mirror of
https://github.com/golang/go
synced 2024-11-24 02:30:12 -07:00
crypto/x509: remove explicit uses of rsa.
(Sending to r because of the API change.) Over time we might want to add support for other key types. While I was in the code, I also made the use of RawSubject the same between Subject and Issuer when creating certificates. R=r, rsc CC=golang-dev https://golang.org/cl/5554049
This commit is contained in:
parent
247799ce8a
commit
a99e35b625
22
doc/go1.tmpl
22
doc/go1.tmpl
@ -592,7 +592,7 @@ the correct function or method for the old functionality, but
|
|||||||
may have the wrong type or require further analysis.
|
may have the wrong type or require further analysis.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<h3 id="hash">The crypto/elliptic package</h3>
|
<h3 id="crypto/elliptic">The crypto/elliptic package</h3>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
In Go 1, <a href="/pkg/crypto/elliptic/#Curve"><code>elliptic.Curve</code></a>
|
In Go 1, <a href="/pkg/crypto/elliptic/#Curve"><code>elliptic.Curve</code></a>
|
||||||
@ -607,10 +607,28 @@ structure.
|
|||||||
Existing users of <code>*elliptic.Curve</code> will need to change to
|
Existing users of <code>*elliptic.Curve</code> will need to change to
|
||||||
simply <code>elliptic.Curve</code>. Calls to <code>Marshal</code>,
|
simply <code>elliptic.Curve</code>. Calls to <code>Marshal</code>,
|
||||||
<code>Unmarshal</code> and <code>GenerateKey</code> are now functions
|
<code>Unmarshal</code> and <code>GenerateKey</code> are now functions
|
||||||
in <code>crypto.elliptic</code> that take an <code>elliptic.Curve</code>
|
in <code>crypto/elliptic</code> that take an <code>elliptic.Curve</code>
|
||||||
as their first argument.
|
as their first argument.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
<h3 id="crypto/x509">The crypto/x509 package</h3>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
In Go 1, the
|
||||||
|
<a href="/pkg/crypto/x509/#CreateCertificate"><code>CreateCertificate</code></a>
|
||||||
|
and
|
||||||
|
<a href="/pkg/crypto/x509/#CreateCRL"><code>CreateCRL</code></a>
|
||||||
|
functions in <code>crypto/x509</code> have been altered to take an
|
||||||
|
<code>interface{}</code> where they previously took a <code>*rsa.PublicKey</code>
|
||||||
|
or <code>*rsa.PrivateKey</code>. This will allow other public key algorithms
|
||||||
|
to be implemented in the future.
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
<em>Updating</em>:
|
||||||
|
No changes will be needed.
|
||||||
|
</p>
|
||||||
|
|
||||||
<h3 id="hash">The hash package</h3>
|
<h3 id="hash">The hash package</h3>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
@ -899,6 +899,14 @@ var (
|
|||||||
oidRSA = []int{1, 2, 840, 113549, 1, 1, 1}
|
oidRSA = []int{1, 2, 840, 113549, 1, 1, 1}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func subjectBytes(cert *Certificate) ([]byte, error) {
|
||||||
|
if len(cert.RawSubject) > 0 {
|
||||||
|
return cert.RawSubject, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return asn1.Marshal(cert.Subject.ToRDNSequence())
|
||||||
|
}
|
||||||
|
|
||||||
// CreateCertificate creates a new certificate based on a template. The
|
// CreateCertificate creates a new certificate based on a template. The
|
||||||
// following members of template are used: SerialNumber, Subject, NotBefore,
|
// following members of template are used: SerialNumber, Subject, NotBefore,
|
||||||
// NotAfter, KeyUsage, BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId,
|
// NotAfter, KeyUsage, BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId,
|
||||||
@ -909,10 +917,23 @@ var (
|
|||||||
// signee and priv is the private key of the signer.
|
// signee and priv is the private key of the signer.
|
||||||
//
|
//
|
||||||
// The returned slice is the certificate in DER encoding.
|
// The returned slice is the certificate in DER encoding.
|
||||||
func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (cert []byte, err error) {
|
//
|
||||||
|
// The only supported key type is RSA (*rsa.PublicKey for pub, *rsa.PrivateKey
|
||||||
|
// for priv).
|
||||||
|
func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interface{}, priv interface{}) (cert []byte, err error) {
|
||||||
|
rsaPub, ok := pub.(*rsa.PublicKey)
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("x509: non-RSA public keys not supported")
|
||||||
|
}
|
||||||
|
|
||||||
|
rsaPriv, ok := priv.(*rsa.PrivateKey)
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("x509: non-RSA private keys not supported")
|
||||||
|
}
|
||||||
|
|
||||||
asn1PublicKey, err := asn1.Marshal(rsaPublicKey{
|
asn1PublicKey, err := asn1.Marshal(rsaPublicKey{
|
||||||
N: pub.N,
|
N: rsaPub.N,
|
||||||
E: pub.E,
|
E: rsaPub.E,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
@ -927,16 +948,12 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
var asn1Issuer []byte
|
asn1Issuer, err := subjectBytes(parent)
|
||||||
if len(parent.RawSubject) > 0 {
|
if err != nil {
|
||||||
asn1Issuer = parent.RawSubject
|
return
|
||||||
} else {
|
|
||||||
if asn1Issuer, err = asn1.Marshal(parent.Subject.ToRDNSequence()); err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
asn1Subject, err := asn1.Marshal(template.Subject.ToRDNSequence())
|
asn1Subject, err := subjectBytes(template)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -964,7 +981,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P
|
|||||||
h.Write(tbsCertContents)
|
h.Write(tbsCertContents)
|
||||||
digest := h.Sum(nil)
|
digest := h.Sum(nil)
|
||||||
|
|
||||||
signature, err := rsa.SignPKCS1v15(rand, priv, crypto.SHA1, digest)
|
signature, err := rsa.SignPKCS1v15(rand, rsaPriv, crypto.SHA1, digest)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -1011,7 +1028,13 @@ func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error) {
|
|||||||
|
|
||||||
// CreateCRL returns a DER encoded CRL, signed by this Certificate, that
|
// CreateCRL returns a DER encoded CRL, signed by this Certificate, that
|
||||||
// contains the given list of revoked certificates.
|
// contains the given list of revoked certificates.
|
||||||
func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
|
//
|
||||||
|
// The only supported key type is RSA (*rsa.PrivateKey for priv).
|
||||||
|
func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
|
||||||
|
rsaPriv, ok := priv.(*rsa.PrivateKey)
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("x509: non-RSA private keys not supported")
|
||||||
|
}
|
||||||
tbsCertList := pkix.TBSCertificateList{
|
tbsCertList := pkix.TBSCertificateList{
|
||||||
Version: 2,
|
Version: 2,
|
||||||
Signature: pkix.AlgorithmIdentifier{
|
Signature: pkix.AlgorithmIdentifier{
|
||||||
@ -1032,7 +1055,7 @@ func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCer
|
|||||||
h.Write(tbsCertListContents)
|
h.Write(tbsCertListContents)
|
||||||
digest := h.Sum(nil)
|
digest := h.Sum(nil)
|
||||||
|
|
||||||
signature, err := rsa.SignPKCS1v15(rand, priv, crypto.SHA1, digest)
|
signature, err := rsa.SignPKCS1v15(rand, rsaPriv, crypto.SHA1, digest)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user