1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package x509 parses X.509-encoded keys and certificates.
31 // Explicitly import these for their crypto.RegisterHash init side-effects.
32 // Keep these as blank imports, even if they're imported above.
37 "golang.org/x/crypto/cryptobyte"
38 cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
41 // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
43 type pkixPublicKey struct {
44 Algo pkix.AlgorithmIdentifier
45 BitString asn1.BitString
48 // ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
49 // The encoded public key is a SubjectPublicKeyInfo structure
50 // (see RFC 5280, Section 4.1).
52 // It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
53 // ed25519.PublicKey. More types might be supported in the future.
55 // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
56 func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
58 if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
59 if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil {
60 return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)")
63 } else if len(rest) != 0 {
64 return nil, errors.New("x509: trailing data after ASN.1 of public-key")
66 algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
67 if algo == UnknownPublicKeyAlgorithm {
68 return nil, errors.New("x509: unknown public key algorithm")
70 return parsePublicKey(algo, &pki)
73 func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
74 switch pub := pub.(type) {
76 publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
81 return nil, pkix.AlgorithmIdentifier{}, err
83 publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
84 // This is a NULL parameters value which is required by
85 // RFC 3279, Section 2.3.1.
86 publicKeyAlgorithm.Parameters = asn1.NullRawValue
87 case *ecdsa.PublicKey:
88 publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
89 oid, ok := oidFromNamedCurve(pub.Curve)
91 return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
93 publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
95 paramBytes, err = asn1.Marshal(oid)
99 publicKeyAlgorithm.Parameters.FullBytes = paramBytes
100 case ed25519.PublicKey:
102 publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519
104 return nil, pkix.AlgorithmIdentifier{}, fmt.Errorf("x509: unsupported public key type: %T", pub)
107 return publicKeyBytes, publicKeyAlgorithm, nil
110 // MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
111 // The encoded public key is a SubjectPublicKeyInfo structure
112 // (see RFC 5280, Section 4.1).
114 // The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
115 // and ed25519.PublicKey. Unsupported key types result in an error.
117 // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
118 func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
119 var publicKeyBytes []byte
120 var publicKeyAlgorithm pkix.AlgorithmIdentifier
123 if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
127 pkix := pkixPublicKey{
128 Algo: publicKeyAlgorithm,
129 BitString: asn1.BitString{
130 Bytes: publicKeyBytes,
131 BitLength: 8 * len(publicKeyBytes),
135 ret, _ := asn1.Marshal(pkix)
139 // These structures reflect the ASN.1 structure of X.509 certificates.:
141 type certificate struct {
143 TBSCertificate tbsCertificate
144 SignatureAlgorithm pkix.AlgorithmIdentifier
145 SignatureValue asn1.BitString
148 type tbsCertificate struct {
150 Version int `asn1:"optional,explicit,default:0,tag:0"`
151 SerialNumber *big.Int
152 SignatureAlgorithm pkix.AlgorithmIdentifier
155 Subject asn1.RawValue
156 PublicKey publicKeyInfo
157 UniqueId asn1.BitString `asn1:"optional,tag:1"`
158 SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
159 Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"`
162 type dsaAlgorithmParameters struct {
166 type validity struct {
167 NotBefore, NotAfter time.Time
170 type publicKeyInfo struct {
172 Algorithm pkix.AlgorithmIdentifier
173 PublicKey asn1.BitString
177 type authKeyId struct {
178 Id []byte `asn1:"optional,tag:0"`
181 type SignatureAlgorithm int
184 UnknownSignatureAlgorithm SignatureAlgorithm = iota
186 MD2WithRSA // Unsupported.
187 MD5WithRSA // Only supported for signing, not verification.
192 DSAWithSHA1 // Unsupported.
193 DSAWithSHA256 // Unsupported.
204 func (algo SignatureAlgorithm) isRSAPSS() bool {
206 case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS:
213 func (algo SignatureAlgorithm) String() string {
214 for _, details := range signatureAlgorithmDetails {
215 if details.algo == algo {
219 return strconv.Itoa(int(algo))
222 type PublicKeyAlgorithm int
225 UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
232 var publicKeyAlgoName = [...]string{
239 func (algo PublicKeyAlgorithm) String() string {
240 if 0 < algo && int(algo) < len(publicKeyAlgoName) {
241 return publicKeyAlgoName[algo]
243 return strconv.Itoa(int(algo))
246 // OIDs for signature algorithms
248 // pkcs-1 OBJECT IDENTIFIER ::= {
249 // iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
252 // RFC 3279 2.2.1 RSA Signature Algorithms
254 // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
256 // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
258 // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
260 // dsaWithSha1 OBJECT IDENTIFIER ::= {
261 // iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }
263 // RFC 3279 2.2.3 ECDSA Signature Algorithm
265 // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
266 // iso(1) member-body(2) us(840) ansi-x962(10045)
267 // signatures(4) ecdsa-with-SHA1(1)}
270 // RFC 4055 5 PKCS #1 Version 1.5
272 // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
274 // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
276 // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
279 // RFC 5758 3.1 DSA Signature Algorithms
281 // dsaWithSha256 OBJECT IDENTIFIER ::= {
282 // joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
283 // csor(3) algorithms(4) id-dsa-with-sha2(3) 2}
285 // RFC 5758 3.2 ECDSA Signature Algorithm
287 // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
288 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
290 // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
291 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
293 // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
294 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
297 // RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers
299 // id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 }
302 oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
303 oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
304 oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
305 oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
306 oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
307 oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
308 oidSignatureRSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
309 oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
310 oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
311 oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
312 oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
313 oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
314 oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
315 oidSignatureEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112}
317 oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
318 oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
319 oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
321 oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
323 // oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
324 // but it's specified by ISO. Microsoft's makecert.exe has been known
325 // to produce certificates with this OID.
326 oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
329 var signatureAlgorithmDetails = []struct {
330 algo SignatureAlgorithm
332 oid asn1.ObjectIdentifier
333 pubKeyAlgo PublicKeyAlgorithm
336 {MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
337 {MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
338 {SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
339 {SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
340 {SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
341 {SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
342 {SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
343 {SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
344 {SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
345 {SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
346 {DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
347 {DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
348 {ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
349 {ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
350 {ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
351 {ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
352 {PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */},
355 // hashToPSSParameters contains the DER encoded RSA PSS parameters for the
356 // SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3.
357 // The parameters contain the following values:
358 // * hashAlgorithm contains the associated hash identifier with NULL parameters
359 // * maskGenAlgorithm always contains the default mgf1SHA1 identifier
360 // * saltLength contains the length of the associated hash
361 // * trailerField always contains the default trailerFieldBC value
362 var hashToPSSParameters = map[crypto.Hash]asn1.RawValue{
363 crypto.SHA256: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 162, 3, 2, 1, 32}},
364 crypto.SHA384: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 162, 3, 2, 1, 48}},
365 crypto.SHA512: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 162, 3, 2, 1, 64}},
368 // pssParameters reflects the parameters in an AlgorithmIdentifier that
369 // specifies RSA PSS. See RFC 3447, Appendix A.2.3.
370 type pssParameters struct {
371 // The following three fields are not marked as
372 // optional because the default values specify SHA-1,
373 // which is no longer suitable for use in signatures.
374 Hash pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
375 MGF pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
376 SaltLength int `asn1:"explicit,tag:2"`
377 TrailerField int `asn1:"optional,explicit,tag:3,default:1"`
380 func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm {
381 if ai.Algorithm.Equal(oidSignatureEd25519) {
382 // RFC 8410, Section 3
383 // > For all of the OIDs, the parameters MUST be absent.
384 if len(ai.Parameters.FullBytes) != 0 {
385 return UnknownSignatureAlgorithm
389 if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
390 for _, details := range signatureAlgorithmDetails {
391 if ai.Algorithm.Equal(details.oid) {
395 return UnknownSignatureAlgorithm
398 // RSA PSS is special because it encodes important parameters
399 // in the Parameters.
401 var params pssParameters
402 if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, ¶ms); err != nil {
403 return UnknownSignatureAlgorithm
406 var mgf1HashFunc pkix.AlgorithmIdentifier
407 if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
408 return UnknownSignatureAlgorithm
411 // PSS is greatly overburdened with options. This code forces them into
412 // three buckets by requiring that the MGF1 hash function always match the
413 // message hash function (as recommended in RFC 3447, Section 8.1), that the
414 // salt length matches the hash length, and that the trailer field has the
416 if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
417 !params.MGF.Algorithm.Equal(oidMGF1) ||
418 !mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
419 (len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
420 params.TrailerField != 1 {
421 return UnknownSignatureAlgorithm
425 case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
426 return SHA256WithRSAPSS
427 case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
428 return SHA384WithRSAPSS
429 case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
430 return SHA512WithRSAPSS
433 return UnknownSignatureAlgorithm
436 // RFC 3279, 2.3 Public Key Algorithms
438 // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
439 // rsadsi(113549) pkcs(1) 1 }
441 // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
443 // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
444 // x9-57(10040) x9cm(4) 1 }
446 // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
448 // id-ecPublicKey OBJECT IDENTIFIER ::= {
449 // iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
451 oidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
452 oidPublicKeyDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
453 oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
454 oidPublicKeyEd25519 = oidSignatureEd25519
457 func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
459 case oid.Equal(oidPublicKeyRSA):
461 case oid.Equal(oidPublicKeyDSA):
463 case oid.Equal(oidPublicKeyECDSA):
465 case oid.Equal(oidPublicKeyEd25519):
468 return UnknownPublicKeyAlgorithm
471 // RFC 5480, 2.1.1.1. Named Curve
473 // secp224r1 OBJECT IDENTIFIER ::= {
474 // iso(1) identified-organization(3) certicom(132) curve(0) 33 }
476 // secp256r1 OBJECT IDENTIFIER ::= {
477 // iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
480 // secp384r1 OBJECT IDENTIFIER ::= {
481 // iso(1) identified-organization(3) certicom(132) curve(0) 34 }
483 // secp521r1 OBJECT IDENTIFIER ::= {
484 // iso(1) identified-organization(3) certicom(132) curve(0) 35 }
486 // NB: secp256r1 is equivalent to prime256v1
488 oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
489 oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
490 oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
491 oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
494 func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
496 case oid.Equal(oidNamedCurveP224):
497 return elliptic.P224()
498 case oid.Equal(oidNamedCurveP256):
499 return elliptic.P256()
500 case oid.Equal(oidNamedCurveP384):
501 return elliptic.P384()
502 case oid.Equal(oidNamedCurveP521):
503 return elliptic.P521()
508 func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
510 case elliptic.P224():
511 return oidNamedCurveP224, true
512 case elliptic.P256():
513 return oidNamedCurveP256, true
514 case elliptic.P384():
515 return oidNamedCurveP384, true
516 case elliptic.P521():
517 return oidNamedCurveP521, true
523 // KeyUsage represents the set of actions that are valid for a given key. It's
524 // a bitmap of the KeyUsage* constants.
528 KeyUsageDigitalSignature KeyUsage = 1 << iota
529 KeyUsageContentCommitment
530 KeyUsageKeyEncipherment
531 KeyUsageDataEncipherment
539 // RFC 5280, 4.2.1.12 Extended Key Usage
541 // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
543 // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
545 // id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
546 // id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
547 // id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
548 // id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
549 // id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
550 // id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
552 oidExtKeyUsageAny = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
553 oidExtKeyUsageServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
554 oidExtKeyUsageClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
555 oidExtKeyUsageCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
556 oidExtKeyUsageEmailProtection = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
557 oidExtKeyUsageIPSECEndSystem = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
558 oidExtKeyUsageIPSECTunnel = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
559 oidExtKeyUsageIPSECUser = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
560 oidExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
561 oidExtKeyUsageOCSPSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
562 oidExtKeyUsageMicrosoftServerGatedCrypto = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
563 oidExtKeyUsageNetscapeServerGatedCrypto = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
564 oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
565 oidExtKeyUsageMicrosoftKernelCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
568 // ExtKeyUsage represents an extended set of actions that are valid for a given key.
569 // Each of the ExtKeyUsage* constants define a unique action.
573 ExtKeyUsageAny ExtKeyUsage = iota
574 ExtKeyUsageServerAuth
575 ExtKeyUsageClientAuth
576 ExtKeyUsageCodeSigning
577 ExtKeyUsageEmailProtection
578 ExtKeyUsageIPSECEndSystem
579 ExtKeyUsageIPSECTunnel
581 ExtKeyUsageTimeStamping
582 ExtKeyUsageOCSPSigning
583 ExtKeyUsageMicrosoftServerGatedCrypto
584 ExtKeyUsageNetscapeServerGatedCrypto
585 ExtKeyUsageMicrosoftCommercialCodeSigning
586 ExtKeyUsageMicrosoftKernelCodeSigning
589 // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
590 var extKeyUsageOIDs = []struct {
591 extKeyUsage ExtKeyUsage
592 oid asn1.ObjectIdentifier
594 {ExtKeyUsageAny, oidExtKeyUsageAny},
595 {ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
596 {ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
597 {ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
598 {ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
599 {ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
600 {ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
601 {ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
602 {ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
603 {ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
604 {ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
605 {ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
606 {ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
607 {ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
610 func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
611 for _, pair := range extKeyUsageOIDs {
612 if oid.Equal(pair.oid) {
613 return pair.extKeyUsage, true
619 func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
620 for _, pair := range extKeyUsageOIDs {
621 if eku == pair.extKeyUsage {
622 return pair.oid, true
628 // A Certificate represents an X.509 certificate.
629 type Certificate struct {
630 Raw []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
631 RawTBSCertificate []byte // Certificate part of raw ASN.1 DER content.
632 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
633 RawSubject []byte // DER encoded Subject
634 RawIssuer []byte // DER encoded Issuer
637 SignatureAlgorithm SignatureAlgorithm
639 PublicKeyAlgorithm PublicKeyAlgorithm
640 PublicKey interface{}
643 SerialNumber *big.Int
646 NotBefore, NotAfter time.Time // Validity bounds.
649 // Extensions contains raw X.509 extensions. When parsing certificates,
650 // this can be used to extract non-critical extensions that are not
651 // parsed by this package. When marshaling certificates, the Extensions
652 // field is ignored, see ExtraExtensions.
653 Extensions []pkix.Extension
655 // ExtraExtensions contains extensions to be copied, raw, into any
656 // marshaled certificates. Values override any extensions that would
657 // otherwise be produced based on the other fields. The ExtraExtensions
658 // field is not populated when parsing certificates, see Extensions.
659 ExtraExtensions []pkix.Extension
661 // UnhandledCriticalExtensions contains a list of extension IDs that
662 // were not (fully) processed when parsing. Verify will fail if this
663 // slice is non-empty, unless verification is delegated to an OS
664 // library which understands all the critical extensions.
666 // Users can access these extensions using Extensions and can remove
667 // elements from this slice if they believe that they have been
669 UnhandledCriticalExtensions []asn1.ObjectIdentifier
671 ExtKeyUsage []ExtKeyUsage // Sequence of extended key usages.
672 UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.
674 // BasicConstraintsValid indicates whether IsCA, MaxPathLen,
675 // and MaxPathLenZero are valid.
676 BasicConstraintsValid bool
679 // MaxPathLen and MaxPathLenZero indicate the presence and
680 // value of the BasicConstraints' "pathLenConstraint".
682 // When parsing a certificate, a positive non-zero MaxPathLen
683 // means that the field was specified, -1 means it was unset,
684 // and MaxPathLenZero being true mean that the field was
685 // explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
686 // should be treated equivalent to -1 (unset).
688 // When generating a certificate, an unset pathLenConstraint
689 // can be requested with either MaxPathLen == -1 or using the
690 // zero value for both MaxPathLen and MaxPathLenZero.
692 // MaxPathLenZero indicates that BasicConstraintsValid==true
693 // and MaxPathLen==0 should be interpreted as an actual
694 // maximum path length of zero. Otherwise, that combination is
695 // interpreted as MaxPathLen not being set.
699 AuthorityKeyId []byte
701 // RFC 5280, 4.2.2.1 (Authority Information Access)
703 IssuingCertificateURL []string
705 // Subject Alternate Name values. (Note that these values may not be valid
706 // if invalid values were contained within a parsed certificate. For
707 // example, an element of DNSNames may not be a valid DNS domain name.)
709 EmailAddresses []string
714 PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
715 PermittedDNSDomains []string
716 ExcludedDNSDomains []string
717 PermittedIPRanges []*net.IPNet
718 ExcludedIPRanges []*net.IPNet
719 PermittedEmailAddresses []string
720 ExcludedEmailAddresses []string
721 PermittedURIDomains []string
722 ExcludedURIDomains []string
724 // CRL Distribution Points
725 CRLDistributionPoints []string
727 PolicyIdentifiers []asn1.ObjectIdentifier
730 // ErrUnsupportedAlgorithm results from attempting to perform an operation that
731 // involves algorithms that are not currently implemented.
732 var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
734 // An InsecureAlgorithmError
735 type InsecureAlgorithmError SignatureAlgorithm
737 func (e InsecureAlgorithmError) Error() string {
738 return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e))
741 // ConstraintViolationError results when a requested usage is not permitted by
742 // a certificate. For example: checking a signature when the public key isn't a
743 // certificate signing key.
744 type ConstraintViolationError struct{}
746 func (ConstraintViolationError) Error() string {
747 return "x509: invalid signature: parent certificate cannot sign this kind of certificate"
750 func (c *Certificate) Equal(other *Certificate) bool {
751 if c == nil || other == nil {
754 return bytes.Equal(c.Raw, other.Raw)
757 func (c *Certificate) hasSANExtension() bool {
758 return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
761 // CheckSignatureFrom verifies that the signature on c is a valid signature
763 func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
764 // RFC 5280, 4.2.1.9:
765 // "If the basic constraints extension is not present in a version 3
766 // certificate, or the extension is present but the cA boolean is not
767 // asserted, then the certified public key MUST NOT be used to verify
768 // certificate signatures."
769 if parent.Version == 3 && !parent.BasicConstraintsValid ||
770 parent.BasicConstraintsValid && !parent.IsCA {
771 return ConstraintViolationError{}
774 if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
775 return ConstraintViolationError{}
778 if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
779 return ErrUnsupportedAlgorithm
782 // TODO(agl): don't ignore the path length constraint.
784 return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
787 // CheckSignature verifies that signature is a valid signature over signed from
789 func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
790 return checkSignature(algo, signed, signature, c.PublicKey)
793 func (c *Certificate) hasNameConstraints() bool {
794 return oidInExtensions(oidExtensionNameConstraints, c.Extensions)
797 func (c *Certificate) getSANExtension() []byte {
798 for _, e := range c.Extensions {
799 if e.Id.Equal(oidExtensionSubjectAltName) {
806 func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
807 return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
810 // CheckSignature verifies that signature is a valid signature over signed from
811 // a crypto.PublicKey.
812 func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
813 var hashType crypto.Hash
814 var pubKeyAlgo PublicKeyAlgorithm
816 for _, details := range signatureAlgorithmDetails {
817 if details.algo == algo {
818 hashType = details.hash
819 pubKeyAlgo = details.pubKeyAlgo
825 if pubKeyAlgo != Ed25519 {
826 return ErrUnsupportedAlgorithm
829 return InsecureAlgorithmError(algo)
831 if !hashType.Available() {
832 return ErrUnsupportedAlgorithm
839 switch pub := publicKey.(type) {
841 if pubKeyAlgo != RSA {
842 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
845 return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
847 return rsa.VerifyPKCS1v15(pub, hashType, signed, signature)
849 case *ecdsa.PublicKey:
850 if pubKeyAlgo != ECDSA {
851 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
853 if !ecdsa.VerifyASN1(pub, signed, signature) {
854 return errors.New("x509: ECDSA verification failure")
857 case ed25519.PublicKey:
858 if pubKeyAlgo != Ed25519 {
859 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
861 if !ed25519.Verify(pub, signed, signature) {
862 return errors.New("x509: Ed25519 verification failure")
866 return ErrUnsupportedAlgorithm
869 // CheckCRLSignature checks that the signature in crl is from c.
870 func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error {
871 algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm)
872 return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign())
875 type UnhandledCriticalExtension struct{}
877 func (h UnhandledCriticalExtension) Error() string {
878 return "x509: unhandled critical extension"
881 type basicConstraints struct {
882 IsCA bool `asn1:"optional"`
883 MaxPathLen int `asn1:"optional,default:-1"`
887 type policyInformation struct {
888 Policy asn1.ObjectIdentifier
889 // policyQualifiers omitted
900 type authorityInfoAccess struct {
901 Method asn1.ObjectIdentifier
902 Location asn1.RawValue
905 // RFC 5280, 4.2.1.14
906 type distributionPoint struct {
907 DistributionPoint distributionPointName `asn1:"optional,tag:0"`
908 Reason asn1.BitString `asn1:"optional,tag:1"`
909 CRLIssuer asn1.RawValue `asn1:"optional,tag:2"`
912 type distributionPointName struct {
913 FullName []asn1.RawValue `asn1:"optional,tag:0"`
914 RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
917 func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
918 asn1Data := keyData.PublicKey.RightAlign()
921 // RSA public keys must have a NULL in the parameters.
922 // See RFC 3279, Section 2.3.1.
923 if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) {
924 return nil, errors.New("x509: RSA key missing NULL parameters")
927 p := new(pkcs1PublicKey)
928 rest, err := asn1.Unmarshal(asn1Data, p)
933 return nil, errors.New("x509: trailing data after RSA public key")
937 return nil, errors.New("x509: RSA modulus is not a positive number")
940 return nil, errors.New("x509: RSA public exponent is not a positive number")
943 pub := &rsa.PublicKey{
950 rest, err := asn1.Unmarshal(asn1Data, &p)
955 return nil, errors.New("x509: trailing data after DSA public key")
957 paramsData := keyData.Algorithm.Parameters.FullBytes
958 params := new(dsaAlgorithmParameters)
959 rest, err = asn1.Unmarshal(paramsData, params)
964 return nil, errors.New("x509: trailing data after DSA parameters")
966 if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0 || params.G.Sign() <= 0 {
967 return nil, errors.New("x509: zero or negative DSA parameter")
969 pub := &dsa.PublicKey{
970 Parameters: dsa.Parameters{
979 paramsData := keyData.Algorithm.Parameters.FullBytes
980 namedCurveOID := new(asn1.ObjectIdentifier)
981 rest, err := asn1.Unmarshal(paramsData, namedCurveOID)
983 return nil, errors.New("x509: failed to parse ECDSA parameters as named curve")
986 return nil, errors.New("x509: trailing data after ECDSA parameters")
988 namedCurve := namedCurveFromOID(*namedCurveOID)
989 if namedCurve == nil {
990 return nil, errors.New("x509: unsupported elliptic curve")
992 x, y := elliptic.Unmarshal(namedCurve, asn1Data)
994 return nil, errors.New("x509: failed to unmarshal elliptic curve point")
996 pub := &ecdsa.PublicKey{
1003 // RFC 8410, Section 3
1004 // > For all of the OIDs, the parameters MUST be absent.
1005 if len(keyData.Algorithm.Parameters.FullBytes) != 0 {
1006 return nil, errors.New("x509: Ed25519 key encoded with illegal parameters")
1008 if len(asn1Data) != ed25519.PublicKeySize {
1009 return nil, errors.New("x509: wrong Ed25519 public key size")
1011 pub := make([]byte, ed25519.PublicKeySize)
1013 return ed25519.PublicKey(pub), nil
1019 func forEachSAN(extension []byte, callback func(tag int, data []byte) error) error {
1020 // RFC 5280, 4.2.1.6
1022 // SubjectAltName ::= GeneralNames
1024 // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
1026 // GeneralName ::= CHOICE {
1027 // otherName [0] OtherName,
1028 // rfc822Name [1] IA5String,
1029 // dNSName [2] IA5String,
1030 // x400Address [3] ORAddress,
1031 // directoryName [4] Name,
1032 // ediPartyName [5] EDIPartyName,
1033 // uniformResourceIdentifier [6] IA5String,
1034 // iPAddress [7] OCTET STRING,
1035 // registeredID [8] OBJECT IDENTIFIER }
1036 var seq asn1.RawValue
1037 rest, err := asn1.Unmarshal(extension, &seq)
1040 } else if len(rest) != 0 {
1041 return errors.New("x509: trailing data after X.509 extension")
1043 if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
1044 return asn1.StructuralError{Msg: "bad SAN sequence"}
1050 rest, err = asn1.Unmarshal(rest, &v)
1055 if err := callback(v.Tag, v.Bytes); err != nil {
1063 func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) {
1064 err = forEachSAN(value, func(tag int, data []byte) error {
1067 email := string(data)
1068 if err := isIA5String(email); err != nil {
1069 return errors.New("x509: SAN rfc822Name is malformed")
1071 emailAddresses = append(emailAddresses, email)
1073 name := string(data)
1074 if err := isIA5String(name); err != nil {
1075 return errors.New("x509: SAN dNSName is malformed")
1077 dnsNames = append(dnsNames, string(name))
1079 uriStr := string(data)
1080 if err := isIA5String(uriStr); err != nil {
1081 return errors.New("x509: SAN uniformResourceIdentifier is malformed")
1083 uri, err := url.Parse(uriStr)
1085 return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err)
1087 if len(uri.Host) > 0 {
1088 if _, ok := domainToReverseLabels(uri.Host); !ok {
1089 return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr)
1092 uris = append(uris, uri)
1095 case net.IPv4len, net.IPv6len:
1096 ipAddresses = append(ipAddresses, data)
1098 return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data)))
1108 // isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.
1109 func isValidIPMask(mask []byte) bool {
1112 for _, b := range mask {
1122 case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe:
1133 func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) {
1134 // RFC 5280, 4.2.1.10
1136 // NameConstraints ::= SEQUENCE {
1137 // permittedSubtrees [0] GeneralSubtrees OPTIONAL,
1138 // excludedSubtrees [1] GeneralSubtrees OPTIONAL }
1140 // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
1142 // GeneralSubtree ::= SEQUENCE {
1143 // base GeneralName,
1144 // minimum [0] BaseDistance DEFAULT 0,
1145 // maximum [1] BaseDistance OPTIONAL }
1147 // BaseDistance ::= INTEGER (0..MAX)
1149 outer := cryptobyte.String(e.Value)
1150 var toplevel, permitted, excluded cryptobyte.String
1151 var havePermitted, haveExcluded bool
1152 if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) ||
1154 !toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) ||
1155 !toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) ||
1157 return false, errors.New("x509: invalid NameConstraints extension")
1160 if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 {
1161 // From RFC 5280, Section 4.2.1.10:
1162 // “either the permittedSubtrees field
1163 // or the excludedSubtrees MUST be
1165 return false, errors.New("x509: empty name constraints extension")
1168 getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) {
1169 for !subtrees.Empty() {
1170 var seq, value cryptobyte.String
1171 var tag cryptobyte_asn1.Tag
1172 if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) ||
1173 !seq.ReadAnyASN1(&value, &tag) {
1174 return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension")
1178 dnsTag = cryptobyte_asn1.Tag(2).ContextSpecific()
1179 emailTag = cryptobyte_asn1.Tag(1).ContextSpecific()
1180 ipTag = cryptobyte_asn1.Tag(7).ContextSpecific()
1181 uriTag = cryptobyte_asn1.Tag(6).ContextSpecific()
1186 domain := string(value)
1187 if err := isIA5String(domain); err != nil {
1188 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
1191 trimmedDomain := domain
1192 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
1193 // constraints can have a leading
1194 // period to exclude the domain
1195 // itself, but that's not valid in a
1196 // normal domain name.
1197 trimmedDomain = trimmedDomain[1:]
1199 if _, ok := domainToReverseLabels(trimmedDomain); !ok {
1200 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
1202 dnsNames = append(dnsNames, domain)
1218 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l)
1221 if !isValidIPMask(mask) {
1222 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask)
1225 ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)})
1228 constraint := string(value)
1229 if err := isIA5String(constraint); err != nil {
1230 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
1233 // If the constraint contains an @ then
1234 // it specifies an exact mailbox name.
1235 if strings.Contains(constraint, "@") {
1236 if _, ok := parseRFC2821Mailbox(constraint); !ok {
1237 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
1240 // Otherwise it's a domain name.
1241 domain := constraint
1242 if len(domain) > 0 && domain[0] == '.' {
1245 if _, ok := domainToReverseLabels(domain); !ok {
1246 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
1249 emails = append(emails, constraint)
1252 domain := string(value)
1253 if err := isIA5String(domain); err != nil {
1254 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
1257 if net.ParseIP(domain) != nil {
1258 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
1261 trimmedDomain := domain
1262 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
1263 // constraints can have a leading
1264 // period to exclude the domain itself,
1265 // but that's not valid in a normal
1267 trimmedDomain = trimmedDomain[1:]
1269 if _, ok := domainToReverseLabels(trimmedDomain); !ok {
1270 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
1272 uriDomains = append(uriDomains, domain)
1279 return dnsNames, ips, emails, uriDomains, nil
1282 if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil {
1285 if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil {
1288 out.PermittedDNSDomainsCritical = e.Critical
1290 return unhandled, nil
1293 func parseCertificate(in *certificate) (*Certificate, error) {
1294 out := new(Certificate)
1296 out.RawTBSCertificate = in.TBSCertificate.Raw
1297 out.RawSubjectPublicKeyInfo = in.TBSCertificate.PublicKey.Raw
1298 out.RawSubject = in.TBSCertificate.Subject.FullBytes
1299 out.RawIssuer = in.TBSCertificate.Issuer.FullBytes
1301 out.Signature = in.SignatureValue.RightAlign()
1302 out.SignatureAlgorithm =
1303 getSignatureAlgorithmFromAI(in.TBSCertificate.SignatureAlgorithm)
1305 out.PublicKeyAlgorithm =
1306 getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorithm.Algorithm)
1308 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey)
1313 out.Version = in.TBSCertificate.Version + 1
1314 out.SerialNumber = in.TBSCertificate.SerialNumber
1316 var issuer, subject pkix.RDNSequence
1317 if rest, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subject); err != nil {
1319 } else if len(rest) != 0 {
1320 return nil, errors.New("x509: trailing data after X.509 subject")
1322 if rest, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer); err != nil {
1324 } else if len(rest) != 0 {
1325 return nil, errors.New("x509: trailing data after X.509 issuer")
1328 out.Issuer.FillFromRDNSequence(&issuer)
1329 out.Subject.FillFromRDNSequence(&subject)
1331 out.NotBefore = in.TBSCertificate.Validity.NotBefore
1332 out.NotAfter = in.TBSCertificate.Validity.NotAfter
1334 for _, e := range in.TBSCertificate.Extensions {
1335 out.Extensions = append(out.Extensions, e)
1338 if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 {
1341 out.KeyUsage, err = parseKeyUsageExtension(e.Value)
1346 out.IsCA, out.MaxPathLen, err = parseBasicConstraintsExtension(e.Value)
1350 out.BasicConstraintsValid = true
1351 out.MaxPathLenZero = out.MaxPathLen == 0
1353 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value)
1358 if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 {
1359 // If we didn't parse anything then we do the critical check, below.
1364 unhandled, err = parseNameConstraintsExtension(out, e)
1370 // RFC 5280, 4.2.1.13
1372 // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
1374 // DistributionPoint ::= SEQUENCE {
1375 // distributionPoint [0] DistributionPointName OPTIONAL,
1376 // reasons [1] ReasonFlags OPTIONAL,
1377 // cRLIssuer [2] GeneralNames OPTIONAL }
1379 // DistributionPointName ::= CHOICE {
1380 // fullName [0] GeneralNames,
1381 // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
1383 var cdp []distributionPoint
1384 if rest, err := asn1.Unmarshal(e.Value, &cdp); err != nil {
1386 } else if len(rest) != 0 {
1387 return nil, errors.New("x509: trailing data after X.509 CRL distribution point")
1390 for _, dp := range cdp {
1391 // Per RFC 5280, 4.2.1.13, one of distributionPoint or cRLIssuer may be empty.
1392 if len(dp.DistributionPoint.FullName) == 0 {
1396 for _, fullName := range dp.DistributionPoint.FullName {
1397 if fullName.Tag == 6 {
1398 out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(fullName.Bytes))
1404 // RFC 5280, 4.2.1.1
1406 if rest, err := asn1.Unmarshal(e.Value, &a); err != nil {
1408 } else if len(rest) != 0 {
1409 return nil, errors.New("x509: trailing data after X.509 authority key-id")
1411 out.AuthorityKeyId = a.Id
1414 out.ExtKeyUsage, out.UnknownExtKeyUsage, err = parseExtKeyUsageExtension(e.Value)
1419 out.SubjectKeyId, err = parseSubjectKeyIdExtension(e.Value)
1424 out.PolicyIdentifiers, err = parseCertificatePoliciesExtension(e.Value)
1429 // Unknown extensions are recorded if critical.
1432 } else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
1433 // RFC 5280 4.2.2.1: Authority Information Access
1434 var aia []authorityInfoAccess
1435 if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil {
1437 } else if len(rest) != 0 {
1438 return nil, errors.New("x509: trailing data after X.509 authority information")
1441 for _, v := range aia {
1442 // GeneralName: uniformResourceIdentifier [6] IA5String
1443 if v.Location.Tag != 6 {
1446 if v.Method.Equal(oidAuthorityInfoAccessOcsp) {
1447 out.OCSPServer = append(out.OCSPServer, string(v.Location.Bytes))
1448 } else if v.Method.Equal(oidAuthorityInfoAccessIssuers) {
1449 out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(v.Location.Bytes))
1453 // Unknown extensions are recorded if critical.
1457 if e.Critical && unhandled {
1458 out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id)
1465 // parseKeyUsageExtension parses id-ce-keyUsage (2.5.29.15) from RFC 5280
1467 func parseKeyUsageExtension(ext []byte) (KeyUsage, error) {
1468 var usageBits asn1.BitString
1469 if rest, err := asn1.Unmarshal(ext, &usageBits); err != nil {
1471 } else if len(rest) != 0 {
1472 return 0, errors.New("x509: trailing data after X.509 KeyUsage")
1476 for i := 0; i < 9; i++ {
1477 if usageBits.At(i) != 0 {
1478 usage |= 1 << uint(i)
1481 return KeyUsage(usage), nil
1484 // parseBasicConstraintsExtension parses id-ce-basicConstraints (2.5.29.19)
1485 // from RFC 5280 Section 4.2.1.9
1486 func parseBasicConstraintsExtension(ext []byte) (isCA bool, maxPathLen int, err error) {
1487 var constraints basicConstraints
1488 if rest, err := asn1.Unmarshal(ext, &constraints); err != nil {
1489 return false, 0, err
1490 } else if len(rest) != 0 {
1491 return false, 0, errors.New("x509: trailing data after X.509 BasicConstraints")
1494 // TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285)
1495 return constraints.IsCA, constraints.MaxPathLen, nil
1498 // parseExtKeyUsageExtension parses id-ce-extKeyUsage (2.5.29.37) from
1499 // RFC 5280 Section 4.2.1.12
1500 func parseExtKeyUsageExtension(ext []byte) ([]ExtKeyUsage, []asn1.ObjectIdentifier, error) {
1501 var keyUsage []asn1.ObjectIdentifier
1502 if rest, err := asn1.Unmarshal(ext, &keyUsage); err != nil {
1503 return nil, nil, err
1504 } else if len(rest) != 0 {
1505 return nil, nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage")
1508 var extKeyUsages []ExtKeyUsage
1509 var unknownUsages []asn1.ObjectIdentifier
1510 for _, u := range keyUsage {
1511 if extKeyUsage, ok := extKeyUsageFromOID(u); ok {
1512 extKeyUsages = append(extKeyUsages, extKeyUsage)
1514 unknownUsages = append(unknownUsages, u)
1517 return extKeyUsages, unknownUsages, nil
1520 // parseSubjectKeyIdExtension parses id-ce-subjectKeyIdentifier (2.5.29.14)
1521 // from RFC 5280 Section 4.2.1.2
1522 func parseSubjectKeyIdExtension(ext []byte) ([]byte, error) {
1524 if rest, err := asn1.Unmarshal(ext, &keyid); err != nil {
1526 } else if len(rest) != 0 {
1527 return nil, errors.New("x509: trailing data after X.509 key-id")
1532 func parseCertificatePoliciesExtension(ext []byte) ([]asn1.ObjectIdentifier, error) {
1533 var policies []policyInformation
1534 if rest, err := asn1.Unmarshal(ext, &policies); err != nil {
1536 } else if len(rest) != 0 {
1537 return nil, errors.New("x509: trailing data after X.509 certificate policies")
1539 oids := make([]asn1.ObjectIdentifier, len(policies))
1540 for i, policy := range policies {
1541 oids[i] = policy.Policy
1546 // ParseCertificate parses a single certificate from the given ASN.1 DER data.
1547 func ParseCertificate(asn1Data []byte) (*Certificate, error) {
1548 var cert certificate
1549 rest, err := asn1.Unmarshal(asn1Data, &cert)
1554 return nil, asn1.SyntaxError{Msg: "trailing data"}
1557 return parseCertificate(&cert)
1560 // ParseCertificates parses one or more certificates from the given ASN.1 DER
1561 // data. The certificates must be concatenated with no intermediate padding.
1562 func ParseCertificates(asn1Data []byte) ([]*Certificate, error) {
1563 var v []*certificate
1565 for len(asn1Data) > 0 {
1566 cert := new(certificate)
1568 asn1Data, err = asn1.Unmarshal(asn1Data, cert)
1575 ret := make([]*Certificate, len(v))
1576 for i, ci := range v {
1577 cert, err := parseCertificate(ci)
1587 func reverseBitsInAByte(in byte) byte {
1589 b2 := b1>>2&0x33 | b1<<2&0xcc
1590 b3 := b2>>1&0x55 | b2<<1&0xaa
1594 // asn1BitLength returns the bit-length of bitString by considering the
1595 // most-significant bit in a byte to be the "first" bit. This convention
1596 // matches ASN.1, but differs from almost everything else.
1597 func asn1BitLength(bitString []byte) int {
1598 bitLen := len(bitString) * 8
1600 for i := range bitString {
1601 b := bitString[len(bitString)-i-1]
1603 for bit := uint(0); bit < 8; bit++ {
1604 if (b>>bit)&1 == 1 {
1615 oidExtensionSubjectKeyId = []int{2, 5, 29, 14}
1616 oidExtensionKeyUsage = []int{2, 5, 29, 15}
1617 oidExtensionExtendedKeyUsage = []int{2, 5, 29, 37}
1618 oidExtensionAuthorityKeyId = []int{2, 5, 29, 35}
1619 oidExtensionBasicConstraints = []int{2, 5, 29, 19}
1620 oidExtensionSubjectAltName = []int{2, 5, 29, 17}
1621 oidExtensionCertificatePolicies = []int{2, 5, 29, 32}
1622 oidExtensionNameConstraints = []int{2, 5, 29, 30}
1623 oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31}
1624 oidExtensionAuthorityInfoAccess = []int{1, 3, 6, 1, 5, 5, 7, 1, 1}
1625 oidExtensionCRLNumber = []int{2, 5, 29, 20}
1629 oidAuthorityInfoAccessOcsp = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
1630 oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
1633 // oidNotInExtensions reports whether an extension with the given oid exists in
1635 func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool {
1636 for _, e := range extensions {
1637 if e.Id.Equal(oid) {
1644 // marshalSANs marshals a list of addresses into a the contents of an X.509
1645 // SubjectAlternativeName extension.
1646 func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) {
1647 var rawValues []asn1.RawValue
1648 for _, name := range dnsNames {
1649 if err := isIA5String(name); err != nil {
1652 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)})
1654 for _, email := range emailAddresses {
1655 if err := isIA5String(email); err != nil {
1658 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)})
1660 for _, rawIP := range ipAddresses {
1661 // If possible, we always want to encode IPv4 addresses in 4 bytes.
1666 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip})
1668 for _, uri := range uris {
1669 uriStr := uri.String()
1670 if err := isIA5String(uriStr); err != nil {
1673 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uriStr)})
1675 return asn1.Marshal(rawValues)
1678 func isIA5String(s string) error {
1679 for _, r := range s {
1680 // Per RFC5280 "IA5String is limited to the set of ASCII characters"
1681 if r > unicode.MaxASCII {
1682 return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
1689 func buildCertExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte, subjectKeyId []byte) (ret []pkix.Extension, err error) {
1690 ret = make([]pkix.Extension, 10 /* maximum number of elements. */)
1693 if template.KeyUsage != 0 &&
1694 !oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
1695 ret[n], err = marshalKeyUsage(template.KeyUsage)
1702 if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
1703 !oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
1704 ret[n], err = marshalExtKeyUsage(template.ExtKeyUsage, template.UnknownExtKeyUsage)
1711 if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) {
1712 ret[n], err = marshalBasicConstraints(template.IsCA, template.MaxPathLen, template.MaxPathLenZero)
1719 if len(subjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) {
1720 ret[n].Id = oidExtensionSubjectKeyId
1721 ret[n].Value, err = asn1.Marshal(subjectKeyId)
1728 if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {
1729 ret[n].Id = oidExtensionAuthorityKeyId
1730 ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId})
1737 if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
1738 !oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) {
1739 ret[n].Id = oidExtensionAuthorityInfoAccess
1740 var aiaValues []authorityInfoAccess
1741 for _, name := range template.OCSPServer {
1742 aiaValues = append(aiaValues, authorityInfoAccess{
1743 Method: oidAuthorityInfoAccessOcsp,
1744 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
1747 for _, name := range template.IssuingCertificateURL {
1748 aiaValues = append(aiaValues, authorityInfoAccess{
1749 Method: oidAuthorityInfoAccessIssuers,
1750 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
1753 ret[n].Value, err = asn1.Marshal(aiaValues)
1760 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
1761 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
1762 ret[n].Id = oidExtensionSubjectAltName
1763 // From RFC 5280, Section 4.2.1.6:
1764 // “If the subject field contains an empty sequence ... then
1765 // subjectAltName extension ... is marked as critical”
1766 ret[n].Critical = subjectIsEmpty
1767 ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
1774 if len(template.PolicyIdentifiers) > 0 &&
1775 !oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) {
1776 ret[n], err = marshalCertificatePolicies(template.PolicyIdentifiers)
1783 if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 ||
1784 len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 ||
1785 len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 ||
1786 len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) &&
1787 !oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
1788 ret[n].Id = oidExtensionNameConstraints
1789 ret[n].Critical = template.PermittedDNSDomainsCritical
1791 ipAndMask := func(ipNet *net.IPNet) []byte {
1792 maskedIP := ipNet.IP.Mask(ipNet.Mask)
1793 ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
1794 ipAndMask = append(ipAndMask, maskedIP...)
1795 ipAndMask = append(ipAndMask, ipNet.Mask...)
1799 serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) {
1800 var b cryptobyte.Builder
1802 for _, name := range dns {
1803 if err = isIA5String(name); err != nil {
1807 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1808 b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) {
1809 b.AddBytes([]byte(name))
1814 for _, ipNet := range ips {
1815 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1816 b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) {
1817 b.AddBytes(ipAndMask(ipNet))
1822 for _, email := range emails {
1823 if err = isIA5String(email); err != nil {
1827 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1828 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) {
1829 b.AddBytes([]byte(email))
1834 for _, uriDomain := range uriDomains {
1835 if err = isIA5String(uriDomain); err != nil {
1839 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1840 b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) {
1841 b.AddBytes([]byte(uriDomain))
1849 permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains)
1854 excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains)
1859 var b cryptobyte.Builder
1860 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1861 if len(permitted) > 0 {
1862 b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
1863 b.AddBytes(permitted)
1867 if len(excluded) > 0 {
1868 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
1869 b.AddBytes(excluded)
1874 ret[n].Value, err = b.Bytes()
1881 if len(template.CRLDistributionPoints) > 0 &&
1882 !oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) {
1883 ret[n].Id = oidExtensionCRLDistributionPoints
1885 var crlDp []distributionPoint
1886 for _, name := range template.CRLDistributionPoints {
1887 dp := distributionPoint{
1888 DistributionPoint: distributionPointName{
1889 FullName: []asn1.RawValue{
1890 {Tag: 6, Class: 2, Bytes: []byte(name)},
1894 crlDp = append(crlDp, dp)
1897 ret[n].Value, err = asn1.Marshal(crlDp)
1904 // Adding another extension here? Remember to update the maximum number
1905 // of elements in the make() at the top of the function and the list of
1906 // template fields used in CreateCertificate documentation.
1908 return append(ret[:n], template.ExtraExtensions...), nil
1911 func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error) {
1912 ext := pkix.Extension{Id: oidExtensionKeyUsage, Critical: true}
1915 a[0] = reverseBitsInAByte(byte(ku))
1916 a[1] = reverseBitsInAByte(byte(ku >> 8))
1925 ext.Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)})
1932 func marshalExtKeyUsage(extUsages []ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) {
1933 ext := pkix.Extension{Id: oidExtensionExtendedKeyUsage}
1935 oids := make([]asn1.ObjectIdentifier, len(extUsages)+len(unknownUsages))
1936 for i, u := range extUsages {
1937 if oid, ok := oidFromExtKeyUsage(u); ok {
1940 return ext, errors.New("x509: unknown extended key usage")
1944 copy(oids[len(extUsages):], unknownUsages)
1947 ext.Value, err = asn1.Marshal(oids)
1954 func marshalBasicConstraints(isCA bool, maxPathLen int, maxPathLenZero bool) (pkix.Extension, error) {
1955 ext := pkix.Extension{Id: oidExtensionBasicConstraints, Critical: true}
1956 // Leaving MaxPathLen as zero indicates that no maximum path
1957 // length is desired, unless MaxPathLenZero is set. A value of
1958 // -1 causes encoding/asn1 to omit the value as desired.
1959 if maxPathLen == 0 && !maxPathLenZero {
1963 ext.Value, err = asn1.Marshal(basicConstraints{isCA, maxPathLen})
1970 func marshalCertificatePolicies(policyIdentifiers []asn1.ObjectIdentifier) (pkix.Extension, error) {
1971 ext := pkix.Extension{Id: oidExtensionCertificatePolicies}
1972 policies := make([]policyInformation, len(policyIdentifiers))
1973 for i, policy := range policyIdentifiers {
1974 policies[i].Policy = policy
1977 ext.Value, err = asn1.Marshal(policies)
1984 func buildCSRExtensions(template *CertificateRequest) ([]pkix.Extension, error) {
1985 var ret []pkix.Extension
1987 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
1988 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
1989 sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
1994 ret = append(ret, pkix.Extension{
1995 Id: oidExtensionSubjectAltName,
2000 if template.KeyUsage != 0 &&
2001 !oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
2002 ext, err := marshalKeyUsage(template.KeyUsage)
2006 ret = append(ret, ext)
2009 return append(ret, template.ExtraExtensions...), nil
2012 func subjectBytes(cert *Certificate) ([]byte, error) {
2013 if len(cert.RawSubject) > 0 {
2014 return cert.RawSubject, nil
2017 return asn1.Marshal(cert.Subject.ToRDNSequence())
2020 // signingParamsForPublicKey returns the parameters to use for signing with
2021 // priv. If requestedSigAlgo is not zero then it overrides the default
2022 // signature algorithm.
2023 func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
2024 var pubType PublicKeyAlgorithm
2026 switch pub := pub.(type) {
2027 case *rsa.PublicKey:
2029 hashFunc = crypto.SHA256
2030 sigAlgo.Algorithm = oidSignatureSHA256WithRSA
2031 sigAlgo.Parameters = asn1.NullRawValue
2033 case *ecdsa.PublicKey:
2037 case elliptic.P224(), elliptic.P256():
2038 hashFunc = crypto.SHA256
2039 sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
2040 case elliptic.P384():
2041 hashFunc = crypto.SHA384
2042 sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
2043 case elliptic.P521():
2044 hashFunc = crypto.SHA512
2045 sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
2047 err = errors.New("x509: unknown elliptic curve")
2050 case ed25519.PublicKey:
2052 sigAlgo.Algorithm = oidSignatureEd25519
2055 err = errors.New("x509: only RSA, ECDSA and Ed25519 keys supported")
2062 if requestedSigAlgo == 0 {
2067 for _, details := range signatureAlgorithmDetails {
2068 if details.algo == requestedSigAlgo {
2069 if details.pubKeyAlgo != pubType {
2070 err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
2073 sigAlgo.Algorithm, hashFunc = details.oid, details.hash
2074 if hashFunc == 0 && pubType != Ed25519 {
2075 err = errors.New("x509: cannot sign with hash function requested")
2078 if requestedSigAlgo.isRSAPSS() {
2079 sigAlgo.Parameters = hashToPSSParameters[hashFunc]
2087 err = errors.New("x509: unknown SignatureAlgorithm")
2093 // emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is
2094 // just an empty SEQUENCE.
2095 var emptyASN1Subject = []byte{0x30, 0}
2097 // CreateCertificate creates a new X.509v3 certificate based on a template.
2098 // The following members of template are used:
2101 // - BasicConstraintsValid
2102 // - CRLDistributionPoints
2105 // - ExcludedDNSDomains
2106 // - ExcludedEmailAddresses
2107 // - ExcludedIPRanges
2108 // - ExcludedURIDomains
2110 // - ExtraExtensions
2113 // - IssuingCertificateURL
2120 // - PermittedDNSDomains
2121 // - PermittedDNSDomainsCritical
2122 // - PermittedEmailAddresses
2123 // - PermittedIPRanges
2124 // - PermittedURIDomains
2125 // - PolicyIdentifiers
2127 // - SignatureAlgorithm
2131 // - UnknownExtKeyUsage
2133 // The certificate is signed by parent. If parent is equal to template then the
2134 // certificate is self-signed. The parameter pub is the public key of the
2135 // signee and priv is the private key of the signer.
2137 // The returned slice is the certificate in DER encoding.
2139 // The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and
2140 // ed25519.PublicKey. pub must be a supported key type, and priv must be a
2141 // crypto.Signer with a supported public key.
2143 // The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
2144 // unless the resulting certificate is self-signed. Otherwise the value from
2145 // template will be used.
2147 // If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId
2148 // will be generated from the hash of the public key.
2149 func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) {
2150 key, ok := priv.(crypto.Signer)
2152 return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
2155 if template.SerialNumber == nil {
2156 return nil, errors.New("x509: no SerialNumber given")
2159 if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
2160 return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
2163 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
2168 publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub)
2173 asn1Issuer, err := subjectBytes(parent)
2178 asn1Subject, err := subjectBytes(template)
2183 authorityKeyId := template.AuthorityKeyId
2184 if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 {
2185 authorityKeyId = parent.SubjectKeyId
2188 subjectKeyId := template.SubjectKeyId
2189 if len(subjectKeyId) == 0 && template.IsCA {
2190 // SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2:
2191 // (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
2192 // value of the BIT STRING subjectPublicKey (excluding the tag,
2193 // length, and number of unused bits).
2194 h := sha1.Sum(publicKeyBytes)
2198 extensions, err := buildCertExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId, subjectKeyId)
2203 encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
2204 c := tbsCertificate{
2206 SerialNumber: template.SerialNumber,
2207 SignatureAlgorithm: signatureAlgorithm,
2208 Issuer: asn1.RawValue{FullBytes: asn1Issuer},
2209 Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
2210 Subject: asn1.RawValue{FullBytes: asn1Subject},
2211 PublicKey: publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
2212 Extensions: extensions,
2215 tbsCertContents, err := asn1.Marshal(c)
2219 c.Raw = tbsCertContents
2221 signed := tbsCertContents
2228 var signerOpts crypto.SignerOpts = hashFunc
2229 if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() {
2230 signerOpts = &rsa.PSSOptions{
2231 SaltLength: rsa.PSSSaltLengthEqualsHash,
2236 var signature []byte
2237 signature, err = key.Sign(rand, signed, signerOpts)
2242 signedCert, err := asn1.Marshal(certificate{
2246 asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
2252 // Check the signature to ensure the crypto.Signer behaved correctly.
2253 // We skip this check if the signature algorithm is MD5WithRSA as we
2254 // only support this algorithm for signing, and not verification.
2255 if sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm); sigAlg != MD5WithRSA {
2256 if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil {
2257 return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
2261 return signedCert, nil
2264 // pemCRLPrefix is the magic string that indicates that we have a PEM encoded
2266 var pemCRLPrefix = []byte("-----BEGIN X509 CRL")
2268 // pemType is the type of a PEM encoded CRL.
2269 var pemType = "X509 CRL"
2271 // ParseCRL parses a CRL from the given bytes. It's often the case that PEM
2272 // encoded CRLs will appear where they should be DER encoded, so this function
2273 // will transparently handle PEM encoding as long as there isn't any leading
2275 func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) {
2276 if bytes.HasPrefix(crlBytes, pemCRLPrefix) {
2277 block, _ := pem.Decode(crlBytes)
2278 if block != nil && block.Type == pemType {
2279 crlBytes = block.Bytes
2282 return ParseDERCRL(crlBytes)
2285 // ParseDERCRL parses a DER encoded CRL from the given bytes.
2286 func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) {
2287 certList := new(pkix.CertificateList)
2288 if rest, err := asn1.Unmarshal(derBytes, certList); err != nil {
2290 } else if len(rest) != 0 {
2291 return nil, errors.New("x509: trailing data after CRL")
2293 return certList, nil
2296 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that
2297 // contains the given list of revoked certificates.
2299 // Note: this method does not generate an RFC 5280 conformant X.509 v2 CRL.
2300 // To generate a standards compliant CRL, use CreateRevocationList instead.
2301 func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
2302 key, ok := priv.(crypto.Signer)
2304 return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
2307 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0)
2312 // Force revocation times to UTC per RFC 5280.
2313 revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
2314 for i, rc := range revokedCerts {
2315 rc.RevocationTime = rc.RevocationTime.UTC()
2316 revokedCertsUTC[i] = rc
2319 tbsCertList := pkix.TBSCertificateList{
2321 Signature: signatureAlgorithm,
2322 Issuer: c.Subject.ToRDNSequence(),
2323 ThisUpdate: now.UTC(),
2324 NextUpdate: expiry.UTC(),
2325 RevokedCertificates: revokedCertsUTC,
2329 if len(c.SubjectKeyId) > 0 {
2330 var aki pkix.Extension
2331 aki.Id = oidExtensionAuthorityKeyId
2332 aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId})
2336 tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
2339 tbsCertListContents, err := asn1.Marshal(tbsCertList)
2344 signed := tbsCertListContents
2351 var signature []byte
2352 signature, err = key.Sign(rand, signed, hashFunc)
2357 return asn1.Marshal(pkix.CertificateList{
2358 TBSCertList: tbsCertList,
2359 SignatureAlgorithm: signatureAlgorithm,
2360 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
2364 // CertificateRequest represents a PKCS #10, certificate signature request.
2365 type CertificateRequest struct {
2366 Raw []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
2367 RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
2368 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
2369 RawSubject []byte // DER encoded Subject.
2373 SignatureAlgorithm SignatureAlgorithm
2376 PublicKeyAlgorithm PublicKeyAlgorithm
2377 PublicKey interface{}
2381 // Attributes contains the CSR attributes that can parse as
2382 // pkix.AttributeTypeAndValueSET.
2384 // Deprecated: Use Extensions and ExtraExtensions instead for parsing and
2385 // generating the requestedExtensions attribute.
2386 Attributes []pkix.AttributeTypeAndValueSET
2388 // Extensions contains all requested extensions, in raw form. When parsing
2389 // CSRs, this can be used to extract extensions that are not parsed by this
2391 Extensions []pkix.Extension
2393 // ExtraExtensions contains extensions to be copied, raw, into any CSR
2394 // marshaled by CreateCertificateRequest. Values override any extensions
2395 // that would otherwise be produced based on the other fields but are
2396 // overridden by any extensions specified in Attributes.
2398 // The ExtraExtensions field is not populated by ParseCertificateRequest,
2399 // see Extensions instead.
2400 ExtraExtensions []pkix.Extension
2402 // Subject Alternate Name values.
2404 EmailAddresses []string
2405 IPAddresses []net.IP
2409 // These structures reflect the ASN.1 structure of X.509 certificate
2410 // signature requests (see RFC 2986):
2412 type tbsCertificateRequest struct {
2415 Subject asn1.RawValue
2416 PublicKey publicKeyInfo
2417 RawAttributes []asn1.RawValue `asn1:"tag:0"`
2420 type certificateRequest struct {
2422 TBSCSR tbsCertificateRequest
2423 SignatureAlgorithm pkix.AlgorithmIdentifier
2424 SignatureValue asn1.BitString
2427 // oidExtensionRequest is a PKCS #9 OBJECT IDENTIFIER that indicates requested
2428 // extensions in a CSR.
2429 var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}
2431 // newRawAttributes converts AttributeTypeAndValueSETs from a template
2432 // CertificateRequest's Attributes into tbsCertificateRequest RawAttributes.
2433 func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) {
2434 var rawAttributes []asn1.RawValue
2435 b, err := asn1.Marshal(attributes)
2439 rest, err := asn1.Unmarshal(b, &rawAttributes)
2444 return nil, errors.New("x509: failed to unmarshal raw CSR Attributes")
2446 return rawAttributes, nil
2449 // parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs.
2450 func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET {
2451 var attributes []pkix.AttributeTypeAndValueSET
2452 for _, rawAttr := range rawAttributes {
2453 var attr pkix.AttributeTypeAndValueSET
2454 rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr)
2455 // Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET
2456 // (i.e.: challengePassword or unstructuredName).
2457 if err == nil && len(rest) == 0 {
2458 attributes = append(attributes, attr)
2464 // parseCSRExtensions parses the attributes from a CSR and extracts any
2465 // requested extensions.
2466 func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) {
2467 // pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1.
2468 type pkcs10Attribute struct {
2469 Id asn1.ObjectIdentifier
2470 Values []asn1.RawValue `asn1:"set"`
2473 var ret []pkix.Extension
2474 for _, rawAttr := range rawAttributes {
2475 var attr pkcs10Attribute
2476 if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
2477 // Ignore attributes that don't parse.
2481 if !attr.Id.Equal(oidExtensionRequest) {
2485 var extensions []pkix.Extension
2486 if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
2489 ret = append(ret, extensions...)
2495 // CreateCertificateRequest creates a new certificate request based on a
2496 // template. The following members of template are used:
2498 // - SignatureAlgorithm
2506 // - UnknownExtKeyUsage
2507 // - BasicConstraintsValid
2512 // - PolicyIdentifiers
2513 // - ExtraExtensions
2514 // - Attributes (deprecated)
2516 // priv is the private key to sign the CSR with, and the corresponding public
2517 // key will be included in the CSR. It must implement crypto.Signer and its
2518 // Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a
2519 // ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or
2520 // ed25519.PrivateKey satisfies this.)
2522 // The returned slice is the certificate request in DER encoding.
2523 func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) {
2524 key, ok := priv.(crypto.Signer)
2526 return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
2529 var hashFunc crypto.Hash
2530 var sigAlgo pkix.AlgorithmIdentifier
2531 hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
2536 var publicKeyBytes []byte
2537 var publicKeyAlgorithm pkix.AlgorithmIdentifier
2538 publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public())
2543 extensions, err := buildCSRExtensions(template)
2548 // Make a copy of template.Attributes because we may alter it below.
2549 attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes))
2550 for _, attr := range template.Attributes {
2551 values := make([][]pkix.AttributeTypeAndValue, len(attr.Value))
2552 copy(values, attr.Value)
2553 attributes = append(attributes, pkix.AttributeTypeAndValueSET{
2559 extensionsAppended := false
2560 if len(extensions) > 0 {
2561 // Append the extensions to an existing attribute if possible.
2562 for _, atvSet := range attributes {
2563 if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 {
2567 // specifiedExtensions contains all the extensions that we
2568 // found specified via template.Attributes.
2569 specifiedExtensions := make(map[string]bool)
2571 for _, atvs := range atvSet.Value {
2572 for _, atv := range atvs {
2573 specifiedExtensions[atv.Type.String()] = true
2577 newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions))
2578 newValue = append(newValue, atvSet.Value[0]...)
2580 for _, e := range extensions {
2581 if specifiedExtensions[e.Id.String()] {
2582 // Attributes already contained a value for
2583 // this extension and it takes priority.
2587 newValue = append(newValue, pkix.AttributeTypeAndValue{
2588 // There is no place for the critical
2589 // flag in an AttributeTypeAndValue.
2595 atvSet.Value[0] = newValue
2596 extensionsAppended = true
2601 rawAttributes, err := newRawAttributes(attributes)
2606 // If not included in attributes, add a new attribute for the
2608 if len(extensions) > 0 && !extensionsAppended {
2610 Type asn1.ObjectIdentifier
2611 Value [][]pkix.Extension `asn1:"set"`
2613 Type: oidExtensionRequest,
2614 Value: [][]pkix.Extension{extensions},
2617 b, err := asn1.Marshal(attr)
2619 return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error())
2622 var rawValue asn1.RawValue
2623 if _, err := asn1.Unmarshal(b, &rawValue); err != nil {
2627 rawAttributes = append(rawAttributes, rawValue)
2630 asn1Subject := template.RawSubject
2631 if len(asn1Subject) == 0 {
2632 asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence())
2638 tbsCSR := tbsCertificateRequest{
2639 Version: 0, // PKCS #10, RFC 2986
2640 Subject: asn1.RawValue{FullBytes: asn1Subject},
2641 PublicKey: publicKeyInfo{
2642 Algorithm: publicKeyAlgorithm,
2643 PublicKey: asn1.BitString{
2644 Bytes: publicKeyBytes,
2645 BitLength: len(publicKeyBytes) * 8,
2648 RawAttributes: rawAttributes,
2651 tbsCSRContents, err := asn1.Marshal(tbsCSR)
2655 tbsCSR.Raw = tbsCSRContents
2657 signed := tbsCSRContents
2664 var signature []byte
2665 signature, err = key.Sign(rand, signed, hashFunc)
2670 return asn1.Marshal(certificateRequest{
2672 SignatureAlgorithm: sigAlgo,
2673 SignatureValue: asn1.BitString{
2675 BitLength: len(signature) * 8,
2680 // ParseCertificateRequest parses a single certificate request from the
2681 // given ASN.1 DER data.
2682 func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) {
2683 var csr certificateRequest
2685 rest, err := asn1.Unmarshal(asn1Data, &csr)
2688 } else if len(rest) != 0 {
2689 return nil, asn1.SyntaxError{Msg: "trailing data"}
2692 return parseCertificateRequest(&csr)
2695 func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) {
2696 out := &CertificateRequest{
2698 RawTBSCertificateRequest: in.TBSCSR.Raw,
2699 RawSubjectPublicKeyInfo: in.TBSCSR.PublicKey.Raw,
2700 RawSubject: in.TBSCSR.Subject.FullBytes,
2702 Signature: in.SignatureValue.RightAlign(),
2703 SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm),
2705 PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm),
2707 Version: in.TBSCSR.Version,
2708 Attributes: parseRawAttributes(in.TBSCSR.RawAttributes),
2712 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey)
2717 var subject pkix.RDNSequence
2718 if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil {
2720 } else if len(rest) != 0 {
2721 return nil, errors.New("x509: trailing data after X.509 Subject")
2724 out.Subject.FillFromRDNSequence(&subject)
2726 if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil {
2730 for _, extension := range out.Extensions {
2732 case extension.Id.Equal(oidExtensionSubjectAltName):
2733 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value)
2737 case extension.Id.Equal(oidExtensionKeyUsage):
2738 out.KeyUsage, err = parseKeyUsageExtension(extension.Value)
2748 // CheckSignature reports whether the signature on c is valid.
2749 func (c *CertificateRequest) CheckSignature() error {
2750 return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
2753 // RevocationList contains the fields used to create an X.509 v2 Certificate
2754 // Revocation list with CreateRevocationList.
2755 type RevocationList struct {
2756 // SignatureAlgorithm is used to determine the signature algorithm to be
2757 // used when signing the CRL. If 0 the default algorithm for the signing
2758 // key will be used.
2759 SignatureAlgorithm SignatureAlgorithm
2761 // RevokedCertificates is used to populate the revokedCertificates
2762 // sequence in the CRL, it may be empty. RevokedCertificates may be nil,
2763 // in which case an empty CRL will be created.
2764 RevokedCertificates []pkix.RevokedCertificate
2766 // Number is used to populate the X.509 v2 cRLNumber extension in the CRL,
2767 // which should be a monotonically increasing sequence number for a given
2768 // CRL scope and CRL issuer.
2770 // ThisUpdate is used to populate the thisUpdate field in the CRL, which
2771 // indicates the issuance date of the CRL.
2772 ThisUpdate time.Time
2773 // NextUpdate is used to populate the nextUpdate field in the CRL, which
2774 // indicates the date by which the next CRL will be issued. NextUpdate
2775 // must be greater than ThisUpdate.
2776 NextUpdate time.Time
2777 // ExtraExtensions contains any additional extensions to add directly to
2779 ExtraExtensions []pkix.Extension
2782 // CreateRevocationList creates a new X.509 v2 Certificate Revocation List,
2783 // according to RFC 5280, based on template.
2785 // The CRL is signed by priv which should be the private key associated with
2786 // the public key in the issuer certificate.
2788 // The issuer may not be nil, and the crlSign bit must be set in KeyUsage in
2789 // order to use it as a CRL issuer.
2791 // The issuer distinguished name CRL field and authority key identifier
2792 // extension are populated using the issuer certificate. issuer must have
2793 // SubjectKeyId set.
2794 func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error) {
2795 if template == nil {
2796 return nil, errors.New("x509: template can not be nil")
2799 return nil, errors.New("x509: issuer can not be nil")
2801 if (issuer.KeyUsage & KeyUsageCRLSign) == 0 {
2802 return nil, errors.New("x509: issuer must have the crlSign key usage bit set")
2804 if len(issuer.SubjectKeyId) == 0 {
2805 return nil, errors.New("x509: issuer certificate doesn't contain a subject key identifier")
2807 if template.NextUpdate.Before(template.ThisUpdate) {
2808 return nil, errors.New("x509: template.ThisUpdate is after template.NextUpdate")
2810 if template.Number == nil {
2811 return nil, errors.New("x509: template contains nil Number field")
2814 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm)
2819 // Force revocation times to UTC per RFC 5280.
2820 revokedCertsUTC := make([]pkix.RevokedCertificate, len(template.RevokedCertificates))
2821 for i, rc := range template.RevokedCertificates {
2822 rc.RevocationTime = rc.RevocationTime.UTC()
2823 revokedCertsUTC[i] = rc
2826 aki, err := asn1.Marshal(authKeyId{Id: issuer.SubjectKeyId})
2830 crlNum, err := asn1.Marshal(template.Number)
2835 tbsCertList := pkix.TBSCertificateList{
2837 Signature: signatureAlgorithm,
2838 Issuer: issuer.Subject.ToRDNSequence(),
2839 ThisUpdate: template.ThisUpdate.UTC(),
2840 NextUpdate: template.NextUpdate.UTC(),
2841 Extensions: []pkix.Extension{
2843 Id: oidExtensionAuthorityKeyId,
2847 Id: oidExtensionCRLNumber,
2852 if len(revokedCertsUTC) > 0 {
2853 tbsCertList.RevokedCertificates = revokedCertsUTC
2856 if len(template.ExtraExtensions) > 0 {
2857 tbsCertList.Extensions = append(tbsCertList.Extensions, template.ExtraExtensions...)
2860 tbsCertListContents, err := asn1.Marshal(tbsCertList)
2865 input := tbsCertListContents
2868 h.Write(tbsCertListContents)
2871 var signerOpts crypto.SignerOpts = hashFunc
2872 if template.SignatureAlgorithm.isRSAPSS() {
2873 signerOpts = &rsa.PSSOptions{
2874 SaltLength: rsa.PSSSaltLengthEqualsHash,
2879 signature, err := priv.Sign(rand, input, signerOpts)
2884 return asn1.Marshal(pkix.CertificateList{
2885 TBSCertList: tbsCertList,
2886 SignatureAlgorithm: signatureAlgorithm,
2887 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},