| LEFT | RIGHT |
|---|
| 1 // Copyright 2009 The Go Authors. All rights reserved. | 1 // Copyright 2009 The Go Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style | 2 // Use of this source code is governed by a BSD-style |
| 3 // license that can be found in the LICENSE file. | 3 // license that can be found in the LICENSE file. |
| 4 | 4 |
| 5 // Package x509 parses X.509-encoded keys and certificates. | 5 // Package x509 parses X.509-encoded keys and certificates. |
| 6 package x509 | 6 package x509 |
| 7 | 7 |
| 8 import ( | 8 import ( |
| 9 "bytes" | 9 "bytes" |
| 10 "crypto" | 10 "crypto" |
| (...skipping 22 matching lines...) Expand all Loading... |
| 33 | 33 |
| 34 // ParsePKIXPublicKey parses a DER encoded public key. These values are | 34 // ParsePKIXPublicKey parses a DER encoded public key. These values are |
| 35 // typically found in PEM blocks with "BEGIN PUBLIC KEY". | 35 // typically found in PEM blocks with "BEGIN PUBLIC KEY". |
| 36 func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) { | 36 func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) { |
| 37 var pki publicKeyInfo | 37 var pki publicKeyInfo |
| 38 if _, err = asn1.Unmarshal(derBytes, &pki); err != nil { | 38 if _, err = asn1.Unmarshal(derBytes, &pki); err != nil { |
| 39 return | 39 return |
| 40 } | 40 } |
| 41 algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm) | 41 algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm) |
| 42 if algo == UnknownPublicKeyAlgorithm { | 42 if algo == UnknownPublicKeyAlgorithm { |
| 43 » » return nil, errors.New("crypto/x509: unknown public key algorith
m") | 43 » » return nil, errors.New("x509: unknown public key algorithm") |
| 44 } | 44 } |
| 45 return parsePublicKey(algo, &pki) | 45 return parsePublicKey(algo, &pki) |
| 46 } | 46 } |
| 47 | 47 |
| 48 // MarshalPKIXPublicKey serialises a public key to DER-encoded PKIX format. | 48 // MarshalPKIXPublicKey serialises a public key to DER-encoded PKIX format. |
| 49 func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) { | 49 func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) { |
| 50 var pubBytes []byte | 50 var pubBytes []byte |
| 51 | 51 |
| 52 switch pub := pub.(type) { | 52 switch pub := pub.(type) { |
| 53 case *rsa.PublicKey: | 53 case *rsa.PublicKey: |
| 54 pubBytes, _ = asn1.Marshal(rsaPublicKey{ | 54 pubBytes, _ = asn1.Marshal(rsaPublicKey{ |
| 55 N: pub.N, | 55 N: pub.N, |
| 56 E: pub.E, | 56 E: pub.E, |
| 57 }) | 57 }) |
| 58 default: | 58 default: |
| 59 » » return nil, errors.New("crypto/x509: unknown public key type") | 59 » » return nil, errors.New("x509: unknown public key type") |
| 60 } | 60 } |
| 61 | 61 |
| 62 pkix := pkixPublicKey{ | 62 pkix := pkixPublicKey{ |
| 63 Algo: pkix.AlgorithmIdentifier{ | 63 Algo: pkix.AlgorithmIdentifier{ |
| 64 Algorithm: []int{1, 2, 840, 113549, 1, 1, 1}, | 64 Algorithm: []int{1, 2, 840, 113549, 1, 1, 1}, |
| 65 // This is a NULL parameters value which is technically | 65 // This is a NULL parameters value which is technically |
| 66 // superfluous, but most other code includes it and, by | 66 // superfluous, but most other code includes it and, by |
| 67 // doing this, we match their public key hashes. | 67 // doing this, we match their public key hashes. |
| 68 Parameters: asn1.RawValue{ | 68 Parameters: asn1.RawValue{ |
| 69 Tag: 5, | 69 Tag: 5, |
| (...skipping 400 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 470 | 470 |
| 471 // Name constraints | 471 // Name constraints |
| 472 PermittedDNSDomainsCritical bool // if true then the name constraints ar
e marked critical. | 472 PermittedDNSDomainsCritical bool // if true then the name constraints ar
e marked critical. |
| 473 PermittedDNSDomains []string | 473 PermittedDNSDomains []string |
| 474 | 474 |
| 475 PolicyIdentifiers []asn1.ObjectIdentifier | 475 PolicyIdentifiers []asn1.ObjectIdentifier |
| 476 } | 476 } |
| 477 | 477 |
| 478 // ErrUnsupportedAlgorithm results from attempting to perform an operation that | 478 // ErrUnsupportedAlgorithm results from attempting to perform an operation that |
| 479 // involves algorithms that are not currently implemented. | 479 // involves algorithms that are not currently implemented. |
| 480 var ErrUnsupportedAlgorithm = errors.New("crypto/x509: cannot verify signature:
algorithm unimplemented") | 480 var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorit
hm unimplemented") |
| 481 | 481 |
| 482 // ConstraintViolationError results when a requested usage is not permitted by | 482 // ConstraintViolationError results when a requested usage is not permitted by |
| 483 // a certificate. For example: checking a signature when the public key isn't a | 483 // a certificate. For example: checking a signature when the public key isn't a |
| 484 // certificate signing key. | 484 // certificate signing key. |
| 485 type ConstraintViolationError struct{} | 485 type ConstraintViolationError struct{} |
| 486 | 486 |
| 487 func (ConstraintViolationError) Error() string { | 487 func (ConstraintViolationError) Error() string { |
| 488 » return "crypto/x509: invalid signature: parent certificate cannot sign t
his kind of certificate" | 488 » return "x509: invalid signature: parent certificate cannot sign this kin
d of certificate" |
| 489 } | 489 } |
| 490 | 490 |
| 491 func (c *Certificate) Equal(other *Certificate) bool { | 491 func (c *Certificate) Equal(other *Certificate) bool { |
| 492 return bytes.Equal(c.Raw, other.Raw) | 492 return bytes.Equal(c.Raw, other.Raw) |
| 493 } | 493 } |
| 494 | 494 |
| 495 // Entrust have a broken root certificate (CN=Entrust.net Certification | 495 // Entrust have a broken root certificate (CN=Entrust.net Certification |
| 496 // Authority (2048)) which isn't marked as a CA certificate and is thus invalid | 496 // Authority (2048)) which isn't marked as a CA certificate and is thus invalid |
| 497 // according to PKIX. | 497 // according to PKIX. |
| 498 // We recognise this certificate by its SubjectPublicKeyInfo and exempt it | 498 // We recognise this certificate by its SubjectPublicKeyInfo and exempt it |
| (...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 597 | 597 |
| 598 switch pub := c.PublicKey.(type) { | 598 switch pub := c.PublicKey.(type) { |
| 599 case *rsa.PublicKey: | 599 case *rsa.PublicKey: |
| 600 return rsa.VerifyPKCS1v15(pub, hashType, digest, signature) | 600 return rsa.VerifyPKCS1v15(pub, hashType, digest, signature) |
| 601 case *dsa.PublicKey: | 601 case *dsa.PublicKey: |
| 602 dsaSig := new(dsaSignature) | 602 dsaSig := new(dsaSignature) |
| 603 if _, err := asn1.Unmarshal(signature, dsaSig); err != nil { | 603 if _, err := asn1.Unmarshal(signature, dsaSig); err != nil { |
| 604 return err | 604 return err |
| 605 } | 605 } |
| 606 if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 { | 606 if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 { |
| 607 » » » return errors.New("crypto/x509: DSA signature contained
zero or negative values") | 607 » » » return errors.New("x509: DSA signature contained zero or
negative values") |
| 608 } | 608 } |
| 609 if !dsa.Verify(pub, digest, dsaSig.R, dsaSig.S) { | 609 if !dsa.Verify(pub, digest, dsaSig.R, dsaSig.S) { |
| 610 » » » return errors.New("crypto/x509: DSA verification failure
") | 610 » » » return errors.New("x509: DSA verification failure") |
| 611 } | 611 } |
| 612 return | 612 return |
| 613 case *ecdsa.PublicKey: | 613 case *ecdsa.PublicKey: |
| 614 ecdsaSig := new(ecdsaSignature) | 614 ecdsaSig := new(ecdsaSignature) |
| 615 if _, err := asn1.Unmarshal(signature, ecdsaSig); err != nil { | 615 if _, err := asn1.Unmarshal(signature, ecdsaSig); err != nil { |
| 616 return err | 616 return err |
| 617 } | 617 } |
| 618 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { | 618 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { |
| 619 » » » return errors.New("crypto/x509: ECDSA signature containe
d zero or negative values") | 619 » » » return errors.New("x509: ECDSA signature contained zero
or negative values") |
| 620 } | 620 } |
| 621 if !ecdsa.Verify(pub, digest, ecdsaSig.R, ecdsaSig.S) { | 621 if !ecdsa.Verify(pub, digest, ecdsaSig.R, ecdsaSig.S) { |
| 622 » » » return errors.New("crypto/x509: ECDSA verification failu
re") | 622 » » » return errors.New("x509: ECDSA verification failure") |
| 623 } | 623 } |
| 624 return | 624 return |
| 625 } | 625 } |
| 626 return ErrUnsupportedAlgorithm | 626 return ErrUnsupportedAlgorithm |
| 627 } | 627 } |
| 628 | 628 |
| 629 // CheckCRLSignature checks that the signature in crl is from c. | 629 // CheckCRLSignature checks that the signature in crl is from c. |
| 630 func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) (err error) { | 630 func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) (err error) { |
| 631 algo := getSignatureAlgorithmFromOID(crl.SignatureAlgorithm.Algorithm) | 631 algo := getSignatureAlgorithmFromOID(crl.SignatureAlgorithm.Algorithm) |
| 632 return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.Ri
ghtAlign()) | 632 return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.Ri
ghtAlign()) |
| 633 } | 633 } |
| 634 | 634 |
| 635 type UnhandledCriticalExtension struct{} | 635 type UnhandledCriticalExtension struct{} |
| 636 | 636 |
| 637 func (h UnhandledCriticalExtension) Error() string { | 637 func (h UnhandledCriticalExtension) Error() string { |
| 638 » return "crypto/x509: unhandled critical extension" | 638 » return "x509: unhandled critical extension" |
| 639 } | 639 } |
| 640 | 640 |
| 641 type basicConstraints struct { | 641 type basicConstraints struct { |
| 642 IsCA bool `asn1:"optional"` | 642 IsCA bool `asn1:"optional"` |
| 643 MaxPathLen int `asn1:"optional,default:-1"` | 643 MaxPathLen int `asn1:"optional,default:-1"` |
| 644 } | 644 } |
| 645 | 645 |
| 646 // RFC 5280 4.2.1.4 | 646 // RFC 5280 4.2.1.4 |
| 647 type policyInformation struct { | 647 type policyInformation struct { |
| 648 Policy asn1.ObjectIdentifier | 648 Policy asn1.ObjectIdentifier |
| (...skipping 14 matching lines...) Expand all Loading... |
| 663 asn1Data := keyData.PublicKey.RightAlign() | 663 asn1Data := keyData.PublicKey.RightAlign() |
| 664 switch algo { | 664 switch algo { |
| 665 case RSA: | 665 case RSA: |
| 666 p := new(rsaPublicKey) | 666 p := new(rsaPublicKey) |
| 667 _, err := asn1.Unmarshal(asn1Data, p) | 667 _, err := asn1.Unmarshal(asn1Data, p) |
| 668 if err != nil { | 668 if err != nil { |
| 669 return nil, err | 669 return nil, err |
| 670 } | 670 } |
| 671 | 671 |
| 672 if p.N.Sign() <= 0 { | 672 if p.N.Sign() <= 0 { |
| 673 » » » return nil, errors.New("crypto/x509: RSA modulus is not
a positive number") | 673 » » » return nil, errors.New("x509: RSA modulus is not a posit
ive number") |
| 674 } | 674 } |
| 675 if p.E <= 0 { | 675 if p.E <= 0 { |
| 676 » » » return nil, errors.New("crypto/x509: RSA public exponent
is not a positive number") | 676 » » » return nil, errors.New("x509: RSA public exponent is not
a positive number") |
| 677 } | 677 } |
| 678 | 678 |
| 679 pub := &rsa.PublicKey{ | 679 pub := &rsa.PublicKey{ |
| 680 E: p.E, | 680 E: p.E, |
| 681 N: p.N, | 681 N: p.N, |
| 682 } | 682 } |
| 683 return pub, nil | 683 return pub, nil |
| 684 case DSA: | 684 case DSA: |
| 685 var p *big.Int | 685 var p *big.Int |
| 686 _, err := asn1.Unmarshal(asn1Data, &p) | 686 _, err := asn1.Unmarshal(asn1Data, &p) |
| 687 if err != nil { | 687 if err != nil { |
| 688 return nil, err | 688 return nil, err |
| 689 } | 689 } |
| 690 paramsData := keyData.Algorithm.Parameters.FullBytes | 690 paramsData := keyData.Algorithm.Parameters.FullBytes |
| 691 params := new(dsaAlgorithmParameters) | 691 params := new(dsaAlgorithmParameters) |
| 692 _, err = asn1.Unmarshal(paramsData, params) | 692 _, err = asn1.Unmarshal(paramsData, params) |
| 693 if err != nil { | 693 if err != nil { |
| 694 return nil, err | 694 return nil, err |
| 695 } | 695 } |
| 696 if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0
|| params.G.Sign() <= 0 { | 696 if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0
|| params.G.Sign() <= 0 { |
| 697 » » » return nil, errors.New("crypto/x509: zero or negative DS
A parameter") | 697 » » » return nil, errors.New("x509: zero or negative DSA param
eter") |
| 698 } | 698 } |
| 699 pub := &dsa.PublicKey{ | 699 pub := &dsa.PublicKey{ |
| 700 Parameters: dsa.Parameters{ | 700 Parameters: dsa.Parameters{ |
| 701 P: params.P, | 701 P: params.P, |
| 702 Q: params.Q, | 702 Q: params.Q, |
| 703 G: params.G, | 703 G: params.G, |
| 704 }, | 704 }, |
| 705 Y: p, | 705 Y: p, |
| 706 } | 706 } |
| 707 return pub, nil | 707 return pub, nil |
| 708 case ECDSA: | 708 case ECDSA: |
| 709 paramsData := keyData.Algorithm.Parameters.FullBytes | 709 paramsData := keyData.Algorithm.Parameters.FullBytes |
| 710 namedCurveOID := new(asn1.ObjectIdentifier) | 710 namedCurveOID := new(asn1.ObjectIdentifier) |
| 711 _, err := asn1.Unmarshal(paramsData, namedCurveOID) | 711 _, err := asn1.Unmarshal(paramsData, namedCurveOID) |
| 712 if err != nil { | 712 if err != nil { |
| 713 return nil, err | 713 return nil, err |
| 714 } | 714 } |
| 715 namedCurve := namedCurveFromOID(*namedCurveOID) | 715 namedCurve := namedCurveFromOID(*namedCurveOID) |
| 716 if namedCurve == nil { | 716 if namedCurve == nil { |
| 717 » » » return nil, errors.New("crypto/x509: unsupported ellipti
c curve") | 717 » » » return nil, errors.New("x509: unsupported elliptic curve
") |
| 718 } | 718 } |
| 719 x, y := elliptic.Unmarshal(namedCurve, asn1Data) | 719 x, y := elliptic.Unmarshal(namedCurve, asn1Data) |
| 720 if x == nil { | 720 if x == nil { |
| 721 » » » return nil, errors.New("crypto/x509: failed to unmarshal
elliptic curve point") | 721 » » » return nil, errors.New("x509: failed to unmarshal ellipt
ic curve point") |
| 722 } | 722 } |
| 723 pub := &ecdsa.PublicKey{ | 723 pub := &ecdsa.PublicKey{ |
| 724 Curve: namedCurve, | 724 Curve: namedCurve, |
| 725 X: x, | 725 X: x, |
| 726 Y: y, | 726 Y: y, |
| 727 } | 727 } |
| 728 return pub, nil | 728 return pub, nil |
| 729 default: | 729 default: |
| 730 return nil, nil | 730 return nil, nil |
| 731 } | 731 } |
| (...skipping 13 matching lines...) Expand all Loading... |
| 745 | 745 |
| 746 out.PublicKeyAlgorithm = | 746 out.PublicKeyAlgorithm = |
| 747 getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorit
hm.Algorithm) | 747 getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorit
hm.Algorithm) |
| 748 var err error | 748 var err error |
| 749 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCerti
ficate.PublicKey) | 749 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCerti
ficate.PublicKey) |
| 750 if err != nil { | 750 if err != nil { |
| 751 return nil, err | 751 return nil, err |
| 752 } | 752 } |
| 753 | 753 |
| 754 if in.TBSCertificate.SerialNumber.Sign() < 0 { | 754 if in.TBSCertificate.SerialNumber.Sign() < 0 { |
| 755 » » return nil, errors.New("crypto/x509: negative serial number") | 755 » » return nil, errors.New("x509: negative serial number") |
| 756 } | 756 } |
| 757 | 757 |
| 758 out.Version = in.TBSCertificate.Version + 1 | 758 out.Version = in.TBSCertificate.Version + 1 |
| 759 out.SerialNumber = in.TBSCertificate.SerialNumber | 759 out.SerialNumber = in.TBSCertificate.SerialNumber |
| 760 | 760 |
| 761 var issuer, subject pkix.RDNSequence | 761 var issuer, subject pkix.RDNSequence |
| 762 if _, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subjec
t); err != nil { | 762 if _, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subjec
t); err != nil { |
| 763 return nil, err | 763 return nil, err |
| 764 } | 764 } |
| 765 if _, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer)
; err != nil { | 765 if _, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer)
; err != nil { |
| (...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 841 out.EmailAddresses = append(out.
EmailAddresses, string(v.Bytes)) | 841 out.EmailAddresses = append(out.
EmailAddresses, string(v.Bytes)) |
| 842 parsedName = true | 842 parsedName = true |
| 843 case 2: | 843 case 2: |
| 844 out.DNSNames = append(out.DNSNam
es, string(v.Bytes)) | 844 out.DNSNames = append(out.DNSNam
es, string(v.Bytes)) |
| 845 parsedName = true | 845 parsedName = true |
| 846 case 7: | 846 case 7: |
| 847 switch len(v.Bytes) { | 847 switch len(v.Bytes) { |
| 848 case net.IPv4len, net.IPv6len: | 848 case net.IPv4len, net.IPv6len: |
| 849 out.IPAddresses = append
(out.IPAddresses, v.Bytes) | 849 out.IPAddresses = append
(out.IPAddresses, v.Bytes) |
| 850 default: | 850 default: |
| 851 » » » » » » » return nil, errors.New("
crypto/x509: certificate contained IP address of length " + strconv.Itoa(len(v.B
ytes))) | 851 » » » » » » » return nil, errors.New("
x509: certificate contained IP address of length " + strconv.Itoa(len(v.Bytes))) |
| 852 } | 852 } |
| 853 } | 853 } |
| 854 } | 854 } |
| 855 | 855 |
| 856 if parsedName { | 856 if parsedName { |
| 857 continue | 857 continue |
| 858 } | 858 } |
| 859 // If we didn't parse any of the names then we | 859 // If we didn't parse any of the names then we |
| 860 // fall through to the critical check below. | 860 // fall through to the critical check below. |
| 861 | 861 |
| (...skipping 320 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1182 switch pub := pub.(type) { | 1182 switch pub := pub.(type) { |
| 1183 case *rsa.PublicKey: | 1183 case *rsa.PublicKey: |
| 1184 publicKeyBytes, err = asn1.Marshal(rsaPublicKey{ | 1184 publicKeyBytes, err = asn1.Marshal(rsaPublicKey{ |
| 1185 N: pub.N, | 1185 N: pub.N, |
| 1186 E: pub.E, | 1186 E: pub.E, |
| 1187 }) | 1187 }) |
| 1188 publicKeyAlgorithm.Algorithm = oidPublicKeyRSA | 1188 publicKeyAlgorithm.Algorithm = oidPublicKeyRSA |
| 1189 case *ecdsa.PublicKey: | 1189 case *ecdsa.PublicKey: |
| 1190 oid, ok := oidFromNamedCurve(pub.Curve) | 1190 oid, ok := oidFromNamedCurve(pub.Curve) |
| 1191 if !ok { | 1191 if !ok { |
| 1192 » » » return nil, errors.New("crypto/x509: unknown elliptic cu
rve") | 1192 » » » return nil, errors.New("x509: unknown elliptic curve") |
| 1193 } | 1193 } |
| 1194 publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA | 1194 publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA |
| 1195 var paramBytes []byte | 1195 var paramBytes []byte |
| 1196 paramBytes, err = asn1.Marshal(oid) | 1196 paramBytes, err = asn1.Marshal(oid) |
| 1197 if err != nil { | 1197 if err != nil { |
| 1198 return | 1198 return |
| 1199 } | 1199 } |
| 1200 publicKeyAlgorithm.Parameters.FullBytes = paramBytes | 1200 publicKeyAlgorithm.Parameters.FullBytes = paramBytes |
| 1201 publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) | 1201 publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) |
| 1202 default: | 1202 default: |
| 1203 » » return nil, errors.New("crypto/x509: only RSA and ECDSA public k
eys supported") | 1203 » » return nil, errors.New("x509: only RSA and ECDSA public keys sup
ported") |
| 1204 } | 1204 } |
| 1205 | 1205 |
| 1206 var signatureAlgorithm pkix.AlgorithmIdentifier | 1206 var signatureAlgorithm pkix.AlgorithmIdentifier |
| 1207 var hashFunc crypto.Hash | 1207 var hashFunc crypto.Hash |
| 1208 | 1208 |
| 1209 switch priv := priv.(type) { | 1209 switch priv := priv.(type) { |
| 1210 case *rsa.PrivateKey: | 1210 case *rsa.PrivateKey: |
| 1211 signatureAlgorithm.Algorithm = oidSignatureSHA1WithRSA | 1211 signatureAlgorithm.Algorithm = oidSignatureSHA1WithRSA |
| 1212 hashFunc = crypto.SHA1 | 1212 hashFunc = crypto.SHA1 |
| 1213 case *ecdsa.PrivateKey: | 1213 case *ecdsa.PrivateKey: |
| 1214 switch priv.Curve { | 1214 switch priv.Curve { |
| 1215 case elliptic.P224(), elliptic.P256(): | 1215 case elliptic.P224(), elliptic.P256(): |
| 1216 hashFunc = crypto.SHA256 | 1216 hashFunc = crypto.SHA256 |
| 1217 signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA2
56 | 1217 signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA2
56 |
| 1218 case elliptic.P384(): | 1218 case elliptic.P384(): |
| 1219 hashFunc = crypto.SHA384 | 1219 hashFunc = crypto.SHA384 |
| 1220 signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA3
84 | 1220 signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA3
84 |
| 1221 case elliptic.P521(): | 1221 case elliptic.P521(): |
| 1222 hashFunc = crypto.SHA512 | 1222 hashFunc = crypto.SHA512 |
| 1223 signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA5
12 | 1223 signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA5
12 |
| 1224 default: | 1224 default: |
| 1225 » » » return nil, errors.New("crypto/x509: unknown elliptic cu
rve") | 1225 » » » return nil, errors.New("x509: unknown elliptic curve") |
| 1226 } | 1226 } |
| 1227 default: | 1227 default: |
| 1228 » » return nil, errors.New("crypto/x509: only RSA and ECDSA private
keys supported") | 1228 » » return nil, errors.New("x509: only RSA and ECDSA private keys su
pported") |
| 1229 } | 1229 } |
| 1230 | 1230 |
| 1231 if err != nil { | 1231 if err != nil { |
| 1232 return | 1232 return |
| 1233 } | 1233 } |
| 1234 | 1234 |
| 1235 if len(parent.SubjectKeyId) > 0 { | 1235 if len(parent.SubjectKeyId) > 0 { |
| 1236 template.AuthorityKeyId = parent.SubjectKeyId | 1236 template.AuthorityKeyId = parent.SubjectKeyId |
| 1237 } | 1237 } |
| 1238 | 1238 |
| (...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1332 return | 1332 return |
| 1333 } | 1333 } |
| 1334 | 1334 |
| 1335 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that | 1335 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that |
| 1336 // contains the given list of revoked certificates. | 1336 // contains the given list of revoked certificates. |
| 1337 // | 1337 // |
| 1338 // The only supported key type is RSA (*rsa.PrivateKey for priv). | 1338 // The only supported key type is RSA (*rsa.PrivateKey for priv). |
| 1339 func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts [
]pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { | 1339 func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts [
]pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { |
| 1340 rsaPriv, ok := priv.(*rsa.PrivateKey) | 1340 rsaPriv, ok := priv.(*rsa.PrivateKey) |
| 1341 if !ok { | 1341 if !ok { |
| 1342 » » return nil, errors.New("crypto/x509: non-RSA private keys not su
pported") | 1342 » » return nil, errors.New("x509: non-RSA private keys not supported
") |
| 1343 } | 1343 } |
| 1344 tbsCertList := pkix.TBSCertificateList{ | 1344 tbsCertList := pkix.TBSCertificateList{ |
| 1345 Version: 2, | 1345 Version: 2, |
| 1346 Signature: pkix.AlgorithmIdentifier{ | 1346 Signature: pkix.AlgorithmIdentifier{ |
| 1347 Algorithm: oidSignatureSHA1WithRSA, | 1347 Algorithm: oidSignatureSHA1WithRSA, |
| 1348 }, | 1348 }, |
| 1349 Issuer: c.Subject.ToRDNSequence(), | 1349 Issuer: c.Subject.ToRDNSequence(), |
| 1350 ThisUpdate: now.UTC(), | 1350 ThisUpdate: now.UTC(), |
| 1351 NextUpdate: expiry.UTC(), | 1351 NextUpdate: expiry.UTC(), |
| 1352 RevokedCertificates: revokedCerts, | 1352 RevokedCertificates: revokedCerts, |
| (...skipping 14 matching lines...) Expand all Loading... |
| 1367 } | 1367 } |
| 1368 | 1368 |
| 1369 return asn1.Marshal(pkix.CertificateList{ | 1369 return asn1.Marshal(pkix.CertificateList{ |
| 1370 TBSCertList: tbsCertList, | 1370 TBSCertList: tbsCertList, |
| 1371 SignatureAlgorithm: pkix.AlgorithmIdentifier{ | 1371 SignatureAlgorithm: pkix.AlgorithmIdentifier{ |
| 1372 Algorithm: oidSignatureSHA1WithRSA, | 1372 Algorithm: oidSignatureSHA1WithRSA, |
| 1373 }, | 1373 }, |
| 1374 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(
signature) * 8}, | 1374 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(
signature) * 8}, |
| 1375 }) | 1375 }) |
| 1376 } | 1376 } |
| LEFT | RIGHT |
|---|
