From eef31fbdc41b61a80da860e45c4cc5f3c621602b Mon Sep 17 00:00:00 2001 From: Jeremy Rand Date: Sun, 22 Nov 2020 14:05:33 +0000 Subject: [PATCH] Use splicesign and standard x509 Thanks to Filippo Valsorda for the tip. --- .travis.yml | 8 -------- README.md | 28 ++++------------------------ certdehydrate/certdehydrate.go | 14 +++++++++++--- certdehydrate/certdehydrate_test.go | 2 +- generate_nmc_cert/falsehost.go | 4 +--- generate_nmc_cert/main.go | 3 +-- generate_nmc_cert/parent.go | 4 +--- ncdomain/convert_tls.go | 2 +- 8 files changed, 20 insertions(+), 45 deletions(-) diff --git a/.travis.yml b/.travis.yml index b2d00bb..92a41aa 100644 --- a/.travis.yml +++ b/.travis.yml @@ -27,13 +27,6 @@ install: - if [[ "${NO_NAMECOIN_TLS}" = 1 ]]; then TAGS="no_namecoin_tls"; fi - if [[ "${NO_NAMECOIN_TLS}" = 0 ]]; then TAGS=""; fi - go get -tags "$TAGS" -d -v -t ./... - - X509_BRANCH=master - - if [[ "$(go version)" =~ go1.[5678] ]]; then X509_BRANCH=go1.6; fi - - if [[ "$(go version)" =~ go1.9 ]]; then X509_BRANCH=go1.9; fi - - if [[ "$(go version)" =~ go1.10 ]]; then X509_BRANCH=go1.10; fi - - if [[ "$(go version)" =~ go1.11 ]]; then X509_BRANCH=go1.11; fi - - if [[ "$(go version)" =~ go1.12 ]]; then X509_BRANCH=go1.12; fi - - pushd $(go env GOPATH)/src/github.com/namecoin/x509-signature-splice; git checkout $X509_BRANCH; popd - GOXSYS_BRANCH=master # goxsys bug for Go 1.11 and earlier: https://github.com/golang/go/issues/34742 - if [[ "$(go version)" =~ go1.[56789] ]]; then GOXSYS_BRANCH=release-branch.go1.13; fi @@ -44,7 +37,6 @@ install: - if [[ "$(go version)" =~ go1.[56789] ]]; then GOXNET_BRANCH=release-branch.go1.12; fi - if [[ "$(go version)" =~ go1.1[01] ]]; then GOXNET_BRANCH=release-branch.go1.12; fi - pushd $(go env GOPATH)/src/golang.org/x/net; git checkout $GOXNET_BRANCH; popd - - go generate -v github.com/namecoin/x509-signature-splice/... - go get -tags "$TAGS" -v -t ./... - env GOOS=windows GOARCH=amd64 go get -tags "$TAGS" -d -v -t ./... script: 
diff --git a/README.md b/README.md index 0041117..35161a9 100644 --- a/README.md +++ b/README.md @@ -90,35 +90,15 @@ Prerequisites: installed. (Most distributions will have a package called `libcap-dev` or similar.) -Option A: Using Go build commands (works on any platform with Bash): +Option A: Using Go build commands (works on any platform): 1. Ensure you have the GOPATH environment variable set. (For those not familar with Go, setting it to the path to an empty directory will suffice. The directory will be filled with build files.) -2. Run `go get -d -t -u github.com/namecoin/ncdns/...`. The ncdns source code will be - retrieved automatically. - -3. Run `pushd $(go env GOPATH)/src/github.com/namecoin/x509-signature-splice`. - -4. Depending on your Go version (run `go version` to check), run one of the following: - - | **Go version** | **Run this** | - -------------------|-----------------------| - | 1.8.x or earlier | `git checkout go1.6` | - | 1.9.x | `git checkout go1.9` | - | 1.10.x | `git checkout go1.10` | - | 1.11.x | `git checkout go1.11` | - | 1.12.x | `git checkout go1.12` | - | 1.13.x or later | `git checkout master` | - - -5. Run `popd`. - -6. Run `go generate github.com/namecoin/x509-signature-splice/...`. Some source code will be generated. - -7. Run `go get -t github.com/namecoin/ncdns/...`. ncdns will be built. The binaries will be at - $GOPATH/bin/ncdns. +2. Run `go get -t -u github.com/namecoin/ncdns/...`. The ncdns source code will be + retrieved automatically, and ncdns will be built. The binaries will be at + $GOPATH/bin/ncdns.. Option B: Using Makefile (non-Windows platforms): diff --git a/certdehydrate/certdehydrate.go b/certdehydrate/certdehydrate.go index deca4e0..a953723 100644 --- a/certdehydrate/certdehydrate.go +++ b/certdehydrate/certdehydrate.go @@ -2,7 +2,9 @@ package certdehydrate import ( "bytes" + "crypto/rand" "crypto/sha256" + "crypto/x509" "crypto/x509/pkix" "encoding/base64" "encoding/binary" 
@@ -10,9 +12,9 @@ import (
 "fmt"
 "math/big"
 "time"
-)
 
-import "github.com/namecoin/x509-signature-splice/x509"
+ "github.com/namecoin/splicesign"
+)
 
 // A DehydratedCertificate represents the (nearly) minimal set of data required
 // to deterministically construct a valid x509 certificate when combined with a
@@ -252,7 +254,13 @@ func FillRehydratedCertTemplate(template x509.Certificate, name string) ([]byte,
 }
 template.SerialNumber.SetBytes(serialNumberBytes)
- derBytes, err := x509.CreateCertificateWithSplicedSignature(&template, &template)
+ pub := template.PublicKey
+ priv := &splicesign.SpliceSigner{
+ PublicKey: pub,
+ Signature: template.Signature,
+ }
+
+ derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
 if err != nil {
 return nil, fmt.Errorf("Error splicing signature: %s", err)
 }
diff --git a/certdehydrate/certdehydrate_test.go b/certdehydrate/certdehydrate_test.go
index c70c918..a528bf3 100644
--- a/certdehydrate/certdehydrate_test.go
+++ b/certdehydrate/certdehydrate_test.go
@@ -1,12 +1,12 @@
 package certdehydrate_test
 import (
+ "crypto/x509"
 "encoding/json"
 "reflect"
 "testing"
 "github.com/namecoin/ncdns/certdehydrate"
- "github.com/namecoin/x509-signature-splice/x509"
 )
 func TestDehydratedCertIdentityOperation(t *testing.T) {
diff --git a/generate_nmc_cert/falsehost.go b/generate_nmc_cert/falsehost.go
index f4d0f16..48ed716 100644
--- a/generate_nmc_cert/falsehost.go
+++ b/generate_nmc_cert/falsehost.go
@@ -23,7 +23,7 @@ import (
 "crypto/elliptic"
 "crypto/rand"
 //"crypto/rsa"
- //"crypto/x509"
+ "crypto/x509"
 "crypto/x509/pkix"
 "encoding/pem"
 //"flag"
@@ -34,8 +34,6 @@ import (
 "os"
 //"strings"
 "time"
-
- "github.com/namecoin/x509-signature-splice/x509"
 )
 //var (
diff --git a/generate_nmc_cert/main.go b/generate_nmc_cert/main.go
index 4b35f46..c547552 100644
--- a/generate_nmc_cert/main.go
+++ b/generate_nmc_cert/main.go
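Review bot: The new `x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)` call builds `priv` from `template.Signature` without checking that a signature is actually present, and nothing visible in this hunk rejects an empty or truncated splice; FillRehydratedCertTemplate begins before the hunk, so an earlier check may exist, but none is shown here. Recent Go releases verify the signature returned by a crypto.Signer against its public key inside CreateCertificate and would surface a bad splice as an error, whereas the older toolchains the CI matrix still builds with would hand back an unverifiable DER that only fails later in a TLS client. A cheap guard before constructing `priv` makes the failure explicit on every toolchain: `if len(template.Signature) == 0 {` / `return nil, fmt.Errorf("Error splicing signature: template carries no signature")` / `}`. It is also worth confirming that the rehydrated `template.SignatureAlgorithm` matches the algorithm of the original signature, because the standard library derives the signed TBS bytes from the template and substitutes a key-type default when that field is zero, and any divergence from the original encoding makes the spliced signature invalid.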
@@ -24,7 +24,7 @@ import (
 "crypto/elliptic"
 "crypto/rand"
 "crypto/rsa"
- //"crypto/x509"
+ "crypto/x509"
 "crypto/x509/pkix"
 "encoding/base64"
 "encoding/pem"
@@ -38,7 +38,6 @@ import (
 "time"
 "github.com/namecoin/ncdns/certdehydrate"
- "github.com/namecoin/x509-signature-splice/x509"
 )
 var (
diff --git a/generate_nmc_cert/parent.go b/generate_nmc_cert/parent.go
index 5f65e04..e378ed2 100644
--- a/generate_nmc_cert/parent.go
+++ b/generate_nmc_cert/parent.go
@@ -23,7 +23,7 @@ import (
 "crypto/elliptic"
 "crypto/rand"
 //"crypto/rsa"
- //"crypto/x509"
+ "crypto/x509"
 "crypto/x509/pkix"
 "encoding/base64"
 "encoding/pem"
@@ -36,8 +36,6 @@ import (
 "os"
 //"strings"
 "time"
-
- "github.com/namecoin/x509-signature-splice/x509"
 )
 //var (
diff --git a/ncdomain/convert_tls.go b/ncdomain/convert_tls.go
index daf5506..3cd9fb9 100644
--- a/ncdomain/convert_tls.go
+++ b/ncdomain/convert_tls.go
@@ -3,6 +3,7 @@ package ncdomain
 import (
+ "crypto/x509"
 "encoding/base64"
 "encoding/hex"
 "fmt"
@@ -12,7 +13,6 @@ import (
 "github.com/namecoin/ncdns/certdehydrate"
 "github.com/namecoin/ncdns/util"
- "github.com/namecoin/x509-signature-splice/x509"
 )
 type Value struct {