Source file src/crypto/x509/x509.go

Documentation: crypto/x509

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package x509 parses X.509-encoded keys and certificates.
     6  //
     7  // On UNIX systems the environment variables SSL_CERT_FILE and SSL_CERT_DIR
     8  // can be used to override the system default locations for the SSL certificate
     9  // file and SSL certificate files directory, respectively.
    10  package x509
    11  
    12  import (
    13  	"bytes"
    14  	"crypto"
    15  	"crypto/dsa"
    16  	"crypto/ecdsa"
    17  	"crypto/ed25519"
    18  	"crypto/elliptic"
    19  	"crypto/rsa"
    20  	_ "crypto/sha1"
    21  	_ "crypto/sha256"
    22  	_ "crypto/sha512"
    23  	"crypto/x509/pkix"
    24  	"encoding/asn1"
    25  	"encoding/pem"
    26  	"errors"
    27  	"fmt"
    28  	"golang.org/x/crypto/cryptobyte"
    29  	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
    30  	"io"
    31  	"math/big"
    32  	"net"
    33  	"net/url"
    34  	"strconv"
    35  	"strings"
    36  	"time"
    37  	"unicode/utf8"
    38  )
    39  
    40  // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
    41  // in RFC 3280.
    42  type pkixPublicKey struct {
    43  	Algo      pkix.AlgorithmIdentifier
    44  	BitString asn1.BitString
    45  }
    46  
    47  // ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
    48  //
    49  // It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
    50  // ed25519.PublicKey. More types might be supported in the future.
    51  //
    52  // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
    53  func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
    54  	var pki publicKeyInfo
    55  	if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
    56  		if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil {
    57  			return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)")
    58  		}
    59  		return nil, err
    60  	} else if len(rest) != 0 {
    61  		return nil, errors.New("x509: trailing data after ASN.1 of public-key")
    62  	}
    63  	algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
    64  	if algo == UnknownPublicKeyAlgorithm {
    65  		return nil, errors.New("x509: unknown public key algorithm")
    66  	}
    67  	return parsePublicKey(algo, &pki)
    68  }
    69  
    70  func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
    71  	switch pub := pub.(type) {
    72  	case *rsa.PublicKey:
    73  		publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
    74  			N: pub.N,
    75  			E: pub.E,
    76  		})
    77  		if err != nil {
    78  			return nil, pkix.AlgorithmIdentifier{}, err
    79  		}
    80  		publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
    81  		// This is a NULL parameters value which is required by
    82  		// RFC 3279, Section 2.3.1.
    83  		publicKeyAlgorithm.Parameters = asn1.NullRawValue
    84  	case *ecdsa.PublicKey:
    85  		publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
    86  		oid, ok := oidFromNamedCurve(pub.Curve)
    87  		if !ok {
    88  			return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
    89  		}
    90  		publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
    91  		var paramBytes []byte
    92  		paramBytes, err = asn1.Marshal(oid)
    93  		if err != nil {
    94  			return
    95  		}
    96  		publicKeyAlgorithm.Parameters.FullBytes = paramBytes
    97  	case ed25519.PublicKey:
    98  		publicKeyBytes = pub
    99  		publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519
   100  	default:
   101  		return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: only RSA and ECDSA public keys supported")
   102  	}
   103  
   104  	return publicKeyBytes, publicKeyAlgorithm, nil
   105  }
   106  
   107  // MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
   108  //
   109  // The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
   110  // and ed25519.PublicKey. Unsupported key types result in an error.
   111  //
   112  // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
   113  func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
   114  	var publicKeyBytes []byte
   115  	var publicKeyAlgorithm pkix.AlgorithmIdentifier
   116  	var err error
   117  
   118  	if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
   119  		return nil, err
   120  	}
   121  
   122  	pkix := pkixPublicKey{
   123  		Algo: publicKeyAlgorithm,
   124  		BitString: asn1.BitString{
   125  			Bytes:     publicKeyBytes,
   126  			BitLength: 8 * len(publicKeyBytes),
   127  		},
   128  	}
   129  
   130  	ret, _ := asn1.Marshal(pkix)
   131  	return ret, nil
   132  }
   133  
   134  // These structures reflect the ASN.1 structure of X.509 certificates.:
   135  
   136  type certificate struct {
   137  	Raw                asn1.RawContent
   138  	TBSCertificate     tbsCertificate
   139  	SignatureAlgorithm pkix.AlgorithmIdentifier
   140  	SignatureValue     asn1.BitString
   141  }
   142  
   143  type tbsCertificate struct {
   144  	Raw                asn1.RawContent
   145  	Version            int `asn1:"optional,explicit,default:0,tag:0"`
   146  	SerialNumber       *big.Int
   147  	SignatureAlgorithm pkix.AlgorithmIdentifier
   148  	Issuer             asn1.RawValue
   149  	Validity           validity
   150  	Subject            asn1.RawValue
   151  	PublicKey          publicKeyInfo
   152  	UniqueId           asn1.BitString   `asn1:"optional,tag:1"`
   153  	SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
   154  	Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
   155  }
   156  
   157  type dsaAlgorithmParameters struct {
   158  	P, Q, G *big.Int
   159  }
   160  
   161  type dsaSignature struct {
   162  	R, S *big.Int
   163  }
   164  
   165  type ecdsaSignature dsaSignature
   166  
   167  type validity struct {
   168  	NotBefore, NotAfter time.Time
   169  }
   170  
   171  type publicKeyInfo struct {
   172  	Raw       asn1.RawContent
   173  	Algorithm pkix.AlgorithmIdentifier
   174  	PublicKey asn1.BitString
   175  }
   176  
   177  // RFC 5280,  4.2.1.1
   178  type authKeyId struct {
   179  	Id []byte `asn1:"optional,tag:0"`
   180  }
   181  
   182  type SignatureAlgorithm int
   183  
   184  const (
   185  	UnknownSignatureAlgorithm SignatureAlgorithm = iota
   186  	MD2WithRSA
   187  	MD5WithRSA
   188  	SHA1WithRSA
   189  	SHA256WithRSA
   190  	SHA384WithRSA
   191  	SHA512WithRSA
   192  	DSAWithSHA1
   193  	DSAWithSHA256
   194  	ECDSAWithSHA1
   195  	ECDSAWithSHA256
   196  	ECDSAWithSHA384
   197  	ECDSAWithSHA512
   198  	SHA256WithRSAPSS
   199  	SHA384WithRSAPSS
   200  	SHA512WithRSAPSS
   201  	PureEd25519
   202  )
   203  
   204  func (algo SignatureAlgorithm) isRSAPSS() bool {
   205  	switch algo {
   206  	case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS:
   207  		return true
   208  	default:
   209  		return false
   210  	}
   211  }
   212  
   213  func (algo SignatureAlgorithm) String() string {
   214  	for _, details := range signatureAlgorithmDetails {
   215  		if details.algo == algo {
   216  			return details.name
   217  		}
   218  	}
   219  	return strconv.Itoa(int(algo))
   220  }
   221  
   222  type PublicKeyAlgorithm int
   223  
   224  const (
   225  	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
   226  	RSA
   227  	DSA
   228  	ECDSA
   229  	Ed25519
   230  )
   231  
   232  var publicKeyAlgoName = [...]string{
   233  	RSA:     "RSA",
   234  	DSA:     "DSA",
   235  	ECDSA:   "ECDSA",
   236  	Ed25519: "Ed25519",
   237  }
   238  
   239  func (algo PublicKeyAlgorithm) String() string {
   240  	if 0 < algo && int(algo) < len(publicKeyAlgoName) {
   241  		return publicKeyAlgoName[algo]
   242  	}
   243  	return strconv.Itoa(int(algo))
   244  }
   245  
   246  // OIDs for signature algorithms
   247  //
   248  // pkcs-1 OBJECT IDENTIFIER ::= {
   249  //    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
   250  //
   251  //
   252  // RFC 3279 2.2.1 RSA Signature Algorithms
   253  //
   254  // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
   255  //
   256  // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
   257  //
   258  // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
   259  //
   260  // dsaWithSha1 OBJECT IDENTIFIER ::= {
   261  //    iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }
   262  //
   263  // RFC 3279 2.2.3 ECDSA Signature Algorithm
   264  //
   265  // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
   266  // 	  iso(1) member-body(2) us(840) ansi-x962(10045)
   267  //    signatures(4) ecdsa-with-SHA1(1)}
   268  //
   269  //
   270  // RFC 4055 5 PKCS #1 Version 1.5
   271  //
   272  // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
   273  //
   274  // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
   275  //
   276  // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
   277  //
   278  //
   279  // RFC 5758 3.1 DSA Signature Algorithms
   280  //
   281  // dsaWithSha256 OBJECT IDENTIFIER ::= {
   282  //    joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
   283  //    csor(3) algorithms(4) id-dsa-with-sha2(3) 2}
   284  //
   285  // RFC 5758 3.2 ECDSA Signature Algorithm
   286  //
   287  // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   288  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
   289  //
   290  // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   291  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
   292  //
   293  // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   294  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
   295  //
   296  //
   297  // RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers
   298  //
   299  // id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
   300  
   301  var (
   302  	oidSignatureMD2WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
   303  	oidSignatureMD5WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
   304  	oidSignatureSHA1WithRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
   305  	oidSignatureSHA256WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
   306  	oidSignatureSHA384WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
   307  	oidSignatureSHA512WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
   308  	oidSignatureRSAPSS          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
   309  	oidSignatureDSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
   310  	oidSignatureDSAWithSHA256   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
   311  	oidSignatureECDSAWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
   312  	oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
   313  	oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
   314  	oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
   315  	oidSignatureEd25519         = asn1.ObjectIdentifier{1, 3, 101, 112}
   316  
   317  	oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
   318  	oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
   319  	oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
   320  
   321  	oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
   322  
   323  	// oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
   324  	// but it's specified by ISO. Microsoft's makecert.exe has been known
   325  	// to produce certificates with this OID.
   326  	oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
   327  )
   328  
   329  var signatureAlgorithmDetails = []struct {
   330  	algo       SignatureAlgorithm
   331  	name       string
   332  	oid        asn1.ObjectIdentifier
   333  	pubKeyAlgo PublicKeyAlgorithm
   334  	hash       crypto.Hash
   335  }{
   336  	{MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
   337  	{MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
   338  	{SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
   339  	{SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
   340  	{SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
   341  	{SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
   342  	{SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
   343  	{SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
   344  	{SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
   345  	{SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
   346  	{DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
   347  	{DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
   348  	{ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
   349  	{ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
   350  	{ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
   351  	{ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
   352  	{PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */},
   353  }
   354  
   355  // pssParameters reflects the parameters in an AlgorithmIdentifier that
   356  // specifies RSA PSS. See RFC 3447, Appendix A.2.3.
   357  type pssParameters struct {
   358  	// The following three fields are not marked as
   359  	// optional because the default values specify SHA-1,
   360  	// which is no longer suitable for use in signatures.
   361  	Hash         pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
   362  	MGF          pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
   363  	SaltLength   int                      `asn1:"explicit,tag:2"`
   364  	TrailerField int                      `asn1:"optional,explicit,tag:3,default:1"`
   365  }
   366  
   367  // rsaPSSParameters returns an asn1.RawValue suitable for use as the Parameters
   368  // in an AlgorithmIdentifier that specifies RSA PSS.
   369  func rsaPSSParameters(hashFunc crypto.Hash) asn1.RawValue {
   370  	var hashOID asn1.ObjectIdentifier
   371  
   372  	switch hashFunc {
   373  	case crypto.SHA256:
   374  		hashOID = oidSHA256
   375  	case crypto.SHA384:
   376  		hashOID = oidSHA384
   377  	case crypto.SHA512:
   378  		hashOID = oidSHA512
   379  	}
   380  
   381  	params := pssParameters{
   382  		Hash: pkix.AlgorithmIdentifier{
   383  			Algorithm:  hashOID,
   384  			Parameters: asn1.NullRawValue,
   385  		},
   386  		MGF: pkix.AlgorithmIdentifier{
   387  			Algorithm: oidMGF1,
   388  		},
   389  		SaltLength:   hashFunc.Size(),
   390  		TrailerField: 1,
   391  	}
   392  
   393  	mgf1Params := pkix.AlgorithmIdentifier{
   394  		Algorithm:  hashOID,
   395  		Parameters: asn1.NullRawValue,
   396  	}
   397  
   398  	var err error
   399  	params.MGF.Parameters.FullBytes, err = asn1.Marshal(mgf1Params)
   400  	if err != nil {
   401  		panic(err)
   402  	}
   403  
   404  	serialized, err := asn1.Marshal(params)
   405  	if err != nil {
   406  		panic(err)
   407  	}
   408  
   409  	return asn1.RawValue{FullBytes: serialized}
   410  }
   411  
   412  func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm {
   413  	if ai.Algorithm.Equal(oidSignatureEd25519) {
   414  		// RFC 8410, Section 3
   415  		// > For all of the OIDs, the parameters MUST be absent.
   416  		if len(ai.Parameters.FullBytes) != 0 {
   417  			return UnknownSignatureAlgorithm
   418  		}
   419  	}
   420  
   421  	if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
   422  		for _, details := range signatureAlgorithmDetails {
   423  			if ai.Algorithm.Equal(details.oid) {
   424  				return details.algo
   425  			}
   426  		}
   427  		return UnknownSignatureAlgorithm
   428  	}
   429  
   430  	// RSA PSS is special because it encodes important parameters
   431  	// in the Parameters.
   432  
   433  	var params pssParameters
   434  	if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, &params); err != nil {
   435  		return UnknownSignatureAlgorithm
   436  	}
   437  
   438  	var mgf1HashFunc pkix.AlgorithmIdentifier
   439  	if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
   440  		return UnknownSignatureAlgorithm
   441  	}
   442  
   443  	// PSS is greatly overburdened with options. This code forces them into
   444  	// three buckets by requiring that the MGF1 hash function always match the
   445  	// message hash function (as recommended in RFC 3447, Section 8.1), that the
   446  	// salt length matches the hash length, and that the trailer field has the
   447  	// default value.
   448  	if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
   449  		!params.MGF.Algorithm.Equal(oidMGF1) ||
   450  		!mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
   451  		(len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
   452  		params.TrailerField != 1 {
   453  		return UnknownSignatureAlgorithm
   454  	}
   455  
   456  	switch {
   457  	case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
   458  		return SHA256WithRSAPSS
   459  	case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
   460  		return SHA384WithRSAPSS
   461  	case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
   462  		return SHA512WithRSAPSS
   463  	}
   464  
   465  	return UnknownSignatureAlgorithm
   466  }
   467  
   468  // RFC 3279, 2.3 Public Key Algorithms
   469  //
   470  // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   471  //    rsadsi(113549) pkcs(1) 1 }
   472  //
   473  // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
   474  //
   475  // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   476  //    x9-57(10040) x9cm(4) 1 }
   477  //
   478  // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
   479  //
   480  // id-ecPublicKey OBJECT IDENTIFIER ::= {
   481  //       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
   482  var (
   483  	oidPublicKeyRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
   484  	oidPublicKeyDSA     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
   485  	oidPublicKeyECDSA   = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
   486  	oidPublicKeyEd25519 = oidSignatureEd25519
   487  )
   488  
   489  func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
   490  	switch {
   491  	case oid.Equal(oidPublicKeyRSA):
   492  		return RSA
   493  	case oid.Equal(oidPublicKeyDSA):
   494  		return DSA
   495  	case oid.Equal(oidPublicKeyECDSA):
   496  		return ECDSA
   497  	case oid.Equal(oidPublicKeyEd25519):
   498  		return Ed25519
   499  	}
   500  	return UnknownPublicKeyAlgorithm
   501  }
   502  
   503  // RFC 5480, 2.1.1.1. Named Curve
   504  //
   505  // secp224r1 OBJECT IDENTIFIER ::= {
   506  //   iso(1) identified-organization(3) certicom(132) curve(0) 33 }
   507  //
   508  // secp256r1 OBJECT IDENTIFIER ::= {
   509  //   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
   510  //   prime(1) 7 }
   511  //
   512  // secp384r1 OBJECT IDENTIFIER ::= {
   513  //   iso(1) identified-organization(3) certicom(132) curve(0) 34 }
   514  //
   515  // secp521r1 OBJECT IDENTIFIER ::= {
   516  //   iso(1) identified-organization(3) certicom(132) curve(0) 35 }
   517  //
   518  // NB: secp256r1 is equivalent to prime256v1
   519  var (
   520  	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
   521  	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
   522  	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
   523  	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
   524  )
   525  
   526  func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
   527  	switch {
   528  	case oid.Equal(oidNamedCurveP224):
   529  		return elliptic.P224()
   530  	case oid.Equal(oidNamedCurveP256):
   531  		return elliptic.P256()
   532  	case oid.Equal(oidNamedCurveP384):
   533  		return elliptic.P384()
   534  	case oid.Equal(oidNamedCurveP521):
   535  		return elliptic.P521()
   536  	}
   537  	return nil
   538  }
   539  
   540  func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
   541  	switch curve {
   542  	case elliptic.P224():
   543  		return oidNamedCurveP224, true
   544  	case elliptic.P256():
   545  		return oidNamedCurveP256, true
   546  	case elliptic.P384():
   547  		return oidNamedCurveP384, true
   548  	case elliptic.P521():
   549  		return oidNamedCurveP521, true
   550  	}
   551  
   552  	return nil, false
   553  }
   554  
   555  // KeyUsage represents the set of actions that are valid for a given key. It's
   556  // a bitmap of the KeyUsage* constants.
   557  type KeyUsage int
   558  
   559  const (
   560  	KeyUsageDigitalSignature KeyUsage = 1 << iota
   561  	KeyUsageContentCommitment
   562  	KeyUsageKeyEncipherment
   563  	KeyUsageDataEncipherment
   564  	KeyUsageKeyAgreement
   565  	KeyUsageCertSign
   566  	KeyUsageCRLSign
   567  	KeyUsageEncipherOnly
   568  	KeyUsageDecipherOnly
   569  )
   570  
   571  // RFC 5280, 4.2.1.12  Extended Key Usage
   572  //
   573  // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
   574  //
   575  // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
   576  //
   577  // id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   578  // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   579  // id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
   580  // id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
   581  // id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
   582  // id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   583  var (
   584  	oidExtKeyUsageAny                            = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
   585  	oidExtKeyUsageServerAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
   586  	oidExtKeyUsageClientAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
   587  	oidExtKeyUsageCodeSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
   588  	oidExtKeyUsageEmailProtection                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
   589  	oidExtKeyUsageIPSECEndSystem                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
   590  	oidExtKeyUsageIPSECTunnel                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
   591  	oidExtKeyUsageIPSECUser                      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
   592  	oidExtKeyUsageTimeStamping                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
   593  	oidExtKeyUsageOCSPSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
   594  	oidExtKeyUsageMicrosoftServerGatedCrypto     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
   595  	oidExtKeyUsageNetscapeServerGatedCrypto      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
   596  	oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
   597  	oidExtKeyUsageMicrosoftKernelCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
   598  )
   599  
   600  // ExtKeyUsage represents an extended set of actions that are valid for a given key.
   601  // Each of the ExtKeyUsage* constants define a unique action.
   602  type ExtKeyUsage int
   603  
   604  const (
   605  	ExtKeyUsageAny ExtKeyUsage = iota
   606  	ExtKeyUsageServerAuth
   607  	ExtKeyUsageClientAuth
   608  	ExtKeyUsageCodeSigning
   609  	ExtKeyUsageEmailProtection
   610  	ExtKeyUsageIPSECEndSystem
   611  	ExtKeyUsageIPSECTunnel
   612  	ExtKeyUsageIPSECUser
   613  	ExtKeyUsageTimeStamping
   614  	ExtKeyUsageOCSPSigning
   615  	ExtKeyUsageMicrosoftServerGatedCrypto
   616  	ExtKeyUsageNetscapeServerGatedCrypto
   617  	ExtKeyUsageMicrosoftCommercialCodeSigning
   618  	ExtKeyUsageMicrosoftKernelCodeSigning
   619  )
   620  
   621  // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
   622  var extKeyUsageOIDs = []struct {
   623  	extKeyUsage ExtKeyUsage
   624  	oid         asn1.ObjectIdentifier
   625  }{
   626  	{ExtKeyUsageAny, oidExtKeyUsageAny},
   627  	{ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
   628  	{ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
   629  	{ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
   630  	{ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
   631  	{ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
   632  	{ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
   633  	{ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
   634  	{ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
   635  	{ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
   636  	{ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
   637  	{ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
   638  	{ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
   639  	{ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
   640  }
   641  
   642  func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
   643  	for _, pair := range extKeyUsageOIDs {
   644  		if oid.Equal(pair.oid) {
   645  			return pair.extKeyUsage, true
   646  		}
   647  	}
   648  	return
   649  }
   650  
   651  func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
   652  	for _, pair := range extKeyUsageOIDs {
   653  		if eku == pair.extKeyUsage {
   654  			return pair.oid, true
   655  		}
   656  	}
   657  	return
   658  }
   659  
   660  // A Certificate represents an X.509 certificate.
   661  type Certificate struct {
   662  	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
   663  	RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
   664  	RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
   665  	RawSubject              []byte // DER encoded Subject
   666  	RawIssuer               []byte // DER encoded Issuer
   667  
   668  	Signature          []byte
   669  	SignatureAlgorithm SignatureAlgorithm
   670  
   671  	PublicKeyAlgorithm PublicKeyAlgorithm
   672  	PublicKey          interface{}
   673  
   674  	Version             int
   675  	SerialNumber        *big.Int
   676  	Issuer              pkix.Name
   677  	Subject             pkix.Name
   678  	NotBefore, NotAfter time.Time // Validity bounds.
   679  	KeyUsage            KeyUsage
   680  
   681  	// Extensions contains raw X.509 extensions. When parsing certificates,
   682  	// this can be used to extract non-critical extensions that are not
   683  	// parsed by this package. When marshaling certificates, the Extensions
   684  	// field is ignored, see ExtraExtensions.
   685  	Extensions []pkix.Extension
   686  
   687  	// ExtraExtensions contains extensions to be copied, raw, into any
   688  	// marshaled certificates. Values override any extensions that would
   689  	// otherwise be produced based on the other fields. The ExtraExtensions
   690  	// field is not populated when parsing certificates, see Extensions.
   691  	ExtraExtensions []pkix.Extension
   692  
   693  	// UnhandledCriticalExtensions contains a list of extension IDs that
   694  	// were not (fully) processed when parsing. Verify will fail if this
   695  	// slice is non-empty, unless verification is delegated to an OS
   696  	// library which understands all the critical extensions.
   697  	//
   698  	// Users can access these extensions using Extensions and can remove
   699  	// elements from this slice if they believe that they have been
   700  	// handled.
   701  	UnhandledCriticalExtensions []asn1.ObjectIdentifier
   702  
   703  	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
   704  	UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.
   705  
   706  	// BasicConstraintsValid indicates whether IsCA, MaxPathLen,
   707  	// and MaxPathLenZero are valid.
   708  	BasicConstraintsValid bool
   709  	IsCA                  bool
   710  
   711  	// MaxPathLen and MaxPathLenZero indicate the presence and
   712  	// value of the BasicConstraints' "pathLenConstraint".
   713  	//
   714  	// When parsing a certificate, a positive non-zero MaxPathLen
   715  	// means that the field was specified, -1 means it was unset,
   716  	// and MaxPathLenZero being true mean that the field was
   717  	// explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
   718  	// should be treated equivalent to -1 (unset).
   719  	//
   720  	// When generating a certificate, an unset pathLenConstraint
   721  	// can be requested with either MaxPathLen == -1 or using the
   722  	// zero value for both MaxPathLen and MaxPathLenZero.
   723  	MaxPathLen int
   724  	// MaxPathLenZero indicates that BasicConstraintsValid==true
   725  	// and MaxPathLen==0 should be interpreted as an actual
   726  	// maximum path length of zero. Otherwise, that combination is
   727  	// interpreted as MaxPathLen not being set.
   728  	MaxPathLenZero bool
   729  
   730  	SubjectKeyId   []byte
   731  	AuthorityKeyId []byte
   732  
   733  	// RFC 5280, 4.2.2.1 (Authority Information Access)
   734  	OCSPServer            []string
   735  	IssuingCertificateURL []string
   736  
   737  	// Subject Alternate Name values. (Note that these values may not be valid
   738  	// if invalid values were contained within a parsed certificate. For
   739  	// example, an element of DNSNames may not be a valid DNS domain name.)
   740  	DNSNames       []string
   741  	EmailAddresses []string
   742  	IPAddresses    []net.IP
   743  	URIs           []*url.URL
   744  
   745  	// Name constraints
   746  	PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
   747  	PermittedDNSDomains         []string
   748  	ExcludedDNSDomains          []string
   749  	PermittedIPRanges           []*net.IPNet
   750  	ExcludedIPRanges            []*net.IPNet
   751  	PermittedEmailAddresses     []string
   752  	ExcludedEmailAddresses      []string
   753  	PermittedURIDomains         []string
   754  	ExcludedURIDomains          []string
   755  
   756  	// CRL Distribution Points
   757  	CRLDistributionPoints []string
   758  
   759  	PolicyIdentifiers []asn1.ObjectIdentifier
   760  }
   761  
   762  // ErrUnsupportedAlgorithm results from attempting to perform an operation that
   763  // involves algorithms that are not currently implemented.
   764  var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
   765  
   766  // An InsecureAlgorithmError
   767  type InsecureAlgorithmError SignatureAlgorithm
   768  
   769  func (e InsecureAlgorithmError) Error() string {
   770  	return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e))
   771  }
   772  
   773  // ConstraintViolationError results when a requested usage is not permitted by
   774  // a certificate. For example: checking a signature when the public key isn't a
   775  // certificate signing key.
   776  type ConstraintViolationError struct{}
   777  
   778  func (ConstraintViolationError) Error() string {
   779  	return "x509: invalid signature: parent certificate cannot sign this kind of certificate"
   780  }
   781  
   782  func (c *Certificate) Equal(other *Certificate) bool {
   783  	return bytes.Equal(c.Raw, other.Raw)
   784  }
   785  
   786  func (c *Certificate) hasSANExtension() bool {
   787  	return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
   788  }
   789  
   790  // Entrust have a broken root certificate (CN=Entrust.net Certification
   791  // Authority (2048)) which isn't marked as a CA certificate and is thus invalid
   792  // according to PKIX.
   793  // We recognise this certificate by its SubjectPublicKeyInfo and exempt it
   794  // from the Basic Constraints requirement.
   795  // See http://www.entrust.net/knowledge-base/technote.cfm?tn=7869
   796  //
   797  // TODO(agl): remove this hack once their reissued root is sufficiently
   798  // widespread.
   799  var entrustBrokenSPKI = []byte{
   800  	0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09,
   801  	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
   802  	0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
   803  	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
   804  	0x00, 0x97, 0xa3, 0x2d, 0x3c, 0x9e, 0xde, 0x05,
   805  	0xda, 0x13, 0xc2, 0x11, 0x8d, 0x9d, 0x8e, 0xe3,
   806  	0x7f, 0xc7, 0x4b, 0x7e, 0x5a, 0x9f, 0xb3, 0xff,
   807  	0x62, 0xab, 0x73, 0xc8, 0x28, 0x6b, 0xba, 0x10,
   808  	0x64, 0x82, 0x87, 0x13, 0xcd, 0x57, 0x18, 0xff,
   809  	0x28, 0xce, 0xc0, 0xe6, 0x0e, 0x06, 0x91, 0x50,
   810  	0x29, 0x83, 0xd1, 0xf2, 0xc3, 0x2a, 0xdb, 0xd8,
   811  	0xdb, 0x4e, 0x04, 0xcc, 0x00, 0xeb, 0x8b, 0xb6,
   812  	0x96, 0xdc, 0xbc, 0xaa, 0xfa, 0x52, 0x77, 0x04,
   813  	0xc1, 0xdb, 0x19, 0xe4, 0xae, 0x9c, 0xfd, 0x3c,
   814  	0x8b, 0x03, 0xef, 0x4d, 0xbc, 0x1a, 0x03, 0x65,
   815  	0xf9, 0xc1, 0xb1, 0x3f, 0x72, 0x86, 0xf2, 0x38,
   816  	0xaa, 0x19, 0xae, 0x10, 0x88, 0x78, 0x28, 0xda,
   817  	0x75, 0xc3, 0x3d, 0x02, 0x82, 0x02, 0x9c, 0xb9,
   818  	0xc1, 0x65, 0x77, 0x76, 0x24, 0x4c, 0x98, 0xf7,
   819  	0x6d, 0x31, 0x38, 0xfb, 0xdb, 0xfe, 0xdb, 0x37,
   820  	0x02, 0x76, 0xa1, 0x18, 0x97, 0xa6, 0xcc, 0xde,
   821  	0x20, 0x09, 0x49, 0x36, 0x24, 0x69, 0x42, 0xf6,
   822  	0xe4, 0x37, 0x62, 0xf1, 0x59, 0x6d, 0xa9, 0x3c,
   823  	0xed, 0x34, 0x9c, 0xa3, 0x8e, 0xdb, 0xdc, 0x3a,
   824  	0xd7, 0xf7, 0x0a, 0x6f, 0xef, 0x2e, 0xd8, 0xd5,
   825  	0x93, 0x5a, 0x7a, 0xed, 0x08, 0x49, 0x68, 0xe2,
   826  	0x41, 0xe3, 0x5a, 0x90, 0xc1, 0x86, 0x55, 0xfc,
   827  	0x51, 0x43, 0x9d, 0xe0, 0xb2, 0xc4, 0x67, 0xb4,
   828  	0xcb, 0x32, 0x31, 0x25, 0xf0, 0x54, 0x9f, 0x4b,
   829  	0xd1, 0x6f, 0xdb, 0xd4, 0xdd, 0xfc, 0xaf, 0x5e,
   830  	0x6c, 0x78, 0x90, 0x95, 0xde, 0xca, 0x3a, 0x48,
   831  	0xb9, 0x79, 0x3c, 0x9b, 0x19, 0xd6, 0x75, 0x05,
   832  	0xa0, 0xf9, 0x88, 0xd7, 0xc1, 0xe8, 0xa5, 0x09,
   833  	0xe4, 0x1a, 0x15, 0xdc, 0x87, 0x23, 0xaa, 0xb2,
   834  	0x75, 0x8c, 0x63, 0x25, 0x87, 0xd8, 0xf8, 0x3d,
   835  	0xa6, 0xc2, 0xcc, 0x66, 0xff, 0xa5, 0x66, 0x68,
   836  	0x55, 0x02, 0x03, 0x01, 0x00, 0x01,
   837  }
   838  
   839  // CheckSignatureFrom verifies that the signature on c is a valid signature
   840  // from parent.
   841  func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
   842  	// RFC 5280, 4.2.1.9:
   843  	// "If the basic constraints extension is not present in a version 3
   844  	// certificate, or the extension is present but the cA boolean is not
   845  	// asserted, then the certified public key MUST NOT be used to verify
   846  	// certificate signatures."
   847  	// (except for Entrust, see comment above entrustBrokenSPKI)
   848  	if (parent.Version == 3 && !parent.BasicConstraintsValid ||
   849  		parent.BasicConstraintsValid && !parent.IsCA) &&
   850  		!bytes.Equal(c.RawSubjectPublicKeyInfo, entrustBrokenSPKI) {
   851  		return ConstraintViolationError{}
   852  	}
   853  
   854  	if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
   855  		return ConstraintViolationError{}
   856  	}
   857  
   858  	if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
   859  		return ErrUnsupportedAlgorithm
   860  	}
   861  
   862  	// TODO(agl): don't ignore the path length constraint.
   863  
   864  	return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
   865  }
   866  
   867  // CheckSignature verifies that signature is a valid signature over signed from
   868  // c's public key.
   869  func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
   870  	return checkSignature(algo, signed, signature, c.PublicKey)
   871  }
   872  
   873  func (c *Certificate) hasNameConstraints() bool {
   874  	return oidInExtensions(oidExtensionNameConstraints, c.Extensions)
   875  }
   876  
   877  func (c *Certificate) getSANExtension() []byte {
   878  	for _, e := range c.Extensions {
   879  		if e.Id.Equal(oidExtensionSubjectAltName) {
   880  			return e.Value
   881  		}
   882  	}
   883  	return nil
   884  }
   885  
   886  func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
   887  	return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
   888  }
   889  
   890  // CheckSignature verifies that signature is a valid signature over signed from
   891  // a crypto.PublicKey.
   892  func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
   893  	var hashType crypto.Hash
   894  	var pubKeyAlgo PublicKeyAlgorithm
   895  
   896  	for _, details := range signatureAlgorithmDetails {
   897  		if details.algo == algo {
   898  			hashType = details.hash
   899  			pubKeyAlgo = details.pubKeyAlgo
   900  		}
   901  	}
   902  
   903  	switch hashType {
   904  	case crypto.Hash(0):
   905  		if pubKeyAlgo != Ed25519 {
   906  			return ErrUnsupportedAlgorithm
   907  		}
   908  	case crypto.MD5:
   909  		return InsecureAlgorithmError(algo)
   910  	default:
   911  		if !hashType.Available() {
   912  			return ErrUnsupportedAlgorithm
   913  		}
   914  		h := hashType.New()
   915  		h.Write(signed)
   916  		signed = h.Sum(nil)
   917  	}
   918  
   919  	switch pub := publicKey.(type) {
   920  	case *rsa.PublicKey:
   921  		if pubKeyAlgo != RSA {
   922  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   923  		}
   924  		if algo.isRSAPSS() {
   925  			return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
   926  		} else {
   927  			return rsa.VerifyPKCS1v15(pub, hashType, signed, signature)
   928  		}
   929  	case *dsa.PublicKey:
   930  		if pubKeyAlgo != DSA {
   931  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   932  		}
   933  		dsaSig := new(dsaSignature)
   934  		if rest, err := asn1.Unmarshal(signature, dsaSig); err != nil {
   935  			return err
   936  		} else if len(rest) != 0 {
   937  			return errors.New("x509: trailing data after DSA signature")
   938  		}
   939  		if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 {
   940  			return errors.New("x509: DSA signature contained zero or negative values")
   941  		}
   942  		if !dsa.Verify(pub, signed, dsaSig.R, dsaSig.S) {
   943  			return errors.New("x509: DSA verification failure")
   944  		}
   945  		return
   946  	case *ecdsa.PublicKey:
   947  		if pubKeyAlgo != ECDSA {
   948  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   949  		}
   950  		ecdsaSig := new(ecdsaSignature)
   951  		if rest, err := asn1.Unmarshal(signature, ecdsaSig); err != nil {
   952  			return err
   953  		} else if len(rest) != 0 {
   954  			return errors.New("x509: trailing data after ECDSA signature")
   955  		}
   956  		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
   957  			return errors.New("x509: ECDSA signature contained zero or negative values")
   958  		}
   959  		if !ecdsa.Verify(pub, signed, ecdsaSig.R, ecdsaSig.S) {
   960  			return errors.New("x509: ECDSA verification failure")
   961  		}
   962  		return
   963  	case ed25519.PublicKey:
   964  		if pubKeyAlgo != Ed25519 {
   965  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   966  		}
   967  		if !ed25519.Verify(pub, signed, signature) {
   968  			return errors.New("x509: Ed25519 verification failure")
   969  		}
   970  		return
   971  	}
   972  	return ErrUnsupportedAlgorithm
   973  }
   974  
   975  // CheckCRLSignature checks that the signature in crl is from c.
   976  func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error {
   977  	algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm)
   978  	return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign())
   979  }
   980  
   981  type UnhandledCriticalExtension struct{}
   982  
   983  func (h UnhandledCriticalExtension) Error() string {
   984  	return "x509: unhandled critical extension"
   985  }
   986  
   987  type basicConstraints struct {
   988  	IsCA       bool `asn1:"optional"`
   989  	MaxPathLen int  `asn1:"optional,default:-1"`
   990  }
   991  
   992  // RFC 5280 4.2.1.4
   993  type policyInformation struct {
   994  	Policy asn1.ObjectIdentifier
   995  	// policyQualifiers omitted
   996  }
   997  
   998  const (
   999  	nameTypeEmail = 1
  1000  	nameTypeDNS   = 2
  1001  	nameTypeURI   = 6
  1002  	nameTypeIP    = 7
  1003  )
  1004  
  1005  // RFC 5280, 4.2.2.1
  1006  type authorityInfoAccess struct {
  1007  	Method   asn1.ObjectIdentifier
  1008  	Location asn1.RawValue
  1009  }
  1010  
  1011  // RFC 5280, 4.2.1.14
  1012  type distributionPoint struct {
  1013  	DistributionPoint distributionPointName `asn1:"optional,tag:0"`
  1014  	Reason            asn1.BitString        `asn1:"optional,tag:1"`
  1015  	CRLIssuer         asn1.RawValue         `asn1:"optional,tag:2"`
  1016  }
  1017  
  1018  type distributionPointName struct {
  1019  	FullName     []asn1.RawValue  `asn1:"optional,tag:0"`
  1020  	RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
  1021  }
  1022  
  1023  func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
  1024  	asn1Data := keyData.PublicKey.RightAlign()
  1025  	switch algo {
  1026  	case RSA:
  1027  		// RSA public keys must have a NULL in the parameters.
  1028  		// See RFC 3279, Section 2.3.1.
  1029  		if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) {
  1030  			return nil, errors.New("x509: RSA key missing NULL parameters")
  1031  		}
  1032  
  1033  		p := new(pkcs1PublicKey)
  1034  		rest, err := asn1.Unmarshal(asn1Data, p)
  1035  		if err != nil {
  1036  			return nil, err
  1037  		}
  1038  		if len(rest) != 0 {
  1039  			return nil, errors.New("x509: trailing data after RSA public key")
  1040  		}
  1041  
  1042  		if p.N.Sign() <= 0 {
  1043  			return nil, errors.New("x509: RSA modulus is not a positive number")
  1044  		}
  1045  		if p.E <= 0 {
  1046  			return nil, errors.New("x509: RSA public exponent is not a positive number")
  1047  		}
  1048  
  1049  		pub := &rsa.PublicKey{
  1050  			E: p.E,
  1051  			N: p.N,
  1052  		}
  1053  		return pub, nil
  1054  	case DSA:
  1055  		var p *big.Int
  1056  		rest, err := asn1.Unmarshal(asn1Data, &p)
  1057  		if err != nil {
  1058  			return nil, err
  1059  		}
  1060  		if len(rest) != 0 {
  1061  			return nil, errors.New("x509: trailing data after DSA public key")
  1062  		}
  1063  		paramsData := keyData.Algorithm.Parameters.FullBytes
  1064  		params := new(dsaAlgorithmParameters)
  1065  		rest, err = asn1.Unmarshal(paramsData, params)
  1066  		if err != nil {
  1067  			return nil, err
  1068  		}
  1069  		if len(rest) != 0 {
  1070  			return nil, errors.New("x509: trailing data after DSA parameters")
  1071  		}
  1072  		if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0 || params.G.Sign() <= 0 {
  1073  			return nil, errors.New("x509: zero or negative DSA parameter")
  1074  		}
  1075  		pub := &dsa.PublicKey{
  1076  			Parameters: dsa.Parameters{
  1077  				P: params.P,
  1078  				Q: params.Q,
  1079  				G: params.G,
  1080  			},
  1081  			Y: p,
  1082  		}
  1083  		return pub, nil
  1084  	case ECDSA:
  1085  		paramsData := keyData.Algorithm.Parameters.FullBytes
  1086  		namedCurveOID := new(asn1.ObjectIdentifier)
  1087  		rest, err := asn1.Unmarshal(paramsData, namedCurveOID)
  1088  		if err != nil {
  1089  			return nil, errors.New("x509: failed to parse ECDSA parameters as named curve")
  1090  		}
  1091  		if len(rest) != 0 {
  1092  			return nil, errors.New("x509: trailing data after ECDSA parameters")
  1093  		}
  1094  		namedCurve := namedCurveFromOID(*namedCurveOID)
  1095  		if namedCurve == nil {
  1096  			return nil, errors.New("x509: unsupported elliptic curve")
  1097  		}
  1098  		x, y := elliptic.Unmarshal(namedCurve, asn1Data)
  1099  		if x == nil {
  1100  			return nil, errors.New("x509: failed to unmarshal elliptic curve point")
  1101  		}
  1102  		pub := &ecdsa.PublicKey{
  1103  			Curve: namedCurve,
  1104  			X:     x,
  1105  			Y:     y,
  1106  		}
  1107  		return pub, nil
  1108  	case Ed25519:
  1109  		// RFC 8410, Section 3
  1110  		// > For all of the OIDs, the parameters MUST be absent.
  1111  		if len(keyData.Algorithm.Parameters.FullBytes) != 0 {
  1112  			return nil, errors.New("x509: Ed25519 key encoded with illegal parameters")
  1113  		}
  1114  		if len(asn1Data) != ed25519.PublicKeySize {
  1115  			return nil, errors.New("x509: wrong Ed25519 public key size")
  1116  		}
  1117  		pub := make([]byte, ed25519.PublicKeySize)
  1118  		copy(pub, asn1Data)
  1119  		return ed25519.PublicKey(pub), nil
  1120  	default:
  1121  		return nil, nil
  1122  	}
  1123  }
  1124  
  1125  func forEachSAN(extension []byte, callback func(tag int, data []byte) error) error {
  1126  	// RFC 5280, 4.2.1.6
  1127  
  1128  	// SubjectAltName ::= GeneralNames
  1129  	//
  1130  	// GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
  1131  	//
  1132  	// GeneralName ::= CHOICE {
  1133  	//      otherName                       [0]     OtherName,
  1134  	//      rfc822Name                      [1]     IA5String,
  1135  	//      dNSName                         [2]     IA5String,
  1136  	//      x400Address                     [3]     ORAddress,
  1137  	//      directoryName                   [4]     Name,
  1138  	//      ediPartyName                    [5]     EDIPartyName,
  1139  	//      uniformResourceIdentifier       [6]     IA5String,
  1140  	//      iPAddress                       [7]     OCTET STRING,
  1141  	//      registeredID                    [8]     OBJECT IDENTIFIER }
  1142  	var seq asn1.RawValue
  1143  	rest, err := asn1.Unmarshal(extension, &seq)
  1144  	if err != nil {
  1145  		return err
  1146  	} else if len(rest) != 0 {
  1147  		return errors.New("x509: trailing data after X.509 extension")
  1148  	}
  1149  	if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
  1150  		return asn1.StructuralError{Msg: "bad SAN sequence"}
  1151  	}
  1152  
  1153  	rest = seq.Bytes
  1154  	for len(rest) > 0 {
  1155  		var v asn1.RawValue
  1156  		rest, err = asn1.Unmarshal(rest, &v)
  1157  		if err != nil {
  1158  			return err
  1159  		}
  1160  
  1161  		if err := callback(v.Tag, v.Bytes); err != nil {
  1162  			return err
  1163  		}
  1164  	}
  1165  
  1166  	return nil
  1167  }
  1168  
  1169  func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) {
  1170  	err = forEachSAN(value, func(tag int, data []byte) error {
  1171  		switch tag {
  1172  		case nameTypeEmail:
  1173  			emailAddresses = append(emailAddresses, string(data))
  1174  		case nameTypeDNS:
  1175  			dnsNames = append(dnsNames, string(data))
  1176  		case nameTypeURI:
  1177  			uri, err := url.Parse(string(data))
  1178  			if err != nil {
  1179  				return fmt.Errorf("x509: cannot parse URI %q: %s", string(data), err)
  1180  			}
  1181  			if len(uri.Host) > 0 {
  1182  				if _, ok := domainToReverseLabels(uri.Host); !ok {
  1183  					return fmt.Errorf("x509: cannot parse URI %q: invalid domain", string(data))
  1184  				}
  1185  			}
  1186  			uris = append(uris, uri)
  1187  		case nameTypeIP:
  1188  			switch len(data) {
  1189  			case net.IPv4len, net.IPv6len:
  1190  				ipAddresses = append(ipAddresses, data)
  1191  			default:
  1192  				return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data)))
  1193  			}
  1194  		}
  1195  
  1196  		return nil
  1197  	})
  1198  
  1199  	return
  1200  }
  1201  
  1202  // isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.
  1203  func isValidIPMask(mask []byte) bool {
  1204  	seenZero := false
  1205  
  1206  	for _, b := range mask {
  1207  		if seenZero {
  1208  			if b != 0 {
  1209  				return false
  1210  			}
  1211  
  1212  			continue
  1213  		}
  1214  
  1215  		switch b {
  1216  		case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe:
  1217  			seenZero = true
  1218  		case 0xff:
  1219  		default:
  1220  			return false
  1221  		}
  1222  	}
  1223  
  1224  	return true
  1225  }
  1226  
  1227  func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) {
  1228  	// RFC 5280, 4.2.1.10
  1229  
  1230  	// NameConstraints ::= SEQUENCE {
  1231  	//      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
  1232  	//      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
  1233  	//
  1234  	// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
  1235  	//
  1236  	// GeneralSubtree ::= SEQUENCE {
  1237  	//      base                    GeneralName,
  1238  	//      minimum         [0]     BaseDistance DEFAULT 0,
  1239  	//      maximum         [1]     BaseDistance OPTIONAL }
  1240  	//
  1241  	// BaseDistance ::= INTEGER (0..MAX)
  1242  
  1243  	outer := cryptobyte.String(e.Value)
  1244  	var toplevel, permitted, excluded cryptobyte.String
  1245  	var havePermitted, haveExcluded bool
  1246  	if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) ||
  1247  		!outer.Empty() ||
  1248  		!toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) ||
  1249  		!toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) ||
  1250  		!toplevel.Empty() {
  1251  		return false, errors.New("x509: invalid NameConstraints extension")
  1252  	}
  1253  
  1254  	if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 {
  1255  		// From RFC 5280, Section 4.2.1.10:
  1256  		//   “either the permittedSubtrees field
  1257  		//   or the excludedSubtrees MUST be
  1258  		//   present”
  1259  		return false, errors.New("x509: empty name constraints extension")
  1260  	}
  1261  
  1262  	getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) {
  1263  		for !subtrees.Empty() {
  1264  			var seq, value cryptobyte.String
  1265  			var tag cryptobyte_asn1.Tag
  1266  			if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) ||
  1267  				!seq.ReadAnyASN1(&value, &tag) {
  1268  				return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension")
  1269  			}
  1270  
  1271  			var (
  1272  				dnsTag   = cryptobyte_asn1.Tag(2).ContextSpecific()
  1273  				emailTag = cryptobyte_asn1.Tag(1).ContextSpecific()
  1274  				ipTag    = cryptobyte_asn1.Tag(7).ContextSpecific()
  1275  				uriTag   = cryptobyte_asn1.Tag(6).ContextSpecific()
  1276  			)
  1277  
  1278  			switch tag {
  1279  			case dnsTag:
  1280  				domain := string(value)
  1281  				if err := isIA5String(domain); err != nil {
  1282  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1283  				}
  1284  
  1285  				trimmedDomain := domain
  1286  				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
  1287  					// constraints can have a leading
  1288  					// period to exclude the domain
  1289  					// itself, but that's not valid in a
  1290  					// normal domain name.
  1291  					trimmedDomain = trimmedDomain[1:]
  1292  				}
  1293  				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
  1294  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
  1295  				}
  1296  				dnsNames = append(dnsNames, domain)
  1297  
  1298  			case ipTag:
  1299  				l := len(value)
  1300  				var ip, mask []byte
  1301  
  1302  				switch l {
  1303  				case 8:
  1304  					ip = value[:4]
  1305  					mask = value[4:]
  1306  
  1307  				case 32:
  1308  					ip = value[:16]
  1309  					mask = value[16:]
  1310  
  1311  				default:
  1312  					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l)
  1313  				}
  1314  
  1315  				if !isValidIPMask(mask) {
  1316  					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask)
  1317  				}
  1318  
  1319  				ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)})
  1320  
  1321  			case emailTag:
  1322  				constraint := string(value)
  1323  				if err := isIA5String(constraint); err != nil {
  1324  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1325  				}
  1326  
  1327  				// If the constraint contains an @ then
  1328  				// it specifies an exact mailbox name.
  1329  				if strings.Contains(constraint, "@") {
  1330  					if _, ok := parseRFC2821Mailbox(constraint); !ok {
  1331  						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
  1332  					}
  1333  				} else {
  1334  					// Otherwise it's a domain name.
  1335  					domain := constraint
  1336  					if len(domain) > 0 && domain[0] == '.' {
  1337  						domain = domain[1:]
  1338  					}
  1339  					if _, ok := domainToReverseLabels(domain); !ok {
  1340  						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
  1341  					}
  1342  				}
  1343  				emails = append(emails, constraint)
  1344  
  1345  			case uriTag:
  1346  				domain := string(value)
  1347  				if err := isIA5String(domain); err != nil {
  1348  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1349  				}
  1350  
  1351  				if net.ParseIP(domain) != nil {
  1352  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
  1353  				}
  1354  
  1355  				trimmedDomain := domain
  1356  				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
  1357  					// constraints can have a leading
  1358  					// period to exclude the domain itself,
  1359  					// but that's not valid in a normal
  1360  					// domain name.
  1361  					trimmedDomain = trimmedDomain[1:]
  1362  				}
  1363  				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
  1364  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
  1365  				}
  1366  				uriDomains = append(uriDomains, domain)
  1367  
  1368  			default:
  1369  				unhandled = true
  1370  			}
  1371  		}
  1372  
  1373  		return dnsNames, ips, emails, uriDomains, nil
  1374  	}
  1375  
  1376  	if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil {
  1377  		return false, err
  1378  	}
  1379  	if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil {
  1380  		return false, err
  1381  	}
  1382  	out.PermittedDNSDomainsCritical = e.Critical
  1383  
  1384  	return unhandled, nil
  1385  }
  1386  
  1387  func parseCertificate(in *certificate) (*Certificate, error) {
  1388  	out := new(Certificate)
  1389  	out.Raw = in.Raw
  1390  	out.RawTBSCertificate = in.TBSCertificate.Raw
  1391  	out.RawSubjectPublicKeyInfo = in.TBSCertificate.PublicKey.Raw
  1392  	out.RawSubject = in.TBSCertificate.Subject.FullBytes
  1393  	out.RawIssuer = in.TBSCertificate.Issuer.FullBytes
  1394  
  1395  	out.Signature = in.SignatureValue.RightAlign()
  1396  	out.SignatureAlgorithm =
  1397  		getSignatureAlgorithmFromAI(in.TBSCertificate.SignatureAlgorithm)
  1398  
  1399  	out.PublicKeyAlgorithm =
  1400  		getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorithm.Algorithm)
  1401  	var err error
  1402  	out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey)
  1403  	if err != nil {
  1404  		return nil, err
  1405  	}
  1406  
  1407  	out.Version = in.TBSCertificate.Version + 1
  1408  	out.SerialNumber = in.TBSCertificate.SerialNumber
  1409  
  1410  	var issuer, subject pkix.RDNSequence
  1411  	if rest, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subject); err != nil {
  1412  		return nil, err
  1413  	} else if len(rest) != 0 {
  1414  		return nil, errors.New("x509: trailing data after X.509 subject")
  1415  	}
  1416  	if rest, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer); err != nil {
  1417  		return nil, err
  1418  	} else if len(rest) != 0 {
  1419  		return nil, errors.New("x509: trailing data after X.509 subject")
  1420  	}
  1421  
  1422  	out.Issuer.FillFromRDNSequence(&issuer)
  1423  	out.Subject.FillFromRDNSequence(&subject)
  1424  
  1425  	out.NotBefore = in.TBSCertificate.Validity.NotBefore
  1426  	out.NotAfter = in.TBSCertificate.Validity.NotAfter
  1427  
  1428  	for _, e := range in.TBSCertificate.Extensions {
  1429  		out.Extensions = append(out.Extensions, e)
  1430  		unhandled := false
  1431  
  1432  		if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 {
  1433  			switch e.Id[3] {
  1434  			case 15:
  1435  				// RFC 5280, 4.2.1.3
  1436  				var usageBits asn1.BitString
  1437  				if rest, err := asn1.Unmarshal(e.Value, &usageBits); err != nil {
  1438  					return nil, err
  1439  				} else if len(rest) != 0 {
  1440  					return nil, errors.New("x509: trailing data after X.509 KeyUsage")
  1441  				}
  1442  
  1443  				var usage int
  1444  				for i := 0; i < 9; i++ {
  1445  					if usageBits.At(i) != 0 {
  1446  						usage |= 1 << uint(i)
  1447  					}
  1448  				}
  1449  				out.KeyUsage = KeyUsage(usage)
  1450  
  1451  			case 19:
  1452  				// RFC 5280, 4.2.1.9
  1453  				var constraints basicConstraints
  1454  				if rest, err := asn1.Unmarshal(e.Value, &constraints); err != nil {
  1455  					return nil, err
  1456  				} else if len(rest) != 0 {
  1457  					return nil, errors.New("x509: trailing data after X.509 BasicConstraints")
  1458  				}
  1459  
  1460  				out.BasicConstraintsValid = true
  1461  				out.IsCA = constraints.IsCA
  1462  				out.MaxPathLen = constraints.MaxPathLen
  1463  				out.MaxPathLenZero = out.MaxPathLen == 0
  1464  				// TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285)
  1465  			case 17:
  1466  				out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value)
  1467  				if err != nil {
  1468  					return nil, err
  1469  				}
  1470  
  1471  				if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 {
  1472  					// If we didn't parse anything then we do the critical check, below.
  1473  					unhandled = true
  1474  				}
  1475  
  1476  			case 30:
  1477  				unhandled, err = parseNameConstraintsExtension(out, e)
  1478  				if err != nil {
  1479  					return nil, err
  1480  				}
  1481  
  1482  			case 31:
  1483  				// RFC 5280, 4.2.1.13
  1484  
  1485  				// CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
  1486  				//
  1487  				// DistributionPoint ::= SEQUENCE {
  1488  				//     distributionPoint       [0]     DistributionPointName OPTIONAL,
  1489  				//     reasons                 [1]     ReasonFlags OPTIONAL,
  1490  				//     cRLIssuer               [2]     GeneralNames OPTIONAL }
  1491  				//
  1492  				// DistributionPointName ::= CHOICE {
  1493  				//     fullName                [0]     GeneralNames,
  1494  				//     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
  1495  
  1496  				var cdp []distributionPoint
  1497  				if rest, err := asn1.Unmarshal(e.Value, &cdp); err != nil {
  1498  					return nil, err
  1499  				} else if len(rest) != 0 {
  1500  					return nil, errors.New("x509: trailing data after X.509 CRL distribution point")
  1501  				}
  1502  
  1503  				for _, dp := range cdp {
  1504  					// Per RFC 5280, 4.2.1.13, one of distributionPoint or cRLIssuer may be empty.
  1505  					if len(dp.DistributionPoint.FullName) == 0 {
  1506  						continue
  1507  					}
  1508  
  1509  					for _, fullName := range dp.DistributionPoint.FullName {
  1510  						if fullName.Tag == 6 {
  1511  							out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(fullName.Bytes))
  1512  						}
  1513  					}
  1514  				}
  1515  
  1516  			case 35:
  1517  				// RFC 5280, 4.2.1.1
  1518  				var a authKeyId
  1519  				if rest, err := asn1.Unmarshal(e.Value, &a); err != nil {
  1520  					return nil, err
  1521  				} else if len(rest) != 0 {
  1522  					return nil, errors.New("x509: trailing data after X.509 authority key-id")
  1523  				}
  1524  				out.AuthorityKeyId = a.Id
  1525  
  1526  			case 37:
  1527  				// RFC 5280, 4.2.1.12.  Extended Key Usage
  1528  
  1529  				// id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
  1530  				//
  1531  				// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  1532  				//
  1533  				// KeyPurposeId ::= OBJECT IDENTIFIER
  1534  
  1535  				var keyUsage []asn1.ObjectIdentifier
  1536  				if rest, err := asn1.Unmarshal(e.Value, &keyUsage); err != nil {
  1537  					return nil, err
  1538  				} else if len(rest) != 0 {
  1539  					return nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage")
  1540  				}
  1541  
  1542  				for _, u := range keyUsage {
  1543  					if extKeyUsage, ok := extKeyUsageFromOID(u); ok {
  1544  						out.ExtKeyUsage = append(out.ExtKeyUsage, extKeyUsage)
  1545  					} else {
  1546  						out.UnknownExtKeyUsage = append(out.UnknownExtKeyUsage, u)
  1547  					}
  1548  				}
  1549  
  1550  			case 14:
  1551  				// RFC 5280, 4.2.1.2
  1552  				var keyid []byte
  1553  				if rest, err := asn1.Unmarshal(e.Value, &keyid); err != nil {
  1554  					return nil, err
  1555  				} else if len(rest) != 0 {
  1556  					return nil, errors.New("x509: trailing data after X.509 key-id")
  1557  				}
  1558  				out.SubjectKeyId = keyid
  1559  
  1560  			case 32:
  1561  				// RFC 5280 4.2.1.4: Certificate Policies
  1562  				var policies []policyInformation
  1563  				if rest, err := asn1.Unmarshal(e.Value, &policies); err != nil {
  1564  					return nil, err
  1565  				} else if len(rest) != 0 {
  1566  					return nil, errors.New("x509: trailing data after X.509 certificate policies")
  1567  				}
  1568  				out.PolicyIdentifiers = make([]asn1.ObjectIdentifier, len(policies))
  1569  				for i, policy := range policies {
  1570  					out.PolicyIdentifiers[i] = policy.Policy
  1571  				}
  1572  
  1573  			default:
  1574  				// Unknown extensions are recorded if critical.
  1575  				unhandled = true
  1576  			}
  1577  		} else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
  1578  			// RFC 5280 4.2.2.1: Authority Information Access
  1579  			var aia []authorityInfoAccess
  1580  			if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil {
  1581  				return nil, err
  1582  			} else if len(rest) != 0 {
  1583  				return nil, errors.New("x509: trailing data after X.509 authority information")
  1584  			}
  1585  
  1586  			for _, v := range aia {
  1587  				// GeneralName: uniformResourceIdentifier [6] IA5String
  1588  				if v.Location.Tag != 6 {
  1589  					continue
  1590  				}
  1591  				if v.Method.Equal(oidAuthorityInfoAccessOcsp) {
  1592  					out.OCSPServer = append(out.OCSPServer, string(v.Location.Bytes))
  1593  				} else if v.Method.Equal(oidAuthorityInfoAccessIssuers) {
  1594  					out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(v.Location.Bytes))
  1595  				}
  1596  			}
  1597  		} else {
  1598  			// Unknown extensions are recorded if critical.
  1599  			unhandled = true
  1600  		}
  1601  
  1602  		if e.Critical && unhandled {
  1603  			out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id)
  1604  		}
  1605  	}
  1606  
  1607  	return out, nil
  1608  }
  1609  
  1610  // ParseCertificate parses a single certificate from the given ASN.1 DER data.
  1611  func ParseCertificate(asn1Data []byte) (*Certificate, error) {
  1612  	var cert certificate
  1613  	rest, err := asn1.Unmarshal(asn1Data, &cert)
  1614  	if err != nil {
  1615  		return nil, err
  1616  	}
  1617  	if len(rest) > 0 {
  1618  		return nil, asn1.SyntaxError{Msg: "trailing data"}
  1619  	}
  1620  
  1621  	return parseCertificate(&cert)
  1622  }
  1623  
  1624  // ParseCertificates parses one or more certificates from the given ASN.1 DER
  1625  // data. The certificates must be concatenated with no intermediate padding.
  1626  func ParseCertificates(asn1Data []byte) ([]*Certificate, error) {
  1627  	var v []*certificate
  1628  
  1629  	for len(asn1Data) > 0 {
  1630  		cert := new(certificate)
  1631  		var err error
  1632  		asn1Data, err = asn1.Unmarshal(asn1Data, cert)
  1633  		if err != nil {
  1634  			return nil, err
  1635  		}
  1636  		v = append(v, cert)
  1637  	}
  1638  
  1639  	ret := make([]*Certificate, len(v))
  1640  	for i, ci := range v {
  1641  		cert, err := parseCertificate(ci)
  1642  		if err != nil {
  1643  			return nil, err
  1644  		}
  1645  		ret[i] = cert
  1646  	}
  1647  
  1648  	return ret, nil
  1649  }
  1650  
  1651  func reverseBitsInAByte(in byte) byte {
  1652  	b1 := in>>4 | in<<4
  1653  	b2 := b1>>2&0x33 | b1<<2&0xcc
  1654  	b3 := b2>>1&0x55 | b2<<1&0xaa
  1655  	return b3
  1656  }
  1657  
  1658  // asn1BitLength returns the bit-length of bitString by considering the
  1659  // most-significant bit in a byte to be the "first" bit. This convention
  1660  // matches ASN.1, but differs from almost everything else.
  1661  func asn1BitLength(bitString []byte) int {
  1662  	bitLen := len(bitString) * 8
  1663  
  1664  	for i := range bitString {
  1665  		b := bitString[len(bitString)-i-1]
  1666  
  1667  		for bit := uint(0); bit < 8; bit++ {
  1668  			if (b>>bit)&1 == 1 {
  1669  				return bitLen
  1670  			}
  1671  			bitLen--
  1672  		}
  1673  	}
  1674  
  1675  	return 0
  1676  }
  1677  
  1678  var (
  1679  	oidExtensionSubjectKeyId          = []int{2, 5, 29, 14}
  1680  	oidExtensionKeyUsage              = []int{2, 5, 29, 15}
  1681  	oidExtensionExtendedKeyUsage      = []int{2, 5, 29, 37}
  1682  	oidExtensionAuthorityKeyId        = []int{2, 5, 29, 35}
  1683  	oidExtensionBasicConstraints      = []int{2, 5, 29, 19}
  1684  	oidExtensionSubjectAltName        = []int{2, 5, 29, 17}
  1685  	oidExtensionCertificatePolicies   = []int{2, 5, 29, 32}
  1686  	oidExtensionNameConstraints       = []int{2, 5, 29, 30}
  1687  	oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31}
  1688  	oidExtensionAuthorityInfoAccess   = []int{1, 3, 6, 1, 5, 5, 7, 1, 1}
  1689  )
  1690  
  1691  var (
  1692  	oidAuthorityInfoAccessOcsp    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
  1693  	oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
  1694  )
  1695  
  1696  // oidNotInExtensions reports whether an extension with the given oid exists in
  1697  // extensions.
  1698  func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool {
  1699  	for _, e := range extensions {
  1700  		if e.Id.Equal(oid) {
  1701  			return true
  1702  		}
  1703  	}
  1704  	return false
  1705  }
  1706  
  1707  // marshalSANs marshals a list of addresses into a the contents of an X.509
  1708  // SubjectAlternativeName extension.
  1709  func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) {
  1710  	var rawValues []asn1.RawValue
  1711  	for _, name := range dnsNames {
  1712  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)})
  1713  	}
  1714  	for _, email := range emailAddresses {
  1715  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)})
  1716  	}
  1717  	for _, rawIP := range ipAddresses {
  1718  		// If possible, we always want to encode IPv4 addresses in 4 bytes.
  1719  		ip := rawIP.To4()
  1720  		if ip == nil {
  1721  			ip = rawIP
  1722  		}
  1723  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip})
  1724  	}
  1725  	for _, uri := range uris {
  1726  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uri.String())})
  1727  	}
  1728  	return asn1.Marshal(rawValues)
  1729  }
  1730  
  1731  func isIA5String(s string) error {
  1732  	for _, r := range s {
  1733  		if r >= utf8.RuneSelf {
  1734  			return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
  1735  		}
  1736  	}
  1737  
  1738  	return nil
  1739  }
  1740  
  1741  func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte) (ret []pkix.Extension, err error) {
  1742  	ret = make([]pkix.Extension, 10 /* maximum number of elements. */)
  1743  	n := 0
  1744  
  1745  	if template.KeyUsage != 0 &&
  1746  		!oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
  1747  		ret[n].Id = oidExtensionKeyUsage
  1748  		ret[n].Critical = true
  1749  
  1750  		var a [2]byte
  1751  		a[0] = reverseBitsInAByte(byte(template.KeyUsage))
  1752  		a[1] = reverseBitsInAByte(byte(template.KeyUsage >> 8))
  1753  
  1754  		l := 1
  1755  		if a[1] != 0 {
  1756  			l = 2
  1757  		}
  1758  
  1759  		bitString := a[:l]
  1760  		ret[n].Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)})
  1761  		if err != nil {
  1762  			return
  1763  		}
  1764  		n++
  1765  	}
  1766  
  1767  	if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
  1768  		!oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
  1769  		ret[n].Id = oidExtensionExtendedKeyUsage
  1770  
  1771  		var oids []asn1.ObjectIdentifier
  1772  		for _, u := range template.ExtKeyUsage {
  1773  			if oid, ok := oidFromExtKeyUsage(u); ok {
  1774  				oids = append(oids, oid)
  1775  			} else {
  1776  				panic("internal error")
  1777  			}
  1778  		}
  1779  
  1780  		oids = append(oids, template.UnknownExtKeyUsage...)
  1781  
  1782  		ret[n].Value, err = asn1.Marshal(oids)
  1783  		if err != nil {
  1784  			return
  1785  		}
  1786  		n++
  1787  	}
  1788  
  1789  	if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) {
  1790  		// Leaving MaxPathLen as zero indicates that no maximum path
  1791  		// length is desired, unless MaxPathLenZero is set. A value of
  1792  		// -1 causes encoding/asn1 to omit the value as desired.
  1793  		maxPathLen := template.MaxPathLen
  1794  		if maxPathLen == 0 && !template.MaxPathLenZero {
  1795  			maxPathLen = -1
  1796  		}
  1797  		ret[n].Id = oidExtensionBasicConstraints
  1798  		ret[n].Value, err = asn1.Marshal(basicConstraints{template.IsCA, maxPathLen})
  1799  		ret[n].Critical = true
  1800  		if err != nil {
  1801  			return
  1802  		}
  1803  		n++
  1804  	}
  1805  
  1806  	if len(template.SubjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) {
  1807  		ret[n].Id = oidExtensionSubjectKeyId
  1808  		ret[n].Value, err = asn1.Marshal(template.SubjectKeyId)
  1809  		if err != nil {
  1810  			return
  1811  		}
  1812  		n++
  1813  	}
  1814  
  1815  	if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {
  1816  		ret[n].Id = oidExtensionAuthorityKeyId
  1817  		ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId})
  1818  		if err != nil {
  1819  			return
  1820  		}
  1821  		n++
  1822  	}
  1823  
  1824  	if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
  1825  		!oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) {
  1826  		ret[n].Id = oidExtensionAuthorityInfoAccess
  1827  		var aiaValues []authorityInfoAccess
  1828  		for _, name := range template.OCSPServer {
  1829  			aiaValues = append(aiaValues, authorityInfoAccess{
  1830  				Method:   oidAuthorityInfoAccessOcsp,
  1831  				Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1832  			})
  1833  		}
  1834  		for _, name := range template.IssuingCertificateURL {
  1835  			aiaValues = append(aiaValues, authorityInfoAccess{
  1836  				Method:   oidAuthorityInfoAccessIssuers,
  1837  				Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1838  			})
  1839  		}
  1840  		ret[n].Value, err = asn1.Marshal(aiaValues)
  1841  		if err != nil {
  1842  			return
  1843  		}
  1844  		n++
  1845  	}
  1846  
  1847  	if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  1848  		!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  1849  		ret[n].Id = oidExtensionSubjectAltName
  1850  		// From RFC 5280, Section 4.2.1.6:
  1851  		// “If the subject field contains an empty sequence ... then
  1852  		// subjectAltName extension ... is marked as critical”
  1853  		ret[n].Critical = subjectIsEmpty
  1854  		ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  1855  		if err != nil {
  1856  			return
  1857  		}
  1858  		n++
  1859  	}
  1860  
  1861  	if len(template.PolicyIdentifiers) > 0 &&
  1862  		!oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) {
  1863  		ret[n].Id = oidExtensionCertificatePolicies
  1864  		policies := make([]policyInformation, len(template.PolicyIdentifiers))
  1865  		for i, policy := range template.PolicyIdentifiers {
  1866  			policies[i].Policy = policy
  1867  		}
  1868  		ret[n].Value, err = asn1.Marshal(policies)
  1869  		if err != nil {
  1870  			return
  1871  		}
  1872  		n++
  1873  	}
  1874  
  1875  	if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 ||
  1876  		len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 ||
  1877  		len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 ||
  1878  		len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) &&
  1879  		!oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
  1880  		ret[n].Id = oidExtensionNameConstraints
  1881  		ret[n].Critical = template.PermittedDNSDomainsCritical
  1882  
  1883  		ipAndMask := func(ipNet *net.IPNet) []byte {
  1884  			maskedIP := ipNet.IP.Mask(ipNet.Mask)
  1885  			ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
  1886  			ipAndMask = append(ipAndMask, maskedIP...)
  1887  			ipAndMask = append(ipAndMask, ipNet.Mask...)
  1888  			return ipAndMask
  1889  		}
  1890  
  1891  		serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) {
  1892  			var b cryptobyte.Builder
  1893  
  1894  			for _, name := range dns {
  1895  				if err = isIA5String(name); err != nil {
  1896  					return nil, err
  1897  				}
  1898  
  1899  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1900  					b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) {
  1901  						b.AddBytes([]byte(name))
  1902  					})
  1903  				})
  1904  			}
  1905  
  1906  			for _, ipNet := range ips {
  1907  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1908  					b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) {
  1909  						b.AddBytes(ipAndMask(ipNet))
  1910  					})
  1911  				})
  1912  			}
  1913  
  1914  			for _, email := range emails {
  1915  				if err = isIA5String(email); err != nil {
  1916  					return nil, err
  1917  				}
  1918  
  1919  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1920  					b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) {
  1921  						b.AddBytes([]byte(email))
  1922  					})
  1923  				})
  1924  			}
  1925  
  1926  			for _, uriDomain := range uriDomains {
  1927  				if err = isIA5String(uriDomain); err != nil {
  1928  					return nil, err
  1929  				}
  1930  
  1931  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1932  					b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) {
  1933  						b.AddBytes([]byte(uriDomain))
  1934  					})
  1935  				})
  1936  			}
  1937  
  1938  			return b.Bytes()
  1939  		}
  1940  
  1941  		permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains)
  1942  		if err != nil {
  1943  			return nil, err
  1944  		}
  1945  
  1946  		excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains)
  1947  		if err != nil {
  1948  			return nil, err
  1949  		}
  1950  
  1951  		var b cryptobyte.Builder
  1952  		b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1953  			if len(permitted) > 0 {
  1954  				b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1955  					b.AddBytes(permitted)
  1956  				})
  1957  			}
  1958  
  1959  			if len(excluded) > 0 {
  1960  				b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1961  					b.AddBytes(excluded)
  1962  				})
  1963  			}
  1964  		})
  1965  
  1966  		ret[n].Value, err = b.Bytes()
  1967  		if err != nil {
  1968  			return nil, err
  1969  		}
  1970  		n++
  1971  	}
  1972  
  1973  	if len(template.CRLDistributionPoints) > 0 &&
  1974  		!oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) {
  1975  		ret[n].Id = oidExtensionCRLDistributionPoints
  1976  
  1977  		var crlDp []distributionPoint
  1978  		for _, name := range template.CRLDistributionPoints {
  1979  			dp := distributionPoint{
  1980  				DistributionPoint: distributionPointName{
  1981  					FullName: []asn1.RawValue{
  1982  						{Tag: 6, Class: 2, Bytes: []byte(name)},
  1983  					},
  1984  				},
  1985  			}
  1986  			crlDp = append(crlDp, dp)
  1987  		}
  1988  
  1989  		ret[n].Value, err = asn1.Marshal(crlDp)
  1990  		if err != nil {
  1991  			return
  1992  		}
  1993  		n++
  1994  	}
  1995  
  1996  	// Adding another extension here? Remember to update the maximum number
  1997  	// of elements in the make() at the top of the function and the list of
  1998  	// template fields used in CreateCertificate documentation.
  1999  
  2000  	return append(ret[:n], template.ExtraExtensions...), nil
  2001  }
  2002  
  2003  func subjectBytes(cert *Certificate) ([]byte, error) {
  2004  	if len(cert.RawSubject) > 0 {
  2005  		return cert.RawSubject, nil
  2006  	}
  2007  
  2008  	return asn1.Marshal(cert.Subject.ToRDNSequence())
  2009  }
  2010  
  2011  // signingParamsForPublicKey returns the parameters to use for signing with
  2012  // priv. If requestedSigAlgo is not zero then it overrides the default
  2013  // signature algorithm.
  2014  func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
  2015  	var pubType PublicKeyAlgorithm
  2016  
  2017  	switch pub := pub.(type) {
  2018  	case *rsa.PublicKey:
  2019  		pubType = RSA
  2020  		hashFunc = crypto.SHA256
  2021  		sigAlgo.Algorithm = oidSignatureSHA256WithRSA
  2022  		sigAlgo.Parameters = asn1.NullRawValue
  2023  
  2024  	case *ecdsa.PublicKey:
  2025  		pubType = ECDSA
  2026  
  2027  		switch pub.Curve {
  2028  		case elliptic.P224(), elliptic.P256():
  2029  			hashFunc = crypto.SHA256
  2030  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
  2031  		case elliptic.P384():
  2032  			hashFunc = crypto.SHA384
  2033  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
  2034  		case elliptic.P521():
  2035  			hashFunc = crypto.SHA512
  2036  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
  2037  		default:
  2038  			err = errors.New("x509: unknown elliptic curve")
  2039  		}
  2040  
  2041  	case ed25519.PublicKey:
  2042  		pubType = Ed25519
  2043  		sigAlgo.Algorithm = oidSignatureEd25519
  2044  
  2045  	default:
  2046  		err = errors.New("x509: only RSA, ECDSA and Ed25519 keys supported")
  2047  	}
  2048  
  2049  	if err != nil {
  2050  		return
  2051  	}
  2052  
  2053  	if requestedSigAlgo == 0 {
  2054  		return
  2055  	}
  2056  
  2057  	found := false
  2058  	for _, details := range signatureAlgorithmDetails {
  2059  		if details.algo == requestedSigAlgo {
  2060  			if details.pubKeyAlgo != pubType {
  2061  				err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
  2062  				return
  2063  			}
  2064  			sigAlgo.Algorithm, hashFunc = details.oid, details.hash
  2065  			if hashFunc == 0 && pubType != Ed25519 {
  2066  				err = errors.New("x509: cannot sign with hash function requested")
  2067  				return
  2068  			}
  2069  			if requestedSigAlgo.isRSAPSS() {
  2070  				sigAlgo.Parameters = rsaPSSParameters(hashFunc)
  2071  			}
  2072  			found = true
  2073  			break
  2074  		}
  2075  	}
  2076  
  2077  	if !found {
  2078  		err = errors.New("x509: unknown SignatureAlgorithm")
  2079  	}
  2080  
  2081  	return
  2082  }
  2083  
  2084  // emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is
  2085  // just an empty SEQUENCE.
  2086  var emptyASN1Subject = []byte{0x30, 0}
  2087  
  2088  // CreateCertificate creates a new X.509v3 certificate based on a template.
  2089  // The following members of template are used:
  2090  //
  2091  //  - AuthorityKeyId
  2092  //  - BasicConstraintsValid
  2093  //  - CRLDistributionPoints
  2094  //  - DNSNames
  2095  //  - EmailAddresses
  2096  //  - ExcludedDNSDomains
  2097  //  - ExcludedEmailAddresses
  2098  //  - ExcludedIPRanges
  2099  //  - ExcludedURIDomains
  2100  //  - ExtKeyUsage
  2101  //  - ExtraExtensions
  2102  //  - IsCA
  2103  //  - IssuingCertificateURL
  2104  //  - KeyUsage
  2105  //  - MaxPathLen
  2106  //  - MaxPathLenZero
  2107  //  - NotAfter
  2108  //  - NotBefore
  2109  //  - OCSPServer
  2110  //  - PermittedDNSDomains
  2111  //  - PermittedDNSDomainsCritical
  2112  //  - PermittedEmailAddresses
  2113  //  - PermittedIPRanges
  2114  //  - PermittedURIDomains
  2115  //  - PolicyIdentifiers
  2116  //  - SerialNumber
  2117  //  - SignatureAlgorithm
  2118  //  - Subject
  2119  //  - SubjectKeyId
  2120  //  - URIs
  2121  //  - UnknownExtKeyUsage
  2122  //
  2123  // The certificate is signed by parent. If parent is equal to template then the
  2124  // certificate is self-signed. The parameter pub is the public key of the
  2125  // signee and priv is the private key of the signer.
  2126  //
  2127  // The returned slice is the certificate in DER encoding.
  2128  //
  2129  // The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and
  2130  // ed25519.PublicKey. pub must be a supported key type, and priv must be a
  2131  // crypto.Signer with a supported public key.
  2132  //
  2133  // The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
  2134  // unless the resulting certificate is self-signed. Otherwise the value from
  2135  // template will be used.
  2136  func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) {
  2137  	key, ok := priv.(crypto.Signer)
  2138  	if !ok {
  2139  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2140  	}
  2141  
  2142  	if template.SerialNumber == nil {
  2143  		return nil, errors.New("x509: no SerialNumber given")
  2144  	}
  2145  
  2146  	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
  2147  	if err != nil {
  2148  		return nil, err
  2149  	}
  2150  
  2151  	publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub)
  2152  	if err != nil {
  2153  		return nil, err
  2154  	}
  2155  
  2156  	asn1Issuer, err := subjectBytes(parent)
  2157  	if err != nil {
  2158  		return
  2159  	}
  2160  
  2161  	asn1Subject, err := subjectBytes(template)
  2162  	if err != nil {
  2163  		return
  2164  	}
  2165  
  2166  	authorityKeyId := template.AuthorityKeyId
  2167  	if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 {
  2168  		authorityKeyId = parent.SubjectKeyId
  2169  	}
  2170  
  2171  	extensions, err := buildExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId)
  2172  	if err != nil {
  2173  		return
  2174  	}
  2175  
  2176  	encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
  2177  	c := tbsCertificate{
  2178  		Version:            2,
  2179  		SerialNumber:       template.SerialNumber,
  2180  		SignatureAlgorithm: signatureAlgorithm,
  2181  		Issuer:             asn1.RawValue{FullBytes: asn1Issuer},
  2182  		Validity:           validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
  2183  		Subject:            asn1.RawValue{FullBytes: asn1Subject},
  2184  		PublicKey:          publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
  2185  		Extensions:         extensions,
  2186  	}
  2187  
  2188  	tbsCertContents, err := asn1.Marshal(c)
  2189  	if err != nil {
  2190  		return
  2191  	}
  2192  	c.Raw = tbsCertContents
  2193  
  2194  	signed := tbsCertContents
  2195  	if hashFunc != 0 {
  2196  		h := hashFunc.New()
  2197  		h.Write(signed)
  2198  		signed = h.Sum(nil)
  2199  	}
  2200  
  2201  	var signerOpts crypto.SignerOpts = hashFunc
  2202  	if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() {
  2203  		signerOpts = &rsa.PSSOptions{
  2204  			SaltLength: rsa.PSSSaltLengthEqualsHash,
  2205  			Hash:       hashFunc,
  2206  		}
  2207  	}
  2208  
  2209  	var signature []byte
  2210  	signature, err = key.Sign(rand, signed, signerOpts)
  2211  	if err != nil {
  2212  		return
  2213  	}
  2214  
  2215  	return asn1.Marshal(certificate{
  2216  		nil,
  2217  		c,
  2218  		signatureAlgorithm,
  2219  		asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  2220  	})
  2221  }
  2222  
  2223  // pemCRLPrefix is the magic string that indicates that we have a PEM encoded
  2224  // CRL.
  2225  var pemCRLPrefix = []byte("-----BEGIN X509 CRL")
  2226  
  2227  // pemType is the type of a PEM encoded CRL.
  2228  var pemType = "X509 CRL"
  2229  
  2230  // ParseCRL parses a CRL from the given bytes. It's often the case that PEM
  2231  // encoded CRLs will appear where they should be DER encoded, so this function
  2232  // will transparently handle PEM encoding as long as there isn't any leading
  2233  // garbage.
  2234  func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) {
  2235  	if bytes.HasPrefix(crlBytes, pemCRLPrefix) {
  2236  		block, _ := pem.Decode(crlBytes)
  2237  		if block != nil && block.Type == pemType {
  2238  			crlBytes = block.Bytes
  2239  		}
  2240  	}
  2241  	return ParseDERCRL(crlBytes)
  2242  }
  2243  
  2244  // ParseDERCRL parses a DER encoded CRL from the given bytes.
  2245  func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) {
  2246  	certList := new(pkix.CertificateList)
  2247  	if rest, err := asn1.Unmarshal(derBytes, certList); err != nil {
  2248  		return nil, err
  2249  	} else if len(rest) != 0 {
  2250  		return nil, errors.New("x509: trailing data after CRL")
  2251  	}
  2252  	return certList, nil
  2253  }
  2254  
  2255  // CreateCRL returns a DER encoded CRL, signed by this Certificate, that
  2256  // contains the given list of revoked certificates.
  2257  func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
  2258  	key, ok := priv.(crypto.Signer)
  2259  	if !ok {
  2260  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2261  	}
  2262  
  2263  	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0)
  2264  	if err != nil {
  2265  		return nil, err
  2266  	}
  2267  
  2268  	// Force revocation times to UTC per RFC 5280.
  2269  	revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
  2270  	for i, rc := range revokedCerts {
  2271  		rc.RevocationTime = rc.RevocationTime.UTC()
  2272  		revokedCertsUTC[i] = rc
  2273  	}
  2274  
  2275  	tbsCertList := pkix.TBSCertificateList{
  2276  		Version:             1,
  2277  		Signature:           signatureAlgorithm,
  2278  		Issuer:              c.Subject.ToRDNSequence(),
  2279  		ThisUpdate:          now.UTC(),
  2280  		NextUpdate:          expiry.UTC(),
  2281  		RevokedCertificates: revokedCertsUTC,
  2282  	}
  2283  
  2284  	// Authority Key Id
  2285  	if len(c.SubjectKeyId) > 0 {
  2286  		var aki pkix.Extension
  2287  		aki.Id = oidExtensionAuthorityKeyId
  2288  		aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId})
  2289  		if err != nil {
  2290  			return
  2291  		}
  2292  		tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
  2293  	}
  2294  
  2295  	tbsCertListContents, err := asn1.Marshal(tbsCertList)
  2296  	if err != nil {
  2297  		return
  2298  	}
  2299  
  2300  	h := hashFunc.New()
  2301  	h.Write(tbsCertListContents)
  2302  	digest := h.Sum(nil)
  2303  
  2304  	var signature []byte
  2305  	signature, err = key.Sign(rand, digest, hashFunc)
  2306  	if err != nil {
  2307  		return
  2308  	}
  2309  
  2310  	return asn1.Marshal(pkix.CertificateList{
  2311  		TBSCertList:        tbsCertList,
  2312  		SignatureAlgorithm: signatureAlgorithm,
  2313  		SignatureValue:     asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  2314  	})
  2315  }
  2316  
  2317  // CertificateRequest represents a PKCS #10, certificate signature request.
  2318  type CertificateRequest struct {
  2319  	Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
  2320  	RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
  2321  	RawSubjectPublicKeyInfo  []byte // DER encoded SubjectPublicKeyInfo.
  2322  	RawSubject               []byte // DER encoded Subject.
  2323  
  2324  	Version            int
  2325  	Signature          []byte
  2326  	SignatureAlgorithm SignatureAlgorithm
  2327  
  2328  	PublicKeyAlgorithm PublicKeyAlgorithm
  2329  	PublicKey          interface{}
  2330  
  2331  	Subject pkix.Name
  2332  
  2333  	// Attributes contains the CSR attributes that can parse as
  2334  	// pkix.AttributeTypeAndValueSET.
  2335  	//
  2336  	// Deprecated: Use Extensions and ExtraExtensions instead for parsing and
  2337  	// generating the requestedExtensions attribute.
  2338  	Attributes []pkix.AttributeTypeAndValueSET
  2339  
  2340  	// Extensions contains all requested extensions, in raw form. When parsing
  2341  	// CSRs, this can be used to extract extensions that are not parsed by this
  2342  	// package.
  2343  	Extensions []pkix.Extension
  2344  
  2345  	// ExtraExtensions contains extensions to be copied, raw, into any CSR
  2346  	// marshaled by CreateCertificateRequest. Values override any extensions
  2347  	// that would otherwise be produced based on the other fields but are
  2348  	// overridden by any extensions specified in Attributes.
  2349  	//
  2350  	// The ExtraExtensions field is not populated by ParseCertificateRequest,
  2351  	// see Extensions instead.
  2352  	ExtraExtensions []pkix.Extension
  2353  
  2354  	// Subject Alternate Name values.
  2355  	DNSNames       []string
  2356  	EmailAddresses []string
  2357  	IPAddresses    []net.IP
  2358  	URIs           []*url.URL
  2359  }
  2360  
  2361  // These structures reflect the ASN.1 structure of X.509 certificate
  2362  // signature requests (see RFC 2986):
  2363  
  2364  type tbsCertificateRequest struct {
  2365  	Raw           asn1.RawContent
  2366  	Version       int
  2367  	Subject       asn1.RawValue
  2368  	PublicKey     publicKeyInfo
  2369  	RawAttributes []asn1.RawValue `asn1:"tag:0"`
  2370  }
  2371  
  2372  type certificateRequest struct {
  2373  	Raw                asn1.RawContent
  2374  	TBSCSR             tbsCertificateRequest
  2375  	SignatureAlgorithm pkix.AlgorithmIdentifier
  2376  	SignatureValue     asn1.BitString
  2377  }
  2378  
  2379  // oidExtensionRequest is a PKCS#9 OBJECT IDENTIFIER that indicates requested
  2380  // extensions in a CSR.
  2381  var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}
  2382  
  2383  // newRawAttributes converts AttributeTypeAndValueSETs from a template
  2384  // CertificateRequest's Attributes into tbsCertificateRequest RawAttributes.
  2385  func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) {
  2386  	var rawAttributes []asn1.RawValue
  2387  	b, err := asn1.Marshal(attributes)
  2388  	if err != nil {
  2389  		return nil, err
  2390  	}
  2391  	rest, err := asn1.Unmarshal(b, &rawAttributes)
  2392  	if err != nil {
  2393  		return nil, err
  2394  	}
  2395  	if len(rest) != 0 {
  2396  		return nil, errors.New("x509: failed to unmarshal raw CSR Attributes")
  2397  	}
  2398  	return rawAttributes, nil
  2399  }
  2400  
  2401  // parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs.
  2402  func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET {
  2403  	var attributes []pkix.AttributeTypeAndValueSET
  2404  	for _, rawAttr := range rawAttributes {
  2405  		var attr pkix.AttributeTypeAndValueSET
  2406  		rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr)
  2407  		// Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET
  2408  		// (i.e.: challengePassword or unstructuredName).
  2409  		if err == nil && len(rest) == 0 {
  2410  			attributes = append(attributes, attr)
  2411  		}
  2412  	}
  2413  	return attributes
  2414  }
  2415  
  2416  // parseCSRExtensions parses the attributes from a CSR and extracts any
  2417  // requested extensions.
  2418  func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) {
  2419  	// pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1.
  2420  	type pkcs10Attribute struct {
  2421  		Id     asn1.ObjectIdentifier
  2422  		Values []asn1.RawValue `asn1:"set"`
  2423  	}
  2424  
  2425  	var ret []pkix.Extension
  2426  	for _, rawAttr := range rawAttributes {
  2427  		var attr pkcs10Attribute
  2428  		if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
  2429  			// Ignore attributes that don't parse.
  2430  			continue
  2431  		}
  2432  
  2433  		if !attr.Id.Equal(oidExtensionRequest) {
  2434  			continue
  2435  		}
  2436  
  2437  		var extensions []pkix.Extension
  2438  		if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
  2439  			return nil, err
  2440  		}
  2441  		ret = append(ret, extensions...)
  2442  	}
  2443  
  2444  	return ret, nil
  2445  }
  2446  
  2447  // CreateCertificateRequest creates a new certificate request based on a
  2448  // template. The following members of template are used:
  2449  //
  2450  //  - SignatureAlgorithm
  2451  //  - Subject
  2452  //  - DNSNames
  2453  //  - EmailAddresses
  2454  //  - IPAddresses
  2455  //  - URIs
  2456  //  - ExtraExtensions
  2457  //  - Attributes (deprecated)
  2458  //
  2459  // priv is the private key to sign the CSR with, and the corresponding public
  2460  // key will be included in the CSR. It must implement crypto.Signer and its
  2461  // Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a
  2462  // ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or
  2463  // ed25519.PrivateKey satisfies this.)
  2464  //
  2465  // The returned slice is the certificate request in DER encoding.
  2466  func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) {
  2467  	key, ok := priv.(crypto.Signer)
  2468  	if !ok {
  2469  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2470  	}
  2471  
  2472  	var hashFunc crypto.Hash
  2473  	var sigAlgo pkix.AlgorithmIdentifier
  2474  	hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
  2475  	if err != nil {
  2476  		return nil, err
  2477  	}
  2478  
  2479  	var publicKeyBytes []byte
  2480  	var publicKeyAlgorithm pkix.AlgorithmIdentifier
  2481  	publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public())
  2482  	if err != nil {
  2483  		return nil, err
  2484  	}
  2485  
  2486  	var extensions []pkix.Extension
  2487  
  2488  	if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  2489  		!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  2490  		sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  2491  		if err != nil {
  2492  			return nil, err
  2493  		}
  2494  
  2495  		extensions = append(extensions, pkix.Extension{
  2496  			Id:    oidExtensionSubjectAltName,
  2497  			Value: sanBytes,
  2498  		})
  2499  	}
  2500  
  2501  	extensions = append(extensions, template.ExtraExtensions...)
  2502  
  2503  	// Make a copy of template.Attributes because we may alter it below.
  2504  	attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes))
  2505  	for _, attr := range template.Attributes {
  2506  		values := make([][]pkix.AttributeTypeAndValue, len(attr.Value))
  2507  		copy(values, attr.Value)
  2508  		attributes = append(attributes, pkix.AttributeTypeAndValueSET{
  2509  			Type:  attr.Type,
  2510  			Value: values,
  2511  		})
  2512  	}
  2513  
  2514  	extensionsAppended := false
  2515  	if len(extensions) > 0 {
  2516  		// Append the extensions to an existing attribute if possible.
  2517  		for _, atvSet := range attributes {
  2518  			if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 {
  2519  				continue
  2520  			}
  2521  
  2522  			// specifiedExtensions contains all the extensions that we
  2523  			// found specified via template.Attributes.
  2524  			specifiedExtensions := make(map[string]bool)
  2525  
  2526  			for _, atvs := range atvSet.Value {
  2527  				for _, atv := range atvs {
  2528  					specifiedExtensions[atv.Type.String()] = true
  2529  				}
  2530  			}
  2531  
  2532  			newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions))
  2533  			newValue = append(newValue, atvSet.Value[0]...)
  2534  
  2535  			for _, e := range extensions {
  2536  				if specifiedExtensions[e.Id.String()] {
  2537  					// Attributes already contained a value for
  2538  					// this extension and it takes priority.
  2539  					continue
  2540  				}
  2541  
  2542  				newValue = append(newValue, pkix.AttributeTypeAndValue{
  2543  					// There is no place for the critical
  2544  					// flag in an AttributeTypeAndValue.
  2545  					Type:  e.Id,
  2546  					Value: e.Value,
  2547  				})
  2548  			}
  2549  
  2550  			atvSet.Value[0] = newValue
  2551  			extensionsAppended = true
  2552  			break
  2553  		}
  2554  	}
  2555  
  2556  	rawAttributes, err := newRawAttributes(attributes)
  2557  	if err != nil {
  2558  		return
  2559  	}
  2560  
  2561  	// If not included in attributes, add a new attribute for the
  2562  	// extensions.
  2563  	if len(extensions) > 0 && !extensionsAppended {
  2564  		attr := struct {
  2565  			Type  asn1.ObjectIdentifier
  2566  			Value [][]pkix.Extension `asn1:"set"`
  2567  		}{
  2568  			Type:  oidExtensionRequest,
  2569  			Value: [][]pkix.Extension{extensions},
  2570  		}
  2571  
  2572  		b, err := asn1.Marshal(attr)
  2573  		if err != nil {
  2574  			return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error())
  2575  		}
  2576  
  2577  		var rawValue asn1.RawValue
  2578  		if _, err := asn1.Unmarshal(b, &rawValue); err != nil {
  2579  			return nil, err
  2580  		}
  2581  
  2582  		rawAttributes = append(rawAttributes, rawValue)
  2583  	}
  2584  
  2585  	asn1Subject := template.RawSubject
  2586  	if len(asn1Subject) == 0 {
  2587  		asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence())
  2588  		if err != nil {
  2589  			return nil, err
  2590  		}
  2591  	}
  2592  
  2593  	tbsCSR := tbsCertificateRequest{
  2594  		Version: 0, // PKCS #10, RFC 2986
  2595  		Subject: asn1.RawValue{FullBytes: asn1Subject},
  2596  		PublicKey: publicKeyInfo{
  2597  			Algorithm: publicKeyAlgorithm,
  2598  			PublicKey: asn1.BitString{
  2599  				Bytes:     publicKeyBytes,
  2600  				BitLength: len(publicKeyBytes) * 8,
  2601  			},
  2602  		},
  2603  		RawAttributes: rawAttributes,
  2604  	}
  2605  
  2606  	tbsCSRContents, err := asn1.Marshal(tbsCSR)
  2607  	if err != nil {
  2608  		return
  2609  	}
  2610  	tbsCSR.Raw = tbsCSRContents
  2611  
  2612  	signed := tbsCSRContents
  2613  	if hashFunc != 0 {
  2614  		h := hashFunc.New()
  2615  		h.Write(signed)
  2616  		signed = h.Sum(nil)
  2617  	}
  2618  
  2619  	var signature []byte
  2620  	signature, err = key.Sign(rand, signed, hashFunc)
  2621  	if err != nil {
  2622  		return
  2623  	}
  2624  
  2625  	return asn1.Marshal(certificateRequest{
  2626  		TBSCSR:             tbsCSR,
  2627  		SignatureAlgorithm: sigAlgo,
  2628  		SignatureValue: asn1.BitString{
  2629  			Bytes:     signature,
  2630  			BitLength: len(signature) * 8,
  2631  		},
  2632  	})
  2633  }
  2634  
  2635  // ParseCertificateRequest parses a single certificate request from the
  2636  // given ASN.1 DER data.
  2637  func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) {
  2638  	var csr certificateRequest
  2639  
  2640  	rest, err := asn1.Unmarshal(asn1Data, &csr)
  2641  	if err != nil {
  2642  		return nil, err
  2643  	} else if len(rest) != 0 {
  2644  		return nil, asn1.SyntaxError{Msg: "trailing data"}
  2645  	}
  2646  
  2647  	return parseCertificateRequest(&csr)
  2648  }
  2649  
  2650  func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) {
  2651  	out := &CertificateRequest{
  2652  		Raw:                      in.Raw,
  2653  		RawTBSCertificateRequest: in.TBSCSR.Raw,
  2654  		RawSubjectPublicKeyInfo:  in.TBSCSR.PublicKey.Raw,
  2655  		RawSubject:               in.TBSCSR.Subject.FullBytes,
  2656  
  2657  		Signature:          in.SignatureValue.RightAlign(),
  2658  		SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm),
  2659  
  2660  		PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm),
  2661  
  2662  		Version:    in.TBSCSR.Version,
  2663  		Attributes: parseRawAttributes(in.TBSCSR.RawAttributes),
  2664  	}
  2665  
  2666  	var err error
  2667  	out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey)
  2668  	if err != nil {
  2669  		return nil, err
  2670  	}
  2671  
  2672  	var subject pkix.RDNSequence
  2673  	if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil {
  2674  		return nil, err
  2675  	} else if len(rest) != 0 {
  2676  		return nil, errors.New("x509: trailing data after X.509 Subject")
  2677  	}
  2678  
  2679  	out.Subject.FillFromRDNSequence(&subject)
  2680  
  2681  	if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil {
  2682  		return nil, err
  2683  	}
  2684  
  2685  	for _, extension := range out.Extensions {
  2686  		if extension.Id.Equal(oidExtensionSubjectAltName) {
  2687  			out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value)
  2688  			if err != nil {
  2689  				return nil, err
  2690  			}
  2691  		}
  2692  	}
  2693  
  2694  	return out, nil
  2695  }
  2696  
  2697  // CheckSignature reports whether the signature on c is valid.
  2698  func (c *CertificateRequest) CheckSignature() error {
  2699  	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
  2700  }
  2701  

View as plain text