Commit a99e35b6 authored by Adam Langley's avatar Adam Langley

crypto/x509: remove explicit uses of rsa.

(Sending to r because of the API change.)

Over time we might want to add support for other key types.

While I was in the code, I also made the use of RawSubject the same
between Subject and Issuer when creating certificates.

R=r, rsc
CC=golang-dev
https://golang.org/cl/5554049
parent 247799ce
...@@ -592,7 +592,7 @@ the correct function or method for the old functionality, but ...@@ -592,7 +592,7 @@ the correct function or method for the old functionality, but
may have the wrong type or require further analysis. may have the wrong type or require further analysis.
</p> </p>
<h3 id="hash">The crypto/elliptic package</h3> <h3 id="crypto/elliptic">The crypto/elliptic package</h3>
<p> <p>
In Go 1, <a href="/pkg/crypto/elliptic/#Curve"><code>elliptic.Curve</code></a> In Go 1, <a href="/pkg/crypto/elliptic/#Curve"><code>elliptic.Curve</code></a>
...@@ -607,10 +607,28 @@ structure. ...@@ -607,10 +607,28 @@ structure.
Existing users of <code>*elliptic.Curve</code> will need to change to Existing users of <code>*elliptic.Curve</code> will need to change to
simply <code>elliptic.Curve</code>. Calls to <code>Marshal</code>, simply <code>elliptic.Curve</code>. Calls to <code>Marshal</code>,
<code>Unmarshal</code> and <code>GenerateKey</code> are now functions <code>Unmarshal</code> and <code>GenerateKey</code> are now functions
in <code>crypto.elliptic</code> that take an <code>elliptic.Curve</code> in <code>crypto/elliptic</code> that take an <code>elliptic.Curve</code>
as their first argument. as their first argument.
</p> </p>
<h3 id="crypto/x509">The crypto/x509 package</h3>
<p>
In Go 1, the
<a href="/pkg/crypto/x509/#CreateCertificate"><code>CreateCertificate</code></a>
and
<a href="/pkg/crypto/x509/#CreateCRL"><code>CreateCRL</code></a>
functions in <code>crypto/x509</code> have been altered to take an
<code>interface{}</code> where they previously took a <code>*rsa.PublicKey</code>
or <code>*rsa.PrivateKey</code>. This will allow other public key algorithms
to be implemented in the future.
</p>
<p>
<em>Updating</em>:
No changes will be needed.
</p>
<h3 id="hash">The hash package</h3> <h3 id="hash">The hash package</h3>
<p> <p>
......
...@@ -899,6 +899,14 @@ var ( ...@@ -899,6 +899,14 @@ var (
oidRSA = []int{1, 2, 840, 113549, 1, 1, 1} oidRSA = []int{1, 2, 840, 113549, 1, 1, 1}
) )
func subjectBytes(cert *Certificate) ([]byte, error) {
if len(cert.RawSubject) > 0 {
return cert.RawSubject, nil
}
return asn1.Marshal(cert.Subject.ToRDNSequence())
}
// CreateCertificate creates a new certificate based on a template. The // CreateCertificate creates a new certificate based on a template. The
// following members of template are used: SerialNumber, Subject, NotBefore, // following members of template are used: SerialNumber, Subject, NotBefore,
// NotAfter, KeyUsage, BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId, // NotAfter, KeyUsage, BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId,
...@@ -909,10 +917,23 @@ var ( ...@@ -909,10 +917,23 @@ var (
// signee and priv is the private key of the signer. // signee and priv is the private key of the signer.
// //
// The returned slice is the certificate in DER encoding. // The returned slice is the certificate in DER encoding.
func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (cert []byte, err error) { //
// The only supported key type is RSA (*rsa.PublicKey for pub, *rsa.PrivateKey
// for priv).
func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interface{}, priv interface{}) (cert []byte, err error) {
rsaPub, ok := pub.(*rsa.PublicKey)
if !ok {
return nil, errors.New("x509: non-RSA public keys not supported")
}
rsaPriv, ok := priv.(*rsa.PrivateKey)
if !ok {
return nil, errors.New("x509: non-RSA private keys not supported")
}
asn1PublicKey, err := asn1.Marshal(rsaPublicKey{ asn1PublicKey, err := asn1.Marshal(rsaPublicKey{
N: pub.N, N: rsaPub.N,
E: pub.E, E: rsaPub.E,
}) })
if err != nil { if err != nil {
return return
...@@ -927,16 +948,12 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P ...@@ -927,16 +948,12 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P
return return
} }
var asn1Issuer []byte asn1Issuer, err := subjectBytes(parent)
if len(parent.RawSubject) > 0 { if err != nil {
asn1Issuer = parent.RawSubject return
} else {
if asn1Issuer, err = asn1.Marshal(parent.Subject.ToRDNSequence()); err != nil {
return
}
} }
asn1Subject, err := asn1.Marshal(template.Subject.ToRDNSequence()) asn1Subject, err := subjectBytes(template)
if err != nil { if err != nil {
return return
} }
...@@ -964,7 +981,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P ...@@ -964,7 +981,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P
h.Write(tbsCertContents) h.Write(tbsCertContents)
digest := h.Sum(nil) digest := h.Sum(nil)
signature, err := rsa.SignPKCS1v15(rand, priv, crypto.SHA1, digest) signature, err := rsa.SignPKCS1v15(rand, rsaPriv, crypto.SHA1, digest)
if err != nil { if err != nil {
return return
} }
...@@ -1011,7 +1028,13 @@ func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error) { ...@@ -1011,7 +1028,13 @@ func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error) {
// CreateCRL returns a DER encoded CRL, signed by this Certificate, that // CreateCRL returns a DER encoded CRL, signed by this Certificate, that
// contains the given list of revoked certificates. // contains the given list of revoked certificates.
func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { //
// The only supported key type is RSA (*rsa.PrivateKey for priv).
func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
rsaPriv, ok := priv.(*rsa.PrivateKey)
if !ok {
return nil, errors.New("x509: non-RSA private keys not supported")
}
tbsCertList := pkix.TBSCertificateList{ tbsCertList := pkix.TBSCertificateList{
Version: 2, Version: 2,
Signature: pkix.AlgorithmIdentifier{ Signature: pkix.AlgorithmIdentifier{
...@@ -1032,7 +1055,7 @@ func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCer ...@@ -1032,7 +1055,7 @@ func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCer
h.Write(tbsCertListContents) h.Write(tbsCertListContents)
digest := h.Sum(nil) digest := h.Sum(nil)
signature, err := rsa.SignPKCS1v15(rand, priv, crypto.SHA1, digest) signature, err := rsa.SignPKCS1v15(rand, rsaPriv, crypto.SHA1, digest)
if err != nil { if err != nil {
return return
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment