...

Source file src/crypto/x509/x509.go

Documentation: crypto/x509

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package x509 parses X.509-encoded keys and certificates.
     6  //
     7  // On UNIX systems the environment variables SSL_CERT_FILE and SSL_CERT_DIR
     8  // can be used to override the system default locations for the SSL certificate
     9  // file and SSL certificate files directory, respectively.
    10  package x509
    11  
    12  import (
    13  	"bytes"
    14  	"crypto"
    15  	"crypto/dsa"
    16  	"crypto/ecdsa"
    17  	"crypto/elliptic"
    18  	"crypto/rsa"
    19  	_ "crypto/sha1"
    20  	_ "crypto/sha256"
    21  	_ "crypto/sha512"
    22  	"crypto/x509/pkix"
    23  	"encoding/asn1"
    24  	"encoding/pem"
    25  	"errors"
    26  	"fmt"
    27  	"internal/x/crypto/cryptobyte"
    28  	cryptobyte_asn1 "internal/x/crypto/cryptobyte/asn1"
    29  	"io"
    30  	"math/big"
    31  	"net"
    32  	"net/url"
    33  	"strconv"
    34  	"strings"
    35  	"time"
    36  	"unicode/utf8"
    37  )
    38  
    39  // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
    40  // in RFC 3280.
    41  type pkixPublicKey struct {
    42  	Algo      pkix.AlgorithmIdentifier
    43  	BitString asn1.BitString
    44  }
    45  
    46  // ParsePKIXPublicKey parses a DER encoded public key. These values are
    47  // typically found in PEM blocks with "BEGIN PUBLIC KEY".
    48  //
    49  // Supported key types include RSA, DSA, and ECDSA. Unknown key
    50  // types result in an error.
    51  //
    52  // On success, pub will be of type *rsa.PublicKey, *dsa.PublicKey,
    53  // or *ecdsa.PublicKey.
    54  func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
    55  	var pki publicKeyInfo
    56  	if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
    57  		return nil, err
    58  	} else if len(rest) != 0 {
    59  		return nil, errors.New("x509: trailing data after ASN.1 of public-key")
    60  	}
    61  	algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
    62  	if algo == UnknownPublicKeyAlgorithm {
    63  		return nil, errors.New("x509: unknown public key algorithm")
    64  	}
    65  	return parsePublicKey(algo, &pki)
    66  }
    67  
    68  func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
    69  	switch pub := pub.(type) {
    70  	case *rsa.PublicKey:
    71  		publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
    72  			N: pub.N,
    73  			E: pub.E,
    74  		})
    75  		if err != nil {
    76  			return nil, pkix.AlgorithmIdentifier{}, err
    77  		}
    78  		publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
    79  		// This is a NULL parameters value which is required by
    80  		// RFC 3279, Section 2.3.1.
    81  		publicKeyAlgorithm.Parameters = asn1.NullRawValue
    82  	case *ecdsa.PublicKey:
    83  		publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
    84  		oid, ok := oidFromNamedCurve(pub.Curve)
    85  		if !ok {
    86  			return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
    87  		}
    88  		publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
    89  		var paramBytes []byte
    90  		paramBytes, err = asn1.Marshal(oid)
    91  		if err != nil {
    92  			return
    93  		}
    94  		publicKeyAlgorithm.Parameters.FullBytes = paramBytes
    95  	default:
    96  		return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: only RSA and ECDSA public keys supported")
    97  	}
    98  
    99  	return publicKeyBytes, publicKeyAlgorithm, nil
   100  }
   101  
   102  // MarshalPKIXPublicKey serialises a public key to DER-encoded PKIX format.
   103  func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
   104  	var publicKeyBytes []byte
   105  	var publicKeyAlgorithm pkix.AlgorithmIdentifier
   106  	var err error
   107  
   108  	if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
   109  		return nil, err
   110  	}
   111  
   112  	pkix := pkixPublicKey{
   113  		Algo: publicKeyAlgorithm,
   114  		BitString: asn1.BitString{
   115  			Bytes:     publicKeyBytes,
   116  			BitLength: 8 * len(publicKeyBytes),
   117  		},
   118  	}
   119  
   120  	ret, _ := asn1.Marshal(pkix)
   121  	return ret, nil
   122  }
   123  
   124  // These structures reflect the ASN.1 structure of X.509 certificates.:
   125  
   126  type certificate struct {
   127  	Raw                asn1.RawContent
   128  	TBSCertificate     tbsCertificate
   129  	SignatureAlgorithm pkix.AlgorithmIdentifier
   130  	SignatureValue     asn1.BitString
   131  }
   132  
   133  type tbsCertificate struct {
   134  	Raw                asn1.RawContent
   135  	Version            int `asn1:"optional,explicit,default:0,tag:0"`
   136  	SerialNumber       *big.Int
   137  	SignatureAlgorithm pkix.AlgorithmIdentifier
   138  	Issuer             asn1.RawValue
   139  	Validity           validity
   140  	Subject            asn1.RawValue
   141  	PublicKey          publicKeyInfo
   142  	UniqueId           asn1.BitString   `asn1:"optional,tag:1"`
   143  	SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
   144  	Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
   145  }
   146  
   147  type dsaAlgorithmParameters struct {
   148  	P, Q, G *big.Int
   149  }
   150  
   151  type dsaSignature struct {
   152  	R, S *big.Int
   153  }
   154  
   155  type ecdsaSignature dsaSignature
   156  
   157  type validity struct {
   158  	NotBefore, NotAfter time.Time
   159  }
   160  
   161  type publicKeyInfo struct {
   162  	Raw       asn1.RawContent
   163  	Algorithm pkix.AlgorithmIdentifier
   164  	PublicKey asn1.BitString
   165  }
   166  
   167  // RFC 5280,  4.2.1.1
   168  type authKeyId struct {
   169  	Id []byte `asn1:"optional,tag:0"`
   170  }
   171  
   172  type SignatureAlgorithm int
   173  
   174  const (
   175  	UnknownSignatureAlgorithm SignatureAlgorithm = iota
   176  	MD2WithRSA
   177  	MD5WithRSA
   178  	SHA1WithRSA
   179  	SHA256WithRSA
   180  	SHA384WithRSA
   181  	SHA512WithRSA
   182  	DSAWithSHA1
   183  	DSAWithSHA256
   184  	ECDSAWithSHA1
   185  	ECDSAWithSHA256
   186  	ECDSAWithSHA384
   187  	ECDSAWithSHA512
   188  	SHA256WithRSAPSS
   189  	SHA384WithRSAPSS
   190  	SHA512WithRSAPSS
   191  )
   192  
   193  func (algo SignatureAlgorithm) isRSAPSS() bool {
   194  	switch algo {
   195  	case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS:
   196  		return true
   197  	default:
   198  		return false
   199  	}
   200  }
   201  
   202  func (algo SignatureAlgorithm) String() string {
   203  	for _, details := range signatureAlgorithmDetails {
   204  		if details.algo == algo {
   205  			return details.name
   206  		}
   207  	}
   208  	return strconv.Itoa(int(algo))
   209  }
   210  
   211  type PublicKeyAlgorithm int
   212  
   213  const (
   214  	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
   215  	RSA
   216  	DSA
   217  	ECDSA
   218  )
   219  
   220  var publicKeyAlgoName = [...]string{
   221  	RSA:   "RSA",
   222  	DSA:   "DSA",
   223  	ECDSA: "ECDSA",
   224  }
   225  
   226  func (algo PublicKeyAlgorithm) String() string {
   227  	if 0 < algo && int(algo) < len(publicKeyAlgoName) {
   228  		return publicKeyAlgoName[algo]
   229  	}
   230  	return strconv.Itoa(int(algo))
   231  }
   232  
   233  // OIDs for signature algorithms
   234  //
   235  // pkcs-1 OBJECT IDENTIFIER ::= {
   236  //    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
   237  //
   238  //
   239  // RFC 3279 2.2.1 RSA Signature Algorithms
   240  //
   241  // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
   242  //
   243  // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
   244  //
   245  // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
   246  //
   247  // dsaWithSha1 OBJECT IDENTIFIER ::= {
   248  //    iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }
   249  //
   250  // RFC 3279 2.2.3 ECDSA Signature Algorithm
   251  //
   252  // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
   253  // 	  iso(1) member-body(2) us(840) ansi-x962(10045)
   254  //    signatures(4) ecdsa-with-SHA1(1)}
   255  //
   256  //
   257  // RFC 4055 5 PKCS #1 Version 1.5
   258  //
   259  // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
   260  //
   261  // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
   262  //
   263  // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
   264  //
   265  //
   266  // RFC 5758 3.1 DSA Signature Algorithms
   267  //
   268  // dsaWithSha256 OBJECT IDENTIFIER ::= {
   269  //    joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
   270  //    csor(3) algorithms(4) id-dsa-with-sha2(3) 2}
   271  //
   272  // RFC 5758 3.2 ECDSA Signature Algorithm
   273  //
   274  // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   275  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
   276  //
   277  // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   278  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
   279  //
   280  // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   281  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
   282  
   283  var (
   284  	oidSignatureMD2WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
   285  	oidSignatureMD5WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
   286  	oidSignatureSHA1WithRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
   287  	oidSignatureSHA256WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
   288  	oidSignatureSHA384WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
   289  	oidSignatureSHA512WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
   290  	oidSignatureRSAPSS          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
   291  	oidSignatureDSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
   292  	oidSignatureDSAWithSHA256   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
   293  	oidSignatureECDSAWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
   294  	oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
   295  	oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
   296  	oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
   297  
   298  	oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
   299  	oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
   300  	oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
   301  
   302  	oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
   303  
   304  	// oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
   305  	// but it's specified by ISO. Microsoft's makecert.exe has been known
   306  	// to produce certificates with this OID.
   307  	oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
   308  )
   309  
   310  var signatureAlgorithmDetails = []struct {
   311  	algo       SignatureAlgorithm
   312  	name       string
   313  	oid        asn1.ObjectIdentifier
   314  	pubKeyAlgo PublicKeyAlgorithm
   315  	hash       crypto.Hash
   316  }{
   317  	{MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
   318  	{MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
   319  	{SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
   320  	{SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
   321  	{SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
   322  	{SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
   323  	{SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
   324  	{SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
   325  	{SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
   326  	{SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
   327  	{DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
   328  	{DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
   329  	{ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
   330  	{ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
   331  	{ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
   332  	{ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
   333  }
   334  
   335  // pssParameters reflects the parameters in an AlgorithmIdentifier that
   336  // specifies RSA PSS. See RFC 3447, Appendix A.2.3.
   337  type pssParameters struct {
   338  	// The following three fields are not marked as
   339  	// optional because the default values specify SHA-1,
   340  	// which is no longer suitable for use in signatures.
   341  	Hash         pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
   342  	MGF          pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
   343  	SaltLength   int                      `asn1:"explicit,tag:2"`
   344  	TrailerField int                      `asn1:"optional,explicit,tag:3,default:1"`
   345  }
   346  
   347  // rsaPSSParameters returns an asn1.RawValue suitable for use as the Parameters
   348  // in an AlgorithmIdentifier that specifies RSA PSS.
   349  func rsaPSSParameters(hashFunc crypto.Hash) asn1.RawValue {
   350  	var hashOID asn1.ObjectIdentifier
   351  
   352  	switch hashFunc {
   353  	case crypto.SHA256:
   354  		hashOID = oidSHA256
   355  	case crypto.SHA384:
   356  		hashOID = oidSHA384
   357  	case crypto.SHA512:
   358  		hashOID = oidSHA512
   359  	}
   360  
   361  	params := pssParameters{
   362  		Hash: pkix.AlgorithmIdentifier{
   363  			Algorithm:  hashOID,
   364  			Parameters: asn1.NullRawValue,
   365  		},
   366  		MGF: pkix.AlgorithmIdentifier{
   367  			Algorithm: oidMGF1,
   368  		},
   369  		SaltLength:   hashFunc.Size(),
   370  		TrailerField: 1,
   371  	}
   372  
   373  	mgf1Params := pkix.AlgorithmIdentifier{
   374  		Algorithm:  hashOID,
   375  		Parameters: asn1.NullRawValue,
   376  	}
   377  
   378  	var err error
   379  	params.MGF.Parameters.FullBytes, err = asn1.Marshal(mgf1Params)
   380  	if err != nil {
   381  		panic(err)
   382  	}
   383  
   384  	serialized, err := asn1.Marshal(params)
   385  	if err != nil {
   386  		panic(err)
   387  	}
   388  
   389  	return asn1.RawValue{FullBytes: serialized}
   390  }
   391  
   392  func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm {
   393  	if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
   394  		for _, details := range signatureAlgorithmDetails {
   395  			if ai.Algorithm.Equal(details.oid) {
   396  				return details.algo
   397  			}
   398  		}
   399  		return UnknownSignatureAlgorithm
   400  	}
   401  
   402  	// RSA PSS is special because it encodes important parameters
   403  	// in the Parameters.
   404  
   405  	var params pssParameters
   406  	if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, &params); err != nil {
   407  		return UnknownSignatureAlgorithm
   408  	}
   409  
   410  	var mgf1HashFunc pkix.AlgorithmIdentifier
   411  	if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
   412  		return UnknownSignatureAlgorithm
   413  	}
   414  
   415  	// PSS is greatly overburdened with options. This code forces them into
   416  	// three buckets by requiring that the MGF1 hash function always match the
   417  	// message hash function (as recommended in RFC 3447, Section 8.1), that the
   418  	// salt length matches the hash length, and that the trailer field has the
   419  	// default value.
   420  	if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
   421  		!params.MGF.Algorithm.Equal(oidMGF1) ||
   422  		!mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
   423  		(len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
   424  		params.TrailerField != 1 {
   425  		return UnknownSignatureAlgorithm
   426  	}
   427  
   428  	switch {
   429  	case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
   430  		return SHA256WithRSAPSS
   431  	case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
   432  		return SHA384WithRSAPSS
   433  	case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
   434  		return SHA512WithRSAPSS
   435  	}
   436  
   437  	return UnknownSignatureAlgorithm
   438  }
   439  
   440  // RFC 3279, 2.3 Public Key Algorithms
   441  //
   442  // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   443  //    rsadsi(113549) pkcs(1) 1 }
   444  //
   445  // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
   446  //
   447  // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   448  //    x9-57(10040) x9cm(4) 1 }
   449  //
   450  // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
   451  //
   452  // id-ecPublicKey OBJECT IDENTIFIER ::= {
   453  //       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
   454  var (
   455  	oidPublicKeyRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
   456  	oidPublicKeyDSA   = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
   457  	oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
   458  )
   459  
   460  func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
   461  	switch {
   462  	case oid.Equal(oidPublicKeyRSA):
   463  		return RSA
   464  	case oid.Equal(oidPublicKeyDSA):
   465  		return DSA
   466  	case oid.Equal(oidPublicKeyECDSA):
   467  		return ECDSA
   468  	}
   469  	return UnknownPublicKeyAlgorithm
   470  }
   471  
   472  // RFC 5480, 2.1.1.1. Named Curve
   473  //
   474  // secp224r1 OBJECT IDENTIFIER ::= {
   475  //   iso(1) identified-organization(3) certicom(132) curve(0) 33 }
   476  //
   477  // secp256r1 OBJECT IDENTIFIER ::= {
   478  //   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
   479  //   prime(1) 7 }
   480  //
   481  // secp384r1 OBJECT IDENTIFIER ::= {
   482  //   iso(1) identified-organization(3) certicom(132) curve(0) 34 }
   483  //
   484  // secp521r1 OBJECT IDENTIFIER ::= {
   485  //   iso(1) identified-organization(3) certicom(132) curve(0) 35 }
   486  //
   487  // NB: secp256r1 is equivalent to prime256v1
   488  var (
   489  	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
   490  	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
   491  	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
   492  	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
   493  )
   494  
   495  func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
   496  	switch {
   497  	case oid.Equal(oidNamedCurveP224):
   498  		return elliptic.P224()
   499  	case oid.Equal(oidNamedCurveP256):
   500  		return elliptic.P256()
   501  	case oid.Equal(oidNamedCurveP384):
   502  		return elliptic.P384()
   503  	case oid.Equal(oidNamedCurveP521):
   504  		return elliptic.P521()
   505  	}
   506  	return nil
   507  }
   508  
   509  func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
   510  	switch curve {
   511  	case elliptic.P224():
   512  		return oidNamedCurveP224, true
   513  	case elliptic.P256():
   514  		return oidNamedCurveP256, true
   515  	case elliptic.P384():
   516  		return oidNamedCurveP384, true
   517  	case elliptic.P521():
   518  		return oidNamedCurveP521, true
   519  	}
   520  
   521  	return nil, false
   522  }
   523  
   524  // KeyUsage represents the set of actions that are valid for a given key. It's
   525  // a bitmap of the KeyUsage* constants.
   526  type KeyUsage int
   527  
   528  const (
   529  	KeyUsageDigitalSignature KeyUsage = 1 << iota
   530  	KeyUsageContentCommitment
   531  	KeyUsageKeyEncipherment
   532  	KeyUsageDataEncipherment
   533  	KeyUsageKeyAgreement
   534  	KeyUsageCertSign
   535  	KeyUsageCRLSign
   536  	KeyUsageEncipherOnly
   537  	KeyUsageDecipherOnly
   538  )
   539  
   540  // RFC 5280, 4.2.1.12  Extended Key Usage
   541  //
   542  // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
   543  //
   544  // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
   545  //
   546  // id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   547  // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   548  // id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
   549  // id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
   550  // id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
   551  // id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   552  var (
   553  	oidExtKeyUsageAny                            = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
   554  	oidExtKeyUsageServerAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
   555  	oidExtKeyUsageClientAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
   556  	oidExtKeyUsageCodeSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
   557  	oidExtKeyUsageEmailProtection                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
   558  	oidExtKeyUsageIPSECEndSystem                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
   559  	oidExtKeyUsageIPSECTunnel                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
   560  	oidExtKeyUsageIPSECUser                      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
   561  	oidExtKeyUsageTimeStamping                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
   562  	oidExtKeyUsageOCSPSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
   563  	oidExtKeyUsageMicrosoftServerGatedCrypto     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
   564  	oidExtKeyUsageNetscapeServerGatedCrypto      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
   565  	oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
   566  	oidExtKeyUsageMicrosoftKernelCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
   567  )
   568  
   569  // ExtKeyUsage represents an extended set of actions that are valid for a given key.
   570  // Each of the ExtKeyUsage* constants define a unique action.
   571  type ExtKeyUsage int
   572  
   573  const (
   574  	ExtKeyUsageAny ExtKeyUsage = iota
   575  	ExtKeyUsageServerAuth
   576  	ExtKeyUsageClientAuth
   577  	ExtKeyUsageCodeSigning
   578  	ExtKeyUsageEmailProtection
   579  	ExtKeyUsageIPSECEndSystem
   580  	ExtKeyUsageIPSECTunnel
   581  	ExtKeyUsageIPSECUser
   582  	ExtKeyUsageTimeStamping
   583  	ExtKeyUsageOCSPSigning
   584  	ExtKeyUsageMicrosoftServerGatedCrypto
   585  	ExtKeyUsageNetscapeServerGatedCrypto
   586  	ExtKeyUsageMicrosoftCommercialCodeSigning
   587  	ExtKeyUsageMicrosoftKernelCodeSigning
   588  )
   589  
   590  // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
   591  var extKeyUsageOIDs = []struct {
   592  	extKeyUsage ExtKeyUsage
   593  	oid         asn1.ObjectIdentifier
   594  }{
   595  	{ExtKeyUsageAny, oidExtKeyUsageAny},
   596  	{ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
   597  	{ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
   598  	{ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
   599  	{ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
   600  	{ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
   601  	{ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
   602  	{ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
   603  	{ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
   604  	{ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
   605  	{ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
   606  	{ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
   607  	{ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
   608  	{ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
   609  }
   610  
   611  func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
   612  	for _, pair := range extKeyUsageOIDs {
   613  		if oid.Equal(pair.oid) {
   614  			return pair.extKeyUsage, true
   615  		}
   616  	}
   617  	return
   618  }
   619  
   620  func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
   621  	for _, pair := range extKeyUsageOIDs {
   622  		if eku == pair.extKeyUsage {
   623  			return pair.oid, true
   624  		}
   625  	}
   626  	return
   627  }
   628  
   629  // A Certificate represents an X.509 certificate.
   630  type Certificate struct {
   631  	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
   632  	RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
   633  	RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
   634  	RawSubject              []byte // DER encoded Subject
   635  	RawIssuer               []byte // DER encoded Issuer
   636  
   637  	Signature          []byte
   638  	SignatureAlgorithm SignatureAlgorithm
   639  
   640  	PublicKeyAlgorithm PublicKeyAlgorithm
   641  	PublicKey          interface{}
   642  
   643  	Version             int
   644  	SerialNumber        *big.Int
   645  	Issuer              pkix.Name
   646  	Subject             pkix.Name
   647  	NotBefore, NotAfter time.Time // Validity bounds.
   648  	KeyUsage            KeyUsage
   649  
   650  	// Extensions contains raw X.509 extensions. When parsing certificates,
   651  	// this can be used to extract non-critical extensions that are not
   652  	// parsed by this package. When marshaling certificates, the Extensions
   653  	// field is ignored, see ExtraExtensions.
   654  	Extensions []pkix.Extension
   655  
   656  	// ExtraExtensions contains extensions to be copied, raw, into any
   657  	// marshaled certificates. Values override any extensions that would
   658  	// otherwise be produced based on the other fields. The ExtraExtensions
   659  	// field is not populated when parsing certificates, see Extensions.
   660  	ExtraExtensions []pkix.Extension
   661  
   662  	// UnhandledCriticalExtensions contains a list of extension IDs that
   663  	// were not (fully) processed when parsing. Verify will fail if this
   664  	// slice is non-empty, unless verification is delegated to an OS
   665  	// library which understands all the critical extensions.
   666  	//
   667  	// Users can access these extensions using Extensions and can remove
   668  	// elements from this slice if they believe that they have been
   669  	// handled.
   670  	UnhandledCriticalExtensions []asn1.ObjectIdentifier
   671  
   672  	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
   673  	UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.
   674  
   675  	// BasicConstraintsValid indicates whether IsCA, MaxPathLen,
   676  	// and MaxPathLenZero are valid.
   677  	BasicConstraintsValid bool
   678  	IsCA                  bool
   679  
   680  	// MaxPathLen and MaxPathLenZero indicate the presence and
   681  	// value of the BasicConstraints' "pathLenConstraint".
   682  	//
   683  	// When parsing a certificate, a positive non-zero MaxPathLen
   684  	// means that the field was specified, -1 means it was unset,
   685  	// and MaxPathLenZero being true mean that the field was
   686  	// explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
   687  	// should be treated equivalent to -1 (unset).
   688  	//
   689  	// When generating a certificate, an unset pathLenConstraint
   690  	// can be requested with either MaxPathLen == -1 or using the
   691  	// zero value for both MaxPathLen and MaxPathLenZero.
   692  	MaxPathLen int
   693  	// MaxPathLenZero indicates that BasicConstraintsValid==true
   694  	// and MaxPathLen==0 should be interpreted as an actual
   695  	// maximum path length of zero. Otherwise, that combination is
   696  	// interpreted as MaxPathLen not being set.
   697  	MaxPathLenZero bool
   698  
   699  	SubjectKeyId   []byte
   700  	AuthorityKeyId []byte
   701  
   702  	// RFC 5280, 4.2.2.1 (Authority Information Access)
   703  	OCSPServer            []string
   704  	IssuingCertificateURL []string
   705  
   706  	// Subject Alternate Name values. (Note that these values may not be valid
   707  	// if invalid values were contained within a parsed certificate. For
   708  	// example, an element of DNSNames may not be a valid DNS domain name.)
   709  	DNSNames       []string
   710  	EmailAddresses []string
   711  	IPAddresses    []net.IP
   712  	URIs           []*url.URL
   713  
   714  	// Name constraints
   715  	PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
   716  	PermittedDNSDomains         []string
   717  	ExcludedDNSDomains          []string
   718  	PermittedIPRanges           []*net.IPNet
   719  	ExcludedIPRanges            []*net.IPNet
   720  	PermittedEmailAddresses     []string
   721  	ExcludedEmailAddresses      []string
   722  	PermittedURIDomains         []string
   723  	ExcludedURIDomains          []string
   724  
   725  	// CRL Distribution Points
   726  	CRLDistributionPoints []string
   727  
   728  	PolicyIdentifiers []asn1.ObjectIdentifier
   729  }
   730  
   731  // ErrUnsupportedAlgorithm results from attempting to perform an operation that
   732  // involves algorithms that are not currently implemented.
   733  var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
   734  
   735  // An InsecureAlgorithmError
   736  type InsecureAlgorithmError SignatureAlgorithm
   737  
   738  func (e InsecureAlgorithmError) Error() string {
   739  	return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e))
   740  }
   741  
   742  // ConstraintViolationError results when a requested usage is not permitted by
   743  // a certificate. For example: checking a signature when the public key isn't a
   744  // certificate signing key.
   745  type ConstraintViolationError struct{}
   746  
   747  func (ConstraintViolationError) Error() string {
   748  	return "x509: invalid signature: parent certificate cannot sign this kind of certificate"
   749  }
   750  
   751  func (c *Certificate) Equal(other *Certificate) bool {
   752  	return bytes.Equal(c.Raw, other.Raw)
   753  }
   754  
   755  func (c *Certificate) hasSANExtension() bool {
   756  	return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
   757  }
   758  
   759  // Entrust have a broken root certificate (CN=Entrust.net Certification
   760  // Authority (2048)) which isn't marked as a CA certificate and is thus invalid
   761  // according to PKIX.
   762  // We recognise this certificate by its SubjectPublicKeyInfo and exempt it
   763  // from the Basic Constraints requirement.
   764  // See http://www.entrust.net/knowledge-base/technote.cfm?tn=7869
   765  //
   766  // TODO(agl): remove this hack once their reissued root is sufficiently
   767  // widespread.
   768  var entrustBrokenSPKI = []byte{
   769  	0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09,
   770  	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
   771  	0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
   772  	0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
   773  	0x00, 0x97, 0xa3, 0x2d, 0x3c, 0x9e, 0xde, 0x05,
   774  	0xda, 0x13, 0xc2, 0x11, 0x8d, 0x9d, 0x8e, 0xe3,
   775  	0x7f, 0xc7, 0x4b, 0x7e, 0x5a, 0x9f, 0xb3, 0xff,
   776  	0x62, 0xab, 0x73, 0xc8, 0x28, 0x6b, 0xba, 0x10,
   777  	0x64, 0x82, 0x87, 0x13, 0xcd, 0x57, 0x18, 0xff,
   778  	0x28, 0xce, 0xc0, 0xe6, 0x0e, 0x06, 0x91, 0x50,
   779  	0x29, 0x83, 0xd1, 0xf2, 0xc3, 0x2a, 0xdb, 0xd8,
   780  	0xdb, 0x4e, 0x04, 0xcc, 0x00, 0xeb, 0x8b, 0xb6,
   781  	0x96, 0xdc, 0xbc, 0xaa, 0xfa, 0x52, 0x77, 0x04,
   782  	0xc1, 0xdb, 0x19, 0xe4, 0xae, 0x9c, 0xfd, 0x3c,
   783  	0x8b, 0x03, 0xef, 0x4d, 0xbc, 0x1a, 0x03, 0x65,
   784  	0xf9, 0xc1, 0xb1, 0x3f, 0x72, 0x86, 0xf2, 0x38,
   785  	0xaa, 0x19, 0xae, 0x10, 0x88, 0x78, 0x28, 0xda,
   786  	0x75, 0xc3, 0x3d, 0x02, 0x82, 0x02, 0x9c, 0xb9,
   787  	0xc1, 0x65, 0x77, 0x76, 0x24, 0x4c, 0x98, 0xf7,
   788  	0x6d, 0x31, 0x38, 0xfb, 0xdb, 0xfe, 0xdb, 0x37,
   789  	0x02, 0x76, 0xa1, 0x18, 0x97, 0xa6, 0xcc, 0xde,
   790  	0x20, 0x09, 0x49, 0x36, 0x24, 0x69, 0x42, 0xf6,
   791  	0xe4, 0x37, 0x62, 0xf1, 0x59, 0x6d, 0xa9, 0x3c,
   792  	0xed, 0x34, 0x9c, 0xa3, 0x8e, 0xdb, 0xdc, 0x3a,
   793  	0xd7, 0xf7, 0x0a, 0x6f, 0xef, 0x2e, 0xd8, 0xd5,
   794  	0x93, 0x5a, 0x7a, 0xed, 0x08, 0x49, 0x68, 0xe2,
   795  	0x41, 0xe3, 0x5a, 0x90, 0xc1, 0x86, 0x55, 0xfc,
   796  	0x51, 0x43, 0x9d, 0xe0, 0xb2, 0xc4, 0x67, 0xb4,
   797  	0xcb, 0x32, 0x31, 0x25, 0xf0, 0x54, 0x9f, 0x4b,
   798  	0xd1, 0x6f, 0xdb, 0xd4, 0xdd, 0xfc, 0xaf, 0x5e,
   799  	0x6c, 0x78, 0x90, 0x95, 0xde, 0xca, 0x3a, 0x48,
   800  	0xb9, 0x79, 0x3c, 0x9b, 0x19, 0xd6, 0x75, 0x05,
   801  	0xa0, 0xf9, 0x88, 0xd7, 0xc1, 0xe8, 0xa5, 0x09,
   802  	0xe4, 0x1a, 0x15, 0xdc, 0x87, 0x23, 0xaa, 0xb2,
   803  	0x75, 0x8c, 0x63, 0x25, 0x87, 0xd8, 0xf8, 0x3d,
   804  	0xa6, 0xc2, 0xcc, 0x66, 0xff, 0xa5, 0x66, 0x68,
   805  	0x55, 0x02, 0x03, 0x01, 0x00, 0x01,
   806  }
   807  
   808  // CheckSignatureFrom verifies that the signature on c is a valid signature
   809  // from parent.
   810  func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
   811  	// RFC 5280, 4.2.1.9:
   812  	// "If the basic constraints extension is not present in a version 3
   813  	// certificate, or the extension is present but the cA boolean is not
   814  	// asserted, then the certified public key MUST NOT be used to verify
   815  	// certificate signatures."
   816  	// (except for Entrust, see comment above entrustBrokenSPKI)
   817  	if (parent.Version == 3 && !parent.BasicConstraintsValid ||
   818  		parent.BasicConstraintsValid && !parent.IsCA) &&
   819  		!bytes.Equal(c.RawSubjectPublicKeyInfo, entrustBrokenSPKI) {
   820  		return ConstraintViolationError{}
   821  	}
   822  
   823  	if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
   824  		return ConstraintViolationError{}
   825  	}
   826  
   827  	if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
   828  		return ErrUnsupportedAlgorithm
   829  	}
   830  
   831  	// TODO(agl): don't ignore the path length constraint.
   832  
   833  	return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
   834  }
   835  
   836  // CheckSignature verifies that signature is a valid signature over signed from
   837  // c's public key.
   838  func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
   839  	return checkSignature(algo, signed, signature, c.PublicKey)
   840  }
   841  
   842  func (c *Certificate) hasNameConstraints() bool {
   843  	return oidInExtensions(oidExtensionNameConstraints, c.Extensions)
   844  }
   845  
   846  func (c *Certificate) getSANExtension() []byte {
   847  	for _, e := range c.Extensions {
   848  		if e.Id.Equal(oidExtensionSubjectAltName) {
   849  			return e.Value
   850  		}
   851  	}
   852  	return nil
   853  }
   854  
   855  func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
   856  	return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
   857  }
   858  
   859  // CheckSignature verifies that signature is a valid signature over signed from
   860  // a crypto.PublicKey.
   861  func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
   862  	var hashType crypto.Hash
   863  	var pubKeyAlgo PublicKeyAlgorithm
   864  
   865  	for _, details := range signatureAlgorithmDetails {
   866  		if details.algo == algo {
   867  			hashType = details.hash
   868  			pubKeyAlgo = details.pubKeyAlgo
   869  		}
   870  	}
   871  
   872  	switch hashType {
   873  	case crypto.Hash(0):
   874  		return ErrUnsupportedAlgorithm
   875  	case crypto.MD5:
   876  		return InsecureAlgorithmError(algo)
   877  	}
   878  
   879  	if !hashType.Available() {
   880  		return ErrUnsupportedAlgorithm
   881  	}
   882  	h := hashType.New()
   883  
   884  	h.Write(signed)
   885  	digest := h.Sum(nil)
   886  
   887  	switch pub := publicKey.(type) {
   888  	case *rsa.PublicKey:
   889  		if pubKeyAlgo != RSA {
   890  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   891  		}
   892  		if algo.isRSAPSS() {
   893  			return rsa.VerifyPSS(pub, hashType, digest, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
   894  		} else {
   895  			return rsa.VerifyPKCS1v15(pub, hashType, digest, signature)
   896  		}
   897  	case *dsa.PublicKey:
   898  		if pubKeyAlgo != DSA {
   899  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   900  		}
   901  		dsaSig := new(dsaSignature)
   902  		if rest, err := asn1.Unmarshal(signature, dsaSig); err != nil {
   903  			return err
   904  		} else if len(rest) != 0 {
   905  			return errors.New("x509: trailing data after DSA signature")
   906  		}
   907  		if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 {
   908  			return errors.New("x509: DSA signature contained zero or negative values")
   909  		}
   910  		if !dsa.Verify(pub, digest, dsaSig.R, dsaSig.S) {
   911  			return errors.New("x509: DSA verification failure")
   912  		}
   913  		return
   914  	case *ecdsa.PublicKey:
   915  		if pubKeyAlgo != ECDSA {
   916  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   917  		}
   918  		ecdsaSig := new(ecdsaSignature)
   919  		if rest, err := asn1.Unmarshal(signature, ecdsaSig); err != nil {
   920  			return err
   921  		} else if len(rest) != 0 {
   922  			return errors.New("x509: trailing data after ECDSA signature")
   923  		}
   924  		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
   925  			return errors.New("x509: ECDSA signature contained zero or negative values")
   926  		}
   927  		if !ecdsa.Verify(pub, digest, ecdsaSig.R, ecdsaSig.S) {
   928  			return errors.New("x509: ECDSA verification failure")
   929  		}
   930  		return
   931  	}
   932  	return ErrUnsupportedAlgorithm
   933  }
   934  
   935  // CheckCRLSignature checks that the signature in crl is from c.
   936  func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error {
   937  	algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm)
   938  	return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign())
   939  }
   940  
   941  type UnhandledCriticalExtension struct{}
   942  
   943  func (h UnhandledCriticalExtension) Error() string {
   944  	return "x509: unhandled critical extension"
   945  }
   946  
   947  type basicConstraints struct {
   948  	IsCA       bool `asn1:"optional"`
   949  	MaxPathLen int  `asn1:"optional,default:-1"`
   950  }
   951  
   952  // RFC 5280 4.2.1.4
   953  type policyInformation struct {
   954  	Policy asn1.ObjectIdentifier
   955  	// policyQualifiers omitted
   956  }
   957  
   958  const (
   959  	nameTypeEmail = 1
   960  	nameTypeDNS   = 2
   961  	nameTypeURI   = 6
   962  	nameTypeIP    = 7
   963  )
   964  
   965  // RFC 5280, 4.2.2.1
   966  type authorityInfoAccess struct {
   967  	Method   asn1.ObjectIdentifier
   968  	Location asn1.RawValue
   969  }
   970  
   971  // RFC 5280, 4.2.1.14
   972  type distributionPoint struct {
   973  	DistributionPoint distributionPointName `asn1:"optional,tag:0"`
   974  	Reason            asn1.BitString        `asn1:"optional,tag:1"`
   975  	CRLIssuer         asn1.RawValue         `asn1:"optional,tag:2"`
   976  }
   977  
   978  type distributionPointName struct {
   979  	FullName     []asn1.RawValue  `asn1:"optional,tag:0"`
   980  	RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
   981  }
   982  
   983  func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
   984  	asn1Data := keyData.PublicKey.RightAlign()
   985  	switch algo {
   986  	case RSA:
   987  		// RSA public keys must have a NULL in the parameters.
   988  		// See RFC 3279, Section 2.3.1.
   989  		if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) {
   990  			return nil, errors.New("x509: RSA key missing NULL parameters")
   991  		}
   992  
   993  		p := new(pkcs1PublicKey)
   994  		rest, err := asn1.Unmarshal(asn1Data, p)
   995  		if err != nil {
   996  			return nil, err
   997  		}
   998  		if len(rest) != 0 {
   999  			return nil, errors.New("x509: trailing data after RSA public key")
  1000  		}
  1001  
  1002  		if p.N.Sign() <= 0 {
  1003  			return nil, errors.New("x509: RSA modulus is not a positive number")
  1004  		}
  1005  		if p.E <= 0 {
  1006  			return nil, errors.New("x509: RSA public exponent is not a positive number")
  1007  		}
  1008  
  1009  		pub := &rsa.PublicKey{
  1010  			E: p.E,
  1011  			N: p.N,
  1012  		}
  1013  		return pub, nil
  1014  	case DSA:
  1015  		var p *big.Int
  1016  		rest, err := asn1.Unmarshal(asn1Data, &p)
  1017  		if err != nil {
  1018  			return nil, err
  1019  		}
  1020  		if len(rest) != 0 {
  1021  			return nil, errors.New("x509: trailing data after DSA public key")
  1022  		}
  1023  		paramsData := keyData.Algorithm.Parameters.FullBytes
  1024  		params := new(dsaAlgorithmParameters)
  1025  		rest, err = asn1.Unmarshal(paramsData, params)
  1026  		if err != nil {
  1027  			return nil, err
  1028  		}
  1029  		if len(rest) != 0 {
  1030  			return nil, errors.New("x509: trailing data after DSA parameters")
  1031  		}
  1032  		if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0 || params.G.Sign() <= 0 {
  1033  			return nil, errors.New("x509: zero or negative DSA parameter")
  1034  		}
  1035  		pub := &dsa.PublicKey{
  1036  			Parameters: dsa.Parameters{
  1037  				P: params.P,
  1038  				Q: params.Q,
  1039  				G: params.G,
  1040  			},
  1041  			Y: p,
  1042  		}
  1043  		return pub, nil
  1044  	case ECDSA:
  1045  		paramsData := keyData.Algorithm.Parameters.FullBytes
  1046  		namedCurveOID := new(asn1.ObjectIdentifier)
  1047  		rest, err := asn1.Unmarshal(paramsData, namedCurveOID)
  1048  		if err != nil {
  1049  			return nil, errors.New("x509: failed to parse ECDSA parameters as named curve")
  1050  		}
  1051  		if len(rest) != 0 {
  1052  			return nil, errors.New("x509: trailing data after ECDSA parameters")
  1053  		}
  1054  		namedCurve := namedCurveFromOID(*namedCurveOID)
  1055  		if namedCurve == nil {
  1056  			return nil, errors.New("x509: unsupported elliptic curve")
  1057  		}
  1058  		x, y := elliptic.Unmarshal(namedCurve, asn1Data)
  1059  		if x == nil {
  1060  			return nil, errors.New("x509: failed to unmarshal elliptic curve point")
  1061  		}
  1062  		pub := &ecdsa.PublicKey{
  1063  			Curve: namedCurve,
  1064  			X:     x,
  1065  			Y:     y,
  1066  		}
  1067  		return pub, nil
  1068  	default:
  1069  		return nil, nil
  1070  	}
  1071  }
  1072  
  1073  func forEachSAN(extension []byte, callback func(tag int, data []byte) error) error {
  1074  	// RFC 5280, 4.2.1.6
  1075  
  1076  	// SubjectAltName ::= GeneralNames
  1077  	//
  1078  	// GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
  1079  	//
  1080  	// GeneralName ::= CHOICE {
  1081  	//      otherName                       [0]     OtherName,
  1082  	//      rfc822Name                      [1]     IA5String,
  1083  	//      dNSName                         [2]     IA5String,
  1084  	//      x400Address                     [3]     ORAddress,
  1085  	//      directoryName                   [4]     Name,
  1086  	//      ediPartyName                    [5]     EDIPartyName,
  1087  	//      uniformResourceIdentifier       [6]     IA5String,
  1088  	//      iPAddress                       [7]     OCTET STRING,
  1089  	//      registeredID                    [8]     OBJECT IDENTIFIER }
  1090  	var seq asn1.RawValue
  1091  	rest, err := asn1.Unmarshal(extension, &seq)
  1092  	if err != nil {
  1093  		return err
  1094  	} else if len(rest) != 0 {
  1095  		return errors.New("x509: trailing data after X.509 extension")
  1096  	}
  1097  	if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
  1098  		return asn1.StructuralError{Msg: "bad SAN sequence"}
  1099  	}
  1100  
  1101  	rest = seq.Bytes
  1102  	for len(rest) > 0 {
  1103  		var v asn1.RawValue
  1104  		rest, err = asn1.Unmarshal(rest, &v)
  1105  		if err != nil {
  1106  			return err
  1107  		}
  1108  
  1109  		if err := callback(v.Tag, v.Bytes); err != nil {
  1110  			return err
  1111  		}
  1112  	}
  1113  
  1114  	return nil
  1115  }
  1116  
  1117  func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) {
  1118  	err = forEachSAN(value, func(tag int, data []byte) error {
  1119  		switch tag {
  1120  		case nameTypeEmail:
  1121  			emailAddresses = append(emailAddresses, string(data))
  1122  		case nameTypeDNS:
  1123  			dnsNames = append(dnsNames, string(data))
  1124  		case nameTypeURI:
  1125  			uri, err := url.Parse(string(data))
  1126  			if err != nil {
  1127  				return fmt.Errorf("x509: cannot parse URI %q: %s", string(data), err)
  1128  			}
  1129  			if len(uri.Host) > 0 {
  1130  				if _, ok := domainToReverseLabels(uri.Host); !ok {
  1131  					return fmt.Errorf("x509: cannot parse URI %q: invalid domain", string(data))
  1132  				}
  1133  			}
  1134  			uris = append(uris, uri)
  1135  		case nameTypeIP:
  1136  			switch len(data) {
  1137  			case net.IPv4len, net.IPv6len:
  1138  				ipAddresses = append(ipAddresses, data)
  1139  			default:
  1140  				return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data)))
  1141  			}
  1142  		}
  1143  
  1144  		return nil
  1145  	})
  1146  
  1147  	return
  1148  }
  1149  
  1150  // isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.
  1151  func isValidIPMask(mask []byte) bool {
  1152  	seenZero := false
  1153  
  1154  	for _, b := range mask {
  1155  		if seenZero {
  1156  			if b != 0 {
  1157  				return false
  1158  			}
  1159  
  1160  			continue
  1161  		}
  1162  
  1163  		switch b {
  1164  		case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe:
  1165  			seenZero = true
  1166  		case 0xff:
  1167  		default:
  1168  			return false
  1169  		}
  1170  	}
  1171  
  1172  	return true
  1173  }
  1174  
  1175  func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) {
  1176  	// RFC 5280, 4.2.1.10
  1177  
  1178  	// NameConstraints ::= SEQUENCE {
  1179  	//      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
  1180  	//      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
  1181  	//
  1182  	// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
  1183  	//
  1184  	// GeneralSubtree ::= SEQUENCE {
  1185  	//      base                    GeneralName,
  1186  	//      minimum         [0]     BaseDistance DEFAULT 0,
  1187  	//      maximum         [1]     BaseDistance OPTIONAL }
  1188  	//
  1189  	// BaseDistance ::= INTEGER (0..MAX)
  1190  
  1191  	outer := cryptobyte.String(e.Value)
  1192  	var toplevel, permitted, excluded cryptobyte.String
  1193  	var havePermitted, haveExcluded bool
  1194  	if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) ||
  1195  		!outer.Empty() ||
  1196  		!toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) ||
  1197  		!toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) ||
  1198  		!toplevel.Empty() {
  1199  		return false, errors.New("x509: invalid NameConstraints extension")
  1200  	}
  1201  
  1202  	if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 {
  1203  		// From RFC 5280, Section 4.2.1.10:
  1204  		//   “either the permittedSubtrees field
  1205  		//   or the excludedSubtrees MUST be
  1206  		//   present”
  1207  		return false, errors.New("x509: empty name constraints extension")
  1208  	}
  1209  
  1210  	getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) {
  1211  		for !subtrees.Empty() {
  1212  			var seq, value cryptobyte.String
  1213  			var tag cryptobyte_asn1.Tag
  1214  			if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) ||
  1215  				!seq.ReadAnyASN1(&value, &tag) {
  1216  				return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension")
  1217  			}
  1218  
  1219  			var (
  1220  				dnsTag   = cryptobyte_asn1.Tag(2).ContextSpecific()
  1221  				emailTag = cryptobyte_asn1.Tag(1).ContextSpecific()
  1222  				ipTag    = cryptobyte_asn1.Tag(7).ContextSpecific()
  1223  				uriTag   = cryptobyte_asn1.Tag(6).ContextSpecific()
  1224  			)
  1225  
  1226  			switch tag {
  1227  			case dnsTag:
  1228  				domain := string(value)
  1229  				if err := isIA5String(domain); err != nil {
  1230  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1231  				}
  1232  
  1233  				trimmedDomain := domain
  1234  				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
  1235  					// constraints can have a leading
  1236  					// period to exclude the domain
  1237  					// itself, but that's not valid in a
  1238  					// normal domain name.
  1239  					trimmedDomain = trimmedDomain[1:]
  1240  				}
  1241  				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
  1242  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
  1243  				}
  1244  				dnsNames = append(dnsNames, domain)
  1245  
  1246  			case ipTag:
  1247  				l := len(value)
  1248  				var ip, mask []byte
  1249  
  1250  				switch l {
  1251  				case 8:
  1252  					ip = value[:4]
  1253  					mask = value[4:]
  1254  
  1255  				case 32:
  1256  					ip = value[:16]
  1257  					mask = value[16:]
  1258  
  1259  				default:
  1260  					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l)
  1261  				}
  1262  
  1263  				if !isValidIPMask(mask) {
  1264  					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask)
  1265  				}
  1266  
  1267  				ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)})
  1268  
  1269  			case emailTag:
  1270  				constraint := string(value)
  1271  				if err := isIA5String(constraint); err != nil {
  1272  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1273  				}
  1274  
  1275  				// If the constraint contains an @ then
  1276  				// it specifies an exact mailbox name.
  1277  				if strings.Contains(constraint, "@") {
  1278  					if _, ok := parseRFC2821Mailbox(constraint); !ok {
  1279  						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
  1280  					}
  1281  				} else {
  1282  					// Otherwise it's a domain name.
  1283  					domain := constraint
  1284  					if len(domain) > 0 && domain[0] == '.' {
  1285  						domain = domain[1:]
  1286  					}
  1287  					if _, ok := domainToReverseLabels(domain); !ok {
  1288  						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
  1289  					}
  1290  				}
  1291  				emails = append(emails, constraint)
  1292  
  1293  			case uriTag:
  1294  				domain := string(value)
  1295  				if err := isIA5String(domain); err != nil {
  1296  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1297  				}
  1298  
  1299  				if net.ParseIP(domain) != nil {
  1300  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
  1301  				}
  1302  
  1303  				trimmedDomain := domain
  1304  				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
  1305  					// constraints can have a leading
  1306  					// period to exclude the domain itself,
  1307  					// but that's not valid in a normal
  1308  					// domain name.
  1309  					trimmedDomain = trimmedDomain[1:]
  1310  				}
  1311  				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
  1312  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
  1313  				}
  1314  				uriDomains = append(uriDomains, domain)
  1315  
  1316  			default:
  1317  				unhandled = true
  1318  			}
  1319  		}
  1320  
  1321  		return dnsNames, ips, emails, uriDomains, nil
  1322  	}
  1323  
  1324  	if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil {
  1325  		return false, err
  1326  	}
  1327  	if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil {
  1328  		return false, err
  1329  	}
  1330  	out.PermittedDNSDomainsCritical = e.Critical
  1331  
  1332  	return unhandled, nil
  1333  }
  1334  
  1335  func parseCertificate(in *certificate) (*Certificate, error) {
  1336  	out := new(Certificate)
  1337  	out.Raw = in.Raw
  1338  	out.RawTBSCertificate = in.TBSCertificate.Raw
  1339  	out.RawSubjectPublicKeyInfo = in.TBSCertificate.PublicKey.Raw
  1340  	out.RawSubject = in.TBSCertificate.Subject.FullBytes
  1341  	out.RawIssuer = in.TBSCertificate.Issuer.FullBytes
  1342  
  1343  	out.Signature = in.SignatureValue.RightAlign()
  1344  	out.SignatureAlgorithm =
  1345  		getSignatureAlgorithmFromAI(in.TBSCertificate.SignatureAlgorithm)
  1346  
  1347  	out.PublicKeyAlgorithm =
  1348  		getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorithm.Algorithm)
  1349  	var err error
  1350  	out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey)
  1351  	if err != nil {
  1352  		return nil, err
  1353  	}
  1354  
  1355  	out.Version = in.TBSCertificate.Version + 1
  1356  	out.SerialNumber = in.TBSCertificate.SerialNumber
  1357  
  1358  	var issuer, subject pkix.RDNSequence
  1359  	if rest, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subject); err != nil {
  1360  		return nil, err
  1361  	} else if len(rest) != 0 {
  1362  		return nil, errors.New("x509: trailing data after X.509 subject")
  1363  	}
  1364  	if rest, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer); err != nil {
  1365  		return nil, err
  1366  	} else if len(rest) != 0 {
  1367  		return nil, errors.New("x509: trailing data after X.509 subject")
  1368  	}
  1369  
  1370  	out.Issuer.FillFromRDNSequence(&issuer)
  1371  	out.Subject.FillFromRDNSequence(&subject)
  1372  
  1373  	out.NotBefore = in.TBSCertificate.Validity.NotBefore
  1374  	out.NotAfter = in.TBSCertificate.Validity.NotAfter
  1375  
  1376  	for _, e := range in.TBSCertificate.Extensions {
  1377  		out.Extensions = append(out.Extensions, e)
  1378  		unhandled := false
  1379  
  1380  		if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 {
  1381  			switch e.Id[3] {
  1382  			case 15:
  1383  				// RFC 5280, 4.2.1.3
  1384  				var usageBits asn1.BitString
  1385  				if rest, err := asn1.Unmarshal(e.Value, &usageBits); err != nil {
  1386  					return nil, err
  1387  				} else if len(rest) != 0 {
  1388  					return nil, errors.New("x509: trailing data after X.509 KeyUsage")
  1389  				}
  1390  
  1391  				var usage int
  1392  				for i := 0; i < 9; i++ {
  1393  					if usageBits.At(i) != 0 {
  1394  						usage |= 1 << uint(i)
  1395  					}
  1396  				}
  1397  				out.KeyUsage = KeyUsage(usage)
  1398  
  1399  			case 19:
  1400  				// RFC 5280, 4.2.1.9
  1401  				var constraints basicConstraints
  1402  				if rest, err := asn1.Unmarshal(e.Value, &constraints); err != nil {
  1403  					return nil, err
  1404  				} else if len(rest) != 0 {
  1405  					return nil, errors.New("x509: trailing data after X.509 BasicConstraints")
  1406  				}
  1407  
  1408  				out.BasicConstraintsValid = true
  1409  				out.IsCA = constraints.IsCA
  1410  				out.MaxPathLen = constraints.MaxPathLen
  1411  				out.MaxPathLenZero = out.MaxPathLen == 0
  1412  				// TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285)
  1413  			case 17:
  1414  				out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value)
  1415  				if err != nil {
  1416  					return nil, err
  1417  				}
  1418  
  1419  				if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 {
  1420  					// If we didn't parse anything then we do the critical check, below.
  1421  					unhandled = true
  1422  				}
  1423  
  1424  			case 30:
  1425  				unhandled, err = parseNameConstraintsExtension(out, e)
  1426  				if err != nil {
  1427  					return nil, err
  1428  				}
  1429  
  1430  			case 31:
  1431  				// RFC 5280, 4.2.1.13
  1432  
  1433  				// CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
  1434  				//
  1435  				// DistributionPoint ::= SEQUENCE {
  1436  				//     distributionPoint       [0]     DistributionPointName OPTIONAL,
  1437  				//     reasons                 [1]     ReasonFlags OPTIONAL,
  1438  				//     cRLIssuer               [2]     GeneralNames OPTIONAL }
  1439  				//
  1440  				// DistributionPointName ::= CHOICE {
  1441  				//     fullName                [0]     GeneralNames,
  1442  				//     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
  1443  
  1444  				var cdp []distributionPoint
  1445  				if rest, err := asn1.Unmarshal(e.Value, &cdp); err != nil {
  1446  					return nil, err
  1447  				} else if len(rest) != 0 {
  1448  					return nil, errors.New("x509: trailing data after X.509 CRL distribution point")
  1449  				}
  1450  
  1451  				for _, dp := range cdp {
  1452  					// Per RFC 5280, 4.2.1.13, one of distributionPoint or cRLIssuer may be empty.
  1453  					if len(dp.DistributionPoint.FullName) == 0 {
  1454  						continue
  1455  					}
  1456  
  1457  					for _, fullName := range dp.DistributionPoint.FullName {
  1458  						if fullName.Tag == 6 {
  1459  							out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(fullName.Bytes))
  1460  						}
  1461  					}
  1462  				}
  1463  
  1464  			case 35:
  1465  				// RFC 5280, 4.2.1.1
  1466  				var a authKeyId
  1467  				if rest, err := asn1.Unmarshal(e.Value, &a); err != nil {
  1468  					return nil, err
  1469  				} else if len(rest) != 0 {
  1470  					return nil, errors.New("x509: trailing data after X.509 authority key-id")
  1471  				}
  1472  				out.AuthorityKeyId = a.Id
  1473  
  1474  			case 37:
  1475  				// RFC 5280, 4.2.1.12.  Extended Key Usage
  1476  
  1477  				// id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
  1478  				//
  1479  				// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  1480  				//
  1481  				// KeyPurposeId ::= OBJECT IDENTIFIER
  1482  
  1483  				var keyUsage []asn1.ObjectIdentifier
  1484  				if rest, err := asn1.Unmarshal(e.Value, &keyUsage); err != nil {
  1485  					return nil, err
  1486  				} else if len(rest) != 0 {
  1487  					return nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage")
  1488  				}
  1489  
  1490  				for _, u := range keyUsage {
  1491  					if extKeyUsage, ok := extKeyUsageFromOID(u); ok {
  1492  						out.ExtKeyUsage = append(out.ExtKeyUsage, extKeyUsage)
  1493  					} else {
  1494  						out.UnknownExtKeyUsage = append(out.UnknownExtKeyUsage, u)
  1495  					}
  1496  				}
  1497  
  1498  			case 14:
  1499  				// RFC 5280, 4.2.1.2
  1500  				var keyid []byte
  1501  				if rest, err := asn1.Unmarshal(e.Value, &keyid); err != nil {
  1502  					return nil, err
  1503  				} else if len(rest) != 0 {
  1504  					return nil, errors.New("x509: trailing data after X.509 key-id")
  1505  				}
  1506  				out.SubjectKeyId = keyid
  1507  
  1508  			case 32:
  1509  				// RFC 5280 4.2.1.4: Certificate Policies
  1510  				var policies []policyInformation
  1511  				if rest, err := asn1.Unmarshal(e.Value, &policies); err != nil {
  1512  					return nil, err
  1513  				} else if len(rest) != 0 {
  1514  					return nil, errors.New("x509: trailing data after X.509 certificate policies")
  1515  				}
  1516  				out.PolicyIdentifiers = make([]asn1.ObjectIdentifier, len(policies))
  1517  				for i, policy := range policies {
  1518  					out.PolicyIdentifiers[i] = policy.Policy
  1519  				}
  1520  
  1521  			default:
  1522  				// Unknown extensions are recorded if critical.
  1523  				unhandled = true
  1524  			}
  1525  		} else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
  1526  			// RFC 5280 4.2.2.1: Authority Information Access
  1527  			var aia []authorityInfoAccess
  1528  			if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil {
  1529  				return nil, err
  1530  			} else if len(rest) != 0 {
  1531  				return nil, errors.New("x509: trailing data after X.509 authority information")
  1532  			}
  1533  
  1534  			for _, v := range aia {
  1535  				// GeneralName: uniformResourceIdentifier [6] IA5String
  1536  				if v.Location.Tag != 6 {
  1537  					continue
  1538  				}
  1539  				if v.Method.Equal(oidAuthorityInfoAccessOcsp) {
  1540  					out.OCSPServer = append(out.OCSPServer, string(v.Location.Bytes))
  1541  				} else if v.Method.Equal(oidAuthorityInfoAccessIssuers) {
  1542  					out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(v.Location.Bytes))
  1543  				}
  1544  			}
  1545  		} else {
  1546  			// Unknown extensions are recorded if critical.
  1547  			unhandled = true
  1548  		}
  1549  
  1550  		if e.Critical && unhandled {
  1551  			out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id)
  1552  		}
  1553  	}
  1554  
  1555  	return out, nil
  1556  }
  1557  
  1558  // ParseCertificate parses a single certificate from the given ASN.1 DER data.
  1559  func ParseCertificate(asn1Data []byte) (*Certificate, error) {
  1560  	var cert certificate
  1561  	rest, err := asn1.Unmarshal(asn1Data, &cert)
  1562  	if err != nil {
  1563  		return nil, err
  1564  	}
  1565  	if len(rest) > 0 {
  1566  		return nil, asn1.SyntaxError{Msg: "trailing data"}
  1567  	}
  1568  
  1569  	return parseCertificate(&cert)
  1570  }
  1571  
  1572  // ParseCertificates parses one or more certificates from the given ASN.1 DER
  1573  // data. The certificates must be concatenated with no intermediate padding.
  1574  func ParseCertificates(asn1Data []byte) ([]*Certificate, error) {
  1575  	var v []*certificate
  1576  
  1577  	for len(asn1Data) > 0 {
  1578  		cert := new(certificate)
  1579  		var err error
  1580  		asn1Data, err = asn1.Unmarshal(asn1Data, cert)
  1581  		if err != nil {
  1582  			return nil, err
  1583  		}
  1584  		v = append(v, cert)
  1585  	}
  1586  
  1587  	ret := make([]*Certificate, len(v))
  1588  	for i, ci := range v {
  1589  		cert, err := parseCertificate(ci)
  1590  		if err != nil {
  1591  			return nil, err
  1592  		}
  1593  		ret[i] = cert
  1594  	}
  1595  
  1596  	return ret, nil
  1597  }
  1598  
  1599  func reverseBitsInAByte(in byte) byte {
  1600  	b1 := in>>4 | in<<4
  1601  	b2 := b1>>2&0x33 | b1<<2&0xcc
  1602  	b3 := b2>>1&0x55 | b2<<1&0xaa
  1603  	return b3
  1604  }
  1605  
  1606  // asn1BitLength returns the bit-length of bitString by considering the
  1607  // most-significant bit in a byte to be the "first" bit. This convention
  1608  // matches ASN.1, but differs from almost everything else.
  1609  func asn1BitLength(bitString []byte) int {
  1610  	bitLen := len(bitString) * 8
  1611  
  1612  	for i := range bitString {
  1613  		b := bitString[len(bitString)-i-1]
  1614  
  1615  		for bit := uint(0); bit < 8; bit++ {
  1616  			if (b>>bit)&1 == 1 {
  1617  				return bitLen
  1618  			}
  1619  			bitLen--
  1620  		}
  1621  	}
  1622  
  1623  	return 0
  1624  }
  1625  
  1626  var (
  1627  	oidExtensionSubjectKeyId          = []int{2, 5, 29, 14}
  1628  	oidExtensionKeyUsage              = []int{2, 5, 29, 15}
  1629  	oidExtensionExtendedKeyUsage      = []int{2, 5, 29, 37}
  1630  	oidExtensionAuthorityKeyId        = []int{2, 5, 29, 35}
  1631  	oidExtensionBasicConstraints      = []int{2, 5, 29, 19}
  1632  	oidExtensionSubjectAltName        = []int{2, 5, 29, 17}
  1633  	oidExtensionCertificatePolicies   = []int{2, 5, 29, 32}
  1634  	oidExtensionNameConstraints       = []int{2, 5, 29, 30}
  1635  	oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31}
  1636  	oidExtensionAuthorityInfoAccess   = []int{1, 3, 6, 1, 5, 5, 7, 1, 1}
  1637  )
  1638  
  1639  var (
  1640  	oidAuthorityInfoAccessOcsp    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
  1641  	oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
  1642  )
  1643  
  1644  // oidNotInExtensions reports whether an extension with the given oid exists in
  1645  // extensions.
  1646  func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool {
  1647  	for _, e := range extensions {
  1648  		if e.Id.Equal(oid) {
  1649  			return true
  1650  		}
  1651  	}
  1652  	return false
  1653  }
  1654  
  1655  // marshalSANs marshals a list of addresses into a the contents of an X.509
  1656  // SubjectAlternativeName extension.
  1657  func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) {
  1658  	var rawValues []asn1.RawValue
  1659  	for _, name := range dnsNames {
  1660  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)})
  1661  	}
  1662  	for _, email := range emailAddresses {
  1663  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)})
  1664  	}
  1665  	for _, rawIP := range ipAddresses {
  1666  		// If possible, we always want to encode IPv4 addresses in 4 bytes.
  1667  		ip := rawIP.To4()
  1668  		if ip == nil {
  1669  			ip = rawIP
  1670  		}
  1671  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip})
  1672  	}
  1673  	for _, uri := range uris {
  1674  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uri.String())})
  1675  	}
  1676  	return asn1.Marshal(rawValues)
  1677  }
  1678  
  1679  func isIA5String(s string) error {
  1680  	for _, r := range s {
  1681  		if r >= utf8.RuneSelf {
  1682  			return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
  1683  		}
  1684  	}
  1685  
  1686  	return nil
  1687  }
  1688  
  1689  func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte) (ret []pkix.Extension, err error) {
  1690  	ret = make([]pkix.Extension, 10 /* maximum number of elements. */)
  1691  	n := 0
  1692  
  1693  	if template.KeyUsage != 0 &&
  1694  		!oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
  1695  		ret[n].Id = oidExtensionKeyUsage
  1696  		ret[n].Critical = true
  1697  
  1698  		var a [2]byte
  1699  		a[0] = reverseBitsInAByte(byte(template.KeyUsage))
  1700  		a[1] = reverseBitsInAByte(byte(template.KeyUsage >> 8))
  1701  
  1702  		l := 1
  1703  		if a[1] != 0 {
  1704  			l = 2
  1705  		}
  1706  
  1707  		bitString := a[:l]
  1708  		ret[n].Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)})
  1709  		if err != nil {
  1710  			return
  1711  		}
  1712  		n++
  1713  	}
  1714  
  1715  	if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
  1716  		!oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
  1717  		ret[n].Id = oidExtensionExtendedKeyUsage
  1718  
  1719  		var oids []asn1.ObjectIdentifier
  1720  		for _, u := range template.ExtKeyUsage {
  1721  			if oid, ok := oidFromExtKeyUsage(u); ok {
  1722  				oids = append(oids, oid)
  1723  			} else {
  1724  				panic("internal error")
  1725  			}
  1726  		}
  1727  
  1728  		oids = append(oids, template.UnknownExtKeyUsage...)
  1729  
  1730  		ret[n].Value, err = asn1.Marshal(oids)
  1731  		if err != nil {
  1732  			return
  1733  		}
  1734  		n++
  1735  	}
  1736  
  1737  	if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) {
  1738  		// Leaving MaxPathLen as zero indicates that no maximum path
  1739  		// length is desired, unless MaxPathLenZero is set. A value of
  1740  		// -1 causes encoding/asn1 to omit the value as desired.
  1741  		maxPathLen := template.MaxPathLen
  1742  		if maxPathLen == 0 && !template.MaxPathLenZero {
  1743  			maxPathLen = -1
  1744  		}
  1745  		ret[n].Id = oidExtensionBasicConstraints
  1746  		ret[n].Value, err = asn1.Marshal(basicConstraints{template.IsCA, maxPathLen})
  1747  		ret[n].Critical = true
  1748  		if err != nil {
  1749  			return
  1750  		}
  1751  		n++
  1752  	}
  1753  
  1754  	if len(template.SubjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) {
  1755  		ret[n].Id = oidExtensionSubjectKeyId
  1756  		ret[n].Value, err = asn1.Marshal(template.SubjectKeyId)
  1757  		if err != nil {
  1758  			return
  1759  		}
  1760  		n++
  1761  	}
  1762  
  1763  	if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {
  1764  		ret[n].Id = oidExtensionAuthorityKeyId
  1765  		ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId})
  1766  		if err != nil {
  1767  			return
  1768  		}
  1769  		n++
  1770  	}
  1771  
  1772  	if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
  1773  		!oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) {
  1774  		ret[n].Id = oidExtensionAuthorityInfoAccess
  1775  		var aiaValues []authorityInfoAccess
  1776  		for _, name := range template.OCSPServer {
  1777  			aiaValues = append(aiaValues, authorityInfoAccess{
  1778  				Method:   oidAuthorityInfoAccessOcsp,
  1779  				Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1780  			})
  1781  		}
  1782  		for _, name := range template.IssuingCertificateURL {
  1783  			aiaValues = append(aiaValues, authorityInfoAccess{
  1784  				Method:   oidAuthorityInfoAccessIssuers,
  1785  				Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1786  			})
  1787  		}
  1788  		ret[n].Value, err = asn1.Marshal(aiaValues)
  1789  		if err != nil {
  1790  			return
  1791  		}
  1792  		n++
  1793  	}
  1794  
  1795  	if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  1796  		!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  1797  		ret[n].Id = oidExtensionSubjectAltName
  1798  		// From RFC 5280, Section 4.2.1.6:
  1799  		// “If the subject field contains an empty sequence ... then
  1800  		// subjectAltName extension ... is marked as critical”
  1801  		ret[n].Critical = subjectIsEmpty
  1802  		ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  1803  		if err != nil {
  1804  			return
  1805  		}
  1806  		n++
  1807  	}
  1808  
  1809  	if len(template.PolicyIdentifiers) > 0 &&
  1810  		!oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) {
  1811  		ret[n].Id = oidExtensionCertificatePolicies
  1812  		policies := make([]policyInformation, len(template.PolicyIdentifiers))
  1813  		for i, policy := range template.PolicyIdentifiers {
  1814  			policies[i].Policy = policy
  1815  		}
  1816  		ret[n].Value, err = asn1.Marshal(policies)
  1817  		if err != nil {
  1818  			return
  1819  		}
  1820  		n++
  1821  	}
  1822  
  1823  	if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 ||
  1824  		len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 ||
  1825  		len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 ||
  1826  		len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) &&
  1827  		!oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
  1828  		ret[n].Id = oidExtensionNameConstraints
  1829  		ret[n].Critical = template.PermittedDNSDomainsCritical
  1830  
  1831  		ipAndMask := func(ipNet *net.IPNet) []byte {
  1832  			maskedIP := ipNet.IP.Mask(ipNet.Mask)
  1833  			ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
  1834  			ipAndMask = append(ipAndMask, maskedIP...)
  1835  			ipAndMask = append(ipAndMask, ipNet.Mask...)
  1836  			return ipAndMask
  1837  		}
  1838  
  1839  		serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) {
  1840  			var b cryptobyte.Builder
  1841  
  1842  			for _, name := range dns {
  1843  				if err = isIA5String(name); err != nil {
  1844  					return nil, err
  1845  				}
  1846  
  1847  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1848  					b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) {
  1849  						b.AddBytes([]byte(name))
  1850  					})
  1851  				})
  1852  			}
  1853  
  1854  			for _, ipNet := range ips {
  1855  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1856  					b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) {
  1857  						b.AddBytes(ipAndMask(ipNet))
  1858  					})
  1859  				})
  1860  			}
  1861  
  1862  			for _, email := range emails {
  1863  				if err = isIA5String(email); err != nil {
  1864  					return nil, err
  1865  				}
  1866  
  1867  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1868  					b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) {
  1869  						b.AddBytes([]byte(email))
  1870  					})
  1871  				})
  1872  			}
  1873  
  1874  			for _, uriDomain := range uriDomains {
  1875  				if err = isIA5String(uriDomain); err != nil {
  1876  					return nil, err
  1877  				}
  1878  
  1879  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1880  					b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) {
  1881  						b.AddBytes([]byte(uriDomain))
  1882  					})
  1883  				})
  1884  			}
  1885  
  1886  			return b.Bytes()
  1887  		}
  1888  
  1889  		permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains)
  1890  		if err != nil {
  1891  			return nil, err
  1892  		}
  1893  
  1894  		excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains)
  1895  		if err != nil {
  1896  			return nil, err
  1897  		}
  1898  
  1899  		var b cryptobyte.Builder
  1900  		b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1901  			if len(permitted) > 0 {
  1902  				b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1903  					b.AddBytes(permitted)
  1904  				})
  1905  			}
  1906  
  1907  			if len(excluded) > 0 {
  1908  				b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1909  					b.AddBytes(excluded)
  1910  				})
  1911  			}
  1912  		})
  1913  
  1914  		ret[n].Value, err = b.Bytes()
  1915  		if err != nil {
  1916  			return nil, err
  1917  		}
  1918  		n++
  1919  	}
  1920  
  1921  	if len(template.CRLDistributionPoints) > 0 &&
  1922  		!oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) {
  1923  		ret[n].Id = oidExtensionCRLDistributionPoints
  1924  
  1925  		var crlDp []distributionPoint
  1926  		for _, name := range template.CRLDistributionPoints {
  1927  			dp := distributionPoint{
  1928  				DistributionPoint: distributionPointName{
  1929  					FullName: []asn1.RawValue{
  1930  						asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1931  					},
  1932  				},
  1933  			}
  1934  			crlDp = append(crlDp, dp)
  1935  		}
  1936  
  1937  		ret[n].Value, err = asn1.Marshal(crlDp)
  1938  		if err != nil {
  1939  			return
  1940  		}
  1941  		n++
  1942  	}
  1943  
  1944  	// Adding another extension here? Remember to update the maximum number
  1945  	// of elements in the make() at the top of the function and the list of
  1946  	// template fields used in CreateCertificate documentation.
  1947  
  1948  	return append(ret[:n], template.ExtraExtensions...), nil
  1949  }
  1950  
  1951  func subjectBytes(cert *Certificate) ([]byte, error) {
  1952  	if len(cert.RawSubject) > 0 {
  1953  		return cert.RawSubject, nil
  1954  	}
  1955  
  1956  	return asn1.Marshal(cert.Subject.ToRDNSequence())
  1957  }
  1958  
  1959  // signingParamsForPublicKey returns the parameters to use for signing with
  1960  // priv. If requestedSigAlgo is not zero then it overrides the default
  1961  // signature algorithm.
  1962  func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
  1963  	var pubType PublicKeyAlgorithm
  1964  
  1965  	switch pub := pub.(type) {
  1966  	case *rsa.PublicKey:
  1967  		pubType = RSA
  1968  		hashFunc = crypto.SHA256
  1969  		sigAlgo.Algorithm = oidSignatureSHA256WithRSA
  1970  		sigAlgo.Parameters = asn1.NullRawValue
  1971  
  1972  	case *ecdsa.PublicKey:
  1973  		pubType = ECDSA
  1974  
  1975  		switch pub.Curve {
  1976  		case elliptic.P224(), elliptic.P256():
  1977  			hashFunc = crypto.SHA256
  1978  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
  1979  		case elliptic.P384():
  1980  			hashFunc = crypto.SHA384
  1981  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
  1982  		case elliptic.P521():
  1983  			hashFunc = crypto.SHA512
  1984  			sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
  1985  		default:
  1986  			err = errors.New("x509: unknown elliptic curve")
  1987  		}
  1988  
  1989  	default:
  1990  		err = errors.New("x509: only RSA and ECDSA keys supported")
  1991  	}
  1992  
  1993  	if err != nil {
  1994  		return
  1995  	}
  1996  
  1997  	if requestedSigAlgo == 0 {
  1998  		return
  1999  	}
  2000  
  2001  	found := false
  2002  	for _, details := range signatureAlgorithmDetails {
  2003  		if details.algo == requestedSigAlgo {
  2004  			if details.pubKeyAlgo != pubType {
  2005  				err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
  2006  				return
  2007  			}
  2008  			sigAlgo.Algorithm, hashFunc = details.oid, details.hash
  2009  			if hashFunc == 0 {
  2010  				err = errors.New("x509: cannot sign with hash function requested")
  2011  				return
  2012  			}
  2013  			if requestedSigAlgo.isRSAPSS() {
  2014  				sigAlgo.Parameters = rsaPSSParameters(hashFunc)
  2015  			}
  2016  			found = true
  2017  			break
  2018  		}
  2019  	}
  2020  
  2021  	if !found {
  2022  		err = errors.New("x509: unknown SignatureAlgorithm")
  2023  	}
  2024  
  2025  	return
  2026  }
  2027  
  2028  // emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is
  2029  // just an empty SEQUENCE.
  2030  var emptyASN1Subject = []byte{0x30, 0}
  2031  
  2032  // CreateCertificate creates a new X.509v3 certificate based on a template.
  2033  // The following members of template are used:
  2034  //
  2035  //  - AuthorityKeyId
  2036  //  - BasicConstraintsValid
  2037  //  - CRLDistributionPoints
  2038  //  - DNSNames
  2039  //  - EmailAddresses
  2040  //  - ExcludedDNSDomains
  2041  //  - ExcludedEmailAddresses
  2042  //  - ExcludedIPRanges
  2043  //  - ExcludedURIDomains
  2044  //  - ExtKeyUsage
  2045  //  - ExtraExtensions
  2046  //  - IsCA
  2047  //  - IssuingCertificateURL
  2048  //  - KeyUsage
  2049  //  - MaxPathLen
  2050  //  - MaxPathLenZero
  2051  //  - NotAfter
  2052  //  - NotBefore
  2053  //  - OCSPServer
  2054  //  - PermittedDNSDomains
  2055  //  - PermittedDNSDomainsCritical
  2056  //  - PermittedEmailAddresses
  2057  //  - PermittedIPRanges
  2058  //  - PermittedURIDomains
  2059  //  - PolicyIdentifiers
  2060  //  - SerialNumber
  2061  //  - SignatureAlgorithm
  2062  //  - Subject
  2063  //  - SubjectKeyId
  2064  //  - URIs
  2065  //  - UnknownExtKeyUsage
  2066  //
  2067  // The certificate is signed by parent. If parent is equal to template then the
  2068  // certificate is self-signed. The parameter pub is the public key of the
  2069  // signee and priv is the private key of the signer.
  2070  //
  2071  // The returned slice is the certificate in DER encoding.
  2072  //
  2073  // All keys types that are implemented via crypto.Signer are supported (This
  2074  // includes *rsa.PublicKey and *ecdsa.PublicKey.)
  2075  //
  2076  // The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
  2077  // unless the resulting certificate is self-signed. Otherwise the value from
  2078  // template will be used.
  2079  func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) {
  2080  	key, ok := priv.(crypto.Signer)
  2081  	if !ok {
  2082  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2083  	}
  2084  
  2085  	if template.SerialNumber == nil {
  2086  		return nil, errors.New("x509: no SerialNumber given")
  2087  	}
  2088  
  2089  	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
  2090  	if err != nil {
  2091  		return nil, err
  2092  	}
  2093  
  2094  	publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub)
  2095  	if err != nil {
  2096  		return nil, err
  2097  	}
  2098  
  2099  	asn1Issuer, err := subjectBytes(parent)
  2100  	if err != nil {
  2101  		return
  2102  	}
  2103  
  2104  	asn1Subject, err := subjectBytes(template)
  2105  	if err != nil {
  2106  		return
  2107  	}
  2108  
  2109  	authorityKeyId := template.AuthorityKeyId
  2110  	if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 {
  2111  		authorityKeyId = parent.SubjectKeyId
  2112  	}
  2113  
  2114  	extensions, err := buildExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId)
  2115  	if err != nil {
  2116  		return
  2117  	}
  2118  
  2119  	encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
  2120  	c := tbsCertificate{
  2121  		Version:            2,
  2122  		SerialNumber:       template.SerialNumber,
  2123  		SignatureAlgorithm: signatureAlgorithm,
  2124  		Issuer:             asn1.RawValue{FullBytes: asn1Issuer},
  2125  		Validity:           validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
  2126  		Subject:            asn1.RawValue{FullBytes: asn1Subject},
  2127  		PublicKey:          publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
  2128  		Extensions:         extensions,
  2129  	}
  2130  
  2131  	tbsCertContents, err := asn1.Marshal(c)
  2132  	if err != nil {
  2133  		return
  2134  	}
  2135  
  2136  	c.Raw = tbsCertContents
  2137  
  2138  	h := hashFunc.New()
  2139  	h.Write(tbsCertContents)
  2140  	digest := h.Sum(nil)
  2141  
  2142  	var signerOpts crypto.SignerOpts
  2143  	signerOpts = hashFunc
  2144  	if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() {
  2145  		signerOpts = &rsa.PSSOptions{
  2146  			SaltLength: rsa.PSSSaltLengthEqualsHash,
  2147  			Hash:       hashFunc,
  2148  		}
  2149  	}
  2150  
  2151  	var signature []byte
  2152  	signature, err = key.Sign(rand, digest, signerOpts)
  2153  	if err != nil {
  2154  		return
  2155  	}
  2156  
  2157  	return asn1.Marshal(certificate{
  2158  		nil,
  2159  		c,
  2160  		signatureAlgorithm,
  2161  		asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  2162  	})
  2163  }
  2164  
  2165  // pemCRLPrefix is the magic string that indicates that we have a PEM encoded
  2166  // CRL.
  2167  var pemCRLPrefix = []byte("-----BEGIN X509 CRL")
  2168  
  2169  // pemType is the type of a PEM encoded CRL.
  2170  var pemType = "X509 CRL"
  2171  
  2172  // ParseCRL parses a CRL from the given bytes. It's often the case that PEM
  2173  // encoded CRLs will appear where they should be DER encoded, so this function
  2174  // will transparently handle PEM encoding as long as there isn't any leading
  2175  // garbage.
  2176  func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) {
  2177  	if bytes.HasPrefix(crlBytes, pemCRLPrefix) {
  2178  		block, _ := pem.Decode(crlBytes)
  2179  		if block != nil && block.Type == pemType {
  2180  			crlBytes = block.Bytes
  2181  		}
  2182  	}
  2183  	return ParseDERCRL(crlBytes)
  2184  }
  2185  
  2186  // ParseDERCRL parses a DER encoded CRL from the given bytes.
  2187  func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) {
  2188  	certList := new(pkix.CertificateList)
  2189  	if rest, err := asn1.Unmarshal(derBytes, certList); err != nil {
  2190  		return nil, err
  2191  	} else if len(rest) != 0 {
  2192  		return nil, errors.New("x509: trailing data after CRL")
  2193  	}
  2194  	return certList, nil
  2195  }
  2196  
  2197  // CreateCRL returns a DER encoded CRL, signed by this Certificate, that
  2198  // contains the given list of revoked certificates.
  2199  func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
  2200  	key, ok := priv.(crypto.Signer)
  2201  	if !ok {
  2202  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2203  	}
  2204  
  2205  	hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0)
  2206  	if err != nil {
  2207  		return nil, err
  2208  	}
  2209  
  2210  	// Force revocation times to UTC per RFC 5280.
  2211  	revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
  2212  	for i, rc := range revokedCerts {
  2213  		rc.RevocationTime = rc.RevocationTime.UTC()
  2214  		revokedCertsUTC[i] = rc
  2215  	}
  2216  
  2217  	tbsCertList := pkix.TBSCertificateList{
  2218  		Version:             1,
  2219  		Signature:           signatureAlgorithm,
  2220  		Issuer:              c.Subject.ToRDNSequence(),
  2221  		ThisUpdate:          now.UTC(),
  2222  		NextUpdate:          expiry.UTC(),
  2223  		RevokedCertificates: revokedCertsUTC,
  2224  	}
  2225  
  2226  	// Authority Key Id
  2227  	if len(c.SubjectKeyId) > 0 {
  2228  		var aki pkix.Extension
  2229  		aki.Id = oidExtensionAuthorityKeyId
  2230  		aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId})
  2231  		if err != nil {
  2232  			return
  2233  		}
  2234  		tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
  2235  	}
  2236  
  2237  	tbsCertListContents, err := asn1.Marshal(tbsCertList)
  2238  	if err != nil {
  2239  		return
  2240  	}
  2241  
  2242  	h := hashFunc.New()
  2243  	h.Write(tbsCertListContents)
  2244  	digest := h.Sum(nil)
  2245  
  2246  	var signature []byte
  2247  	signature, err = key.Sign(rand, digest, hashFunc)
  2248  	if err != nil {
  2249  		return
  2250  	}
  2251  
  2252  	return asn1.Marshal(pkix.CertificateList{
  2253  		TBSCertList:        tbsCertList,
  2254  		SignatureAlgorithm: signatureAlgorithm,
  2255  		SignatureValue:     asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  2256  	})
  2257  }
  2258  
  2259  // CertificateRequest represents a PKCS #10, certificate signature request.
  2260  type CertificateRequest struct {
  2261  	Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
  2262  	RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
  2263  	RawSubjectPublicKeyInfo  []byte // DER encoded SubjectPublicKeyInfo.
  2264  	RawSubject               []byte // DER encoded Subject.
  2265  
  2266  	Version            int
  2267  	Signature          []byte
  2268  	SignatureAlgorithm SignatureAlgorithm
  2269  
  2270  	PublicKeyAlgorithm PublicKeyAlgorithm
  2271  	PublicKey          interface{}
  2272  
  2273  	Subject pkix.Name
  2274  
  2275  	// Attributes contains the CSR attributes that can parse as
  2276  	// pkix.AttributeTypeAndValueSET.
  2277  	//
  2278  	// Deprecated: use Extensions and ExtraExtensions instead for parsing and
  2279  	// generating the requestedExtensions attribute.
  2280  	Attributes []pkix.AttributeTypeAndValueSET
  2281  
  2282  	// Extensions contains all requested extensions, in raw form. When parsing
  2283  	// CSRs, this can be used to extract extensions that are not parsed by this
  2284  	// package.
  2285  	Extensions []pkix.Extension
  2286  
  2287  	// ExtraExtensions contains extensions to be copied, raw, into any CSR
  2288  	// marshaled by CreateCertificateRequest. Values override any extensions
  2289  	// that would otherwise be produced based on the other fields but are
  2290  	// overridden by any extensions specified in Attributes.
  2291  	//
  2292  	// The ExtraExtensions field is not populated by ParseCertificateRequest,
  2293  	// see Extensions instead.
  2294  	ExtraExtensions []pkix.Extension
  2295  
  2296  	// Subject Alternate Name values.
  2297  	DNSNames       []string
  2298  	EmailAddresses []string
  2299  	IPAddresses    []net.IP
  2300  	URIs           []*url.URL
  2301  }
  2302  
  2303  // These structures reflect the ASN.1 structure of X.509 certificate
  2304  // signature requests (see RFC 2986):
  2305  
  2306  type tbsCertificateRequest struct {
  2307  	Raw           asn1.RawContent
  2308  	Version       int
  2309  	Subject       asn1.RawValue
  2310  	PublicKey     publicKeyInfo
  2311  	RawAttributes []asn1.RawValue `asn1:"tag:0"`
  2312  }
  2313  
  2314  type certificateRequest struct {
  2315  	Raw                asn1.RawContent
  2316  	TBSCSR             tbsCertificateRequest
  2317  	SignatureAlgorithm pkix.AlgorithmIdentifier
  2318  	SignatureValue     asn1.BitString
  2319  }
  2320  
  2321  // oidExtensionRequest is a PKCS#9 OBJECT IDENTIFIER that indicates requested
  2322  // extensions in a CSR.
  2323  var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}
  2324  
  2325  // newRawAttributes converts AttributeTypeAndValueSETs from a template
  2326  // CertificateRequest's Attributes into tbsCertificateRequest RawAttributes.
  2327  func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) {
  2328  	var rawAttributes []asn1.RawValue
  2329  	b, err := asn1.Marshal(attributes)
  2330  	if err != nil {
  2331  		return nil, err
  2332  	}
  2333  	rest, err := asn1.Unmarshal(b, &rawAttributes)
  2334  	if err != nil {
  2335  		return nil, err
  2336  	}
  2337  	if len(rest) != 0 {
  2338  		return nil, errors.New("x509: failed to unmarshal raw CSR Attributes")
  2339  	}
  2340  	return rawAttributes, nil
  2341  }
  2342  
  2343  // parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs.
  2344  func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET {
  2345  	var attributes []pkix.AttributeTypeAndValueSET
  2346  	for _, rawAttr := range rawAttributes {
  2347  		var attr pkix.AttributeTypeAndValueSET
  2348  		rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr)
  2349  		// Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET
  2350  		// (i.e.: challengePassword or unstructuredName).
  2351  		if err == nil && len(rest) == 0 {
  2352  			attributes = append(attributes, attr)
  2353  		}
  2354  	}
  2355  	return attributes
  2356  }
  2357  
  2358  // parseCSRExtensions parses the attributes from a CSR and extracts any
  2359  // requested extensions.
  2360  func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) {
  2361  	// pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1.
  2362  	type pkcs10Attribute struct {
  2363  		Id     asn1.ObjectIdentifier
  2364  		Values []asn1.RawValue `asn1:"set"`
  2365  	}
  2366  
  2367  	var ret []pkix.Extension
  2368  	for _, rawAttr := range rawAttributes {
  2369  		var attr pkcs10Attribute
  2370  		if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
  2371  			// Ignore attributes that don't parse.
  2372  			continue
  2373  		}
  2374  
  2375  		if !attr.Id.Equal(oidExtensionRequest) {
  2376  			continue
  2377  		}
  2378  
  2379  		var extensions []pkix.Extension
  2380  		if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
  2381  			return nil, err
  2382  		}
  2383  		ret = append(ret, extensions...)
  2384  	}
  2385  
  2386  	return ret, nil
  2387  }
  2388  
  2389  // CreateCertificateRequest creates a new certificate request based on a
  2390  // template. The following members of template are used:
  2391  //
  2392  //  - SignatureAlgorithm
  2393  //  - Subject
  2394  //  - DNSNames
  2395  //  - EmailAddresses
  2396  //  - IPAddresses
  2397  //  - URIs
  2398  //  - ExtraExtensions
  2399  //  - Attributes (deprecated)
  2400  //
  2401  // priv is the private key to sign the CSR with, and the corresponding public
  2402  // key will be included in the CSR. It must implement crypto.Signer and its
  2403  // Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey. (A
  2404  // *rsa.PrivateKey or *ecdsa.PrivateKey satisfies this.)
  2405  //
  2406  // The returned slice is the certificate request in DER encoding.
  2407  func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) {
  2408  	key, ok := priv.(crypto.Signer)
  2409  	if !ok {
  2410  		return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2411  	}
  2412  
  2413  	var hashFunc crypto.Hash
  2414  	var sigAlgo pkix.AlgorithmIdentifier
  2415  	hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
  2416  	if err != nil {
  2417  		return nil, err
  2418  	}
  2419  
  2420  	var publicKeyBytes []byte
  2421  	var publicKeyAlgorithm pkix.AlgorithmIdentifier
  2422  	publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public())
  2423  	if err != nil {
  2424  		return nil, err
  2425  	}
  2426  
  2427  	var extensions []pkix.Extension
  2428  
  2429  	if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  2430  		!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  2431  		sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  2432  		if err != nil {
  2433  			return nil, err
  2434  		}
  2435  
  2436  		extensions = append(extensions, pkix.Extension{
  2437  			Id:    oidExtensionSubjectAltName,
  2438  			Value: sanBytes,
  2439  		})
  2440  	}
  2441  
  2442  	extensions = append(extensions, template.ExtraExtensions...)
  2443  
  2444  	// Make a copy of template.Attributes because we may alter it below.
  2445  	attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes))
  2446  	for _, attr := range template.Attributes {
  2447  		values := make([][]pkix.AttributeTypeAndValue, len(attr.Value))
  2448  		copy(values, attr.Value)
  2449  		attributes = append(attributes, pkix.AttributeTypeAndValueSET{
  2450  			Type:  attr.Type,
  2451  			Value: values,
  2452  		})
  2453  	}
  2454  
  2455  	extensionsAppended := false
  2456  	if len(extensions) > 0 {
  2457  		// Append the extensions to an existing attribute if possible.
  2458  		for _, atvSet := range attributes {
  2459  			if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 {
  2460  				continue
  2461  			}
  2462  
  2463  			// specifiedExtensions contains all the extensions that we
  2464  			// found specified via template.Attributes.
  2465  			specifiedExtensions := make(map[string]bool)
  2466  
  2467  			for _, atvs := range atvSet.Value {
  2468  				for _, atv := range atvs {
  2469  					specifiedExtensions[atv.Type.String()] = true
  2470  				}
  2471  			}
  2472  
  2473  			newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions))
  2474  			newValue = append(newValue, atvSet.Value[0]...)
  2475  
  2476  			for _, e := range extensions {
  2477  				if specifiedExtensions[e.Id.String()] {
  2478  					// Attributes already contained a value for
  2479  					// this extension and it takes priority.
  2480  					continue
  2481  				}
  2482  
  2483  				newValue = append(newValue, pkix.AttributeTypeAndValue{
  2484  					// There is no place for the critical
  2485  					// flag in an AttributeTypeAndValue.
  2486  					Type:  e.Id,
  2487  					Value: e.Value,
  2488  				})
  2489  			}
  2490  
  2491  			atvSet.Value[0] = newValue
  2492  			extensionsAppended = true
  2493  			break
  2494  		}
  2495  	}
  2496  
  2497  	rawAttributes, err := newRawAttributes(attributes)
  2498  	if err != nil {
  2499  		return
  2500  	}
  2501  
  2502  	// If not included in attributes, add a new attribute for the
  2503  	// extensions.
  2504  	if len(extensions) > 0 && !extensionsAppended {
  2505  		attr := struct {
  2506  			Type  asn1.ObjectIdentifier
  2507  			Value [][]pkix.Extension `asn1:"set"`
  2508  		}{
  2509  			Type:  oidExtensionRequest,
  2510  			Value: [][]pkix.Extension{extensions},
  2511  		}
  2512  
  2513  		b, err := asn1.Marshal(attr)
  2514  		if err != nil {
  2515  			return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error())
  2516  		}
  2517  
  2518  		var rawValue asn1.RawValue
  2519  		if _, err := asn1.Unmarshal(b, &rawValue); err != nil {
  2520  			return nil, err
  2521  		}
  2522  
  2523  		rawAttributes = append(rawAttributes, rawValue)
  2524  	}
  2525  
  2526  	asn1Subject := template.RawSubject
  2527  	if len(asn1Subject) == 0 {
  2528  		asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence())
  2529  		if err != nil {
  2530  			return nil, err
  2531  		}
  2532  	}
  2533  
  2534  	tbsCSR := tbsCertificateRequest{
  2535  		Version: 0, // PKCS #10, RFC 2986
  2536  		Subject: asn1.RawValue{FullBytes: asn1Subject},
  2537  		PublicKey: publicKeyInfo{
  2538  			Algorithm: publicKeyAlgorithm,
  2539  			PublicKey: asn1.BitString{
  2540  				Bytes:     publicKeyBytes,
  2541  				BitLength: len(publicKeyBytes) * 8,
  2542  			},
  2543  		},
  2544  		RawAttributes: rawAttributes,
  2545  	}
  2546  
  2547  	tbsCSRContents, err := asn1.Marshal(tbsCSR)
  2548  	if err != nil {
  2549  		return
  2550  	}
  2551  	tbsCSR.Raw = tbsCSRContents
  2552  
  2553  	h := hashFunc.New()
  2554  	h.Write(tbsCSRContents)
  2555  	digest := h.Sum(nil)
  2556  
  2557  	var signature []byte
  2558  	signature, err = key.Sign(rand, digest, hashFunc)
  2559  	if err != nil {
  2560  		return
  2561  	}
  2562  
  2563  	return asn1.Marshal(certificateRequest{
  2564  		TBSCSR:             tbsCSR,
  2565  		SignatureAlgorithm: sigAlgo,
  2566  		SignatureValue: asn1.BitString{
  2567  			Bytes:     signature,
  2568  			BitLength: len(signature) * 8,
  2569  		},
  2570  	})
  2571  }
  2572  
  2573  // ParseCertificateRequest parses a single certificate request from the
  2574  // given ASN.1 DER data.
  2575  func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) {
  2576  	var csr certificateRequest
  2577  
  2578  	rest, err := asn1.Unmarshal(asn1Data, &csr)
  2579  	if err != nil {
  2580  		return nil, err
  2581  	} else if len(rest) != 0 {
  2582  		return nil, asn1.SyntaxError{Msg: "trailing data"}
  2583  	}
  2584  
  2585  	return parseCertificateRequest(&csr)
  2586  }
  2587  
  2588  func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) {
  2589  	out := &CertificateRequest{
  2590  		Raw:                      in.Raw,
  2591  		RawTBSCertificateRequest: in.TBSCSR.Raw,
  2592  		RawSubjectPublicKeyInfo:  in.TBSCSR.PublicKey.Raw,
  2593  		RawSubject:               in.TBSCSR.Subject.FullBytes,
  2594  
  2595  		Signature:          in.SignatureValue.RightAlign(),
  2596  		SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm),
  2597  
  2598  		PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm),
  2599  
  2600  		Version:    in.TBSCSR.Version,
  2601  		Attributes: parseRawAttributes(in.TBSCSR.RawAttributes),
  2602  	}
  2603  
  2604  	var err error
  2605  	out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey)
  2606  	if err != nil {
  2607  		return nil, err
  2608  	}
  2609  
  2610  	var subject pkix.RDNSequence
  2611  	if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil {
  2612  		return nil, err
  2613  	} else if len(rest) != 0 {
  2614  		return nil, errors.New("x509: trailing data after X.509 Subject")
  2615  	}
  2616  
  2617  	out.Subject.FillFromRDNSequence(&subject)
  2618  
  2619  	if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil {
  2620  		return nil, err
  2621  	}
  2622  
  2623  	for _, extension := range out.Extensions {
  2624  		if extension.Id.Equal(oidExtensionSubjectAltName) {
  2625  			out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value)
  2626  			if err != nil {
  2627  				return nil, err
  2628  			}
  2629  		}
  2630  	}
  2631  
  2632  	return out, nil
  2633  }
  2634  
  2635  // CheckSignature reports whether the signature on c is valid.
  2636  func (c *CertificateRequest) CheckSignature() error {
  2637  	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
  2638  }
  2639  

View as plain text