func namedCurveFromOID(oid asn1.ObjectIdentifier) *bitelliptic.BitCurve {
switch {
case oid.Equal(oidNamedCurveS256):
return bitelliptic.S256()
}
return nil
}
func getHashForOID(oid asn1.ObjectIdentifier) (crypto.Hash, error) {
switch {
case oid.Equal(oidDigestAlgorithmSHA1):
return crypto.SHA1, nil
}
return crypto.Hash(0), ErrUnsupportedAlgorithm
}
func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) {
for _, pair := range extKeyUsageOIDs {
if oid.Equal(pair.oid) {
return pair.extKeyUsage, true
}
}
return
}
// TODO(agl): this is taken from crypto/x509 and so should probably be exported
// from crypto/x509 or crypto/x509/pkix.
func getSignatureAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.SignatureAlgorithm {
for _, details := range signatureAlgorithmDetails {
if oid.Equal(details.oid) {
return details.algo
}
}
return x509.UnknownSignatureAlgorithm
}
func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm {
switch {
case oid.Equal(oidPublicKeyRsa):
return RSA
case oid.Equal(oidPublicKeyDsa):
return DSA
}
return UnknownPublicKeyAlgorithm
}
func getAttributeNameFromOID(oid asn1.ObjectIdentifier) CsrAttribute {
switch {
case oid.Equal(oidAttrUnstructuredName):
return CsrAttrUnstructuredName
case oid.Equal(oidAttrChallengePassword):
return CsrAttrChallengePassword
}
return CsrAttrUnknown
}
func hashFromOID(oid asn1.ObjectIdentifier) func() hash.Hash {
switch {
case oid.Equal(oidSHA1):
return sha1.New
case oid.Equal(oidSHA224):
return sha256.New224
case oid.Equal(oidSHA256):
return sha256.New
case oid.Equal(oidSHA384):
return sha512.New384
case oid.Equal(oidSHA512):
return sha512.New
}
return nil
}
func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
switch {
case oid.Equal(oidNamedCurveP224):
return elliptic.P224()
case oid.Equal(oidNamedCurveP256):
return elliptic.P256()
case oid.Equal(oidNamedCurveP384):
return elliptic.P384()
case oid.Equal(oidNamedCurveP521):
return elliptic.P521()
}
return nil
}
func getTagForOid(oid asn1.ObjectIdentifier) string {
type oidNameMap struct {
oid []int
name string
}
oidTags := []oidNameMap{
{[]int{2, 5, 4, 3}, "CN"},
{[]int{2, 5, 4, 5}, "SN"},
{[]int{2, 5, 4, 6}, "C"},
{[]int{2, 5, 4, 7}, "L"},
{[]int{2, 5, 4, 8}, "ST"},
{[]int{2, 5, 4, 10}, "O"},
{[]int{2, 5, 4, 11}, "OU"},
{[]int{1, 2, 840, 113549, 1, 9, 1}, "E"}}
for _, v := range oidTags {
if oid.Equal(v.oid) {
return v.name
}
}
return fmt.Sprint(oid)
}
func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.PublicKeyAlgorithm {
switch {
case oid.Equal(oidPublicKeyRSA):
return x509.RSA
case oid.Equal(oidPublicKeyDSA):
return x509.DSA
case oid.Equal(oidPublicKeyECDSA):
return x509.ECDSA
}
return x509.UnknownPublicKeyAlgorithm
}
func oidToCurve(oid asn1.ObjectIdentifier) elliptic.Curve {
switch {
case oid.Equal(asn1secp256r1):
return elliptic.P256()
case oid.Equal(asn1secp384r1):
return elliptic.P384()
case oid.Equal(asn1secp521r1):
return elliptic.P521()
default:
return nil
}
}
func getSignatureAlgorithmFromOID(oid asn1.ObjectIdentifier) SignatureAlgorithm {
switch {
case oid.Equal(oidSignatureMD2WithRSA):
return MD2WithRSA
case oid.Equal(oidSignatureMD5WithRSA):
return MD5WithRSA
case oid.Equal(oidSignatureSHA1WithRSA):
return SHA1WithRSA
case oid.Equal(oidSignatureSHA256WithRSA):
return SHA256WithRSA
case oid.Equal(oidSignatureSHA384WithRSA):
return SHA384WithRSA
case oid.Equal(oidSignatureSHA512WithRSA):
return SHA512WithRSA
case oid.Equal(oidSignatureDSAWithSHA1):
return DSAWithSHA1
case oid.Equal(oidSignatureDSAWithSHA256):
return DSAWithSHA256
}
return UnknownSignatureAlgorithm
}
b.Bytes, err = x509.MarshalECPrivateKey(key)
if err != nil {
return nil, err
}
default:
return nil, errors.New("found unknown private key type in PKCS#8 wrapping")
}
default:
return nil, errors.New("don't know how to convert a safe bag of type " + bag.ID.String())
}
return b, nil
}
var (
oidFriendlyName = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 20}
oidLocalKeyID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 21}
oidMicrosoftCSPName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 17, 1}
)
var attributeNameByOID = map[string]string{
oidFriendlyName.String(): "friendlyName",
oidLocalKeyID.String(): "localKeyId",
oidMicrosoftCSPName.String(): "Microsoft CSP Name", // openssl-compatible
}
func convertAttribute(attribute *pkcs12Attribute) (key, value string, err error) {
key = attributeNameByOID[attribute.ID.String()]
switch {
case attribute.ID.Equal(oidMicrosoftCSPName):
fallthrough
case attribute.ID.Equal(oidFriendlyName):
// from PKCS#7:
type digestInfo struct {
Algorithm pkix.AlgorithmIdentifier
Digest []byte
}
const (
sha1Algorithm = "SHA-1"
)
var (
oidSha1Algorithm = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
hashNameByID = map[string]string{
oidSha1Algorithm.String(): sha1Algorithm,
}
hashByName = map[string]func() hash.Hash{
sha1Algorithm: sha1.New,
}
)
func verifyMac(macData *macData, message, password []byte) error {
name, ok := hashNameByID[macData.Mac.Algorithm.Algorithm.String()]
if !ok {
return NotImplementedError("unknown digest algorithm: " + macData.Mac.Algorithm.Algorithm.String())
}
k := deriveMacKeyByAlg[name](macData.MacSalt, password, macData.Iterations)
password = nil
mac := hmac.New(hashByName[name], k)
mac.Write(message)
func getSignatureAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.SignatureAlgorithm {
switch {
case oid.Equal(oidSignatureMD2WithRSA):
return x509.MD2WithRSA
case oid.Equal(oidSignatureMD5WithRSA):
return x509.MD5WithRSA
case oid.Equal(oidSignatureSHA1WithRSA):
return x509.SHA1WithRSA
case oid.Equal(oidSignatureSHA256WithRSA):
return x509.SHA256WithRSA
case oid.Equal(oidSignatureSHA384WithRSA):
return x509.SHA384WithRSA
case oid.Equal(oidSignatureSHA512WithRSA):
return x509.SHA512WithRSA
case oid.Equal(oidSignatureDSAWithSHA1):
return x509.DSAWithSHA1
case oid.Equal(oidSignatureDSAWithSHA256):
return x509.DSAWithSHA256
case oid.Equal(oidSignatureECDSAWithSHA1):
return x509.ECDSAWithSHA1
case oid.Equal(oidSignatureECDSAWithSHA256):
return x509.ECDSAWithSHA256
case oid.Equal(oidSignatureECDSAWithSHA384):
return x509.ECDSAWithSHA384
case oid.Equal(oidSignatureECDSAWithSHA512):
return x509.ECDSAWithSHA512
}
return x509.UnknownSignatureAlgorithm
}
"bytes"
"crypto/cipher"
"crypto/des"
"crypto/x509/pkix"
"encoding/asn1"
"github.com/dgryski/go-rc2"
)
const (
pbeWithSHAAnd3KeyTripleDESCBC = "pbeWithSHAAnd3-KeyTripleDES-CBC"
pbewithSHAAnd40BitRC2CBC = "pbewithSHAAnd40BitRC2-CBC"
)
var (
oidPbeWithSHAAnd3KeyTripleDESCBC = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1, 3}
oidPbewithSHAAnd40BitRC2CBC = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1, 6}
)
var algByOID = map[string]string{
oidPbeWithSHAAnd3KeyTripleDESCBC.String(): pbeWithSHAAnd3KeyTripleDESCBC,
oidPbewithSHAAnd40BitRC2CBC.String(): pbewithSHAAnd40BitRC2CBC,
}
var blockcodeByAlg = map[string]func(key []byte) (cipher.Block, error){
pbeWithSHAAnd3KeyTripleDESCBC: des.NewTripleDESCipher,
pbewithSHAAnd40BitRC2CBC: func(key []byte) (cipher.Block, error) {
return rc2.New(key, len(key)*8)
},
}
type pbeParams struct {
func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.PublicKeyAlgorithm {
if oid.Equal(oidPublicKeyRSA) {
return x509.RSA
}
return x509.UnknownPublicKeyAlgorithm
}
// MarshalJSON implements the json.Marshaler interface
func (aux *AuxOID) MarshalJSON() ([]byte, error) {
var oid asn1.ObjectIdentifier
oid = []int(*aux)
return json.Marshal(oid.String())
}
func oidToHash(oid asn1.ObjectIdentifier) crypto.Hash {
switch {
case oid.Equal(asn1SHA1withRSA):
return crypto.SHA1
case oid.Equal(asn1SHA224withRSA):
return crypto.SHA224
case oid.Equal(asn1SHA256withRSA):
return crypto.SHA256
case oid.Equal(asn1SHA384withRSA):
return crypto.SHA384
case oid.Equal(asn1SHA512withRSA):
return crypto.SHA512
case oid.Equal(asn1SHA1withECDSA):
return crypto.SHA1
case oid.Equal(asn1SHA224withECDSA):
return crypto.SHA224
case oid.Equal(asn1SHA256withECDSA):
return crypto.SHA256
case oid.Equal(asn1SHA384withECDSA):
return crypto.SHA384
case oid.Equal(asn1SHA512withECDSA):
return crypto.SHA512
default:
return 0
}
}
// Returns human-readable information about cert.
func CertificateInfo(cert *x509.Certificate) string {
s := []string{}
s = append(s, fmt.Sprintf("Version: %v\nSerial no.: %v\nIssuer: %v\nSubject: %v\nNotBefore: %v\nNotAfter: %v\n", cert.Version, cert.SerialNumber, cert.Issuer, cert.Subject, cert.NotBefore, cert.NotAfter))
for k := range KeyUsageString {
if cert.KeyUsage&k != 0 {
s = append(s, fmt.Sprintf("KeyUsage: %v\n", KeyUsageString[k]))
}
}
for _, ext := range cert.Extensions {
s = append(s, fmt.Sprintf("Extension: %v critical=%v % 02X\n", ext.Id, ext.Critical, ext.Value))
}
for _, ext := range cert.ExtKeyUsage {
s = append(s, fmt.Sprintf("ExtKeyUsage: %v\n", ExtKeyUsageString[ext]))
}
for _, ext := range cert.UnknownExtKeyUsage {
s = append(s, fmt.Sprintf("ExtKeyUsage: %v\n", ext))
}
if cert.BasicConstraintsValid {
s = append(s, fmt.Sprintf("IsCA: %v\n", cert.IsCA))
if cert.MaxPathLen > 0 {
s = append(s, fmt.Sprintf("MaxPathLen: %v\n", cert.MaxPathLen))
}
}
s = append(s, fmt.Sprintf("SubjectKeyId: % 02X\nAuthorityKeyId: % 02X\n", cert.SubjectKeyId, cert.AuthorityKeyId))
s = append(s, fmt.Sprintf("OCSPServer: %v\nIssuingCertificateURL: %v\n", cert.OCSPServer, cert.IssuingCertificateURL))
oids := []string{}
for _, e := range cert.Extensions {
if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 && e.Id[3] == 17 {
var seq asn1.RawValue
var rest []byte
var err error
if rest, err = asn1.Unmarshal(e.Value, &seq); err != nil {
continue
} else if len(rest) != 0 {
continue
}
if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
continue
}
rest = seq.Bytes
for len(rest) > 0 {
var v asn1.RawValue
rest, err = asn1.Unmarshal(rest, &v)
if err != nil {
break
}
if v.Tag == 8 { // registeredID
var oid asn1.ObjectIdentifier
_, err = asn1.Unmarshal(v.FullBytes, &oid)
if err != nil {
oids = append(oids, oid.String())
}
}
}
}
}
s = append(s, fmt.Sprintf("DNSNames: %v\nEmailAddresses: %v\nIPAddresses: %v\nRegisteredIDs: %v\n", cert.DNSNames, cert.EmailAddresses, cert.IPAddresses, oids))
s = append(s, fmt.Sprintf("PermittedDNSDomainsCritical: %v\nPermittedDNSDomains: %v\n", cert.PermittedDNSDomainsCritical, cert.PermittedDNSDomains))
s = append(s, fmt.Sprintf("CRLDistributionPoints: %v\nPolicyIdentifiers: %v\n", cert.CRLDistributionPoints, cert.PolicyIdentifiers))
return strings.Join(s, "")
}
