Diffstat (limited to 'src/pkg/crypto/x509')
-rw-r--r-- | src/pkg/crypto/x509/pkix/pkix.go | 12 | ||||
-rw-r--r-- | src/pkg/crypto/x509/verify.go | 10 | ||||
-rw-r--r-- | src/pkg/crypto/x509/verify_test.go | 13 | ||||
-rw-r--r-- | src/pkg/crypto/x509/x509.go | 46 |
4 files changed, 44 insertions, 37 deletions
diff --git a/src/pkg/crypto/x509/pkix/pkix.go b/src/pkg/crypto/x509/pkix/pkix.go index 7806b2a2e..266fd557a 100644 --- a/src/pkg/crypto/x509/pkix/pkix.go +++ b/src/pkg/crypto/x509/pkix/pkix.go @@ -16,7 +16,7 @@ import ( // 5280, section 4.1.1.2. type AlgorithmIdentifier struct { Algorithm asn1.ObjectIdentifier - Parameters asn1.RawValue "optional" + Parameters asn1.RawValue `asn1:"optional"` } type RDNSequence []RelativeDistinguishedNameSET @@ -32,7 +32,7 @@ type AttributeTypeAndValue struct { // 5280, section 4.2. type Extension struct { Id asn1.ObjectIdentifier - Critical bool "optional" + Critical bool `asn1:"optional"` Value []byte } @@ -149,13 +149,13 @@ func (certList *CertificateList) HasExpired(currentTimeSeconds int64) bool { // 5280, section 5.1. type TBSCertificateList struct { Raw asn1.RawContent - Version int "optional,default:2" + Version int `asn1:"optional,default:2"` Signature AlgorithmIdentifier Issuer RDNSequence ThisUpdate *time.Time NextUpdate *time.Time - RevokedCertificates []RevokedCertificate "optional" - Extensions []Extension "tag:0,optional,explicit" + RevokedCertificates []RevokedCertificate `asn1:"optional"` + Extensions []Extension `asn1:"tag:0,optional,explicit"` } // RevokedCertificate represents the ASN.1 structure of the same name. See RFC @@ -163,5 +163,5 @@ type TBSCertificateList struct { type RevokedCertificate struct { SerialNumber *big.Int RevocationTime *time.Time - Extensions []Extension "optional" + Extensions []Extension `asn1:"optional"` } diff --git a/src/pkg/crypto/x509/verify.go b/src/pkg/crypto/x509/verify.go index 9145880a2..cad863db8 100644 --- a/src/pkg/crypto/x509/verify.go +++ b/src/pkg/crypto/x509/verify.go 
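Review bot: The CRL version default rewritten in the TBSCertificateList hunk, `Version int `asn1:"optional,default:2"``, does not match the wire encoding RFC 5280 §5.1.2.1 gives this field: Version is an INTEGER in which v2 is encoded as 1, and DER omits the field entirely for a v1 CRL, so an absent field decodes here to 2 — a value no CRL ever carries — while an explicit v2 CRL decodes to 1. Any caller that compares Version against a literal will therefore treat v1 and v2 CRLs inconsistently; `Version int `asn1:"optional,default:0"`` reproduces the DEFAULT v1 semantics, and a comment saying the field holds the raw wire integer (0 = v1, 1 = v2) would keep the next reader from re-deriving this. The commit only changes tag syntax, so this looks carried over rather than introduced, but the tag line is rewritten here and is the natural place to correct it. The code that consumes TBSCertificateList.Version is outside this diff.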
@@ -171,8 +171,14 @@ func (c *Certificate) buildChains(cache map[int][][]*Certificate, currentChain [ chains = append(chains, appendToFreshChain(currentChain, root)) } +nextIntermediate: for _, intermediateNum := range opts.Intermediates.findVerifiedParents(c) { intermediate := opts.Intermediates.certs[intermediateNum] + for _, cert := range currentChain { + if cert == intermediate { + continue nextIntermediate + } + } err = intermediate.isValid(intermediateCertificate, opts) if err != nil { continue @@ -202,8 +208,8 @@ func matchHostnames(pattern, host string) bool { return false } - patternParts := strings.Split(pattern, ".", -1) - hostParts := strings.Split(host, ".", -1) + patternParts := strings.Split(pattern, ".") + hostParts := strings.Split(host, ".") if len(patternParts) != len(hostParts) { return false diff --git a/src/pkg/crypto/x509/verify_test.go b/src/pkg/crypto/x509/verify_test.go index 6a103dcfb..111f60eb1 100644 --- a/src/pkg/crypto/x509/verify_test.go +++ b/src/pkg/crypto/x509/verify_test.go @@ -72,23 +72,24 @@ var verifyTests = []verifyTest{ }, }, { - leaf: googleLeaf, - intermediates: []string{verisignRoot, thawteIntermediate}, - roots: []string{verisignRoot}, + leaf: dnssecExpLeaf, + intermediates: []string{startComIntermediate}, + roots: []string{startComRoot}, currentTime: 1302726541, expectedChains: [][]string{ - []string{"Google", "Thawte", "VeriSign"}, + []string{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority"}, }, }, { leaf: dnssecExpLeaf, - intermediates: []string{startComIntermediate}, + intermediates: []string{startComIntermediate, startComRoot}, roots: []string{startComRoot}, currentTime: 1302726541, expectedChains: [][]string{ []string{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority"}, + []string{"dnssec-exp", "StartCom Class 1", "StartCom Certification Authority", "StartCom Certification Authority"}, }, }, } 
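Review bot: The new guard `if cert == intermediate` compares *Certificate pointers, so it only stops a cycle when the very object from opts.Intermediates.certs is revisited; the same certificate parsed into a second object is not recognised, which is what the new verify_test case sets up by supplying startComRoot as both an intermediate and a root (presumably parsed separately by certificateFromPEM) and then expecting a chain that ends with "StartCom Certification Authority" twice. Comparing the DER instead, e.g. `if bytes.Equal(cert.Raw, intermediate.Raw) {` (assuming Certificate keeps the parsed DER in a Raw field as tbsCertificate does), would suppress that redundant chain; if returning it is intended, a short comment above the loop saying that identity is by pointer and duplicate-by-value chains are expected would save the next reader the same question. Note also that the guard bounds recursion by the size of the intermediate pool rather than by a fixed depth, so a large cross-signed pool can still yield a very large number of candidate chains. buildChains begins and ends outside this hunk.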
@@ -120,7 +121,7 @@ func expectAuthorityUnknown(t *testing.T, i int, err os.Error) (ok bool) { func certificateFromPEM(pemBytes string) (*Certificate, os.Error) { block, _ := pem.Decode([]byte(pemBytes)) if block == nil { - return nil, os.ErrorString("failed to decode PEM") + return nil, os.NewError("failed to decode PEM") } return ParseCertificate(block.Bytes) } diff --git a/src/pkg/crypto/x509/x509.go b/src/pkg/crypto/x509/x509.go index b10ffb0a2..348727a26 100644 --- a/src/pkg/crypto/x509/x509.go +++ b/src/pkg/crypto/x509/x509.go @@ -30,11 +30,11 @@ type pkcs1PrivateKey struct { P *big.Int Q *big.Int // We ignore these values, if present, because rsa will calculate them. - Dp *big.Int "optional" - Dq *big.Int "optional" - Qinv *big.Int "optional" + Dp *big.Int `asn1:"optional"` + Dq *big.Int `asn1:"optional"` + Qinv *big.Int `asn1:"optional"` - AdditionalPrimes []pkcs1AdditionalRSAPrime "optional" + AdditionalPrimes []pkcs1AdditionalRSAPrime `asn1:"optional"` } type pkcs1AdditionalRSAPrime struct { @@ -58,11 +58,11 @@ func ParsePKCS1PrivateKey(der []byte) (key *rsa.PrivateKey, err os.Error) { } if priv.Version > 1 { - return nil, os.ErrorString("x509: unsupported private key version") + return nil, os.NewError("x509: unsupported private key version") } if priv.N.Sign() <= 0 || priv.D.Sign() <= 0 || priv.P.Sign() <= 0 || priv.Q.Sign() <= 0 { - return nil, os.ErrorString("private key contains zero or negative value") + return nil, os.NewError("private key contains zero or negative value") } key = new(rsa.PrivateKey) @@ -77,7 +77,7 @@ func ParsePKCS1PrivateKey(der []byte) (key *rsa.PrivateKey, err os.Error) { key.Primes[1] = priv.Q for i, a := range priv.AdditionalPrimes { if a.Prime.Sign() <= 0 { - return nil, os.ErrorString("private key contains zero or negative prime") + return nil, os.NewError("private key contains zero or negative prime") } key.Primes[i+2] = a.Prime // We ignore the other two values because rsa will calculate 
@@ -136,16 +136,16 @@ type certificate struct { type tbsCertificate struct { Raw asn1.RawContent - Version int "optional,explicit,default:1,tag:0" + Version int `asn1:"optional,explicit,default:1,tag:0"` SerialNumber *big.Int SignatureAlgorithm pkix.AlgorithmIdentifier Issuer pkix.RDNSequence Validity validity Subject pkix.RDNSequence PublicKey publicKeyInfo - UniqueId asn1.BitString "optional,tag:1" - SubjectUniqueId asn1.BitString "optional,tag:2" - Extensions []pkix.Extension "optional,explicit,tag:3" + UniqueId asn1.BitString `asn1:"optional,tag:1"` + SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"` + Extensions []pkix.Extension `asn1:"optional,explicit,tag:3"` } type dsaAlgorithmParameters struct { @@ -168,7 +168,7 @@ type publicKeyInfo struct { // RFC 5280, 4.2.1.1 type authKeyId struct { - Id []byte "optional,tag:0" + Id []byte `asn1:"optional,tag:0"` } type SignatureAlgorithm int @@ -457,10 +457,10 @@ func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature return err } if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 { - return os.ErrorString("DSA signature contained zero or negative values") + return os.NewError("DSA signature contained zero or negative values") } if !dsa.Verify(pub, digest, dsaSig.R, dsaSig.S) { - return os.ErrorString("DSA verification failure") + return os.NewError("DSA verification failure") } return } @@ -480,8 +480,8 @@ func (h UnhandledCriticalExtension) String() string { } type basicConstraints struct { - IsCA bool "optional" - MaxPathLen int "optional" + IsCA bool `asn1:"optional"` + MaxPathLen int `asn1:"optional"` } type rsaPublicKey struct { 
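Review bot: The rewritten tag `Version int `asn1:"optional,explicit,default:1,tag:0"`` defaults an absent version to 1, but RFC 5280 §4.1.2.1 defines Version as INTEGER { v1(0), v2(1), v3(2) } with DEFAULT v1, and DER omits a field equal to its default, so every v1 certificate arrives with no version and is decoded as 1 here; parseCertificate (visible further down this diff) then reports `out.Version = in.TBSCertificate.Version + 1`, i.e. 2, labelling a v1 certificate as v2 while a genuine v2 certificate also yields 2. Anything that keys on Version — for instance refusing extensions or unique identifiers on pre-v3 certificates — cannot tell the two apart. `Version int `asn1:"optional,explicit,default:0,tag:0"`` matches the wire semantics and makes the +1 in parseCertificate produce 1/2/3 as intended; a comment noting that the struct field holds the raw wire integer would help. This appears pre-existing rather than introduced by the tag migration, but the line is rewritten here.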
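Review bot: With `MaxPathLen int `asn1:"optional"`` an omitted pathLenConstraint and an explicit pathLenConstraint of 0 both decode to 0, and nothing in basicConstraints records which one was present; whichever reading the consumer applies (its code is outside this diff), one class of CA certificate is handled wrongly — either a CA that says "no further sub-CAs" is granted an unlimited path length, or a CA with no constraint at all is cut off at depth 0. Decoding into `MaxPathLen int `asn1:"optional,default:-1"`` so that -1 means absent keeps the two cases apart without touching the decoder, and lets the path-length check fail closed on the explicit-zero case. At minimum a comment on the field stating what an absent constraint decodes to should accompany this line.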
@@ -497,14 +497,14 @@ type policyInformation struct { // RFC 5280, 4.2.1.10 type nameConstraints struct { - Permitted []generalSubtree "optional,tag:0" - Excluded []generalSubtree "optional,tag:1" + Permitted []generalSubtree `asn1:"optional,tag:0"` + Excluded []generalSubtree `asn1:"optional,tag:1"` } type generalSubtree struct { - Name string "tag:2,optional,ia5" - Min int "optional,tag:0" - Max int "optional,tag:1" + Name string `asn1:"tag:2,optional,ia5"` + Min int `asn1:"optional,tag:0"` + Max int `asn1:"optional,tag:1"` } func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{}, os.Error) { @@ -535,7 +535,7 @@ func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (interface{ return nil, err } if p.Sign() <= 0 || params.P.Sign() <= 0 || params.Q.Sign() <= 0 || params.G.Sign() <= 0 { - return nil, os.ErrorString("zero or negative DSA parameter") + return nil, os.NewError("zero or negative DSA parameter") } pub := &dsa.PublicKey{ Parameters: dsa.Parameters{ @@ -571,7 +571,7 @@ func parseCertificate(in *certificate) (*Certificate, os.Error) { } if in.TBSCertificate.SerialNumber.Sign() < 0 { - return nil, os.ErrorString("negative serial number") + return nil, os.NewError("negative serial number") } out.Version = in.TBSCertificate.Version + 1 |
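Review bot: generalSubtree only binds the dNSName choice of GeneralName, `Name string `asn1:"tag:2,optional,ia5"``; a subtree whose base is any other choice (rfc822Name tag 1, directoryName tag 4, uniformResourceIdentifier tag 6, iPAddress tag 7) matches none of the three optional fields and, as far as I can tell from the tags, decodes as an entry with an empty Name and 0/0 bounds rather than as an error. If the consumer (outside this diff) treats an empty Name as "no restriction", a critical NameConstraints extension carrying only, say, an iPAddress or directoryName exclusion is silently ignored instead of rejected. Capturing the unparsed choice — e.g. replacing Name with an `asn1.RawValue` and inspecting its tag, or rejecting the certificate when a permitted/excluded entry yields no Name — would make unsupported constraint forms fail closed. A comment on the struct stating that only dNSName subtrees are honoured is the least that should accompany this.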