LEFT | RIGHT |
1 // Copyright 2009 The Go Authors. All rights reserved. | 1 // Copyright 2009 The Go Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style | 2 // Use of this source code is governed by a BSD-style |
3 // license that can be found in the LICENSE file. | 3 // license that can be found in the LICENSE file. |
4 | 4 |
5 // Package x509 parses X.509-encoded keys and certificates. | 5 // Package x509 parses X.509-encoded keys and certificates. |
6 package x509 | 6 package x509 |
7 | 7 |
8 import ( | 8 import ( |
9 "bytes" | 9 "bytes" |
10 "crypto" | 10 "crypto" |
(...skipping 476 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
487 // otherwise be produced based on the other fields. The ExtraExtensions | 487 // otherwise be produced based on the other fields. The ExtraExtensions |
488 // field is not populated when parsing certificates, see Extensions. | 488 // field is not populated when parsing certificates, see Extensions. |
489 ExtraExtensions []pkix.Extension | 489 ExtraExtensions []pkix.Extension |
490 | 490 |
491 ExtKeyUsage []ExtKeyUsage // Sequence of extended key u
sages. | 491 ExtKeyUsage []ExtKeyUsage // Sequence of extended key u
sages. |
492 UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key u
sages unknown to this package. | 492 UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key u
sages unknown to this package. |
493 | 493 |
494 BasicConstraintsValid bool // if true then the next two fields are valid
. | 494 BasicConstraintsValid bool // if true then the next two fields are valid
. |
495 IsCA bool | 495 IsCA bool |
496 MaxPathLen int | 496 MaxPathLen int |
| 497 // MaxPathLenZero indicates that BasicConstraintsValid==true and |
| 498 // MaxPathLen==0 should be interpreted as an actual maximum path length |
| 499 // of zero. Otherwise, that combination is interpreted as MaxPathLen |
| 500 // not being set. |
| 501 MaxPathLenZero bool |
497 | 502 |
498 SubjectKeyId []byte | 503 SubjectKeyId []byte |
499 AuthorityKeyId []byte | 504 AuthorityKeyId []byte |
500 | 505 |
501 // RFC 5280, 4.2.2.1 (Authority Information Access) | 506 // RFC 5280, 4.2.2.1 (Authority Information Access) |
502 OCSPServer []string | 507 OCSPServer []string |
503 IssuingCertificateURL []string | 508 IssuingCertificateURL []string |
504 | 509 |
505 // Subject Alternate Name values | 510 // Subject Alternate Name values |
506 DNSNames []string | 511 DNSNames []string |
(...skipping 399 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
906 } | 911 } |
907 case 19: | 912 case 19: |
908 // RFC 5280, 4.2.1.9 | 913 // RFC 5280, 4.2.1.9 |
909 var constraints basicConstraints | 914 var constraints basicConstraints |
910 _, err := asn1.Unmarshal(e.Value, &constraints) | 915 _, err := asn1.Unmarshal(e.Value, &constraints) |
911 | 916 |
912 if err == nil { | 917 if err == nil { |
913 out.BasicConstraintsValid = true | 918 out.BasicConstraintsValid = true |
914 out.IsCA = constraints.IsCA | 919 out.IsCA = constraints.IsCA |
915 out.MaxPathLen = constraints.MaxPathLen | 920 out.MaxPathLen = constraints.MaxPathLen |
| 921 out.MaxPathLenZero = out.MaxPathLen == 0 |
916 continue | 922 continue |
917 } | 923 } |
918 case 17: | 924 case 17: |
919 out.DNSNames, out.EmailAddresses, out.IPAddresse
s, err = parseSANExtension(e.Value) | 925 out.DNSNames, out.EmailAddresses, out.IPAddresse
s, err = parseSANExtension(e.Value) |
920 if err != nil { | 926 if err != nil { |
921 return nil, err | 927 return nil, err |
922 } | 928 } |
923 | 929 |
924 if len(out.DNSNames) > 0 || len(out.EmailAddress
es) > 0 || len(out.IPAddresses) > 0 { | 930 if len(out.DNSNames) > 0 || len(out.EmailAddress
es) > 0 || len(out.IPAddresses) > 0 { |
925 continue | 931 continue |
(...skipping 294 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1220 oids = append(oids, template.UnknownExtKeyUsage...) | 1226 oids = append(oids, template.UnknownExtKeyUsage...) |
1221 | 1227 |
1222 ret[n].Value, err = asn1.Marshal(oids) | 1228 ret[n].Value, err = asn1.Marshal(oids) |
1223 if err != nil { | 1229 if err != nil { |
1224 return | 1230 return |
1225 } | 1231 } |
1226 n++ | 1232 n++ |
1227 } | 1233 } |
1228 | 1234 |
1229 if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicC
onstraints, template.ExtraExtensions) { | 1235 if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicC
onstraints, template.ExtraExtensions) { |
| 1236 // Leaving MaxPathLen as zero indicates that no maximum path |
| 1237 // length is desired, unless MaxPathLenZero is set. A value of |
| 1238 // -1 causes encoding/asn1 to omit the value as desired. |
| 1239 maxPathLen := template.MaxPathLen |
| 1240 if maxPathLen == 0 && !template.MaxPathLenZero { |
| 1241 maxPathLen = -1 |
| 1242 } |
1230 ret[n].Id = oidExtensionBasicConstraints | 1243 ret[n].Id = oidExtensionBasicConstraints |
1231 » » ret[n].Value, err = asn1.Marshal(basicConstraints{template.IsCA,
template.MaxPathLen}) | 1244 » » ret[n].Value, err = asn1.Marshal(basicConstraints{template.IsCA,
maxPathLen}) |
1232 ret[n].Critical = true | 1245 ret[n].Critical = true |
1233 if err != nil { | 1246 if err != nil { |
1234 return | 1247 return |
1235 } | 1248 } |
1236 n++ | 1249 n++ |
1237 } | 1250 } |
1238 | 1251 |
1239 if len(template.SubjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjec
tKeyId, template.ExtraExtensions) { | 1252 if len(template.SubjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjec
tKeyId, template.ExtraExtensions) { |
1240 ret[n].Id = oidExtensionSubjectKeyId | 1253 ret[n].Id = oidExtensionSubjectKeyId |
1241 ret[n].Value, err = asn1.Marshal(template.SubjectKeyId) | 1254 ret[n].Value, err = asn1.Marshal(template.SubjectKeyId) |
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1321 if len(template.CRLDistributionPoints) > 0 && | 1334 if len(template.CRLDistributionPoints) > 0 && |
1322 !oidInExtensions(oidExtensionCRLDistributionPoints, template.Ext
raExtensions) { | 1335 !oidInExtensions(oidExtensionCRLDistributionPoints, template.Ext
raExtensions) { |
1323 ret[n].Id = oidExtensionCRLDistributionPoints | 1336 ret[n].Id = oidExtensionCRLDistributionPoints |
1324 | 1337 |
1325 var crlDp []distributionPoint | 1338 var crlDp []distributionPoint |
1326 for _, name := range template.CRLDistributionPoints { | 1339 for _, name := range template.CRLDistributionPoints { |
1327 rawFullName, _ := asn1.Marshal(asn1.RawValue{Tag: 6, Cla
ss: 2, Bytes: []byte(name)}) | 1340 rawFullName, _ := asn1.Marshal(asn1.RawValue{Tag: 6, Cla
ss: 2, Bytes: []byte(name)}) |
1328 | 1341 |
1329 dp := distributionPoint{ | 1342 dp := distributionPoint{ |
1330 DistributionPoint: distributionPointName{ | 1343 DistributionPoint: distributionPointName{ |
1331 » » » » » FullName: asn1.RawValue{Tag: 0, Class: 2
, Bytes: rawFullName}, | 1344 » » » » » FullName: asn1.RawValue{Tag: 0, Class: 2
, IsCompound: true, Bytes: rawFullName}, |
1332 }, | 1345 }, |
1333 } | 1346 } |
1334 crlDp = append(crlDp, dp) | 1347 crlDp = append(crlDp, dp) |
1335 } | 1348 } |
1336 | 1349 |
1337 ret[n].Value, err = asn1.Marshal(crlDp) | 1350 ret[n].Value, err = asn1.Marshal(crlDp) |
1338 if err != nil { | 1351 if err != nil { |
1339 return | 1352 return |
1340 } | 1353 } |
1341 n++ | 1354 n++ |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1378 hashFunc = crypto.SHA384 | 1391 hashFunc = crypto.SHA384 |
1379 sigAlgo.Algorithm = oidSignatureECDSAWithSHA384 | 1392 sigAlgo.Algorithm = oidSignatureECDSAWithSHA384 |
1380 case elliptic.P521(): | 1393 case elliptic.P521(): |
1381 hashFunc = crypto.SHA512 | 1394 hashFunc = crypto.SHA512 |
1382 sigAlgo.Algorithm = oidSignatureECDSAWithSHA512 | 1395 sigAlgo.Algorithm = oidSignatureECDSAWithSHA512 |
1383 default: | 1396 default: |
1384 err = errors.New("x509: unknown elliptic curve") | 1397 err = errors.New("x509: unknown elliptic curve") |
1385 } | 1398 } |
1386 | 1399 |
1387 default: | 1400 default: |
1388 » » err = errors.New("x509: only RSA and ECDSA public keys supported
") | 1401 » » err = errors.New("x509: only RSA and ECDSA keys supported") |
1389 } | 1402 } |
1390 | 1403 |
1391 if err != nil { | 1404 if err != nil { |
1392 return | 1405 return |
1393 } | 1406 } |
1394 | 1407 |
1395 if requestedSigAlgo == 0 { | 1408 if requestedSigAlgo == 0 { |
1396 return | 1409 return |
1397 } | 1410 } |
1398 | 1411 |
(...skipping 26 matching lines...) Expand all Loading... |
1425 // NotAfter, KeyUsage, ExtKeyUsage, UnknownExtKeyUsage, BasicConstraintsValid, | 1438 // NotAfter, KeyUsage, ExtKeyUsage, UnknownExtKeyUsage, BasicConstraintsValid, |
1426 // IsCA, MaxPathLen, SubjectKeyId, DNSNames, PermittedDNSDomainsCritical, | 1439 // IsCA, MaxPathLen, SubjectKeyId, DNSNames, PermittedDNSDomainsCritical, |
1427 // PermittedDNSDomains, SignatureAlgorithm. | 1440 // PermittedDNSDomains, SignatureAlgorithm. |
1428 // | 1441 // |
1429 // The certificate is signed by parent. If parent is equal to template then the | 1442 // The certificate is signed by parent. If parent is equal to template then the |
1430 // certificate is self-signed. The parameter pub is the public key of the | 1443 // certificate is self-signed. The parameter pub is the public key of the |
1431 // signee and priv is the private key of the signer. | 1444 // signee and priv is the private key of the signer. |
1432 // | 1445 // |
1433 // The returned slice is the certificate in DER encoding. | 1446 // The returned slice is the certificate in DER encoding. |
1434 // | 1447 // |
1435 // The only supported key types are RSA and ECDSA (*rsa.PublicKey or | 1448 // All keys types that are implemented via crypto.Signer are supported (This |
1436 // *ecdsa.PublicKey for pub, *rsa.PrivateKey or *ecdsa.PrivateKey for priv). | 1449 // includes *rsa.PublicKey and *ecdsa.PublicKey.) |
1437 func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interf
ace{}, priv interface{}) (cert []byte, err error) { | 1450 func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interf
ace{}, priv interface{}) (cert []byte, err error) { |
1438 » hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(pub, temp
late.SignatureAlgorithm) | 1451 » key, ok := priv.(crypto.Signer) |
| 1452 » if !ok { |
| 1453 » » err = errors.New("x509: certificate private key does not impleme
nt crypto.Signer") |
| 1454 » » return |
| 1455 » } |
| 1456 |
| 1457 » hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Publi
c(), template.SignatureAlgorithm) |
1439 if err != nil { | 1458 if err != nil { |
1440 return nil, err | 1459 return nil, err |
1441 } | 1460 } |
1442 | 1461 |
1443 publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub) | 1462 publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub) |
1444 if err != nil { | 1463 if err != nil { |
1445 return nil, err | 1464 return nil, err |
1446 } | |
1447 | |
1448 if err != nil { | |
1449 return | |
1450 } | 1465 } |
1451 | 1466 |
1452 if len(parent.SubjectKeyId) > 0 { | 1467 if len(parent.SubjectKeyId) > 0 { |
1453 template.AuthorityKeyId = parent.SubjectKeyId | 1468 template.AuthorityKeyId = parent.SubjectKeyId |
1454 } | 1469 } |
1455 | 1470 |
1456 extensions, err := buildExtensions(template) | 1471 extensions, err := buildExtensions(template) |
1457 if err != nil { | 1472 if err != nil { |
1458 return | 1473 return |
1459 } | 1474 } |
(...skipping 25 matching lines...) Expand all Loading... |
1485 return | 1500 return |
1486 } | 1501 } |
1487 | 1502 |
1488 c.Raw = tbsCertContents | 1503 c.Raw = tbsCertContents |
1489 | 1504 |
1490 h := hashFunc.New() | 1505 h := hashFunc.New() |
1491 h.Write(tbsCertContents) | 1506 h.Write(tbsCertContents) |
1492 digest := h.Sum(nil) | 1507 digest := h.Sum(nil) |
1493 | 1508 |
1494 var signature []byte | 1509 var signature []byte |
1495 | |
1496 key, ok := priv.(crypto.Signer) | |
1497 if !ok { | |
1498 err = errors.New("x509: certificate private key does not impleme
nt crypto.Signer") | |
1499 return | |
1500 } | |
1501 signature, err = key.Sign(rand, digest, hashFunc) | 1510 signature, err = key.Sign(rand, digest, hashFunc) |
1502 | |
1503 if err != nil { | 1511 if err != nil { |
1504 return | 1512 return |
1505 } | 1513 } |
1506 | 1514 |
1507 cert, err = asn1.Marshal(certificate{ | 1515 cert, err = asn1.Marshal(certificate{ |
1508 nil, | 1516 nil, |
1509 c, | 1517 c, |
1510 signatureAlgorithm, | 1518 signatureAlgorithm, |
1511 asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, | 1519 asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, |
1512 }) | 1520 }) |
(...skipping 27 matching lines...) Expand all Loading... |
1540 _, err = asn1.Unmarshal(derBytes, certList) | 1548 _, err = asn1.Unmarshal(derBytes, certList) |
1541 if err != nil { | 1549 if err != nil { |
1542 certList = nil | 1550 certList = nil |
1543 } | 1551 } |
1544 return | 1552 return |
1545 } | 1553 } |
1546 | 1554 |
1547 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that | 1555 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that |
1548 // contains the given list of revoked certificates. | 1556 // contains the given list of revoked certificates. |
1549 func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts [
]pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { | 1557 func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts [
]pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { |
1550 » hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(c.PublicK
ey, 0) | 1558 » key, ok := priv.(crypto.Signer) |
| 1559 » if !ok { |
| 1560 » » err = errors.New("x509: certificate private key does not impleme
nt crypto.Signer") |
| 1561 » » return |
| 1562 » } |
| 1563 |
| 1564 » hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Publi
c(), 0) |
1551 if err != nil { | 1565 if err != nil { |
1552 return nil, err | 1566 return nil, err |
1553 } | 1567 } |
1554 | 1568 |
1555 tbsCertList := pkix.TBSCertificateList{ | 1569 tbsCertList := pkix.TBSCertificateList{ |
1556 » » Version: 2, | 1570 » » Version: 2, |
1557 » » Signature: pkix.AlgorithmIdentifier{ | 1571 » » Signature: signatureAlgorithm, |
1558 » » » Algorithm: oidSignatureSHA1WithRSA, | |
1559 » » }, | |
1560 Issuer: c.Subject.ToRDNSequence(), | 1572 Issuer: c.Subject.ToRDNSequence(), |
1561 ThisUpdate: now.UTC(), | 1573 ThisUpdate: now.UTC(), |
1562 NextUpdate: expiry.UTC(), | 1574 NextUpdate: expiry.UTC(), |
1563 RevokedCertificates: revokedCerts, | 1575 RevokedCertificates: revokedCerts, |
1564 } | 1576 } |
1565 | 1577 |
1566 tbsCertListContents, err := asn1.Marshal(tbsCertList) | 1578 tbsCertListContents, err := asn1.Marshal(tbsCertList) |
1567 if err != nil { | 1579 if err != nil { |
1568 return | 1580 return |
1569 } | 1581 } |
1570 | 1582 |
1571 h := hashFunc.New() | 1583 h := hashFunc.New() |
1572 h.Write(tbsCertListContents) | 1584 h.Write(tbsCertListContents) |
1573 digest := h.Sum(nil) | 1585 digest := h.Sum(nil) |
1574 | 1586 |
1575 var signature []byte | 1587 var signature []byte |
1576 | |
1577 key, ok := priv.(crypto.Signer) | |
1578 if !ok { | |
1579 err = errors.New("x509: certificate private key does not impleme
nt crypto.Signer") | |
1580 return | |
1581 } | |
1582 signature, err = key.Sign(rand, digest, hashFunc) | 1588 signature, err = key.Sign(rand, digest, hashFunc) |
1583 if err != nil { | 1589 if err != nil { |
1584 return | 1590 return |
1585 } | 1591 } |
1586 | 1592 |
1587 return asn1.Marshal(pkix.CertificateList{ | 1593 return asn1.Marshal(pkix.CertificateList{ |
1588 TBSCertList: tbsCertList, | 1594 TBSCertList: tbsCertList, |
1589 SignatureAlgorithm: signatureAlgorithm, | 1595 SignatureAlgorithm: signatureAlgorithm, |
1590 SignatureValue: asn1.BitString{Bytes: signature, BitLength:
len(signature) * 8}, | 1596 SignatureValue: asn1.BitString{Bytes: signature, BitLength:
len(signature) * 8}, |
1591 }) | 1597 }) |
(...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1649 SignatureAlgorithm pkix.AlgorithmIdentifier | 1655 SignatureAlgorithm pkix.AlgorithmIdentifier |
1650 SignatureValue asn1.BitString | 1656 SignatureValue asn1.BitString |
1651 } | 1657 } |
1652 | 1658 |
1653 // oidExtensionRequest is a PKCS#9 OBJECT IDENTIFIER that indicates requested | 1659 // oidExtensionRequest is a PKCS#9 OBJECT IDENTIFIER that indicates requested |
1654 // extensions in a CSR. | 1660 // extensions in a CSR. |
1655 var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14} | 1661 var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14} |
1656 | 1662 |
1657 // CreateCertificateRequest creates a new certificate based on a template. The | 1663 // CreateCertificateRequest creates a new certificate based on a template. The |
1658 // following members of template are used: Subject, Attributes, | 1664 // following members of template are used: Subject, Attributes, |
1659 // SignatureAlgorithm, Extension, DNSNames, EmailAddresses, and IPAddresses. | 1665 // SignatureAlgorithm, Extensions, DNSNames, EmailAddresses, and IPAddresses. |
1660 // The private key is the private key of the signer. | 1666 // The private key is the private key of the signer. |
1661 // | 1667 // |
1662 // The returned slice is the certificate request in DER encoding. | 1668 // The returned slice is the certificate request in DER encoding. |
1663 // | 1669 // |
1664 // The only supported key types are RSA (*rsa.PrivateKey) and ECDSA | 1670 // All keys types that are implemented via crypto.Signer are supported (This |
1665 // (*ecdsa.PrivateKey). | 1671 // includes *rsa.PublicKey and *ecdsa.PublicKey.) |
1666 func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv
interface{}) (csr []byte, err error) { | 1672 func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv
interface{}) (csr []byte, err error) { |
| 1673 key, ok := priv.(crypto.Signer) |
| 1674 if !ok { |
| 1675 err = errors.New("x509: certificate private key does not impleme
nt crypto.Signer") |
| 1676 return |
| 1677 } |
| 1678 |
1667 var hashFunc crypto.Hash | 1679 var hashFunc crypto.Hash |
1668 var sigAlgo pkix.AlgorithmIdentifier | 1680 var sigAlgo pkix.AlgorithmIdentifier |
1669 | 1681 » hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), templat
e.SignatureAlgorithm) |
1670 » switch priv := priv.(type) { | |
1671 » case *rsa.PrivateKey: | |
1672 » » hashFunc, sigAlgo, err = signingParamsForPublicKey(&priv.PublicK
ey, template.SignatureAlgorithm) | |
1673 » case *ecdsa.PrivateKey: | |
1674 » » hashFunc, sigAlgo, err = signingParamsForPublicKey(&priv.PublicK
ey, template.SignatureAlgorithm) | |
1675 » default: | |
1676 » » panic("internal error") | |
1677 » } | |
1678 | |
1679 if err != nil { | 1682 if err != nil { |
1680 return nil, err | 1683 return nil, err |
1681 } | 1684 } |
1682 | 1685 |
1683 var publicKeyBytes []byte | 1686 var publicKeyBytes []byte |
1684 var publicKeyAlgorithm pkix.AlgorithmIdentifier | 1687 var publicKeyAlgorithm pkix.AlgorithmIdentifier |
1685 | 1688 » publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public()) |
1686 » switch priv := priv.(type) { | |
1687 » case *rsa.PrivateKey: | |
1688 » » publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(&priv
.PublicKey) | |
1689 » case *ecdsa.PrivateKey: | |
1690 » » publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(&priv
.PublicKey) | |
1691 » default: | |
1692 » » panic("internal error") | |
1693 » } | |
1694 | |
1695 if err != nil { | 1689 if err != nil { |
1696 return nil, err | 1690 return nil, err |
1697 } | 1691 } |
1698 | 1692 |
1699 var extensions []pkix.Extension | 1693 var extensions []pkix.Extension |
1700 | 1694 |
1701 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || le
n(template.IPAddresses) > 0) && | 1695 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || le
n(template.IPAddresses) > 0) && |
1702 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExten
sions) { | 1696 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExten
sions) { |
1703 sanBytes, err := marshalSANs(template.DNSNames, template.EmailAd
dresses, template.IPAddresses) | 1697 sanBytes, err := marshalSANs(template.DNSNames, template.EmailAd
dresses, template.IPAddresses) |
1704 if err != nil { | 1698 if err != nil { |
(...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1796 if err != nil { | 1790 if err != nil { |
1797 return | 1791 return |
1798 } | 1792 } |
1799 tbsCSR.Raw = tbsCSRContents | 1793 tbsCSR.Raw = tbsCSRContents |
1800 | 1794 |
1801 h := hashFunc.New() | 1795 h := hashFunc.New() |
1802 h.Write(tbsCSRContents) | 1796 h.Write(tbsCSRContents) |
1803 digest := h.Sum(nil) | 1797 digest := h.Sum(nil) |
1804 | 1798 |
1805 var signature []byte | 1799 var signature []byte |
1806 » switch priv := priv.(type) { | 1800 » signature, err = key.Sign(rand, digest, hashFunc) |
1807 » case *rsa.PrivateKey: | |
1808 » » signature, err = rsa.SignPKCS1v15(rand, priv, hashFunc, digest) | |
1809 » case *ecdsa.PrivateKey: | |
1810 » » var r, s *big.Int | |
1811 » » if r, s, err = ecdsa.Sign(rand, priv, digest); err == nil { | |
1812 » » » signature, err = asn1.Marshal(ecdsaSignature{r, s}) | |
1813 » » } | |
1814 » default: | |
1815 » » panic("internal error") | |
1816 » } | |
1817 | |
1818 if err != nil { | 1801 if err != nil { |
1819 return | 1802 return |
1820 } | 1803 } |
1821 | 1804 |
1822 return asn1.Marshal(certificateRequest{ | 1805 return asn1.Marshal(certificateRequest{ |
1823 TBSCSR: tbsCSR, | 1806 TBSCSR: tbsCSR, |
1824 SignatureAlgorithm: sigAlgo, | 1807 SignatureAlgorithm: sigAlgo, |
1825 SignatureValue: asn1.BitString{ | 1808 SignatureValue: asn1.BitString{ |
1826 Bytes: signature, | 1809 Bytes: signature, |
1827 BitLength: len(signature) * 8, | 1810 BitLength: len(signature) * 8, |
(...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1904 out.DNSNames, out.EmailAddresses, out.IPAddresse
s, err = parseSANExtension(value) | 1887 out.DNSNames, out.EmailAddresses, out.IPAddresse
s, err = parseSANExtension(value) |
1905 if err != nil { | 1888 if err != nil { |
1906 return nil, err | 1889 return nil, err |
1907 } | 1890 } |
1908 } | 1891 } |
1909 } | 1892 } |
1910 } | 1893 } |
1911 | 1894 |
1912 return out, nil | 1895 return out, nil |
1913 } | 1896 } |
LEFT | RIGHT |