URL https://opencores.org/ocsvn/openrisc/openrisc/trunk

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-dev/] [or1k-gcc/] [libgo/] [go/] [crypto/] [x509/] [verify.go] - Blame information for rev 858

Go to most recent revision | Details | Compare with Previous | View Log


// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
 
package x509
 
import (
        "strings"
        "time"
        "unicode/utf8"
)
 
type InvalidReason int
 
const (
        // NotAuthorizedToSign results when a certificate is signed by another
        // which isn't marked as a CA certificate.
        NotAuthorizedToSign InvalidReason = iota
        // Expired results when a certificate has expired, based on the time
        // given in the VerifyOptions.
        Expired
        // CANotAuthorizedForThisName results when an intermediate or root
        // certificate has a name constraint which doesn't include the name
        // being checked.
        CANotAuthorizedForThisName
)
 
// CertificateInvalidError results when an odd error occurs. Users of this
// library probably want to handle all these errors uniformly.
type CertificateInvalidError struct {
        Cert   *Certificate
        Reason InvalidReason
}
 
func (e CertificateInvalidError) Error() string {
        switch e.Reason {
        case NotAuthorizedToSign:
                return "x509: certificate is not authorized to sign other other certificates"
        case Expired:
                return "x509: certificate has expired or is not yet valid"
        case CANotAuthorizedForThisName:
                return "x509: a root or intermediate certificate is not authorized to sign in this domain"
        }
        return "x509: unknown error"
}
 
// HostnameError results when the set of authorized names doesn't match the
// requested name.
type HostnameError struct {
        Certificate *Certificate
        Host        string
}
 
func (h HostnameError) Error() string {
        var valid string
        c := h.Certificate
        if len(c.DNSNames) > 0 {
                valid = strings.Join(c.DNSNames, ", ")
        } else {
                valid = c.Subject.CommonName
        }
        return "certificate is valid for " + valid + ", not " + h.Host
}
 
// UnknownAuthorityError results when the certificate issuer is unknown
type UnknownAuthorityError struct {
        cert *Certificate
}
 
func (e UnknownAuthorityError) Error() string {
        return "x509: certificate signed by unknown authority"
}
 
// VerifyOptions contains parameters for Certificate.Verify. It's a structure
// because other PKIX verification APIs have ended up needing many options.
type VerifyOptions struct {
        DNSName       string
        Intermediates *CertPool
        Roots         *CertPool
        CurrentTime   time.Time // if zero, the current time is used
}
 
const (
        leafCertificate = iota
        intermediateCertificate
        rootCertificate
)
 
// isValid performs validity checks on the c.
func (c *Certificate) isValid(certType int, opts *VerifyOptions) error {
        now := opts.CurrentTime
        if now.IsZero() {
                now = time.Now()
        }
        if now.Before(c.NotBefore) || now.After(c.NotAfter) {
                return CertificateInvalidError{c, Expired}
        }
 
        if len(c.PermittedDNSDomains) > 0 {
                for _, domain := range c.PermittedDNSDomains {
                        if opts.DNSName == domain ||
                                (strings.HasSuffix(opts.DNSName, domain) &&
                                        len(opts.DNSName) >= 1+len(domain) &&
                                        opts.DNSName[len(opts.DNSName)-len(domain)-1] == '.') {
                                continue
                        }
 
                        return CertificateInvalidError{c, CANotAuthorizedForThisName}
                }
        }
 
        // KeyUsage status flags are ignored. From Engineering Security, Peter
        // Gutmann: A European government CA marked its signing certificates as
        // being valid for encryption only, but no-one noticed. Another
        // European CA marked its signature keys as not being valid for
        // signatures. A different CA marked its own trusted root certificate
        // as being invalid for certificate signing.  Another national CA
        // distributed a certificate to be used to encrypt data for the
        // country’s tax authority that was marked as only being usable for
        // digital signatures but not for encryption. Yet another CA reversed
        // the order of the bit flags in the keyUsage due to confusion over
        // encoding endianness, essentially setting a random keyUsage in
        // certificates that it issued. Another CA created a self-invalidating
        // certificate by adding a certificate policy statement stipulating
        // that the certificate had to be used strictly as specified in the
        // keyUsage, and a keyUsage containing a flag indicating that the RSA
        // encryption key could only be used for Diffie-Hellman key agreement.
 
        if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) {
                return CertificateInvalidError{c, NotAuthorizedToSign}
        }
 
        return nil
}
 
// Verify attempts to verify c by building one or more chains from c to a
// certificate in opts.roots, using certificates in opts.Intermediates if
// needed. If successful, it returns one or chains where the first element of
// the chain is c and the last element is from opts.Roots.
//
// WARNING: this doesn't do any revocation checking.
func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) {
        err = c.isValid(leafCertificate, &opts)
        if err != nil {
                return
        }
        if len(opts.DNSName) > 0 {
                err = c.VerifyHostname(opts.DNSName)
                if err != nil {
                        return
                }
        }
        return c.buildChains(make(map[int][][]*Certificate), []*Certificate{c}, &opts)
}
 
func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate {
        n := make([]*Certificate, len(chain)+1)
        copy(n, chain)
        n[len(chain)] = cert
        return n
}
 
func (c *Certificate) buildChains(cache map[int][][]*Certificate, currentChain []*Certificate, opts *VerifyOptions) (chains [][]*Certificate, err error) {
        for _, rootNum := range opts.Roots.findVerifiedParents(c) {
                root := opts.Roots.certs[rootNum]
                err = root.isValid(rootCertificate, opts)
                if err != nil {
                        continue
                }
                chains = append(chains, appendToFreshChain(currentChain, root))
        }
 
nextIntermediate:
        for _, intermediateNum := range opts.Intermediates.findVerifiedParents(c) {
                intermediate := opts.Intermediates.certs[intermediateNum]
                for _, cert := range currentChain {
                        if cert == intermediate {
                                continue nextIntermediate
                        }
                }
                err = intermediate.isValid(intermediateCertificate, opts)
                if err != nil {
                        continue
                }
                var childChains [][]*Certificate
                childChains, ok := cache[intermediateNum]
                if !ok {
                        childChains, err = intermediate.buildChains(cache, appendToFreshChain(currentChain, intermediate), opts)
                        cache[intermediateNum] = childChains
                }
                chains = append(chains, childChains...)
        }
 
        if len(chains) > 0 {
                err = nil
        }
 
        if len(chains) == 0 && err == nil {
                err = UnknownAuthorityError{c}
        }
 
        return
}
 
func matchHostnames(pattern, host string) bool {
        if len(pattern) == 0 || len(host) == 0 {
                return false
        }
 
        patternParts := strings.Split(pattern, ".")
        hostParts := strings.Split(host, ".")
 
        if len(patternParts) != len(hostParts) {
                return false
        }
 
        for i, patternPart := range patternParts {
                if patternPart == "*" {
                        continue
                }
                if patternPart != hostParts[i] {
                        return false
                }
        }
 
        return true
}
 
// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
// an explicitly ASCII function to avoid any sharp corners resulting from
// performing Unicode operations on DNS labels.
func toLowerCaseASCII(in string) string {
        // If the string is already lower-case then there's nothing to do.
        isAlreadyLowerCase := true
        for _, c := range in {
                if c == utf8.RuneError {
                        // If we get a UTF-8 error then there might be
                        // upper-case ASCII bytes in the invalid sequence.
                        isAlreadyLowerCase = false
                        break
                }
                if 'A' <= c && c <= 'Z' {
                        isAlreadyLowerCase = false
                        break
                }
        }
 
        if isAlreadyLowerCase {
                return in
        }
 
        out := []byte(in)
        for i, c := range out {
                if 'A' <= c && c <= 'Z' {
                        out[i] += 'a' - 'A'
                }
        }
        return string(out)
}
 
// VerifyHostname returns nil if c is a valid certificate for the named host.
// Otherwise it returns an error describing the mismatch.
func (c *Certificate) VerifyHostname(h string) error {
        lowered := toLowerCaseASCII(h)
 
        if len(c.DNSNames) > 0 {
                for _, match := range c.DNSNames {
                        if matchHostnames(toLowerCaseASCII(match), lowered) {
                                return nil
                        }
                }
                // If Subject Alt Name is given, we ignore the common name.
        } else if matchHostnames(toLowerCaseASCII(c.Subject.CommonName), lowered) {
                return nil
        }
 
        return HostnameError{c, h}
}

Browse

Tools

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-dev/] [or1k-gcc/] [libgo/] [go/] [crypto/] [x509/] [verify.go] - Blame information for rev 858

Line No.	Rev	Author	Line
1	747	jeremybenn	`// Copyright 2011 The Go Authors. All rights reserved.`
2			`// Use of this source code is governed by a BSD-style`
3			`// license that can be found in the LICENSE file.`
4
5			`package x509`
6
7			`import (`
8			`"strings"`
9			`"time"`
10			`"unicode/utf8"`
11			`)`
12
13			`type InvalidReason int`
14
15			`const (`
16			`// NotAuthorizedToSign results when a certificate is signed by another`
17			`// which isn't marked as a CA certificate.`
18			`NotAuthorizedToSign InvalidReason = iota`
19			`// Expired results when a certificate has expired, based on the time`
20			`// given in the VerifyOptions.`
21			`Expired`
22			`// CANotAuthorizedForThisName results when an intermediate or root`
23			`// certificate has a name constraint which doesn't include the name`
24			`// being checked.`
25			`CANotAuthorizedForThisName`
26			`)`
27
28			`// CertificateInvalidError results when an odd error occurs. Users of this`
29			`// library probably want to handle all these errors uniformly.`
30			`type CertificateInvalidError struct {`
31			`Cert *Certificate`
32			`Reason InvalidReason`
33			`}`
34
35			`func (e CertificateInvalidError) Error() string {`
36			`switch e.Reason {`
37			`case NotAuthorizedToSign:`
38			`return "x509: certificate is not authorized to sign other other certificates"`
39			`case Expired:`
40			`return "x509: certificate has expired or is not yet valid"`
41			`case CANotAuthorizedForThisName:`
42			`return "x509: a root or intermediate certificate is not authorized to sign in this domain"`
43			`}`
44			`return "x509: unknown error"`
45			`}`
46
47			`// HostnameError results when the set of authorized names doesn't match the`
48			`// requested name.`
49			`type HostnameError struct {`
50			`Certificate *Certificate`
51			`Host string`
52			`}`
53
54			`func (h HostnameError) Error() string {`
55			`var valid string`
56			`c := h.Certificate`
57			`if len(c.DNSNames) > 0 {`
58			`valid = strings.Join(c.DNSNames, ", ")`
59			`} else {`
60			`valid = c.Subject.CommonName`
61			`}`
62			`return "certificate is valid for " + valid + ", not " + h.Host`
63			`}`
64
65			`// UnknownAuthorityError results when the certificate issuer is unknown`
66			`type UnknownAuthorityError struct {`
67			`cert *Certificate`
68			`}`
69
70			`func (e UnknownAuthorityError) Error() string {`
71			`return "x509: certificate signed by unknown authority"`
72			`}`
73
74			`// VerifyOptions contains parameters for Certificate.Verify. It's a structure`
75			`// because other PKIX verification APIs have ended up needing many options.`
76			`type VerifyOptions struct {`
77			`DNSName string`
78			`Intermediates *CertPool`
79			`Roots *CertPool`
80			`CurrentTime time.Time // if zero, the current time is used`
81			`}`
82
83			`const (`
84			`leafCertificate = iota`
85			`intermediateCertificate`
86			`rootCertificate`
87			`)`
88
89			`// isValid performs validity checks on the c.`
90			`func (c Certificate) isValid(certType int, opts VerifyOptions) error {`
91			`now := opts.CurrentTime`
92			`if now.IsZero() {`
93			`now = time.Now()`
94			`}`
95			`if now.Before(c.NotBefore) \|\| now.After(c.NotAfter) {`
96			`return CertificateInvalidError{c, Expired}`
97			`}`
98
99			`if len(c.PermittedDNSDomains) > 0 {`
100			`for _, domain := range c.PermittedDNSDomains {`
101			`if opts.DNSName == domain \|\|`
102			`(strings.HasSuffix(opts.DNSName, domain) &&`
103			`len(opts.DNSName) >= 1+len(domain) &&`
104			`opts.DNSName[len(opts.DNSName)-len(domain)-1] == '.') {`
105			`continue`
106			`}`
107
108			`return CertificateInvalidError{c, CANotAuthorizedForThisName}`
109			`}`
110			`}`
111
112			`// KeyUsage status flags are ignored. From Engineering Security, Peter`
113			`// Gutmann: A European government CA marked its signing certificates as`
114			`// being valid for encryption only, but no-one noticed. Another`
115			`// European CA marked its signature keys as not being valid for`
116			`// signatures. A different CA marked its own trusted root certificate`
117			`// as being invalid for certificate signing. Another national CA`
118			`// distributed a certificate to be used to encrypt data for the`
119			`// country’s tax authority that was marked as only being usable for`
120			`// digital signatures but not for encryption. Yet another CA reversed`
121			`// the order of the bit flags in the keyUsage due to confusion over`
122			`// encoding endianness, essentially setting a random keyUsage in`
123			`// certificates that it issued. Another CA created a self-invalidating`
124			`// certificate by adding a certificate policy statement stipulating`
125			`// that the certificate had to be used strictly as specified in the`
126			`// keyUsage, and a keyUsage containing a flag indicating that the RSA`
127			`// encryption key could only be used for Diffie-Hellman key agreement.`
128
129			`if certType == intermediateCertificate && (!c.BasicConstraintsValid \|\| !c.IsCA) {`
130			`return CertificateInvalidError{c, NotAuthorizedToSign}`
131			`}`
132
133			`return nil`
134			`}`
135
136			`// Verify attempts to verify c by building one or more chains from c to a`
137			`// certificate in opts.roots, using certificates in opts.Intermediates if`
138			`// needed. If successful, it returns one or chains where the first element of`
139			`// the chain is c and the last element is from opts.Roots.`
140			`//`
141			`// WARNING: this doesn't do any revocation checking.`
142			`func (c Certificate) Verify(opts VerifyOptions) (chains [][]Certificate, err error) {`
143			`err = c.isValid(leafCertificate, &opts)`
144			`if err != nil {`
145			`return`
146			`}`
147			`if len(opts.DNSName) > 0 {`
148			`err = c.VerifyHostname(opts.DNSName)`
149			`if err != nil {`
150			`return`
151			`}`
152			`}`
153			`return c.buildChains(make(map[int][][]Certificate), []Certificate{c}, &opts)`
154			`}`
155
156			`func appendToFreshChain(chain []Certificate, cert Certificate) []*Certificate {`
157			`n := make([]*Certificate, len(chain)+1)`
158			`copy(n, chain)`
159			`n[len(chain)] = cert`
160			`return n`
161			`}`
162
163			`func (c Certificate) buildChains(cache map[int][][]Certificate, currentChain []Certificate, opts VerifyOptions) (chains [][]*Certificate, err error) {`
164			`for _, rootNum := range opts.Roots.findVerifiedParents(c) {`
165			`root := opts.Roots.certs[rootNum]`
166			`err = root.isValid(rootCertificate, opts)`
167			`if err != nil {`
168			`continue`
169			`}`
170			`chains = append(chains, appendToFreshChain(currentChain, root))`
171			`}`
172
173			`nextIntermediate:`
174			`for _, intermediateNum := range opts.Intermediates.findVerifiedParents(c) {`
175			`intermediate := opts.Intermediates.certs[intermediateNum]`
176			`for _, cert := range currentChain {`
177			`if cert == intermediate {`
178			`continue nextIntermediate`
179			`}`
180			`}`
181			`err = intermediate.isValid(intermediateCertificate, opts)`
182			`if err != nil {`
183			`continue`
184			`}`
185			`var childChains [][]*Certificate`
186			`childChains, ok := cache[intermediateNum]`
187			`if !ok {`
188			`childChains, err = intermediate.buildChains(cache, appendToFreshChain(currentChain, intermediate), opts)`
189			`cache[intermediateNum] = childChains`
190			`}`
191			`chains = append(chains, childChains...)`
192			`}`
193
194			`if len(chains) > 0 {`
195			`err = nil`
196			`}`
197
198			`if len(chains) == 0 && err == nil {`
199			`err = UnknownAuthorityError{c}`
200			`}`
201
202			`return`
203			`}`
204
205			`func matchHostnames(pattern, host string) bool {`
206			`if len(pattern) == 0 \|\| len(host) == 0 {`
207			`return false`
208			`}`
209
210			`patternParts := strings.Split(pattern, ".")`
211			`hostParts := strings.Split(host, ".")`
212
213			`if len(patternParts) != len(hostParts) {`
214			`return false`
215			`}`
216
217			`for i, patternPart := range patternParts {`
218			`if patternPart == "*" {`
219			`continue`
220			`}`
221			`if patternPart != hostParts[i] {`
222			`return false`
223			`}`
224			`}`
225
226			`return true`
227			`}`
228
229			`// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use`
230			`// an explicitly ASCII function to avoid any sharp corners resulting from`
231			`// performing Unicode operations on DNS labels.`
232			`func toLowerCaseASCII(in string) string {`
233			`// If the string is already lower-case then there's nothing to do.`
234			`isAlreadyLowerCase := true`
235			`for _, c := range in {`
236			`if c == utf8.RuneError {`
237			`// If we get a UTF-8 error then there might be`
238			`// upper-case ASCII bytes in the invalid sequence.`
239			`isAlreadyLowerCase = false`
240			`break`
241			`}`
242			`if 'A' <= c && c <= 'Z' {`
243			`isAlreadyLowerCase = false`
244			`break`
245			`}`
246			`}`
247
248			`if isAlreadyLowerCase {`
249			`return in`
250			`}`
251
252			`out := []byte(in)`
253			`for i, c := range out {`
254			`if 'A' <= c && c <= 'Z' {`
255			`out[i] += 'a' - 'A'`
256			`}`
257			`}`
258			`return string(out)`
259			`}`
260
261			`// VerifyHostname returns nil if c is a valid certificate for the named host.`
262			`// Otherwise it returns an error describing the mismatch.`
263			`func (c *Certificate) VerifyHostname(h string) error {`
264			`lowered := toLowerCaseASCII(h)`
265
266			`if len(c.DNSNames) > 0 {`
267			`for _, match := range c.DNSNames {`
268			`if matchHostnames(toLowerCaseASCII(match), lowered) {`
269			`return nil`
270			`}`
271			`}`
272			`// If Subject Alt Name is given, we ignore the common name.`
273			`} else if matchHostnames(toLowerCaseASCII(c.Subject.CommonName), lowered) {`
274			`return nil`
275			`}`
276
277			`return HostnameError{c, h}`
278			`}`