diff --git a/.travis.yml b/.travis.yml index 49923bb..039778d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,7 +16,8 @@ addons: sudo: false install: - - go generate -v ./... + - go get -d -v -t ./... + - go generate -v github.com/namecoin/x509-signature-splice/... - go get -v -t ./... - env GOOS=windows GOARCH=amd64 go get -d -v -t ./... script: diff --git a/certdehydrate/certdehydrate.go b/certdehydrate/certdehydrate.go index bcd6c75..deca4e0 100644 --- a/certdehydrate/certdehydrate.go +++ b/certdehydrate/certdehydrate.go @@ -12,7 +12,7 @@ import ( "time" ) -import "github.com/namecoin/ncdns/x509" +import "github.com/namecoin/x509-signature-splice/x509" // A DehydratedCertificate represents the (nearly) minimal set of data required // to deterministically construct a valid x509 certificate when combined with a diff --git a/certdehydrate/certdehydrate_test.go b/certdehydrate/certdehydrate_test.go index 5d6e05f..c70c918 100644 --- a/certdehydrate/certdehydrate_test.go +++ b/certdehydrate/certdehydrate_test.go @@ -6,7 +6,7 @@ import ( "testing" "github.com/namecoin/ncdns/certdehydrate" - "github.com/namecoin/ncdns/x509" + "github.com/namecoin/x509-signature-splice/x509" ) func TestDehydratedCertIdentityOperation(t *testing.T) { diff --git a/generate_nmc_cert/falsehost.go b/generate_nmc_cert/falsehost.go index d3e62ee..95b253b 100644 --- a/generate_nmc_cert/falsehost.go +++ b/generate_nmc_cert/falsehost.go @@ -35,7 +35,7 @@ import ( //"strings" "time" - "github.com/namecoin/ncdns/x509" + "github.com/namecoin/x509-signature-splice/x509" ) //var ( diff --git a/generate_nmc_cert/main.go b/generate_nmc_cert/main.go index e63185d..b4052a4 100644 --- a/generate_nmc_cert/main.go +++ b/generate_nmc_cert/main.go @@ -38,7 +38,7 @@ import ( "time" "github.com/namecoin/ncdns/certdehydrate" - "github.com/namecoin/ncdns/x509" + "github.com/namecoin/x509-signature-splice/x509" ) var ( diff --git a/ncdomain/convert.go b/ncdomain/convert.go index 1cd1cd4..d2f401d 100644 --- a/ncdomain/convert.go +++ b/ncdomain/convert.go @@ -10,8 +10,8 @@ import "github.com/namecoin/ncdns/util" import "strings" import "strconv" -import "github.com/namecoin/ncdns/x509" import "github.com/namecoin/ncdns/certdehydrate" +import "github.com/namecoin/x509-signature-splice/x509" const depthLimit = 16 const mergeDepthLimit = 4 diff --git a/x509/install.sh b/x509/install.sh deleted file mode 100755 index 9c1d9ad..0000000 --- a/x509/install.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -set -eu -o pipefail -shopt -s failglob - -cp -a $(go env GOROOT)/src/crypto/x509/* ./ -rm ./x509_test.go - -# Stdlib x509 relies on "internal" packages in Go, which aren't importable -# outside of stdlib. So we copy those packages and rename them. -OLD_INTERNAL_PATH=$(go env GOROOT)/src/internal/x/crypto/cryptobyte -NEW_INTERNAL_PATH=$(go env GOPATH)/src/github.com/namecoin/ncdns/x509/golang/x/crypto/cryptobyte -mkdir -p ${NEW_INTERNAL_PATH}/ -cp -R ${OLD_INTERNAL_PATH}/* ${NEW_INTERNAL_PATH}/ -OLD_PACKAGE='"internal/x/crypto/cryptobyte' -NEW_PACKAGE='"github.com/namecoin/ncdns/x509/golang/x/crypto/cryptobyte' -sed -i "s_${OLD_PACKAGE}_${NEW_PACKAGE}_g" ./*.go ${NEW_INTERNAL_PATH}/*.go diff --git a/x509/x509_splice.go b/x509/x509_splice.go deleted file mode 100644 index a0ae298..0000000 --- a/x509/x509_splice.go +++ /dev/null @@ -1,192 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Modifications Copyright 2015-2019 Jeremy Rand. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code is modified from the stock CreateCertificate to use a -// pre-existing signature. - -// Last rebased on Go 1.12 -// Remove all content between "import" and "CreateCertificate" in original. -// Remove all content after "CreateCertificate" in original. -//go:generate bash install.sh - -// Package x509 parses X.509-encoded keys and certificates. -// -// On UNIX systems the environment variables SSL_CERT_FILE and SSL_CERT_DIR -// can be used to override the system default locations for the SSL certificate -// file and SSL certificate files directory, respectively. -package x509 - -import ( - "bytes" - //"crypto" - //"crypto/dsa" - //"crypto/ecdsa" - //"crypto/elliptic" - //"crypto/rsa" - _ "crypto/sha1" - _ "crypto/sha256" - _ "crypto/sha512" - //"crypto/x509/pkix" - "encoding/asn1" - //"encoding/pem" - "errors" - //"fmt" - //"internal/x/crypto/cryptobyte" - //cryptobyte_asn1 "internal/x/crypto/cryptobyte/asn1" - //"io" - //"math/big" - //"net" - //"net/url" - //"strconv" - //"strings" - //"time" - //"unicode/utf8" -) - -// CreateCertificate creates a new X.509v3 certificate based on a template. -// The following members of template are used: -// -// - AuthorityKeyId -// - BasicConstraintsValid -// - CRLDistributionPoints -// - DNSNames -// - EmailAddresses -// - ExcludedDNSDomains -// - ExcludedEmailAddresses -// - ExcludedIPRanges -// - ExcludedURIDomains -// - ExtKeyUsage -// - ExtraExtensions -// - IsCA -// - IssuingCertificateURL -// - KeyUsage -// - MaxPathLen -// - MaxPathLenZero -// - NotAfter -// - NotBefore -// - OCSPServer -// - PermittedDNSDomains -// - PermittedDNSDomainsCritical -// - PermittedEmailAddresses -// - PermittedIPRanges -// - PermittedURIDomains -// - PolicyIdentifiers -// - SerialNumber -// - SignatureAlgorithm -// - Subject -// - SubjectKeyId -// - URIs -// - UnknownExtKeyUsage -// -// The certificate is signed by parent. If parent is equal to template then the -// certificate is self-signed. The parameter pub is the public key of the -// signee and priv is the private key of the signer. -// -// The returned slice is the certificate in DER encoding. -// -// All keys types that are implemented via crypto.Signer are supported (This -// includes *rsa.PublicKey and *ecdsa.PublicKey.) -// -// The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any, -// unless the resulting certificate is self-signed. Otherwise the value from -// template will be used. -//func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) { -func CreateCertificateWithSplicedSignature(template, parent *Certificate) (cert []byte, err error) { - //key, ok := priv.(crypto.Signer) - //if !ok { - // return nil, errors.New("x509: certificate private key does not implement crypto.Signer") - //} - - if template.SerialNumber == nil { - return nil, errors.New("x509: no SerialNumber given") - } - - //hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm) - //if err != nil { - // return nil, err - //} - - // This block added - _, signatureAlgorithm, err := signingParamsForPublicKey(parent.PublicKey, template.SignatureAlgorithm) - if err != nil { - return nil, err - } - - // This line added - pub := template.PublicKey - - publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub) - if err != nil { - return nil, err - } - - asn1Issuer, err := subjectBytes(parent) - if err != nil { - return - } - - asn1Subject, err := subjectBytes(template) - if err != nil { - return - } - - authorityKeyId := template.AuthorityKeyId - if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 { - authorityKeyId = parent.SubjectKeyId - } - - extensions, err := buildExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId) - if err != nil { - return - } - - encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes} - c := tbsCertificate{ - Version: 2, - SerialNumber: template.SerialNumber, - SignatureAlgorithm: signatureAlgorithm, - Issuer: asn1.RawValue{FullBytes: asn1Issuer}, - Validity: validity{template.NotBefore.UTC(), template.NotAfter.UTC()}, - Subject: asn1.RawValue{FullBytes: asn1Subject}, - PublicKey: publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey}, - Extensions: extensions, - } - - tbsCertContents, err := asn1.Marshal(c) - if err != nil { - return - } - - c.Raw = tbsCertContents - - //h := hashFunc.New() - //h.Write(tbsCertContents) - //digest := h.Sum(nil) - - //var signerOpts crypto.SignerOpts - //signerOpts = hashFunc - //if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() { - // signerOpts = &rsa.PSSOptions{ - // SaltLength: rsa.PSSSaltLengthEqualsHash, - // Hash: hashFunc, - // } - //} - - //var signature []byte - //signature, err = key.Sign(rand, digest, signerOpts) - //if err != nil { - // return - //} - - // This line added - signature := template.Signature - - return asn1.Marshal(certificate{ - nil, - c, - signatureAlgorithm, - asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, - }) -}