// Copyright (C) 2017. See AUTHORS. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package openssl // #include "shim.h" import "C" import ( "errors" "io" "math/big" "runtime" "time" "unsafe" ) type EVP_MD int const ( EVP_NULL EVP_MD = iota EVP_MD5 EVP_MD = iota EVP_MD4 EVP_MD = iota EVP_SHA EVP_MD = iota EVP_SHA1 EVP_MD = iota EVP_DSS EVP_MD = iota EVP_DSS1 EVP_MD = iota EVP_MDC2 EVP_MD = iota EVP_RIPEMD160 EVP_MD = iota EVP_SHA224 EVP_MD = iota EVP_SHA256 EVP_MD = iota EVP_SHA384 EVP_MD = iota EVP_SHA512 EVP_MD = iota ) // X509_Version represents a version on an x509 certificate. type X509_Version int // Specify constants for x509 versions because the standard states that they // are represented internally as one lower than the common version name. const ( X509_V1 X509_Version = 0 X509_V3 X509_Version = 2 ) type Certificate struct { x *C.X509 Issuer *Certificate ref interface{} pubKey PublicKey } type CertificateInfo struct { Serial *big.Int Issued time.Duration Expires time.Duration Country string Organization string CommonName string } type Name struct { name *C.X509_NAME } // Allocate and return a new Name object. func NewName() (*Name, error) { n := C.X509_NAME_new() if n == nil { return nil, errors.New("could not create x509 name") } name := &Name{name: n} runtime.SetFinalizer(name, func(n *Name) { C.X509_NAME_free(n.name) }) return name, nil } // AddTextEntry appends a text entry to an X509 NAME. func (n *Name) AddTextEntry(field, value string) error { cfield := C.CString(field) defer C.free(unsafe.Pointer(cfield)) cvalue := (*C.uchar)(unsafe.Pointer(C.CString(value))) defer C.free(unsafe.Pointer(cvalue)) ret := C.X509_NAME_add_entry_by_txt( n.name, cfield, C.MBSTRING_ASC, cvalue, -1, -1, 0) if ret != 1 { return errors.New("failed to add x509 name text entry") } return nil } // AddTextEntries allows adding multiple entries to a name in one call. func (n *Name) AddTextEntries(entries map[string]string) error { for f, v := range entries { if err := n.AddTextEntry(f, v); err != nil { return err } } return nil } // GetEntry returns a name entry based on NID. If no entry, then ("", false) is // returned. func (n *Name) GetEntry(nid NID) (entry string, ok bool) { entrylen := C.X509_NAME_get_text_by_NID(n.name, C.int(nid), nil, 0) if entrylen == -1 { return "", false } buf := (*C.char)(C.malloc(C.size_t(entrylen + 1))) defer C.free(unsafe.Pointer(buf)) C.X509_NAME_get_text_by_NID(n.name, C.int(nid), buf, entrylen+1) return C.GoStringN(buf, entrylen), true } // NewCertificate generates a basic certificate based // on the provided CertificateInfo struct func NewCertificate(info *CertificateInfo, key PublicKey) (*Certificate, error) { c := &Certificate{x: C.X509_new()} runtime.SetFinalizer(c, func(c *Certificate) { C.X509_free(c.x) }) name, err := c.GetSubjectName() if err != nil { return nil, err } err = name.AddTextEntries(map[string]string{ "C": info.Country, "O": info.Organization, "CN": info.CommonName, }) if err != nil { return nil, err } // self-issue for now if err := c.SetIssuerName(name); err != nil { return nil, err } if err := c.SetSerial(info.Serial); err != nil { return nil, err } if err := c.SetIssueDate(info.Issued); err != nil { return nil, err } if err := c.SetExpireDate(info.Expires); err != nil { return nil, err } if err := c.SetPubKey(key); err != nil { return nil, err } return c, nil } func (c *Certificate) GetSubjectName() (*Name, error) { n := C.X509_get_subject_name(c.x) if n == nil { return nil, errors.New("failed to get subject name") } return &Name{name: n}, nil } func (c *Certificate) GetIssuerName() (*Name, error) { n := C.X509_get_issuer_name(c.x) if n == nil { return nil, errors.New("failed to get issuer name") } return &Name{name: n}, nil } func (c *Certificate) SetSubjectName(name *Name) error { if C.X509_set_subject_name(c.x, name.name) != 1 { return errors.New("failed to set subject name") } return nil } // SetIssuer updates the stored Issuer cert // and the internal x509 Issuer Name of a certificate. // The stored Issuer reference is used when adding extensions. func (c *Certificate) SetIssuer(issuer *Certificate) error { name, err := issuer.GetSubjectName() if err != nil { return err } if err = c.SetIssuerName(name); err != nil { return err } c.Issuer = issuer return nil } // SetIssuerName populates the issuer name of a certificate. // Use SetIssuer instead, if possible. func (c *Certificate) SetIssuerName(name *Name) error { if C.X509_set_issuer_name(c.x, name.name) != 1 { return errors.New("failed to set subject name") } return nil } // SetSerial sets the serial of a certificate. func (c *Certificate) SetSerial(serial *big.Int) error { sno := C.ASN1_INTEGER_new() defer C.ASN1_INTEGER_free(sno) bn := C.BN_new() defer C.BN_free(bn) serialBytes := serial.Bytes() if bn = C.BN_bin2bn((*C.uchar)(unsafe.Pointer(&serialBytes[0])), C.int(len(serialBytes)), bn); bn == nil { return errors.New("failed to set serial") } if sno = C.BN_to_ASN1_INTEGER(bn, sno); sno == nil { return errors.New("failed to set serial") } if C.X509_set_serialNumber(c.x, sno) != 1 { return errors.New("failed to set serial") } return nil } // SetIssueDate sets the certificate issue date relative to the current time. func (c *Certificate) SetIssueDate(when time.Duration) error { offset := C.long(when / time.Second) result := C.X509_gmtime_adj(C.X_X509_get0_notBefore(c.x), offset) if result == nil { return errors.New("failed to set issue date") } return nil } // SetExpireDate sets the certificate issue date relative to the current time. func (c *Certificate) SetExpireDate(when time.Duration) error { offset := C.long(when / time.Second) result := C.X509_gmtime_adj(C.X_X509_get0_notAfter(c.x), offset) if result == nil { return errors.New("failed to set expire date") } return nil } // SetPubKey assigns a new public key to a certificate. func (c *Certificate) SetPubKey(pubKey PublicKey) error { c.pubKey = pubKey if C.X509_set_pubkey(c.x, pubKey.evpPKey()) != 1 { return errors.New("failed to set public key") } return nil } // Sign a certificate using a private key and a digest name. // Accepted digest names are 'sha256', 'sha384', and 'sha512'. func (c *Certificate) Sign(privKey PrivateKey, digest EVP_MD) error { switch digest { case EVP_SHA256: case EVP_SHA384: case EVP_SHA512: default: return errors.New("unsupported digest; " + "you're probably looking for 'EVP_SHA256' or 'EVP_SHA512'") } return c.insecureSign(privKey, digest) } func (c *Certificate) insecureSign(privKey PrivateKey, digest EVP_MD) error { var md *C.EVP_MD = getDigestFunction(digest) if C.X509_sign(c.x, privKey.evpPKey(), md) <= 0 { return errors.New("failed to sign certificate") } return nil } func getDigestFunction(digest EVP_MD) (md *C.EVP_MD) { switch digest { // please don't use these digest functions case EVP_NULL: md = C.X_EVP_md_null() case EVP_MD5: md = C.X_EVP_md5() case EVP_SHA: md = C.X_EVP_sha() case EVP_SHA1: md = C.X_EVP_sha1() case EVP_DSS: md = C.X_EVP_dss() case EVP_DSS1: md = C.X_EVP_dss1() case EVP_RIPEMD160: md = C.X_EVP_ripemd160() case EVP_SHA224: md = C.X_EVP_sha224() // you actually want one of these case EVP_SHA256: md = C.X_EVP_sha256() case EVP_SHA384: md = C.X_EVP_sha384() case EVP_SHA512: md = C.X_EVP_sha512() } return md } // Add an extension to a certificate. // Extension constants are NID_* as found in openssl. func (c *Certificate) AddExtension(nid NID, value string) error { issuer := c if c.Issuer != nil { issuer = c.Issuer } var ctx C.X509V3_CTX C.X509V3_set_ctx(&ctx, c.x, issuer.x, nil, nil, 0) ex := C.X509V3_EXT_conf_nid(nil, &ctx, C.int(nid), C.CString(value)) if ex == nil { return errors.New("failed to create x509v3 extension") } defer C.X509_EXTENSION_free(ex) if C.X509_add_ext(c.x, ex, -1) <= 0 { return errors.New("failed to add x509v3 extension") } return nil } // AddCustomExtension add custom extenstion to the certificate. func (c *Certificate) AddCustomExtension(nid NID, value []byte) error { val := (*C.char)(C.CBytes(value)) defer C.free(unsafe.Pointer(val)) if int(C.add_custom_ext(c.x, C.int(nid), val, C.int(len(value)))) == 0 { return errors.New("unable to add extension") } return nil } // Wraps AddExtension using a map of NID to text extension. // Will return without finishing if it encounters an error. func (c *Certificate) AddExtensions(extensions map[NID]string) error { for nid, value := range extensions { if err := c.AddExtension(nid, value); err != nil { return err } } return nil } // LoadCertificateFromPEM loads an X509 certificate from a PEM-encoded block. func LoadCertificateFromPEM(pem_block []byte) (*Certificate, error) { if len(pem_block) == 0 { return nil, errors.New("empty pem block") } runtime.LockOSThread() defer runtime.UnlockOSThread() bio := C.BIO_new_mem_buf(unsafe.Pointer(&pem_block[0]), C.int(len(pem_block))) cert := C.PEM_read_bio_X509(bio, nil, nil, nil) C.BIO_free(bio) if cert == nil { return nil, errorFromErrorQueue() } x := &Certificate{x: cert} runtime.SetFinalizer(x, func(x *Certificate) { C.X509_free(x.x) }) return x, nil } // MarshalPEM converts the X509 certificate to PEM-encoded format func (c *Certificate) MarshalPEM() (pem_block []byte, err error) { bio := C.BIO_new(C.BIO_s_mem()) if bio == nil { return nil, errors.New("failed to allocate memory BIO") } defer C.BIO_free(bio) if int(C.PEM_write_bio_X509(bio, c.x)) != 1 { return nil, errors.New("failed dumping certificate") } return io.ReadAll(asAnyBio(bio)) } // PublicKey returns the public key embedded in the X509 certificate. func (c *Certificate) PublicKey() (PublicKey, error) { pkey := C.X509_get_pubkey(c.x) if pkey == nil { return nil, errors.New("no public key found") } key := &pKey{key: pkey} runtime.SetFinalizer(key, func(key *pKey) { C.EVP_PKEY_free(key.key) }) return key, nil } // GetSerialNumberHex returns the certificate's serial number in hex format func (c *Certificate) GetSerialNumberHex() (serial string) { asn1_i := C.X509_get_serialNumber(c.x) bignum := C.ASN1_INTEGER_to_BN(asn1_i, nil) hex := C.BN_bn2hex(bignum) serial = C.GoString(hex) C.BN_free(bignum) C.X_OPENSSL_free(unsafe.Pointer(hex)) return } // GetVersion returns the X509 version of the certificate. func (c *Certificate) GetVersion() X509_Version { return X509_Version(C.X_X509_get_version(c.x)) } // SetVersion sets the X509 version of the certificate. func (c *Certificate) SetVersion(version X509_Version) error { cvers := C.long(version) if C.X_X509_set_version(c.x, cvers) != 1 { return errors.New("failed to set certificate version") } return nil } // GetExtensionValue returns the value of the given NID's extension. func (c *Certificate) GetExtensionValue(nid NID) []byte { dataLength := C.int(0) val := C.get_extention(c.x, C.int(nid), &dataLength) return C.GoBytes(unsafe.Pointer(val), dataLength) }