scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-12-10 18:15:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Bump github.com/google/certificate-transparency-go to v1.0.21

Browse Source
This commit is contained in:
Christoph Blecker
2018-10-03 16:47:10 -07:00
parent 16256296d2
commit 2e5578b230
25 changed files with 1306 additions and 231 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
vendor/github.com/google/certificate-transparency-go/x509/BUILD generated vendored
View File

@@ -4,6 +4,7 @@ go_library(
name = "go_default_library",
srcs = [
"cert_pool.go",
"curves.go",
"error.go",
"errors.go",
"names.go",
@@ -12,6 +13,8 @@ go_library(
"pem_decrypt.go",
"pkcs1.go",
"pkcs8.go",
"ptr_sysptr_windows.go",
"ptr_uint_windows.go",
"revoked.go",
"root.go",
"root_bsd.go",
@@ -25,6 +28,7 @@ go_library(
"root_solaris.go",
"root_unix.go",
"root_windows.go",
"rpki.go",
"sec1.go",
"verify.go",
"x509.go",

2
vendor/github.com/google/certificate-transparency-go/x509/cert_pool.go generated vendored
View File

@@ -121,7 +121,7 @@ func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) {
}
cert, err := ParseCertificate(block.Bytes)
if err != nil {
if IsFatal(err) {
continue
}

37
vendor/github.com/google/certificate-transparency-go/x509/curves.go generated vendored Normal file
View File

@@ -0,0 +1,37 @@
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package x509
import (
"crypto/elliptic"
"math/big"
"sync"
)
// This file holds ECC curves that are not supported by the main Go crypto/elliptic
// library, but which have been observed in certificates in the wild.
var initonce sync.Once
var p192r1 *elliptic.CurveParams
func initAllCurves() {
initSECP192R1()
}
func initSECP192R1() {
// See SEC-2, section 2.2.2
p192r1 = &elliptic.CurveParams{Name: "P-192"}
p192r1.P, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 16)
p192r1.N, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 16)
p192r1.B, _ = new(big.Int).SetString("64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1", 16)
p192r1.Gx, _ = new(big.Int).SetString("188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", 16)
p192r1.Gy, _ = new(big.Int).SetString("07192B95FFC8DA78631011ED6B24CDD573F977A11E794811", 16)
p192r1.BitSize = 192
}
func secp192r1() elliptic.Curve {
initonce.Do(initAllCurves)
return p192r1
}

20
vendor/github.com/google/certificate-transparency-go/x509/ptr_sysptr_windows.go generated vendored Normal file
View File

@@ -0,0 +1,20 @@
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build go1.11
package x509
import (
"syscall"
"unsafe"
)
// For Go versions >= 1.11, the ExtraPolicyPara field in
// syscall.CertChainPolicyPara is of type syscall.Pointer. See:
// https://github.com/golang/go/commit/4869ec00e87ef
func convertToPolicyParaType(p unsafe.Pointer) syscall.Pointer {
return (syscall.Pointer)(p)
}

17
vendor/github.com/google/certificate-transparency-go/x509/ptr_uint_windows.go generated vendored Normal file
View File

@@ -0,0 +1,17 @@
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build !go1.11
package x509
import "unsafe"
// For Go versions before 1.11, the ExtraPolicyPara field in
// syscall.CertChainPolicyPara was of type uintptr. See:
// https://github.com/golang/go/commit/4869ec00e87ef
func convertToPolicyParaType(p unsafe.Pointer) uintptr {
return uintptr(p)
}

9
vendor/github.com/google/certificate-transparency-go/x509/revoked.go generated vendored
View File

@@ -14,12 +14,15 @@ import (
"github.com/google/certificate-transparency-go/x509/pkix"
)
// OID values for CRL extensions (TBSCertList.Extensions), RFC 5280 s5.2.
var (
// OID values for CRL extensions (TBSCertList.Extensions), RFC 5280 s5.2.
OIDExtensionCRLNumber = asn1.ObjectIdentifier{2, 5, 29, 20}
OIDExtensionDeltaCRLIndicator = asn1.ObjectIdentifier{2, 5, 29, 27}
OIDExtensionIssuingDistributionPoint = asn1.ObjectIdentifier{2, 5, 29, 28}
// OID values for CRL entry extensions (RevokedCertificate.Extensions), RFC 5280 s5.3
)
// OID values for CRL entry extensions (RevokedCertificate.Extensions), RFC 5280 s5.3
var (
OIDExtensionCRLReasons = asn1.ObjectIdentifier{2, 5, 29, 21}
OIDExtensionInvalidityDate = asn1.ObjectIdentifier{2, 5, 29, 24}
OIDExtensionCertificateIssuer = asn1.ObjectIdentifier{2, 5, 29, 29}
@@ -238,7 +241,7 @@ func ParseCertificateListDER(derBytes []byte) (*CertificateList, error) {
}
case e.Id.Equal(OIDExtensionAuthorityInfoAccess):
// RFC 5280 s5.2.7
var aia []authorityInfoAccess
var aia []accessDescription
if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil {
errs.AddID(ErrInvalidCertListAuthInfoAccess, err)
} else if len(rest) != 0 {

2
vendor/github.com/google/certificate-transparency-go/x509/root_windows.go generated vendored
View File

@@ -109,7 +109,7 @@ func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContex
sslPara.Size = uint32(unsafe.Sizeof(*sslPara))
para := &syscall.CertChainPolicyPara{
ExtraPolicyPara: uintptr(unsafe.Pointer(sslPara)),
ExtraPolicyPara: convertToPolicyParaType(unsafe.Pointer(sslPara)),
}
para.Size = uint32(unsafe.Sizeof(*para))

242
vendor/github.com/google/certificate-transparency-go/x509/rpki.go generated vendored Normal file
View File

@@ -0,0 +1,242 @@
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package x509
import (
"bytes"
"encoding/binary"
"errors"
"fmt"
"github.com/google/certificate-transparency-go/asn1"
)
// IPAddressPrefix describes an IP address prefix as an ASN.1 bit string,
// where the BitLength field holds the prefix length.
type IPAddressPrefix asn1.BitString
// IPAddressRange describes an (inclusive) IP address range.
type IPAddressRange struct {
Min IPAddressPrefix
Max IPAddressPrefix
}
// Most relevant values for AFI from:
// http://www.iana.org/assignments/address-family-numbers.
const (
IPv4AddressFamilyIndicator = uint16(1)
IPv6AddressFamilyIndicator = uint16(2)
)
// IPAddressFamilyBlocks describes a set of ranges of IP addresses.
type IPAddressFamilyBlocks struct {
// AFI holds an address family indicator from
// http://www.iana.org/assignments/address-family-numbers.
AFI uint16
// SAFI holds a subsequent address family indicator from
// http://www.iana.org/assignments/safi-namespace.
SAFI byte
// InheritFromIssuer indicates that the set of addresses should
// be taken from the issuer's certificate.
InheritFromIssuer bool
// AddressPrefixes holds prefixes if InheritFromIssuer is false.
AddressPrefixes []IPAddressPrefix
// AddressRanges holds ranges if InheritFromIssuer is false.
AddressRanges []IPAddressRange
}
// Internal types for asn1 unmarshalling.
type ipAddressFamily struct {
AddressFamily []byte // 2-byte AFI plus optional 1 byte SAFI
Choice asn1.RawValue
}
// Internally, use raw asn1.BitString rather than the IPAddressPrefix
// type alias (so that asn1.Unmarshal() decodes properly).
type ipAddressRange struct {
Min asn1.BitString
Max asn1.BitString
}
func parseRPKIAddrBlocks(data []byte, nfe *NonFatalErrors) []*IPAddressFamilyBlocks {
// RFC 3779 2.2.3
// IPAddrBlocks ::= SEQUENCE OF IPAddressFamily
//
// IPAddressFamily ::= SEQUENCE { -- AFI & optional SAFI --
// addressFamily OCTET STRING (SIZE (2..3)),
// ipAddressChoice IPAddressChoice }
//
// IPAddressChoice ::= CHOICE {
// inherit NULL, -- inherit from issuer --
// addressesOrRanges SEQUENCE OF IPAddressOrRange }
//
// IPAddressOrRange ::= CHOICE {
// addressPrefix IPAddress,
// addressRange IPAddressRange }
//
// IPAddressRange ::= SEQUENCE {
// min IPAddress,
// max IPAddress }
//
// IPAddress ::= BIT STRING
var addrBlocks []ipAddressFamily
if rest, err := asn1.Unmarshal(data, &addrBlocks); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ipAddrBlocks extension: %v", err))
return nil
} else if len(rest) != 0 {
nfe.AddError(errors.New("trailing data after ipAddrBlocks extension"))
return nil
}
var results []*IPAddressFamilyBlocks
for i, block := range addrBlocks {
var fam IPAddressFamilyBlocks
if l := len(block.AddressFamily); l < 2 || l > 3 {
nfe.AddError(fmt.Errorf("invalid address family length (%d) for ipAddrBlock.addressFamily", l))
continue
}
fam.AFI = binary.BigEndian.Uint16(block.AddressFamily[0:2])
if len(block.AddressFamily) > 2 {
fam.SAFI = block.AddressFamily[2]
}
// IPAddressChoice is an ASN.1 CHOICE where the chosen alternative is indicated by (implicit)
// tagging of the alternatives -- here, either NULL or SEQUENCE OF.
if bytes.Equal(block.Choice.FullBytes, asn1.NullBytes) {
fam.InheritFromIssuer = true
results = append(results, &fam)
continue
}
var addrRanges []asn1.RawValue
if _, err := asn1.Unmarshal(block.Choice.FullBytes, &addrRanges); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ipAddrBlocks[%d].ipAddressChoice.addressesOrRanges: %v", i, err))
continue
}
for j, ar := range addrRanges {
// Each IPAddressOrRange is a CHOICE where the alternatives have distinct (implicit)
// tags -- here, either BIT STRING or SEQUENCE.
switch ar.Tag {
case asn1.TagBitString:
// BIT STRING for single prefix IPAddress
var val asn1.BitString
if _, err := asn1.Unmarshal(ar.FullBytes, &val); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ipAddrBlocks[%d].ipAddressChoice.addressesOrRanges[%d].addressPrefix: %v", i, j, err))
continue
}
fam.AddressPrefixes = append(fam.AddressPrefixes, IPAddressPrefix(val))
case asn1.TagSequence:
var val ipAddressRange
if _, err := asn1.Unmarshal(ar.FullBytes, &val); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ipAddrBlocks[%d].ipAddressChoice.addressesOrRanges[%d].addressRange: %v", i, j, err))
continue
}
fam.AddressRanges = append(fam.AddressRanges, IPAddressRange{Min: IPAddressPrefix(val.Min), Max: IPAddressPrefix(val.Max)})
default:
nfe.AddError(fmt.Errorf("unexpected ASN.1 type in ipAddrBlocks[%d].ipAddressChoice.addressesOrRanges[%d]: %+v", i, j, ar))
}
}
results = append(results, &fam)
}
return results
}
// ASIDRange describes an inclusive range of AS Identifiers (AS numbers or routing
// domain identifiers).
type ASIDRange struct {
Min int
Max int
}
// ASIdentifiers describes a collection of AS Identifiers (AS numbers or routing
// domain identifiers).
type ASIdentifiers struct {
// InheritFromIssuer indicates that the set of AS identifiers should
// be taken from the issuer's certificate.
InheritFromIssuer bool
// ASIDs holds AS identifiers if InheritFromIssuer is false.
ASIDs []int
// ASIDs holds AS identifier ranges (inclusive) if InheritFromIssuer is false.
ASIDRanges []ASIDRange
}
type asIdentifiers struct {
ASNum asn1.RawValue `asn1:"optional,tag:0"`
RDI asn1.RawValue `asn1:"optional,tag:1"`
}
func parseASIDChoice(val asn1.RawValue, nfe *NonFatalErrors) *ASIdentifiers {
// RFC 3779 2.3.2
// ASIdentifierChoice ::= CHOICE {
// inherit NULL, -- inherit from issuer --
// asIdsOrRanges SEQUENCE OF ASIdOrRange }
// ASIdOrRange ::= CHOICE {
// id ASId,
// range ASRange }
// ASRange ::= SEQUENCE {
// min ASId,
// max ASId }
// ASId ::= INTEGER
if len(val.FullBytes) == 0 { // OPTIONAL
return nil
}
// ASIdentifierChoice is an ASN.1 CHOICE where the chosen alternative is indicated by (implicit)
// tagging of the alternatives -- here, either NULL or SEQUENCE OF.
if bytes.Equal(val.Bytes, asn1.NullBytes) {
return &ASIdentifiers{InheritFromIssuer: true}
}
var ids []asn1.RawValue
if rest, err := asn1.Unmarshal(val.Bytes, &ids); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ASIdentifiers.asIdsOrRanges: %v", err))
return nil
} else if len(rest) != 0 {
nfe.AddError(errors.New("trailing data after ASIdentifiers.asIdsOrRanges"))
return nil
}
var asID ASIdentifiers
for i, id := range ids {
// Each ASIdOrRange is a CHOICE where the alternatives have distinct (implicit)
// tags -- here, either INTEGER or SEQUENCE.
switch id.Tag {
case asn1.TagInteger:
var val int
if _, err := asn1.Unmarshal(id.FullBytes, &val); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ASIdentifiers.asIdsOrRanges[%d].id: %v", i, err))
continue
}
asID.ASIDs = append(asID.ASIDs, val)
case asn1.TagSequence:
var val ASIDRange
if _, err := asn1.Unmarshal(id.FullBytes, &val); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ASIdentifiers.asIdsOrRanges[%d].range: %v", i, err))
continue
}
asID.ASIDRanges = append(asID.ASIDRanges, val)
default:
nfe.AddError(fmt.Errorf("unexpected value in ASIdentifiers.asIdsOrRanges[%d]: %+v", i, id))
}
}
return &asID
}
func parseRPKIASIdentifiers(data []byte, nfe *NonFatalErrors) (*ASIdentifiers, *ASIdentifiers) {
// RFC 3779 2.3.2
// ASIdentifiers ::= SEQUENCE {
// asnum [0] EXPLICIT ASIdentifierChoice OPTIONAL,
// rdi [1] EXPLICIT ASIdentifierChoice OPTIONAL}
var asIDs asIdentifiers
if rest, err := asn1.Unmarshal(data, &asIDs); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ASIdentifiers extension: %v", err))
return nil, nil
} else if len(rest) != 0 {
nfe.AddError(errors.New("trailing data after ASIdentifiers extension"))
return nil, nil
}
return parseASIDChoice(asIDs.ASNum, nfe), parseASIDChoice(asIDs.RDI, nfe)
}

5
vendor/github.com/google/certificate-transparency-go/x509/sec1.go generated vendored
View File

@@ -72,11 +72,12 @@ func parseECPrivateKey(namedCurveOID *asn1.ObjectIdentifier, der []byte) (key *e
return nil, fmt.Errorf("x509: unknown EC private key version %d", privKey.Version)
}
var nfe NonFatalErrors
var curve elliptic.Curve
if namedCurveOID != nil {
curve = namedCurveFromOID(*namedCurveOID)
curve = namedCurveFromOID(*namedCurveOID, &nfe)
} else {
curve = namedCurveFromOID(privKey.NamedCurveOID)
curve = namedCurveFromOID(privKey.NamedCurveOID, &nfe)
}
if curve == nil {
return nil, errors.New("x509: unknown elliptic curve")

119
vendor/github.com/google/certificate-transparency-go/x509/verify.go generated vendored
View File

@@ -12,9 +12,12 @@ import (
"net/url"
"reflect"
"runtime"
"strconv"
"strings"
"time"
"unicode/utf8"
"github.com/google/certificate-transparency-go/asn1"
)
type InvalidReason int
@@ -174,19 +177,29 @@ var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificat
// VerifyOptions contains parameters for Certificate.Verify. It's a structure
// because other PKIX verification APIs have ended up needing many options.
type VerifyOptions struct {
DNSName string
Intermediates *CertPool
Roots *CertPool // if nil, the system roots are used
CurrentTime time.Time // if zero, the current time is used
DisableTimeChecks bool
// KeyUsage specifies which Extended Key Usage values are acceptable.
// An empty list means ExtKeyUsageServerAuth. Key usage is considered a
// constraint down the chain which mirrors Windows CryptoAPI behavior,
// but not the spec. To accept any key usage, include ExtKeyUsageAny.
DNSName string
Intermediates *CertPool
Roots *CertPool // if nil, the system roots are used
CurrentTime time.Time // if zero, the current time is used
// Options to disable various verification checks.
DisableTimeChecks bool
DisableCriticalExtensionChecks bool
DisableNameChecks bool
DisableEKUChecks bool
DisablePathLenChecks bool
DisableNameConstraintChecks bool
// KeyUsage specifies which Extended Key Usage values are acceptable. A leaf
// certificate is accepted if it contains any of the listed values. An empty
// list means ExtKeyUsageServerAuth. To accept any key usage, include
// ExtKeyUsageAny.
//
// Certificate chains are required to nest extended key usage values,
// irrespective of this value. This matches the Windows CryptoAPI behavior,
// but not the spec.
KeyUsages []ExtKeyUsage
// MaxConstraintComparisions is the maximum number of comparisons to
// perform when checking a given certificate's name constraints. If
// zero, a sensible default is used. This limit prevents pathalogical
// zero, a sensible default is used. This limit prevents pathological
// certificates from consuming excessive amounts of CPU time when
// validating.
MaxConstraintComparisions int
@@ -544,11 +557,16 @@ func (c *Certificate) checkNameConstraints(count *int,
return nil
}
const (
checkingAgainstIssuerCert = iota
checkingAgainstLeafCert
)
// ekuPermittedBy returns true iff the given extended key usage is permitted by
// the given EKU from a certificate. Normally, this would be a simple
// comparison plus a special case for the “any” EKU. But, in order to support
// existing certificates, some exceptions are made.
func ekuPermittedBy(eku, certEKU ExtKeyUsage) bool {
func ekuPermittedBy(eku, certEKU ExtKeyUsage, context int) bool {
if certEKU == ExtKeyUsageAny || eku == certEKU {
return true
}
@@ -565,28 +583,33 @@ func ekuPermittedBy(eku, certEKU ExtKeyUsage) bool {
eku = mapServerAuthEKUs(eku)
certEKU = mapServerAuthEKUs(certEKU)
if eku == certEKU ||
// ServerAuth in a CA permits ClientAuth in the leaf.
(eku == ExtKeyUsageClientAuth && certEKU == ExtKeyUsageServerAuth) ||
if eku == certEKU {
return true
}
// If checking a requested EKU against the list in a leaf certificate there
// are fewer exceptions.
if context == checkingAgainstLeafCert {
return false
}
// ServerAuth in a CA permits ClientAuth in the leaf.
return (eku == ExtKeyUsageClientAuth && certEKU == ExtKeyUsageServerAuth) ||
// Any CA may issue an OCSP responder certificate.
eku == ExtKeyUsageOCSPSigning ||
// Code-signing CAs can use Microsoft's commercial and
// kernel-mode EKUs.
((eku == ExtKeyUsageMicrosoftCommercialCodeSigning || eku == ExtKeyUsageMicrosoftKernelCodeSigning) && certEKU == ExtKeyUsageCodeSigning) {
return true
}
return false
(eku == ExtKeyUsageMicrosoftCommercialCodeSigning || eku == ExtKeyUsageMicrosoftKernelCodeSigning) && certEKU == ExtKeyUsageCodeSigning
}
// isValid performs validity checks on c given that it is a candidate to append
// to the chain in currentChain.
func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *VerifyOptions) error {
if len(c.UnhandledCriticalExtensions) > 0 {
if !opts.DisableCriticalExtensionChecks && len(c.UnhandledCriticalExtensions) > 0 {
return UnhandledCriticalExtension{ID: c.UnhandledCriticalExtensions[0]}
}
if len(currentChain) > 0 {
if !opts.DisableNameChecks && len(currentChain) > 0 {
child := currentChain[len(currentChain)-1]
if !bytes.Equal(child.RawIssuer, c.RawSubject) {
return CertificateInvalidError{c, NameMismatch, ""}
@@ -617,7 +640,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
leaf = currentChain[0]
}
if (certType == intermediateCertificate || certType == rootCertificate) && c.hasNameConstraints() {
if !opts.DisableNameConstraintChecks && (certType == intermediateCertificate || certType == rootCertificate) && c.hasNameConstraints() {
sanExtension, ok := leaf.getSANExtension()
if !ok {
// This is the deprecated, legacy case of depending on
@@ -633,8 +656,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
name := string(data)
mailbox, ok := parseRFC2821Mailbox(name)
if !ok {
// This certificate should not have parsed.
return errors.New("x509: internal error: rfc822Name SAN failed to parse")
return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox)
}
if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "email address", name, mailbox,
@@ -646,6 +668,10 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
case nameTypeDNS:
name := string(data)
if _, ok := domainToReverseLabels(name); !ok {
return fmt.Errorf("x509: cannot parse dnsName %q", name)
}
if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "DNS name", name, name,
func(parsedName, constraint interface{}) (bool, error) {
return matchDomainConstraint(parsedName.(string), constraint.(string))
@@ -692,7 +718,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
}
}
checkEKUs := certType == intermediateCertificate
checkEKUs := !opts.DisableEKUChecks && certType == intermediateCertificate
// If no extended key usages are specified, then all are acceptable.
if checkEKUs && (len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0) {
@@ -719,7 +745,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
for _, caEKU := range c.ExtKeyUsage {
comparisonCount++
if ekuPermittedBy(eku, caEKU) {
if ekuPermittedBy(eku, caEKU, checkingAgainstIssuerCert) {
continue NextEKU
}
}
@@ -766,7 +792,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
return CertificateInvalidError{c, NotAuthorizedToSign, ""}
}
if c.BasicConstraintsValid && c.MaxPathLen >= 0 {
if !opts.DisablePathLenChecks && c.BasicConstraintsValid && c.MaxPathLen >= 0 {
numIntermediates := len(currentChain) - 1
if numIntermediates > c.MaxPathLen {
return CertificateInvalidError{c, TooManyIntermediates, ""}
@@ -776,6 +802,18 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
return nil
}
// formatOID formats an ASN.1 OBJECT IDENTIFER in the common, dotted style.
func formatOID(oid asn1.ObjectIdentifier) string {
ret := ""
for i, v := range oid {
if i > 0 {
ret += "."
}
ret += strconv.Itoa(v)
}
return ret
}
// Verify attempts to verify c by building one or more chains from c to a
// certificate in opts.Roots, using certificates in opts.Intermediates if
// needed. If successful, it returns one or more chains where the first
@@ -840,7 +878,7 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
}
// If no key usages are specified, then any are acceptable.
checkEKU := len(c.ExtKeyUsage) > 0
checkEKU := !opts.DisableEKUChecks && len(c.ExtKeyUsage) > 0
for _, eku := range requestedKeyUsages {
if eku == ExtKeyUsageAny {
@@ -850,16 +888,33 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
}
if checkEKU {
foundMatch := false
NextUsage:
for _, eku := range requestedKeyUsages {
for _, leafEKU := range c.ExtKeyUsage {
if ekuPermittedBy(eku, leafEKU) {
continue NextUsage
if ekuPermittedBy(eku, leafEKU, checkingAgainstLeafCert) {
foundMatch = true
break NextUsage
}
}
}
oid, _ := oidFromExtKeyUsage(eku)
return nil, CertificateInvalidError{c, IncompatibleUsage, fmt.Sprintf("%#v", oid)}
if !foundMatch {
msg := "leaf contains the following, recognized EKUs: "
for i, leafEKU := range c.ExtKeyUsage {
oid, ok := oidFromExtKeyUsage(leafEKU)
if !ok {
continue
}
if i > 0 {
msg += ", "
}
msg += formatOID(oid)
}
return nil, CertificateInvalidError{c, IncompatibleUsage, msg}
}
}

345
vendor/github.com/google/certificate-transparency-go/x509/x509.go generated vendored
View File

@@ -8,9 +8,39 @@
// can be used to override the system default locations for the SSL certificate
// file and SSL certificate files directory, respectively.
//
// This is a fork of the go library crypto/x509 package, it's more relaxed
// about certificates that it'll accept, and exports the TBSCertificate
// structure.
// This is a fork of the Go library crypto/x509 package, primarily adapted for
// use with Certificate Transparency. Main areas of difference are:
//
// - Life as a fork:
// - Rename OS-specific cgo code so it doesn't clash with main Go library.
// - Use local library imports (asn1, pkix) throughout.
// - Add version-specific wrappers for Go version-incompatible code (in
// nilref_*_darwin.go, ptr_*_windows.go).
// - Laxer certificate parsing:
// - Add options to disable various validation checks (times, EKUs etc).
// - Use NonFatalErrors type for some errors and continue parsing; this
// can be checked with IsFatal(err).
// - Support for short bitlength ECDSA curves (in curves.go).
// - Certificate Transparency specific function:
// - Parsing and marshaling of SCTList extension.
// - RemoveSCTList() function for rebuilding CT leaf entry.
// - Pre-certificate processing (RemoveCTPoison(), BuildPrecertTBS(),
// ParseTBSCertificate(), IsPrecertificate()).
// - Revocation list processing:
// - Detailed CRL parsing (in revoked.go)
// - Detailed error recording mechanism (in error.go, errors.go)
// - Factor out parseDistributionPoints() for reuse.
// - Factor out and generalize GeneralNames parsing (in names.go)
// - Fix CRL commenting.
// - RPKI support:
// - Support for SubjectInfoAccess extension
// - Support for RFC3779 extensions (in rpki.go)
// - General improvements:
// - Export and use OID values throughout.
// - Export OIDFromNamedCurve().
// - Export SignatureAlgorithmFromAI().
// - Add OID value to UnhandledCriticalExtension error.
// - Minor typo/lint fixes.
package x509
import (
@@ -69,7 +99,16 @@ func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
if algo == UnknownPublicKeyAlgorithm {
return nil, errors.New("x509: unknown public key algorithm")
}
return parsePublicKey(algo, &pki)
var nfe NonFatalErrors
pub, err = parsePublicKey(algo, &pki, &nfe)
if err != nil {
return pub, err
}
// Treat non-fatal errors as fatal for this entrypoint.
if len(nfe.Errors) > 0 {
return nil, nfe.Errors[0]
}
return pub, nil
}
func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
@@ -500,15 +539,21 @@ func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm
// secp521r1 OBJECT IDENTIFIER ::= {
// iso(1) identified-organization(3) certicom(132) curve(0) 35 }
//
// NB: secp256r1 is equivalent to prime256v1
// secp192r1 OBJECT IDENTIFIER ::= {
// iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
// prime(1) 1 }
//
// NB: secp256r1 is equivalent to prime256v1,
// secp192r1 is equivalent to ansix9p192r and prime192v1
var (
OIDNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
OIDNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
OIDNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
OIDNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
OIDNamedCurveP192 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 1}
)
func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
func namedCurveFromOID(oid asn1.ObjectIdentifier, nfe *NonFatalErrors) elliptic.Curve {
switch {
case oid.Equal(OIDNamedCurveP224):
return elliptic.P224()
@@ -518,6 +563,9 @@ func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
return elliptic.P384()
case oid.Equal(OIDNamedCurveP521):
return elliptic.P521()
case oid.Equal(OIDNamedCurveP192):
nfe.AddError(errors.New("insecure curve (secp192r1) specified"))
return secp192r1()
}
return nil
}
@@ -534,6 +582,8 @@ func OIDFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
return OIDNamedCurveP384, true
case elliptic.P521():
return OIDNamedCurveP521, true
case secp192r1():
return OIDNamedCurveP192, true
}
return nil, false
@@ -737,7 +787,13 @@ type Certificate struct {
OCSPServer []string
IssuingCertificateURL []string
// Subject Alternate Name values
// Subject Information Access
SubjectTimestamps []string
SubjectCARepositories []string
// Subject Alternate Name values. (Note that these values may not be valid
// if invalid values were contained within a parsed certificate. For
// example, an element of DNSNames may not be a valid DNS domain name.)
DNSNames []string
EmailAddresses []string
IPAddresses []net.IP
@@ -759,6 +815,9 @@ type Certificate struct {
PolicyIdentifiers []asn1.ObjectIdentifier
RPKIAddressRanges []*IPAddressFamilyBlocks
RPKIASNumbers, RPKIRoutingDomainIDs *ASIdentifiers
// Certificate Transparency SCT extension contents; this is a TLS-encoded
// SignedCertificateTimestampList (RFC 6962 s3.3).
RawSCT []byte
@@ -792,6 +851,20 @@ func (c *Certificate) Equal(other *Certificate) bool {
return bytes.Equal(c.Raw, other.Raw)
}
// IsPrecertificate checks whether the certificate is a precertificate, by
// checking for the presence of the CT Poison extension.
func (c *Certificate) IsPrecertificate() bool {
if c == nil {
return false
}
for _, ext := range c.Extensions {
if ext.Id.Equal(OIDExtensionCTPoison) {
return true
}
}
return false
}
func (c *Certificate) hasSANExtension() bool {
return oidInExtensions(OIDExtensionSubjectAltName, c.Extensions)
}
@@ -995,6 +1068,50 @@ func (h UnhandledCriticalExtension) Error() string {
return fmt.Sprintf("x509: unhandled critical extension (%v)", h.ID)
}
// removeExtension takes a DER-encoded TBSCertificate, removes the extension
// specified by oid (preserving the order of other extensions), and returns the
// result still as a DER-encoded TBSCertificate. This function will fail if
// there is not exactly 1 extension of the type specified by the oid present.
func removeExtension(tbsData []byte, oid asn1.ObjectIdentifier) ([]byte, error) {
var tbs tbsCertificate
rest, err := asn1.Unmarshal(tbsData, &tbs)
if err != nil {
return nil, fmt.Errorf("failed to parse TBSCertificate: %v", err)
} else if rLen := len(rest); rLen > 0 {
return nil, fmt.Errorf("trailing data (%d bytes) after TBSCertificate", rLen)
}
extAt := -1
for i, ext := range tbs.Extensions {
if ext.Id.Equal(oid) {
if extAt != -1 {
return nil, errors.New("multiple extensions of specified type present")
}
extAt = i
}
}
if extAt == -1 {
return nil, errors.New("no extension of specified type present")
}
tbs.Extensions = append(tbs.Extensions[:extAt], tbs.Extensions[extAt+1:]...)
// Clear out the asn1.RawContent so the re-marshal operation sees the
// updated structure (rather than just copying the out-of-date DER data).
tbs.Raw = nil
data, err := asn1.Marshal(tbs)
if err != nil {
return nil, fmt.Errorf("failed to re-marshal TBSCertificate: %v", err)
}
return data, nil
}
// RemoveSCTList takes a DER-encoded TBSCertificate and removes the CT SCT
// extension that contains the SCT list (preserving the order of other
// extensions), and returns the result still as a DER-encoded TBSCertificate.
// This function will fail if there is not exactly 1 CT SCT extension present.
func RemoveSCTList(tbsData []byte) ([]byte, error) {
return removeExtension(tbsData, OIDExtensionCTSCT)
}
// RemoveCTPoison takes a DER-encoded TBSCertificate and removes the CT poison
// extension (preserving the order of other extensions), and returns the result
// still as a DER-encoded TBSCertificate. This function will fail if there is
@@ -1019,27 +1136,18 @@ func RemoveCTPoison(tbsData []byte) ([]byte, error) {
// - The precert's AuthorityKeyId is changed to the AuthorityKeyId of the
// intermediate.
func BuildPrecertTBS(tbsData []byte, preIssuer *Certificate) ([]byte, error) {
data, err := removeExtension(tbsData, OIDExtensionCTPoison)
if err != nil {
return nil, err
}
var tbs tbsCertificate
rest, err := asn1.Unmarshal(tbsData, &tbs)
rest, err := asn1.Unmarshal(data, &tbs)
if err != nil {
return nil, fmt.Errorf("failed to parse TBSCertificate: %v", err)
} else if rLen := len(rest); rLen > 0 {
return nil, fmt.Errorf("trailing data (%d bytes) after TBSCertificate", rLen)
}
poisonAt := -1
for i, ext := range tbs.Extensions {
if ext.Id.Equal(OIDExtensionCTPoison) {
if poisonAt != -1 {
return nil, errors.New("multiple CT poison extensions present")
}
poisonAt = i
}
}
if poisonAt == -1 {
return nil, errors.New("no CT poison extension present")
}
tbs.Extensions = append(tbs.Extensions[:poisonAt], tbs.Extensions[poisonAt+1:]...)
tbs.Raw = nil
if preIssuer != nil {
// Update the precert's Issuer field. Use the RawIssuer rather than the
@@ -1092,9 +1200,13 @@ func BuildPrecertTBS(tbsData []byte, preIssuer *Certificate) ([]byte, error) {
}
tbs.Extensions = append(tbs.Extensions, authKeyIDExt)
}
// Clear out the asn1.RawContent so the re-marshal operation sees the
// updated structure (rather than just copying the out-of-date DER data).
tbs.Raw = nil
}
data, err := asn1.Marshal(tbs)
data, err = asn1.Marshal(tbs)
if err != nil {
return nil, fmt.Errorf("failed to re-marshal TBSCertificate: %v", err)
}
@@ -1120,7 +1232,7 @@ const (
)
// RFC 5280, 4.2.2.1
type authorityInfoAccess struct {
type accessDescription struct {
Method asn1.ObjectIdentifier
Location asn1.RawValue
}
@@ -1137,14 +1249,14 @@ type distributionPointName struct {
RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
}
func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo, nfe *NonFatalErrors) (interface{}, error) {
asn1Data := keyData.PublicKey.RightAlign()
switch algo {
case RSA:
// RSA public keys must have a NULL in the parameters
// (https://tools.ietf.org/html/rfc3279#section-2.3.1).
if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) {
return nil, errors.New("x509: RSA key missing NULL parameters")
nfe.AddError(errors.New("x509: RSA key missing NULL parameters"))
}
p := new(pkcs1PublicKey)
@@ -1208,9 +1320,9 @@ func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{
if len(rest) != 0 {
return nil, errors.New("x509: trailing data after ECDSA parameters")
}
namedCurve := namedCurveFromOID(*namedCurveOID)
namedCurve := namedCurveFromOID(*namedCurveOID, nfe)
if namedCurve == nil {
return nil, errors.New("x509: unsupported elliptic curve")
return nil, fmt.Errorf("x509: unsupported elliptic curve %v", namedCurveOID)
}
x, y := elliptic.Unmarshal(namedCurve, asn1Data)
if x == nil {
@@ -1235,7 +1347,7 @@ type NonFatalErrors struct {
Errors []error
}
// Adds an error to the list of errors contained by NonFatalErrors.
// AddError adds an error to the list of errors contained by NonFatalErrors.
func (e *NonFatalErrors) AddError(err error) {
e.Errors = append(e.Errors, err)
}
@@ -1250,11 +1362,25 @@ func (e NonFatalErrors) Error() string {
return r
}
// Returns true if |e| contains at least one error
// HasError returns true if |e| contains at least one error
func (e *NonFatalErrors) HasError() bool {
return len(e.Errors) > 0
}
// IsFatal indicates whether an error is fatal.
func IsFatal(err error) bool {
if err == nil {
return false
}
if _, ok := err.(NonFatalErrors); ok {
return false
}
if errs, ok := err.(*Errors); ok {
return errs.Fatal()
}
return true
}
func parseDistributionPoints(data []byte, crldp *[]string) error {
// CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
//
@@ -1337,17 +1463,9 @@ func parseSANExtension(value []byte, nfe *NonFatalErrors) (dnsNames, emailAddres
err = forEachSAN(value, func(tag int, data []byte) error {
switch tag {
case nameTypeEmail:
mailbox := string(data)
if _, ok := parseRFC2821Mailbox(mailbox); !ok {
return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox)
}
emailAddresses = append(emailAddresses, mailbox)
emailAddresses = append(emailAddresses, string(data))
case nameTypeDNS:
domain := string(data)
if _, ok := domainToReverseLabels(domain); !ok {
return fmt.Errorf("x509: cannot parse dnsName %q", string(data))
}
dnsNames = append(dnsNames, domain)
dnsNames = append(dnsNames, string(data))
case nameTypeURI:
uri, err := url.Parse(string(data))
if err != nil {
@@ -1364,7 +1482,7 @@ func parseSANExtension(value []byte, nfe *NonFatalErrors) (dnsNames, emailAddres
case net.IPv4len, net.IPv6len:
ipAddresses = append(ipAddresses, data)
default:
nfe.AddError(fmt.Errorf("x509: certificate contained IP address of length %d : %v", len(data), data))
nfe.AddError(errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data))))
}
}
@@ -1399,7 +1517,7 @@ func isValidIPMask(mask []byte) bool {
return true
}
func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) {
func parseNameConstraintsExtension(out *Certificate, e pkix.Extension, nfe *NonFatalErrors) (unhandled bool, err error) {
// RFC 5280, 4.2.1.10
// NameConstraints ::= SEQUENCE {
@@ -1466,7 +1584,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
trimmedDomain = trimmedDomain[1:]
}
if _, ok := domainToReverseLabels(trimmedDomain); !ok {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
nfe.AddError(fmt.Errorf("x509: failed to parse dnsName constraint %q", domain))
}
dnsNames = append(dnsNames, domain)
@@ -1503,7 +1621,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
// it specifies an exact mailbox name.
if strings.Contains(constraint, "@") {
if _, ok := parseRFC2821Mailbox(constraint); !ok {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
nfe.AddError(fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint))
}
} else {
// Otherwise it's a domain name.
@@ -1512,7 +1630,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
domain = domain[1:]
}
if _, ok := domainToReverseLabels(domain); !ok {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
nfe.AddError(fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint))
}
}
emails = append(emails, constraint)
@@ -1536,7 +1654,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
trimmedDomain = trimmedDomain[1:]
}
if _, ok := domainToReverseLabels(trimmedDomain); !ok {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
nfe.AddError(fmt.Errorf("x509: failed to parse URI constraint %q", domain))
}
uriDomains = append(uriDomains, domain)
@@ -1575,7 +1693,7 @@ func parseCertificate(in *certificate) (*Certificate, error) {
out.PublicKeyAlgorithm =
getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorithm.Algorithm)
var err error
out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey)
out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey, &nfe)
if err != nil {
return nil, err
}
@@ -1651,7 +1769,7 @@ func parseCertificate(in *certificate) (*Certificate, error) {
}
case OIDExtensionNameConstraints[3]:
unhandled, err = parseNameConstraintsExtension(out, e)
unhandled, err = parseNameConstraintsExtension(out, e, &nfe)
if err != nil {
return nil, err
}
@@ -1682,10 +1800,14 @@ func parseCertificate(in *certificate) (*Certificate, error) {
// KeyPurposeId ::= OBJECT IDENTIFIER
var keyUsage []asn1.ObjectIdentifier
if rest, err := asn1.Unmarshal(e.Value, &keyUsage); err != nil {
return nil, err
} else if len(rest) != 0 {
return nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage")
if len(e.Value) == 0 {
nfe.AddError(errors.New("x509: empty ExtendedKeyUsage"))
} else {
if rest, err := asn1.Unmarshal(e.Value, &keyUsage); err != nil {
return nil, err
} else if len(rest) != 0 {
return nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage")
}
}
for _, u := range keyUsage {
@@ -1725,12 +1847,15 @@ func parseCertificate(in *certificate) (*Certificate, error) {
}
} else if e.Id.Equal(OIDExtensionAuthorityInfoAccess) {
// RFC 5280 4.2.2.1: Authority Information Access
var aia []authorityInfoAccess
var aia []accessDescription
if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil {
return nil, err
} else if len(rest) != 0 {
return nil, errors.New("x509: trailing data after X.509 authority information")
}
if len(aia) == 0 {
nfe.AddError(errors.New("x509: empty AuthorityInfoAccess extension"))
}
for _, v := range aia {
// GeneralName: uniformResourceIdentifier [6] IA5String
@@ -1743,6 +1868,34 @@ func parseCertificate(in *certificate) (*Certificate, error) {
out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(v.Location.Bytes))
}
}
} else if e.Id.Equal(OIDExtensionSubjectInfoAccess) {
// RFC 5280 4.2.2.2: Subject Information Access
var sia []accessDescription
if rest, err := asn1.Unmarshal(e.Value, &sia); err != nil {
return nil, err
} else if len(rest) != 0 {
return nil, errors.New("x509: trailing data after X.509 subject information")
}
if len(sia) == 0 {
nfe.AddError(errors.New("x509: empty SubjectInfoAccess extension"))
}
for _, v := range sia {
// TODO(drysdale): cope with non-URI types of GeneralName
// GeneralName: uniformResourceIdentifier [6] IA5String
if v.Location.Tag != 6 {
continue
}
if v.Method.Equal(OIDSubjectInfoAccessTimestamp) {
out.SubjectTimestamps = append(out.SubjectTimestamps, string(v.Location.Bytes))
} else if v.Method.Equal(OIDSubjectInfoAccessCARepo) {
out.SubjectCARepositories = append(out.SubjectCARepositories, string(v.Location.Bytes))
}
}
} else if e.Id.Equal(OIDExtensionIPPrefixList) {
out.RPKIAddressRanges = parseRPKIAddrBlocks(e.Value, &nfe)
} else if e.Id.Equal(OIDExtensionASList) {
out.RPKIASNumbers, out.RPKIRoutingDomainIDs = parseRPKIASIdentifiers(e.Value, &nfe)
} else if e.Id.Equal(OIDExtensionCTSCT) {
if rest, err := asn1.Unmarshal(e.Value, &out.RawSCT); err != nil {
nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal SCT list extension: %v", err))
@@ -1787,6 +1940,8 @@ func ParseTBSCertificate(asn1Data []byte) (*Certificate, error) {
}
// ParseCertificate parses a single certificate from the given ASN.1 DER data.
// This function can return both a Certificate and an error (in which case the
// error will be of type NonFatalErrors).
func ParseCertificate(asn1Data []byte) (*Certificate, error) {
var cert certificate
rest, err := asn1.Unmarshal(asn1Data, &cert)
@@ -1802,6 +1957,8 @@ func ParseCertificate(asn1Data []byte) (*Certificate, error) {
// ParseCertificates parses one or more certificates from the given ASN.1 DER
// data. The certificates must be concatenated with no intermediate padding.
// This function can return both a slice of Certificate and an error (in which
// case the error will be of type NonFatalErrors).
func ParseCertificates(asn1Data []byte) ([]*Certificate, error) {
var v []*certificate
@@ -1815,15 +1972,23 @@ func ParseCertificates(asn1Data []byte) ([]*Certificate, error) {
v = append(v, cert)
}
var nfe NonFatalErrors
ret := make([]*Certificate, len(v))
for i, ci := range v {
cert, err := parseCertificate(ci)
if err != nil {
return nil, err
if errs, ok := err.(NonFatalErrors); !ok {
return nil, err
} else {
nfe.Errors = append(nfe.Errors, errs.Errors...)
}
}
ret[i] = cert
}
if nfe.HasError() {
return ret, nfe
}
return ret, nil
}
@@ -1875,15 +2040,23 @@ var (
OIDExtensionAuthorityInfoAccess = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}
OIDExtensionSubjectInfoAccess = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11}
// OIDExtensionCTPoison is defined in RFC 6962 s3.1.
OIDExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
// OIDExtensionCTSCT is defined in RFC 6962 s3.3.
OIDExtensionCTSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
// OIDExtensionIPPrefixList is defined in RFC 3779 s2.
OIDExtensionIPPrefixList = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 7}
// OIDExtensionASList is defined in RFC 3779 s3.
OIDExtensionASList = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 8}
)
var (
OIDAuthorityInfoAccessOCSP = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
OIDAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
OIDSubjectInfoAccessTimestamp = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 3}
OIDSubjectInfoAccessCARepo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 5}
OIDAnyPolicy = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
)
// oidInExtensions returns whether an extension with the given oid exists in
@@ -1932,7 +2105,7 @@ func isIA5String(s string) error {
}
func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte) (ret []pkix.Extension, err error) {
ret = make([]pkix.Extension, 11 /* maximum number of elements. */)
ret = make([]pkix.Extension, 12 /* maximum number of elements. */)
n := 0
if template.KeyUsage != 0 &&
@@ -2017,15 +2190,15 @@ func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId
if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
!oidInExtensions(OIDExtensionAuthorityInfoAccess, template.ExtraExtensions) {
ret[n].Id = OIDExtensionAuthorityInfoAccess
var aiaValues []authorityInfoAccess
var aiaValues []accessDescription
for _, name := range template.OCSPServer {
aiaValues = append(aiaValues, authorityInfoAccess{
aiaValues = append(aiaValues, accessDescription{
Method: OIDAuthorityInfoAccessOCSP,
Location: asn1.RawValue{Tag: 6, Class: asn1.ClassContextSpecific, Bytes: []byte(name)},
})
}
for _, name := range template.IssuingCertificateURL {
aiaValues = append(aiaValues, authorityInfoAccess{
aiaValues = append(aiaValues, accessDescription{
Method: OIDAuthorityInfoAccessIssuers,
Location: asn1.RawValue{Tag: 6, Class: asn1.ClassContextSpecific, Bytes: []byte(name)},
})
@@ -2037,6 +2210,29 @@ func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId
n++
}
if len(template.SubjectTimestamps) > 0 || len(template.SubjectCARepositories) > 0 &&
!oidInExtensions(OIDExtensionSubjectInfoAccess, template.ExtraExtensions) {
ret[n].Id = OIDExtensionSubjectInfoAccess
var siaValues []accessDescription
for _, ts := range template.SubjectTimestamps {
siaValues = append(siaValues, accessDescription{
Method: OIDSubjectInfoAccessTimestamp,
Location: asn1.RawValue{Tag: 6, Class: asn1.ClassContextSpecific, Bytes: []byte(ts)},
})
}
for _, repo := range template.SubjectCARepositories {
siaValues = append(siaValues, accessDescription{
Method: OIDSubjectInfoAccessCARepo,
Location: asn1.RawValue{Tag: 6, Class: asn1.ClassContextSpecific, Bytes: []byte(repo)},
})
}
ret[n].Value, err = asn1.Marshal(siaValues)
if err != nil {
return
}
n++
}
if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
!oidInExtensions(OIDExtensionSubjectAltName, template.ExtraExtensions) {
ret[n].Id = OIDExtensionSubjectAltName
@@ -2290,12 +2486,25 @@ func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgori
var emptyASN1Subject = []byte{0x30, 0}
// CreateCertificate creates a new X.509v3 certificate based on a template.
// The following members of template are used: AuthorityKeyId,
// BasicConstraintsValid, DNSNames, ExcludedDNSDomains, ExtKeyUsage,
// IsCA, KeyUsage, MaxPathLen, MaxPathLenZero, NotAfter, NotBefore,
// PermittedDNSDomains, PermittedDNSDomainsCritical, SerialNumber,
// SignatureAlgorithm, Subject, SubjectKeyId, UnknownExtKeyUsage,
// and RawSCT.
// The following members of template are used:
// - SerialNumber
// - Subject
// - NotBefore, NotAfter
// - SignatureAlgorithm
// - For extensions:
// - KeyUsage
// - ExtKeyUsage
// - BasicConstraintsValid, IsCA, MaxPathLen, MaxPathLenZero
// - SubjectKeyId
// - AuthorityKeyId
// - OCSPServer, IssuingCertificateURL
// - SubjectTimestamps, SubjectCARepositories
// - DNSNames, EmailAddresses, IPAddresses, URIs
// - PolicyIdentifiers
// - ExcludedDNSDomains, ExcludedIPRanges, ExcludedEmailAddresses, ExcludedURIDomains, PermittedDNSDomainsCritical,
// PermittedDNSDomains, PermittedIPRanges, PermittedEmailAddresses, PermittedURIDomains
// - CRLDistributionPoints
// - RawSCT, SCTList
//
// The certificate is signed by parent. If parent is equal to template then the
// certificate is self-signed. The parameter pub is the public key of the
@@ -2804,10 +3013,15 @@ func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error
}
var err error
out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey)
var nfe NonFatalErrors
out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey, &nfe)
if err != nil {
return nil, err
}
// Treat non-fatal errors as fatal here.
if len(nfe.Errors) > 0 {
return nil, nfe.Errors[0]
}
var subject pkix.RDNSequence
if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil {
@@ -2822,7 +3036,6 @@ func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error
return nil, err
}
var nfe NonFatalErrors
for _, extension := range out.Extensions {
if extension.Id.Equal(OIDExtensionSubjectAltName) {
out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value, &nfe)