diff options
author | Adam Langley <agl@golang.org> | 2012-01-19 08:49:52 -0500 |
---|---|---|
committer | Adam Langley <agl@golang.org> | 2012-01-19 08:49:52 -0500 |
commit | a99e35b625cd5ec4b33c7c07377d6a65e142641d (patch) | |
tree | 1969c7f501bb2c0e0c8caddc1d4ca566a5cd306d | |
parent | 247799ce8a0867351b4570b2f62947ff10334ea8 (diff) | |
download | go-a99e35b625cd5ec4b33c7c07377d6a65e142641d.tar.gz go-a99e35b625cd5ec4b33c7c07377d6a65e142641d.zip |
crypto/x509: remove explicit uses of rsa.
(Sending to r because of the API change.)
Over time we might want to add support for other key types.
While I was in the code, I also made the use of RawSubject the same
between Subject and Issuer when creating certificates.
R=r, rsc
CC=golang-dev
https://golang.org/cl/5554049
-rw-r--r-- | doc/go1.tmpl | 22 | ||||
-rw-r--r-- | src/pkg/crypto/x509/x509.go | 51 |
2 files changed, 57 insertions, 16 deletions
diff --git a/doc/go1.tmpl b/doc/go1.tmpl index 185d9d42c1..ff58d16c34 100644 --- a/doc/go1.tmpl +++ b/doc/go1.tmpl @@ -592,7 +592,7 @@ the correct function or method for the old functionality, but may have the wrong type or require further analysis. </p> -<h3 id="hash">The crypto/elliptic package</h3> +<h3 id="crypto/elliptic">The crypto/elliptic package</h3> <p> In Go 1, <a href="/pkg/crypto/elliptic/#Curve"><code>elliptic.Curve</code></a> @@ -607,10 +607,28 @@ structure. Existing users of <code>*elliptic.Curve</code> will need to change to simply <code>elliptic.Curve</code>. Calls to <code>Marshal</code>, <code>Unmarshal</code> and <code>GenerateKey</code> are now functions -in <code>crypto.elliptic</code> that take an <code>elliptic.Curve</code> +in <code>crypto/elliptic</code> that take an <code>elliptic.Curve</code> as their first argument. </p> +<h3 id="crypto/x509">The crypto/x509 package</h3> + +<p> +In Go 1, the +<a href="/pkg/crypto/x509/#CreateCertificate"><code>CreateCertificate</code></a> +and +<a href="/pkg/crypto/x509/#CreateCRL"><code>CreateCRL</code></a> +functions in <code>crypto/x509</code> have been altered to take an +<code>interface{}</code> where they previously took a <code>*rsa.PublicKey</code> +or <code>*rsa.PrivateKey</code>. This will allow other public key algorithms +to be implemented in the future. +</p> + +<p> +<em>Updating</em>: +No changes will be needed. +</p> + <h3 id="hash">The hash package</h3> <p> diff --git a/src/pkg/crypto/x509/x509.go b/src/pkg/crypto/x509/x509.go index 28c7880e53..bf39c5dec0 100644 --- a/src/pkg/crypto/x509/x509.go +++ b/src/pkg/crypto/x509/x509.go @@ -899,6 +899,14 @@ var ( oidRSA = []int{1, 2, 840, 113549, 1, 1, 1} ) +func subjectBytes(cert *Certificate) ([]byte, error) { + if len(cert.RawSubject) > 0 { + return cert.RawSubject, nil + } + + return asn1.Marshal(cert.Subject.ToRDNSequence()) +} + // CreateCertificate creates a new certificate based on a template. The // following members of template are used: SerialNumber, Subject, NotBefore, // NotAfter, KeyUsage, BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId, @@ -909,10 +917,23 @@ var ( // signee and priv is the private key of the signer. // // The returned slice is the certificate in DER encoding. -func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (cert []byte, err error) { +// +// The only supported key type is RSA (*rsa.PublicKey for pub, *rsa.PrivateKey +// for priv). +func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interface{}, priv interface{}) (cert []byte, err error) { + rsaPub, ok := pub.(*rsa.PublicKey) + if !ok { + return nil, errors.New("x509: non-RSA public keys not supported") + } + + rsaPriv, ok := priv.(*rsa.PrivateKey) + if !ok { + return nil, errors.New("x509: non-RSA private keys not supported") + } + asn1PublicKey, err := asn1.Marshal(rsaPublicKey{ - N: pub.N, - E: pub.E, + N: rsaPub.N, + E: rsaPub.E, }) if err != nil { return @@ -927,16 +948,12 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P return } - var asn1Issuer []byte - if len(parent.RawSubject) > 0 { - asn1Issuer = parent.RawSubject - } else { - if asn1Issuer, err = asn1.Marshal(parent.Subject.ToRDNSequence()); err != nil { - return - } + asn1Issuer, err := subjectBytes(parent) + if err != nil { + return } - asn1Subject, err := asn1.Marshal(template.Subject.ToRDNSequence()) + asn1Subject, err := subjectBytes(template) if err != nil { return } @@ -964,7 +981,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P h.Write(tbsCertContents) digest := h.Sum(nil) - signature, err := rsa.SignPKCS1v15(rand, priv, crypto.SHA1, digest) + signature, err := rsa.SignPKCS1v15(rand, rsaPriv, crypto.SHA1, digest) if err != nil { return } @@ -1011,7 +1028,13 @@ func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error) { // CreateCRL returns a DER encoded CRL, signed by this Certificate, that // contains the given list of revoked certificates. -func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { +// +// The only supported key type is RSA (*rsa.PrivateKey for priv). +func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { + rsaPriv, ok := priv.(*rsa.PrivateKey) + if !ok { + return nil, errors.New("x509: non-RSA private keys not supported") + } tbsCertList := pkix.TBSCertificateList{ Version: 2, Signature: pkix.AlgorithmIdentifier{ @@ -1032,7 +1055,7 @@ func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCer h.Write(tbsCertListContents) digest := h.Sum(nil) - signature, err := rsa.SignPKCS1v15(rand, priv, crypto.SHA1, digest) + signature, err := rsa.SignPKCS1v15(rand, rsaPriv, crypto.SHA1, digest) if err != nil { return } |