Black Lives Matter. Support the Equal Justice Initiative.

Source file src/crypto/x509/x509.go

Documentation: crypto/x509

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package x509 parses X.509-encoded keys and certificates.
     6  package x509
     7  
     8  import (
     9  	"bytes"
    10  	"crypto"
    11  	"crypto/ecdsa"
    12  	"crypto/ed25519"
    13  	"crypto/elliptic"
    14  	"crypto/rsa"
    15  	"crypto/sha1"
    16  	"crypto/x509/pkix"
    17  	"encoding/asn1"
    18  	"encoding/pem"
    19  	"errors"
    20  	"fmt"
    21  	"io"
    22  	"math/big"
    23  	"net"
    24  	"net/url"
    25  	"strconv"
    26  	"time"
    27  	"unicode"
    28  
    29  	// Explicitly import these for their crypto.RegisterHash init side-effects.
    30  	// Keep these as blank imports, even if they're imported above.
    31  	_ "crypto/sha1"
    32  	_ "crypto/sha256"
    33  	_ "crypto/sha512"
    34  
    35  	"golang.org/x/crypto/cryptobyte"
    36  	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
    37  )
    38  
    39  // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
    40  // in RFC 3280.
    41  type pkixPublicKey struct {
    42  	Algo      pkix.AlgorithmIdentifier
    43  	BitString asn1.BitString
    44  }
    45  
    46  // ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
    47  // The encoded public key is a SubjectPublicKeyInfo structure
    48  // (see RFC 5280, Section 4.1).
    49  //
    50  // It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
    51  // ed25519.PublicKey. More types might be supported in the future.
    52  //
    53  // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
    54  func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
    55  	var pki publicKeyInfo
    56  	if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
    57  		if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil {
    58  			return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)")
    59  		}
    60  		return nil, err
    61  	} else if len(rest) != 0 {
    62  		return nil, errors.New("x509: trailing data after ASN.1 of public-key")
    63  	}
    64  	algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
    65  	if algo == UnknownPublicKeyAlgorithm {
    66  		return nil, errors.New("x509: unknown public key algorithm")
    67  	}
    68  	return parsePublicKey(algo, &pki)
    69  }
    70  
    71  func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
    72  	switch pub := pub.(type) {
    73  	case *rsa.PublicKey:
    74  		publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
    75  			N: pub.N,
    76  			E: pub.E,
    77  		})
    78  		if err != nil {
    79  			return nil, pkix.AlgorithmIdentifier{}, err
    80  		}
    81  		publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
    82  		// This is a NULL parameters value which is required by
    83  		// RFC 3279, Section 2.3.1.
    84  		publicKeyAlgorithm.Parameters = asn1.NullRawValue
    85  	case *ecdsa.PublicKey:
    86  		publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
    87  		oid, ok := oidFromNamedCurve(pub.Curve)
    88  		if !ok {
    89  			return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
    90  		}
    91  		publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
    92  		var paramBytes []byte
    93  		paramBytes, err = asn1.Marshal(oid)
    94  		if err != nil {
    95  			return
    96  		}
    97  		publicKeyAlgorithm.Parameters.FullBytes = paramBytes
    98  	case ed25519.PublicKey:
    99  		publicKeyBytes = pub
   100  		publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519
   101  	default:
   102  		return nil, pkix.AlgorithmIdentifier{}, fmt.Errorf("x509: unsupported public key type: %T", pub)
   103  	}
   104  
   105  	return publicKeyBytes, publicKeyAlgorithm, nil
   106  }
   107  
   108  // MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
   109  // The encoded public key is a SubjectPublicKeyInfo structure
   110  // (see RFC 5280, Section 4.1).
   111  //
   112  // The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
   113  // and ed25519.PublicKey. Unsupported key types result in an error.
   114  //
   115  // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
   116  func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
   117  	var publicKeyBytes []byte
   118  	var publicKeyAlgorithm pkix.AlgorithmIdentifier
   119  	var err error
   120  
   121  	if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
   122  		return nil, err
   123  	}
   124  
   125  	pkix := pkixPublicKey{
   126  		Algo: publicKeyAlgorithm,
   127  		BitString: asn1.BitString{
   128  			Bytes:     publicKeyBytes,
   129  			BitLength: 8 * len(publicKeyBytes),
   130  		},
   131  	}
   132  
   133  	ret, _ := asn1.Marshal(pkix)
   134  	return ret, nil
   135  }
   136  
   137  // These structures reflect the ASN.1 structure of X.509 certificates.:
   138  
   139  type certificate struct {
   140  	Raw                asn1.RawContent
   141  	TBSCertificate     tbsCertificate
   142  	SignatureAlgorithm pkix.AlgorithmIdentifier
   143  	SignatureValue     asn1.BitString
   144  }
   145  
   146  type tbsCertificate struct {
   147  	Raw                asn1.RawContent
   148  	Version            int `asn1:"optional,explicit,default:0,tag:0"`
   149  	SerialNumber       *big.Int
   150  	SignatureAlgorithm pkix.AlgorithmIdentifier
   151  	Issuer             asn1.RawValue
   152  	Validity           validity
   153  	Subject            asn1.RawValue
   154  	PublicKey          publicKeyInfo
   155  	UniqueId           asn1.BitString   `asn1:"optional,tag:1"`
   156  	SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
   157  	Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
   158  }
   159  
   160  type dsaAlgorithmParameters struct {
   161  	P, Q, G *big.Int
   162  }
   163  
   164  type validity struct {
   165  	NotBefore, NotAfter time.Time
   166  }
   167  
   168  type publicKeyInfo struct {
   169  	Raw       asn1.RawContent
   170  	Algorithm pkix.AlgorithmIdentifier
   171  	PublicKey asn1.BitString
   172  }
   173  
   174  // RFC 5280,  4.2.1.1
   175  type authKeyId struct {
   176  	Id []byte `asn1:"optional,tag:0"`
   177  }
   178  
   179  type SignatureAlgorithm int
   180  
   181  const (
   182  	UnknownSignatureAlgorithm SignatureAlgorithm = iota
   183  
   184  	MD2WithRSA // Unsupported.
   185  	MD5WithRSA // Only supported for signing, not verification.
   186  	SHA1WithRSA
   187  	SHA256WithRSA
   188  	SHA384WithRSA
   189  	SHA512WithRSA
   190  	DSAWithSHA1   // Unsupported.
   191  	DSAWithSHA256 // Unsupported.
   192  	ECDSAWithSHA1
   193  	ECDSAWithSHA256
   194  	ECDSAWithSHA384
   195  	ECDSAWithSHA512
   196  	SHA256WithRSAPSS
   197  	SHA384WithRSAPSS
   198  	SHA512WithRSAPSS
   199  	PureEd25519
   200  )
   201  
   202  func (algo SignatureAlgorithm) isRSAPSS() bool {
   203  	switch algo {
   204  	case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS:
   205  		return true
   206  	default:
   207  		return false
   208  	}
   209  }
   210  
   211  func (algo SignatureAlgorithm) String() string {
   212  	for _, details := range signatureAlgorithmDetails {
   213  		if details.algo == algo {
   214  			return details.name
   215  		}
   216  	}
   217  	return strconv.Itoa(int(algo))
   218  }
   219  
   220  type PublicKeyAlgorithm int
   221  
   222  const (
   223  	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
   224  	RSA
   225  	DSA // Unsupported.
   226  	ECDSA
   227  	Ed25519
   228  )
   229  
   230  var publicKeyAlgoName = [...]string{
   231  	RSA:     "RSA",
   232  	DSA:     "DSA",
   233  	ECDSA:   "ECDSA",
   234  	Ed25519: "Ed25519",
   235  }
   236  
   237  func (algo PublicKeyAlgorithm) String() string {
   238  	if 0 < algo && int(algo) < len(publicKeyAlgoName) {
   239  		return publicKeyAlgoName[algo]
   240  	}
   241  	return strconv.Itoa(int(algo))
   242  }
   243  
   244  // OIDs for signature algorithms
   245  //
   246  // pkcs-1 OBJECT IDENTIFIER ::= {
   247  //    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
   248  //
   249  //
   250  // RFC 3279 2.2.1 RSA Signature Algorithms
   251  //
   252  // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
   253  //
   254  // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
   255  //
   256  // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
   257  //
   258  // dsaWithSha1 OBJECT IDENTIFIER ::= {
   259  //    iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }
   260  //
   261  // RFC 3279 2.2.3 ECDSA Signature Algorithm
   262  //
   263  // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
   264  // 	  iso(1) member-body(2) us(840) ansi-x962(10045)
   265  //    signatures(4) ecdsa-with-SHA1(1)}
   266  //
   267  //
   268  // RFC 4055 5 PKCS #1 Version 1.5
   269  //
   270  // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
   271  //
   272  // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
   273  //
   274  // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
   275  //
   276  //
   277  // RFC 5758 3.1 DSA Signature Algorithms
   278  //
   279  // dsaWithSha256 OBJECT IDENTIFIER ::= {
   280  //    joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
   281  //    csor(3) algorithms(4) id-dsa-with-sha2(3) 2}
   282  //
   283  // RFC 5758 3.2 ECDSA Signature Algorithm
   284  //
   285  // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   286  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
   287  //
   288  // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   289  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
   290  //
   291  // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   292  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
   293  //
   294  //
   295  // RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers
   296  //
   297  // id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
   298  
   299  var (
   300  	oidSignatureMD2WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
   301  	oidSignatureMD5WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
   302  	oidSignatureSHA1WithRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
   303  	oidSignatureSHA256WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
   304  	oidSignatureSHA384WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
   305  	oidSignatureSHA512WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
   306  	oidSignatureRSAPSS          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
   307  	oidSignatureDSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
   308  	oidSignatureDSAWithSHA256   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
   309  	oidSignatureECDSAWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
   310  	oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
   311  	oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
   312  	oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
   313  	oidSignatureEd25519         = asn1.ObjectIdentifier{1, 3, 101, 112}
   314  
   315  	oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
   316  	oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
   317  	oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
   318  
   319  	oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
   320  
   321  	// oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
   322  	// but it's specified by ISO. Microsoft's makecert.exe has been known
   323  	// to produce certificates with this OID.
   324  	oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
   325  )
   326  
   327  var signatureAlgorithmDetails = []struct {
   328  	algo       SignatureAlgorithm
   329  	name       string
   330  	oid        asn1.ObjectIdentifier
   331  	pubKeyAlgo PublicKeyAlgorithm
   332  	hash       crypto.Hash
   333  }{
   334  	{MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
   335  	{MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
   336  	{SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
   337  	{SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
   338  	{SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
   339  	{SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
   340  	{SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
   341  	{SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
   342  	{SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
   343  	{SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
   344  	{DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
   345  	{DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
   346  	{ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
   347  	{ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
   348  	{ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
   349  	{ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
   350  	{PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */},
   351  }
   352  
   353  // hashToPSSParameters contains the DER encoded RSA PSS parameters for the
   354  // SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3.
   355  // The parameters contain the following values:
   356  //   * hashAlgorithm contains the associated hash identifier with NULL parameters
   357  //   * maskGenAlgorithm always contains the default mgf1SHA1 identifier
   358  //   * saltLength contains the length of the associated hash
   359  //   * trailerField always contains the default trailerFieldBC value
   360  var hashToPSSParameters = map[crypto.Hash]asn1.RawValue{
   361  	crypto.SHA256: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 162, 3, 2, 1, 32}},
   362  	crypto.SHA384: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 162, 3, 2, 1, 48}},
   363  	crypto.SHA512: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 162, 3, 2, 1, 64}},
   364  }
   365  
   366  // pssParameters reflects the parameters in an AlgorithmIdentifier that
   367  // specifies RSA PSS. See RFC 3447, Appendix A.2.3.
   368  type pssParameters struct {
   369  	// The following three fields are not marked as
   370  	// optional because the default values specify SHA-1,
   371  	// which is no longer suitable for use in signatures.
   372  	Hash         pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
   373  	MGF          pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
   374  	SaltLength   int                      `asn1:"explicit,tag:2"`
   375  	TrailerField int                      `asn1:"optional,explicit,tag:3,default:1"`
   376  }
   377  
   378  func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm {
   379  	if ai.Algorithm.Equal(oidSignatureEd25519) {
   380  		// RFC 8410, Section 3
   381  		// > For all of the OIDs, the parameters MUST be absent.
   382  		if len(ai.Parameters.FullBytes) != 0 {
   383  			return UnknownSignatureAlgorithm
   384  		}
   385  	}
   386  
   387  	if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
   388  		for _, details := range signatureAlgorithmDetails {
   389  			if ai.Algorithm.Equal(details.oid) {
   390  				return details.algo
   391  			}
   392  		}
   393  		return UnknownSignatureAlgorithm
   394  	}
   395  
   396  	// RSA PSS is special because it encodes important parameters
   397  	// in the Parameters.
   398  
   399  	var params pssParameters
   400  	if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, &params); err != nil {
   401  		return UnknownSignatureAlgorithm
   402  	}
   403  
   404  	var mgf1HashFunc pkix.AlgorithmIdentifier
   405  	if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
   406  		return UnknownSignatureAlgorithm
   407  	}
   408  
   409  	// PSS is greatly overburdened with options. This code forces them into
   410  	// three buckets by requiring that the MGF1 hash function always match the
   411  	// message hash function (as recommended in RFC 3447, Section 8.1), that the
   412  	// salt length matches the hash length, and that the trailer field has the
   413  	// default value.
   414  	if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
   415  		!params.MGF.Algorithm.Equal(oidMGF1) ||
   416  		!mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
   417  		(len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
   418  		params.TrailerField != 1 {
   419  		return UnknownSignatureAlgorithm
   420  	}
   421  
   422  	switch {
   423  	case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
   424  		return SHA256WithRSAPSS
   425  	case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
   426  		return SHA384WithRSAPSS
   427  	case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
   428  		return SHA512WithRSAPSS
   429  	}
   430  
   431  	return UnknownSignatureAlgorithm
   432  }
   433  
   434  // RFC 3279, 2.3 Public Key Algorithms
   435  //
   436  // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   437  //    rsadsi(113549) pkcs(1) 1 }
   438  //
   439  // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
   440  //
   441  // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   442  //    x9-57(10040) x9cm(4) 1 }
   443  //
   444  // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
   445  //
   446  // id-ecPublicKey OBJECT IDENTIFIER ::= {
   447  //       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
   448  var (
   449  	oidPublicKeyRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
   450  	oidPublicKeyDSA     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
   451  	oidPublicKeyECDSA   = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
   452  	oidPublicKeyEd25519 = oidSignatureEd25519
   453  )
   454  
   455  func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
   456  	switch {
   457  	case oid.Equal(oidPublicKeyRSA):
   458  		return RSA
   459  	case oid.Equal(oidPublicKeyDSA):
   460  		return DSA
   461  	case oid.Equal(oidPublicKeyECDSA):
   462  		return ECDSA
   463  	case oid.Equal(oidPublicKeyEd25519):
   464  		return Ed25519
   465  	}
   466  	return UnknownPublicKeyAlgorithm
   467  }
   468  
   469  // RFC 5480, 2.1.1.1. Named Curve
   470  //
   471  // secp224r1 OBJECT IDENTIFIER ::= {
   472  //   iso(1) identified-organization(3) certicom(132) curve(0) 33 }
   473  //
   474  // secp256r1 OBJECT IDENTIFIER ::= {
   475  //   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
   476  //   prime(1) 7 }
   477  //
   478  // secp384r1 OBJECT IDENTIFIER ::= {
   479  //   iso(1) identified-organization(3) certicom(132) curve(0) 34 }
   480  //
   481  // secp521r1 OBJECT IDENTIFIER ::= {
   482  //   iso(1) identified-organization(3) certicom(132) curve(0) 35 }
   483  //
   484  // NB: secp256r1 is equivalent to prime256v1
   485  var (
   486  	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
   487  	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
   488  	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
   489  	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
   490  )
   491  
   492  func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
   493  	switch {
   494  	case oid.Equal(oidNamedCurveP224):
   495  		return elliptic.P224()
   496  	case oid.Equal(oidNamedCurveP256):
   497  		return elliptic.P256()
   498  	case oid.Equal(oidNamedCurveP384):
   499  		return elliptic.P384()
   500  	case oid.Equal(oidNamedCurveP521):
   501  		return elliptic.P521()
   502  	}
   503  	return nil
   504  }
   505  
   506  func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
   507  	switch curve {
   508  	case elliptic.P224():
   509  		return oidNamedCurveP224, true
   510  	case elliptic.P256():
   511  		return oidNamedCurveP256, true
   512  	case elliptic.P384():
   513  		return oidNamedCurveP384, true
   514  	case elliptic.P521():
   515  		return oidNamedCurveP521, true
   516  	}
   517  
   518  	return nil, false
   519  }
   520  
   521  // KeyUsage represents the set of actions that are valid for a given key. It's
   522  // a bitmap of the KeyUsage* constants.
   523  type KeyUsage int
   524  
   525  const (
   526  	KeyUsageDigitalSignature KeyUsage = 1 << iota
   527  	KeyUsageContentCommitment
   528  	KeyUsageKeyEncipherment
   529  	KeyUsageDataEncipherment
   530  	KeyUsageKeyAgreement
   531  	KeyUsageCertSign
   532  	KeyUsageCRLSign
   533  	KeyUsageEncipherOnly
   534  	KeyUsageDecipherOnly
   535  )
   536  
   537  // RFC 5280, 4.2.1.12  Extended Key Usage
   538  //
   539  // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
   540  //
   541  // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
   542  //
   543  // id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   544  // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   545  // id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
   546  // id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
   547  // id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
   548  // id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   549  var (
   550  	oidExtKeyUsageAny                            = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
   551  	oidExtKeyUsageServerAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
   552  	oidExtKeyUsageClientAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
   553  	oidExtKeyUsageCodeSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
   554  	oidExtKeyUsageEmailProtection                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
   555  	oidExtKeyUsageIPSECEndSystem                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
   556  	oidExtKeyUsageIPSECTunnel                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
   557  	oidExtKeyUsageIPSECUser                      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
   558  	oidExtKeyUsageTimeStamping                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
   559  	oidExtKeyUsageOCSPSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
   560  	oidExtKeyUsageMicrosoftServerGatedCrypto     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
   561  	oidExtKeyUsageNetscapeServerGatedCrypto      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
   562  	oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
   563  	oidExtKeyUsageMicrosoftKernelCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
   564  )
   565  
   566  // ExtKeyUsage represents an extended set of actions that are valid for a given key.
   567  // Each of the ExtKeyUsage* constants define a unique action.
   568  type ExtKeyUsage int
   569  
   570  const (
   571  	ExtKeyUsageAny ExtKeyUsage = iota
   572  	ExtKeyUsageServerAuth
   573  	ExtKeyUsageClientAuth
   574  	ExtKeyUsageCodeSigning
   575  	ExtKeyUsageEmailProtection
   576  	ExtKeyUsageIPSECEndSystem
   577  	ExtKeyUsageIPSECTunnel
   578  	ExtKeyUsageIPSECUser
   579  	ExtKeyUsageTimeStamping
   580  	ExtKeyUsageOCSPSigning
   581  	ExtKeyUsageMicrosoftServerGatedCrypto
   582  	ExtKeyUsageNetscapeServerGatedCrypto
   583  	ExtKeyUsageMicrosoftCommercialCodeSigning
   584  	ExtKeyUsageMicrosoftKernelCodeSigning
   585  )
   586  
   587  // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
   588  var extKeyUsageOIDs = []struct {
   589  	extKeyUsage ExtKeyUsage
   590  	oid         asn1.ObjectIdentifier
   591