From 9c09ed13d28474ef76a73c533dc75da586f657d3 Mon Sep 17 00:00:00 2001
From: Adam Langley <agl@golang.org>
Date: Wed, 30 Jun 2010 18:02:31 -0400
Subject: [PATCH] x509: support non-self-signed certs.

For generating non-self-signed certs we need to be able to specify a
public key (for the signee) which is different from the private key (of
the signer).

R=rsc
CC=golang-dev
https://golang.org/cl/1741045
---
 src/pkg/crypto/x509/x509.go      | 11 ++++++-----
 src/pkg/crypto/x509/x509_test.go |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/pkg/crypto/x509/x509.go b/src/pkg/crypto/x509/x509.go
index 45197497cc4..c4c79eb0de5 100644
--- a/src/pkg/crypto/x509/x509.go
+++ b/src/pkg/crypto/x509/x509.go
@@ -761,19 +761,20 @@ var (
 // MaxPathLen, SubjectKeyId, DNSNames.
 //
 // The certificate is signed by parent. If parent is equal to template then the
-// certificate is self-signed.
+// certificate is self-signed. pub is the public key of the signee. priv is the
+// private key of the signer.
 //
 // The returned slice is the certificate in DER encoding.
-func CreateCertificate(rand io.Reader, template, parent *Certificate, priv *rsa.PrivateKey) (cert []byte, err os.Error) {
+func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (cert []byte, err os.Error) {
 	asn1PublicKey, err := asn1.MarshalToMemory(rsaPublicKey{
-		N: asn1.RawValue{Tag: 2, Bytes: priv.PublicKey.N.Bytes()},
-		E: priv.PublicKey.E,
+		N: asn1.RawValue{Tag: 2, Bytes: pub.N.Bytes()},
+		E: pub.E,
 	})
 	if err != nil {
 		return
 	}
 
-	if len(template.SubjectKeyId) > 0 && len(parent.SubjectKeyId) > 0 {
+	if len(parent.SubjectKeyId) > 0 {
 		template.AuthorityKeyId = parent.SubjectKeyId
 	}
 
diff --git a/src/pkg/crypto/x509/x509_test.go b/src/pkg/crypto/x509/x509_test.go
index 85e9e1bc835..23ce1ad11fe 100644
--- a/src/pkg/crypto/x509/x509_test.go
+++ b/src/pkg/crypto/x509/x509_test.go
@@ -174,7 +174,7 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
 		DNSNames:              []string{"test.example.com"},
 	}
 
-	derBytes, err := CreateCertificate(urandom, &template, &template, priv)
+	derBytes, err := CreateCertificate(urandom, &template, &template, &priv.PublicKey, priv)
 	if err != nil {
 		t.Errorf("Failed to create certificate: %s", err)
 		return