Freshgomod (#106)
* initial go modules, fresh start to find breaking change * change dep to go mod vendor * main go modules done, tests passed locally * upgrade go in dockerfileserver
This commit is contained in:
Amrit K Kandola
committed by
GitHub Enterprise
GitHub Enterprise
parent
a2940a4ba8
commit
678a62f152
147
vendor/software.sslmate.com/src/go-pkcs12/pkcs12.go
generated
vendored
147
vendor/software.sslmate.com/src/go-pkcs12/pkcs12.go
generated
vendored
@@ -4,11 +4,14 @@
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// Package pkcs12 implements some of PKCS#12 (also known as P12 or PFX).
|
||||
// It is intended for decoding P12/PFX files for use with the crypto/tls
|
||||
// It is intended for decoding DER-encoded P12/PFX files for use with the crypto/tls
|
||||
// package, and for encoding P12/PFX files for use by legacy applications which
|
||||
// do not support newer formats. Since PKCS#12 uses weak encryption
|
||||
// primitives, it SHOULD NOT be used for new applications.
|
||||
//
|
||||
// Note that only DER-encoded PKCS#12 files are supported, even though PKCS#12
|
||||
// allows BER encoding. This is becuase encoding/asn1 only supports DER.
|
||||
//
|
||||
// This package is forked from golang.org/x/crypto/pkcs12, which is frozen.
|
||||
// The implementation is distilled from https://tools.ietf.org/html/rfc7292
|
||||
// and referenced documents.
|
||||
@@ -40,6 +43,8 @@ var (
|
||||
oidFriendlyName = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 9, 20})
|
||||
oidLocalKeyID = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 9, 21})
|
||||
oidMicrosoftCSPName = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 4, 1, 311, 17, 1})
|
||||
|
||||
oidJavaTrustStore = asn1.ObjectIdentifier([]int{2, 16, 840, 1, 113894, 746875, 1, 1})
|
||||
)
|
||||
|
||||
type pfxPdu struct {
|
||||
@@ -78,6 +83,15 @@ type safeBag struct {
|
||||
Attributes []pkcs12Attribute `asn1:"set,optional"`
|
||||
}
|
||||
|
||||
func (bag *safeBag) hasAttribute(id asn1.ObjectIdentifier) bool {
|
||||
for _, attr := range bag.Attributes {
|
||||
if attr.Id.Equal(id) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
type pkcs12Attribute struct {
|
||||
Id asn1.ObjectIdentifier
|
||||
Value asn1.RawValue `asn1:"set"`
|
||||
@@ -130,7 +144,7 @@ func ToPEM(pfxData []byte, password string) ([]*pem.Block, error) {
|
||||
return nil, ErrIncorrectPassword
|
||||
}
|
||||
|
||||
bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword)
|
||||
bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword, 2)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -229,7 +243,7 @@ func convertAttribute(attribute *pkcs12Attribute) (key, value string, err error)
|
||||
return key, value, nil
|
||||
}
|
||||
|
||||
// Decode extracts a certificate and private key from pfxData. This function
|
||||
// Decode extracts a certificate and private key from pfxData, which must be a DER-encoded PKCS#12 file. This function
|
||||
// assumes that there is only one certificate and only one private key in the
|
||||
// pfxData. Since PKCS#12 files often contain more than one certificate, you
|
||||
// probably want to use DecodeChain instead.
|
||||
@@ -243,7 +257,7 @@ func Decode(pfxData []byte, password string) (privateKey interface{}, certificat
|
||||
}
|
||||
|
||||
// DecodeChain extracts a certificate, a CA certificate chain, and private key
|
||||
// from pfxData. This function assumes that there is at least one certificate
|
||||
// from pfxData, which must be a DER-encoded PKCS#12 file. This function assumes that there is at least one certificate
|
||||
// and only one private key in the pfxData. The first certificate is assumed to
|
||||
// be the leaf certificate, and subsequent certificates, if any, are assumed to
|
||||
// comprise the CA certificate chain.
|
||||
@@ -253,7 +267,7 @@ func DecodeChain(pfxData []byte, password string) (privateKey interface{}, certi
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword)
|
||||
bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword, 2)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
@@ -301,7 +315,51 @@ func DecodeChain(pfxData []byte, password string) (privateKey interface{}, certi
|
||||
return
|
||||
}
|
||||
|
||||
func getSafeContents(p12Data, password []byte) (bags []safeBag, updatedPassword []byte, err error) {
|
||||
// DecodeTrustStore extracts the certificates from pfxData, which must be a DER-encoded
|
||||
// PKCS#12 file containing exclusively certificates with attribute 2.16.840.1.113894.746875.1.1,
|
||||
// which is used by Java to designate a trust anchor.
|
||||
func DecodeTrustStore(pfxData []byte, password string) (certs []*x509.Certificate, err error) {
|
||||
encodedPassword, err := bmpString(password)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword, 1)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for _, bag := range bags {
|
||||
switch {
|
||||
case bag.Id.Equal(oidCertBag):
|
||||
if !bag.hasAttribute(oidJavaTrustStore) {
|
||||
return nil, errors.New("pkcs12: trust store contains a certificate that is not marked as trusted")
|
||||
}
|
||||
certsData, err := decodeCertBag(bag.Value.Bytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
parsedCerts, err := x509.ParseCertificates(certsData)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if len(parsedCerts) != 1 {
|
||||
err = errors.New("pkcs12: expected exactly one certificate in the certBag")
|
||||
return nil, err
|
||||
}
|
||||
|
||||
certs = append(certs, parsedCerts[0])
|
||||
|
||||
default:
|
||||
return nil, errors.New("pkcs12: expected only certificate bags")
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func getSafeContents(p12Data, password []byte, expectedItems int) (bags []safeBag, updatedPassword []byte, err error) {
|
||||
pfx := new(pfxPdu)
|
||||
if err := unmarshal(p12Data, pfx); err != nil {
|
||||
return nil, nil, errors.New("pkcs12: error reading P12 data: " + err.Error())
|
||||
@@ -342,7 +400,7 @@ func getSafeContents(p12Data, password []byte) (bags []safeBag, updatedPassword
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
if len(authenticatedSafe) != 2 {
|
||||
if len(authenticatedSafe) != expectedItems {
|
||||
return nil, nil, NotImplementedError("expected exactly two items in the authenticated safe")
|
||||
}
|
||||
|
||||
@@ -481,6 +539,81 @@ func Encode(rand io.Reader, privateKey interface{}, certificate *x509.Certificat
|
||||
return
|
||||
}
|
||||
|
||||
// EncodeTrustStore produces pfxData containing any number of CA certificates
|
||||
// (certs) to be trusted. The certificates will be marked with a special OID that
|
||||
// allow it to be used as a Java TrustStore in Java 1.8 and newer.
|
||||
//
|
||||
// Due to the weak encryption primitives used by PKCS#12, it is RECOMMENDED that
|
||||
// you specify a hard-coded password (such as pkcs12.DefaultPassword) and protect
|
||||
// the resulting pfxData using other means.
|
||||
//
|
||||
// The rand argument is used to provide entropy for the encryption, and
|
||||
// can be set to rand.Reader from the crypto/rand package.
|
||||
//
|
||||
// EncodeTrustStore creates a single SafeContents that's encrypted with RC2
|
||||
// and contains the certificates.
|
||||
func EncodeTrustStore(rand io.Reader, certs []*x509.Certificate, password string) (pfxData []byte, err error) {
|
||||
encodedPassword, err := bmpString(password)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var pfx pfxPdu
|
||||
pfx.Version = 3
|
||||
|
||||
// Setting this attribute will make the certificates trusted in Java >= 1.8
|
||||
var javaTrustStoreAttr pkcs12Attribute
|
||||
javaTrustStoreAttr.Id = oidJavaTrustStore
|
||||
javaTrustStoreAttr.Value.Class = 0
|
||||
javaTrustStoreAttr.Value.Tag = 17
|
||||
javaTrustStoreAttr.Value.IsCompound = true
|
||||
|
||||
var certBags []safeBag
|
||||
for _, cert := range certs {
|
||||
certBag, err := makeCertBag(cert.Raw, []pkcs12Attribute{javaTrustStoreAttr})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
certBags = append(certBags, *certBag)
|
||||
}
|
||||
|
||||
// Construct an authenticated safe with one SafeContent.
|
||||
// The SafeContents is encrypted and contains the cert bags.
|
||||
var authenticatedSafe [1]contentInfo
|
||||
if authenticatedSafe[0], err = makeSafeContents(rand, certBags, encodedPassword); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var authenticatedSafeBytes []byte
|
||||
if authenticatedSafeBytes, err = asn1.Marshal(authenticatedSafe[:]); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// compute the MAC
|
||||
pfx.MacData.Mac.Algorithm.Algorithm = oidSHA1
|
||||
pfx.MacData.MacSalt = make([]byte, 8)
|
||||
if _, err = rand.Read(pfx.MacData.MacSalt); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
pfx.MacData.Iterations = 1
|
||||
if err = computeMac(&pfx.MacData, authenticatedSafeBytes, encodedPassword); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
pfx.AuthSafe.ContentType = oidDataContentType
|
||||
pfx.AuthSafe.Content.Class = 2
|
||||
pfx.AuthSafe.Content.Tag = 0
|
||||
pfx.AuthSafe.Content.IsCompound = true
|
||||
if pfx.AuthSafe.Content.Bytes, err = asn1.Marshal(authenticatedSafeBytes); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if pfxData, err = asn1.Marshal(pfx); err != nil {
|
||||
return nil, errors.New("pkcs12: error writing P12 data: " + err.Error())
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func makeCertBag(certBytes []byte, attributes []pkcs12Attribute) (certBag *safeBag, err error) {
|
||||
certBag = new(safeBag)
|
||||
certBag.Id = oidCertBag
|
||||
|
||||
Reference in New Issue
Block a user