github.com/geraldss/go/src@v0.0.0-20210511222824-ac7d0ebfc235/crypto/x509/x509.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Package x509 parses X.509-encoded keys and certificates. 6 package x509 7 8 import ( 9 "bytes" 10 "crypto" 11 "crypto/dsa" 12 "crypto/ecdsa" 13 "crypto/ed25519" 14 "crypto/elliptic" 15 "crypto/rsa" 16 "crypto/sha1" 17 "crypto/x509/pkix" 18 "encoding/asn1" 19 "encoding/pem" 20 "errors" 21 "fmt" 22 "io" 23 "math/big" 24 "net" 25 "net/url" 26 "strconv" 27 "strings" 28 "time" 29 "unicode" 30 31 // Explicitly import these for their crypto.RegisterHash init side-effects. 32 // Keep these as blank imports, even if they're imported above. 33 _ "crypto/sha1" 34 _ "crypto/sha256" 35 _ "crypto/sha512" 36 37 "golang.org/x/crypto/cryptobyte" 38 cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" 39 ) 40 41 // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo 42 // in RFC 3280. 43 type pkixPublicKey struct { 44 Algo pkix.AlgorithmIdentifier 45 BitString asn1.BitString 46 } 47 48 // ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form. 49 // The encoded public key is a SubjectPublicKeyInfo structure 50 // (see RFC 5280, Section 4.1). 51 // 52 // It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or 53 // ed25519.PublicKey. More types might be supported in the future. 54 // 55 // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY". 56 func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) { 57 var pki publicKeyInfo 58 if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil { 59 if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil { 60 return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)") 61 } 62 return nil, err 63 } else if len(rest) != 0 { 64 return nil, errors.New("x509: trailing data after ASN.1 of public-key") 65 } 66 algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm) 67 if algo == UnknownPublicKeyAlgorithm { 68 return nil, errors.New("x509: unknown public key algorithm") 69 } 70 return parsePublicKey(algo, &pki) 71 } 72 73 func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) { 74 switch pub := pub.(type) { 75 case *rsa.PublicKey: 76 publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{ 77 N: pub.N, 78 E: pub.E, 79 }) 80 if err != nil { 81 return nil, pkix.AlgorithmIdentifier{}, err 82 } 83 publicKeyAlgorithm.Algorithm = oidPublicKeyRSA 84 // This is a NULL parameters value which is required by 85 // RFC 3279, Section 2.3.1. 86 publicKeyAlgorithm.Parameters = asn1.NullRawValue 87 case *ecdsa.PublicKey: 88 publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) 89 oid, ok := oidFromNamedCurve(pub.Curve) 90 if !ok { 91 return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve") 92 } 93 publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA 94 var paramBytes []byte 95 paramBytes, err = asn1.Marshal(oid) 96 if err != nil { 97 return 98 } 99 publicKeyAlgorithm.Parameters.FullBytes = paramBytes 100 case ed25519.PublicKey: 101 publicKeyBytes = pub 102 publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519 103 default: 104 return nil, pkix.AlgorithmIdentifier{}, fmt.Errorf("x509: unsupported public key type: %T", pub) 105 } 106 107 return publicKeyBytes, publicKeyAlgorithm, nil 108 } 109 110 // MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form. 111 // The encoded public key is a SubjectPublicKeyInfo structure 112 // (see RFC 5280, Section 4.1). 113 // 114 // The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey 115 // and ed25519.PublicKey. Unsupported key types result in an error. 116 // 117 // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY". 118 func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) { 119 var publicKeyBytes []byte 120 var publicKeyAlgorithm pkix.AlgorithmIdentifier 121 var err error 122 123 if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil { 124 return nil, err 125 } 126 127 pkix := pkixPublicKey{ 128 Algo: publicKeyAlgorithm, 129 BitString: asn1.BitString{ 130 Bytes: publicKeyBytes, 131 BitLength: 8 * len(publicKeyBytes), 132 }, 133 } 134 135 ret, _ := asn1.Marshal(pkix) 136 return ret, nil 137 } 138 139 // These structures reflect the ASN.1 structure of X.509 certificates.: 140 141 type certificate struct { 142 Raw asn1.RawContent 143 TBSCertificate tbsCertificate 144 SignatureAlgorithm pkix.AlgorithmIdentifier 145 SignatureValue asn1.BitString 146 } 147 148 type tbsCertificate struct { 149 Raw asn1.RawContent 150 Version int `asn1:"optional,explicit,default:0,tag:0"` 151 SerialNumber *big.Int 152 SignatureAlgorithm pkix.AlgorithmIdentifier 153 Issuer asn1.RawValue 154 Validity validity 155 Subject asn1.RawValue 156 PublicKey publicKeyInfo 157 UniqueId asn1.BitString `asn1:"optional,tag:1"` 158 SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"` 159 Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"` 160 } 161 162 type dsaAlgorithmParameters struct { 163 P, Q, G *big.Int 164 } 165 166 type validity struct { 167 NotBefore, NotAfter time.Time 168 } 169 170 type publicKeyInfo struct { 171 Raw asn1.RawContent 172 Algorithm pkix.AlgorithmIdentifier 173 PublicKey asn1.BitString 174 } 175 176 // RFC 5280, 4.2.1.1 177 type authKeyId struct { 178 Id []byte `asn1:"optional,tag:0"` 179 } 180 181 type SignatureAlgorithm int 182 183 const ( 184 UnknownSignatureAlgorithm SignatureAlgorithm = iota 185 186 MD2WithRSA // Unsupported. 187 MD5WithRSA // Only supported for signing, not verification. 188 SHA1WithRSA 189 SHA256WithRSA 190 SHA384WithRSA 191 SHA512WithRSA 192 DSAWithSHA1 // Unsupported. 193 DSAWithSHA256 // Unsupported. 194 ECDSAWithSHA1 195 ECDSAWithSHA256 196 ECDSAWithSHA384 197 ECDSAWithSHA512 198 SHA256WithRSAPSS 199 SHA384WithRSAPSS 200 SHA512WithRSAPSS 201 PureEd25519 202 ) 203 204 func (algo SignatureAlgorithm) isRSAPSS() bool { 205 switch algo { 206 case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS: 207 return true 208 default: 209 return false 210 } 211 } 212 213 func (algo SignatureAlgorithm) String() string { 214 for _, details := range signatureAlgorithmDetails { 215 if details.algo == algo { 216 return details.name 217 } 218 } 219 return strconv.Itoa(int(algo)) 220 } 221 222 type PublicKeyAlgorithm int 223 224 const ( 225 UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota 226 RSA 227 DSA // Unsupported. 228 ECDSA 229 Ed25519 230 ) 231 232 var publicKeyAlgoName = [...]string{ 233 RSA: "RSA", 234 DSA: "DSA", 235 ECDSA: "ECDSA", 236 Ed25519: "Ed25519", 237 } 238 239 func (algo PublicKeyAlgorithm) String() string { 240 if 0 < algo && int(algo) < len(publicKeyAlgoName) { 241 return publicKeyAlgoName[algo] 242 } 243 return strconv.Itoa(int(algo)) 244 } 245 246 // OIDs for signature algorithms 247 // 248 // pkcs-1 OBJECT IDENTIFIER ::= { 249 // iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } 250 // 251 // 252 // RFC 3279 2.2.1 RSA Signature Algorithms 253 // 254 // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } 255 // 256 // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } 257 // 258 // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } 259 // 260 // dsaWithSha1 OBJECT IDENTIFIER ::= { 261 // iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 } 262 // 263 // RFC 3279 2.2.3 ECDSA Signature Algorithm 264 // 265 // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { 266 // iso(1) member-body(2) us(840) ansi-x962(10045) 267 // signatures(4) ecdsa-with-SHA1(1)} 268 // 269 // 270 // RFC 4055 5 PKCS #1 Version 1.5 271 // 272 // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } 273 // 274 // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } 275 // 276 // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } 277 // 278 // 279 // RFC 5758 3.1 DSA Signature Algorithms 280 // 281 // dsaWithSha256 OBJECT IDENTIFIER ::= { 282 // joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) 283 // csor(3) algorithms(4) id-dsa-with-sha2(3) 2} 284 // 285 // RFC 5758 3.2 ECDSA Signature Algorithm 286 // 287 // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 288 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } 289 // 290 // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 291 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } 292 // 293 // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 294 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 } 295 // 296 // 297 // RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers 298 // 299 // id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 } 300 301 var ( 302 oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} 303 oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} 304 oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} 305 oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} 306 oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} 307 oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} 308 oidSignatureRSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} 309 oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3} 310 oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2} 311 oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1} 312 oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2} 313 oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3} 314 oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4} 315 oidSignatureEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112} 316 317 oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} 318 oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} 319 oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3} 320 321 oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8} 322 323 // oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA 324 // but it's specified by ISO. Microsoft's makecert.exe has been known 325 // to produce certificates with this OID. 326 oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29} 327 ) 328 329 var signatureAlgorithmDetails = []struct { 330 algo SignatureAlgorithm 331 name string 332 oid asn1.ObjectIdentifier 333 pubKeyAlgo PublicKeyAlgorithm 334 hash crypto.Hash 335 }{ 336 {MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */}, 337 {MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5}, 338 {SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1}, 339 {SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1}, 340 {SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256}, 341 {SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384}, 342 {SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512}, 343 {SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256}, 344 {SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384}, 345 {SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512}, 346 {DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1}, 347 {DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256}, 348 {ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1}, 349 {ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256}, 350 {ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384}, 351 {ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512}, 352 {PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */}, 353 } 354 355 // hashToPSSParameters contains the DER encoded RSA PSS parameters for the 356 // SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3. 357 // The parameters contain the following values: 358 // * hashAlgorithm contains the associated hash identifier with NULL parameters 359 // * maskGenAlgorithm always contains the default mgf1SHA1 identifier 360 // * saltLength contains the length of the associated hash 361 // * trailerField always contains the default trailerFieldBC value 362 var hashToPSSParameters = map[crypto.Hash]asn1.RawValue{ 363 crypto.SHA256: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 162, 3, 2, 1, 32}}, 364 crypto.SHA384: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 162, 3, 2, 1, 48}}, 365 crypto.SHA512: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 162, 3, 2, 1, 64}}, 366 } 367 368 // pssParameters reflects the parameters in an AlgorithmIdentifier that 369 // specifies RSA PSS. See RFC 3447, Appendix A.2.3. 370 type pssParameters struct { 371 // The following three fields are not marked as 372 // optional because the default values specify SHA-1, 373 // which is no longer suitable for use in signatures. 374 Hash pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"` 375 MGF pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"` 376 SaltLength int `asn1:"explicit,tag:2"` 377 TrailerField int `asn1:"optional,explicit,tag:3,default:1"` 378 } 379 380 func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm { 381 if ai.Algorithm.Equal(oidSignatureEd25519) { 382 // RFC 8410, Section 3 383 // > For all of the OIDs, the parameters MUST be absent. 384 if len(ai.Parameters.FullBytes) != 0 { 385 return UnknownSignatureAlgorithm 386 } 387 } 388 389 if !ai.Algorithm.Equal(oidSignatureRSAPSS) { 390 for _, details := range signatureAlgorithmDetails { 391 if ai.Algorithm.Equal(details.oid) { 392 return details.algo 393 } 394 } 395 return UnknownSignatureAlgorithm 396 } 397 398 // RSA PSS is special because it encodes important parameters 399 // in the Parameters. 400 401 var params pssParameters 402 if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, ¶ms); err != nil { 403 return UnknownSignatureAlgorithm 404 } 405 406 var mgf1HashFunc pkix.AlgorithmIdentifier 407 if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil { 408 return UnknownSignatureAlgorithm 409 } 410 411 // PSS is greatly overburdened with options. This code forces them into 412 // three buckets by requiring that the MGF1 hash function always match the 413 // message hash function (as recommended in RFC 3447, Section 8.1), that the 414 // salt length matches the hash length, and that the trailer field has the 415 // default value. 416 if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) || 417 !params.MGF.Algorithm.Equal(oidMGF1) || 418 !mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) || 419 (len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) || 420 params.TrailerField != 1 { 421 return UnknownSignatureAlgorithm 422 } 423 424 switch { 425 case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32: 426 return SHA256WithRSAPSS 427 case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48: 428 return SHA384WithRSAPSS 429 case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64: 430 return SHA512WithRSAPSS 431 } 432 433 return UnknownSignatureAlgorithm 434 } 435 436 // RFC 3279, 2.3 Public Key Algorithms 437 // 438 // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840) 439 // rsadsi(113549) pkcs(1) 1 } 440 // 441 // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 } 442 // 443 // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840) 444 // x9-57(10040) x9cm(4) 1 } 445 // 446 // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters 447 // 448 // id-ecPublicKey OBJECT IDENTIFIER ::= { 449 // iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } 450 var ( 451 oidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} 452 oidPublicKeyDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1} 453 oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1} 454 oidPublicKeyEd25519 = oidSignatureEd25519 455 ) 456 457 func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm { 458 switch { 459 case oid.Equal(oidPublicKeyRSA): 460 return RSA 461 case oid.Equal(oidPublicKeyDSA): 462 return DSA 463 case oid.Equal(oidPublicKeyECDSA): 464 return ECDSA 465 case oid.Equal(oidPublicKeyEd25519): 466 return Ed25519 467 } 468 return UnknownPublicKeyAlgorithm 469 } 470 471 // RFC 5480, 2.1.1.1. Named Curve 472 // 473 // secp224r1 OBJECT IDENTIFIER ::= { 474 // iso(1) identified-organization(3) certicom(132) curve(0) 33 } 475 // 476 // secp256r1 OBJECT IDENTIFIER ::= { 477 // iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 478 // prime(1) 7 } 479 // 480 // secp384r1 OBJECT IDENTIFIER ::= { 481 // iso(1) identified-organization(3) certicom(132) curve(0) 34 } 482 // 483 // secp521r1 OBJECT IDENTIFIER ::= { 484 // iso(1) identified-organization(3) certicom(132) curve(0) 35 } 485 // 486 // NB: secp256r1 is equivalent to prime256v1 487 var ( 488 oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33} 489 oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7} 490 oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34} 491 oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35} 492 ) 493 494 func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve { 495 switch { 496 case oid.Equal(oidNamedCurveP224): 497 return elliptic.P224() 498 case oid.Equal(oidNamedCurveP256): 499 return elliptic.P256() 500 case oid.Equal(oidNamedCurveP384): 501 return elliptic.P384() 502 case oid.Equal(oidNamedCurveP521): 503 return elliptic.P521() 504 } 505 return nil 506 } 507 508 func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) { 509 switch curve { 510 case elliptic.P224(): 511 return oidNamedCurveP224, true 512 case elliptic.P256(): 513 return oidNamedCurveP256, true 514 case elliptic.P384(): 515 return oidNamedCurveP384, true 516 case elliptic.P521(): 517 return oidNamedCurveP521, true 518 } 519 520 return nil, false 521 } 522 523 // KeyUsage represents the set of actions that are valid for a given key. It's 524 // a bitmap of the KeyUsage* constants. 525 type KeyUsage int 526 527 const ( 528 KeyUsageDigitalSignature KeyUsage = 1 << iota 529 KeyUsageContentCommitment 530 KeyUsageKeyEncipherment 531 KeyUsageDataEncipherment 532 KeyUsageKeyAgreement 533 KeyUsageCertSign 534 KeyUsageCRLSign 535 KeyUsageEncipherOnly 536 KeyUsageDecipherOnly 537 ) 538 539 // RFC 5280, 4.2.1.12 Extended Key Usage 540 // 541 // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } 542 // 543 // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } 544 // 545 // id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } 546 // id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } 547 // id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } 548 // id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } 549 // id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } 550 // id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } 551 var ( 552 oidExtKeyUsageAny = asn1.ObjectIdentifier{2, 5, 29, 37, 0} 553 oidExtKeyUsageServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1} 554 oidExtKeyUsageClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2} 555 oidExtKeyUsageCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3} 556 oidExtKeyUsageEmailProtection = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4} 557 oidExtKeyUsageIPSECEndSystem = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5} 558 oidExtKeyUsageIPSECTunnel = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6} 559 oidExtKeyUsageIPSECUser = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7} 560 oidExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8} 561 oidExtKeyUsageOCSPSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9} 562 oidExtKeyUsageMicrosoftServerGatedCrypto = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3} 563 oidExtKeyUsageNetscapeServerGatedCrypto = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1} 564 oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22} 565 oidExtKeyUsageMicrosoftKernelCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1} 566 ) 567 568 // ExtKeyUsage represents an extended set of actions that are valid for a given key. 569 // Each of the ExtKeyUsage* constants define a unique action. 570 type ExtKeyUsage int 571 572 const ( 573 ExtKeyUsageAny ExtKeyUsage = iota 574 ExtKeyUsageServerAuth 575 ExtKeyUsageClientAuth 576 ExtKeyUsageCodeSigning 577 ExtKeyUsageEmailProtection 578 ExtKeyUsageIPSECEndSystem 579 ExtKeyUsageIPSECTunnel 580 ExtKeyUsageIPSECUser 581 ExtKeyUsageTimeStamping 582 ExtKeyUsageOCSPSigning 583 ExtKeyUsageMicrosoftServerGatedCrypto 584 ExtKeyUsageNetscapeServerGatedCrypto 585 ExtKeyUsageMicrosoftCommercialCodeSigning 586 ExtKeyUsageMicrosoftKernelCodeSigning 587 ) 588 589 // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID. 590 var extKeyUsageOIDs = []struct { 591 extKeyUsage ExtKeyUsage 592 oid asn1.ObjectIdentifier 593 }{ 594 {ExtKeyUsageAny, oidExtKeyUsageAny}, 595 {ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth}, 596 {ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth}, 597 {ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning}, 598 {ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection}, 599 {ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem}, 600 {ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel}, 601 {ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser}, 602 {ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping}, 603 {ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning}, 604 {ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto}, 605 {ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto}, 606 {ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning}, 607 {ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning}, 608 } 609 610 func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) { 611 for _, pair := range extKeyUsageOIDs { 612 if oid.Equal(pair.oid) { 613 return pair.extKeyUsage, true 614 } 615 } 616 return 617 } 618 619 func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) { 620 for _, pair := range extKeyUsageOIDs { 621 if eku == pair.extKeyUsage { 622 return pair.oid, true 623 } 624 } 625 return 626 } 627 628 // A Certificate represents an X.509 certificate. 629 type Certificate struct { 630 Raw []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature). 631 RawTBSCertificate []byte // Certificate part of raw ASN.1 DER content. 632 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo. 633 RawSubject []byte // DER encoded Subject 634 RawIssuer []byte // DER encoded Issuer 635 636 Signature []byte 637 SignatureAlgorithm SignatureAlgorithm 638 639 PublicKeyAlgorithm PublicKeyAlgorithm 640 PublicKey interface{} 641 642 Version int 643 SerialNumber *big.Int 644 Issuer pkix.Name 645 Subject pkix.Name 646 NotBefore, NotAfter time.Time // Validity bounds. 647 KeyUsage KeyUsage 648 649 // Extensions contains raw X.509 extensions. When parsing certificates, 650 // this can be used to extract non-critical extensions that are not 651 // parsed by this package. When marshaling certificates, the Extensions 652 // field is ignored, see ExtraExtensions. 653 Extensions []pkix.Extension 654 655 // ExtraExtensions contains extensions to be copied, raw, into any 656 // marshaled certificates. Values override any extensions that would 657 // otherwise be produced based on the other fields. The ExtraExtensions 658 // field is not populated when parsing certificates, see Extensions. 659 ExtraExtensions []pkix.Extension 660 661 // UnhandledCriticalExtensions contains a list of extension IDs that 662 // were not (fully) processed when parsing. Verify will fail if this 663 // slice is non-empty, unless verification is delegated to an OS 664 // library which understands all the critical extensions. 665 // 666 // Users can access these extensions using Extensions and can remove 667 // elements from this slice if they believe that they have been 668 // handled. 669 UnhandledCriticalExtensions []asn1.ObjectIdentifier 670 671 ExtKeyUsage []ExtKeyUsage // Sequence of extended key usages. 672 UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package. 673 674 // BasicConstraintsValid indicates whether IsCA, MaxPathLen, 675 // and MaxPathLenZero are valid. 676 BasicConstraintsValid bool 677 IsCA bool 678 679 // MaxPathLen and MaxPathLenZero indicate the presence and 680 // value of the BasicConstraints' "pathLenConstraint". 681 // 682 // When parsing a certificate, a positive non-zero MaxPathLen 683 // means that the field was specified, -1 means it was unset, 684 // and MaxPathLenZero being true mean that the field was 685 // explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false 686 // should be treated equivalent to -1 (unset). 687 // 688 // When generating a certificate, an unset pathLenConstraint 689 // can be requested with either MaxPathLen == -1 or using the 690 // zero value for both MaxPathLen and MaxPathLenZero. 691 MaxPathLen int 692 // MaxPathLenZero indicates that BasicConstraintsValid==true 693 // and MaxPathLen==0 should be interpreted as an actual 694 // maximum path length of zero. Otherwise, that combination is 695 // interpreted as MaxPathLen not being set. 696 MaxPathLenZero bool 697 698 SubjectKeyId []byte 699 AuthorityKeyId []byte 700 701 // RFC 5280, 4.2.2.1 (Authority Information Access) 702 OCSPServer []string 703 IssuingCertificateURL []string 704 705 // Subject Alternate Name values. (Note that these values may not be valid 706 // if invalid values were contained within a parsed certificate. For 707 // example, an element of DNSNames may not be a valid DNS domain name.) 708 DNSNames []string 709 EmailAddresses []string 710 IPAddresses []net.IP 711 URIs []*url.URL 712 713 // Name constraints 714 PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical. 715 PermittedDNSDomains []string 716 ExcludedDNSDomains []string 717 PermittedIPRanges []*net.IPNet 718 ExcludedIPRanges []*net.IPNet 719 PermittedEmailAddresses []string 720 ExcludedEmailAddresses []string 721 PermittedURIDomains []string 722 ExcludedURIDomains []string 723 724 // CRL Distribution Points 725 CRLDistributionPoints []string 726 727 PolicyIdentifiers []asn1.ObjectIdentifier 728 } 729 730 // ErrUnsupportedAlgorithm results from attempting to perform an operation that 731 // involves algorithms that are not currently implemented. 732 var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented") 733 734 // An InsecureAlgorithmError 735 type InsecureAlgorithmError SignatureAlgorithm 736 737 func (e InsecureAlgorithmError) Error() string { 738 return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e)) 739 } 740 741 // ConstraintViolationError results when a requested usage is not permitted by 742 // a certificate. For example: checking a signature when the public key isn't a 743 // certificate signing key. 744 type ConstraintViolationError struct{} 745 746 func (ConstraintViolationError) Error() string { 747 return "x509: invalid signature: parent certificate cannot sign this kind of certificate" 748 } 749 750 func (c *Certificate) Equal(other *Certificate) bool { 751 if c == nil || other == nil { 752 return c == other 753 } 754 return bytes.Equal(c.Raw, other.Raw) 755 } 756 757 func (c *Certificate) hasSANExtension() bool { 758 return oidInExtensions(oidExtensionSubjectAltName, c.Extensions) 759 } 760 761 // CheckSignatureFrom verifies that the signature on c is a valid signature 762 // from parent. 763 func (c *Certificate) CheckSignatureFrom(parent *Certificate) error { 764 // RFC 5280, 4.2.1.9: 765 // "If the basic constraints extension is not present in a version 3 766 // certificate, or the extension is present but the cA boolean is not 767 // asserted, then the certified public key MUST NOT be used to verify 768 // certificate signatures." 769 if parent.Version == 3 && !parent.BasicConstraintsValid || 770 parent.BasicConstraintsValid && !parent.IsCA { 771 return ConstraintViolationError{} 772 } 773 774 if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 { 775 return ConstraintViolationError{} 776 } 777 778 if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm { 779 return ErrUnsupportedAlgorithm 780 } 781 782 // TODO(agl): don't ignore the path length constraint. 783 784 return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) 785 } 786 787 // CheckSignature verifies that signature is a valid signature over signed from 788 // c's public key. 789 func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error { 790 return checkSignature(algo, signed, signature, c.PublicKey) 791 } 792 793 func (c *Certificate) hasNameConstraints() bool { 794 return oidInExtensions(oidExtensionNameConstraints, c.Extensions) 795 } 796 797 func (c *Certificate) getSANExtension() []byte { 798 for _, e := range c.Extensions { 799 if e.Id.Equal(oidExtensionSubjectAltName) { 800 return e.Value 801 } 802 } 803 return nil 804 } 805 806 func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error { 807 return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey) 808 } 809 810 // CheckSignature verifies that signature is a valid signature over signed from 811 // a crypto.PublicKey. 812 func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) { 813 var hashType crypto.Hash 814 var pubKeyAlgo PublicKeyAlgorithm 815 816 for _, details := range signatureAlgorithmDetails { 817 if details.algo == algo { 818 hashType = details.hash 819 pubKeyAlgo = details.pubKeyAlgo 820 } 821 } 822 823 switch hashType { 824 case crypto.Hash(0): 825 if pubKeyAlgo != Ed25519 { 826 return ErrUnsupportedAlgorithm 827 } 828 case crypto.MD5: 829 return InsecureAlgorithmError(algo) 830 default: 831 if !hashType.Available() { 832 return ErrUnsupportedAlgorithm 833 } 834 h := hashType.New() 835 h.Write(signed) 836 signed = h.Sum(nil) 837 } 838 839 switch pub := publicKey.(type) { 840 case *rsa.PublicKey: 841 if pubKeyAlgo != RSA { 842 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 843 } 844 if algo.isRSAPSS() { 845 return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}) 846 } else { 847 return rsa.VerifyPKCS1v15(pub, hashType, signed, signature) 848 } 849 case *ecdsa.PublicKey: 850 if pubKeyAlgo != ECDSA { 851 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 852 } 853 if !ecdsa.VerifyASN1(pub, signed, signature) { 854 return errors.New("x509: ECDSA verification failure") 855 } 856 return 857 case ed25519.PublicKey: 858 if pubKeyAlgo != Ed25519 { 859 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub) 860 } 861 if !ed25519.Verify(pub, signed, signature) { 862 return errors.New("x509: Ed25519 verification failure") 863 } 864 return 865 } 866 return ErrUnsupportedAlgorithm 867 } 868 869 // CheckCRLSignature checks that the signature in crl is from c. 870 func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error { 871 algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm) 872 return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign()) 873 } 874 875 type UnhandledCriticalExtension struct{} 876 877 func (h UnhandledCriticalExtension) Error() string { 878 return "x509: unhandled critical extension" 879 } 880 881 type basicConstraints struct { 882 IsCA bool `asn1:"optional"` 883 MaxPathLen int `asn1:"optional,default:-1"` 884 } 885 886 // RFC 5280 4.2.1.4 887 type policyInformation struct { 888 Policy asn1.ObjectIdentifier 889 // policyQualifiers omitted 890 } 891 892 const ( 893 nameTypeEmail = 1 894 nameTypeDNS = 2 895 nameTypeURI = 6 896 nameTypeIP = 7 897 ) 898 899 // RFC 5280, 4.2.2.1 900 type authorityInfoAccess struct { 901 Method asn1.ObjectIdentifier 902 Location asn1.RawValue 903 } 904 905 // RFC 5280, 4.2.1.14 906 type distributionPoint struct { 907 DistributionPoint distributionPointName `asn1:"optional,tag:0"` 908 Reason asn1.BitString `asn1:"optional,tag:1"` 909 CRLIssuer asn1.RawValue `asn1:"optional,tag:2"` 910 } 911 912 type distributionPointName struct { 913 FullName []asn1.RawValue `asn1:"optional,tag:0"` 914 RelativeName pkix.RDNSequence `asn1:"optional,tag:1"` 915 } 916 917 func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) { 918 asn1Data := keyData.PublicKey.RightAlign() 919 switch algo { 920 case RSA: 921 // RSA public keys must have a NULL in the parameters. 922 // See RFC 3279, Section 2.3.1. 923 if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) { 924 return nil, errors.New("x509: RSA key missing NULL parameters") 925 } 926 927 p := new(pkcs1PublicKey) 928 rest, err := asn1.Unmarshal(asn1Data, p) 929 if err != nil { 930 return nil, err 931 } 932 if len(rest) != 0 { 933 return nil, errors.New("x509: trailing data after RSA public key") 934 } 935 936 if p.N.Sign() <= 0 { 937 return nil, errors.New("x509: RSA modulus is not a positive number") 938 } 939 if p.E <= 0 { 940 return nil, errors.New("x509: RSA public exponent is not a positive number") 941 } 942 943 pub := &rsa.PublicKey{ 944 E: p.E, 945 N: p.N, 946 } 947 return pub, nil 948 case DSA: 949 var p *big.Int 950 rest, err := asn1.Unmarshal(asn1Data, &p) 951 if err != nil { 952 return nil, err 953 } 954 if len(rest) != 0 { 955 return nil, errors.New("x509: trailing data after DSA public key") 956 } 957 paramsData := keyData.Algorithm.Parameters.FullBytes 958 params := new(dsaAlgorithmParameters) 959 rest, err = asn1.Unmarshal(paramsData, params) 960 if err != nil { 961 return nil, err 962 } 963 if len(rest) != 0 { 964 return nil, errors.New("x509: trailing data after DSA parameters") 965 } 966 if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0 || params.G.Sign() <= 0 { 967 return nil, errors.New("x509: zero or negative DSA parameter") 968 } 969 pub := &dsa.PublicKey{ 970 Parameters: dsa.Parameters{ 971 P: params.P, 972 Q: params.Q, 973 G: params.G, 974 }, 975 Y: p, 976 } 977 return pub, nil 978 case ECDSA: 979 paramsData := keyData.Algorithm.Parameters.FullBytes 980 namedCurveOID := new(asn1.ObjectIdentifier) 981 rest, err := asn1.Unmarshal(paramsData, namedCurveOID) 982 if err != nil { 983 return nil, errors.New("x509: failed to parse ECDSA parameters as named curve") 984 } 985 if len(rest) != 0 { 986 return nil, errors.New("x509: trailing data after ECDSA parameters") 987 } 988 namedCurve := namedCurveFromOID(*namedCurveOID) 989 if namedCurve == nil { 990 return nil, errors.New("x509: unsupported elliptic curve") 991 } 992 x, y := elliptic.Unmarshal(namedCurve, asn1Data) 993 if x == nil { 994 return nil, errors.New("x509: failed to unmarshal elliptic curve point") 995 } 996 pub := &ecdsa.PublicKey{ 997 Curve: namedCurve, 998 X: x, 999 Y: y, 1000 } 1001 return pub, nil 1002 case Ed25519: 1003 // RFC 8410, Section 3 1004 // > For all of the OIDs, the parameters MUST be absent. 1005 if len(keyData.Algorithm.Parameters.FullBytes) != 0 { 1006 return nil, errors.New("x509: Ed25519 key encoded with illegal parameters") 1007 } 1008 if len(asn1Data) != ed25519.PublicKeySize { 1009 return nil, errors.New("x509: wrong Ed25519 public key size") 1010 } 1011 pub := make([]byte, ed25519.PublicKeySize) 1012 copy(pub, asn1Data) 1013 return ed25519.PublicKey(pub), nil 1014 default: 1015 return nil, nil 1016 } 1017 } 1018 1019 func forEachSAN(extension []byte, callback func(tag int, data []byte) error) error { 1020 // RFC 5280, 4.2.1.6 1021 1022 // SubjectAltName ::= GeneralNames 1023 // 1024 // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 1025 // 1026 // GeneralName ::= CHOICE { 1027 // otherName [0] OtherName, 1028 // rfc822Name [1] IA5String, 1029 // dNSName [2] IA5String, 1030 // x400Address [3] ORAddress, 1031 // directoryName [4] Name, 1032 // ediPartyName [5] EDIPartyName, 1033 // uniformResourceIdentifier [6] IA5String, 1034 // iPAddress [7] OCTET STRING, 1035 // registeredID [8] OBJECT IDENTIFIER } 1036 var seq asn1.RawValue 1037 rest, err := asn1.Unmarshal(extension, &seq) 1038 if err != nil { 1039 return err 1040 } else if len(rest) != 0 { 1041 return errors.New("x509: trailing data after X.509 extension") 1042 } 1043 if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 { 1044 return asn1.StructuralError{Msg: "bad SAN sequence"} 1045 } 1046 1047 rest = seq.Bytes 1048 for len(rest) > 0 { 1049 var v asn1.RawValue 1050 rest, err = asn1.Unmarshal(rest, &v) 1051 if err != nil { 1052 return err 1053 } 1054 1055 if err := callback(v.Tag, v.Bytes); err != nil { 1056 return err 1057 } 1058 } 1059 1060 return nil 1061 } 1062 1063 func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) { 1064 err = forEachSAN(value, func(tag int, data []byte) error { 1065 switch tag { 1066 case nameTypeEmail: 1067 email := string(data) 1068 if err := isIA5String(email); err != nil { 1069 return errors.New("x509: SAN rfc822Name is malformed") 1070 } 1071 emailAddresses = append(emailAddresses, email) 1072 case nameTypeDNS: 1073 name := string(data) 1074 if err := isIA5String(name); err != nil { 1075 return errors.New("x509: SAN dNSName is malformed") 1076 } 1077 dnsNames = append(dnsNames, string(name)) 1078 case nameTypeURI: 1079 uriStr := string(data) 1080 if err := isIA5String(uriStr); err != nil { 1081 return errors.New("x509: SAN uniformResourceIdentifier is malformed") 1082 } 1083 uri, err := url.Parse(uriStr) 1084 if err != nil { 1085 return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err) 1086 } 1087 if len(uri.Host) > 0 { 1088 if _, ok := domainToReverseLabels(uri.Host); !ok { 1089 return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr) 1090 } 1091 } 1092 uris = append(uris, uri) 1093 case nameTypeIP: 1094 switch len(data) { 1095 case net.IPv4len, net.IPv6len: 1096 ipAddresses = append(ipAddresses, data) 1097 default: 1098 return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data))) 1099 } 1100 } 1101 1102 return nil 1103 }) 1104 1105 return 1106 } 1107 1108 // isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits. 1109 func isValidIPMask(mask []byte) bool { 1110 seenZero := false 1111 1112 for _, b := range mask { 1113 if seenZero { 1114 if b != 0 { 1115 return false 1116 } 1117 1118 continue 1119 } 1120 1121 switch b { 1122 case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe: 1123 seenZero = true 1124 case 0xff: 1125 default: 1126 return false 1127 } 1128 } 1129 1130 return true 1131 } 1132 1133 func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) { 1134 // RFC 5280, 4.2.1.10 1135 1136 // NameConstraints ::= SEQUENCE { 1137 // permittedSubtrees [0] GeneralSubtrees OPTIONAL, 1138 // excludedSubtrees [1] GeneralSubtrees OPTIONAL } 1139 // 1140 // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree 1141 // 1142 // GeneralSubtree ::= SEQUENCE { 1143 // base GeneralName, 1144 // minimum [0] BaseDistance DEFAULT 0, 1145 // maximum [1] BaseDistance OPTIONAL } 1146 // 1147 // BaseDistance ::= INTEGER (0..MAX) 1148 1149 outer := cryptobyte.String(e.Value) 1150 var toplevel, permitted, excluded cryptobyte.String 1151 var havePermitted, haveExcluded bool 1152 if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) || 1153 !outer.Empty() || 1154 !toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) || 1155 !toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) || 1156 !toplevel.Empty() { 1157 return false, errors.New("x509: invalid NameConstraints extension") 1158 } 1159 1160 if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 { 1161 // From RFC 5280, Section 4.2.1.10: 1162 // “either the permittedSubtrees field 1163 // or the excludedSubtrees MUST be 1164 // present” 1165 return false, errors.New("x509: empty name constraints extension") 1166 } 1167 1168 getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) { 1169 for !subtrees.Empty() { 1170 var seq, value cryptobyte.String 1171 var tag cryptobyte_asn1.Tag 1172 if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) || 1173 !seq.ReadAnyASN1(&value, &tag) { 1174 return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension") 1175 } 1176 1177 var ( 1178 dnsTag = cryptobyte_asn1.Tag(2).ContextSpecific() 1179 emailTag = cryptobyte_asn1.Tag(1).ContextSpecific() 1180 ipTag = cryptobyte_asn1.Tag(7).ContextSpecific() 1181 uriTag = cryptobyte_asn1.Tag(6).ContextSpecific() 1182 ) 1183 1184 switch tag { 1185 case dnsTag: 1186 domain := string(value) 1187 if err := isIA5String(domain); err != nil { 1188 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 1189 } 1190 1191 trimmedDomain := domain 1192 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { 1193 // constraints can have a leading 1194 // period to exclude the domain 1195 // itself, but that's not valid in a 1196 // normal domain name. 1197 trimmedDomain = trimmedDomain[1:] 1198 } 1199 if _, ok := domainToReverseLabels(trimmedDomain); !ok { 1200 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain) 1201 } 1202 dnsNames = append(dnsNames, domain) 1203 1204 case ipTag: 1205 l := len(value) 1206 var ip, mask []byte 1207 1208 switch l { 1209 case 8: 1210 ip = value[:4] 1211 mask = value[4:] 1212 1213 case 32: 1214 ip = value[:16] 1215 mask = value[16:] 1216 1217 default: 1218 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l) 1219 } 1220 1221 if !isValidIPMask(mask) { 1222 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask) 1223 } 1224 1225 ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)}) 1226 1227 case emailTag: 1228 constraint := string(value) 1229 if err := isIA5String(constraint); err != nil { 1230 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 1231 } 1232 1233 // If the constraint contains an @ then 1234 // it specifies an exact mailbox name. 1235 if strings.Contains(constraint, "@") { 1236 if _, ok := parseRFC2821Mailbox(constraint); !ok { 1237 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) 1238 } 1239 } else { 1240 // Otherwise it's a domain name. 1241 domain := constraint 1242 if len(domain) > 0 && domain[0] == '.' { 1243 domain = domain[1:] 1244 } 1245 if _, ok := domainToReverseLabels(domain); !ok { 1246 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) 1247 } 1248 } 1249 emails = append(emails, constraint) 1250 1251 case uriTag: 1252 domain := string(value) 1253 if err := isIA5String(domain); err != nil { 1254 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) 1255 } 1256 1257 if net.ParseIP(domain) != nil { 1258 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) 1259 } 1260 1261 trimmedDomain := domain 1262 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { 1263 // constraints can have a leading 1264 // period to exclude the domain itself, 1265 // but that's not valid in a normal 1266 // domain name. 1267 trimmedDomain = trimmedDomain[1:] 1268 } 1269 if _, ok := domainToReverseLabels(trimmedDomain); !ok { 1270 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain) 1271 } 1272 uriDomains = append(uriDomains, domain) 1273 1274 default: 1275 unhandled = true 1276 } 1277 } 1278 1279 return dnsNames, ips, emails, uriDomains, nil 1280 } 1281 1282 if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil { 1283 return false, err 1284 } 1285 if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil { 1286 return false, err 1287 } 1288 out.PermittedDNSDomainsCritical = e.Critical 1289 1290 return unhandled, nil 1291 } 1292 1293 func parseCertificate(in *certificate) (*Certificate, error) { 1294 out := new(Certificate) 1295 out.Raw = in.Raw 1296 out.RawTBSCertificate = in.TBSCertificate.Raw 1297 out.RawSubjectPublicKeyInfo = in.TBSCertificate.PublicKey.Raw 1298 out.RawSubject = in.TBSCertificate.Subject.FullBytes 1299 out.RawIssuer = in.TBSCertificate.Issuer.FullBytes 1300 1301 out.Signature = in.SignatureValue.RightAlign() 1302 out.SignatureAlgorithm = 1303 getSignatureAlgorithmFromAI(in.TBSCertificate.SignatureAlgorithm) 1304 1305 out.PublicKeyAlgorithm = 1306 getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorithm.Algorithm) 1307 var err error 1308 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey) 1309 if err != nil { 1310 return nil, err 1311 } 1312 1313 out.Version = in.TBSCertificate.Version + 1 1314 out.SerialNumber = in.TBSCertificate.SerialNumber 1315 1316 var issuer, subject pkix.RDNSequence 1317 if rest, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subject); err != nil { 1318 return nil, err 1319 } else if len(rest) != 0 { 1320 return nil, errors.New("x509: trailing data after X.509 subject") 1321 } 1322 if rest, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer); err != nil { 1323 return nil, err 1324 } else if len(rest) != 0 { 1325 return nil, errors.New("x509: trailing data after X.509 issuer") 1326 } 1327 1328 out.Issuer.FillFromRDNSequence(&issuer) 1329 out.Subject.FillFromRDNSequence(&subject) 1330 1331 out.NotBefore = in.TBSCertificate.Validity.NotBefore 1332 out.NotAfter = in.TBSCertificate.Validity.NotAfter 1333 1334 for _, e := range in.TBSCertificate.Extensions { 1335 out.Extensions = append(out.Extensions, e) 1336 unhandled := false 1337 1338 if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 { 1339 switch e.Id[3] { 1340 case 15: 1341 out.KeyUsage, err = parseKeyUsageExtension(e.Value) 1342 if err != nil { 1343 return nil, err 1344 } 1345 case 19: 1346 out.IsCA, out.MaxPathLen, err = parseBasicConstraintsExtension(e.Value) 1347 if err != nil { 1348 return nil, err 1349 } 1350 out.BasicConstraintsValid = true 1351 out.MaxPathLenZero = out.MaxPathLen == 0 1352 case 17: 1353 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value) 1354 if err != nil { 1355 return nil, err 1356 } 1357 1358 if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 { 1359 // If we didn't parse anything then we do the critical check, below. 1360 unhandled = true 1361 } 1362 1363 case 30: 1364 unhandled, err = parseNameConstraintsExtension(out, e) 1365 if err != nil { 1366 return nil, err 1367 } 1368 1369 case 31: 1370 // RFC 5280, 4.2.1.13 1371 1372 // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint 1373 // 1374 // DistributionPoint ::= SEQUENCE { 1375 // distributionPoint [0] DistributionPointName OPTIONAL, 1376 // reasons [1] ReasonFlags OPTIONAL, 1377 // cRLIssuer [2] GeneralNames OPTIONAL } 1378 // 1379 // DistributionPointName ::= CHOICE { 1380 // fullName [0] GeneralNames, 1381 // nameRelativeToCRLIssuer [1] RelativeDistinguishedName } 1382 1383 var cdp []distributionPoint 1384 if rest, err := asn1.Unmarshal(e.Value, &cdp); err != nil { 1385 return nil, err 1386 } else if len(rest) != 0 { 1387 return nil, errors.New("x509: trailing data after X.509 CRL distribution point") 1388 } 1389 1390 for _, dp := range cdp { 1391 // Per RFC 5280, 4.2.1.13, one of distributionPoint or cRLIssuer may be empty. 1392 if len(dp.DistributionPoint.FullName) == 0 { 1393 continue 1394 } 1395 1396 for _, fullName := range dp.DistributionPoint.FullName { 1397 if fullName.Tag == 6 { 1398 out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(fullName.Bytes)) 1399 } 1400 } 1401 } 1402 1403 case 35: 1404 // RFC 5280, 4.2.1.1 1405 var a authKeyId 1406 if rest, err := asn1.Unmarshal(e.Value, &a); err != nil { 1407 return nil, err 1408 } else if len(rest) != 0 { 1409 return nil, errors.New("x509: trailing data after X.509 authority key-id") 1410 } 1411 out.AuthorityKeyId = a.Id 1412 1413 case 37: 1414 out.ExtKeyUsage, out.UnknownExtKeyUsage, err = parseExtKeyUsageExtension(e.Value) 1415 if err != nil { 1416 return nil, err 1417 } 1418 case 14: 1419 out.SubjectKeyId, err = parseSubjectKeyIdExtension(e.Value) 1420 if err != nil { 1421 return nil, err 1422 } 1423 case 32: 1424 out.PolicyIdentifiers, err = parseCertificatePoliciesExtension(e.Value) 1425 if err != nil { 1426 return nil, err 1427 } 1428 default: 1429 // Unknown extensions are recorded if critical. 1430 unhandled = true 1431 } 1432 } else if e.Id.Equal(oidExtensionAuthorityInfoAccess) { 1433 // RFC 5280 4.2.2.1: Authority Information Access 1434 var aia []authorityInfoAccess 1435 if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil { 1436 return nil, err 1437 } else if len(rest) != 0 { 1438 return nil, errors.New("x509: trailing data after X.509 authority information") 1439 } 1440 1441 for _, v := range aia { 1442 // GeneralName: uniformResourceIdentifier [6] IA5String 1443 if v.Location.Tag != 6 { 1444 continue 1445 } 1446 if v.Method.Equal(oidAuthorityInfoAccessOcsp) { 1447 out.OCSPServer = append(out.OCSPServer, string(v.Location.Bytes)) 1448 } else if v.Method.Equal(oidAuthorityInfoAccessIssuers) { 1449 out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(v.Location.Bytes)) 1450 } 1451 } 1452 } else { 1453 // Unknown extensions are recorded if critical. 1454 unhandled = true 1455 } 1456 1457 if e.Critical && unhandled { 1458 out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id) 1459 } 1460 } 1461 1462 return out, nil 1463 } 1464 1465 // parseKeyUsageExtension parses id-ce-keyUsage (2.5.29.15) from RFC 5280 1466 // Section 4.2.1.3 1467 func parseKeyUsageExtension(ext []byte) (KeyUsage, error) { 1468 var usageBits asn1.BitString 1469 if rest, err := asn1.Unmarshal(ext, &usageBits); err != nil { 1470 return 0, err 1471 } else if len(rest) != 0 { 1472 return 0, errors.New("x509: trailing data after X.509 KeyUsage") 1473 } 1474 1475 var usage int 1476 for i := 0; i < 9; i++ { 1477 if usageBits.At(i) != 0 { 1478 usage |= 1 << uint(i) 1479 } 1480 } 1481 return KeyUsage(usage), nil 1482 } 1483 1484 // parseBasicConstraintsExtension parses id-ce-basicConstraints (2.5.29.19) 1485 // from RFC 5280 Section 4.2.1.9 1486 func parseBasicConstraintsExtension(ext []byte) (isCA bool, maxPathLen int, err error) { 1487 var constraints basicConstraints 1488 if rest, err := asn1.Unmarshal(ext, &constraints); err != nil { 1489 return false, 0, err 1490 } else if len(rest) != 0 { 1491 return false, 0, errors.New("x509: trailing data after X.509 BasicConstraints") 1492 } 1493 1494 // TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285) 1495 return constraints.IsCA, constraints.MaxPathLen, nil 1496 } 1497 1498 // parseExtKeyUsageExtension parses id-ce-extKeyUsage (2.5.29.37) from 1499 // RFC 5280 Section 4.2.1.12 1500 func parseExtKeyUsageExtension(ext []byte) ([]ExtKeyUsage, []asn1.ObjectIdentifier, error) { 1501 var keyUsage []asn1.ObjectIdentifier 1502 if rest, err := asn1.Unmarshal(ext, &keyUsage); err != nil { 1503 return nil, nil, err 1504 } else if len(rest) != 0 { 1505 return nil, nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage") 1506 } 1507 1508 var extKeyUsages []ExtKeyUsage 1509 var unknownUsages []asn1.ObjectIdentifier 1510 for _, u := range keyUsage { 1511 if extKeyUsage, ok := extKeyUsageFromOID(u); ok { 1512 extKeyUsages = append(extKeyUsages, extKeyUsage) 1513 } else { 1514 unknownUsages = append(unknownUsages, u) 1515 } 1516 } 1517 return extKeyUsages, unknownUsages, nil 1518 } 1519 1520 // parseSubjectKeyIdExtension parses id-ce-subjectKeyIdentifier (2.5.29.14) 1521 // from RFC 5280 Section 4.2.1.2 1522 func parseSubjectKeyIdExtension(ext []byte) ([]byte, error) { 1523 var keyid []byte 1524 if rest, err := asn1.Unmarshal(ext, &keyid); err != nil { 1525 return nil, err 1526 } else if len(rest) != 0 { 1527 return nil, errors.New("x509: trailing data after X.509 key-id") 1528 } 1529 return keyid, nil 1530 } 1531 1532 func parseCertificatePoliciesExtension(ext []byte) ([]asn1.ObjectIdentifier, error) { 1533 var policies []policyInformation 1534 if rest, err := asn1.Unmarshal(ext, &policies); err != nil { 1535 return nil, err 1536 } else if len(rest) != 0 { 1537 return nil, errors.New("x509: trailing data after X.509 certificate policies") 1538 } 1539 oids := make([]asn1.ObjectIdentifier, len(policies)) 1540 for i, policy := range policies { 1541 oids[i] = policy.Policy 1542 } 1543 return oids, nil 1544 } 1545 1546 // ParseCertificate parses a single certificate from the given ASN.1 DER data. 1547 func ParseCertificate(asn1Data []byte) (*Certificate, error) { 1548 var cert certificate 1549 rest, err := asn1.Unmarshal(asn1Data, &cert) 1550 if err != nil { 1551 return nil, err 1552 } 1553 if len(rest) > 0 { 1554 return nil, asn1.SyntaxError{Msg: "trailing data"} 1555 } 1556 1557 return parseCertificate(&cert) 1558 } 1559 1560 // ParseCertificates parses one or more certificates from the given ASN.1 DER 1561 // data. The certificates must be concatenated with no intermediate padding. 1562 func ParseCertificates(asn1Data []byte) ([]*Certificate, error) { 1563 var v []*certificate 1564 1565 for len(asn1Data) > 0 { 1566 cert := new(certificate) 1567 var err error 1568 asn1Data, err = asn1.Unmarshal(asn1Data, cert) 1569 if err != nil { 1570 return nil, err 1571 } 1572 v = append(v, cert) 1573 } 1574 1575 ret := make([]*Certificate, len(v)) 1576 for i, ci := range v { 1577 cert, err := parseCertificate(ci) 1578 if err != nil { 1579 return nil, err 1580 } 1581 ret[i] = cert 1582 } 1583 1584 return ret, nil 1585 } 1586 1587 func reverseBitsInAByte(in byte) byte { 1588 b1 := in>>4 | in<<4 1589 b2 := b1>>2&0x33 | b1<<2&0xcc 1590 b3 := b2>>1&0x55 | b2<<1&0xaa 1591 return b3 1592 } 1593 1594 // asn1BitLength returns the bit-length of bitString by considering the 1595 // most-significant bit in a byte to be the "first" bit. This convention 1596 // matches ASN.1, but differs from almost everything else. 1597 func asn1BitLength(bitString []byte) int { 1598 bitLen := len(bitString) * 8 1599 1600 for i := range bitString { 1601 b := bitString[len(bitString)-i-1] 1602 1603 for bit := uint(0); bit < 8; bit++ { 1604 if (b>>bit)&1 == 1 { 1605 return bitLen 1606 } 1607 bitLen-- 1608 } 1609 } 1610 1611 return 0 1612 } 1613 1614 var ( 1615 oidExtensionSubjectKeyId = []int{2, 5, 29, 14} 1616 oidExtensionKeyUsage = []int{2, 5, 29, 15} 1617 oidExtensionExtendedKeyUsage = []int{2, 5, 29, 37} 1618 oidExtensionAuthorityKeyId = []int{2, 5, 29, 35} 1619 oidExtensionBasicConstraints = []int{2, 5, 29, 19} 1620 oidExtensionSubjectAltName = []int{2, 5, 29, 17} 1621 oidExtensionCertificatePolicies = []int{2, 5, 29, 32} 1622 oidExtensionNameConstraints = []int{2, 5, 29, 30} 1623 oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31} 1624 oidExtensionAuthorityInfoAccess = []int{1, 3, 6, 1, 5, 5, 7, 1, 1} 1625 oidExtensionCRLNumber = []int{2, 5, 29, 20} 1626 ) 1627 1628 var ( 1629 oidAuthorityInfoAccessOcsp = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1} 1630 oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2} 1631 ) 1632 1633 // oidNotInExtensions reports whether an extension with the given oid exists in 1634 // extensions. 1635 func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool { 1636 for _, e := range extensions { 1637 if e.Id.Equal(oid) { 1638 return true 1639 } 1640 } 1641 return false 1642 } 1643 1644 // marshalSANs marshals a list of addresses into a the contents of an X.509 1645 // SubjectAlternativeName extension. 1646 func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) { 1647 var rawValues []asn1.RawValue 1648 for _, name := range dnsNames { 1649 if err := isIA5String(name); err != nil { 1650 return nil, err 1651 } 1652 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)}) 1653 } 1654 for _, email := range emailAddresses { 1655 if err := isIA5String(email); err != nil { 1656 return nil, err 1657 } 1658 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)}) 1659 } 1660 for _, rawIP := range ipAddresses { 1661 // If possible, we always want to encode IPv4 addresses in 4 bytes. 1662 ip := rawIP.To4() 1663 if ip == nil { 1664 ip = rawIP 1665 } 1666 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip}) 1667 } 1668 for _, uri := range uris { 1669 uriStr := uri.String() 1670 if err := isIA5String(uriStr); err != nil { 1671 return nil, err 1672 } 1673 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uriStr)}) 1674 } 1675 return asn1.Marshal(rawValues) 1676 } 1677 1678 func isIA5String(s string) error { 1679 for _, r := range s { 1680 // Per RFC5280 "IA5String is limited to the set of ASCII characters" 1681 if r > unicode.MaxASCII { 1682 return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s) 1683 } 1684 } 1685 1686 return nil 1687 } 1688 1689 func buildCertExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte, subjectKeyId []byte) (ret []pkix.Extension, err error) { 1690 ret = make([]pkix.Extension, 10 /* maximum number of elements. */) 1691 n := 0 1692 1693 if template.KeyUsage != 0 && 1694 !oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) { 1695 ret[n], err = marshalKeyUsage(template.KeyUsage) 1696 if err != nil { 1697 return nil, err 1698 } 1699 n++ 1700 } 1701 1702 if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) && 1703 !oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) { 1704 ret[n], err = marshalExtKeyUsage(template.ExtKeyUsage, template.UnknownExtKeyUsage) 1705 if err != nil { 1706 return nil, err 1707 } 1708 n++ 1709 } 1710 1711 if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) { 1712 ret[n], err = marshalBasicConstraints(template.IsCA, template.MaxPathLen, template.MaxPathLenZero) 1713 if err != nil { 1714 return nil, err 1715 } 1716 n++ 1717 } 1718 1719 if len(subjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) { 1720 ret[n].Id = oidExtensionSubjectKeyId 1721 ret[n].Value, err = asn1.Marshal(subjectKeyId) 1722 if err != nil { 1723 return 1724 } 1725 n++ 1726 } 1727 1728 if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) { 1729 ret[n].Id = oidExtensionAuthorityKeyId 1730 ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId}) 1731 if err != nil { 1732 return 1733 } 1734 n++ 1735 } 1736 1737 if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) && 1738 !oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) { 1739 ret[n].Id = oidExtensionAuthorityInfoAccess 1740 var aiaValues []authorityInfoAccess 1741 for _, name := range template.OCSPServer { 1742 aiaValues = append(aiaValues, authorityInfoAccess{ 1743 Method: oidAuthorityInfoAccessOcsp, 1744 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)}, 1745 }) 1746 } 1747 for _, name := range template.IssuingCertificateURL { 1748 aiaValues = append(aiaValues, authorityInfoAccess{ 1749 Method: oidAuthorityInfoAccessIssuers, 1750 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)}, 1751 }) 1752 } 1753 ret[n].Value, err = asn1.Marshal(aiaValues) 1754 if err != nil { 1755 return 1756 } 1757 n++ 1758 } 1759 1760 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) && 1761 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) { 1762 ret[n].Id = oidExtensionSubjectAltName 1763 // From RFC 5280, Section 4.2.1.6: 1764 // “If the subject field contains an empty sequence ... then 1765 // subjectAltName extension ... is marked as critical” 1766 ret[n].Critical = subjectIsEmpty 1767 ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs) 1768 if err != nil { 1769 return 1770 } 1771 n++ 1772 } 1773 1774 if len(template.PolicyIdentifiers) > 0 && 1775 !oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) { 1776 ret[n], err = marshalCertificatePolicies(template.PolicyIdentifiers) 1777 if err != nil { 1778 return nil, err 1779 } 1780 n++ 1781 } 1782 1783 if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 || 1784 len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 || 1785 len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 || 1786 len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) && 1787 !oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) { 1788 ret[n].Id = oidExtensionNameConstraints 1789 ret[n].Critical = template.PermittedDNSDomainsCritical 1790 1791 ipAndMask := func(ipNet *net.IPNet) []byte { 1792 maskedIP := ipNet.IP.Mask(ipNet.Mask) 1793 ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask)) 1794 ipAndMask = append(ipAndMask, maskedIP...) 1795 ipAndMask = append(ipAndMask, ipNet.Mask...) 1796 return ipAndMask 1797 } 1798 1799 serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) { 1800 var b cryptobyte.Builder 1801 1802 for _, name := range dns { 1803 if err = isIA5String(name); err != nil { 1804 return nil, err 1805 } 1806 1807 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1808 b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) { 1809 b.AddBytes([]byte(name)) 1810 }) 1811 }) 1812 } 1813 1814 for _, ipNet := range ips { 1815 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1816 b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) { 1817 b.AddBytes(ipAndMask(ipNet)) 1818 }) 1819 }) 1820 } 1821 1822 for _, email := range emails { 1823 if err = isIA5String(email); err != nil { 1824 return nil, err 1825 } 1826 1827 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1828 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) { 1829 b.AddBytes([]byte(email)) 1830 }) 1831 }) 1832 } 1833 1834 for _, uriDomain := range uriDomains { 1835 if err = isIA5String(uriDomain); err != nil { 1836 return nil, err 1837 } 1838 1839 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1840 b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) { 1841 b.AddBytes([]byte(uriDomain)) 1842 }) 1843 }) 1844 } 1845 1846 return b.Bytes() 1847 } 1848 1849 permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains) 1850 if err != nil { 1851 return nil, err 1852 } 1853 1854 excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains) 1855 if err != nil { 1856 return nil, err 1857 } 1858 1859 var b cryptobyte.Builder 1860 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) { 1861 if len(permitted) > 0 { 1862 b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) { 1863 b.AddBytes(permitted) 1864 }) 1865 } 1866 1867 if len(excluded) > 0 { 1868 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) { 1869 b.AddBytes(excluded) 1870 }) 1871 } 1872 }) 1873 1874 ret[n].Value, err = b.Bytes() 1875 if err != nil { 1876 return nil, err 1877 } 1878 n++ 1879 } 1880 1881 if len(template.CRLDistributionPoints) > 0 && 1882 !oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) { 1883 ret[n].Id = oidExtensionCRLDistributionPoints 1884 1885 var crlDp []distributionPoint 1886 for _, name := range template.CRLDistributionPoints { 1887 dp := distributionPoint{ 1888 DistributionPoint: distributionPointName{ 1889 FullName: []asn1.RawValue{ 1890 {Tag: 6, Class: 2, Bytes: []byte(name)}, 1891 }, 1892 }, 1893 } 1894 crlDp = append(crlDp, dp) 1895 } 1896 1897 ret[n].Value, err = asn1.Marshal(crlDp) 1898 if err != nil { 1899 return 1900 } 1901 n++ 1902 } 1903 1904 // Adding another extension here? Remember to update the maximum number 1905 // of elements in the make() at the top of the function and the list of 1906 // template fields used in CreateCertificate documentation. 1907 1908 return append(ret[:n], template.ExtraExtensions...), nil 1909 } 1910 1911 func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error) { 1912 ext := pkix.Extension{Id: oidExtensionKeyUsage, Critical: true} 1913 1914 var a [2]byte 1915 a[0] = reverseBitsInAByte(byte(ku)) 1916 a[1] = reverseBitsInAByte(byte(ku >> 8)) 1917 1918 l := 1 1919 if a[1] != 0 { 1920 l = 2 1921 } 1922 1923 bitString := a[:l] 1924 var err error 1925 ext.Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)}) 1926 if err != nil { 1927 return ext, err 1928 } 1929 return ext, nil 1930 } 1931 1932 func marshalExtKeyUsage(extUsages []ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) { 1933 ext := pkix.Extension{Id: oidExtensionExtendedKeyUsage} 1934 1935 oids := make([]asn1.ObjectIdentifier, len(extUsages)+len(unknownUsages)) 1936 for i, u := range extUsages { 1937 if oid, ok := oidFromExtKeyUsage(u); ok { 1938 oids[i] = oid 1939 } else { 1940 return ext, errors.New("x509: unknown extended key usage") 1941 } 1942 } 1943 1944 copy(oids[len(extUsages):], unknownUsages) 1945 1946 var err error 1947 ext.Value, err = asn1.Marshal(oids) 1948 if err != nil { 1949 return ext, err 1950 } 1951 return ext, nil 1952 } 1953 1954 func marshalBasicConstraints(isCA bool, maxPathLen int, maxPathLenZero bool) (pkix.Extension, error) { 1955 ext := pkix.Extension{Id: oidExtensionBasicConstraints, Critical: true} 1956 // Leaving MaxPathLen as zero indicates that no maximum path 1957 // length is desired, unless MaxPathLenZero is set. A value of 1958 // -1 causes encoding/asn1 to omit the value as desired. 1959 if maxPathLen == 0 && !maxPathLenZero { 1960 maxPathLen = -1 1961 } 1962 var err error 1963 ext.Value, err = asn1.Marshal(basicConstraints{isCA, maxPathLen}) 1964 if err != nil { 1965 return ext, nil 1966 } 1967 return ext, nil 1968 } 1969 1970 func marshalCertificatePolicies(policyIdentifiers []asn1.ObjectIdentifier) (pkix.Extension, error) { 1971 ext := pkix.Extension{Id: oidExtensionCertificatePolicies} 1972 policies := make([]policyInformation, len(policyIdentifiers)) 1973 for i, policy := range policyIdentifiers { 1974 policies[i].Policy = policy 1975 } 1976 var err error 1977 ext.Value, err = asn1.Marshal(policies) 1978 if err != nil { 1979 return ext, err 1980 } 1981 return ext, nil 1982 } 1983 1984 func buildCSRExtensions(template *CertificateRequest) ([]pkix.Extension, error) { 1985 var ret []pkix.Extension 1986 1987 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) && 1988 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) { 1989 sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs) 1990 if err != nil { 1991 return nil, err 1992 } 1993 1994 ret = append(ret, pkix.Extension{ 1995 Id: oidExtensionSubjectAltName, 1996 Value: sanBytes, 1997 }) 1998 } 1999 2000 if template.KeyUsage != 0 && 2001 !oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) { 2002 ext, err := marshalKeyUsage(template.KeyUsage) 2003 if err != nil { 2004 return nil, err 2005 } 2006 ret = append(ret, ext) 2007 } 2008 2009 return append(ret, template.ExtraExtensions...), nil 2010 } 2011 2012 func subjectBytes(cert *Certificate) ([]byte, error) { 2013 if len(cert.RawSubject) > 0 { 2014 return cert.RawSubject, nil 2015 } 2016 2017 return asn1.Marshal(cert.Subject.ToRDNSequence()) 2018 } 2019 2020 // signingParamsForPublicKey returns the parameters to use for signing with 2021 // priv. If requestedSigAlgo is not zero then it overrides the default 2022 // signature algorithm. 2023 func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) { 2024 var pubType PublicKeyAlgorithm 2025 2026 switch pub := pub.(type) { 2027 case *rsa.PublicKey: 2028 pubType = RSA 2029 hashFunc = crypto.SHA256 2030 sigAlgo.Algorithm = oidSignatureSHA256WithRSA 2031 sigAlgo.Parameters = asn1.NullRawValue 2032 2033 case *ecdsa.PublicKey: 2034 pubType = ECDSA 2035 2036 switch pub.Curve { 2037 case elliptic.P224(), elliptic.P256(): 2038 hashFunc = crypto.SHA256 2039 sigAlgo.Algorithm = oidSignatureECDSAWithSHA256 2040 case elliptic.P384(): 2041 hashFunc = crypto.SHA384 2042 sigAlgo.Algorithm = oidSignatureECDSAWithSHA384 2043 case elliptic.P521(): 2044 hashFunc = crypto.SHA512 2045 sigAlgo.Algorithm = oidSignatureECDSAWithSHA512 2046 default: 2047 err = errors.New("x509: unknown elliptic curve") 2048 } 2049 2050 case ed25519.PublicKey: 2051 pubType = Ed25519 2052 sigAlgo.Algorithm = oidSignatureEd25519 2053 2054 default: 2055 err = errors.New("x509: only RSA, ECDSA and Ed25519 keys supported") 2056 } 2057 2058 if err != nil { 2059 return 2060 } 2061 2062 if requestedSigAlgo == 0 { 2063 return 2064 } 2065 2066 found := false 2067 for _, details := range signatureAlgorithmDetails { 2068 if details.algo == requestedSigAlgo { 2069 if details.pubKeyAlgo != pubType { 2070 err = errors.New("x509: requested SignatureAlgorithm does not match private key type") 2071 return 2072 } 2073 sigAlgo.Algorithm, hashFunc = details.oid, details.hash 2074 if hashFunc == 0 && pubType != Ed25519 { 2075 err = errors.New("x509: cannot sign with hash function requested") 2076 return 2077 } 2078 if requestedSigAlgo.isRSAPSS() { 2079 sigAlgo.Parameters = hashToPSSParameters[hashFunc] 2080 } 2081 found = true 2082 break 2083 } 2084 } 2085 2086 if !found { 2087 err = errors.New("x509: unknown SignatureAlgorithm") 2088 } 2089 2090 return 2091 } 2092 2093 // emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is 2094 // just an empty SEQUENCE. 2095 var emptyASN1Subject = []byte{0x30, 0} 2096 2097 // CreateCertificate creates a new X.509v3 certificate based on a template. 2098 // The following members of template are used: 2099 // 2100 // - AuthorityKeyId 2101 // - BasicConstraintsValid 2102 // - CRLDistributionPoints 2103 // - DNSNames 2104 // - EmailAddresses 2105 // - ExcludedDNSDomains 2106 // - ExcludedEmailAddresses 2107 // - ExcludedIPRanges 2108 // - ExcludedURIDomains 2109 // - ExtKeyUsage 2110 // - ExtraExtensions 2111 // - IPAddresses 2112 // - IsCA 2113 // - IssuingCertificateURL 2114 // - KeyUsage 2115 // - MaxPathLen 2116 // - MaxPathLenZero 2117 // - NotAfter 2118 // - NotBefore 2119 // - OCSPServer 2120 // - PermittedDNSDomains 2121 // - PermittedDNSDomainsCritical 2122 // - PermittedEmailAddresses 2123 // - PermittedIPRanges 2124 // - PermittedURIDomains 2125 // - PolicyIdentifiers 2126 // - SerialNumber 2127 // - SignatureAlgorithm 2128 // - Subject 2129 // - SubjectKeyId 2130 // - URIs 2131 // - UnknownExtKeyUsage 2132 // 2133 // The certificate is signed by parent. If parent is equal to template then the 2134 // certificate is self-signed. The parameter pub is the public key of the 2135 // signee and priv is the private key of the signer. 2136 // 2137 // The returned slice is the certificate in DER encoding. 2138 // 2139 // The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and 2140 // ed25519.PublicKey. pub must be a supported key type, and priv must be a 2141 // crypto.Signer with a supported public key. 2142 // 2143 // The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any, 2144 // unless the resulting certificate is self-signed. Otherwise the value from 2145 // template will be used. 2146 // 2147 // If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId 2148 // will be generated from the hash of the public key. 2149 func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) { 2150 key, ok := priv.(crypto.Signer) 2151 if !ok { 2152 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 2153 } 2154 2155 if template.SerialNumber == nil { 2156 return nil, errors.New("x509: no SerialNumber given") 2157 } 2158 2159 if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) { 2160 return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen") 2161 } 2162 2163 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm) 2164 if err != nil { 2165 return nil, err 2166 } 2167 2168 publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub) 2169 if err != nil { 2170 return nil, err 2171 } 2172 2173 asn1Issuer, err := subjectBytes(parent) 2174 if err != nil { 2175 return 2176 } 2177 2178 asn1Subject, err := subjectBytes(template) 2179 if err != nil { 2180 return 2181 } 2182 2183 authorityKeyId := template.AuthorityKeyId 2184 if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 { 2185 authorityKeyId = parent.SubjectKeyId 2186 } 2187 2188 subjectKeyId := template.SubjectKeyId 2189 if len(subjectKeyId) == 0 && template.IsCA { 2190 // SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2: 2191 // (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the 2192 // value of the BIT STRING subjectPublicKey (excluding the tag, 2193 // length, and number of unused bits). 2194 h := sha1.Sum(publicKeyBytes) 2195 subjectKeyId = h[:] 2196 } 2197 2198 extensions, err := buildCertExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId, subjectKeyId) 2199 if err != nil { 2200 return 2201 } 2202 2203 encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes} 2204 c := tbsCertificate{ 2205 Version: 2, 2206 SerialNumber: template.SerialNumber, 2207 SignatureAlgorithm: signatureAlgorithm, 2208 Issuer: asn1.RawValue{FullBytes: asn1Issuer}, 2209 Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()}, 2210 Subject: asn1.RawValue{FullBytes: asn1Subject}, 2211 PublicKey: publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey}, 2212 Extensions: extensions, 2213 } 2214 2215 tbsCertContents, err := asn1.Marshal(c) 2216 if err != nil { 2217 return 2218 } 2219 c.Raw = tbsCertContents 2220 2221 signed := tbsCertContents 2222 if hashFunc != 0 { 2223 h := hashFunc.New() 2224 h.Write(signed) 2225 signed = h.Sum(nil) 2226 } 2227 2228 var signerOpts crypto.SignerOpts = hashFunc 2229 if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() { 2230 signerOpts = &rsa.PSSOptions{ 2231 SaltLength: rsa.PSSSaltLengthEqualsHash, 2232 Hash: hashFunc, 2233 } 2234 } 2235 2236 var signature []byte 2237 signature, err = key.Sign(rand, signed, signerOpts) 2238 if err != nil { 2239 return 2240 } 2241 2242 signedCert, err := asn1.Marshal(certificate{ 2243 nil, 2244 c, 2245 signatureAlgorithm, 2246 asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, 2247 }) 2248 if err != nil { 2249 return nil, err 2250 } 2251 2252 // Check the signature to ensure the crypto.Signer behaved correctly. 2253 // We skip this check if the signature algorithm is MD5WithRSA as we 2254 // only support this algorithm for signing, and not verification. 2255 if sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm); sigAlg != MD5WithRSA { 2256 if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil { 2257 return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err) 2258 } 2259 } 2260 2261 return signedCert, nil 2262 } 2263 2264 // pemCRLPrefix is the magic string that indicates that we have a PEM encoded 2265 // CRL. 2266 var pemCRLPrefix = []byte("-----BEGIN X509 CRL") 2267 2268 // pemType is the type of a PEM encoded CRL. 2269 var pemType = "X509 CRL" 2270 2271 // ParseCRL parses a CRL from the given bytes. It's often the case that PEM 2272 // encoded CRLs will appear where they should be DER encoded, so this function 2273 // will transparently handle PEM encoding as long as there isn't any leading 2274 // garbage. 2275 func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) { 2276 if bytes.HasPrefix(crlBytes, pemCRLPrefix) { 2277 block, _ := pem.Decode(crlBytes) 2278 if block != nil && block.Type == pemType { 2279 crlBytes = block.Bytes 2280 } 2281 } 2282 return ParseDERCRL(crlBytes) 2283 } 2284 2285 // ParseDERCRL parses a DER encoded CRL from the given bytes. 2286 func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) { 2287 certList := new(pkix.CertificateList) 2288 if rest, err := asn1.Unmarshal(derBytes, certList); err != nil { 2289 return nil, err 2290 } else if len(rest) != 0 { 2291 return nil, errors.New("x509: trailing data after CRL") 2292 } 2293 return certList, nil 2294 } 2295 2296 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that 2297 // contains the given list of revoked certificates. 2298 // 2299 // Note: this method does not generate an RFC 5280 conformant X.509 v2 CRL. 2300 // To generate a standards compliant CRL, use CreateRevocationList instead. 2301 func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { 2302 key, ok := priv.(crypto.Signer) 2303 if !ok { 2304 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 2305 } 2306 2307 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0) 2308 if err != nil { 2309 return nil, err 2310 } 2311 2312 // Force revocation times to UTC per RFC 5280. 2313 revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts)) 2314 for i, rc := range revokedCerts { 2315 rc.RevocationTime = rc.RevocationTime.UTC() 2316 revokedCertsUTC[i] = rc 2317 } 2318 2319 tbsCertList := pkix.TBSCertificateList{ 2320 Version: 1, 2321 Signature: signatureAlgorithm, 2322 Issuer: c.Subject.ToRDNSequence(), 2323 ThisUpdate: now.UTC(), 2324 NextUpdate: expiry.UTC(), 2325 RevokedCertificates: revokedCertsUTC, 2326 } 2327 2328 // Authority Key Id 2329 if len(c.SubjectKeyId) > 0 { 2330 var aki pkix.Extension 2331 aki.Id = oidExtensionAuthorityKeyId 2332 aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId}) 2333 if err != nil { 2334 return 2335 } 2336 tbsCertList.Extensions = append(tbsCertList.Extensions, aki) 2337 } 2338 2339 tbsCertListContents, err := asn1.Marshal(tbsCertList) 2340 if err != nil { 2341 return 2342 } 2343 2344 signed := tbsCertListContents 2345 if hashFunc != 0 { 2346 h := hashFunc.New() 2347 h.Write(signed) 2348 signed = h.Sum(nil) 2349 } 2350 2351 var signature []byte 2352 signature, err = key.Sign(rand, signed, hashFunc) 2353 if err != nil { 2354 return 2355 } 2356 2357 return asn1.Marshal(pkix.CertificateList{ 2358 TBSCertList: tbsCertList, 2359 SignatureAlgorithm: signatureAlgorithm, 2360 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, 2361 }) 2362 } 2363 2364 // CertificateRequest represents a PKCS #10, certificate signature request. 2365 type CertificateRequest struct { 2366 Raw []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature). 2367 RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content. 2368 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo. 2369 RawSubject []byte // DER encoded Subject. 2370 2371 Version int 2372 Signature []byte 2373 SignatureAlgorithm SignatureAlgorithm 2374 KeyUsage KeyUsage 2375 2376 PublicKeyAlgorithm PublicKeyAlgorithm 2377 PublicKey interface{} 2378 2379 Subject pkix.Name 2380 2381 // Attributes contains the CSR attributes that can parse as 2382 // pkix.AttributeTypeAndValueSET. 2383 // 2384 // Deprecated: Use Extensions and ExtraExtensions instead for parsing and 2385 // generating the requestedExtensions attribute. 2386 Attributes []pkix.AttributeTypeAndValueSET 2387 2388 // Extensions contains all requested extensions, in raw form. When parsing 2389 // CSRs, this can be used to extract extensions that are not parsed by this 2390 // package. 2391 Extensions []pkix.Extension 2392 2393 // ExtraExtensions contains extensions to be copied, raw, into any CSR 2394 // marshaled by CreateCertificateRequest. Values override any extensions 2395 // that would otherwise be produced based on the other fields but are 2396 // overridden by any extensions specified in Attributes. 2397 // 2398 // The ExtraExtensions field is not populated by ParseCertificateRequest, 2399 // see Extensions instead. 2400 ExtraExtensions []pkix.Extension 2401 2402 // Subject Alternate Name values. 2403 DNSNames []string 2404 EmailAddresses []string 2405 IPAddresses []net.IP 2406 URIs []*url.URL 2407 } 2408 2409 // These structures reflect the ASN.1 structure of X.509 certificate 2410 // signature requests (see RFC 2986): 2411 2412 type tbsCertificateRequest struct { 2413 Raw asn1.RawContent 2414 Version int 2415 Subject asn1.RawValue 2416 PublicKey publicKeyInfo 2417 RawAttributes []asn1.RawValue `asn1:"tag:0"` 2418 } 2419 2420 type certificateRequest struct { 2421 Raw asn1.RawContent 2422 TBSCSR tbsCertificateRequest 2423 SignatureAlgorithm pkix.AlgorithmIdentifier 2424 SignatureValue asn1.BitString 2425 } 2426 2427 // oidExtensionRequest is a PKCS #9 OBJECT IDENTIFIER that indicates requested 2428 // extensions in a CSR. 2429 var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14} 2430 2431 // newRawAttributes converts AttributeTypeAndValueSETs from a template 2432 // CertificateRequest's Attributes into tbsCertificateRequest RawAttributes. 2433 func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) { 2434 var rawAttributes []asn1.RawValue 2435 b, err := asn1.Marshal(attributes) 2436 if err != nil { 2437 return nil, err 2438 } 2439 rest, err := asn1.Unmarshal(b, &rawAttributes) 2440 if err != nil { 2441 return nil, err 2442 } 2443 if len(rest) != 0 { 2444 return nil, errors.New("x509: failed to unmarshal raw CSR Attributes") 2445 } 2446 return rawAttributes, nil 2447 } 2448 2449 // parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs. 2450 func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET { 2451 var attributes []pkix.AttributeTypeAndValueSET 2452 for _, rawAttr := range rawAttributes { 2453 var attr pkix.AttributeTypeAndValueSET 2454 rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr) 2455 // Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET 2456 // (i.e.: challengePassword or unstructuredName). 2457 if err == nil && len(rest) == 0 { 2458 attributes = append(attributes, attr) 2459 } 2460 } 2461 return attributes 2462 } 2463 2464 // parseCSRExtensions parses the attributes from a CSR and extracts any 2465 // requested extensions. 2466 func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) { 2467 // pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1. 2468 type pkcs10Attribute struct { 2469 Id asn1.ObjectIdentifier 2470 Values []asn1.RawValue `asn1:"set"` 2471 } 2472 2473 var ret []pkix.Extension 2474 for _, rawAttr := range rawAttributes { 2475 var attr pkcs10Attribute 2476 if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 { 2477 // Ignore attributes that don't parse. 2478 continue 2479 } 2480 2481 if !attr.Id.Equal(oidExtensionRequest) { 2482 continue 2483 } 2484 2485 var extensions []pkix.Extension 2486 if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil { 2487 return nil, err 2488 } 2489 ret = append(ret, extensions...) 2490 } 2491 2492 return ret, nil 2493 } 2494 2495 // CreateCertificateRequest creates a new certificate request based on a 2496 // template. The following members of template are used: 2497 // 2498 // - SignatureAlgorithm 2499 // - Subject 2500 // - DNSNames 2501 // - EmailAddresses 2502 // - IPAddresses 2503 // - URIs 2504 // - KeyUsage 2505 // - ExtKeyUsage 2506 // - UnknownExtKeyUsage 2507 // - BasicConstraintsValid 2508 // - IsCA 2509 // - MaxPathLen 2510 // - MaxPathLenZero 2511 // - SubjectKeyId 2512 // - PolicyIdentifiers 2513 // - ExtraExtensions 2514 // - Attributes (deprecated) 2515 // 2516 // priv is the private key to sign the CSR with, and the corresponding public 2517 // key will be included in the CSR. It must implement crypto.Signer and its 2518 // Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a 2519 // ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or 2520 // ed25519.PrivateKey satisfies this.) 2521 // 2522 // The returned slice is the certificate request in DER encoding. 2523 func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) { 2524 key, ok := priv.(crypto.Signer) 2525 if !ok { 2526 return nil, errors.New("x509: certificate private key does not implement crypto.Signer") 2527 } 2528 2529 var hashFunc crypto.Hash 2530 var sigAlgo pkix.AlgorithmIdentifier 2531 hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm) 2532 if err != nil { 2533 return nil, err 2534 } 2535 2536 var publicKeyBytes []byte 2537 var publicKeyAlgorithm pkix.AlgorithmIdentifier 2538 publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public()) 2539 if err != nil { 2540 return nil, err 2541 } 2542 2543 extensions, err := buildCSRExtensions(template) 2544 if err != nil { 2545 return nil, err 2546 } 2547 2548 // Make a copy of template.Attributes because we may alter it below. 2549 attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes)) 2550 for _, attr := range template.Attributes { 2551 values := make([][]pkix.AttributeTypeAndValue, len(attr.Value)) 2552 copy(values, attr.Value) 2553 attributes = append(attributes, pkix.AttributeTypeAndValueSET{ 2554 Type: attr.Type, 2555 Value: values, 2556 }) 2557 } 2558 2559 extensionsAppended := false 2560 if len(extensions) > 0 { 2561 // Append the extensions to an existing attribute if possible. 2562 for _, atvSet := range attributes { 2563 if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 { 2564 continue 2565 } 2566 2567 // specifiedExtensions contains all the extensions that we 2568 // found specified via template.Attributes. 2569 specifiedExtensions := make(map[string]bool) 2570 2571 for _, atvs := range atvSet.Value { 2572 for _, atv := range atvs { 2573 specifiedExtensions[atv.Type.String()] = true 2574 } 2575 } 2576 2577 newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions)) 2578 newValue = append(newValue, atvSet.Value[0]...) 2579 2580 for _, e := range extensions { 2581 if specifiedExtensions[e.Id.String()] { 2582 // Attributes already contained a value for 2583 // this extension and it takes priority. 2584 continue 2585 } 2586 2587 newValue = append(newValue, pkix.AttributeTypeAndValue{ 2588 // There is no place for the critical 2589 // flag in an AttributeTypeAndValue. 2590 Type: e.Id, 2591 Value: e.Value, 2592 }) 2593 } 2594 2595 atvSet.Value[0] = newValue 2596 extensionsAppended = true 2597 break 2598 } 2599 } 2600 2601 rawAttributes, err := newRawAttributes(attributes) 2602 if err != nil { 2603 return 2604 } 2605 2606 // If not included in attributes, add a new attribute for the 2607 // extensions. 2608 if len(extensions) > 0 && !extensionsAppended { 2609 attr := struct { 2610 Type asn1.ObjectIdentifier 2611 Value [][]pkix.Extension `asn1:"set"` 2612 }{ 2613 Type: oidExtensionRequest, 2614 Value: [][]pkix.Extension{extensions}, 2615 } 2616 2617 b, err := asn1.Marshal(attr) 2618 if err != nil { 2619 return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error()) 2620 } 2621 2622 var rawValue asn1.RawValue 2623 if _, err := asn1.Unmarshal(b, &rawValue); err != nil { 2624 return nil, err 2625 } 2626 2627 rawAttributes = append(rawAttributes, rawValue) 2628 } 2629 2630 asn1Subject := template.RawSubject 2631 if len(asn1Subject) == 0 { 2632 asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence()) 2633 if err != nil { 2634 return nil, err 2635 } 2636 } 2637 2638 tbsCSR := tbsCertificateRequest{ 2639 Version: 0, // PKCS #10, RFC 2986 2640 Subject: asn1.RawValue{FullBytes: asn1Subject}, 2641 PublicKey: publicKeyInfo{ 2642 Algorithm: publicKeyAlgorithm, 2643 PublicKey: asn1.BitString{ 2644 Bytes: publicKeyBytes, 2645 BitLength: len(publicKeyBytes) * 8, 2646 }, 2647 }, 2648 RawAttributes: rawAttributes, 2649 } 2650 2651 tbsCSRContents, err := asn1.Marshal(tbsCSR) 2652 if err != nil { 2653 return 2654 } 2655 tbsCSR.Raw = tbsCSRContents 2656 2657 signed := tbsCSRContents 2658 if hashFunc != 0 { 2659 h := hashFunc.New() 2660 h.Write(signed) 2661 signed = h.Sum(nil) 2662 } 2663 2664 var signature []byte 2665 signature, err = key.Sign(rand, signed, hashFunc) 2666 if err != nil { 2667 return 2668 } 2669 2670 return asn1.Marshal(certificateRequest{ 2671 TBSCSR: tbsCSR, 2672 SignatureAlgorithm: sigAlgo, 2673 SignatureValue: asn1.BitString{ 2674 Bytes: signature, 2675 BitLength: len(signature) * 8, 2676 }, 2677 }) 2678 } 2679 2680 // ParseCertificateRequest parses a single certificate request from the 2681 // given ASN.1 DER data. 2682 func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) { 2683 var csr certificateRequest 2684 2685 rest, err := asn1.Unmarshal(asn1Data, &csr) 2686 if err != nil { 2687 return nil, err 2688 } else if len(rest) != 0 { 2689 return nil, asn1.SyntaxError{Msg: "trailing data"} 2690 } 2691 2692 return parseCertificateRequest(&csr) 2693 } 2694 2695 func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) { 2696 out := &CertificateRequest{ 2697 Raw: in.Raw, 2698 RawTBSCertificateRequest: in.TBSCSR.Raw, 2699 RawSubjectPublicKeyInfo: in.TBSCSR.PublicKey.Raw, 2700 RawSubject: in.TBSCSR.Subject.FullBytes, 2701 2702 Signature: in.SignatureValue.RightAlign(), 2703 SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm), 2704 2705 PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm), 2706 2707 Version: in.TBSCSR.Version, 2708 Attributes: parseRawAttributes(in.TBSCSR.RawAttributes), 2709 } 2710 2711 var err error 2712 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey) 2713 if err != nil { 2714 return nil, err 2715 } 2716 2717 var subject pkix.RDNSequence 2718 if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil { 2719 return nil, err 2720 } else if len(rest) != 0 { 2721 return nil, errors.New("x509: trailing data after X.509 Subject") 2722 } 2723 2724 out.Subject.FillFromRDNSequence(&subject) 2725 2726 if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil { 2727 return nil, err 2728 } 2729 2730 for _, extension := range out.Extensions { 2731 switch { 2732 case extension.Id.Equal(oidExtensionSubjectAltName): 2733 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value) 2734 if err != nil { 2735 return nil, err 2736 } 2737 case extension.Id.Equal(oidExtensionKeyUsage): 2738 out.KeyUsage, err = parseKeyUsageExtension(extension.Value) 2739 if err != nil { 2740 return nil, err 2741 } 2742 } 2743 } 2744 2745 return out, nil 2746 } 2747 2748 // CheckSignature reports whether the signature on c is valid. 2749 func (c *CertificateRequest) CheckSignature() error { 2750 return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey) 2751 } 2752 2753 // RevocationList contains the fields used to create an X.509 v2 Certificate 2754 // Revocation list with CreateRevocationList. 2755 type RevocationList struct { 2756 // SignatureAlgorithm is used to determine the signature algorithm to be 2757 // used when signing the CRL. If 0 the default algorithm for the signing 2758 // key will be used. 2759 SignatureAlgorithm SignatureAlgorithm 2760 2761 // RevokedCertificates is used to populate the revokedCertificates 2762 // sequence in the CRL, it may be empty. RevokedCertificates may be nil, 2763 // in which case an empty CRL will be created. 2764 RevokedCertificates []pkix.RevokedCertificate 2765 2766 // Number is used to populate the X.509 v2 cRLNumber extension in the CRL, 2767 // which should be a monotonically increasing sequence number for a given 2768 // CRL scope and CRL issuer. 2769 Number *big.Int 2770 // ThisUpdate is used to populate the thisUpdate field in the CRL, which 2771 // indicates the issuance date of the CRL. 2772 ThisUpdate time.Time 2773 // NextUpdate is used to populate the nextUpdate field in the CRL, which 2774 // indicates the date by which the next CRL will be issued. NextUpdate 2775 // must be greater than ThisUpdate. 2776 NextUpdate time.Time 2777 // ExtraExtensions contains any additional extensions to add directly to 2778 // the CRL. 2779 ExtraExtensions []pkix.Extension 2780 } 2781 2782 // CreateRevocationList creates a new X.509 v2 Certificate Revocation List, 2783 // according to RFC 5280, based on template. 2784 // 2785 // The CRL is signed by priv which should be the private key associated with 2786 // the public key in the issuer certificate. 2787 // 2788 // The issuer may not be nil, and the crlSign bit must be set in KeyUsage in 2789 // order to use it as a CRL issuer. 2790 // 2791 // The issuer distinguished name CRL field and authority key identifier 2792 // extension are populated using the issuer certificate. issuer must have 2793 // SubjectKeyId set. 2794 func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error) { 2795 if template == nil { 2796 return nil, errors.New("x509: template can not be nil") 2797 } 2798 if issuer == nil { 2799 return nil, errors.New("x509: issuer can not be nil") 2800 } 2801 if (issuer.KeyUsage & KeyUsageCRLSign) == 0 { 2802 return nil, errors.New("x509: issuer must have the crlSign key usage bit set") 2803 } 2804 if len(issuer.SubjectKeyId) == 0 { 2805 return nil, errors.New("x509: issuer certificate doesn't contain a subject key identifier") 2806 } 2807 if template.NextUpdate.Before(template.ThisUpdate) { 2808 return nil, errors.New("x509: template.ThisUpdate is after template.NextUpdate") 2809 } 2810 if template.Number == nil { 2811 return nil, errors.New("x509: template contains nil Number field") 2812 } 2813 2814 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm) 2815 if err != nil { 2816 return nil, err 2817 } 2818 2819 // Force revocation times to UTC per RFC 5280. 2820 revokedCertsUTC := make([]pkix.RevokedCertificate, len(template.RevokedCertificates)) 2821 for i, rc := range template.RevokedCertificates { 2822 rc.RevocationTime = rc.RevocationTime.UTC() 2823 revokedCertsUTC[i] = rc 2824 } 2825 2826 aki, err := asn1.Marshal(authKeyId{Id: issuer.SubjectKeyId}) 2827 if err != nil { 2828 return nil, err 2829 } 2830 crlNum, err := asn1.Marshal(template.Number) 2831 if err != nil { 2832 return nil, err 2833 } 2834 2835 tbsCertList := pkix.TBSCertificateList{ 2836 Version: 1, // v2 2837 Signature: signatureAlgorithm, 2838 Issuer: issuer.Subject.ToRDNSequence(), 2839 ThisUpdate: template.ThisUpdate.UTC(), 2840 NextUpdate: template.NextUpdate.UTC(), 2841 Extensions: []pkix.Extension{ 2842 { 2843 Id: oidExtensionAuthorityKeyId, 2844 Value: aki, 2845 }, 2846 { 2847 Id: oidExtensionCRLNumber, 2848 Value: crlNum, 2849 }, 2850 }, 2851 } 2852 if len(revokedCertsUTC) > 0 { 2853 tbsCertList.RevokedCertificates = revokedCertsUTC 2854 } 2855 2856 if len(template.ExtraExtensions) > 0 { 2857 tbsCertList.Extensions = append(tbsCertList.Extensions, template.ExtraExtensions...) 2858 } 2859 2860 tbsCertListContents, err := asn1.Marshal(tbsCertList) 2861 if err != nil { 2862 return nil, err 2863 } 2864 2865 input := tbsCertListContents 2866 if hashFunc != 0 { 2867 h := hashFunc.New() 2868 h.Write(tbsCertListContents) 2869 input = h.Sum(nil) 2870 } 2871 var signerOpts crypto.SignerOpts = hashFunc 2872 if template.SignatureAlgorithm.isRSAPSS() { 2873 signerOpts = &rsa.PSSOptions{ 2874 SaltLength: rsa.PSSSaltLengthEqualsHash, 2875 Hash: hashFunc, 2876 } 2877 } 2878 2879 signature, err := priv.Sign(rand, input, signerOpts) 2880 if err != nil { 2881 return nil, err 2882 } 2883 2884 return asn1.Marshal(pkix.CertificateList{ 2885 TBSCertList: tbsCertList, 2886 SignatureAlgorithm: signatureAlgorithm, 2887 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, 2888 }) 2889 }