1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
package x509util
import (
"fmt"
"crypto/ed25519"
"crypto/x509"
"encoding/pem"
"io/ioutil"
)
// LoadCertificates loads a PEM-encoded list of certificates from file
func LoadCertificates(path string) ([]*x509.Certificate, error) {
pem, err := ioutil.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("failed reading certificate chain: %v", err)
}
return NewCertificateList(pem)
}
// LoadTrustAnchors loads a list of PEM-encoded certificates from file
func LoadTrustAnchors(path string) ([]*x509.Certificate, *x509.CertPool, error) {
pem, err := ioutil.ReadFile(path)
if err != nil {
return nil, nil, fmt.Errorf("failed reading trust anchors: %v", err)
}
anchorList, err := NewCertificateList(pem)
if err != nil || len(anchorList) == 0 {
return nil, nil, fmt.Errorf("failed parsing trust anchors: %v", err)
}
return anchorList, NewCertPool(anchorList), nil
}
// LoadEd25519SigningKey loads an Ed25519 private key from a given path
func LoadEd25519SigningKey(path string) (ed25519.PrivateKey, error) {
data, err := ioutil.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("failed reading private key: %v", err)
}
return NewEd25519PrivateKey(data)
}
// NewCertificateList parses a block of PEM-encoded certificates
func NewCertificateList(rest []byte) ([]*x509.Certificate, error) {
var certificates []*x509.Certificate
for len(rest) > 0 {
var block *pem.Block
block, rest = pem.Decode(rest)
if block == nil {
break // TODO: fix such that new line in input is OK?
}
if block.Type != "CERTIFICATE" {
return nil, fmt.Errorf("unexpected pem block type: %v", block.Type)
}
certificate, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, fmt.Errorf("failed parsing x509 certificate: %v", err)
}
certificates = append(certificates, certificate)
}
return certificates, nil
}
// NewCertPool returns a new cert pool from a list of certificates
func NewCertPool(certificates []*x509.Certificate) *x509.CertPool {
pool := x509.NewCertPool()
for _, certificate := range certificates {
pool.AddCert(certificate)
}
return pool
}
// NewEd25519PrivateKey creates a new ed25519 private-key from a PEM block
func NewEd25519PrivateKey(data []byte) (ed25519.PrivateKey, error) {
block, rest := pem.Decode(data)
if block == nil {
return nil, fmt.Errorf("pem block: is empty")
}
if block.Type != "PRIVATE KEY" {
return nil, fmt.Errorf("bad pem block type: %v", block.Type)
}
if len(rest) != 0 {
return nil, fmt.Errorf("pem block: trailing data")
}
key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
fmt.Errorf("x509 parser failed: %v", err)
}
switch t := key.(type) {
case ed25519.PrivateKey:
return key.(ed25519.PrivateKey), nil
default:
return nil, fmt.Errorf("unexpected signing key type: %v", t)
}
}
// ParseDerChain parses a list of DER-encoded X.509 certificates, such that the
// first (zero-index) string is interpretted as an end-entity certificate and
// the remaining ones as the an intermediate CertPool.
func ParseDerChain(chain [][]byte) (*x509.Certificate, *x509.CertPool, error) {
certificates, err := ParseDerList(chain)
if err != nil || len(certificates) == 0 {
return nil, nil, err
}
intermediatePool := x509.NewCertPool()
for _, certificate := range certificates[1:] {
intermediatePool.AddCert(certificate)
}
return certificates[0], intermediatePool, nil
}
// ParseDerList parses a list of DER-encoded certificates
func ParseDerList(certificates [][]byte) ([]*x509.Certificate, error) {
ret := make([]*x509.Certificate, 0, len(certificates))
for _, der := range certificates {
c, err := x509.ParseCertificate(der)
if err != nil {
return nil, fmt.Errorf("certificate decoding failed: %v", err)
}
ret = append(ret, c)
}
return ret, nil
}
// VerifyChain checks whether the listed certificates are chained such
// that the first is signed by the second, the second by the third, etc.
func VerifyChain(chain []*x509.Certificate) error {
for i := 0; i < len(chain)-1; i++ {
if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
return err
}
}
return nil
}
|