1// Copyright 2021 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4package x509 5 6import ( 7 "bytes" 8 "crypto/dsa" 9 "crypto/ecdsa" 10 "crypto/ed25519" 11 "crypto/elliptic" 12 "crypto/rsa" 13 "crypto/x509/pkix" 14 "encoding/asn1" 15 "errors" 16 "fmt" 17 "math/big" 18 "net" 19 "net/url" 20 "strconv" 21 "strings" 22 "time" 23 "unicode/utf16" 24 "unicode/utf8" 25 26 "golang.org/x/crypto/cryptobyte" 27 cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" 28) 29 30// isPrintable reports whether the given b is in the ASN.1 PrintableString set. 31// This is a simplified version of encoding/asn1.isPrintable. 32func isPrintable(b byte) bool { 33 return 'a' <= b && b <= 'z' || 34 'A' <= b && b <= 'Z' || 35 '0' <= b && b <= '9' || 36 '\'' <= b && b <= ')' || 37 '+' <= b && b <= '/' || 38 b == ' ' || 39 b == ':' || 40 b == '=' || 41 b == '?' || 42 // This is technically not allowed in a PrintableString. 43 // However, x509 certificates with wildcard strings don't 44 // always use the correct string type so we permit it. 45 b == '*' || 46 // This is not technically allowed either. However, not 47 // only is it relatively common, but there are also a 48 // handful of CA certificates that contain it. At least 49 // one of which will not expire until 2027. 50 b == '&' 51} 52 53// parseASN1String parses the ASN.1 string types T61String, PrintableString, 54// UTF8String, BMPString, and IA5String. This is mostly copied from the 55// respective encoding/asn1.parse... methods, rather than just increasing 56// the API surface of that package. 57func parseASN1String(tag cryptobyte_asn1.Tag, value []byte) (string, error) { 58 switch tag { 59 case cryptobyte_asn1.T61String: 60 return string(value), nil 61 case cryptobyte_asn1.PrintableString: 62 for _, b := range value { 63 if !isPrintable(b) { 64 return "", errors.New("invalid PrintableString") 65 } 66 } 67 return string(value), nil 68 case cryptobyte_asn1.UTF8String: 69 if !utf8.Valid(value) { 70 return "", errors.New("invalid UTF-8 string") 71 } 72 return string(value), nil 73 case cryptobyte_asn1.Tag(asn1.TagBMPString): 74 if len(value)%2 != 0 { 75 return "", errors.New("invalid BMPString") 76 } 77 78 // Strip terminator if present. 79 if l := len(value); l >= 2 && value[l-1] == 0 && value[l-2] == 0 { 80 value = value[:l-2] 81 } 82 83 s := make([]uint16, 0, len(value)/2) 84 for len(value) > 0 { 85 s = append(s, uint16(value[0])<<8+uint16(value[1])) 86 value = value[2:] 87 } 88 89 return string(utf16.Decode(s)), nil 90 case cryptobyte_asn1.IA5String: 91 s := string(value) 92 if isIA5String(s) != nil { 93 return "", errors.New("invalid IA5String") 94 } 95 return s, nil 96 } 97 return "", fmt.Errorf("unsupported string type: %v", tag) 98} 99 100// parseName parses a DER encoded Name as defined in RFC 5280. We may 101// want to export this function in the future for use in crypto/tls. 102func parseName(raw cryptobyte.String) (*pkix.RDNSequence, error) { 103 if !raw.ReadASN1(&raw, cryptobyte_asn1.SEQUENCE) { 104 return nil, errors.New("x509: invalid RDNSequence") 105 } 106 107 var rdnSeq pkix.RDNSequence 108 for !raw.Empty() { 109 var rdnSet pkix.RelativeDistinguishedNameSET 110 var set cryptobyte.String 111 if !raw.ReadASN1(&set, cryptobyte_asn1.SET) { 112 return nil, errors.New("x509: invalid RDNSequence") 113 } 114 for !set.Empty() { 115 var atav cryptobyte.String 116 if !set.ReadASN1(&atav, cryptobyte_asn1.SEQUENCE) { 117 return nil, errors.New("x509: invalid RDNSequence: invalid attribute") 118 } 119 var attr pkix.AttributeTypeAndValue 120 if !atav.ReadASN1ObjectIdentifier(&attr.Type) { 121 return nil, errors.New("x509: invalid RDNSequence: invalid attribute type") 122 } 123 var rawValue cryptobyte.String 124 var valueTag cryptobyte_asn1.Tag 125 if !atav.ReadAnyASN1(&rawValue, &valueTag) { 126 return nil, errors.New("x509: invalid RDNSequence: invalid attribute value") 127 } 128 var err error 129 attr.Value, err = parseASN1String(valueTag, rawValue) 130 if err != nil { 131 return nil, fmt.Errorf("x509: invalid RDNSequence: invalid attribute value: %s", err) 132 } 133 rdnSet = append(rdnSet, attr) 134 } 135 136 rdnSeq = append(rdnSeq, rdnSet) 137 } 138 139 return &rdnSeq, nil 140} 141 142func parseAI(der cryptobyte.String) (pkix.AlgorithmIdentifier, error) { 143 ai := pkix.AlgorithmIdentifier{} 144 if !der.ReadASN1ObjectIdentifier(&ai.Algorithm) { 145 return ai, errors.New("x509: malformed OID") 146 } 147 if der.Empty() { 148 return ai, nil 149 } 150 var params cryptobyte.String 151 var tag cryptobyte_asn1.Tag 152 if !der.ReadAnyASN1Element(¶ms, &tag) { 153 return ai, errors.New("x509: malformed parameters") 154 } 155 ai.Parameters.Tag = int(tag) 156 ai.Parameters.FullBytes = params 157 return ai, nil 158} 159 160func parseValidity(der cryptobyte.String) (time.Time, time.Time, error) { 161 extract := func() (time.Time, error) { 162 var t time.Time 163 switch { 164 case der.PeekASN1Tag(cryptobyte_asn1.UTCTime): 165 // TODO(rolandshoemaker): once #45411 is fixed, the following code 166 // should be replaced with a call to der.ReadASN1UTCTime. 167 var utc cryptobyte.String 168 if !der.ReadASN1(&utc, cryptobyte_asn1.UTCTime) { 169 return t, errors.New("x509: malformed UTCTime") 170 } 171 s := string(utc) 172 173 formatStr := "0601021504Z0700" 174 var err error 175 t, err = time.Parse(formatStr, s) 176 if err != nil { 177 formatStr = "060102150405Z0700" 178 t, err = time.Parse(formatStr, s) 179 } 180 if err != nil { 181 return t, err 182 } 183 184 if serialized := t.Format(formatStr); serialized != s { 185 return t, errors.New("x509: malformed UTCTime") 186 } 187 188 if t.Year() >= 2050 { 189 // UTCTime only encodes times prior to 2050. See https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1 190 t = t.AddDate(-100, 0, 0) 191 } 192 case der.PeekASN1Tag(cryptobyte_asn1.GeneralizedTime): 193 if !der.ReadASN1GeneralizedTime(&t) { 194 return t, errors.New("x509: malformed GeneralizedTime") 195 } 196 default: 197 return t, errors.New("x509: unsupported time format") 198 } 199 return t, nil 200 } 201 202 notBefore, err := extract() 203 if err != nil { 204 return time.Time{}, time.Time{}, err 205 } 206 notAfter, err := extract() 207 if err != nil { 208 return time.Time{}, time.Time{}, err 209 } 210 211 return notBefore, notAfter, nil 212} 213 214func parseExtension(der cryptobyte.String) (pkix.Extension, error) { 215 var ext pkix.Extension 216 if !der.ReadASN1ObjectIdentifier(&ext.Id) { 217 return ext, errors.New("x509: malformed extension OID field") 218 } 219 if der.PeekASN1Tag(cryptobyte_asn1.BOOLEAN) { 220 if !der.ReadASN1Boolean(&ext.Critical) { 221 return ext, errors.New("x509: malformed extension critical field") 222 } 223 } 224 var val cryptobyte.String 225 if !der.ReadASN1(&val, cryptobyte_asn1.OCTET_STRING) { 226 return ext, errors.New("x509: malformed extension value field") 227 } 228 ext.Value = val 229 return ext, nil 230} 231 232func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (any, error) { 233 der := cryptobyte.String(keyData.PublicKey.RightAlign()) 234 switch algo { 235 case RSA: 236 // RSA public keys must have a NULL in the parameters. 237 // See RFC 3279, Section 2.3.1. 238 if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) { 239 return nil, errors.New("x509: RSA key missing NULL parameters") 240 } 241 242 p := &pkcs1PublicKey{N: new(big.Int)} 243 if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) { 244 return nil, errors.New("x509: invalid RSA public key") 245 } 246 if !der.ReadASN1Integer(p.N) { 247 return nil, errors.New("x509: invalid RSA modulus") 248 } 249 if !der.ReadASN1Integer(&p.E) { 250 return nil, errors.New("x509: invalid RSA public exponent") 251 } 252 253 if p.N.Sign() <= 0 { 254 return nil, errors.New("x509: RSA modulus is not a positive number") 255 } 256 if p.E <= 0 { 257 return nil, errors.New("x509: RSA public exponent is not a positive number") 258 } 259 260 pub := &rsa.PublicKey{ 261 E: p.E, 262 N: p.N, 263 } 264 return pub, nil 265 case ECDSA: 266 paramsDer := cryptobyte.String(keyData.Algorithm.Parameters.FullBytes) 267 namedCurveOID := new(asn1.ObjectIdentifier) 268 if !paramsDer.ReadASN1ObjectIdentifier(namedCurveOID) { 269 return nil, errors.New("x509: invalid ECDSA parameters") 270 } 271 namedCurve := namedCurveFromOID(*namedCurveOID) 272 if namedCurve == nil { 273 return nil, errors.New("x509: unsupported elliptic curve") 274 } 275 x, y := elliptic.Unmarshal(namedCurve, der) 276 if x == nil { 277 return nil, errors.New("x509: failed to unmarshal elliptic curve point") 278 } 279 pub := &ecdsa.PublicKey{ 280 Curve: namedCurve, 281 X: x, 282 Y: y, 283 } 284 return pub, nil 285 case Ed25519: 286 // RFC 8410, Section 3 287 // > For all of the OIDs, the parameters MUST be absent. 288 if len(keyData.Algorithm.Parameters.FullBytes) != 0 { 289 return nil, errors.New("x509: Ed25519 key encoded with illegal parameters") 290 } 291 if len(der) != ed25519.PublicKeySize { 292 return nil, errors.New("x509: wrong Ed25519 public key size") 293 } 294 return ed25519.PublicKey(der), nil 295 case DSA: 296 y := new(big.Int) 297 if !der.ReadASN1Integer(y) { 298 return nil, errors.New("x509: invalid DSA public key") 299 } 300 pub := &dsa.PublicKey{ 301 Y: y, 302 Parameters: dsa.Parameters{ 303 P: new(big.Int), 304 Q: new(big.Int), 305 G: new(big.Int), 306 }, 307 } 308 paramsDer := cryptobyte.String(keyData.Algorithm.Parameters.FullBytes) 309 if !paramsDer.ReadASN1(¶msDer, cryptobyte_asn1.SEQUENCE) || 310 !paramsDer.ReadASN1Integer(pub.Parameters.P) || 311 !paramsDer.ReadASN1Integer(pub.Parameters.Q) || 312 !paramsDer.ReadASN1Integer(pub.Parameters.G) { 313 return nil, errors.New("x509: invalid DSA parameters") 314 } 315 if pub.Y.Sign() <= 0 || pub.Parameters.P.Sign() <= 0 || 316 pub.Parameters.Q.Sign() <= 0 || pub.Parameters.G.Sign() <= 0 { 317 return nil, errors.New("x509: zero or negative DSA parameter") 318 } 319 return pub, nil 320 default: 321 return nil, nil 322 } 323} 324 325func parseKeyUsageExtension(der cryptobyte.String) (KeyUsage, error) { 326 var usageBits asn1.BitString 327 if !der.ReadASN1BitString(&usageBits) { 328 return 0, errors.New("x509: invalid key usage") 329 } 330 331 var usage int 332 for i := 0; i < 9; i++ { 333 if usageBits.At(i) != 0 { 334 usage |= 1 << uint(i) 335 } 336 } 337 return KeyUsage(usage), nil 338} 339 340func parseBasicConstraintsExtension(der cryptobyte.String) (bool, int, error) { 341 var isCA bool 342 if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) { 343 return false, 0, errors.New("x509: invalid basic constraints a") 344 } 345 if der.PeekASN1Tag(cryptobyte_asn1.BOOLEAN) { 346 if !der.ReadASN1Boolean(&isCA) { 347 return false, 0, errors.New("x509: invalid basic constraints b") 348 } 349 } 350 maxPathLen := -1 351 if !der.Empty() && der.PeekASN1Tag(cryptobyte_asn1.INTEGER) { 352 if !der.ReadASN1Integer(&maxPathLen) { 353 return false, 0, errors.New("x509: invalid basic constraints c") 354 } 355 } 356 357 // TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285) 358 return isCA, maxPathLen, nil 359} 360 361func forEachSAN(der cryptobyte.String, callback func(tag int, data []byte) error) error { 362 if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) { 363 return errors.New("x509: invalid subject alternative names") 364 } 365 for !der.Empty() { 366 var san cryptobyte.String 367 var tag cryptobyte_asn1.Tag 368 if !der.ReadAnyASN1(&san, &tag) { 369 return errors.New("x509: invalid subject alternative name") 370 } 371 if err := callback(int(tag^0x80), san); err != nil { 372 return err 373 } 374 } 375 376 return nil 377} 378 379func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) { 380 err = forEachSAN(der, func(tag int, data []byte) error { 381 switch tag { 382 case nameTypeEmail: 383 email := string(data) 384 if err := isIA5String(email); err != nil { 385 return errors.New("x509: SAN rfc822Name is malformed") 386 } 387 emailAddresses = append(emailAddresses, email) 388 case nameTypeDNS: 389 name := string(data) 390 if err := isIA5String(name); err != nil { 391 return errors.New("x509: SAN dNSName is malformed") 392 } 393 dnsNames = append(dnsNames, string(name)) 394 case nameTypeURI: 395 uriStr := string(data) 396 if err := isIA5String(uriStr); err != nil { 397 return errors.New("x509: SAN uniformResourceIdentifier is malformed") 398 } 399 uri, err := url.Parse(uriStr) 400 if err != nil { 401 return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err) 402 } 403 if len(uri.Host) > 0 { 404 if _, ok := domainToReverseLabels(uri.Host); !ok { 405 return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr) 406 } 407 } 408 uris = append(uris, uri) 409 case nameTypeIP: 410 switch len(data) { 411 case net.IPv4len, net.IPv6len: 412 ipAddresses = append(ipAddresses, data) 413 default: 414 return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data))) 415 } 416 } 417 418 return nil 419 }) 420 421 return 422} 423 424func parseExtKeyUsageExtension(der cryptobyte.String) ([]ExtKeyUsage, []asn1.ObjectIdentifier, error) { 425 var extKeyUsages []ExtKeyUsage 426 var unknownUsages []asn1.ObjectIdentifier 427 if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) { 428 return nil, nil, errors.New("x509: invalid extended key usages") 429 } 430 for !der.Empty() { 431 var eku asn1.ObjectIdentifier 432 if !der.ReadASN1ObjectIdentifier(&eku) { 433 return nil, nil, errors.New("x509: invalid extended key usages") 434 } 435 if extKeyUsage, ok := extKeyUsageFromOID(eku); ok { 436 extKeyUsages = append(extKeyUsages, extKeyUsage) 437 } else { 438 unknownUsages = append(unknownUsages, eku) 439 } 440 } 441 return extKeyUsages, unknownUsages, nil 442} 443 444func parseCertificatePoliciesExtension(der cryptobyte.String) ([]asn1.ObjectIdentifier, error) { 445 var oids []asn1.ObjectIdentifier 446 if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) { 447 return nil, errors.New("x509: invalid certificate policies") 448 } 449 for !der.Empty() { 450 var cp cryptobyte.String 451 if !der.ReadASN1(&cp, cryptobyte_asn1.SEQUENCE) { 452 return nil, errors.New("x509: invalid certificate policies") 453 } 454 var oid asn1.ObjectIdentifier 455 if !cp.ReadASN1ObjectIdentifier(&oid) { 456 return nil, errors.New("x509: invalid certificate policies") 457 } 458 oids = append(oids, oid) 459 } 460 461 return oids, nil 462} 463 464// isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits. 465func isValidIPMask(mask []byte) bool { 466 seenZero := false 467 468 for _, b := range mask { 469 if seenZero { 470 if b != 0 { 471 return false 472 } 473 474 continue 475 } 476 477 switch b { 478 case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe: 479 seenZero = true 480 case 0xff: 481 default: 482 return false 483 } 484 } 485 486 return true 487} 488 489func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) { 490 // RFC 5280, 4.2.1.10 491 492 // NameConstraints ::= SEQUENCE { 493 // permittedSubtrees [0] GeneralSubtrees OPTIONAL, 494 // excludedSubtrees [1] GeneralSubtrees OPTIONAL } 495 // 496 // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree 497 // 498 // GeneralSubtree ::= SEQUENCE { 499 // base GeneralName, 500 // minimum [0] BaseDistance DEFAULT 0, 501 // maximum [1] BaseDistance OPTIONAL } 502 // 503 // BaseDistance ::= INTEGER (0..MAX) 504 505 outer := cryptobyte.String(e.Value) 506 var toplevel, permitted, excluded cryptobyte.String 507 var havePermitted, haveExcluded bool 508 if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) || 509 !outer.Empty() || 510 !toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) || 511 !toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) || 512 !toplevel.Empty() { 513 return false, errors.New("x509: invalid NameConstraints extension") 514 } 515 516 if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 { 517 // From RFC 5280, Section 4.2.1.10: 518 // “either the permittedSubtrees field 519 // or the excludedSubtrees MUST be 520 // present” 521 return false, errors.New("x509: empty name constraints extension") 522 } 523 524 getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) { 525 for !subtrees.Empty() { 526 var seq, value cryptobyte.String 527 var tag cryptobyte_asn1.Tag 528 if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) || 529 !seq.ReadAnyASN1(&value, &tag) { 530 return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension") 531 } 532 533 var ( 534 dnsTag = cryptobyte_asn1.Tag(2).ContextSpecific() 535 emailTag = cryptobyte_asn1.Tag(1).ContextSpecific() 536 ipTag = cryptobyte_asn1.Tag(7).ContextSpecific() 537 uriTag = cryptobyte_asn1.Tag(6).ContextSpecific() 538 ) 539 540 switch tag { 541 case dnsTag: 542 domain := string(value) 543 if err := isIA5String(domain); err != nil { 544 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 545 } 546 547 trimmedDomain := domain 548 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { 549 // constraints can have a leading 550 // period to exclude the domain 551 // itself, but that's not valid in a 552 // normal domain name. 553 trimmedDomain = trimmedDomain[1:] 554 } 555 if _, ok := domainToReverseLabels(trimmedDomain); !ok { 556 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain) 557 } 558 dnsNames = append(dnsNames, domain) 559 560 case ipTag: 561 l := len(value) 562 var ip, mask []byte 563 564 switch l { 565 case 8: 566 ip = value[:4] 567 mask = value[4:] 568 569 case 32: 570 ip = value[:16] 571 mask = value[16:] 572 573 default: 574 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l) 575 } 576 577 if !isValidIPMask(mask) { 578 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask) 579 } 580 581 ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)}) 582 583 case emailTag: 584 constraint := string(value) 585 if err := isIA5String(constraint); err != nil { 586 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 587 } 588 589 // If the constraint contains an @ then 590 // it specifies an exact mailbox name. 591 if strings.Contains(constraint, "@") { 592 if _, ok := parseRFC2821Mailbox(constraint); !ok { 593 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) 594 } 595 } else { 596 // Otherwise it's a domain name. 597 domain := constraint 598 if len(domain) > 0 && domain[0] == '.' { 599 domain = domain[1:] 600 } 601 if _, ok := domainToReverseLabels(domain); !ok { 602 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) 603 } 604 } 605 emails = append(emails, constraint) 606 607 case uriTag: 608 domain := string(value) 609 if err := isIA5String(domain); err != nil { 610 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 611 } 612 613 if net.ParseIP(domain) != nil { 614 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) 615 } 616 617 trimmedDomain := domain 618 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { 619 // constraints can have a leading 620 // period to exclude the domain itself, 621 // but that's not valid in a normal 622 // domain name. 623 trimmedDomain = trimmedDomain[1:] 624 } 625 if _, ok := domainToReverseLabels(trimmedDomain); !ok { 626 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain) 627 } 628 uriDomains = append(uriDomains, domain) 629 630 default: 631 unhandled = true 632 } 633 } 634 635 return dnsNames, ips, emails, uriDomains, nil 636 } 637 638 if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil { 639 return false, err 640 } 641 if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil { 642 return false, err 643 } 644 out.PermittedDNSDomainsCritical = e.Critical 645 646 return unhandled, nil 647} 648 649func processExtensions(out *Certificate) error { 650 var err error 651 for _, e := range out.Extensions { 652 unhandled := false 653 654 if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 { 655 switch e.Id[3] { 656 case 15: 657 out.KeyUsage, err = parseKeyUsageExtension(e.Value) 658 if err != nil { 659 return err 660 } 661 case 19: 662 out.IsCA, out.MaxPathLen, err = parseBasicConstraintsExtension(e.Value) 663 if err != nil { 664 return err 665 } 666 out.BasicConstraintsValid = true 667 out.MaxPathLenZero = out.MaxPathLen == 0 668 case 17: 669 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value) 670 if err != nil { 671 return err 672 } 673 674 if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 { 675 // If we didn't parse anything then we do the critical check, below. 676 unhandled = true 677 } 678 679 case 30: 680 unhandled, err = parseNameConstraintsExtension(out, e) 681 if err != nil { 682 return err 683 } 684 685 case 31: 686 // RFC 5280, 4.2.1.13 687 688 // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint 689 // 690 // DistributionPoint ::= SEQUENCE { 691 // distributionPoint [0] DistributionPointName OPTIONAL, 692 // reasons [1] ReasonFlags OPTIONAL, 693 // cRLIssuer [2] GeneralNames OPTIONAL } 694 // 695 // DistributionPointName ::= CHOICE { 696 // fullName [0] GeneralNames, 697 // nameRelativeToCRLIssuer [1] RelativeDistinguishedName } 698 val := cryptobyte.String(e.Value) 699 if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) { 700 return errors.New("x509: invalid CRL distribution points") 701 } 702 for !val.Empty() { 703 var dpDER cryptobyte.String 704 if !val.ReadASN1(&dpDER, cryptobyte_asn1.SEQUENCE) { 705 return errors.New("x509: invalid CRL distribution point") 706 } 707 var dpNameDER cryptobyte.String 708 var dpNamePresent bool 709 if !dpDER.ReadOptionalASN1(&dpNameDER, &dpNamePresent, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) { 710 return errors.New("x509: invalid CRL distribution point") 711 } 712 if !dpNamePresent { 713 continue 714 } 715 if !dpNameDER.ReadASN1(&dpNameDER, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) { 716 return errors.New("x509: invalid CRL distribution point") 717 } 718 for !dpNameDER.Empty() { 719 if !dpNameDER.PeekASN1Tag(cryptobyte_asn1.Tag(6).ContextSpecific()) { 720 break 721 } 722 var uri cryptobyte.String 723 if !dpNameDER.ReadASN1(&uri, cryptobyte_asn1.Tag(6).ContextSpecific()) { 724 return errors.New("x509: invalid CRL distribution point") 725 } 726 out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(uri)) 727 } 728 } 729 730 case 35: 731 // RFC 5280, 4.2.1.1 732 val := cryptobyte.String(e.Value) 733 var akid cryptobyte.String 734 if !val.ReadASN1(&akid, cryptobyte_asn1.SEQUENCE) { 735 return errors.New("x509: invalid authority key identifier") 736 } 737 if akid.PeekASN1Tag(cryptobyte_asn1.Tag(0).ContextSpecific()) { 738 if !akid.ReadASN1(&akid, cryptobyte_asn1.Tag(0).ContextSpecific()) { 739 return errors.New("x509: invalid authority key identifier") 740 } 741 out.AuthorityKeyId = akid 742 } 743 case 37: 744 out.ExtKeyUsage, out.UnknownExtKeyUsage, err = parseExtKeyUsageExtension(e.Value) 745 if err != nil { 746 return err 747 } 748 case 14: 749 // RFC 5280, 4.2.1.2 750 val := cryptobyte.String(e.Value) 751 var skid cryptobyte.String 752 if !val.ReadASN1(&skid, cryptobyte_asn1.OCTET_STRING) { 753 return errors.New("x509: invalid subject key identifier") 754 } 755 out.SubjectKeyId = skid 756 case 32: 757 out.PolicyIdentifiers, err = parseCertificatePoliciesExtension(e.Value) 758 if err != nil { 759 return err 760 } 761 default: 762 // Unknown extensions are recorded if critical. 763 unhandled = true 764 } 765 } else if e.Id.Equal(oidExtensionAuthorityInfoAccess) { 766 // RFC 5280 4.2.2.1: Authority Information Access 767 val := cryptobyte.String(e.Value) 768 if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) { 769 return errors.New("x509: invalid authority info access") 770 } 771 for !val.Empty() { 772 var aiaDER cryptobyte.String 773 if !val.ReadASN1(&aiaDER, cryptobyte_asn1.SEQUENCE) { 774 return errors.New("x509: invalid authority info access") 775 } 776 var method asn1.ObjectIdentifier 777 if !aiaDER.ReadASN1ObjectIdentifier(&method) { 778 return errors.New("x509: invalid authority info access") 779 } 780 if !aiaDER.PeekASN1Tag(cryptobyte_asn1.Tag(6).ContextSpecific()) { 781 continue 782 } 783 if !aiaDER.ReadASN1(&aiaDER, cryptobyte_asn1.Tag(6).ContextSpecific()) { 784 return errors.New("x509: invalid authority info access") 785 } 786 switch { 787 case method.Equal(oidAuthorityInfoAccessOcsp): 788 out.OCSPServer = append(out.OCSPServer, string(aiaDER)) 789 case method.Equal(oidAuthorityInfoAccessIssuers): 790 out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(aiaDER)) 791 } 792 } 793 } else { 794 // Unknown extensions are recorded if critical. 795 unhandled = true 796 } 797 798 if e.Critical && unhandled { 799 out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id) 800 } 801 } 802 803 return nil 804} 805 806func parseCertificate(der []byte) (*Certificate, error) { 807 cert := &Certificate{} 808 809 input := cryptobyte.String(der) 810 // we read the SEQUENCE including length and tag bytes so that 811 // we can populate Certificate.Raw, before unwrapping the 812 // SEQUENCE so it can be operated on 813 if !input.ReadASN1Element(&input, cryptobyte_asn1.SEQUENCE) { 814 return nil, errors.New("x509: malformed certificate") 815 } 816 cert.Raw = input 817 if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) { 818 return nil, errors.New("x509: malformed certificate") 819 } 820 821 var tbs cryptobyte.String 822 // do the same trick again as above to extract the raw 823 // bytes for Certificate.RawTBSCertificate 824 if !input.ReadASN1Element(&tbs, cryptobyte_asn1.SEQUENCE) { 825 return nil, errors.New("x509: malformed tbs certificate") 826 } 827 cert.RawTBSCertificate = tbs 828 if !tbs.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) { 829 return nil, errors.New("x509: malformed tbs certificate") 830 } 831 832 if !tbs.ReadOptionalASN1Integer(&cert.Version, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific(), 0) { 833 return nil, errors.New("x509: malformed version") 834 } 835 if cert.Version < 0 { 836 return nil, errors.New("x509: malformed version") 837 } 838 // for backwards compat reasons Version is one-indexed, 839 // rather than zero-indexed as defined in 5280 840 cert.Version++ 841 if cert.Version > 3 { 842 return nil, errors.New("x509: invalid version") 843 } 844 845 serial := new(big.Int) 846 if !tbs.ReadASN1Integer(serial) { 847 return nil, errors.New("x509: malformed serial number") 848 } 849 // we ignore the presence of negative serial numbers because 850 // of their prevalence, despite them being invalid 851 // TODO(rolandshoemaker): revist this decision, there are currently 852 // only 10 trusted certificates with negative serial numbers 853 // according to censys.io. 854 cert.SerialNumber = serial 855 856 var sigAISeq cryptobyte.String 857 if !tbs.ReadASN1(&sigAISeq, cryptobyte_asn1.SEQUENCE) { 858 return nil, errors.New("x509: malformed signature algorithm identifier") 859 } 860 // Before parsing the inner algorithm identifier, extract 861 // the outer algorithm identifier and make sure that they 862 // match. 863 var outerSigAISeq cryptobyte.String 864 if !input.ReadASN1(&outerSigAISeq, cryptobyte_asn1.SEQUENCE) { 865 return nil, errors.New("x509: malformed algorithm identifier") 866 } 867 if !bytes.Equal(outerSigAISeq, sigAISeq) { 868 return nil, errors.New("x509: inner and outer signature algorithm identifiers don't match") 869 } 870 sigAI, err := parseAI(sigAISeq) 871 if err != nil { 872 return nil, err 873 } 874 cert.SignatureAlgorithm = getSignatureAlgorithmFromAI(sigAI) 875 876 var issuerSeq cryptobyte.String 877 if !tbs.ReadASN1Element(&issuerSeq, cryptobyte_asn1.SEQUENCE) { 878 return nil, errors.New("x509: malformed issuer") 879 } 880 cert.RawIssuer = issuerSeq 881 issuerRDNs, err := parseName(issuerSeq) 882 if err != nil { 883 return nil, err 884 } 885 cert.Issuer.FillFromRDNSequence(issuerRDNs) 886 887 var validity cryptobyte.String 888 if !tbs.ReadASN1(&validity, cryptobyte_asn1.SEQUENCE) { 889 return nil, errors.New("x509: malformed validity") 890 } 891 cert.NotBefore, cert.NotAfter, err = parseValidity(validity) 892 if err != nil { 893 return nil, err 894 } 895 896 var subjectSeq cryptobyte.String 897 if !tbs.ReadASN1Element(&subjectSeq, cryptobyte_asn1.SEQUENCE) { 898 return nil, errors.New("x509: malformed issuer") 899 } 900 cert.RawSubject = subjectSeq 901 subjectRDNs, err := parseName(subjectSeq) 902 if err != nil { 903 return nil, err 904 } 905 cert.Subject.FillFromRDNSequence(subjectRDNs) 906 907 var spki cryptobyte.String 908 if !tbs.ReadASN1Element(&spki, cryptobyte_asn1.SEQUENCE) { 909 return nil, errors.New("x509: malformed spki") 910 } 911 cert.RawSubjectPublicKeyInfo = spki 912 if !spki.ReadASN1(&spki, cryptobyte_asn1.SEQUENCE) { 913 return nil, errors.New("x509: malformed spki") 914 } 915 var pkAISeq cryptobyte.String 916 if !spki.ReadASN1(&pkAISeq, cryptobyte_asn1.SEQUENCE) { 917 return nil, errors.New("x509: malformed public key algorithm identifier") 918 } 919 pkAI, err := parseAI(pkAISeq) 920 if err != nil { 921 return nil, err 922 } 923 cert.PublicKeyAlgorithm = getPublicKeyAlgorithmFromOID(pkAI.Algorithm) 924 var spk asn1.BitString 925 if !spki.ReadASN1BitString(&spk) { 926 return nil, errors.New("x509: malformed subjectPublicKey") 927 } 928 cert.PublicKey, err = parsePublicKey(cert.PublicKeyAlgorithm, &publicKeyInfo{ 929 Algorithm: pkAI, 930 PublicKey: spk, 931 }) 932 if err != nil { 933 return nil, err 934 } 935 936 if cert.Version > 1 { 937 if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(1).Constructed().ContextSpecific()) { 938 return nil, errors.New("x509: malformed issuerUniqueID") 939 } 940 if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(2).Constructed().ContextSpecific()) { 941 return nil, errors.New("x509: malformed subjectUniqueID") 942 } 943 if cert.Version == 3 { 944 var extensions cryptobyte.String 945 var present bool 946 if !tbs.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.Tag(3).Constructed().ContextSpecific()) { 947 return nil, errors.New("x509: malformed extensions") 948 } 949 if present { 950 if !extensions.ReadASN1(&extensions, cryptobyte_asn1.SEQUENCE) { 951 return nil, errors.New("x509: malformed extensions") 952 } 953 for !extensions.Empty() { 954 var extension cryptobyte.String 955 if !extensions.ReadASN1(&extension, cryptobyte_asn1.SEQUENCE) { 956 return nil, errors.New("x509: malformed extension") 957 } 958 ext, err := parseExtension(extension) 959 if err != nil { 960 return nil, err 961 } 962 cert.Extensions = append(cert.Extensions, ext) 963 } 964 err = processExtensions(cert) 965 if err != nil { 966 return nil, err 967 } 968 } 969 } 970 } 971 972 var signature asn1.BitString 973 if !input.ReadASN1BitString(&signature) { 974 return nil, errors.New("x509: malformed signature") 975 } 976 cert.Signature = signature.RightAlign() 977 978 return cert, nil 979} 980 981// ParseCertificate parses a single certificate from the given ASN.1 DER data. 982func ParseCertificate(der []byte) (*Certificate, error) { 983 cert, err := parseCertificate(der) 984 if err != nil { 985 return nil, err 986 } 987 if len(der) != len(cert.Raw) { 988 return nil, errors.New("x509: trailing data") 989 } 990 return cert, err 991} 992 993// ParseCertificates parses one or more certificates from the given ASN.1 DER 994// data. The certificates must be concatenated with no intermediate padding. 995func ParseCertificates(der []byte) ([]*Certificate, error) { 996 var certs []*Certificate 997 for len(der) > 0 { 998 cert, err := parseCertificate(der) 999 if err != nil { 1000 return nil, err 1001 } 1002 certs = append(certs, cert) 1003 der = der[len(cert.Raw):] 1004 } 1005 return certs, nil 1006} 1007