func TestNewCRLFromFileWithoutRevocations(t *testing.T) {
tryTwoKeyBytes, err := ioutil.ReadFile(tryTwoKey)
if err != nil {
t.Fatal(err)
}
tryTwoCertBytes, err := ioutil.ReadFile(tryTwoCert)
if err != nil {
t.Fatal(err)
}
crl, err := NewCRLFromFile([]byte("\n \n"), tryTwoCertBytes, tryTwoKeyBytes, "0")
if err != nil {
t.Fatal(err)
}
certList, err := x509.ParseDERCRL(crl)
if err != nil {
t.Fatal(err)
}
numCerts := len(certList.TBSCertList.RevokedCertificates)
expectedNum := 0
if expectedNum != numCerts {
t.Fatal("Wrong number of expired certificates")
}
}
// ParsePKCS7 attempts to parse the DER encoded bytes of a
// PKCS7 structure
func ParsePKCS7(raw []byte) (msg *PKCS7, err error) {
var pkcs7 initPKCS7
_, err = asn1.Unmarshal(raw, &pkcs7)
if err != nil {
return nil, err
}
msg = new(PKCS7)
msg.Raw = pkcs7.Raw
msg.Version = pkcs7.Content.SignedData.Version
if len(pkcs7.Content.SignedData.Certificates.Bytes) == 0 {
msg.Certificates = nil
} else {
msg.Certificates, err = x509.ParseCertificates(pkcs7.Content.SignedData.Certificates.Bytes)
if err != nil {
return nil, err
}
}
if len(pkcs7.Content.SignedData.Crls.Bytes) == 0 {
msg.Crl = nil
} else {
msg.Crl, err = x509.ParseDERCRL(pkcs7.Content.SignedData.Crls.Bytes)
if err != nil {
return nil, err
}
}
return msg, nil
}
// ParsePKCS7 attempts to parse the DER encoded bytes of a
// PKCS7 structure
func ParsePKCS7(raw []byte) (msg *PKCS7, err error) {
var pkcs7 initPKCS7
_, err = asn1.Unmarshal(raw, &pkcs7)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, err)
}
msg = new(PKCS7)
msg.Raw = pkcs7.Raw
msg.ContentInfo = pkcs7.ContentType.String()
switch {
case msg.ContentInfo == ObjIDData:
msg.ContentInfo = "Data"
_, err = asn1.Unmarshal(pkcs7.Content.Bytes, &msg.Content.Data)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, err)
}
case msg.ContentInfo == ObjIDSignedData:
msg.ContentInfo = "SignedData"
var signedData signedData
_, err = asn1.Unmarshal(pkcs7.Content.Bytes, &signedData)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, err)
}
if len(signedData.Certificates.Bytes) != 0 {
msg.Content.SignedData.Certificates, err = x509.ParseCertificates(signedData.Certificates.Bytes)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, err)
}
}
if len(signedData.Crls.Bytes) != 0 {
msg.Content.SignedData.Crl, err = x509.ParseDERCRL(signedData.Crls.Bytes)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, err)
}
}
msg.Content.SignedData.Version = signedData.Version
msg.Content.SignedData.Raw = pkcs7.Content.Bytes
case msg.ContentInfo == ObjIDEncryptedData:
msg.ContentInfo = "EncryptedData"
var encryptedData EncryptedData
_, err = asn1.Unmarshal(pkcs7.Content.Bytes, &encryptedData)
if err != nil {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, err)
}
if encryptedData.Version != 0 {
return nil, cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, errors.New("Only support for PKCS #7 encryptedData version 0"))
}
msg.Content.EncryptedData = encryptedData
default:
return nil, cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, errors.New("Attempt to parse PKCS# 7 Content not of type data, signed data or encrypted data"))
}
return msg, nil
}
func FuzzDERCRL(data []byte) int {
list, err := x509.ParseDERCRL(data)
if err != nil {
if list != nil {
panic("list is not nil on error")
}
return 0
}
return 1
}
func createSigningCertificate(signerId string) error {
// generate private key
fmt.Println("Generating signing keys. This may take a minute...")
signerKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return err
}
signerCert, err := su3.NewSigningCertificate(signerId, signerKey)
if nil != err {
return err
}
// save cert
certFile := signerFile(signerId) + ".crt"
certOut, err := os.Create(certFile)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s\n", certFile, err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
certOut.Close()
fmt.Println("\tSigning certificate saved to:", certFile)
// save signing private key
privFile := signerFile(signerId) + ".pem"
keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err)
}
pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(signerKey)})
pem.Encode(keyOut, &pem.Block{Type: "CERTIFICATE", Bytes: signerCert})
keyOut.Close()
fmt.Println("\tSigning private key saved to:", privFile)
// CRL
crlFile := signerFile(signerId) + ".crl"
crlOut, err := os.OpenFile(crlFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", crlFile, err)
}
crlcert, err := x509.ParseCertificate(signerCert)
if err != nil {
return fmt.Errorf("Certificate with unknown critical extension was not parsed: %s", err)
}
now := time.Now()
revokedCerts := []pkix.RevokedCertificate{
{
SerialNumber: crlcert.SerialNumber,
RevocationTime: now,
},
}
crlBytes, err := crlcert.CreateCRL(rand.Reader, signerKey, revokedCerts, now, now)
if err != nil {
return fmt.Errorf("error creating CRL: %s", err)
}
_, err = x509.ParseDERCRL(crlBytes)
if err != nil {
return fmt.Errorf("error reparsing CRL: %s", err)
}
pem.Encode(crlOut, &pem.Block{Type: "X509 CRL", Bytes: crlBytes})
crlOut.Close()
fmt.Printf("\tSigning CRL saved to: %s\n", crlFile)
return nil
}
func createTLSCertificate(host string) error {
fmt.Println("Generating TLS keys. This may take a minute...")
// priv, err := rsa.GenerateKey(rand.Reader, 4096)
priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
if err != nil {
return err
}
tlsCert, err := reseed.NewTLSCertificate(host, priv)
if nil != err {
return err
}
// save the TLS certificate
certOut, err := os.Create(host + ".crt")
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", host+".crt", err)
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
certOut.Close()
fmt.Printf("\tTLS certificate saved to: %s\n", host+".crt")
// save the TLS private key
privFile := host + ".pem"
keyOut, err := os.OpenFile(privFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s\n", privFile, err)
}
// pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
secp384r1, err := asn1.Marshal(asn1.ObjectIdentifier{1, 3, 132, 0, 34}) // http://www.ietf.org/rfc/rfc5480.txt
pem.Encode(keyOut, &pem.Block{Type: "EC PARAMETERS", Bytes: secp384r1})
ecder, err := x509.MarshalECPrivateKey(priv)
pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: ecder})
pem.Encode(keyOut, &pem.Block{Type: "CERTIFICATE", Bytes: tlsCert})
keyOut.Close()
fmt.Printf("\tTLS private key saved to: %s\n", privFile)
// CRL
crlFile := host + ".crl"
crlOut, err := os.OpenFile(crlFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("failed to open %s for writing: %s", crlFile, err)
}
crlcert, err := x509.ParseCertificate(tlsCert)
if err != nil {
return fmt.Errorf("Certificate with unknown critical extension was not parsed: %s", err)
}
now := time.Now()
revokedCerts := []pkix.RevokedCertificate{
{
SerialNumber: crlcert.SerialNumber,
RevocationTime: now,
},
}
crlBytes, err := crlcert.CreateCRL(rand.Reader, priv, revokedCerts, now, now)
if err != nil {
return fmt.Errorf("error creating CRL: %s", err)
}
_, err = x509.ParseDERCRL(crlBytes)
if err != nil {
return fmt.Errorf("error reparsing CRL: %s", err)
}
pem.Encode(crlOut, &pem.Block{Type: "X509 CRL", Bytes: crlBytes})
crlOut.Close()
fmt.Printf("\tTLS CRL saved to: %s\n", crlFile)
return nil
}
