parser.go

     1  // Copyright 2021 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  package x509
     5  
     6  import (
     7  	"bytes"
     8  	"crypto/dsa"
     9  	"crypto/ecdsa"
    10  	"crypto/ed25519"
    11  	"crypto/elliptic"
    12  	"crypto/rsa"
    13  	"crypto/x509/pkix"
    14  	"encoding/asn1"
    15  	"errors"
    16  	"fmt"
    17  	"math/big"
    18  	"net"
    19  	"net/url"
    20  	"strconv"
    21  	"strings"
    22  	"time"
    23  	"unicode/utf16"
    24  	"unicode/utf8"
    25  
    26  	"golang.org/x/crypto/cryptobyte"
    27  	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
    28  )
    29  
    30  // isPrintable reports whether the given b is in the ASN.1 PrintableString set.
    31  // This is a simplified version of encoding/asn1.isPrintable.
    32  func isPrintable(b byte) bool {
    33  	return 'a' <= b && b <= 'z' ||
    34  		'A' <= b && b <= 'Z' ||
    35  		'0' <= b && b <= '9' ||
    36  		'\'' <= b && b <= ')' ||
    37  		'+' <= b && b <= '/' ||
    38  		b == ' ' ||
    39  		b == ':' ||
    40  		b == '=' ||
    41  		b == '?' ||
    42  		// This is technically not allowed in a PrintableString.
    43  		// However, x509 certificates with wildcard strings don't
    44  		// always use the correct string type so we permit it.
    45  		b == '*' ||
    46  		// This is not technically allowed either. However, not
    47  		// only is it relatively common, but there are also a
    48  		// handful of CA certificates that contain it. At least
    49  		// one of which will not expire until 2027.
    50  		b == '&'
    51  }
    52  
    53  // parseASN1String parses the ASN.1 string types T61String, PrintableString,
    54  // UTF8String, BMPString, IA5String, and NumericString. This is mostly copied
    55  // from the respective encoding/asn1.parse... methods, rather than just
    56  // increasing the API surface of that package.
    57  func parseASN1String(tag cryptobyte_asn1.Tag, value []byte) (string, error) {
    58  	switch tag {
    59  	case cryptobyte_asn1.T61String:
    60  		return string(value), nil
    61  	case cryptobyte_asn1.PrintableString:
    62  		for _, b := range value {
    63  			if !isPrintable(b) {
    64  				return "", errors.New("invalid PrintableString")
    65  			}
    66  		}
    67  		return string(value), nil
    68  	case cryptobyte_asn1.UTF8String:
    69  		if !utf8.Valid(value) {
    70  			return "", errors.New("invalid UTF-8 string")
    71  		}
    72  		return string(value), nil
    73  	case cryptobyte_asn1.Tag(asn1.TagBMPString):
    74  		if len(value)%2 != 0 {
    75  			return "", errors.New("invalid BMPString")
    76  		}
    77  
    78  		// Strip terminator if present.
    79  		if l := len(value); l >= 2 && value[l-1] == 0 && value[l-2] == 0 {
    80  			value = value[:l-2]
    81  		}
    82  
    83  		s := make([]uint16, 0, len(value)/2)
    84  		for len(value) > 0 {
    85  			s = append(s, uint16(value[0])<<8+uint16(value[1]))
    86  			value = value[2:]
    87  		}
    88  
    89  		return string(utf16.Decode(s)), nil
    90  	case cryptobyte_asn1.IA5String:
    91  		s := string(value)
    92  		if isIA5String(s) != nil {
    93  			return "", errors.New("invalid IA5String")
    94  		}
    95  		return s, nil
    96  	case cryptobyte_asn1.Tag(asn1.TagNumericString):
    97  		for _, b := range value {
    98  			if !('0' <= b && b <= '9' || b == ' ') {
    99  				return "", errors.New("invalid NumericString")
   100  			}
   101  		}
   102  		return string(value), nil
   103  	}
   104  	return "", fmt.Errorf("unsupported string type: %v", tag)
   105  }
   106  
   107  // parseName parses a DER encoded Name as defined in RFC 5280. We may
   108  // want to export this function in the future for use in crypto/tls.
   109  func parseName(raw cryptobyte.String) (*pkix.RDNSequence, error) {
   110  	if !raw.ReadASN1(&raw, cryptobyte_asn1.SEQUENCE) {
   111  		return nil, errors.New("x509: invalid RDNSequence")
   112  	}
   113  
   114  	var rdnSeq pkix.RDNSequence
   115  	for !raw.Empty() {
   116  		var rdnSet pkix.RelativeDistinguishedNameSET
   117  		var set cryptobyte.String
   118  		if !raw.ReadASN1(&set, cryptobyte_asn1.SET) {
   119  			return nil, errors.New("x509: invalid RDNSequence")
   120  		}
   121  		for !set.Empty() {
   122  			var atav cryptobyte.String
   123  			if !set.ReadASN1(&atav, cryptobyte_asn1.SEQUENCE) {
   124  				return nil, errors.New("x509: invalid RDNSequence: invalid attribute")
   125  			}
   126  			var attr pkix.AttributeTypeAndValue
   127  			if !atav.ReadASN1ObjectIdentifier(&attr.Type) {
   128  				return nil, errors.New("x509: invalid RDNSequence: invalid attribute type")
   129  			}
   130  			var rawValue cryptobyte.String
   131  			var valueTag cryptobyte_asn1.Tag
   132  			if !atav.ReadAnyASN1(&rawValue, &valueTag) {
   133  				return nil, errors.New("x509: invalid RDNSequence: invalid attribute value")
   134  			}
   135  			var err error
   136  			attr.Value, err = parseASN1String(valueTag, rawValue)
   137  			if err != nil {
   138  				return nil, fmt.Errorf("x509: invalid RDNSequence: invalid attribute value: %s", err)
   139  			}
   140  			rdnSet = append(rdnSet, attr)
   141  		}
   142  
   143  		rdnSeq = append(rdnSeq, rdnSet)
   144  	}
   145  
   146  	return &rdnSeq, nil
   147  }
   148  
   149  func parseAI(der cryptobyte.String) (pkix.AlgorithmIdentifier, error) {
   150  	ai := pkix.AlgorithmIdentifier{}
   151  	if !der.ReadASN1ObjectIdentifier(&ai.Algorithm) {
   152  		return ai, errors.New("x509: malformed OID")
   153  	}
   154  	if der.Empty() {
   155  		return ai, nil
   156  	}
   157  	var params cryptobyte.String
   158  	var tag cryptobyte_asn1.Tag
   159  	if !der.ReadAnyASN1Element(&params, &tag) {
   160  		return ai, errors.New("x509: malformed parameters")
   161  	}
   162  	ai.Parameters.Tag = int(tag)
   163  	ai.Parameters.FullBytes = params
   164  	return ai, nil
   165  }
   166  
   167  func parseValidity(der cryptobyte.String) (time.Time, time.Time, error) {
   168  	extract := func() (time.Time, error) {
   169  		var t time.Time
   170  		switch {
   171  		case der.PeekASN1Tag(cryptobyte_asn1.UTCTime):
   172  			// TODO(rolandshoemaker): once #45411 is fixed, the following code
   173  			// should be replaced with a call to der.ReadASN1UTCTime.
   174  			var utc cryptobyte.String
   175  			if !der.ReadASN1(&utc, cryptobyte_asn1.UTCTime) {
   176  				return t, errors.New("x509: malformed UTCTime")
   177  			}
   178  			s := string(utc)
   179  
   180  			formatStr := "0601021504Z0700"
   181  			var err error
   182  			t, err = time.Parse(formatStr, s)
   183  			if err != nil {
   184  				formatStr = "060102150405Z0700"
   185  				t, err = time.Parse(formatStr, s)
   186  			}
   187  			if err != nil {
   188  				return t, err
   189  			}
   190  
   191  			if serialized := t.Format(formatStr); serialized != s {
   192  				return t, errors.New("x509: malformed UTCTime")
   193  			}
   194  
   195  			if t.Year() >= 2050 {
   196  				// UTCTime only encodes times prior to 2050. See https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1
   197  				t = t.AddDate(-100, 0, 0)
   198  			}
   199  		case der.PeekASN1Tag(cryptobyte_asn1.GeneralizedTime):
   200  			if !der.ReadASN1GeneralizedTime(&t) {
   201  				return t, errors.New("x509: malformed GeneralizedTime")
   202  			}
   203  		default:
   204  			return t, errors.New("x509: unsupported time format")
   205  		}
   206  		return t, nil
   207  	}
   208  
   209  	notBefore, err := extract()
   210  	if err != nil {
   211  		return time.Time{}, time.Time{}, err
   212  	}
   213  	notAfter, err := extract()
   214  	if err != nil {
   215  		return time.Time{}, time.Time{}, err
   216  	}
   217  
   218  	return notBefore, notAfter, nil
   219  }
   220  
   221  func parseExtension(der cryptobyte.String) (pkix.Extension, error) {
   222  	var ext pkix.Extension
   223  	if !der.ReadASN1ObjectIdentifier(&ext.Id) {
   224  		return ext, errors.New("x509: malformed extension OID field")
   225  	}
   226  	if der.PeekASN1Tag(cryptobyte_asn1.BOOLEAN) {
   227  		if !der.ReadASN1Boolean(&ext.Critical) {
   228  			return ext, errors.New("x509: malformed extension critical field")
   229  		}
   230  	}
   231  	var val cryptobyte.String
   232  	if !der.ReadASN1(&val, cryptobyte_asn1.OCTET_STRING) {
   233  		return ext, errors.New("x509: malformed extension value field")
   234  	}
   235  	ext.Value = val
   236  	return ext, nil
   237  }
   238  
   239  func parsePublicKey(algo PublicKeyAlgorithm, keyData *publicKeyInfo) (any, error) {
   240  	der := cryptobyte.String(keyData.PublicKey.RightAlign())
   241  	switch algo {
   242  	case RSA:
   243  		// RSA public keys must have a NULL in the parameters.
   244  		// See RFC 3279, Section 2.3.1.
   245  		if !bytes.Equal(keyData.Algorithm.Parameters.FullBytes, asn1.NullBytes) {
   246  			return nil, errors.New("x509: RSA key missing NULL parameters")
   247  		}
   248  
   249  		p := &pkcs1PublicKey{N: new(big.Int)}
   250  		if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   251  			return nil, errors.New("x509: invalid RSA public key")
   252  		}
   253  		if !der.ReadASN1Integer(p.N) {
   254  			return nil, errors.New("x509: invalid RSA modulus")
   255  		}
   256  		if !der.ReadASN1Integer(&p.E) {
   257  			return nil, errors.New("x509: invalid RSA public exponent")
   258  		}
   259  
   260  		if p.N.Sign() <= 0 {
   261  			return nil, errors.New("x509: RSA modulus is not a positive number")
   262  		}
   263  		if p.E <= 0 {
   264  			return nil, errors.New("x509: RSA public exponent is not a positive number")
   265  		}
   266  
   267  		pub := &rsa.PublicKey{
   268  			E: p.E,
   269  			N: p.N,
   270  		}
   271  		return pub, nil
   272  	case ECDSA:
   273  		paramsDer := cryptobyte.String(keyData.Algorithm.Parameters.FullBytes)
   274  		namedCurveOID := new(asn1.ObjectIdentifier)
   275  		if !paramsDer.ReadASN1ObjectIdentifier(namedCurveOID) {
   276  			return nil, errors.New("x509: invalid ECDSA parameters")
   277  		}
   278  		namedCurve := namedCurveFromOID(*namedCurveOID)
   279  		if namedCurve == nil {
   280  			return nil, errors.New("x509: unsupported elliptic curve")
   281  		}
   282  		x, y := elliptic.Unmarshal(namedCurve, der)
   283  		if x == nil {
   284  			return nil, errors.New("x509: failed to unmarshal elliptic curve point")
   285  		}
   286  		pub := &ecdsa.PublicKey{
   287  			Curve: namedCurve,
   288  			X:     x,
   289  			Y:     y,
   290  		}
   291  		return pub, nil
   292  	case Ed25519:
   293  		// RFC 8410, Section 3
   294  		// > For all of the OIDs, the parameters MUST be absent.
   295  		if len(keyData.Algorithm.Parameters.FullBytes) != 0 {
   296  			return nil, errors.New("x509: Ed25519 key encoded with illegal parameters")
   297  		}
   298  		if len(der) != ed25519.PublicKeySize {
   299  			return nil, errors.New("x509: wrong Ed25519 public key size")
   300  		}
   301  		return ed25519.PublicKey(der), nil
   302  	case DSA:
   303  		y := new(big.Int)
   304  		if !der.ReadASN1Integer(y) {
   305  			return nil, errors.New("x509: invalid DSA public key")
   306  		}
   307  		pub := &dsa.PublicKey{
   308  			Y: y,
   309  			Parameters: dsa.Parameters{
   310  				P: new(big.Int),
   311  				Q: new(big.Int),
   312  				G: new(big.Int),
   313  			},
   314  		}
   315  		paramsDer := cryptobyte.String(keyData.Algorithm.Parameters.FullBytes)
   316  		if !paramsDer.ReadASN1(&paramsDer, cryptobyte_asn1.SEQUENCE) ||
   317  			!paramsDer.ReadASN1Integer(pub.Parameters.P) ||
   318  			!paramsDer.ReadASN1Integer(pub.Parameters.Q) ||
   319  			!paramsDer.ReadASN1Integer(pub.Parameters.G) {
   320  			return nil, errors.New("x509: invalid DSA parameters")
   321  		}
   322  		if pub.Y.Sign() <= 0 || pub.Parameters.P.Sign() <= 0 ||
   323  			pub.Parameters.Q.Sign() <= 0 || pub.Parameters.G.Sign() <= 0 {
   324  			return nil, errors.New("x509: zero or negative DSA parameter")
   325  		}
   326  		return pub, nil
   327  	default:
   328  		return nil, nil
   329  	}
   330  }
   331  
   332  func parseKeyUsageExtension(der cryptobyte.String) (KeyUsage, error) {
   333  	var usageBits asn1.BitString
   334  	if !der.ReadASN1BitString(&usageBits) {
   335  		return 0, errors.New("x509: invalid key usage")
   336  	}
   337  
   338  	var usage int
   339  	for i := 0; i < 9; i++ {
   340  		if usageBits.At(i) != 0 {
   341  			usage |= 1 << uint(i)
   342  		}
   343  	}
   344  	return KeyUsage(usage), nil
   345  }
   346  
   347  func parseBasicConstraintsExtension(der cryptobyte.String) (bool, int, error) {
   348  	var isCA bool
   349  	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   350  		return false, 0, errors.New("x509: invalid basic constraints a")
   351  	}
   352  	if der.PeekASN1Tag(cryptobyte_asn1.BOOLEAN) {
   353  		if !der.ReadASN1Boolean(&isCA) {
   354  			return false, 0, errors.New("x509: invalid basic constraints b")
   355  		}
   356  	}
   357  	maxPathLen := -1
   358  	if !der.Empty() && der.PeekASN1Tag(cryptobyte_asn1.INTEGER) {
   359  		if !der.ReadASN1Integer(&maxPathLen) {
   360  			return false, 0, errors.New("x509: invalid basic constraints c")
   361  		}
   362  	}
   363  
   364  	// TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285)
   365  	return isCA, maxPathLen, nil
   366  }
   367  
   368  func forEachSAN(der cryptobyte.String, callback func(tag int, data []byte) error) error {
   369  	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   370  		return errors.New("x509: invalid subject alternative names")
   371  	}
   372  	for !der.Empty() {
   373  		var san cryptobyte.String
   374  		var tag cryptobyte_asn1.Tag
   375  		if !der.ReadAnyASN1(&san, &tag) {
   376  			return errors.New("x509: invalid subject alternative name")
   377  		}
   378  		if err := callback(int(tag^0x80), san); err != nil {
   379  			return err
   380  		}
   381  	}
   382  
   383  	return nil
   384  }
   385  
   386  func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) {
   387  	err = forEachSAN(der, func(tag int, data []byte) error {
   388  		switch tag {
   389  		case nameTypeEmail:
   390  			email := string(data)
   391  			if err := isIA5String(email); err != nil {
   392  				return errors.New("x509: SAN rfc822Name is malformed")
   393  			}
   394  			emailAddresses = append(emailAddresses, email)
   395  		case nameTypeDNS:
   396  			name := string(data)
   397  			if err := isIA5String(name); err != nil {
   398  				return errors.New("x509: SAN dNSName is malformed")
   399  			}
   400  			dnsNames = append(dnsNames, string(name))
   401  		case nameTypeURI:
   402  			uriStr := string(data)
   403  			if err := isIA5String(uriStr); err != nil {
   404  				return errors.New("x509: SAN uniformResourceIdentifier is malformed")
   405  			}
   406  			uri, err := url.Parse(uriStr)
   407  			if err != nil {
   408  				return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err)
   409  			}
   410  			if len(uri.Host) > 0 {
   411  				if _, ok := domainToReverseLabels(uri.Host); !ok {
   412  					return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr)
   413  				}
   414  			}
   415  			uris = append(uris, uri)
   416  		case nameTypeIP:
   417  			switch len(data) {
   418  			case net.IPv4len, net.IPv6len:
   419  				ipAddresses = append(ipAddresses, data)
   420  			default:
   421  				return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data)))
   422  			}
   423  		}
   424  
   425  		return nil
   426  	})
   427  
   428  	return
   429  }
   430  
   431  func parseExtKeyUsageExtension(der cryptobyte.String) ([]ExtKeyUsage, []asn1.ObjectIdentifier, error) {
   432  	var extKeyUsages []ExtKeyUsage
   433  	var unknownUsages []asn1.ObjectIdentifier
   434  	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   435  		return nil, nil, errors.New("x509: invalid extended key usages")
   436  	}
   437  	for !der.Empty() {
   438  		var eku asn1.ObjectIdentifier
   439  		if !der.ReadASN1ObjectIdentifier(&eku) {
   440  			return nil, nil, errors.New("x509: invalid extended key usages")
   441  		}
   442  		if extKeyUsage, ok := extKeyUsageFromOID(eku); ok {
   443  			extKeyUsages = append(extKeyUsages, extKeyUsage)
   444  		} else {
   445  			unknownUsages = append(unknownUsages, eku)
   446  		}
   447  	}
   448  	return extKeyUsages, unknownUsages, nil
   449  }
   450  
   451  func parseCertificatePoliciesExtension(der cryptobyte.String) ([]asn1.ObjectIdentifier, error) {
   452  	var oids []asn1.ObjectIdentifier
   453  	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   454  		return nil, errors.New("x509: invalid certificate policies")
   455  	}
   456  	for !der.Empty() {
   457  		var cp cryptobyte.String
   458  		if !der.ReadASN1(&cp, cryptobyte_asn1.SEQUENCE) {
   459  			return nil, errors.New("x509: invalid certificate policies")
   460  		}
   461  		var oid asn1.ObjectIdentifier
   462  		if !cp.ReadASN1ObjectIdentifier(&oid) {
   463  			return nil, errors.New("x509: invalid certificate policies")
   464  		}
   465  		oids = append(oids, oid)
   466  	}
   467  
   468  	return oids, nil
   469  }
   470  
   471  // isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.
   472  func isValidIPMask(mask []byte) bool {
   473  	seenZero := false
   474  
   475  	for _, b := range mask {
   476  		if seenZero {
   477  			if b != 0 {
   478  				return false
   479  			}
   480  
   481  			continue
   482  		}
   483  
   484  		switch b {
   485  		case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe:
   486  			seenZero = true
   487  		case 0xff:
   488  		default:
   489  			return false
   490  		}
   491  	}
   492  
   493  	return true
   494  }
   495  
   496  func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) {
   497  	// RFC 5280, 4.2.1.10
   498  
   499  	// NameConstraints ::= SEQUENCE {
   500  	//      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
   501  	//      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
   502  	//
   503  	// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
   504  	//
   505  	// GeneralSubtree ::= SEQUENCE {
   506  	//      base                    GeneralName,
   507  	//      minimum         [0]     BaseDistance DEFAULT 0,
   508  	//      maximum         [1]     BaseDistance OPTIONAL }
   509  	//
   510  	// BaseDistance ::= INTEGER (0..MAX)
   511  
   512  	outer := cryptobyte.String(e.Value)
   513  	var toplevel, permitted, excluded cryptobyte.String
   514  	var havePermitted, haveExcluded bool
   515  	if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) ||
   516  		!outer.Empty() ||
   517  		!toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) ||
   518  		!toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) ||
   519  		!toplevel.Empty() {
   520  		return false, errors.New("x509: invalid NameConstraints extension")
   521  	}
   522  
   523  	if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 {
   524  		// From RFC 5280, Section 4.2.1.10:
   525  		//   “either the permittedSubtrees field
   526  		//   or the excludedSubtrees MUST be
   527  		//   present”
   528  		return false, errors.New("x509: empty name constraints extension")
   529  	}
   530  
   531  	getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) {
   532  		for !subtrees.Empty() {
   533  			var seq, value cryptobyte.String
   534  			var tag cryptobyte_asn1.Tag
   535  			if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) ||
   536  				!seq.ReadAnyASN1(&value, &tag) {
   537  				return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension")
   538  			}
   539  
   540  			var (
   541  				dnsTag   = cryptobyte_asn1.Tag(2).ContextSpecific()
   542  				emailTag = cryptobyte_asn1.Tag(1).ContextSpecific()
   543  				ipTag    = cryptobyte_asn1.Tag(7).ContextSpecific()
   544  				uriTag   = cryptobyte_asn1.Tag(6).ContextSpecific()
   545  			)
   546  
   547  			switch tag {
   548  			case dnsTag:
   549  				domain := string(value)
   550  				if err := isIA5String(domain); err != nil {
   551  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
   552  				}
   553  
   554  				trimmedDomain := domain
   555  				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
   556  					// constraints can have a leading
   557  					// period to exclude the domain
   558  					// itself, but that's not valid in a
   559  					// normal domain name.
   560  					trimmedDomain = trimmedDomain[1:]
   561  				}
   562  				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
   563  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
   564  				}
   565  				dnsNames = append(dnsNames, domain)
   566  
   567  			case ipTag:
   568  				l := len(value)
   569  				var ip, mask []byte
   570  
   571  				switch l {
   572  				case 8:
   573  					ip = value[:4]
   574  					mask = value[4:]
   575  
   576  				case 32:
   577  					ip = value[:16]
   578  					mask = value[16:]
   579  
   580  				default:
   581  					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l)
   582  				}
   583  
   584  				if !isValidIPMask(mask) {
   585  					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask)
   586  				}
   587  
   588  				ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)})
   589  
   590  			case emailTag:
   591  				constraint := string(value)
   592  				if err := isIA5String(constraint); err != nil {
   593  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
   594  				}
   595  
   596  				// If the constraint contains an @ then
   597  				// it specifies an exact mailbox name.
   598  				if strings.Contains(constraint, "@") {
   599  					if _, ok := parseRFC2821Mailbox(constraint); !ok {
   600  						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
   601  					}
   602  				} else {
   603  					// Otherwise it's a domain name.
   604  					domain := constraint
   605  					if len(domain) > 0 && domain[0] == '.' {
   606  						domain = domain[1:]
   607  					}
   608  					if _, ok := domainToReverseLabels(domain); !ok {
   609  						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
   610  					}
   611  				}
   612  				emails = append(emails, constraint)
   613  
   614  			case uriTag:
   615  				domain := string(value)
   616  				if err := isIA5String(domain); err != nil {
   617  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
   618  				}
   619  
   620  				if net.ParseIP(domain) != nil {
   621  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
   622  				}
   623  
   624  				trimmedDomain := domain
   625  				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
   626  					// constraints can have a leading
   627  					// period to exclude the domain itself,
   628  					// but that's not valid in a normal
   629  					// domain name.
   630  					trimmedDomain = trimmedDomain[1:]
   631  				}
   632  				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
   633  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
   634  				}
   635  				uriDomains = append(uriDomains, domain)
   636  
   637  			default:
   638  				unhandled = true
   639  			}
   640  		}
   641  
   642  		return dnsNames, ips, emails, uriDomains, nil
   643  	}
   644  
   645  	if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil {
   646  		return false, err
   647  	}
   648  	if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil {
   649  		return false, err
   650  	}
   651  	out.PermittedDNSDomainsCritical = e.Critical
   652  
   653  	return unhandled, nil
   654  }
   655  
   656  func processExtensions(out *Certificate) error {
   657  	var err error
   658  	for _, e := range out.Extensions {
   659  		unhandled := false
   660  
   661  		if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 {
   662  			switch e.Id[3] {
   663  			case 15:
   664  				out.KeyUsage, err = parseKeyUsageExtension(e.Value)
   665  				if err != nil {
   666  					return err
   667  				}
   668  			case 19:
   669  				out.IsCA, out.MaxPathLen, err = parseBasicConstraintsExtension(e.Value)
   670  				if err != nil {
   671  					return err
   672  				}
   673  				out.BasicConstraintsValid = true
   674  				out.MaxPathLenZero = out.MaxPathLen == 0
   675  			case 17:
   676  				out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value)
   677  				if err != nil {
   678  					return err
   679  				}
   680  
   681  				if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 {
   682  					// If we didn't parse anything then we do the critical check, below.
   683  					unhandled = true
   684  				}
   685  
   686  			case 30:
   687  				unhandled, err = parseNameConstraintsExtension(out, e)
   688  				if err != nil {
   689  					return err
   690  				}
   691  
   692  			case 31:
   693  				// RFC 5280, 4.2.1.13
   694  
   695  				// CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
   696  				//
   697  				// DistributionPoint ::= SEQUENCE {
   698  				//     distributionPoint       [0]     DistributionPointName OPTIONAL,
   699  				//     reasons                 [1]     ReasonFlags OPTIONAL,
   700  				//     cRLIssuer               [2]     GeneralNames OPTIONAL }
   701  				//
   702  				// DistributionPointName ::= CHOICE {
   703  				//     fullName                [0]     GeneralNames,
   704  				//     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
   705  				val := cryptobyte.String(e.Value)
   706  				if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) {
   707  					return errors.New("x509: invalid CRL distribution points")
   708  				}
   709  				for !val.Empty() {
   710  					var dpDER cryptobyte.String
   711  					if !val.ReadASN1(&dpDER, cryptobyte_asn1.SEQUENCE) {
   712  						return errors.New("x509: invalid CRL distribution point")
   713  					}
   714  					var dpNameDER cryptobyte.String
   715  					var dpNamePresent bool
   716  					if !dpDER.ReadOptionalASN1(&dpNameDER, &dpNamePresent, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) {
   717  						return errors.New("x509: invalid CRL distribution point")
   718  					}
   719  					if !dpNamePresent {
   720  						continue
   721  					}
   722  					if !dpNameDER.ReadASN1(&dpNameDER, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) {
   723  						return errors.New("x509: invalid CRL distribution point")
   724  					}
   725  					for !dpNameDER.Empty() {
   726  						if !dpNameDER.PeekASN1Tag(cryptobyte_asn1.Tag(6).ContextSpecific()) {
   727  							break
   728  						}
   729  						var uri cryptobyte.String
   730  						if !dpNameDER.ReadASN1(&uri, cryptobyte_asn1.Tag(6).ContextSpecific()) {
   731  							return errors.New("x509: invalid CRL distribution point")
   732  						}
   733  						out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(uri))
   734  					}
   735  				}
   736  
   737  			case 35:
   738  				// RFC 5280, 4.2.1.1
   739  				val := cryptobyte.String(e.Value)
   740  				var akid cryptobyte.String
   741  				if !val.ReadASN1(&akid, cryptobyte_asn1.SEQUENCE) {
   742  					return errors.New("x509: invalid authority key identifier")
   743  				}
   744  				if akid.PeekASN1Tag(cryptobyte_asn1.Tag(0).ContextSpecific()) {
   745  					if !akid.ReadASN1(&akid, cryptobyte_asn1.Tag(0).ContextSpecific()) {
   746  						return errors.New("x509: invalid authority key identifier")
   747  					}
   748  					out.AuthorityKeyId = akid
   749  				}
   750  			case 37:
   751  				out.ExtKeyUsage, out.UnknownExtKeyUsage, err = parseExtKeyUsageExtension(e.Value)
   752  				if err != nil {
   753  					return err
   754  				}
   755  			case 14:
   756  				// RFC 5280, 4.2.1.2
   757  				val := cryptobyte.String(e.Value)
   758  				var skid cryptobyte.String
   759  				if !val.ReadASN1(&skid, cryptobyte_asn1.OCTET_STRING) {
   760  					return errors.New("x509: invalid subject key identifier")
   761  				}
   762  				out.SubjectKeyId = skid
   763  			case 32:
   764  				out.PolicyIdentifiers, err = parseCertificatePoliciesExtension(e.Value)
   765  				if err != nil {
   766  					return err
   767  				}
   768  			default:
   769  				// Unknown extensions are recorded if critical.
   770  				unhandled = true
   771  			}
   772  		} else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
   773  			// RFC 5280 4.2.2.1: Authority Information Access
   774  			val := cryptobyte.String(e.Value)
   775  			if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) {
   776  				return errors.New("x509: invalid authority info access")
   777  			}
   778  			for !val.Empty() {
   779  				var aiaDER cryptobyte.String
   780  				if !val.ReadASN1(&aiaDER, cryptobyte_asn1.SEQUENCE) {
   781  					return errors.New("x509: invalid authority info access")
   782  				}
   783  				var method asn1.ObjectIdentifier
   784  				if !aiaDER.ReadASN1ObjectIdentifier(&method) {
   785  					return errors.New("x509: invalid authority info access")
   786  				}
   787  				if !aiaDER.PeekASN1Tag(cryptobyte_asn1.Tag(6).ContextSpecific()) {
   788  					continue
   789  				}
   790  				if !aiaDER.ReadASN1(&aiaDER, cryptobyte_asn1.Tag(6).ContextSpecific()) {
   791  					return errors.New("x509: invalid authority info access")
   792  				}
   793  				switch {
   794  				case method.Equal(oidAuthorityInfoAccessOcsp):
   795  					out.OCSPServer = append(out.OCSPServer, string(aiaDER))
   796  				case method.Equal(oidAuthorityInfoAccessIssuers):
   797  					out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(aiaDER))
   798  				}
   799  			}
   800  		} else {
   801  			// Unknown extensions are recorded if critical.
   802  			unhandled = true
   803  		}
   804  
   805  		if e.Critical && unhandled {
   806  			out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id)
   807  		}
   808  	}
   809  
   810  	return nil
   811  }
   812  
   813  func parseCertificate(der []byte) (*Certificate, error) {
   814  	cert := &Certificate{}
   815  
   816  	input := cryptobyte.String(der)
   817  	// we read the SEQUENCE including length and tag bytes so that
   818  	// we can populate Certificate.Raw, before unwrapping the
   819  	// SEQUENCE so it can be operated on
   820  	if !input.ReadASN1Element(&input, cryptobyte_asn1.SEQUENCE) {
   821  		return nil, errors.New("x509: malformed certificate")
   822  	}
   823  	cert.Raw = input
   824  	if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) {
   825  		return nil, errors.New("x509: malformed certificate")
   826  	}
   827  
   828  	var tbs cryptobyte.String
   829  	// do the same trick again as above to extract the raw
   830  	// bytes for Certificate.RawTBSCertificate
   831  	if !input.ReadASN1Element(&tbs, cryptobyte_asn1.SEQUENCE) {
   832  		return nil, errors.New("x509: malformed tbs certificate")
   833  	}
   834  	cert.RawTBSCertificate = tbs
   835  	if !tbs.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) {
   836  		return nil, errors.New("x509: malformed tbs certificate")
   837  	}
   838  
   839  	if !tbs.ReadOptionalASN1Integer(&cert.Version, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific(), 0) {
   840  		return nil, errors.New("x509: malformed version")
   841  	}
   842  	if cert.Version < 0 {
   843  		return nil, errors.New("x509: malformed version")
   844  	}
   845  	// for backwards compat reasons Version is one-indexed,
   846  	// rather than zero-indexed as defined in 5280
   847  	cert.Version++
   848  	if cert.Version > 3 {
   849  		return nil, errors.New("x509: invalid version")
   850  	}
   851  
   852  	serial := new(big.Int)
   853  	if !tbs.ReadASN1Integer(serial) {
   854  		return nil, errors.New("x509: malformed serial number")
   855  	}
   856  	// we ignore the presence of negative serial numbers because
   857  	// of their prevalence, despite them being invalid
   858  	// TODO(rolandshoemaker): revist this decision, there are currently
   859  	// only 10 trusted certificates with negative serial numbers
   860  	// according to censys.io.
   861  	cert.SerialNumber = serial
   862  
   863  	var sigAISeq cryptobyte.String
   864  	if !tbs.ReadASN1(&sigAISeq, cryptobyte_asn1.SEQUENCE) {
   865  		return nil, errors.New("x509: malformed signature algorithm identifier")
   866  	}
   867  	// Before parsing the inner algorithm identifier, extract
   868  	// the outer algorithm identifier and make sure that they
   869  	// match.
   870  	var outerSigAISeq cryptobyte.String
   871  	if !input.ReadASN1(&outerSigAISeq, cryptobyte_asn1.SEQUENCE) {
   872  		return nil, errors.New("x509: malformed algorithm identifier")
   873  	}
   874  	if !bytes.Equal(outerSigAISeq, sigAISeq) {
   875  		return nil, errors.New("x509: inner and outer signature algorithm identifiers don't match")
   876  	}
   877  	sigAI, err := parseAI(sigAISeq)
   878  	if err != nil {
   879  		return nil, err
   880  	}
   881  	cert.SignatureAlgorithm = getSignatureAlgorithmFromAI(sigAI)
   882  
   883  	var issuerSeq cryptobyte.String
   884  	if !tbs.ReadASN1Element(&issuerSeq, cryptobyte_asn1.SEQUENCE) {
   885  		return nil, errors.New("x509: malformed issuer")
   886  	}
   887  	cert.RawIssuer = issuerSeq
   888  	issuerRDNs, err := parseName(issuerSeq)
   889  	if err != nil {
   890  		return nil, err
   891  	}
   892  	cert.Issuer.FillFromRDNSequence(issuerRDNs)
   893  
   894  	var validity cryptobyte.String
   895  	if !tbs.ReadASN1(&validity, cryptobyte_asn1.SEQUENCE) {
   896  		return nil, errors.New("x509: malformed validity")
   897  	}
   898  	cert.NotBefore, cert.NotAfter, err = parseValidity(validity)
   899  	if err != nil {
   900  		return nil, err
   901  	}
   902  
   903  	var subjectSeq cryptobyte.String
   904  	if !tbs.ReadASN1Element(&subjectSeq, cryptobyte_asn1.SEQUENCE) {
   905  		return nil, errors.New("x509: malformed issuer")
   906  	}
   907  	cert.RawSubject = subjectSeq
   908  	subjectRDNs, err := parseName(subjectSeq)
   909  	if err != nil {
   910  		return nil, err
   911  	}
   912  	cert.Subject.FillFromRDNSequence(subjectRDNs)
   913  
   914  	var spki cryptobyte.String
   915  	if !tbs.ReadASN1Element(&spki, cryptobyte_asn1.SEQUENCE) {
   916  		return nil, errors.New("x509: malformed spki")
   917  	}
   918  	cert.RawSubjectPublicKeyInfo = spki
   919  	if !spki.ReadASN1(&spki, cryptobyte_asn1.SEQUENCE) {
   920  		return nil, errors.New("x509: malformed spki")
   921  	}
   922  	var pkAISeq cryptobyte.String
   923  	if !spki.ReadASN1(&pkAISeq, cryptobyte_asn1.SEQUENCE) {
   924  		return nil, errors.New("x509: malformed public key algorithm identifier")
   925  	}
   926  	pkAI, err := parseAI(pkAISeq)
   927  	if err != nil {
   928  		return nil, err
   929  	}
   930  	cert.PublicKeyAlgorithm = getPublicKeyAlgorithmFromOID(pkAI.Algorithm)
   931  	var spk asn1.BitString
   932  	if !spki.ReadASN1BitString(&spk) {
   933  		return nil, errors.New("x509: malformed subjectPublicKey")
   934  	}
   935  	cert.PublicKey, err = parsePublicKey(cert.PublicKeyAlgorithm, &publicKeyInfo{
   936  		Algorithm: pkAI,
   937  		PublicKey: spk,
   938  	})
   939  	if err != nil {
   940  		return nil, err
   941  	}
   942  
   943  	if cert.Version > 1 {
   944  		if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(1).ContextSpecific()) {
   945  			return nil, errors.New("x509: malformed issuerUniqueID")
   946  		}
   947  		if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(2).ContextSpecific()) {
   948  			return nil, errors.New("x509: malformed subjectUniqueID")
   949  		}
   950  		if cert.Version == 3 {
   951  			var extensions cryptobyte.String
   952  			var present bool
   953  			if !tbs.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.Tag(3).Constructed().ContextSpecific()) {
   954  				return nil, errors.New("x509: malformed extensions")
   955  			}
   956  			if present {
   957  				if !extensions.ReadASN1(&extensions, cryptobyte_asn1.SEQUENCE) {
   958  					return nil, errors.New("x509: malformed extensions")
   959  				}
   960  				for !extensions.Empty() {
   961  					var extension cryptobyte.String
   962  					if !extensions.ReadASN1(&extension, cryptobyte_asn1.SEQUENCE) {
   963  						return nil, errors.New("x509: malformed extension")
   964  					}
   965  					ext, err := parseExtension(extension)
   966  					if err != nil {
   967  						return nil, err
   968  					}
   969  					cert.Extensions = append(cert.Extensions, ext)
   970  				}
   971  				err = processExtensions(cert)
   972  				if err != nil {
   973  					return nil, err
   974  				}
   975  			}
   976  		}
   977  	}
   978  
   979  	var signature asn1.BitString
   980  	if !input.ReadASN1BitString(&signature) {
   981  		return nil, errors.New("x509: malformed signature")
   982  	}
   983  	cert.Signature = signature.RightAlign()
   984  
   985  	return cert, nil
   986  }
   987  
   988  // ParseCertificate parses a single certificate from the given ASN.1 DER data.
   989  func ParseCertificate(der []byte) (*Certificate, error) {
   990  	cert, err := parseCertificate(der)
   991  	if err != nil {
   992  		return nil, err
   993  	}
   994  	if len(der) != len(cert.Raw) {
   995  		return nil, errors.New("x509: trailing data")
   996  	}
   997  	return cert, err
   998  }
   999  
  1000  // ParseCertificates parses one or more certificates from the given ASN.1 DER
  1001  // data. The certificates must be concatenated with no intermediate padding.
  1002  func ParseCertificates(der []byte) ([]*Certificate, error) {
  1003  	var certs []*Certificate
  1004  	for len(der) > 0 {
  1005  		cert, err := parseCertificate(der)
  1006  		if err != nil {
  1007  			return nil, err
  1008  		}
  1009  		certs = append(certs, cert)
  1010  		der = der[len(cert.Raw):]
  1011  	}
  1012  	return certs, nil
  1013  }
  1014
View as plain text