Source file src/crypto/x509/x509.go

     1	// Copyright 2009 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	// Package x509 parses X.509-encoded keys and certificates.
     6	//
     7	// On UNIX systems the environment variables SSL_CERT_FILE and SSL_CERT_DIR
     8	// can be used to override the system default locations for the SSL certificate
     9	// file and SSL certificate files directory, respectively.
    10	package x509
    11	
    12	import (
    13		"bytes"
    14		"crypto"
    15		"crypto/dsa"
    16		"crypto/ecdsa"
    17		"crypto/ed25519"
    18		"crypto/elliptic"
    19		"crypto/rsa"
    20		_ "crypto/sha1"
    21		_ "crypto/sha256"
    22		_ "crypto/sha512"
    23		"crypto/x509/pkix"
    24		"encoding/asn1"
    25		"encoding/pem"
    26		"errors"
    27		"fmt"
    28		"golang.org/x/crypto/cryptobyte"
    29		cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
    30		"io"
    31		"math/big"
    32		"net"
    33		"net/url"
    34		"strconv"
    35		"strings"
    36		"time"
    37		"unicode/utf8"
    38	)
    39	
    40	// pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
    41	// in RFC 3280.
    42	type pkixPublicKey struct {
    43		Algo      pkix.AlgorithmIdentifier
    44		BitString asn1.BitString
    45	}
    46	
    47	// ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
    48	//
    49	// It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
    50	// ed25519.PublicKey. More types might be supported in the future.
    51	//
    52	// This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
    53	func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
    54		var pki publicKeyInfo
    55		if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
    56			if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil {
    57				return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)")
    58			}
    59			return nil, err
    60		} else if len(rest) != 0 {
    61			return nil, errors.New("x509: trailing data after ASN.1 of public-key")
    62		}
    63		algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
    64		if algo == UnknownPublicKeyAlgorithm {
    65			return nil, errors.New("x509: unknown public key algorithm")
    66		}
    67		return parsePublicKey(algo, &pki)
    68	}
    69	
    70	func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
    71		switch pub := pub.(type) {
    72		case *rsa.PublicKey:
    73			publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
    74				N: pub.N,
    75				E: pub.E,
    76			})
    77			if err != nil {
    78				return nil, pkix.AlgorithmIdentifier{}, err
    79			}
    80			publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
    81			// This is a NULL parameters value which is required by
    82			// RFC 3279, Section 2.3.1.
    83			publicKeyAlgorithm.Parameters = asn1.NullRawValue
    84		case *ecdsa.PublicKey:
    85			publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
    86			oid, ok := oidFromNamedCurve(pub.Curve)
    87			if !ok {
    88				return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
    89			}
    90			publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
    91			var paramBytes []byte
    92			paramBytes, err = asn1.Marshal(oid)
    93			if err != nil {
    94				return
    95			}
    96			publicKeyAlgorithm.Parameters.FullBytes = paramBytes
    97		case ed25519.PublicKey:
    98			publicKeyBytes = pub
    99			publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519
   100		default:
   101			return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: only RSA and ECDSA public keys supported")
   102		}
   103	
   104		return publicKeyBytes, publicKeyAlgorithm, nil
   105	}
   106	
   107	// MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
   108	//
   109	// The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
   110	// and ed25519.PublicKey. Unsupported key types result in an error.
   111	//
   112	// This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
   113	func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
   114		var publicKeyBytes []byte
   115		var publicKeyAlgorithm pkix.AlgorithmIdentifier
   116		var err error
   117	
   118		if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
   119			return nil, err
   120		}
   121	
   122		pkix := pkixPublicKey{
   123			Algo: publicKeyAlgorithm,
   124			BitString: asn1.BitString{
   125				Bytes:     publicKeyBytes,
   126				BitLength: 8 * len(publicKeyBytes),
   127			},
   128		}
   129	
   130		ret, _ := asn1.Marshal(pkix)
   131		return ret, nil
   132	}
   133	
   134	// These structures reflect the ASN.1 structure of X.509 certificates.:
   135	
   136	type certificate struct {
   137		Raw                asn1.RawContent
   138		TBSCertificate     tbsCertificate
   139		SignatureAlgorithm pkix.AlgorithmIdentifier
   140		SignatureValue     asn1.BitString
   141	}
   142	
   143	type tbsCertificate struct {
   144		Raw                asn1.RawContent
   145		Version            int `asn1:"optional,explicit,default:0,tag:0"`
   146		SerialNumber       *big.Int
   147		SignatureAlgorithm pkix.AlgorithmIdentifier
   148		Issuer             asn1.RawValue
   149		Validity           validity
   150		Subject            asn1.RawValue
   151		PublicKey          publicKeyInfo
   152		UniqueId           asn1.BitString   `asn1:"optional,tag:1"`
   153		SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
   154		Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
   155	}
   156	
   157	type dsaAlgorithmParameters struct {
   158		P, Q, G *big.Int
   159	}
   160	
   161	type dsaSignature struct {
   162		R, S *big.Int
   163	}
   164	
   165	type ecdsaSignature dsaSignature
   166	
   167	type validity struct {
   168		NotBefore, NotAfter time.Time
   169	}
   170	
   171	type publicKeyInfo struct {
   172		Raw       asn1.RawContent
   173		Algorithm pkix.AlgorithmIdentifier
   174		PublicKey asn1.BitString
   175	}
   176	
   177	// RFC 5280,  4.2.1.1
   178	type authKeyId struct {
   179		Id []byte `asn1:"optional,tag:0"`
   180	}
   181	
   182	type SignatureAlgorithm int
   183	
   184	const (
   185		UnknownSignatureAlgorithm SignatureAlgorithm = iota
   186		MD2WithRSA
   187		MD5WithRSA
   188		SHA1WithRSA
   189		SHA256WithRSA
   190		SHA384WithRSA
   191		SHA512WithRSA
   192		DSAWithSHA1
   193		DSAWithSHA256
   194		ECDSAWithSHA1
   195		ECDSAWithSHA256
   196		ECDSAWithSHA384
   197		ECDSAWithSHA512
   198		SHA256WithRSAPSS
   199		SHA384WithRSAPSS
   200		SHA512WithRSAPSS
   201		PureEd25519
   202	)
   203	
   204	func (algo SignatureAlgorithm) isRSAPSS() bool {
   205		switch algo {
   206		case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS:
   207			return true
   208		default:
   209			return false
   210		}
   211	}
   212	
   213	func (algo SignatureAlgorithm) String() string {
   214		for _, details := range signatureAlgorithmDetails {
   215			if details.algo == algo {
   216				return details.name
   217			}
   218		}
   219		return strconv.Itoa(int(algo))
   220	}
   221	
   222	type PublicKeyAlgorithm int
   223	
   224	const (
   225		UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
   226		RSA
   227		DSA
   228		ECDSA
   229		Ed25519
   230	)
   231	
   232	var publicKeyAlgoName = [...]string{
   233		RSA:     "RSA",
   234		DSA:     "DSA",
   235		ECDSA:   "ECDSA",
   236		Ed25519: "Ed25519",
   237	}
   238	
   239	func (algo PublicKeyAlgorithm) String() string {
   240		if 0 < algo && int(algo) < len(publicKeyAlgoName) {
   241			return publicKeyAlgoName[algo]
   242		}
   243		return strconv.Itoa(int(algo))
   244	}
   245	
   246	// OIDs for signature algorithms
   247	//
   248	// pkcs-1 OBJECT IDENTIFIER ::= {
   249	//    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
   250	//
   251	//
   252	// RFC 3279 2.2.1 RSA Signature Algorithms
   253	//
   254	// md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
   255	//
   256	// md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
   257	//
   258	// sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
   259	//
   260	// dsaWithSha1 OBJECT IDENTIFIER ::= {
   261	//    iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }
   262	//
   263	// RFC 3279 2.2.3 ECDSA Signature Algorithm
   264	//
   265	// ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
   266	// 	  iso(1) member-body(2) us(840) ansi-x962(10045)
   267	//    signatures(4) ecdsa-with-SHA1(1)}
   268	//
   269	//
   270	// RFC 4055 5 PKCS #1 Version 1.5
   271	//
   272	// sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
   273	//
   274	// sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
   275	//
   276	// sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
   277	//
   278	//
   279	// RFC 5758 3.1 DSA Signature Algorithms
   280	//
   281	// dsaWithSha256 OBJECT IDENTIFIER ::= {
   282	//    joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
   283	//    csor(3) algorithms(4) id-dsa-with-sha2(3) 2}
   284	//
   285	// RFC 5758 3.2 ECDSA Signature Algorithm
   286	//
   287	// ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   288	//    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
   289	//
   290	// ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   291	//    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
   292	//
   293	// ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
   294	//    us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
   295	//
   296	//
   297	// RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers
   298	//
   299	// id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
   300	
   301	var (
   302		oidSignatureMD2WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
   303		oidSignatureMD5WithRSA      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
   304		oidSignatureSHA1WithRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
   305		oidSignatureSHA256WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
   306		oidSignatureSHA384WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
   307		oidSignatureSHA512WithRSA   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
   308		oidSignatureRSAPSS          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
   309		oidSignatureDSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
   310		oidSignatureDSAWithSHA256   = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
   311		oidSignatureECDSAWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
   312		oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
   313		oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
   314		oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
   315		oidSignatureEd25519         = asn1.ObjectIdentifier{1, 3, 101, 112}
   316	
   317		oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
   318		oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
   319		oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
   320	
   321		oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
   322	
   323		// oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
   324		// but it's specified by ISO. Microsoft's makecert.exe has been known
   325		// to produce certificates with this OID.
   326		oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
   327	)
   328	
   329	var signatureAlgorithmDetails = []struct {
   330		algo       SignatureAlgorithm
   331		name       string
   332		oid        asn1.ObjectIdentifier
   333		pubKeyAlgo PublicKeyAlgorithm
   334		hash       crypto.Hash
   335	}{
   336		{MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
   337		{MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
   338		{SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
   339		{SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
   340		{SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
   341		{SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
   342		{SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
   343		{SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
   344		{SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
   345		{SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
   346		{DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
   347		{DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
   348		{ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
   349		{ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
   350		{ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
   351		{ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
   352		{PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */},
   353	}
   354	
   355	// pssParameters reflects the parameters in an AlgorithmIdentifier that
   356	// specifies RSA PSS. See RFC 3447, Appendix A.2.3.
   357	type pssParameters struct {
   358		// The following three fields are not marked as
   359		// optional because the default values specify SHA-1,
   360		// which is no longer suitable for use in signatures.
   361		Hash         pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
   362		MGF          pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
   363		SaltLength   int                      `asn1:"explicit,tag:2"`
   364		TrailerField int                      `asn1:"optional,explicit,tag:3,default:1"`
   365	}
   366	
   367	// rsaPSSParameters returns an asn1.RawValue suitable for use as the Parameters
   368	// in an AlgorithmIdentifier that specifies RSA PSS.
   369	func rsaPSSParameters(hashFunc crypto.Hash) asn1.RawValue {
   370		var hashOID asn1.ObjectIdentifier
   371	
   372		switch hashFunc {
   373		case crypto.SHA256:
   374			hashOID = oidSHA256
   375		case crypto.SHA384:
   376			hashOID = oidSHA384
   377		case crypto.SHA512:
   378			hashOID = oidSHA512
   379		}
   380	
   381		params := pssParameters{
   382			Hash: pkix.AlgorithmIdentifier{
   383				Algorithm:  hashOID,
   384				Parameters: asn1.NullRawValue,
   385			},
   386			MGF: pkix.AlgorithmIdentifier{
   387				Algorithm: oidMGF1,
   388			},
   389			SaltLength:   hashFunc.Size(),
   390			TrailerField: 1,
   391		}
   392	
   393		mgf1Params := pkix.AlgorithmIdentifier{
   394			Algorithm:  hashOID,
   395			Parameters: asn1.NullRawValue,
   396		}
   397	
   398		var err error
   399		params.MGF.Parameters.FullBytes, err = asn1.Marshal(mgf1Params)
   400		if err != nil {
   401			panic(err)
   402		}
   403	
   404		serialized, err := asn1.Marshal(params)
   405		if err != nil {
   406			panic(err)
   407		}
   408	
   409		return asn1.RawValue{FullBytes: serialized}
   410	}
   411	
   412	func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm {
   413		if ai.Algorithm.Equal(oidSignatureEd25519) {
   414			// RFC 8410, Section 3
   415			// > For all of the OIDs, the parameters MUST be absent.
   416			if len(ai.Parameters.FullBytes) != 0 {
   417				return UnknownSignatureAlgorithm
   418			}
   419		}
   420	
   421		if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
   422			for _, details := range signatureAlgorithmDetails {
   423				if ai.Algorithm.Equal(details.oid) {
   424					return details.algo
   425				}
   426			}
   427			return UnknownSignatureAlgorithm
   428		}
   429	
   430		// RSA PSS is special because it encodes important parameters
   431		// in the Parameters.
   432	
   433		var params pssParameters
   434		if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, &params); err != nil {
   435			return UnknownSignatureAlgorithm
   436		}
   437	
   438		var mgf1HashFunc pkix.AlgorithmIdentifier
   439		if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
   440			return UnknownSignatureAlgorithm
   441		}
   442	
   443		// PSS is greatly overburdened with options. This code forces them into
   444		// three buckets by requiring that the MGF1 hash function always match the
   445		// message hash function (as recommended in RFC 3447, Section 8.1), that the
   446		// salt length matches the hash length, and that the trailer field has the
   447		// default value.
   448		if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
   449			!params.MGF.Algorithm.Equal(oidMGF1) ||
   450			!mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
   451			(len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
   452			params.TrailerField != 1 {
   453			return UnknownSignatureAlgorithm
   454		}
   455	
   456		switch {
   457		case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
   458			return SHA256WithRSAPSS
   459		case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
   460			return SHA384WithRSAPSS
   461		case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
   462			return SHA512WithRSAPSS
   463		}
   464	
   465		return UnknownSignatureAlgorithm
   466	}
   467	
   468	// RFC 3279, 2.3 Public Key Algorithms
   469	//
   470	// pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   471	//    rsadsi(113549) pkcs(1) 1 }
   472	//
   473	// rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
   474	//
   475	// id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
   476	//    x9-57(10040) x9cm(4) 1 }
   477	//
   478	// RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
   479	//
   480	// id-ecPublicKey OBJECT IDENTIFIER ::= {
   481	//       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
   482	var (
   483		oidPublicKeyRSA     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
   484		oidPublicKeyDSA     = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
   485		oidPublicKeyECDSA   = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
   486		oidPublicKeyEd25519 = oidSignatureEd25519
   487	)
   488	
   489	func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
   490		switch {
   491		case oid.Equal(oidPublicKeyRSA):
   492			return RSA
   493		case oid.Equal(oidPublicKeyDSA):
   494			return DSA
   495		case oid.Equal(oidPublicKeyECDSA):
   496			return ECDSA
   497		case oid.Equal(oidPublicKeyEd25519):
   498			return Ed25519
   499		}
   500		return UnknownPublicKeyAlgorithm
   501	}
   502	
   503	// RFC 5480, 2.1.1.1. Named Curve
   504	//
   505	// secp224r1 OBJECT IDENTIFIER ::= {
   506	//   iso(1) identified-organization(3) certicom(132) curve(0) 33 }
   507	//
   508	// secp256r1 OBJECT IDENTIFIER ::= {
   509	//   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
   510	//   prime(1) 7 }
   511	//
   512	// secp384r1 OBJECT IDENTIFIER ::= {
   513	//   iso(1) identified-organization(3) certicom(132) curve(0) 34 }
   514	//
   515	// secp521r1 OBJECT IDENTIFIER ::= {
   516	//   iso(1) identified-organization(3) certicom(132) curve(0) 35 }
   517	//
   518	// NB: secp256r1 is equivalent to prime256v1
   519	var (
   520		oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
   521		oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
   522		oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
   523		oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
   524	)
   525	
   526	func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
   527		switch {
   528		case oid.Equal(oidNamedCurveP224):
   529			return elliptic.P224()
   530		case oid.Equal(oidNamedCurveP256):
   531			return elliptic.P256()
   532		case oid.Equal(oidNamedCurveP384):
   533			return elliptic.P384()
   534		case oid.Equal(oidNamedCurveP521):
   535			return elliptic.P521()
   536		}
   537		return nil
   538	}
   539	
   540	func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
   541		switch curve {
   542		case elliptic.P224():
   543			return oidNamedCurveP224, true
   544		case elliptic.P256():
   545			return oidNamedCurveP256, true
   546		case elliptic.P384():
   547			return oidNamedCurveP384, true
   548		case elliptic.P521():
   549			return oidNamedCurveP521, true
   550		}
   551	
   552		return nil, false
   553	}
   554	
   555	// KeyUsage represents the set of actions that are valid for a given key. It's
   556	// a bitmap of the KeyUsage* constants.
   557	type KeyUsage int
   558	
   559	const (
   560		KeyUsageDigitalSignature KeyUsage = 1 << iota
   561		KeyUsageContentCommitment
   562		KeyUsageKeyEncipherment
   563		KeyUsageDataEncipherment
   564		KeyUsageKeyAgreement
   565		KeyUsageCertSign
   566		KeyUsageCRLSign
   567		KeyUsageEncipherOnly
   568		KeyUsageDecipherOnly
   569	)
   570	
   571	// RFC 5280, 4.2.1.12  Extended Key Usage
   572	//
   573	// anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
   574	//
   575	// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
   576	//
   577	// id-kp-serverAuth             OBJECT IDENTIFIER ::= { id-kp 1 }
   578	// id-kp-clientAuth             OBJECT IDENTIFIER ::= { id-kp 2 }
   579	// id-kp-codeSigning            OBJECT IDENTIFIER ::= { id-kp 3 }
   580	// id-kp-emailProtection        OBJECT IDENTIFIER ::= { id-kp 4 }
   581	// id-kp-timeStamping           OBJECT IDENTIFIER ::= { id-kp 8 }
   582	// id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
   583	var (
   584		oidExtKeyUsageAny                            = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
   585		oidExtKeyUsageServerAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
   586		oidExtKeyUsageClientAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
   587		oidExtKeyUsageCodeSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
   588		oidExtKeyUsageEmailProtection                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
   589		oidExtKeyUsageIPSECEndSystem                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
   590		oidExtKeyUsageIPSECTunnel                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
   591		oidExtKeyUsageIPSECUser                      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
   592		oidExtKeyUsageTimeStamping                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
   593		oidExtKeyUsageOCSPSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
   594		oidExtKeyUsageMicrosoftServerGatedCrypto     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
   595		oidExtKeyUsageNetscapeServerGatedCrypto      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
   596		oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
   597		oidExtKeyUsageMicrosoftKernelCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
   598	)
   599	
   600	// ExtKeyUsage represents an extended set of actions that are valid for a given key.
   601	// Each of the ExtKeyUsage* constants define a unique action.
   602	type ExtKeyUsage int
   603	
   604	const (
   605		ExtKeyUsageAny ExtKeyUsage = iota
   606		ExtKeyUsageServerAuth
   607		ExtKeyUsageClientAuth
   608		ExtKeyUsageCodeSigning
   609		ExtKeyUsageEmailProtection
   610		ExtKeyUsageIPSECEndSystem
   611		ExtKeyUsageIPSECTunnel
   612		ExtKeyUsageIPSECUser
   613		ExtKeyUsageTimeStamping
   614		ExtKeyUsageOCSPSigning
   615		ExtKeyUsageMicrosoftServerGatedCrypto
   616		ExtKeyUsageNetscapeServerGatedCrypto
   617		ExtKeyUsageMicrosoftCommercialCodeSigning
   618		ExtKeyUsageMicrosoftKernelCodeSigning
   619	)
   620	
   621	// extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
   622	var extKeyUsageOIDs = []struct {
   623		extKeyUsage ExtKeyUsage
   624		oid         asn1.ObjectIdentifier
   625	}{
   626		{ExtKeyUsageAny, oidExtKeyUsageAny},
   627		{ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
   628		{ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
   629		{ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
   630		{ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
   631		{ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
   632		{ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
   633		{ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
   634		{ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
   635		{ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
   636		{ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
   637		{ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
   638		{ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
   639		{ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
   640	}
   641	
   642	func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
   643		for _, pair := range extKeyUsageOIDs {
   644			if oid.Equal(pair.oid) {
   645				return pair.extKeyUsage, true
   646			}
   647		}
   648		return
   649	}
   650	
   651	func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
   652		for _, pair := range extKeyUsageOIDs {
   653			if eku == pair.extKeyUsage {
   654				return pair.oid, true
   655			}
   656		}
   657		return
   658	}
   659	
   660	// A Certificate represents an X.509 certificate.
   661	type Certificate struct {
   662		Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
   663		RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
   664		RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
   665		RawSubject              []byte // DER encoded Subject
   666		RawIssuer               []byte // DER encoded Issuer
   667	
   668		Signature          []byte
   669		SignatureAlgorithm SignatureAlgorithm
   670	
   671		PublicKeyAlgorithm PublicKeyAlgorithm
   672		PublicKey          interface{}
   673	
   674		Version             int
   675		SerialNumber        *big.Int
   676		Issuer              pkix.Name
   677		Subject             pkix.Name
   678		NotBefore, NotAfter time.Time // Validity bounds.
   679		KeyUsage            KeyUsage
   680	
   681		// Extensions contains raw X.509 extensions. When parsing certificates,
   682		// this can be used to extract non-critical extensions that are not
   683		// parsed by this package. When marshaling certificates, the Extensions
   684		// field is ignored, see ExtraExtensions.
   685		Extensions []pkix.Extension
   686	
   687		// ExtraExtensions contains extensions to be copied, raw, into any
   688		// marshaled certificates. Values override any extensions that would
   689		// otherwise be produced based on the other fields. The ExtraExtensions
   690		// field is not populated when parsing certificates, see Extensions.
   691		ExtraExtensions []pkix.Extension
   692	
   693		// UnhandledCriticalExtensions contains a list of extension IDs that
   694		// were not (fully) processed when parsing. Verify will fail if this
   695		// slice is non-empty, unless verification is delegated to an OS
   696		// library which understands all the critical extensions.
   697		//
   698		// Users can access these extensions using Extensions and can remove
   699		// elements from this slice if they believe that they have been
   700		// handled.
   701		UnhandledCriticalExtensions []asn1.ObjectIdentifier
   702	
   703		ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
   704		UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.
   705	
   706		// BasicConstraintsValid indicates whether IsCA, MaxPathLen,
   707		// and MaxPathLenZero are valid.
   708		BasicConstraintsValid bool
   709		IsCA                  bool
   710	
   711		// MaxPathLen and MaxPathLenZero indicate the presence and
   712		// value of the BasicConstraints' "pathLenConstraint".
   713		//
   714		// When parsing a certificate, a positive non-zero MaxPathLen
   715		// means that the field was specified, -1 means it was unset,
   716		// and MaxPathLenZero being true mean that the field was
   717		// explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
   718		// should be treated equivalent to -1 (unset).
   719		//
   720		// When generating a certificate, an unset pathLenConstraint
   721		// can be requested with either MaxPathLen == -1 or using the
   722		// zero value for both MaxPathLen and MaxPathLenZero.
   723		MaxPathLen int
   724		// MaxPathLenZero indicates that BasicConstraintsValid==true
   725		// and MaxPathLen==0 should be interpreted as an actual
   726		// maximum path length of zero. Otherwise, that combination is
   727		// interpreted as MaxPathLen not being set.
   728		MaxPathLenZero bool
   729	
   730		SubjectKeyId   []byte
   731		AuthorityKeyId []byte
   732	
   733		// RFC 5280, 4.2.2.1 (Authority Information Access)
   734		OCSPServer            []string
   735		IssuingCertificateURL []string
   736	
   737		// Subject Alternate Name values. (Note that these values may not be valid
   738		// if invalid values were contained within a parsed certificate. For
   739		// example, an element of DNSNames may not be a valid DNS domain name.)
   740		DNSNames       []string
   741		EmailAddresses []string
   742		IPAddresses    []net.IP
   743		URIs           []*url.URL
   744	
   745		// Name constraints
   746		PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
   747		PermittedDNSDomains         []string
   748		ExcludedDNSDomains          []string
   749		PermittedIPRanges           []*net.IPNet
   750		ExcludedIPRanges            []*net.IPNet
   751		PermittedEmailAddresses     []string
   752		ExcludedEmailAddresses      []string
   753		PermittedURIDomains         []string
   754		ExcludedURIDomains          []string
   755	
   756		// CRL Distribution Points
   757		CRLDistributionPoints []string
   758	
   759		PolicyIdentifiers []asn1.ObjectIdentifier
   760	}
   761	
   762	// ErrUnsupportedAlgorithm results from attempting to perform an operation that
   763	// involves algorithms that are not currently implemented.
   764	var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
   765	
   766	// An InsecureAlgorithmError
   767	type InsecureAlgorithmError SignatureAlgorithm
   768	
   769	func (e InsecureAlgorithmError) Error() string {
   770		return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e))
   771	}
   772	
   773	// ConstraintViolationError results when a requested usage is not permitted by
   774	// a certificate. For example: checking a signature when the public key isn't a
   775	// certificate signing key.
   776	type ConstraintViolationError struct{}
   777	
   778	func (ConstraintViolationError) Error() string {
   779		return "x509: invalid signature: parent certificate cannot sign this kind of certificate"
   780	}
   781	
   782	func (c *Certificate) Equal(other *Certificate) bool {
   783		return bytes.Equal(c.Raw, other.Raw)
   784	}
   785	
   786	func (c *Certificate) hasSANExtension() bool {
   787		return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
   788	}
   789	
   790	// Entrust have a broken root certificate (CN=Entrust.net Certification
   791	// Authority (2048)) which isn't marked as a CA certificate and is thus invalid
   792	// according to PKIX.
   793	// We recognise this certificate by its SubjectPublicKeyInfo and exempt it
   794	// from the Basic Constraints requirement.
   795	// See http://www.entrust.net/knowledge-base/technote.cfm?tn=7869
   796	//
   797	// TODO(agl): remove this hack once their reissued root is sufficiently
   798	// widespread.
   799	var entrustBrokenSPKI = []byte{
   800		0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09,
   801		0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
   802		0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
   803		0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
   804		0x00, 0x97, 0xa3, 0x2d, 0x3c, 0x9e, 0xde, 0x05,
   805		0xda, 0x13, 0xc2, 0x11, 0x8d, 0x9d, 0x8e, 0xe3,
   806		0x7f, 0xc7, 0x4b, 0x7e, 0x5a, 0x9f, 0xb3, 0xff,
   807		0x62, 0xab, 0x73, 0xc8, 0x28, 0x6b, 0xba, 0x10,
   808		0x64, 0x82, 0x87, 0x13, 0xcd, 0x57, 0x18, 0xff,
   809		0x28, 0xce, 0xc0, 0xe6, 0x0e, 0x06, 0x91, 0x50,
   810		0x29, 0x83, 0xd1, 0xf2, 0xc3, 0x2a, 0xdb, 0xd8,
   811		0xdb, 0x4e, 0x04, 0xcc, 0x00, 0xeb, 0x8b, 0xb6,
   812		0x96, 0xdc, 0xbc, 0xaa, 0xfa, 0x52, 0x77, 0x04,
   813		0xc1, 0xdb, 0x19, 0xe4, 0xae, 0x9c, 0xfd, 0x3c,
   814		0x8b, 0x03, 0xef, 0x4d, 0xbc, 0x1a, 0x03, 0x65,
   815		0xf9, 0xc1, 0xb1, 0x3f, 0x72, 0x86, 0xf2, 0x38,
   816		0xaa, 0x19, 0xae, 0x10, 0x88, 0x78, 0x28, 0xda,
   817		0x75, 0xc3, 0x3d, 0x02, 0x82, 0x02, 0x9c, 0xb9,
   818		0xc1, 0x65, 0x77, 0x76, 0x24, 0x4c, 0x98, 0xf7,
   819		0x6d, 0x31, 0x38, 0xfb, 0xdb, 0xfe, 0xdb, 0x37,
   820		0x02, 0x76, 0xa1, 0x18, 0x97, 0xa6, 0xcc, 0xde,
   821		0x20, 0x09, 0x49, 0x36, 0x24, 0x69, 0x42, 0xf6,
   822		0xe4, 0x37, 0x62, 0xf1, 0x59, 0x6d, 0xa9, 0x3c,
   823		0xed, 0x34, 0x9c, 0xa3, 0x8e, 0xdb, 0xdc, 0x3a,
   824		0xd7, 0xf7, 0x0a, 0x6f, 0xef, 0x2e, 0xd8, 0xd5,
   825		0x93, 0x5a, 0x7a, 0xed, 0x08, 0x49, 0x68, 0xe2,
   826		0x41, 0xe3, 0x5a, 0x90, 0xc1, 0x86, 0x55, 0xfc,
   827		0x51, 0x43, 0x9d, 0xe0, 0xb2, 0xc4, 0x67, 0xb4,
   828		0xcb, 0x32, 0x31, 0x25, 0xf0, 0x54, 0x9f, 0x4b,
   829		0xd1, 0x6f, 0xdb, 0xd4, 0xdd, 0xfc, 0xaf, 0x5e,
   830		0x6c, 0x78, 0x90, 0x95, 0xde, 0xca, 0x3a, 0x48,
   831		0xb9, 0x79, 0x3c, 0x9b, 0x19, 0xd6, 0x75, 0x05,
   832		0xa0, 0xf9, 0x88, 0xd7, 0xc1, 0xe8, 0xa5, 0x09,
   833		0xe4, 0x1a, 0x15, 0xdc, 0x87, 0x23, 0xaa, 0xb2,
   834		0x75, 0x8c, 0x63, 0x25, 0x87, 0xd8, 0xf8, 0x3d,
   835		0xa6, 0xc2, 0xcc, 0x66, 0xff, 0xa5, 0x66, 0x68,
   836		0x55, 0x02, 0x03, 0x01, 0x00, 0x01,
   837	}
   838	
   839	// CheckSignatureFrom verifies that the signature on c is a valid signature
   840	// from parent.
   841	func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
   842		// RFC 5280, 4.2.1.9:
   843		// "If the basic constraints extension is not present in a version 3
   844		// certificate, or the extension is present but the cA boolean is not
   845		// asserted, then the certified public key MUST NOT be used to verify
   846		// certificate signatures."
   847		// (except for Entrust, see comment above entrustBrokenSPKI)
   848		if (parent.Version == 3 && !parent.BasicConstraintsValid ||
   849			parent.BasicConstraintsValid && !parent.IsCA) &&
   850			!bytes.Equal(c.RawSubjectPublicKeyInfo, entrustBrokenSPKI) {
   851			return ConstraintViolationError{}
   852		}
   853	
   854		if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
   855			return ConstraintViolationError{}
   856		}
   857	
   858		if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
   859			return ErrUnsupportedAlgorithm
   860		}
   861	
   862		// TODO(agl): don't ignore the path length constraint.
   863	
   864		return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
   865	}
   866	
   867	// CheckSignature verifies that signature is a valid signature over signed from
   868	// c's public key.
   869	func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
   870		return checkSignature(algo, signed, signature, c.PublicKey)
   871	}
   872	
   873	func (c *Certificate) hasNameConstraints() bool {
   874		return oidInExtensions(oidExtensionNameConstraints, c.Extensions)
   875	}
   876	
   877	func (c *Certificate) getSANExtension() []byte {
   878		for _, e := range c.Extensions {
   879			if e.Id.Equal(oidExtensionSubjectAltName) {
   880				return e.Value
   881			}
   882		}
   883		return nil
   884	}
   885	
   886	func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
   887		return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
   888	}
   889	
   890	// CheckSignature verifies that signature is a valid signature over signed from
   891	// a crypto.PublicKey.
   892	func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
   893		var hashType crypto.Hash
   894		var pubKeyAlgo PublicKeyAlgorithm
   895	
   896		for _, details := range signatureAlgorithmDetails {
   897			if details.algo == algo {
   898				hashType = details.hash
   899				pubKeyAlgo = details.pubKeyAlgo
   900			}
   901		}
   902	
   903		switch hashType {
   904		case crypto.Hash(0):
   905			if pubKeyAlgo != Ed25519 {
   906				return ErrUnsupportedAlgorithm
   907			}
   908		case crypto.MD5:
   909			return InsecureAlgorithmError(algo)
   910		default:
   911			if !hashType.Available() {
   912				return ErrUnsupportedAlgorithm
   913			}
   914			h := hashType.New()
   915			h.Write(signed)
   916			signed = h.Sum(nil)
   917		}
   918	
   919		switch pub := publicKey.(type) {
   920		case *rsa.PublicKey:
   921			if pubKeyAlgo != RSA {
   922				return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   923			}
   924			if algo.isRSAPSS() {
   925				return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
   926			} else {
   927				return rsa.VerifyPKCS1v15(pub, hashType, signed, signature)
   928			}
   929		case *dsa.PublicKey:
   930			if pubKeyAlgo != DSA {
   931				return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   932			}
   933			dsaSig := new(dsaSignature)
   934			if rest, err := asn1.Unmarshal(signature, dsaSig); err != nil {
   935				return err
   936			} else if len(rest) != 0 {
   937				return errors.New("x509: trailing data after DSA signature")
   938			}
   939			if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 {
   940				return errors.New("x509: DSA signature contained zero or negative values")
   941			}
   942			if !dsa.Verify(pub, signed, dsaSig.R, dsaSig.S) {
   943				return errors.New("x509: DSA verification failure")
   944			}
   945			return
   946		case *ecdsa.PublicKey:
   947			if pubKeyAlgo != ECDSA {
   948				return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   949			}
   950			ecdsaSig := new(ecdsaSignature)
   951			if rest, err := asn1.Unmarshal(signature, ecdsaSig); err != nil {
   952				return err
   953			} else if len(rest) != 0 {
   954				return errors.New("x509: trailing data after ECDSA signature")
   955			}
   956			if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
   957				return errors.New("x509: ECDSA signature contained zero or negative values")
   958			}
   959			if !ecdsa.Verify(pub, signed, ecdsaSig.R, ecdsaSig.S) {
   960				return errors.New("x509: ECDSA verification failure")
   961			}
   962			return
   963		case ed25519.PublicKey:
   964			if pubKeyAlgo != Ed25519 {
   965				return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
   966			}
   967			if !ed25519.Verify(pub, signed, signature) {
   968				return errors.New("x509: Ed25519 verification failure")
   969			}
   970			return
   971		}
   972		return ErrUnsupportedAlgorithm
   973	}
   974	
   975	// CheckCRLSignature checks that the signature in crl is from c.
   976	func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error {
   977		algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm)
   978		return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign())
   979	}
   980	
   981	type UnhandledCriticalExtension struct{}
   982	
   983	func (h UnhandledCriticalExtension) Error() string {
   984		return "x509: unhandled critical extension"
   985	}
   986	
   987	type basicConstraints struct {
   988		IsCA       bool `asn1:"optional"`
   989		MaxPathLen int  `asn1:"optional,default:-1"`
   990	}
   991	
   992	// RFC 5280 4.2.1.4
   993	type policyInformation struct {
   994		Policy asn1.ObjectIdentifier
   995		// policyQualifiers omitted
   996	}
   997	
   998	const (
   999		nameTypeEmail = 1
  1000		nameTypeDNS   = 2
  1001		nameTypeURI   = 6
  1002		nameTypeIP    = 7
  1003	)
  1004	
  1005	// RFC 5280, 4.2.2.1
  1006	type authorityInfoAccess struct {
  1007		Method   asn1.ObjectIdentifier
  1008		Location asn1.RawValue
  1009	}
  1010	
  1011	// RFC 5280, 4.2.1.14
  1012	type distributionPoint struct {
  1013		DistributionPoint distributionPointName `asn1:"optional,tag:0"`
  1014		Reason            asn1.BitString        `asn1:"optional,tag:1"`
  1015		CRLIssuer         asn1.RawValue         `asn1:"optional,tag:2"`
  1016	}
  1017	
  1018	type distributionPointName struct {
  1019		FullName     []asn1.RawValue  `asn1:"optional,tag:0"`
  1020		RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
  1021	}
  1022	
  1023	func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
  1024		asn1Data := keyData.PublicKey.RightAlign()
  1025		switch algo {
  1026		case RSA:
  1027			// RSA public keys must have a NULL in the parameters.
  1028			// See RFC 3279, Section 2.3.1.
  1029			if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) {
  1030				return nil, errors.New("x509: RSA key missing NULL parameters")
  1031			}
  1032	
  1033			p := new(pkcs1PublicKey)
  1034			rest, err := asn1.Unmarshal(asn1Data, p)
  1035			if err != nil {
  1036				return nil, err
  1037			}
  1038			if len(rest) != 0 {
  1039				return nil, errors.New("x509: trailing data after RSA public key")
  1040			}
  1041	
  1042			if p.N.Sign() <= 0 {
  1043				return nil, errors.New("x509: RSA modulus is not a positive number")
  1044			}
  1045			if p.E <= 0 {
  1046				return nil, errors.New("x509: RSA public exponent is not a positive number")
  1047			}
  1048	
  1049			pub := &rsa.PublicKey{
  1050				E: p.E,
  1051				N: p.N,
  1052			}
  1053			return pub, nil
  1054		case DSA:
  1055			var p *big.Int
  1056			rest, err := asn1.Unmarshal(asn1Data, &p)
  1057			if err != nil {
  1058				return nil, err
  1059			}
  1060			if len(rest) != 0 {
  1061				return nil, errors.New("x509: trailing data after DSA public key")
  1062			}
  1063			paramsData := keyData.Algorithm.Parameters.FullBytes
  1064			params := new(dsaAlgorithmParameters)
  1065			rest, err = asn1.Unmarshal(paramsData, params)
  1066			if err != nil {
  1067				return nil, err
  1068			}
  1069			if len(rest) != 0 {
  1070				return nil, errors.New("x509: trailing data after DSA parameters")
  1071			}
  1072			if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0 || params.G.Sign() <= 0 {
  1073				return nil, errors.New("x509: zero or negative DSA parameter")
  1074			}
  1075			pub := &dsa.PublicKey{
  1076				Parameters: dsa.Parameters{
  1077					P: params.P,
  1078					Q: params.Q,
  1079					G: params.G,
  1080				},
  1081				Y: p,
  1082			}
  1083			return pub, nil
  1084		case ECDSA:
  1085			paramsData := keyData.Algorithm.Parameters.FullBytes
  1086			namedCurveOID := new(asn1.ObjectIdentifier)
  1087			rest, err := asn1.Unmarshal(paramsData, namedCurveOID)
  1088			if err != nil {
  1089				return nil, errors.New("x509: failed to parse ECDSA parameters as named curve")
  1090			}
  1091			if len(rest) != 0 {
  1092				return nil, errors.New("x509: trailing data after ECDSA parameters")
  1093			}
  1094			namedCurve := namedCurveFromOID(*namedCurveOID)
  1095			if namedCurve == nil {
  1096				return nil, errors.New("x509: unsupported elliptic curve")
  1097			}
  1098			x, y := elliptic.Unmarshal(namedCurve, asn1Data)
  1099			if x == nil {
  1100				return nil, errors.New("x509: failed to unmarshal elliptic curve point")
  1101			}
  1102			pub := &ecdsa.PublicKey{
  1103				Curve: namedCurve,
  1104				X:     x,
  1105				Y:     y,
  1106			}
  1107			return pub, nil
  1108		case Ed25519:
  1109			// RFC 8410, Section 3
  1110			// > For all of the OIDs, the parameters MUST be absent.
  1111			if len(keyData.Algorithm.Parameters.FullBytes) != 0 {
  1112				return nil, errors.New("x509: Ed25519 key encoded with illegal parameters")
  1113			}
  1114			if len(asn1Data) != ed25519.PublicKeySize {
  1115				return nil, errors.New("x509: wrong Ed25519 public key size")
  1116			}
  1117			pub := make([]byte, ed25519.PublicKeySize)
  1118			copy(pub, asn1Data)
  1119			return ed25519.PublicKey(pub), nil
  1120		default:
  1121			return nil, nil
  1122		}
  1123	}
  1124	
  1125	func forEachSAN(extension []byte, callback func(tag int, data []byte) error) error {
  1126		// RFC 5280, 4.2.1.6
  1127	
  1128		// SubjectAltName ::= GeneralNames
  1129		//
  1130		// GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
  1131		//
  1132		// GeneralName ::= CHOICE {
  1133		//      otherName                       [0]     OtherName,
  1134		//      rfc822Name                      [1]     IA5String,
  1135		//      dNSName                         [2]     IA5String,
  1136		//      x400Address                     [3]     ORAddress,
  1137		//      directoryName                   [4]     Name,
  1138		//      ediPartyName                    [5]     EDIPartyName,
  1139		//      uniformResourceIdentifier       [6]     IA5String,
  1140		//      iPAddress                       [7]     OCTET STRING,
  1141		//      registeredID                    [8]     OBJECT IDENTIFIER }
  1142		var seq asn1.RawValue
  1143		rest, err := asn1.Unmarshal(extension, &seq)
  1144		if err != nil {
  1145			return err
  1146		} else if len(rest) != 0 {
  1147			return errors.New("x509: trailing data after X.509 extension")
  1148		}
  1149		if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
  1150			return asn1.StructuralError{Msg: "bad SAN sequence"}
  1151		}
  1152	
  1153		rest = seq.Bytes
  1154		for len(rest) > 0 {
  1155			var v asn1.RawValue
  1156			rest, err = asn1.Unmarshal(rest, &v)
  1157			if err != nil {
  1158				return err
  1159			}
  1160	
  1161			if err := callback(v.Tag, v.Bytes); err != nil {
  1162				return err
  1163			}
  1164		}
  1165	
  1166		return nil
  1167	}
  1168	
  1169	func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) {
  1170		err = forEachSAN(value, func(tag int, data []byte) error {
  1171			switch tag {
  1172			case nameTypeEmail:
  1173				emailAddresses = append(emailAddresses, string(data))
  1174			case nameTypeDNS:
  1175				dnsNames = append(dnsNames, string(data))
  1176			case nameTypeURI:
  1177				uri, err := url.Parse(string(data))
  1178				if err != nil {
  1179					return fmt.Errorf("x509: cannot parse URI %q: %s", string(data), err)
  1180				}
  1181				if len(uri.Host) > 0 {
  1182					if _, ok := domainToReverseLabels(uri.Host); !ok {
  1183						return fmt.Errorf("x509: cannot parse URI %q: invalid domain", string(data))
  1184					}
  1185				}
  1186				uris = append(uris, uri)
  1187			case nameTypeIP:
  1188				switch len(data) {
  1189				case net.IPv4len, net.IPv6len:
  1190					ipAddresses = append(ipAddresses, data)
  1191				default:
  1192					return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data)))
  1193				}
  1194			}
  1195	
  1196			return nil
  1197		})
  1198	
  1199		return
  1200	}
  1201	
  1202	// isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.
  1203	func isValidIPMask(mask []byte) bool {
  1204		seenZero := false
  1205	
  1206		for _, b := range mask {
  1207			if seenZero {
  1208				if b != 0 {
  1209					return false
  1210				}
  1211	
  1212				continue
  1213			}
  1214	
  1215			switch b {
  1216			case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe:
  1217				seenZero = true
  1218			case 0xff:
  1219			default:
  1220				return false
  1221			}
  1222		}
  1223	
  1224		return true
  1225	}
  1226	
  1227	func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) {
  1228		// RFC 5280, 4.2.1.10
  1229	
  1230		// NameConstraints ::= SEQUENCE {
  1231		//      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
  1232		//      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
  1233		//
  1234		// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
  1235		//
  1236		// GeneralSubtree ::= SEQUENCE {
  1237		//      base                    GeneralName,
  1238		//      minimum         [0]     BaseDistance DEFAULT 0,
  1239		//      maximum         [1]     BaseDistance OPTIONAL }
  1240		//
  1241		// BaseDistance ::= INTEGER (0..MAX)
  1242	
  1243		outer := cryptobyte.String(e.Value)
  1244		var toplevel, permitted, excluded cryptobyte.String
  1245		var havePermitted, haveExcluded bool
  1246		if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) ||
  1247			!outer.Empty() ||
  1248			!toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) ||
  1249			!toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) ||
  1250			!toplevel.Empty() {
  1251			return false, errors.New("x509: invalid NameConstraints extension")
  1252		}
  1253	
  1254		if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 {
  1255			// From RFC 5280, Section 4.2.1.10:
  1256			//   “either the permittedSubtrees field
  1257			//   or the excludedSubtrees MUST be
  1258			//   present”
  1259			return false, errors.New("x509: empty name constraints extension")
  1260		}
  1261	
  1262		getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) {
  1263			for !subtrees.Empty() {
  1264				var seq, value cryptobyte.String
  1265				var tag cryptobyte_asn1.Tag
  1266				if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) ||
  1267					!seq.ReadAnyASN1(&value, &tag) {
  1268					return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension")
  1269				}
  1270	
  1271				var (
  1272					dnsTag   = cryptobyte_asn1.Tag(2).ContextSpecific()
  1273					emailTag = cryptobyte_asn1.Tag(1).ContextSpecific()
  1274					ipTag    = cryptobyte_asn1.Tag(7).ContextSpecific()
  1275					uriTag   = cryptobyte_asn1.Tag(6).ContextSpecific()
  1276				)
  1277	
  1278				switch tag {
  1279				case dnsTag:
  1280					domain := string(value)
  1281					if err := isIA5String(domain); err != nil {
  1282						return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1283					}
  1284	
  1285					trimmedDomain := domain
  1286					if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
  1287						// constraints can have a leading
  1288						// period to exclude the domain
  1289						// itself, but that's not valid in a
  1290						// normal domain name.
  1291						trimmedDomain = trimmedDomain[1:]
  1292					}
  1293					if _, ok := domainToReverseLabels(trimmedDomain); !ok {
  1294						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
  1295					}
  1296					dnsNames = append(dnsNames, domain)
  1297	
  1298				case ipTag:
  1299					l := len(value)
  1300					var ip, mask []byte
  1301	
  1302					switch l {
  1303					case 8:
  1304						ip = value[:4]
  1305						mask = value[4:]
  1306	
  1307					case 32:
  1308						ip = value[:16]
  1309						mask = value[16:]
  1310	
  1311					default:
  1312						return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l)
  1313					}
  1314	
  1315					if !isValidIPMask(mask) {
  1316						return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask)
  1317					}
  1318	
  1319					ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)})
  1320	
  1321				case emailTag:
  1322					constraint := string(value)
  1323					if err := isIA5String(constraint); err != nil {
  1324						return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1325					}
  1326	
  1327					// If the constraint contains an @ then
  1328					// it specifies an exact mailbox name.
  1329					if strings.Contains(constraint, "@") {
  1330						if _, ok := parseRFC2821Mailbox(constraint); !ok {
  1331							return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
  1332						}
  1333					} else {
  1334						// Otherwise it's a domain name.
  1335						domain := constraint
  1336						if len(domain) > 0 && domain[0] == '.' {
  1337							domain = domain[1:]
  1338						}
  1339						if _, ok := domainToReverseLabels(domain); !ok {
  1340							return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
  1341						}
  1342					}
  1343					emails = append(emails, constraint)
  1344	
  1345				case uriTag:
  1346					domain := string(value)
  1347					if err := isIA5String(domain); err != nil {
  1348						return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
  1349					}
  1350	
  1351					if net.ParseIP(domain) != nil {
  1352						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
  1353					}
  1354	
  1355					trimmedDomain := domain
  1356					if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
  1357						// constraints can have a leading
  1358						// period to exclude the domain itself,
  1359						// but that's not valid in a normal
  1360						// domain name.
  1361						trimmedDomain = trimmedDomain[1:]
  1362					}
  1363					if _, ok := domainToReverseLabels(trimmedDomain); !ok {
  1364						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
  1365					}
  1366					uriDomains = append(uriDomains, domain)
  1367	
  1368				default:
  1369					unhandled = true
  1370				}
  1371			}
  1372	
  1373			return dnsNames, ips, emails, uriDomains, nil
  1374		}
  1375	
  1376		if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil {
  1377			return false, err
  1378		}
  1379		if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil {
  1380			return false, err
  1381		}
  1382		out.PermittedDNSDomainsCritical = e.Critical
  1383	
  1384		return unhandled, nil
  1385	}
  1386	
  1387	func parseCertificate(in *certificate) (*Certificate, error) {
  1388		out := new(Certificate)
  1389		out.Raw = in.Raw
  1390		out.RawTBSCertificate = in.TBSCertificate.Raw
  1391		out.RawSubjectPublicKeyInfo = in.TBSCertificate.PublicKey.Raw
  1392		out.RawSubject = in.TBSCertificate.Subject.FullBytes
  1393		out.RawIssuer = in.TBSCertificate.Issuer.FullBytes
  1394	
  1395		out.Signature = in.SignatureValue.RightAlign()
  1396		out.SignatureAlgorithm =
  1397			getSignatureAlgorithmFromAI(in.TBSCertificate.SignatureAlgorithm)
  1398	
  1399		out.PublicKeyAlgorithm =
  1400			getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorithm.Algorithm)
  1401		var err error
  1402		out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey)
  1403		if err != nil {
  1404			return nil, err
  1405		}
  1406	
  1407		out.Version = in.TBSCertificate.Version + 1
  1408		out.SerialNumber = in.TBSCertificate.SerialNumber
  1409	
  1410		var issuer, subject pkix.RDNSequence
  1411		if rest, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subject); err != nil {
  1412			return nil, err
  1413		} else if len(rest) != 0 {
  1414			return nil, errors.New("x509: trailing data after X.509 subject")
  1415		}
  1416		if rest, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer); err != nil {
  1417			return nil, err
  1418		} else if len(rest) != 0 {
  1419			return nil, errors.New("x509: trailing data after X.509 subject")
  1420		}
  1421	
  1422		out.Issuer.FillFromRDNSequence(&issuer)
  1423		out.Subject.FillFromRDNSequence(&subject)
  1424	
  1425		out.NotBefore = in.TBSCertificate.Validity.NotBefore
  1426		out.NotAfter = in.TBSCertificate.Validity.NotAfter
  1427	
  1428		for _, e := range in.TBSCertificate.Extensions {
  1429			out.Extensions = append(out.Extensions, e)
  1430			unhandled := false
  1431	
  1432			if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 {
  1433				switch e.Id[3] {
  1434				case 15:
  1435					// RFC 5280, 4.2.1.3
  1436					var usageBits asn1.BitString
  1437					if rest, err := asn1.Unmarshal(e.Value, &usageBits); err != nil {
  1438						return nil, err
  1439					} else if len(rest) != 0 {
  1440						return nil, errors.New("x509: trailing data after X.509 KeyUsage")
  1441					}
  1442	
  1443					var usage int
  1444					for i := 0; i < 9; i++ {
  1445						if usageBits.At(i) != 0 {
  1446							usage |= 1 << uint(i)
  1447						}
  1448					}
  1449					out.KeyUsage = KeyUsage(usage)
  1450	
  1451				case 19:
  1452					// RFC 5280, 4.2.1.9
  1453					var constraints basicConstraints
  1454					if rest, err := asn1.Unmarshal(e.Value, &constraints); err != nil {
  1455						return nil, err
  1456					} else if len(rest) != 0 {
  1457						return nil, errors.New("x509: trailing data after X.509 BasicConstraints")
  1458					}
  1459	
  1460					out.BasicConstraintsValid = true
  1461					out.IsCA = constraints.IsCA
  1462					out.MaxPathLen = constraints.MaxPathLen
  1463					out.MaxPathLenZero = out.MaxPathLen == 0
  1464					// TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285)
  1465				case 17:
  1466					out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value)
  1467					if err != nil {
  1468						return nil, err
  1469					}
  1470	
  1471					if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 {
  1472						// If we didn't parse anything then we do the critical check, below.
  1473						unhandled = true
  1474					}
  1475	
  1476				case 30:
  1477					unhandled, err = parseNameConstraintsExtension(out, e)
  1478					if err != nil {
  1479						return nil, err
  1480					}
  1481	
  1482				case 31:
  1483					// RFC 5280, 4.2.1.13
  1484	
  1485					// CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
  1486					//
  1487					// DistributionPoint ::= SEQUENCE {
  1488					//     distributionPoint       [0]     DistributionPointName OPTIONAL,
  1489					//     reasons                 [1]     ReasonFlags OPTIONAL,
  1490					//     cRLIssuer               [2]     GeneralNames OPTIONAL }
  1491					//
  1492					// DistributionPointName ::= CHOICE {
  1493					//     fullName                [0]     GeneralNames,
  1494					//     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
  1495	
  1496					var cdp []distributionPoint
  1497					if rest, err := asn1.Unmarshal(e.Value, &cdp); err != nil {
  1498						return nil, err
  1499					} else if len(rest) != 0 {
  1500						return nil, errors.New("x509: trailing data after X.509 CRL distribution point")
  1501					}
  1502	
  1503					for _, dp := range cdp {
  1504						// Per RFC 5280, 4.2.1.13, one of distributionPoint or cRLIssuer may be empty.
  1505						if len(dp.DistributionPoint.FullName) == 0 {
  1506							continue
  1507						}
  1508	
  1509						for _, fullName := range dp.DistributionPoint.FullName {
  1510							if fullName.Tag == 6 {
  1511								out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(fullName.Bytes))
  1512							}
  1513						}
  1514					}
  1515	
  1516				case 35:
  1517					// RFC 5280, 4.2.1.1
  1518					var a authKeyId
  1519					if rest, err := asn1.Unmarshal(e.Value, &a); err != nil {
  1520						return nil, err
  1521					} else if len(rest) != 0 {
  1522						return nil, errors.New("x509: trailing data after X.509 authority key-id")
  1523					}
  1524					out.AuthorityKeyId = a.Id
  1525	
  1526				case 37:
  1527					// RFC 5280, 4.2.1.12.  Extended Key Usage
  1528	
  1529					// id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
  1530					//
  1531					// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  1532					//
  1533					// KeyPurposeId ::= OBJECT IDENTIFIER
  1534	
  1535					var keyUsage []asn1.ObjectIdentifier
  1536					if rest, err := asn1.Unmarshal(e.Value, &keyUsage); err != nil {
  1537						return nil, err
  1538					} else if len(rest) != 0 {
  1539						return nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage")
  1540					}
  1541	
  1542					for _, u := range keyUsage {
  1543						if extKeyUsage, ok := extKeyUsageFromOID(u); ok {
  1544							out.ExtKeyUsage = append(out.ExtKeyUsage, extKeyUsage)
  1545						} else {
  1546							out.UnknownExtKeyUsage = append(out.UnknownExtKeyUsage, u)
  1547						}
  1548					}
  1549	
  1550				case 14:
  1551					// RFC 5280, 4.2.1.2
  1552					var keyid []byte
  1553					if rest, err := asn1.Unmarshal(e.Value, &keyid); err != nil {
  1554						return nil, err
  1555					} else if len(rest) != 0 {
  1556						return nil, errors.New("x509: trailing data after X.509 key-id")
  1557					}
  1558					out.SubjectKeyId = keyid
  1559	
  1560				case 32:
  1561					// RFC 5280 4.2.1.4: Certificate Policies
  1562					var policies []policyInformation
  1563					if rest, err := asn1.Unmarshal(e.Value, &policies); err != nil {
  1564						return nil, err
  1565					} else if len(rest) != 0 {
  1566						return nil, errors.New("x509: trailing data after X.509 certificate policies")
  1567					}
  1568					out.PolicyIdentifiers = make([]asn1.ObjectIdentifier, len(policies))
  1569					for i, policy := range policies {
  1570						out.PolicyIdentifiers[i] = policy.Policy
  1571					}
  1572	
  1573				default:
  1574					// Unknown extensions are recorded if critical.
  1575					unhandled = true
  1576				}
  1577			} else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
  1578				// RFC 5280 4.2.2.1: Authority Information Access
  1579				var aia []authorityInfoAccess
  1580				if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil {
  1581					return nil, err
  1582				} else if len(rest) != 0 {
  1583					return nil, errors.New("x509: trailing data after X.509 authority information")
  1584				}
  1585	
  1586				for _, v := range aia {
  1587					// GeneralName: uniformResourceIdentifier [6] IA5String
  1588					if v.Location.Tag != 6 {
  1589						continue
  1590					}
  1591					if v.Method.Equal(oidAuthorityInfoAccessOcsp) {
  1592						out.OCSPServer = append(out.OCSPServer, string(v.Location.Bytes))
  1593					} else if v.Method.Equal(oidAuthorityInfoAccessIssuers) {
  1594						out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(v.Location.Bytes))
  1595					}
  1596				}
  1597			} else {
  1598				// Unknown extensions are recorded if critical.
  1599				unhandled = true
  1600			}
  1601	
  1602			if e.Critical && unhandled {
  1603				out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id)
  1604			}
  1605		}
  1606	
  1607		return out, nil
  1608	}
  1609	
  1610	// ParseCertificate parses a single certificate from the given ASN.1 DER data.
  1611	func ParseCertificate(asn1Data []byte) (*Certificate, error) {
  1612		var cert certificate
  1613		rest, err := asn1.Unmarshal(asn1Data, &cert)
  1614		if err != nil {
  1615			return nil, err
  1616		}
  1617		if len(rest) > 0 {
  1618			return nil, asn1.SyntaxError{Msg: "trailing data"}
  1619		}
  1620	
  1621		return parseCertificate(&cert)
  1622	}
  1623	
  1624	// ParseCertificates parses one or more certificates from the given ASN.1 DER
  1625	// data. The certificates must be concatenated with no intermediate padding.
  1626	func ParseCertificates(asn1Data []byte) ([]*Certificate, error) {
  1627		var v []*certificate
  1628	
  1629		for len(asn1Data) > 0 {
  1630			cert := new(certificate)
  1631			var err error
  1632			asn1Data, err = asn1.Unmarshal(asn1Data, cert)
  1633			if err != nil {
  1634				return nil, err
  1635			}
  1636			v = append(v, cert)
  1637		}
  1638	
  1639		ret := make([]*Certificate, len(v))
  1640		for i, ci := range v {
  1641			cert, err := parseCertificate(ci)
  1642			if err != nil {
  1643				return nil, err
  1644			}
  1645			ret[i] = cert
  1646		}
  1647	
  1648		return ret, nil
  1649	}
  1650	
  1651	func reverseBitsInAByte(in byte) byte {
  1652		b1 := in>>4 | in<<4
  1653		b2 := b1>>2&0x33 | b1<<2&0xcc
  1654		b3 := b2>>1&0x55 | b2<<1&0xaa
  1655		return b3
  1656	}
  1657	
  1658	// asn1BitLength returns the bit-length of bitString by considering the
  1659	// most-significant bit in a byte to be the "first" bit. This convention
  1660	// matches ASN.1, but differs from almost everything else.
  1661	func asn1BitLength(bitString []byte) int {
  1662		bitLen := len(bitString) * 8
  1663	
  1664		for i := range bitString {
  1665			b := bitString[len(bitString)-i-1]
  1666	
  1667			for bit := uint(0); bit < 8; bit++ {
  1668				if (b>>bit)&1 == 1 {
  1669					return bitLen
  1670				}
  1671				bitLen--
  1672			}
  1673		}
  1674	
  1675		return 0
  1676	}
  1677	
  1678	var (
  1679		oidExtensionSubjectKeyId          = []int{2, 5, 29, 14}
  1680		oidExtensionKeyUsage              = []int{2, 5, 29, 15}
  1681		oidExtensionExtendedKeyUsage      = []int{2, 5, 29, 37}
  1682		oidExtensionAuthorityKeyId        = []int{2, 5, 29, 35}
  1683		oidExtensionBasicConstraints      = []int{2, 5, 29, 19}
  1684		oidExtensionSubjectAltName        = []int{2, 5, 29, 17}
  1685		oidExtensionCertificatePolicies   = []int{2, 5, 29, 32}
  1686		oidExtensionNameConstraints       = []int{2, 5, 29, 30}
  1687		oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31}
  1688		oidExtensionAuthorityInfoAccess   = []int{1, 3, 6, 1, 5, 5, 7, 1, 1}
  1689	)
  1690	
  1691	var (
  1692		oidAuthorityInfoAccessOcsp    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
  1693		oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
  1694	)
  1695	
  1696	// oidNotInExtensions reports whether an extension with the given oid exists in
  1697	// extensions.
  1698	func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool {
  1699		for _, e := range extensions {
  1700			if e.Id.Equal(oid) {
  1701				return true
  1702			}
  1703		}
  1704		return false
  1705	}
  1706	
  1707	// marshalSANs marshals a list of addresses into a the contents of an X.509
  1708	// SubjectAlternativeName extension.
  1709	func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) {
  1710		var rawValues []asn1.RawValue
  1711		for _, name := range dnsNames {
  1712			rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)})
  1713		}
  1714		for _, email := range emailAddresses {
  1715			rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)})
  1716		}
  1717		for _, rawIP := range ipAddresses {
  1718			// If possible, we always want to encode IPv4 addresses in 4 bytes.
  1719			ip := rawIP.To4()
  1720			if ip == nil {
  1721				ip = rawIP
  1722			}
  1723			rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip})
  1724		}
  1725		for _, uri := range uris {
  1726			rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uri.String())})
  1727		}
  1728		return asn1.Marshal(rawValues)
  1729	}
  1730	
  1731	func isIA5String(s string) error {
  1732		for _, r := range s {
  1733			if r >= utf8.RuneSelf {
  1734				return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
  1735			}
  1736		}
  1737	
  1738		return nil
  1739	}
  1740	
  1741	func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte) (ret []pkix.Extension, err error) {
  1742		ret = make([]pkix.Extension, 10 /* maximum number of elements. */)
  1743		n := 0
  1744	
  1745		if template.KeyUsage != 0 &&
  1746			!oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
  1747			ret[n].Id = oidExtensionKeyUsage
  1748			ret[n].Critical = true
  1749	
  1750			var a [2]byte
  1751			a[0] = reverseBitsInAByte(byte(template.KeyUsage))
  1752			a[1] = reverseBitsInAByte(byte(template.KeyUsage >> 8))
  1753	
  1754			l := 1
  1755			if a[1] != 0 {
  1756				l = 2
  1757			}
  1758	
  1759			bitString := a[:l]
  1760			ret[n].Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)})
  1761			if err != nil {
  1762				return
  1763			}
  1764			n++
  1765		}
  1766	
  1767		if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
  1768			!oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
  1769			ret[n].Id = oidExtensionExtendedKeyUsage
  1770	
  1771			var oids []asn1.ObjectIdentifier
  1772			for _, u := range template.ExtKeyUsage {
  1773				if oid, ok := oidFromExtKeyUsage(u); ok {
  1774					oids = append(oids, oid)
  1775				} else {
  1776					panic("internal error")
  1777				}
  1778			}
  1779	
  1780			oids = append(oids, template.UnknownExtKeyUsage...)
  1781	
  1782			ret[n].Value, err = asn1.Marshal(oids)
  1783			if err != nil {
  1784				return
  1785			}
  1786			n++
  1787		}
  1788	
  1789		if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) {
  1790			// Leaving MaxPathLen as zero indicates that no maximum path
  1791			// length is desired, unless MaxPathLenZero is set. A value of
  1792			// -1 causes encoding/asn1 to omit the value as desired.
  1793			maxPathLen := template.MaxPathLen
  1794			if maxPathLen == 0 && !template.MaxPathLenZero {
  1795				maxPathLen = -1
  1796			}
  1797			ret[n].Id = oidExtensionBasicConstraints
  1798			ret[n].Value, err = asn1.Marshal(basicConstraints{template.IsCA, maxPathLen})
  1799			ret[n].Critical = true
  1800			if err != nil {
  1801				return
  1802			}
  1803			n++
  1804		}
  1805	
  1806		if len(template.SubjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) {
  1807			ret[n].Id = oidExtensionSubjectKeyId
  1808			ret[n].Value, err = asn1.Marshal(template.SubjectKeyId)
  1809			if err != nil {
  1810				return
  1811			}
  1812			n++
  1813		}
  1814	
  1815		if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {
  1816			ret[n].Id = oidExtensionAuthorityKeyId
  1817			ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId})
  1818			if err != nil {
  1819				return
  1820			}
  1821			n++
  1822		}
  1823	
  1824		if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
  1825			!oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) {
  1826			ret[n].Id = oidExtensionAuthorityInfoAccess
  1827			var aiaValues []authorityInfoAccess
  1828			for _, name := range template.OCSPServer {
  1829				aiaValues = append(aiaValues, authorityInfoAccess{
  1830					Method:   oidAuthorityInfoAccessOcsp,
  1831					Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1832				})
  1833			}
  1834			for _, name := range template.IssuingCertificateURL {
  1835				aiaValues = append(aiaValues, authorityInfoAccess{
  1836					Method:   oidAuthorityInfoAccessIssuers,
  1837					Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
  1838				})
  1839			}
  1840			ret[n].Value, err = asn1.Marshal(aiaValues)
  1841			if err != nil {
  1842				return
  1843			}
  1844			n++
  1845		}
  1846	
  1847		if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  1848			!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  1849			ret[n].Id = oidExtensionSubjectAltName
  1850			// From RFC 5280, Section 4.2.1.6:
  1851			// “If the subject field contains an empty sequence ... then
  1852			// subjectAltName extension ... is marked as critical”
  1853			ret[n].Critical = subjectIsEmpty
  1854			ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  1855			if err != nil {
  1856				return
  1857			}
  1858			n++
  1859		}
  1860	
  1861		if len(template.PolicyIdentifiers) > 0 &&
  1862			!oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) {
  1863			ret[n].Id = oidExtensionCertificatePolicies
  1864			policies := make([]policyInformation, len(template.PolicyIdentifiers))
  1865			for i, policy := range template.PolicyIdentifiers {
  1866				policies[i].Policy = policy
  1867			}
  1868			ret[n].Value, err = asn1.Marshal(policies)
  1869			if err != nil {
  1870				return
  1871			}
  1872			n++
  1873		}
  1874	
  1875		if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 ||
  1876			len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 ||
  1877			len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 ||
  1878			len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) &&
  1879			!oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
  1880			ret[n].Id = oidExtensionNameConstraints
  1881			ret[n].Critical = template.PermittedDNSDomainsCritical
  1882	
  1883			ipAndMask := func(ipNet *net.IPNet) []byte {
  1884				maskedIP := ipNet.IP.Mask(ipNet.Mask)
  1885				ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
  1886				ipAndMask = append(ipAndMask, maskedIP...)
  1887				ipAndMask = append(ipAndMask, ipNet.Mask...)
  1888				return ipAndMask
  1889			}
  1890	
  1891			serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) {
  1892				var b cryptobyte.Builder
  1893	
  1894				for _, name := range dns {
  1895					if err = isIA5String(name); err != nil {
  1896						return nil, err
  1897					}
  1898	
  1899					b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1900						b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) {
  1901							b.AddBytes([]byte(name))
  1902						})
  1903					})
  1904				}
  1905	
  1906				for _, ipNet := range ips {
  1907					b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1908						b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) {
  1909							b.AddBytes(ipAndMask(ipNet))
  1910						})
  1911					})
  1912				}
  1913	
  1914				for _, email := range emails {
  1915					if err = isIA5String(email); err != nil {
  1916						return nil, err
  1917					}
  1918	
  1919					b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1920						b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) {
  1921							b.AddBytes([]byte(email))
  1922						})
  1923					})
  1924				}
  1925	
  1926				for _, uriDomain := range uriDomains {
  1927					if err = isIA5String(uriDomain); err != nil {
  1928						return nil, err
  1929					}
  1930	
  1931					b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1932						b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) {
  1933							b.AddBytes([]byte(uriDomain))
  1934						})
  1935					})
  1936				}
  1937	
  1938				return b.Bytes()
  1939			}
  1940	
  1941			permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains)
  1942			if err != nil {
  1943				return nil, err
  1944			}
  1945	
  1946			excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains)
  1947			if err != nil {
  1948				return nil, err
  1949			}
  1950	
  1951			var b cryptobyte.Builder
  1952			b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
  1953				if len(permitted) > 0 {
  1954					b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1955						b.AddBytes(permitted)
  1956					})
  1957				}
  1958	
  1959				if len(excluded) > 0 {
  1960					b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
  1961						b.AddBytes(excluded)
  1962					})
  1963				}
  1964			})
  1965	
  1966			ret[n].Value, err = b.Bytes()
  1967			if err != nil {
  1968				return nil, err
  1969			}
  1970			n++
  1971		}
  1972	
  1973		if len(template.CRLDistributionPoints) > 0 &&
  1974			!oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) {
  1975			ret[n].Id = oidExtensionCRLDistributionPoints
  1976	
  1977			var crlDp []distributionPoint
  1978			for _, name := range template.CRLDistributionPoints {
  1979				dp := distributionPoint{
  1980					DistributionPoint: distributionPointName{
  1981						FullName: []asn1.RawValue{
  1982							{Tag: 6, Class: 2, Bytes: []byte(name)},
  1983						},
  1984					},
  1985				}
  1986				crlDp = append(crlDp, dp)
  1987			}
  1988	
  1989			ret[n].Value, err = asn1.Marshal(crlDp)
  1990			if err != nil {
  1991				return
  1992			}
  1993			n++
  1994		}
  1995	
  1996		// Adding another extension here? Remember to update the maximum number
  1997		// of elements in the make() at the top of the function and the list of
  1998		// template fields used in CreateCertificate documentation.
  1999	
  2000		return append(ret[:n], template.ExtraExtensions...), nil
  2001	}
  2002	
  2003	func subjectBytes(cert *Certificate) ([]byte, error) {
  2004		if len(cert.RawSubject) > 0 {
  2005			return cert.RawSubject, nil
  2006		}
  2007	
  2008		return asn1.Marshal(cert.Subject.ToRDNSequence())
  2009	}
  2010	
  2011	// signingParamsForPublicKey returns the parameters to use for signing with
  2012	// priv. If requestedSigAlgo is not zero then it overrides the default
  2013	// signature algorithm.
  2014	func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
  2015		var pubType PublicKeyAlgorithm
  2016	
  2017		switch pub := pub.(type) {
  2018		case *rsa.PublicKey:
  2019			pubType = RSA
  2020			hashFunc = crypto.SHA256
  2021			sigAlgo.Algorithm = oidSignatureSHA256WithRSA
  2022			sigAlgo.Parameters = asn1.NullRawValue
  2023	
  2024		case *ecdsa.PublicKey:
  2025			pubType = ECDSA
  2026	
  2027			switch pub.Curve {
  2028			case elliptic.P224(), elliptic.P256():
  2029				hashFunc = crypto.SHA256
  2030				sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
  2031			case elliptic.P384():
  2032				hashFunc = crypto.SHA384
  2033				sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
  2034			case elliptic.P521():
  2035				hashFunc = crypto.SHA512
  2036				sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
  2037			default:
  2038				err = errors.New("x509: unknown elliptic curve")
  2039			}
  2040	
  2041		case ed25519.PublicKey:
  2042			pubType = Ed25519
  2043			sigAlgo.Algorithm = oidSignatureEd25519
  2044	
  2045		default:
  2046			err = errors.New("x509: only RSA, ECDSA and Ed25519 keys supported")
  2047		}
  2048	
  2049		if err != nil {
  2050			return
  2051		}
  2052	
  2053		if requestedSigAlgo == 0 {
  2054			return
  2055		}
  2056	
  2057		found := false
  2058		for _, details := range signatureAlgorithmDetails {
  2059			if details.algo == requestedSigAlgo {
  2060				if details.pubKeyAlgo != pubType {
  2061					err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
  2062					return
  2063				}
  2064				sigAlgo.Algorithm, hashFunc = details.oid, details.hash
  2065				if hashFunc == 0 && pubType != Ed25519 {
  2066					err = errors.New("x509: cannot sign with hash function requested")
  2067					return
  2068				}
  2069				if requestedSigAlgo.isRSAPSS() {
  2070					sigAlgo.Parameters = rsaPSSParameters(hashFunc)
  2071				}
  2072				found = true
  2073				break
  2074			}
  2075		}
  2076	
  2077		if !found {
  2078			err = errors.New("x509: unknown SignatureAlgorithm")
  2079		}
  2080	
  2081		return
  2082	}
  2083	
  2084	// emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is
  2085	// just an empty SEQUENCE.
  2086	var emptyASN1Subject = []byte{0x30, 0}
  2087	
  2088	// CreateCertificate creates a new X.509v3 certificate based on a template.
  2089	// The following members of template are used:
  2090	//
  2091	//  - AuthorityKeyId
  2092	//  - BasicConstraintsValid
  2093	//  - CRLDistributionPoints
  2094	//  - DNSNames
  2095	//  - EmailAddresses
  2096	//  - ExcludedDNSDomains
  2097	//  - ExcludedEmailAddresses
  2098	//  - ExcludedIPRanges
  2099	//  - ExcludedURIDomains
  2100	//  - ExtKeyUsage
  2101	//  - ExtraExtensions
  2102	//  - IsCA
  2103	//  - IssuingCertificateURL
  2104	//  - KeyUsage
  2105	//  - MaxPathLen
  2106	//  - MaxPathLenZero
  2107	//  - NotAfter
  2108	//  - NotBefore
  2109	//  - OCSPServer
  2110	//  - PermittedDNSDomains
  2111	//  - PermittedDNSDomainsCritical
  2112	//  - PermittedEmailAddresses
  2113	//  - PermittedIPRanges
  2114	//  - PermittedURIDomains
  2115	//  - PolicyIdentifiers
  2116	//  - SerialNumber
  2117	//  - SignatureAlgorithm
  2118	//  - Subject
  2119	//  - SubjectKeyId
  2120	//  - URIs
  2121	//  - UnknownExtKeyUsage
  2122	//
  2123	// The certificate is signed by parent. If parent is equal to template then the
  2124	// certificate is self-signed. The parameter pub is the public key of the
  2125	// signee and priv is the private key of the signer.
  2126	//
  2127	// The returned slice is the certificate in DER encoding.
  2128	//
  2129	// The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and
  2130	// ed25519.PublicKey. pub must be a supported key type, and priv must be a
  2131	// crypto.Signer with a supported public key.
  2132	//
  2133	// The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
  2134	// unless the resulting certificate is self-signed. Otherwise the value from
  2135	// template will be used.
  2136	func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) {
  2137		key, ok := priv.(crypto.Signer)
  2138		if !ok {
  2139			return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2140		}
  2141	
  2142		if template.SerialNumber == nil {
  2143			return nil, errors.New("x509: no SerialNumber given")
  2144		}
  2145	
  2146		hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
  2147		if err != nil {
  2148			return nil, err
  2149		}
  2150	
  2151		publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub)
  2152		if err != nil {
  2153			return nil, err
  2154		}
  2155	
  2156		asn1Issuer, err := subjectBytes(parent)
  2157		if err != nil {
  2158			return
  2159		}
  2160	
  2161		asn1Subject, err := subjectBytes(template)
  2162		if err != nil {
  2163			return
  2164		}
  2165	
  2166		authorityKeyId := template.AuthorityKeyId
  2167		if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 {
  2168			authorityKeyId = parent.SubjectKeyId
  2169		}
  2170	
  2171		extensions, err := buildExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId)
  2172		if err != nil {
  2173			return
  2174		}
  2175	
  2176		encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
  2177		c := tbsCertificate{
  2178			Version:            2,
  2179			SerialNumber:       template.SerialNumber,
  2180			SignatureAlgorithm: signatureAlgorithm,
  2181			Issuer:             asn1.RawValue{FullBytes: asn1Issuer},
  2182			Validity:           validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
  2183			Subject:            asn1.RawValue{FullBytes: asn1Subject},
  2184			PublicKey:          publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
  2185			Extensions:         extensions,
  2186		}
  2187	
  2188		tbsCertContents, err := asn1.Marshal(c)
  2189		if err != nil {
  2190			return
  2191		}
  2192		c.Raw = tbsCertContents
  2193	
  2194		signed := tbsCertContents
  2195		if hashFunc != 0 {
  2196			h := hashFunc.New()
  2197			h.Write(signed)
  2198			signed = h.Sum(nil)
  2199		}
  2200	
  2201		var signerOpts crypto.SignerOpts = hashFunc
  2202		if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() {
  2203			signerOpts = &rsa.PSSOptions{
  2204				SaltLength: rsa.PSSSaltLengthEqualsHash,
  2205				Hash:       hashFunc,
  2206			}
  2207		}
  2208	
  2209		var signature []byte
  2210		signature, err = key.Sign(rand, signed, signerOpts)
  2211		if err != nil {
  2212			return
  2213		}
  2214	
  2215		return asn1.Marshal(certificate{
  2216			nil,
  2217			c,
  2218			signatureAlgorithm,
  2219			asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  2220		})
  2221	}
  2222	
  2223	// pemCRLPrefix is the magic string that indicates that we have a PEM encoded
  2224	// CRL.
  2225	var pemCRLPrefix = []byte("-----BEGIN X509 CRL")
  2226	
  2227	// pemType is the type of a PEM encoded CRL.
  2228	var pemType = "X509 CRL"
  2229	
  2230	// ParseCRL parses a CRL from the given bytes. It's often the case that PEM
  2231	// encoded CRLs will appear where they should be DER encoded, so this function
  2232	// will transparently handle PEM encoding as long as there isn't any leading
  2233	// garbage.
  2234	func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) {
  2235		if bytes.HasPrefix(crlBytes, pemCRLPrefix) {
  2236			block, _ := pem.Decode(crlBytes)
  2237			if block != nil && block.Type == pemType {
  2238				crlBytes = block.Bytes
  2239			}
  2240		}
  2241		return ParseDERCRL(crlBytes)
  2242	}
  2243	
  2244	// ParseDERCRL parses a DER encoded CRL from the given bytes.
  2245	func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) {
  2246		certList := new(pkix.CertificateList)
  2247		if rest, err := asn1.Unmarshal(derBytes, certList); err != nil {
  2248			return nil, err
  2249		} else if len(rest) != 0 {
  2250			return nil, errors.New("x509: trailing data after CRL")
  2251		}
  2252		return certList, nil
  2253	}
  2254	
  2255	// CreateCRL returns a DER encoded CRL, signed by this Certificate, that
  2256	// contains the given list of revoked certificates.
  2257	func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
  2258		key, ok := priv.(crypto.Signer)
  2259		if !ok {
  2260			return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2261		}
  2262	
  2263		hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0)
  2264		if err != nil {
  2265			return nil, err
  2266		}
  2267	
  2268		// Force revocation times to UTC per RFC 5280.
  2269		revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
  2270		for i, rc := range revokedCerts {
  2271			rc.RevocationTime = rc.RevocationTime.UTC()
  2272			revokedCertsUTC[i] = rc
  2273		}
  2274	
  2275		tbsCertList := pkix.TBSCertificateList{
  2276			Version:             1,
  2277			Signature:           signatureAlgorithm,
  2278			Issuer:              c.Subject.ToRDNSequence(),
  2279			ThisUpdate:          now.UTC(),
  2280			NextUpdate:          expiry.UTC(),
  2281			RevokedCertificates: revokedCertsUTC,
  2282		}
  2283	
  2284		// Authority Key Id
  2285		if len(c.SubjectKeyId) > 0 {
  2286			var aki pkix.Extension
  2287			aki.Id = oidExtensionAuthorityKeyId
  2288			aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId})
  2289			if err != nil {
  2290				return
  2291			}
  2292			tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
  2293		}
  2294	
  2295		tbsCertListContents, err := asn1.Marshal(tbsCertList)
  2296		if err != nil {
  2297			return
  2298		}
  2299	
  2300		h := hashFunc.New()
  2301		h.Write(tbsCertListContents)
  2302		digest := h.Sum(nil)
  2303	
  2304		var signature []byte
  2305		signature, err = key.Sign(rand, digest, hashFunc)
  2306		if err != nil {
  2307			return
  2308		}
  2309	
  2310		return asn1.Marshal(pkix.CertificateList{
  2311			TBSCertList:        tbsCertList,
  2312			SignatureAlgorithm: signatureAlgorithm,
  2313			SignatureValue:     asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
  2314		})
  2315	}
  2316	
  2317	// CertificateRequest represents a PKCS #10, certificate signature request.
  2318	type CertificateRequest struct {
  2319		Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
  2320		RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
  2321		RawSubjectPublicKeyInfo  []byte // DER encoded SubjectPublicKeyInfo.
  2322		RawSubject               []byte // DER encoded Subject.
  2323	
  2324		Version            int
  2325		Signature          []byte
  2326		SignatureAlgorithm SignatureAlgorithm
  2327	
  2328		PublicKeyAlgorithm PublicKeyAlgorithm
  2329		PublicKey          interface{}
  2330	
  2331		Subject pkix.Name
  2332	
  2333		// Attributes contains the CSR attributes that can parse as
  2334		// pkix.AttributeTypeAndValueSET.
  2335		//
  2336		// Deprecated: Use Extensions and ExtraExtensions instead for parsing and
  2337		// generating the requestedExtensions attribute.
  2338		Attributes []pkix.AttributeTypeAndValueSET
  2339	
  2340		// Extensions contains all requested extensions, in raw form. When parsing
  2341		// CSRs, this can be used to extract extensions that are not parsed by this
  2342		// package.
  2343		Extensions []pkix.Extension
  2344	
  2345		// ExtraExtensions contains extensions to be copied, raw, into any CSR
  2346		// marshaled by CreateCertificateRequest. Values override any extensions
  2347		// that would otherwise be produced based on the other fields but are
  2348		// overridden by any extensions specified in Attributes.
  2349		//
  2350		// The ExtraExtensions field is not populated by ParseCertificateRequest,
  2351		// see Extensions instead.
  2352		ExtraExtensions []pkix.Extension
  2353	
  2354		// Subject Alternate Name values.
  2355		DNSNames       []string
  2356		EmailAddresses []string
  2357		IPAddresses    []net.IP
  2358		URIs           []*url.URL
  2359	}
  2360	
  2361	// These structures reflect the ASN.1 structure of X.509 certificate
  2362	// signature requests (see RFC 2986):
  2363	
  2364	type tbsCertificateRequest struct {
  2365		Raw           asn1.RawContent
  2366		Version       int
  2367		Subject       asn1.RawValue
  2368		PublicKey     publicKeyInfo
  2369		RawAttributes []asn1.RawValue `asn1:"tag:0"`
  2370	}
  2371	
  2372	type certificateRequest struct {
  2373		Raw                asn1.RawContent
  2374		TBSCSR             tbsCertificateRequest
  2375		SignatureAlgorithm pkix.AlgorithmIdentifier
  2376		SignatureValue     asn1.BitString
  2377	}
  2378	
  2379	// oidExtensionRequest is a PKCS#9 OBJECT IDENTIFIER that indicates requested
  2380	// extensions in a CSR.
  2381	var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}
  2382	
  2383	// newRawAttributes converts AttributeTypeAndValueSETs from a template
  2384	// CertificateRequest's Attributes into tbsCertificateRequest RawAttributes.
  2385	func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) {
  2386		var rawAttributes []asn1.RawValue
  2387		b, err := asn1.Marshal(attributes)
  2388		if err != nil {
  2389			return nil, err
  2390		}
  2391		rest, err := asn1.Unmarshal(b, &rawAttributes)
  2392		if err != nil {
  2393			return nil, err
  2394		}
  2395		if len(rest) != 0 {
  2396			return nil, errors.New("x509: failed to unmarshal raw CSR Attributes")
  2397		}
  2398		return rawAttributes, nil
  2399	}
  2400	
  2401	// parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs.
  2402	func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET {
  2403		var attributes []pkix.AttributeTypeAndValueSET
  2404		for _, rawAttr := range rawAttributes {
  2405			var attr pkix.AttributeTypeAndValueSET
  2406			rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr)
  2407			// Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET
  2408			// (i.e.: challengePassword or unstructuredName).
  2409			if err == nil && len(rest) == 0 {
  2410				attributes = append(attributes, attr)
  2411			}
  2412		}
  2413		return attributes
  2414	}
  2415	
  2416	// parseCSRExtensions parses the attributes from a CSR and extracts any
  2417	// requested extensions.
  2418	func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) {
  2419		// pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1.
  2420		type pkcs10Attribute struct {
  2421			Id     asn1.ObjectIdentifier
  2422			Values []asn1.RawValue `asn1:"set"`
  2423		}
  2424	
  2425		var ret []pkix.Extension
  2426		for _, rawAttr := range rawAttributes {
  2427			var attr pkcs10Attribute
  2428			if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
  2429				// Ignore attributes that don't parse.
  2430				continue
  2431			}
  2432	
  2433			if !attr.Id.Equal(oidExtensionRequest) {
  2434				continue
  2435			}
  2436	
  2437			var extensions []pkix.Extension
  2438			if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
  2439				return nil, err
  2440			}
  2441			ret = append(ret, extensions...)
  2442		}
  2443	
  2444		return ret, nil
  2445	}
  2446	
  2447	// CreateCertificateRequest creates a new certificate request based on a
  2448	// template. The following members of template are used:
  2449	//
  2450	//  - SignatureAlgorithm
  2451	//  - Subject
  2452	//  - DNSNames
  2453	//  - EmailAddresses
  2454	//  - IPAddresses
  2455	//  - URIs
  2456	//  - ExtraExtensions
  2457	//  - Attributes (deprecated)
  2458	//
  2459	// priv is the private key to sign the CSR with, and the corresponding public
  2460	// key will be included in the CSR. It must implement crypto.Signer and its
  2461	// Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a
  2462	// ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or
  2463	// ed25519.PrivateKey satisfies this.)
  2464	//
  2465	// The returned slice is the certificate request in DER encoding.
  2466	func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) {
  2467		key, ok := priv.(crypto.Signer)
  2468		if !ok {
  2469			return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
  2470		}
  2471	
  2472		var hashFunc crypto.Hash
  2473		var sigAlgo pkix.AlgorithmIdentifier
  2474		hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
  2475		if err != nil {
  2476			return nil, err
  2477		}
  2478	
  2479		var publicKeyBytes []byte
  2480		var publicKeyAlgorithm pkix.AlgorithmIdentifier
  2481		publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public())
  2482		if err != nil {
  2483			return nil, err
  2484		}
  2485	
  2486		var extensions []pkix.Extension
  2487	
  2488		if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
  2489			!oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
  2490			sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
  2491			if err != nil {
  2492				return nil, err
  2493			}
  2494	
  2495			extensions = append(extensions, pkix.Extension{
  2496				Id:    oidExtensionSubjectAltName,
  2497				Value: sanBytes,
  2498			})
  2499		}
  2500	
  2501		extensions = append(extensions, template.ExtraExtensions...)
  2502	
  2503		// Make a copy of template.Attributes because we may alter it below.
  2504		attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes))
  2505		for _, attr := range template.Attributes {
  2506			values := make([][]pkix.AttributeTypeAndValue, len(attr.Value))
  2507			copy(values, attr.Value)
  2508			attributes = append(attributes, pkix.AttributeTypeAndValueSET{
  2509				Type:  attr.Type,
  2510				Value: values,
  2511			})
  2512		}
  2513	
  2514		extensionsAppended := false
  2515		if len(extensions) > 0 {
  2516			// Append the extensions to an existing attribute if possible.
  2517			for _, atvSet := range attributes {
  2518				if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 {
  2519					continue
  2520				}
  2521	
  2522				// specifiedExtensions contains all the extensions that we
  2523				// found specified via template.Attributes.
  2524				specifiedExtensions := make(map[string]bool)
  2525	
  2526				for _, atvs := range atvSet.Value {
  2527					for _, atv := range atvs {
  2528						specifiedExtensions[atv.Type.String()] = true
  2529					}
  2530				}
  2531	
  2532				newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions))
  2533				newValue = append(newValue, atvSet.Value[0]...)
  2534	
  2535				for _, e := range extensions {
  2536					if specifiedExtensions[e.Id.String()] {
  2537						// Attributes already contained a value for
  2538						// this extension and it takes priority.
  2539						continue
  2540					}
  2541	
  2542					newValue = append(newValue, pkix.AttributeTypeAndValue{
  2543						// There is no place for the critical
  2544						// flag in an AttributeTypeAndValue.
  2545						Type:  e.Id,
  2546						Value: e.Value,
  2547					})
  2548				}
  2549	
  2550				atvSet.Value[0] = newValue
  2551				extensionsAppended = true
  2552				break
  2553			}
  2554		}
  2555	
  2556		rawAttributes, err := newRawAttributes(attributes)
  2557		if err != nil {
  2558			return
  2559		}
  2560	
  2561		// If not included in attributes, add a new attribute for the
  2562		// extensions.
  2563		if len(extensions) > 0 && !extensionsAppended {
  2564			attr := struct {
  2565				Type  asn1.ObjectIdentifier
  2566				Value [][]pkix.Extension `asn1:"set"`
  2567			}{
  2568				Type:  oidExtensionRequest,
  2569				Value: [][]pkix.Extension{extensions},
  2570			}
  2571	
  2572			b, err := asn1.Marshal(attr)
  2573			if err != nil {
  2574				return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error())
  2575			}
  2576	
  2577			var rawValue asn1.RawValue
  2578			if _, err := asn1.Unmarshal(b, &rawValue); err != nil {
  2579				return nil, err
  2580			}
  2581	
  2582			rawAttributes = append(rawAttributes, rawValue)
  2583		}
  2584	
  2585		asn1Subject := template.RawSubject
  2586		if len(asn1Subject) == 0 {
  2587			asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence())
  2588			if err != nil {
  2589				return nil, err
  2590			}
  2591		}
  2592	
  2593		tbsCSR := tbsCertificateRequest{
  2594			Version: 0, // PKCS #10, RFC 2986
  2595			Subject: asn1.RawValue{FullBytes: asn1Subject},
  2596			PublicKey: publicKeyInfo{
  2597				Algorithm: publicKeyAlgorithm,
  2598				PublicKey: asn1.BitString{
  2599					Bytes:     publicKeyBytes,
  2600					BitLength: len(publicKeyBytes) * 8,
  2601				},
  2602			},
  2603			RawAttributes: rawAttributes,
  2604		}
  2605	
  2606		tbsCSRContents, err := asn1.Marshal(tbsCSR)
  2607		if err != nil {
  2608			return
  2609		}
  2610		tbsCSR.Raw = tbsCSRContents
  2611	
  2612		signed := tbsCSRContents
  2613		if hashFunc != 0 {
  2614			h := hashFunc.New()
  2615			h.Write(signed)
  2616			signed = h.Sum(nil)
  2617		}
  2618	
  2619		var signature []byte
  2620		signature, err = key.Sign(rand, signed, hashFunc)
  2621		if err != nil {
  2622			return
  2623		}
  2624	
  2625		return asn1.Marshal(certificateRequest{
  2626			TBSCSR:             tbsCSR,
  2627			SignatureAlgorithm: sigAlgo,
  2628			SignatureValue: asn1.BitString{
  2629				Bytes:     signature,
  2630				BitLength: len(signature) * 8,
  2631			},
  2632		})
  2633	}
  2634	
  2635	// ParseCertificateRequest parses a single certificate request from the
  2636	// given ASN.1 DER data.
  2637	func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) {
  2638		var csr certificateRequest
  2639	
  2640		rest, err := asn1.Unmarshal(asn1Data, &csr)
  2641		if err != nil {
  2642			return nil, err
  2643		} else if len(rest) != 0 {
  2644			return nil, asn1.SyntaxError{Msg: "trailing data"}
  2645		}
  2646	
  2647		return parseCertificateRequest(&csr)
  2648	}
  2649	
  2650	func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) {
  2651		out := &CertificateRequest{
  2652			Raw:                      in.Raw,
  2653			RawTBSCertificateRequest: in.TBSCSR.Raw,
  2654			RawSubjectPublicKeyInfo:  in.TBSCSR.PublicKey.Raw,
  2655			RawSubject:               in.TBSCSR.Subject.FullBytes,
  2656	
  2657			Signature:          in.SignatureValue.RightAlign(),
  2658			SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm),
  2659	
  2660			PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm),
  2661	
  2662			Version:    in.TBSCSR.Version,
  2663			Attributes: parseRawAttributes(in.TBSCSR.RawAttributes),
  2664		}
  2665	
  2666		var err error
  2667		out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey)
  2668		if err != nil {
  2669			return nil, err
  2670		}
  2671	
  2672		var subject pkix.RDNSequence
  2673		if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil {
  2674			return nil, err
  2675		} else if len(rest) != 0 {
  2676			return nil, errors.New("x509: trailing data after X.509 Subject")
  2677		}
  2678	
  2679		out.Subject.FillFromRDNSequence(&subject)
  2680	
  2681		if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil {
  2682			return nil, err
  2683		}
  2684	
  2685		for _, extension := range out.Extensions {
  2686			if extension.Id.Equal(oidExtensionSubjectAltName) {
  2687				out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value)
  2688				if err != nil {
  2689					return nil, err
  2690				}
  2691			}
  2692		}
  2693	
  2694		return out, nil
  2695	}
  2696	
  2697	// CheckSignature reports whether the signature on c is valid.
  2698	func (c *CertificateRequest) CheckSignature() error {
  2699		return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
  2700	}
  2701	

View as plain text