - Attributes (deprecated) 1834// 1835// priv is the private key to sign the CSR with, and the corresponding public 1836// key will be included in the CSR. It must implement crypto.Signer and its 1837// Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a 1838// ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or 1839// ed25519.PrivateKey satisfies this.) 1840// 1841// The returned slice is the certificate request in DER encoding. 1842func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) { 1843 key, ok := priv.(crypto.Signer) 1844 if !ok { 1845 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 1846 } 1847 1848 var hashFunc crypto.Hash 1849 var sigAlgo pkix.AlgorithmIdentifier 1850 hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm) 1851 if err != nil { 1852 return nil, err 1853 } 1854 1855 var publicKeyBytes []byte 1856 var publicKeyAlgorithm pkix.AlgorithmIdentifier 1857 publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public()) 1858 if err != nil { 1859 return nil, err 1860 } 1861 1862 extensions, err := buildCSRExtensions(template) 1863 if err != nil { 1864 return nil, err 1865 } 1866 1867 // Make a copy of template.Attributes because we may alter it below. 1868 attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes)) 1869 for _, attr := range template.Attributes { 1870 values := make([][]pkix.AttributeTypeAndValue, len(attr.Value)) 1871 copy(values, attr.Value) 1872 attributes = append(attributes, pkix.AttributeTypeAndValueSET{ 1873 Type: attr.Type, 1874 Value: values, 1875 }) 1876 } 1877 1878 extensionsAppended := false 1879 if len(extensions) > 0 { 1880 // Append the extensions to an existing attribute if possible. 1881 for _, atvSet := range attributes { 1882 if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 { 1883 continue 1884 } 1885 1886 // specifiedExtensions contains all the extensions that we 1887 // found specified via template.Attributes. 1888 specifiedExtensions := make(map[string]bool) 1889 1890 for _, atvs := range atvSet.Value { 1891 for _, atv := range atvs { 1892 specifiedExtensions[atv.Type.String()] = true 1893 } 1894 } 1895 1896 newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions)) 1897 newValue = append(newValue, atvSet.Value[0]...) 1898 1899 for _, e := range extensions { 1900 if specifiedExtensions[e.Id.String()] { 1901 // Attributes already contained a value for 1902 // this extension and it takes priority. 1903 continue 1904 } 1905 1906 newValue = append(newValue, pkix.AttributeTypeAndValue{ 1907 // There is no place for the critical 1908 // flag in an AttributeTypeAndValue. 1909 Type: e.Id, 1910 Value: e.Value, 1911 }) 1912 } 1913 1914 atvSet.Value[0] = newValue 1915 extensionsAppended = true 1916 break 1917 } 1918 } 1919 1920 rawAttributes, err := newRawAttributes(attributes) 1921 if err != nil { 1922 return 1923 } 1924 1925 // If not included in attributes, add a new attribute for the 1926 // extensions. 1927 if len(extensions) > 0 && !extensionsAppended { 1928 attr := struct { 1929 Type asn1.ObjectIdentifier 1930 Value [][]pkix.Extension `asn1:"set"` 1931 }{ 1932 Type: oidExtensionRequest, 1933 Value: [][]pkix.Extension{extensions}, 1934 } 1935 1936 b, err := asn1.Marshal(attr) 1937 if err != nil { 1938 return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error()) 1939 } 1940 1941 var rawValue asn1.RawValue 1942 if _, err := asn1.Unmarshal(b, &rawValue); err != nil { 1943 return nil, err 1944 } 1945 1946 rawAttributes = append(rawAttributes, rawValue) 1947 } 1948 1949 asn1Subject := template.RawSubject 1950 if len(asn1Subject) == 0 { 1951 asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence()) 1952 if err != nil { 1953 return nil, err 1954 } 1955 } 1956 1957 tbsCSR := tbsCertificateRequest{ 1958 Version: 0, // PKCS #10, RFC 2986 1959 Subject: asn1.RawValue{FullBytes: asn1Subject}, 1960 PublicKey: publicKeyInfo{ 1961 Algorithm: publicKeyAlgorithm, 1962 PublicKey: asn1.BitString{ 1963 Bytes: publicKeyBytes, 1964 BitLength: len(publicKeyBytes) * 8, 1965 }, 1966 }, 1967 RawAttributes: rawAttributes, 1968 } 1969 1970 tbsCSRContents, err := asn1.Marshal(tbsCSR) 1971 if err != nil { 1972 return 1973 } 1974 tbsCSR.Raw = tbsCSRContents 1975 1976 signed := tbsCSRContents 1977 if hashFunc != 0 { 1978 h := hashFunc.New() 1979 h.Write(signed) 1980 signed = h.Sum(nil) 1981 } 1982 1983 var signature []byte 1984 signature, err = key.Sign(rand, signed, hashFunc) 1985 if err != nil { 1986 return 1987 } 1988 1989 return asn1.Marshal(certificateRequest{ 1990 TBSCSR: tbsCSR, 1991 SignatureAlgorithm: sigAlgo, 1992 SignatureValue: asn1.BitString{ 1993 Bytes: signature, 1994 BitLength: len(signature) * 8, 1995 }, 1996 }) 1997} 1998 1999// ParseCertificateRequest parses a single certificate request from the 2000// given ASN.1 DER data. 2001func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) { 2002 var csr certificateRequest 2003 2004 rest, err := asn1.Unmarshal(asn1Data, &csr) 2005 if err != nil { 2006 return nil, err 2007 } else if len(rest) != 0 { 2008 return nil, asn1.SyntaxError{Msg: "trailing data"} 2009 } 2010 2011 return parseCertificateRequest(&csr) 2012} 2013 2014func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) { 2015 out := &CertificateRequest{ 2016 Raw: in.Raw, 2017 RawTBSCertificateRequest: in.TBSCSR.Raw, 2018 RawSubjectPublicKeyInfo: in.TBSCSR.PublicKey.Raw, 2019 RawSubject: in.TBSCSR.Subject.FullBytes, 2020 2021 Signature: in.SignatureValue.RightAlign(), 2022 SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm), 2023 2024 PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm), 2025 2026 Version: in.TBSCSR.Version, 2027 Attributes: parseRawAttributes(in.TBSCSR.RawAttributes), 2028 } 2029 2030 var err error 2031 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey) 2032 if err != nil { 2033 return nil, err 2034 } 2035 2036 var subject pkix.RDNSequence 2037 if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil { 2038 return nil, err 2039 } else if len(rest) != 0 { 2040 return nil, errors.New("x509: trailing data after X.509 Subject") 2041 } 2042 2043 out.Subject.FillFromRDNSequence(&subject) 2044 2045 if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil { 2046 return nil, err 2047 } 2048 2049 for _, extension := range out.Extensions { 2050 switch { 2051 case extension.Id.Equal(oidExtensionSubjectAltName): 2052 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value) 2053 if err != nil { 2054 return nil, err 2055 } 2056 } 2057 } 2058 2059 return out, nil 2060} 2061 2062// CheckSignature reports whether the signature on c is valid. 2063func (c *CertificateRequest) CheckSignature() error { 2064 return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey) 2065} 2066 2067// RevocationList contains the fields used to create an X.509 v2 Certificate 2068// Revocation list with CreateRevocationList. 2069type RevocationList struct { 2070 // SignatureAlgorithm is used to determine the signature algorithm to be 2071 // used when signing the CRL. If 0 the default algorithm for the signing 2072 // key will be used. 2073 SignatureAlgorithm SignatureAlgorithm 2074 2075 // RevokedCertificates is used to populate the revokedCertificates 2076 // sequence in the CRL, it may be empty. RevokedCertificates may be nil, 2077 // in which case an empty CRL will be created. 2078 RevokedCertificates []pkix.RevokedCertificate 2079 2080 // Number is used to populate the X.509 v2 cRLNumber extension in the CRL, 2081 // which should be a monotonically increasing sequence number for a given 2082 // CRL scope and CRL issuer. 2083 Number *big.Int 2084 // ThisUpdate is used to populate the thisUpdate field in the CRL, which 2085 // indicates the issuance date of the CRL. 2086 ThisUpdate time.Time 2087 // NextUpdate is used to populate the nextUpdate field in the CRL, which 2088 // indicates the date by which the next CRL will be issued. NextUpdate 2089 // must be greater than ThisUpdate. 2090 NextUpdate time.Time 2091 // ExtraExtensions contains any additional extensions to add directly to 2092 // the CRL. 2093 ExtraExtensions []pkix.Extension 2094} 2095 2096// CreateRevocationList creates a new X.509 v2 Certificate Revocation List, 2097// according to RFC 5280, based on template. 2098// 2099// The CRL is signed by priv which should be the private key associated with 2100// the public key in the issuer certificate. 2101// 2102// The issuer may not be nil, and the crlSign bit must be set in KeyUsage in 2103// order to use it as a CRL issuer. 2104// 2105// The issuer distinguished name CRL field and authority key identifier 2106// extension are populated using the issuer certificate. issuer must have 2107// SubjectKeyId set. 2108func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error) { 2109 if template == nil { 2110 return nil, errors.New("x509: template can not be nil") 2111 } 2112 if issuer == nil { 2113 return nil, errors.New("x509: issuer can not be nil") 2114 } 2115 if (issuer.KeyUsage & KeyUsageCRLSign) == 0 { 2116 return nil, errors.New("x509: issuer must have the crlSign key usage bit set") 2117 } 2118 if len(issuer.SubjectKeyId) == 0 { 2119 return nil, errors.New("x509: issuer certificate doesn't contain a subject key identifier") 2120 } 2121 if template.NextUpdate.Before(template.ThisUpdate) { 2122 return nil, errors.New("x509: template.ThisUpdate is after template.NextUpdate") 2123 } 2124 if template.Number == nil { 2125 return nil, errors.New("x509: template contains nil Number field") 2126 } 2127 2128 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm) 2129 if err != nil { 2130 return nil, err 2131 } 2132 2133 // Force revocation times to UTC per RFC 5280. 2134 revokedCertsUTC := make([]pkix.RevokedCertificate, len(template.RevokedCertificates)) 2135 for i, rc := range template.RevokedCertificates { 2136 rc.RevocationTime = rc.RevocationTime.UTC() 2137 revokedCertsUTC[i] = rc 2138 } 2139 2140 aki, err := asn1.Marshal(authKeyId{Id: issuer.SubjectKeyId}) 2141 if err != nil { 2142 return nil, err 2143 } 2144 crlNum, err := asn1.Marshal(template.Number) 2145 if err != nil { 2146 return nil, err 2147 } 2148 2149 tbsCertList := pkix.TBSCertificateList{ 2150 Version: 1, // v2 2151 Signature: signatureAlgorithm, 2152 Issuer: issuer.Subject.ToRDNSequence(), 2153 ThisUpdate: template.ThisUpdate.UTC(), 2154 NextUpdate: template.NextUpdate.UTC(), 2155 Extensions: []pkix.Extension{ 2156 { 2157 Id: oidExtensionAuthorityKeyId, 2158 Value: aki, 2159 }, 2160 { 2161 Id: oidExtensionCRLNumber, 2162 Value: crlNum, 2163 }, 2164 }, 2165 } 2166 if len(revokedCertsUTC) > 0 { 2167 tbsCertList.RevokedCertificates = revokedCertsUTC 2168 } 2169 2170 if len(template.ExtraExtensions) > 0 { 2171 tbsCertList.Extensions = append(tbsCertList.Extensions, template.ExtraExtensions...) 2172 } 2173 2174 tbsCertListContents, err := asn1.Marshal(tbsCertList) 2175 if err != nil { 2176 return nil, err 2177 } 2178 2179 input := tbsCertListContents 2180 if hashFunc != 0 { 2181 h := hashFunc.New() 2182 h.Write(tbsCertListContents) 2183 input = h.Sum(nil) 2184 } 2185 var signerOpts crypto.SignerOpts = hashFunc 2186 if template.SignatureAlgorithm.isRSAPSS() { 2187 signerOpts = &rsa.PSSOptions{ 2188 SaltLength: rsa.PSSSaltLengthEqualsHash, 2189 Hash: hashFunc, 2190 } 2191 } 2192 2193 signature, err := priv.Sign(rand, input, signerOpts) 2194 if err != nil { 2195 return nil, err 2196 } 2197 2198 return asn1.Marshal(pkix.CertificateList{ 2199 TBSCertList: tbsCertList, 2200 SignatureAlgorithm: signatureAlgorithm, 2201 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, 2202 }) 2203} 2204