Replace embedded X509 parser with my own lightweight parser
This commit is contained in:
parent
5ccf9fdcd3
commit
a071e9490a
|
@ -0,0 +1,65 @@
|
||||||
|
package ctwatch
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"bytes"
|
||||||
|
"encoding/binary"
|
||||||
|
"encoding/asn1"
|
||||||
|
)
|
||||||
|
|
||||||
|
func stringFromByteSlice (chars []byte) string {
|
||||||
|
runes := make([]rune, len(chars))
|
||||||
|
for i, ch := range chars {
|
||||||
|
runes[i] = rune(ch)
|
||||||
|
}
|
||||||
|
return string(runes)
|
||||||
|
}
|
||||||
|
|
||||||
|
func stringFromUint16Slice (chars []uint16) string {
|
||||||
|
runes := make([]rune, len(chars))
|
||||||
|
for i, ch := range chars {
|
||||||
|
runes[i] = rune(ch)
|
||||||
|
}
|
||||||
|
return string(runes)
|
||||||
|
}
|
||||||
|
|
||||||
|
func stringFromUint32Slice (chars []uint32) string {
|
||||||
|
runes := make([]rune, len(chars))
|
||||||
|
for i, ch := range chars {
|
||||||
|
runes[i] = rune(ch)
|
||||||
|
}
|
||||||
|
return string(runes)
|
||||||
|
}
|
||||||
|
|
||||||
|
func decodeASN1String (value *asn1.RawValue) (string, error) {
|
||||||
|
if !value.IsCompound && value.Class == 0 {
|
||||||
|
if value.Tag == 12 {
|
||||||
|
// UTF8String
|
||||||
|
return string(value.Bytes), nil
|
||||||
|
} else if value.Tag == 19 || value.Tag == 22 || value.Tag == 20 {
|
||||||
|
// * PrintableString - subset of ASCII
|
||||||
|
// * IA5String - ASCII
|
||||||
|
// * TeletexString - 8 bit charset; not quite ISO-8859-1, but often treated as such
|
||||||
|
|
||||||
|
// Don't enforce character set rules. Allow any 8 bit character, since
|
||||||
|
// CAs routinely mess this up
|
||||||
|
return stringFromByteSlice(value.Bytes), nil
|
||||||
|
} else if value.Tag == 30 {
|
||||||
|
// BMPString - Unicode, encoded in big-endian format using two octets
|
||||||
|
runes := make([]uint16, len(value.Bytes) / 2)
|
||||||
|
if err := binary.Read(bytes.NewReader(value.Bytes), binary.BigEndian, runes); err != nil {
|
||||||
|
return "", errors.New("Malformed BMPString: " + err.Error())
|
||||||
|
}
|
||||||
|
return stringFromUint16Slice(runes), nil
|
||||||
|
} else if value.Tag == 28 {
|
||||||
|
// UniversalString - Unicode, encoded in big-endian format using four octets
|
||||||
|
runes := make([]uint32, len(value.Bytes) / 4)
|
||||||
|
if err := binary.Read(bytes.NewReader(value.Bytes), binary.BigEndian, runes); err != nil {
|
||||||
|
return "", errors.New("Malformed UniversalString: " + err.Error())
|
||||||
|
}
|
||||||
|
return stringFromUint32Slice(runes), nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return "", errors.New("Not a string")
|
||||||
|
}
|
||||||
|
|
|
@ -59,7 +59,7 @@ func LogEntry (info *ctwatch.EntryInfo) {
|
||||||
if !*noSave {
|
if !*noSave {
|
||||||
var alreadyPresent bool
|
var alreadyPresent bool
|
||||||
var err error
|
var err error
|
||||||
alreadyPresent, info.Filename, err = ctwatch.WriteCertRepository(filepath.Join(stateDir, "certs"), info.Entry)
|
alreadyPresent, info.Filename, err = ctwatch.WriteCertRepository(filepath.Join(stateDir, "certs"), info.IsPrecert, info.FullChain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Print(err)
|
log.Print(err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -65,25 +65,17 @@ func processEntry (scanner *ctwatch.Scanner, entry *ct.LogEntry) {
|
||||||
info := ctwatch.EntryInfo{
|
info := ctwatch.EntryInfo{
|
||||||
LogUri: scanner.LogUri,
|
LogUri: scanner.LogUri,
|
||||||
Entry: entry,
|
Entry: entry,
|
||||||
|
IsPrecert: ctwatch.IsPrecert(entry),
|
||||||
|
FullChain: ctwatch.GetFullChain(entry),
|
||||||
}
|
}
|
||||||
|
|
||||||
// Extract DNS names
|
info.CertInfo, info.ParseError = ctwatch.MakeCertInfo(entry)
|
||||||
var dnsNames []string
|
|
||||||
dnsNames, info.ParseError = ctwatch.EntryDNSNames(entry)
|
|
||||||
|
|
||||||
if info.ParseError == nil {
|
if info.ParseError == nil && info.CertInfo.DNSNamesParseError == nil {
|
||||||
// Match DNS names
|
// Match DNS names
|
||||||
if !anyDnsNameMatches(dnsNames) {
|
if !anyDnsNameMatches(info.CertInfo.DNSNames) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse the certificate
|
|
||||||
info.ParsedCert, info.ParseError = ctwatch.ParseEntryCertificate(entry)
|
|
||||||
if info.ParsedCert != nil {
|
|
||||||
info.CertInfo = ctwatch.MakeCertInfo(info.ParsedCert)
|
|
||||||
} else {
|
|
||||||
info.CertInfo.DnsNames = dnsNames
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd.LogEntry(&info)
|
cmd.LogEntry(&info)
|
||||||
|
|
956
ct/asn1/asn1.go
956
ct/asn1/asn1.go
|
@ -1,956 +0,0 @@
|
||||||
// Copyright 2009 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// Package asn1 implements parsing of DER-encoded ASN.1 data structures,
|
|
||||||
// as defined in ITU-T Rec X.690.
|
|
||||||
//
|
|
||||||
// See also ``A Layman's Guide to a Subset of ASN.1, BER, and DER,''
|
|
||||||
// http://luca.ntop.org/Teaching/Appunti/asn1.html.
|
|
||||||
//
|
|
||||||
// START CT CHANGES
|
|
||||||
// This is a fork of the Go standard library ASN.1 implementation
|
|
||||||
// (encoding/asn1). The main difference is that this version tries to correct
|
|
||||||
// for errors (e.g. use of tagPrintableString when the string data is really
|
|
||||||
// ISO8859-1 - a common error present in many x509 certificates in the wild.)
|
|
||||||
// END CT CHANGES
|
|
||||||
package asn1
|
|
||||||
|
|
||||||
// ASN.1 is a syntax for specifying abstract objects and BER, DER, PER, XER etc
|
|
||||||
// are different encoding formats for those objects. Here, we'll be dealing
|
|
||||||
// with DER, the Distinguished Encoding Rules. DER is used in X.509 because
|
|
||||||
// it's fast to parse and, unlike BER, has a unique encoding for every object.
|
|
||||||
// When calculating hashes over objects, it's important that the resulting
|
|
||||||
// bytes be the same at both ends and DER removes this margin of error.
|
|
||||||
//
|
|
||||||
// ASN.1 is very complex and this package doesn't attempt to implement
|
|
||||||
// everything by any means.
|
|
||||||
|
|
||||||
import (
|
|
||||||
// START CT CHANGES
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
|
||||||
// END CT CHANGES
|
|
||||||
"math/big"
|
|
||||||
"reflect"
|
|
||||||
// START CT CHANGES
|
|
||||||
"strings"
|
|
||||||
// END CT CHANGES
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
// A StructuralError suggests that the ASN.1 data is valid, but the Go type
|
|
||||||
// which is receiving it doesn't match.
|
|
||||||
type StructuralError struct {
|
|
||||||
Msg string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (e StructuralError) Error() string { return "asn1: structure error: " + e.Msg }
|
|
||||||
|
|
||||||
// A SyntaxError suggests that the ASN.1 data is invalid.
|
|
||||||
type SyntaxError struct {
|
|
||||||
Msg string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (e SyntaxError) Error() string { return "asn1: syntax error: " + e.Msg }
|
|
||||||
|
|
||||||
// We start by dealing with each of the primitive types in turn.
|
|
||||||
|
|
||||||
// BOOLEAN
|
|
||||||
|
|
||||||
func parseBool(bytes []byte) (ret bool, err error) {
|
|
||||||
if len(bytes) != 1 {
|
|
||||||
err = SyntaxError{"invalid boolean"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DER demands that "If the encoding represents the boolean value TRUE,
|
|
||||||
// its single contents octet shall have all eight bits set to one."
|
|
||||||
// Thus only 0 and 255 are valid encoded values.
|
|
||||||
switch bytes[0] {
|
|
||||||
case 0:
|
|
||||||
ret = false
|
|
||||||
case 0xff:
|
|
||||||
ret = true
|
|
||||||
default:
|
|
||||||
err = SyntaxError{"invalid boolean"}
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// INTEGER
|
|
||||||
|
|
||||||
// parseInt64 treats the given bytes as a big-endian, signed integer and
|
|
||||||
// returns the result.
|
|
||||||
func parseInt64(bytes []byte) (ret int64, err error) {
|
|
||||||
if len(bytes) > 8 {
|
|
||||||
// We'll overflow an int64 in this case.
|
|
||||||
err = StructuralError{"integer too large"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
for bytesRead := 0; bytesRead < len(bytes); bytesRead++ {
|
|
||||||
ret <<= 8
|
|
||||||
ret |= int64(bytes[bytesRead])
|
|
||||||
}
|
|
||||||
|
|
||||||
// Shift up and down in order to sign extend the result.
|
|
||||||
ret <<= 64 - uint8(len(bytes))*8
|
|
||||||
ret >>= 64 - uint8(len(bytes))*8
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// parseInt treats the given bytes as a big-endian, signed integer and returns
|
|
||||||
// the result.
|
|
||||||
func parseInt32(bytes []byte) (int32, error) {
|
|
||||||
ret64, err := parseInt64(bytes)
|
|
||||||
if err != nil {
|
|
||||||
return 0, err
|
|
||||||
}
|
|
||||||
if ret64 != int64(int32(ret64)) {
|
|
||||||
return 0, StructuralError{"integer too large"}
|
|
||||||
}
|
|
||||||
return int32(ret64), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
var bigOne = big.NewInt(1)
|
|
||||||
|
|
||||||
// parseBigInt treats the given bytes as a big-endian, signed integer and returns
|
|
||||||
// the result.
|
|
||||||
func parseBigInt(bytes []byte) *big.Int {
|
|
||||||
ret := new(big.Int)
|
|
||||||
if len(bytes) > 0 && bytes[0]&0x80 == 0x80 {
|
|
||||||
// This is a negative number.
|
|
||||||
notBytes := make([]byte, len(bytes))
|
|
||||||
for i := range notBytes {
|
|
||||||
notBytes[i] = ^bytes[i]
|
|
||||||
}
|
|
||||||
ret.SetBytes(notBytes)
|
|
||||||
ret.Add(ret, bigOne)
|
|
||||||
ret.Neg(ret)
|
|
||||||
return ret
|
|
||||||
}
|
|
||||||
ret.SetBytes(bytes)
|
|
||||||
return ret
|
|
||||||
}
|
|
||||||
|
|
||||||
// BIT STRING
|
|
||||||
|
|
||||||
// BitString is the structure to use when you want an ASN.1 BIT STRING type. A
|
|
||||||
// bit string is padded up to the nearest byte in memory and the number of
|
|
||||||
// valid bits is recorded. Padding bits will be zero.
|
|
||||||
type BitString struct {
|
|
||||||
Bytes []byte // bits packed into bytes.
|
|
||||||
BitLength int // length in bits.
|
|
||||||
}
|
|
||||||
|
|
||||||
// At returns the bit at the given index. If the index is out of range it
|
|
||||||
// returns false.
|
|
||||||
func (b BitString) At(i int) int {
|
|
||||||
if i < 0 || i >= b.BitLength {
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
x := i / 8
|
|
||||||
y := 7 - uint(i%8)
|
|
||||||
return int(b.Bytes[x]>>y) & 1
|
|
||||||
}
|
|
||||||
|
|
||||||
// RightAlign returns a slice where the padding bits are at the beginning. The
|
|
||||||
// slice may share memory with the BitString.
|
|
||||||
func (b BitString) RightAlign() []byte {
|
|
||||||
shift := uint(8 - (b.BitLength % 8))
|
|
||||||
if shift == 8 || len(b.Bytes) == 0 {
|
|
||||||
return b.Bytes
|
|
||||||
}
|
|
||||||
|
|
||||||
a := make([]byte, len(b.Bytes))
|
|
||||||
a[0] = b.Bytes[0] >> shift
|
|
||||||
for i := 1; i < len(b.Bytes); i++ {
|
|
||||||
a[i] = b.Bytes[i-1] << (8 - shift)
|
|
||||||
a[i] |= b.Bytes[i] >> shift
|
|
||||||
}
|
|
||||||
|
|
||||||
return a
|
|
||||||
}
|
|
||||||
|
|
||||||
// parseBitString parses an ASN.1 bit string from the given byte slice and returns it.
|
|
||||||
func parseBitString(bytes []byte) (ret BitString, err error) {
|
|
||||||
if len(bytes) == 0 {
|
|
||||||
err = SyntaxError{"zero length BIT STRING"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
paddingBits := int(bytes[0])
|
|
||||||
if paddingBits > 7 ||
|
|
||||||
len(bytes) == 1 && paddingBits > 0 ||
|
|
||||||
bytes[len(bytes)-1]&((1<<bytes[0])-1) != 0 {
|
|
||||||
err = SyntaxError{"invalid padding bits in BIT STRING"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
ret.BitLength = (len(bytes)-1)*8 - paddingBits
|
|
||||||
ret.Bytes = bytes[1:]
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// OBJECT IDENTIFIER
|
|
||||||
|
|
||||||
// An ObjectIdentifier represents an ASN.1 OBJECT IDENTIFIER.
|
|
||||||
type ObjectIdentifier []int
|
|
||||||
|
|
||||||
// Equal reports whether oi and other represent the same identifier.
|
|
||||||
func (oi ObjectIdentifier) Equal(other ObjectIdentifier) bool {
|
|
||||||
if len(oi) != len(other) {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
for i := 0; i < len(oi); i++ {
|
|
||||||
if oi[i] != other[i] {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
// parseObjectIdentifier parses an OBJECT IDENTIFIER from the given bytes and
|
|
||||||
// returns it. An object identifier is a sequence of variable length integers
|
|
||||||
// that are assigned in a hierarchy.
|
|
||||||
func parseObjectIdentifier(bytes []byte) (s []int, err error) {
|
|
||||||
if len(bytes) == 0 {
|
|
||||||
err = SyntaxError{"zero length OBJECT IDENTIFIER"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// In the worst case, we get two elements from the first byte (which is
|
|
||||||
// encoded differently) and then every varint is a single byte long.
|
|
||||||
s = make([]int, len(bytes)+1)
|
|
||||||
|
|
||||||
// The first varint is 40*value1 + value2:
|
|
||||||
// According to this packing, value1 can take the values 0, 1 and 2 only.
|
|
||||||
// When value1 = 0 or value1 = 1, then value2 is <= 39. When value1 = 2,
|
|
||||||
// then there are no restrictions on value2.
|
|
||||||
v, offset, err := parseBase128Int(bytes, 0)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if v < 80 {
|
|
||||||
s[0] = v / 40
|
|
||||||
s[1] = v % 40
|
|
||||||
} else {
|
|
||||||
s[0] = 2
|
|
||||||
s[1] = v - 80
|
|
||||||
}
|
|
||||||
|
|
||||||
i := 2
|
|
||||||
for ; offset < len(bytes); i++ {
|
|
||||||
v, offset, err = parseBase128Int(bytes, offset)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
s[i] = v
|
|
||||||
}
|
|
||||||
s = s[0:i]
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// ENUMERATED
|
|
||||||
|
|
||||||
// An Enumerated is represented as a plain int.
|
|
||||||
type Enumerated int
|
|
||||||
|
|
||||||
// FLAG
|
|
||||||
|
|
||||||
// A Flag accepts any data and is set to true if present.
|
|
||||||
type Flag bool
|
|
||||||
|
|
||||||
// parseBase128Int parses a base-128 encoded int from the given offset in the
|
|
||||||
// given byte slice. It returns the value and the new offset.
|
|
||||||
func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) {
|
|
||||||
offset = initOffset
|
|
||||||
for shifted := 0; offset < len(bytes); shifted++ {
|
|
||||||
if shifted > 4 {
|
|
||||||
err = StructuralError{"base 128 integer too large"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
ret <<= 7
|
|
||||||
b := bytes[offset]
|
|
||||||
ret |= int(b & 0x7f)
|
|
||||||
offset++
|
|
||||||
if b&0x80 == 0 {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
err = SyntaxError{"truncated base 128 integer"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// UTCTime
|
|
||||||
|
|
||||||
func parseUTCTime(bytes []byte) (ret time.Time, err error) {
|
|
||||||
s := string(bytes)
|
|
||||||
ret, err = time.Parse("0601021504Z0700", s)
|
|
||||||
if err != nil {
|
|
||||||
ret, err = time.Parse("060102150405Z0700", s)
|
|
||||||
}
|
|
||||||
if err == nil && ret.Year() >= 2050 {
|
|
||||||
// UTCTime only encodes times prior to 2050. See https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1
|
|
||||||
ret = ret.AddDate(-100, 0, 0)
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// parseGeneralizedTime parses the GeneralizedTime from the given byte slice
|
|
||||||
// and returns the resulting time.
|
|
||||||
func parseGeneralizedTime(bytes []byte) (ret time.Time, err error) {
|
|
||||||
return time.Parse("20060102150405Z0700", string(bytes))
|
|
||||||
}
|
|
||||||
|
|
||||||
// PrintableString
|
|
||||||
|
|
||||||
// parsePrintableString parses a ASN.1 PrintableString from the given byte
|
|
||||||
// array and returns it.
|
|
||||||
func parsePrintableString(bytes []byte) (ret string, err error) {
|
|
||||||
for _, b := range bytes {
|
|
||||||
if !isPrintable(b) {
|
|
||||||
err = SyntaxError{"PrintableString contains invalid character"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ret = string(bytes)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// isPrintable returns true iff the given b is in the ASN.1 PrintableString set.
|
|
||||||
func isPrintable(b byte) bool {
|
|
||||||
return 'a' <= b && b <= 'z' ||
|
|
||||||
'A' <= b && b <= 'Z' ||
|
|
||||||
'0' <= b && b <= '9' ||
|
|
||||||
'\'' <= b && b <= ')' ||
|
|
||||||
'+' <= b && b <= '/' ||
|
|
||||||
b == ' ' ||
|
|
||||||
b == ':' ||
|
|
||||||
b == '=' ||
|
|
||||||
b == '?' ||
|
|
||||||
// This is technically not allowed in a PrintableString.
|
|
||||||
// However, x509 certificates with wildcard strings don't
|
|
||||||
// always use the correct string type so we permit it.
|
|
||||||
b == '*'
|
|
||||||
}
|
|
||||||
|
|
||||||
// IA5String
|
|
||||||
|
|
||||||
// parseIA5String parses a ASN.1 IA5String (ASCII string) from the given
|
|
||||||
// byte slice and returns it.
|
|
||||||
func parseIA5String(bytes []byte) (ret string, err error) {
|
|
||||||
for _, b := range bytes {
|
|
||||||
if b >= 0x80 {
|
|
||||||
err = SyntaxError{"IA5String contains invalid character"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ret = string(bytes)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// T61String
|
|
||||||
|
|
||||||
// parseT61String parses a ASN.1 T61String (8-bit clean string) from the given
|
|
||||||
// byte slice and returns it.
|
|
||||||
func parseT61String(bytes []byte) (ret string, err error) {
|
|
||||||
return string(bytes), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// UTF8String
|
|
||||||
|
|
||||||
// parseUTF8String parses a ASN.1 UTF8String (raw UTF-8) from the given byte
|
|
||||||
// array and returns it.
|
|
||||||
func parseUTF8String(bytes []byte) (ret string, err error) {
|
|
||||||
return string(bytes), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// A RawValue represents an undecoded ASN.1 object.
|
|
||||||
type RawValue struct {
|
|
||||||
Class, Tag int
|
|
||||||
IsCompound bool
|
|
||||||
Bytes []byte
|
|
||||||
FullBytes []byte // includes the tag and length
|
|
||||||
}
|
|
||||||
|
|
||||||
// RawContent is used to signal that the undecoded, DER data needs to be
|
|
||||||
// preserved for a struct. To use it, the first field of the struct must have
|
|
||||||
// this type. It's an error for any of the other fields to have this type.
|
|
||||||
type RawContent []byte
|
|
||||||
|
|
||||||
// Tagging
|
|
||||||
|
|
||||||
// parseTagAndLength parses an ASN.1 tag and length pair from the given offset
|
|
||||||
// into a byte slice. It returns the parsed data and the new offset. SET and
|
|
||||||
// SET OF (tag 17) are mapped to SEQUENCE and SEQUENCE OF (tag 16) since we
|
|
||||||
// don't distinguish between ordered and unordered objects in this code.
|
|
||||||
func parseTagAndLength(bytes []byte, initOffset int) (ret tagAndLength, offset int, err error) {
|
|
||||||
offset = initOffset
|
|
||||||
b := bytes[offset]
|
|
||||||
offset++
|
|
||||||
ret.class = int(b >> 6)
|
|
||||||
ret.isCompound = b&0x20 == 0x20
|
|
||||||
ret.tag = int(b & 0x1f)
|
|
||||||
|
|
||||||
// If the bottom five bits are set, then the tag number is actually base 128
|
|
||||||
// encoded afterwards
|
|
||||||
if ret.tag == 0x1f {
|
|
||||||
ret.tag, offset, err = parseBase128Int(bytes, offset)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if offset >= len(bytes) {
|
|
||||||
err = SyntaxError{"truncated tag or length"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
b = bytes[offset]
|
|
||||||
offset++
|
|
||||||
if b&0x80 == 0 {
|
|
||||||
// The length is encoded in the bottom 7 bits.
|
|
||||||
ret.length = int(b & 0x7f)
|
|
||||||
} else {
|
|
||||||
// Bottom 7 bits give the number of length bytes to follow.
|
|
||||||
numBytes := int(b & 0x7f)
|
|
||||||
if numBytes == 0 {
|
|
||||||
err = SyntaxError{"indefinite length found (not DER)"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
ret.length = 0
|
|
||||||
for i := 0; i < numBytes; i++ {
|
|
||||||
if offset >= len(bytes) {
|
|
||||||
err = SyntaxError{"truncated tag or length"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
b = bytes[offset]
|
|
||||||
offset++
|
|
||||||
if ret.length >= 1<<23 {
|
|
||||||
// We can't shift ret.length up without
|
|
||||||
// overflowing.
|
|
||||||
err = StructuralError{"length too large"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
ret.length <<= 8
|
|
||||||
ret.length |= int(b)
|
|
||||||
if ret.length == 0 {
|
|
||||||
// DER requires that lengths be minimal.
|
|
||||||
err = StructuralError{"superfluous leading zeros in length"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// parseSequenceOf is used for SEQUENCE OF and SET OF values. It tries to parse
|
|
||||||
// a number of ASN.1 values from the given byte slice and returns them as a
|
|
||||||
// slice of Go values of the given type.
|
|
||||||
func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type) (ret reflect.Value, err error) {
|
|
||||||
expectedTag, compoundType, ok := getUniversalType(elemType)
|
|
||||||
if !ok {
|
|
||||||
err = StructuralError{"unknown Go type for slice"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// First we iterate over the input and count the number of elements,
|
|
||||||
// checking that the types are correct in each case.
|
|
||||||
numElements := 0
|
|
||||||
for offset := 0; offset < len(bytes); {
|
|
||||||
var t tagAndLength
|
|
||||||
t, offset, err = parseTagAndLength(bytes, offset)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
// We pretend that GENERAL STRINGs are PRINTABLE STRINGs so
|
|
||||||
// that a sequence of them can be parsed into a []string.
|
|
||||||
if t.tag == tagGeneralString {
|
|
||||||
t.tag = tagPrintableString
|
|
||||||
}
|
|
||||||
if t.class != classUniversal || t.isCompound != compoundType || t.tag != expectedTag {
|
|
||||||
err = StructuralError{"sequence tag mismatch"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if invalidLength(offset, t.length, len(bytes)) {
|
|
||||||
err = SyntaxError{"truncated sequence"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
offset += t.length
|
|
||||||
numElements++
|
|
||||||
}
|
|
||||||
ret = reflect.MakeSlice(sliceType, numElements, numElements)
|
|
||||||
params := fieldParameters{}
|
|
||||||
offset := 0
|
|
||||||
for i := 0; i < numElements; i++ {
|
|
||||||
offset, err = parseField(ret.Index(i), bytes, offset, params)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
var (
|
|
||||||
bitStringType = reflect.TypeOf(BitString{})
|
|
||||||
objectIdentifierType = reflect.TypeOf(ObjectIdentifier{})
|
|
||||||
enumeratedType = reflect.TypeOf(Enumerated(0))
|
|
||||||
flagType = reflect.TypeOf(Flag(false))
|
|
||||||
timeType = reflect.TypeOf(time.Time{})
|
|
||||||
rawValueType = reflect.TypeOf(RawValue{})
|
|
||||||
rawContentsType = reflect.TypeOf(RawContent(nil))
|
|
||||||
bigIntType = reflect.TypeOf(new(big.Int))
|
|
||||||
)
|
|
||||||
|
|
||||||
// invalidLength returns true iff offset + length > sliceLength, or if the
|
|
||||||
// addition would overflow.
|
|
||||||
func invalidLength(offset, length, sliceLength int) bool {
|
|
||||||
return offset+length < offset || offset+length > sliceLength
|
|
||||||
}
|
|
||||||
|
|
||||||
// START CT CHANGES
|
|
||||||
|
|
||||||
// Tests whether the data in |bytes| would be a valid ISO8859-1 string.
|
|
||||||
// Clearly, a sequence of bytes comprised solely of valid ISO8859-1
|
|
||||||
// codepoints does not imply that the encoding MUST be ISO8859-1, rather that
|
|
||||||
// you would not encounter an error trying to interpret the data as such.
|
|
||||||
func couldBeISO8859_1(bytes []byte) bool {
|
|
||||||
for _, b := range bytes {
|
|
||||||
if b < 0x20 || (b >= 0x7F && b < 0xA0) {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
// Checks whether the data in |bytes| would be a valid T.61 string.
|
|
||||||
// Clearly, a sequence of bytes comprised solely of valid T.61
|
|
||||||
// codepoints does not imply that the encoding MUST be T.61, rather that
|
|
||||||
// you would not encounter an error trying to interpret the data as such.
|
|
||||||
func couldBeT61(bytes []byte) bool {
|
|
||||||
for _, b := range bytes {
|
|
||||||
switch b {
|
|
||||||
case 0x00:
|
|
||||||
// Since we're guessing at (incorrect) encodings for a
|
|
||||||
// PrintableString, we'll err on the side of caution and disallow
|
|
||||||
// strings with a NUL in them, don't want to re-create a PayPal NUL
|
|
||||||
// situation in monitors.
|
|
||||||
fallthrough
|
|
||||||
case 0x23, 0x24, 0x5C, 0x5E, 0x60, 0x7B, 0x7D, 0x7E, 0xA5, 0xA6, 0xAC, 0xAD, 0xAE, 0xAF,
|
|
||||||
0xB9, 0xBA, 0xC0, 0xC9, 0xD0, 0xD1, 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9,
|
|
||||||
0xDA, 0xDB, 0xDC, 0xDE, 0xDF, 0xE5, 0xFF:
|
|
||||||
// These are all invalid code points in T.61, so it can't be a T.61 string.
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
// Converts the data in |bytes| to the equivalent UTF-8 string.
|
|
||||||
func iso8859_1ToUTF8(bytes []byte) string {
|
|
||||||
buf := make([]rune, len(bytes))
|
|
||||||
for i, b := range bytes {
|
|
||||||
buf[i] = rune(b)
|
|
||||||
}
|
|
||||||
return string(buf)
|
|
||||||
}
|
|
||||||
|
|
||||||
// END CT CHANGES
|
|
||||||
|
|
||||||
// parseField is the main parsing function. Given a byte slice and an offset
|
|
||||||
// into the array, it will try to parse a suitable ASN.1 value out and store it
|
|
||||||
// in the given Value.
|
|
||||||
func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParameters) (offset int, err error) {
|
|
||||||
offset = initOffset
|
|
||||||
fieldType := v.Type()
|
|
||||||
|
|
||||||
// If we have run out of data, it may be that there are optional elements at the end.
|
|
||||||
if offset == len(bytes) {
|
|
||||||
if !setDefaultValue(v, params) {
|
|
||||||
err = SyntaxError{"sequence truncated"}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// Deal with raw values.
|
|
||||||
if fieldType == rawValueType {
|
|
||||||
var t tagAndLength
|
|
||||||
t, offset, err = parseTagAndLength(bytes, offset)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if invalidLength(offset, t.length, len(bytes)) {
|
|
||||||
err = SyntaxError{"data truncated"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
result := RawValue{t.class, t.tag, t.isCompound, bytes[offset : offset+t.length], bytes[initOffset : offset+t.length]}
|
|
||||||
offset += t.length
|
|
||||||
v.Set(reflect.ValueOf(result))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// Deal with the ANY type.
|
|
||||||
if ifaceType := fieldType; ifaceType.Kind() == reflect.Interface && ifaceType.NumMethod() == 0 {
|
|
||||||
var t tagAndLength
|
|
||||||
t, offset, err = parseTagAndLength(bytes, offset)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if invalidLength(offset, t.length, len(bytes)) {
|
|
||||||
err = SyntaxError{"data truncated"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
var result interface{}
|
|
||||||
if !t.isCompound && t.class == classUniversal {
|
|
||||||
innerBytes := bytes[offset : offset+t.length]
|
|
||||||
switch t.tag {
|
|
||||||
case tagPrintableString:
|
|
||||||
result, err = parsePrintableString(innerBytes)
|
|
||||||
// START CT CHANGES
|
|
||||||
if err != nil && strings.Contains(err.Error(), "PrintableString contains invalid character") {
|
|
||||||
// Probably an ISO8859-1 string stuffed in, check if it
|
|
||||||
// would be valid and assume that's what's happened if so,
|
|
||||||
// otherwise try T.61, failing that give up and just assign
|
|
||||||
// the bytes
|
|
||||||
switch {
|
|
||||||
case couldBeISO8859_1(innerBytes):
|
|
||||||
result, err = iso8859_1ToUTF8(innerBytes), nil
|
|
||||||
case couldBeT61(innerBytes):
|
|
||||||
result, err = parseT61String(innerBytes)
|
|
||||||
default:
|
|
||||||
result = nil
|
|
||||||
err = errors.New("PrintableString contains invalid character, but couldn't determine correct String type.")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// END CT CHANGES
|
|
||||||
case tagIA5String:
|
|
||||||
result, err = parseIA5String(innerBytes)
|
|
||||||
case tagT61String:
|
|
||||||
result, err = parseT61String(innerBytes)
|
|
||||||
case tagUTF8String:
|
|
||||||
result, err = parseUTF8String(innerBytes)
|
|
||||||
case tagInteger:
|
|
||||||
result, err = parseInt64(innerBytes)
|
|
||||||
case tagBitString:
|
|
||||||
result, err = parseBitString(innerBytes)
|
|
||||||
case tagOID:
|
|
||||||
result, err = parseObjectIdentifier(innerBytes)
|
|
||||||
case tagUTCTime:
|
|
||||||
result, err = parseUTCTime(innerBytes)
|
|
||||||
case tagOctetString:
|
|
||||||
result = innerBytes
|
|
||||||
default:
|
|
||||||
// If we don't know how to handle the type, we just leave Value as nil.
|
|
||||||
}
|
|
||||||
}
|
|
||||||
offset += t.length
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if result != nil {
|
|
||||||
v.Set(reflect.ValueOf(result))
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
universalTag, compoundType, ok1 := getUniversalType(fieldType)
|
|
||||||
if !ok1 {
|
|
||||||
err = StructuralError{fmt.Sprintf("unknown Go type: %v", fieldType)}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
t, offset, err := parseTagAndLength(bytes, offset)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if params.explicit {
|
|
||||||
expectedClass := classContextSpecific
|
|
||||||
if params.application {
|
|
||||||
expectedClass = classApplication
|
|
||||||
}
|
|
||||||
if t.class == expectedClass && t.tag == *params.tag && (t.length == 0 || t.isCompound) {
|
|
||||||
if t.length > 0 {
|
|
||||||
t, offset, err = parseTagAndLength(bytes, offset)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if fieldType != flagType {
|
|
||||||
err = StructuralError{"zero length explicit tag was not an asn1.Flag"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
v.SetBool(true)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
// The tags didn't match, it might be an optional element.
|
|
||||||
ok := setDefaultValue(v, params)
|
|
||||||
if ok {
|
|
||||||
offset = initOffset
|
|
||||||
} else {
|
|
||||||
err = StructuralError{"explicitly tagged member didn't match"}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Special case for strings: all the ASN.1 string types map to the Go
|
|
||||||
// type string. getUniversalType returns the tag for PrintableString
|
|
||||||
// when it sees a string, so if we see a different string type on the
|
|
||||||
// wire, we change the universal type to match.
|
|
||||||
if universalTag == tagPrintableString {
|
|
||||||
switch t.tag {
|
|
||||||
case tagIA5String, tagGeneralString, tagT61String, tagUTF8String:
|
|
||||||
universalTag = t.tag
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Special case for time: UTCTime and GeneralizedTime both map to the
|
|
||||||
// Go type time.Time.
|
|
||||||
if universalTag == tagUTCTime && t.tag == tagGeneralizedTime {
|
|
||||||
universalTag = tagGeneralizedTime
|
|
||||||
}
|
|
||||||
|
|
||||||
expectedClass := classUniversal
|
|
||||||
expectedTag := universalTag
|
|
||||||
|
|
||||||
if !params.explicit && params.tag != nil {
|
|
||||||
expectedClass = classContextSpecific
|
|
||||||
expectedTag = *params.tag
|
|
||||||
}
|
|
||||||
|
|
||||||
if !params.explicit && params.application && params.tag != nil {
|
|
||||||
expectedClass = classApplication
|
|
||||||
expectedTag = *params.tag
|
|
||||||
}
|
|
||||||
|
|
||||||
// We have unwrapped any explicit tagging at this point.
|
|
||||||
if t.class != expectedClass || t.tag != expectedTag || t.isCompound != compoundType {
|
|
||||||
// Tags don't match. Again, it could be an optional element.
|
|
||||||
ok := setDefaultValue(v, params)
|
|
||||||
if ok {
|
|
||||||
offset = initOffset
|
|
||||||
} else {
|
|
||||||
err = StructuralError{fmt.Sprintf("tags don't match (%d vs %+v) %+v %s @%d", expectedTag, t, params, fieldType.Name(), offset)}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if invalidLength(offset, t.length, len(bytes)) {
|
|
||||||
err = SyntaxError{"data truncated"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
innerBytes := bytes[offset : offset+t.length]
|
|
||||||
offset += t.length
|
|
||||||
|
|
||||||
// We deal with the structures defined in this package first.
|
|
||||||
switch fieldType {
|
|
||||||
case objectIdentifierType:
|
|
||||||
newSlice, err1 := parseObjectIdentifier(innerBytes)
|
|
||||||
v.Set(reflect.MakeSlice(v.Type(), len(newSlice), len(newSlice)))
|
|
||||||
if err1 == nil {
|
|
||||||
reflect.Copy(v, reflect.ValueOf(newSlice))
|
|
||||||
}
|
|
||||||
err = err1
|
|
||||||
return
|
|
||||||
case bitStringType:
|
|
||||||
bs, err1 := parseBitString(innerBytes)
|
|
||||||
if err1 == nil {
|
|
||||||
v.Set(reflect.ValueOf(bs))
|
|
||||||
}
|
|
||||||
err = err1
|
|
||||||
return
|
|
||||||
case timeType:
|
|
||||||
var time time.Time
|
|
||||||
var err1 error
|
|
||||||
if universalTag == tagUTCTime {
|
|
||||||
time, err1 = parseUTCTime(innerBytes)
|
|
||||||
} else {
|
|
||||||
time, err1 = parseGeneralizedTime(innerBytes)
|
|
||||||
}
|
|
||||||
if err1 == nil {
|
|
||||||
v.Set(reflect.ValueOf(time))
|
|
||||||
}
|
|
||||||
err = err1
|
|
||||||
return
|
|
||||||
case enumeratedType:
|
|
||||||
parsedInt, err1 := parseInt32(innerBytes)
|
|
||||||
if err1 == nil {
|
|
||||||
v.SetInt(int64(parsedInt))
|
|
||||||
}
|
|
||||||
err = err1
|
|
||||||
return
|
|
||||||
case flagType:
|
|
||||||
v.SetBool(true)
|
|
||||||
return
|
|
||||||
case bigIntType:
|
|
||||||
parsedInt := parseBigInt(innerBytes)
|
|
||||||
v.Set(reflect.ValueOf(parsedInt))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
switch val := v; val.Kind() {
|
|
||||||
case reflect.Bool:
|
|
||||||
parsedBool, err1 := parseBool(innerBytes)
|
|
||||||
if err1 == nil {
|
|
||||||
val.SetBool(parsedBool)
|
|
||||||
}
|
|
||||||
err = err1
|
|
||||||
return
|
|
||||||
case reflect.Int, reflect.Int32, reflect.Int64:
|
|
||||||
if val.Type().Size() == 4 {
|
|
||||||
parsedInt, err1 := parseInt32(innerBytes)
|
|
||||||
if err1 == nil {
|
|
||||||
val.SetInt(int64(parsedInt))
|
|
||||||
}
|
|
||||||
err = err1
|
|
||||||
} else {
|
|
||||||
parsedInt, err1 := parseInt64(innerBytes)
|
|
||||||
if err1 == nil {
|
|
||||||
val.SetInt(parsedInt)
|
|
||||||
}
|
|
||||||
err = err1
|
|
||||||
}
|
|
||||||
return
|
|
||||||
// TODO(dfc) Add support for the remaining integer types
|
|
||||||
case reflect.Struct:
|
|
||||||
structType := fieldType
|
|
||||||
|
|
||||||
if structType.NumField() > 0 &&
|
|
||||||
structType.Field(0).Type == rawContentsType {
|
|
||||||
bytes := bytes[initOffset:offset]
|
|
||||||
val.Field(0).Set(reflect.ValueOf(RawContent(bytes)))
|
|
||||||
}
|
|
||||||
|
|
||||||
innerOffset := 0
|
|
||||||
for i := 0; i < structType.NumField(); i++ {
|
|
||||||
field := structType.Field(i)
|
|
||||||
if i == 0 && field.Type == rawContentsType {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
innerOffset, err = parseField(val.Field(i), innerBytes, innerOffset, parseFieldParameters(field.Tag.Get("asn1")))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// We allow extra bytes at the end of the SEQUENCE because
|
|
||||||
// adding elements to the end has been used in X.509 as the
|
|
||||||
// version numbers have increased.
|
|
||||||
return
|
|
||||||
case reflect.Slice:
|
|
||||||
sliceType := fieldType
|
|
||||||
if sliceType.Elem().Kind() == reflect.Uint8 {
|
|
||||||
val.Set(reflect.MakeSlice(sliceType, len(innerBytes), len(innerBytes)))
|
|
||||||
reflect.Copy(val, reflect.ValueOf(innerBytes))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
newSlice, err1 := parseSequenceOf(innerBytes, sliceType, sliceType.Elem())
|
|
||||||
if err1 == nil {
|
|
||||||
val.Set(newSlice)
|
|
||||||
}
|
|
||||||
err = err1
|
|
||||||
return
|
|
||||||
case reflect.String:
|
|
||||||
var v string
|
|
||||||
switch universalTag {
|
|
||||||
case tagPrintableString:
|
|
||||||
v, err = parsePrintableString(innerBytes)
|
|
||||||
case tagIA5String:
|
|
||||||
v, err = parseIA5String(innerBytes)
|
|
||||||
case tagT61String:
|
|
||||||
v, err = parseT61String(innerBytes)
|
|
||||||
case tagUTF8String:
|
|
||||||
v, err = parseUTF8String(innerBytes)
|
|
||||||
case tagGeneralString:
|
|
||||||
// GeneralString is specified in ISO-2022/ECMA-35,
|
|
||||||
// A brief review suggests that it includes structures
|
|
||||||
// that allow the encoding to change midstring and
|
|
||||||
// such. We give up and pass it as an 8-bit string.
|
|
||||||
v, err = parseT61String(innerBytes)
|
|
||||||
default:
|
|
||||||
err = SyntaxError{fmt.Sprintf("internal error: unknown string type %d", universalTag)}
|
|
||||||
}
|
|
||||||
if err == nil {
|
|
||||||
val.SetString(v)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
err = StructuralError{"unsupported: " + v.Type().String()}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// setDefaultValue is used to install a default value, from a tag string, into
|
|
||||||
// a Value. It is successful is the field was optional, even if a default value
|
|
||||||
// wasn't provided or it failed to install it into the Value.
|
|
||||||
func setDefaultValue(v reflect.Value, params fieldParameters) (ok bool) {
|
|
||||||
if !params.optional {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
ok = true
|
|
||||||
if params.defaultValue == nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
switch val := v; val.Kind() {
|
|
||||||
case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
|
|
||||||
val.SetInt(*params.defaultValue)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// Unmarshal parses the DER-encoded ASN.1 data structure b
|
|
||||||
// and uses the reflect package to fill in an arbitrary value pointed at by val.
|
|
||||||
// Because Unmarshal uses the reflect package, the structs
|
|
||||||
// being written to must use upper case field names.
|
|
||||||
//
|
|
||||||
// An ASN.1 INTEGER can be written to an int, int32, int64,
|
|
||||||
// or *big.Int (from the math/big package).
|
|
||||||
// If the encoded value does not fit in the Go type,
|
|
||||||
// Unmarshal returns a parse error.
|
|
||||||
//
|
|
||||||
// An ASN.1 BIT STRING can be written to a BitString.
|
|
||||||
//
|
|
||||||
// An ASN.1 OCTET STRING can be written to a []byte.
|
|
||||||
//
|
|
||||||
// An ASN.1 OBJECT IDENTIFIER can be written to an
|
|
||||||
// ObjectIdentifier.
|
|
||||||
//
|
|
||||||
// An ASN.1 ENUMERATED can be written to an Enumerated.
|
|
||||||
//
|
|
||||||
// An ASN.1 UTCTIME or GENERALIZEDTIME can be written to a time.Time.
|
|
||||||
//
|
|
||||||
// An ASN.1 PrintableString or IA5String can be written to a string.
|
|
||||||
//
|
|
||||||
// Any of the above ASN.1 values can be written to an interface{}.
|
|
||||||
// The value stored in the interface has the corresponding Go type.
|
|
||||||
// For integers, that type is int64.
|
|
||||||
//
|
|
||||||
// An ASN.1 SEQUENCE OF x or SET OF x can be written
|
|
||||||
// to a slice if an x can be written to the slice's element type.
|
|
||||||
//
|
|
||||||
// An ASN.1 SEQUENCE or SET can be written to a struct
|
|
||||||
// if each of the elements in the sequence can be
|
|
||||||
// written to the corresponding element in the struct.
|
|
||||||
//
|
|
||||||
// The following tags on struct fields have special meaning to Unmarshal:
|
|
||||||
//
|
|
||||||
// optional marks the field as ASN.1 OPTIONAL
|
|
||||||
// [explicit] tag:x specifies the ASN.1 tag number; implies ASN.1 CONTEXT SPECIFIC
|
|
||||||
// default:x sets the default value for optional integer fields
|
|
||||||
//
|
|
||||||
// If the type of the first field of a structure is RawContent then the raw
|
|
||||||
// ASN1 contents of the struct will be stored in it.
|
|
||||||
//
|
|
||||||
// Other ASN.1 types are not supported; if it encounters them,
|
|
||||||
// Unmarshal returns a parse error.
|
|
||||||
func Unmarshal(b []byte, val interface{}) (rest []byte, err error) {
|
|
||||||
return UnmarshalWithParams(b, val, "")
|
|
||||||
}
|
|
||||||
|
|
||||||
// UnmarshalWithParams allows field parameters to be specified for the
|
|
||||||
// top-level element. The form of the params is the same as the field tags.
|
|
||||||
func UnmarshalWithParams(b []byte, val interface{}, params string) (rest []byte, err error) {
|
|
||||||
v := reflect.ValueOf(val).Elem()
|
|
||||||
offset, err := parseField(v, b, 0, parseFieldParameters(params))
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return b[offset:], nil
|
|
||||||
}
|
|
|
@ -1,790 +0,0 @@
|
||||||
// Copyright 2009 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package asn1
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"math/big"
|
|
||||||
"reflect"
|
|
||||||
"testing"
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
type boolTest struct {
|
|
||||||
in []byte
|
|
||||||
ok bool
|
|
||||||
out bool
|
|
||||||
}
|
|
||||||
|
|
||||||
var boolTestData = []boolTest{
|
|
||||||
{[]byte{0x00}, true, false},
|
|
||||||
{[]byte{0xff}, true, true},
|
|
||||||
{[]byte{0x00, 0x00}, false, false},
|
|
||||||
{[]byte{0xff, 0xff}, false, false},
|
|
||||||
{[]byte{0x01}, false, false},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParseBool(t *testing.T) {
|
|
||||||
for i, test := range boolTestData {
|
|
||||||
ret, err := parseBool(test.in)
|
|
||||||
if (err == nil) != test.ok {
|
|
||||||
t.Errorf("#%d: Incorrect error result (did fail? %v, expected: %v)", i, err == nil, test.ok)
|
|
||||||
}
|
|
||||||
if test.ok && ret != test.out {
|
|
||||||
t.Errorf("#%d: Bad result: %v (expected %v)", i, ret, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type int64Test struct {
|
|
||||||
in []byte
|
|
||||||
ok bool
|
|
||||||
out int64
|
|
||||||
}
|
|
||||||
|
|
||||||
var int64TestData = []int64Test{
|
|
||||||
{[]byte{0x00}, true, 0},
|
|
||||||
{[]byte{0x7f}, true, 127},
|
|
||||||
{[]byte{0x00, 0x80}, true, 128},
|
|
||||||
{[]byte{0x01, 0x00}, true, 256},
|
|
||||||
{[]byte{0x80}, true, -128},
|
|
||||||
{[]byte{0xff, 0x7f}, true, -129},
|
|
||||||
{[]byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, true, -1},
|
|
||||||
{[]byte{0xff}, true, -1},
|
|
||||||
{[]byte{0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, true, -9223372036854775808},
|
|
||||||
{[]byte{0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, false, 0},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParseInt64(t *testing.T) {
|
|
||||||
for i, test := range int64TestData {
|
|
||||||
ret, err := parseInt64(test.in)
|
|
||||||
if (err == nil) != test.ok {
|
|
||||||
t.Errorf("#%d: Incorrect error result (did fail? %v, expected: %v)", i, err == nil, test.ok)
|
|
||||||
}
|
|
||||||
if test.ok && ret != test.out {
|
|
||||||
t.Errorf("#%d: Bad result: %v (expected %v)", i, ret, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type int32Test struct {
|
|
||||||
in []byte
|
|
||||||
ok bool
|
|
||||||
out int32
|
|
||||||
}
|
|
||||||
|
|
||||||
var int32TestData = []int32Test{
|
|
||||||
{[]byte{0x00}, true, 0},
|
|
||||||
{[]byte{0x7f}, true, 127},
|
|
||||||
{[]byte{0x00, 0x80}, true, 128},
|
|
||||||
{[]byte{0x01, 0x00}, true, 256},
|
|
||||||
{[]byte{0x80}, true, -128},
|
|
||||||
{[]byte{0xff, 0x7f}, true, -129},
|
|
||||||
{[]byte{0xff, 0xff, 0xff, 0xff}, true, -1},
|
|
||||||
{[]byte{0xff}, true, -1},
|
|
||||||
{[]byte{0x80, 0x00, 0x00, 0x00}, true, -2147483648},
|
|
||||||
{[]byte{0x80, 0x00, 0x00, 0x00, 0x00}, false, 0},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParseInt32(t *testing.T) {
|
|
||||||
for i, test := range int32TestData {
|
|
||||||
ret, err := parseInt32(test.in)
|
|
||||||
if (err == nil) != test.ok {
|
|
||||||
t.Errorf("#%d: Incorrect error result (did fail? %v, expected: %v)", i, err == nil, test.ok)
|
|
||||||
}
|
|
||||||
if test.ok && int32(ret) != test.out {
|
|
||||||
t.Errorf("#%d: Bad result: %v (expected %v)", i, ret, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var bigIntTests = []struct {
|
|
||||||
in []byte
|
|
||||||
base10 string
|
|
||||||
}{
|
|
||||||
{[]byte{0xff}, "-1"},
|
|
||||||
{[]byte{0x00}, "0"},
|
|
||||||
{[]byte{0x01}, "1"},
|
|
||||||
{[]byte{0x00, 0xff}, "255"},
|
|
||||||
{[]byte{0xff, 0x00}, "-256"},
|
|
||||||
{[]byte{0x01, 0x00}, "256"},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParseBigInt(t *testing.T) {
|
|
||||||
for i, test := range bigIntTests {
|
|
||||||
ret := parseBigInt(test.in)
|
|
||||||
if ret.String() != test.base10 {
|
|
||||||
t.Errorf("#%d: bad result from %x, got %s want %s", i, test.in, ret.String(), test.base10)
|
|
||||||
}
|
|
||||||
fw := newForkableWriter()
|
|
||||||
marshalBigInt(fw, ret)
|
|
||||||
result := fw.Bytes()
|
|
||||||
if !bytes.Equal(result, test.in) {
|
|
||||||
t.Errorf("#%d: got %x from marshaling %s, want %x", i, result, ret, test.in)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type bitStringTest struct {
|
|
||||||
in []byte
|
|
||||||
ok bool
|
|
||||||
out []byte
|
|
||||||
bitLength int
|
|
||||||
}
|
|
||||||
|
|
||||||
var bitStringTestData = []bitStringTest{
|
|
||||||
{[]byte{}, false, []byte{}, 0},
|
|
||||||
{[]byte{0x00}, true, []byte{}, 0},
|
|
||||||
{[]byte{0x07, 0x00}, true, []byte{0x00}, 1},
|
|
||||||
{[]byte{0x07, 0x01}, false, []byte{}, 0},
|
|
||||||
{[]byte{0x07, 0x40}, false, []byte{}, 0},
|
|
||||||
{[]byte{0x08, 0x00}, false, []byte{}, 0},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestBitString(t *testing.T) {
|
|
||||||
for i, test := range bitStringTestData {
|
|
||||||
ret, err := parseBitString(test.in)
|
|
||||||
if (err == nil) != test.ok {
|
|
||||||
t.Errorf("#%d: Incorrect error result (did fail? %v, expected: %v)", i, err == nil, test.ok)
|
|
||||||
}
|
|
||||||
if err == nil {
|
|
||||||
if test.bitLength != ret.BitLength || !bytes.Equal(ret.Bytes, test.out) {
|
|
||||||
t.Errorf("#%d: Bad result: %v (expected %v %v)", i, ret, test.out, test.bitLength)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestBitStringAt(t *testing.T) {
|
|
||||||
bs := BitString{[]byte{0x82, 0x40}, 16}
|
|
||||||
if bs.At(0) != 1 {
|
|
||||||
t.Error("#1: Failed")
|
|
||||||
}
|
|
||||||
if bs.At(1) != 0 {
|
|
||||||
t.Error("#2: Failed")
|
|
||||||
}
|
|
||||||
if bs.At(6) != 1 {
|
|
||||||
t.Error("#3: Failed")
|
|
||||||
}
|
|
||||||
if bs.At(9) != 1 {
|
|
||||||
t.Error("#4: Failed")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type bitStringRightAlignTest struct {
|
|
||||||
in []byte
|
|
||||||
inlen int
|
|
||||||
out []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
var bitStringRightAlignTests = []bitStringRightAlignTest{
|
|
||||||
{[]byte{0x80}, 1, []byte{0x01}},
|
|
||||||
{[]byte{0x80, 0x80}, 9, []byte{0x01, 0x01}},
|
|
||||||
{[]byte{}, 0, []byte{}},
|
|
||||||
{[]byte{0xce}, 8, []byte{0xce}},
|
|
||||||
{[]byte{0xce, 0x47}, 16, []byte{0xce, 0x47}},
|
|
||||||
{[]byte{0x34, 0x50}, 12, []byte{0x03, 0x45}},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestBitStringRightAlign(t *testing.T) {
|
|
||||||
for i, test := range bitStringRightAlignTests {
|
|
||||||
bs := BitString{test.in, test.inlen}
|
|
||||||
out := bs.RightAlign()
|
|
||||||
if !bytes.Equal(out, test.out) {
|
|
||||||
t.Errorf("#%d got: %x want: %x", i, out, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type objectIdentifierTest struct {
|
|
||||||
in []byte
|
|
||||||
ok bool
|
|
||||||
out []int
|
|
||||||
}
|
|
||||||
|
|
||||||
var objectIdentifierTestData = []objectIdentifierTest{
|
|
||||||
{[]byte{}, false, []int{}},
|
|
||||||
{[]byte{85}, true, []int{2, 5}},
|
|
||||||
{[]byte{85, 0x02}, true, []int{2, 5, 2}},
|
|
||||||
{[]byte{85, 0x02, 0xc0, 0x00}, true, []int{2, 5, 2, 0x2000}},
|
|
||||||
{[]byte{0x81, 0x34, 0x03}, true, []int{2, 100, 3}},
|
|
||||||
{[]byte{85, 0x02, 0xc0, 0x80, 0x80, 0x80, 0x80}, false, []int{}},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestObjectIdentifier(t *testing.T) {
|
|
||||||
for i, test := range objectIdentifierTestData {
|
|
||||||
ret, err := parseObjectIdentifier(test.in)
|
|
||||||
if (err == nil) != test.ok {
|
|
||||||
t.Errorf("#%d: Incorrect error result (did fail? %v, expected: %v)", i, err == nil, test.ok)
|
|
||||||
}
|
|
||||||
if err == nil {
|
|
||||||
if !reflect.DeepEqual(test.out, ret) {
|
|
||||||
t.Errorf("#%d: Bad result: %v (expected %v)", i, ret, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type timeTest struct {
|
|
||||||
in string
|
|
||||||
ok bool
|
|
||||||
out time.Time
|
|
||||||
}
|
|
||||||
|
|
||||||
var utcTestData = []timeTest{
|
|
||||||
{"910506164540-0700", true, time.Date(1991, 05, 06, 16, 45, 40, 0, time.FixedZone("", -7*60*60))},
|
|
||||||
{"910506164540+0730", true, time.Date(1991, 05, 06, 16, 45, 40, 0, time.FixedZone("", 7*60*60+30*60))},
|
|
||||||
{"910506234540Z", true, time.Date(1991, 05, 06, 23, 45, 40, 0, time.UTC)},
|
|
||||||
{"9105062345Z", true, time.Date(1991, 05, 06, 23, 45, 0, 0, time.UTC)},
|
|
||||||
{"a10506234540Z", false, time.Time{}},
|
|
||||||
{"91a506234540Z", false, time.Time{}},
|
|
||||||
{"9105a6234540Z", false, time.Time{}},
|
|
||||||
{"910506a34540Z", false, time.Time{}},
|
|
||||||
{"910506334a40Z", false, time.Time{}},
|
|
||||||
{"91050633444aZ", false, time.Time{}},
|
|
||||||
{"910506334461Z", false, time.Time{}},
|
|
||||||
{"910506334400Za", false, time.Time{}},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestUTCTime(t *testing.T) {
|
|
||||||
for i, test := range utcTestData {
|
|
||||||
ret, err := parseUTCTime([]byte(test.in))
|
|
||||||
if err != nil {
|
|
||||||
if test.ok {
|
|
||||||
t.Errorf("#%d: parseUTCTime(%q) = error %v", i, test.in, err)
|
|
||||||
}
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if !test.ok {
|
|
||||||
t.Errorf("#%d: parseUTCTime(%q) succeeded, should have failed", i, test.in)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
const format = "Jan _2 15:04:05 -0700 2006" // ignore zone name, just offset
|
|
||||||
have := ret.Format(format)
|
|
||||||
want := test.out.Format(format)
|
|
||||||
if have != want {
|
|
||||||
t.Errorf("#%d: parseUTCTime(%q) = %s, want %s", i, test.in, have, want)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var generalizedTimeTestData = []timeTest{
|
|
||||||
{"20100102030405Z", true, time.Date(2010, 01, 02, 03, 04, 05, 0, time.UTC)},
|
|
||||||
{"20100102030405", false, time.Time{}},
|
|
||||||
{"20100102030405+0607", true, time.Date(2010, 01, 02, 03, 04, 05, 0, time.FixedZone("", 6*60*60+7*60))},
|
|
||||||
{"20100102030405-0607", true, time.Date(2010, 01, 02, 03, 04, 05, 0, time.FixedZone("", -6*60*60-7*60))},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestGeneralizedTime(t *testing.T) {
|
|
||||||
for i, test := range generalizedTimeTestData {
|
|
||||||
ret, err := parseGeneralizedTime([]byte(test.in))
|
|
||||||
if (err == nil) != test.ok {
|
|
||||||
t.Errorf("#%d: Incorrect error result (did fail? %v, expected: %v)", i, err == nil, test.ok)
|
|
||||||
}
|
|
||||||
if err == nil {
|
|
||||||
if !reflect.DeepEqual(test.out, ret) {
|
|
||||||
t.Errorf("#%d: Bad result: %v (expected %v)", i, ret, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type tagAndLengthTest struct {
|
|
||||||
in []byte
|
|
||||||
ok bool
|
|
||||||
out tagAndLength
|
|
||||||
}
|
|
||||||
|
|
||||||
var tagAndLengthData = []tagAndLengthTest{
|
|
||||||
{[]byte{0x80, 0x01}, true, tagAndLength{2, 0, 1, false}},
|
|
||||||
{[]byte{0xa0, 0x01}, true, tagAndLength{2, 0, 1, true}},
|
|
||||||
{[]byte{0x02, 0x00}, true, tagAndLength{0, 2, 0, false}},
|
|
||||||
{[]byte{0xfe, 0x00}, true, tagAndLength{3, 30, 0, true}},
|
|
||||||
{[]byte{0x1f, 0x01, 0x00}, true, tagAndLength{0, 1, 0, false}},
|
|
||||||
{[]byte{0x1f, 0x81, 0x00, 0x00}, true, tagAndLength{0, 128, 0, false}},
|
|
||||||
{[]byte{0x1f, 0x81, 0x80, 0x01, 0x00}, true, tagAndLength{0, 0x4001, 0, false}},
|
|
||||||
{[]byte{0x00, 0x81, 0x01}, true, tagAndLength{0, 0, 1, false}},
|
|
||||||
{[]byte{0x00, 0x82, 0x01, 0x00}, true, tagAndLength{0, 0, 256, false}},
|
|
||||||
{[]byte{0x00, 0x83, 0x01, 0x00}, false, tagAndLength{}},
|
|
||||||
{[]byte{0x1f, 0x85}, false, tagAndLength{}},
|
|
||||||
{[]byte{0x30, 0x80}, false, tagAndLength{}},
|
|
||||||
// Superfluous zeros in the length should be an error.
|
|
||||||
{[]byte{0xa0, 0x82, 0x00, 0x01}, false, tagAndLength{}},
|
|
||||||
// Lengths up to the maximum size of an int should work.
|
|
||||||
{[]byte{0xa0, 0x84, 0x7f, 0xff, 0xff, 0xff}, true, tagAndLength{2, 0, 0x7fffffff, true}},
|
|
||||||
// Lengths that would overflow an int should be rejected.
|
|
||||||
{[]byte{0xa0, 0x84, 0x80, 0x00, 0x00, 0x00}, false, tagAndLength{}},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParseTagAndLength(t *testing.T) {
|
|
||||||
for i, test := range tagAndLengthData {
|
|
||||||
tagAndLength, _, err := parseTagAndLength(test.in, 0)
|
|
||||||
if (err == nil) != test.ok {
|
|
||||||
t.Errorf("#%d: Incorrect error result (did pass? %v, expected: %v)", i, err == nil, test.ok)
|
|
||||||
}
|
|
||||||
if err == nil && !reflect.DeepEqual(test.out, tagAndLength) {
|
|
||||||
t.Errorf("#%d: Bad result: %v (expected %v)", i, tagAndLength, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type parseFieldParametersTest struct {
|
|
||||||
in string
|
|
||||||
out fieldParameters
|
|
||||||
}
|
|
||||||
|
|
||||||
func newInt(n int) *int { return &n }
|
|
||||||
|
|
||||||
func newInt64(n int64) *int64 { return &n }
|
|
||||||
|
|
||||||
func newString(s string) *string { return &s }
|
|
||||||
|
|
||||||
func newBool(b bool) *bool { return &b }
|
|
||||||
|
|
||||||
var parseFieldParametersTestData []parseFieldParametersTest = []parseFieldParametersTest{
|
|
||||||
{"", fieldParameters{}},
|
|
||||||
{"ia5", fieldParameters{stringType: tagIA5String}},
|
|
||||||
{"printable", fieldParameters{stringType: tagPrintableString}},
|
|
||||||
{"optional", fieldParameters{optional: true}},
|
|
||||||
{"explicit", fieldParameters{explicit: true, tag: new(int)}},
|
|
||||||
{"application", fieldParameters{application: true, tag: new(int)}},
|
|
||||||
{"optional,explicit", fieldParameters{optional: true, explicit: true, tag: new(int)}},
|
|
||||||
{"default:42", fieldParameters{defaultValue: newInt64(42)}},
|
|
||||||
{"tag:17", fieldParameters{tag: newInt(17)}},
|
|
||||||
{"optional,explicit,default:42,tag:17", fieldParameters{optional: true, explicit: true, defaultValue: newInt64(42), tag: newInt(17)}},
|
|
||||||
{"optional,explicit,default:42,tag:17,rubbish1", fieldParameters{true, true, false, newInt64(42), newInt(17), 0, false, false}},
|
|
||||||
{"set", fieldParameters{set: true}},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParseFieldParameters(t *testing.T) {
|
|
||||||
for i, test := range parseFieldParametersTestData {
|
|
||||||
f := parseFieldParameters(test.in)
|
|
||||||
if !reflect.DeepEqual(f, test.out) {
|
|
||||||
t.Errorf("#%d: Bad result: %v (expected %v)", i, f, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type TestObjectIdentifierStruct struct {
|
|
||||||
OID ObjectIdentifier
|
|
||||||
}
|
|
||||||
|
|
||||||
type TestContextSpecificTags struct {
|
|
||||||
A int `asn1:"tag:1"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type TestContextSpecificTags2 struct {
|
|
||||||
A int `asn1:"explicit,tag:1"`
|
|
||||||
B int
|
|
||||||
}
|
|
||||||
|
|
||||||
type TestElementsAfterString struct {
|
|
||||||
S string
|
|
||||||
A, B int
|
|
||||||
}
|
|
||||||
|
|
||||||
type TestBigInt struct {
|
|
||||||
X *big.Int
|
|
||||||
}
|
|
||||||
|
|
||||||
var unmarshalTestData = []struct {
|
|
||||||
in []byte
|
|
||||||
out interface{}
|
|
||||||
}{
|
|
||||||
{[]byte{0x02, 0x01, 0x42}, newInt(0x42)},
|
|
||||||
{[]byte{0x30, 0x08, 0x06, 0x06, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d}, &TestObjectIdentifierStruct{[]int{1, 2, 840, 113549}}},
|
|
||||||
{[]byte{0x03, 0x04, 0x06, 0x6e, 0x5d, 0xc0}, &BitString{[]byte{110, 93, 192}, 18}},
|
|
||||||
{[]byte{0x30, 0x09, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02, 0x02, 0x01, 0x03}, &[]int{1, 2, 3}},
|
|
||||||
{[]byte{0x02, 0x01, 0x10}, newInt(16)},
|
|
||||||
{[]byte{0x13, 0x04, 't', 'e', 's', 't'}, newString("test")},
|
|
||||||
{[]byte{0x16, 0x04, 't', 'e', 's', 't'}, newString("test")},
|
|
||||||
{[]byte{0x16, 0x04, 't', 'e', 's', 't'}, &RawValue{0, 22, false, []byte("test"), []byte("\x16\x04test")}},
|
|
||||||
{[]byte{0x04, 0x04, 1, 2, 3, 4}, &RawValue{0, 4, false, []byte{1, 2, 3, 4}, []byte{4, 4, 1, 2, 3, 4}}},
|
|
||||||
{[]byte{0x30, 0x03, 0x81, 0x01, 0x01}, &TestContextSpecificTags{1}},
|
|
||||||
{[]byte{0x30, 0x08, 0xa1, 0x03, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02}, &TestContextSpecificTags2{1, 2}},
|
|
||||||
{[]byte{0x01, 0x01, 0x00}, newBool(false)},
|
|
||||||
{[]byte{0x01, 0x01, 0xff}, newBool(true)},
|
|
||||||
{[]byte{0x30, 0x0b, 0x13, 0x03, 0x66, 0x6f, 0x6f, 0x02, 0x01, 0x22, 0x02, 0x01, 0x33}, &TestElementsAfterString{"foo", 0x22, 0x33}},
|
|
||||||
{[]byte{0x30, 0x05, 0x02, 0x03, 0x12, 0x34, 0x56}, &TestBigInt{big.NewInt(0x123456)}},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestUnmarshal(t *testing.T) {
|
|
||||||
for i, test := range unmarshalTestData {
|
|
||||||
pv := reflect.New(reflect.TypeOf(test.out).Elem())
|
|
||||||
val := pv.Interface()
|
|
||||||
_, err := Unmarshal(test.in, val)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("Unmarshal failed at index %d %v", i, err)
|
|
||||||
}
|
|
||||||
if !reflect.DeepEqual(val, test.out) {
|
|
||||||
t.Errorf("#%d:\nhave %#v\nwant %#v", i, val, test.out)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type Certificate struct {
|
|
||||||
TBSCertificate TBSCertificate
|
|
||||||
SignatureAlgorithm AlgorithmIdentifier
|
|
||||||
SignatureValue BitString
|
|
||||||
}
|
|
||||||
|
|
||||||
type TBSCertificate struct {
|
|
||||||
Version int `asn1:"optional,explicit,default:0,tag:0"`
|
|
||||||
SerialNumber RawValue
|
|
||||||
SignatureAlgorithm AlgorithmIdentifier
|
|
||||||
Issuer RDNSequence
|
|
||||||
Validity Validity
|
|
||||||
Subject RDNSequence
|
|
||||||
PublicKey PublicKeyInfo
|
|
||||||
}
|
|
||||||
|
|
||||||
type AlgorithmIdentifier struct {
|
|
||||||
Algorithm ObjectIdentifier
|
|
||||||
}
|
|
||||||
|
|
||||||
type RDNSequence []RelativeDistinguishedNameSET
|
|
||||||
|
|
||||||
type RelativeDistinguishedNameSET []AttributeTypeAndValue
|
|
||||||
|
|
||||||
type AttributeTypeAndValue struct {
|
|
||||||
Type ObjectIdentifier
|
|
||||||
Value interface{}
|
|
||||||
}
|
|
||||||
|
|
||||||
type Validity struct {
|
|
||||||
NotBefore, NotAfter time.Time
|
|
||||||
}
|
|
||||||
|
|
||||||
type PublicKeyInfo struct {
|
|
||||||
Algorithm AlgorithmIdentifier
|
|
||||||
PublicKey BitString
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestCertificate(t *testing.T) {
|
|
||||||
// This is a minimal, self-signed certificate that should parse correctly.
|
|
||||||
var cert Certificate
|
|
||||||
if _, err := Unmarshal(derEncodedSelfSignedCertBytes, &cert); err != nil {
|
|
||||||
t.Errorf("Unmarshal failed: %v", err)
|
|
||||||
}
|
|
||||||
if !reflect.DeepEqual(cert, derEncodedSelfSignedCert) {
|
|
||||||
t.Errorf("Bad result:\ngot: %+v\nwant: %+v", cert, derEncodedSelfSignedCert)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestCertificateWithNUL(t *testing.T) {
|
|
||||||
// This is the paypal NUL-hack certificate. It should fail to parse because
|
|
||||||
// NUL isn't a permitted character in a PrintableString.
|
|
||||||
|
|
||||||
var cert Certificate
|
|
||||||
if _, err := Unmarshal(derEncodedPaypalNULCertBytes, &cert); err == nil {
|
|
||||||
t.Error("Unmarshal succeeded, should not have")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type rawStructTest struct {
|
|
||||||
Raw RawContent
|
|
||||||
A int
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestRawStructs(t *testing.T) {
|
|
||||||
var s rawStructTest
|
|
||||||
input := []byte{0x30, 0x03, 0x02, 0x01, 0x50}
|
|
||||||
|
|
||||||
rest, err := Unmarshal(input, &s)
|
|
||||||
if len(rest) != 0 {
|
|
||||||
t.Errorf("incomplete parse: %x", rest)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
t.Error(err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if s.A != 0x50 {
|
|
||||||
t.Errorf("bad value for A: got %d want %d", s.A, 0x50)
|
|
||||||
}
|
|
||||||
if !bytes.Equal([]byte(s.Raw), input) {
|
|
||||||
t.Errorf("bad value for Raw: got %x want %x", s.Raw, input)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestCouleBeISO8859_1(t *testing.T) {
|
|
||||||
for i := 0; i < 0xff; i++ {
|
|
||||||
b := []byte("StringWithA")
|
|
||||||
b = append(b, byte(i))
|
|
||||||
switch {
|
|
||||||
// These values are disallowed:
|
|
||||||
case i < 0x20, i >= 0x7f && i < 0xa0:
|
|
||||||
if couldBeISO8859_1(b) {
|
|
||||||
t.Fatalf("Allowed invalid value %d", i)
|
|
||||||
}
|
|
||||||
|
|
||||||
// These values are allowed:
|
|
||||||
case i >= 0x20 && i < 0x7f, i >= 0xa0 && i <= 0xff:
|
|
||||||
if !couldBeISO8859_1(b) {
|
|
||||||
t.Fatalf("Disallowed valid value %d", i)
|
|
||||||
}
|
|
||||||
|
|
||||||
default:
|
|
||||||
t.Fatalf("Test logic error - value %d not covered above", i)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestCouleBeT61(t *testing.T) {
|
|
||||||
for i := 0; i < 255; i++ {
|
|
||||||
b := []byte("StringWithA")
|
|
||||||
b = append(b, byte(i))
|
|
||||||
|
|
||||||
if couldBeT61(b) {
|
|
||||||
switch i {
|
|
||||||
case 0x00:
|
|
||||||
fallthrough
|
|
||||||
case 0x23, 0x24, 0x5C, 0x5E, 0x60, 0x7B, 0x7D, 0x7E, 0xA5, 0xA6, 0xAC, 0xAD, 0xAE, 0xAF,
|
|
||||||
0xB9, 0xBA, 0xC0, 0xC9, 0xD0, 0xD1, 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9,
|
|
||||||
0xDA, 0xDB, 0xDC, 0xDE, 0xDF, 0xE5, 0xFF:
|
|
||||||
t.Fatalf("Allowed string with byte %d", i)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestISO8859_1ToUTF8(t *testing.T) {
|
|
||||||
b := []byte{'c', 'a', 'f', 0xE9} // 0xE9 == é in ISO8859-1, but is invalid in UTF8
|
|
||||||
if string(b) == "café" {
|
|
||||||
t.Fatal("Sanity failure: that shouldn't have matched")
|
|
||||||
}
|
|
||||||
if iso8859_1ToUTF8(b) != "café" {
|
|
||||||
t.Fatalf("Failed to convert properly, got %v", iso8859_1ToUTF8(b))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var derEncodedSelfSignedCert = Certificate{
|
|
||||||
TBSCertificate: TBSCertificate{
|
|
||||||
Version: 0,
|
|
||||||
SerialNumber: RawValue{Class: 0, Tag: 2, IsCompound: false, Bytes: []uint8{0x0, 0x8c, 0xc3, 0x37, 0x92, 0x10, 0xec, 0x2c, 0x98}, FullBytes: []byte{2, 9, 0x0, 0x8c, 0xc3, 0x37, 0x92, 0x10, 0xec, 0x2c, 0x98}},
|
|
||||||
SignatureAlgorithm: AlgorithmIdentifier{Algorithm: ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}},
|
|
||||||
Issuer: RDNSequence{
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 6}, Value: "XX"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 8}, Value: "Some-State"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 7}, Value: "City"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 10}, Value: "Internet Widgits Pty Ltd"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 3}, Value: "false.example.com"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}, Value: "false@example.com"}},
|
|
||||||
},
|
|
||||||
Validity: Validity{
|
|
||||||
NotBefore: time.Date(2009, 10, 8, 00, 25, 53, 0, time.UTC),
|
|
||||||
NotAfter: time.Date(2010, 10, 8, 00, 25, 53, 0, time.UTC),
|
|
||||||
},
|
|
||||||
Subject: RDNSequence{
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 6}, Value: "XX"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 8}, Value: "Some-State"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 7}, Value: "City"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 10}, Value: "Internet Widgits Pty Ltd"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{2, 5, 4, 3}, Value: "false.example.com"}},
|
|
||||||
RelativeDistinguishedNameSET{AttributeTypeAndValue{Type: ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}, Value: "false@example.com"}},
|
|
||||||
},
|
|
||||||
PublicKey: PublicKeyInfo{
|
|
||||||
Algorithm: AlgorithmIdentifier{Algorithm: ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}},
|
|
||||||
PublicKey: BitString{
|
|
||||||
Bytes: []uint8{
|
|
||||||
0x30, 0x48, 0x2, 0x41, 0x0, 0xcd, 0xb7,
|
|
||||||
0x63, 0x9c, 0x32, 0x78, 0xf0, 0x6, 0xaa, 0x27, 0x7f, 0x6e, 0xaf, 0x42,
|
|
||||||
0x90, 0x2b, 0x59, 0x2d, 0x8c, 0xbc, 0xbe, 0x38, 0xa1, 0xc9, 0x2b, 0xa4,
|
|
||||||
0x69, 0x5a, 0x33, 0x1b, 0x1d, 0xea, 0xde, 0xad, 0xd8, 0xe9, 0xa5, 0xc2,
|
|
||||||
0x7e, 0x8c, 0x4c, 0x2f, 0xd0, 0xa8, 0x88, 0x96, 0x57, 0x72, 0x2a, 0x4f,
|
|
||||||
0x2a, 0xf7, 0x58, 0x9c, 0xf2, 0xc7, 0x70, 0x45, 0xdc, 0x8f, 0xde, 0xec,
|
|
||||||
0x35, 0x7d, 0x2, 0x3, 0x1, 0x0, 0x1,
|
|
||||||
},
|
|
||||||
BitLength: 592,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
SignatureAlgorithm: AlgorithmIdentifier{Algorithm: ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}},
|
|
||||||
SignatureValue: BitString{
|
|
||||||
Bytes: []uint8{
|
|
||||||
0xa6, 0x7b, 0x6, 0xec, 0x5e, 0xce,
|
|
||||||
0x92, 0x77, 0x2c, 0xa4, 0x13, 0xcb, 0xa3, 0xca, 0x12, 0x56, 0x8f, 0xdc, 0x6c,
|
|
||||||
0x7b, 0x45, 0x11, 0xcd, 0x40, 0xa7, 0xf6, 0x59, 0x98, 0x4, 0x2, 0xdf, 0x2b,
|
|
||||||
0x99, 0x8b, 0xb9, 0xa4, 0xa8, 0xcb, 0xeb, 0x34, 0xc0, 0xf0, 0xa7, 0x8c, 0xf8,
|
|
||||||
0xd9, 0x1e, 0xde, 0x14, 0xa5, 0xed, 0x76, 0xbf, 0x11, 0x6f, 0xe3, 0x60, 0xaa,
|
|
||||||
0xfa, 0x88, 0x21, 0x49, 0x4, 0x35,
|
|
||||||
},
|
|
||||||
BitLength: 512,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
var derEncodedSelfSignedCertBytes = []byte{
|
|
||||||
0x30, 0x82, 0x02, 0x18, 0x30,
|
|
||||||
0x82, 0x01, 0xc2, 0x02, 0x09, 0x00, 0x8c, 0xc3, 0x37, 0x92, 0x10, 0xec, 0x2c,
|
|
||||||
0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
|
||||||
0x05, 0x05, 0x00, 0x30, 0x81, 0x92, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
|
|
||||||
0x04, 0x06, 0x13, 0x02, 0x58, 0x58, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
|
|
||||||
0x04, 0x08, 0x13, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74,
|
|
||||||
0x65, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x04, 0x43,
|
|
||||||
0x69, 0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
|
|
||||||
0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64,
|
|
||||||
0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64, 0x31,
|
|
||||||
0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x11, 0x66, 0x61, 0x6c,
|
|
||||||
0x73, 0x65, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f,
|
|
||||||
0x6d, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
|
|
||||||
0x01, 0x09, 0x01, 0x16, 0x11, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x40, 0x65, 0x78,
|
|
||||||
0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d,
|
|
||||||
0x30, 0x39, 0x31, 0x30, 0x30, 0x38, 0x30, 0x30, 0x32, 0x35, 0x35, 0x33, 0x5a,
|
|
||||||
0x17, 0x0d, 0x31, 0x30, 0x31, 0x30, 0x30, 0x38, 0x30, 0x30, 0x32, 0x35, 0x35,
|
|
||||||
0x33, 0x5a, 0x30, 0x81, 0x92, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
|
|
||||||
0x06, 0x13, 0x02, 0x58, 0x58, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04,
|
|
||||||
0x08, 0x13, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65,
|
|
||||||
0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x04, 0x43, 0x69,
|
|
||||||
0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x18,
|
|
||||||
0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67,
|
|
||||||
0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64, 0x31, 0x1a,
|
|
||||||
0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x11, 0x66, 0x61, 0x6c, 0x73,
|
|
||||||
0x65, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
|
|
||||||
0x31, 0x20, 0x30, 0x1e, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
|
|
||||||
0x09, 0x01, 0x16, 0x11, 0x66, 0x61, 0x6c, 0x73, 0x65, 0x40, 0x65, 0x78, 0x61,
|
|
||||||
0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x5c, 0x30, 0x0d, 0x06,
|
|
||||||
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
|
|
||||||
0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xcd, 0xb7, 0x63, 0x9c, 0x32, 0x78,
|
|
||||||
0xf0, 0x06, 0xaa, 0x27, 0x7f, 0x6e, 0xaf, 0x42, 0x90, 0x2b, 0x59, 0x2d, 0x8c,
|
|
||||||
0xbc, 0xbe, 0x38, 0xa1, 0xc9, 0x2b, 0xa4, 0x69, 0x5a, 0x33, 0x1b, 0x1d, 0xea,
|
|
||||||
0xde, 0xad, 0xd8, 0xe9, 0xa5, 0xc2, 0x7e, 0x8c, 0x4c, 0x2f, 0xd0, 0xa8, 0x88,
|
|
||||||
0x96, 0x57, 0x72, 0x2a, 0x4f, 0x2a, 0xf7, 0x58, 0x9c, 0xf2, 0xc7, 0x70, 0x45,
|
|
||||||
0xdc, 0x8f, 0xde, 0xec, 0x35, 0x7d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d,
|
|
||||||
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00,
|
|
||||||
0x03, 0x41, 0x00, 0xa6, 0x7b, 0x06, 0xec, 0x5e, 0xce, 0x92, 0x77, 0x2c, 0xa4,
|
|
||||||
0x13, 0xcb, 0xa3, 0xca, 0x12, 0x56, 0x8f, 0xdc, 0x6c, 0x7b, 0x45, 0x11, 0xcd,
|
|
||||||
0x40, 0xa7, 0xf6, 0x59, 0x98, 0x04, 0x02, 0xdf, 0x2b, 0x99, 0x8b, 0xb9, 0xa4,
|
|
||||||
0xa8, 0xcb, 0xeb, 0x34, 0xc0, 0xf0, 0xa7, 0x8c, 0xf8, 0xd9, 0x1e, 0xde, 0x14,
|
|
||||||
0xa5, 0xed, 0x76, 0xbf, 0x11, 0x6f, 0xe3, 0x60, 0xaa, 0xfa, 0x88, 0x21, 0x49,
|
|
||||||
0x04, 0x35,
|
|
||||||
}
|
|
||||||
|
|
||||||
var derEncodedPaypalNULCertBytes = []byte{
|
|
||||||
0x30, 0x82, 0x06, 0x44, 0x30,
|
|
||||||
0x82, 0x05, 0xad, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x00, 0xf0, 0x9b,
|
|
||||||
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
|
|
||||||
0x05, 0x00, 0x30, 0x82, 0x01, 0x12, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
|
|
||||||
0x04, 0x06, 0x13, 0x02, 0x45, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55,
|
|
||||||
0x04, 0x08, 0x13, 0x09, 0x42, 0x61, 0x72, 0x63, 0x65, 0x6c, 0x6f, 0x6e, 0x61,
|
|
||||||
0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x42, 0x61,
|
|
||||||
0x72, 0x63, 0x65, 0x6c, 0x6f, 0x6e, 0x61, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03,
|
|
||||||
0x55, 0x04, 0x0a, 0x13, 0x20, 0x49, 0x50, 0x53, 0x20, 0x43, 0x65, 0x72, 0x74,
|
|
||||||
0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74,
|
|
||||||
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x73, 0x2e, 0x6c, 0x2e, 0x31, 0x2e,
|
|
||||||
0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x14, 0x25, 0x67, 0x65, 0x6e, 0x65,
|
|
||||||
0x72, 0x61, 0x6c, 0x40, 0x69, 0x70, 0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d,
|
|
||||||
0x20, 0x43, 0x2e, 0x49, 0x2e, 0x46, 0x2e, 0x20, 0x20, 0x42, 0x2d, 0x42, 0x36,
|
|
||||||
0x32, 0x32, 0x31, 0x30, 0x36, 0x39, 0x35, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03,
|
|
||||||
0x55, 0x04, 0x0b, 0x13, 0x25, 0x69, 0x70, 0x73, 0x43, 0x41, 0x20, 0x43, 0x4c,
|
|
||||||
0x41, 0x53, 0x45, 0x41, 0x31, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
|
|
||||||
0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72,
|
|
||||||
0x69, 0x74, 0x79, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
|
|
||||||
0x25, 0x69, 0x70, 0x73, 0x43, 0x41, 0x20, 0x43, 0x4c, 0x41, 0x53, 0x45, 0x41,
|
|
||||||
0x31, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
|
|
||||||
0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31,
|
|
||||||
0x20, 0x30, 0x1e, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09,
|
|
||||||
0x01, 0x16, 0x11, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c, 0x40, 0x69, 0x70,
|
|
||||||
0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x39,
|
|
||||||
0x30, 0x32, 0x32, 0x34, 0x32, 0x33, 0x30, 0x34, 0x31, 0x37, 0x5a, 0x17, 0x0d,
|
|
||||||
0x31, 0x31, 0x30, 0x32, 0x32, 0x34, 0x32, 0x33, 0x30, 0x34, 0x31, 0x37, 0x5a,
|
|
||||||
0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
|
|
||||||
0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13,
|
|
||||||
0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x16,
|
|
||||||
0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0d, 0x53, 0x61, 0x6e, 0x20,
|
|
||||||
0x46, 0x72, 0x61, 0x6e, 0x63, 0x69, 0x73, 0x63, 0x6f, 0x31, 0x11, 0x30, 0x0f,
|
|
||||||
0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69,
|
|
||||||
0x74, 0x79, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x0b,
|
|
||||||
0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x55, 0x6e, 0x69, 0x74, 0x31, 0x2f,
|
|
||||||
0x30, 0x2d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x26, 0x77, 0x77, 0x77, 0x2e,
|
|
||||||
0x70, 0x61, 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x73, 0x73,
|
|
||||||
0x6c, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x63, 0x6f, 0x6e, 0x6e, 0x65,
|
|
||||||
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x63, 0x63, 0x30, 0x81, 0x9f, 0x30, 0x0d,
|
|
||||||
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
|
|
||||||
0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xd2, 0x69,
|
|
||||||
0xfa, 0x6f, 0x3a, 0x00, 0xb4, 0x21, 0x1b, 0xc8, 0xb1, 0x02, 0xd7, 0x3f, 0x19,
|
|
||||||
0xb2, 0xc4, 0x6d, 0xb4, 0x54, 0xf8, 0x8b, 0x8a, 0xcc, 0xdb, 0x72, 0xc2, 0x9e,
|
|
||||||
0x3c, 0x60, 0xb9, 0xc6, 0x91, 0x3d, 0x82, 0xb7, 0x7d, 0x99, 0xff, 0xd1, 0x29,
|
|
||||||
0x84, 0xc1, 0x73, 0x53, 0x9c, 0x82, 0xdd, 0xfc, 0x24, 0x8c, 0x77, 0xd5, 0x41,
|
|
||||||
0xf3, 0xe8, 0x1e, 0x42, 0xa1, 0xad, 0x2d, 0x9e, 0xff, 0x5b, 0x10, 0x26, 0xce,
|
|
||||||
0x9d, 0x57, 0x17, 0x73, 0x16, 0x23, 0x38, 0xc8, 0xd6, 0xf1, 0xba, 0xa3, 0x96,
|
|
||||||
0x5b, 0x16, 0x67, 0x4a, 0x4f, 0x73, 0x97, 0x3a, 0x4d, 0x14, 0xa4, 0xf4, 0xe2,
|
|
||||||
0x3f, 0x8b, 0x05, 0x83, 0x42, 0xd1, 0xd0, 0xdc, 0x2f, 0x7a, 0xe5, 0xb6, 0x10,
|
|
||||||
0xb2, 0x11, 0xc0, 0xdc, 0x21, 0x2a, 0x90, 0xff, 0xae, 0x97, 0x71, 0x5a, 0x49,
|
|
||||||
0x81, 0xac, 0x40, 0xf3, 0x3b, 0xb8, 0x59, 0xb2, 0x4f, 0x02, 0x03, 0x01, 0x00,
|
|
||||||
0x01, 0xa3, 0x82, 0x03, 0x21, 0x30, 0x82, 0x03, 0x1d, 0x30, 0x09, 0x06, 0x03,
|
|
||||||
0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x11, 0x06, 0x09, 0x60, 0x86,
|
|
||||||
0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40,
|
|
||||||
0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x03, 0xf8,
|
|
||||||
0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08,
|
|
||||||
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x30, 0x1d, 0x06, 0x03, 0x55,
|
|
||||||
0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x61, 0x8f, 0x61, 0x34, 0x43, 0x55, 0x14,
|
|
||||||
0x7f, 0x27, 0x09, 0xce, 0x4c, 0x8b, 0xea, 0x9b, 0x7b, 0x19, 0x25, 0xbc, 0x6e,
|
|
||||||
0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
|
|
||||||
0x0e, 0x07, 0x60, 0xd4, 0x39, 0xc9, 0x1b, 0x5b, 0x5d, 0x90, 0x7b, 0x23, 0xc8,
|
|
||||||
0xd2, 0x34, 0x9d, 0x4a, 0x9a, 0x46, 0x39, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d,
|
|
||||||
0x11, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x12, 0x04,
|
|
||||||
0x15, 0x30, 0x13, 0x81, 0x11, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x6c, 0x40,
|
|
||||||
0x69, 0x70, 0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x72, 0x06, 0x09,
|
|
||||||
0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x65, 0x16, 0x63,
|
|
||||||
0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20,
|
|
||||||
0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x4e,
|
|
||||||
0x4f, 0x54, 0x20, 0x56, 0x41, 0x4c, 0x49, 0x44, 0x41, 0x54, 0x45, 0x44, 0x2e,
|
|
||||||
0x20, 0x43, 0x4c, 0x41, 0x53, 0x45, 0x41, 0x31, 0x20, 0x53, 0x65, 0x72, 0x76,
|
|
||||||
0x65, 0x72, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
|
|
||||||
0x65, 0x20, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x68,
|
|
||||||
0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x69, 0x70,
|
|
||||||
0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x30, 0x2f, 0x06, 0x09, 0x60,
|
|
||||||
0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x02, 0x04, 0x22, 0x16, 0x20, 0x68,
|
|
||||||
0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x69, 0x70,
|
|
||||||
0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x70, 0x73, 0x63, 0x61,
|
|
||||||
0x32, 0x30, 0x30, 0x32, 0x2f, 0x30, 0x43, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
|
|
||||||
0x86, 0xf8, 0x42, 0x01, 0x04, 0x04, 0x36, 0x16, 0x34, 0x68, 0x74, 0x74, 0x70,
|
|
||||||
0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x69, 0x70, 0x73, 0x63, 0x61,
|
|
||||||
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x70, 0x73, 0x63, 0x61, 0x32, 0x30, 0x30,
|
|
||||||
0x32, 0x2f, 0x69, 0x70, 0x73, 0x63, 0x61, 0x32, 0x30, 0x30, 0x32, 0x43, 0x4c,
|
|
||||||
0x41, 0x53, 0x45, 0x41, 0x31, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x46, 0x06, 0x09,
|
|
||||||
0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x03, 0x04, 0x39, 0x16, 0x37,
|
|
||||||
0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x69,
|
|
||||||
0x70, 0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x70, 0x73, 0x63,
|
|
||||||
0x61, 0x32, 0x30, 0x30, 0x32, 0x2f, 0x72, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74,
|
|
||||||
0x69, 0x6f, 0x6e, 0x43, 0x4c, 0x41, 0x53, 0x45, 0x41, 0x31, 0x2e, 0x68, 0x74,
|
|
||||||
0x6d, 0x6c, 0x3f, 0x30, 0x43, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8,
|
|
||||||
0x42, 0x01, 0x07, 0x04, 0x36, 0x16, 0x34, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a,
|
|
||||||
0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x69, 0x70, 0x73, 0x63, 0x61, 0x2e, 0x63,
|
|
||||||
0x6f, 0x6d, 0x2f, 0x69, 0x70, 0x73, 0x63, 0x61, 0x32, 0x30, 0x30, 0x32, 0x2f,
|
|
||||||
0x72, 0x65, 0x6e, 0x65, 0x77, 0x61, 0x6c, 0x43, 0x4c, 0x41, 0x53, 0x45, 0x41,
|
|
||||||
0x31, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x3f, 0x30, 0x41, 0x06, 0x09, 0x60, 0x86,
|
|
||||||
0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x08, 0x04, 0x34, 0x16, 0x32, 0x68, 0x74,
|
|
||||||
0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x69, 0x70, 0x73,
|
|
||||||
0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x70, 0x73, 0x63, 0x61, 0x32,
|
|
||||||
0x30, 0x30, 0x32, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x43, 0x4c, 0x41,
|
|
||||||
0x53, 0x45, 0x41, 0x31, 0x2e, 0x68, 0x74, 0x6d, 0x6c, 0x30, 0x81, 0x83, 0x06,
|
|
||||||
0x03, 0x55, 0x1d, 0x1f, 0x04, 0x7c, 0x30, 0x7a, 0x30, 0x39, 0xa0, 0x37, 0xa0,
|
|
||||||
0x35, 0x86, 0x33, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77,
|
|
||||||
0x2e, 0x69, 0x70, 0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x70,
|
|
||||||
0x73, 0x63, 0x61, 0x32, 0x30, 0x30, 0x32, 0x2f, 0x69, 0x70, 0x73, 0x63, 0x61,
|
|
||||||
0x32, 0x30, 0x30, 0x32, 0x43, 0x4c, 0x41, 0x53, 0x45, 0x41, 0x31, 0x2e, 0x63,
|
|
||||||
0x72, 0x6c, 0x30, 0x3d, 0xa0, 0x3b, 0xa0, 0x39, 0x86, 0x37, 0x68, 0x74, 0x74,
|
|
||||||
0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x62, 0x61, 0x63, 0x6b, 0x2e, 0x69,
|
|
||||||
0x70, 0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x69, 0x70, 0x73, 0x63,
|
|
||||||
0x61, 0x32, 0x30, 0x30, 0x32, 0x2f, 0x69, 0x70, 0x73, 0x63, 0x61, 0x32, 0x30,
|
|
||||||
0x30, 0x32, 0x43, 0x4c, 0x41, 0x53, 0x45, 0x41, 0x31, 0x2e, 0x63, 0x72, 0x6c,
|
|
||||||
0x30, 0x32, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04,
|
|
||||||
0x26, 0x30, 0x24, 0x30, 0x22, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
|
|
||||||
0x30, 0x01, 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63,
|
|
||||||
0x73, 0x70, 0x2e, 0x69, 0x70, 0x73, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
|
|
||||||
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
|
|
||||||
0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x68, 0xee, 0x79, 0x97, 0x97, 0xdd, 0x3b,
|
|
||||||
0xef, 0x16, 0x6a, 0x06, 0xf2, 0x14, 0x9a, 0x6e, 0xcd, 0x9e, 0x12, 0xf7, 0xaa,
|
|
||||||
0x83, 0x10, 0xbd, 0xd1, 0x7c, 0x98, 0xfa, 0xc7, 0xae, 0xd4, 0x0e, 0x2c, 0x9e,
|
|
||||||
0x38, 0x05, 0x9d, 0x52, 0x60, 0xa9, 0x99, 0x0a, 0x81, 0xb4, 0x98, 0x90, 0x1d,
|
|
||||||
0xae, 0xbb, 0x4a, 0xd7, 0xb9, 0xdc, 0x88, 0x9e, 0x37, 0x78, 0x41, 0x5b, 0xf7,
|
|
||||||
0x82, 0xa5, 0xf2, 0xba, 0x41, 0x25, 0x5a, 0x90, 0x1a, 0x1e, 0x45, 0x38, 0xa1,
|
|
||||||
0x52, 0x58, 0x75, 0x94, 0x26, 0x44, 0xfb, 0x20, 0x07, 0xba, 0x44, 0xcc, 0xe5,
|
|
||||||
0x4a, 0x2d, 0x72, 0x3f, 0x98, 0x47, 0xf6, 0x26, 0xdc, 0x05, 0x46, 0x05, 0x07,
|
|
||||||
0x63, 0x21, 0xab, 0x46, 0x9b, 0x9c, 0x78, 0xd5, 0x54, 0x5b, 0x3d, 0x0c, 0x1e,
|
|
||||||
0xc8, 0x64, 0x8c, 0xb5, 0x50, 0x23, 0x82, 0x6f, 0xdb, 0xb8, 0x22, 0x1c, 0x43,
|
|
||||||
0x96, 0x07, 0xa8, 0xbb,
|
|
||||||
}
|
|
|
@ -1,163 +0,0 @@
|
||||||
// Copyright 2009 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package asn1
|
|
||||||
|
|
||||||
import (
|
|
||||||
"reflect"
|
|
||||||
"strconv"
|
|
||||||
"strings"
|
|
||||||
)
|
|
||||||
|
|
||||||
// ASN.1 objects have metadata preceding them:
|
|
||||||
// the tag: the type of the object
|
|
||||||
// a flag denoting if this object is compound or not
|
|
||||||
// the class type: the namespace of the tag
|
|
||||||
// the length of the object, in bytes
|
|
||||||
|
|
||||||
// Here are some standard tags and classes
|
|
||||||
|
|
||||||
const (
|
|
||||||
tagBoolean = 1
|
|
||||||
tagInteger = 2
|
|
||||||
tagBitString = 3
|
|
||||||
tagOctetString = 4
|
|
||||||
tagOID = 6
|
|
||||||
tagEnum = 10
|
|
||||||
tagUTF8String = 12
|
|
||||||
tagSequence = 16
|
|
||||||
tagSet = 17
|
|
||||||
tagPrintableString = 19
|
|
||||||
tagT61String = 20
|
|
||||||
tagIA5String = 22
|
|
||||||
tagUTCTime = 23
|
|
||||||
tagGeneralizedTime = 24
|
|
||||||
tagGeneralString = 27
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
|
||||||
classUniversal = 0
|
|
||||||
classApplication = 1
|
|
||||||
classContextSpecific = 2
|
|
||||||
classPrivate = 3
|
|
||||||
)
|
|
||||||
|
|
||||||
type tagAndLength struct {
|
|
||||||
class, tag, length int
|
|
||||||
isCompound bool
|
|
||||||
}
|
|
||||||
|
|
||||||
// ASN.1 has IMPLICIT and EXPLICIT tags, which can be translated as "instead
|
|
||||||
// of" and "in addition to". When not specified, every primitive type has a
|
|
||||||
// default tag in the UNIVERSAL class.
|
|
||||||
//
|
|
||||||
// For example: a BIT STRING is tagged [UNIVERSAL 3] by default (although ASN.1
|
|
||||||
// doesn't actually have a UNIVERSAL keyword). However, by saying [IMPLICIT
|
|
||||||
// CONTEXT-SPECIFIC 42], that means that the tag is replaced by another.
|
|
||||||
//
|
|
||||||
// On the other hand, if it said [EXPLICIT CONTEXT-SPECIFIC 10], then an
|
|
||||||
// /additional/ tag would wrap the default tag. This explicit tag will have the
|
|
||||||
// compound flag set.
|
|
||||||
//
|
|
||||||
// (This is used in order to remove ambiguity with optional elements.)
|
|
||||||
//
|
|
||||||
// You can layer EXPLICIT and IMPLICIT tags to an arbitrary depth, however we
|
|
||||||
// don't support that here. We support a single layer of EXPLICIT or IMPLICIT
|
|
||||||
// tagging with tag strings on the fields of a structure.
|
|
||||||
|
|
||||||
// fieldParameters is the parsed representation of tag string from a structure field.
|
|
||||||
type fieldParameters struct {
|
|
||||||
optional bool // true iff the field is OPTIONAL
|
|
||||||
explicit bool // true iff an EXPLICIT tag is in use.
|
|
||||||
application bool // true iff an APPLICATION tag is in use.
|
|
||||||
defaultValue *int64 // a default value for INTEGER typed fields (maybe nil).
|
|
||||||
tag *int // the EXPLICIT or IMPLICIT tag (maybe nil).
|
|
||||||
stringType int // the string tag to use when marshaling.
|
|
||||||
set bool // true iff this should be encoded as a SET
|
|
||||||
omitEmpty bool // true iff this should be omitted if empty when marshaling.
|
|
||||||
|
|
||||||
// Invariants:
|
|
||||||
// if explicit is set, tag is non-nil.
|
|
||||||
}
|
|
||||||
|
|
||||||
// Given a tag string with the format specified in the package comment,
|
|
||||||
// parseFieldParameters will parse it into a fieldParameters structure,
|
|
||||||
// ignoring unknown parts of the string.
|
|
||||||
func parseFieldParameters(str string) (ret fieldParameters) {
|
|
||||||
for _, part := range strings.Split(str, ",") {
|
|
||||||
switch {
|
|
||||||
case part == "optional":
|
|
||||||
ret.optional = true
|
|
||||||
case part == "explicit":
|
|
||||||
ret.explicit = true
|
|
||||||
if ret.tag == nil {
|
|
||||||
ret.tag = new(int)
|
|
||||||
}
|
|
||||||
case part == "ia5":
|
|
||||||
ret.stringType = tagIA5String
|
|
||||||
case part == "printable":
|
|
||||||
ret.stringType = tagPrintableString
|
|
||||||
case part == "utf8":
|
|
||||||
ret.stringType = tagUTF8String
|
|
||||||
case strings.HasPrefix(part, "default:"):
|
|
||||||
i, err := strconv.ParseInt(part[8:], 10, 64)
|
|
||||||
if err == nil {
|
|
||||||
ret.defaultValue = new(int64)
|
|
||||||
*ret.defaultValue = i
|
|
||||||
}
|
|
||||||
case strings.HasPrefix(part, "tag:"):
|
|
||||||
i, err := strconv.Atoi(part[4:])
|
|
||||||
if err == nil {
|
|
||||||
ret.tag = new(int)
|
|
||||||
*ret.tag = i
|
|
||||||
}
|
|
||||||
case part == "set":
|
|
||||||
ret.set = true
|
|
||||||
case part == "application":
|
|
||||||
ret.application = true
|
|
||||||
if ret.tag == nil {
|
|
||||||
ret.tag = new(int)
|
|
||||||
}
|
|
||||||
case part == "omitempty":
|
|
||||||
ret.omitEmpty = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// Given a reflected Go type, getUniversalType returns the default tag number
|
|
||||||
// and expected compound flag.
|
|
||||||
func getUniversalType(t reflect.Type) (tagNumber int, isCompound, ok bool) {
|
|
||||||
switch t {
|
|
||||||
case objectIdentifierType:
|
|
||||||
return tagOID, false, true
|
|
||||||
case bitStringType:
|
|
||||||
return tagBitString, false, true
|
|
||||||
case timeType:
|
|
||||||
return tagUTCTime, false, true
|
|
||||||
case enumeratedType:
|
|
||||||
return tagEnum, false, true
|
|
||||||
case bigIntType:
|
|
||||||
return tagInteger, false, true
|
|
||||||
}
|
|
||||||
switch t.Kind() {
|
|
||||||
case reflect.Bool:
|
|
||||||
return tagBoolean, false, true
|
|
||||||
case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
|
|
||||||
return tagInteger, false, true
|
|
||||||
case reflect.Struct:
|
|
||||||
return tagSequence, true, true
|
|
||||||
case reflect.Slice:
|
|
||||||
if t.Elem().Kind() == reflect.Uint8 {
|
|
||||||
return tagOctetString, false, true
|
|
||||||
}
|
|
||||||
if strings.HasSuffix(t.Name(), "SET") {
|
|
||||||
return tagSet, true, true
|
|
||||||
}
|
|
||||||
return tagSequence, true, true
|
|
||||||
case reflect.String:
|
|
||||||
return tagPrintableString, false, true
|
|
||||||
}
|
|
||||||
return 0, false, false
|
|
||||||
}
|
|
|
@ -1,581 +0,0 @@
|
||||||
// Copyright 2009 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package asn1
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
|
||||||
"io"
|
|
||||||
"math/big"
|
|
||||||
"reflect"
|
|
||||||
"time"
|
|
||||||
"unicode/utf8"
|
|
||||||
)
|
|
||||||
|
|
||||||
// A forkableWriter is an in-memory buffer that can be
|
|
||||||
// 'forked' to create new forkableWriters that bracket the
|
|
||||||
// original. After
|
|
||||||
// pre, post := w.fork();
|
|
||||||
// the overall sequence of bytes represented is logically w+pre+post.
|
|
||||||
type forkableWriter struct {
|
|
||||||
*bytes.Buffer
|
|
||||||
pre, post *forkableWriter
|
|
||||||
}
|
|
||||||
|
|
||||||
func newForkableWriter() *forkableWriter {
|
|
||||||
return &forkableWriter{new(bytes.Buffer), nil, nil}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (f *forkableWriter) fork() (pre, post *forkableWriter) {
|
|
||||||
if f.pre != nil || f.post != nil {
|
|
||||||
panic("have already forked")
|
|
||||||
}
|
|
||||||
f.pre = newForkableWriter()
|
|
||||||
f.post = newForkableWriter()
|
|
||||||
return f.pre, f.post
|
|
||||||
}
|
|
||||||
|
|
||||||
func (f *forkableWriter) Len() (l int) {
|
|
||||||
l += f.Buffer.Len()
|
|
||||||
if f.pre != nil {
|
|
||||||
l += f.pre.Len()
|
|
||||||
}
|
|
||||||
if f.post != nil {
|
|
||||||
l += f.post.Len()
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func (f *forkableWriter) writeTo(out io.Writer) (n int, err error) {
|
|
||||||
n, err = out.Write(f.Bytes())
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
var nn int
|
|
||||||
|
|
||||||
if f.pre != nil {
|
|
||||||
nn, err = f.pre.writeTo(out)
|
|
||||||
n += nn
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if f.post != nil {
|
|
||||||
nn, err = f.post.writeTo(out)
|
|
||||||
n += nn
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalBase128Int(out *forkableWriter, n int64) (err error) {
|
|
||||||
if n == 0 {
|
|
||||||
err = out.WriteByte(0)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
l := 0
|
|
||||||
for i := n; i > 0; i >>= 7 {
|
|
||||||
l++
|
|
||||||
}
|
|
||||||
|
|
||||||
for i := l - 1; i >= 0; i-- {
|
|
||||||
o := byte(n >> uint(i*7))
|
|
||||||
o &= 0x7f
|
|
||||||
if i != 0 {
|
|
||||||
o |= 0x80
|
|
||||||
}
|
|
||||||
err = out.WriteByte(o)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalInt64(out *forkableWriter, i int64) (err error) {
|
|
||||||
n := int64Length(i)
|
|
||||||
|
|
||||||
for ; n > 0; n-- {
|
|
||||||
err = out.WriteByte(byte(i >> uint((n-1)*8)))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func int64Length(i int64) (numBytes int) {
|
|
||||||
numBytes = 1
|
|
||||||
|
|
||||||
for i > 127 {
|
|
||||||
numBytes++
|
|
||||||
i >>= 8
|
|
||||||
}
|
|
||||||
|
|
||||||
for i < -128 {
|
|
||||||
numBytes++
|
|
||||||
i >>= 8
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalBigInt(out *forkableWriter, n *big.Int) (err error) {
|
|
||||||
if n.Sign() < 0 {
|
|
||||||
// A negative number has to be converted to two's-complement
|
|
||||||
// form. So we'll subtract 1 and invert. If the
|
|
||||||
// most-significant-bit isn't set then we'll need to pad the
|
|
||||||
// beginning with 0xff in order to keep the number negative.
|
|
||||||
nMinus1 := new(big.Int).Neg(n)
|
|
||||||
nMinus1.Sub(nMinus1, bigOne)
|
|
||||||
bytes := nMinus1.Bytes()
|
|
||||||
for i := range bytes {
|
|
||||||
bytes[i] ^= 0xff
|
|
||||||
}
|
|
||||||
if len(bytes) == 0 || bytes[0]&0x80 == 0 {
|
|
||||||
err = out.WriteByte(0xff)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
_, err = out.Write(bytes)
|
|
||||||
} else if n.Sign() == 0 {
|
|
||||||
// Zero is written as a single 0 zero rather than no bytes.
|
|
||||||
err = out.WriteByte(0x00)
|
|
||||||
} else {
|
|
||||||
bytes := n.Bytes()
|
|
||||||
if len(bytes) > 0 && bytes[0]&0x80 != 0 {
|
|
||||||
// We'll have to pad this with 0x00 in order to stop it
|
|
||||||
// looking like a negative number.
|
|
||||||
err = out.WriteByte(0)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
_, err = out.Write(bytes)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalLength(out *forkableWriter, i int) (err error) {
|
|
||||||
n := lengthLength(i)
|
|
||||||
|
|
||||||
for ; n > 0; n-- {
|
|
||||||
err = out.WriteByte(byte(i >> uint((n-1)*8)))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func lengthLength(i int) (numBytes int) {
|
|
||||||
numBytes = 1
|
|
||||||
for i > 255 {
|
|
||||||
numBytes++
|
|
||||||
i >>= 8
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalTagAndLength(out *forkableWriter, t tagAndLength) (err error) {
|
|
||||||
b := uint8(t.class) << 6
|
|
||||||
if t.isCompound {
|
|
||||||
b |= 0x20
|
|
||||||
}
|
|
||||||
if t.tag >= 31 {
|
|
||||||
b |= 0x1f
|
|
||||||
err = out.WriteByte(b)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
err = marshalBase128Int(out, int64(t.tag))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
b |= uint8(t.tag)
|
|
||||||
err = out.WriteByte(b)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if t.length >= 128 {
|
|
||||||
l := lengthLength(t.length)
|
|
||||||
err = out.WriteByte(0x80 | byte(l))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
err = marshalLength(out, t.length)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
err = out.WriteByte(byte(t.length))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalBitString(out *forkableWriter, b BitString) (err error) {
|
|
||||||
paddingBits := byte((8 - b.BitLength%8) % 8)
|
|
||||||
err = out.WriteByte(paddingBits)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
_, err = out.Write(b.Bytes)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalObjectIdentifier(out *forkableWriter, oid []int) (err error) {
|
|
||||||
if len(oid) < 2 || oid[0] > 2 || (oid[0] < 2 && oid[1] >= 40) {
|
|
||||||
return StructuralError{"invalid object identifier"}
|
|
||||||
}
|
|
||||||
|
|
||||||
err = marshalBase128Int(out, int64(oid[0]*40+oid[1]))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
for i := 2; i < len(oid); i++ {
|
|
||||||
err = marshalBase128Int(out, int64(oid[i]))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalPrintableString(out *forkableWriter, s string) (err error) {
|
|
||||||
b := []byte(s)
|
|
||||||
for _, c := range b {
|
|
||||||
if !isPrintable(c) {
|
|
||||||
return StructuralError{"PrintableString contains invalid character"}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = out.Write(b)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalIA5String(out *forkableWriter, s string) (err error) {
|
|
||||||
b := []byte(s)
|
|
||||||
for _, c := range b {
|
|
||||||
if c > 127 {
|
|
||||||
return StructuralError{"IA5String contains invalid character"}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = out.Write(b)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalUTF8String(out *forkableWriter, s string) (err error) {
|
|
||||||
_, err = out.Write([]byte(s))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalTwoDigits(out *forkableWriter, v int) (err error) {
|
|
||||||
err = out.WriteByte(byte('0' + (v/10)%10))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
return out.WriteByte(byte('0' + v%10))
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalUTCTime(out *forkableWriter, t time.Time) (err error) {
|
|
||||||
year, month, day := t.Date()
|
|
||||||
|
|
||||||
switch {
|
|
||||||
case 1950 <= year && year < 2000:
|
|
||||||
err = marshalTwoDigits(out, int(year-1900))
|
|
||||||
case 2000 <= year && year < 2050:
|
|
||||||
err = marshalTwoDigits(out, int(year-2000))
|
|
||||||
default:
|
|
||||||
return StructuralError{"cannot represent time as UTCTime"}
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
err = marshalTwoDigits(out, int(month))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
err = marshalTwoDigits(out, day)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
hour, min, sec := t.Clock()
|
|
||||||
|
|
||||||
err = marshalTwoDigits(out, hour)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
err = marshalTwoDigits(out, min)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
err = marshalTwoDigits(out, sec)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
_, offset := t.Zone()
|
|
||||||
|
|
||||||
switch {
|
|
||||||
case offset/60 == 0:
|
|
||||||
err = out.WriteByte('Z')
|
|
||||||
return
|
|
||||||
case offset > 0:
|
|
||||||
err = out.WriteByte('+')
|
|
||||||
case offset < 0:
|
|
||||||
err = out.WriteByte('-')
|
|
||||||
}
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
offsetMinutes := offset / 60
|
|
||||||
if offsetMinutes < 0 {
|
|
||||||
offsetMinutes = -offsetMinutes
|
|
||||||
}
|
|
||||||
|
|
||||||
err = marshalTwoDigits(out, offsetMinutes/60)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
err = marshalTwoDigits(out, offsetMinutes%60)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func stripTagAndLength(in []byte) []byte {
|
|
||||||
_, offset, err := parseTagAndLength(in, 0)
|
|
||||||
if err != nil {
|
|
||||||
return in
|
|
||||||
}
|
|
||||||
return in[offset:]
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalBody(out *forkableWriter, value reflect.Value, params fieldParameters) (err error) {
|
|
||||||
switch value.Type() {
|
|
||||||
case timeType:
|
|
||||||
return marshalUTCTime(out, value.Interface().(time.Time))
|
|
||||||
case bitStringType:
|
|
||||||
return marshalBitString(out, value.Interface().(BitString))
|
|
||||||
case objectIdentifierType:
|
|
||||||
return marshalObjectIdentifier(out, value.Interface().(ObjectIdentifier))
|
|
||||||
case bigIntType:
|
|
||||||
return marshalBigInt(out, value.Interface().(*big.Int))
|
|
||||||
}
|
|
||||||
|
|
||||||
switch v := value; v.Kind() {
|
|
||||||
case reflect.Bool:
|
|
||||||
if v.Bool() {
|
|
||||||
return out.WriteByte(255)
|
|
||||||
} else {
|
|
||||||
return out.WriteByte(0)
|
|
||||||
}
|
|
||||||
case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
|
|
||||||
return marshalInt64(out, int64(v.Int()))
|
|
||||||
case reflect.Struct:
|
|
||||||
t := v.Type()
|
|
||||||
|
|
||||||
startingField := 0
|
|
||||||
|
|
||||||
// If the first element of the structure is a non-empty
|
|
||||||
// RawContents, then we don't bother serializing the rest.
|
|
||||||
if t.NumField() > 0 && t.Field(0).Type == rawContentsType {
|
|
||||||
s := v.Field(0)
|
|
||||||
if s.Len() > 0 {
|
|
||||||
bytes := make([]byte, s.Len())
|
|
||||||
for i := 0; i < s.Len(); i++ {
|
|
||||||
bytes[i] = uint8(s.Index(i).Uint())
|
|
||||||
}
|
|
||||||
/* The RawContents will contain the tag and
|
|
||||||
* length fields but we'll also be writing
|
|
||||||
* those ourselves, so we strip them out of
|
|
||||||
* bytes */
|
|
||||||
_, err = out.Write(stripTagAndLength(bytes))
|
|
||||||
return
|
|
||||||
} else {
|
|
||||||
startingField = 1
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
for i := startingField; i < t.NumField(); i++ {
|
|
||||||
var pre *forkableWriter
|
|
||||||
pre, out = out.fork()
|
|
||||||
err = marshalField(pre, v.Field(i), parseFieldParameters(t.Field(i).Tag.Get("asn1")))
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
case reflect.Slice:
|
|
||||||
sliceType := v.Type()
|
|
||||||
if sliceType.Elem().Kind() == reflect.Uint8 {
|
|
||||||
bytes := make([]byte, v.Len())
|
|
||||||
for i := 0; i < v.Len(); i++ {
|
|
||||||
bytes[i] = uint8(v.Index(i).Uint())
|
|
||||||
}
|
|
||||||
_, err = out.Write(bytes)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
var fp fieldParameters
|
|
||||||
for i := 0; i < v.Len(); i++ {
|
|
||||||
var pre *forkableWriter
|
|
||||||
pre, out = out.fork()
|
|
||||||
err = marshalField(pre, v.Index(i), fp)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return
|
|
||||||
case reflect.String:
|
|
||||||
switch params.stringType {
|
|
||||||
case tagIA5String:
|
|
||||||
return marshalIA5String(out, v.String())
|
|
||||||
case tagPrintableString:
|
|
||||||
return marshalPrintableString(out, v.String())
|
|
||||||
default:
|
|
||||||
return marshalUTF8String(out, v.String())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return StructuralError{"unknown Go type"}
|
|
||||||
}
|
|
||||||
|
|
||||||
func marshalField(out *forkableWriter, v reflect.Value, params fieldParameters) (err error) {
|
|
||||||
// If the field is an interface{} then recurse into it.
|
|
||||||
if v.Kind() == reflect.Interface && v.Type().NumMethod() == 0 {
|
|
||||||
return marshalField(out, v.Elem(), params)
|
|
||||||
}
|
|
||||||
|
|
||||||
if v.Kind() == reflect.Slice && v.Len() == 0 && params.omitEmpty {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if params.optional && reflect.DeepEqual(v.Interface(), reflect.Zero(v.Type()).Interface()) {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if v.Type() == rawValueType {
|
|
||||||
rv := v.Interface().(RawValue)
|
|
||||||
if len(rv.FullBytes) != 0 {
|
|
||||||
_, err = out.Write(rv.FullBytes)
|
|
||||||
} else {
|
|
||||||
err = marshalTagAndLength(out, tagAndLength{rv.Class, rv.Tag, len(rv.Bytes), rv.IsCompound})
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
_, err = out.Write(rv.Bytes)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
tag, isCompound, ok := getUniversalType(v.Type())
|
|
||||||
if !ok {
|
|
||||||
err = StructuralError{fmt.Sprintf("unknown Go type: %v", v.Type())}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
class := classUniversal
|
|
||||||
|
|
||||||
if params.stringType != 0 && tag != tagPrintableString {
|
|
||||||
return StructuralError{"explicit string type given to non-string member"}
|
|
||||||
}
|
|
||||||
|
|
||||||
if tag == tagPrintableString {
|
|
||||||
if params.stringType == 0 {
|
|
||||||
// This is a string without an explicit string type. We'll use
|
|
||||||
// a PrintableString if the character set in the string is
|
|
||||||
// sufficiently limited, otherwise we'll use a UTF8String.
|
|
||||||
for _, r := range v.String() {
|
|
||||||
if r >= utf8.RuneSelf || !isPrintable(byte(r)) {
|
|
||||||
if !utf8.ValidString(v.String()) {
|
|
||||||
return errors.New("asn1: string not valid UTF-8")
|
|
||||||
}
|
|
||||||
tag = tagUTF8String
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
tag = params.stringType
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if params.set {
|
|
||||||
if tag != tagSequence {
|
|
||||||
return StructuralError{"non sequence tagged as set"}
|
|
||||||
}
|
|
||||||
tag = tagSet
|
|
||||||
}
|
|
||||||
|
|
||||||
tags, body := out.fork()
|
|
||||||
|
|
||||||
err = marshalBody(body, v, params)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
bodyLen := body.Len()
|
|
||||||
|
|
||||||
var explicitTag *forkableWriter
|
|
||||||
if params.explicit {
|
|
||||||
explicitTag, tags = tags.fork()
|
|
||||||
}
|
|
||||||
|
|
||||||
if !params.explicit && params.tag != nil {
|
|
||||||
// implicit tag.
|
|
||||||
tag = *params.tag
|
|
||||||
class = classContextSpecific
|
|
||||||
}
|
|
||||||
|
|
||||||
err = marshalTagAndLength(tags, tagAndLength{class, tag, bodyLen, isCompound})
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if params.explicit {
|
|
||||||
err = marshalTagAndLength(explicitTag, tagAndLength{
|
|
||||||
class: classContextSpecific,
|
|
||||||
tag: *params.tag,
|
|
||||||
length: bodyLen + tags.Len(),
|
|
||||||
isCompound: true,
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Marshal returns the ASN.1 encoding of val.
|
|
||||||
func Marshal(val interface{}) ([]byte, error) {
|
|
||||||
var out bytes.Buffer
|
|
||||||
v := reflect.ValueOf(val)
|
|
||||||
f := newForkableWriter()
|
|
||||||
err := marshalField(f, v, fieldParameters{})
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
_, err = f.writeTo(&out)
|
|
||||||
return out.Bytes(), nil
|
|
||||||
}
|
|
|
@ -1,148 +0,0 @@
|
||||||
// Copyright 2009 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package asn1
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"encoding/hex"
|
|
||||||
"math/big"
|
|
||||||
"testing"
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
type intStruct struct {
|
|
||||||
A int
|
|
||||||
}
|
|
||||||
|
|
||||||
type twoIntStruct struct {
|
|
||||||
A int
|
|
||||||
B int
|
|
||||||
}
|
|
||||||
|
|
||||||
type bigIntStruct struct {
|
|
||||||
A *big.Int
|
|
||||||
}
|
|
||||||
|
|
||||||
type nestedStruct struct {
|
|
||||||
A intStruct
|
|
||||||
}
|
|
||||||
|
|
||||||
type rawContentsStruct struct {
|
|
||||||
Raw RawContent
|
|
||||||
A int
|
|
||||||
}
|
|
||||||
|
|
||||||
type implicitTagTest struct {
|
|
||||||
A int `asn1:"implicit,tag:5"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type explicitTagTest struct {
|
|
||||||
A int `asn1:"explicit,tag:5"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type ia5StringTest struct {
|
|
||||||
A string `asn1:"ia5"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type printableStringTest struct {
|
|
||||||
A string `asn1:"printable"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type optionalRawValueTest struct {
|
|
||||||
A RawValue `asn1:"optional"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type omitEmptyTest struct {
|
|
||||||
A []string `asn1:"omitempty"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type testSET []int
|
|
||||||
|
|
||||||
var PST = time.FixedZone("PST", -8*60*60)
|
|
||||||
|
|
||||||
type marshalTest struct {
|
|
||||||
in interface{}
|
|
||||||
out string // hex encoded
|
|
||||||
}
|
|
||||||
|
|
||||||
var marshalTests = []marshalTest{
|
|
||||||
{10, "02010a"},
|
|
||||||
{127, "02017f"},
|
|
||||||
{128, "02020080"},
|
|
||||||
{-128, "020180"},
|
|
||||||
{-129, "0202ff7f"},
|
|
||||||
{intStruct{64}, "3003020140"},
|
|
||||||
{bigIntStruct{big.NewInt(0x123456)}, "30050203123456"},
|
|
||||||
{twoIntStruct{64, 65}, "3006020140020141"},
|
|
||||||
{nestedStruct{intStruct{127}}, "3005300302017f"},
|
|
||||||
{[]byte{1, 2, 3}, "0403010203"},
|
|
||||||
{implicitTagTest{64}, "3003850140"},
|
|
||||||
{explicitTagTest{64}, "3005a503020140"},
|
|
||||||
{time.Unix(0, 0).UTC(), "170d3730303130313030303030305a"},
|
|
||||||
{time.Unix(1258325776, 0).UTC(), "170d3039313131353232353631365a"},
|
|
||||||
{time.Unix(1258325776, 0).In(PST), "17113039313131353134353631362d30383030"},
|
|
||||||
{BitString{[]byte{0x80}, 1}, "03020780"},
|
|
||||||
{BitString{[]byte{0x81, 0xf0}, 12}, "03030481f0"},
|
|
||||||
{ObjectIdentifier([]int{1, 2, 3, 4}), "06032a0304"},
|
|
||||||
{ObjectIdentifier([]int{1, 2, 840, 133549, 1, 1, 5}), "06092a864888932d010105"},
|
|
||||||
{ObjectIdentifier([]int{2, 100, 3}), "0603813403"},
|
|
||||||
{"test", "130474657374"},
|
|
||||||
{
|
|
||||||
"" +
|
|
||||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +
|
|
||||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +
|
|
||||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +
|
|
||||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", // This is 127 times 'x'
|
|
||||||
"137f" +
|
|
||||||
"7878787878787878787878787878787878787878787878787878787878787878" +
|
|
||||||
"7878787878787878787878787878787878787878787878787878787878787878" +
|
|
||||||
"7878787878787878787878787878787878787878787878787878787878787878" +
|
|
||||||
"78787878787878787878787878787878787878787878787878787878787878",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"" +
|
|
||||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +
|
|
||||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +
|
|
||||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +
|
|
||||||
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", // This is 128 times 'x'
|
|
||||||
"138180" +
|
|
||||||
"7878787878787878787878787878787878787878787878787878787878787878" +
|
|
||||||
"7878787878787878787878787878787878787878787878787878787878787878" +
|
|
||||||
"7878787878787878787878787878787878787878787878787878787878787878" +
|
|
||||||
"7878787878787878787878787878787878787878787878787878787878787878",
|
|
||||||
},
|
|
||||||
{ia5StringTest{"test"}, "3006160474657374"},
|
|
||||||
{optionalRawValueTest{}, "3000"},
|
|
||||||
{printableStringTest{"test"}, "3006130474657374"},
|
|
||||||
{printableStringTest{"test*"}, "30071305746573742a"},
|
|
||||||
{rawContentsStruct{nil, 64}, "3003020140"},
|
|
||||||
{rawContentsStruct{[]byte{0x30, 3, 1, 2, 3}, 64}, "3003010203"},
|
|
||||||
{RawValue{Tag: 1, Class: 2, IsCompound: false, Bytes: []byte{1, 2, 3}}, "8103010203"},
|
|
||||||
{testSET([]int{10}), "310302010a"},
|
|
||||||
{omitEmptyTest{[]string{}}, "3000"},
|
|
||||||
{omitEmptyTest{[]string{"1"}}, "30053003130131"},
|
|
||||||
{"Σ", "0c02cea3"},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestMarshal(t *testing.T) {
|
|
||||||
for i, test := range marshalTests {
|
|
||||||
data, err := Marshal(test.in)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("#%d failed: %s", i, err)
|
|
||||||
}
|
|
||||||
out, _ := hex.DecodeString(test.out)
|
|
||||||
if !bytes.Equal(out, data) {
|
|
||||||
t.Errorf("#%d got: %x want %x\n\t%q\n\t%q", i, data, out, data, out)
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestInvalidUTF8(t *testing.T) {
|
|
||||||
_, err := Marshal(string([]byte{0xff, 0xff}))
|
|
||||||
if err == nil {
|
|
||||||
t.Errorf("invalid UTF8 string was accepted")
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,116 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"encoding/pem"
|
|
||||||
)
|
|
||||||
|
|
||||||
// CertPool is a set of certificates.
|
|
||||||
type CertPool struct {
|
|
||||||
bySubjectKeyId map[string][]int
|
|
||||||
byName map[string][]int
|
|
||||||
certs []*Certificate
|
|
||||||
}
|
|
||||||
|
|
||||||
// NewCertPool returns a new, empty CertPool.
|
|
||||||
func NewCertPool() *CertPool {
|
|
||||||
return &CertPool{
|
|
||||||
make(map[string][]int),
|
|
||||||
make(map[string][]int),
|
|
||||||
nil,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// findVerifiedParents attempts to find certificates in s which have signed the
|
|
||||||
// given certificate. If any candidates were rejected then errCert will be set
|
|
||||||
// to one of them, arbitrarily, and err will contain the reason that it was
|
|
||||||
// rejected.
|
|
||||||
func (s *CertPool) findVerifiedParents(cert *Certificate) (parents []int, errCert *Certificate, err error) {
|
|
||||||
if s == nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
var candidates []int
|
|
||||||
|
|
||||||
if len(cert.AuthorityKeyId) > 0 {
|
|
||||||
candidates = s.bySubjectKeyId[string(cert.AuthorityKeyId)]
|
|
||||||
}
|
|
||||||
if len(candidates) == 0 {
|
|
||||||
candidates = s.byName[string(cert.RawIssuer)]
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, c := range candidates {
|
|
||||||
if err = cert.CheckSignatureFrom(s.certs[c]); err == nil {
|
|
||||||
parents = append(parents, c)
|
|
||||||
} else {
|
|
||||||
errCert = s.certs[c]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// AddCert adds a certificate to a pool.
|
|
||||||
func (s *CertPool) AddCert(cert *Certificate) {
|
|
||||||
if cert == nil {
|
|
||||||
panic("adding nil Certificate to CertPool")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check that the certificate isn't being added twice.
|
|
||||||
for _, c := range s.certs {
|
|
||||||
if c.Equal(cert) {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
n := len(s.certs)
|
|
||||||
s.certs = append(s.certs, cert)
|
|
||||||
|
|
||||||
if len(cert.SubjectKeyId) > 0 {
|
|
||||||
keyId := string(cert.SubjectKeyId)
|
|
||||||
s.bySubjectKeyId[keyId] = append(s.bySubjectKeyId[keyId], n)
|
|
||||||
}
|
|
||||||
name := string(cert.RawSubject)
|
|
||||||
s.byName[name] = append(s.byName[name], n)
|
|
||||||
}
|
|
||||||
|
|
||||||
// AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.
|
|
||||||
// It appends any certificates found to s and returns true if any certificates
|
|
||||||
// were successfully parsed.
|
|
||||||
//
|
|
||||||
// On many Linux systems, /etc/ssl/cert.pem will contain the system wide set
|
|
||||||
// of root CAs in a format suitable for this function.
|
|
||||||
func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) {
|
|
||||||
for len(pemCerts) > 0 {
|
|
||||||
var block *pem.Block
|
|
||||||
block, pemCerts = pem.Decode(pemCerts)
|
|
||||||
if block == nil {
|
|
||||||
break
|
|
||||||
}
|
|
||||||
if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
cert, err := ParseCertificate(block.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
s.AddCert(cert)
|
|
||||||
ok = true
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// Subjects returns a list of the DER-encoded subjects of
|
|
||||||
// all of the certificates in the pool.
|
|
||||||
func (s *CertPool) Subjects() (res [][]byte) {
|
|
||||||
res = make([][]byte, len(s.certs))
|
|
||||||
for i, c := range s.certs {
|
|
||||||
res[i] = c.RawSubject
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
|
@ -1,233 +0,0 @@
|
||||||
// Copyright 2012 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
// RFC 1423 describes the encryption of PEM blocks. The algorithm used to
|
|
||||||
// generate a key from the password was derived by looking at the OpenSSL
|
|
||||||
// implementation.
|
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/aes"
|
|
||||||
"crypto/cipher"
|
|
||||||
"crypto/des"
|
|
||||||
"crypto/md5"
|
|
||||||
"encoding/hex"
|
|
||||||
"encoding/pem"
|
|
||||||
"errors"
|
|
||||||
"io"
|
|
||||||
"strings"
|
|
||||||
)
|
|
||||||
|
|
||||||
type PEMCipher int
|
|
||||||
|
|
||||||
// Possible values for the EncryptPEMBlock encryption algorithm.
|
|
||||||
const (
|
|
||||||
_ PEMCipher = iota
|
|
||||||
PEMCipherDES
|
|
||||||
PEMCipher3DES
|
|
||||||
PEMCipherAES128
|
|
||||||
PEMCipherAES192
|
|
||||||
PEMCipherAES256
|
|
||||||
)
|
|
||||||
|
|
||||||
// rfc1423Algo holds a method for enciphering a PEM block.
|
|
||||||
type rfc1423Algo struct {
|
|
||||||
cipher PEMCipher
|
|
||||||
name string
|
|
||||||
cipherFunc func(key []byte) (cipher.Block, error)
|
|
||||||
keySize int
|
|
||||||
blockSize int
|
|
||||||
}
|
|
||||||
|
|
||||||
// rfc1423Algos holds a slice of the possible ways to encrypt a PEM
|
|
||||||
// block. The ivSize numbers were taken from the OpenSSL source.
|
|
||||||
var rfc1423Algos = []rfc1423Algo{{
|
|
||||||
cipher: PEMCipherDES,
|
|
||||||
name: "DES-CBC",
|
|
||||||
cipherFunc: des.NewCipher,
|
|
||||||
keySize: 8,
|
|
||||||
blockSize: des.BlockSize,
|
|
||||||
}, {
|
|
||||||
cipher: PEMCipher3DES,
|
|
||||||
name: "DES-EDE3-CBC",
|
|
||||||
cipherFunc: des.NewTripleDESCipher,
|
|
||||||
keySize: 24,
|
|
||||||
blockSize: des.BlockSize,
|
|
||||||
}, {
|
|
||||||
cipher: PEMCipherAES128,
|
|
||||||
name: "AES-128-CBC",
|
|
||||||
cipherFunc: aes.NewCipher,
|
|
||||||
keySize: 16,
|
|
||||||
blockSize: aes.BlockSize,
|
|
||||||
}, {
|
|
||||||
cipher: PEMCipherAES192,
|
|
||||||
name: "AES-192-CBC",
|
|
||||||
cipherFunc: aes.NewCipher,
|
|
||||||
keySize: 24,
|
|
||||||
blockSize: aes.BlockSize,
|
|
||||||
}, {
|
|
||||||
cipher: PEMCipherAES256,
|
|
||||||
name: "AES-256-CBC",
|
|
||||||
cipherFunc: aes.NewCipher,
|
|
||||||
keySize: 32,
|
|
||||||
blockSize: aes.BlockSize,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
// deriveKey uses a key derivation function to stretch the password into a key
|
|
||||||
// with the number of bits our cipher requires. This algorithm was derived from
|
|
||||||
// the OpenSSL source.
|
|
||||||
func (c rfc1423Algo) deriveKey(password, salt []byte) []byte {
|
|
||||||
hash := md5.New()
|
|
||||||
out := make([]byte, c.keySize)
|
|
||||||
var digest []byte
|
|
||||||
|
|
||||||
for i := 0; i < len(out); i += len(digest) {
|
|
||||||
hash.Reset()
|
|
||||||
hash.Write(digest)
|
|
||||||
hash.Write(password)
|
|
||||||
hash.Write(salt)
|
|
||||||
digest = hash.Sum(digest[:0])
|
|
||||||
copy(out[i:], digest)
|
|
||||||
}
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// IsEncryptedPEMBlock returns if the PEM block is password encrypted.
|
|
||||||
func IsEncryptedPEMBlock(b *pem.Block) bool {
|
|
||||||
_, ok := b.Headers["DEK-Info"]
|
|
||||||
return ok
|
|
||||||
}
|
|
||||||
|
|
||||||
// IncorrectPasswordError is returned when an incorrect password is detected.
|
|
||||||
var IncorrectPasswordError = errors.New("x509: decryption password incorrect")
|
|
||||||
|
|
||||||
// DecryptPEMBlock takes a password encrypted PEM block and the password used to
|
|
||||||
// encrypt it and returns a slice of decrypted DER encoded bytes. It inspects
|
|
||||||
// the DEK-Info header to determine the algorithm used for decryption. If no
|
|
||||||
// DEK-Info header is present, an error is returned. If an incorrect password
|
|
||||||
// is detected an IncorrectPasswordError is returned.
|
|
||||||
func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error) {
|
|
||||||
dek, ok := b.Headers["DEK-Info"]
|
|
||||||
if !ok {
|
|
||||||
return nil, errors.New("x509: no DEK-Info header in block")
|
|
||||||
}
|
|
||||||
|
|
||||||
idx := strings.Index(dek, ",")
|
|
||||||
if idx == -1 {
|
|
||||||
return nil, errors.New("x509: malformed DEK-Info header")
|
|
||||||
}
|
|
||||||
|
|
||||||
mode, hexIV := dek[:idx], dek[idx+1:]
|
|
||||||
ciph := cipherByName(mode)
|
|
||||||
if ciph == nil {
|
|
||||||
return nil, errors.New("x509: unknown encryption mode")
|
|
||||||
}
|
|
||||||
iv, err := hex.DecodeString(hexIV)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if len(iv) != ciph.blockSize {
|
|
||||||
return nil, errors.New("x509: incorrect IV size")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Based on the OpenSSL implementation. The salt is the first 8 bytes
|
|
||||||
// of the initialization vector.
|
|
||||||
key := ciph.deriveKey(password, iv[:8])
|
|
||||||
block, err := ciph.cipherFunc(key)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
data := make([]byte, len(b.Bytes))
|
|
||||||
dec := cipher.NewCBCDecrypter(block, iv)
|
|
||||||
dec.CryptBlocks(data, b.Bytes)
|
|
||||||
|
|
||||||
// Blocks are padded using a scheme where the last n bytes of padding are all
|
|
||||||
// equal to n. It can pad from 1 to blocksize bytes inclusive. See RFC 1423.
|
|
||||||
// For example:
|
|
||||||
// [x y z 2 2]
|
|
||||||
// [x y 7 7 7 7 7 7 7]
|
|
||||||
// If we detect a bad padding, we assume it is an invalid password.
|
|
||||||
dlen := len(data)
|
|
||||||
if dlen == 0 || dlen%ciph.blockSize != 0 {
|
|
||||||
return nil, errors.New("x509: invalid padding")
|
|
||||||
}
|
|
||||||
last := int(data[dlen-1])
|
|
||||||
if dlen < last {
|
|
||||||
return nil, IncorrectPasswordError
|
|
||||||
}
|
|
||||||
if last == 0 || last > ciph.blockSize {
|
|
||||||
return nil, IncorrectPasswordError
|
|
||||||
}
|
|
||||||
for _, val := range data[dlen-last:] {
|
|
||||||
if int(val) != last {
|
|
||||||
return nil, IncorrectPasswordError
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return data[:dlen-last], nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// EncryptPEMBlock returns a PEM block of the specified type holding the
|
|
||||||
// given DER-encoded data encrypted with the specified algorithm and
|
|
||||||
// password.
|
|
||||||
func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error) {
|
|
||||||
ciph := cipherByKey(alg)
|
|
||||||
if ciph == nil {
|
|
||||||
return nil, errors.New("x509: unknown encryption mode")
|
|
||||||
}
|
|
||||||
iv := make([]byte, ciph.blockSize)
|
|
||||||
if _, err := io.ReadFull(rand, iv); err != nil {
|
|
||||||
return nil, errors.New("x509: cannot generate IV: " + err.Error())
|
|
||||||
}
|
|
||||||
// The salt is the first 8 bytes of the initialization vector,
|
|
||||||
// matching the key derivation in DecryptPEMBlock.
|
|
||||||
key := ciph.deriveKey(password, iv[:8])
|
|
||||||
block, err := ciph.cipherFunc(key)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
enc := cipher.NewCBCEncrypter(block, iv)
|
|
||||||
pad := ciph.blockSize - len(data)%ciph.blockSize
|
|
||||||
encrypted := make([]byte, len(data), len(data)+pad)
|
|
||||||
// We could save this copy by encrypting all the whole blocks in
|
|
||||||
// the data separately, but it doesn't seem worth the additional
|
|
||||||
// code.
|
|
||||||
copy(encrypted, data)
|
|
||||||
// See RFC 1423, section 1.1
|
|
||||||
for i := 0; i < pad; i++ {
|
|
||||||
encrypted = append(encrypted, byte(pad))
|
|
||||||
}
|
|
||||||
enc.CryptBlocks(encrypted, encrypted)
|
|
||||||
|
|
||||||
return &pem.Block{
|
|
||||||
Type: blockType,
|
|
||||||
Headers: map[string]string{
|
|
||||||
"Proc-Type": "4,ENCRYPTED",
|
|
||||||
"DEK-Info": ciph.name + "," + hex.EncodeToString(iv),
|
|
||||||
},
|
|
||||||
Bytes: encrypted,
|
|
||||||
}, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func cipherByName(name string) *rfc1423Algo {
|
|
||||||
for i := range rfc1423Algos {
|
|
||||||
alg := &rfc1423Algos[i]
|
|
||||||
if alg.name == name {
|
|
||||||
return alg
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func cipherByKey(key PEMCipher) *rfc1423Algo {
|
|
||||||
for i := range rfc1423Algos {
|
|
||||||
alg := &rfc1423Algos[i]
|
|
||||||
if alg.cipher == key {
|
|
||||||
return alg
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
|
@ -1,223 +0,0 @@
|
||||||
// Copyright 2012 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"crypto/rand"
|
|
||||||
"encoding/base64"
|
|
||||||
"encoding/pem"
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestDecrypt(t *testing.T) {
|
|
||||||
for i, data := range testData {
|
|
||||||
t.Logf("test %d. %s", i, data.kind)
|
|
||||||
block, rest := pem.Decode(data.pemData)
|
|
||||||
if len(rest) > 0 {
|
|
||||||
t.Error("extra data")
|
|
||||||
}
|
|
||||||
der, err := DecryptPEMBlock(block, data.password)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("decrypt failed: ", err)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if _, err := ParsePKCS1PrivateKey(der); err != nil {
|
|
||||||
t.Error("invalid private key: ", err)
|
|
||||||
}
|
|
||||||
plainDER, err := base64.StdEncoding.DecodeString(data.plainDER)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("cannot decode test DER data: ", err)
|
|
||||||
}
|
|
||||||
if !bytes.Equal(der, plainDER) {
|
|
||||||
t.Error("data mismatch")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestEncrypt(t *testing.T) {
|
|
||||||
for i, data := range testData {
|
|
||||||
t.Logf("test %d. %s", i, data.kind)
|
|
||||||
plainDER, err := base64.StdEncoding.DecodeString(data.plainDER)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal("cannot decode test DER data: ", err)
|
|
||||||
}
|
|
||||||
password := []byte("kremvax1")
|
|
||||||
block, err := EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", plainDER, password, data.kind)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("encrypt: ", err)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if !IsEncryptedPEMBlock(block) {
|
|
||||||
t.Error("PEM block does not appear to be encrypted")
|
|
||||||
}
|
|
||||||
if block.Type != "RSA PRIVATE KEY" {
|
|
||||||
t.Errorf("unexpected block type; got %q want %q", block.Type, "RSA PRIVATE KEY")
|
|
||||||
}
|
|
||||||
if block.Headers["Proc-Type"] != "4,ENCRYPTED" {
|
|
||||||
t.Errorf("block does not have correct Proc-Type header")
|
|
||||||
}
|
|
||||||
der, err := DecryptPEMBlock(block, password)
|
|
||||||
if err != nil {
|
|
||||||
t.Error("decrypt: ", err)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if !bytes.Equal(der, plainDER) {
|
|
||||||
t.Errorf("data mismatch")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var testData = []struct {
|
|
||||||
kind PEMCipher
|
|
||||||
password []byte
|
|
||||||
pemData []byte
|
|
||||||
plainDER string
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
kind: PEMCipherDES,
|
|
||||||
password: []byte("asdf"),
|
|
||||||
pemData: []byte(`
|
|
||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
Proc-Type: 4,ENCRYPTED
|
|
||||||
DEK-Info: DES-CBC,34F09A4FC8DE22B5
|
|
||||||
|
|
||||||
WXxy8kbZdiZvANtKvhmPBLV7eVFj2A5z6oAxvI9KGyhG0ZK0skfnt00C24vfU7m5
|
|
||||||
ICXeoqP67lzJ18xCzQfHjDaBNs53DSDT+Iz4e8QUep1xQ30+8QKX2NA2coee3nwc
|
|
||||||
6oM1cuvhNUDemBH2i3dKgMVkfaga0zQiiOq6HJyGSncCMSruQ7F9iWEfRbFcxFCx
|
|
||||||
qtHb1kirfGKEtgWTF+ynyco6+2gMXNu70L7nJcnxnV/RLFkHt7AUU1yrclxz7eZz
|
|
||||||
XOH9VfTjb52q/I8Suozq9coVQwg4tXfIoYUdT//O+mB7zJb9HI9Ps77b9TxDE6Gm
|
|
||||||
4C9brwZ3zg2vqXcwwV6QRZMtyll9rOpxkbw6NPlpfBqkc3xS51bbxivbO/Nve4KD
|
|
||||||
r12ymjFNF4stXCfJnNqKoZ50BHmEEUDu5Wb0fpVn82XrGw7CYc4iug==
|
|
||||||
-----END RSA PRIVATE KEY-----`),
|
|
||||||
plainDER: `
|
|
||||||
MIIBPAIBAAJBAPASZe+tCPU6p80AjHhDkVsLYa51D35e/YGa8QcZyooeZM8EHozo
|
|
||||||
KD0fNiKI+53bHdy07N+81VQ8/ejPcRoXPlsCAwEAAQJBAMTxIuSq27VpR+zZ7WJf
|
|
||||||
c6fvv1OBvpMZ0/d1pxL/KnOAgq2rD5hDtk9b0LGhTPgQAmrrMTKuSeGoIuYE+gKQ
|
|
||||||
QvkCIQD+GC1m+/do+QRurr0uo46Kx1LzLeSCrjBk34wiOp2+dwIhAPHfTLRXS2fv
|
|
||||||
7rljm0bYa4+eDZpz+E8RcXEgzhhvcQQ9AiAI5eHZJGOyml3MXnQjiPi55WcDOw0w
|
|
||||||
glcRgT6QCEtz2wIhANSyqaFtosIkHKqrDUGfz/bb5tqMYTAnBruVPaf/WEOBAiEA
|
|
||||||
9xORWeRG1tRpso4+dYy4KdDkuLPIO01KY6neYGm3BCM=`,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
kind: PEMCipher3DES,
|
|
||||||
password: []byte("asdf"),
|
|
||||||
pemData: []byte(`
|
|
||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
Proc-Type: 4,ENCRYPTED
|
|
||||||
DEK-Info: DES-EDE3-CBC,C1F4A6A03682C2C7
|
|
||||||
|
|
||||||
0JqVdBEH6iqM7drTkj+e2W/bE3LqakaiWhb9WUVonFkhyu8ca/QzebY3b5gCvAZQ
|
|
||||||
YwBvDcT/GHospKqPx+cxDHJNsUASDZws6bz8ZXWJGwZGExKzr0+Qx5fgXn44Ms3x
|
|
||||||
8g1ENFuTXtxo+KoNK0zuAMAqp66Llcds3Fjl4XR18QaD0CrVNAfOdgATWZm5GJxk
|
|
||||||
Fgx5f84nT+/ovvreG+xeOzWgvtKo0UUZVrhGOgfKLpa57adumcJ6SkUuBtEFpZFB
|
|
||||||
ldw5w7WC7d13x2LsRkwo8ZrDKgIV+Y9GNvhuCCkTzNP0V3gNeJpd201HZHR+9n3w
|
|
||||||
3z0VjR/MGqsfcy1ziEWMNOO53At3zlG6zP05aHMnMcZoVXadEK6L1gz++inSSDCq
|
|
||||||
gI0UJP4e3JVB7AkgYymYAwiYALAkoEIuanxoc50njJk=
|
|
||||||
-----END RSA PRIVATE KEY-----`),
|
|
||||||
plainDER: `
|
|
||||||
MIIBOwIBAAJBANOCXKdoNS/iP/MAbl9cf1/SF3P+Ns7ZeNL27CfmDh0O6Zduaax5
|
|
||||||
NBiumd2PmjkaCu7lQ5JOibHfWn+xJsc3kw0CAwEAAQJANX/W8d1Q/sCqzkuAn4xl
|
|
||||||
B5a7qfJWaLHndu1QRLNTRJPn0Ee7OKJ4H0QKOhQM6vpjRrz+P2u9thn6wUxoPsef
|
|
||||||
QQIhAP/jCkfejFcy4v15beqKzwz08/tslVjF+Yq41eJGejmxAiEA05pMoqfkyjcx
|
|
||||||
fyvGhpoOyoCp71vSGUfR2I9CR65oKh0CIC1Msjs66LlfJtQctRq6bCEtFCxEcsP+
|
|
||||||
eEjYo/Sk6WphAiEAxpgWPMJeU/shFT28gS+tmhjPZLpEoT1qkVlC14u0b3ECIQDX
|
|
||||||
tZZZxCtPAm7shftEib0VU77Lk8MsXJcx2C4voRsjEw==`,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
kind: PEMCipherAES128,
|
|
||||||
password: []byte("asdf"),
|
|
||||||
pemData: []byte(`
|
|
||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
Proc-Type: 4,ENCRYPTED
|
|
||||||
DEK-Info: AES-128-CBC,D4492E793FC835CC038A728ED174F78A
|
|
||||||
|
|
||||||
EyfQSzXSjv6BaNH+NHdXRlkHdimpF9izWlugVJAPApgXrq5YldPe2aGIOFXyJ+QE
|
|
||||||
ZIG20DYqaPzJRjTEbPNZ6Es0S2JJ5yCpKxwJuDkgJZKtF39Q2i36JeGbSZQIuWJE
|
|
||||||
GZbBpf1jDH/pr0iGonuAdl2PCCZUiy+8eLsD2tyviHUkFLOB+ykYoJ5t8ngZ/B6D
|
|
||||||
33U43LLb7+9zD4y3Q9OVHqBFGyHcxCY9+9Qh4ZnFp7DTf6RY5TNEvE3s4g6aDpBs
|
|
||||||
3NbvRVvYTgs8K9EPk4K+5R+P2kD8J8KvEIGxVa1vz8QoCJ/jr7Ka2rvNgPCex5/E
|
|
||||||
080LzLHPCrXKdlr/f50yhNWq08ZxMWQFkui+FDHPDUaEELKAXV8/5PDxw80Rtybo
|
|
||||||
AVYoCVIbZXZCuCO81op8UcOgEpTtyU5Lgh3Mw5scQL0=
|
|
||||||
-----END RSA PRIVATE KEY-----`),
|
|
||||||
plainDER: `
|
|
||||||
MIIBOgIBAAJBAMBlj5FxYtqbcy8wY89d/S7n0+r5MzD9F63BA/Lpl78vQKtdJ5dT
|
|
||||||
cDGh/rBt1ufRrNp0WihcmZi7Mpl/3jHjiWECAwEAAQJABNOHYnKhtDIqFYj1OAJ3
|
|
||||||
k3GlU0OlERmIOoeY/cL2V4lgwllPBEs7r134AY4wMmZSBUj8UR/O4SNO668ElKPE
|
|
||||||
cQIhAOuqY7/115x5KCdGDMWi+jNaMxIvI4ETGwV40ykGzqlzAiEA0P9oEC3m9tHB
|
|
||||||
kbpjSTxaNkrXxDgdEOZz8X0uOUUwHNsCIAwzcSCiGLyYJTULUmP1ESERfW1mlV78
|
|
||||||
XzzESaJpIM/zAiBQkSTcl9VhcJreQqvjn5BnPZLP4ZHS4gPwJAGdsj5J4QIhAOVR
|
|
||||||
B3WlRNTXR2WsJ5JdByezg9xzdXzULqmga0OE339a`,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
kind: PEMCipherAES192,
|
|
||||||
password: []byte("asdf"),
|
|
||||||
pemData: []byte(`
|
|
||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
Proc-Type: 4,ENCRYPTED
|
|
||||||
DEK-Info: AES-192-CBC,E2C9FB02BCA23ADE1829F8D8BC5F5369
|
|
||||||
|
|
||||||
cqVslvHqDDM6qwU6YjezCRifXmKsrgEev7ng6Qs7UmDJOpHDgJQZI9fwMFUhIyn5
|
|
||||||
FbCu1SHkLMW52Ld3CuEqMnzWMlhPrW8tFvUOrMWPYSisv7nNq88HobZEJcUNL2MM
|
|
||||||
Y15XmHW6IJwPqhKyLHpWXyOCVEh4ODND2nV15PCoi18oTa475baxSk7+1qH7GuIs
|
|
||||||
Rb7tshNTMqHbCpyo9Rn3UxeFIf9efdl8YLiMoIqc7J8E5e9VlbeQSdLMQOgDAQJG
|
|
||||||
ReUtTw8exmKsY4gsSjhkg5uiw7/ZB1Ihto0qnfQJgjGc680qGkT1d6JfvOfeYAk6
|
|
||||||
xn5RqS/h8rYAYm64KnepfC9vIujo4NqpaREDmaLdX5MJPQ+SlytITQvgUsUq3q/t
|
|
||||||
Ss85xjQEZH3hzwjQqdJvmA4hYP6SUjxYpBM+02xZ1Xw=
|
|
||||||
-----END RSA PRIVATE KEY-----`),
|
|
||||||
plainDER: `
|
|
||||||
MIIBOwIBAAJBAMGcRrZiNNmtF20zyS6MQ7pdGx17aFDl+lTl+qnLuJRUCMUG05xs
|
|
||||||
OmxmL/O1Qlf+bnqR8Bgg65SfKg21SYuLhiMCAwEAAQJBAL94uuHyO4wux2VC+qpj
|
|
||||||
IzPykjdU7XRcDHbbvksf4xokSeUFjjD3PB0Qa83M94y89ZfdILIqS9x5EgSB4/lX
|
|
||||||
qNkCIQD6cCIqLfzq/lYbZbQgAAjpBXeQVYsbvVtJrPrXJAlVVQIhAMXpDKMeFPMn
|
|
||||||
J0g2rbx1gngx0qOa5r5iMU5w/noN4W2XAiBjf+WzCG5yFvazD+dOx3TC0A8+4x3P
|
|
||||||
uZ3pWbaXf5PNuQIgAcdXarvhelH2w2piY1g3BPeFqhzBSCK/yLGxR82KIh8CIQDD
|
|
||||||
+qGKsd09NhQ/G27y/DARzOYtml1NvdmCQAgsDIIOLA==`,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
kind: PEMCipherAES256,
|
|
||||||
password: []byte("asdf"),
|
|
||||||
pemData: []byte(`
|
|
||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
Proc-Type: 4,ENCRYPTED
|
|
||||||
DEK-Info: AES-256-CBC,8E7ED5CD731902CE938957A886A5FFBD
|
|
||||||
|
|
||||||
4Mxr+KIzRVwoOP0wwq6caSkvW0iS+GE2h2Ov/u+n9ZTMwL83PRnmjfjzBgfRZLVf
|
|
||||||
JFPXxUK26kMNpIdssNnqGOds+DhB+oSrsNKoxgxSl5OBoYv9eJTVYm7qOyAFIsjr
|
|
||||||
DRKAcjYCmzfesr7PVTowwy0RtHmYwyXMGDlAzzZrEvaiySFFmMyKKvtoavwaFoc7
|
|
||||||
Pz3RZScwIuubzTGJ1x8EzdffYOsdCa9Mtgpp3L136+23dOd6L/qK2EG2fzrJSHs/
|
|
||||||
2XugkleBFSMKzEp9mxXKRfa++uidQvMZTFLDK9w5YjrRvMBo/l2BoZIsq0jAIE1N
|
|
||||||
sv5Z/KwlX+3MDEpPQpUwGPlGGdLnjI3UZ+cjgqBcoMiNc6HfgbBgYJSU6aDSHuCk
|
|
||||||
clCwByxWkBNgJ2GrkwNrF26v+bGJJJNR4SKouY1jQf0=
|
|
||||||
-----END RSA PRIVATE KEY-----`),
|
|
||||||
plainDER: `
|
|
||||||
MIIBOgIBAAJBAKy3GFkstoCHIEeUU/qO8207m8WSrjksR+p9B4tf1w5k+2O1V/GY
|
|
||||||
AQ5WFCApItcOkQe/I0yZZJk/PmCqMzSxrc8CAwEAAQJAOCAz0F7AW9oNelVQSP8F
|
|
||||||
Sfzx7O1yom+qWyAQQJF/gFR11gpf9xpVnnyu1WxIRnDUh1LZwUsjwlDYb7MB74id
|
|
||||||
oQIhANPcOiLwOPT4sIUpRM5HG6BF1BI7L77VpyGVk8xNP7X/AiEA0LMHZtk4I+lJ
|
|
||||||
nClgYp4Yh2JZ1Znbu7IoQMCEJCjwKDECIGd8Dzm5tViTkUW6Hs3Tlf73nNs65duF
|
|
||||||
aRnSglss8I3pAiEAonEnKruawgD8RavDFR+fUgmQiPz4FnGGeVgfwpGG1JECIBYq
|
|
||||||
PXHYtPqxQIbD2pScR5qum7iGUh11lEUPkmt+2uqS`,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
// generated with:
|
|
||||||
// openssl genrsa -aes128 -passout pass:asdf -out server.orig.key 128
|
|
||||||
kind: PEMCipherAES128,
|
|
||||||
password: []byte("asdf"),
|
|
||||||
pemData: []byte(`
|
|
||||||
-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
Proc-Type: 4,ENCRYPTED
|
|
||||||
DEK-Info: AES-128-CBC,74611ABC2571AF11B1BF9B69E62C89E7
|
|
||||||
|
|
||||||
6ei/MlytjE0FFgZOGQ+jrwomKfpl8kdefeE0NSt/DMRrw8OacHAzBNi3pPEa0eX3
|
|
||||||
eND9l7C9meCirWovjj9QWVHrXyugFuDIqgdhQ8iHTgCfF3lrmcttVrbIfMDw+smD
|
|
||||||
hTP8O1mS/MHl92NE0nhv0w==
|
|
||||||
-----END RSA PRIVATE KEY-----`),
|
|
||||||
plainDER: `
|
|
||||||
MGMCAQACEQC6ssxmYuauuHGOCDAI54RdAgMBAAECEQCWIn6Yv2O+kBcDF7STctKB
|
|
||||||
AgkA8SEfu/2i3g0CCQDGNlXbBHX7kQIIK3Ww5o0cYbECCQDCimPb0dYGsQIIeQ7A
|
|
||||||
jryIst8=`,
|
|
||||||
},
|
|
||||||
}
|
|
124
ct/x509/pkcs1.go
124
ct/x509/pkcs1.go
|
@ -1,124 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/rsa"
|
|
||||||
// START CT CHANGES
|
|
||||||
"src.agwa.name/ctwatch/ct/asn1"
|
|
||||||
// END CT CHANGES
|
|
||||||
"errors"
|
|
||||||
"math/big"
|
|
||||||
)
|
|
||||||
|
|
||||||
// pkcs1PrivateKey is a structure which mirrors the PKCS#1 ASN.1 for an RSA private key.
|
|
||||||
type pkcs1PrivateKey struct {
|
|
||||||
Version int
|
|
||||||
N *big.Int
|
|
||||||
E int
|
|
||||||
D *big.Int
|
|
||||||
P *big.Int
|
|
||||||
Q *big.Int
|
|
||||||
// We ignore these values, if present, because rsa will calculate them.
|
|
||||||
Dp *big.Int `asn1:"optional"`
|
|
||||||
Dq *big.Int `asn1:"optional"`
|
|
||||||
Qinv *big.Int `asn1:"optional"`
|
|
||||||
|
|
||||||
AdditionalPrimes []pkcs1AdditionalRSAPrime `asn1:"optional,omitempty"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type pkcs1AdditionalRSAPrime struct {
|
|
||||||
Prime *big.Int
|
|
||||||
|
|
||||||
// We ignore these values because rsa will calculate them.
|
|
||||||
Exp *big.Int
|
|
||||||
Coeff *big.Int
|
|
||||||
}
|
|
||||||
|
|
||||||
// ParsePKCS1PrivateKey returns an RSA private key from its ASN.1 PKCS#1 DER encoded form.
|
|
||||||
func ParsePKCS1PrivateKey(der []byte) (key *rsa.PrivateKey, err error) {
|
|
||||||
var priv pkcs1PrivateKey
|
|
||||||
rest, err := asn1.Unmarshal(der, &priv)
|
|
||||||
if len(rest) > 0 {
|
|
||||||
err = asn1.SyntaxError{Msg: "trailing data"}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if priv.Version > 1 {
|
|
||||||
return nil, errors.New("x509: unsupported private key version")
|
|
||||||
}
|
|
||||||
|
|
||||||
if priv.N.Sign() <= 0 || priv.D.Sign() <= 0 || priv.P.Sign() <= 0 || priv.Q.Sign() <= 0 {
|
|
||||||
return nil, errors.New("x509: private key contains zero or negative value")
|
|
||||||
}
|
|
||||||
|
|
||||||
key = new(rsa.PrivateKey)
|
|
||||||
key.PublicKey = rsa.PublicKey{
|
|
||||||
E: priv.E,
|
|
||||||
N: priv.N,
|
|
||||||
}
|
|
||||||
|
|
||||||
key.D = priv.D
|
|
||||||
key.Primes = make([]*big.Int, 2+len(priv.AdditionalPrimes))
|
|
||||||
key.Primes[0] = priv.P
|
|
||||||
key.Primes[1] = priv.Q
|
|
||||||
for i, a := range priv.AdditionalPrimes {
|
|
||||||
if a.Prime.Sign() <= 0 {
|
|
||||||
return nil, errors.New("x509: private key contains zero or negative prime")
|
|
||||||
}
|
|
||||||
key.Primes[i+2] = a.Prime
|
|
||||||
// We ignore the other two values because rsa will calculate
|
|
||||||
// them as needed.
|
|
||||||
}
|
|
||||||
|
|
||||||
err = key.Validate()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
key.Precompute()
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// MarshalPKCS1PrivateKey converts a private key to ASN.1 DER encoded form.
|
|
||||||
func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte {
|
|
||||||
key.Precompute()
|
|
||||||
|
|
||||||
version := 0
|
|
||||||
if len(key.Primes) > 2 {
|
|
||||||
version = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
priv := pkcs1PrivateKey{
|
|
||||||
Version: version,
|
|
||||||
N: key.N,
|
|
||||||
E: key.PublicKey.E,
|
|
||||||
D: key.D,
|
|
||||||
P: key.Primes[0],
|
|
||||||
Q: key.Primes[1],
|
|
||||||
Dp: key.Precomputed.Dp,
|
|
||||||
Dq: key.Precomputed.Dq,
|
|
||||||
Qinv: key.Precomputed.Qinv,
|
|
||||||
}
|
|
||||||
|
|
||||||
priv.AdditionalPrimes = make([]pkcs1AdditionalRSAPrime, len(key.Precomputed.CRTValues))
|
|
||||||
for i, values := range key.Precomputed.CRTValues {
|
|
||||||
priv.AdditionalPrimes[i].Prime = key.Primes[2+i]
|
|
||||||
priv.AdditionalPrimes[i].Exp = values.Exp
|
|
||||||
priv.AdditionalPrimes[i].Coeff = values.Coeff
|
|
||||||
}
|
|
||||||
|
|
||||||
b, _ := asn1.Marshal(priv)
|
|
||||||
return b
|
|
||||||
}
|
|
||||||
|
|
||||||
// rsaPublicKey reflects the ASN.1 structure of a PKCS#1 public key.
|
|
||||||
type rsaPublicKey struct {
|
|
||||||
N *big.Int
|
|
||||||
E int
|
|
||||||
}
|
|
|
@ -1,56 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
// START CT CHANGES
|
|
||||||
"src.agwa.name/ctwatch/ct/asn1"
|
|
||||||
"src.agwa.name/ctwatch/ct/x509/pkix"
|
|
||||||
// END CT CHANGES
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
|
||||||
)
|
|
||||||
|
|
||||||
// pkcs8 reflects an ASN.1, PKCS#8 PrivateKey. See
|
|
||||||
// ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-8/pkcs-8v1_2.asn
|
|
||||||
// and RFC5208.
|
|
||||||
type pkcs8 struct {
|
|
||||||
Version int
|
|
||||||
Algo pkix.AlgorithmIdentifier
|
|
||||||
PrivateKey []byte
|
|
||||||
// optional attributes omitted.
|
|
||||||
}
|
|
||||||
|
|
||||||
// ParsePKCS8PrivateKey parses an unencrypted, PKCS#8 private key. See
|
|
||||||
// http://www.rsa.com/rsalabs/node.asp?id=2130 and RFC5208.
|
|
||||||
func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error) {
|
|
||||||
var privKey pkcs8
|
|
||||||
if _, err := asn1.Unmarshal(der, &privKey); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
switch {
|
|
||||||
case privKey.Algo.Algorithm.Equal(oidPublicKeyRSA):
|
|
||||||
key, err = ParsePKCS1PrivateKey(privKey.PrivateKey)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.New("x509: failed to parse RSA private key embedded in PKCS#8: " + err.Error())
|
|
||||||
}
|
|
||||||
return key, nil
|
|
||||||
|
|
||||||
case privKey.Algo.Algorithm.Equal(oidPublicKeyECDSA):
|
|
||||||
bytes := privKey.Algo.Parameters.FullBytes
|
|
||||||
namedCurveOID := new(asn1.ObjectIdentifier)
|
|
||||||
if _, err := asn1.Unmarshal(bytes, namedCurveOID); err != nil {
|
|
||||||
namedCurveOID = nil
|
|
||||||
}
|
|
||||||
key, err = parseECPrivateKey(namedCurveOID, privKey.PrivateKey)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.New("x509: failed to parse EC private key embedded in PKCS#8: " + err.Error())
|
|
||||||
}
|
|
||||||
return key, nil
|
|
||||||
|
|
||||||
default:
|
|
||||||
return nil, fmt.Errorf("x509: PKCS#8 wrapping contained private key with unknown algorithm: %v", privKey.Algo.Algorithm)
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,28 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"encoding/hex"
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
var pkcs8RSAPrivateKeyHex = `30820278020100300d06092a864886f70d0101010500048202623082025e02010002818100cfb1b5bf9685ffa97b4f99df4ff122b70e59ac9b992f3bc2b3dde17d53c1a34928719b02e8fd17839499bfbd515bd6ef99c7a1c47a239718fe36bfd824c0d96060084b5f67f0273443007a24dfaf5634f7772c9346e10eb294c2306671a5a5e719ae24b4de467291bc571014b0e02dec04534d66a9bb171d644b66b091780e8d020301000102818100b595778383c4afdbab95d2bfed12b3f93bb0a73a7ad952f44d7185fd9ec6c34de8f03a48770f2009c8580bcd275e9632714e9a5e3f32f29dc55474b2329ff0ebc08b3ffcb35bc96e6516b483df80a4a59cceb71918cbabf91564e64a39d7e35dce21cb3031824fdbc845dba6458852ec16af5dddf51a8397a8797ae0337b1439024100ea0eb1b914158c70db39031dd8904d6f18f408c85fbbc592d7d20dee7986969efbda081fdf8bc40e1b1336d6b638110c836bfdc3f314560d2e49cd4fbde1e20b024100e32a4e793b574c9c4a94c8803db5152141e72d03de64e54ef2c8ed104988ca780cd11397bc359630d01b97ebd87067c5451ba777cf045ca23f5912f1031308c702406dfcdbbd5a57c9f85abc4edf9e9e29153507b07ce0a7ef6f52e60dcfebe1b8341babd8b789a837485da6c8d55b29bbb142ace3c24a1f5b54b454d01b51e2ad03024100bd6a2b60dee01e1b3bfcef6a2f09ed027c273cdbbaf6ba55a80f6dcc64e4509ee560f84b4f3e076bd03b11e42fe71a3fdd2dffe7e0902c8584f8cad877cdc945024100aa512fa4ada69881f1d8bb8ad6614f192b83200aef5edf4811313d5ef30a86cbd0a90f7b025c71ea06ec6b34db6306c86b1040670fd8654ad7291d066d06d031`
|
|
||||||
|
|
||||||
// Generated using:
|
|
||||||
// openssl ecparam -genkey -name secp521r1 | openssl pkcs8 -topk8 -nocrypt
|
|
||||||
var pkcs8ECPrivateKeyHex = `3081ed020100301006072a8648ce3d020106052b810400230481d53081d20201010441850d81618c5da1aec74c2eed608ba816038506975e6427237c2def150c96a3b13efbfa1f89f1be15cdf4d0ac26422e680e65a0ddd4ad3541ad76165fbf54d6e34ba18189038186000400da97bcedba1eb6d30aeb93c9f9a1454598fa47278df27d6f60ea73eb672d8dc528a9b67885b5b5dcef93c9824f7449ab512ee6a27e76142f56b94b474cfd697e810046c8ca70419365245c1d7d44d0db82c334073835d002232714548abbae6e5700f5ef315ee08b929d8581383dcf2d1c98c2f8a9fccbf79c9579f7b2fd8a90115ac2`
|
|
||||||
|
|
||||||
func TestPKCS8(t *testing.T) {
|
|
||||||
derBytes, _ := hex.DecodeString(pkcs8RSAPrivateKeyHex)
|
|
||||||
if _, err := ParsePKCS8PrivateKey(derBytes); err != nil {
|
|
||||||
t.Errorf("failed to decode PKCS8 with RSA private key: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
derBytes, _ = hex.DecodeString(pkcs8ECPrivateKeyHex)
|
|
||||||
if _, err := ParsePKCS8PrivateKey(derBytes); err != nil {
|
|
||||||
t.Errorf("failed to decode PKCS8 with EC private key: %s", err)
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,173 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// Package pkix contains shared, low level structures used for ASN.1 parsing
|
|
||||||
// and serialization of X.509 certificates, CRL and OCSP.
|
|
||||||
package pkix
|
|
||||||
|
|
||||||
import (
|
|
||||||
// START CT CHANGES
|
|
||||||
"src.agwa.name/ctwatch/ct/asn1"
|
|
||||||
// END CT CHANGES
|
|
||||||
"math/big"
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
// AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
|
|
||||||
// 5280, section 4.1.1.2.
|
|
||||||
type AlgorithmIdentifier struct {
|
|
||||||
Algorithm asn1.ObjectIdentifier
|
|
||||||
Parameters asn1.RawValue `asn1:"optional"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type RDNSequence []RelativeDistinguishedNameSET
|
|
||||||
|
|
||||||
type RelativeDistinguishedNameSET []AttributeTypeAndValue
|
|
||||||
|
|
||||||
// AttributeTypeAndValue mirrors the ASN.1 structure of the same name in
|
|
||||||
// http://tools.ietf.org/html/rfc5280#section-4.1.2.4
|
|
||||||
type AttributeTypeAndValue struct {
|
|
||||||
Type asn1.ObjectIdentifier
|
|
||||||
Value interface{}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Extension represents the ASN.1 structure of the same name. See RFC
|
|
||||||
// 5280, section 4.2.
|
|
||||||
type Extension struct {
|
|
||||||
Id asn1.ObjectIdentifier
|
|
||||||
Critical bool `asn1:"optional"`
|
|
||||||
Value []byte
|
|
||||||
}
|
|
||||||
|
|
||||||
// Name represents an X.509 distinguished name. This only includes the common
|
|
||||||
// elements of a DN. Additional elements in the name are ignored.
|
|
||||||
type Name struct {
|
|
||||||
Country, Organization, OrganizationalUnit []string
|
|
||||||
Locality, Province []string
|
|
||||||
StreetAddress, PostalCode []string
|
|
||||||
SerialNumber, CommonName string
|
|
||||||
|
|
||||||
Names []AttributeTypeAndValue
|
|
||||||
}
|
|
||||||
|
|
||||||
func (n *Name) FillFromRDNSequence(rdns *RDNSequence) {
|
|
||||||
for _, rdn := range *rdns {
|
|
||||||
if len(rdn) == 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
atv := rdn[0]
|
|
||||||
n.Names = append(n.Names, atv)
|
|
||||||
value, ok := atv.Value.(string)
|
|
||||||
if !ok {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
t := atv.Type
|
|
||||||
if len(t) == 4 && t[0] == 2 && t[1] == 5 && t[2] == 4 {
|
|
||||||
switch t[3] {
|
|
||||||
case 3:
|
|
||||||
n.CommonName = value
|
|
||||||
case 5:
|
|
||||||
n.SerialNumber = value
|
|
||||||
case 6:
|
|
||||||
n.Country = append(n.Country, value)
|
|
||||||
case 7:
|
|
||||||
n.Locality = append(n.Locality, value)
|
|
||||||
case 8:
|
|
||||||
n.Province = append(n.Province, value)
|
|
||||||
case 9:
|
|
||||||
n.StreetAddress = append(n.StreetAddress, value)
|
|
||||||
case 10:
|
|
||||||
n.Organization = append(n.Organization, value)
|
|
||||||
case 11:
|
|
||||||
n.OrganizationalUnit = append(n.OrganizationalUnit, value)
|
|
||||||
case 17:
|
|
||||||
n.PostalCode = append(n.PostalCode, value)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var (
|
|
||||||
oidCountry = []int{2, 5, 4, 6}
|
|
||||||
oidOrganization = []int{2, 5, 4, 10}
|
|
||||||
oidOrganizationalUnit = []int{2, 5, 4, 11}
|
|
||||||
oidCommonName = []int{2, 5, 4, 3}
|
|
||||||
oidSerialNumber = []int{2, 5, 4, 5}
|
|
||||||
oidLocality = []int{2, 5, 4, 7}
|
|
||||||
oidProvince = []int{2, 5, 4, 8}
|
|
||||||
oidStreetAddress = []int{2, 5, 4, 9}
|
|
||||||
oidPostalCode = []int{2, 5, 4, 17}
|
|
||||||
)
|
|
||||||
|
|
||||||
// appendRDNs appends a relativeDistinguishedNameSET to the given RDNSequence
|
|
||||||
// and returns the new value. The relativeDistinguishedNameSET contains an
|
|
||||||
// attributeTypeAndValue for each of the given values. See RFC 5280, A.1, and
|
|
||||||
// search for AttributeTypeAndValue.
|
|
||||||
func appendRDNs(in RDNSequence, values []string, oid asn1.ObjectIdentifier) RDNSequence {
|
|
||||||
if len(values) == 0 {
|
|
||||||
return in
|
|
||||||
}
|
|
||||||
|
|
||||||
s := make([]AttributeTypeAndValue, len(values))
|
|
||||||
for i, value := range values {
|
|
||||||
s[i].Type = oid
|
|
||||||
s[i].Value = value
|
|
||||||
}
|
|
||||||
|
|
||||||
return append(in, s)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (n Name) ToRDNSequence() (ret RDNSequence) {
|
|
||||||
ret = appendRDNs(ret, n.Country, oidCountry)
|
|
||||||
ret = appendRDNs(ret, n.Organization, oidOrganization)
|
|
||||||
ret = appendRDNs(ret, n.OrganizationalUnit, oidOrganizationalUnit)
|
|
||||||
ret = appendRDNs(ret, n.Locality, oidLocality)
|
|
||||||
ret = appendRDNs(ret, n.Province, oidProvince)
|
|
||||||
ret = appendRDNs(ret, n.StreetAddress, oidStreetAddress)
|
|
||||||
ret = appendRDNs(ret, n.PostalCode, oidPostalCode)
|
|
||||||
if len(n.CommonName) > 0 {
|
|
||||||
ret = appendRDNs(ret, []string{n.CommonName}, oidCommonName)
|
|
||||||
}
|
|
||||||
if len(n.SerialNumber) > 0 {
|
|
||||||
ret = appendRDNs(ret, []string{n.SerialNumber}, oidSerialNumber)
|
|
||||||
}
|
|
||||||
|
|
||||||
return ret
|
|
||||||
}
|
|
||||||
|
|
||||||
// CertificateList represents the ASN.1 structure of the same name. See RFC
|
|
||||||
// 5280, section 5.1. Use Certificate.CheckCRLSignature to verify the
|
|
||||||
// signature.
|
|
||||||
type CertificateList struct {
|
|
||||||
TBSCertList TBSCertificateList
|
|
||||||
SignatureAlgorithm AlgorithmIdentifier
|
|
||||||
SignatureValue asn1.BitString
|
|
||||||
}
|
|
||||||
|
|
||||||
// HasExpired reports whether now is past the expiry time of certList.
|
|
||||||
func (certList *CertificateList) HasExpired(now time.Time) bool {
|
|
||||||
return now.After(certList.TBSCertList.NextUpdate)
|
|
||||||
}
|
|
||||||
|
|
||||||
// TBSCertificateList represents the ASN.1 structure of the same name. See RFC
|
|
||||||
// 5280, section 5.1.
|
|
||||||
type TBSCertificateList struct {
|
|
||||||
Raw asn1.RawContent
|
|
||||||
Version int `asn1:"optional,default:2"`
|
|
||||||
Signature AlgorithmIdentifier
|
|
||||||
Issuer RDNSequence
|
|
||||||
ThisUpdate time.Time
|
|
||||||
NextUpdate time.Time
|
|
||||||
RevokedCertificates []RevokedCertificate `asn1:"optional"`
|
|
||||||
Extensions []Extension `asn1:"tag:0,optional,explicit"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// RevokedCertificate represents the ASN.1 structure of the same name. See RFC
|
|
||||||
// 5280, section 5.1.
|
|
||||||
type RevokedCertificate struct {
|
|
||||||
SerialNumber *big.Int
|
|
||||||
RevocationTime time.Time
|
|
||||||
Extensions []Extension `asn1:"optional"`
|
|
||||||
}
|
|
|
@ -1,17 +0,0 @@
|
||||||
// Copyright 2012 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import "sync"
|
|
||||||
|
|
||||||
var (
|
|
||||||
once sync.Once
|
|
||||||
systemRoots *CertPool
|
|
||||||
)
|
|
||||||
|
|
||||||
func systemRootsPool() *CertPool {
|
|
||||||
once.Do(initSystemRoots)
|
|
||||||
return systemRoots
|
|
||||||
}
|
|
|
@ -1,83 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build darwin,cgo
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
/*
|
|
||||||
#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060
|
|
||||||
#cgo LDFLAGS: -framework CoreFoundation -framework Security
|
|
||||||
|
|
||||||
#include <CoreFoundation/CoreFoundation.h>
|
|
||||||
#include <Security/Security.h>
|
|
||||||
|
|
||||||
// FetchPEMRootsCTX509 fetches the system's list of trusted X.509 root certificates.
|
|
||||||
//
|
|
||||||
// On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
|
|
||||||
// certificates of the system. On failure, the function returns -1.
|
|
||||||
//
|
|
||||||
// Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
|
|
||||||
// we've consumed its content.
|
|
||||||
int FetchPEMRootsCTX509(CFDataRef *pemRoots) {
|
|
||||||
if (pemRoots == NULL) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
CFArrayRef certs = NULL;
|
|
||||||
OSStatus err = SecTrustCopyAnchorCertificates(&certs);
|
|
||||||
if (err != noErr) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
|
|
||||||
int i, ncerts = CFArrayGetCount(certs);
|
|
||||||
for (i = 0; i < ncerts; i++) {
|
|
||||||
CFDataRef data = NULL;
|
|
||||||
SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
|
|
||||||
if (cert == NULL) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
|
|
||||||
// Once we support weak imports via cgo we should prefer that, and fall back to this
|
|
||||||
// for older systems.
|
|
||||||
err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
|
|
||||||
if (err != noErr) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (data != NULL) {
|
|
||||||
CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
|
|
||||||
CFRelease(data);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
CFRelease(certs);
|
|
||||||
|
|
||||||
*pemRoots = combinedData;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
*/
|
|
||||||
import "C"
|
|
||||||
import "unsafe"
|
|
||||||
|
|
||||||
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func initSystemRoots() {
|
|
||||||
roots := NewCertPool()
|
|
||||||
|
|
||||||
var data C.CFDataRef = nil
|
|
||||||
err := C.FetchPEMRootsCTX509(&data)
|
|
||||||
if err == -1 {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
defer C.CFRelease(C.CFTypeRef(data))
|
|
||||||
buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
|
|
||||||
roots.AppendCertsFromPEM(buf)
|
|
||||||
systemRoots = roots
|
|
||||||
}
|
|
|
@ -1,33 +0,0 @@
|
||||||
// Copyright 2012 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build plan9
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import "io/ioutil"
|
|
||||||
|
|
||||||
// Possible certificate files; stop after finding one.
|
|
||||||
var certFiles = []string{
|
|
||||||
"/sys/lib/tls/ca.pem",
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func initSystemRoots() {
|
|
||||||
roots := NewCertPool()
|
|
||||||
for _, file := range certFiles {
|
|
||||||
data, err := ioutil.ReadFile(file)
|
|
||||||
if err == nil {
|
|
||||||
roots.AppendCertsFromPEM(data)
|
|
||||||
systemRoots = roots
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// All of the files failed to load. systemRoots will be nil which will
|
|
||||||
// trigger a specific error at verification time.
|
|
||||||
}
|
|
|
@ -1,14 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build darwin,!cgo
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func initSystemRoots() {
|
|
||||||
}
|
|
|
@ -1,37 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
// +build dragonfly freebsd linux openbsd netbsd
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import "io/ioutil"
|
|
||||||
|
|
||||||
// Possible certificate files; stop after finding one.
|
|
||||||
var certFiles = []string{
|
|
||||||
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
|
|
||||||
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL
|
|
||||||
"/etc/ssl/ca-bundle.pem", // OpenSUSE
|
|
||||||
"/etc/ssl/cert.pem", // OpenBSD
|
|
||||||
"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func initSystemRoots() {
|
|
||||||
roots := NewCertPool()
|
|
||||||
for _, file := range certFiles {
|
|
||||||
data, err := ioutil.ReadFile(file)
|
|
||||||
if err == nil {
|
|
||||||
roots.AppendCertsFromPEM(data)
|
|
||||||
systemRoots = roots
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// All of the files failed to load. systemRoots will be nil which will
|
|
||||||
// trigger a specific error at verification time.
|
|
||||||
}
|
|
|
@ -1,229 +0,0 @@
|
||||||
// Copyright 2012 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"errors"
|
|
||||||
"syscall"
|
|
||||||
"unsafe"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Creates a new *syscall.CertContext representing the leaf certificate in an in-memory
|
|
||||||
// certificate store containing itself and all of the intermediate certificates specified
|
|
||||||
// in the opts.Intermediates CertPool.
|
|
||||||
//
|
|
||||||
// A pointer to the in-memory store is available in the returned CertContext's Store field.
|
|
||||||
// The store is automatically freed when the CertContext is freed using
|
|
||||||
// syscall.CertFreeCertificateContext.
|
|
||||||
func createStoreContext(leaf *Certificate, opts *VerifyOptions) (*syscall.CertContext, error) {
|
|
||||||
var storeCtx *syscall.CertContext
|
|
||||||
|
|
||||||
leafCtx, err := syscall.CertCreateCertificateContext(syscall.X509_ASN_ENCODING|syscall.PKCS_7_ASN_ENCODING, &leaf.Raw[0], uint32(len(leaf.Raw)))
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
defer syscall.CertFreeCertificateContext(leafCtx)
|
|
||||||
|
|
||||||
handle, err := syscall.CertOpenStore(syscall.CERT_STORE_PROV_MEMORY, 0, 0, syscall.CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, 0)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
defer syscall.CertCloseStore(handle, 0)
|
|
||||||
|
|
||||||
err = syscall.CertAddCertificateContextToStore(handle, leafCtx, syscall.CERT_STORE_ADD_ALWAYS, &storeCtx)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
if opts.Intermediates != nil {
|
|
||||||
for _, intermediate := range opts.Intermediates.certs {
|
|
||||||
ctx, err := syscall.CertCreateCertificateContext(syscall.X509_ASN_ENCODING|syscall.PKCS_7_ASN_ENCODING, &intermediate.Raw[0], uint32(len(intermediate.Raw)))
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
err = syscall.CertAddCertificateContextToStore(handle, ctx, syscall.CERT_STORE_ADD_ALWAYS, nil)
|
|
||||||
syscall.CertFreeCertificateContext(ctx)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return storeCtx, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// extractSimpleChain extracts the final certificate chain from a CertSimpleChain.
|
|
||||||
func extractSimpleChain(simpleChain **syscall.CertSimpleChain, count int) (chain []*Certificate, err error) {
|
|
||||||
if simpleChain == nil || count == 0 {
|
|
||||||
return nil, errors.New("x509: invalid simple chain")
|
|
||||||
}
|
|
||||||
|
|
||||||
simpleChains := (*[1 << 20]*syscall.CertSimpleChain)(unsafe.Pointer(simpleChain))[:]
|
|
||||||
lastChain := simpleChains[count-1]
|
|
||||||
elements := (*[1 << 20]*syscall.CertChainElement)(unsafe.Pointer(lastChain.Elements))[:]
|
|
||||||
for i := 0; i < int(lastChain.NumElements); i++ {
|
|
||||||
// Copy the buf, since ParseCertificate does not create its own copy.
|
|
||||||
cert := elements[i].CertContext
|
|
||||||
encodedCert := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
|
|
||||||
buf := make([]byte, cert.Length)
|
|
||||||
copy(buf, encodedCert[:])
|
|
||||||
parsedCert, err := ParseCertificate(buf)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
chain = append(chain, parsedCert)
|
|
||||||
}
|
|
||||||
|
|
||||||
return chain, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// checkChainTrustStatus checks the trust status of the certificate chain, translating
|
|
||||||
// any errors it finds into Go errors in the process.
|
|
||||||
func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) error {
|
|
||||||
if chainCtx.TrustStatus.ErrorStatus != syscall.CERT_TRUST_NO_ERROR {
|
|
||||||
status := chainCtx.TrustStatus.ErrorStatus
|
|
||||||
switch status {
|
|
||||||
case syscall.CERT_TRUST_IS_NOT_TIME_VALID:
|
|
||||||
return CertificateInvalidError{c, Expired}
|
|
||||||
default:
|
|
||||||
return UnknownAuthorityError{c, nil, nil}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// checkChainSSLServerPolicy checks that the certificate chain in chainCtx is valid for
|
|
||||||
// use as a certificate chain for a SSL/TLS server.
|
|
||||||
func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) error {
|
|
||||||
servernamep, err := syscall.UTF16PtrFromString(opts.DNSName)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
sslPara := &syscall.SSLExtraCertChainPolicyPara{
|
|
||||||
AuthType: syscall.AUTHTYPE_SERVER,
|
|
||||||
ServerName: servernamep,
|
|
||||||
}
|
|
||||||
sslPara.Size = uint32(unsafe.Sizeof(*sslPara))
|
|
||||||
|
|
||||||
para := &syscall.CertChainPolicyPara{
|
|
||||||
ExtraPolicyPara: uintptr(unsafe.Pointer(sslPara)),
|
|
||||||
}
|
|
||||||
para.Size = uint32(unsafe.Sizeof(*para))
|
|
||||||
|
|
||||||
status := syscall.CertChainPolicyStatus{}
|
|
||||||
err = syscall.CertVerifyCertificateChainPolicy(syscall.CERT_CHAIN_POLICY_SSL, chainCtx, para, &status)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
// TODO(mkrautz): use the lChainIndex and lElementIndex fields
|
|
||||||
// of the CertChainPolicyStatus to provide proper context, instead
|
|
||||||
// using c.
|
|
||||||
if status.Error != 0 {
|
|
||||||
switch status.Error {
|
|
||||||
case syscall.CERT_E_EXPIRED:
|
|
||||||
return CertificateInvalidError{c, Expired}
|
|
||||||
case syscall.CERT_E_CN_NO_MATCH:
|
|
||||||
return HostnameError{c, opts.DNSName}
|
|
||||||
case syscall.CERT_E_UNTRUSTEDROOT:
|
|
||||||
return UnknownAuthorityError{c, nil, nil}
|
|
||||||
default:
|
|
||||||
return UnknownAuthorityError{c, nil, nil}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// systemVerify is like Verify, except that it uses CryptoAPI calls
|
|
||||||
// to build certificate chains and verify them.
|
|
||||||
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
|
|
||||||
hasDNSName := opts != nil && len(opts.DNSName) > 0
|
|
||||||
|
|
||||||
storeCtx, err := createStoreContext(c, opts)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
defer syscall.CertFreeCertificateContext(storeCtx)
|
|
||||||
|
|
||||||
para := new(syscall.CertChainPara)
|
|
||||||
para.Size = uint32(unsafe.Sizeof(*para))
|
|
||||||
|
|
||||||
// If there's a DNSName set in opts, assume we're verifying
|
|
||||||
// a certificate from a TLS server.
|
|
||||||
if hasDNSName {
|
|
||||||
oids := []*byte{
|
|
||||||
&syscall.OID_PKIX_KP_SERVER_AUTH[0],
|
|
||||||
// Both IE and Chrome allow certificates with
|
|
||||||
// Server Gated Crypto as well. Some certificates
|
|
||||||
// in the wild require them.
|
|
||||||
&syscall.OID_SERVER_GATED_CRYPTO[0],
|
|
||||||
&syscall.OID_SGC_NETSCAPE[0],
|
|
||||||
}
|
|
||||||
para.RequestedUsage.Type = syscall.USAGE_MATCH_TYPE_OR
|
|
||||||
para.RequestedUsage.Usage.Length = uint32(len(oids))
|
|
||||||
para.RequestedUsage.Usage.UsageIdentifiers = &oids[0]
|
|
||||||
} else {
|
|
||||||
para.RequestedUsage.Type = syscall.USAGE_MATCH_TYPE_AND
|
|
||||||
para.RequestedUsage.Usage.Length = 0
|
|
||||||
para.RequestedUsage.Usage.UsageIdentifiers = nil
|
|
||||||
}
|
|
||||||
|
|
||||||
var verifyTime *syscall.Filetime
|
|
||||||
if opts != nil && !opts.CurrentTime.IsZero() {
|
|
||||||
ft := syscall.NsecToFiletime(opts.CurrentTime.UnixNano())
|
|
||||||
verifyTime = &ft
|
|
||||||
}
|
|
||||||
|
|
||||||
// CertGetCertificateChain will traverse Windows's root stores
|
|
||||||
// in an attempt to build a verified certificate chain. Once
|
|
||||||
// it has found a verified chain, it stops. MSDN docs on
|
|
||||||
// CERT_CHAIN_CONTEXT:
|
|
||||||
//
|
|
||||||
// When a CERT_CHAIN_CONTEXT is built, the first simple chain
|
|
||||||
// begins with an end certificate and ends with a self-signed
|
|
||||||
// certificate. If that self-signed certificate is not a root
|
|
||||||
// or otherwise trusted certificate, an attempt is made to
|
|
||||||
// build a new chain. CTLs are used to create the new chain
|
|
||||||
// beginning with the self-signed certificate from the original
|
|
||||||
// chain as the end certificate of the new chain. This process
|
|
||||||
// continues building additional simple chains until the first
|
|
||||||
// self-signed certificate is a trusted certificate or until
|
|
||||||
// an additional simple chain cannot be built.
|
|
||||||
//
|
|
||||||
// The result is that we'll only get a single trusted chain to
|
|
||||||
// return to our caller.
|
|
||||||
var chainCtx *syscall.CertChainContext
|
|
||||||
err = syscall.CertGetCertificateChain(syscall.Handle(0), storeCtx, verifyTime, storeCtx.Store, para, 0, 0, &chainCtx)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
defer syscall.CertFreeCertificateChain(chainCtx)
|
|
||||||
|
|
||||||
err = checkChainTrustStatus(c, chainCtx)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
if hasDNSName {
|
|
||||||
err = checkChainSSLServerPolicy(c, chainCtx, opts)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
chain, err := extractSimpleChain(chainCtx.Chains, int(chainCtx.ChainCount))
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
chains = append(chains, chain)
|
|
||||||
|
|
||||||
return chains, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func initSystemRoots() {
|
|
||||||
}
|
|
|
@ -1,85 +0,0 @@
|
||||||
// Copyright 2012 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/ecdsa"
|
|
||||||
"crypto/elliptic"
|
|
||||||
// START CT CHANGES
|
|
||||||
"src.agwa.name/ctwatch/ct/asn1"
|
|
||||||
// START CT CHANGES
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
|
||||||
"math/big"
|
|
||||||
)
|
|
||||||
|
|
||||||
const ecPrivKeyVersion = 1
|
|
||||||
|
|
||||||
// ecPrivateKey reflects an ASN.1 Elliptic Curve Private Key Structure.
|
|
||||||
// References:
|
|
||||||
// RFC5915
|
|
||||||
// SEC1 - http://www.secg.org/download/aid-780/sec1-v2.pdf
|
|
||||||
// Per RFC5915 the NamedCurveOID is marked as ASN.1 OPTIONAL, however in
|
|
||||||
// most cases it is not.
|
|
||||||
type ecPrivateKey struct {
|
|
||||||
Version int
|
|
||||||
PrivateKey []byte
|
|
||||||
NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`
|
|
||||||
PublicKey asn1.BitString `asn1:"optional,explicit,tag:1"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// ParseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.
|
|
||||||
func ParseECPrivateKey(der []byte) (key *ecdsa.PrivateKey, err error) {
|
|
||||||
return parseECPrivateKey(nil, der)
|
|
||||||
}
|
|
||||||
|
|
||||||
// MarshalECPrivateKey marshals an EC private key into ASN.1, DER format.
|
|
||||||
func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
|
|
||||||
oid, ok := oidFromNamedCurve(key.Curve)
|
|
||||||
if !ok {
|
|
||||||
return nil, errors.New("x509: unknown elliptic curve")
|
|
||||||
}
|
|
||||||
return asn1.Marshal(ecPrivateKey{
|
|
||||||
Version: 1,
|
|
||||||
PrivateKey: key.D.Bytes(),
|
|
||||||
NamedCurveOID: oid,
|
|
||||||
PublicKey: asn1.BitString{Bytes: elliptic.Marshal(key.Curve, key.X, key.Y)},
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
// parseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.
|
|
||||||
// The OID for the named curve may be provided from another source (such as
|
|
||||||
// the PKCS8 container) - if it is provided then use this instead of the OID
|
|
||||||
// that may exist in the EC private key structure.
|
|
||||||
func parseECPrivateKey(namedCurveOID *asn1.ObjectIdentifier, der []byte) (key *ecdsa.PrivateKey, err error) {
|
|
||||||
var privKey ecPrivateKey
|
|
||||||
if _, err := asn1.Unmarshal(der, &privKey); err != nil {
|
|
||||||
return nil, errors.New("x509: failed to parse EC private key: " + err.Error())
|
|
||||||
}
|
|
||||||
if privKey.Version != ecPrivKeyVersion {
|
|
||||||
return nil, fmt.Errorf("x509: unknown EC private key version %d", privKey.Version)
|
|
||||||
}
|
|
||||||
|
|
||||||
var curve elliptic.Curve
|
|
||||||
if namedCurveOID != nil {
|
|
||||||
curve = namedCurveFromOID(*namedCurveOID)
|
|
||||||
} else {
|
|
||||||
curve = namedCurveFromOID(privKey.NamedCurveOID)
|
|
||||||
}
|
|
||||||
if curve == nil {
|
|
||||||
return nil, errors.New("x509: unknown elliptic curve")
|
|
||||||
}
|
|
||||||
|
|
||||||
k := new(big.Int).SetBytes(privKey.PrivateKey)
|
|
||||||
if k.Cmp(curve.Params().N) >= 0 {
|
|
||||||
return nil, errors.New("x509: invalid elliptic curve private key value")
|
|
||||||
}
|
|
||||||
priv := new(ecdsa.PrivateKey)
|
|
||||||
priv.Curve = curve
|
|
||||||
priv.D = k
|
|
||||||
priv.X, priv.Y = curve.ScalarBaseMult(privKey.PrivateKey)
|
|
||||||
|
|
||||||
return priv, nil
|
|
||||||
}
|
|
|
@ -1,30 +0,0 @@
|
||||||
// Copyright 2012 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"encoding/hex"
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Generated using:
|
|
||||||
// openssl ecparam -genkey -name secp384r1 -outform PEM
|
|
||||||
var ecPrivateKeyHex = `3081a40201010430bdb9839c08ee793d1157886a7a758a3c8b2a17a4df48f17ace57c72c56b4723cf21dcda21d4e1ad57ff034f19fcfd98ea00706052b81040022a16403620004feea808b5ee2429cfcce13c32160e1c960990bd050bb0fdf7222f3decd0a55008e32a6aa3c9062051c4cba92a7a3b178b24567412d43cdd2f882fa5addddd726fe3e208d2c26d733a773a597abb749714df7256ead5105fa6e7b3650de236b50`
|
|
||||||
|
|
||||||
func TestParseECPrivateKey(t *testing.T) {
|
|
||||||
derBytes, _ := hex.DecodeString(ecPrivateKeyHex)
|
|
||||||
key, err := ParseECPrivateKey(derBytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("failed to decode EC private key: %s", err)
|
|
||||||
}
|
|
||||||
serialized, err := MarshalECPrivateKey(key)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("failed to encode EC private key: %s", err)
|
|
||||||
}
|
|
||||||
if !bytes.Equal(serialized, derBytes) {
|
|
||||||
t.Fatalf("serialized key differs: got %x, want %x", serialized, derBytes)
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,476 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"net"
|
|
||||||
"runtime"
|
|
||||||
"strings"
|
|
||||||
"time"
|
|
||||||
"unicode/utf8"
|
|
||||||
)
|
|
||||||
|
|
||||||
type InvalidReason int
|
|
||||||
|
|
||||||
const (
|
|
||||||
// NotAuthorizedToSign results when a certificate is signed by another
|
|
||||||
// which isn't marked as a CA certificate.
|
|
||||||
NotAuthorizedToSign InvalidReason = iota
|
|
||||||
// Expired results when a certificate has expired, based on the time
|
|
||||||
// given in the VerifyOptions.
|
|
||||||
Expired
|
|
||||||
// CANotAuthorizedForThisName results when an intermediate or root
|
|
||||||
// certificate has a name constraint which doesn't include the name
|
|
||||||
// being checked.
|
|
||||||
CANotAuthorizedForThisName
|
|
||||||
// TooManyIntermediates results when a path length constraint is
|
|
||||||
// violated.
|
|
||||||
TooManyIntermediates
|
|
||||||
// IncompatibleUsage results when the certificate's key usage indicates
|
|
||||||
// that it may only be used for a different purpose.
|
|
||||||
IncompatibleUsage
|
|
||||||
)
|
|
||||||
|
|
||||||
// CertificateInvalidError results when an odd error occurs. Users of this
|
|
||||||
// library probably want to handle all these errors uniformly.
|
|
||||||
type CertificateInvalidError struct {
|
|
||||||
Cert *Certificate
|
|
||||||
Reason InvalidReason
|
|
||||||
}
|
|
||||||
|
|
||||||
func (e CertificateInvalidError) Error() string {
|
|
||||||
switch e.Reason {
|
|
||||||
case NotAuthorizedToSign:
|
|
||||||
return "x509: certificate is not authorized to sign other certificates"
|
|
||||||
case Expired:
|
|
||||||
return "x509: certificate has expired or is not yet valid"
|
|
||||||
case CANotAuthorizedForThisName:
|
|
||||||
return "x509: a root or intermediate certificate is not authorized to sign in this domain"
|
|
||||||
case TooManyIntermediates:
|
|
||||||
return "x509: too many intermediates for path length constraint"
|
|
||||||
case IncompatibleUsage:
|
|
||||||
return "x509: certificate specifies an incompatible key usage"
|
|
||||||
}
|
|
||||||
return "x509: unknown error"
|
|
||||||
}
|
|
||||||
|
|
||||||
// HostnameError results when the set of authorized names doesn't match the
|
|
||||||
// requested name.
|
|
||||||
type HostnameError struct {
|
|
||||||
Certificate *Certificate
|
|
||||||
Host string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (h HostnameError) Error() string {
|
|
||||||
c := h.Certificate
|
|
||||||
|
|
||||||
var valid string
|
|
||||||
if ip := net.ParseIP(h.Host); ip != nil {
|
|
||||||
// Trying to validate an IP
|
|
||||||
if len(c.IPAddresses) == 0 {
|
|
||||||
return "x509: cannot validate certificate for " + h.Host + " because it doesn't contain any IP SANs"
|
|
||||||
}
|
|
||||||
for _, san := range c.IPAddresses {
|
|
||||||
if len(valid) > 0 {
|
|
||||||
valid += ", "
|
|
||||||
}
|
|
||||||
valid += san.String()
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if len(c.DNSNames) > 0 {
|
|
||||||
valid = strings.Join(c.DNSNames, ", ")
|
|
||||||
} else {
|
|
||||||
valid = c.Subject.CommonName
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return "x509: certificate is valid for " + valid + ", not " + h.Host
|
|
||||||
}
|
|
||||||
|
|
||||||
// UnknownAuthorityError results when the certificate issuer is unknown
|
|
||||||
type UnknownAuthorityError struct {
|
|
||||||
cert *Certificate
|
|
||||||
// hintErr contains an error that may be helpful in determining why an
|
|
||||||
// authority wasn't found.
|
|
||||||
hintErr error
|
|
||||||
// hintCert contains a possible authority certificate that was rejected
|
|
||||||
// because of the error in hintErr.
|
|
||||||
hintCert *Certificate
|
|
||||||
}
|
|
||||||
|
|
||||||
func (e UnknownAuthorityError) Error() string {
|
|
||||||
s := "x509: certificate signed by unknown authority"
|
|
||||||
if e.hintErr != nil {
|
|
||||||
certName := e.hintCert.Subject.CommonName
|
|
||||||
if len(certName) == 0 {
|
|
||||||
if len(e.hintCert.Subject.Organization) > 0 {
|
|
||||||
certName = e.hintCert.Subject.Organization[0]
|
|
||||||
}
|
|
||||||
certName = "serial:" + e.hintCert.SerialNumber.String()
|
|
||||||
}
|
|
||||||
s += fmt.Sprintf(" (possibly because of %q while trying to verify candidate authority certificate %q)", e.hintErr, certName)
|
|
||||||
}
|
|
||||||
return s
|
|
||||||
}
|
|
||||||
|
|
||||||
// SystemRootsError results when we fail to load the system root certificates.
|
|
||||||
type SystemRootsError struct {
|
|
||||||
}
|
|
||||||
|
|
||||||
func (e SystemRootsError) Error() string {
|
|
||||||
return "x509: failed to load system roots and no roots provided"
|
|
||||||
}
|
|
||||||
|
|
||||||
// VerifyOptions contains parameters for Certificate.Verify. It's a structure
|
|
||||||
// because other PKIX verification APIs have ended up needing many options.
|
|
||||||
type VerifyOptions struct {
|
|
||||||
DNSName string
|
|
||||||
Intermediates *CertPool
|
|
||||||
Roots *CertPool // if nil, the system roots are used
|
|
||||||
CurrentTime time.Time // if zero, the current time is used
|
|
||||||
DisableTimeChecks bool
|
|
||||||
// KeyUsage specifies which Extended Key Usage values are acceptable.
|
|
||||||
// An empty list means ExtKeyUsageServerAuth. Key usage is considered a
|
|
||||||
// constraint down the chain which mirrors Windows CryptoAPI behaviour,
|
|
||||||
// but not the spec. To accept any key usage, include ExtKeyUsageAny.
|
|
||||||
KeyUsages []ExtKeyUsage
|
|
||||||
}
|
|
||||||
|
|
||||||
const (
|
|
||||||
leafCertificate = iota
|
|
||||||
intermediateCertificate
|
|
||||||
rootCertificate
|
|
||||||
)
|
|
||||||
|
|
||||||
// isValid performs validity checks on the c.
|
|
||||||
func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *VerifyOptions) error {
|
|
||||||
if !opts.DisableTimeChecks {
|
|
||||||
now := opts.CurrentTime
|
|
||||||
if now.IsZero() {
|
|
||||||
now = time.Now()
|
|
||||||
}
|
|
||||||
if now.Before(c.NotBefore) || now.After(c.NotAfter) {
|
|
||||||
return CertificateInvalidError{c, Expired}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(c.PermittedDNSDomains) > 0 {
|
|
||||||
ok := false
|
|
||||||
for _, domain := range c.PermittedDNSDomains {
|
|
||||||
if opts.DNSName == domain ||
|
|
||||||
(strings.HasSuffix(opts.DNSName, domain) &&
|
|
||||||
len(opts.DNSName) >= 1+len(domain) &&
|
|
||||||
opts.DNSName[len(opts.DNSName)-len(domain)-1] == '.') {
|
|
||||||
ok = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if !ok {
|
|
||||||
return CertificateInvalidError{c, CANotAuthorizedForThisName}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// KeyUsage status flags are ignored. From Engineering Security, Peter
|
|
||||||
// Gutmann: A European government CA marked its signing certificates as
|
|
||||||
// being valid for encryption only, but no-one noticed. Another
|
|
||||||
// European CA marked its signature keys as not being valid for
|
|
||||||
// signatures. A different CA marked its own trusted root certificate
|
|
||||||
// as being invalid for certificate signing. Another national CA
|
|
||||||
// distributed a certificate to be used to encrypt data for the
|
|
||||||
// country’s tax authority that was marked as only being usable for
|
|
||||||
// digital signatures but not for encryption. Yet another CA reversed
|
|
||||||
// the order of the bit flags in the keyUsage due to confusion over
|
|
||||||
// encoding endianness, essentially setting a random keyUsage in
|
|
||||||
// certificates that it issued. Another CA created a self-invalidating
|
|
||||||
// certificate by adding a certificate policy statement stipulating
|
|
||||||
// that the certificate had to be used strictly as specified in the
|
|
||||||
// keyUsage, and a keyUsage containing a flag indicating that the RSA
|
|
||||||
// encryption key could only be used for Diffie-Hellman key agreement.
|
|
||||||
|
|
||||||
if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) {
|
|
||||||
return CertificateInvalidError{c, NotAuthorizedToSign}
|
|
||||||
}
|
|
||||||
|
|
||||||
if c.BasicConstraintsValid && c.MaxPathLen >= 0 {
|
|
||||||
numIntermediates := len(currentChain) - 1
|
|
||||||
if numIntermediates > c.MaxPathLen {
|
|
||||||
return CertificateInvalidError{c, TooManyIntermediates}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Verify attempts to verify c by building one or more chains from c to a
|
|
||||||
// certificate in opts.Roots, using certificates in opts.Intermediates if
|
|
||||||
// needed. If successful, it returns one or more chains where the first
|
|
||||||
// element of the chain is c and the last element is from opts.Roots.
|
|
||||||
//
|
|
||||||
// WARNING: this doesn't do any revocation checking.
|
|
||||||
func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) {
|
|
||||||
// Use Windows's own verification and chain building.
|
|
||||||
if opts.Roots == nil && runtime.GOOS == "windows" {
|
|
||||||
return c.systemVerify(&opts)
|
|
||||||
}
|
|
||||||
|
|
||||||
if opts.Roots == nil {
|
|
||||||
opts.Roots = systemRootsPool()
|
|
||||||
if opts.Roots == nil {
|
|
||||||
return nil, SystemRootsError{}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
err = c.isValid(leafCertificate, nil, &opts)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(opts.DNSName) > 0 {
|
|
||||||
err = c.VerifyHostname(opts.DNSName)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
candidateChains, err := c.buildChains(make(map[int][][]*Certificate), []*Certificate{c}, &opts)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
keyUsages := opts.KeyUsages
|
|
||||||
if len(keyUsages) == 0 {
|
|
||||||
keyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
|
|
||||||
}
|
|
||||||
|
|
||||||
// If any key usage is acceptable then we're done.
|
|
||||||
for _, usage := range keyUsages {
|
|
||||||
if usage == ExtKeyUsageAny {
|
|
||||||
chains = candidateChains
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, candidate := range candidateChains {
|
|
||||||
if checkChainForKeyUsage(candidate, keyUsages) {
|
|
||||||
chains = append(chains, candidate)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(chains) == 0 {
|
|
||||||
err = CertificateInvalidError{c, IncompatibleUsage}
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate {
|
|
||||||
n := make([]*Certificate, len(chain)+1)
|
|
||||||
copy(n, chain)
|
|
||||||
n[len(chain)] = cert
|
|
||||||
return n
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *Certificate) buildChains(cache map[int][][]*Certificate, currentChain []*Certificate, opts *VerifyOptions) (chains [][]*Certificate, err error) {
|
|
||||||
possibleRoots, failedRoot, rootErr := opts.Roots.findVerifiedParents(c)
|
|
||||||
for _, rootNum := range possibleRoots {
|
|
||||||
root := opts.Roots.certs[rootNum]
|
|
||||||
err = root.isValid(rootCertificate, currentChain, opts)
|
|
||||||
if err != nil {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
chains = append(chains, appendToFreshChain(currentChain, root))
|
|
||||||
}
|
|
||||||
|
|
||||||
possibleIntermediates, failedIntermediate, intermediateErr := opts.Intermediates.findVerifiedParents(c)
|
|
||||||
nextIntermediate:
|
|
||||||
for _, intermediateNum := range possibleIntermediates {
|
|
||||||
intermediate := opts.Intermediates.certs[intermediateNum]
|
|
||||||
for _, cert := range currentChain {
|
|
||||||
if cert == intermediate {
|
|
||||||
continue nextIntermediate
|
|
||||||
}
|
|
||||||
}
|
|
||||||
err = intermediate.isValid(intermediateCertificate, currentChain, opts)
|
|
||||||
if err != nil {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
var childChains [][]*Certificate
|
|
||||||
childChains, ok := cache[intermediateNum]
|
|
||||||
if !ok {
|
|
||||||
childChains, err = intermediate.buildChains(cache, appendToFreshChain(currentChain, intermediate), opts)
|
|
||||||
cache[intermediateNum] = childChains
|
|
||||||
}
|
|
||||||
chains = append(chains, childChains...)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(chains) > 0 {
|
|
||||||
err = nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(chains) == 0 && err == nil {
|
|
||||||
hintErr := rootErr
|
|
||||||
hintCert := failedRoot
|
|
||||||
if hintErr == nil {
|
|
||||||
hintErr = intermediateErr
|
|
||||||
hintCert = failedIntermediate
|
|
||||||
}
|
|
||||||
err = UnknownAuthorityError{c, hintErr, hintCert}
|
|
||||||
}
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func matchHostnames(pattern, host string) bool {
|
|
||||||
if len(pattern) == 0 || len(host) == 0 {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
patternParts := strings.Split(pattern, ".")
|
|
||||||
hostParts := strings.Split(host, ".")
|
|
||||||
|
|
||||||
if len(patternParts) != len(hostParts) {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
for i, patternPart := range patternParts {
|
|
||||||
if patternPart == "*" {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if patternPart != hostParts[i] {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
|
|
||||||
// an explicitly ASCII function to avoid any sharp corners resulting from
|
|
||||||
// performing Unicode operations on DNS labels.
|
|
||||||
func toLowerCaseASCII(in string) string {
|
|
||||||
// If the string is already lower-case then there's nothing to do.
|
|
||||||
isAlreadyLowerCase := true
|
|
||||||
for _, c := range in {
|
|
||||||
if c == utf8.RuneError {
|
|
||||||
// If we get a UTF-8 error then there might be
|
|
||||||
// upper-case ASCII bytes in the invalid sequence.
|
|
||||||
isAlreadyLowerCase = false
|
|
||||||
break
|
|
||||||
}
|
|
||||||
if 'A' <= c && c <= 'Z' {
|
|
||||||
isAlreadyLowerCase = false
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if isAlreadyLowerCase {
|
|
||||||
return in
|
|
||||||
}
|
|
||||||
|
|
||||||
out := []byte(in)
|
|
||||||
for i, c := range out {
|
|
||||||
if 'A' <= c && c <= 'Z' {
|
|
||||||
out[i] += 'a' - 'A'
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return string(out)
|
|
||||||
}
|
|
||||||
|
|
||||||
// VerifyHostname returns nil if c is a valid certificate for the named host.
|
|
||||||
// Otherwise it returns an error describing the mismatch.
|
|
||||||
func (c *Certificate) VerifyHostname(h string) error {
|
|
||||||
// IP addresses may be written in [ ].
|
|
||||||
candidateIP := h
|
|
||||||
if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' {
|
|
||||||
candidateIP = h[1 : len(h)-1]
|
|
||||||
}
|
|
||||||
if ip := net.ParseIP(candidateIP); ip != nil {
|
|
||||||
// We only match IP addresses against IP SANs.
|
|
||||||
// https://tools.ietf.org/html/rfc6125#appendix-B.2
|
|
||||||
for _, candidate := range c.IPAddresses {
|
|
||||||
if ip.Equal(candidate) {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return HostnameError{c, candidateIP}
|
|
||||||
}
|
|
||||||
|
|
||||||
lowered := toLowerCaseASCII(h)
|
|
||||||
|
|
||||||
if len(c.DNSNames) > 0 {
|
|
||||||
for _, match := range c.DNSNames {
|
|
||||||
if matchHostnames(toLowerCaseASCII(match), lowered) {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// If Subject Alt Name is given, we ignore the common name.
|
|
||||||
} else if matchHostnames(toLowerCaseASCII(c.Subject.CommonName), lowered) {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return HostnameError{c, h}
|
|
||||||
}
|
|
||||||
|
|
||||||
func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
|
|
||||||
usages := make([]ExtKeyUsage, len(keyUsages))
|
|
||||||
copy(usages, keyUsages)
|
|
||||||
|
|
||||||
if len(chain) == 0 {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
usagesRemaining := len(usages)
|
|
||||||
|
|
||||||
// We walk down the list and cross out any usages that aren't supported
|
|
||||||
// by each certificate. If we cross out all the usages, then the chain
|
|
||||||
// is unacceptable.
|
|
||||||
|
|
||||||
for i := len(chain) - 1; i >= 0; i-- {
|
|
||||||
cert := chain[i]
|
|
||||||
if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
|
|
||||||
// The certificate doesn't have any extended key usage specified.
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, usage := range cert.ExtKeyUsage {
|
|
||||||
if usage == ExtKeyUsageAny {
|
|
||||||
// The certificate is explicitly good for any usage.
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
const invalidUsage ExtKeyUsage = -1
|
|
||||||
|
|
||||||
NextRequestedUsage:
|
|
||||||
for i, requestedUsage := range usages {
|
|
||||||
if requestedUsage == invalidUsage {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, usage := range cert.ExtKeyUsage {
|
|
||||||
if requestedUsage == usage {
|
|
||||||
continue NextRequestedUsage
|
|
||||||
} else if requestedUsage == ExtKeyUsageServerAuth &&
|
|
||||||
(usage == ExtKeyUsageNetscapeServerGatedCrypto ||
|
|
||||||
usage == ExtKeyUsageMicrosoftServerGatedCrypto) {
|
|
||||||
// In order to support COMODO
|
|
||||||
// certificate chains, we have to
|
|
||||||
// accept Netscape or Microsoft SGC
|
|
||||||
// usages as equal to ServerAuth.
|
|
||||||
continue NextRequestedUsage
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
usages[i] = invalidUsage
|
|
||||||
usagesRemaining--
|
|
||||||
if usagesRemaining == 0 {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return true
|
|
||||||
}
|
|
|
@ -1,975 +0,0 @@
|
||||||
// Copyright 2011 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
// START CT CHANGES
|
|
||||||
"src.agwa.name/ctwatch/ct/x509/pkix"
|
|
||||||
// END CT CHANGES
|
|
||||||
"encoding/pem"
|
|
||||||
"errors"
|
|
||||||
"runtime"
|
|
||||||
"strings"
|
|
||||||
"testing"
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
type verifyTest struct {
|
|
||||||
leaf string
|
|
||||||
intermediates []string
|
|
||||||
roots []string
|
|
||||||
currentTime int64
|
|
||||||
dnsName string
|
|
||||||
systemSkip bool
|
|
||||||
keyUsages []ExtKeyUsage
|
|
||||||
testSystemRootsError bool
|
|
||||||
disableTimeChecks bool
|
|
||||||
|
|
||||||
errorCallback func(*testing.T, int, error) bool
|
|
||||||
expectedChains [][]string
|
|
||||||
}
|
|
||||||
|
|
||||||
var verifyTests = []verifyTest{
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
testSystemRootsError: true,
|
|
||||||
|
|
||||||
// Without any roots specified we should get a system roots
|
|
||||||
// error.
|
|
||||||
errorCallback: expectSystemRootsError,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"Google", "Thawte", "VeriSign"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
dnsName: "WwW.GooGLE.coM",
|
|
||||||
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"Google", "Thawte", "VeriSign"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
dnsName: "www.example.com",
|
|
||||||
|
|
||||||
errorCallback: expectHostnameError,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 1,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
|
|
||||||
errorCallback: expectExpired,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 1,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
disableTimeChecks: true,
|
|
||||||
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"Google", "Thawte", "VeriSign"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 10000000000,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
|
|
||||||
errorCallback: expectExpired,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 10000000000,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
disableTimeChecks: true,
|
|
||||||
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"Google", "Thawte", "VeriSign"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
|
|
||||||
// Skip when using systemVerify, since Windows
|
|
||||||
// *will* find the missing intermediate cert.
|
|
||||||
systemSkip: true,
|
|
||||||
errorCallback: expectAuthorityUnknown,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeaf,
|
|
||||||
intermediates: []string{verisignRoot, thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"Google", "Thawte", "VeriSign"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: dnssecExpLeaf,
|
|
||||||
intermediates: []string{startComIntermediate},
|
|
||||||
roots: []string{startComRoot},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: dnssecExpLeaf,
|
|
||||||
intermediates: []string{startComIntermediate, startComRoot},
|
|
||||||
roots: []string{startComRoot},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
|
|
||||||
// Skip when using systemVerify, since Windows
|
|
||||||
// can only return a single chain to us (for now).
|
|
||||||
systemSkip: true,
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority"},
|
|
||||||
{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority", "StartCom Certification Authority"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: googleLeafWithInvalidHash,
|
|
||||||
intermediates: []string{thawteIntermediate},
|
|
||||||
roots: []string{verisignRoot},
|
|
||||||
currentTime: 1302726541,
|
|
||||||
dnsName: "www.google.com",
|
|
||||||
|
|
||||||
// The specific error message may not occur when using system
|
|
||||||
// verification.
|
|
||||||
systemSkip: true,
|
|
||||||
errorCallback: expectHashError,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
// The default configuration should reject an S/MIME chain.
|
|
||||||
leaf: smimeLeaf,
|
|
||||||
roots: []string{smimeIntermediate},
|
|
||||||
currentTime: 1339436154,
|
|
||||||
|
|
||||||
// Key usage not implemented for Windows yet.
|
|
||||||
systemSkip: true,
|
|
||||||
errorCallback: expectUsageError,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: smimeLeaf,
|
|
||||||
roots: []string{smimeIntermediate},
|
|
||||||
currentTime: 1339436154,
|
|
||||||
keyUsages: []ExtKeyUsage{ExtKeyUsageServerAuth},
|
|
||||||
|
|
||||||
// Key usage not implemented for Windows yet.
|
|
||||||
systemSkip: true,
|
|
||||||
errorCallback: expectUsageError,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: smimeLeaf,
|
|
||||||
roots: []string{smimeIntermediate},
|
|
||||||
currentTime: 1339436154,
|
|
||||||
keyUsages: []ExtKeyUsage{ExtKeyUsageEmailProtection},
|
|
||||||
|
|
||||||
// Key usage not implemented for Windows yet.
|
|
||||||
systemSkip: true,
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"Ryan Hurst", "GlobalSign PersonalSign 2 CA - G2"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
leaf: megaLeaf,
|
|
||||||
intermediates: []string{comodoIntermediate1},
|
|
||||||
roots: []string{comodoRoot},
|
|
||||||
currentTime: 1360431182,
|
|
||||||
|
|
||||||
// CryptoAPI can find alternative validation paths so we don't
|
|
||||||
// perform this test with system validation.
|
|
||||||
systemSkip: true,
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{"mega.co.nz", "EssentialSSL CA", "COMODO Certification Authority"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
// Check that a name constrained intermediate works even when
|
|
||||||
// it lists multiple constraints.
|
|
||||||
leaf: nameConstraintsLeaf,
|
|
||||||
intermediates: []string{nameConstraintsIntermediate1, nameConstraintsIntermediate2},
|
|
||||||
roots: []string{globalSignRoot},
|
|
||||||
currentTime: 1382387896,
|
|
||||||
dnsName: "secure.iddl.vt.edu",
|
|
||||||
|
|
||||||
expectedChains: [][]string{
|
|
||||||
{
|
|
||||||
"Technology-enhanced Learning and Online Strategies",
|
|
||||||
"Virginia Tech Global Qualified Server CA",
|
|
||||||
"Trusted Root CA G2",
|
|
||||||
"GlobalSign Root CA",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
func expectHostnameError(t *testing.T, i int, err error) (ok bool) {
|
|
||||||
if _, ok := err.(HostnameError); !ok {
|
|
||||||
t.Errorf("#%d: error was not a HostnameError: %s", i, err)
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func expectExpired(t *testing.T, i int, err error) (ok bool) {
|
|
||||||
if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != Expired {
|
|
||||||
t.Errorf("#%d: error was not Expired: %s", i, err)
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func expectUsageError(t *testing.T, i int, err error) (ok bool) {
|
|
||||||
if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != IncompatibleUsage {
|
|
||||||
t.Errorf("#%d: error was not IncompatibleUsage: %s", i, err)
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func expectAuthorityUnknown(t *testing.T, i int, err error) (ok bool) {
|
|
||||||
if _, ok := err.(UnknownAuthorityError); !ok {
|
|
||||||
t.Errorf("#%d: error was not UnknownAuthorityError: %s", i, err)
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func expectSystemRootsError(t *testing.T, i int, err error) bool {
|
|
||||||
if _, ok := err.(SystemRootsError); !ok {
|
|
||||||
t.Errorf("#%d: error was not SystemRootsError: %s", i, err)
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func expectHashError(t *testing.T, i int, err error) bool {
|
|
||||||
if err == nil {
|
|
||||||
t.Errorf("#%d: no error resulted from invalid hash", i)
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
if expected := "algorithm unimplemented"; !strings.Contains(err.Error(), expected) {
|
|
||||||
t.Errorf("#%d: error resulting from invalid hash didn't contain '%s', rather it was: %s", i, expected, err)
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func certificateFromPEM(pemBytes string) (*Certificate, error) {
|
|
||||||
block, _ := pem.Decode([]byte(pemBytes))
|
|
||||||
if block == nil {
|
|
||||||
return nil, errors.New("failed to decode PEM")
|
|
||||||
}
|
|
||||||
return ParseCertificate(block.Bytes)
|
|
||||||
}
|
|
||||||
|
|
||||||
func testVerify(t *testing.T, useSystemRoots bool) {
|
|
||||||
for i, test := range verifyTests {
|
|
||||||
if useSystemRoots && test.systemSkip {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if runtime.GOOS == "windows" && test.testSystemRootsError {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
opts := VerifyOptions{
|
|
||||||
Intermediates: NewCertPool(),
|
|
||||||
DNSName: test.dnsName,
|
|
||||||
CurrentTime: time.Unix(test.currentTime, 0),
|
|
||||||
KeyUsages: test.keyUsages,
|
|
||||||
DisableTimeChecks: test.disableTimeChecks,
|
|
||||||
}
|
|
||||||
|
|
||||||
if !useSystemRoots {
|
|
||||||
opts.Roots = NewCertPool()
|
|
||||||
for j, root := range test.roots {
|
|
||||||
ok := opts.Roots.AppendCertsFromPEM([]byte(root))
|
|
||||||
if !ok {
|
|
||||||
t.Errorf("#%d: failed to parse root #%d", i, j)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
for j, intermediate := range test.intermediates {
|
|
||||||
ok := opts.Intermediates.AppendCertsFromPEM([]byte(intermediate))
|
|
||||||
if !ok {
|
|
||||||
t.Errorf("#%d: failed to parse intermediate #%d", i, j)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
leaf, err := certificateFromPEM(test.leaf)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("#%d: failed to parse leaf: %s", i, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
var oldSystemRoots *CertPool
|
|
||||||
if test.testSystemRootsError {
|
|
||||||
oldSystemRoots = systemRootsPool()
|
|
||||||
systemRoots = nil
|
|
||||||
opts.Roots = nil
|
|
||||||
}
|
|
||||||
|
|
||||||
chains, err := leaf.Verify(opts)
|
|
||||||
|
|
||||||
if test.testSystemRootsError {
|
|
||||||
systemRoots = oldSystemRoots
|
|
||||||
}
|
|
||||||
|
|
||||||
if test.errorCallback == nil && err != nil {
|
|
||||||
t.Errorf("#%d: unexpected error: %s", i, err)
|
|
||||||
}
|
|
||||||
if test.errorCallback != nil {
|
|
||||||
if !test.errorCallback(t, i, err) {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(chains) != len(test.expectedChains) {
|
|
||||||
t.Errorf("#%d: wanted %d chains, got %d", i, len(test.expectedChains), len(chains))
|
|
||||||
}
|
|
||||||
|
|
||||||
// We check that each returned chain matches a chain from
|
|
||||||
// expectedChains but an entry in expectedChains can't match
|
|
||||||
// two chains.
|
|
||||||
seenChains := make([]bool, len(chains))
|
|
||||||
NextOutputChain:
|
|
||||||
for _, chain := range chains {
|
|
||||||
TryNextExpected:
|
|
||||||
for j, expectedChain := range test.expectedChains {
|
|
||||||
if seenChains[j] {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if len(chain) != len(expectedChain) {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
for k, cert := range chain {
|
|
||||||
if strings.Index(nameToKey(&cert.Subject), expectedChain[k]) == -1 {
|
|
||||||
continue TryNextExpected
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// we matched
|
|
||||||
seenChains[j] = true
|
|
||||||
continue NextOutputChain
|
|
||||||
}
|
|
||||||
t.Errorf("#%d: No expected chain matched %s", i, chainToDebugString(chain))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestGoVerify(t *testing.T) {
|
|
||||||
testVerify(t, false)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestSystemVerify(t *testing.T) {
|
|
||||||
if runtime.GOOS != "windows" {
|
|
||||||
t.Skipf("skipping verify test using system APIs on %q", runtime.GOOS)
|
|
||||||
}
|
|
||||||
|
|
||||||
testVerify(t, true)
|
|
||||||
}
|
|
||||||
|
|
||||||
func chainToDebugString(chain []*Certificate) string {
|
|
||||||
var chainStr string
|
|
||||||
for _, cert := range chain {
|
|
||||||
if len(chainStr) > 0 {
|
|
||||||
chainStr += " -> "
|
|
||||||
}
|
|
||||||
chainStr += nameToKey(&cert.Subject)
|
|
||||||
}
|
|
||||||
return chainStr
|
|
||||||
}
|
|
||||||
|
|
||||||
func nameToKey(name *pkix.Name) string {
|
|
||||||
return strings.Join(name.Country, ",") + "/" + strings.Join(name.Organization, ",") + "/" + strings.Join(name.OrganizationalUnit, ",") + "/" + name.CommonName
|
|
||||||
}
|
|
||||||
|
|
||||||
const verisignRoot = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
|
|
||||||
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
|
|
||||||
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
|
|
||||||
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
|
|
||||||
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
|
|
||||||
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
|
|
||||||
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
|
|
||||||
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
|
|
||||||
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
|
|
||||||
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
|
|
||||||
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
|
|
||||||
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
`
|
|
||||||
|
|
||||||
const thawteIntermediate = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDIzCCAoygAwIBAgIEMAAAAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJV
|
|
||||||
UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi
|
|
||||||
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNTEzMDAw
|
|
||||||
MDAwWhcNMTQwNTEyMjM1OTU5WjBMMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh
|
|
||||||
d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBD
|
|
||||||
QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1NNn0I0Vf67NMf59HZGhPwtx
|
|
||||||
PKzMyGT7Y/wySweUvW+Aui/hBJPAM/wJMyPpC3QrccQDxtLN4i/1CWPN/0ilAL/g
|
|
||||||
5/OIty0y3pg25gqtAHvEZEo7hHUD8nCSfQ5i9SGraTaEMXWQ+L/HbIgbBpV8yeWo
|
|
||||||
3nWhLHpo39XKHIdYYBkCAwEAAaOB/jCB+zASBgNVHRMBAf8ECDAGAQH/AgEAMAsG
|
|
||||||
A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwKAYDVR0RBCEwH6QdMBsxGTAX
|
|
||||||
BgNVBAMTEFByaXZhdGVMYWJlbDMtMTUwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDov
|
|
||||||
L2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
|
|
||||||
AQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMDQGA1UdJQQtMCsGCCsGAQUF
|
|
||||||
BwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEB
|
|
||||||
BQUAA4GBAFWsY+reod3SkF+fC852vhNRj5PZBSvIG3dLrWlQoe7e3P3bB+noOZTc
|
|
||||||
q3J5Lwa/q4FwxKjt6lM07e8eU9kGx1Yr0Vz00YqOtCuxN5BICEIlxT6Ky3/rbwTR
|
|
||||||
bcV0oveifHtgPHfNDs5IAn8BL7abN+AqKjbc1YXWrOU/VG+WHgWv
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
`
|
|
||||||
|
|
||||||
const googleLeaf = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM
|
|
||||||
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
|
|
||||||
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x
|
|
||||||
MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
|
|
||||||
MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
|
|
||||||
FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
|
|
||||||
gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN
|
|
||||||
gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L
|
|
||||||
05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM
|
|
||||||
BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
|
|
||||||
LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
|
|
||||||
BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
|
|
||||||
Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
|
|
||||||
ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
|
|
||||||
AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5
|
|
||||||
u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6
|
|
||||||
z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw==
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
// googleLeafWithInvalidHash is the same as googleLeaf, but the signature
|
|
||||||
// algorithm in the certificate contains a nonsense OID.
|
|
||||||
const googleLeafWithInvalidHash = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BATIFADBM
|
|
||||||
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
|
|
||||||
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x
|
|
||||||
MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
|
|
||||||
MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
|
|
||||||
FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
|
|
||||||
gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN
|
|
||||||
gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L
|
|
||||||
05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM
|
|
||||||
BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
|
|
||||||
LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
|
|
||||||
BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
|
|
||||||
Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
|
|
||||||
ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAVAF
|
|
||||||
AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5
|
|
||||||
u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6
|
|
||||||
z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw==
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
const dnssecExpLeaf = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIGzTCCBbWgAwIBAgIDAdD6MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
|
|
||||||
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
|
|
||||||
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
|
|
||||||
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTAwNzA0MTQ1MjQ1
|
|
||||||
WhcNMTEwNzA1MTA1NzA0WjCBwTEgMB4GA1UEDRMXMjIxMTM3LWxpOWE5dHhJRzZM
|
|
||||||
NnNyVFMxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVQZXJzb25hIE5vdCBWYWxpZGF0
|
|
||||||
ZWQxKTAnBgNVBAsTIFN0YXJ0Q29tIEZyZWUgQ2VydGlmaWNhdGUgTWVtYmVyMRsw
|
|
||||||
GQYDVQQDExJ3d3cuZG5zc2VjLWV4cC5vcmcxKDAmBgkqhkiG9w0BCQEWGWhvc3Rt
|
|
||||||
YXN0ZXJAZG5zc2VjLWV4cC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
|
|
||||||
AoIBAQDEdF/22vaxrPbqpgVYMWi+alfpzBctpbfLBdPGuqOazJdCT0NbWcK8/+B4
|
|
||||||
X6OlSOURNIlwLzhkmwVsWdVv6dVSaN7d4yI/fJkvgfDB9+au+iBJb6Pcz8ULBfe6
|
|
||||||
D8HVvqKdORp6INzHz71z0sghxrQ0EAEkoWAZLh+kcn2ZHdcmZaBNUfjmGbyU6PRt
|
|
||||||
RjdqoP+owIaC1aktBN7zl4uO7cRjlYFdusINrh2kPP02KAx2W84xjxX1uyj6oS6e
|
|
||||||
7eBfvcwe8czW/N1rbE0CoR7h9+HnIrjnVG9RhBiZEiw3mUmF++Up26+4KTdRKbu3
|
|
||||||
+BL4yMpfd66z0+zzqu+HkvyLpFn5AgMBAAGjggL/MIIC+zAJBgNVHRMEAjAAMAsG
|
|
||||||
A1UdDwQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUy04I5guM
|
|
||||||
drzfh2JQaXhgV86+4jUwHwYDVR0jBBgwFoAU60I00Jiwq5/0G2sI98xkLu8OLEUw
|
|
||||||
LQYDVR0RBCYwJIISd3d3LmRuc3NlYy1leHAub3Jngg5kbnNzZWMtZXhwLm9yZzCC
|
|
||||||
AUIGA1UdIASCATkwggE1MIIBMQYLKwYBBAGBtTcBAgIwggEgMC4GCCsGAQUFBwIB
|
|
||||||
FiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMDQGCCsGAQUFBwIB
|
|
||||||
FihodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9pbnRlcm1lZGlhdGUucGRmMIG3Bggr
|
|
||||||
BgEFBQcCAjCBqjAUFg1TdGFydENvbSBMdGQuMAMCAQEagZFMaW1pdGVkIExpYWJp
|
|
||||||
bGl0eSwgc2VlIHNlY3Rpb24gKkxlZ2FsIExpbWl0YXRpb25zKiBvZiB0aGUgU3Rh
|
|
||||||
cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUG9saWN5IGF2YWlsYWJsZSBh
|
|
||||||
dCBodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMGEGA1UdHwRaMFgw
|
|
||||||
KqAooCaGJGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDAqoCig
|
|
||||||
JoYkaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0MS1jcmwuY3JsMIGOBggrBgEF
|
|
||||||
BQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20v
|
|
||||||
c3ViL2NsYXNzMS9zZXJ2ZXIvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly93d3cuc3Rh
|
|
||||||
cnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczEuc2VydmVyLmNhLmNydDAjBgNVHRIE
|
|
||||||
HDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQADggEB
|
|
||||||
ACXj6SB59KRJPenn6gUdGEqcta97U769SATyiQ87i9er64qLwvIGLMa3o2Rcgl2Y
|
|
||||||
kghUeyLdN/EXyFBYA8L8uvZREPoc7EZukpT/ZDLXy9i2S0jkOxvF2fD/XLbcjGjM
|
|
||||||
iEYG1/6ASw0ri9C0k4oDDoJLCoeH9++yqF7SFCCMcDkJqiAGXNb4euDpa8vCCtEQ
|
|
||||||
CSS+ObZbfkreRt3cNCf5LfCXe9OsTnCfc8Cuq81c0oLaG+SmaLUQNBuToq8e9/Zm
|
|
||||||
+b+/a3RVjxmkV5OCcGVBxsXNDn54Q6wsdw0TBMcjwoEndzpLS7yWgFbbkq5ZiGpw
|
|
||||||
Qibb2+CfKuQ+WFV1GkVQmVA=
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
const startComIntermediate = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIGNDCCBBygAwIBAgIBGDANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
|
|
||||||
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
|
|
||||||
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
|
|
||||||
dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NDE3WhcNMTcxMDI0MjA1NDE3WjCB
|
|
||||||
jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT
|
|
||||||
IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0
|
|
||||||
YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB
|
|
||||||
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj0PREGBiE
|
|
||||||
gFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo/OenJOJA
|
|
||||||
pgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn66+6CPAVv
|
|
||||||
kvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+vWjhwRRI/
|
|
||||||
ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxDKslIDlc5
|
|
||||||
xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21TLwb0pwID
|
|
||||||
AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
|
|
||||||
VR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaAFE4L7xqkQFul
|
|
||||||
F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov
|
|
||||||
L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0
|
|
||||||
YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3
|
|
||||||
dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0
|
|
||||||
c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu
|
|
||||||
BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0
|
|
||||||
BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl
|
|
||||||
LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAIQlJPqWIbuALi0jaMU2P91ZXouHTYlfp
|
|
||||||
tVbzhUV1O+VQHwSL5qBaPucAroXQ+/8gA2TLrQLhxpFy+KNN1t7ozD+hiqLjfDen
|
|
||||||
xk+PNdb01m4Ge90h2c9W/8swIkn+iQTzheWq8ecf6HWQTd35RvdCNPdFWAwRDYSw
|
|
||||||
xtpdPvkBnufh2lWVvnQce/xNFE+sflVHfXv0pQ1JHpXo9xLBzP92piVH0PN1Nb6X
|
|
||||||
t1gW66pceG/sUzCv6gRNzKkC4/C2BBL2MLERPZBOVmTX3DxDX3M570uvh+v2/miI
|
|
||||||
RHLq0gfGabDBoYvvF0nXYbFFSF87ICHpW7LM9NfpMfULFWE7epTj69m8f5SuauNi
|
|
||||||
YpaoZHy4h/OZMn6SolK+u/hlz8nyMPyLwcKmltdfieFcNID1j0cHL7SRv7Gifl9L
|
|
||||||
WtBbnySGBVFaaQNlQ0lxxeBvlDRr9hvYqbBMflPrj0jfyjO1SPo2ShpTpjMM0InN
|
|
||||||
SRXNiTE8kMBy12VLUjWKRhFEuT2OKGWmPnmeXAhEKa2wNREuIU640ucQPl2Eg7PD
|
|
||||||
wuTSxv0JS3QJ3fGz0xk+gA2iCxnwOOfFwq/iI9th4p1cbiCJSS4jarJiwUW0n6+L
|
|
||||||
p/EiO/h94pDQehn7Skzj0n1fSoMD7SfWI55rjbRZotnvbIIp3XUZPD9MEI3vu3Un
|
|
||||||
0q6Dp6jOW6c=
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
const startComRoot = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
|
|
||||||
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
|
|
||||||
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
|
|
||||||
dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM2WhcNMzYwOTE3MTk0NjM2WjB9
|
|
||||||
MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
|
|
||||||
U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
|
|
||||||
cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA
|
|
||||||
A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk
|
|
||||||
pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf
|
|
||||||
OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C
|
|
||||||
Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT
|
|
||||||
Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi
|
|
||||||
HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM
|
|
||||||
Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w
|
|
||||||
+2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+
|
|
||||||
Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3
|
|
||||||
Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B
|
|
||||||
26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID
|
|
||||||
AQABo4ICUjCCAk4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAa4wHQYDVR0OBBYE
|
|
||||||
FE4L7xqkQFulF2mHMMo0aEPQQa7yMGQGA1UdHwRdMFswLKAqoCiGJmh0dHA6Ly9j
|
|
||||||
ZXJ0LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3Js
|
|
||||||
LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMIIBXQYDVR0gBIIBVDCCAVAwggFM
|
|
||||||
BgsrBgEEAYG1NwEBATCCATswLwYIKwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0
|
|
||||||
Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFy
|
|
||||||
dGNvbS5vcmcvaW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYBBQUHAgIwgcMwJxYgU3Rh
|
|
||||||
cnQgQ29tbWVyY2lhbCAoU3RhcnRDb20pIEx0ZC4wAwIBARqBl0xpbWl0ZWQgTGlh
|
|
||||||
YmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyogb2Yg
|
|
||||||
dGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFp
|
|
||||||
bGFibGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwEQYJ
|
|
||||||
YIZIAYb4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNT
|
|
||||||
TCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTANBgkqhkiG9w0BAQUFAAOCAgEAFmyZ
|
|
||||||
9GYMNPXQhV59CuzaEE44HF7fpiUFS5Eyweg78T3dRAlbB0mKKctmArexmvclmAk8
|
|
||||||
jhvh3TaHK0u7aNM5Zj2gJsfyOZEdUauCe37Vzlrk4gNXcGmXCPleWKYK34wGmkUW
|
|
||||||
FjgKXlf2Ysd6AgXmvB618p70qSmD+LIU424oh0TDkBreOKk8rENNZEXO3SipXPJz
|
|
||||||
ewT4F+irsfMuXGRuczE6Eri8sxHkfY+BUZo7jYn0TZNmezwD7dOaHZrzZVD1oNB1
|
|
||||||
ny+v8OqCQ5j4aZyJecRDjkZy42Q2Eq/3JR44iZB3fsNrarnDy0RLrHiQi+fHLB5L
|
|
||||||
EUTINFInzQpdn4XBidUaePKVEFMy3YCEZnXZtWgo+2EuvoSoOMCZEoalHmdkrQYu
|
|
||||||
L6lwhceWD3yJZfWOQ1QOq92lgDmUYMA0yZZwLKMS9R9Ie70cfmu3nZD0Ijuu+Pwq
|
|
||||||
yvqCUqDvr0tVk+vBtfAii6w0TiYiBKGHLHVKt+V9E9e4DGTANtLJL4YSjCMJwRuC
|
|
||||||
O3NJo2pXh5Tl1njFmUNj403gdy3hZZlyaQQaRwnmDwFWJPsfvw55qVguucQJAX6V
|
|
||||||
um0ABj6y6koQOdjQK/W/7HW/lwLFCRsI3FU34oH7N4RDYiDK51ZLZer+bMEkkySh
|
|
||||||
NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
const startComRootSHA256 = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIHhzCCBW+gAwIBAgIBLTANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJJTDEW
|
|
||||||
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
|
|
||||||
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
|
|
||||||
dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM3WhcNMzYwOTE3MTk0NjM2WjB9
|
|
||||||
MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
|
|
||||||
U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
|
|
||||||
cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA
|
|
||||||
A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk
|
|
||||||
pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf
|
|
||||||
OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C
|
|
||||||
Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT
|
|
||||||
Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi
|
|
||||||
HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM
|
|
||||||
Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w
|
|
||||||
+2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+
|
|
||||||
Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3
|
|
||||||
Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B
|
|
||||||
26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID
|
|
||||||
AQABo4ICEDCCAgwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
|
|
||||||
VR0OBBYEFE4L7xqkQFulF2mHMMo0aEPQQa7yMB8GA1UdIwQYMBaAFE4L7xqkQFul
|
|
||||||
F2mHMMo0aEPQQa7yMIIBWgYDVR0gBIIBUTCCAU0wggFJBgsrBgEEAYG1NwEBATCC
|
|
||||||
ATgwLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5w
|
|
||||||
ZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2ludGVybWVk
|
|
||||||
aWF0ZS5wZGYwgc8GCCsGAQUFBwICMIHCMCcWIFN0YXJ0IENvbW1lcmNpYWwgKFN0
|
|
||||||
YXJ0Q29tKSBMdGQuMAMCAQEagZZMaW1pdGVkIExpYWJpbGl0eSwgcmVhZCB0aGUg
|
|
||||||
c2VjdGlvbiAqTGVnYWwgTGltaXRhdGlvbnMqIG9mIHRoZSBTdGFydENvbSBDZXJ0
|
|
||||||
aWZpY2F0aW9uIEF1dGhvcml0eSBQb2xpY3kgYXZhaWxhYmxlIGF0IGh0dHA6Ly93
|
|
||||||
d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwEQYJYIZIAYb4QgEBBAQDAgAHMDgG
|
|
||||||
CWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNTTCBDZXJ0aWZpY2F0aW9uIEF1
|
|
||||||
dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAgEAjo/n3JR5fPGFf59Jb2vKXfuM/gTF
|
|
||||||
wWLRfUKKvFO3lANmMD+x5wqnUCBVJX92ehQN6wQOQOY+2IirByeDqXWmN3PH/UvS
|
|
||||||
Ta0XQMhGvjt/UfzDtgUx3M2FIk5xt/JxXrAaxrqTi3iSSoX4eA+D/i+tLPfkpLst
|
|
||||||
0OcNOrg+zvZ49q5HJMqjNTbOx8aHmNrs++myziebiMMEofYLWWivydsQD032ZGNc
|
|
||||||
pRJvkrKTlMeIFw6Ttn5ii5B/q06f/ON1FE8qMt9bDeD1e5MNq6HPh+GlBEXoPBKl
|
|
||||||
CcWw0bdT82AUuoVpaiF8H3VhFyAXe2w7QSlc4axa0c2Mm+tgHRns9+Ww2vl5GKVF
|
|
||||||
P0lDV9LdJNUso/2RjSe15esUBppMeyG7Oq0wBhjA2MFrLH9ZXF2RsXAiV+uKa0hK
|
|
||||||
1Q8p7MZAwC+ITGgBF3f0JBlPvfrhsiAhS90a2Cl9qrjeVOwhVYBsHvUwyKMQ5bLm
|
|
||||||
KhQxw4UtjJixhlpPiVktucf3HMiKf8CdBUrmQk9io20ppB+Fq9vlgcitKj1MXVuE
|
|
||||||
JnHEhV5xJMqlG2zYYdMa4FTbzrqpMrUi9nNBCV24F10OD5mQ1kfabwo6YigUZ4LZ
|
|
||||||
8dCAWZvLMdibD4x3TrVoivJs9iQOLWxwxXPR3hTQcY+203sC9uO41Alua551hDnm
|
|
||||||
fyWl8kgAwKQB2j8=
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
const smimeLeaf = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIFBjCCA+6gAwIBAgISESFvrjT8XcJTEe6rBlPptILlMA0GCSqGSIb3DQEBBQUA
|
|
||||||
MFQxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSowKAYD
|
|
||||||
VQQDEyFHbG9iYWxTaWduIFBlcnNvbmFsU2lnbiAyIENBIC0gRzIwHhcNMTIwMTIz
|
|
||||||
MTYzNjU5WhcNMTUwMTIzMTYzNjU5WjCBlDELMAkGA1UEBhMCVVMxFjAUBgNVBAgT
|
|
||||||
DU5ldyBIYW1zcGhpcmUxEzARBgNVBAcTClBvcnRzbW91dGgxGTAXBgNVBAoTEEds
|
|
||||||
b2JhbFNpZ24sIEluYy4xEzARBgNVBAMTClJ5YW4gSHVyc3QxKDAmBgkqhkiG9w0B
|
|
||||||
CQEWGXJ5YW4uaHVyc3RAZ2xvYmFsc2lnbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA
|
|
||||||
A4IBDwAwggEKAoIBAQC4ASSTvavmsFQAob60ukSSwOAL9nT/s99ltNUCAf5fPH5j
|
|
||||||
NceMKxaQse2miOmRRIXaykcq1p/TbI70Ztce38r2mbOwqDHHPVi13GxJEyUXWgaR
|
|
||||||
BteDMu5OGyWNG1kchVsGWpbstT0Z4v0md5m1BYFnxB20ebJyOR2lXDxsFK28nnKV
|
|
||||||
+5eMj76U8BpPQ4SCH7yTMG6y0XXsB3cCrBKr2o3TOYgEKv+oNnbaoMt3UxMt9nSf
|
|
||||||
9jyIshjqfnT5Aew3CUNMatO55g5FXXdIukAweg1YSb1ls05qW3sW00T3d7dQs9/7
|
|
||||||
NuxCg/A2elmVJSoy8+MLR8JSFEf/aMgjO/TyLg/jAgMBAAGjggGPMIIBizAOBgNV
|
|
||||||
HQ8BAf8EBAMCBaAwTQYDVR0gBEYwRDBCBgorBgEEAaAyASgKMDQwMgYIKwYBBQUH
|
|
||||||
AgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMCQGA1Ud
|
|
||||||
EQQdMBuBGXJ5YW4uaHVyc3RAZ2xvYmFsc2lnbi5jb20wCQYDVR0TBAIwADAdBgNV
|
|
||||||
HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwQwYDVR0fBDwwOjA4oDagNIYyaHR0
|
|
||||||
cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc3BlcnNvbmFsc2lnbjJnMi5jcmww
|
|
||||||
VQYIKwYBBQUHAQEESTBHMEUGCCsGAQUFBzAChjlodHRwOi8vc2VjdXJlLmdsb2Jh
|
|
||||||
bHNpZ24uY29tL2NhY2VydC9nc3BlcnNvbmFsc2lnbjJnMi5jcnQwHQYDVR0OBBYE
|
|
||||||
FFWiECe0/L72eVYqcWYnLV6SSjzhMB8GA1UdIwQYMBaAFD8V0m18L+cxnkMKBqiU
|
|
||||||
bCw7xe5lMA0GCSqGSIb3DQEBBQUAA4IBAQAhQi6hLPeudmf3IBF4IDzCvRI0FaYd
|
|
||||||
BKfprSk/H0PDea4vpsLbWpA0t0SaijiJYtxKjlM4bPd+2chb7ejatDdyrZIzmDVy
|
|
||||||
q4c30/xMninGKokpYA11/Ve+i2dvjulu65qasrtQRGybAuuZ67lrp/K3OMFgjV5N
|
|
||||||
C3AHYLzvNU4Dwc4QQ1BaMOg6KzYSrKbABRZajfrpC9uiePsv7mDIXLx/toBPxWNl
|
|
||||||
a5vJm5DrZdn7uHdvBCE6kMykbOLN5pmEK0UIlwKh6Qi5XD0pzlVkEZliFkBMJgub
|
|
||||||
d/eF7xeg7TKPWC5xyOFp9SdMolJM7LTC3wnSO3frBAev+q/nGs9Xxyvs
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
const smimeIntermediate = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIEFjCCAv6gAwIBAgILBAAAAAABL07hL1IwDQYJKoZIhvcNAQEFBQAwVzELMAkG
|
|
||||||
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
|
||||||
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw
|
|
||||||
MDBaFw0xOTA0MTMxMDAwMDBaMFQxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
|
|
||||||
YWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIFBlcnNvbmFsU2lnbiAy
|
|
||||||
IENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBa0H5Nez4
|
|
||||||
En3dIlFpX7e5E0YndxQ74xOBbz7kdBd+DLX0LOQMjVPU3DAgKL9ujhH+ZhHkURbH
|
|
||||||
3X/94TQSUL/z2JjsaQvS0NqyZXHhM5eeuquzOJRzEQ8+odETzHg2G0Erv7yjSeww
|
|
||||||
gkwDWDJnYUDlOjYTDUEG6+i+8Mn425reo4I0E277wD542kmVWeW7+oHv5dZo9e1Q
|
|
||||||
yWwiKTEP6BEQVVSBgThXMG4traSSDRUt3T1eQTZx5EObpiBEBO4OTqiBTJfg4vEI
|
|
||||||
YgkXzKLpnfszTB6YMDpR9/QS6p3ANB3kfAb+t6udSO3WCst0DGrwHDLBFGDR4UeY
|
|
||||||
T5KGGnI7cWL7AgMBAAGjgeUwgeIwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQI
|
|
||||||
MAYBAf8CAQAwHQYDVR0OBBYEFD8V0m18L+cxnkMKBqiUbCw7xe5lMEcGA1UdIARA
|
|
||||||
MD4wPAYEVR0gADA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWdu
|
|
||||||
LmNvbS9yZXBvc2l0b3J5LzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmds
|
|
||||||
b2JhbHNpZ24ubmV0L3Jvb3QuY3JsMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTN
|
|
||||||
NKj//P1LMA0GCSqGSIb3DQEBBQUAA4IBAQBDc3nMpMxJMQMcYUCB3+C73UpvwDE8
|
|
||||||
eCOr7t2F/uaQKKcyqqstqLZc6vPwI/rcE9oDHugY5QEjQzIBIEaTnN6P0vege2IX
|
|
||||||
eCOr7t2F/uaQKKcyqqstqLZc6vPwI/rcE9oDHugY5QEjQzIBIEaTnN6P0vege2IX
|
|
||||||
YEvTWbWwGdPytDFPYIl3/6OqNSXSnZ7DxPcdLJq2uyiga8PB/TTIIHYkdM2+1DE0
|
|
||||||
7y3rH/7TjwDVD7SLu5/SdOfKskuMPTjOEvz3K161mymW06klVhubCIWOro/Gx1Q2
|
|
||||||
2FQOZ7/2k4uYoOdBTSlb8kTAuzZNgIE0rB2BIYCTz/P6zZIKW0ogbRSH
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
var megaLeaf = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIFOjCCBCKgAwIBAgIQWYE8Dup170kZ+k11Lg51OjANBgkqhkiG9w0BAQUFADBy
|
|
||||||
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
|
|
||||||
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEYMBYGA1UE
|
|
||||||
AxMPRXNzZW50aWFsU1NMIENBMB4XDTEyMTIxNDAwMDAwMFoXDTE0MTIxNDIzNTk1
|
|
||||||
OVowfzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMS4wLAYDVQQL
|
|
||||||
EyVIb3N0ZWQgYnkgSW5zdHJhIENvcnBvcmF0aW9uIFB0eS4gTFREMRUwEwYDVQQL
|
|
||||||
EwxFc3NlbnRpYWxTU0wxEzARBgNVBAMTCm1lZ2EuY28ubnowggEiMA0GCSqGSIb3
|
|
||||||
DQEBAQUAA4IBDwAwggEKAoIBAQDcxMCClae8BQIaJHBUIVttlLvhbK4XhXPk3RQ3
|
|
||||||
G5XA6tLZMBQ33l3F9knYJ0YErXtr8IdfYoulRQFmKFMJl9GtWyg4cGQi2Rcr5VN5
|
|
||||||
S5dA1vu4oyJBxE9fPELcK6Yz1vqaf+n6za+mYTiQYKggVdS8/s8hmNuXP9Zk1pIn
|
|
||||||
+q0pGsf8NAcSHMJgLqPQrTDw+zae4V03DvcYfNKjuno88d2226ld7MAmQZ7uRNsI
|
|
||||||
/CnkdelVs+akZsXf0szefSqMJlf08SY32t2jj4Ra7RApVYxOftD9nij/aLfuqOU6
|
|
||||||
ow6IgIcIG2ZvXLZwK87c5fxL7UAsTTV+M1sVv8jA33V2oKLhAgMBAAGjggG9MIIB
|
|
||||||
uTAfBgNVHSMEGDAWgBTay+qtWwhdzP/8JlTOSeVVxjj0+DAdBgNVHQ4EFgQUmP9l
|
|
||||||
6zhyrZ06Qj4zogt+6LKFk4AwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAw
|
|
||||||
NAYDVR0lBC0wKwYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3CgMDBglghkgB
|
|
||||||
hvhCBAEwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzArMCkGCCsGAQUFBwIBFh1o
|
|
||||||
dHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgEwOwYDVR0fBDQw
|
|
||||||
MjAwoC6gLIYqaHR0cDovL2NybC5jb21vZG9jYS5jb20vRXNzZW50aWFsU1NMQ0Eu
|
|
||||||
Y3JsMG4GCCsGAQUFBwEBBGIwYDA4BggrBgEFBQcwAoYsaHR0cDovL2NydC5jb21v
|
|
||||||
ZG9jYS5jb20vRXNzZW50aWFsU1NMQ0FfMi5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6
|
|
||||||
Ly9vY3NwLmNvbW9kb2NhLmNvbTAlBgNVHREEHjAcggptZWdhLmNvLm56gg53d3cu
|
|
||||||
bWVnYS5jby5uejANBgkqhkiG9w0BAQUFAAOCAQEAcYhrsPSvDuwihMOh0ZmRpbOE
|
|
||||||
Gw6LqKgLNTmaYUPQhzi2cyIjhUhNvugXQQlP5f0lp5j8cixmArafg1dTn4kQGgD3
|
|
||||||
ivtuhBTgKO1VYB/VRoAt6Lmswg3YqyiS7JiLDZxjoV7KoS5xdiaINfHDUaBBY4ZH
|
|
||||||
j2BUlPniNBjCqXe/HndUTVUewlxbVps9FyCmH+C4o9DWzdGBzDpCkcmo5nM+cp7q
|
|
||||||
ZhTIFTvZfo3zGuBoyu8BzuopCJcFRm3cRiXkpI7iOMUIixO1szkJS6WpL1sKdT73
|
|
||||||
UXp08U0LBqoqG130FbzEJBBV3ixbvY6BWMHoCWuaoF12KJnC5kHt2RoWAAgMXA==
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
var comodoIntermediate1 = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIFAzCCA+ugAwIBAgIQGLLLuqME8aAPwfLzJkYqSjANBgkqhkiG9w0BAQUFADCB
|
|
||||||
gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
|
|
||||||
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
|
|
||||||
BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEyMDEwMDAw
|
|
||||||
MDBaFw0xOTEyMzEyMzU5NTlaMHIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVh
|
|
||||||
dGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9E
|
|
||||||
TyBDQSBMaW1pdGVkMRgwFgYDVQQDEw9Fc3NlbnRpYWxTU0wgQ0EwggEiMA0GCSqG
|
|
||||||
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt8AiwcsargxIxF3CJhakgEtSYau2A1NHf
|
|
||||||
5I5ZLdOWIY120j8YC0YZYwvHIPPlC92AGvFaoL0dds23Izp0XmEbdaqb1IX04XiR
|
|
||||||
0y3hr/yYLgbSeT1awB8hLRyuIVPGOqchfr7tZ291HRqfalsGs2rjsQuqag7nbWzD
|
|
||||||
ypWMN84hHzWQfdvaGlyoiBSyD8gSIF/F03/o4Tjg27z5H6Gq1huQByH6RSRQXScq
|
|
||||||
oChBRVt9vKCiL6qbfltTxfEFFld+Edc7tNkBdtzffRDPUanlOPJ7FAB1WfnwWdsX
|
|
||||||
Pvev5gItpHnBXaIcw5rIp6gLSApqLn8tl2X2xQScRMiZln5+pN0vAgMBAAGjggGD
|
|
||||||
MIIBfzAfBgNVHSMEGDAWgBQLWOWLxkwVN6RAqTCpIb5HNlpW/zAdBgNVHQ4EFgQU
|
|
||||||
2svqrVsIXcz//CZUzknlVcY49PgwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQI
|
|
||||||
MAYBAf8CAQAwIAYDVR0lBBkwFwYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMD4GA1Ud
|
|
||||||
IAQ3MDUwMwYEVR0gADArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21v
|
|
||||||
ZG8uY29tL0NQUzBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLmNvbW9kb2Nh
|
|
||||||
LmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBsBggrBgEFBQcB
|
|
||||||
AQRgMF4wNgYIKwYBBQUHMAKGKmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NvbW9k
|
|
||||||
b1VUTlNHQ0NBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2Eu
|
|
||||||
Y29tMA0GCSqGSIb3DQEBBQUAA4IBAQAtlzR6QDLqcJcvgTtLeRJ3rvuq1xqo2l/z
|
|
||||||
odueTZbLN3qo6u6bldudu+Ennv1F7Q5Slqz0J790qpL0pcRDAB8OtXj5isWMcL2a
|
|
||||||
ejGjKdBZa0wztSz4iw+SY1dWrCRnilsvKcKxudokxeRiDn55w/65g+onO7wdQ7Vu
|
|
||||||
F6r7yJiIatnyfKH2cboZT7g440LX8NqxwCPf3dfxp+0Jj1agq8MLy6SSgIGSH6lv
|
|
||||||
+Wwz3D5XxqfyH8wqfOQsTEZf6/Nh9yvENZ+NWPU6g0QO2JOsTGvMd/QDzczc4BxL
|
|
||||||
XSXaPV7Od4rhPsbXlM1wSTz/Dr0ISKvlUhQVnQ6cGodWaK2cCQBk
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
var comodoRoot = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCB
|
|
||||||
gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
|
|
||||||
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
|
|
||||||
BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEyMDEwMDAw
|
|
||||||
MDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
|
|
||||||
YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
|
|
||||||
RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0
|
|
||||||
aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3
|
|
||||||
UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI
|
|
||||||
2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8
|
|
||||||
Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp
|
|
||||||
+2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+
|
|
||||||
DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O
|
|
||||||
nKVIrLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW
|
|
||||||
/zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6g
|
|
||||||
PKA6hjhodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9u
|
|
||||||
QXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAPpiem/Yb6dc5t3iuHXIY
|
|
||||||
SdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CPOGEIqB6BCsAv
|
|
||||||
IC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/
|
|
||||||
RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4
|
|
||||||
zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
|
|
||||||
BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB
|
|
||||||
ZQ==
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
var nameConstraintsLeaf = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIHMTCCBRmgAwIBAgIIIZaV/3ezOJkwDQYJKoZIhvcNAQEFBQAwgcsxCzAJBgNV
|
|
||||||
BAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTETMBEGA1UEBxMKQmxhY2tzYnVyZzEj
|
|
||||||
MCEGA1UECxMaR2xvYmFsIFF1YWxpZmllZCBTZXJ2ZXIgQ0ExPDA6BgNVBAoTM1Zp
|
|
||||||
cmdpbmlhIFBvbHl0ZWNobmljIEluc3RpdHV0ZSBhbmQgU3RhdGUgVW5pdmVyc2l0
|
|
||||||
eTExMC8GA1UEAxMoVmlyZ2luaWEgVGVjaCBHbG9iYWwgUXVhbGlmaWVkIFNlcnZl
|
|
||||||
ciBDQTAeFw0xMzA5MTkxNDM2NTVaFw0xNTA5MTkxNDM2NTVaMIHNMQswCQYDVQQG
|
|
||||||
EwJVUzERMA8GA1UECAwIVmlyZ2luaWExEzARBgNVBAcMCkJsYWNrc2J1cmcxPDA6
|
|
||||||
BgNVBAoMM1ZpcmdpbmlhIFBvbHl0ZWNobmljIEluc3RpdHV0ZSBhbmQgU3RhdGUg
|
|
||||||
VW5pdmVyc2l0eTE7MDkGA1UECwwyVGVjaG5vbG9neS1lbmhhbmNlZCBMZWFybmlu
|
|
||||||
ZyBhbmQgT25saW5lIFN0cmF0ZWdpZXMxGzAZBgNVBAMMEnNlY3VyZS5pZGRsLnZ0
|
|
||||||
LmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkOyPpsOK/6IuPG
|
|
||||||
WnIBlVwlHzeYf+cUlggqkLq0b0+vZbiTXgio9/VCuNQ8opSoss7J7o3ygV9to+9Y
|
|
||||||
YwJKVC5WDT/y5JWpQey0CWILymViJnpNSwnxBc8A+Q8w5NUGDd/UhtPx/U8/hqbd
|
|
||||||
WPDYj2hbOqyq8UlRhfS5pwtnv6BbCTaY11I6FhCLK7zttISyTuWCf9p9o/ggiipP
|
|
||||||
ii/5oh4dkl+r5SfuSp5GPNHlYO8lWqys5NAPoDD4fc/kuflcK7Exx7XJ+Oqu0W0/
|
|
||||||
psjEY/tES1ZgDWU/ParcxxFpFmKHbD5DXsfPOObzkVWXIY6tGMutSlE1Froy/Nn0
|
|
||||||
OZsAOrcCAwEAAaOCAhMwggIPMIG4BggrBgEFBQcBAQSBqzCBqDBYBggrBgEFBQcw
|
|
||||||
AoZMaHR0cDovL3d3dy5wa2kudnQuZWR1L2dsb2JhbHF1YWxpZmllZHNlcnZlci9j
|
|
||||||
YWNlcnQvZ2xvYmFscXVhbGlmaWVkc2VydmVyLmNydDBMBggrBgEFBQcwAYZAaHR0
|
|
||||||
cDovL3Z0Y2EtcC5lcHJvdi5zZXRpLnZ0LmVkdTo4MDgwL2VqYmNhL3B1YmxpY3dl
|
|
||||||
Yi9zdGF0dXMvb2NzcDAdBgNVHQ4EFgQUp7xbO6iHkvtZbPE4jmndmnAbSEcwDAYD
|
|
||||||
VR0TAQH/BAIwADAfBgNVHSMEGDAWgBS8YmAn1eM1SBfpS6tFatDIqHdxjDBqBgNV
|
|
||||||
HSAEYzBhMA4GDCsGAQQBtGgFAgICATAOBgwrBgEEAbRoBQICAQEwPwYMKwYBBAG0
|
|
||||||
aAUCAgMBMC8wLQYIKwYBBQUHAgEWIWh0dHA6Ly93d3cucGtpLnZ0LmVkdS9nbG9i
|
|
||||||
YWwvY3BzLzBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vd3d3LnBraS52dC5lZHUv
|
|
||||||
Z2xvYmFscXVhbGlmaWVkc2VydmVyL2NybC9jYWNybC5jcmwwDgYDVR0PAQH/BAQD
|
|
||||||
AgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHREEFjAUghJz
|
|
||||||
ZWN1cmUuaWRkbC52dC5lZHUwDQYJKoZIhvcNAQEFBQADggIBAEgoYo4aUtatY3gI
|
|
||||||
OyyKp7QlIOaLbTJZywESHqy+L5EGDdJW2DJV+mcE0LDGvqa2/1Lo+AR1ntsZwfOi
|
|
||||||
Y718JwgVVaX/RCd5+QKP25c5/x72xI8hb/L1bgS0ED9b0YAhd7Qm1K1ot82+6mqX
|
|
||||||
DW6WiGeDr8Z07MQ3143qQe2rBlq+QI69DYzm2GOqAIAnUIWv7tCyLUm31b4DwmrJ
|
|
||||||
TeudVreTKUbBNB1TWRFHEPkWhjjXKZnNGRO11wHXcyBu6YekIvVZ+vmx8ePee4jJ
|
|
||||||
3GFOi7lMuWOeq57jTVL7KOKaKLVXBb6gqo5aq+Wwt8RUD5MakrCAEeQZj7DKaFmZ
|
|
||||||
oQCO0Pxrsl3InCGvxnGzT+bFVO9nJ/BAMj7hknFdm9Jr6Bg5q33Z+gnf909AD9QF
|
|
||||||
ESqUSykaHu2LVdJx2MaCH1CyKnRgMw5tEwE15EXpUjCm24m8FMOYC+rNtf18pgrz
|
|
||||||
5D8Jhh+oxK9PjcBYqXNtnioIxiMCYcV0q5d4w4BYFEh71tk7/bYB0R55CsBUVPmp
|
|
||||||
timWNOdRd57Tfpk3USaVsumWZAf9MP3wPiC7gb4d5tYEEAG5BuDT8ruFw838wU8G
|
|
||||||
1VvAVutSiYBg7k3NYO7AUqZ+Ax4klQX3aM9lgonmJ78Qt94UPtbptrfZ4/lSqEf8
|
|
||||||
GBUwDrQNTb+gsXsDkjd5lcYxNx6l
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
var nameConstraintsIntermediate1 = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIINLjCCDBagAwIBAgIRIqpyf/YoGgvHc8HiDAxAI8owDQYJKoZIhvcNAQEFBQAw
|
|
||||||
XDELMAkGA1UEBhMCQkUxFTATBgNVBAsTDFRydXN0ZWQgUm9vdDEZMBcGA1UEChMQ
|
|
||||||
R2xvYmFsU2lnbiBudi1zYTEbMBkGA1UEAxMSVHJ1c3RlZCBSb290IENBIEcyMB4X
|
|
||||||
DTEyMTIxMzAwMDAwMFoXDTE3MTIxMzAwMDAwMFowgcsxCzAJBgNVBAYTAlVTMREw
|
|
||||||
DwYDVQQIEwhWaXJnaW5pYTETMBEGA1UEBxMKQmxhY2tzYnVyZzEjMCEGA1UECxMa
|
|
||||||
R2xvYmFsIFF1YWxpZmllZCBTZXJ2ZXIgQ0ExPDA6BgNVBAoTM1ZpcmdpbmlhIFBv
|
|
||||||
bHl0ZWNobmljIEluc3RpdHV0ZSBhbmQgU3RhdGUgVW5pdmVyc2l0eTExMC8GA1UE
|
|
||||||
AxMoVmlyZ2luaWEgVGVjaCBHbG9iYWwgUXVhbGlmaWVkIFNlcnZlciBDQTCCAiIw
|
|
||||||
DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALgIZhEaptBWADBqdJ45ueFGzMXa
|
|
||||||
GHnzNxoxR1fQIaaRQNdCg4cw3A4dWKMeEgYLtsp65ai3Xfw62Qaus0+KJ3RhgV+r
|
|
||||||
ihqK81NUzkls78fJlADVDI4fCTlothsrE1CTOMiy97jKHai5mVTiWxmcxpmjv7fm
|
|
||||||
5Nhc+uHgh2hIz6npryq495mD51ZrUTIaqAQN6Pw/VHfAmR524vgriTOjtp1t4lA9
|
|
||||||
pXGWjF/vkhAKFFheOQSQ00rngo2wHgCqMla64UTN0oz70AsCYNZ3jDLx0kOP0YmM
|
|
||||||
R3Ih91VA63kLqPXA0R6yxmmhhxLZ5bcyAy1SLjr1N302MIxLM/pSy6aquEnbELhz
|
|
||||||
qyp9yGgRyGJay96QH7c4RJY6gtcoPDbldDcHI9nXngdAL4DrZkJ9OkDkJLyqG66W
|
|
||||||
ZTF5q4EIs6yMdrywz0x7QP+OXPJrjYpbeFs6tGZCFnWPFfmHCRJF8/unofYrheq+
|
|
||||||
9J7Jx3U55S/k57NXbAM1RAJOuMTlfn9Etf9Dpoac9poI4Liav6rBoUQk3N3JWqnV
|
|
||||||
HNx/NdCyJ1/6UbKMJUZsStAVglsi6lVPo289HHOE4f7iwl3SyekizVOp01wUin3y
|
|
||||||
cnbZB/rXmZbwapSxTTSBf0EIOr9i4EGfnnhCAVA9U5uLrI5OEB69IY8PNX0071s3
|
|
||||||
Z2a2fio5c8m3JkdrAgMBAAGjggh5MIIIdTAOBgNVHQ8BAf8EBAMCAQYwTAYDVR0g
|
|
||||||
BEUwQzBBBgkrBgEEAaAyATwwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv
|
|
||||||
YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wEgYDVR0TAQH/BAgwBgEB/wIBADCCBtAG
|
|
||||||
A1UdHgSCBscwggbDoIIGvzASghAzZGJsYWNrc2J1cmcub3JnMBiCFmFjY2VsZXJh
|
|
||||||
dGV2aXJnaW5pYS5jb20wGIIWYWNjZWxlcmF0ZXZpcmdpbmlhLm9yZzALgglhY3Zj
|
|
||||||
cC5vcmcwCYIHYmV2Lm5ldDAJggdiZXYub3JnMAuCCWNsaWdzLm9yZzAMggpjbWl3
|
|
||||||
ZWIub3JnMBeCFWVhc3Rlcm5icm9va3Ryb3V0Lm5ldDAXghVlYXN0ZXJuYnJvb2t0
|
|
||||||
cm91dC5vcmcwEYIPZWNvcnJpZG9ycy5pbmZvMBOCEWVkZ2FycmVzZWFyY2gub3Jn
|
|
||||||
MBKCEGdldC1lZHVjYXRlZC5jb20wE4IRZ2V0LWVkdWNhdGVkLmluZm8wEYIPZ2V0
|
|
||||||
ZWR1Y2F0ZWQubmV0MBKCEGdldC1lZHVjYXRlZC5uZXQwEYIPZ2V0ZWR1Y2F0ZWQu
|
|
||||||
b3JnMBKCEGdldC1lZHVjYXRlZC5vcmcwD4INaG9raWVjbHViLmNvbTAQgg5ob2tp
|
|
||||||
ZXBob3RvLmNvbTAPgg1ob2tpZXNob3AuY29tMBGCD2hva2llc3BvcnRzLmNvbTAS
|
|
||||||
ghBob2tpZXRpY2tldHMuY29tMBKCEGhvdGVscm9hbm9rZS5jb20wE4IRaHVtYW53
|
|
||||||
aWxkbGlmZS5vcmcwF4IVaW5uYXR2aXJnaW5pYXRlY2guY29tMA+CDWlzY2hwMjAx
|
|
||||||
MS5vcmcwD4INbGFuZHJlaGFiLm9yZzAggh5uYXRpb25hbHRpcmVyZXNlYXJjaGNl
|
|
||||||
bnRlci5jb20wFYITbmV0d29ya3ZpcmdpbmlhLm5ldDAMggpwZHJjdnQuY29tMBiC
|
|
||||||
FnBldGVkeWVyaXZlcmNvdXJzZS5jb20wDYILcmFkaW9pcS5vcmcwFYITcml2ZXJj
|
|
||||||
b3Vyc2Vnb2xmLmNvbTALgglzZGltaS5vcmcwEIIOc292YW1vdGlvbi5jb20wHoIc
|
|
||||||
c3VzdGFpbmFibGUtYmlvbWF0ZXJpYWxzLmNvbTAeghxzdXN0YWluYWJsZS1iaW9t
|
|
||||||
YXRlcmlhbHMub3JnMBWCE3RoaXNpc3RoZWZ1dHVyZS5jb20wGIIWdGhpcy1pcy10
|
|
||||||
aGUtZnV0dXJlLmNvbTAVghN0aGlzaXN0aGVmdXR1cmUubmV0MBiCFnRoaXMtaXMt
|
|
||||||
dGhlLWZ1dHVyZS5uZXQwCoIIdmFkcy5vcmcwDIIKdmFsZWFmLm9yZzANggt2YXRl
|
|
||||||
Y2guaW5mbzANggt2YXRlY2gubW9iaTAcghp2YXRlY2hsaWZlbG9uZ2xlYXJuaW5n
|
|
||||||
LmNvbTAcghp2YXRlY2hsaWZlbG9uZ2xlYXJuaW5nLm5ldDAcghp2YXRlY2hsaWZl
|
|
||||||
bG9uZ2xlYXJuaW5nLm9yZzAKggh2Y29tLmVkdTASghB2aXJnaW5pYXZpZXcubmV0
|
|
||||||
MDSCMnZpcmdpbmlhcG9seXRlY2huaWNpbnN0aXR1dGVhbmRzdGF0ZXVuaXZlcnNp
|
|
||||||
dHkuY29tMDWCM3ZpcmdpbmlhcG9seXRlY2huaWNpbnN0aXR1dGVhbmRzdGF0ZXVu
|
|
||||||
aXZlcnNpdHkuaW5mbzA0gjJ2aXJnaW5pYXBvbHl0ZWNobmljaW5zdGl0dXRlYW5k
|
|
||||||
c3RhdGV1bml2ZXJzaXR5Lm5ldDA0gjJ2aXJnaW5pYXBvbHl0ZWNobmljaW5zdGl0
|
|
||||||
dXRlYW5kc3RhdGV1bml2ZXJzaXR5Lm9yZzAZghd2aXJnaW5pYXB1YmxpY3JhZGlv
|
|
||||||
Lm9yZzASghB2aXJnaW5pYXRlY2guZWR1MBOCEXZpcmdpbmlhdGVjaC5tb2JpMByC
|
|
||||||
GnZpcmdpbmlhdGVjaGZvdW5kYXRpb24ub3JnMAiCBnZ0LmVkdTALggl2dGFyYy5v
|
|
||||||
cmcwDIIKdnQtYXJjLm9yZzALggl2dGNyYy5jb20wCoIIdnRpcC5vcmcwDIIKdnRs
|
|
||||||
ZWFuLm9yZzAWghR2dGtub3dsZWRnZXdvcmtzLmNvbTAYghZ2dGxpZmVsb25nbGVh
|
|
||||||
cm5pbmcuY29tMBiCFnZ0bGlmZWxvbmdsZWFybmluZy5uZXQwGIIWdnRsaWZlbG9u
|
|
||||||
Z2xlYXJuaW5nLm9yZzATghF2dHNwb3J0c21lZGlhLmNvbTALggl2dHdlaS5jb20w
|
|
||||||
D4INd2l3YXR3ZXJjLmNvbTAKggh3dnRmLm9yZzAIgQZ2dC5lZHUwd6R1MHMxCzAJ
|
|
||||||
BgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTETMBEGA1UEBxMKQmxhY2tzYnVy
|
|
||||||
ZzE8MDoGA1UEChMzVmlyZ2luaWEgUG9seXRlY2huaWMgSW5zdGl0dXRlIGFuZCBT
|
|
||||||
dGF0ZSBVbml2ZXJzaXR5MCcGA1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDAQYI
|
|
||||||
KwYBBQUHAwkwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL2NybC5nbG9iYWxzaWdu
|
|
||||||
LmNvbS9ncy90cnVzdHJvb3RnMi5jcmwwgYQGCCsGAQUFBwEBBHgwdjAzBggrBgEF
|
|
||||||
BQcwAYYnaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL3RydXN0cm9vdGcyMD8G
|
|
||||||
CCsGAQUFBzAChjNodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC90
|
|
||||||
cnVzdHJvb3RnMi5jcnQwHQYDVR0OBBYEFLxiYCfV4zVIF+lLq0Vq0Miod3GMMB8G
|
|
||||||
A1UdIwQYMBaAFBT25YsxtkWASkxt/MKHico2w5BiMA0GCSqGSIb3DQEBBQUAA4IB
|
|
||||||
AQAyJm/lOB2Er4tHXhc/+fSufSzgjohJgYfMkvG4LknkvnZ1BjliefR8tTXX49d2
|
|
||||||
SCDFWfGjqyJZwavavkl/4p3oXPG/nAMDMvxh4YAT+CfEK9HH+6ICV087kD4BLegi
|
|
||||||
+aFJMj8MMdReWCzn5sLnSR1rdse2mo2arX3Uod14SW+PGrbUmTuWNyvRbz3fVmxp
|
|
||||||
UdbGmj3laknO9YPsBGgHfv73pVVsTJkW4ZfY/7KdD/yaVv6ophpOB3coXfjl2+kd
|
|
||||||
Z4ypn2zK+cx9IL/LSewqd/7W9cD55PCUy4X9OTbEmAccwiz3LB66mQoUGfdHdkoB
|
|
||||||
jUY+v9vLQXmaVwI0AYL7g9LN
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
var nameConstraintsIntermediate2 = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIEXTCCA0WgAwIBAgILBAAAAAABNuk6OrMwDQYJKoZIhvcNAQEFBQAwVzELMAkG
|
|
||||||
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
|
||||||
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMjA0MjUxMTAw
|
|
||||||
MDBaFw0yNzA0MjUxMTAwMDBaMFwxCzAJBgNVBAYTAkJFMRUwEwYDVQQLEwxUcnVz
|
|
||||||
dGVkIFJvb3QxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExGzAZBgNVBAMTElRy
|
|
||||||
dXN0ZWQgUm9vdCBDQSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
|
|
||||||
AKyuvqrtcMr7g7EuNbu4sKwxM127UsCmx1RxbxxgcArGS7rjiefpBH/w4LYrymjf
|
|
||||||
vcw1ueyMNoqLo9nJMz/ORXupb35NNfE667prQYHa+tTjl1IiKpB7QUwt3wXPuTMF
|
|
||||||
Ja1tXtjKzkqJyuJlNuPKT76HcjgNqgV1s9qG44MD5I2JvI12du8zI1bgdQ+l/KsX
|
|
||||||
kTfbGjUvhOLOlVNWVQDpL+YMIrGqgBYxy5TUNgrAcRtwpNdS2KkF5otSmMweVb5k
|
|
||||||
hoUVv3u8UxQH/WWbNhHq1RrIlg/0rBUfi/ziShYFSB7U+aLx5DxPphTFBiDquQGp
|
|
||||||
tB+FC4JvnukDStFihZCZ1R8CAwEAAaOCASMwggEfMA4GA1UdDwEB/wQEAwIBBjAP
|
|
||||||
BgNVHRMBAf8EBTADAQH/MEcGA1UdIARAMD4wPAYEVR0gADA0MDIGCCsGAQUFBwIB
|
|
||||||
FiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAdBgNVHQ4E
|
|
||||||
FgQUFPblizG2RYBKTG38woeJyjbDkGIwMwYDVR0fBCwwKjAooCagJIYiaHR0cDov
|
|
||||||
L2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNybDA+BggrBgEFBQcBAQQyMDAwLgYI
|
|
||||||
KwYBBQUHMAGGImh0dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjEwHwYD
|
|
||||||
VR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZIhvcNAQEFBQADggEB
|
|
||||||
AL7IG0l+k4LkcpI+a/kvZsSRwSM4uA6zGX34e78A2oytr8RG8bJwVb8+AHMUD+Xe
|
|
||||||
2kYdh/Uj/waQXfqR0OgxQXL9Ct4ZM+JlR1avsNKXWL5AwYXAXCOB3J5PW2XOck7H
|
|
||||||
Zw0vRbGQhjWjQx+B4KOUFg1b3ov/z6Xkr3yaCfRQhXh7KC0Bc0RXPPG5Nv5lCW+z
|
|
||||||
tbbg0zMm3kyfQITRusMSg6IBsDJqOnjaiaKQRcXiD0Sk43ZXb2bUKMxC7+Td3QL4
|
|
||||||
RyHcWJbQ7YylLTS/x+jxWIcOQ0oO5/54t5PTQ14neYhOz9x4gUk2AYAW6d1vePwb
|
|
||||||
hcC8roQwkHT7HvfYBoc74FM=
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
var globalSignRoot = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
|
|
||||||
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
|
|
||||||
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
|
|
||||||
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
|
|
||||||
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
|
|
||||||
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
|
|
||||||
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
|
|
||||||
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
|
|
||||||
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
|
|
||||||
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
|
|
||||||
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
|
|
||||||
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
|
|
||||||
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
|
|
||||||
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
|
|
||||||
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
|
|
||||||
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
|
|
||||||
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
|
|
||||||
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
|
|
||||||
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
|
|
||||||
-----END CERTIFICATE-----`
|
|
1644
ct/x509/x509.go
1644
ct/x509/x509.go
File diff suppressed because it is too large
Load Diff
|
@ -1,751 +0,0 @@
|
||||||
// Copyright 2009 The Go Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package x509
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"crypto/dsa"
|
|
||||||
"crypto/ecdsa"
|
|
||||||
"crypto/elliptic"
|
|
||||||
"crypto/rand"
|
|
||||||
"crypto/rsa"
|
|
||||||
_ "crypto/sha256"
|
|
||||||
_ "crypto/sha512"
|
|
||||||
// START CT CHANGES
|
|
||||||
"src.agwa.name/ctwatch/ct/asn1"
|
|
||||||
"src.agwa.name/ctwatch/ct/x509/pkix"
|
|
||||||
// END CT CHANGES
|
|
||||||
"encoding/base64"
|
|
||||||
"encoding/hex"
|
|
||||||
"encoding/pem"
|
|
||||||
// START CT CHANGES
|
|
||||||
"errors"
|
|
||||||
// END CT CHANGES
|
|
||||||
"math/big"
|
|
||||||
"net"
|
|
||||||
"reflect"
|
|
||||||
// START CT CHANGES
|
|
||||||
"strings"
|
|
||||||
// END CT CHANGES
|
|
||||||
"testing"
|
|
||||||
"time"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestParsePKCS1PrivateKey(t *testing.T) {
|
|
||||||
block, _ := pem.Decode([]byte(pemPrivateKey))
|
|
||||||
priv, err := ParsePKCS1PrivateKey(block.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("Failed to parse private key: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if priv.PublicKey.N.Cmp(rsaPrivateKey.PublicKey.N) != 0 ||
|
|
||||||
priv.PublicKey.E != rsaPrivateKey.PublicKey.E ||
|
|
||||||
priv.D.Cmp(rsaPrivateKey.D) != 0 ||
|
|
||||||
priv.Primes[0].Cmp(rsaPrivateKey.Primes[0]) != 0 ||
|
|
||||||
priv.Primes[1].Cmp(rsaPrivateKey.Primes[1]) != 0 {
|
|
||||||
t.Errorf("got:%+v want:%+v", priv, rsaPrivateKey)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParsePKIXPublicKey(t *testing.T) {
|
|
||||||
block, _ := pem.Decode([]byte(pemPublicKey))
|
|
||||||
pub, err := ParsePKIXPublicKey(block.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("Failed to parse RSA public key: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
rsaPub, ok := pub.(*rsa.PublicKey)
|
|
||||||
if !ok {
|
|
||||||
t.Errorf("Value returned from ParsePKIXPublicKey was not an RSA public key")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
pubBytes2, err := MarshalPKIXPublicKey(rsaPub)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("Failed to marshal RSA public key for the second time: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if !bytes.Equal(pubBytes2, block.Bytes) {
|
|
||||||
t.Errorf("Reserialization of public key didn't match. got %x, want %x", pubBytes2, block.Bytes)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var pemPublicKey = `-----BEGIN PUBLIC KEY-----
|
|
||||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3VoPN9PKUjKFLMwOge6+
|
|
||||||
wnDi8sbETGIx2FKXGgqtAKpzmem53kRGEQg8WeqRmp12wgp74TGpkEXsGae7RS1k
|
|
||||||
enJCnma4fii+noGH7R0qKgHvPrI2Bwa9hzsH8tHxpyM3qrXslOmD45EH9SxIDUBJ
|
|
||||||
FehNdaPbLP1gFyahKMsdfxFJLUvbUycuZSJ2ZnIgeVxwm4qbSvZInL9Iu4FzuPtg
|
|
||||||
fINKcbbovy1qq4KvPIrXzhbY3PWDc6btxCf3SE0JdE1MCPThntB62/bLMSQ7xdDR
|
|
||||||
FF53oIpvxe/SCOymfWq/LW849Ytv3Xwod0+wzAP8STXG4HSELS4UedPYeHJJJYcZ
|
|
||||||
+QIDAQAB
|
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
`
|
|
||||||
|
|
||||||
var pemPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
|
|
||||||
MIIBOgIBAAJBALKZD0nEffqM1ACuak0bijtqE2QrI/KLADv7l3kK3ppMyCuLKoF0
|
|
||||||
fd7Ai2KW5ToIwzFofvJcS/STa6HA5gQenRUCAwEAAQJBAIq9amn00aS0h/CrjXqu
|
|
||||||
/ThglAXJmZhOMPVn4eiu7/ROixi9sex436MaVeMqSNf7Ex9a8fRNfWss7Sqd9eWu
|
|
||||||
RTUCIQDasvGASLqmjeffBNLTXV2A5g4t+kLVCpsEIZAycV5GswIhANEPLmax0ME/
|
|
||||||
EO+ZJ79TJKN5yiGBRsv5yvx5UiHxajEXAiAhAol5N4EUyq6I9w1rYdhPMGpLfk7A
|
|
||||||
IU2snfRJ6Nq2CQIgFrPsWRCkV+gOYcajD17rEqmuLrdIRexpg8N1DOSXoJ8CIGlS
|
|
||||||
tAboUGBxTDq3ZroNism3DaMIbKPyYrAqhKov1h5V
|
|
||||||
-----END RSA PRIVATE KEY-----
|
|
||||||
`
|
|
||||||
|
|
||||||
func bigFromString(s string) *big.Int {
|
|
||||||
ret := new(big.Int)
|
|
||||||
ret.SetString(s, 10)
|
|
||||||
return ret
|
|
||||||
}
|
|
||||||
|
|
||||||
func fromBase10(base10 string) *big.Int {
|
|
||||||
i := new(big.Int)
|
|
||||||
i.SetString(base10, 10)
|
|
||||||
return i
|
|
||||||
}
|
|
||||||
|
|
||||||
func bigFromHexString(s string) *big.Int {
|
|
||||||
ret := new(big.Int)
|
|
||||||
ret.SetString(s, 16)
|
|
||||||
return ret
|
|
||||||
}
|
|
||||||
|
|
||||||
var rsaPrivateKey = &rsa.PrivateKey{
|
|
||||||
PublicKey: rsa.PublicKey{
|
|
||||||
N: bigFromString("9353930466774385905609975137998169297361893554149986716853295022578535724979677252958524466350471210367835187480748268864277464700638583474144061408845077"),
|
|
||||||
E: 65537,
|
|
||||||
},
|
|
||||||
D: bigFromString("7266398431328116344057699379749222532279343923819063639497049039389899328538543087657733766554155839834519529439851673014800261285757759040931985506583861"),
|
|
||||||
Primes: []*big.Int{
|
|
||||||
bigFromString("98920366548084643601728869055592650835572950932266967461790948584315647051443"),
|
|
||||||
bigFromString("94560208308847015747498523884063394671606671904944666360068158221458669711639"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestMarshalRSAPrivateKey(t *testing.T) {
|
|
||||||
priv := &rsa.PrivateKey{
|
|
||||||
PublicKey: rsa.PublicKey{
|
|
||||||
N: fromBase10("16346378922382193400538269749936049106320265317511766357599732575277382844051791096569333808598921852351577762718529818072849191122419410612033592401403764925096136759934497687765453905884149505175426053037420486697072448609022753683683718057795566811401938833367954642951433473337066311978821180526439641496973296037000052546108507805269279414789035461158073156772151892452251106173507240488993608650881929629163465099476849643165682709047462010581308719577053905787496296934240246311806555924593059995202856826239801816771116902778517096212527979497399966526283516447337775509777558018145573127308919204297111496233"),
|
|
||||||
E: 3,
|
|
||||||
},
|
|
||||||
D: fromBase10("10897585948254795600358846499957366070880176878341177571733155050184921896034527397712889205732614568234385175145686545381899460748279607074689061600935843283397424506622998458510302603922766336783617368686090042765718290914099334449154829375179958369993407724946186243249568928237086215759259909861748642124071874879861299389874230489928271621259294894142840428407196932444474088857746123104978617098858619445675532587787023228852383149557470077802718705420275739737958953794088728369933811184572620857678792001136676902250566845618813972833750098806496641114644760255910789397593428910198080271317419213080834885003"),
|
|
||||||
Primes: []*big.Int{
|
|
||||||
fromBase10("1025363189502892836833747188838978207017355117492483312747347695538428729137306368764177201532277413433182799108299960196606011786562992097313508180436744488171474690412562218914213688661311117337381958560443"),
|
|
||||||
fromBase10("3467903426626310123395340254094941045497208049900750380025518552334536945536837294961497712862519984786362199788654739924501424784631315081391467293694361474867825728031147665777546570788493758372218019373"),
|
|
||||||
fromBase10("4597024781409332673052708605078359346966325141767460991205742124888960305710298765592730135879076084498363772408626791576005136245060321874472727132746643162385746062759369754202494417496879741537284589047"),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
derBytes := MarshalPKCS1PrivateKey(priv)
|
|
||||||
|
|
||||||
priv2, err := ParsePKCS1PrivateKey(derBytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("error parsing serialized key: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if priv.PublicKey.N.Cmp(priv2.PublicKey.N) != 0 ||
|
|
||||||
priv.PublicKey.E != priv2.PublicKey.E ||
|
|
||||||
priv.D.Cmp(priv2.D) != 0 ||
|
|
||||||
len(priv2.Primes) != 3 ||
|
|
||||||
priv.Primes[0].Cmp(priv2.Primes[0]) != 0 ||
|
|
||||||
priv.Primes[1].Cmp(priv2.Primes[1]) != 0 ||
|
|
||||||
priv.Primes[2].Cmp(priv2.Primes[2]) != 0 {
|
|
||||||
t.Errorf("got:%+v want:%+v", priv, priv2)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type matchHostnamesTest struct {
|
|
||||||
pattern, host string
|
|
||||||
ok bool
|
|
||||||
}
|
|
||||||
|
|
||||||
var matchHostnamesTests = []matchHostnamesTest{
|
|
||||||
{"a.b.c", "a.b.c", true},
|
|
||||||
{"a.b.c", "b.b.c", false},
|
|
||||||
{"", "b.b.c", false},
|
|
||||||
{"a.b.c", "", false},
|
|
||||||
{"example.com", "example.com", true},
|
|
||||||
{"example.com", "www.example.com", false},
|
|
||||||
{"*.example.com", "www.example.com", true},
|
|
||||||
{"*.example.com", "xyz.www.example.com", false},
|
|
||||||
{"*.*.example.com", "xyz.www.example.com", true},
|
|
||||||
{"*.www.*.com", "xyz.www.example.com", true},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestMatchHostnames(t *testing.T) {
|
|
||||||
for i, test := range matchHostnamesTests {
|
|
||||||
r := matchHostnames(test.pattern, test.host)
|
|
||||||
if r != test.ok {
|
|
||||||
t.Errorf("#%d mismatch got: %t want: %t", i, r, test.ok)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestMatchIP(t *testing.T) {
|
|
||||||
// Check that pattern matching is working.
|
|
||||||
c := &Certificate{
|
|
||||||
DNSNames: []string{"*.foo.bar.baz"},
|
|
||||||
Subject: pkix.Name{
|
|
||||||
CommonName: "*.foo.bar.baz",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
err := c.VerifyHostname("quux.foo.bar.baz")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("VerifyHostname(quux.foo.bar.baz): %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// But check that if we change it to be matching against an IP address,
|
|
||||||
// it is rejected.
|
|
||||||
c = &Certificate{
|
|
||||||
DNSNames: []string{"*.2.3.4"},
|
|
||||||
Subject: pkix.Name{
|
|
||||||
CommonName: "*.2.3.4",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
err = c.VerifyHostname("1.2.3.4")
|
|
||||||
if err == nil {
|
|
||||||
t.Fatalf("VerifyHostname(1.2.3.4) should have failed, did not")
|
|
||||||
}
|
|
||||||
|
|
||||||
c = &Certificate{
|
|
||||||
IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
|
|
||||||
}
|
|
||||||
err = c.VerifyHostname("127.0.0.1")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("VerifyHostname(127.0.0.1): %v", err)
|
|
||||||
}
|
|
||||||
err = c.VerifyHostname("::1")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("VerifyHostname(::1): %v", err)
|
|
||||||
}
|
|
||||||
err = c.VerifyHostname("[::1]")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("VerifyHostname([::1]): %v", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestCertificateParse(t *testing.T) {
|
|
||||||
s, _ := hex.DecodeString(certBytes)
|
|
||||||
certs, err := ParseCertificates(s)
|
|
||||||
if err != nil {
|
|
||||||
t.Error(err)
|
|
||||||
}
|
|
||||||
if len(certs) != 2 {
|
|
||||||
t.Errorf("Wrong number of certs: got %d want 2", len(certs))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
err = certs[0].CheckSignatureFrom(certs[1])
|
|
||||||
if err != nil {
|
|
||||||
t.Error(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := certs[0].VerifyHostname("mail.google.com"); err != nil {
|
|
||||||
t.Error(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
const expectedExtensions = 4
|
|
||||||
if n := len(certs[0].Extensions); n != expectedExtensions {
|
|
||||||
t.Errorf("want %d extensions, got %d", expectedExtensions, n)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
var certBytes = "308203223082028ba00302010202106edf0d9499fd4533dd1297fc42a93be1300d06092a864886" +
|
|
||||||
"f70d0101050500304c310b3009060355040613025a4131253023060355040a131c546861777465" +
|
|
||||||
"20436f6e73756c74696e67202850747929204c74642e311630140603550403130d546861777465" +
|
|
||||||
"20534743204341301e170d3039303332353136343932395a170d3130303332353136343932395a" +
|
|
||||||
"3069310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630" +
|
|
||||||
"140603550407130d4d6f756e7461696e205669657731133011060355040a130a476f6f676c6520" +
|
|
||||||
"496e63311830160603550403130f6d61696c2e676f6f676c652e636f6d30819f300d06092a8648" +
|
|
||||||
"86f70d010101050003818d0030818902818100c5d6f892fccaf5614b064149e80a2c9581a218ef" +
|
|
||||||
"41ec35bd7a58125ae76f9ea54ddc893abbeb029f6b73616bf0ffd868791fba7af9c4aebf3706ba" +
|
|
||||||
"3eeaeed27435b4ddcfb157c05f351d66aa87fee0de072d66d773affbd36ab78bef090e0cc861a9" +
|
|
||||||
"03ac90dd98b51c9c41566c017f0beec3bff391051ffba0f5cc6850ad2a590203010001a381e730" +
|
|
||||||
"81e430280603551d250421301f06082b0601050507030106082b06010505070302060960864801" +
|
|
||||||
"86f842040130360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e74686177" +
|
|
||||||
"74652e636f6d2f54686177746553474343412e63726c307206082b060105050701010466306430" +
|
|
||||||
"2206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d303e0608" +
|
|
||||||
"2b060105050730028632687474703a2f2f7777772e7468617774652e636f6d2f7265706f736974" +
|
|
||||||
"6f72792f5468617774655f5347435f43412e637274300c0603551d130101ff04023000300d0609" +
|
|
||||||
"2a864886f70d01010505000381810062f1f3050ebc105e497c7aedf87e24d2f4a986bb3b837bd1" +
|
|
||||||
"9b91ebcad98b065992f6bd2b49b7d6d3cb2e427a99d606c7b1d46352527fac39e6a8b6726de5bf" +
|
|
||||||
"70212a52cba07634a5e332011bd1868e78eb5e3c93cf03072276786f207494feaa0ed9d53b2110" +
|
|
||||||
"a76571f90209cdae884385c882587030ee15f33d761e2e45a6bc308203233082028ca003020102" +
|
|
||||||
"020430000002300d06092a864886f70d0101050500305f310b3009060355040613025553311730" +
|
|
||||||
"15060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c61737320" +
|
|
||||||
"33205075626c6963205072696d6172792043657274696669636174696f6e20417574686f726974" +
|
|
||||||
"79301e170d3034303531333030303030305a170d3134303531323233353935395a304c310b3009" +
|
|
||||||
"060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e672028" +
|
|
||||||
"50747929204c74642e311630140603550403130d5468617774652053474320434130819f300d06" +
|
|
||||||
"092a864886f70d010101050003818d0030818902818100d4d367d08d157faecd31fe7d1d91a13f" +
|
|
||||||
"0b713cacccc864fb63fc324b0794bd6f80ba2fe10493c033fc093323e90b742b71c403c6d2cde2" +
|
|
||||||
"2ff50963cdff48a500bfe0e7f388b72d32de9836e60aad007bc4644a3b847503f270927d0e62f5" +
|
|
||||||
"21ab693684317590f8bfc76c881b06957cc9e5a8de75a12c7a68dfd5ca1c875860190203010001" +
|
|
||||||
"a381fe3081fb30120603551d130101ff040830060101ff020100300b0603551d0f040403020106" +
|
|
||||||
"301106096086480186f842010104040302010630280603551d110421301fa41d301b3119301706" +
|
|
||||||
"035504031310507269766174654c6162656c332d313530310603551d1f042a30283026a024a022" +
|
|
||||||
"8620687474703a2f2f63726c2e766572697369676e2e636f6d2f706361332e63726c303206082b" +
|
|
||||||
"0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468" +
|
|
||||||
"617774652e636f6d30340603551d25042d302b06082b0601050507030106082b06010505070302" +
|
|
||||||
"06096086480186f8420401060a6086480186f845010801300d06092a864886f70d010105050003" +
|
|
||||||
"81810055ac63eadea1ddd2905f9f0bce76be13518f93d9052bc81b774bad6950a1eededcfddb07" +
|
|
||||||
"e9e83994dcab72792f06bfab8170c4a8edea5334edef1e53d906c7562bd15cf4d18a8eb42bb137" +
|
|
||||||
"9048084225c53e8acb7feb6f04d16dc574a2f7a27c7b603c77cd0ece48027f012fb69b37e02a2a" +
|
|
||||||
"36dcd585d6ace53f546f961e05af"
|
|
||||||
|
|
||||||
func TestCreateSelfSignedCertificate(t *testing.T) {
|
|
||||||
random := rand.Reader
|
|
||||||
|
|
||||||
block, _ := pem.Decode([]byte(pemPrivateKey))
|
|
||||||
rsaPriv, err := ParsePKCS1PrivateKey(block.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("Failed to parse private key: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("Failed to generate ECDSA key: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
pub, priv interface{}
|
|
||||||
checkSig bool
|
|
||||||
}{
|
|
||||||
{"RSA/RSA", &rsaPriv.PublicKey, rsaPriv, true},
|
|
||||||
{"RSA/ECDSA", &rsaPriv.PublicKey, ecdsaPriv, false},
|
|
||||||
{"ECDSA/RSA", &ecdsaPriv.PublicKey, rsaPriv, false},
|
|
||||||
{"ECDSA/ECDSA", &ecdsaPriv.PublicKey, ecdsaPriv, true},
|
|
||||||
}
|
|
||||||
|
|
||||||
testExtKeyUsage := []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageServerAuth}
|
|
||||||
testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}}
|
|
||||||
extraExtensionData := []byte("extra extension")
|
|
||||||
|
|
||||||
for _, test := range tests {
|
|
||||||
commonName := "test.example.com"
|
|
||||||
template := Certificate{
|
|
||||||
SerialNumber: big.NewInt(1),
|
|
||||||
Subject: pkix.Name{
|
|
||||||
CommonName: commonName,
|
|
||||||
Organization: []string{"Σ Acme Co"},
|
|
||||||
},
|
|
||||||
NotBefore: time.Unix(1000, 0),
|
|
||||||
NotAfter: time.Unix(100000, 0),
|
|
||||||
|
|
||||||
SubjectKeyId: []byte{1, 2, 3, 4},
|
|
||||||
KeyUsage: KeyUsageCertSign,
|
|
||||||
|
|
||||||
ExtKeyUsage: testExtKeyUsage,
|
|
||||||
UnknownExtKeyUsage: testUnknownExtKeyUsage,
|
|
||||||
|
|
||||||
BasicConstraintsValid: true,
|
|
||||||
IsCA: true,
|
|
||||||
|
|
||||||
OCSPServer: []string{"http://ocsp.example.com"},
|
|
||||||
IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"},
|
|
||||||
|
|
||||||
DNSNames: []string{"test.example.com"},
|
|
||||||
EmailAddresses: []string{"gopher@golang.org"},
|
|
||||||
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")},
|
|
||||||
|
|
||||||
PolicyIdentifiers: []asn1.ObjectIdentifier{[]int{1, 2, 3}},
|
|
||||||
PermittedDNSDomains: []string{".example.com", "example.com"},
|
|
||||||
|
|
||||||
CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"},
|
|
||||||
|
|
||||||
ExtraExtensions: []pkix.Extension{
|
|
||||||
{
|
|
||||||
Id: []int{1, 2, 3, 4},
|
|
||||||
Value: extraExtensionData,
|
|
||||||
},
|
|
||||||
// This extension should override the SubjectKeyId, above.
|
|
||||||
{
|
|
||||||
Id: oidExtensionSubjectKeyId,
|
|
||||||
Critical: false,
|
|
||||||
Value: []byte{0x04, 0x04, 4, 3, 2, 1},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
derBytes, err := CreateCertificate(random, &template, &template, test.pub, test.priv)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("%s: failed to create certificate: %s", test.name, err)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
cert, err := ParseCertificate(derBytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("%s: failed to parse certificate: %s", test.name, err)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(cert.PolicyIdentifiers) != 1 || !cert.PolicyIdentifiers[0].Equal(template.PolicyIdentifiers[0]) {
|
|
||||||
t.Errorf("%s: failed to parse policy identifiers: got:%#v want:%#v", test.name, cert.PolicyIdentifiers, template.PolicyIdentifiers)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(cert.PermittedDNSDomains) != 2 || cert.PermittedDNSDomains[0] != ".example.com" || cert.PermittedDNSDomains[1] != "example.com" {
|
|
||||||
t.Errorf("%s: failed to parse name constraints: %#v", test.name, cert.PermittedDNSDomains)
|
|
||||||
}
|
|
||||||
|
|
||||||
if cert.Subject.CommonName != commonName {
|
|
||||||
t.Errorf("%s: subject wasn't correctly copied from the template. Got %s, want %s", test.name, cert.Subject.CommonName, commonName)
|
|
||||||
}
|
|
||||||
|
|
||||||
if cert.Issuer.CommonName != commonName {
|
|
||||||
t.Errorf("%s: issuer wasn't correctly copied from the template. Got %s, want %s", test.name, cert.Issuer.CommonName, commonName)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !reflect.DeepEqual(cert.ExtKeyUsage, testExtKeyUsage) {
|
|
||||||
t.Errorf("%s: extkeyusage wasn't correctly copied from the template. Got %v, want %v", test.name, cert.ExtKeyUsage, testExtKeyUsage)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !reflect.DeepEqual(cert.UnknownExtKeyUsage, testUnknownExtKeyUsage) {
|
|
||||||
t.Errorf("%s: unknown extkeyusage wasn't correctly copied from the template. Got %v, want %v", test.name, cert.UnknownExtKeyUsage, testUnknownExtKeyUsage)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !reflect.DeepEqual(cert.OCSPServer, template.OCSPServer) {
|
|
||||||
t.Errorf("%s: OCSP servers differ from template. Got %v, want %v", test.name, cert.OCSPServer, template.OCSPServer)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !reflect.DeepEqual(cert.IssuingCertificateURL, template.IssuingCertificateURL) {
|
|
||||||
t.Errorf("%s: Issuing certificate URLs differ from template. Got %v, want %v", test.name, cert.IssuingCertificateURL, template.IssuingCertificateURL)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !reflect.DeepEqual(cert.DNSNames, template.DNSNames) {
|
|
||||||
t.Errorf("%s: SAN DNS names differ from template. Got %v, want %v", test.name, cert.DNSNames, template.DNSNames)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !reflect.DeepEqual(cert.EmailAddresses, template.EmailAddresses) {
|
|
||||||
t.Errorf("%s: SAN emails differ from template. Got %v, want %v", test.name, cert.EmailAddresses, template.EmailAddresses)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !reflect.DeepEqual(cert.IPAddresses, template.IPAddresses) {
|
|
||||||
t.Errorf("%s: SAN IPs differ from template. Got %v, want %v", test.name, cert.IPAddresses, template.IPAddresses)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !reflect.DeepEqual(cert.CRLDistributionPoints, template.CRLDistributionPoints) {
|
|
||||||
t.Errorf("%s: CRL distribution points differ from template. Got %v, want %v", test.name, cert.CRLDistributionPoints, template.CRLDistributionPoints)
|
|
||||||
}
|
|
||||||
|
|
||||||
if !bytes.Equal(cert.SubjectKeyId, []byte{4, 3, 2, 1}) {
|
|
||||||
t.Errorf("%s: ExtraExtensions didn't override SubjectKeyId", test.name)
|
|
||||||
}
|
|
||||||
|
|
||||||
if bytes.Index(derBytes, extraExtensionData) == -1 {
|
|
||||||
t.Errorf("%s: didn't find extra extension in DER output", test.name)
|
|
||||||
}
|
|
||||||
|
|
||||||
if test.checkSig {
|
|
||||||
err = cert.CheckSignatureFrom(cert)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("%s: signature verification failed: %s", test.name, err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Self-signed certificate using ECDSA with SHA1 & secp256r1
|
|
||||||
var ecdsaSHA1CertPem = `
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICDjCCAbUCCQDF6SfN0nsnrjAJBgcqhkjOPQQBMIGPMQswCQYDVQQGEwJVUzET
|
|
||||||
MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEVMBMG
|
|
||||||
A1UECgwMR29vZ2xlLCBJbmMuMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG
|
|
||||||
CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIwMjAyMDUw
|
|
||||||
WhcNMjIwNTE4MjAyMDUwWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
|
|
||||||
b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFTATBgNVBAoMDEdvb2dsZSwg
|
|
||||||
SW5jLjEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGdv
|
|
||||||
bGFuZy1kZXZAZ21haWwuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/Wgn
|
|
||||||
WQDo5+bz71T0327ERgd5SDDXFbXLpzIZDXTkjpe8QTEbsF+ezsQfrekrpDPC4Cd3
|
|
||||||
P9LY0tG+aI8IyVKdUjAJBgcqhkjOPQQBA0gAMEUCIGlsqMcRqWVIWTD6wXwe6Jk2
|
|
||||||
DKxL46r/FLgJYnzBEH99AiEA3fBouObsvV1R3oVkb4BQYnD4/4LeId6lAT43YvyV
|
|
||||||
a/A=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
`
|
|
||||||
|
|
||||||
// Self-signed certificate using ECDSA with SHA256 & secp256r1
|
|
||||||
var ecdsaSHA256p256CertPem = `
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICDzCCAbYCCQDlsuMWvgQzhTAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMx
|
|
||||||
EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFTAT
|
|
||||||
BgNVBAoMDEdvb2dsZSwgSW5jLjEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20xIzAh
|
|
||||||
BgkqhkiG9w0BCQEWFGdvbGFuZy1kZXZAZ21haWwuY29tMB4XDTEyMDUyMTAwMTkx
|
|
||||||
NloXDTIyMDUxOTAwMTkxNlowgY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
|
|
||||||
Zm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRUwEwYDVQQKDAxHb29nbGUs
|
|
||||||
IEluYy4xFzAVBgNVBAMMDnd3dy5nb29nbGUuY29tMSMwIQYJKoZIhvcNAQkBFhRn
|
|
||||||
b2xhbmctZGV2QGdtYWlsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPMt
|
|
||||||
2ErhxAty5EJRu9yM+MTy+hUXm3pdW1ensAv382KoGExSXAFWP7pjJnNtHO+XSwVm
|
|
||||||
YNtqjcAGFKpweoN//kQwCgYIKoZIzj0EAwIDRwAwRAIgIYSaUA/IB81gjbIw/hUV
|
|
||||||
70twxJr5EcgOo0hLp3Jm+EYCIFDO3NNcgmURbJ1kfoS3N/0O+irUtoPw38YoNkqJ
|
|
||||||
h5wi
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
`
|
|
||||||
|
|
||||||
// Self-signed certificate using ECDSA with SHA256 & secp384r1
|
|
||||||
var ecdsaSHA256p384CertPem = `
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICSjCCAdECCQDje/no7mXkVzAKBggqhkjOPQQDAjCBjjELMAkGA1UEBhMCVVMx
|
|
||||||
EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS
|
|
||||||
BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG
|
|
||||||
CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMDYxMDM0
|
|
||||||
WhcNMjIwNTE5MDYxMDM0WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
|
|
||||||
b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg
|
|
||||||
SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s
|
|
||||||
YW5nLWRldkBnbWFpbC5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARRuzRNIKRK
|
|
||||||
jIktEmXanNmrTR/q/FaHXLhWRZ6nHWe26Fw7Rsrbk+VjGy4vfWtNn7xSFKrOu5ze
|
|
||||||
qxKnmE0h5E480MNgrUiRkaGO2GMJJVmxx20aqkXOk59U8yGA4CghE6MwCgYIKoZI
|
|
||||||
zj0EAwIDZwAwZAIwBZEN8gvmRmfeP/9C1PRLzODIY4JqWub2PLRT4mv9GU+yw3Gr
|
|
||||||
PU9A3CHMdEcdw/MEAjBBO1lId8KOCh9UZunsSMfqXiVurpzmhWd6VYZ/32G+M+Mh
|
|
||||||
3yILeYQzllt/g0rKVRk=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
`
|
|
||||||
|
|
||||||
// Self-signed certificate using ECDSA with SHA384 & secp521r1
|
|
||||||
var ecdsaSHA384p521CertPem = `
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
MIICljCCAfcCCQDhp1AFD/ahKjAKBggqhkjOPQQDAzCBjjELMAkGA1UEBhMCVVMx
|
|
||||||
EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS
|
|
||||||
BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG
|
|
||||||
CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMTUwNDI5
|
|
||||||
WhcNMjIwNTE5MTUwNDI5WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
|
|
||||||
b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg
|
|
||||||
SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s
|
|
||||||
YW5nLWRldkBnbWFpbC5jb20wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACqx9Rv
|
|
||||||
IssRs1LWYcNN+WffwlHw4Tv3y8/LIAA9MF1ZScIonU9nRMxt4a2uGJVCPDw6JHpz
|
|
||||||
PaYc0E9puLoE9AfKpwFr59Jkot7dBg55SKPEFkddoip/rvmN7NPAWjMBirOwjOkm
|
|
||||||
8FPthvPhGPqsu9AvgVuHu3PosWiHGNrhh379pva8MzAKBggqhkjOPQQDAwOBjAAw
|
|
||||||
gYgCQgEHNmswkUdPpHqrVxp9PvLVl+xxPuHBkT+75z9JizyxtqykHQo9Uh6SWCYH
|
|
||||||
BF9KLolo01wMt8DjoYP5Fb3j5MH7xwJCAbWZzTOp4l4DPkIvAh4LeC4VWbwPPyqh
|
|
||||||
kBg71w/iEcSY3wUKgHGcJJrObZw7wys91I5kENljqw/Samdr3ka+jBJa
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
`
|
|
||||||
|
|
||||||
var ecdsaTests = []struct {
|
|
||||||
sigAlgo SignatureAlgorithm
|
|
||||||
pemCert string
|
|
||||||
}{
|
|
||||||
{ECDSAWithSHA1, ecdsaSHA1CertPem},
|
|
||||||
{ECDSAWithSHA256, ecdsaSHA256p256CertPem},
|
|
||||||
{ECDSAWithSHA256, ecdsaSHA256p384CertPem},
|
|
||||||
{ECDSAWithSHA384, ecdsaSHA384p521CertPem},
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestECDSA(t *testing.T) {
|
|
||||||
for i, test := range ecdsaTests {
|
|
||||||
pemBlock, _ := pem.Decode([]byte(test.pemCert))
|
|
||||||
cert, err := ParseCertificate(pemBlock.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("%d: failed to parse certificate: %s", i, err)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if sa := cert.SignatureAlgorithm; sa != test.sigAlgo {
|
|
||||||
t.Errorf("%d: signature algorithm is %v, want %v", i, sa, test.sigAlgo)
|
|
||||||
}
|
|
||||||
if parsedKey, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok {
|
|
||||||
t.Errorf("%d: wanted an ECDSA public key but found: %#v", i, parsedKey)
|
|
||||||
}
|
|
||||||
if pka := cert.PublicKeyAlgorithm; pka != ECDSA {
|
|
||||||
t.Errorf("%d: public key algorithm is %v, want ECDSA", i, pka)
|
|
||||||
}
|
|
||||||
if err = cert.CheckSignatureFrom(cert); err != nil {
|
|
||||||
t.Errorf("%d: certificate verification failed: %s", i, err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Self-signed certificate using DSA with SHA1
|
|
||||||
var dsaCertPem = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIEDTCCA82gAwIBAgIJALHPghaoxeDhMAkGByqGSM44BAMweTELMAkGA1UEBhMC
|
|
||||||
VVMxCzAJBgNVBAgTAk5DMQ8wDQYDVQQHEwZOZXd0b24xFDASBgNVBAoTC0dvb2ds
|
|
||||||
ZSwgSW5jMRIwEAYDVQQDEwlKb24gQWxsaWUxIjAgBgkqhkiG9w0BCQEWE2pvbmFs
|
|
||||||
bGllQGdvb2dsZS5jb20wHhcNMTEwNTE0MDMwMTQ1WhcNMTEwNjEzMDMwMTQ1WjB5
|
|
||||||
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTkMxDzANBgNVBAcTBk5ld3RvbjEUMBIG
|
|
||||||
A1UEChMLR29vZ2xlLCBJbmMxEjAQBgNVBAMTCUpvbiBBbGxpZTEiMCAGCSqGSIb3
|
|
||||||
DQEJARYTam9uYWxsaWVAZ29vZ2xlLmNvbTCCAbcwggEsBgcqhkjOOAQBMIIBHwKB
|
|
||||||
gQC8hLUnQ7FpFYu4WXTj6DKvXvz8QrJkNJCVMTpKAT7uBpobk32S5RrPKXocd4gN
|
|
||||||
8lyGB9ggS03EVlEwXvSmO0DH2MQtke2jl9j1HLydClMf4sbx5V6TV9IFw505U1iW
|
|
||||||
jL7awRMgxge+FsudtJK254FjMFo03ZnOQ8ZJJ9E6AEDrlwIVAJpnBn9moyP11Ox5
|
|
||||||
Asc/5dnjb6dPAoGBAJFHd4KVv1iTVCvEG6gGiYop5DJh28hUQcN9kul+2A0yPUSC
|
|
||||||
X93oN00P8Vh3eYgSaCWZsha7zDG53MrVJ0Zf6v/X/CoZNhLldeNOepivTRAzn+Rz
|
|
||||||
kKUYy5l1sxYLHQKF0UGNCXfFKZT0PCmgU+PWhYNBBMn6/cIh44vp85ideo5CA4GE
|
|
||||||
AAKBgFmifCafzeRaohYKXJgMGSEaggCVCRq5xdyDCat+wbOkjC4mfG01/um3G8u5
|
|
||||||
LxasjlWRKTR/tcAL7t0QuokVyQaYdVypZXNaMtx1db7YBuHjj3aP+8JOQRI9xz8c
|
|
||||||
bp5NDJ5pISiFOv4p3GZfqZPcqckDt78AtkQrmnal2txhhjF6o4HeMIHbMB0GA1Ud
|
|
||||||
DgQWBBQVyyr7hO11ZFFpWX50298Sa3V+rzCBqwYDVR0jBIGjMIGggBQVyyr7hO11
|
|
||||||
ZFFpWX50298Sa3V+r6F9pHsweTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMQ8w
|
|
||||||
DQYDVQQHEwZOZXd0b24xFDASBgNVBAoTC0dvb2dsZSwgSW5jMRIwEAYDVQQDEwlK
|
|
||||||
b24gQWxsaWUxIjAgBgkqhkiG9w0BCQEWE2pvbmFsbGllQGdvb2dsZS5jb22CCQCx
|
|
||||||
z4IWqMXg4TAMBgNVHRMEBTADAQH/MAkGByqGSM44BAMDLwAwLAIUPtn/5j8Q1jJI
|
|
||||||
7ggOIsgrhgUdjGQCFCsmDq1H11q9+9Wp9IMeGrTSKHIM
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
`
|
|
||||||
|
|
||||||
func TestParseCertificateWithDsaPublicKey(t *testing.T) {
|
|
||||||
expectedKey := &dsa.PublicKey{
|
|
||||||
Parameters: dsa.Parameters{
|
|
||||||
P: bigFromHexString("00BC84B52743B169158BB85974E3E832AF5EFCFC42B264349095313A4A013EEE069A1B937D92E51ACF297A1C77880DF25C8607D8204B4DC45651305EF4A63B40C7D8C42D91EDA397D8F51CBC9D0A531FE2C6F1E55E9357D205C39D395358968CBEDAC11320C607BE16CB9DB492B6E78163305A34DD99CE43C64927D13A0040EB97"),
|
|
||||||
Q: bigFromHexString("009A67067F66A323F5D4EC7902C73FE5D9E36FA74F"),
|
|
||||||
G: bigFromHexString("009147778295BF5893542BC41BA806898A29E43261DBC85441C37D92E97ED80D323D44825FDDE8374D0FF15877798812682599B216BBCC31B9DCCAD527465FEAFFD7FC2A193612E575E34E7A98AF4D10339FE47390A518CB9975B3160B1D0285D1418D0977C52994F43C29A053E3D685834104C9FAFDC221E38BE9F3989D7A8E42"),
|
|
||||||
},
|
|
||||||
Y: bigFromHexString("59A27C269FCDE45AA2160A5C980C19211A820095091AB9C5DC8309AB7EC1B3A48C2E267C6D35FEE9B71BCBB92F16AC8E559129347FB5C00BEEDD10BA8915C90698755CA965735A32DC7575BED806E1E38F768FFBC24E41123DC73F1C6E9E4D0C9E692128853AFE29DC665FA993DCA9C903B7BF00B6442B9A76A5DADC6186317A"),
|
|
||||||
}
|
|
||||||
pemBlock, _ := pem.Decode([]byte(dsaCertPem))
|
|
||||||
cert, err := ParseCertificate(pemBlock.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("Failed to parse certificate: %s", err)
|
|
||||||
}
|
|
||||||
if cert.PublicKeyAlgorithm != DSA {
|
|
||||||
t.Errorf("Parsed key algorithm was not DSA")
|
|
||||||
}
|
|
||||||
parsedKey, ok := cert.PublicKey.(*dsa.PublicKey)
|
|
||||||
if !ok {
|
|
||||||
t.Fatalf("Parsed key was not a DSA key: %s", err)
|
|
||||||
}
|
|
||||||
if expectedKey.Y.Cmp(parsedKey.Y) != 0 ||
|
|
||||||
expectedKey.P.Cmp(parsedKey.P) != 0 ||
|
|
||||||
expectedKey.Q.Cmp(parsedKey.Q) != 0 ||
|
|
||||||
expectedKey.G.Cmp(parsedKey.G) != 0 {
|
|
||||||
t.Fatal("Parsed key differs from expected key")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParseCertificateWithDSASignatureAlgorithm(t *testing.T) {
|
|
||||||
pemBlock, _ := pem.Decode([]byte(dsaCertPem))
|
|
||||||
cert, err := ParseCertificate(pemBlock.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("Failed to parse certificate: %s", err)
|
|
||||||
}
|
|
||||||
if cert.SignatureAlgorithm != DSAWithSHA1 {
|
|
||||||
t.Errorf("Parsed signature algorithm was not DSAWithSHA1")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestVerifyCertificateWithDSASignature(t *testing.T) {
|
|
||||||
pemBlock, _ := pem.Decode([]byte(dsaCertPem))
|
|
||||||
cert, err := ParseCertificate(pemBlock.Bytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("Failed to parse certificate: %s", err)
|
|
||||||
}
|
|
||||||
// test cert is self-signed
|
|
||||||
if err = cert.CheckSignatureFrom(cert); err != nil {
|
|
||||||
t.Fatalf("DSA Certificate verification failed: %s", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
const pemCertificate = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIIB5DCCAZCgAwIBAgIBATALBgkqhkiG9w0BAQUwLTEQMA4GA1UEChMHQWNtZSBDbzEZMBcGA1UE
|
|
||||||
AxMQdGVzdC5leGFtcGxlLmNvbTAeFw03MDAxMDEwMDE2NDBaFw03MDAxMDIwMzQ2NDBaMC0xEDAO
|
|
||||||
BgNVBAoTB0FjbWUgQ28xGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20wWjALBgkqhkiG9w0BAQED
|
|
||||||
SwAwSAJBALKZD0nEffqM1ACuak0bijtqE2QrI/KLADv7l3kK3ppMyCuLKoF0fd7Ai2KW5ToIwzFo
|
|
||||||
fvJcS/STa6HA5gQenRUCAwEAAaOBnjCBmzAOBgNVHQ8BAf8EBAMCAAQwDwYDVR0TAQH/BAUwAwEB
|
|
||||||
/zANBgNVHQ4EBgQEAQIDBDAPBgNVHSMECDAGgAQBAgMEMBsGA1UdEQQUMBKCEHRlc3QuZXhhbXBs
|
|
||||||
ZS5jb20wDwYDVR0gBAgwBjAEBgIqAzAqBgNVHR4EIzAhoB8wDoIMLmV4YW1wbGUuY29tMA2CC2V4
|
|
||||||
YW1wbGUuY29tMAsGCSqGSIb3DQEBBQNBAHKZKoS1wEQOGhgklx4+/yFYQlnqwKXvar/ZecQvJwui
|
|
||||||
0seMQnwBhwdBkHfVIU2Fu5VUMRyxlf0ZNaDXcpU581k=
|
|
||||||
-----END CERTIFICATE-----`
|
|
||||||
|
|
||||||
func TestCRLCreation(t *testing.T) {
|
|
||||||
block, _ := pem.Decode([]byte(pemPrivateKey))
|
|
||||||
priv, _ := ParsePKCS1PrivateKey(block.Bytes)
|
|
||||||
block, _ = pem.Decode([]byte(pemCertificate))
|
|
||||||
cert, _ := ParseCertificate(block.Bytes)
|
|
||||||
|
|
||||||
now := time.Unix(1000, 0)
|
|
||||||
expiry := time.Unix(10000, 0)
|
|
||||||
|
|
||||||
revokedCerts := []pkix.RevokedCertificate{
|
|
||||||
{
|
|
||||||
SerialNumber: big.NewInt(1),
|
|
||||||
RevocationTime: now,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
SerialNumber: big.NewInt(42),
|
|
||||||
RevocationTime: now,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
crlBytes, err := cert.CreateCRL(rand.Reader, priv, revokedCerts, now, expiry)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("error creating CRL: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = ParseDERCRL(crlBytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("error reparsing CRL: %s", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func fromBase64(in string) []byte {
|
|
||||||
out := make([]byte, base64.StdEncoding.DecodedLen(len(in)))
|
|
||||||
_, err := base64.StdEncoding.Decode(out, []byte(in))
|
|
||||||
if err != nil {
|
|
||||||
panic("failed to base64 decode")
|
|
||||||
}
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParseDERCRL(t *testing.T) {
|
|
||||||
derBytes := fromBase64(derCRLBase64)
|
|
||||||
certList, err := ParseDERCRL(derBytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("error parsing: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
numCerts := len(certList.TBSCertList.RevokedCertificates)
|
|
||||||
expected := 88
|
|
||||||
if numCerts != expected {
|
|
||||||
t.Errorf("bad number of revoked certificates. got: %d want: %d", numCerts, expected)
|
|
||||||
}
|
|
||||||
|
|
||||||
if certList.HasExpired(time.Unix(1302517272, 0)) {
|
|
||||||
t.Errorf("CRL has expired (but shouldn't have)")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Can't check the signature here without a package cycle.
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestParsePEMCRL(t *testing.T) {
|
|
||||||
pemBytes := fromBase64(pemCRLBase64)
|
|
||||||
certList, err := ParseCRL(pemBytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Errorf("error parsing: %s", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
numCerts := len(certList.TBSCertList.RevokedCertificates)
|
|
||||||
expected := 2
|
|
||||||
if numCerts != expected {
|
|
||||||
t.Errorf("bad number of revoked certificates. got: %d want: %d", numCerts, expected)
|
|
||||||
}
|
|
||||||
|
|
||||||
if certList.HasExpired(time.Unix(1302517272, 0)) {
|
|
||||||
t.Errorf("CRL has expired (but shouldn't have)")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Can't check the signature here without a package cycle.
|
|
||||||
}
|
|
||||||
|
|
||||||
// START CT CHANGES
|
|
||||||
|
|
||||||
func TestNonFatalErrors(t *testing.T) {
|
|
||||||
nfe := NonFatalErrors{}
|
|
||||||
|
|
||||||
nfe.AddError(errors.New("one"))
|
|
||||||
nfe.AddError(errors.New("two"))
|
|
||||||
nfe.AddError(errors.New("three"))
|
|
||||||
|
|
||||||
if !nfe.HasError() {
|
|
||||||
t.Fatal("NonFatalError claimed not to have an error")
|
|
||||||
}
|
|
||||||
|
|
||||||
if !strings.Contains(nfe.Error(), "one; two; three") {
|
|
||||||
t.Fatalf("Didn't see expected string from Error(), got '%s'", nfe.Error())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// END CT CHANGES
|
|
||||||
|
|
||||||
const derCRLBase64 = "MIINqzCCDJMCAQEwDQYJKoZIhvcNAQEFBQAwVjEZMBcGA1UEAxMQUEtJIEZJTk1FQ0NBTklDQTEVMBMGA1UEChMMRklOTUVDQ0FOSUNBMRUwEwYDVQQLEwxGSU5NRUNDQU5JQ0ExCzAJBgNVBAYTAklUFw0xMTA1MDQxNjU3NDJaFw0xMTA1MDQyMDU3NDJaMIIMBzAhAg4Ze1od49Lt1qIXBydAzhcNMDkwNzE2MDg0MzIyWjAAMCECDl0HSL9bcZ1Ci/UHJ0DPFw0wOTA3MTYwODQzMTNaMAAwIQIOESB9tVAmX3cY7QcnQNAXDTA5MDcxNjA4NDUyMlowADAhAg4S1tGAQ3mHt8uVBydA1RcNMDkwODA0MTUyNTIyWjAAMCECDlQ249Y7vtC25ScHJ0DWFw0wOTA4MDQxNTI1MzdaMAAwIQIOISMop3NkA4PfYwcnQNkXDTA5MDgwNDExMDAzNFowADAhAg56/BMoS29KEShTBydA2hcNMDkwODA0MTEwMTAzWjAAMCECDnBp/22HPH5CSWoHJ0DbFw0wOTA4MDQxMDU0NDlaMAAwIQIOV9IP+8CD8bK+XAcnQNwXDTA5MDgwNDEwNTcxN1owADAhAg4v5aRz0IxWqYiXBydA3RcNMDkwODA0MTA1NzQ1WjAAMCECDlOU34VzvZAybQwHJ0DeFw0wOTA4MDQxMDU4MjFaMAAwIAINO4CD9lluIxcwBydBAxcNMDkwNzIyMTUzMTU5WjAAMCECDgOllfO8Y1QA7/wHJ0ExFw0wOTA3MjQxMTQxNDNaMAAwIQIOJBX7jbiCdRdyjgcnQUQXDTA5MDkxNjA5MzAwOFowADAhAg5iYSAgmDrlH/RZBydBRRcNMDkwOTE2MDkzMDE3WjAAMCECDmu6k6srP3jcMaQHJ0FRFw0wOTA4MDQxMDU2NDBaMAAwIQIOX8aHlO0V+WVH4QcnQVMXDTA5MDgwNDEwNTcyOVowADAhAg5flK2rg3NnsRgDBydBzhcNMTEwMjAxMTUzMzQ2WjAAMCECDg35yJDL1jOPTgoHJ0HPFw0xMTAyMDExNTM0MjZaMAAwIQIOMyFJ6+e9iiGVBQcnQdAXDTA5MDkxODEzMjAwNVowADAhAg5Emb/Oykucmn8fBydB1xcNMDkwOTIxMTAxMDQ3WjAAMCECDjQKCncV+MnUavMHJ0HaFw0wOTA5MjIwODE1MjZaMAAwIQIOaxiFUt3dpd+tPwcnQfQXDTEwMDYxODA4NDI1MVowADAhAg5G7P8nO0tkrMt7BydB9RcNMTAwNjE4MDg0MjMwWjAAMCECDmTCC3SXhmDRst4HJ0H2Fw0wOTA5MjgxMjA3MjBaMAAwIQIOHoGhUr/pRwzTKgcnQfcXDTA5MDkyODEyMDcyNFowADAhAg50wrcrCiw8mQmPBydCBBcNMTAwMjE2MTMwMTA2WjAAMCECDifWmkvwyhEqwEcHJ0IFFw0xMDAyMTYxMzAxMjBaMAAwIQIOfgPmlW9fg+osNgcnQhwXDTEwMDQxMzA5NTIwMFowADAhAg4YHAGuA6LgCk7tBydCHRcNMTAwNDEzMDk1MTM4WjAAMCECDi1zH1bxkNJhokAHJ0IsFw0xMDA0MTMwOTU5MzBaMAAwIQIOMipNccsb/wo2fwcnQi0XDTEwMDQxMzA5NTkwMFowADAhAg46lCmvPl4GpP6ABydCShcNMTAwMTE5MDk1MjE3WjAAMCECDjaTcaj+wBpcGAsHJ0JLFw0xMDAxMTkwOTUyMzRaMAAwIQIOOMC13EOrBuxIOQcnQloXDTEwMDIwMTA5NDcwNVowADAhAg5KmZl+krz4RsmrBydCWxcNMTAwMjAxMDk0NjQwWjAAMCECDmLG3zQJ/fzdSsUHJ0JiFw0xMDAzMDEwOTUxNDBaMAAwIQIOP39ksgHdojf4owcnQmMXDTEwMDMwMTA5NTExN1owADAhAg4LDQzvWNRlD6v9BydCZBcNMTAwMzAxMDk0NjIyWjAAMCECDkmNfeclaFhIaaUHJ0JlFw0xMDAzMDEwOTQ2MDVaMAAwIQIOT/qWWfpH/m8NTwcnQpQXDTEwMDUxMTA5MTgyMVowADAhAg5m/ksYxvCEgJSvBydClRcNMTAwNTExMDkxODAxWjAAMCECDgvf3Ohq6JOPU9AHJ0KWFw0xMDA1MTEwOTIxMjNaMAAwIQIOKSPas10z4jNVIQcnQpcXDTEwMDUxMTA5MjEwMlowADAhAg4mCWmhoZ3lyKCDBydCohcNMTEwNDI4MTEwMjI1WjAAMCECDkeiyRsBMK0Gvr4HJ0KjFw0xMTA0MjgxMTAyMDdaMAAwIQIOa09b/nH2+55SSwcnQq4XDTExMDQwMTA4Mjk0NlowADAhAg5O7M7iq7gGplr1BydCrxcNMTEwNDAxMDgzMDE3WjAAMCECDjlT6mJxUjTvyogHJ0K1Fw0xMTAxMjcxNTQ4NTJaMAAwIQIODS/l4UUFLe21NAcnQrYXDTExMDEyNzE1NDgyOFowADAhAg5lPRA0XdOUF6lSBydDHhcNMTEwMTI4MTQzNTA1WjAAMCECDixKX4fFGGpENwgHJ0MfFw0xMTAxMjgxNDM1MzBaMAAwIQIORNBkqsPnpKTtbAcnQ08XDTEwMDkwOTA4NDg0MlowADAhAg5QL+EMM3lohedEBydDUBcNMTAwOTA5MDg0ODE5WjAAMCECDlhDnHK+HiTRAXcHJ0NUFw0xMDEwMTkxNjIxNDBaMAAwIQIOdBFqAzq/INz53gcnQ1UXDTEwMTAxOTE2MjA0NFowADAhAg4OjR7s8MgKles1BydDWhcNMTEwMTI3MTY1MzM2WjAAMCECDmfR/elHee+d0SoHJ0NbFw0xMTAxMjcxNjUzNTZaMAAwIQIOBTKv2ui+KFMI+wcnQ5YXDTEwMDkxNTEwMjE1N1owADAhAg49F3c/GSah+oRUBydDmxcNMTEwMTI3MTczMjMzWjAAMCECDggv4I61WwpKFMMHJ0OcFw0xMTAxMjcxNzMyNTVaMAAwIQIOXx/Y8sEvwS10LAcnQ6UXDTExMDEyODExMjkzN1owADAhAg5LSLbnVrSKaw/9BydDphcNMTEwMTI4MTEyOTIwWjAAMCECDmFFoCuhKUeACQQHJ0PfFw0xMTAxMTExMDE3MzdaMAAwIQIOQTDdFh2fSPF6AAcnQ+AXDTExMDExMTEwMTcxMFowADAhAg5B8AOXX61FpvbbBydD5RcNMTAxMDA2MTAxNDM2WjAAMCECDh41P2Gmi7PkwI4HJ0PmFw0xMDEwMDYxMDE2MjVaMAAwIQIOWUHGLQCd+Ale9gcnQ/0XDTExMDUwMjA3NTYxMFowADAhAg5Z2c9AYkikmgWOBydD/hcNMTEwNTAyMDc1NjM0WjAAMCECDmf/UD+/h8nf+74HJ0QVFw0xMTA0MTUwNzI4MzNaMAAwIQIOICvj4epy3MrqfwcnRBYXDTExMDQxNTA3Mjg1NlowADAhAg4bouRMfOYqgv4xBydEHxcNMTEwMzA4MTYyNDI1WjAAMCECDhebWHGoKiTp7pEHJ0QgFw0xMTAzMDgxNjI0NDhaMAAwIQIOX+qnxxAqJ8LtawcnRDcXDTExMDEzMTE1MTIyOFowADAhAg4j0fICqZ+wkOdqBydEOBcNMTEwMTMxMTUxMTQxWjAAMCECDhmXjsV4SUpWtAMHJ0RLFw0xMTAxMjgxMTI0MTJaMAAwIQIODno/w+zG43kkTwcnREwXDTExMDEyODExMjM1MlowADAhAg4b1gc88767Fr+LBydETxcNMTEwMTI4MTEwMjA4WjAAMCECDn+M3Pa1w2nyFeUHJ0RQFw0xMTAxMjgxMDU4NDVaMAAwIQIOaduoyIH61tqybAcnRJUXDTEwMTIxNTA5NDMyMlowADAhAg4nLqQPkyi3ESAKBydElhcNMTAxMjE1MDk0MzM2WjAAMCECDi504NIMH8578gQHJ0SbFw0xMTAyMTQxNDA1NDFaMAAwIQIOGuaM8PDaC5u1egcnRJwXDTExMDIxNDE0MDYwNFowADAhAg4ehYq/BXGnB5PWBydEnxcNMTEwMjA0MDgwOTUxWjAAMCECDkSD4eS4FxW5H20HJ0SgFw0xMTAyMDQwODA5MjVaMAAwIQIOOCcb6ilYObt1egcnRKEXDTExMDEyNjEwNDEyOVowADAhAg58tISWCCwFnKGnBydEohcNMTEwMjA0MDgxMzQyWjAAMCECDn5rjtabY/L/WL0HJ0TJFw0xMTAyMDQxMTAzNDFaMAAwDQYJKoZIhvcNAQEFBQADggEBAGnF2Gs0+LNiYCW1Ipm83OXQYP/bd5tFFRzyz3iepFqNfYs4D68/QihjFoRHQoXEB0OEe1tvaVnnPGnEOpi6krwekquMxo4H88B5SlyiFIqemCOIss0SxlCFs69LmfRYvPPvPEhoXtQ3ZThe0UvKG83GOklhvGl6OaiRf4Mt+m8zOT4Wox/j6aOBK6cw6qKCdmD+Yj1rrNqFGg1CnSWMoD6S6mwNgkzwdBUJZ22BwrzAAo4RHa2Uy3ef1FjwD0XtU5N3uDSxGGBEDvOe5z82rps3E22FpAA8eYl8kaXtmWqyvYU0epp4brGuTxCuBMCAsxt/OjIjeNNQbBGkwxgfYA0="
|
|
||||||
|
|
||||||
const pemCRLBase64 = "LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tDQpNSUlCOWpDQ0FWOENBUUV3RFFZSktvWklodmNOQVFFRkJRQXdiREVhTUJnR0ExVUVDaE1SVWxOQklGTmxZM1Z5DQphWFI1SUVsdVl5NHhIakFjQmdOVkJBTVRGVkpUUVNCUWRXSnNhV01nVW05dmRDQkRRU0IyTVRFdU1Dd0dDU3FHDQpTSWIzRFFFSkFSWWZjbk5oYTJWdmJuSnZiM1J6YVdkdVFISnpZWE5sWTNWeWFYUjVMbU52YlJjTk1URXdNakl6DQpNVGt5T0RNd1doY05NVEV3T0RJeU1Ua3lPRE13V2pDQmpEQktBaEVBckRxb2g5RkhKSFhUN09QZ3V1bjQrQmNODQpNRGt4TVRBeU1UUXlOekE1V2pBbU1Bb0dBMVVkRlFRRENnRUpNQmdHQTFVZEdBUVJHQTh5TURBNU1URXdNakUwDQpNalExTlZvd1BnSVJBTEd6blowOTVQQjVhQU9MUGc1N2ZNTVhEVEF5TVRBeU16RTBOVEF4TkZvd0dqQVlCZ05WDQpIUmdFRVJnUE1qQXdNakV3TWpNeE5EVXdNVFJhb0RBd0xqQWZCZ05WSFNNRUdEQVdnQlQxVERGNlVRTS9MTmVMDQpsNWx2cUhHUXEzZzltekFMQmdOVkhSUUVCQUlDQUlRd0RRWUpLb1pJaHZjTkFRRUZCUUFEZ1lFQUZVNUFzNk16DQpxNVBSc2lmYW9iUVBHaDFhSkx5QytNczVBZ2MwYld5QTNHQWR4dXI1U3BQWmVSV0NCamlQL01FSEJXSkNsQkhQDQpHUmNxNXlJZDNFakRrYUV5eFJhK2k2N0x6dmhJNmMyOUVlNks5cFNZd2ppLzdSVWhtbW5Qclh0VHhsTDBsckxyDQptUVFKNnhoRFJhNUczUUE0Q21VZHNITnZicnpnbUNZcHZWRT0NCi0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0NCg0K"
|
|
198
dnsnames.go
198
dnsnames.go
|
@ -1,198 +0,0 @@
|
||||||
package ctwatch
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"errors"
|
|
||||||
"bytes"
|
|
||||||
"encoding/binary"
|
|
||||||
"encoding/asn1"
|
|
||||||
"crypto/x509/pkix"
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
|
||||||
oidExtensionSubjectAltName = []int{2, 5, 29, 17}
|
|
||||||
oidCommonName = []int{2, 5, 4, 3}
|
|
||||||
)
|
|
||||||
|
|
||||||
type rdnSequence []relativeDistinguishedNameSET
|
|
||||||
type relativeDistinguishedNameSET []attributeTypeAndValue
|
|
||||||
type attributeTypeAndValue struct {
|
|
||||||
Type asn1.ObjectIdentifier
|
|
||||||
Value asn1.RawValue
|
|
||||||
}
|
|
||||||
|
|
||||||
type tbsCertificate struct {
|
|
||||||
Version int `asn1:"optional,explicit,default:1,tag:0"`
|
|
||||||
SerialNumber asn1.RawValue
|
|
||||||
SignatureAlgorithm asn1.RawValue
|
|
||||||
Issuer asn1.RawValue
|
|
||||||
Validity asn1.RawValue
|
|
||||||
Subject asn1.RawValue
|
|
||||||
PublicKey asn1.RawValue
|
|
||||||
UniqueId asn1.BitString `asn1:"optional,tag:1"`
|
|
||||||
SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
|
|
||||||
Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type certificate struct {
|
|
||||||
TBSCertificate asn1.RawValue
|
|
||||||
SignatureAlgorithm asn1.RawValue
|
|
||||||
SignatureValue asn1.RawValue
|
|
||||||
}
|
|
||||||
|
|
||||||
func stringFromByteSlice (chars []byte) string {
|
|
||||||
runes := make([]rune, len(chars))
|
|
||||||
for i, ch := range chars {
|
|
||||||
runes[i] = rune(ch)
|
|
||||||
}
|
|
||||||
return string(runes)
|
|
||||||
}
|
|
||||||
|
|
||||||
func stringFromUint16Slice (chars []uint16) string {
|
|
||||||
runes := make([]rune, len(chars))
|
|
||||||
for i, ch := range chars {
|
|
||||||
runes[i] = rune(ch)
|
|
||||||
}
|
|
||||||
return string(runes)
|
|
||||||
}
|
|
||||||
|
|
||||||
func stringFromUint32Slice (chars []uint32) string {
|
|
||||||
runes := make([]rune, len(chars))
|
|
||||||
for i, ch := range chars {
|
|
||||||
runes[i] = rune(ch)
|
|
||||||
}
|
|
||||||
return string(runes)
|
|
||||||
}
|
|
||||||
|
|
||||||
func decodeString (value *asn1.RawValue) (string, error) {
|
|
||||||
if !value.IsCompound && value.Class == 0 {
|
|
||||||
if value.Tag == 12 {
|
|
||||||
// UTF8String
|
|
||||||
return string(value.Bytes), nil
|
|
||||||
} else if value.Tag == 19 || value.Tag == 22 || value.Tag == 20 {
|
|
||||||
// * PrintableString - subset of ASCII
|
|
||||||
// * IA5String - ASCII
|
|
||||||
// * TeletexString - 8 bit charset; not quite ISO-8859-1, but often treated as such
|
|
||||||
|
|
||||||
// Don't enforce character set rules. Allow any 8 bit character, since
|
|
||||||
// CAs routinely mess this up
|
|
||||||
return stringFromByteSlice(value.Bytes), nil
|
|
||||||
} else if value.Tag == 30 {
|
|
||||||
// BMPString - Unicode, encoded in big-endian format using two octets
|
|
||||||
runes := make([]uint16, len(value.Bytes) / 2)
|
|
||||||
if err := binary.Read(bytes.NewReader(value.Bytes), binary.BigEndian, runes); err != nil {
|
|
||||||
return "", errors.New("Malformed BMPString: " + err.Error())
|
|
||||||
}
|
|
||||||
return stringFromUint16Slice(runes), nil
|
|
||||||
} else if value.Tag == 28 {
|
|
||||||
// UniversalString - Unicode, encoded in big-endian format using four octets
|
|
||||||
runes := make([]uint32, len(value.Bytes) / 4)
|
|
||||||
if err := binary.Read(bytes.NewReader(value.Bytes), binary.BigEndian, runes); err != nil {
|
|
||||||
return "", errors.New("Malformed UniversalString: " + err.Error())
|
|
||||||
}
|
|
||||||
return stringFromUint32Slice(runes), nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return "", errors.New("Not a string")
|
|
||||||
}
|
|
||||||
|
|
||||||
func getCNs (rdns *rdnSequence) ([]string, error) {
|
|
||||||
var cns []string
|
|
||||||
|
|
||||||
for _, rdn := range *rdns {
|
|
||||||
if len(rdn) == 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
atv := rdn[0]
|
|
||||||
if atv.Type.Equal(oidCommonName) {
|
|
||||||
cnString, err := decodeString(&atv.Value)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.New("Error decoding CN: " + err.Error())
|
|
||||||
}
|
|
||||||
cns = append(cns, cnString)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return cns, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func parseSANExtension (value []byte) ([]string, error) {
|
|
||||||
var dnsNames []string
|
|
||||||
var seq asn1.RawValue
|
|
||||||
if rest, err := asn1.Unmarshal(value, &seq); err != nil {
|
|
||||||
return nil, errors.New("failed to parse subjectAltName extension: " + err.Error())
|
|
||||||
} else if len(rest) != 0 {
|
|
||||||
// Don't complain if the SAN is followed by exactly one zero byte,
|
|
||||||
// which is a common error.
|
|
||||||
if !(len(rest) == 1 && rest[0] == 0) {
|
|
||||||
return nil, fmt.Errorf("trailing data in subjectAltName extension: %v", rest)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
|
|
||||||
return nil, errors.New("failed to parse subjectAltName extension: bad SAN sequence")
|
|
||||||
}
|
|
||||||
|
|
||||||
rest := seq.Bytes
|
|
||||||
for len(rest) > 0 {
|
|
||||||
var val asn1.RawValue
|
|
||||||
var err error
|
|
||||||
rest, err = asn1.Unmarshal(rest, &val)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.New("failed to parse subjectAltName extension item: " + err.Error())
|
|
||||||
}
|
|
||||||
switch val.Tag {
|
|
||||||
case 2:
|
|
||||||
dnsNames = append(dnsNames, string(val.Bytes))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return dnsNames, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func ExtractDNSNamesFromTBS (tbsBytes []byte) ([]string, error) {
|
|
||||||
var dnsNames []string
|
|
||||||
|
|
||||||
var tbs tbsCertificate
|
|
||||||
if rest, err := asn1.Unmarshal(tbsBytes, &tbs); err != nil {
|
|
||||||
return nil, errors.New("failed to parse TBS: " + err.Error())
|
|
||||||
} else if len(rest) > 0 {
|
|
||||||
return nil, fmt.Errorf("trailing data after TBS: %v", rest)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Extract Common Name from Subject
|
|
||||||
var subject rdnSequence
|
|
||||||
if rest, err := asn1.Unmarshal(tbs.Subject.FullBytes, &subject); err != nil {
|
|
||||||
return nil, errors.New("failed to parse certificate subject: " + err.Error())
|
|
||||||
} else if len(rest) != 0 {
|
|
||||||
return nil, fmt.Errorf("trailing data in certificate subject: %v", rest)
|
|
||||||
}
|
|
||||||
cns, err := getCNs(&subject)
|
|
||||||
if err != nil {
|
|
||||||
return nil, errors.New("failed to process certificate subject: " + err.Error())
|
|
||||||
}
|
|
||||||
dnsNames = append(dnsNames, cns...)
|
|
||||||
|
|
||||||
// Extract DNS names from SubjectAlternativeName extension
|
|
||||||
for _, ext := range tbs.Extensions {
|
|
||||||
if ext.Id.Equal(oidExtensionSubjectAltName) {
|
|
||||||
dnsSans, err := parseSANExtension(ext.Value)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
dnsNames = append(dnsNames, dnsSans...)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return dnsNames, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func ExtractDNSNames (certBytes []byte) ([]string, error) {
|
|
||||||
var cert certificate
|
|
||||||
if rest, err := asn1.Unmarshal(certBytes, &cert); err != nil {
|
|
||||||
return nil, errors.New("failed to parse certificate: " + err.Error())
|
|
||||||
} else if len(rest) > 0 {
|
|
||||||
return nil, fmt.Errorf("trailing data after certificate: %v", rest)
|
|
||||||
}
|
|
||||||
|
|
||||||
return ExtractDNSNamesFromTBS(cert.TBSCertificate.FullBytes)
|
|
||||||
}
|
|
330
helpers.go
330
helpers.go
|
@ -18,8 +18,6 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
|
||||||
"src.agwa.name/ctwatch/ct"
|
"src.agwa.name/ctwatch/ct"
|
||||||
"src.agwa.name/ctwatch/ct/x509"
|
|
||||||
"src.agwa.name/ctwatch/ct/x509/pkix"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func ReadSTHFile (path string) (*ct.SignedTreeHead, error) {
|
func ReadSTHFile (path string) (*ct.SignedTreeHead, error) {
|
||||||
|
@ -48,72 +46,24 @@ func WriteSTHFile (path string, sth *ct.SignedTreeHead) error {
|
||||||
return ioutil.WriteFile(path, sthJson, 0666)
|
return ioutil.WriteFile(path, sthJson, 0666)
|
||||||
}
|
}
|
||||||
|
|
||||||
func EntryDNSNames (entry *ct.LogEntry) ([]string, error) {
|
func IsPrecert (entry *ct.LogEntry) bool {
|
||||||
switch entry.Leaf.TimestampedEntry.EntryType {
|
return entry.Leaf.TimestampedEntry.EntryType == ct.PrecertLogEntryType
|
||||||
case ct.X509LogEntryType:
|
|
||||||
return ExtractDNSNames(entry.Leaf.TimestampedEntry.X509Entry)
|
|
||||||
case ct.PrecertLogEntryType:
|
|
||||||
return ExtractDNSNamesFromTBS(entry.Leaf.TimestampedEntry.PrecertEntry.TBSCertificate)
|
|
||||||
}
|
|
||||||
panic("EntryDNSNames: entry is neither precert nor x509")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func ParseEntryCertificate (entry *ct.LogEntry) (*x509.Certificate, error) {
|
func GetFullChain (entry *ct.LogEntry) [][]byte {
|
||||||
if entry.Leaf.TimestampedEntry.EntryType == ct.PrecertLogEntryType {
|
certs := make([][]byte, 0, len(entry.Chain) + 1)
|
||||||
return x509.ParseTBSCertificate(entry.Leaf.TimestampedEntry.PrecertEntry.TBSCertificate)
|
|
||||||
} else if entry.Leaf.TimestampedEntry.EntryType == ct.X509LogEntryType {
|
if entry.Leaf.TimestampedEntry.EntryType == ct.X509LogEntryType {
|
||||||
return x509.ParseCertificate(entry.Leaf.TimestampedEntry.X509Entry)
|
certs = append(certs, entry.Leaf.TimestampedEntry.X509Entry)
|
||||||
} else {
|
|
||||||
panic("ParseEntryCertificate: entry is neither precert nor x509")
|
|
||||||
}
|
}
|
||||||
|
for _, cert := range entry.Chain {
|
||||||
|
certs = append(certs, cert)
|
||||||
|
}
|
||||||
|
|
||||||
|
return certs
|
||||||
}
|
}
|
||||||
|
|
||||||
func appendDnArray (buf *bytes.Buffer, code string, values []string) {
|
func formatSerialNumber (serial *big.Int) string {
|
||||||
for _, value := range values {
|
|
||||||
if buf.Len() != 0 {
|
|
||||||
buf.WriteString(", ")
|
|
||||||
}
|
|
||||||
buf.WriteString(code)
|
|
||||||
buf.WriteString("=")
|
|
||||||
buf.WriteString(value)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func appendDnValue (buf *bytes.Buffer, code string, value string) {
|
|
||||||
if value != "" {
|
|
||||||
appendDnArray(buf, code, []string{value})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func formatDN (name pkix.Name) (string) {
|
|
||||||
// C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
|
|
||||||
var buf bytes.Buffer
|
|
||||||
appendDnArray(&buf, "C", name.Country)
|
|
||||||
appendDnArray(&buf, "ST", name.Province)
|
|
||||||
appendDnArray(&buf, "L", name.Locality)
|
|
||||||
appendDnArray(&buf, "O", name.Organization)
|
|
||||||
appendDnArray(&buf, "OU", name.OrganizationalUnit)
|
|
||||||
appendDnValue(&buf, "CN", name.CommonName)
|
|
||||||
return buf.String()
|
|
||||||
}
|
|
||||||
|
|
||||||
func allDNSNames (cert *x509.Certificate) []string {
|
|
||||||
dnsNames := []string{}
|
|
||||||
|
|
||||||
if cert.Subject.CommonName != "" {
|
|
||||||
dnsNames = append(dnsNames, cert.Subject.CommonName)
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, dnsName := range cert.DNSNames {
|
|
||||||
if dnsName != cert.Subject.CommonName {
|
|
||||||
dnsNames = append(dnsNames, dnsName)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return dnsNames
|
|
||||||
}
|
|
||||||
|
|
||||||
func formatSerial (serial *big.Int) string {
|
|
||||||
if serial != nil {
|
if serial != nil {
|
||||||
return fmt.Sprintf("%x", serial)
|
return fmt.Sprintf("%x", serial)
|
||||||
} else {
|
} else {
|
||||||
|
@ -126,91 +76,154 @@ func sha256hex (data []byte) string {
|
||||||
return hex.EncodeToString(sum[:])
|
return hex.EncodeToString(sum[:])
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetRawCert (entry *ct.LogEntry) []byte {
|
|
||||||
switch entry.Leaf.TimestampedEntry.EntryType {
|
|
||||||
case ct.X509LogEntryType:
|
|
||||||
return entry.Leaf.TimestampedEntry.X509Entry
|
|
||||||
case ct.PrecertLogEntryType:
|
|
||||||
return entry.Chain[0]
|
|
||||||
}
|
|
||||||
panic("GetRawCert: entry is neither precert nor x509")
|
|
||||||
}
|
|
||||||
|
|
||||||
func IsPrecert (entry *ct.LogEntry) bool {
|
|
||||||
switch entry.Leaf.TimestampedEntry.EntryType {
|
|
||||||
case ct.PrecertLogEntryType:
|
|
||||||
return true
|
|
||||||
case ct.X509LogEntryType:
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
panic("IsPrecert: entry is neither precert nor x509")
|
|
||||||
}
|
|
||||||
|
|
||||||
type EntryInfo struct {
|
type EntryInfo struct {
|
||||||
LogUri string
|
LogUri string
|
||||||
Entry *ct.LogEntry
|
Entry *ct.LogEntry
|
||||||
ParsedCert *x509.Certificate
|
IsPrecert bool
|
||||||
ParseError error
|
FullChain [][]byte // first entry is logged X509 cert or pre-cert
|
||||||
CertInfo CertInfo
|
CertInfo *CertInfo
|
||||||
|
ParseError error // set iff CertInfo is nil
|
||||||
Filename string
|
Filename string
|
||||||
}
|
}
|
||||||
|
|
||||||
type CertInfo struct {
|
type CertInfo struct {
|
||||||
DnsNames []string
|
TBS *TBSCertificate
|
||||||
SubjectDn string
|
|
||||||
IssuerDn string
|
DNSNames []string
|
||||||
Serial string
|
DNSNamesParseError error
|
||||||
PubkeyHash string
|
Subject RDNSequence
|
||||||
NotBefore *time.Time
|
SubjectParseError error
|
||||||
NotAfter *time.Time
|
Issuer RDNSequence
|
||||||
|
IssuerParseError error
|
||||||
|
SerialNumber *big.Int
|
||||||
|
SerialNumberParseError error
|
||||||
|
Validity *CertValidity
|
||||||
|
ValidityParseError error
|
||||||
|
Constraints *BasicConstraints
|
||||||
|
ConstraintsParseError error
|
||||||
}
|
}
|
||||||
|
|
||||||
func MakeCertInfo (cert *x509.Certificate) CertInfo {
|
func MakeCertInfoFromTBS (tbs *TBSCertificate) *CertInfo {
|
||||||
return CertInfo {
|
info := &CertInfo{TBS: tbs}
|
||||||
DnsNames: allDNSNames(cert),
|
|
||||||
SubjectDn: formatDN(cert.Subject),
|
info.DNSNames, info.DNSNamesParseError = tbs.ParseDNSNames()
|
||||||
IssuerDn: formatDN(cert.Issuer),
|
info.Subject, info.SubjectParseError = tbs.ParseSubject()
|
||||||
Serial: formatSerial(cert.SerialNumber),
|
info.Issuer, info.IssuerParseError = tbs.ParseIssuer()
|
||||||
PubkeyHash: sha256hex(cert.RawSubjectPublicKeyInfo),
|
info.SerialNumber, info.SerialNumberParseError = tbs.ParseSerialNumber()
|
||||||
NotBefore: &cert.NotBefore,
|
info.Validity, info.ValidityParseError = tbs.ParseValidity()
|
||||||
NotAfter: &cert.NotAfter,
|
info.Constraints, info.ConstraintsParseError = tbs.ParseBasicConstraints()
|
||||||
|
|
||||||
|
return info
|
||||||
|
}
|
||||||
|
|
||||||
|
func MakeCertInfoFromRawTBS (tbsBytes []byte) (*CertInfo, error) {
|
||||||
|
tbs, err := ParseTBSCertificate(tbsBytes)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return MakeCertInfoFromTBS(tbs), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func MakeCertInfoFromRawCert (certBytes []byte) (*CertInfo, error) {
|
||||||
|
cert, err := ParseCertificate(certBytes)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return MakeCertInfoFromRawTBS(cert.GetRawTBSCertificate())
|
||||||
|
}
|
||||||
|
|
||||||
|
func MakeCertInfo (entry *ct.LogEntry) (*CertInfo, error) {
|
||||||
|
switch entry.Leaf.TimestampedEntry.EntryType {
|
||||||
|
case ct.X509LogEntryType:
|
||||||
|
return MakeCertInfoFromRawCert(entry.Leaf.TimestampedEntry.X509Entry)
|
||||||
|
|
||||||
|
case ct.PrecertLogEntryType:
|
||||||
|
return MakeCertInfoFromRawTBS(entry.Leaf.TimestampedEntry.PrecertEntry.TBSCertificate)
|
||||||
|
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("MakeCertInfoFromCTEntry: unknown CT entry type (neither X509 nor precert)")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (info *CertInfo) dnsNamesFriendlyString () string {
|
func (info *CertInfo) dnsNamesString () string {
|
||||||
if info.DnsNames != nil {
|
if info.DNSNamesParseError == nil {
|
||||||
return strings.Join(info.DnsNames, ", ")
|
return strings.Join(info.DNSNames, ", ")
|
||||||
} else {
|
} else {
|
||||||
return "*** UNKNOWN ***"
|
return ""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (info *CertInfo) NotBefore () *time.Time {
|
||||||
|
if info.ValidityParseError == nil {
|
||||||
|
return &info.Validity.NotBefore
|
||||||
|
} else {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (info *CertInfo) NotAfter () *time.Time {
|
||||||
|
if info.ValidityParseError == nil {
|
||||||
|
return &info.Validity.NotAfter
|
||||||
|
} else {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (info *CertInfo) PubkeyHash () string {
|
||||||
|
return sha256hex(info.TBS.GetRawPublicKey())
|
||||||
|
}
|
||||||
|
|
||||||
func (info *CertInfo) Environ () []string {
|
func (info *CertInfo) Environ () []string {
|
||||||
var env []string
|
env := make([]string, 0, 10)
|
||||||
if info.DnsNames != nil { env = append(env, "DNS_NAMES=" + strings.Join(info.DnsNames, ",")) }
|
|
||||||
if info.SubjectDn != "" { env = append(env, "SUBJECT_DN=" + info.SubjectDn) }
|
env = append(env, "PUBKEY_HASH=" + info.PubkeyHash())
|
||||||
if info.IssuerDn != "" { env = append(env, "ISSUER_DN=" + info.IssuerDn) }
|
|
||||||
if info.Serial != "" { env = append(env, "SERIAL=" + info.Serial) }
|
if info.DNSNamesParseError != nil {
|
||||||
if info.PubkeyHash != "" { env = append(env, "PUBKEY_HASH=" + info.PubkeyHash) }
|
env = append(env, "DNS_NAMES_PARSE_ERROR=" + info.DNSNamesParseError.Error())
|
||||||
if info.NotBefore != nil { env = append(env, "NOT_BEFORE=" + strconv.FormatInt(info.NotBefore.Unix(), 10)) }
|
} else {
|
||||||
if info.NotAfter != nil { env = append(env, "NOT_AFTER=" + strconv.FormatInt(info.NotAfter.Unix(), 10)) }
|
env = append(env, "DNS_NAMES=" + strings.Join(info.DNSNames, ","))
|
||||||
|
}
|
||||||
|
|
||||||
|
if info.SerialNumberParseError != nil {
|
||||||
|
env = append(env, "SERIAL_PARSE_ERROR=" + info.SerialNumberParseError.Error())
|
||||||
|
} else {
|
||||||
|
env = append(env, "SERIAL=" + formatSerialNumber(info.SerialNumber))
|
||||||
|
}
|
||||||
|
|
||||||
|
if info.ValidityParseError != nil {
|
||||||
|
env = append(env, "VALIDITY_PARSE_ERROR=" + info.ValidityParseError.Error())
|
||||||
|
} else {
|
||||||
|
env = append(env, "NOT_BEFORE=" + info.Validity.NotBefore.String())
|
||||||
|
env = append(env, "NOT_BEFORE_UNIXTIME=" + strconv.FormatInt(info.Validity.NotBefore.Unix(), 10))
|
||||||
|
env = append(env, "NOT_AFTER=" + info.Validity.NotAfter.String())
|
||||||
|
env = append(env, "NOT_AFTER_UNIXTIME=" + strconv.FormatInt(info.Validity.NotAfter.Unix(), 10))
|
||||||
|
}
|
||||||
|
|
||||||
|
if info.SubjectParseError != nil {
|
||||||
|
env = append(env, "SUBJECT_PARSE_ERROR=" + info.SubjectParseError.Error())
|
||||||
|
} else {
|
||||||
|
env = append(env, "SUBJECT_DN=" + info.Subject.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
if info.IssuerParseError != nil {
|
||||||
|
env = append(env, "ISSUER_PARSE_ERROR=" + info.IssuerParseError.Error())
|
||||||
|
} else {
|
||||||
|
env = append(env, "ISSUER_DN=" + info.Issuer.String())
|
||||||
|
}
|
||||||
|
|
||||||
return env
|
return env
|
||||||
}
|
}
|
||||||
|
|
||||||
func (info *EntryInfo) GetRawCert () []byte {
|
|
||||||
return GetRawCert(info.Entry)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (info *EntryInfo) Fingerprint () string {
|
func (info *EntryInfo) Fingerprint () string {
|
||||||
return sha256hex(info.GetRawCert())
|
if len(info.FullChain) > 0 {
|
||||||
}
|
return sha256hex(info.FullChain[0])
|
||||||
|
} else {
|
||||||
func (info *EntryInfo) IsPrecert () bool {
|
return ""
|
||||||
return IsPrecert(info.Entry)
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (info *EntryInfo) typeString () string {
|
func (info *EntryInfo) typeString () string {
|
||||||
if info.IsPrecert() {
|
if info.IsPrecert {
|
||||||
return "precert"
|
return "precert"
|
||||||
} else {
|
} else {
|
||||||
return "cert"
|
return "cert"
|
||||||
|
@ -218,7 +231,7 @@ func (info *EntryInfo) typeString () string {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (info *EntryInfo) typeFriendlyString () string {
|
func (info *EntryInfo) typeFriendlyString () string {
|
||||||
if info.IsPrecert() {
|
if info.IsPrecert {
|
||||||
return "Pre-certificate"
|
return "Pre-certificate"
|
||||||
} else {
|
} else {
|
||||||
return "Certificate"
|
return "Certificate"
|
||||||
|
@ -237,7 +250,7 @@ func (info *EntryInfo) Environ () []string {
|
||||||
env := []string{
|
env := []string{
|
||||||
"FINGERPRINT=" + info.Fingerprint(),
|
"FINGERPRINT=" + info.Fingerprint(),
|
||||||
"CERT_TYPE=" + info.typeString(),
|
"CERT_TYPE=" + info.typeString(),
|
||||||
"CERT_PARSEABLE=" + yesnoString(info.ParsedCert != nil),
|
"CERT_PARSEABLE=" + yesnoString(info.ParseError == nil),
|
||||||
"LOG_URI=" + info.LogUri,
|
"LOG_URI=" + info.LogUri,
|
||||||
"ENTRY_INDEX=" + strconv.FormatInt(info.Entry.Index, 10),
|
"ENTRY_INDEX=" + strconv.FormatInt(info.Entry.Index, 10),
|
||||||
}
|
}
|
||||||
|
@ -245,37 +258,44 @@ func (info *EntryInfo) Environ () []string {
|
||||||
if info.Filename != "" {
|
if info.Filename != "" {
|
||||||
env = append(env, "CERT_FILENAME=" + info.Filename)
|
env = append(env, "CERT_FILENAME=" + info.Filename)
|
||||||
}
|
}
|
||||||
if info.ParseError != nil {
|
if info.ParseError == nil {
|
||||||
|
certEnv := info.CertInfo.Environ()
|
||||||
|
env = append(env, certEnv...)
|
||||||
|
} else {
|
||||||
env = append(env, "PARSE_ERROR=" + info.ParseError.Error())
|
env = append(env, "PARSE_ERROR=" + info.ParseError.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
certEnv := info.CertInfo.Environ()
|
|
||||||
env = append(env, certEnv...)
|
|
||||||
|
|
||||||
return env
|
return env
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func writeField (out io.Writer, name string, value interface{}, err error) {
|
||||||
|
if err == nil {
|
||||||
|
fmt.Fprintf(out, "\t%13s = %s\n", name, value)
|
||||||
|
} else {
|
||||||
|
fmt.Fprintf(out, "\t%13s = *** UNKNOWN (%s) ***\n", name, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func (info *EntryInfo) Write (out io.Writer) {
|
func (info *EntryInfo) Write (out io.Writer) {
|
||||||
fingerprint := info.Fingerprint()
|
fingerprint := info.Fingerprint()
|
||||||
fmt.Fprintf(out, "%s:\n", fingerprint)
|
fmt.Fprintf(out, "%s:\n", fingerprint)
|
||||||
if info.ParseError != nil {
|
if info.ParseError != nil {
|
||||||
if info.ParsedCert != nil {
|
writeField(out, "Parse Error", "*** " + info.ParseError.Error() + " ***", nil)
|
||||||
fmt.Fprintf(out, "\tParse Warning = *** %s ***\n", info.ParseError)
|
|
||||||
} else {
|
} else {
|
||||||
fmt.Fprintf(out, "\t Parse Error = *** %s ***\n", info.ParseError)
|
writeField(out, "DNS Names", info.CertInfo.dnsNamesString(), info.CertInfo.DNSNamesParseError)
|
||||||
|
writeField(out, "Pubkey", info.CertInfo.PubkeyHash(), nil)
|
||||||
|
writeField(out, "Subject", info.CertInfo.Subject, info.CertInfo.SubjectParseError)
|
||||||
|
writeField(out, "Issuer", info.CertInfo.Issuer, info.CertInfo.IssuerParseError)
|
||||||
|
writeField(out, "Serial", info.CertInfo.SerialNumber, info.CertInfo.SerialNumberParseError)
|
||||||
|
writeField(out, "Not Before", info.CertInfo.NotBefore(), info.CertInfo.ValidityParseError)
|
||||||
|
writeField(out, "Not After", info.CertInfo.NotAfter(), info.CertInfo.ValidityParseError)
|
||||||
}
|
}
|
||||||
|
writeField(out, "Type", info.typeFriendlyString(), nil)
|
||||||
|
writeField(out, "Log Entry", fmt.Sprintf("%d @ %s", info.Entry.Index, info.LogUri), nil)
|
||||||
|
writeField(out, "crt.sh", "https://crt.sh/?q=" + fingerprint, nil)
|
||||||
|
if info.Filename != "" {
|
||||||
|
writeField(out, "Filename", info.Filename, nil)
|
||||||
}
|
}
|
||||||
fmt.Fprintf(out, "\t DNS Names = %s\n", info.CertInfo.dnsNamesFriendlyString())
|
|
||||||
if info.CertInfo.PubkeyHash != "" { fmt.Fprintf(out, "\t Pubkey = %s\n", info.CertInfo.PubkeyHash) }
|
|
||||||
if info.CertInfo.SubjectDn != "" { fmt.Fprintf(out, "\t Subject = %s\n", info.CertInfo.SubjectDn) }
|
|
||||||
if info.CertInfo.IssuerDn != "" { fmt.Fprintf(out, "\t Issuer = %s\n", info.CertInfo.IssuerDn) }
|
|
||||||
if info.CertInfo.Serial != "" { fmt.Fprintf(out, "\t Serial = %s\n", info.CertInfo.Serial) }
|
|
||||||
if info.CertInfo.NotBefore != nil { fmt.Fprintf(out, "\t Not Before = %s\n", *info.CertInfo.NotBefore) }
|
|
||||||
if info.CertInfo.NotAfter != nil { fmt.Fprintf(out, "\t Not After = %s\n", *info.CertInfo.NotAfter) }
|
|
||||||
fmt.Fprintf(out, "\t Type = %s\n", info.typeFriendlyString())
|
|
||||||
fmt.Fprintf(out, "\t Log Entry = %d @ %s\n", info.Entry.Index, info.LogUri)
|
|
||||||
fmt.Fprintf(out, "\t crt.sh = https://crt.sh/?q=%s\n", fingerprint)
|
|
||||||
if info.Filename != "" { fmt.Fprintf(out, "\t Filename = %s\n", info.Filename) }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (info *EntryInfo) InvokeHookScript (command string) error {
|
func (info *EntryInfo) InvokeHookScript (command string) error {
|
||||||
|
@ -295,13 +315,17 @@ func (info *EntryInfo) InvokeHookScript (command string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func WriteCertRepository (repoPath string, entry *ct.LogEntry) (bool, string, error) {
|
func WriteCertRepository (repoPath string, isPrecert bool, certs [][]byte) (bool, string, error) {
|
||||||
fingerprint := sha256hex(GetRawCert(entry))
|
if len(certs) == 0 {
|
||||||
|
return false, "", fmt.Errorf("Cannot write an empty certificate chain")
|
||||||
|
}
|
||||||
|
|
||||||
|
fingerprint := sha256hex(certs[0])
|
||||||
prefixPath := filepath.Join(repoPath, fingerprint[0:2])
|
prefixPath := filepath.Join(repoPath, fingerprint[0:2])
|
||||||
var filenameSuffix string
|
var filenameSuffix string
|
||||||
if entry.Leaf.TimestampedEntry.EntryType == ct.PrecertLogEntryType {
|
if isPrecert {
|
||||||
filenameSuffix = ".precert.pem"
|
filenameSuffix = ".precert.pem"
|
||||||
} else if entry.Leaf.TimestampedEntry.EntryType == ct.X509LogEntryType {
|
} else {
|
||||||
filenameSuffix = ".cert.pem"
|
filenameSuffix = ".cert.pem"
|
||||||
}
|
}
|
||||||
if err := os.Mkdir(prefixPath, 0777); err != nil && !os.IsExist(err) {
|
if err := os.Mkdir(prefixPath, 0777); err != nil && !os.IsExist(err) {
|
||||||
|
@ -316,14 +340,8 @@ func WriteCertRepository (repoPath string, entry *ct.LogEntry) (bool, string, er
|
||||||
return false, path, fmt.Errorf("Failed to open %s for writing: %s", path, err)
|
return false, path, fmt.Errorf("Failed to open %s for writing: %s", path, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if entry.Leaf.TimestampedEntry.EntryType == ct.X509LogEntryType {
|
for _, cert := range certs {
|
||||||
if err := pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: entry.Leaf.TimestampedEntry.X509Entry}); err != nil {
|
if err := pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: cert}); err != nil {
|
||||||
file.Close()
|
|
||||||
return false, path, fmt.Errorf("Error writing to %s: %s", path, err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
for _, chainCert := range entry.Chain {
|
|
||||||
if err := pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: chainCert}); err != nil {
|
|
||||||
file.Close()
|
file.Close()
|
||||||
return false, path, fmt.Errorf("Error writing to %s: %s", path, err)
|
return false, path, fmt.Errorf("Error writing to %s: %s", path, err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,300 @@
|
||||||
|
package ctwatch
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"bytes"
|
||||||
|
"errors"
|
||||||
|
"encoding/asn1"
|
||||||
|
"math/big"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
|
||||||
|
oidExtensionBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
|
||||||
|
oidCountry = asn1.ObjectIdentifier{2, 5, 4, 6}
|
||||||
|
oidOrganization = asn1.ObjectIdentifier{2, 5, 4, 10}
|
||||||
|
oidOrganizationalUnit = asn1.ObjectIdentifier{2, 5, 4, 11}
|
||||||
|
oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}
|
||||||
|
oidSerialNumber = asn1.ObjectIdentifier{2, 5, 4, 5}
|
||||||
|
oidLocality = asn1.ObjectIdentifier{2, 5, 4, 7}
|
||||||
|
oidProvince = asn1.ObjectIdentifier{2, 5, 4, 8}
|
||||||
|
oidStreetAddress = asn1.ObjectIdentifier{2, 5, 4, 9}
|
||||||
|
oidPostalCode = asn1.ObjectIdentifier{2, 5, 4, 17}
|
||||||
|
)
|
||||||
|
|
||||||
|
type CertValidity struct {
|
||||||
|
NotBefore time.Time
|
||||||
|
NotAfter time.Time
|
||||||
|
}
|
||||||
|
|
||||||
|
type BasicConstraints struct {
|
||||||
|
IsCA bool `asn1:"optional"`
|
||||||
|
MaxPathLen int `asn1:"optional,default:-1"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type Extension struct {
|
||||||
|
Id asn1.ObjectIdentifier
|
||||||
|
Critical bool `asn1:"optional"`
|
||||||
|
Value []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
type RDNSequence []RelativeDistinguishedNameSET
|
||||||
|
type RelativeDistinguishedNameSET []AttributeTypeAndValue
|
||||||
|
type AttributeTypeAndValue struct {
|
||||||
|
Type asn1.ObjectIdentifier
|
||||||
|
Value asn1.RawValue
|
||||||
|
}
|
||||||
|
|
||||||
|
type TBSCertificate struct {
|
||||||
|
Raw asn1.RawContent
|
||||||
|
|
||||||
|
Version int `asn1:"optional,explicit,default:1,tag:0"`
|
||||||
|
SerialNumber asn1.RawValue
|
||||||
|
SignatureAlgorithm asn1.RawValue
|
||||||
|
Issuer asn1.RawValue
|
||||||
|
Validity asn1.RawValue
|
||||||
|
Subject asn1.RawValue
|
||||||
|
PublicKey asn1.RawValue
|
||||||
|
UniqueId asn1.BitString `asn1:"optional,tag:1"`
|
||||||
|
SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
|
||||||
|
Extensions []Extension `asn1:"optional,explicit,tag:3"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type Certificate struct {
|
||||||
|
Raw asn1.RawContent
|
||||||
|
|
||||||
|
TBSCertificate asn1.RawValue
|
||||||
|
SignatureAlgorithm asn1.RawValue
|
||||||
|
SignatureValue asn1.RawValue
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
func (rdns RDNSequence) ParseCNs () ([]string, error) {
|
||||||
|
var cns []string
|
||||||
|
|
||||||
|
for _, rdn := range rdns {
|
||||||
|
if len(rdn) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
atv := rdn[0]
|
||||||
|
if atv.Type.Equal(oidCommonName) {
|
||||||
|
cnString, err := decodeASN1String(&atv.Value)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.New("Error decoding CN: " + err.Error())
|
||||||
|
}
|
||||||
|
cns = append(cns, cnString)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return cns, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func rdnLabel (oid asn1.ObjectIdentifier) string {
|
||||||
|
switch {
|
||||||
|
case oid.Equal(oidCountry): return "C"
|
||||||
|
case oid.Equal(oidOrganization): return "O"
|
||||||
|
case oid.Equal(oidOrganizationalUnit): return "OU"
|
||||||
|
case oid.Equal(oidCommonName): return "CN"
|
||||||
|
case oid.Equal(oidSerialNumber): return "serialNumber"
|
||||||
|
case oid.Equal(oidLocality): return "L"
|
||||||
|
case oid.Equal(oidProvince): return "ST"
|
||||||
|
case oid.Equal(oidStreetAddress): return "street"
|
||||||
|
case oid.Equal(oidPostalCode): return "postalCode"
|
||||||
|
}
|
||||||
|
return oid.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (rdns RDNSequence) String () string {
|
||||||
|
var buf bytes.Buffer
|
||||||
|
|
||||||
|
for _, rdn := range rdns {
|
||||||
|
if len(rdn) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
atv := rdn[0]
|
||||||
|
|
||||||
|
if buf.Len() != 0 {
|
||||||
|
buf.WriteString(", ")
|
||||||
|
}
|
||||||
|
buf.WriteString(rdnLabel(atv.Type))
|
||||||
|
buf.WriteString("=")
|
||||||
|
valueString, err := decodeASN1String(&atv.Value)
|
||||||
|
if err == nil {
|
||||||
|
buf.WriteString(valueString)
|
||||||
|
} else {
|
||||||
|
fmt.Fprintf(&buf, "%v", atv.Value.FullBytes)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return buf.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
func ParseTBSCertificate (tbsBytes []byte) (*TBSCertificate, error) {
|
||||||
|
var tbs TBSCertificate
|
||||||
|
if rest, err := asn1.Unmarshal(tbsBytes, &tbs); err != nil {
|
||||||
|
return nil, errors.New("failed to parse TBS: " + err.Error())
|
||||||
|
} else if len(rest) > 0 {
|
||||||
|
return nil, fmt.Errorf("trailing data after TBS: %v", rest)
|
||||||
|
}
|
||||||
|
return &tbs, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) ParseValidity () (*CertValidity, error) {
|
||||||
|
var validity CertValidity
|
||||||
|
if rest, err := asn1.Unmarshal(tbs.Validity.FullBytes, &validity); err != nil {
|
||||||
|
return nil, errors.New("failed to parse validity: " + err.Error())
|
||||||
|
} else if len(rest) > 0 {
|
||||||
|
return nil, fmt.Errorf("trailing data after validity: %v", rest)
|
||||||
|
}
|
||||||
|
return &validity, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) ParseBasicConstraints () (*BasicConstraints, error) {
|
||||||
|
constraintExts := tbs.GetExtension(oidExtensionBasicConstraints)
|
||||||
|
if len(constraintExts) == 0 {
|
||||||
|
return nil, nil
|
||||||
|
} else if len(constraintExts) > 1 {
|
||||||
|
return nil, fmt.Errorf("Certificate has more than one Basic Constraints extension")
|
||||||
|
}
|
||||||
|
|
||||||
|
var constraints BasicConstraints
|
||||||
|
if rest, err := asn1.Unmarshal(constraintExts[0].Value, &constraints); err != nil {
|
||||||
|
return nil, errors.New("failed to parse Basic Constraints: " + err.Error())
|
||||||
|
} else if len(rest) > 0 {
|
||||||
|
return nil, fmt.Errorf("trailing data after Basic Constraints: %v", rest)
|
||||||
|
}
|
||||||
|
return &constraints, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) ParseSerialNumber () (*big.Int, error) {
|
||||||
|
serialNumber := big.NewInt(0)
|
||||||
|
if rest, err := asn1.Unmarshal(tbs.SerialNumber.FullBytes, &serialNumber); err != nil {
|
||||||
|
return nil, errors.New("failed to parse serial number: " + err.Error())
|
||||||
|
} else if len(rest) > 0 {
|
||||||
|
return nil, fmt.Errorf("trailing data after serial number: %v", rest)
|
||||||
|
}
|
||||||
|
return serialNumber, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) GetRawPublicKey () []byte {
|
||||||
|
return tbs.PublicKey.FullBytes
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) GetRawSubject () []byte {
|
||||||
|
return tbs.Subject.FullBytes
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) GetRawIssuer () []byte {
|
||||||
|
return tbs.Issuer.FullBytes
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) ParseSubject () (RDNSequence, error) {
|
||||||
|
var subject RDNSequence
|
||||||
|
if rest, err := asn1.Unmarshal(tbs.GetRawSubject(), &subject); err != nil {
|
||||||
|
return nil, errors.New("failed to parse certificate subject: " + err.Error())
|
||||||
|
} else if len(rest) != 0 {
|
||||||
|
return nil, fmt.Errorf("trailing data in certificate subject: %v", rest)
|
||||||
|
}
|
||||||
|
return subject, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) ParseIssuer () (RDNSequence, error) {
|
||||||
|
var issuer RDNSequence
|
||||||
|
if rest, err := asn1.Unmarshal(tbs.GetRawIssuer(), &issuer); err != nil {
|
||||||
|
return nil, errors.New("failed to parse certificate issuer: " + err.Error())
|
||||||
|
} else if len(rest) != 0 {
|
||||||
|
return nil, fmt.Errorf("trailing data in certificate issuer: %v", rest)
|
||||||
|
}
|
||||||
|
return issuer, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
|
||||||
|
var dnsNames []string
|
||||||
|
|
||||||
|
// Extract Common Name from Subject
|
||||||
|
subject, err := tbs.ParseSubject()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
cns, err := subject.ParseCNs()
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.New("failed to process certificate subject: " + err.Error())
|
||||||
|
}
|
||||||
|
dnsNames = append(dnsNames, cns...)
|
||||||
|
|
||||||
|
// Extract DNS names from SubjectAlternativeName extension
|
||||||
|
for _, sanExt := range tbs.GetExtension(oidExtensionSubjectAltName) {
|
||||||
|
dnsSans, err := parseSANExtension(sanExt.Value)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
dnsNames = append(dnsNames, dnsSans...)
|
||||||
|
}
|
||||||
|
|
||||||
|
return dnsNames, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (tbs *TBSCertificate) GetExtension (id asn1.ObjectIdentifier) []Extension {
|
||||||
|
var exts []Extension
|
||||||
|
for _, ext := range tbs.Extensions {
|
||||||
|
if ext.Id.Equal(id) {
|
||||||
|
exts = append(exts, ext)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return exts
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
func ParseCertificate (certBytes []byte) (*Certificate, error) {
|
||||||
|
var cert Certificate
|
||||||
|
if rest, err := asn1.Unmarshal(certBytes, &cert); err != nil {
|
||||||
|
return nil, errors.New("failed to parse certificate: " + err.Error())
|
||||||
|
} else if len(rest) > 0 {
|
||||||
|
return nil, fmt.Errorf("trailing data after certificate: %v", rest)
|
||||||
|
}
|
||||||
|
return &cert, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cert *Certificate) GetRawTBSCertificate () []byte {
|
||||||
|
return cert.TBSCertificate.FullBytes
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cert *Certificate) ParseTBSCertificate () (*TBSCertificate, error) {
|
||||||
|
return ParseTBSCertificate(cert.GetRawTBSCertificate())
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
func parseSANExtension (value []byte) ([]string, error) {
|
||||||
|
var dnsNames []string
|
||||||
|
var seq asn1.RawValue
|
||||||
|
if rest, err := asn1.Unmarshal(value, &seq); err != nil {
|
||||||
|
return nil, errors.New("failed to parse subjectAltName extension: " + err.Error())
|
||||||
|
} else if len(rest) != 0 {
|
||||||
|
// Don't complain if the SAN is followed by exactly one zero byte,
|
||||||
|
// which is a common error.
|
||||||
|
if !(len(rest) == 1 && rest[0] == 0) {
|
||||||
|
return nil, fmt.Errorf("trailing data in subjectAltName extension: %v", rest)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
|
||||||
|
return nil, errors.New("failed to parse subjectAltName extension: bad SAN sequence")
|
||||||
|
}
|
||||||
|
|
||||||
|
rest := seq.Bytes
|
||||||
|
for len(rest) > 0 {
|
||||||
|
var val asn1.RawValue
|
||||||
|
var err error
|
||||||
|
rest, err = asn1.Unmarshal(rest, &val)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.New("failed to parse subjectAltName extension item: " + err.Error())
|
||||||
|
}
|
||||||
|
switch val.Tag {
|
||||||
|
case 2:
|
||||||
|
dnsNames = append(dnsNames, string(val.Bytes))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return dnsNames, nil
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue