1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 // Package x509 parses X.509-encoded keys and certificates.
33 "golang.org/x/crypto/cryptobyte"
34 cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
37 // pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo
39 type pkixPublicKey struct {
40 Algo pkix.AlgorithmIdentifier
41 BitString asn1.BitString
44 // ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
45 // The encoded public key is a SubjectPublicKeyInfo structure
46 // (see RFC 5280, Section 4.1).
48 // It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
49 // ed25519.PublicKey. More types might be supported in the future.
51 // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
52 func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
54 if rest, err := asn1.Unmarshal(derBytes, &pki); err != nil {
55 if _, err := asn1.Unmarshal(derBytes, &pkcs1PublicKey{}); err == nil {
56 return nil, errors.New("x509: failed to parse public key (use ParsePKCS1PublicKey instead for this key format)")
59 } else if len(rest) != 0 {
60 return nil, errors.New("x509: trailing data after ASN.1 of public-key")
62 algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
63 if algo == UnknownPublicKeyAlgorithm {
64 return nil, errors.New("x509: unknown public key algorithm")
66 return parsePublicKey(algo, &pki)
69 func marshalPublicKey(pub interface{}) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) {
70 switch pub := pub.(type) {
72 publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{
77 return nil, pkix.AlgorithmIdentifier{}, err
79 publicKeyAlgorithm.Algorithm = oidPublicKeyRSA
80 // This is a NULL parameters value which is required by
81 // RFC 3279, Section 2.3.1.
82 publicKeyAlgorithm.Parameters = asn1.NullRawValue
83 case *ecdsa.PublicKey:
84 publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y)
85 oid, ok := oidFromNamedCurve(pub.Curve)
87 return nil, pkix.AlgorithmIdentifier{}, errors.New("x509: unsupported elliptic curve")
89 publicKeyAlgorithm.Algorithm = oidPublicKeyECDSA
91 paramBytes, err = asn1.Marshal(oid)
95 publicKeyAlgorithm.Parameters.FullBytes = paramBytes
96 case ed25519.PublicKey:
98 publicKeyAlgorithm.Algorithm = oidPublicKeyEd25519
100 return nil, pkix.AlgorithmIdentifier{}, fmt.Errorf("x509: unsupported public key type: %T", pub)
103 return publicKeyBytes, publicKeyAlgorithm, nil
106 // MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
107 // The encoded public key is a SubjectPublicKeyInfo structure
108 // (see RFC 5280, Section 4.1).
110 // The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
111 // and ed25519.PublicKey. Unsupported key types result in an error.
113 // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
114 func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) {
115 var publicKeyBytes []byte
116 var publicKeyAlgorithm pkix.AlgorithmIdentifier
119 if publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(pub); err != nil {
123 pkix := pkixPublicKey{
124 Algo: publicKeyAlgorithm,
125 BitString: asn1.BitString{
126 Bytes: publicKeyBytes,
127 BitLength: 8 * len(publicKeyBytes),
131 ret, _ := asn1.Marshal(pkix)
135 // These structures reflect the ASN.1 structure of X.509 certificates.:
137 type certificate struct {
139 TBSCertificate tbsCertificate
140 SignatureAlgorithm pkix.AlgorithmIdentifier
141 SignatureValue asn1.BitString
144 type tbsCertificate struct {
146 Version int `asn1:"optional,explicit,default:0,tag:0"`
147 SerialNumber *big.Int
148 SignatureAlgorithm pkix.AlgorithmIdentifier
151 Subject asn1.RawValue
152 PublicKey publicKeyInfo
153 UniqueId asn1.BitString `asn1:"optional,tag:1"`
154 SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
155 Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"`
158 type dsaAlgorithmParameters struct {
162 type dsaSignature struct {
166 type validity struct {
167 NotBefore, NotAfter time.Time
170 type publicKeyInfo struct {
172 Algorithm pkix.AlgorithmIdentifier
173 PublicKey asn1.BitString
177 type authKeyId struct {
178 Id []byte `asn1:"optional,tag:0"`
181 type SignatureAlgorithm int
184 UnknownSignatureAlgorithm SignatureAlgorithm = iota
203 func (algo SignatureAlgorithm) isRSAPSS() bool {
205 case SHA256WithRSAPSS, SHA384WithRSAPSS, SHA512WithRSAPSS:
212 func (algo SignatureAlgorithm) String() string {
213 for _, details := range signatureAlgorithmDetails {
214 if details.algo == algo {
218 return strconv.Itoa(int(algo))
221 type PublicKeyAlgorithm int
224 UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
231 var publicKeyAlgoName = [...]string{
238 func (algo PublicKeyAlgorithm) String() string {
239 if 0 < algo && int(algo) < len(publicKeyAlgoName) {
240 return publicKeyAlgoName[algo]
242 return strconv.Itoa(int(algo))
245 // OIDs for signature algorithms
247 // pkcs-1 OBJECT IDENTIFIER ::= {
248 // iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
251 // RFC 3279 2.2.1 RSA Signature Algorithms
253 // md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
255 // md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
257 // sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }
259 // dsaWithSha1 OBJECT IDENTIFIER ::= {
260 // iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 }
262 // RFC 3279 2.2.3 ECDSA Signature Algorithm
264 // ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
265 // iso(1) member-body(2) us(840) ansi-x962(10045)
266 // signatures(4) ecdsa-with-SHA1(1)}
269 // RFC 4055 5 PKCS #1 Version 1.5
271 // sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
273 // sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
275 // sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
278 // RFC 5758 3.1 DSA Signature Algorithms
280 // dsaWithSha256 OBJECT IDENTIFIER ::= {
281 // joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
282 // csor(3) algorithms(4) id-dsa-with-sha2(3) 2}
284 // RFC 5758 3.2 ECDSA Signature Algorithm
286 // ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
287 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
289 // ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
290 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
292 // ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
293 // us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
296 // RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers
298 // id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 }
301 oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
302 oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
303 oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
304 oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
305 oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
306 oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
307 oidSignatureRSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
308 oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
309 oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}
310 oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
311 oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
312 oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
313 oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
314 oidSignatureEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112}
316 oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
317 oidSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
318 oidSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
320 oidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
322 // oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA
323 // but it's specified by ISO. Microsoft's makecert.exe has been known
324 // to produce certificates with this OID.
325 oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 29}
328 var signatureAlgorithmDetails = []struct {
329 algo SignatureAlgorithm
331 oid asn1.ObjectIdentifier
332 pubKeyAlgo PublicKeyAlgorithm
335 {MD2WithRSA, "MD2-RSA", oidSignatureMD2WithRSA, RSA, crypto.Hash(0) /* no value for MD2 */},
336 {MD5WithRSA, "MD5-RSA", oidSignatureMD5WithRSA, RSA, crypto.MD5},
337 {SHA1WithRSA, "SHA1-RSA", oidSignatureSHA1WithRSA, RSA, crypto.SHA1},
338 {SHA1WithRSA, "SHA1-RSA", oidISOSignatureSHA1WithRSA, RSA, crypto.SHA1},
339 {SHA256WithRSA, "SHA256-RSA", oidSignatureSHA256WithRSA, RSA, crypto.SHA256},
340 {SHA384WithRSA, "SHA384-RSA", oidSignatureSHA384WithRSA, RSA, crypto.SHA384},
341 {SHA512WithRSA, "SHA512-RSA", oidSignatureSHA512WithRSA, RSA, crypto.SHA512},
342 {SHA256WithRSAPSS, "SHA256-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA256},
343 {SHA384WithRSAPSS, "SHA384-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA384},
344 {SHA512WithRSAPSS, "SHA512-RSAPSS", oidSignatureRSAPSS, RSA, crypto.SHA512},
345 {DSAWithSHA1, "DSA-SHA1", oidSignatureDSAWithSHA1, DSA, crypto.SHA1},
346 {DSAWithSHA256, "DSA-SHA256", oidSignatureDSAWithSHA256, DSA, crypto.SHA256},
347 {ECDSAWithSHA1, "ECDSA-SHA1", oidSignatureECDSAWithSHA1, ECDSA, crypto.SHA1},
348 {ECDSAWithSHA256, "ECDSA-SHA256", oidSignatureECDSAWithSHA256, ECDSA, crypto.SHA256},
349 {ECDSAWithSHA384, "ECDSA-SHA384", oidSignatureECDSAWithSHA384, ECDSA, crypto.SHA384},
350 {ECDSAWithSHA512, "ECDSA-SHA512", oidSignatureECDSAWithSHA512, ECDSA, crypto.SHA512},
351 {PureEd25519, "Ed25519", oidSignatureEd25519, Ed25519, crypto.Hash(0) /* no pre-hashing */},
354 // hashToPSSParameters contains the DER encoded RSA PSS parameters for the
355 // SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3.
356 // The parameters contain the following values:
357 // * hashAlgorithm contains the associated hash identifier with NULL parameters
358 // * maskGenAlgorithm always contains the default mgf1SHA1 identifier
359 // * saltLength contains the length of the associated hash
360 // * trailerField always contains the default trailerFieldBC value
361 var hashToPSSParameters = map[crypto.Hash]asn1.RawValue{
362 crypto.SHA256: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 1, 5, 0, 162, 3, 2, 1, 32}},
363 crypto.SHA384: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 2, 5, 0, 162, 3, 2, 1, 48}},
364 crypto.SHA512: asn1.RawValue{FullBytes: []byte{48, 52, 160, 15, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 161, 28, 48, 26, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 8, 48, 13, 6, 9, 96, 134, 72, 1, 101, 3, 4, 2, 3, 5, 0, 162, 3, 2, 1, 64}},
367 // pssParameters reflects the parameters in an AlgorithmIdentifier that
368 // specifies RSA PSS. See RFC 3447, Appendix A.2.3.
369 type pssParameters struct {
370 // The following three fields are not marked as
371 // optional because the default values specify SHA-1,
372 // which is no longer suitable for use in signatures.
373 Hash pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
374 MGF pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
375 SaltLength int `asn1:"explicit,tag:2"`
376 TrailerField int `asn1:"optional,explicit,tag:3,default:1"`
379 func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm {
380 if ai.Algorithm.Equal(oidSignatureEd25519) {
381 // RFC 8410, Section 3
382 // > For all of the OIDs, the parameters MUST be absent.
383 if len(ai.Parameters.FullBytes) != 0 {
384 return UnknownSignatureAlgorithm
388 if !ai.Algorithm.Equal(oidSignatureRSAPSS) {
389 for _, details := range signatureAlgorithmDetails {
390 if ai.Algorithm.Equal(details.oid) {
394 return UnknownSignatureAlgorithm
397 // RSA PSS is special because it encodes important parameters
398 // in the Parameters.
400 var params pssParameters
401 if _, err := asn1.Unmarshal(ai.Parameters.FullBytes, ¶ms); err != nil {
402 return UnknownSignatureAlgorithm
405 var mgf1HashFunc pkix.AlgorithmIdentifier
406 if _, err := asn1.Unmarshal(params.MGF.Parameters.FullBytes, &mgf1HashFunc); err != nil {
407 return UnknownSignatureAlgorithm
410 // PSS is greatly overburdened with options. This code forces them into
411 // three buckets by requiring that the MGF1 hash function always match the
412 // message hash function (as recommended in RFC 3447, Section 8.1), that the
413 // salt length matches the hash length, and that the trailer field has the
415 if (len(params.Hash.Parameters.FullBytes) != 0 && !bytes.Equal(params.Hash.Parameters.FullBytes, asn1.NullBytes)) ||
416 !params.MGF.Algorithm.Equal(oidMGF1) ||
417 !mgf1HashFunc.Algorithm.Equal(params.Hash.Algorithm) ||
418 (len(mgf1HashFunc.Parameters.FullBytes) != 0 && !bytes.Equal(mgf1HashFunc.Parameters.FullBytes, asn1.NullBytes)) ||
419 params.TrailerField != 1 {
420 return UnknownSignatureAlgorithm
424 case params.Hash.Algorithm.Equal(oidSHA256) && params.SaltLength == 32:
425 return SHA256WithRSAPSS
426 case params.Hash.Algorithm.Equal(oidSHA384) && params.SaltLength == 48:
427 return SHA384WithRSAPSS
428 case params.Hash.Algorithm.Equal(oidSHA512) && params.SaltLength == 64:
429 return SHA512WithRSAPSS
432 return UnknownSignatureAlgorithm
435 // RFC 3279, 2.3 Public Key Algorithms
437 // pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
438 // rsadsi(113549) pkcs(1) 1 }
440 // rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 }
442 // id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840)
443 // x9-57(10040) x9cm(4) 1 }
445 // RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters
447 // id-ecPublicKey OBJECT IDENTIFIER ::= {
448 // iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
450 oidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
451 oidPublicKeyDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
452 oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
453 oidPublicKeyEd25519 = oidSignatureEd25519
456 func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
458 case oid.Equal(oidPublicKeyRSA):
460 case oid.Equal(oidPublicKeyDSA):
462 case oid.Equal(oidPublicKeyECDSA):
464 case oid.Equal(oidPublicKeyEd25519):
467 return UnknownPublicKeyAlgorithm
470 // RFC 5480, 2.1.1.1. Named Curve
472 // secp224r1 OBJECT IDENTIFIER ::= {
473 // iso(1) identified-organization(3) certicom(132) curve(0) 33 }
475 // secp256r1 OBJECT IDENTIFIER ::= {
476 // iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
479 // secp384r1 OBJECT IDENTIFIER ::= {
480 // iso(1) identified-organization(3) certicom(132) curve(0) 34 }
482 // secp521r1 OBJECT IDENTIFIER ::= {
483 // iso(1) identified-organization(3) certicom(132) curve(0) 35 }
485 // NB: secp256r1 is equivalent to prime256v1
487 oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
488 oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
489 oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
490 oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
493 func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
495 case oid.Equal(oidNamedCurveP224):
496 return elliptic.P224()
497 case oid.Equal(oidNamedCurveP256):
498 return elliptic.P256()
499 case oid.Equal(oidNamedCurveP384):
500 return elliptic.P384()
501 case oid.Equal(oidNamedCurveP521):
502 return elliptic.P521()
507 func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) {
509 case elliptic.P224():
510 return oidNamedCurveP224, true
511 case elliptic.P256():
512 return oidNamedCurveP256, true
513 case elliptic.P384():
514 return oidNamedCurveP384, true
515 case elliptic.P521():
516 return oidNamedCurveP521, true
522 // KeyUsage represents the set of actions that are valid for a given key. It's
523 // a bitmap of the KeyUsage* constants.
527 KeyUsageDigitalSignature KeyUsage = 1 << iota
528 KeyUsageContentCommitment
529 KeyUsageKeyEncipherment
530 KeyUsageDataEncipherment
538 // RFC 5280, 4.2.1.12 Extended Key Usage
540 // anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }
542 // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
544 // id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
545 // id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
546 // id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 }
547 // id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
548 // id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 }
549 // id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
551 oidExtKeyUsageAny = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
552 oidExtKeyUsageServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
553 oidExtKeyUsageClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
554 oidExtKeyUsageCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
555 oidExtKeyUsageEmailProtection = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
556 oidExtKeyUsageIPSECEndSystem = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
557 oidExtKeyUsageIPSECTunnel = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
558 oidExtKeyUsageIPSECUser = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
559 oidExtKeyUsageTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
560 oidExtKeyUsageOCSPSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
561 oidExtKeyUsageMicrosoftServerGatedCrypto = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
562 oidExtKeyUsageNetscapeServerGatedCrypto = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
563 oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
564 oidExtKeyUsageMicrosoftKernelCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
567 // ExtKeyUsage represents an extended set of actions that are valid for a given key.
568 // Each of the ExtKeyUsage* constants define a unique action.
572 ExtKeyUsageAny ExtKeyUsage = iota
573 ExtKeyUsageServerAuth
574 ExtKeyUsageClientAuth
575 ExtKeyUsageCodeSigning
576 ExtKeyUsageEmailProtection
577 ExtKeyUsageIPSECEndSystem
578 ExtKeyUsageIPSECTunnel
580 ExtKeyUsageTimeStamping
581 ExtKeyUsageOCSPSigning
582 ExtKeyUsageMicrosoftServerGatedCrypto
583 ExtKeyUsageNetscapeServerGatedCrypto
584 ExtKeyUsageMicrosoftCommercialCodeSigning
585 ExtKeyUsageMicrosoftKernelCodeSigning
588 // extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.
589 var extKeyUsageOIDs = []struct {
590 extKeyUsage ExtKeyUsage
591 oid asn1.ObjectIdentifier
593 {ExtKeyUsageAny, oidExtKeyUsageAny},
594 {ExtKeyUsageServerAuth, oidExtKeyUsageServerAuth},
595 {ExtKeyUsageClientAuth, oidExtKeyUsageClientAuth},
596 {ExtKeyUsageCodeSigning, oidExtKeyUsageCodeSigning},
597 {ExtKeyUsageEmailProtection, oidExtKeyUsageEmailProtection},
598 {ExtKeyUsageIPSECEndSystem, oidExtKeyUsageIPSECEndSystem},
599 {ExtKeyUsageIPSECTunnel, oidExtKeyUsageIPSECTunnel},
600 {ExtKeyUsageIPSECUser, oidExtKeyUsageIPSECUser},
601 {ExtKeyUsageTimeStamping, oidExtKeyUsageTimeStamping},
602 {ExtKeyUsageOCSPSigning, oidExtKeyUsageOCSPSigning},
603 {ExtKeyUsageMicrosoftServerGatedCrypto, oidExtKeyUsageMicrosoftServerGatedCrypto},
604 {ExtKeyUsageNetscapeServerGatedCrypto, oidExtKeyUsageNetscapeServerGatedCrypto},
605 {ExtKeyUsageMicrosoftCommercialCodeSigning, oidExtKeyUsageMicrosoftCommercialCodeSigning},
606 {ExtKeyUsageMicrosoftKernelCodeSigning, oidExtKeyUsageMicrosoftKernelCodeSigning},
609 func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
610 for _, pair := range extKeyUsageOIDs {
611 if oid.Equal(pair.oid) {
612 return pair.extKeyUsage, true
618 func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
619 for _, pair := range extKeyUsageOIDs {
620 if eku == pair.extKeyUsage {
621 return pair.oid, true
627 // A Certificate represents an X.509 certificate.
628 type Certificate struct {
629 Raw []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
630 RawTBSCertificate []byte // Certificate part of raw ASN.1 DER content.
631 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
632 RawSubject []byte // DER encoded Subject
633 RawIssuer []byte // DER encoded Issuer
636 SignatureAlgorithm SignatureAlgorithm
638 PublicKeyAlgorithm PublicKeyAlgorithm
639 PublicKey interface{}
642 SerialNumber *big.Int
645 NotBefore, NotAfter time.Time // Validity bounds.
648 // Extensions contains raw X.509 extensions. When parsing certificates,
649 // this can be used to extract non-critical extensions that are not
650 // parsed by this package. When marshaling certificates, the Extensions
651 // field is ignored, see ExtraExtensions.
652 Extensions []pkix.Extension
654 // ExtraExtensions contains extensions to be copied, raw, into any
655 // marshaled certificates. Values override any extensions that would
656 // otherwise be produced based on the other fields. The ExtraExtensions
657 // field is not populated when parsing certificates, see Extensions.
658 ExtraExtensions []pkix.Extension
660 // UnhandledCriticalExtensions contains a list of extension IDs that
661 // were not (fully) processed when parsing. Verify will fail if this
662 // slice is non-empty, unless verification is delegated to an OS
663 // library which understands all the critical extensions.
665 // Users can access these extensions using Extensions and can remove
666 // elements from this slice if they believe that they have been
668 UnhandledCriticalExtensions []asn1.ObjectIdentifier
670 ExtKeyUsage []ExtKeyUsage // Sequence of extended key usages.
671 UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.
673 // BasicConstraintsValid indicates whether IsCA, MaxPathLen,
674 // and MaxPathLenZero are valid.
675 BasicConstraintsValid bool
678 // MaxPathLen and MaxPathLenZero indicate the presence and
679 // value of the BasicConstraints' "pathLenConstraint".
681 // When parsing a certificate, a positive non-zero MaxPathLen
682 // means that the field was specified, -1 means it was unset,
683 // and MaxPathLenZero being true mean that the field was
684 // explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
685 // should be treated equivalent to -1 (unset).
687 // When generating a certificate, an unset pathLenConstraint
688 // can be requested with either MaxPathLen == -1 or using the
689 // zero value for both MaxPathLen and MaxPathLenZero.
691 // MaxPathLenZero indicates that BasicConstraintsValid==true
692 // and MaxPathLen==0 should be interpreted as an actual
693 // maximum path length of zero. Otherwise, that combination is
694 // interpreted as MaxPathLen not being set.
698 AuthorityKeyId []byte
700 // RFC 5280, 4.2.2.1 (Authority Information Access)
702 IssuingCertificateURL []string
704 // Subject Alternate Name values. (Note that these values may not be valid
705 // if invalid values were contained within a parsed certificate. For
706 // example, an element of DNSNames may not be a valid DNS domain name.)
708 EmailAddresses []string
713 PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
714 PermittedDNSDomains []string
715 ExcludedDNSDomains []string
716 PermittedIPRanges []*net.IPNet
717 ExcludedIPRanges []*net.IPNet
718 PermittedEmailAddresses []string
719 ExcludedEmailAddresses []string
720 PermittedURIDomains []string
721 ExcludedURIDomains []string
723 // CRL Distribution Points
724 CRLDistributionPoints []string
726 PolicyIdentifiers []asn1.ObjectIdentifier
729 // ErrUnsupportedAlgorithm results from attempting to perform an operation that
730 // involves algorithms that are not currently implemented.
731 var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
733 // An InsecureAlgorithmError
734 type InsecureAlgorithmError SignatureAlgorithm
736 func (e InsecureAlgorithmError) Error() string {
737 return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e))
740 // ConstraintViolationError results when a requested usage is not permitted by
741 // a certificate. For example: checking a signature when the public key isn't a
742 // certificate signing key.
743 type ConstraintViolationError struct{}
745 func (ConstraintViolationError) Error() string {
746 return "x509: invalid signature: parent certificate cannot sign this kind of certificate"
749 func (c *Certificate) Equal(other *Certificate) bool {
750 if c == nil || other == nil {
753 return bytes.Equal(c.Raw, other.Raw)
756 func (c *Certificate) hasSANExtension() bool {
757 return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
760 // CheckSignatureFrom verifies that the signature on c is a valid signature
762 func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
763 // RFC 5280, 4.2.1.9:
764 // "If the basic constraints extension is not present in a version 3
765 // certificate, or the extension is present but the cA boolean is not
766 // asserted, then the certified public key MUST NOT be used to verify
767 // certificate signatures."
768 if parent.Version == 3 && !parent.BasicConstraintsValid ||
769 parent.BasicConstraintsValid && !parent.IsCA {
770 return ConstraintViolationError{}
773 if parent.KeyUsage != 0 && parent.KeyUsage&KeyUsageCertSign == 0 {
774 return ConstraintViolationError{}
777 if parent.PublicKeyAlgorithm == UnknownPublicKeyAlgorithm {
778 return ErrUnsupportedAlgorithm
781 // TODO(agl): don't ignore the path length constraint.
783 return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
786 // CheckSignature verifies that signature is a valid signature over signed from
788 func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
789 return checkSignature(algo, signed, signature, c.PublicKey)
792 func (c *Certificate) hasNameConstraints() bool {
793 return oidInExtensions(oidExtensionNameConstraints, c.Extensions)
796 func (c *Certificate) getSANExtension() []byte {
797 for _, e := range c.Extensions {
798 if e.Id.Equal(oidExtensionSubjectAltName) {
805 func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey interface{}) error {
806 return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
809 // CheckSignature verifies that signature is a valid signature over signed from
810 // a crypto.PublicKey.
811 func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
812 var hashType crypto.Hash
813 var pubKeyAlgo PublicKeyAlgorithm
815 for _, details := range signatureAlgorithmDetails {
816 if details.algo == algo {
817 hashType = details.hash
818 pubKeyAlgo = details.pubKeyAlgo
824 if pubKeyAlgo != Ed25519 {
825 return ErrUnsupportedAlgorithm
828 return InsecureAlgorithmError(algo)
830 if !hashType.Available() {
831 return ErrUnsupportedAlgorithm
838 switch pub := publicKey.(type) {
840 if pubKeyAlgo != RSA {
841 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
844 return rsa.VerifyPSS(pub, hashType, signed, signature, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
846 return rsa.VerifyPKCS1v15(pub, hashType, signed, signature)
849 if pubKeyAlgo != DSA {
850 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
852 dsaSig := new(dsaSignature)
853 if rest, err := asn1.Unmarshal(signature, dsaSig); err != nil {
855 } else if len(rest) != 0 {
856 return errors.New("x509: trailing data after DSA signature")
858 if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 {
859 return errors.New("x509: DSA signature contained zero or negative values")
861 // According to FIPS 186-3, section 4.6, the hash must be truncated if it is longer
862 // than the key length, but crypto/dsa doesn't do it automatically.
863 if maxHashLen := pub.Q.BitLen() / 8; maxHashLen < len(signed) {
864 signed = signed[:maxHashLen]
866 if !dsa.Verify(pub, signed, dsaSig.R, dsaSig.S) {
867 return errors.New("x509: DSA verification failure")
870 case *ecdsa.PublicKey:
871 if pubKeyAlgo != ECDSA {
872 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
874 if !ecdsa.VerifyASN1(pub, signed, signature) {
875 return errors.New("x509: ECDSA verification failure")
878 case ed25519.PublicKey:
879 if pubKeyAlgo != Ed25519 {
880 return signaturePublicKeyAlgoMismatchError(pubKeyAlgo, pub)
882 if !ed25519.Verify(pub, signed, signature) {
883 return errors.New("x509: Ed25519 verification failure")
887 return ErrUnsupportedAlgorithm
890 // CheckCRLSignature checks that the signature in crl is from c.
891 func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error {
892 algo := getSignatureAlgorithmFromAI(crl.SignatureAlgorithm)
893 return c.CheckSignature(algo, crl.TBSCertList.Raw, crl.SignatureValue.RightAlign())
896 type UnhandledCriticalExtension struct{}
898 func (h UnhandledCriticalExtension) Error() string {
899 return "x509: unhandled critical extension"
902 type basicConstraints struct {
903 IsCA bool `asn1:"optional"`
904 MaxPathLen int `asn1:"optional,default:-1"`
908 type policyInformation struct {
909 Policy asn1.ObjectIdentifier
910 // policyQualifiers omitted
921 type authorityInfoAccess struct {
922 Method asn1.ObjectIdentifier
923 Location asn1.RawValue
926 // RFC 5280, 4.2.1.14
927 type distributionPoint struct {
928 DistributionPoint distributionPointName `asn1:"optional,tag:0"`
929 Reason asn1.BitString `asn1:"optional,tag:1"`
930 CRLIssuer asn1.RawValue `asn1:"optional,tag:2"`
933 type distributionPointName struct {
934 FullName []asn1.RawValue `asn1:"optional,tag:0"`
935 RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
938 func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, error) {
939 asn1Data := keyData.PublicKey.RightAlign()
942 // RSA public keys must have a NULL in the parameters.
943 // See RFC 3279, Section 2.3.1.
944 if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) {
945 return nil, errors.New("x509: RSA key missing NULL parameters")
948 p := new(pkcs1PublicKey)
949 rest, err := asn1.Unmarshal(asn1Data, p)
954 return nil, errors.New("x509: trailing data after RSA public key")
958 return nil, errors.New("x509: RSA modulus is not a positive number")
961 return nil, errors.New("x509: RSA public exponent is not a positive number")
964 pub := &rsa.PublicKey{
971 rest, err := asn1.Unmarshal(asn1Data, &p)
976 return nil, errors.New("x509: trailing data after DSA public key")
978 paramsData := keyData.Algorithm.Parameters.FullBytes
979 params := new(dsaAlgorithmParameters)
980 rest, err = asn1.Unmarshal(paramsData, params)
985 return nil, errors.New("x509: trailing data after DSA parameters")
987 if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0 || params.G.Sign() <= 0 {
988 return nil, errors.New("x509: zero or negative DSA parameter")
990 pub := &dsa.PublicKey{
991 Parameters: dsa.Parameters{
1000 paramsData := keyData.Algorithm.Parameters.FullBytes
1001 namedCurveOID := new(asn1.ObjectIdentifier)
1002 rest, err := asn1.Unmarshal(paramsData, namedCurveOID)
1004 return nil, errors.New("x509: failed to parse ECDSA parameters as named curve")
1007 return nil, errors.New("x509: trailing data after ECDSA parameters")
1009 namedCurve := namedCurveFromOID(*namedCurveOID)
1010 if namedCurve == nil {
1011 return nil, errors.New("x509: unsupported elliptic curve")
1013 x, y := elliptic.Unmarshal(namedCurve, asn1Data)
1015 return nil, errors.New("x509: failed to unmarshal elliptic curve point")
1017 pub := &ecdsa.PublicKey{
1024 // RFC 8410, Section 3
1025 // > For all of the OIDs, the parameters MUST be absent.
1026 if len(keyData.Algorithm.Parameters.FullBytes) != 0 {
1027 return nil, errors.New("x509: Ed25519 key encoded with illegal parameters")
1029 if len(asn1Data) != ed25519.PublicKeySize {
1030 return nil, errors.New("x509: wrong Ed25519 public key size")
1032 pub := make([]byte, ed25519.PublicKeySize)
1034 return ed25519.PublicKey(pub), nil
1040 func forEachSAN(extension []byte, callback func(tag int, data []byte) error) error {
1041 // RFC 5280, 4.2.1.6
1043 // SubjectAltName ::= GeneralNames
1045 // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
1047 // GeneralName ::= CHOICE {
1048 // otherName [0] OtherName,
1049 // rfc822Name [1] IA5String,
1050 // dNSName [2] IA5String,
1051 // x400Address [3] ORAddress,
1052 // directoryName [4] Name,
1053 // ediPartyName [5] EDIPartyName,
1054 // uniformResourceIdentifier [6] IA5String,
1055 // iPAddress [7] OCTET STRING,
1056 // registeredID [8] OBJECT IDENTIFIER }
1057 var seq asn1.RawValue
1058 rest, err := asn1.Unmarshal(extension, &seq)
1061 } else if len(rest) != 0 {
1062 return errors.New("x509: trailing data after X.509 extension")
1064 if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
1065 return asn1.StructuralError{Msg: "bad SAN sequence"}
1071 rest, err = asn1.Unmarshal(rest, &v)
1076 if err := callback(v.Tag, v.Bytes); err != nil {
1084 func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) {
1085 err = forEachSAN(value, func(tag int, data []byte) error {
1088 emailAddresses = append(emailAddresses, string(data))
1090 dnsNames = append(dnsNames, string(data))
1092 uri, err := url.Parse(string(data))
1094 return fmt.Errorf("x509: cannot parse URI %q: %s", string(data), err)
1096 if len(uri.Host) > 0 {
1097 if _, ok := domainToReverseLabels(uri.Host); !ok {
1098 return fmt.Errorf("x509: cannot parse URI %q: invalid domain", string(data))
1101 uris = append(uris, uri)
1104 case net.IPv4len, net.IPv6len:
1105 ipAddresses = append(ipAddresses, data)
1107 return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data)))
1117 // isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.
1118 func isValidIPMask(mask []byte) bool {
1121 for _, b := range mask {
1131 case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe:
1142 func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) {
1143 // RFC 5280, 4.2.1.10
1145 // NameConstraints ::= SEQUENCE {
1146 // permittedSubtrees [0] GeneralSubtrees OPTIONAL,
1147 // excludedSubtrees [1] GeneralSubtrees OPTIONAL }
1149 // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
1151 // GeneralSubtree ::= SEQUENCE {
1152 // base GeneralName,
1153 // minimum [0] BaseDistance DEFAULT 0,
1154 // maximum [1] BaseDistance OPTIONAL }
1156 // BaseDistance ::= INTEGER (0..MAX)
1158 outer := cryptobyte.String(e.Value)
1159 var toplevel, permitted, excluded cryptobyte.String
1160 var havePermitted, haveExcluded bool
1161 if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) ||
1163 !toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) ||
1164 !toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) ||
1166 return false, errors.New("x509: invalid NameConstraints extension")
1169 if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 {
1170 // From RFC 5280, Section 4.2.1.10:
1171 // “either the permittedSubtrees field
1172 // or the excludedSubtrees MUST be
1174 return false, errors.New("x509: empty name constraints extension")
1177 getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) {
1178 for !subtrees.Empty() {
1179 var seq, value cryptobyte.String
1180 var tag cryptobyte_asn1.Tag
1181 if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) ||
1182 !seq.ReadAnyASN1(&value, &tag) {
1183 return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension")
1187 dnsTag = cryptobyte_asn1.Tag(2).ContextSpecific()
1188 emailTag = cryptobyte_asn1.Tag(1).ContextSpecific()
1189 ipTag = cryptobyte_asn1.Tag(7).ContextSpecific()
1190 uriTag = cryptobyte_asn1.Tag(6).ContextSpecific()
1195 domain := string(value)
1196 if err := isIA5String(domain); err != nil {
1197 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
1200 trimmedDomain := domain
1201 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
1202 // constraints can have a leading
1203 // period to exclude the domain
1204 // itself, but that's not valid in a
1205 // normal domain name.
1206 trimmedDomain = trimmedDomain[1:]
1208 if _, ok := domainToReverseLabels(trimmedDomain); !ok {
1209 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
1211 dnsNames = append(dnsNames, domain)
1227 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l)
1230 if !isValidIPMask(mask) {
1231 return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask)
1234 ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)})
1237 constraint := string(value)
1238 if err := isIA5String(constraint); err != nil {
1239 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
1242 // If the constraint contains an @ then
1243 // it specifies an exact mailbox name.
1244 if strings.Contains(constraint, "@") {
1245 if _, ok := parseRFC2821Mailbox(constraint); !ok {
1246 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
1249 // Otherwise it's a domain name.
1250 domain := constraint
1251 if len(domain) > 0 && domain[0] == '.' {
1254 if _, ok := domainToReverseLabels(domain); !ok {
1255 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
1258 emails = append(emails, constraint)
1261 domain := string(value)
1262 if err := isIA5String(domain); err != nil {
1263 return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
1266 if net.ParseIP(domain) != nil {
1267 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
1270 trimmedDomain := domain
1271 if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
1272 // constraints can have a leading
1273 // period to exclude the domain itself,
1274 // but that's not valid in a normal
1276 trimmedDomain = trimmedDomain[1:]
1278 if _, ok := domainToReverseLabels(trimmedDomain); !ok {
1279 return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
1281 uriDomains = append(uriDomains, domain)
1288 return dnsNames, ips, emails, uriDomains, nil
1291 if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil {
1294 if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil {
1297 out.PermittedDNSDomainsCritical = e.Critical
1299 return unhandled, nil
1302 func parseCertificate(in *certificate) (*Certificate, error) {
1303 out := new(Certificate)
1305 out.RawTBSCertificate = in.TBSCertificate.Raw
1306 out.RawSubjectPublicKeyInfo = in.TBSCertificate.PublicKey.Raw
1307 out.RawSubject = in.TBSCertificate.Subject.FullBytes
1308 out.RawIssuer = in.TBSCertificate.Issuer.FullBytes
1310 out.Signature = in.SignatureValue.RightAlign()
1311 out.SignatureAlgorithm =
1312 getSignatureAlgorithmFromAI(in.TBSCertificate.SignatureAlgorithm)
1314 out.PublicKeyAlgorithm =
1315 getPublicKeyAlgorithmFromOID(in.TBSCertificate.PublicKey.Algorithm.Algorithm)
1317 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCertificate.PublicKey)
1322 out.Version = in.TBSCertificate.Version + 1
1323 out.SerialNumber = in.TBSCertificate.SerialNumber
1325 var issuer, subject pkix.RDNSequence
1326 if rest, err := asn1.Unmarshal(in.TBSCertificate.Subject.FullBytes, &subject); err != nil {
1328 } else if len(rest) != 0 {
1329 return nil, errors.New("x509: trailing data after X.509 subject")
1331 if rest, err := asn1.Unmarshal(in.TBSCertificate.Issuer.FullBytes, &issuer); err != nil {
1333 } else if len(rest) != 0 {
1334 return nil, errors.New("x509: trailing data after X.509 issuer")
1337 out.Issuer.FillFromRDNSequence(&issuer)
1338 out.Subject.FillFromRDNSequence(&subject)
1340 out.NotBefore = in.TBSCertificate.Validity.NotBefore
1341 out.NotAfter = in.TBSCertificate.Validity.NotAfter
1343 for _, e := range in.TBSCertificate.Extensions {
1344 out.Extensions = append(out.Extensions, e)
1347 if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 {
1350 // RFC 5280, 4.2.1.3
1351 var usageBits asn1.BitString
1352 if rest, err := asn1.Unmarshal(e.Value, &usageBits); err != nil {
1354 } else if len(rest) != 0 {
1355 return nil, errors.New("x509: trailing data after X.509 KeyUsage")
1359 for i := 0; i < 9; i++ {
1360 if usageBits.At(i) != 0 {
1361 usage |= 1 << uint(i)
1364 out.KeyUsage = KeyUsage(usage)
1367 // RFC 5280, 4.2.1.9
1368 var constraints basicConstraints
1369 if rest, err := asn1.Unmarshal(e.Value, &constraints); err != nil {
1371 } else if len(rest) != 0 {
1372 return nil, errors.New("x509: trailing data after X.509 BasicConstraints")
1375 out.BasicConstraintsValid = true
1376 out.IsCA = constraints.IsCA
1377 out.MaxPathLen = constraints.MaxPathLen
1378 out.MaxPathLenZero = out.MaxPathLen == 0
1379 // TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285)
1381 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value)
1386 if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 {
1387 // If we didn't parse anything then we do the critical check, below.
1392 unhandled, err = parseNameConstraintsExtension(out, e)
1398 // RFC 5280, 4.2.1.13
1400 // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
1402 // DistributionPoint ::= SEQUENCE {
1403 // distributionPoint [0] DistributionPointName OPTIONAL,
1404 // reasons [1] ReasonFlags OPTIONAL,
1405 // cRLIssuer [2] GeneralNames OPTIONAL }
1407 // DistributionPointName ::= CHOICE {
1408 // fullName [0] GeneralNames,
1409 // nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
1411 var cdp []distributionPoint
1412 if rest, err := asn1.Unmarshal(e.Value, &cdp); err != nil {
1414 } else if len(rest) != 0 {
1415 return nil, errors.New("x509: trailing data after X.509 CRL distribution point")
1418 for _, dp := range cdp {
1419 // Per RFC 5280, 4.2.1.13, one of distributionPoint or cRLIssuer may be empty.
1420 if len(dp.DistributionPoint.FullName) == 0 {
1424 for _, fullName := range dp.DistributionPoint.FullName {
1425 if fullName.Tag == 6 {
1426 out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(fullName.Bytes))
1432 // RFC 5280, 4.2.1.1
1434 if rest, err := asn1.Unmarshal(e.Value, &a); err != nil {
1436 } else if len(rest) != 0 {
1437 return nil, errors.New("x509: trailing data after X.509 authority key-id")
1439 out.AuthorityKeyId = a.Id
1442 // RFC 5280, 4.2.1.12. Extended Key Usage
1444 // id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }
1446 // ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
1448 // KeyPurposeId ::= OBJECT IDENTIFIER
1450 var keyUsage []asn1.ObjectIdentifier
1451 if rest, err := asn1.Unmarshal(e.Value, &keyUsage); err != nil {
1453 } else if len(rest) != 0 {
1454 return nil, errors.New("x509: trailing data after X.509 ExtendedKeyUsage")
1457 for _, u := range keyUsage {
1458 if extKeyUsage, ok := extKeyUsageFromOID(u); ok {
1459 out.ExtKeyUsage = append(out.ExtKeyUsage, extKeyUsage)
1461 out.UnknownExtKeyUsage = append(out.UnknownExtKeyUsage, u)
1466 // RFC 5280, 4.2.1.2
1468 if rest, err := asn1.Unmarshal(e.Value, &keyid); err != nil {
1470 } else if len(rest) != 0 {
1471 return nil, errors.New("x509: trailing data after X.509 key-id")
1473 out.SubjectKeyId = keyid
1476 // RFC 5280 4.2.1.4: Certificate Policies
1477 var policies []policyInformation
1478 if rest, err := asn1.Unmarshal(e.Value, &policies); err != nil {
1480 } else if len(rest) != 0 {
1481 return nil, errors.New("x509: trailing data after X.509 certificate policies")
1483 out.PolicyIdentifiers = make([]asn1.ObjectIdentifier, len(policies))
1484 for i, policy := range policies {
1485 out.PolicyIdentifiers[i] = policy.Policy
1489 // Unknown extensions are recorded if critical.
1492 } else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
1493 // RFC 5280 4.2.2.1: Authority Information Access
1494 var aia []authorityInfoAccess
1495 if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil {
1497 } else if len(rest) != 0 {
1498 return nil, errors.New("x509: trailing data after X.509 authority information")
1501 for _, v := range aia {
1502 // GeneralName: uniformResourceIdentifier [6] IA5String
1503 if v.Location.Tag != 6 {
1506 if v.Method.Equal(oidAuthorityInfoAccessOcsp) {
1507 out.OCSPServer = append(out.OCSPServer, string(v.Location.Bytes))
1508 } else if v.Method.Equal(oidAuthorityInfoAccessIssuers) {
1509 out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(v.Location.Bytes))
1513 // Unknown extensions are recorded if critical.
1517 if e.Critical && unhandled {
1518 out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id)
1525 // ParseCertificate parses a single certificate from the given ASN.1 DER data.
1526 func ParseCertificate(asn1Data []byte) (*Certificate, error) {
1527 var cert certificate
1528 rest, err := asn1.Unmarshal(asn1Data, &cert)
1533 return nil, asn1.SyntaxError{Msg: "trailing data"}
1536 return parseCertificate(&cert)
1539 // ParseCertificates parses one or more certificates from the given ASN.1 DER
1540 // data. The certificates must be concatenated with no intermediate padding.
1541 func ParseCertificates(asn1Data []byte) ([]*Certificate, error) {
1542 var v []*certificate
1544 for len(asn1Data) > 0 {
1545 cert := new(certificate)
1547 asn1Data, err = asn1.Unmarshal(asn1Data, cert)
1554 ret := make([]*Certificate, len(v))
1555 for i, ci := range v {
1556 cert, err := parseCertificate(ci)
1566 func reverseBitsInAByte(in byte) byte {
1568 b2 := b1>>2&0x33 | b1<<2&0xcc
1569 b3 := b2>>1&0x55 | b2<<1&0xaa
1573 // asn1BitLength returns the bit-length of bitString by considering the
1574 // most-significant bit in a byte to be the "first" bit. This convention
1575 // matches ASN.1, but differs from almost everything else.
1576 func asn1BitLength(bitString []byte) int {
1577 bitLen := len(bitString) * 8
1579 for i := range bitString {
1580 b := bitString[len(bitString)-i-1]
1582 for bit := uint(0); bit < 8; bit++ {
1583 if (b>>bit)&1 == 1 {
1594 oidExtensionSubjectKeyId = []int{2, 5, 29, 14}
1595 oidExtensionKeyUsage = []int{2, 5, 29, 15}
1596 oidExtensionExtendedKeyUsage = []int{2, 5, 29, 37}
1597 oidExtensionAuthorityKeyId = []int{2, 5, 29, 35}
1598 oidExtensionBasicConstraints = []int{2, 5, 29, 19}
1599 oidExtensionSubjectAltName = []int{2, 5, 29, 17}
1600 oidExtensionCertificatePolicies = []int{2, 5, 29, 32}
1601 oidExtensionNameConstraints = []int{2, 5, 29, 30}
1602 oidExtensionCRLDistributionPoints = []int{2, 5, 29, 31}
1603 oidExtensionAuthorityInfoAccess = []int{1, 3, 6, 1, 5, 5, 7, 1, 1}
1604 oidExtensionCRLNumber = []int{2, 5, 29, 20}
1608 oidAuthorityInfoAccessOcsp = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
1609 oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
1612 // oidNotInExtensions reports whether an extension with the given oid exists in
1614 func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool {
1615 for _, e := range extensions {
1616 if e.Id.Equal(oid) {
1623 // marshalSANs marshals a list of addresses into a the contents of an X.509
1624 // SubjectAlternativeName extension.
1625 func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) {
1626 var rawValues []asn1.RawValue
1627 for _, name := range dnsNames {
1628 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeDNS, Class: 2, Bytes: []byte(name)})
1630 for _, email := range emailAddresses {
1631 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeEmail, Class: 2, Bytes: []byte(email)})
1633 for _, rawIP := range ipAddresses {
1634 // If possible, we always want to encode IPv4 addresses in 4 bytes.
1639 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeIP, Class: 2, Bytes: ip})
1641 for _, uri := range uris {
1642 rawValues = append(rawValues, asn1.RawValue{Tag: nameTypeURI, Class: 2, Bytes: []byte(uri.String())})
1644 return asn1.Marshal(rawValues)
1647 func isIA5String(s string) error {
1648 for _, r := range s {
1649 if r >= utf8.RuneSelf {
1650 return fmt.Errorf("x509: %q cannot be encoded as an IA5String", s)
1657 func buildExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte, subjectKeyId []byte) (ret []pkix.Extension, err error) {
1658 ret = make([]pkix.Extension, 10 /* maximum number of elements. */)
1661 if template.KeyUsage != 0 &&
1662 !oidInExtensions(oidExtensionKeyUsage, template.ExtraExtensions) {
1663 ret[n].Id = oidExtensionKeyUsage
1664 ret[n].Critical = true
1667 a[0] = reverseBitsInAByte(byte(template.KeyUsage))
1668 a[1] = reverseBitsInAByte(byte(template.KeyUsage >> 8))
1676 ret[n].Value, err = asn1.Marshal(asn1.BitString{Bytes: bitString, BitLength: asn1BitLength(bitString)})
1683 if (len(template.ExtKeyUsage) > 0 || len(template.UnknownExtKeyUsage) > 0) &&
1684 !oidInExtensions(oidExtensionExtendedKeyUsage, template.ExtraExtensions) {
1685 ret[n].Id = oidExtensionExtendedKeyUsage
1687 var oids []asn1.ObjectIdentifier
1688 for _, u := range template.ExtKeyUsage {
1689 if oid, ok := oidFromExtKeyUsage(u); ok {
1690 oids = append(oids, oid)
1692 panic("internal error")
1696 oids = append(oids, template.UnknownExtKeyUsage...)
1698 ret[n].Value, err = asn1.Marshal(oids)
1705 if template.BasicConstraintsValid && !oidInExtensions(oidExtensionBasicConstraints, template.ExtraExtensions) {
1706 // Leaving MaxPathLen as zero indicates that no maximum path
1707 // length is desired, unless MaxPathLenZero is set. A value of
1708 // -1 causes encoding/asn1 to omit the value as desired.
1709 maxPathLen := template.MaxPathLen
1710 if maxPathLen == 0 && !template.MaxPathLenZero {
1713 ret[n].Id = oidExtensionBasicConstraints
1714 ret[n].Value, err = asn1.Marshal(basicConstraints{template.IsCA, maxPathLen})
1715 ret[n].Critical = true
1722 if len(subjectKeyId) > 0 && !oidInExtensions(oidExtensionSubjectKeyId, template.ExtraExtensions) {
1723 ret[n].Id = oidExtensionSubjectKeyId
1724 ret[n].Value, err = asn1.Marshal(subjectKeyId)
1731 if len(authorityKeyId) > 0 && !oidInExtensions(oidExtensionAuthorityKeyId, template.ExtraExtensions) {
1732 ret[n].Id = oidExtensionAuthorityKeyId
1733 ret[n].Value, err = asn1.Marshal(authKeyId{authorityKeyId})
1740 if (len(template.OCSPServer) > 0 || len(template.IssuingCertificateURL) > 0) &&
1741 !oidInExtensions(oidExtensionAuthorityInfoAccess, template.ExtraExtensions) {
1742 ret[n].Id = oidExtensionAuthorityInfoAccess
1743 var aiaValues []authorityInfoAccess
1744 for _, name := range template.OCSPServer {
1745 aiaValues = append(aiaValues, authorityInfoAccess{
1746 Method: oidAuthorityInfoAccessOcsp,
1747 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
1750 for _, name := range template.IssuingCertificateURL {
1751 aiaValues = append(aiaValues, authorityInfoAccess{
1752 Method: oidAuthorityInfoAccessIssuers,
1753 Location: asn1.RawValue{Tag: 6, Class: 2, Bytes: []byte(name)},
1756 ret[n].Value, err = asn1.Marshal(aiaValues)
1763 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
1764 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
1765 ret[n].Id = oidExtensionSubjectAltName
1766 // From RFC 5280, Section 4.2.1.6:
1767 // “If the subject field contains an empty sequence ... then
1768 // subjectAltName extension ... is marked as critical”
1769 ret[n].Critical = subjectIsEmpty
1770 ret[n].Value, err = marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
1777 if len(template.PolicyIdentifiers) > 0 &&
1778 !oidInExtensions(oidExtensionCertificatePolicies, template.ExtraExtensions) {
1779 ret[n].Id = oidExtensionCertificatePolicies
1780 policies := make([]policyInformation, len(template.PolicyIdentifiers))
1781 for i, policy := range template.PolicyIdentifiers {
1782 policies[i].Policy = policy
1784 ret[n].Value, err = asn1.Marshal(policies)
1791 if (len(template.PermittedDNSDomains) > 0 || len(template.ExcludedDNSDomains) > 0 ||
1792 len(template.PermittedIPRanges) > 0 || len(template.ExcludedIPRanges) > 0 ||
1793 len(template.PermittedEmailAddresses) > 0 || len(template.ExcludedEmailAddresses) > 0 ||
1794 len(template.PermittedURIDomains) > 0 || len(template.ExcludedURIDomains) > 0) &&
1795 !oidInExtensions(oidExtensionNameConstraints, template.ExtraExtensions) {
1796 ret[n].Id = oidExtensionNameConstraints
1797 ret[n].Critical = template.PermittedDNSDomainsCritical
1799 ipAndMask := func(ipNet *net.IPNet) []byte {
1800 maskedIP := ipNet.IP.Mask(ipNet.Mask)
1801 ipAndMask := make([]byte, 0, len(maskedIP)+len(ipNet.Mask))
1802 ipAndMask = append(ipAndMask, maskedIP...)
1803 ipAndMask = append(ipAndMask, ipNet.Mask...)
1807 serialiseConstraints := func(dns []string, ips []*net.IPNet, emails []string, uriDomains []string) (der []byte, err error) {
1808 var b cryptobyte.Builder
1810 for _, name := range dns {
1811 if err = isIA5String(name); err != nil {
1815 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1816 b.AddASN1(cryptobyte_asn1.Tag(2).ContextSpecific(), func(b *cryptobyte.Builder) {
1817 b.AddBytes([]byte(name))
1822 for _, ipNet := range ips {
1823 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1824 b.AddASN1(cryptobyte_asn1.Tag(7).ContextSpecific(), func(b *cryptobyte.Builder) {
1825 b.AddBytes(ipAndMask(ipNet))
1830 for _, email := range emails {
1831 if err = isIA5String(email); err != nil {
1835 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1836 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific(), func(b *cryptobyte.Builder) {
1837 b.AddBytes([]byte(email))
1842 for _, uriDomain := range uriDomains {
1843 if err = isIA5String(uriDomain); err != nil {
1847 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1848 b.AddASN1(cryptobyte_asn1.Tag(6).ContextSpecific(), func(b *cryptobyte.Builder) {
1849 b.AddBytes([]byte(uriDomain))
1857 permitted, err := serialiseConstraints(template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains)
1862 excluded, err := serialiseConstraints(template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains)
1867 var b cryptobyte.Builder
1868 b.AddASN1(cryptobyte_asn1.SEQUENCE, func(b *cryptobyte.Builder) {
1869 if len(permitted) > 0 {
1870 b.AddASN1(cryptobyte_asn1.Tag(0).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
1871 b.AddBytes(permitted)
1875 if len(excluded) > 0 {
1876 b.AddASN1(cryptobyte_asn1.Tag(1).ContextSpecific().Constructed(), func(b *cryptobyte.Builder) {
1877 b.AddBytes(excluded)
1882 ret[n].Value, err = b.Bytes()
1889 if len(template.CRLDistributionPoints) > 0 &&
1890 !oidInExtensions(oidExtensionCRLDistributionPoints, template.ExtraExtensions) {
1891 ret[n].Id = oidExtensionCRLDistributionPoints
1893 var crlDp []distributionPoint
1894 for _, name := range template.CRLDistributionPoints {
1895 dp := distributionPoint{
1896 DistributionPoint: distributionPointName{
1897 FullName: []asn1.RawValue{
1898 {Tag: 6, Class: 2, Bytes: []byte(name)},
1902 crlDp = append(crlDp, dp)
1905 ret[n].Value, err = asn1.Marshal(crlDp)
1912 // Adding another extension here? Remember to update the maximum number
1913 // of elements in the make() at the top of the function and the list of
1914 // template fields used in CreateCertificate documentation.
1916 return append(ret[:n], template.ExtraExtensions...), nil
1919 func subjectBytes(cert *Certificate) ([]byte, error) {
1920 if len(cert.RawSubject) > 0 {
1921 return cert.RawSubject, nil
1924 return asn1.Marshal(cert.Subject.ToRDNSequence())
1927 // signingParamsForPublicKey returns the parameters to use for signing with
1928 // priv. If requestedSigAlgo is not zero then it overrides the default
1929 // signature algorithm.
1930 func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) {
1931 var pubType PublicKeyAlgorithm
1933 switch pub := pub.(type) {
1934 case *rsa.PublicKey:
1936 hashFunc = crypto.SHA256
1937 sigAlgo.Algorithm = oidSignatureSHA256WithRSA
1938 sigAlgo.Parameters = asn1.NullRawValue
1940 case *ecdsa.PublicKey:
1944 case elliptic.P224(), elliptic.P256():
1945 hashFunc = crypto.SHA256
1946 sigAlgo.Algorithm = oidSignatureECDSAWithSHA256
1947 case elliptic.P384():
1948 hashFunc = crypto.SHA384
1949 sigAlgo.Algorithm = oidSignatureECDSAWithSHA384
1950 case elliptic.P521():
1951 hashFunc = crypto.SHA512
1952 sigAlgo.Algorithm = oidSignatureECDSAWithSHA512
1954 err = errors.New("x509: unknown elliptic curve")
1957 case ed25519.PublicKey:
1959 sigAlgo.Algorithm = oidSignatureEd25519
1962 err = errors.New("x509: only RSA, ECDSA and Ed25519 keys supported")
1969 if requestedSigAlgo == 0 {
1974 for _, details := range signatureAlgorithmDetails {
1975 if details.algo == requestedSigAlgo {
1976 if details.pubKeyAlgo != pubType {
1977 err = errors.New("x509: requested SignatureAlgorithm does not match private key type")
1980 sigAlgo.Algorithm, hashFunc = details.oid, details.hash
1981 if hashFunc == 0 && pubType != Ed25519 {
1982 err = errors.New("x509: cannot sign with hash function requested")
1985 if requestedSigAlgo.isRSAPSS() {
1986 sigAlgo.Parameters = hashToPSSParameters[hashFunc]
1994 err = errors.New("x509: unknown SignatureAlgorithm")
2000 // emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is
2001 // just an empty SEQUENCE.
2002 var emptyASN1Subject = []byte{0x30, 0}
2004 // CreateCertificate creates a new X.509v3 certificate based on a template.
2005 // The following members of template are used:
2008 // - BasicConstraintsValid
2009 // - CRLDistributionPoints
2012 // - ExcludedDNSDomains
2013 // - ExcludedEmailAddresses
2014 // - ExcludedIPRanges
2015 // - ExcludedURIDomains
2017 // - ExtraExtensions
2020 // - IssuingCertificateURL
2027 // - PermittedDNSDomains
2028 // - PermittedDNSDomainsCritical
2029 // - PermittedEmailAddresses
2030 // - PermittedIPRanges
2031 // - PermittedURIDomains
2032 // - PolicyIdentifiers
2034 // - SignatureAlgorithm
2038 // - UnknownExtKeyUsage
2040 // The certificate is signed by parent. If parent is equal to template then the
2041 // certificate is self-signed. The parameter pub is the public key of the
2042 // signee and priv is the private key of the signer.
2044 // The returned slice is the certificate in DER encoding.
2046 // The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and
2047 // ed25519.PublicKey. pub must be a supported key type, and priv must be a
2048 // crypto.Signer with a supported public key.
2050 // The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
2051 // unless the resulting certificate is self-signed. Otherwise the value from
2052 // template will be used.
2054 // If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId
2055 // will be generated from the hash of the public key.
2056 func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) {
2057 key, ok := priv.(crypto.Signer)
2059 return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
2062 if template.SerialNumber == nil {
2063 return nil, errors.New("x509: no SerialNumber given")
2066 if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
2067 return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
2070 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
2075 publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub)
2080 asn1Issuer, err := subjectBytes(parent)
2085 asn1Subject, err := subjectBytes(template)
2090 authorityKeyId := template.AuthorityKeyId
2091 if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 {
2092 authorityKeyId = parent.SubjectKeyId
2095 subjectKeyId := template.SubjectKeyId
2096 if len(subjectKeyId) == 0 && template.IsCA {
2097 // SubjectKeyId generated using method 1 in RFC 5280, Section 4.2.1.2:
2098 // (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
2099 // value of the BIT STRING subjectPublicKey (excluding the tag,
2100 // length, and number of unused bits).
2101 h := sha1.Sum(publicKeyBytes)
2105 extensions, err := buildExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId, subjectKeyId)
2110 encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
2111 c := tbsCertificate{
2113 SerialNumber: template.SerialNumber,
2114 SignatureAlgorithm: signatureAlgorithm,
2115 Issuer: asn1.RawValue{FullBytes: asn1Issuer},
2116 Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
2117 Subject: asn1.RawValue{FullBytes: asn1Subject},
2118 PublicKey: publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
2119 Extensions: extensions,
2122 tbsCertContents, err := asn1.Marshal(c)
2126 c.Raw = tbsCertContents
2128 signed := tbsCertContents
2135 var signerOpts crypto.SignerOpts = hashFunc
2136 if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() {
2137 signerOpts = &rsa.PSSOptions{
2138 SaltLength: rsa.PSSSaltLengthEqualsHash,
2143 var signature []byte
2144 signature, err = key.Sign(rand, signed, signerOpts)
2149 return asn1.Marshal(certificate{
2153 asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
2157 // pemCRLPrefix is the magic string that indicates that we have a PEM encoded
2159 var pemCRLPrefix = []byte("-----BEGIN X509 CRL")
2161 // pemType is the type of a PEM encoded CRL.
2162 var pemType = "X509 CRL"
2164 // ParseCRL parses a CRL from the given bytes. It's often the case that PEM
2165 // encoded CRLs will appear where they should be DER encoded, so this function
2166 // will transparently handle PEM encoding as long as there isn't any leading
2168 func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) {
2169 if bytes.HasPrefix(crlBytes, pemCRLPrefix) {
2170 block, _ := pem.Decode(crlBytes)
2171 if block != nil && block.Type == pemType {
2172 crlBytes = block.Bytes
2175 return ParseDERCRL(crlBytes)
2178 // ParseDERCRL parses a DER encoded CRL from the given bytes.
2179 func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) {
2180 certList := new(pkix.CertificateList)
2181 if rest, err := asn1.Unmarshal(derBytes, certList); err != nil {
2183 } else if len(rest) != 0 {
2184 return nil, errors.New("x509: trailing data after CRL")
2186 return certList, nil
2189 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that
2190 // contains the given list of revoked certificates.
2192 // Note: this method does not generate an RFC 5280 conformant X.509 v2 CRL.
2193 // To generate a standards compliant CRL, use CreateRevocationList instead.
2194 func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
2195 key, ok := priv.(crypto.Signer)
2197 return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
2200 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), 0)
2205 // Force revocation times to UTC per RFC 5280.
2206 revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
2207 for i, rc := range revokedCerts {
2208 rc.RevocationTime = rc.RevocationTime.UTC()
2209 revokedCertsUTC[i] = rc
2212 tbsCertList := pkix.TBSCertificateList{
2214 Signature: signatureAlgorithm,
2215 Issuer: c.Subject.ToRDNSequence(),
2216 ThisUpdate: now.UTC(),
2217 NextUpdate: expiry.UTC(),
2218 RevokedCertificates: revokedCertsUTC,
2222 if len(c.SubjectKeyId) > 0 {
2223 var aki pkix.Extension
2224 aki.Id = oidExtensionAuthorityKeyId
2225 aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId})
2229 tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
2232 tbsCertListContents, err := asn1.Marshal(tbsCertList)
2237 signed := tbsCertListContents
2244 var signature []byte
2245 signature, err = key.Sign(rand, signed, hashFunc)
2250 return asn1.Marshal(pkix.CertificateList{
2251 TBSCertList: tbsCertList,
2252 SignatureAlgorithm: signatureAlgorithm,
2253 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
2257 // CertificateRequest represents a PKCS #10, certificate signature request.
2258 type CertificateRequest struct {
2259 Raw []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
2260 RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
2261 RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
2262 RawSubject []byte // DER encoded Subject.
2266 SignatureAlgorithm SignatureAlgorithm
2268 PublicKeyAlgorithm PublicKeyAlgorithm
2269 PublicKey interface{}
2273 // Attributes contains the CSR attributes that can parse as
2274 // pkix.AttributeTypeAndValueSET.
2276 // Deprecated: Use Extensions and ExtraExtensions instead for parsing and
2277 // generating the requestedExtensions attribute.
2278 Attributes []pkix.AttributeTypeAndValueSET
2280 // Extensions contains all requested extensions, in raw form. When parsing
2281 // CSRs, this can be used to extract extensions that are not parsed by this
2283 Extensions []pkix.Extension
2285 // ExtraExtensions contains extensions to be copied, raw, into any CSR
2286 // marshaled by CreateCertificateRequest. Values override any extensions
2287 // that would otherwise be produced based on the other fields but are
2288 // overridden by any extensions specified in Attributes.
2290 // The ExtraExtensions field is not populated by ParseCertificateRequest,
2291 // see Extensions instead.
2292 ExtraExtensions []pkix.Extension
2294 // Subject Alternate Name values.
2296 EmailAddresses []string
2297 IPAddresses []net.IP
2301 // These structures reflect the ASN.1 structure of X.509 certificate
2302 // signature requests (see RFC 2986):
2304 type tbsCertificateRequest struct {
2307 Subject asn1.RawValue
2308 PublicKey publicKeyInfo
2309 RawAttributes []asn1.RawValue `asn1:"tag:0"`
2312 type certificateRequest struct {
2314 TBSCSR tbsCertificateRequest
2315 SignatureAlgorithm pkix.AlgorithmIdentifier
2316 SignatureValue asn1.BitString
2319 // oidExtensionRequest is a PKCS #9 OBJECT IDENTIFIER that indicates requested
2320 // extensions in a CSR.
2321 var oidExtensionRequest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}
2323 // newRawAttributes converts AttributeTypeAndValueSETs from a template
2324 // CertificateRequest's Attributes into tbsCertificateRequest RawAttributes.
2325 func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) {
2326 var rawAttributes []asn1.RawValue
2327 b, err := asn1.Marshal(attributes)
2331 rest, err := asn1.Unmarshal(b, &rawAttributes)
2336 return nil, errors.New("x509: failed to unmarshal raw CSR Attributes")
2338 return rawAttributes, nil
2341 // parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs.
2342 func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET {
2343 var attributes []pkix.AttributeTypeAndValueSET
2344 for _, rawAttr := range rawAttributes {
2345 var attr pkix.AttributeTypeAndValueSET
2346 rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr)
2347 // Ignore attributes that don't parse into pkix.AttributeTypeAndValueSET
2348 // (i.e.: challengePassword or unstructuredName).
2349 if err == nil && len(rest) == 0 {
2350 attributes = append(attributes, attr)
2356 // parseCSRExtensions parses the attributes from a CSR and extracts any
2357 // requested extensions.
2358 func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) {
2359 // pkcs10Attribute reflects the Attribute structure from RFC 2986, Section 4.1.
2360 type pkcs10Attribute struct {
2361 Id asn1.ObjectIdentifier
2362 Values []asn1.RawValue `asn1:"set"`
2365 var ret []pkix.Extension
2366 for _, rawAttr := range rawAttributes {
2367 var attr pkcs10Attribute
2368 if rest, err := asn1.Unmarshal(rawAttr.FullBytes, &attr); err != nil || len(rest) != 0 || len(attr.Values) == 0 {
2369 // Ignore attributes that don't parse.
2373 if !attr.Id.Equal(oidExtensionRequest) {
2377 var extensions []pkix.Extension
2378 if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &extensions); err != nil {
2381 ret = append(ret, extensions...)
2387 // CreateCertificateRequest creates a new certificate request based on a
2388 // template. The following members of template are used:
2390 // - SignatureAlgorithm
2396 // - ExtraExtensions
2397 // - Attributes (deprecated)
2399 // priv is the private key to sign the CSR with, and the corresponding public
2400 // key will be included in the CSR. It must implement crypto.Signer and its
2401 // Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a
2402 // ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or
2403 // ed25519.PrivateKey satisfies this.)
2405 // The returned slice is the certificate request in DER encoding.
2406 func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) {
2407 key, ok := priv.(crypto.Signer)
2409 return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
2412 var hashFunc crypto.Hash
2413 var sigAlgo pkix.AlgorithmIdentifier
2414 hashFunc, sigAlgo, err = signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
2419 var publicKeyBytes []byte
2420 var publicKeyAlgorithm pkix.AlgorithmIdentifier
2421 publicKeyBytes, publicKeyAlgorithm, err = marshalPublicKey(key.Public())
2426 var extensions []pkix.Extension
2428 if (len(template.DNSNames) > 0 || len(template.EmailAddresses) > 0 || len(template.IPAddresses) > 0 || len(template.URIs) > 0) &&
2429 !oidInExtensions(oidExtensionSubjectAltName, template.ExtraExtensions) {
2430 sanBytes, err := marshalSANs(template.DNSNames, template.EmailAddresses, template.IPAddresses, template.URIs)
2435 extensions = append(extensions, pkix.Extension{
2436 Id: oidExtensionSubjectAltName,
2441 extensions = append(extensions, template.ExtraExtensions...)
2443 // Make a copy of template.Attributes because we may alter it below.
2444 attributes := make([]pkix.AttributeTypeAndValueSET, 0, len(template.Attributes))
2445 for _, attr := range template.Attributes {
2446 values := make([][]pkix.AttributeTypeAndValue, len(attr.Value))
2447 copy(values, attr.Value)
2448 attributes = append(attributes, pkix.AttributeTypeAndValueSET{
2454 extensionsAppended := false
2455 if len(extensions) > 0 {
2456 // Append the extensions to an existing attribute if possible.
2457 for _, atvSet := range attributes {
2458 if !atvSet.Type.Equal(oidExtensionRequest) || len(atvSet.Value) == 0 {
2462 // specifiedExtensions contains all the extensions that we
2463 // found specified via template.Attributes.
2464 specifiedExtensions := make(map[string]bool)
2466 for _, atvs := range atvSet.Value {
2467 for _, atv := range atvs {
2468 specifiedExtensions[atv.Type.String()] = true
2472 newValue := make([]pkix.AttributeTypeAndValue, 0, len(atvSet.Value[0])+len(extensions))
2473 newValue = append(newValue, atvSet.Value[0]...)
2475 for _, e := range extensions {
2476 if specifiedExtensions[e.Id.String()] {
2477 // Attributes already contained a value for
2478 // this extension and it takes priority.
2482 newValue = append(newValue, pkix.AttributeTypeAndValue{
2483 // There is no place for the critical
2484 // flag in an AttributeTypeAndValue.
2490 atvSet.Value[0] = newValue
2491 extensionsAppended = true
2496 rawAttributes, err := newRawAttributes(attributes)
2501 // If not included in attributes, add a new attribute for the
2503 if len(extensions) > 0 && !extensionsAppended {
2505 Type asn1.ObjectIdentifier
2506 Value [][]pkix.Extension `asn1:"set"`
2508 Type: oidExtensionRequest,
2509 Value: [][]pkix.Extension{extensions},
2512 b, err := asn1.Marshal(attr)
2514 return nil, errors.New("x509: failed to serialise extensions attribute: " + err.Error())
2517 var rawValue asn1.RawValue
2518 if _, err := asn1.Unmarshal(b, &rawValue); err != nil {
2522 rawAttributes = append(rawAttributes, rawValue)
2525 asn1Subject := template.RawSubject
2526 if len(asn1Subject) == 0 {
2527 asn1Subject, err = asn1.Marshal(template.Subject.ToRDNSequence())
2533 tbsCSR := tbsCertificateRequest{
2534 Version: 0, // PKCS #10, RFC 2986
2535 Subject: asn1.RawValue{FullBytes: asn1Subject},
2536 PublicKey: publicKeyInfo{
2537 Algorithm: publicKeyAlgorithm,
2538 PublicKey: asn1.BitString{
2539 Bytes: publicKeyBytes,
2540 BitLength: len(publicKeyBytes) * 8,
2543 RawAttributes: rawAttributes,
2546 tbsCSRContents, err := asn1.Marshal(tbsCSR)
2550 tbsCSR.Raw = tbsCSRContents
2552 signed := tbsCSRContents
2559 var signature []byte
2560 signature, err = key.Sign(rand, signed, hashFunc)
2565 return asn1.Marshal(certificateRequest{
2567 SignatureAlgorithm: sigAlgo,
2568 SignatureValue: asn1.BitString{
2570 BitLength: len(signature) * 8,
2575 // ParseCertificateRequest parses a single certificate request from the
2576 // given ASN.1 DER data.
2577 func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) {
2578 var csr certificateRequest
2580 rest, err := asn1.Unmarshal(asn1Data, &csr)
2583 } else if len(rest) != 0 {
2584 return nil, asn1.SyntaxError{Msg: "trailing data"}
2587 return parseCertificateRequest(&csr)
2590 func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) {
2591 out := &CertificateRequest{
2593 RawTBSCertificateRequest: in.TBSCSR.Raw,
2594 RawSubjectPublicKeyInfo: in.TBSCSR.PublicKey.Raw,
2595 RawSubject: in.TBSCSR.Subject.FullBytes,
2597 Signature: in.SignatureValue.RightAlign(),
2598 SignatureAlgorithm: getSignatureAlgorithmFromAI(in.SignatureAlgorithm),
2600 PublicKeyAlgorithm: getPublicKeyAlgorithmFromOID(in.TBSCSR.PublicKey.Algorithm.Algorithm),
2602 Version: in.TBSCSR.Version,
2603 Attributes: parseRawAttributes(in.TBSCSR.RawAttributes),
2607 out.PublicKey, err = parsePublicKey(out.PublicKeyAlgorithm, &in.TBSCSR.PublicKey)
2612 var subject pkix.RDNSequence
2613 if rest, err := asn1.Unmarshal(in.TBSCSR.Subject.FullBytes, &subject); err != nil {
2615 } else if len(rest) != 0 {
2616 return nil, errors.New("x509: trailing data after X.509 Subject")
2619 out.Subject.FillFromRDNSequence(&subject)
2621 if out.Extensions, err = parseCSRExtensions(in.TBSCSR.RawAttributes); err != nil {
2625 for _, extension := range out.Extensions {
2626 if extension.Id.Equal(oidExtensionSubjectAltName) {
2627 out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(extension.Value)
2637 // CheckSignature reports whether the signature on c is valid.
2638 func (c *CertificateRequest) CheckSignature() error {
2639 return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
2642 // RevocationList contains the fields used to create an X.509 v2 Certificate
2643 // Revocation list with CreateRevocationList.
2644 type RevocationList struct {
2645 // SignatureAlgorithm is used to determine the signature algorithm to be
2646 // used when signing the CRL. If 0 the default algorithm for the signing
2647 // key will be used.
2648 SignatureAlgorithm SignatureAlgorithm
2650 // RevokedCertificates is used to populate the revokedCertificates
2651 // sequence in the CRL, it may be empty. RevokedCertificates may be nil,
2652 // in which case an empty CRL will be created.
2653 RevokedCertificates []pkix.RevokedCertificate
2655 // Number is used to populate the X.509 v2 cRLNumber extension in the CRL,
2656 // which should be a monotonically increasing sequence number for a given
2657 // CRL scope and CRL issuer.
2659 // ThisUpdate is used to populate the thisUpdate field in the CRL, which
2660 // indicates the issuance date of the CRL.
2661 ThisUpdate time.Time
2662 // NextUpdate is used to populate the nextUpdate field in the CRL, which
2663 // indicates the date by which the next CRL will be issued. NextUpdate
2664 // must be greater than ThisUpdate.
2665 NextUpdate time.Time
2666 // ExtraExtensions contains any additional extensions to add directly to
2668 ExtraExtensions []pkix.Extension
2671 // CreateRevocationList creates a new X.509 v2 Certificate Revocation List,
2672 // according to RFC 5280, based on template.
2674 // The CRL is signed by priv which should be the private key associated with
2675 // the public key in the issuer certificate.
2677 // The issuer may not be nil, and the crlSign bit must be set in KeyUsage in
2678 // order to use it as a CRL issuer.
2680 // The issuer distinguished name CRL field and authority key identifier
2681 // extension are populated using the issuer certificate. issuer must have
2682 // SubjectKeyId set.
2683 func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error) {
2684 if template == nil {
2685 return nil, errors.New("x509: template can not be nil")
2688 return nil, errors.New("x509: issuer can not be nil")
2690 if (issuer.KeyUsage & KeyUsageCRLSign) == 0 {
2691 return nil, errors.New("x509: issuer must have the crlSign key usage bit set")
2693 if len(issuer.SubjectKeyId) == 0 {
2694 return nil, errors.New("x509: issuer certificate doesn't contain a subject key identifier")
2696 if template.NextUpdate.Before(template.ThisUpdate) {
2697 return nil, errors.New("x509: template.ThisUpdate is after template.NextUpdate")
2699 if template.Number == nil {
2700 return nil, errors.New("x509: template contains nil Number field")
2703 hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm)
2708 // Force revocation times to UTC per RFC 5280.
2709 revokedCertsUTC := make([]pkix.RevokedCertificate, len(template.RevokedCertificates))
2710 for i, rc := range template.RevokedCertificates {
2711 rc.RevocationTime = rc.RevocationTime.UTC()
2712 revokedCertsUTC[i] = rc
2715 aki, err := asn1.Marshal(authKeyId{Id: issuer.SubjectKeyId})
2719 crlNum, err := asn1.Marshal(template.Number)
2724 tbsCertList := pkix.TBSCertificateList{
2726 Signature: signatureAlgorithm,
2727 Issuer: issuer.Subject.ToRDNSequence(),
2728 ThisUpdate: template.ThisUpdate.UTC(),
2729 NextUpdate: template.NextUpdate.UTC(),
2730 Extensions: []pkix.Extension{
2732 Id: oidExtensionAuthorityKeyId,
2736 Id: oidExtensionCRLNumber,
2741 if len(revokedCertsUTC) > 0 {
2742 tbsCertList.RevokedCertificates = revokedCertsUTC
2745 if len(template.ExtraExtensions) > 0 {
2746 tbsCertList.Extensions = append(tbsCertList.Extensions, template.ExtraExtensions...)
2749 tbsCertListContents, err := asn1.Marshal(tbsCertList)
2754 input := tbsCertListContents
2757 h.Write(tbsCertListContents)
2760 var signerOpts crypto.SignerOpts = hashFunc
2761 if template.SignatureAlgorithm.isRSAPSS() {
2762 signerOpts = &rsa.PSSOptions{
2763 SaltLength: rsa.PSSSaltLengthEqualsHash,
2768 signature, err := priv.Sign(rand, input, signerOpts)
2773 return asn1.Marshal(pkix.CertificateList{
2774 TBSCertList: tbsCertList,
2775 SignatureAlgorithm: signatureAlgorithm,
2776 SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},