github.com/adnan-c/fabric_e2e_couchdb@v0.6.1-preview.0.20170228180935-21ce6b23cf91/accesscontrol/crypto/utils/x509.go

github.com/adnan-c/fabric_e2e_couchdb@v0.6.1-preview.0.20170228180935-21ce6b23cf91/accesscontrol/crypto/utils/x509.go (about)

     1  /*
     2  Copyright IBM Corp. 2016 All Rights Reserved.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8  		 http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package utils
    18  
    19  import (
    20  	"crypto/rand"
    21  	"crypto/x509"
    22  	"crypto/x509/pkix"
    23  	"encoding/asn1"
    24  	"errors"
    25  	"math/big"
    26  	"net"
    27  	"time"
    28  )
    29  
    30  var (
    31  	// TCertEncTCertIndex oid for TCertIndex
    32  	TCertEncTCertIndex = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7}
    33  
    34  	// TCertEncEnrollmentID is the ASN1 object identifier of the TCert index.
    35  	TCertEncEnrollmentID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 8}
    36  
    37  	// TCertEncAttributesBase is the base ASN1 object identifier for attributes.
    38  	// When generating an extension to include the attribute an index will be
    39  	// appended to this Object Identifier.
    40  	TCertEncAttributesBase = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6}
    41  
    42  	// TCertAttributesHeaders is the ASN1 object identifier of attributes header.
    43  	TCertAttributesHeaders = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 9}
    44  )
    45  
    46  // DERToX509Certificate converts der to x509
    47  func DERToX509Certificate(asn1Data []byte) (*x509.Certificate, error) {
    48  	return x509.ParseCertificate(asn1Data)
    49  }
    50  
    51  // GetCriticalExtension returns a requested critical extension. It also remove it from the list
    52  // of unhandled critical extensions
    53  func GetCriticalExtension(cert *x509.Certificate, oid asn1.ObjectIdentifier) ([]byte, error) {
    54  	for i, ext := range cert.UnhandledCriticalExtensions {
    55  		if IntArrayEquals(ext, oid) {
    56  			cert.UnhandledCriticalExtensions = append(cert.UnhandledCriticalExtensions[:i], cert.UnhandledCriticalExtensions[i+1:]...)
    57  
    58  			break
    59  		}
    60  	}
    61  
    62  	for _, ext := range cert.Extensions {
    63  		if IntArrayEquals(ext.Id, oid) {
    64  			return ext.Value, nil
    65  		}
    66  	}
    67  
    68  	return nil, errors.New("Failed retrieving extension.")
    69  }
    70  
    71  // NewSelfSignedCert create a self signed certificate
    72  func NewSelfSignedCert() ([]byte, interface{}, error) {
    73  	privKey, err := NewECDSAKey()
    74  	if err != nil {
    75  		return nil, nil, err
    76  	}
    77  
    78  	testExtKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
    79  	testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}}
    80  	extraExtensionData := []byte("extra extension")
    81  	commonName := "test.example.com"
    82  	template := x509.Certificate{
    83  		SerialNumber: big.NewInt(1),
    84  		Subject: pkix.Name{
    85  			CommonName:   commonName,
    86  			Organization: []string{"Σ Acme Co"},
    87  			Country:      []string{"US"},
    88  			ExtraNames: []pkix.AttributeTypeAndValue{
    89  				{
    90  					Type:  []int{2, 5, 4, 42},
    91  					Value: "Gopher",
    92  				},
    93  				// This should override the Country, above.
    94  				{
    95  					Type:  []int{2, 5, 4, 6},
    96  					Value: "NL",
    97  				},
    98  			},
    99  		},
   100  		NotBefore: time.Now().Add(-1 * time.Hour),
   101  		NotAfter:  time.Now().Add(1 * time.Hour),
   102  
   103  		SignatureAlgorithm: x509.ECDSAWithSHA384,
   104  
   105  		SubjectKeyId: []byte{1, 2, 3, 4},
   106  		KeyUsage:     x509.KeyUsageCertSign,
   107  
   108  		ExtKeyUsage:        testExtKeyUsage,
   109  		UnknownExtKeyUsage: testUnknownExtKeyUsage,
   110  
   111  		BasicConstraintsValid: true,
   112  		IsCA: true,
   113  
   114  		OCSPServer:            []string{"http://ocsp.example.com"},
   115  		IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"},
   116  
   117  		DNSNames:       []string{"test.example.com"},
   118  		EmailAddresses: []string{"gopher@golang.org"},
   119  		IPAddresses:    []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")},
   120  
   121  		PolicyIdentifiers:   []asn1.ObjectIdentifier{[]int{1, 2, 3}},
   122  		PermittedDNSDomains: []string{".example.com", "example.com"},
   123  
   124  		CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"},
   125  
   126  		ExtraExtensions: []pkix.Extension{
   127  			{
   128  				Id:    []int{1, 2, 3, 4},
   129  				Value: extraExtensionData,
   130  			},
   131  		},
   132  	}
   133  
   134  	cert, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
   135  	if err != nil {
   136  		return nil, nil, err
   137  	}
   138  
   139  	return cert, privKey, nil
   140  }