Black Lives Matter. Support the Equal Justice Initiative.

Source file src/crypto/x509/x509.go

Documentation: crypto/x509

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package x509 parses X.509-encoded keys and certificates.
     6  package x509
     7  
     8  import (
     9  	"bytes"
    10  	"crypto"
    11  	"crypto/ecdsa"
    12  	"crypto/ed25519"
    13  	"crypto/elliptic"
    14  	"crypto/rsa"
    15  	"crypto/sha1"
    16  	"crypto/x509/pkix"
    17  	"encoding/asn1"
    18  	"encoding/pem"
    19  	"errors"
    20  	"fmt"
    21  	"io"
    22  	"math/big"
    23  	"net"
    24  	"net/url"
    25  	"strconv"
    26  	"time"
    27  	"unicode"
    28  
    29  	// Explicitly import these for their crypto.RegisterHash init side-effects.
    30  	// Keep these as blank imports, even if they're imported above.
    31  	_ "crypto/sha1"
    32  	_ "crypto/sha256"
    33  	_ "crypto/sha512"
    34  
    35  	"golang.org/x/crypto/cryptobyte"
    36  	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
    37  )
    38  
    39  // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
    40  // in RFC 3280.
    41  type pkixPublicKey struct {
    42  	Algo      pkix.AlgorithmIdentifier
    43  	BitString asn1.BitString
    44  }
    45  
    46  // ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
    47  // The encoded public key is a SubjectPublicKeyInfo structure
    48  // (see RFC 5280, Section 4.1).
    49  //
    50  // It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
    51  // ed25519.PublicKey. More types might be supported in the future.
    52  //
    53  // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
    54  func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
    55  	var pki publicKeyInfo
    56  	if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
    57  		if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil {
    58  			return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)")
    59  		}
    60  		return nil, err
    61  	} else if len(rest) != 0 {
    62  		return nil, errors.New("x509: trailing data after ASN.1 of public-key")
    63  	}
    64  	algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
    65  	if algo == UnknownPublicKeyAlgorithm {
    66  		return nil, errors.New("x509: unknown public key algorithm")
    67  	}
    68  	return parsePublicKey(algo, &pki)
    69  }
    70  
    71  func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
    72  	switch pub := pub.(type) {
    73  	case *rsa.PublicKey:
    74  		publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
    75  			N: pub.N,
    76  			E: pub.E,
    77  		})
    78  		if err != nil {
    79  			return nil, pkix.AlgorithmIdentifier{}, err
    80  		}
    81  		publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
    82  		// This is a NULL parameters value which is required by
    83  		// RFC 3279, Section 2.3.1.
    84  		publicKeyAlgorithm.Parameters = asn1.NullRawValue
    85  	case *ecdsa.PublicKey:
    86  		publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
    87  		oid, ok := oidFromNamedCurve(pub.Curve)
    88  		if !ok {
    89  			return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
    90  		}
    91  		publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
    92  		var paramBytes []byte
    93  		paramBytes, err = asn1.Marshal(oid)
    94  		if err != nil {
    95  			return
    96  		}
    97  		publicKeyAlgorithm.Parameters.FullBytes = paramBytes
    98  	case ed25519.PublicKey:
    99  		publicKeyBytes = pub
   100  		publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519
   101  	default:
   102  		return nil, pkix.AlgorithmIdentifier{}, fmt.Errorf("x509: unsupported public key type: %T", pub)
   103  	}
   104  
   105  	return publicKeyBytes, publicKeyAlgorithm, nil
   106  }
   107  
   108  // MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
   109  // The encoded public key is a SubjectPublicKeyInfo structure
   110  // (see RFC 5280, Section 4.1).
   111  //
   112  // The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
   113  // and ed25519.PublicKey. Unsupported key types result in an error.
   114  //
   115  // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
   116  func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
   117  	var publicKeyBytes []byte
   118  	var publicKeyAlgorithm pkix.AlgorithmIdentifier
   119  	var err error
   120  
   121  	if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
   122  		return nil, err
   123  	}
   124  
   125  	pkix := pkixPublicKey{
   126  		Algo: publicKeyAlgorithm,
   127  		BitString: asn1.BitString{
   128  			Bytes:     publicKeyBytes,
   129  			BitLength: 8 * len(publicKeyBytes),
   130  		},
   131  	}
   132  
   133  	ret, _ := asn1.Marshal(pkix)
   134  	return ret, nil
   135  }
   136  
   137  // These structures reflect the ASN.1 structure of X.509 certificates.:
   138  
   139  type certificate struct {
   140  	Raw                asn1.RawContent
   141  	TBSCertificate     tbsCertificate
   142  	SignatureAlgorithm pkix.AlgorithmIdentifier
   143  	SignatureValue     asn1.BitString
   144  }
   145  
   146  type tbsCertificate struct {
   147  	Raw                asn1.RawContent
   148  	Version            int `asn1:"optional,explicit,default:0,tag:0"`
   149  	SerialNumber       *big.Int
   150  	SignatureAlgorithm pkix.AlgorithmIdentifier
   151  	Issuer             asn1.RawValue
   152  	Validity           validity
   153  	Subject            asn1.RawValue
   154  	PublicKey          publicKeyInfo
   155  	UniqueId           asn1.BitString   `asn1:"optional,tag:1"`
   156  	SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
   157  	Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
   158  }
   159  
   160  type dsaAlgorithmParameters struct {
   161  	P, Q, G *big.Int
   162  }
   163  
   164  type validity struct {
   165  	NotBefore, NotAfter time.Time
   166  }
   167  
   168  type publicKeyInfo struct {
   169  	Raw       asn1.RawContent
   170  	Algorithm pkix.AlgorithmIdentifier
   171  	PublicKey asn1.BitString
   172  }
   173  
   174  // RFC 5280,  4.2.1.1
   175  type authKeyId struct {
   176  	Id []byte `asn1:"optional,tag:0"`
   177  }
   178  
   179  type SignatureAlgorithm int
   180  
   181  const (
   182  	UnknownSignatureAlgorithm SignatureAlgorithm = iota
   183  
   184  	MD2WithRSA // Unsupported.
   185  	MD5WithRSA // Only supported for signing, not verification.
   186  	SHA1WithRSA
   187  	SHA256WithRSA
   188  	SHA384WithRSA
   189  	SHA512WithRSA
   190  	DSAWithSHA1   // Unsupported.
   191  	DSAWithSHA256 // Unsupported.
   192  	ECDSAWithSHA1
   193  	ECDSAWithSHA256
   194  	ECDSAWithSHA384
   195  	ECDSAWithSHA512
   196  	SHA256WithRSAPSS
   197  	SHA384WithRSAPSS
   198  	SHA512WithRSAPSS
   199  	PureEd25519
   200  )
   201  
   202  func (algo SignatureAlgorithm) isRSAPSS() bool {
   203  	switch algo {
   204  	case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS:
   205  		return true
   206  	default:
   207  		return false
   208  	}
   209  }
   210  
   211  func (algo SignatureAlgorithm) String() string {
   212  	for _, details := range signatureAlgorithmDetails {
   213  		if details.algo == algo {
   214  			return details.name
   215  		}
   216  	}
   217  	return strconv.Itoa(int(algo))
   218  }
   219  
   220  type PublicKeyAlgorithm int
   221  
   222  const (
   223  	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
   224  	RSA
   225  	DSA // Unsupported.
   226  	ECDSA
   227  	Ed25519
   228  )
   229  
   230  var publicKeyAlgoName = [...]string{
   231  	RSA:     "RSA",
   232  	DSA:     "DSA",
   233  	ECDSA:   "ECDSA",
   234  	Ed25519: "Ed25519",
   235  }
   236  
   237  func (algo PublicKeyAlgorithm) String() string {
   238  	if 0 < algo && int(algo) < len(publicKeyAlgoName) {
   239  		return publicKeyAlgoName[algo]
   240  	}
   241  	return strconv.Itoa(int(algo))
   242  }
   243  
   244  // OIDs for signature algorithms
   245  //
   246  // pkcs-1 OBJECT IDENTIFIER ::= {
   247  //    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
   248  //
   249  //
   250  // RFC 3279 2.2.1 RSA Signature Algorithms
   251  //
   252  // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
   253  //
   254  // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
   255  //
   256  // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
   257  //
   258  // dsaWithSha1 OBJECT IDENTIFIER ::= {
   259  //    iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }
   260  //
   261  // RFC 3279 2.2.3 ECDSA Signature Algorithm
   262  //
   263  // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
   264  // 	  iso(1) member-body(2) us(840) ansi-x962(10045)
   265  //    signatures(4) ecdsa-with-SHA1(1)}
   266  //
   267  //
   268  // RFC 4055 5 PKCS #1 Version 1.5
   269  //
   270  // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
   271  //
   272  // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
   273  //
   274  // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
   275  //
   276  //
   277  // RFC 5758 3.1 DSA Signature Algorithms
   278  //
   279  // dsaWithSha256 OBJECT IDENTIFIER ::= {
   280  //    joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
   281  //    csor(3) algorithms(4) id-dsa-with-sha2(3) 2}
   282  //
   283  // RFC 5758 3.2 ECDSA Signature Algorithm
   284  //
   285  // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   286  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
   287  //
   288  // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   289  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
   290  //
   291  // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   292  //    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
   293  //
   294  //
   295  // RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers
   296  //
   297  // id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
   298  
   299  var (
   300  	oidSignatureMD2WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
   301  	oidSignatureMD5WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
   302  	oidSignatureSHA1WithRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
   303  	oidSignatureSHA256WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
   304  	oidSignatureSHA384WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
   305  	oidSignatureSHA512WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
   306  	oidSignatureRSAPSS          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
   307  	oidSignatureDSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
   308  	oidSignatureDSAWithSHA256   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
   309  	oidSignatureECDSAWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
   310  	oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
   311  	oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
   312  	oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
   313  	oidSignatureEd25519         = asn1.ObjectIdentifier{1, 3, 101, 112}
   314  
   315  	oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
   316  	oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
   317  	oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
   318  
   319  	oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
   320  
   321  	// oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
   322  	// but it's specified by ISO. Microsoft's makecert.exe has been known
   323  	// to produce certificates with this OID.
   324  	oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
   325  )
   326  
   327  var signatureAlgorithmDetails = []struct {
   328  	algo       SignatureAlgorithm
   329  	name       string
   330  	oid        asn1.ObjectIdentifier
   331  	pubKeyAlgo PublicKeyAlgorithm
   332  	hash       crypto.Hash
   333  }{
   334  	{MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
   335  	{MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
   336  	{SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
   337  	{SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
   338  	{SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
   339  	{SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
   340  	{SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
   341  	{SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
   342  	{SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
   343  	{SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
   344  	{DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
   345  	{DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
   346  	{ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
   347  	{ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
   348  	{ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
   349  	{ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
   350  	{PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */},
   351  }
   352  
   353  // hashToPSSParameters contains the DER encoded RSA PSS parameters for the
   354  // SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3.
   355  // The parameters contain the following values:
   356  //   * hashAlgorithm contains the associated hash identifier with NULL parameters
   357  //   * maskGenAlgorithm always contains the default mgf1SHA1 identifier
   358  //   * saltLength contains the length of the associated hash
   359  //   * trailerField always contains the default trailerFieldBC value
   360  var hashToPSSParameters = map[crypto.Hash]asn1.RawValue{
   361  	crypto.SHA256: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 162, 3, 2, 1, 32}},
   362  	crypto.SHA384: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 162, 3, 2, 1, 48}},
   363  	crypto.SHA512: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 162, 3, 2, 1, 64}},
   364  }
   365  
   366  // pssParameters reflects the parameters in an AlgorithmIdentifier that
   367  // specifies RSA PSS. See RFC 3447, Appendix A.2.3.
   368  type pssParameters struct {
   369  	// The following three fields are not marked as
   370  	// optional because the default values specify SHA-1,
   371  	// which is no longer suitable for use in signatures.
   372  	Hash         pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
   373  	MGF          pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
   374  	SaltLength   int                      `asn1:"explicit,tag:2"`
   375  	TrailerField int                      `asn1:"optional,explicit,tag:3,default:1"`
   376  }
   377  
   378  func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm {
   379  	if ai.Algorithm.Equal(oidSignatureEd25519) {
   380  		// RFC 8410, Section 3
   381  		// > For all of the OIDs, the parameters MUST be absent.
   382  		if len(ai.Parameters.FullBytes) != 0 {
   383  			return UnknownSignatureAlgorithm
   384  		}
   385  	}
   386  
   387  	if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
   388  		for _, details := range signatureAlgorithmDetails {
   389  			if ai.Algorithm.Equal(details.oid) {
   390  				return details.algo
   391  			}
   392  		}
   393  		return UnknownSignatureAlgorithm
   394  	}
   395  
   396  	// RSA PSS is special because it encodes important parameters
   397  	// in the Parameters.
   398  
   399  	var params pssParameters
   400  	if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, &params); err != nil {
   401  		return UnknownSignatureAlgorithm
   402  	}
   403  
   404  	var mgf1HashFunc pkix.AlgorithmIdentifier
   405  	if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
   406  		return UnknownSignatureAlgorithm
   407  	}
   408  
   409  	// PSS is greatly overburdened with options. This code forces them into
   410  	// three buckets by requiring that the MGF1 hash function always match the
   411  	// message hash function (as recommended in RFC 3447, Section 8.1), that the
   412  	// salt length matches the hash length, and that the trailer field has the
   413  	// default value.
   414  	if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
   415  		!params.MGF.Algorithm.Equal(oidMGF1) ||
   416  		!mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
   417  		(len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
   418  		params.TrailerField != 1 {
   419  		return UnknownSignatureAlgorithm
   420  	}
   421  
   422  	switch {
   423  	case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
   424  		return SHA256WithRSAPSS
   425  	case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
   426  		return SHA384WithRSAPSS
   427  	case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
   428  		return SHA512WithRSAPSS
   429  	}
   430  
   431  	return UnknownSignatureAlgorithm
   432  }
   433  
   434  // RFC 3279, 2.3 Public Key Algorithms
   435  //
   436  // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   437  //    rsadsi(113549) pkcs(1) 1 }
   438  //
   439  // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
   440  //
   441  // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   442  //    x9-57(10040) x9cm(4) 1 }
   443  //
   444  // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
   445  //
   446  // id-ecPublicKey OBJECT IDENTIFIER ::= {
   447  //       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
   448  var (
   449  	oidPublicKeyRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
   450  	oidPublicKeyDSA     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
   451  	oidPublicKeyECDSA   = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
   452  	oidPublicKeyEd25519 = oidSignatureEd25519
   453  )
   454  
   455  func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
   456  	switch {
   457  	case oid.Equal(oidPublicKeyRSA):
   458  		return RSA
   459  	case oid.Equal(oidPublicKeyDSA):
   460  		return DSA
   461  	case oid.Equal(oidPublicKeyECDSA):
   462  		return ECDSA
   463  	case oid.Equal(oidPublicKeyEd25519):
   464  		return Ed25519
   465  	}
   466  	return UnknownPublicKeyAlgorithm
   467  }
   468  
   469  // RFC 5480, 2.1.1.1. Named Curve
   470  //
   471  // secp224r1 OBJECT IDENTIFIER ::= {
   472  //   iso(1) identified-organization(3) certicom(132) curve(0) 33 }
   473  //
   474  // secp256r1 OBJECT IDENTIFIER ::= {
   475  //   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
   476  //   prime(1) 7 }
   477  //
   478  // secp384r1 OBJECT IDENTIFIER ::= {
   479  //   iso(1) identified-organization(3) certicom(132) curve(0) 34 }
   480  //
   481  // secp521r1 OBJECT IDENTIFIER ::= {
   482  //   iso(1) identified-organization(3) certicom(132) curve(0) 35 }
   483  //
   484  // NB: secp256r1 is equivalent to prime256v1
   485  var (
   486  	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
   487  	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
   488  	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
   489  	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
   490  )
   491  
   492  func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
   493  	switch {
   494  	case oid.Equal(oidNamedCurveP224):
   495  		return elliptic.P224()
   496  	case oid.Equal(oidNamedCurveP256):
   497  		return elliptic.P256()
   498  	case oid.Equal(oidNamedCurveP384):
   499  		return elliptic.P384()
   500  	case oid.Equal(oidNamedCurveP521):
   501  		return elliptic.P521()
   502  	}
   503  	return nil
   504  }
   505  
   506  func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
   507  	switch curve {
   508  	case elliptic.P224():
   509  		return oidNamedCurveP224, true
   510  	case elliptic.P256():
   511  		return oidNamedCurveP256, true
   512  	case elliptic.P384():
   513  		return oidNamedCurveP384, true
   514  	case elliptic.P521():
   515  		return oidNamedCurveP521, true
   516  	}
   517  
   518  	return nil, false
   519  }
   520  
   521  // KeyUsage represents the set of actions that are valid for a given key. It's
   522  // a bitmap of the KeyUsage* constants.
   523  type KeyUsage int
   524  
   525  const (
   526  	KeyUsageDigitalSignature KeyUsage = 1 << iota
   527  	KeyUsageContentCommitment
   528  	KeyUsageKeyEncipherment
   529  	KeyUsageDataEncipherment
   530  	KeyUsageKeyAgreement
   531  	KeyUsageCertSign
   532  	KeyUsageCRLSign
   533  	KeyUsageEncipherOnly
   534  	KeyUsageDecipherOnly
   535  )
   536  
   537  // RFC 5280, 4.2.1.12  Extended Key Usage
   538  //
   539  // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
   540  //
   541  // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
   542  //
   543  // id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   544  // id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   545  // id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
   546  // id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
   547  // id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
   548  // id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   549  var (
   550  	oidExtKeyUsageAny                            = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
   551  	oidExtKeyUsageServerAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
   552  	oidExtKeyUsageClientAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
   553  	oidExtKeyUsageCodeSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
   554  	oidExtKeyUsageEmailProtection                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
   555  	oidExtKeyUsageIPSECEndSystem                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
   556  	oidExtKeyUsageIPSECTunnel                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
   557  	oidExtKeyUsageIPSECUser                      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
   558  	oidExtKeyUsageTimeStamping                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
   559  	oidExtKeyUsageOCSPSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
   560  	oidExtKeyUsageMicrosoftServerGatedCrypto     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
   561  	oidExtKeyUsageNetscapeServerGatedCrypto      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
   562  	oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
   563  	oidExtKeyUsageMicrosoftKernelCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
   564  )
   565  
   566  // ExtKeyUsage represents an extended set of actions that are valid for a given key.
   567  // Each of the ExtKeyUsage* constants define a unique action.
   568  type ExtKeyUsage int
   569  
   570  const (
   571  	ExtKeyUsageAny ExtKeyUsage = iota
   572  	ExtKeyUsageServerAuth
   573  	ExtKeyUsageClientAuth
   574  	ExtKeyUsageCodeSigning
   575  	ExtKeyUsageEmailProtection
   576  	ExtKeyUsageIPSECEndSystem
   577  	ExtKeyUsageIPSECTunnel
   578  	ExtKeyUsageIPSECUser
   579  	ExtKeyUsageTimeStamping
   580  	ExtKeyUsageOCSPSigning
   581  	ExtKeyUsageMicrosoftServerGatedCrypto
   582  	ExtKeyUsageNetscapeServerGatedCrypto
   583  	ExtKeyUsageMicrosoftCommercialCodeSigning
   584  	ExtKeyUsageMicrosoftKernelCodeSigning
   585  )
   586  
   587  // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
   588  var extKeyUsageOIDs = []struct {
   589  	extKeyUsage ExtKeyUsage
   590  	oid         asn1.ObjectIdentifier
   591  }{
   592  	{ExtKeyUsageAny, oidExtKeyUsageAny},
   593  	{ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
   594  	{ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
   595  	{ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
   596  	{ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
   597  	{ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
   598  	{ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
   599  	{ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
   600  	{ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
   601  	{ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
   602  	{ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
   603  	{ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
   604  	{ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
   605  	{ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
   606  }
   607  
   608  func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
   609  	for _, pair := range extKeyUsageOIDs {
   610  		if oid.Equal(pair.oid) {
   611  			return pair.extKeyUsage, true
   612  		}
   613  	}
   614  	return
   615  }
   616  
   617  func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
   618  	for _, pair := range extKeyUsageOIDs {
   619  		if eku == pair.extKeyUsage {
   620  			return pair.oid, true
   621  		}
   622  	}
   623  	return
   624  }
   625  
   626  // A Certificate represents an X.509 certificate.
   627  type Certificate struct {
   628  	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
   629  	RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
   630  	RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
   631  	RawSubject              []byte // DER encoded Subject
   632  	RawIssuer               []byte // DER encoded Issuer
   633  
   634  	Signature          []byte
   635  	SignatureAlgorithm SignatureAlgorithm
   636  
   637  	PublicKeyAlgorithm PublicKeyAlgorithm
   638  	PublicKey          interface{}
   639  
   640  	Version             int
   641  	SerialNumber        *big.Int
   642  	Issuer              pkix.Name
   643  	Subject             pkix.Name
   644  	NotBefore, NotAfter time.Time // Validity bounds.
   645  	KeyUsage            KeyUsage
   646  
   647  	// Extensions contains raw X.509 extensions. When parsing certificates,
   648  	// this can be used to extract non-critical extensions that are not
   649  	// parsed by this package. When marshaling certificates, the Extensions
   650  	// field is ignored, see ExtraExtensions.
   651  	Extensions []pkix.Extension
   652  
   653  	// ExtraExtensions contains extensions to be copied, raw, into any
   654  	// marshaled certificates. Values override any extensions that would
   655  	// otherwise be produced based on the other fields. The ExtraExtensions
   656  	// field is not populated when parsing certificates, see Extensions.
   657  	ExtraExtensions []pkix.Extension
   658  
   659  	// UnhandledCriticalExtensions contains a list of extension IDs that
   660  	// were not (fully) processed when parsing. Verify will fail if this
   661  	// slice is non-empty, unless verification is delegated to an OS
   662  	// library which understands all the critical extensions.
   663  	//
   664  	// Users can access these extensions using Extensions and can remove
   665  	// elements from this slice if they believe that they have been
   666  	// handled.
   667  	UnhandledCriticalExtensions []asn1.ObjectIdentifier
   668  
   669  	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
   670  	UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.
   671  
   672  	// BasicConstraintsValid indicates whether IsCA, MaxPathLen,
   673  	// and MaxPathLenZero are valid.
   674  	BasicConstraintsValid bool
   675  	IsCA                  bool
   676  
   677  	// MaxPathLen and MaxPathLenZero indicate the presence and
   678  	// value of the BasicConstraints' "pathLenConstraint".
   679  	//
   680  	// When parsing a certificate, a positive non-zero MaxPathLen
   681  	// means that the field was specified, -1 means it was unset,
   682  	// and MaxPathLenZero being true mean that the field was
   683  	// explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
   684  	// should be treated equivalent to -1 (unset).
   685  	//
   686  	// When generating a certificate, an unset pathLenConstraint
   687  	// can be requested with either MaxPathLen == -1 or using the
   688  	// zero value for both MaxPathLen and MaxPathLenZero.
   689  	MaxPathLen int
   690  	// MaxPathLenZero indicates that BasicConstraintsValid==true
   691  	// and MaxPathLen==0 should be interpreted as an actual
   692  	// maximum path length of zero. Otherwise, that combination is
   693  	// interpreted as MaxPathLen not being set.
   694  	MaxPathLenZero bool
   695  
   696  	SubjectKeyId   []byte
   697  	AuthorityKeyId []byte
   698  
   699  	// RFC 5280, 4.2.2.1 (Authority Information Access)
   700  	OCSPServer            []string
   701  	IssuingCertificateURL []string
   702  
   703  	// Subject Alternate Name values. (Note that these values may not be valid
   704  	// if invalid values were contained within a parsed certificate. For
   705  	// example, an element of DNSNames may not be a valid DNS domain name.)
   706  	DNSNames       []string
   707  	EmailAddresses []string
   708  	IPAddresses    []net.IP
   709  	URIs           []*url.URL
   710  
   711  	// Name constraints
   712  	PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
   713  	PermittedDNSDomains         []string
   714  	ExcludedDNSDomains          []string
   715  	PermittedIPRanges           []*net.IPNet
   716  	ExcludedIPRanges            []*net.IPNet
   717  	PermittedEmailAddresses     []string
   718  	ExcludedEmailAddresses      []string
   719  	PermittedURIDomains         []string
   720  	ExcludedURIDomains          []string
   721  
   722  	// CRL Distribution Points
   723  	CRLDistributionPoints []string
   724  
   725  	PolicyIdentifiers []asn1.ObjectIdentifier
   726  }
   727  
   728  // ErrUnsupportedAlgorithm results from attempting to perform an operation that
   729  // involves algorithms that are not currently implemented.
   730  var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
   731  
   732  // An InsecureAlgorithmError
   733  type InsecureAlgorithmError SignatureAlgorithm
   734  
   735  func (e InsecureAlgorithmError) Error() string {
   736  	return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e))
   737  }
   738  
   739  // ConstraintViolationError results when a requested usage is not permitted by
   740  // a certificate. For example: checking a signature when the public key isn't a
   741  // certificate signing key.
   742  type ConstraintViolationError struct{}
   743  
   744  func (ConstraintViolationError) Error() string {
   745  	return "x509: invalid signature: parent certificate cannot sign this kind of certificate"
   746  }
   747  
   748  func (c *Certificate) Equal(other *Certificate) bool {
   749  	if c == nil || other == nil {
   750  		return c == other
   751  	}
   752  	return bytes.Equal(c.Raw, other.Raw)
   753  }
   754  
   755  func (c *Certificate) hasSANExtension() bool {
   756  	return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
   757  }
   758  
   759  // CheckSignatureFrom verifies that the signature on c is a valid signature
   760  // from parent.
   761  func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
   762  	// RFC 5280, 4.2.1.9:
   763  	// "If the basic constraints extension is not present in a version 3
   764  	// certificate, or the extension is present but the cA boolean is not
   765  	// asserted, then the certified public key MUST NOT be used to verify
   766  	// certificate signatures."
   767  	if parent.Version == 3 && !parent.BasicConstraintsValid ||
   768  		parent.BasicConstraintsValid && !parent.IsCA {
   769  		return ConstraintViolationError{}
   770  	}
   771  
   772  	if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
   773  		return ConstraintViolationError{}
   774  	}
   775  
   776  	if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
   777  		return ErrUnsupportedAlgorithm
   778  	}
   779  
   780  	// TODO(agl): don't ignore the path length constraint.
   781  
   782  	return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
   783  }
   784  
   785  // CheckSignature verifies that signature is a valid signature over signed from
   786  // c's public key.
   787  func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
   788  	return checkSignature(algo, signed, signature, c.PublicKey)
   789  }
   790  
   791  func (c *Certificate) hasNameConstraints() bool {
   792  	return oidInExtensions(oidExtensionNameConstraints, c.Extensions)
   793  }
   794  
   795  func (c *Certificate) getSANExtension() []byte {
   796  	for _, e := range c.Extensions {
   797  		if e.Id.Equal(oidExtensionSubjectAltName) {
   798  			return e.Value
   799  		}
   800  	}
   801  	return nil
   802  }
   803  
   804  func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
   805  	return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
   806  }
   807  
   808  // CheckSignature verifies that signature is a valid signature over signed from
   809  // a crypto.PublicKey.
   810  func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
   811  	var hashType crypto.Hash
   812  	var pubKeyAlgo PublicKeyAlgorithm
   813  
   814  	for _, details := range signatureAlgorithmDetails {
   815  		if details.algo == algo {
   816  			hashType = details.hash
   817  			pubKeyAlgo = details.pubKeyAlgo
   818  		}
   819  	}
   820  
   821  	switch hashType {
   822  	case crypto.Hash(0):
   823  		if pubKeyAlgo != Ed25519 {
   824  			return ErrUnsupportedAlgorithm
   825  		}
   826  	case crypto.MD5:
   827  		return InsecureAlgorithmError(algo)
   828  	default:
   829  		if !hashType.Available() {
   830  			return ErrUnsupportedAlgorithm
   831  		}
   832  		h := hashType.New()
   833  		h.Write(signed)
   834  		signed = h.Sum(nil)
   835  	}
   836  
   837  	switch pub := publicKey.(type) {
   838  	case *rsa.PublicKey:
   839  		if pubKeyAlgo != RSA {
   840  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   841  		}
   842  		if algo.isRSAPSS() {
   843  			return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
   844  		} else {
   845  			return rsa.VerifyPKCS1v15(pub, hashType, signed, signature)
   846  		}
   847  	case *ecdsa.PublicKey:
   848  		if pubKeyAlgo != ECDSA {
   849  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   850  		}
   851  		if !ecdsa.VerifyASN1(pub, signed, signature) {
   852  			return errors.New("x509: ECDSA verification failure")
   853  		}
   854  		return
   855  	case ed25519.PublicKey:
   856  		if pubKeyAlgo != Ed25519 {
   857  			return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   858  		}
   859  		if !ed25519.Verify(pub, signed, signature) {
   860  			return errors.New("x509: Ed25519 verification failure")
   861  		}
   862  		return
   863  	}
   864  	return ErrUnsupportedAlgorithm
   865  }
   866  
   867  // CheckCRLSignature checks that the signature in crl is from c.
   868  func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error {
   869  	algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm)
   870  	return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign())
   871  }
   872  
   873  type UnhandledCriticalExtension struct{}
   874  
   875  func (h UnhandledCriticalExtension) Error() string {
   876  	return "x509: unhandled critical extension"
   877  }
   878  
   879  type basicConstraints struct {
   880  	IsCA       bool `asn1:"optional"`
   881  	MaxPathLen int  `asn1:"optional,default:-1"`
   882  }
   883  
   884  // RFC 5280 4.2.1.4
   885  type policyInformation struct {
   886  	Policy asn1.ObjectIdentifier
   887  	// policyQualifiers omitted
   888  }
   889  
   890  const (
   891  	nameTypeEmail = 1
   892  	nameTypeDNS   = 2
   893  	nameTypeURI   = 6
   894  	nameTypeIP    = 7
   895  )
   896  
   897  // RFC 5280, 4.2.2.1
   898  type authorityInfoAccess struct {
   899  	Method   asn1.ObjectIdentifier
   900  	Location asn1.RawValue
   901  }
   902  
   903  // RFC 5280, 4.2.1.14
   904  type distributionPoint struct {
   905  	DistributionPoint distributionPointName `asn1:"optional,tag:0"`
   906  	Reason            asn1.BitString        `asn1:"optional,tag:1"`
   907  	CRLIssuer         asn1.RawValue         `asn1:"optional,tag:2"`
   908  }
   909  
   910  type distributionPointName struct {
   911  	FullName     []asn1.RawValue  `asn1:"optional,tag:0"`
   912  	RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
   913  }
   914  
   915  func reverseBitsInAByte(in byte) byte {
   916  	b1 := in>>4 | in<<4
   917  	b2 := b1>>2&0x33 | b1<<2&0xcc
   918  	b3 := b2>>1&0x55 | b2<<1&0xaa
   919  	return b3
   920  }
   921  
   922  // asn1BitLength returns the bit-length of bitString by considering the
   923  // most-significant bit in a byte to be the "first" bit. This convention
   924  // matches ASN.1, but differs from almost everything else.
   925  func asn1BitLength(bitString []byte) int {
   926  	bitLen := len(bitString) * 8
   927  
   928  	for i := range bitString {
   929  		b := bitString[len(bitString)-i-1]
   930  
   931  		for bit := uint(0); bit < 8; bit++ {
   932  			if (b>>bit)&1 == 1 {
   933  				return bitLen
   934  			}
   935  			bitLen--
   936  		}
   937  	}
   938  
   939  	return 0
   940  }
   941  
   942  var (
   943  	oidExtensionSubjectKeyId          = []int{2, 5, 29, 14}
   944  	oidExtensionKeyUsage              = []int{2, 5, 29, 15}
   945  	oidExtensionExtendedKeyUsage      = []int{2, 5, 29, 37}
   946  	oidExtensionAuthorityKeyId        = []int{2, 5, 29, 35}
   947  	oidExtensionBasicConstraints      = []int{2, 5, 29, 19}
   948  	oidExtensionSubjectAltName        = []int{2, 5, 29, 17}
   949  	oidExtensionCertificatePolicies   = []int{2, 5, 29, 32}
   950  	oidExtensionNameConstraints       = []int{2, 5, 29, 30}
   951  	oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31}
   952  	oidExtensionAuthorityInfoAccess   = []int{1, 3, 6, 1, 5, 5, 7, 1, 1}
   953  	oidExtensionCRLNumber             = []int{2, 5, 29, 20}
   954  )
   955  
   956  var (
   957  	oidAuthorityInfoAccessOcsp    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
   958  	oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
   959  )
   960  
   961  // oidNotInExtensions reports whether an extension with the given oid exists in
   962  // extensions.
   963  func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool {
   964  	for _, e := range extensions {
   965  		if e.Id.Equal(oid) {
   966  			return true
   967  		}
   968  	}
   969  	return false
   970  }
   971  
   972  // marshalSANs marshals a list of addresses into a the contents of an X.509
   973  // SubjectAlternativeName extension.
   974  func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) {
   975  	var rawValues []asn1.RawValue
   976  	for _, name := range dnsNames {
   977  		if err := isIA5String(name); err != nil {
   978  			return nil, err
   979  		}
   980  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)})
   981  	}
   982  	for _, email := range emailAddresses {
   983  		if err := isIA5String(email); err != nil {
   984  			return nil, err
   985  		}
   986  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)})
   987  	}
   988  	for _, rawIP := range ipAddresses {
   989  		// If possible, we always want to encode IPv4 addresses in 4 bytes.
   990  		ip := rawIP.To4()
   991  		if ip == nil {
   992  			ip = rawIP
   993  		}
   994  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip})
   995  	}
   996  	for _, uri := range uris {
   997  		uriStr := uri.String()
   998  		if err := isIA5String(uriStr); err != nil {
   999  			return nil, err
  1000  		}
  1001  		rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uriStr)})
  1002  	}
  1003  	return asn1.Marshal(rawValues)
  1004  }
  1005  
  1006  func isIA5String(s string) error {
  1007  	for _, r := range s {
  1008  		// Per RFC5280 "IA5String is limited to the set of ASCII characters"
  1009  		if r > unicode.MaxASCII {
  1010  			return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
  1011  		}
  1012  	}
  1013  
  1014  	return nil
  1015  }
  1016  
  1017  func buildCertExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte, subjectKeyId []byte) (ret []pkix.Extension, err error) {
  1018  	ret = make([]pkix.Extension, 10 /* maximum number of elements. */)
  1019  	n := 0
  1020  
  1021  	if template.KeyUsage != 0 &&
  1022  		!oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
  1023  		ret[n], err = marshalKeyUsage(template.KeyUsage)
  1024  		if err != nil {
  1025  			return nil, err
  1026  		}
  1027  		n++
  1028  	}
  1029  
  1030  	if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
  1031  		!oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
  1032  		ret[n], err = marshalExtKeyUsage(template.ExtKeyUsage, template.UnknownExtKeyUsage)
  1033  		if err != nil {
  1034  			return nil, err
  1035  		}
  1036  		n++
  1037  	}
  1038  
  1039  	if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) {
  1040  		ret[n], err = marshalBasicConstraints(template.IsCA, template.MaxPathLen, template.MaxPathLenZero)
  1041  		if err != nil {
  1042  			return nil, err
  1043  		}
  1044  		n++
  1045  	}
  1046  
  1047  	if len(subjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) {
  1048  		ret[n].Id = oidExtensionSubjectKeyId
  1049  		ret[n].Value, err = asn1.Marshal(subjectKeyId)
  1050  		if err != nil {
  1051  			return
  1052  		}
  1053  		n++
  1054  	}
  1055  
  1056  	if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {
  1057  		ret[n].Id = oidExtensionAuthorityKeyId
  1058  		ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId})
  1059  		if err != nil {
  1060  			return
  1061  		}
  1062  		n++
  1063  	}
  1064  
  1065  	if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
  1066  		!oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) {
  1067  		ret[n].Id = oidExtensionAuthorityInfoAccess
  1068  		var aiaValues []authorityInfoAccess
  1069  		for _, name := range template.OCSPServer {
  1070  			aiaValues = append(aiaValues, authorityInfoAccess{
  1071  				Method:   oidAuthorityInfoAccessOcsp,
  1072  				Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1073  			})
  1074  		}
  1075  		for _, name := range template.IssuingCertificateURL {
  1076  			aiaValues = append(aiaValues, authorityInfoAccess{
  1077  				Method:   oidAuthorityInfoAccessIssuers,
  1078  				Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1079  			})
  1080  		}
  1081  		ret[n].Value, err = asn1.Marshal(aiaValues)
  1082  		if err != nil {
  1083  			return
  1084  		}
  1085  		n++
  1086  	}
  1087  
  1088  	if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  1089  		!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  1090  		ret[n].Id = oidExtensionSubjectAltName
  1091  		// From RFC 5280, Section 4.2.1.6:
  1092  		// “If the subject field contains an empty sequence ... then
  1093  		// subjectAltName extension ... is marked as critical”
  1094  		ret[n].Critical = subjectIsEmpty
  1095  		ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  1096  		if err != nil {
  1097  			return
  1098  		}
  1099  		n++
  1100  	}
  1101  
  1102  	if len(template.PolicyIdentifiers) > 0 &&
  1103  		!oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) {
  1104  		ret[n], err = marshalCertificatePolicies(template.PolicyIdentifiers)
  1105  		if err != nil {
  1106  			return nil, err
  1107  		}
  1108  		n++
  1109  	}
  1110  
  1111  	if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 ||
  1112  		len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 ||
  1113  		len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 ||
  1114  		len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) &&
  1115  		!oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
  1116  		ret[n].Id = oidExtensionNameConstraints
  1117  		ret[n].Critical = template.PermittedDNSDomainsCritical
  1118  
  1119  		ipAndMask := func(ipNet *net.IPNet) []byte {
  1120  			maskedIP := ipNet.IP.Mask(ipNet.Mask)
  1121  			ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
  1122  			ipAndMask = append(ipAndMask, maskedIP...)
  1123  			ipAndMask = append(ipAndMask, ipNet.Mask...)
  1124  			return ipAndMask
  1125  		}
  1126  
  1127  		serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) {
  1128  			var b cryptobyte.Builder
  1129  
  1130  			for _, name := range dns {
  1131  				if err = isIA5String(name); err != nil {
  1132  					return nil, err
  1133  				}
  1134  
  1135  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1136  					b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) {
  1137  						b.AddBytes([]byte(name))
  1138  					})
  1139  				})
  1140  			}
  1141  
  1142  			for _, ipNet := range ips {
  1143  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1144  					b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) {
  1145  						b.AddBytes(ipAndMask(ipNet))
  1146  					})
  1147  				})
  1148  			}
  1149  
  1150  			for _, email := range emails {
  1151  				if err = isIA5String(email); err != nil {
  1152  					return nil, err
  1153  				}
  1154  
  1155  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1156  					b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) {
  1157  						b.AddBytes([]byte(email))
  1158  					})
  1159  				})
  1160  			}
  1161  
  1162  			for _, uriDomain := range uriDomains {
  1163  				if err = isIA5String(uriDomain); err != nil {
  1164  					return nil, err
  1165  				}
  1166  
  1167  				b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1168  					b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) {
  1169  						b.AddBytes([]byte(uriDomain))
  1170  					})
  1171  				})
  1172  			}
  1173  
  1174  			return b.Bytes()
  1175  		}
  1176  
  1177  		permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains)
  1178  		if err != nil {
  1179  			return nil, err
  1180  		}
  1181  
  1182  		excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains)
  1183  		if err != nil {
  1184  			return nil, err
  1185  		}
  1186  
  1187  		var b cryptobyte.Builder
  1188  		b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1189  			if len(permitted) > 0 {
  1190  				b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1191  					b.AddBytes(permitted)
  1192  				})
  1193  			}
  1194  
  1195  			if len(excluded) > 0 {
  1196  				b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1197  					b.AddBytes(excluded)
  1198  				})
  1199  			}
  1200  		})
  1201  
  1202  		ret[n].Value, err = b.Bytes()
  1203  		if err != nil {
  1204  			return nil, err
  1205  		}
  1206  		n++
  1207  	}
  1208  
  1209  	if len(template.CRLDistributionPoints) > 0 &&
  1210  		!oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) {
  1211  		ret[n].Id = oidExtensionCRLDistributionPoints
  1212  
  1213  		var crlDp []distributionPoint
  1214  		for _, name := range template.CRLDistributionPoints {
  1215  			dp := distributionPoint{
  1216  				DistributionPoint: distributionPointName{
  1217  					FullName: []asn1.RawValue{
  1218  						{Tag: 6, Class: 2, Bytes: []byte(name)},
  1219  					},
  1220  				},
  1221  			}
  1222  			crlDp = append(crlDp, dp)
  1223