1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package x509 6 7import ( 8 "bytes" 9 "crypto/dsa" 10 "crypto/ecdsa" 11 "crypto/elliptic" 12 "crypto/rand" 13 "crypto/rsa" 14 _ "crypto/sha256" 15 _ "crypto/sha512" 16 "encoding/base64" 17 "encoding/hex" 18 "encoding/pem" 19 "errors" 20 "fmt" 21 "io/ioutil" 22 "math/big" 23 "net" 24 "net/url" 25 "os/exec" 26 "reflect" 27 "runtime" 28 "strings" 29 "testing" 30 "time" 31 32 "github.com/google/certificate-transparency-go/asn1" 33 "github.com/google/certificate-transparency-go/x509/pkix" 34) 35 36func TestParsePKCS1PrivateKey(t *testing.T) { 37 block, _ := pem.Decode([]byte(pemPrivateKey)) 38 priv, err := ParsePKCS1PrivateKey(block.Bytes) 39 if err != nil { 40 t.Errorf("Failed to parse private key: %s", err) 41 return 42 } 43 if priv.PublicKey.N.Cmp(rsaPrivateKey.PublicKey.N) != 0 || 44 priv.PublicKey.E != rsaPrivateKey.PublicKey.E || 45 priv.D.Cmp(rsaPrivateKey.D) != 0 || 46 priv.Primes[0].Cmp(rsaPrivateKey.Primes[0]) != 0 || 47 priv.Primes[1].Cmp(rsaPrivateKey.Primes[1]) != 0 { 48 t.Errorf("got:%+v want:%+v", priv, rsaPrivateKey) 49 } 50 51 // This private key includes an invalid prime that 52 // rsa.PrivateKey.Validate should reject. 53 data := []byte("0\x16\x02\x00\x02\x02\u007f\x00\x02\x0200\x02\x0200\x02\x02\x00\x01\x02\x02\u007f\x00") 54 if _, err := ParsePKCS1PrivateKey(data); err == nil { 55 t.Errorf("parsing invalid private key did not result in an error") 56 } 57} 58 59func TestParsePKIXPublicKey(t *testing.T) { 60 block, _ := pem.Decode([]byte(pemPublicKey)) 61 pub, err := ParsePKIXPublicKey(block.Bytes) 62 if err != nil { 63 t.Errorf("Failed to parse RSA public key: %s", err) 64 return 65 } 66 rsaPub, ok := pub.(*rsa.PublicKey) 67 if !ok { 68 t.Errorf("Value returned from ParsePKIXPublicKey was not an RSA public key") 69 return 70 } 71 72 pubBytes2, err := MarshalPKIXPublicKey(rsaPub) 73 if err != nil { 74 t.Errorf("Failed to marshal RSA public key for the second time: %s", err) 75 return 76 } 77 if !bytes.Equal(pubBytes2, block.Bytes) { 78 t.Errorf("Reserialization of public key didn't match. got %x, want %x", pubBytes2, block.Bytes) 79 } 80} 81 82var pemPublicKey = `-----BEGIN PUBLIC KEY----- 83MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3VoPN9PKUjKFLMwOge6+ 84wnDi8sbETGIx2FKXGgqtAKpzmem53kRGEQg8WeqRmp12wgp74TGpkEXsGae7RS1k 85enJCnma4fii+noGH7R0qKgHvPrI2Bwa9hzsH8tHxpyM3qrXslOmD45EH9SxIDUBJ 86FehNdaPbLP1gFyahKMsdfxFJLUvbUycuZSJ2ZnIgeVxwm4qbSvZInL9Iu4FzuPtg 87fINKcbbovy1qq4KvPIrXzhbY3PWDc6btxCf3SE0JdE1MCPThntB62/bLMSQ7xdDR 88FF53oIpvxe/SCOymfWq/LW849Ytv3Xwod0+wzAP8STXG4HSELS4UedPYeHJJJYcZ 89+QIDAQAB 90-----END PUBLIC KEY----- 91` 92 93var pemPrivateKey = ` 94-----BEGIN RSA PRIVATE KEY----- 95MIICXAIBAAKBgQCxoeCUW5KJxNPxMp+KmCxKLc1Zv9Ny+4CFqcUXVUYH69L3mQ7v 96IWrJ9GBfcaA7BPQqUlWxWM+OCEQZH1EZNIuqRMNQVuIGCbz5UQ8w6tS0gcgdeGX7 97J7jgCQ4RK3F/PuCM38QBLaHx988qG8NMc6VKErBjctCXFHQt14lerd5KpQIDAQAB 98AoGAYrf6Hbk+mT5AI33k2Jt1kcweodBP7UkExkPxeuQzRVe0KVJw0EkcFhywKpr1 99V5eLMrILWcJnpyHE5slWwtFHBG6a5fLaNtsBBtcAIfqTQ0Vfj5c6SzVaJv0Z5rOd 1007gQF6isy3t3w9IF3We9wXQKzT6q5ypPGdm6fciKQ8RnzREkCQQDZwppKATqQ41/R 101vhSj90fFifrGE6aVKC1hgSpxGQa4oIdsYYHwMzyhBmWW9Xv/R+fPyr8ZwPxp2c12 10233QwOLPLAkEA0NNUb+z4ebVVHyvSwF5jhfJxigim+s49KuzJ1+A2RaSApGyBZiwS 103rWvWkB471POAKUYt5ykIWVZ83zcceQiNTwJBAMJUFQZX5GDqWFc/zwGoKkeR49Yi 104MTXIvf7Wmv6E++eFcnT461FlGAUHRV+bQQXGsItR/opIG7mGogIkVXa3E1MCQARX 105AAA7eoZ9AEHflUeuLn9QJI/r0hyQQLEtrpwv6rDT1GCWaLII5HJ6NUFVf4TTcqxo 1066vdM4QGKTJoO+SaCyP0CQFdpcxSAuzpFcKv0IlJ8XzS/cy+mweCMwyJ1PFEc4FX6 107wg/HcAJWY60xZTJDFN+Qfx8ZQvBEin6c2/h+zZi5IVY= 108-----END RSA PRIVATE KEY----- 109` 110 111var testPrivateKey *rsa.PrivateKey 112 113func init() { 114 block, _ := pem.Decode([]byte(pemPrivateKey)) 115 116 var err error 117 if testPrivateKey, err = ParsePKCS1PrivateKey(block.Bytes); err != nil { 118 panic("Failed to parse private key: " + err.Error()) 119 } 120} 121 122func bigFromString(s string) *big.Int { 123 ret := new(big.Int) 124 ret.SetString(s, 10) 125 return ret 126} 127 128func fromBase10(base10 string) *big.Int { 129 i := new(big.Int) 130 i.SetString(base10, 10) 131 return i 132} 133 134func bigFromHexString(s string) *big.Int { 135 ret := new(big.Int) 136 ret.SetString(s, 16) 137 return ret 138} 139 140var rsaPrivateKey = &rsa.PrivateKey{ 141 PublicKey: rsa.PublicKey{ 142 N: bigFromString("124737666279038955318614287965056875799409043964547386061640914307192830334599556034328900586693254156136128122194531292927142396093148164407300419162827624945636708870992355233833321488652786796134504707628792159725681555822420087112284637501705261187690946267527866880072856272532711620639179596808018872997"), 143 E: 65537, 144 }, 145 D: bigFromString("69322600686866301945688231018559005300304807960033948687567105312977055197015197977971637657636780793670599180105424702854759606794705928621125408040473426339714144598640466128488132656829419518221592374964225347786430566310906679585739468938549035854760501049443920822523780156843263434219450229353270690889"), 146 Primes: []*big.Int{ 147 bigFromString("11405025354575369741595561190164746858706645478381139288033759331174478411254205003127028642766986913445391069745480057674348716675323735886284176682955723"), 148 bigFromString("10937079261204603443118731009201819560867324167189758120988909645641782263430128449826989846631183550578761324239709121189827307416350485191350050332642639"), 149 }, 150} 151 152func TestMarshalRSAPrivateKey(t *testing.T) { 153 priv := &rsa.PrivateKey{ 154 PublicKey: rsa.PublicKey{ 155 N: fromBase10("16346378922382193400538269749936049106320265317511766357599732575277382844051791096569333808598921852351577762718529818072849191122419410612033592401403764925096136759934497687765453905884149505175426053037420486697072448609022753683683718057795566811401938833367954642951433473337066311978821180526439641496973296037000052546108507805269279414789035461158073156772151892452251106173507240488993608650881929629163465099476849643165682709047462010581308719577053905787496296934240246311806555924593059995202856826239801816771116902778517096212527979497399966526283516447337775509777558018145573127308919204297111496233"), 156 E: 3, 157 }, 158 D: fromBase10("10897585948254795600358846499957366070880176878341177571733155050184921896034527397712889205732614568234385175145686545381899460748279607074689061600935843283397424506622998458510302603922766336783617368686090042765718290914099334449154829375179958369993407724946186243249568928237086215759259909861748642124071874879861299389874230489928271621259294894142840428407196932444474088857746123104978617098858619445675532587787023228852383149557470077802718705420275739737958953794088728369933811184572620857678792001136676902250566845618813972833750098806496641114644760255910789397593428910198080271317419213080834885003"), 159 Primes: []*big.Int{ 160 fromBase10("1025363189502892836833747188838978207017355117492483312747347695538428729137306368764177201532277413433182799108299960196606011786562992097313508180436744488171474690412562218914213688661311117337381958560443"), 161 fromBase10("3467903426626310123395340254094941045497208049900750380025518552334536945536837294961497712862519984786362199788654739924501424784631315081391467293694361474867825728031147665777546570788493758372218019373"), 162 fromBase10("4597024781409332673052708605078359346966325141767460991205742124888960305710298765592730135879076084498363772408626791576005136245060321874472727132746643162385746062759369754202494417496879741537284589047"), 163 }, 164 } 165 166 derBytes := MarshalPKCS1PrivateKey(priv) 167 168 priv2, err := ParsePKCS1PrivateKey(derBytes) 169 if err != nil { 170 t.Errorf("error parsing serialized key: %s", err) 171 return 172 } 173 if priv.PublicKey.N.Cmp(priv2.PublicKey.N) != 0 || 174 priv.PublicKey.E != priv2.PublicKey.E || 175 priv.D.Cmp(priv2.D) != 0 || 176 len(priv2.Primes) != 3 || 177 priv.Primes[0].Cmp(priv2.Primes[0]) != 0 || 178 priv.Primes[1].Cmp(priv2.Primes[1]) != 0 || 179 priv.Primes[2].Cmp(priv2.Primes[2]) != 0 { 180 t.Errorf("got:%+v want:%+v", priv, priv2) 181 } 182} 183 184func TestMarshalRSAPublicKey(t *testing.T) { 185 pub := &rsa.PublicKey{ 186 N: fromBase10("16346378922382193400538269749936049106320265317511766357599732575277382844051791096569333808598921852351577762718529818072849191122419410612033592401403764925096136759934497687765453905884149505175426053037420486697072448609022753683683718057795566811401938833367954642951433473337066311978821180526439641496973296037000052546108507805269279414789035461158073156772151892452251106173507240488993608650881929629163465099476849643165682709047462010581308719577053905787496296934240246311806555924593059995202856826239801816771116902778517096212527979497399966526283516447337775509777558018145573127308919204297111496233"), 187 E: 3, 188 } 189 derBytes := MarshalPKCS1PublicKey(pub) 190 pub2, err := ParsePKCS1PublicKey(derBytes) 191 if err != nil { 192 t.Errorf("ParsePKCS1PublicKey: %s", err) 193 } 194 if pub.N.Cmp(pub2.N) != 0 || pub.E != pub2.E { 195 t.Errorf("ParsePKCS1PublicKey = %+v, want %+v", pub, pub2) 196 } 197 198 // It's never been documented that asn1.Marshal/Unmarshal on rsa.PublicKey works, 199 // but it does, and we know of code that depends on it. 200 // Lock that in, even though we'd prefer that people use MarshalPKCS1PublicKey and ParsePKCS1PublicKey. 201 derBytes2, err := asn1.Marshal(*pub) 202 if err != nil { 203 t.Errorf("Marshal(rsa.PublicKey): %v", err) 204 } else if !bytes.Equal(derBytes, derBytes2) { 205 t.Errorf("Marshal(rsa.PublicKey) = %x, want %x", derBytes2, derBytes) 206 } 207 pub3 := new(rsa.PublicKey) 208 rest, err := asn1.Unmarshal(derBytes, pub3) 209 if err != nil { 210 t.Errorf("Unmarshal(rsa.PublicKey): %v", err) 211 } 212 if len(rest) != 0 || pub.N.Cmp(pub3.N) != 0 || pub.E != pub3.E { 213 t.Errorf("Unmarshal(rsa.PublicKey) = %+v, %q want %+v, %q", pub, rest, pub2, []byte(nil)) 214 } 215 216 publicKeys := []struct { 217 derBytes []byte 218 expectedErrSubstr string 219 }{ 220 { 221 derBytes: []byte{ 222 0x30, 6, // SEQUENCE, 6 bytes 223 0x02, 1, // INTEGER, 1 byte 224 17, 225 0x02, 1, // INTEGER, 1 byte 226 3, // 3 227 }, 228 }, { 229 derBytes: []byte{ 230 0x30, 6, // SEQUENCE 231 0x02, 1, // INTEGER, 1 byte 232 0xff, // -1 233 0x02, 1, // INTEGER, 1 byte 234 3, 235 }, 236 expectedErrSubstr: "zero or negative", 237 }, { 238 derBytes: []byte{ 239 0x30, 6, // SEQUENCE 240 0x02, 1, // INTEGER, 1 byte 241 17, 242 0x02, 1, // INTEGER, 1 byte 243 0xff, // -1 244 }, 245 expectedErrSubstr: "zero or negative", 246 }, { 247 derBytes: []byte{ 248 0x30, 6, // SEQUENCE 249 0x02, 1, // INTEGER, 1 byte 250 17, 251 0x02, 1, // INTEGER, 1 byte 252 3, 253 1, 254 }, 255 expectedErrSubstr: "trailing data", 256 }, { 257 derBytes: []byte{ 258 0x30, 9, // SEQUENCE 259 0x02, 1, // INTEGER, 1 byte 260 17, 261 0x02, 4, // INTEGER, 4 bytes 262 0x7f, 0xff, 0xff, 0xff, 263 }, 264 }, { 265 derBytes: []byte{ 266 0x30, 10, // SEQUENCE 267 0x02, 1, // INTEGER, 1 byte 268 17, 269 0x02, 5, // INTEGER, 5 bytes 270 0x00, 0x80, 0x00, 0x00, 0x00, 271 }, 272 // On 64-bit systems, encoding/asn1 will accept the 273 // public exponent, but ParsePKCS1PublicKey will return 274 // an error. On 32-bit systems, encoding/asn1 will 275 // return the error. The common substring of both error 276 // is the word “large”. 277 expectedErrSubstr: "large", 278 }, 279 } 280 281 for i, test := range publicKeys { 282 shouldFail := len(test.expectedErrSubstr) > 0 283 pub, err := ParsePKCS1PublicKey(test.derBytes) 284 if shouldFail { 285 if err == nil { 286 t.Errorf("#%d: unexpected success, got %#v", i, pub) 287 } else if !strings.Contains(err.Error(), test.expectedErrSubstr) { 288 t.Errorf("#%d: expected error containing %q, got %s", i, test.expectedErrSubstr, err) 289 } 290 } else { 291 if err != nil { 292 t.Errorf("#%d: unexpected failure: %s", i, err) 293 continue 294 } 295 reserialized := MarshalPKCS1PublicKey(pub) 296 if !bytes.Equal(reserialized, test.derBytes) { 297 t.Errorf("#%d: failed to reserialize: got %x, expected %x", i, reserialized, test.derBytes) 298 } 299 } 300 } 301} 302 303type matchHostnamesTest struct { 304 pattern, host string 305 ok bool 306} 307 308var matchHostnamesTests = []matchHostnamesTest{ 309 {"a.b.c", "a.b.c", true}, 310 {"a.b.c", "b.b.c", false}, 311 {"", "b.b.c", false}, 312 {"a.b.c", "", false}, 313 {"example.com", "example.com", true}, 314 {"example.com", "www.example.com", false}, 315 {"*.example.com", "example.com", false}, 316 {"*.example.com", "www.example.com", true}, 317 {"*.example.com", "www.example.com.", true}, 318 {"*.example.com", "xyz.www.example.com", false}, 319 {"*.*.example.com", "xyz.www.example.com", false}, 320 {"*.www.*.com", "xyz.www.example.com", false}, 321 {"*bar.example.com", "foobar.example.com", false}, 322 {"f*.example.com", "foobar.example.com", false}, 323 {"", ".", false}, 324 {".", "", false}, 325 {".", ".", false}, 326 {"example.com", "example.com.", true}, 327 {"example.com.", "example.com", true}, 328 {"example.com.", "example.com.", true}, 329 {"*.com.", "example.com.", true}, 330 {"*.com.", "example.com", true}, 331 {"*.com", "example.com", true}, 332 {"*.com", "example.com.", true}, 333} 334 335func TestMatchHostnames(t *testing.T) { 336 for i, test := range matchHostnamesTests { 337 r := matchHostnames(test.pattern, test.host) 338 if r != test.ok { 339 t.Errorf("#%d mismatch got: %t want: %t when matching '%s' against '%s'", i, r, test.ok, test.host, test.pattern) 340 } 341 } 342} 343 344func TestMatchIP(t *testing.T) { 345 // Check that pattern matching is working. 346 c := &Certificate{ 347 DNSNames: []string{"*.foo.bar.baz"}, 348 Subject: pkix.Name{ 349 CommonName: "*.foo.bar.baz", 350 }, 351 } 352 err := c.VerifyHostname("quux.foo.bar.baz") 353 if err != nil { 354 t.Fatalf("VerifyHostname(quux.foo.bar.baz): %v", err) 355 } 356 357 // But check that if we change it to be matching against an IP address, 358 // it is rejected. 359 c = &Certificate{ 360 DNSNames: []string{"*.2.3.4"}, 361 Subject: pkix.Name{ 362 CommonName: "*.2.3.4", 363 }, 364 } 365 err = c.VerifyHostname("1.2.3.4") 366 if err == nil { 367 t.Fatalf("VerifyHostname(1.2.3.4) should have failed, did not") 368 } 369 370 c = &Certificate{ 371 IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}, 372 } 373 err = c.VerifyHostname("127.0.0.1") 374 if err != nil { 375 t.Fatalf("VerifyHostname(127.0.0.1): %v", err) 376 } 377 err = c.VerifyHostname("::1") 378 if err != nil { 379 t.Fatalf("VerifyHostname(::1): %v", err) 380 } 381 err = c.VerifyHostname("[::1]") 382 if err != nil { 383 t.Fatalf("VerifyHostname([::1]): %v", err) 384 } 385} 386 387func TestCertificateParse(t *testing.T) { 388 s, _ := hex.DecodeString(certBytes) 389 certs, err := ParseCertificates(s) 390 if IsFatal(err) { 391 t.Error(err) 392 } 393 if len(certs) != 2 { 394 t.Errorf("Wrong number of certs: got %d want 2", len(certs)) 395 return 396 } 397 398 err = certs[0].CheckSignatureFrom(certs[1]) 399 if err != nil { 400 t.Error(err) 401 } 402 403 if err := certs[0].VerifyHostname("mail.google.com"); err != nil { 404 t.Error(err) 405 } 406 407 const expectedExtensions = 4 408 if n := len(certs[0].Extensions); n != expectedExtensions { 409 t.Errorf("want %d extensions, got %d", expectedExtensions, n) 410 } 411} 412 413func TestMismatchedSignatureAlgorithm(t *testing.T) { 414 der, _ := pem.Decode([]byte(rsaPSSSelfSignedPEM)) 415 if der == nil { 416 t.Fatal("Failed to find PEM block") 417 } 418 419 cert, err := ParseCertificate(der.Bytes) 420 if err != nil { 421 t.Fatal(err) 422 } 423 424 if err = cert.CheckSignature(ECDSAWithSHA256, nil, nil); err == nil { 425 t.Fatal("CheckSignature unexpectedly return no error") 426 } 427 428 const expectedSubstring = " but have public key of type " 429 if !strings.Contains(err.Error(), expectedSubstring) { 430 t.Errorf("Expected error containing %q, but got %q", expectedSubstring, err) 431 } 432} 433 434var certBytes = "308203223082028ba00302010202106edf0d9499fd4533dd1297fc42a93be1300d06092a864886" + 435 "f70d0101050500304c310b3009060355040613025a4131253023060355040a131c546861777465" + 436 "20436f6e73756c74696e67202850747929204c74642e311630140603550403130d546861777465" + 437 "20534743204341301e170d3039303332353136343932395a170d3130303332353136343932395a" + 438 "3069310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630" + 439 "140603550407130d4d6f756e7461696e205669657731133011060355040a130a476f6f676c6520" + 440 "496e63311830160603550403130f6d61696c2e676f6f676c652e636f6d30819f300d06092a8648" + 441 "86f70d010101050003818d0030818902818100c5d6f892fccaf5614b064149e80a2c9581a218ef" + 442 "41ec35bd7a58125ae76f9ea54ddc893abbeb029f6b73616bf0ffd868791fba7af9c4aebf3706ba" + 443 "3eeaeed27435b4ddcfb157c05f351d66aa87fee0de072d66d773affbd36ab78bef090e0cc861a9" + 444 "03ac90dd98b51c9c41566c017f0beec3bff391051ffba0f5cc6850ad2a590203010001a381e730" + 445 "81e430280603551d250421301f06082b0601050507030106082b06010505070302060960864801" + 446 "86f842040130360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e74686177" + 447 "74652e636f6d2f54686177746553474343412e63726c307206082b060105050701010466306430" + 448 "2206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d303e0608" + 449 "2b060105050730028632687474703a2f2f7777772e7468617774652e636f6d2f7265706f736974" + 450 "6f72792f5468617774655f5347435f43412e637274300c0603551d130101ff04023000300d0609" + 451 "2a864886f70d01010505000381810062f1f3050ebc105e497c7aedf87e24d2f4a986bb3b837bd1" + 452 "9b91ebcad98b065992f6bd2b49b7d6d3cb2e427a99d606c7b1d46352527fac39e6a8b6726de5bf" + 453 "70212a52cba07634a5e332011bd1868e78eb5e3c93cf03072276786f207494feaa0ed9d53b2110" + 454 "a76571f90209cdae884385c882587030ee15f33d761e2e45a6bc308203233082028ca003020102" + 455 "020430000002300d06092a864886f70d0101050500305f310b3009060355040613025553311730" + 456 "15060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c61737320" + 457 "33205075626c6963205072696d6172792043657274696669636174696f6e20417574686f726974" + 458 "79301e170d3034303531333030303030305a170d3134303531323233353935395a304c310b3009" + 459 "060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e672028" + 460 "50747929204c74642e311630140603550403130d5468617774652053474320434130819f300d06" + 461 "092a864886f70d010101050003818d0030818902818100d4d367d08d157faecd31fe7d1d91a13f" + 462 "0b713cacccc864fb63fc324b0794bd6f80ba2fe10493c033fc093323e90b742b71c403c6d2cde2" + 463 "2ff50963cdff48a500bfe0e7f388b72d32de9836e60aad007bc4644a3b847503f270927d0e62f5" + 464 "21ab693684317590f8bfc76c881b06957cc9e5a8de75a12c7a68dfd5ca1c875860190203010001" + 465 "a381fe3081fb30120603551d130101ff040830060101ff020100300b0603551d0f040403020106" + 466 "301106096086480186f842010104040302010630280603551d110421301fa41d301b3119301706" + 467 "035504031310507269766174654c6162656c332d313530310603551d1f042a30283026a024a022" + 468 "8620687474703a2f2f63726c2e766572697369676e2e636f6d2f706361332e63726c303206082b" + 469 "0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468" + 470 "617774652e636f6d30340603551d25042d302b06082b0601050507030106082b06010505070302" + 471 "06096086480186f8420401060a6086480186f845010801300d06092a864886f70d010105050003" + 472 "81810055ac63eadea1ddd2905f9f0bce76be13518f93d9052bc81b774bad6950a1eededcfddb07" + 473 "e9e83994dcab72792f06bfab8170c4a8edea5334edef1e53d906c7562bd15cf4d18a8eb42bb137" + 474 "9048084225c53e8acb7feb6f04d16dc574a2f7a27c7b603c77cd0ece48027f012fb69b37e02a2a" + 475 "36dcd585d6ace53f546f961e05af" 476 477var certWithSCTListPEM = ` 478-----BEGIN CERTIFICATE----- 479MIIHkzCCBnugAwIBAgIUHz6ZOwEjk6zhU9v3n2Jo3qeucqYwDQYJKoZIhvcNAQEL 480BQAwSTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHzAd 481BgNVBAMTFlF1b1ZhZGlzIEVWIFNTTCBJQ0EgRzEwHhcNMTcwMjA4MTQxNTU3WhcN 482MTgwMjA4MTQyNTAwWjCByzETMBEGCysGAQQBgjc8AgEDEwJHQjEYMBYGA1UEDwwP 483QnVzaW5lc3MgRW50aXR5MREwDwYDVQQFEwhTQzA5NTAwMDELMAkGA1UEBhMCR0Ix 484EjAQBgNVBAgMCUVkaW5idXJnaDESMBAGA1UEBwwJRWRpbmJ1cmdoMSEwHwYDVQQK 485DBhMbG95ZHMgQmFua2luZyBHcm91cCBQTEMxEjAQBgNVBAsMCUdST1VQIElUMjEb 486MBkGA1UEAwwSd3d3Lmxsb3lkc2JhbmsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC 487AQ8AMIIBCgKCAQEAyRkzN3UmnYbuIW7V4P5qyF/3iCdJwaw/avb0tpOJTa/svtM2 4889KxtVtgwqAPCSuWgjHh6lx+OzXBOh0cM1+gOvjscIJ7k6J0UKouhxrZ02G6CHiNS 4890P3ztsW1CVYAnEQqnhC+hBSl+Ut7DdcsReOUaUrIbO8T0psfsBnez6VtcLB74Hi0 490y6s2AOwPKG7zRjMcMEylOYyGMrUI4ooGsf7IBzMOdMZpkAMUEe6KZ/8AssZOH7F9 491OacCBcGHwN3qp/AG02+tXGaS9DWCS9/seMWqyhE8YPk+iGV3sFZEueBMxixVObFZ 4920Ezwv3cCel6v2mlA5OweteDI57VG4/7OI45CawIDAQABo4ID7jCCA+owdwYIKwYB 493BQUHAQEEazBpMDgGCCsGAQUFBzAChixodHRwOi8vdHJ1c3QucXVvdmFkaXNnbG9i 494YWwuY29tL3F2ZXZzc2wxLmNydDAtBggrBgEFBQcwAYYhaHR0cDovL2V2Lm9jc3Au 495cXVvdmFkaXNnbG9iYWwuY29tMB0GA1UdDgQWBBSIASoK0Cmqs5B06CJUUzq5nQ6c 496IDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFFVYhs66fHZOmROpD9Nsn8L10zzj 497MFEGA1UdIARKMEgwRgYMKwYBBAG+WAACZAECMDYwNAYIKwYBBQUHAgEWKGh0dHA6 498Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL3JlcG9zaXRvcnkwOwYDVR0fBDQwMjAw 499oC6gLIYqaHR0cDovL2NybC5xdW92YWRpc2dsb2JhbC5jb20vcXZldnNzbDEuY3Js 500MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw 501gd8GA1UdEQSB1zCB1IISd3d3Lmxsb3lkc2JhbmsuY29tghRzdGF0aWMuaGFsaWZh 502eC5jby51a4IUd3d3Lmxsb3lkc2JhbmsuY28udWuCFGltYWdlcy5oYWxpZmF4LmNv 503LnVrghh3d3cuYmFua29mc2NvdGxhbmQuY28udWuCD3d3dy5oYWxpZmF4LmNvbYIT 504d3d3Lmxsb3lkc3RzYi5jby51a4IRd3d3Lmxsb3lkc3RzYi5jb22CEXd3dy5oYWxp 505ZmF4LmNvLnVrghZ3d3cuYmFua29mc2NvdGxhbmQuY29tMIIBfgYKKwYBBAHWeQIE 506AgSCAW4EggFqAWgAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAA 507AVoeHdwIAAAEAwBHMEUCIQD3fh/6Cp3I44poKfhA7IkhjInvl8qC9JkooycB7NfE 508lgIgMihc8F0Ap1gIU7WUCxWgV0nUxeWp34mp+g0IPnNJ1KcAdgCkuQmQtBhYFIe7 509E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAVoeHdwaAAAEAwBHMEUCIA45u9pfeirN 510Hn8K0xHDCUfCihQSFJo0YYmFxYEgO8GEAiEAwDXdmIkkv3lJ1td+RjTzXMBIjp9R 5113Ii1GumOGKe8IqcAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAA 512AVoeHdxAAAAEAwBHMEUCIEfe5grRiTvaHZJ4e4glbGftZ87n1pQf2lVeyBMUq0Xa 513AiEA/+W+qCcVd3hHVaYJryO67SYCbUBinU5/6je8eDLOEM4wDQYJKoZIhvcNAQEL 514BQADggEBADGdRf8XpQRPzxv+NeUr5i4q49JI8M/umbwSEXkHJmaDD4CDiUGkFUNR 515Tte0HDRvjbu5y9xub09MgdMl84qvfjsph54rUVK7LWVphi6CC21XbRP5gEwKBeA2 516wAZU1IhhWBy6DaW4CjpTu1Ji3FJqHqKklFrZTMSS+xoqfYbbN96q1mJHQhyDdRlC 517JvNuS1lDM0u3+g/MHNpQM1aGZVKtwpzRABIYhydSJrO14TzWJjbKm1UTnKiwvHbt 518p1ATnYNDZKj3Ec8EASXGTHHoorX0jZpMiNxHv4p4BUinsNFttkhudMGbCfbjjqef 519UfUJESblkeQVpcnndMfnsHSahCVd96k= 520-----END CERTIFICATE----- 521` 522 523// The cert above contains the following SCTs, each of which is a TLS-encoded 524// SignedCertificateTimestamp structure from RFC6962 s3.2. 525/* 526 struct { 527 Version sct_version; 528 LogID id; 529 uint64 timestamp; 530 CtExtensions extensions; 531 digitally-signed struct { 532 Version sct_version; 533 SignatureType signature_type = certificate_timestamp; 534 uint64 timestamp; 535 LogEntryType entry_type; 536 select(entry_type) { 537 case x509_entry: ASN.1Cert; 538 case precert_entry: PreCert; 539 } signed_entry; 540 CtExtensions extensions; 541 }; 542 } SignedCertificateTimestamp; 543*/ 544 545var wantSCTs = []string{ 546 ("00" + // Version: v1(0) 547 "bbd9dfbc1f8a71b593942397aa927b473857950aab52e81a909664368e1ed185" + // LogID: Google Skydiver 548 "0000015a1e1ddc08" + // Timestamp 549 "0000" + // No Extensions 550 ("04" + "03" + // SHA-256, ECDSA 551 ("0047" + 552 "3045022100f77e1ffa0a9dc8e38a6829f840ec89218c89ef97ca82f49928a32701ecd7c496022032285cf05d00a7580853b5940b15a05749d4c5e5a9df89a9fa0d083e7349d4a7"))), 553 554 ("00" + // Version: v1(0) 555 "a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8e377cd0ec80ddc10" + // LogID: Google Pilot 556 "0000015a1e1ddc1a" + 557 "0000" + // No Extensions 558 ("04" + "03" + // SHA-256, ECDSA 559 ("0047" + 560 "304502200e39bbda5f7a2acd1e7f0ad311c30947c28a1412149a34618985c581203bc184022100c035dd988924bf7949d6d77e4634f35cc0488e9f51dc88b51ae98e18a7bc22a7"))), 561 ("00" + // Version: v1(0) 562 "5614069a2fd7c2ecd3f5e1bd44b23ec74676b9bc99115cc0ef949855d689d0dd" + // LogID: Digicert Log Server 563 "0000015a1e1ddc40" + // Timestamp 564 "0000" + // No Extensions 565 ("04" + "03" + // SHA-256, ECDSA 566 ("0047" + 567 "3045022047dee60ad1893bda1d92787b88256c67ed67cee7d6941fda555ec81314ab45da022100ffe5bea8271577784755a609af23baed26026d40629d4e7fea37bc7832ce10ce"))), 568} 569 570func TestParseCertificateSCTs(t *testing.T) { 571 pemBlock, _ := pem.Decode([]byte(certWithSCTListPEM)) 572 cert, err := ParseCertificate(pemBlock.Bytes) 573 if err != nil { 574 t.Fatalf("ParseCertificate()=_,%v; want _, nil", err) 575 } 576 if len(cert.RawSCT) == 0 { 577 t.Errorf("len(cert.RawSCT)=0, want >0") 578 } 579 for i, got := range cert.SCTList.SCTList { 580 want, _ := hex.DecodeString(wantSCTs[i]) 581 if !bytes.Equal(got.Val, want) { 582 t.Errorf("SCT[%d]=%x; want %x", i, got.Val, want) 583 } 584 } 585} 586 587func parseCIDR(s string) *net.IPNet { 588 _, net, err := net.ParseCIDR(s) 589 if err != nil { 590 panic(err) 591 } 592 return net 593} 594 595func parseURI(s string) *url.URL { 596 uri, err := url.Parse(s) 597 if err != nil { 598 panic(err) 599 } 600 return uri 601} 602 603func TestCreateSelfSignedCertificate(t *testing.T) { 604 random := rand.Reader 605 606 ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 607 if err != nil { 608 t.Fatalf("Failed to generate ECDSA key: %s", err) 609 } 610 611 tests := []struct { 612 name string 613 pub, priv interface{} 614 checkSig bool 615 sigAlgo SignatureAlgorithm 616 }{ 617 {"RSA/RSA", &testPrivateKey.PublicKey, testPrivateKey, true, SHA1WithRSA}, 618 {"RSA/ECDSA", &testPrivateKey.PublicKey, ecdsaPriv, false, ECDSAWithSHA384}, 619 {"ECDSA/RSA", &ecdsaPriv.PublicKey, testPrivateKey, false, SHA256WithRSA}, 620 {"ECDSA/ECDSA", &ecdsaPriv.PublicKey, ecdsaPriv, true, ECDSAWithSHA1}, 621 {"RSAPSS/RSAPSS", &testPrivateKey.PublicKey, testPrivateKey, true, SHA256WithRSAPSS}, 622 {"ECDSA/RSAPSS", &ecdsaPriv.PublicKey, testPrivateKey, false, SHA256WithRSAPSS}, 623 {"RSAPSS/ECDSA", &testPrivateKey.PublicKey, ecdsaPriv, false, ECDSAWithSHA384}, 624 } 625 626 testExtKeyUsage := []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageServerAuth} 627 testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}} 628 extraExtensionData := []byte("extra extension") 629 630 for _, test := range tests { 631 commonName := "test.example.com" 632 template := Certificate{ 633 // SerialNumber is negative to ensure that negative 634 // values are parsed. This is due to the prevalence of 635 // buggy code that produces certificates with negative 636 // serial numbers. 637 SerialNumber: big.NewInt(-1), 638 Subject: pkix.Name{ 639 CommonName: commonName, 640 Organization: []string{"Σ Acme Co"}, 641 Country: []string{"US"}, 642 ExtraNames: []pkix.AttributeTypeAndValue{ 643 { 644 Type: []int{2, 5, 4, 42}, 645 Value: "Gopher", 646 }, 647 // This should override the Country, above. 648 { 649 Type: []int{2, 5, 4, 6}, 650 Value: "NL", 651 }, 652 }, 653 }, 654 NotBefore: time.Unix(1000, 0), 655 NotAfter: time.Unix(100000, 0), 656 657 SignatureAlgorithm: test.sigAlgo, 658 659 SubjectKeyId: []byte{1, 2, 3, 4}, 660 KeyUsage: KeyUsageCertSign, 661 662 ExtKeyUsage: testExtKeyUsage, 663 UnknownExtKeyUsage: testUnknownExtKeyUsage, 664 665 BasicConstraintsValid: true, 666 IsCA: true, 667 668 OCSPServer: []string{"http://ocsp.example.com"}, 669 IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"}, 670 671 DNSNames: []string{"test.example.com"}, 672 EmailAddresses: []string{"gopher@golang.org"}, 673 IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")}, 674 URIs: []*url.URL{parseURI("https://foo.com/wibble#foo")}, 675 676 PolicyIdentifiers: []asn1.ObjectIdentifier{[]int{1, 2, 3}}, 677 PermittedDNSDomains: []string{".example.com", "example.com"}, 678 ExcludedDNSDomains: []string{"bar.example.com"}, 679 PermittedIPRanges: []*net.IPNet{parseCIDR("192.168.1.1/16"), parseCIDR("1.2.3.4/8")}, 680 ExcludedIPRanges: []*net.IPNet{parseCIDR("2001:db8::/48")}, 681 PermittedEmailAddresses: []string{"foo@example.com"}, 682 ExcludedEmailAddresses: []string{".example.com", "example.com"}, 683 PermittedURIDomains: []string{".bar.com", "bar.com"}, 684 ExcludedURIDomains: []string{".bar2.com", "bar2.com"}, 685 686 CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"}, 687 688 RawSCT: []byte{0xde, 0xad}, // Ignored because SCTList provided. 689 SCTList: SignedCertificateTimestampList{ 690 SCTList: []SerializedSCT{ 691 {Val: []byte{0x01, 0x02, 0x03}}, 692 {Val: []byte{0x04, 0x05, 0x06}}, 693 }, 694 }, 695 696 ExtraExtensions: []pkix.Extension{ 697 { 698 Id: []int{1, 2, 3, 4}, 699 Value: extraExtensionData, 700 }, 701 // This extension should override the SubjectKeyId, above. 702 { 703 Id: OIDExtensionSubjectKeyId, 704 Critical: false, 705 Value: []byte{0x04, 0x04, 4, 3, 2, 1}, 706 }, 707 }, 708 } 709 710 derBytes, err := CreateCertificate(random, &template, &template, test.pub, test.priv) 711 if err != nil { 712 t.Errorf("%s: failed to create certificate: %s", test.name, err) 713 continue 714 } 715 716 cert, err := ParseCertificate(derBytes) 717 if err != nil { 718 t.Errorf("%s: failed to parse certificate: %s", test.name, err) 719 continue 720 } 721 722 if len(cert.PolicyIdentifiers) != 1 || !cert.PolicyIdentifiers[0].Equal(template.PolicyIdentifiers[0]) { 723 t.Errorf("%s: failed to parse policy identifiers: got:%#v want:%#v", test.name, cert.PolicyIdentifiers, template.PolicyIdentifiers) 724 } 725 726 if len(cert.PermittedDNSDomains) != 2 || cert.PermittedDNSDomains[0] != ".example.com" || cert.PermittedDNSDomains[1] != "example.com" { 727 t.Errorf("%s: failed to parse name constraints: %#v", test.name, cert.PermittedDNSDomains) 728 } 729 730 if len(cert.ExcludedDNSDomains) != 1 || cert.ExcludedDNSDomains[0] != "bar.example.com" { 731 t.Errorf("%s: failed to parse name constraint exclusions: %#v", test.name, cert.ExcludedDNSDomains) 732 } 733 734 if len(cert.PermittedIPRanges) != 2 || cert.PermittedIPRanges[0].String() != "192.168.0.0/16" || cert.PermittedIPRanges[1].String() != "1.0.0.0/8" { 735 t.Errorf("%s: failed to parse IP constraints: %#v", test.name, cert.PermittedIPRanges) 736 } 737 738 if len(cert.ExcludedIPRanges) != 1 || cert.ExcludedIPRanges[0].String() != "2001:db8::/48" { 739 t.Errorf("%s: failed to parse IP constraint exclusions: %#v", test.name, cert.ExcludedIPRanges) 740 } 741 742 if len(cert.PermittedEmailAddresses) != 1 || cert.PermittedEmailAddresses[0] != "foo@example.com" { 743 t.Errorf("%s: failed to parse permitted email addreses: %#v", test.name, cert.PermittedEmailAddresses) 744 } 745 746 if len(cert.ExcludedEmailAddresses) != 2 || cert.ExcludedEmailAddresses[0] != ".example.com" || cert.ExcludedEmailAddresses[1] != "example.com" { 747 t.Errorf("%s: failed to parse excluded email addreses: %#v", test.name, cert.ExcludedEmailAddresses) 748 } 749 750 if len(cert.PermittedURIDomains) != 2 || cert.PermittedURIDomains[0] != ".bar.com" || cert.PermittedURIDomains[1] != "bar.com" { 751 t.Errorf("%s: failed to parse permitted URIs: %#v", test.name, cert.PermittedURIDomains) 752 } 753 754 if len(cert.ExcludedURIDomains) != 2 || cert.ExcludedURIDomains[0] != ".bar2.com" || cert.ExcludedURIDomains[1] != "bar2.com" { 755 t.Errorf("%s: failed to parse excluded URIs: %#v", test.name, cert.ExcludedURIDomains) 756 } 757 758 if cert.Subject.CommonName != commonName { 759 t.Errorf("%s: subject wasn't correctly copied from the template. Got %s, want %s", test.name, cert.Subject.CommonName, commonName) 760 } 761 762 if len(cert.Subject.Country) != 1 || cert.Subject.Country[0] != "NL" { 763 t.Errorf("%s: ExtraNames didn't override Country", test.name) 764 } 765 766 for _, ext := range cert.Extensions { 767 if ext.Id.Equal(OIDExtensionSubjectAltName) { 768 if ext.Critical { 769 t.Fatal("SAN extension is marked critical") 770 } 771 } 772 } 773 774 found := false 775 for _, atv := range cert.Subject.Names { 776 if atv.Type.Equal([]int{2, 5, 4, 42}) { 777 found = true 778 break 779 } 780 } 781 if !found { 782 t.Errorf("%s: Names didn't contain oid 2.5.4.42 from ExtraNames", test.name) 783 } 784 785 if cert.Issuer.CommonName != commonName { 786 t.Errorf("%s: issuer wasn't correctly copied from the template. Got %s, want %s", test.name, cert.Issuer.CommonName, commonName) 787 } 788 789 if cert.SignatureAlgorithm != test.sigAlgo { 790 t.Errorf("%s: SignatureAlgorithm wasn't copied from template. Got %v, want %v", test.name, cert.SignatureAlgorithm, test.sigAlgo) 791 } 792 793 if !reflect.DeepEqual(cert.ExtKeyUsage, testExtKeyUsage) { 794 t.Errorf("%s: extkeyusage wasn't correctly copied from the template. Got %v, want %v", test.name, cert.ExtKeyUsage, testExtKeyUsage) 795 } 796 797 if !reflect.DeepEqual(cert.UnknownExtKeyUsage, testUnknownExtKeyUsage) { 798 t.Errorf("%s: unknown extkeyusage wasn't correctly copied from the template. Got %v, want %v", test.name, cert.UnknownExtKeyUsage, testUnknownExtKeyUsage) 799 } 800 801 if !reflect.DeepEqual(cert.OCSPServer, template.OCSPServer) { 802 t.Errorf("%s: OCSP servers differ from template. Got %v, want %v", test.name, cert.OCSPServer, template.OCSPServer) 803 } 804 805 if !reflect.DeepEqual(cert.IssuingCertificateURL, template.IssuingCertificateURL) { 806 t.Errorf("%s: Issuing certificate URLs differ from template. Got %v, want %v", test.name, cert.IssuingCertificateURL, template.IssuingCertificateURL) 807 } 808 809 if !reflect.DeepEqual(cert.DNSNames, template.DNSNames) { 810 t.Errorf("%s: SAN DNS names differ from template. Got %v, want %v", test.name, cert.DNSNames, template.DNSNames) 811 } 812 813 if !reflect.DeepEqual(cert.EmailAddresses, template.EmailAddresses) { 814 t.Errorf("%s: SAN emails differ from template. Got %v, want %v", test.name, cert.EmailAddresses, template.EmailAddresses) 815 } 816 817 if len(cert.URIs) != 1 || cert.URIs[0].String() != "https://foo.com/wibble#foo" { 818 t.Errorf("%s: URIs differ from template. Got %v, want %v", test.name, cert.URIs, template.URIs) 819 } 820 821 if !reflect.DeepEqual(cert.IPAddresses, template.IPAddresses) { 822 t.Errorf("%s: SAN IPs differ from template. Got %v, want %v", test.name, cert.IPAddresses, template.IPAddresses) 823 } 824 825 if !reflect.DeepEqual(cert.CRLDistributionPoints, template.CRLDistributionPoints) { 826 t.Errorf("%s: CRL distribution points differ from template. Got %v, want %v", test.name, cert.CRLDistributionPoints, template.CRLDistributionPoints) 827 } 828 829 if !reflect.DeepEqual(cert.SCTList, template.SCTList) { 830 t.Errorf("%s: SCTList differs from template. Got %v, want %v", test.name, cert.SCTList, template.SCTList) 831 } 832 833 if !bytes.Equal(cert.SubjectKeyId, []byte{4, 3, 2, 1}) { 834 t.Errorf("%s: ExtraExtensions didn't override SubjectKeyId", test.name) 835 } 836 837 if !bytes.Contains(derBytes, extraExtensionData) { 838 t.Errorf("%s: didn't find extra extension in DER output", test.name) 839 } 840 841 if test.checkSig { 842 err = cert.CheckSignatureFrom(cert) 843 if err != nil { 844 t.Errorf("%s: signature verification failed: %s", test.name, err) 845 } 846 } 847 } 848} 849 850// Self-signed certificate using ECDSA with SHA1 & secp256r1 851var ecdsaSHA1CertPem = ` 852-----BEGIN CERTIFICATE----- 853MIICDjCCAbUCCQDF6SfN0nsnrjAJBgcqhkjOPQQBMIGPMQswCQYDVQQGEwJVUzET 854MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEVMBMG 855A1UECgwMR29vZ2xlLCBJbmMuMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG 856CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIwMjAyMDUw 857WhcNMjIwNTE4MjAyMDUwWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm 858b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFTATBgNVBAoMDEdvb2dsZSwg 859SW5jLjEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGdv 860bGFuZy1kZXZAZ21haWwuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/Wgn 861WQDo5+bz71T0327ERgd5SDDXFbXLpzIZDXTkjpe8QTEbsF+ezsQfrekrpDPC4Cd3 862P9LY0tG+aI8IyVKdUjAJBgcqhkjOPQQBA0gAMEUCIGlsqMcRqWVIWTD6wXwe6Jk2 863DKxL46r/FLgJYnzBEH99AiEA3fBouObsvV1R3oVkb4BQYnD4/4LeId6lAT43YvyV 864a/A= 865-----END CERTIFICATE----- 866` 867 868// Self-signed certificate using ECDSA with SHA256 & secp256r1 869var ecdsaSHA256p256CertPem = ` 870-----BEGIN CERTIFICATE----- 871MIICDzCCAbYCCQDlsuMWvgQzhTAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMx 872EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFTAT 873BgNVBAoMDEdvb2dsZSwgSW5jLjEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20xIzAh 874BgkqhkiG9w0BCQEWFGdvbGFuZy1kZXZAZ21haWwuY29tMB4XDTEyMDUyMTAwMTkx 875NloXDTIyMDUxOTAwMTkxNlowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp 876Zm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRUwEwYDVQQKDAxHb29nbGUs 877IEluYy4xFzAVBgNVBAMMDnd3dy5nb29nbGUuY29tMSMwIQYJKoZIhvcNAQkBFhRn 878b2xhbmctZGV2QGdtYWlsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPMt 8792ErhxAty5EJRu9yM+MTy+hUXm3pdW1ensAv382KoGExSXAFWP7pjJnNtHO+XSwVm 880YNtqjcAGFKpweoN//kQwCgYIKoZIzj0EAwIDRwAwRAIgIYSaUA/IB81gjbIw/hUV 88170twxJr5EcgOo0hLp3Jm+EYCIFDO3NNcgmURbJ1kfoS3N/0O+irUtoPw38YoNkqJ 882h5wi 883-----END CERTIFICATE----- 884` 885 886// Self-signed certificate using ECDSA with SHA256 & secp384r1 887var ecdsaSHA256p384CertPem = ` 888-----BEGIN CERTIFICATE----- 889MIICSjCCAdECCQDje/no7mXkVzAKBggqhkjOPQQDAjCBjjELMAkGA1UEBhMCVVMx 890EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS 891BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG 892CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMDYxMDM0 893WhcNMjIwNTE5MDYxMDM0WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm 894b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg 895SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s 896YW5nLWRldkBnbWFpbC5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARRuzRNIKRK 897jIktEmXanNmrTR/q/FaHXLhWRZ6nHWe26Fw7Rsrbk+VjGy4vfWtNn7xSFKrOu5ze 898qxKnmE0h5E480MNgrUiRkaGO2GMJJVmxx20aqkXOk59U8yGA4CghE6MwCgYIKoZI 899zj0EAwIDZwAwZAIwBZEN8gvmRmfeP/9C1PRLzODIY4JqWub2PLRT4mv9GU+yw3Gr 900PU9A3CHMdEcdw/MEAjBBO1lId8KOCh9UZunsSMfqXiVurpzmhWd6VYZ/32G+M+Mh 9013yILeYQzllt/g0rKVRk= 902-----END CERTIFICATE----- 903` 904 905// Self-signed certificate using ECDSA with SHA384 & secp521r1 906var ecdsaSHA384p521CertPem = ` 907-----BEGIN CERTIFICATE----- 908MIICljCCAfcCCQDhp1AFD/ahKjAKBggqhkjOPQQDAzCBjjELMAkGA1UEBhMCVVMx 909EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS 910BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG 911CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMTUwNDI5 912WhcNMjIwNTE5MTUwNDI5WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm 913b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg 914SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s 915YW5nLWRldkBnbWFpbC5jb20wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACqx9Rv 916IssRs1LWYcNN+WffwlHw4Tv3y8/LIAA9MF1ZScIonU9nRMxt4a2uGJVCPDw6JHpz 917PaYc0E9puLoE9AfKpwFr59Jkot7dBg55SKPEFkddoip/rvmN7NPAWjMBirOwjOkm 9188FPthvPhGPqsu9AvgVuHu3PosWiHGNrhh379pva8MzAKBggqhkjOPQQDAwOBjAAw 919gYgCQgEHNmswkUdPpHqrVxp9PvLVl+xxPuHBkT+75z9JizyxtqykHQo9Uh6SWCYH 920BF9KLolo01wMt8DjoYP5Fb3j5MH7xwJCAbWZzTOp4l4DPkIvAh4LeC4VWbwPPyqh 921kBg71w/iEcSY3wUKgHGcJJrObZw7wys91I5kENljqw/Samdr3ka+jBJa 922-----END CERTIFICATE----- 923` 924 925var ecdsaTests = []struct { 926 sigAlgo SignatureAlgorithm 927 pemCert string 928}{ 929 {ECDSAWithSHA1, ecdsaSHA1CertPem}, 930 {ECDSAWithSHA256, ecdsaSHA256p256CertPem}, 931 {ECDSAWithSHA256, ecdsaSHA256p384CertPem}, 932 {ECDSAWithSHA384, ecdsaSHA384p521CertPem}, 933} 934 935func TestECDSA(t *testing.T) { 936 for i, test := range ecdsaTests { 937 pemBlock, _ := pem.Decode([]byte(test.pemCert)) 938 cert, err := ParseCertificate(pemBlock.Bytes) 939 if err != nil { 940 t.Errorf("%d: failed to parse certificate: %s", i, err) 941 continue 942 } 943 if sa := cert.SignatureAlgorithm; sa != test.sigAlgo { 944 t.Errorf("%d: signature algorithm is %v, want %v", i, sa, test.sigAlgo) 945 } 946 if parsedKey, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok { 947 t.Errorf("%d: wanted an ECDSA public key but found: %#v", i, parsedKey) 948 } 949 if pka := cert.PublicKeyAlgorithm; pka != ECDSA { 950 t.Errorf("%d: public key algorithm is %v, want ECDSA", i, pka) 951 } 952 if err = cert.CheckSignatureFrom(cert); err != nil { 953 t.Errorf("%d: certificate verification failed: %s", i, err) 954 } 955 } 956} 957 958// Self-signed certificate using DSA with SHA1 959var dsaCertPem = `-----BEGIN CERTIFICATE----- 960MIIEDTCCA82gAwIBAgIJALHPghaoxeDhMAkGByqGSM44BAMweTELMAkGA1UEBhMC 961VVMxCzAJBgNVBAgTAk5DMQ8wDQYDVQQHEwZOZXd0b24xFDASBgNVBAoTC0dvb2ds 962ZSwgSW5jMRIwEAYDVQQDEwlKb24gQWxsaWUxIjAgBgkqhkiG9w0BCQEWE2pvbmFs 963bGllQGdvb2dsZS5jb20wHhcNMTEwNTE0MDMwMTQ1WhcNMTEwNjEzMDMwMTQ1WjB5 964MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkMxDzANBgNVBAcTBk5ld3RvbjEUMBIG 965A1UEChMLR29vZ2xlLCBJbmMxEjAQBgNVBAMTCUpvbiBBbGxpZTEiMCAGCSqGSIb3 966DQEJARYTam9uYWxsaWVAZ29vZ2xlLmNvbTCCAbcwggEsBgcqhkjOOAQBMIIBHwKB 967gQC8hLUnQ7FpFYu4WXTj6DKvXvz8QrJkNJCVMTpKAT7uBpobk32S5RrPKXocd4gN 9688lyGB9ggS03EVlEwXvSmO0DH2MQtke2jl9j1HLydClMf4sbx5V6TV9IFw505U1iW 969jL7awRMgxge+FsudtJK254FjMFo03ZnOQ8ZJJ9E6AEDrlwIVAJpnBn9moyP11Ox5 970Asc/5dnjb6dPAoGBAJFHd4KVv1iTVCvEG6gGiYop5DJh28hUQcN9kul+2A0yPUSC 971X93oN00P8Vh3eYgSaCWZsha7zDG53MrVJ0Zf6v/X/CoZNhLldeNOepivTRAzn+Rz 972kKUYy5l1sxYLHQKF0UGNCXfFKZT0PCmgU+PWhYNBBMn6/cIh44vp85ideo5CA4GE 973AAKBgFmifCafzeRaohYKXJgMGSEaggCVCRq5xdyDCat+wbOkjC4mfG01/um3G8u5 974LxasjlWRKTR/tcAL7t0QuokVyQaYdVypZXNaMtx1db7YBuHjj3aP+8JOQRI9xz8c 975bp5NDJ5pISiFOv4p3GZfqZPcqckDt78AtkQrmnal2txhhjF6o4HeMIHbMB0GA1Ud 976DgQWBBQVyyr7hO11ZFFpWX50298Sa3V+rzCBqwYDVR0jBIGjMIGggBQVyyr7hO11 977ZFFpWX50298Sa3V+r6F9pHsweTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMQ8w 978DQYDVQQHEwZOZXd0b24xFDASBgNVBAoTC0dvb2dsZSwgSW5jMRIwEAYDVQQDEwlK 979b24gQWxsaWUxIjAgBgkqhkiG9w0BCQEWE2pvbmFsbGllQGdvb2dsZS5jb22CCQCx 980z4IWqMXg4TAMBgNVHRMEBTADAQH/MAkGByqGSM44BAMDLwAwLAIUPtn/5j8Q1jJI 9817ggOIsgrhgUdjGQCFCsmDq1H11q9+9Wp9IMeGrTSKHIM 982-----END CERTIFICATE----- 983` 984 985func TestParseCertificateWithDsaPublicKey(t *testing.T) { 986 expectedKey := &dsa.PublicKey{ 987 Parameters: dsa.Parameters{ 988 P: bigFromHexString("00BC84B52743B169158BB85974E3E832AF5EFCFC42B264349095313A4A013EEE069A1B937D92E51ACF297A1C77880DF25C8607D8204B4DC45651305EF4A63B40C7D8C42D91EDA397D8F51CBC9D0A531FE2C6F1E55E9357D205C39D395358968CBEDAC11320C607BE16CB9DB492B6E78163305A34DD99CE43C64927D13A0040EB97"), 989 Q: bigFromHexString("009A67067F66A323F5D4EC7902C73FE5D9E36FA74F"), 990 G: bigFromHexString("009147778295BF5893542BC41BA806898A29E43261DBC85441C37D92E97ED80D323D44825FDDE8374D0FF15877798812682599B216BBCC31B9DCCAD527465FEAFFD7FC2A193612E575E34E7A98AF4D10339FE47390A518CB9975B3160B1D0285D1418D0977C52994F43C29A053E3D685834104C9FAFDC221E38BE9F3989D7A8E42"), 991 }, 992 Y: bigFromHexString("59A27C269FCDE45AA2160A5C980C19211A820095091AB9C5DC8309AB7EC1B3A48C2E267C6D35FEE9B71BCBB92F16AC8E559129347FB5C00BEEDD10BA8915C90698755CA965735A32DC7575BED806E1E38F768FFBC24E41123DC73F1C6E9E4D0C9E692128853AFE29DC665FA993DCA9C903B7BF00B6442B9A76A5DADC6186317A"), 993 } 994 pemBlock, _ := pem.Decode([]byte(dsaCertPem)) 995 cert, err := ParseCertificate(pemBlock.Bytes) 996 if err != nil { 997 t.Fatalf("Failed to parse certificate: %s", err) 998 } 999 if cert.PublicKeyAlgorithm != DSA { 1000 t.Errorf("Parsed key algorithm was not DSA") 1001 } 1002 parsedKey, ok := cert.PublicKey.(*dsa.PublicKey) 1003 if !ok { 1004 t.Fatalf("Parsed key was not a DSA key: %s", err) 1005 } 1006 if expectedKey.Y.Cmp(parsedKey.Y) != 0 || 1007 expectedKey.P.Cmp(parsedKey.P) != 0 || 1008 expectedKey.Q.Cmp(parsedKey.Q) != 0 || 1009 expectedKey.G.Cmp(parsedKey.G) != 0 { 1010 t.Fatal("Parsed key differs from expected key") 1011 } 1012} 1013 1014func TestParseCertificateWithDSASignatureAlgorithm(t *testing.T) { 1015 pemBlock, _ := pem.Decode([]byte(dsaCertPem)) 1016 cert, err := ParseCertificate(pemBlock.Bytes) 1017 if err != nil { 1018 t.Fatalf("Failed to parse certificate: %s", err) 1019 } 1020 if cert.SignatureAlgorithm != DSAWithSHA1 { 1021 t.Errorf("Parsed signature algorithm was not DSAWithSHA1") 1022 } 1023} 1024 1025func TestVerifyCertificateWithDSASignature(t *testing.T) { 1026 pemBlock, _ := pem.Decode([]byte(dsaCertPem)) 1027 cert, err := ParseCertificate(pemBlock.Bytes) 1028 if err != nil { 1029 t.Fatalf("Failed to parse certificate: %s", err) 1030 } 1031 // test cert is self-signed 1032 if err = cert.CheckSignatureFrom(cert); err != nil { 1033 t.Fatalf("DSA Certificate verification failed: %s", err) 1034 } 1035} 1036 1037var rsaPSSSelfSignedPEM = `-----BEGIN CERTIFICATE----- 1038MIIGHjCCA9KgAwIBAgIBdjBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUA 1039oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASAwbjELMAkGA1UEBhMC 1040SlAxHDAaBgNVBAoME0phcGFuZXNlIEdvdmVybm1lbnQxKDAmBgNVBAsMH1RoZSBN 1041aW5pc3RyeSBvZiBGb3JlaWduIEFmZmFpcnMxFzAVBgNVBAMMDmUtcGFzc3BvcnRD 1042U0NBMB4XDTEzMDUxNDA1MDczMFoXDTI5MDUxNDA1MDczMFowbjELMAkGA1UEBhMC 1043SlAxHDAaBgNVBAoME0phcGFuZXNlIEdvdmVybm1lbnQxKDAmBgNVBAsMH1RoZSBN 1044aW5pc3RyeSBvZiBGb3JlaWduIEFmZmFpcnMxFzAVBgNVBAMMDmUtcGFzc3BvcnRD 1045U0NBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx/E3WRVxcCDXhoST 10468nVSLjW6hwM4Ni99AegWzcGtfGFo0zjFA1Cl5URqxauvYu3gQgQHBGA1CovWeGrl 1047yVSRzOL1imcYsSgLOcnhVYB3Xcrof4ebv9+W+TwNdc9YzAwcj8rNd5nP6PKXIQ+W 1048PCkEOXdyb80YEnxuT+NPjkVfFSPBS7QYZpvT2fwy4fZ0eh48253+7VleSmTO0mqj 10497TlzaG56q150SLZbhpOd8jD8bM/wACnLCPR88wj4hCcDLEwoLyY85HJCTIQQMnoT 1050UpqyzEeupPREIm6yi4d8C9YqIWFn2YTnRcWcmMaJLzq+kYwKoudfnoC6RW2vzZXn 1051defQs68IZuK+uALu9G3JWGPgu0CQGj0JNDT8zkiDV++4eNrZczWKjr1YnAL+VbLK 1052bApwL2u19l2WDpfUklimhWfraqHNIUKU6CjZOG31RzXcplIj0mtqs0E1r7r357Es 1053yFoB28iNo4cz1lCulh0E4WJzWzLZcT4ZspHHRCFyvYnXoibXEV1nULq8ByKKG0FS 10547nn4SseoV+8PvjHLPhmHGMvi4mxkbcXdV3wthHT1/HXdqY84A4xHWt1+sB/TpTek 1055tDhFlEfcUygvTu58UtOnysomOVVeERmi7WSujfzKsGJAJYeetiA5R+zX7BxeyFVE 1056qW0zh1Tkwh0S8LRe5diJh4+6FG0CAwEAAaNfMF0wHQYDVR0OBBYEFD+oahaikBTV 1057Urk81Uz7kRS2sx0aMA4GA1UdDwEB/wQEAwIBBjAYBgNVHSAEETAPMA0GCyqDCIaP 1058fgYFAQEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwQQYJKoZIhvcNAQEKMDSgDzANBglg 1059hkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IC 1060AQAaxWBQn5CZuNBfyzL57mn31ukHUFd61OMROSX3PT7oCv1Dy+C2AdRlxOcbN3/n 1061li0yfXUUqiY3COlLAHKRlkr97mLtxEFoJ0R8nVN2IQdChNQM/XSCzSGyY8NVa1OR 1062TTpEWLnexJ9kvIdbFXwUqdTnAkOI0m7Rg8j+E+lRRHg1xDAA1qKttrtUj3HRQWf3 1063kNTu628SiMvap6aIdncburaK56MP7gkR1Wr/ichOfjIA3Jgw2PapI31i0GqeMd66 1064U1+lC9FeyMAJpuSVp/SoiYzYo+79SFcVoM2yw3yAnIKg7q9GLYYqzncdykT6C06c 106515gWFI6igmReAsD9ITSvYh0jLrLHfEYcPTOD3ZXJ4EwwHtWSoO3gq1EAtOYKu/Lv 1066C8zfBsZcFdsHvsSiYeBU8Oioe42mguky3Ax9O7D805Ek6R68ra07MW/G4YxvV7IN 10672BfSaYy8MX9IG0ZMIOcoc0FeF5xkFmJ7kdrlTaJzC0IE9PNxNaH5QnOAFB8vxHcO 1068FioUxb6UKdHcPLR1VZtAdTdTMjSJxUqD/35Cdfqs7oDJXz8f6TXO2Tdy6G++YUs9 1069qsGZWxzFvvkXUkQSl0dQQ5jO/FtUJcAVXVVp20LxPemfatAHpW31WdJYeWSQWky2 1070+f9b5TXKXVyjlUL7uHxowWrT2AtTchDH22wTEtqLEF9Z3Q== 1071-----END CERTIFICATE-----` 1072 1073func TestRSAPSSSelfSigned(t *testing.T) { 1074 der, _ := pem.Decode([]byte(rsaPSSSelfSignedPEM)) 1075 if der == nil { 1076 t.Fatal("Failed to find PEM block") 1077 } 1078 1079 cert, err := ParseCertificate(der.Bytes) 1080 if err != nil { 1081 t.Fatal(err) 1082 } 1083 1084 if err = cert.CheckSignatureFrom(cert); err != nil { 1085 t.Fatal(err) 1086 } 1087} 1088 1089const ( 1090 pemCertificate = `-----BEGIN CERTIFICATE----- 1091MIIDATCCAemgAwIBAgIRAKQkkrFx1T/dgB/Go/xBM5swDQYJKoZIhvcNAQELBQAw 1092EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xNjA4MTcyMDM2MDdaFw0xNzA4MTcyMDM2 1093MDdaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw 1094ggEKAoIBAQDAoJtjG7M6InsWwIo+l3qq9u+g2rKFXNu9/mZ24XQ8XhV6PUR+5HQ4 1095jUFWC58ExYhottqK5zQtKGkw5NuhjowFUgWB/VlNGAUBHtJcWR/062wYrHBYRxJH 1096qVXOpYKbIWwFKoXu3hcpg/CkdOlDWGKoZKBCwQwUBhWE7MDhpVdQ+ZljUJWL+FlK 1097yQK5iRsJd5TGJ6VUzLzdT4fmN2DzeK6GLeyMpVpU3sWV90JJbxWQ4YrzkKzYhMmB 1098EcpXTG2wm+ujiHU/k2p8zlf8Sm7VBM/scmnMFt0ynNXop4FWvJzEm1G0xD2t+e2I 10995Utr04dOZPCgkm++QJgYhtZvgW7ZZiGTAgMBAAGjUjBQMA4GA1UdDwEB/wQEAwIF 1100oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBsGA1UdEQQUMBKC 1101EHRlc3QuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBADpqKQxrthH5InC7 1102X96UP0OJCu/lLEMkrjoEWYIQaFl7uLPxKH5AmQPH4lYwF7u7gksR7owVG9QU9fs6 11031fK7II9CVgCd/4tZ0zm98FmU4D0lHGtPARrrzoZaqVZcAvRnFTlPX5pFkPhVjjai 1104/mkxX9LpD8oK1445DFHxK5UjLMmPIIWd8EOi+v5a+hgGwnJpoW7hntSl8kHMtTmy 1105fnnktsblSUV4lRCit0ymC7Ojhe+gzCCwkgs5kDzVVag+tnl/0e2DloIjASwOhpbH 1106KVcg7fBd484ht/sS+l0dsB4KDOSpd8JzVDMF8OZqlaydizoJO0yWr9GbCN1+OKq5 1107EhLrEqU= 1108-----END CERTIFICATE-----` 1109 pemPrecertificate = `-----BEGIN CERTIFICATE----- 1110MIIC3zCCAkigAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk 1111MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX 1112YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw 1113MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu 1114c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G 1115CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/ 1116BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk 1117EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw 1118FAn/Xdh+tQIDAQABo4HBMIG+MB0GA1UdDgQWBBQgMVQa8lwF/9hli2hDeU9ekDb3 1119tDB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkGA1UE 1120BhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEOMAwG 1121A1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwCQYDVR0TBAIwADATBgor 1122BgEEAdZ5AgQDAQH/BAIFADANBgkqhkiG9w0BAQUFAAOBgQACocOeAVr1Tf8CPDNg 1123h1//NDdVLx8JAb3CVDFfM3K3I/sV+87MTfRxoM5NjFRlXYSHl/soHj36u0YtLGhL 1124BW/qe2O0cP8WbjLURgY1s9K8bagkmyYw5x/DTwjyPdTuIo+PdPY9eGMR3QpYEUBf 1125kGzKLC0+6/yBmWTr2M98CIY/vg== 1126-----END CERTIFICATE-----` 1127) 1128 1129func TestIsPrecertificate(t *testing.T) { 1130 tests := []struct { 1131 desc string 1132 certPEM string 1133 want bool 1134 }{ 1135 { 1136 desc: "certificate", 1137 certPEM: pemCertificate, 1138 want: false, 1139 }, 1140 { 1141 desc: "precertificate", 1142 certPEM: pemPrecertificate, 1143 want: true, 1144 }, 1145 { 1146 desc: "nil", 1147 certPEM: "", 1148 want: false, 1149 }, 1150 } 1151 1152 for _, test := range tests { 1153 var cert *Certificate 1154 if test.certPEM != "" { 1155 var err error 1156 cert, err = certificateFromPEM(test.certPEM) 1157 if err != nil { 1158 t.Errorf("%s: error parsing certificate: %s", test.desc, err) 1159 continue 1160 } 1161 } 1162 if got := cert.IsPrecertificate(); got != test.want { 1163 t.Errorf("%s: c.IsPrecertificate() = %t, want %t", test.desc, got, test.want) 1164 } 1165 } 1166} 1167 1168func TestCRLCreation(t *testing.T) { 1169 block, _ := pem.Decode([]byte(pemPrivateKey)) 1170 priv, _ := ParsePKCS1PrivateKey(block.Bytes) 1171 block, _ = pem.Decode([]byte(pemCertificate)) 1172 cert, _ := ParseCertificate(block.Bytes) 1173 1174 loc := time.FixedZone("Oz/Atlantis", int((2 * time.Hour).Seconds())) 1175 1176 now := time.Unix(1000, 0).In(loc) 1177 nowUTC := now.UTC() 1178 expiry := time.Unix(10000, 0) 1179 1180 revokedCerts := []pkix.RevokedCertificate{ 1181 { 1182 SerialNumber: big.NewInt(1), 1183 RevocationTime: nowUTC, 1184 }, 1185 { 1186 SerialNumber: big.NewInt(42), 1187 // RevocationTime should be converted to UTC before marshaling. 1188 RevocationTime: now, 1189 }, 1190 } 1191 expectedCerts := []pkix.RevokedCertificate{ 1192 { 1193 SerialNumber: big.NewInt(1), 1194 RevocationTime: nowUTC, 1195 }, 1196 { 1197 SerialNumber: big.NewInt(42), 1198 RevocationTime: nowUTC, 1199 }, 1200 } 1201 1202 crlBytes, err := cert.CreateCRL(rand.Reader, priv, revokedCerts, now, expiry) 1203 if err != nil { 1204 t.Errorf("error creating CRL: %s", err) 1205 } 1206 1207 parsedCRL, err := ParseDERCRL(crlBytes) 1208 if err != nil { 1209 t.Errorf("error reparsing CRL: %s", err) 1210 } 1211 if !reflect.DeepEqual(parsedCRL.TBSCertList.RevokedCertificates, expectedCerts) { 1212 t.Errorf("RevokedCertificates mismatch: got %v; want %v.", 1213 parsedCRL.TBSCertList.RevokedCertificates, expectedCerts) 1214 } 1215} 1216 1217func fromBase64(in string) []byte { 1218 out := make([]byte, base64.StdEncoding.DecodedLen(len(in))) 1219 n, err := base64.StdEncoding.Decode(out, []byte(in)) 1220 if err != nil { 1221 panic("failed to base64 decode") 1222 } 1223 return out[:n] 1224} 1225 1226func TestParseDERCRL(t *testing.T) { 1227 derBytes := fromBase64(derCRLBase64) 1228 certList, err := ParseDERCRL(derBytes) 1229 if err != nil { 1230 t.Errorf("error parsing: %s", err) 1231 return 1232 } 1233 numCerts := len(certList.TBSCertList.RevokedCertificates) 1234 expected := 88 1235 if numCerts != expected { 1236 t.Errorf("bad number of revoked certificates. got: %d want: %d", numCerts, expected) 1237 } 1238 1239 if certList.HasExpired(time.Unix(1302517272, 0)) { 1240 t.Errorf("CRL has expired (but shouldn't have)") 1241 } 1242 1243 // Can't check the signature here without a package cycle. 1244} 1245 1246func TestCRLWithoutExpiry(t *testing.T) { 1247 derBytes := fromBase64("MIHYMIGZMAkGByqGSM44BAMwEjEQMA4GA1UEAxMHQ2FybERTUxcNOTkwODI3MDcwMDAwWjBpMBMCAgDIFw05OTA4MjIwNzAwMDBaMBMCAgDJFw05OTA4MjIwNzAwMDBaMBMCAgDTFw05OTA4MjIwNzAwMDBaMBMCAgDSFw05OTA4MjIwNzAwMDBaMBMCAgDUFw05OTA4MjQwNzAwMDBaMAkGByqGSM44BAMDLwAwLAIUfmVSdjP+NHMX0feW+aDU2G1cfT0CFAJ6W7fVWxjBz4fvftok8yqDnDWh") 1248 certList, err := ParseDERCRL(derBytes) 1249 if err != nil { 1250 t.Fatal(err) 1251 } 1252 if !certList.TBSCertList.NextUpdate.IsZero() { 1253 t.Errorf("NextUpdate is not the zero value") 1254 } 1255} 1256 1257func TestParsePEMCRL(t *testing.T) { 1258 pemBytes := fromBase64(pemCRLBase64) 1259 certList, err := ParseCRL(pemBytes) 1260 if err != nil { 1261 t.Errorf("error parsing: %s", err) 1262 return 1263 } 1264 numCerts := len(certList.TBSCertList.RevokedCertificates) 1265 expected := 2 1266 if numCerts != expected { 1267 t.Errorf("bad number of revoked certificates. got: %d want: %d", numCerts, expected) 1268 } 1269 1270 if certList.HasExpired(time.Unix(1302517272, 0)) { 1271 t.Errorf("CRL has expired (but shouldn't have)") 1272 } 1273 1274 // Can't check the signature here without a package cycle. 1275} 1276 1277func TestNonFatalErrors(t *testing.T) { 1278 nfe := NonFatalErrors{} 1279 1280 nfe.AddError(errors.New("one")) 1281 nfe.AddError(errors.New("two")) 1282 nfe.AddError(errors.New("three")) 1283 1284 if !nfe.HasError() { 1285 t.Fatal("NonFatalError claimed not to have an error") 1286 } 1287 1288 if !strings.Contains(nfe.Error(), "one; two; three") { 1289 t.Fatalf("Didn't see expected string from Error(), got '%s'", nfe.Error()) 1290 } 1291} 1292 1293func TestIsFatal(t *testing.T) { 1294 tests := []struct { 1295 err error 1296 want bool 1297 }{ 1298 {err: errors.New("normal error"), want: true}, 1299 {err: NonFatalErrors{}, want: false}, 1300 {err: nil, want: false}, 1301 {err: &Errors{}, want: false}, 1302 {err: &Errors{Errs: []Error{{ID: 1, Summary: "test", Fatal: true}}}, want: true}, 1303 {err: &Errors{Errs: []Error{{ID: 1, Summary: "test", Fatal: false}}}, want: false}, 1304 } 1305 for _, test := range tests { 1306 got := IsFatal(test.err) 1307 if got != test.want { 1308 t.Errorf("IsFatal(%T %v)=%v, want %v", test.err, test.err, got, test.want) 1309 } 1310 } 1311} 1312 1313const ( 1314 tbsNoPoison = "30820245a003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + 1315 "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + 1316 "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + 1317 "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + 1318 "654365727469666963617465417574686f72697479301e170d31363037313731" + 1319 "31313534305a170d3139303331393131313534305a3066310b30090603550406" + 1320 "130255533113301106035504080c0a43616c69666f726e696131163014060355" + 1321 "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + 1322 "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + 1323 "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + 1324 "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + 1325 "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381ce3081cb301d" + 1326 "0603551d250416301406082b0601050507030106082b06010505070302306806" + 1327 "082b06010505070101045c305a302b06082b06010505073002861f687474703a" + 1328 "2f2f706b692e676f6f676c652e636f6d2f47494147322e637274302b06082b06" + 1329 "010505073001861f687474703a2f2f636c69656e7473312e676f6f676c652e63" + 1330 "6f6d2f6f637370301d0603551d0e04160414dbf46e63eee2dcbebf38604f9831" + 1331 "d06444f163d830210603551d20041a3018300c060a2b06010401d67902050130" + 1332 "08060667810c010202" 1333 tbsPoisonFirst = "3082025aa003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + 1334 "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + 1335 "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + 1336 "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + 1337 "654365727469666963617465417574686f72697479301e170d31363037313731" + 1338 "31313534305a170d3139303331393131313534305a3066310b30090603550406" + 1339 "130255533113301106035504080c0a43616c69666f726e696131163014060355" + 1340 "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + 1341 "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + 1342 "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + 1343 "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + 1344 "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381e33081e03013" + 1345 "060a2b06010401d6790204030101ff04020500301d0603551d25041630140608" + 1346 "2b0601050507030106082b06010505070302306806082b06010505070101045c" + 1347 "305a302b06082b06010505073002861f687474703a2f2f706b692e676f6f676c" + 1348 "652e636f6d2f47494147322e637274302b06082b06010505073001861f687474" + 1349 "703a2f2f636c69656e7473312e676f6f676c652e636f6d2f6f637370301d0603" + 1350 "551d0e04160414dbf46e63eee2dcbebf38604f9831d06444f163d83021060355" + 1351 "1d20041a3018300c060a2b06010401d6790205013008060667810c010202" 1352 tbsPoisonLast = "3082025aa003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + 1353 "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + 1354 "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + 1355 "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + 1356 "654365727469666963617465417574686f72697479301e170d31363037313731" + 1357 "31313534305a170d3139303331393131313534305a3066310b30090603550406" + 1358 "130255533113301106035504080c0a43616c69666f726e696131163014060355" + 1359 "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + 1360 "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + 1361 "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + 1362 "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + 1363 "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381e33081e0301d" + 1364 "0603551d250416301406082b0601050507030106082b06010505070302306806" + 1365 "082b06010505070101045c305a302b06082b06010505073002861f687474703a" + 1366 "2f2f706b692e676f6f676c652e636f6d2f47494147322e637274302b06082b06" + 1367 "010505073001861f687474703a2f2f636c69656e7473312e676f6f676c652e63" + 1368 "6f6d2f6f637370301d0603551d0e04160414dbf46e63eee2dcbebf38604f9831" + 1369 "d06444f163d830210603551d20041a3018300c060a2b06010401d67902050130" + 1370 "08060667810c0102023013060a2b06010401d6790204030101ff04020500" 1371 tbsPoisonMiddle = "3082025aa003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + 1372 "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + 1373 "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + 1374 "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + 1375 "654365727469666963617465417574686f72697479301e170d31363037313731" + 1376 "31313534305a170d3139303331393131313534305a3066310b30090603550406" + 1377 "130255533113301106035504080c0a43616c69666f726e696131163014060355" + 1378 "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + 1379 "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + 1380 "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + 1381 "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + 1382 "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381e33081e0301d" + 1383 "0603551d250416301406082b0601050507030106082b06010505070302306806" + 1384 "082b06010505070101045c305a302b06082b06010505073002861f687474703a" + 1385 "2f2f706b692e676f6f676c652e636f6d2f47494147322e637274302b06082b06" + 1386 "010505073001861f687474703a2f2f636c69656e7473312e676f6f676c652e63" + 1387 "6f6d2f6f6373703013060a2b06010401d6790204030101ff04020500301d0603" + 1388 "551d0e04160414dbf46e63eee2dcbebf38604f9831d06444f163d83021060355" + 1389 "1d20041a3018300c060a2b06010401d6790205013008060667810c010202" 1390 tbsPoisonTwice = "3082026fa003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + 1391 "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + 1392 "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + 1393 "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + 1394 "654365727469666963617465417574686f72697479301e170d31363037313731" + 1395 "31313534305a170d3139303331393131313534305a3066310b30090603550406" + 1396 "130255533113301106035504080c0a43616c69666f726e696131163014060355" + 1397 "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + 1398 "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + 1399 "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + 1400 "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + 1401 "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381f83081f5301d" + 1402 "0603551d250416301406082b0601050507030106082b06010505070302306806" + 1403 "082b06010505070101045c305a302b06082b06010505073002861f687474703a" + 1404 "2f2f706b692e676f6f676c652e636f6d2f47494147322e637274302b06082b06" + 1405 "010505073001861f687474703a2f2f636c69656e7473312e676f6f676c652e63" + 1406 "6f6d2f6f6373703013060a2b06010401d6790204030101ff04020500301d0603" + 1407 "551d0e04160414dbf46e63eee2dcbebf38604f9831d06444f163d83013060a2b" + 1408 "06010401d6790204030101ff0402050030210603551d20041a3018300c060a2b" + 1409 "06010401d6790205013008060667810c010202" 1410) 1411 1412func TestRemoveCTPoison(t *testing.T) { 1413 var tests = []struct { 1414 name string // for human consumption 1415 tbs string // hex encoded 1416 want string // hex encoded 1417 errstr string 1418 }{ 1419 {name: "invalid-der", tbs: "01020304", errstr: "failed to parse"}, 1420 {name: "trailing-data", tbs: tbsPoisonMiddle + "01020304", errstr: "trailing data"}, 1421 {name: "no-poison-ext", tbs: tbsNoPoison, errstr: "no extension of specified type present"}, 1422 {name: "two-poison-exts", tbs: tbsPoisonTwice, errstr: "multiple extensions of specified type present"}, 1423 {name: "poison-first", tbs: tbsPoisonFirst, want: tbsNoPoison}, 1424 {name: "poison-last", tbs: tbsPoisonLast, want: tbsNoPoison}, 1425 {name: "poison-middle", tbs: tbsPoisonMiddle, want: tbsNoPoison}, 1426 } 1427 for _, test := range tests { 1428 in, _ := hex.DecodeString(test.tbs) 1429 got, err := RemoveCTPoison(in) 1430 if test.errstr != "" { 1431 if err == nil { 1432 t.Errorf("RemoveCTPoison(%s)=%s,nil; want error %q", test.name, hex.EncodeToString(got), test.errstr) 1433 } else if !strings.Contains(err.Error(), test.errstr) { 1434 t.Errorf("RemoveCTPoison(%s)=nil,%q; want error %q", test.name, err, test.errstr) 1435 } 1436 continue 1437 } 1438 want, _ := hex.DecodeString(test.want) 1439 if err != nil { 1440 t.Errorf("RemoveCTPoison(%s)=nil,%q; want %s,nil", test.name, err, test.want) 1441 } else if !bytes.Equal(got, want) { 1442 t.Errorf("RemoveCTPoison(%s)=%s,nil; want %s,nil", test.name, hex.EncodeToString(got), test.want) 1443 } 1444 } 1445} 1446 1447func makeCert(t *testing.T, template, issuer *Certificate) *Certificate { 1448 t.Helper() 1449 certData, err := CreateCertificate(rand.Reader, template, issuer, &testPrivateKey.PublicKey, testPrivateKey) 1450 if err != nil { 1451 t.Fatalf("failed to create pre-cert: %v", err) 1452 } 1453 cert, err := ParseCertificate(certData) 1454 if err != nil { 1455 t.Fatalf("failed to re-parse pre-cert: %v", err) 1456 } 1457 return cert 1458} 1459 1460func TestBuildPrecertTBS(t *testing.T) { 1461 poisonExt := pkix.Extension{Id: OIDExtensionCTPoison, Critical: true, Value: asn1.NullBytes} 1462 preIssuerKeyID := []byte{0x19, 0x09, 0x19, 0x70} 1463 issuerKeyID := []byte{0x07, 0x07, 0x20, 0x07} 1464 preCertTemplate := Certificate{ 1465 Version: 3, 1466 SerialNumber: big.NewInt(123), 1467 Issuer: pkix.Name{CommonName: "precert Issuer"}, 1468 Subject: pkix.Name{CommonName: "precert subject"}, 1469 NotBefore: time.Now(), 1470 NotAfter: time.Now().Add(3 * time.Hour), 1471 ExtraExtensions: []pkix.Extension{poisonExt}, 1472 AuthorityKeyId: preIssuerKeyID, 1473 } 1474 preIssuerTemplate := Certificate{ 1475 Version: 3, 1476 SerialNumber: big.NewInt(1234), 1477 Issuer: pkix.Name{CommonName: "real Issuer"}, 1478 Subject: pkix.Name{CommonName: "precert Issuer"}, 1479 NotBefore: time.Now(), 1480 NotAfter: time.Now().Add(3 * time.Hour), 1481 AuthorityKeyId: issuerKeyID, 1482 SubjectKeyId: preIssuerKeyID, 1483 ExtKeyUsage: []ExtKeyUsage{ExtKeyUsageCertificateTransparency}, 1484 } 1485 actualIssuerTemplate := Certificate{ 1486 Version: 3, 1487 SerialNumber: big.NewInt(12345), 1488 Issuer: pkix.Name{CommonName: "real Issuer"}, 1489 Subject: pkix.Name{CommonName: "real Issuer"}, 1490 NotBefore: time.Now(), 1491 NotAfter: time.Now().Add(3 * time.Hour), 1492 SubjectKeyId: issuerKeyID, 1493 } 1494 preCertWithAKI := makeCert(t, &preCertTemplate, &preIssuerTemplate) 1495 preIssuerWithAKI := makeCert(t, &preIssuerTemplate, &actualIssuerTemplate) 1496 1497 preIssuerTemplate.AuthorityKeyId = nil 1498 actualIssuerTemplate.SubjectKeyId = nil 1499 preIssuerWithoutAKI := makeCert(t, &preIssuerTemplate, &actualIssuerTemplate) 1500 1501 preCertTemplate.AuthorityKeyId = nil 1502 preIssuerTemplate.SubjectKeyId = nil 1503 preCertWithoutAKI := makeCert(t, &preCertTemplate, &preIssuerTemplate) 1504 1505 preIssuerTemplate.ExtKeyUsage = nil 1506 invalidPreIssuer := makeCert(t, &preIssuerTemplate, &actualIssuerTemplate) 1507 1508 akiPrefix := []byte{0x30, 0x06, 0x80, 0x04} // SEQUENCE { [0] { ... } } 1509 var tests = []struct { 1510 name string 1511 tbs *Certificate 1512 preIssuer *Certificate 1513 wantAKI []byte 1514 wantErr bool 1515 }{ 1516 { 1517 name: "no-preIssuer-provided", 1518 tbs: preCertWithAKI, 1519 wantAKI: append(akiPrefix, preIssuerKeyID...), 1520 }, 1521 { 1522 name: "both-with-AKI", 1523 tbs: preCertWithAKI, 1524 preIssuer: preIssuerWithAKI, 1525 wantAKI: append(akiPrefix, issuerKeyID...), 1526 }, 1527 { 1528 name: "invalid-preIssuer", 1529 tbs: preCertWithAKI, 1530 preIssuer: invalidPreIssuer, 1531 wantErr: true, 1532 }, 1533 { 1534 name: "both-without-AKI", 1535 tbs: preCertWithoutAKI, 1536 preIssuer: preIssuerWithoutAKI, 1537 }, 1538 { 1539 name: "precert-with-preIssuer-without-AKI", 1540 tbs: preCertWithAKI, 1541 preIssuer: preIssuerWithoutAKI, 1542 }, 1543 { 1544 name: "precert-without-preIssuer-with-AKI", 1545 tbs: preCertWithoutAKI, 1546 preIssuer: preIssuerWithAKI, 1547 wantAKI: append(akiPrefix, issuerKeyID...), 1548 }, 1549 } 1550 for _, test := range tests { 1551 got, err := BuildPrecertTBS(test.tbs.RawTBSCertificate, test.preIssuer) 1552 if err != nil { 1553 if !test.wantErr { 1554 t.Errorf("BuildPrecertTBS(%s)=nil,%q; want _,nil", test.name, err) 1555 } 1556 continue 1557 } 1558 if test.wantErr { 1559 t.Errorf("BuildPrecertTBS(%s)=_,nil; want _,non-nil", test.name) 1560 } 1561 1562 var tbs tbsCertificate 1563 if rest, err := asn1.Unmarshal(got, &tbs); err != nil { 1564 t.Errorf("BuildPrecertTBS(%s) gave unparsable TBS: %v", test.name, err) 1565 continue 1566 } else if len(rest) > 0 { 1567 t.Errorf("BuildPrecertTBS(%s) gave extra data in DER", test.name) 1568 } 1569 if test.preIssuer != nil { 1570 if got, want := tbs.Issuer.FullBytes, test.preIssuer.RawIssuer; !bytes.Equal(got, want) { 1571 t.Errorf("BuildPrecertTBS(%s).Issuer=%x, want %x", test.name, got, want) 1572 } 1573 } 1574 var gotAKI []byte 1575 for _, ext := range tbs.Extensions { 1576 if ext.Id.Equal(OIDExtensionAuthorityKeyId) { 1577 gotAKI = ext.Value 1578 break 1579 } 1580 } 1581 if gotAKI != nil { 1582 if test.wantAKI != nil { 1583 if !reflect.DeepEqual(gotAKI, test.wantAKI) { 1584 t.Errorf("BuildPrecertTBS(%s).Extensions[AKI]=%+v, want %+v", test.name, gotAKI, test.wantAKI) 1585 } 1586 } else { 1587 t.Errorf("BuildPrecertTBS(%s).Extensions[AKI]=%+v, want nil", test.name, gotAKI) 1588 } 1589 } else if test.wantAKI != nil { 1590 t.Errorf("BuildPrecertTBS(%s).Extensions[AKI]=nil, want %+v", test.name, test.wantAKI) 1591 } 1592 } 1593} 1594 1595func TestImports(t *testing.T) { 1596 // testenv.MustHaveGoRun(t) 1597 1598 // Replace testenv.GoToolPath(t) with "go" for use outside of Go repo. 1599 if err := exec.Command("go", "run", "x509_test_import.go").Run(); err != nil { 1600 t.Errorf("failed to run x509_test_import.go: %s", err) 1601 } 1602} 1603 1604const derCRLBase64 = "MIINqzCCDJMCAQEwDQYJKoZIhvcNAQEFBQAwVjEZMBcGA1UEAxMQUEtJIEZJTk1FQ0NBTklDQTEVMBMGA1UEChMMRklOTUVDQ0FOSUNBMRUwEwYDVQQLEwxGSU5NRUNDQU5JQ0ExCzAJBgNVBAYTAklUFw0xMTA1MDQxNjU3NDJaFw0xMTA1MDQyMDU3NDJaMIIMBzAhAg4Ze1od49Lt1qIXBydAzhcNMDkwNzE2MDg0MzIyWjAAMCECDl0HSL9bcZ1Ci/UHJ0DPFw0wOTA3MTYwODQzMTNaMAAwIQIOESB9tVAmX3cY7QcnQNAXDTA5MDcxNjA4NDUyMlowADAhAg4S1tGAQ3mHt8uVBydA1RcNMDkwODA0MTUyNTIyWjAAMCECDlQ249Y7vtC25ScHJ0DWFw0wOTA4MDQxNTI1MzdaMAAwIQIOISMop3NkA4PfYwcnQNkXDTA5MDgwNDExMDAzNFowADAhAg56/BMoS29KEShTBydA2hcNMDkwODA0MTEwMTAzWjAAMCECDnBp/22HPH5CSWoHJ0DbFw0wOTA4MDQxMDU0NDlaMAAwIQIOV9IP+8CD8bK+XAcnQNwXDTA5MDgwNDEwNTcxN1owADAhAg4v5aRz0IxWqYiXBydA3RcNMDkwODA0MTA1NzQ1WjAAMCECDlOU34VzvZAybQwHJ0DeFw0wOTA4MDQxMDU4MjFaMAAwIAINO4CD9lluIxcwBydBAxcNMDkwNzIyMTUzMTU5WjAAMCECDgOllfO8Y1QA7/wHJ0ExFw0wOTA3MjQxMTQxNDNaMAAwIQIOJBX7jbiCdRdyjgcnQUQXDTA5MDkxNjA5MzAwOFowADAhAg5iYSAgmDrlH/RZBydBRRcNMDkwOTE2MDkzMDE3WjAAMCECDmu6k6srP3jcMaQHJ0FRFw0wOTA4MDQxMDU2NDBaMAAwIQIOX8aHlO0V+WVH4QcnQVMXDTA5MDgwNDEwNTcyOVowADAhAg5flK2rg3NnsRgDBydBzhcNMTEwMjAxMTUzMzQ2WjAAMCECDg35yJDL1jOPTgoHJ0HPFw0xMTAyMDExNTM0MjZaMAAwIQIOMyFJ6+e9iiGVBQcnQdAXDTA5MDkxODEzMjAwNVowADAhAg5Emb/Oykucmn8fBydB1xcNMDkwOTIxMTAxMDQ3WjAAMCECDjQKCncV+MnUavMHJ0HaFw0wOTA5MjIwODE1MjZaMAAwIQIOaxiFUt3dpd+tPwcnQfQXDTEwMDYxODA4NDI1MVowADAhAg5G7P8nO0tkrMt7BydB9RcNMTAwNjE4MDg0MjMwWjAAMCECDmTCC3SXhmDRst4HJ0H2Fw0wOTA5MjgxMjA3MjBaMAAwIQIOHoGhUr/pRwzTKgcnQfcXDTA5MDkyODEyMDcyNFowADAhAg50wrcrCiw8mQmPBydCBBcNMTAwMjE2MTMwMTA2WjAAMCECDifWmkvwyhEqwEcHJ0IFFw0xMDAyMTYxMzAxMjBaMAAwIQIOfgPmlW9fg+osNgcnQhwXDTEwMDQxMzA5NTIwMFowADAhAg4YHAGuA6LgCk7tBydCHRcNMTAwNDEzMDk1MTM4WjAAMCECDi1zH1bxkNJhokAHJ0IsFw0xMDA0MTMwOTU5MzBaMAAwIQIOMipNccsb/wo2fwcnQi0XDTEwMDQxMzA5NTkwMFowADAhAg46lCmvPl4GpP6ABydCShcNMTAwMTE5MDk1MjE3WjAAMCECDjaTcaj+wBpcGAsHJ0JLFw0xMDAxMTkwOTUyMzRaMAAwIQIOOMC13EOrBuxIOQcnQloXDTEwMDIwMTA5NDcwNVowADAhAg5KmZl+krz4RsmrBydCWxcNMTAwMjAxMDk0NjQwWjAAMCECDmLG3zQJ/fzdSsUHJ0JiFw0xMDAzMDEwOTUxNDBaMAAwIQIOP39ksgHdojf4owcnQmMXDTEwMDMwMTA5NTExN1owADAhAg4LDQzvWNRlD6v9BydCZBcNMTAwMzAxMDk0NjIyWjAAMCECDkmNfeclaFhIaaUHJ0JlFw0xMDAzMDEwOTQ2MDVaMAAwIQIOT/qWWfpH/m8NTwcnQpQXDTEwMDUxMTA5MTgyMVowADAhAg5m/ksYxvCEgJSvBydClRcNMTAwNTExMDkxODAxWjAAMCECDgvf3Ohq6JOPU9AHJ0KWFw0xMDA1MTEwOTIxMjNaMAAwIQIOKSPas10z4jNVIQcnQpcXDTEwMDUxMTA5MjEwMlowADAhAg4mCWmhoZ3lyKCDBydCohcNMTEwNDI4MTEwMjI1WjAAMCECDkeiyRsBMK0Gvr4HJ0KjFw0xMTA0MjgxMTAyMDdaMAAwIQIOa09b/nH2+55SSwcnQq4XDTExMDQwMTA4Mjk0NlowADAhAg5O7M7iq7gGplr1BydCrxcNMTEwNDAxMDgzMDE3WjAAMCECDjlT6mJxUjTvyogHJ0K1Fw0xMTAxMjcxNTQ4NTJaMAAwIQIODS/l4UUFLe21NAcnQrYXDTExMDEyNzE1NDgyOFowADAhAg5lPRA0XdOUF6lSBydDHhcNMTEwMTI4MTQzNTA1WjAAMCECDixKX4fFGGpENwgHJ0MfFw0xMTAxMjgxNDM1MzBaMAAwIQIORNBkqsPnpKTtbAcnQ08XDTEwMDkwOTA4NDg0MlowADAhAg5QL+EMM3lohedEBydDUBcNMTAwOTA5MDg0ODE5WjAAMCECDlhDnHK+HiTRAXcHJ0NUFw0xMDEwMTkxNjIxNDBaMAAwIQIOdBFqAzq/INz53gcnQ1UXDTEwMTAxOTE2MjA0NFowADAhAg4OjR7s8MgKles1BydDWhcNMTEwMTI3MTY1MzM2WjAAMCECDmfR/elHee+d0SoHJ0NbFw0xMTAxMjcxNjUzNTZaMAAwIQIOBTKv2ui+KFMI+wcnQ5YXDTEwMDkxNTEwMjE1N1owADAhAg49F3c/GSah+oRUBydDmxcNMTEwMTI3MTczMjMzWjAAMCECDggv4I61WwpKFMMHJ0OcFw0xMTAxMjcxNzMyNTVaMAAwIQIOXx/Y8sEvwS10LAcnQ6UXDTExMDEyODExMjkzN1owADAhAg5LSLbnVrSKaw/9BydDphcNMTEwMTI4MTEyOTIwWjAAMCECDmFFoCuhKUeACQQHJ0PfFw0xMTAxMTExMDE3MzdaMAAwIQIOQTDdFh2fSPF6AAcnQ+AXDTExMDExMTEwMTcxMFowADAhAg5B8AOXX61FpvbbBydD5RcNMTAxMDA2MTAxNDM2WjAAMCECDh41P2Gmi7PkwI4HJ0PmFw0xMDEwMDYxMDE2MjVaMAAwIQIOWUHGLQCd+Ale9gcnQ/0XDTExMDUwMjA3NTYxMFowADAhAg5Z2c9AYkikmgWOBydD/hcNMTEwNTAyMDc1NjM0WjAAMCECDmf/UD+/h8nf+74HJ0QVFw0xMTA0MTUwNzI4MzNaMAAwIQIOICvj4epy3MrqfwcnRBYXDTExMDQxNTA3Mjg1NlowADAhAg4bouRMfOYqgv4xBydEHxcNMTEwMzA4MTYyNDI1WjAAMCECDhebWHGoKiTp7pEHJ0QgFw0xMTAzMDgxNjI0NDhaMAAwIQIOX+qnxxAqJ8LtawcnRDcXDTExMDEzMTE1MTIyOFowADAhAg4j0fICqZ+wkOdqBydEOBcNMTEwMTMxMTUxMTQxWjAAMCECDhmXjsV4SUpWtAMHJ0RLFw0xMTAxMjgxMTI0MTJaMAAwIQIODno/w+zG43kkTwcnREwXDTExMDEyODExMjM1MlowADAhAg4b1gc88767Fr+LBydETxcNMTEwMTI4MTEwMjA4WjAAMCECDn+M3Pa1w2nyFeUHJ0RQFw0xMTAxMjgxMDU4NDVaMAAwIQIOaduoyIH61tqybAcnRJUXDTEwMTIxNTA5NDMyMlowADAhAg4nLqQPkyi3ESAKBydElhcNMTAxMjE1MDk0MzM2WjAAMCECDi504NIMH8578gQHJ0SbFw0xMTAyMTQxNDA1NDFaMAAwIQIOGuaM8PDaC5u1egcnRJwXDTExMDIxNDE0MDYwNFowADAhAg4ehYq/BXGnB5PWBydEnxcNMTEwMjA0MDgwOTUxWjAAMCECDkSD4eS4FxW5H20HJ0SgFw0xMTAyMDQwODA5MjVaMAAwIQIOOCcb6ilYObt1egcnRKEXDTExMDEyNjEwNDEyOVowADAhAg58tISWCCwFnKGnBydEohcNMTEwMjA0MDgxMzQyWjAAMCECDn5rjtabY/L/WL0HJ0TJFw0xMTAyMDQxMTAzNDFaMAAwDQYJKoZIhvcNAQEFBQADggEBAGnF2Gs0+LNiYCW1Ipm83OXQYP/bd5tFFRzyz3iepFqNfYs4D68/QihjFoRHQoXEB0OEe1tvaVnnPGnEOpi6krwekquMxo4H88B5SlyiFIqemCOIss0SxlCFs69LmfRYvPPvPEhoXtQ3ZThe0UvKG83GOklhvGl6OaiRf4Mt+m8zOT4Wox/j6aOBK6cw6qKCdmD+Yj1rrNqFGg1CnSWMoD6S6mwNgkzwdBUJZ22BwrzAAo4RHa2Uy3ef1FjwD0XtU5N3uDSxGGBEDvOe5z82rps3E22FpAA8eYl8kaXtmWqyvYU0epp4brGuTxCuBMCAsxt/OjIjeNNQbBGkwxgfYA0=" 1605 1606const pemCRLBase64 = "LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tDQpNSUlCOWpDQ0FWOENBUUV3RFFZSktvWklodmNOQVFFRkJRQXdiREVhTUJnR0ExVUVDaE1SVWxOQklGTmxZM1Z5DQphWFI1SUVsdVl5NHhIakFjQmdOVkJBTVRGVkpUUVNCUWRXSnNhV01nVW05dmRDQkRRU0IyTVRFdU1Dd0dDU3FHDQpTSWIzRFFFSkFSWWZjbk5oYTJWdmJuSnZiM1J6YVdkdVFISnpZWE5sWTNWeWFYUjVMbU52YlJjTk1URXdNakl6DQpNVGt5T0RNd1doY05NVEV3T0RJeU1Ua3lPRE13V2pDQmpEQktBaEVBckRxb2g5RkhKSFhUN09QZ3V1bjQrQmNODQpNRGt4TVRBeU1UUXlOekE1V2pBbU1Bb0dBMVVkRlFRRENnRUpNQmdHQTFVZEdBUVJHQTh5TURBNU1URXdNakUwDQpNalExTlZvd1BnSVJBTEd6blowOTVQQjVhQU9MUGc1N2ZNTVhEVEF5TVRBeU16RTBOVEF4TkZvd0dqQVlCZ05WDQpIUmdFRVJnUE1qQXdNakV3TWpNeE5EVXdNVFJhb0RBd0xqQWZCZ05WSFNNRUdEQVdnQlQxVERGNlVRTS9MTmVMDQpsNWx2cUhHUXEzZzltekFMQmdOVkhSUUVCQUlDQUlRd0RRWUpLb1pJaHZjTkFRRUZCUUFEZ1lFQUZVNUFzNk16DQpxNVBSc2lmYW9iUVBHaDFhSkx5QytNczVBZ2MwYld5QTNHQWR4dXI1U3BQWmVSV0NCamlQL01FSEJXSkNsQkhQDQpHUmNxNXlJZDNFakRrYUV5eFJhK2k2N0x6dmhJNmMyOUVlNks5cFNZd2ppLzdSVWhtbW5Qclh0VHhsTDBsckxyDQptUVFKNnhoRFJhNUczUUE0Q21VZHNITnZicnpnbUNZcHZWRT0NCi0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0NCg0K" 1607 1608func TestCreateCertificateRequest(t *testing.T) { 1609 random := rand.Reader 1610 1611 ecdsa256Priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 1612 if err != nil { 1613 t.Fatalf("Failed to generate ECDSA key: %s", err) 1614 } 1615 1616 ecdsa384Priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) 1617 if err != nil { 1618 t.Fatalf("Failed to generate ECDSA key: %s", err) 1619 } 1620 1621 ecdsa521Priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) 1622 if err != nil { 1623 t.Fatalf("Failed to generate ECDSA key: %s", err) 1624 } 1625 1626 tests := []struct { 1627 name string 1628 priv interface{} 1629 sigAlgo SignatureAlgorithm 1630 }{ 1631 {"RSA", testPrivateKey, SHA1WithRSA}, 1632 {"ECDSA-256", ecdsa256Priv, ECDSAWithSHA1}, 1633 {"ECDSA-384", ecdsa384Priv, ECDSAWithSHA1}, 1634 {"ECDSA-521", ecdsa521Priv, ECDSAWithSHA1}, 1635 } 1636 1637 for _, test := range tests { 1638 template := CertificateRequest{ 1639 Subject: pkix.Name{ 1640 CommonName: "test.example.com", 1641 Organization: []string{"Σ Acme Co"}, 1642 }, 1643 SignatureAlgorithm: test.sigAlgo, 1644 DNSNames: []string{"test.example.com"}, 1645 EmailAddresses: []string{"gopher@golang.org"}, 1646 IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")}, 1647 } 1648 1649 derBytes, err := CreateCertificateRequest(random, &template, test.priv) 1650 if err != nil { 1651 t.Errorf("%s: failed to create certificate request: %s", test.name, err) 1652 continue 1653 } 1654 1655 out, err := ParseCertificateRequest(derBytes) 1656 if err != nil { 1657 t.Errorf("%s: failed to create certificate request: %s", test.name, err) 1658 continue 1659 } 1660 1661 err = out.CheckSignature() 1662 if err != nil { 1663 t.Errorf("%s: failed to check certificate request signature: %s", test.name, err) 1664 continue 1665 } 1666 1667 if out.Subject.CommonName != template.Subject.CommonName { 1668 t.Errorf("%s: output subject common name and template subject common name don't match", test.name) 1669 } else if len(out.Subject.Organization) != len(template.Subject.Organization) { 1670 t.Errorf("%s: output subject organisation and template subject organisation don't match", test.name) 1671 } else if len(out.DNSNames) != len(template.DNSNames) { 1672 t.Errorf("%s: output DNS names and template DNS names don't match", test.name) 1673 } else if len(out.EmailAddresses) != len(template.EmailAddresses) { 1674 t.Errorf("%s: output email addresses and template email addresses don't match", test.name) 1675 } else if len(out.IPAddresses) != len(template.IPAddresses) { 1676 t.Errorf("%s: output IP addresses and template IP addresses names don't match", test.name) 1677 } 1678 } 1679} 1680 1681func marshalAndParseCSR(t *testing.T, template *CertificateRequest) *CertificateRequest { 1682 derBytes, err := CreateCertificateRequest(rand.Reader, template, testPrivateKey) 1683 if err != nil { 1684 t.Fatal(err) 1685 } 1686 1687 csr, err := ParseCertificateRequest(derBytes) 1688 if err != nil { 1689 t.Fatal(err) 1690 } 1691 1692 return csr 1693} 1694 1695func TestCertificateRequestOverrides(t *testing.T) { 1696 sanContents, err := marshalSANs([]string{"foo.example.com"}, nil, nil, nil) 1697 if err != nil { 1698 t.Fatal(err) 1699 } 1700 1701 template := CertificateRequest{ 1702 Subject: pkix.Name{ 1703 CommonName: "test.example.com", 1704 Organization: []string{"Σ Acme Co"}, 1705 }, 1706 DNSNames: []string{"test.example.com"}, 1707 1708 // An explicit extension should override the DNSNames from the 1709 // template. 1710 ExtraExtensions: []pkix.Extension{ 1711 { 1712 Id: OIDExtensionSubjectAltName, 1713 Value: sanContents, 1714 }, 1715 }, 1716 } 1717 1718 csr := marshalAndParseCSR(t, &template) 1719 1720 if len(csr.DNSNames) != 1 || csr.DNSNames[0] != "foo.example.com" { 1721 t.Errorf("Extension did not override template. Got %v\n", csr.DNSNames) 1722 } 1723 1724 // If there is already an attribute with X.509 extensions then the 1725 // extra extensions should be added to it rather than creating a CSR 1726 // with two extension attributes. 1727 1728 template.Attributes = []pkix.AttributeTypeAndValueSET{ 1729 { 1730 Type: oidExtensionRequest, 1731 Value: [][]pkix.AttributeTypeAndValue{ 1732 { 1733 { 1734 Type: OIDExtensionAuthorityInfoAccess, 1735 Value: []byte("foo"), 1736 }, 1737 }, 1738 }, 1739 }, 1740 } 1741 1742 csr = marshalAndParseCSR(t, &template) 1743 if l := len(csr.Attributes); l != 1 { 1744 t.Errorf("incorrect number of attributes: %d\n", l) 1745 } 1746 1747 if !csr.Attributes[0].Type.Equal(oidExtensionRequest) || 1748 len(csr.Attributes[0].Value) != 1 || 1749 len(csr.Attributes[0].Value[0]) != 2 { 1750 t.Errorf("bad attributes: %#v\n", csr.Attributes) 1751 } 1752 1753 sanContents2, err := marshalSANs([]string{"foo2.example.com"}, nil, nil, nil) 1754 if err != nil { 1755 t.Fatal(err) 1756 } 1757 1758 // Extensions in Attributes should override those in ExtraExtensions. 1759 template.Attributes[0].Value[0] = append(template.Attributes[0].Value[0], pkix.AttributeTypeAndValue{ 1760 Type: OIDExtensionSubjectAltName, 1761 Value: sanContents2, 1762 }) 1763 1764 csr = marshalAndParseCSR(t, &template) 1765 1766 if len(csr.DNSNames) != 1 || csr.DNSNames[0] != "foo2.example.com" { 1767 t.Errorf("Attributes did not override ExtraExtensions. Got %v\n", csr.DNSNames) 1768 } 1769} 1770 1771func TestParseCertificateRequest(t *testing.T) { 1772 for _, csrBase64 := range csrBase64Array { 1773 csrBytes := fromBase64(csrBase64) 1774 csr, err := ParseCertificateRequest(csrBytes) 1775 if err != nil { 1776 t.Fatalf("failed to parse CSR: %s", err) 1777 } 1778 1779 if len(csr.EmailAddresses) != 1 || csr.EmailAddresses[0] != "gopher@golang.org" { 1780 t.Errorf("incorrect email addresses found: %v", csr.EmailAddresses) 1781 } 1782 1783 if len(csr.DNSNames) != 1 || csr.DNSNames[0] != "test.example.com" { 1784 t.Errorf("incorrect DNS names found: %v", csr.DNSNames) 1785 } 1786 1787 if len(csr.Subject.Country) != 1 || csr.Subject.Country[0] != "AU" { 1788 t.Errorf("incorrect Subject name: %v", csr.Subject) 1789 } 1790 1791 found := false 1792 for _, e := range csr.Extensions { 1793 if e.Id.Equal(OIDExtensionBasicConstraints) { 1794 found = true 1795 break 1796 } 1797 } 1798 if !found { 1799 t.Errorf("basic constraints extension not found in CSR") 1800 } 1801 } 1802} 1803 1804func TestCriticalFlagInCSRRequestedExtensions(t *testing.T) { 1805 // This CSR contains an extension request where the extensions have a 1806 // critical flag in them. In the past we failed to handle this. 1807 const csrBase64 = "MIICrTCCAZUCAQIwMzEgMB4GA1UEAwwXU0NFUCBDQSBmb3IgRGV2ZWxlciBTcmwxDzANBgNVBAsMBjQzNTk3MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALFMAJ7Zy9YyfgbNlbUWAW0LalNRMPs7aXmLANsCpjhnw3lLlfDPaLeWyKh1nK5I5ojaJOW6KIOSAcJkDUe3rrE0wR0RVt3UxArqs0R/ND3u5Q+bDQY2X1HAFUHzUzcdm5JRAIA355v90teMckaWAIlkRQjDE22Lzc6NAl64KOd1rqOUNj8+PfX6fSo20jm94Pp1+a6mfk3G/RUWVuSm7owO5DZI/Fsi2ijdmb4NUar6K/bDKYTrDFkzcqAyMfP3TitUtBp19Mp3B1yAlHjlbp/r5fSSXfOGHZdgIvp0WkLuK2u5eQrX5l7HMB/5epgUs3HQxKY6ljhh5wAjDwz//LsCAwEAAaA1MDMGCSqGSIb3DQEJDjEmMCQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAoQwDQYJKoZIhvcNAQEFBQADggEBAAMq3bxJSPQEgzLYR/yaVvgjCDrc3zUbIwdOis6Go06Q4RnjH5yRaSZAqZQTDsPurQcnz2I39VMGEiSkFJFavf4QHIZ7QFLkyXadMtALc87tm17Ej719SbHcBSSZayR9VYJUNXRLayI6HvyUrmqcMKh+iX3WY3ICr59/wlM0tYa8DYN4yzmOa2Onb29gy3YlaF5A2AKAMmk003cRT9gY26mjpv7d21czOSSeNyVIoZ04IR9ee71vWTMdv0hu/af5kSjQ+ZG5/Qgc0+mnECLz/1gtxt1srLYbtYQ/qAY8oX1DCSGFS61tN/vl+4cxGMD/VGcGzADRLRHSlVqy2Qgss6Q=" 1808 1809 csrBytes := fromBase64(csrBase64) 1810 csr, err := ParseCertificateRequest(csrBytes) 1811 if err != nil { 1812 t.Fatalf("failed to parse CSR: %s", err) 1813 } 1814 1815 expected := []struct { 1816 Id asn1.ObjectIdentifier 1817 Value []byte 1818 }{ 1819 {OIDExtensionBasicConstraints, fromBase64("MAYBAf8CAQA=")}, 1820 {OIDExtensionKeyUsage, fromBase64("AwIChA==")}, 1821 } 1822 1823 if n := len(csr.Extensions); n != len(expected) { 1824 t.Fatalf("expected to find %d extensions but found %d", len(expected), n) 1825 } 1826 1827 for i, extension := range csr.Extensions { 1828 if !extension.Id.Equal(expected[i].Id) { 1829 t.Fatalf("extension #%d has unexpected type %v (expected %v)", i, extension.Id, expected[i].Id) 1830 } 1831 1832 if !bytes.Equal(extension.Value, expected[i].Value) { 1833 t.Fatalf("extension #%d has unexpected contents %x (expected %x)", i, extension.Value, expected[i].Value) 1834 } 1835 } 1836} 1837 1838// serialiseAndParse generates a self-signed certificate from template and 1839// returns a parsed version of it. 1840func serialiseAndParse(t *testing.T, template *Certificate) *Certificate { 1841 derBytes, err := CreateCertificate(rand.Reader, template, template, &testPrivateKey.PublicKey, testPrivateKey) 1842 if err != nil { 1843 t.Fatalf("failed to create certificate: %s", err) 1844 return nil 1845 } 1846 1847 cert, err := ParseCertificate(derBytes) 1848 if err != nil { 1849 t.Fatalf("failed to parse certificate: %s", err) 1850 return nil 1851 } 1852 1853 return cert 1854} 1855 1856func TestMaxPathLen(t *testing.T) { 1857 template := &Certificate{ 1858 SerialNumber: big.NewInt(1), 1859 Subject: pkix.Name{ 1860 CommonName: "Σ Acme Co", 1861 }, 1862 NotBefore: time.Unix(1000, 0), 1863 NotAfter: time.Unix(100000, 0), 1864 1865 BasicConstraintsValid: true, 1866 IsCA: true, 1867 } 1868 1869 cert1 := serialiseAndParse(t, template) 1870 if m := cert1.MaxPathLen; m != -1 { 1871 t.Errorf("Omitting MaxPathLen didn't turn into -1, got %d", m) 1872 } 1873 if cert1.MaxPathLenZero { 1874 t.Errorf("Omitting MaxPathLen resulted in MaxPathLenZero") 1875 } 1876 1877 template.MaxPathLen = 1 1878 cert2 := serialiseAndParse(t, template) 1879 if m := cert2.MaxPathLen; m != 1 { 1880 t.Errorf("Setting MaxPathLen didn't work. Got %d but set 1", m) 1881 } 1882 if cert2.MaxPathLenZero { 1883 t.Errorf("Setting MaxPathLen resulted in MaxPathLenZero") 1884 } 1885 1886 template.MaxPathLen = 0 1887 template.MaxPathLenZero = true 1888 cert3 := serialiseAndParse(t, template) 1889 if m := cert3.MaxPathLen; m != 0 { 1890 t.Errorf("Setting MaxPathLenZero didn't work, got %d", m) 1891 } 1892 if !cert3.MaxPathLenZero { 1893 t.Errorf("Setting MaxPathLen to zero didn't result in MaxPathLenZero") 1894 } 1895} 1896 1897func TestNoAuthorityKeyIdInSelfSignedCert(t *testing.T) { 1898 template := &Certificate{ 1899 SerialNumber: big.NewInt(1), 1900 Subject: pkix.Name{ 1901 CommonName: "Σ Acme Co", 1902 }, 1903 NotBefore: time.Unix(1000, 0), 1904 NotAfter: time.Unix(100000, 0), 1905 1906 BasicConstraintsValid: true, 1907 IsCA: true, 1908 SubjectKeyId: []byte{1, 2, 3, 4}, 1909 } 1910 1911 if cert := serialiseAndParse(t, template); len(cert.AuthorityKeyId) != 0 { 1912 t.Fatalf("self-signed certificate contained default authority key id") 1913 } 1914 1915 template.AuthorityKeyId = []byte{1, 2, 3, 4} 1916 if cert := serialiseAndParse(t, template); len(cert.AuthorityKeyId) == 0 { 1917 t.Fatalf("self-signed certificate erased explicit authority key id") 1918 } 1919} 1920 1921func TestASN1BitLength(t *testing.T) { 1922 tests := []struct { 1923 bytes []byte 1924 bitLen int 1925 }{ 1926 {nil, 0}, 1927 {[]byte{0x00}, 0}, 1928 {[]byte{0x00, 0x00}, 0}, 1929 {[]byte{0xf0}, 4}, 1930 {[]byte{0x88}, 5}, 1931 {[]byte{0xff}, 8}, 1932 {[]byte{0xff, 0x80}, 9}, 1933 {[]byte{0xff, 0x81}, 16}, 1934 } 1935 1936 for i, test := range tests { 1937 if got := asn1BitLength(test.bytes); got != test.bitLen { 1938 t.Errorf("#%d: calculated bit-length of %d for %x, wanted %d", i, got, test.bytes, test.bitLen) 1939 } 1940 } 1941} 1942 1943func TestVerifyEmptyCertificate(t *testing.T) { 1944 if _, err := new(Certificate).Verify(VerifyOptions{}); err != errNotParsed { 1945 t.Errorf("Verifying empty certificate resulted in unexpected error: %q (wanted %q)", err, errNotParsed) 1946 } 1947} 1948 1949func TestInsecureAlgorithmErrorString(t *testing.T) { 1950 tests := []struct { 1951 sa SignatureAlgorithm 1952 want string 1953 }{ 1954 {MD2WithRSA, "x509: cannot verify signature: insecure algorithm MD2-RSA"}, 1955 {-1, "x509: cannot verify signature: insecure algorithm -1"}, 1956 {0, "x509: cannot verify signature: insecure algorithm 0"}, 1957 {9999, "x509: cannot verify signature: insecure algorithm 9999"}, 1958 } 1959 for i, tt := range tests { 1960 if got := fmt.Sprint(InsecureAlgorithmError(tt.sa)); got != tt.want { 1961 t.Errorf("%d. mismatch.\n got: %s\nwant: %s\n", i, got, tt.want) 1962 } 1963 } 1964} 1965 1966// These CSR was generated with OpenSSL: 1967// openssl req -out CSR.csr -new -sha256 -nodes -keyout privateKey.key -config openssl.cnf 1968// 1969// With openssl.cnf containing the following sections: 1970// [ v3_req ] 1971// basicConstraints = CA:FALSE 1972// keyUsage = nonRepudiation, digitalSignature, keyEncipherment 1973// subjectAltName = email:gopher@golang.org,DNS:test.example.com 1974// [ req_attributes ] 1975// challengePassword = ignored challenge 1976// unstructuredName = ignored unstructured name 1977var csrBase64Array = [...]string{ 1978 // Just [ v3_req ] 1979 "MIIDHDCCAgQCAQAwfjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLQ29tbW9uIE5hbWUxITAfBgkqhkiG9w0BCQEWEnRlc3RAZW1haWwuYWRkcmVzczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1GY4YFx2ujlZEOJxQVYmsjUnLsd5nFVnNpLE4cV+77sgv9NPNlB8uhn3MXt5leD34rm/2BisCHOifPucYlSrszo2beuKhvwn4+2FxDmWtBEMu/QA16L5IvoOfYZm/gJTsPwKDqvaR0tTU67a9OtxwNTBMI56YKtmwd/o8d3hYv9cg+9ZGAZ/gKONcg/OWYx/XRh6bd0g8DMbCikpWgXKDsvvK1Nk+VtkDO1JxuBaj4Lz/p/MifTfnHoqHxWOWl4EaTs4Ychxsv34/rSj1KD1tJqorIv5Xv2aqv4sjxfbrYzX4kvS5SC1goIovLnhj5UjmQ3Qy8u65eow/LLWw+YFcCAwEAAaBZMFcGCSqGSIb3DQEJDjFKMEgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLgYDVR0RBCcwJYERZ29waGVyQGdvbGFuZy5vcmeCEHRlc3QuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAB6VPMRrchvNW61Tokyq3ZvO6/NoGIbuwUn54q6l5VZW0Ep5Nq8juhegSSnaJ0jrovmUgKDN9vEo2KxuAtwG6udS6Ami3zP+hRd4k9Q8djJPb78nrjzWiindLK5Fps9U5mMoi1ER8ViveyAOTfnZt/jsKUaRsscY2FzE9t9/o5moE6LTcHUS4Ap1eheR+J72WOnQYn3cifYaemsA9MJuLko+kQ6xseqttbh9zjqd9fiCSh/LNkzos9c+mg2yMADitaZinAh+HZi50ooEbjaT3erNq9O6RqwJlgD00g6MQdoz9bTAryCUhCQfkIaepmQ7BxS0pqWNW3MMwfDwx/Snz6g=", 1980 // Both [ v3_req ] and [ req_attributes ] 1981 "MIIDaTCCAlECAQAwfjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLQ29tbW9uIE5hbWUxITAfBgkqhkiG9w0BCQEWEnRlc3RAZW1haWwuYWRkcmVzczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1GY4YFx2ujlZEOJxQVYmsjUnLsd5nFVnNpLE4cV+77sgv9NPNlB8uhn3MXt5leD34rm/2BisCHOifPucYlSrszo2beuKhvwn4+2FxDmWtBEMu/QA16L5IvoOfYZm/gJTsPwKDqvaR0tTU67a9OtxwNTBMI56YKtmwd/o8d3hYv9cg+9ZGAZ/gKONcg/OWYx/XRh6bd0g8DMbCikpWgXKDsvvK1Nk+VtkDO1JxuBaj4Lz/p/MifTfnHoqHxWOWl4EaTs4Ychxsv34/rSj1KD1tJqorIv5Xv2aqv4sjxfbrYzX4kvS5SC1goIovLnhj5UjmQ3Qy8u65eow/LLWw+YFcCAwEAAaCBpTAgBgkqhkiG9w0BCQcxEwwRaWdub3JlZCBjaGFsbGVuZ2UwKAYJKoZIhvcNAQkCMRsMGWlnbm9yZWQgdW5zdHJ1Y3R1cmVkIG5hbWUwVwYJKoZIhvcNAQkOMUowSDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAuBgNVHREEJzAlgRFnb3BoZXJAZ29sYW5nLm9yZ4IQdGVzdC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAgxe2N5O48EMsYE7o0rZBB0wi3Ov5/yYfnmmVI22Y3sP6VXbLDW0+UWIeSccOhzUCcZ/G4qcrfhhx6gTZTeA01nP7TdTJURvWAH5iFqj9sQ0qnLq6nEcVHij3sG6M5+BxAIVClQBk6lTCzgphc835Fjj6qSLuJ20XHdL5UfUbiJxx299CHgyBRL+hBUIPfz8p+ZgamyAuDLfnj54zzcRVyLlrmMLNPZNll1Q70RxoU6uWvLH8wB8vQe3Q/guSGubLyLRTUQVPh+dw1L4t8MKFWfX/48jwRM4gIRHFHPeAAE9D9YAoqdIvj/iFm/eQ++7DP8MDwOZWsXeB6jjwHuLmkQ==", 1982} 1983 1984var md5cert = ` 1985-----BEGIN CERTIFICATE----- 1986MIIB4TCCAUoCCQCfmw3vMgPS5TANBgkqhkiG9w0BAQQFADA1MQswCQYDVQQGEwJB 1987VTETMBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEChMITUQ1IEluYy4wHhcNMTUx 1988MjAzMTkyOTMyWhcNMjkwODEyMTkyOTMyWjA1MQswCQYDVQQGEwJBVTETMBEGA1UE 1989CBMKU29tZS1TdGF0ZTERMA8GA1UEChMITUQ1IEluYy4wgZ8wDQYJKoZIhvcNAQEB 1990BQADgY0AMIGJAoGBANrq2nhLQj5mlXbpVX3QUPhfEm/vdEqPkoWtR/jRZIWm4WGf 1991Wpq/LKHJx2Pqwn+t117syN8l4U5unyAi1BJSXjBwPZNd7dXjcuJ+bRLV7FZ/iuvs 1992cfYyQQFTxan4TaJMd0x1HoNDbNbjHa02IyjjYE/r3mb/PIg+J2t5AZEh80lPAgMB 1993AAEwDQYJKoZIhvcNAQEEBQADgYEAjGzp3K3ey/YfKHohf33yHHWd695HQxDAP+wY 1994cs9/TAyLR+gJzJP7d18EcDDLJWVi7bhfa4EAD86di05azOh9kWSn4b3o9QYRGCSw 1995GNnI3Zk0cwNKA49hZntKKiy22DhRk7JAHF01d6Bu3KkHkmENrtJ+zj/+159WAnUa 1996qViorq4= 1997-----END CERTIFICATE----- 1998` 1999 2000func TestMD5(t *testing.T) { 2001 pemBlock, _ := pem.Decode([]byte(md5cert)) 2002 cert, err := ParseCertificate(pemBlock.Bytes) 2003 if err != nil { 2004 t.Fatalf("failed to parse certificate: %s", err) 2005 } 2006 if sa := cert.SignatureAlgorithm; sa != MD5WithRSA { 2007 t.Errorf("signature algorithm is %v, want %v", sa, MD5WithRSA) 2008 } 2009 if err = cert.CheckSignatureFrom(cert); err == nil { 2010 t.Fatalf("certificate verification succeeded incorrectly") 2011 } 2012 if _, ok := err.(InsecureAlgorithmError); !ok { 2013 t.Fatalf("certificate verification returned %v (%T), wanted InsecureAlgorithmError", err, err) 2014 } 2015} 2016 2017// certMissingRSANULL contains an RSA public key where the AlgorithmIdentifer 2018// parameters are omitted rather than being an ASN.1 NULL. 2019const certMissingRSANULL = ` 2020-----BEGIN CERTIFICATE----- 2021MIIB7TCCAVigAwIBAgIBADALBgkqhkiG9w0BAQUwJjEQMA4GA1UEChMHQWNtZSBD 2022bzESMBAGA1UEAxMJMTI3LjAuMC4xMB4XDTExMTIwODA3NTUxMloXDTEyMTIwNzA4 2023MDAxMlowJjEQMA4GA1UEChMHQWNtZSBDbzESMBAGA1UEAxMJMTI3LjAuMC4xMIGc 2024MAsGCSqGSIb3DQEBAQOBjAAwgYgCgYBO0Hsx44Jk2VnAwoekXh6LczPHY1PfZpIG 2025hPZk1Y/kNqcdK+izIDZFI7Xjla7t4PUgnI2V339aEu+H5Fto5OkOdOwEin/ekyfE 2026ARl6vfLcPRSr0FTKIQzQTW6HLlzF0rtNS0/Otiz3fojsfNcCkXSmHgwa2uNKWi7e 2027E5xMQIhZkwIDAQABozIwMDAOBgNVHQ8BAf8EBAMCAKAwDQYDVR0OBAYEBAECAwQw 2028DwYDVR0jBAgwBoAEAQIDBDALBgkqhkiG9w0BAQUDgYEANh+zegx1yW43RmEr1b3A 2029p0vMRpqBWHyFeSnIyMZn3TJWRSt1tukkqVCavh9a+hoV2cxVlXIWg7nCto/9iIw4 2030hB2rXZIxE0/9gzvGnfERYraL7KtnvshksBFQRlgXa5kc0x38BvEO5ZaoDPl4ILdE 2031GFGNEH5PlGffo05wc46QkYU= 2032-----END CERTIFICATE-----` 2033 2034func TestRSAMissingNULLParameters(t *testing.T) { 2035 block, _ := pem.Decode([]byte(certMissingRSANULL)) 2036 if _, err := ParseCertificate(block.Bytes); err == nil { 2037 t.Error("unexpected success when parsing certificate with missing RSA NULL parameter") 2038 } else if !strings.Contains(err.Error(), "missing NULL") { 2039 t.Errorf("unrecognised error when parsing certificate with missing RSA NULL parameter: %s", err) 2040 } 2041} 2042 2043const certISOOID = ` 2044-----BEGIN CERTIFICATE----- 2045MIIB5TCCAVKgAwIBAgIQtwyL3RPWV7dJQp34HwZG9DAJBgUrDgMCHQUAMBExDzAN 2046BgNVBAMTBm15dGVzdDAeFw0xNjA4MDkyMjExMDVaFw0zOTEyMzEyMzU5NTlaMBEx 2047DzANBgNVBAMTBm15dGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArzIH 2048GsyDB3ohIGkkvijF2PTRUX1bvOtY1eUUpjwHyu0twpAKSuaQv2Ha+/63+aHe8O86 2049BT+98wjXFX6RFSagtAujo80rIF2dSm33BGt18pDN8v6zp93dnAm0jRaSQrHJ75xw 20505O+S1oEYR1LtUoFJy6qB104j6aINBAgOiLIKiMkCAwEAAaNGMEQwQgYDVR0BBDsw 2051OYAQVuYVQ/WDjdGSkZRlTtJDNKETMBExDzANBgNVBAMTBm15dGVzdIIQtwyL3RPW 2052V7dJQp34HwZG9DAJBgUrDgMCHQUAA4GBABngrSkH7vG5lY4sa4AZF59lAAXqBVJE 2053J4TBiKC62hCdZv18rBleP6ETfhbPg7pTs8p4ebQbpmtNxRS9Lw3MzQ8Ya5Ybwzj2 2054NwBSyCtCQl7mrEg4nJqJl4A2EUhnET/oVxU0oTV/SZ3ziGXcY1oG1s6vidV7TZTu 2055MCRtdSdaM7g3 2056-----END CERTIFICATE-----` 2057 2058func TestISOOIDInCertificate(t *testing.T) { 2059 block, _ := pem.Decode([]byte(certISOOID)) 2060 if cert, err := ParseCertificate(block.Bytes); err != nil { 2061 t.Errorf("certificate with ISO OID failed to parse: %s", err) 2062 } else if cert.SignatureAlgorithm == UnknownSignatureAlgorithm { 2063 t.Errorf("ISO OID not recognised in certificate") 2064 } 2065} 2066 2067// certMultipleRDN contains a RelativeDistinguishedName with two elements (the 2068// common name and serial number). This particular certificate was the first 2069// such certificate in the “Pilot” Certificate Transparency log. 2070const certMultipleRDN = ` 2071-----BEGIN CERTIFICATE----- 2072MIIFRzCCBC+gAwIBAgIEOl59NTANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJz 2073aTEbMBkGA1UEChMSc3RhdGUtaW5zdGl0dXRpb25zMREwDwYDVQQLEwhzaWdvdi1j 2074YTAeFw0xMjExMTYxMDUyNTdaFw0xNzExMTYxMjQ5MDVaMIGLMQswCQYDVQQGEwJz 2075aTEbMBkGA1UEChMSc3RhdGUtaW5zdGl0dXRpb25zMRkwFwYDVQQLExB3ZWItY2Vy 2076dGlmaWNhdGVzMRAwDgYDVQQLEwdTZXJ2ZXJzMTIwFAYDVQQFEw0xMjM2NDg0MDEw 2077MDEwMBoGA1UEAxMTZXBvcnRhbC5tc3MuZWR1cy5zaTCCASIwDQYJKoZIhvcNAQEB 2078BQADggEPADCCAQoCggEBAMrNkZH9MPuBTjMGNk3sJX8V+CkFx/4ru7RTlLS6dlYM 2079098dtSfJ3s2w0p/1NB9UmR8j0yS0Kg6yoZ3ShsSO4DWBtcQD8820a6BYwqxxQTNf 2080HSRZOc+N/4TQrvmK6t4k9Aw+YEYTMrWOU4UTeyhDeCcUsBdh7HjfWsVaqNky+2sv 2081oic3zP5gF+2QfPkvOoHT3FLR8olNhViIE6Kk3eFIEs4dkq/ZzlYdLb8pHQoj/sGI 2082zFmA5AFvm1HURqOmJriFjBwaCtn8AVEYOtQrnUCzJYu1ex8azyS2ZgYMX0u8A5Z/ 2083y2aMS/B2W+H79WcgLpK28vPwe7vam0oFrVytAd+u65ECAwEAAaOCAf4wggH6MA4G 2084A1UdDwEB/wQEAwIFoDBABgNVHSAEOTA3MDUGCisGAQQBr1kBAwMwJzAlBggrBgEF 2085BQcCARYZaHR0cDovL3d3dy5jYS5nb3Yuc2kvY3BzLzAfBgNVHREEGDAWgRRwb2Rw 2086b3JhLm1pemtzQGdvdi5zaTCB8QYDVR0fBIHpMIHmMFWgU6BRpE8wTTELMAkGA1UE 2087BhMCc2kxGzAZBgNVBAoTEnN0YXRlLWluc3RpdHV0aW9uczERMA8GA1UECxMIc2ln 2088b3YtY2ExDjAMBgNVBAMTBUNSTDM5MIGMoIGJoIGGhldsZGFwOi8veDUwMC5nb3Yu 2089c2kvb3U9c2lnb3YtY2Esbz1zdGF0ZS1pbnN0aXR1dGlvbnMsYz1zaT9jZXJ0aWZp 2090Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2WGK2h0dHA6Ly93d3cuc2lnb3YtY2EuZ292 2091LnNpL2NybC9zaWdvdi1jYS5jcmwwKwYDVR0QBCQwIoAPMjAxMjExMTYxMDUyNTda 2092gQ8yMDE3MTExNjEyNDkwNVowHwYDVR0jBBgwFoAUHvjUU2uzgwbpBAZXAvmlv8ZY 2093PHIwHQYDVR0OBBYEFGI1Duuu+wTGDZka/xHNbwcbM69ZMAkGA1UdEwQCMAAwGQYJ 2094KoZIhvZ9B0EABAwwChsEVjcuMQMCA6gwDQYJKoZIhvcNAQEFBQADggEBAHny0K1y 2095BQznrzDu3DDpBcGYguKU0dvU9rqsV1ua4nxkriSMWjgsX6XJFDdDW60I3P4VWab5 2096ag5fZzbGqi8kva/CzGgZh+CES0aWCPy+4Gb8lwOTt+854/laaJvd6kgKTER7z7U9 20979C86Ch2y4sXNwwwPJ1A9dmrZJZOcJjS/WYZgwaafY2Hdxub5jqPE5nehwYUPVu9R 2098uH6/skk4OEKcfOtN0hCnISOVuKYyS4ANARWRG5VGHIH06z3lGUVARFRJ61gtAprd 2099La+fgSS+LVZ+kU2TkeoWAKvGq8MAgDq4D4Xqwekg7WKFeuyusi/NI5rm40XgjBMF 2100DF72IUofoVt7wo0= 2101-----END CERTIFICATE-----` 2102 2103func TestMultipleRDN(t *testing.T) { 2104 block, _ := pem.Decode([]byte(certMultipleRDN)) 2105 cert, err := ParseCertificate(block.Bytes) 2106 if err != nil { 2107 t.Fatalf("certificate with two elements in an RDN failed to parse: %v", err) 2108 } 2109 2110 if want := "eportal.mss.edus.si"; cert.Subject.CommonName != want { 2111 t.Errorf("got common name of %q, but want %q", cert.Subject.CommonName, want) 2112 } 2113 2114 if want := "1236484010010"; cert.Subject.SerialNumber != want { 2115 t.Errorf("got serial number of %q, but want %q", cert.Subject.SerialNumber, want) 2116 } 2117} 2118 2119func TestSystemCertPool(t *testing.T) { 2120 if runtime.GOOS == "windows" { 2121 t.Skip("not implemented on Windows; Issue 16736, 18609") 2122 } 2123 _, err := SystemCertPool() 2124 if err != nil { 2125 t.Fatal(err) 2126 } 2127} 2128 2129const emptyNameConstraintsPEM = ` 2130-----BEGIN CERTIFICATE----- 2131MIIC1jCCAb6gAwIBAgICEjQwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UEAxMdRW1w 2132dHkgbmFtZSBjb25zdHJhaW50cyBpc3N1ZXIwHhcNMTMwMjAxMDAwMDAwWhcNMjAw 2133NTMwMTA0ODM4WjAhMR8wHQYDVQQDExZFbXB0eSBuYW1lIGNvbnN0cmFpbnRzMIIB 2134IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwriElUIt3LCqmJObs+yDoWPD 2135F5IqgWk6moIobYjPfextZiYU6I3EfvAwoNxPDkN2WowcocUZMJbEeEq5ebBksFnx 2136f12gBxlIViIYwZAzu7aFvhDMyPKQI3C8CG0ZSC9ABZ1E3umdA3CEueNOmP/TChNq 2137Cl23+BG1Qb/PJkpAO+GfpWSVhTcV53Mf/cKvFHcjGNrxzdSoq9fyW7a6gfcGEQY0 2138LVkmwFWUfJ0wT8kaeLr0E0tozkIfo01KNWNzv6NcYP80QOBRDlApWu9ODmEVJHPD 2139blx4jzTQ3JLa+4DvBNOjVUOp+mgRmjiW0rLdrxwOxIqIOwNjweMCp/hgxX/hTQID 2140AQABoxEwDzANBgNVHR4EBjAEoAChADANBgkqhkiG9w0BAQsFAAOCAQEAWG+/zUMH 2141QhP8uNCtgSHyim/vh7wminwAvWgMKxlkLBFns6nZeQqsOV1lABY7U0Zuoqa1Z5nb 21426L+iJa4ElREJOi/erLc9uLwBdDCAR0hUTKD7a6i4ooS39DTle87cUnj0MW1CUa6H 2143v5SsvpYW+1XleYJk/axQOOTcy4Es53dvnZsjXH0EA/QHnn7UV+JmlE3rtVxcYp6M 2144LYPmRhTioROA/drghicRkiu9hxdPyxkYS16M5g3Zj30jdm+k/6C6PeNtN9YmOOga 2145nCOSyFYfGhqOANYzpmuV+oIedAsPpIbfIzN8njYUs1zio+1IoI4o8ddM9sCbtPU8 2146o+WoY6IsCKXV/g== 2147-----END CERTIFICATE-----` 2148 2149func TestEmptyNameConstraints(t *testing.T) { 2150 block, _ := pem.Decode([]byte(emptyNameConstraintsPEM)) 2151 _, err := ParseCertificate(block.Bytes) 2152 if err == nil { 2153 t.Fatal("unexpected success") 2154 } 2155 2156 const expected = "empty name constraints" 2157 if str := err.Error(); !strings.Contains(str, expected) { 2158 t.Errorf("expected %q in error but got %q", expected, str) 2159 } 2160} 2161 2162func TestPKIXNameString(t *testing.T) { 2163 pem, err := hex.DecodeString(certBytes) 2164 if err != nil { 2165 t.Fatal(err) 2166 } 2167 certs, err := ParseCertificates(pem) 2168 if IsFatal(err) { 2169 t.Fatal(err) 2170 } 2171 2172 tests := []struct { 2173 dn pkix.Name 2174 want string 2175 }{ 2176 {pkix.Name{ 2177 CommonName: "Steve Kille", 2178 Organization: []string{"Isode Limited"}, 2179 OrganizationalUnit: []string{"RFCs"}, 2180 Locality: []string{"Richmond"}, 2181 Province: []string{"Surrey"}, 2182 StreetAddress: []string{"The Square"}, 2183 PostalCode: []string{"TW9 1DT"}, 2184 SerialNumber: "RFC 2253", 2185 Country: []string{"GB"}, 2186 }, "SERIALNUMBER=RFC 2253,CN=Steve Kille,OU=RFCs,O=Isode Limited,POSTALCODE=TW9 1DT,STREET=The Square,L=Richmond,ST=Surrey,C=GB"}, 2187 {certs[0].Subject, 2188 "CN=mail.google.com,O=Google Inc,L=Mountain View,ST=California,C=US"}, 2189 {pkix.Name{ 2190 Organization: []string{"#Google, Inc. \n-> 'Alphabet\" "}, 2191 Country: []string{"US"}, 2192 }, "O=\\#Google\\, Inc. \n-\\> 'Alphabet\\\"\\ ,C=US"}, 2193 {pkix.Name{ 2194 CommonName: "foo.com", 2195 Organization: []string{"Gopher Industries"}, 2196 ExtraNames: []pkix.AttributeTypeAndValue{ 2197 {Type: asn1.ObjectIdentifier([]int{2, 5, 4, 3}), Value: "bar.com"}}, 2198 }, "CN=bar.com,O=Gopher Industries"}, 2199 {pkix.Name{ 2200 Locality: []string{"Gophertown"}, 2201 ExtraNames: []pkix.AttributeTypeAndValue{ 2202 {Type: asn1.ObjectIdentifier([]int{1, 2, 3, 4, 5}), Value: "golang.org"}}, 2203 }, "1.2.3.4.5=#130a676f6c616e672e6f7267,L=Gophertown"}, 2204 } 2205 2206 for i, test := range tests { 2207 if got := test.dn.String(); got != test.want { 2208 t.Errorf("#%d: String() = \n%s\n, want \n%s", i, got, test.want) 2209 } 2210 } 2211} 2212 2213func TestRDNSequenceString(t *testing.T) { 2214 // Test some extra cases that get lost in pkix.Name conversions such as 2215 // multi-valued attributes. 2216 2217 var ( 2218 oidCountry = []int{2, 5, 4, 6} 2219 oidOrganization = []int{2, 5, 4, 10} 2220 oidOrganizationalUnit = []int{2, 5, 4, 11} 2221 oidCommonName = []int{2, 5, 4, 3} 2222 ) 2223 2224 tests := []struct { 2225 seq pkix.RDNSequence 2226 want string 2227 }{ 2228 { 2229 seq: pkix.RDNSequence{ 2230 pkix.RelativeDistinguishedNameSET{ 2231 pkix.AttributeTypeAndValue{Type: oidCountry, Value: "US"}, 2232 }, 2233 pkix.RelativeDistinguishedNameSET{ 2234 pkix.AttributeTypeAndValue{Type: oidOrganization, Value: "Widget Inc."}, 2235 }, 2236 pkix.RelativeDistinguishedNameSET{ 2237 pkix.AttributeTypeAndValue{Type: oidOrganizationalUnit, Value: "Sales"}, 2238 pkix.AttributeTypeAndValue{Type: oidCommonName, Value: "J. Smith"}, 2239 }, 2240 }, 2241 want: "OU=Sales+CN=J. Smith,O=Widget Inc.,C=US", 2242 }, 2243 } 2244 2245 for i, test := range tests { 2246 if got := test.seq.String(); got != test.want { 2247 t.Errorf("#%d: String() = \n%s\n, want \n%s", i, got, test.want) 2248 } 2249 } 2250} 2251 2252const criticalNameConstraintWithUnknownTypePEM = ` 2253-----BEGIN CERTIFICATE----- 2254MIIC/TCCAeWgAwIBAgICEjQwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UEAxMdRW1w 2255dHkgbmFtZSBjb25zdHJhaW50cyBpc3N1ZXIwHhcNMTMwMjAxMDAwMDAwWhcNMjAw 2256NTMwMTA0ODM4WjAhMR8wHQYDVQQDExZFbXB0eSBuYW1lIGNvbnN0cmFpbnRzMIIB 2257IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwriElUIt3LCqmJObs+yDoWPD 2258F5IqgWk6moIobYjPfextZiYU6I3EfvAwoNxPDkN2WowcocUZMJbEeEq5ebBksFnx 2259f12gBxlIViIYwZAzu7aFvhDMyPKQI3C8CG0ZSC9ABZ1E3umdA3CEueNOmP/TChNq 2260Cl23+BG1Qb/PJkpAO+GfpWSVhTcV53Mf/cKvFHcjGNrxzdSoq9fyW7a6gfcGEQY0 2261LVkmwFWUfJ0wT8kaeLr0E0tozkIfo01KNWNzv6NcYP80QOBRDlApWu9ODmEVJHPD 2262blx4jzTQ3JLa+4DvBNOjVUOp+mgRmjiW0rLdrxwOxIqIOwNjweMCp/hgxX/hTQID 2263AQABozgwNjA0BgNVHR4BAf8EKjAooCQwIokgIACrzQAAAAAAAAAAAAAAAP////8A 2264AAAAAAAAAAAAAAChADANBgkqhkiG9w0BAQsFAAOCAQEAWG+/zUMHQhP8uNCtgSHy 2265im/vh7wminwAvWgMKxlkLBFns6nZeQqsOV1lABY7U0Zuoqa1Z5nb6L+iJa4ElREJ 2266Oi/erLc9uLwBdDCAR0hUTKD7a6i4ooS39DTle87cUnj0MW1CUa6Hv5SsvpYW+1Xl 2267eYJk/axQOOTcy4Es53dvnZsjXH0EA/QHnn7UV+JmlE3rtVxcYp6MLYPmRhTioROA 2268/drghicRkiu9hxdPyxkYS16M5g3Zj30jdm+k/6C6PeNtN9YmOOganCOSyFYfGhqO 2269ANYzpmuV+oIedAsPpIbfIzN8njYUs1zio+1IoI4o8ddM9sCbtPU8o+WoY6IsCKXV 2270/g== 2271-----END CERTIFICATE-----` 2272 2273func TestCriticalNameConstraintWithUnknownType(t *testing.T) { 2274 block, _ := pem.Decode([]byte(criticalNameConstraintWithUnknownTypePEM)) 2275 cert, err := ParseCertificate(block.Bytes) 2276 if err != nil { 2277 t.Fatalf("unexpected parsing failure: %s", err) 2278 } 2279 2280 if l := len(cert.UnhandledCriticalExtensions); l != 1 { 2281 t.Fatalf("expected one unhandled critical extension, but found %d", l) 2282 } 2283} 2284 2285const badIPMaskPEM = ` 2286-----BEGIN CERTIFICATE----- 2287MIICzzCCAbegAwIBAgICEjQwDQYJKoZIhvcNAQELBQAwHTEbMBkGA1UEAxMSQmFk 2288IElQIG1hc2sgaXNzdWVyMB4XDTEzMDIwMTAwMDAwMFoXDTIwMDUzMDEwNDgzOFow 2289FjEUMBIGA1UEAxMLQmFkIElQIG1hc2swggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw 2290ggEKAoIBAQDCuISVQi3csKqYk5uz7IOhY8MXkiqBaTqagihtiM997G1mJhTojcR+ 22918DCg3E8OQ3ZajByhxRkwlsR4Srl5sGSwWfF/XaAHGUhWIhjBkDO7toW+EMzI8pAj 2292cLwIbRlIL0AFnUTe6Z0DcIS5406Y/9MKE2oKXbf4EbVBv88mSkA74Z+lZJWFNxXn 2293cx/9wq8UdyMY2vHN1Kir1/JbtrqB9wYRBjQtWSbAVZR8nTBPyRp4uvQTS2jOQh+j 2294TUo1Y3O/o1xg/zRA4FEOUCla704OYRUkc8NuXHiPNNDcktr7gO8E06NVQ6n6aBGa 2295OJbSst2vHA7Eiog7A2PB4wKn+GDFf+FNAgMBAAGjIDAeMBwGA1UdHgEB/wQSMBCg 2296DDAKhwgBAgME//8BAKEAMA0GCSqGSIb3DQEBCwUAA4IBAQBYb7/NQwdCE/y40K2B 2297IfKKb++HvCaKfAC9aAwrGWQsEWezqdl5Cqw5XWUAFjtTRm6iprVnmdvov6IlrgSV 2298EQk6L96stz24vAF0MIBHSFRMoPtrqLiihLf0NOV7ztxSePQxbUJRroe/lKy+lhb7 2299VeV5gmT9rFA45NzLgSznd2+dmyNcfQQD9AeeftRX4maUTeu1XFxinowtg+ZGFOKh 2300E4D92uCGJxGSK72HF0/LGRhLXozmDdmPfSN2b6T/oLo942031iY46BqcI5LIVh8a 2301Go4A1jOma5X6gh50Cw+kht8jM3yeNhSzXOKj7Uigjijx10z2wJu09Tyj5ahjoiwI 2302pdX+ 2303-----END CERTIFICATE-----` 2304 2305func TestBadIPMask(t *testing.T) { 2306 block, _ := pem.Decode([]byte(badIPMaskPEM)) 2307 _, err := ParseCertificate(block.Bytes) 2308 if err == nil { 2309 t.Fatalf("unexpected success") 2310 } 2311 2312 const expected = "contained invalid mask" 2313 if !strings.Contains(err.Error(), expected) { 2314 t.Fatalf("expected %q in error but got: %s", expected, err) 2315 } 2316} 2317 2318const additionalGeneralSubtreePEM = ` 2319-----BEGIN CERTIFICATE----- 2320MIIG4TCCBMmgAwIBAgIRALss+4rLw2Ia7tFFhxE8g5cwDQYJKoZIhvcNAQELBQAw 2321bjELMAkGA1UEBhMCTkwxIDAeBgNVBAoMF01pbmlzdGVyaWUgdmFuIERlZmVuc2ll 2322MT0wOwYDVQQDDDRNaW5pc3RlcmllIHZhbiBEZWZlbnNpZSBDZXJ0aWZpY2F0aWUg 2323QXV0b3JpdGVpdCAtIEcyMB4XDTEzMDMwNjEyMDM0OVoXDTEzMTEzMDEyMDM1MFow 2324bDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUNlcnRpUGF0aCBMTEMxIjAgBgNVBAsT 2325GUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxITAfBgNVBAMTGENlcnRpUGF0aCBC 2326cmlkZ2UgQ0EgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANLW 23274kXiRqvwBhJfN9uz12FA+P2D34MPxOt7TGXljm2plJ2CLzvaH8/ymsMdSWdJBS1M 23288FmwvNL1w3A6ZuzksJjPikAu8kY3dcp3mrkk9eCPORDAwGtfsXwZysLiuEaDWpbD 2329dHOaHnI6qWU0N6OI+hNX58EjDpIGC1WQdho1tHOTPc5Hf5/hOpM/29v/wr7kySjs 2330Z+7nsvkm5rNhuJNzPsLsgzVaJ5/BVyOplZy24FKM8Y43MjR4osZm+a2e0zniqw6/ 2331rvcjcGYabYaznZfQG1GXoyf2Vea+CCgpgUhlVafgkwEs8izl8rIpvBzXiFAgFQuG 2332Ituoy92PJbDs430fA/cCAwEAAaOCAnowggJ2MEUGCCsGAQUFBwEBBDkwNzA1Bggr 2333BgEFBQcwAoYpaHR0cDovL2NlcnRzLmNhLm1pbmRlZi5ubC9taW5kZWYtY2EtMi5w 2334N2MwHwYDVR0jBBgwFoAUzln9WSPz2M64Rl2HYf2/KD8StmQwDwYDVR0TAQH/BAUw 2335AwEB/zCB6QYDVR0gBIHhMIHeMEgGCmCEEAGHawECBQEwOjA4BggrBgEFBQcCARYs 2336aHR0cDovL2Nwcy5kcC5jYS5taW5kZWYubmwvbWluZGVmLWNhLWRwLWNwcy8wSAYK 2337YIQQAYdrAQIFAjA6MDgGCCsGAQUFBwIBFixodHRwOi8vY3BzLmRwLmNhLm1pbmRl 2338Zi5ubC9taW5kZWYtY2EtZHAtY3BzLzBIBgpghBABh2sBAgUDMDowOAYIKwYBBQUH 2339AgEWLGh0dHA6Ly9jcHMuZHAuY2EubWluZGVmLm5sL21pbmRlZi1jYS1kcC1jcHMv 2340MDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmxzLmNhLm1pbmRlZi5ubC9taW5k 2341ZWYtY2EtMi5jcmwwDgYDVR0PAQH/BAQDAgEGMEYGA1UdHgEB/wQ8MDqhODA2pDEw 2342LzELMAkGA1UEBhMCTkwxIDAeBgNVBAoTF01pbmlzdGVyaWUgdmFuIERlZmVuc2ll 2343gQFjMF0GA1UdIQRWMFQwGgYKYIQQAYdrAQIFAQYMKwYBBAGBu1MBAQECMBoGCmCE 2344EAGHawECBQIGDCsGAQQBgbtTAQEBAjAaBgpghBABh2sBAgUDBgwrBgEEAYG7UwEB 2345AQIwHQYDVR0OBBYEFNDCjBM3M3ZKkag84ei3/aKc0d0UMA0GCSqGSIb3DQEBCwUA 2346A4ICAQAQXFn9jF90/DNFf15JhoGtta/0dNInb14PMu3PAjcdrXYCDPpQZOArTUng 23475YT1WuzfmjnXiTsziT3my0r9Mxvz/btKK/lnVOMW4c2q/8sIsIPnnW5ZaRGrsANB 2348dNDZkzMYmeG2Pfgvd0AQSOrpE/TVgWfu/+MMRWwX9y6VbooBR7BLv7zMuVH0WqLn 23496OMFth7fqsThlfMSzkE/RDSaU6n3wXAWT1SIqBITtccRjSUQUFm/q3xrb2cwcZA6 23508vdS4hzNd+ttS905ay31Ks4/1Wrm1bH5RhEfRSH0VSXnc0b+z+RyBbmiwtVZqzxE 2351u3UQg/rAmtLDclLFEzjp8YDTIRYSLwstDbEXO/0ArdGrQm79HQ8i/3ZbP2357myW 2352i15qd6gMJIgGHS4b8Hc7R1K8LQ9Gm1aLKBEWVNGZlPK/cpXThpVmoEyslN2DHCrc 2353fbMbjNZpXlTMa+/b9z7Fa4X8dY8u/ELzZuJXJv5Rmqtg29eopFFYDCl0Nkh1XAjo 2354QejEoHHUvYV8TThHZr6Z6Ib8CECgTehU4QvepkgDXNoNrKRZBG0JhLjkwxh2whZq 2355nvWBfALC2VuNOM6C0rDY+HmhMlVt0XeqnybD9MuQALMit7Z00Cw2CIjNsBI9xBqD 2356xKK9CjUb7gzRUWSpB9jGHsvpEMHOzIFhufvH2Bz1XJw+Cl7khw== 2357-----END CERTIFICATE-----` 2358 2359func TestAdditionFieldsInGeneralSubtree(t *testing.T) { 2360 // Very rarely, certificates can include additional fields in the 2361 // GeneralSubtree structure. This tests that such certificates can be 2362 // parsed. 2363 block, _ := pem.Decode([]byte(additionalGeneralSubtreePEM)) 2364 if _, err := ParseCertificate(block.Bytes); IsFatal(err) { 2365 t.Fatalf("failed to parse certificate: %s", err) 2366 } 2367} 2368 2369func TestEmptySubject(t *testing.T) { 2370 template := Certificate{ 2371 SerialNumber: big.NewInt(1), 2372 DNSNames: []string{"example.com"}, 2373 } 2374 2375 derBytes, err := CreateCertificate(rand.Reader, &template, &template, &testPrivateKey.PublicKey, testPrivateKey) 2376 if err != nil { 2377 t.Fatalf("failed to create certificate: %s", err) 2378 } 2379 2380 cert, err := ParseCertificate(derBytes) 2381 if err != nil { 2382 t.Fatalf("failed to parse certificate: %s", err) 2383 } 2384 2385 for _, ext := range cert.Extensions { 2386 if ext.Id.Equal(OIDExtensionSubjectAltName) { 2387 if !ext.Critical { 2388 t.Fatal("SAN extension is not critical") 2389 } 2390 return 2391 } 2392 } 2393 2394 t.Fatal("SAN extension is missing") 2395} 2396 2397// multipleURLsInCRLDPPEM contains two URLs in a single CRL DistributionPoint 2398// structure. It is taken from https://crt.sh/?id=12721534. 2399const multipleURLsInCRLDPPEM = ` 2400-----BEGIN CERTIFICATE----- 2401MIIF4TCCBMmgAwIBAgIQc+6uFePfrahUGpXs8lhiTzANBgkqhkiG9w0BAQsFADCB 24028zELMAkGA1UEBhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2Vy 2403dGlmaWNhY2lvIChOSUYgUS0wODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1 2404YmxpY3MgZGUgQ2VydGlmaWNhY2lvMTUwMwYDVQQLEyxWZWdldSBodHRwczovL3d3 2405dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAoYykwMzE1MDMGA1UECxMsSmVyYXJxdWlh 2406IEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRhbGFuZXMxDzANBgNVBAMTBkVD 2407LUFDQzAeFw0xNDA5MTgwODIxMDBaFw0zMDA5MTgwODIxMDBaMIGGMQswCQYDVQQG 2408EwJFUzEzMDEGA1UECgwqQ09OU09SQ0kgQURNSU5JU1RSQUNJTyBPQkVSVEEgREUg 2409Q0FUQUxVTllBMSowKAYDVQQLDCFTZXJ2ZWlzIFDDumJsaWNzIGRlIENlcnRpZmlj 2410YWNpw7MxFjAUBgNVBAMMDUVDLUNpdXRhZGFuaWEwggEiMA0GCSqGSIb3DQEBAQUA 2411A4IBDwAwggEKAoIBAQDFkHPRZPZlXTWZ5psJhbS/Gx+bxcTpGrlVQHHtIkgGz77y 2412TA7UZUFb2EQMncfbOhR0OkvQQn1aMvhObFJSR6nI+caf2D+h/m/InMl1MyH3S0Ak 2413YGZZsthnyC6KxqK2A/NApncrOreh70ULkQs45aOKsi1kR1W0zE+iFN+/P19P7AkL 2414Rl3bXBCVd8w+DLhcwRrkf1FCDw6cEqaFm3cGgf5cbBDMaVYAweWTxwBZAq2RbQAW 2415jE7mledcYghcZa4U6bUmCBPuLOnO8KMFAvH+aRzaf3ws5/ZoOVmryyLLJVZ54peZ 2416OwnP9EL4OuWzmXCjBifXR2IAblxs5JYj57tls45nAgMBAAGjggHaMIIB1jASBgNV 2417HRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUC2hZPofI 2418oxUa4ECCIl+fHbLFNxUwHwYDVR0jBBgwFoAUoMOLRKo3pUW/l4Ba0fF4opvpXY0w 2419gdYGA1UdIASBzjCByzCByAYEVR0gADCBvzAxBggrBgEFBQcCARYlaHR0cHM6Ly93 2420d3cuYW9jLmNhdC9DQVRDZXJ0L1JlZ3VsYWNpbzCBiQYIKwYBBQUHAgIwfQx7QXF1 2421ZXN0IGNlcnRpZmljYXQgw6lzIGVtw6hzIMO6bmljYSBpIGV4Y2x1c2l2YW1lbnQg 2422YSBFbnRpdGF0cyBkZSBDZXJ0aWZpY2FjacOzLiBWZWdldSBodHRwczovL3d3dy5h 2423b2MuY2F0L0NBVENlcnQvUmVndWxhY2lvMDMGCCsGAQUFBwEBBCcwJTAjBggrBgEF 2424BQcwAYYXaHR0cDovL29jc3AuY2F0Y2VydC5jYXQwYgYDVR0fBFswWTBXoFWgU4Yn 2425aHR0cDovL2Vwc2NkLmNhdGNlcnQubmV0L2NybC9lYy1hY2MuY3JshihodHRwOi8v 2426ZXBzY2QyLmNhdGNlcnQubmV0L2NybC9lYy1hY2MuY3JsMA0GCSqGSIb3DQEBCwUA 2427A4IBAQChqFTjlAH5PyIhLjLgEs68CyNNC1+vDuZXRhy22TI83JcvGmQrZosPvVIL 2428PsUXx+C06Pfqmh48Q9S89X9K8w1SdJxP/rZeGEoRiKpwvQzM4ArD9QxyC8jirxex 24293Umg9Ai/sXQ+1lBf6xw4HfUUr1WIp7pNHj0ZWLo106urqktcdeAFWme+/klis5fu 2430labCSVPuT/QpwakPrtqOhRms8vgpKiXa/eLtL9ZiA28X/Mker0zlAeTA7Z7uAnp6 2431oPJTlZu1Gg1ZDJueTWWsLlO+P+Wzm3MRRIbcgdRzm4mdO7ubu26SzX/aQXDhuih+ 2432eVxXDTCfs7GUlxnjOp5j559X/N0A 2433-----END CERTIFICATE----- 2434` 2435 2436func TestMultipleURLsInCRLDP(t *testing.T) { 2437 block, _ := pem.Decode([]byte(multipleURLsInCRLDPPEM)) 2438 cert, err := ParseCertificate(block.Bytes) 2439 if err != nil { 2440 t.Fatalf("failed to parse certificate: %s", err) 2441 } 2442 2443 want := []string{ 2444 "http://epscd.catcert.net/crl/ec-acc.crl", 2445 "http://epscd2.catcert.net/crl/ec-acc.crl", 2446 } 2447 if got := cert.CRLDistributionPoints; !reflect.DeepEqual(got, want) { 2448 t.Errorf("CRL distribution points = %#v, want #%v", got, want) 2449 } 2450} 2451 2452func TestParseCertificateFail(t *testing.T) { 2453 var tests = []struct { 2454 desc string 2455 in string 2456 wantErr string 2457 }{ 2458 {desc: "SubjectInfoEmpty", in: "testdata/invalid/xf-ext-subject-info-empty.pem", wantErr: "empty SubjectInfoAccess"}, 2459 {desc: "RSAParamsNonNULL", in: "testdata/invalid/xf-pubkey-rsa-param-nonnull.pem", wantErr: "RSA key missing NULL parameters"}, 2460 {desc: "EmptyEKU", in: "testdata/invalid/xf-ext-extended-key-usage-empty.pem", wantErr: "empty ExtendedKeyUsage"}, 2461 {desc: "SECp192r1TooShort", in: "testdata/invalid/xf-pubkey-ecdsa-secp192r1.pem", wantErr: "insecure curve (secp192r1)"}, 2462 } 2463 for _, test := range tests { 2464 t.Run(test.desc, func(t *testing.T) { 2465 data, err := ioutil.ReadFile(test.in) 2466 if err != nil { 2467 t.Fatalf("failed to read test data: %v", err) 2468 } 2469 block, _ := pem.Decode(data) 2470 got, err := ParseCertificate(block.Bytes) 2471 if err == nil { 2472 t.Fatalf("ParseCertificate()=%+v,nil; want nil, err containing %q", got, test.wantErr) 2473 } 2474 if !strings.Contains(err.Error(), test.wantErr) { 2475 t.Fatalf("ParseCertificate()=_,%v; want nil, err containing %q", err, test.wantErr) 2476 } 2477 }) 2478 } 2479} 2480