...

Source file src/crypto/x509/parser.go

Documentation: crypto/x509

     1  // Copyright 2021 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package x509
     6  
     7  import (
     8  	"bytes"
     9  	"crypto/dsa"
    10  	"crypto/ecdh"
    11  	"crypto/ecdsa"
    12  	"crypto/ed25519"
    13  	"crypto/elliptic"
    14  	"crypto/rsa"
    15  	"crypto/x509/pkix"
    16  	"encoding/asn1"
    17  	"errors"
    18  	"fmt"
    19  	"math/big"
    20  	"net"
    21  	"net/url"
    22  	"strconv"
    23  	"strings"
    24  	"time"
    25  	"unicode/utf16"
    26  	"unicode/utf8"
    27  
    28  	"golang.org/x/crypto/cryptobyte"
    29  	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
    30  )
    31  
    32  // isPrintable reports whether the given b is in the ASN.1 PrintableString set.
    33  // This is a simplified version of encoding/asn1.isPrintable.
    34  func isPrintable(b byte) bool {
    35  	return 'a' <= b && b <= 'z' ||
    36  		'A' <= b && b <= 'Z' ||
    37  		'0' <= b && b <= '9' ||
    38  		'\'' <= b && b <= ')' ||
    39  		'+' <= b && b <= '/' ||
    40  		b == ' ' ||
    41  		b == ':' ||
    42  		b == '=' ||
    43  		b == '?' ||
    44  		// This is technically not allowed in a PrintableString.
    45  		// However, x509 certificates with wildcard strings don't
    46  		// always use the correct string type so we permit it.
    47  		b == '*' ||
    48  		// This is not technically allowed either. However, not
    49  		// only is it relatively common, but there are also a
    50  		// handful of CA certificates that contain it. At least
    51  		// one of which will not expire until 2027.
    52  		b == '&'
    53  }
    54  
    55  // parseASN1String parses the ASN.1 string types T61String, PrintableString,
    56  // UTF8String, BMPString, IA5String, and NumericString. This is mostly copied
    57  // from the respective encoding/asn1.parse... methods, rather than just
    58  // increasing the API surface of that package.
    59  func parseASN1String(tag cryptobyte_asn1.Tag, value []byte) (string, error) {
    60  	switch tag {
    61  	case cryptobyte_asn1.T61String:
    62  		return string(value), nil
    63  	case cryptobyte_asn1.PrintableString:
    64  		for _, b := range value {
    65  			if !isPrintable(b) {
    66  				return "", errors.New("invalid PrintableString")
    67  			}
    68  		}
    69  		return string(value), nil
    70  	case cryptobyte_asn1.UTF8String:
    71  		if !utf8.Valid(value) {
    72  			return "", errors.New("invalid UTF-8 string")
    73  		}
    74  		return string(value), nil
    75  	case cryptobyte_asn1.Tag(asn1.TagBMPString):
    76  		if len(value)%2 != 0 {
    77  			return "", errors.New("invalid BMPString")
    78  		}
    79  
    80  		// Strip terminator if present.
    81  		if l := len(value); l >= 2 && value[l-1] == 0 && value[l-2] == 0 {
    82  			value = value[:l-2]
    83  		}
    84  
    85  		s := make([]uint16, 0, len(value)/2)
    86  		for len(value) > 0 {
    87  			s = append(s, uint16(value[0])<<8+uint16(value[1]))
    88  			value = value[2:]
    89  		}
    90  
    91  		return string(utf16.Decode(s)), nil
    92  	case cryptobyte_asn1.IA5String:
    93  		s := string(value)
    94  		if isIA5String(s) != nil {
    95  			return "", errors.New("invalid IA5String")
    96  		}
    97  		return s, nil
    98  	case cryptobyte_asn1.Tag(asn1.TagNumericString):
    99  		for _, b := range value {
   100  			if !('0' <= b && b <= '9' || b == ' ') {
   101  				return "", errors.New("invalid NumericString")
   102  			}
   103  		}
   104  		return string(value), nil
   105  	}
   106  	return "", fmt.Errorf("unsupported string type: %v", tag)
   107  }
   108  
   109  // parseName parses a DER encoded Name as defined in RFC 5280. We may
   110  // want to export this function in the future for use in crypto/tls.
   111  func parseName(raw cryptobyte.String) (*pkix.RDNSequence, error) {
   112  	if !raw.ReadASN1(&raw, cryptobyte_asn1.SEQUENCE) {
   113  		return nil, errors.New("x509: invalid RDNSequence")
   114  	}
   115  
   116  	var rdnSeq pkix.RDNSequence
   117  	for !raw.Empty() {
   118  		var rdnSet pkix.RelativeDistinguishedNameSET
   119  		var set cryptobyte.String
   120  		if !raw.ReadASN1(&set, cryptobyte_asn1.SET) {
   121  			return nil, errors.New("x509: invalid RDNSequence")
   122  		}
   123  		for !set.Empty() {
   124  			var atav cryptobyte.String
   125  			if !set.ReadASN1(&atav, cryptobyte_asn1.SEQUENCE) {
   126  				return nil, errors.New("x509: invalid RDNSequence: invalid attribute")
   127  			}
   128  			var attr pkix.AttributeTypeAndValue
   129  			if !atav.ReadASN1ObjectIdentifier(&attr.Type) {
   130  				return nil, errors.New("x509: invalid RDNSequence: invalid attribute type")
   131  			}
   132  			var rawValue cryptobyte.String
   133  			var valueTag cryptobyte_asn1.Tag
   134  			if !atav.ReadAnyASN1(&rawValue, &valueTag) {
   135  				return nil, errors.New("x509: invalid RDNSequence: invalid attribute value")
   136  			}
   137  			var err error
   138  			attr.Value, err = parseASN1String(valueTag, rawValue)
   139  			if err != nil {
   140  				return nil, fmt.Errorf("x509: invalid RDNSequence: invalid attribute value: %s", err)
   141  			}
   142  			rdnSet = append(rdnSet, attr)
   143  		}
   144  
   145  		rdnSeq = append(rdnSeq, rdnSet)
   146  	}
   147  
   148  	return &rdnSeq, nil
   149  }
   150  
   151  func parseAI(der cryptobyte.String) (pkix.AlgorithmIdentifier, error) {
   152  	ai := pkix.AlgorithmIdentifier{}
   153  	if !der.ReadASN1ObjectIdentifier(&ai.Algorithm) {
   154  		return ai, errors.New("x509: malformed OID")
   155  	}
   156  	if der.Empty() {
   157  		return ai, nil
   158  	}
   159  	var params cryptobyte.String
   160  	var tag cryptobyte_asn1.Tag
   161  	if !der.ReadAnyASN1Element(&params, &tag) {
   162  		return ai, errors.New("x509: malformed parameters")
   163  	}
   164  	ai.Parameters.Tag = int(tag)
   165  	ai.Parameters.FullBytes = params
   166  	return ai, nil
   167  }
   168  
   169  func parseTime(der *cryptobyte.String) (time.Time, error) {
   170  	var t time.Time
   171  	switch {
   172  	case der.PeekASN1Tag(cryptobyte_asn1.UTCTime):
   173  		if !der.ReadASN1UTCTime(&t) {
   174  			return t, errors.New("x509: malformed UTCTime")
   175  		}
   176  	case der.PeekASN1Tag(cryptobyte_asn1.GeneralizedTime):
   177  		if !der.ReadASN1GeneralizedTime(&t) {
   178  			return t, errors.New("x509: malformed GeneralizedTime")
   179  		}
   180  	default:
   181  		return t, errors.New("x509: unsupported time format")
   182  	}
   183  	return t, nil
   184  }
   185  
   186  func parseValidity(der cryptobyte.String) (time.Time, time.Time, error) {
   187  	notBefore, err := parseTime(&der)
   188  	if err != nil {
   189  		return time.Time{}, time.Time{}, err
   190  	}
   191  	notAfter, err := parseTime(&der)
   192  	if err != nil {
   193  		return time.Time{}, time.Time{}, err
   194  	}
   195  
   196  	return notBefore, notAfter, nil
   197  }
   198  
   199  func parseExtension(der cryptobyte.String) (pkix.Extension, error) {
   200  	var ext pkix.Extension
   201  	if !der.ReadASN1ObjectIdentifier(&ext.Id) {
   202  		return ext, errors.New("x509: malformed extension OID field")
   203  	}
   204  	if der.PeekASN1Tag(cryptobyte_asn1.BOOLEAN) {
   205  		if !der.ReadASN1Boolean(&ext.Critical) {
   206  			return ext, errors.New("x509: malformed extension critical field")
   207  		}
   208  	}
   209  	var val cryptobyte.String
   210  	if !der.ReadASN1(&val, cryptobyte_asn1.OCTET_STRING) {
   211  		return ext, errors.New("x509: malformed extension value field")
   212  	}
   213  	ext.Value = val
   214  	return ext, nil
   215  }
   216  
   217  func parsePublicKey(keyData *publicKeyInfo) (any, error) {
   218  	oid := keyData.Algorithm.Algorithm
   219  	params := keyData.Algorithm.Parameters
   220  	der := cryptobyte.String(keyData.PublicKey.RightAlign())
   221  	switch {
   222  	case oid.Equal(oidPublicKeyRSA):
   223  		// RSA public keys must have a NULL in the parameters.
   224  		// See RFC 3279, Section 2.3.1.
   225  		if !bytes.Equal(params.FullBytes, asn1.NullBytes) {
   226  			return nil, errors.New("x509: RSA key missing NULL parameters")
   227  		}
   228  
   229  		p := &pkcs1PublicKey{N: new(big.Int)}
   230  		if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   231  			return nil, errors.New("x509: invalid RSA public key")
   232  		}
   233  		if !der.ReadASN1Integer(p.N) {
   234  			return nil, errors.New("x509: invalid RSA modulus")
   235  		}
   236  		if !der.ReadASN1Integer(&p.E) {
   237  			return nil, errors.New("x509: invalid RSA public exponent")
   238  		}
   239  
   240  		if p.N.Sign() <= 0 {
   241  			return nil, errors.New("x509: RSA modulus is not a positive number")
   242  		}
   243  		if p.E <= 0 {
   244  			return nil, errors.New("x509: RSA public exponent is not a positive number")
   245  		}
   246  
   247  		pub := &rsa.PublicKey{
   248  			E: p.E,
   249  			N: p.N,
   250  		}
   251  		return pub, nil
   252  	case oid.Equal(oidPublicKeyECDSA):
   253  		paramsDer := cryptobyte.String(params.FullBytes)
   254  		namedCurveOID := new(asn1.ObjectIdentifier)
   255  		if !paramsDer.ReadASN1ObjectIdentifier(namedCurveOID) {
   256  			return nil, errors.New("x509: invalid ECDSA parameters")
   257  		}
   258  		namedCurve := namedCurveFromOID(*namedCurveOID)
   259  		if namedCurve == nil {
   260  			return nil, errors.New("x509: unsupported elliptic curve")
   261  		}
   262  		x, y := elliptic.Unmarshal(namedCurve, der)
   263  		if x == nil {
   264  			return nil, errors.New("x509: failed to unmarshal elliptic curve point")
   265  		}
   266  		pub := &ecdsa.PublicKey{
   267  			Curve: namedCurve,
   268  			X:     x,
   269  			Y:     y,
   270  		}
   271  		return pub, nil
   272  	case oid.Equal(oidPublicKeyEd25519):
   273  		// RFC 8410, Section 3
   274  		// > For all of the OIDs, the parameters MUST be absent.
   275  		if len(params.FullBytes) != 0 {
   276  			return nil, errors.New("x509: Ed25519 key encoded with illegal parameters")
   277  		}
   278  		if len(der) != ed25519.PublicKeySize {
   279  			return nil, errors.New("x509: wrong Ed25519 public key size")
   280  		}
   281  		return ed25519.PublicKey(der), nil
   282  	case oid.Equal(oidPublicKeyX25519):
   283  		// RFC 8410, Section 3
   284  		// > For all of the OIDs, the parameters MUST be absent.
   285  		if len(params.FullBytes) != 0 {
   286  			return nil, errors.New("x509: X25519 key encoded with illegal parameters")
   287  		}
   288  		return ecdh.X25519().NewPublicKey(der)
   289  	case oid.Equal(oidPublicKeyDSA):
   290  		y := new(big.Int)
   291  		if !der.ReadASN1Integer(y) {
   292  			return nil, errors.New("x509: invalid DSA public key")
   293  		}
   294  		pub := &dsa.PublicKey{
   295  			Y: y,
   296  			Parameters: dsa.Parameters{
   297  				P: new(big.Int),
   298  				Q: new(big.Int),
   299  				G: new(big.Int),
   300  			},
   301  		}
   302  		paramsDer := cryptobyte.String(params.FullBytes)
   303  		if !paramsDer.ReadASN1(&paramsDer, cryptobyte_asn1.SEQUENCE) ||
   304  			!paramsDer.ReadASN1Integer(pub.Parameters.P) ||
   305  			!paramsDer.ReadASN1Integer(pub.Parameters.Q) ||
   306  			!paramsDer.ReadASN1Integer(pub.Parameters.G) {
   307  			return nil, errors.New("x509: invalid DSA parameters")
   308  		}
   309  		if pub.Y.Sign() <= 0 || pub.Parameters.P.Sign() <= 0 ||
   310  			pub.Parameters.Q.Sign() <= 0 || pub.Parameters.G.Sign() <= 0 {
   311  			return nil, errors.New("x509: zero or negative DSA parameter")
   312  		}
   313  		return pub, nil
   314  	default:
   315  		return nil, errors.New("x509: unknown public key algorithm")
   316  	}
   317  }
   318  
   319  func parseKeyUsageExtension(der cryptobyte.String) (KeyUsage, error) {
   320  	var usageBits asn1.BitString
   321  	if !der.ReadASN1BitString(&usageBits) {
   322  		return 0, errors.New("x509: invalid key usage")
   323  	}
   324  
   325  	var usage int
   326  	for i := 0; i < 9; i++ {
   327  		if usageBits.At(i) != 0 {
   328  			usage |= 1 << uint(i)
   329  		}
   330  	}
   331  	return KeyUsage(usage), nil
   332  }
   333  
   334  func parseBasicConstraintsExtension(der cryptobyte.String) (bool, int, error) {
   335  	var isCA bool
   336  	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   337  		return false, 0, errors.New("x509: invalid basic constraints")
   338  	}
   339  	if der.PeekASN1Tag(cryptobyte_asn1.BOOLEAN) {
   340  		if !der.ReadASN1Boolean(&isCA) {
   341  			return false, 0, errors.New("x509: invalid basic constraints")
   342  		}
   343  	}
   344  	maxPathLen := -1
   345  	if der.PeekASN1Tag(cryptobyte_asn1.INTEGER) {
   346  		if !der.ReadASN1Integer(&maxPathLen) {
   347  			return false, 0, errors.New("x509: invalid basic constraints")
   348  		}
   349  	}
   350  
   351  	// TODO: map out.MaxPathLen to 0 if it has the -1 default value? (Issue 19285)
   352  	return isCA, maxPathLen, nil
   353  }
   354  
   355  func forEachSAN(der cryptobyte.String, callback func(tag int, data []byte) error) error {
   356  	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   357  		return errors.New("x509: invalid subject alternative names")
   358  	}
   359  	for !der.Empty() {
   360  		var san cryptobyte.String
   361  		var tag cryptobyte_asn1.Tag
   362  		if !der.ReadAnyASN1(&san, &tag) {
   363  			return errors.New("x509: invalid subject alternative name")
   364  		}
   365  		if err := callback(int(tag^0x80), san); err != nil {
   366  			return err
   367  		}
   368  	}
   369  
   370  	return nil
   371  }
   372  
   373  func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error) {
   374  	err = forEachSAN(der, func(tag int, data []byte) error {
   375  		switch tag {
   376  		case nameTypeEmail:
   377  			email := string(data)
   378  			if err := isIA5String(email); err != nil {
   379  				return errors.New("x509: SAN rfc822Name is malformed")
   380  			}
   381  			emailAddresses = append(emailAddresses, email)
   382  		case nameTypeDNS:
   383  			name := string(data)
   384  			if err := isIA5String(name); err != nil {
   385  				return errors.New("x509: SAN dNSName is malformed")
   386  			}
   387  			dnsNames = append(dnsNames, string(name))
   388  		case nameTypeURI:
   389  			uriStr := string(data)
   390  			if err := isIA5String(uriStr); err != nil {
   391  				return errors.New("x509: SAN uniformResourceIdentifier is malformed")
   392  			}
   393  			uri, err := url.Parse(uriStr)
   394  			if err != nil {
   395  				return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err)
   396  			}
   397  			if len(uri.Host) > 0 {
   398  				if _, ok := domainToReverseLabels(uri.Host); !ok {
   399  					return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr)
   400  				}
   401  			}
   402  			uris = append(uris, uri)
   403  		case nameTypeIP:
   404  			switch len(data) {
   405  			case net.IPv4len, net.IPv6len:
   406  				ipAddresses = append(ipAddresses, data)
   407  			default:
   408  				return errors.New("x509: cannot parse IP address of length " + strconv.Itoa(len(data)))
   409  			}
   410  		}
   411  
   412  		return nil
   413  	})
   414  
   415  	return
   416  }
   417  
   418  func parseExtKeyUsageExtension(der cryptobyte.String) ([]ExtKeyUsage, []asn1.ObjectIdentifier, error) {
   419  	var extKeyUsages []ExtKeyUsage
   420  	var unknownUsages []asn1.ObjectIdentifier
   421  	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   422  		return nil, nil, errors.New("x509: invalid extended key usages")
   423  	}
   424  	for !der.Empty() {
   425  		var eku asn1.ObjectIdentifier
   426  		if !der.ReadASN1ObjectIdentifier(&eku) {
   427  			return nil, nil, errors.New("x509: invalid extended key usages")
   428  		}
   429  		if extKeyUsage, ok := extKeyUsageFromOID(eku); ok {
   430  			extKeyUsages = append(extKeyUsages, extKeyUsage)
   431  		} else {
   432  			unknownUsages = append(unknownUsages, eku)
   433  		}
   434  	}
   435  	return extKeyUsages, unknownUsages, nil
   436  }
   437  
   438  func parseCertificatePoliciesExtension(der cryptobyte.String) ([]OID, error) {
   439  	var oids []OID
   440  	if !der.ReadASN1(&der, cryptobyte_asn1.SEQUENCE) {
   441  		return nil, errors.New("x509: invalid certificate policies")
   442  	}
   443  	for !der.Empty() {
   444  		var cp cryptobyte.String
   445  		var OIDBytes cryptobyte.String
   446  		if !der.ReadASN1(&cp, cryptobyte_asn1.SEQUENCE) || !cp.ReadASN1(&OIDBytes, cryptobyte_asn1.OBJECT_IDENTIFIER) {
   447  			return nil, errors.New("x509: invalid certificate policies")
   448  		}
   449  		oid, ok := newOIDFromDER(OIDBytes)
   450  		if !ok {
   451  			return nil, errors.New("x509: invalid certificate policies")
   452  		}
   453  		oids = append(oids, oid)
   454  	}
   455  	return oids, nil
   456  }
   457  
   458  // isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.
   459  func isValidIPMask(mask []byte) bool {
   460  	seenZero := false
   461  
   462  	for _, b := range mask {
   463  		if seenZero {
   464  			if b != 0 {
   465  				return false
   466  			}
   467  
   468  			continue
   469  		}
   470  
   471  		switch b {
   472  		case 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe:
   473  			seenZero = true
   474  		case 0xff:
   475  		default:
   476  			return false
   477  		}
   478  	}
   479  
   480  	return true
   481  }
   482  
   483  func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error) {
   484  	// RFC 5280, 4.2.1.10
   485  
   486  	// NameConstraints ::= SEQUENCE {
   487  	//      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
   488  	//      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
   489  	//
   490  	// GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
   491  	//
   492  	// GeneralSubtree ::= SEQUENCE {
   493  	//      base                    GeneralName,
   494  	//      minimum         [0]     BaseDistance DEFAULT 0,
   495  	//      maximum         [1]     BaseDistance OPTIONAL }
   496  	//
   497  	// BaseDistance ::= INTEGER (0..MAX)
   498  
   499  	outer := cryptobyte.String(e.Value)
   500  	var toplevel, permitted, excluded cryptobyte.String
   501  	var havePermitted, haveExcluded bool
   502  	if !outer.ReadASN1(&toplevel, cryptobyte_asn1.SEQUENCE) ||
   503  		!outer.Empty() ||
   504  		!toplevel.ReadOptionalASN1(&permitted, &havePermitted, cryptobyte_asn1.Tag(0).ContextSpecific().Constructed()) ||
   505  		!toplevel.ReadOptionalASN1(&excluded, &haveExcluded, cryptobyte_asn1.Tag(1).ContextSpecific().Constructed()) ||
   506  		!toplevel.Empty() {
   507  		return false, errors.New("x509: invalid NameConstraints extension")
   508  	}
   509  
   510  	if !havePermitted && !haveExcluded || len(permitted) == 0 && len(excluded) == 0 {
   511  		// From RFC 5280, Section 4.2.1.10:
   512  		//   “either the permittedSubtrees field
   513  		//   or the excludedSubtrees MUST be
   514  		//   present”
   515  		return false, errors.New("x509: empty name constraints extension")
   516  	}
   517  
   518  	getValues := func(subtrees cryptobyte.String) (dnsNames []string, ips []*net.IPNet, emails, uriDomains []string, err error) {
   519  		for !subtrees.Empty() {
   520  			var seq, value cryptobyte.String
   521  			var tag cryptobyte_asn1.Tag
   522  			if !subtrees.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) ||
   523  				!seq.ReadAnyASN1(&value, &tag) {
   524  				return nil, nil, nil, nil, fmt.Errorf("x509: invalid NameConstraints extension")
   525  			}
   526  
   527  			var (
   528  				dnsTag   = cryptobyte_asn1.Tag(2).ContextSpecific()
   529  				emailTag = cryptobyte_asn1.Tag(1).ContextSpecific()
   530  				ipTag    = cryptobyte_asn1.Tag(7).ContextSpecific()
   531  				uriTag   = cryptobyte_asn1.Tag(6).ContextSpecific()
   532  			)
   533  
   534  			switch tag {
   535  			case dnsTag:
   536  				domain := string(value)
   537  				if err := isIA5String(domain); err != nil {
   538  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
   539  				}
   540  
   541  				trimmedDomain := domain
   542  				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
   543  					// constraints can have a leading
   544  					// period to exclude the domain
   545  					// itself, but that's not valid in a
   546  					// normal domain name.
   547  					trimmedDomain = trimmedDomain[1:]
   548  				}
   549  				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
   550  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
   551  				}
   552  				dnsNames = append(dnsNames, domain)
   553  
   554  			case ipTag:
   555  				l := len(value)
   556  				var ip, mask []byte
   557  
   558  				switch l {
   559  				case 8:
   560  					ip = value[:4]
   561  					mask = value[4:]
   562  
   563  				case 32:
   564  					ip = value[:16]
   565  					mask = value[16:]
   566  
   567  				default:
   568  					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained value of length %d", l)
   569  				}
   570  
   571  				if !isValidIPMask(mask) {
   572  					return nil, nil, nil, nil, fmt.Errorf("x509: IP constraint contained invalid mask %x", mask)
   573  				}
   574  
   575  				ips = append(ips, &net.IPNet{IP: net.IP(ip), Mask: net.IPMask(mask)})
   576  
   577  			case emailTag:
   578  				constraint := string(value)
   579  				if err := isIA5String(constraint); err != nil {
   580  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
   581  				}
   582  
   583  				// If the constraint contains an @ then
   584  				// it specifies an exact mailbox name.
   585  				if strings.Contains(constraint, "@") {
   586  					if _, ok := parseRFC2821Mailbox(constraint); !ok {
   587  						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
   588  					}
   589  				} else {
   590  					// Otherwise it's a domain name.
   591  					domain := constraint
   592  					if len(domain) > 0 && domain[0] == '.' {
   593  						domain = domain[1:]
   594  					}
   595  					if _, ok := domainToReverseLabels(domain); !ok {
   596  						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
   597  					}
   598  				}
   599  				emails = append(emails, constraint)
   600  
   601  			case uriTag:
   602  				domain := string(value)
   603  				if err := isIA5String(domain); err != nil {
   604  					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
   605  				}
   606  
   607  				if net.ParseIP(domain) != nil {
   608  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
   609  				}
   610  
   611  				trimmedDomain := domain
   612  				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
   613  					// constraints can have a leading
   614  					// period to exclude the domain itself,
   615  					// but that's not valid in a normal
   616  					// domain name.
   617  					trimmedDomain = trimmedDomain[1:]
   618  				}
   619  				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
   620  					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
   621  				}
   622  				uriDomains = append(uriDomains, domain)
   623  
   624  			default:
   625  				unhandled = true
   626  			}
   627  		}
   628  
   629  		return dnsNames, ips, emails, uriDomains, nil
   630  	}
   631  
   632  	if out.PermittedDNSDomains, out.PermittedIPRanges, out.PermittedEmailAddresses, out.PermittedURIDomains, err = getValues(permitted); err != nil {
   633  		return false, err
   634  	}
   635  	if out.ExcludedDNSDomains, out.ExcludedIPRanges, out.ExcludedEmailAddresses, out.ExcludedURIDomains, err = getValues(excluded); err != nil {
   636  		return false, err
   637  	}
   638  	out.PermittedDNSDomainsCritical = e.Critical
   639  
   640  	return unhandled, nil
   641  }
   642  
   643  func processExtensions(out *Certificate) error {
   644  	var err error
   645  	for _, e := range out.Extensions {
   646  		unhandled := false
   647  
   648  		if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 {
   649  			switch e.Id[3] {
   650  			case 15:
   651  				out.KeyUsage, err = parseKeyUsageExtension(e.Value)
   652  				if err != nil {
   653  					return err
   654  				}
   655  			case 19:
   656  				out.IsCA, out.MaxPathLen, err = parseBasicConstraintsExtension(e.Value)
   657  				if err != nil {
   658  					return err
   659  				}
   660  				out.BasicConstraintsValid = true
   661  				out.MaxPathLenZero = out.MaxPathLen == 0
   662  			case 17:
   663  				out.DNSNames, out.EmailAddresses, out.IPAddresses, out.URIs, err = parseSANExtension(e.Value)
   664  				if err != nil {
   665  					return err
   666  				}
   667  
   668  				if len(out.DNSNames) == 0 && len(out.EmailAddresses) == 0 && len(out.IPAddresses) == 0 && len(out.URIs) == 0 {
   669  					// If we didn't parse anything then we do the critical check, below.
   670  					unhandled = true
   671  				}
   672  
   673  			case 30:
   674  				unhandled, err = parseNameConstraintsExtension(out, e)
   675  				if err != nil {
   676  					return err
   677  				}
   678  
   679  			case 31:
   680  				// RFC 5280, 4.2.1.13
   681  
   682  				// CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
   683  				//
   684  				// DistributionPoint ::= SEQUENCE {
   685  				//     distributionPoint       [0]     DistributionPointName OPTIONAL,
   686  				//     reasons                 [1]     ReasonFlags OPTIONAL,
   687  				//     cRLIssuer               [2]     GeneralNames OPTIONAL }
   688  				//
   689  				// DistributionPointName ::= CHOICE {
   690  				//     fullName                [0]     GeneralNames,
   691  				//     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
   692  				val := cryptobyte.String(e.Value)
   693  				if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) {
   694  					return errors.New("x509: invalid CRL distribution points")
   695  				}
   696  				for !val.Empty() {
   697  					var dpDER cryptobyte.String
   698  					if !val.ReadASN1(&dpDER, cryptobyte_asn1.SEQUENCE) {
   699  						return errors.New("x509: invalid CRL distribution point")
   700  					}
   701  					var dpNameDER cryptobyte.String
   702  					var dpNamePresent bool
   703  					if !dpDER.ReadOptionalASN1(&dpNameDER, &dpNamePresent, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) {
   704  						return errors.New("x509: invalid CRL distribution point")
   705  					}
   706  					if !dpNamePresent {
   707  						continue
   708  					}
   709  					if !dpNameDER.ReadASN1(&dpNameDER, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) {
   710  						return errors.New("x509: invalid CRL distribution point")
   711  					}
   712  					for !dpNameDER.Empty() {
   713  						if !dpNameDER.PeekASN1Tag(cryptobyte_asn1.Tag(6).ContextSpecific()) {
   714  							break
   715  						}
   716  						var uri cryptobyte.String
   717  						if !dpNameDER.ReadASN1(&uri, cryptobyte_asn1.Tag(6).ContextSpecific()) {
   718  							return errors.New("x509: invalid CRL distribution point")
   719  						}
   720  						out.CRLDistributionPoints = append(out.CRLDistributionPoints, string(uri))
   721  					}
   722  				}
   723  
   724  			case 35:
   725  				// RFC 5280, 4.2.1.1
   726  				val := cryptobyte.String(e.Value)
   727  				var akid cryptobyte.String
   728  				if !val.ReadASN1(&akid, cryptobyte_asn1.SEQUENCE) {
   729  					return errors.New("x509: invalid authority key identifier")
   730  				}
   731  				if akid.PeekASN1Tag(cryptobyte_asn1.Tag(0).ContextSpecific()) {
   732  					if !akid.ReadASN1(&akid, cryptobyte_asn1.Tag(0).ContextSpecific()) {
   733  						return errors.New("x509: invalid authority key identifier")
   734  					}
   735  					out.AuthorityKeyId = akid
   736  				}
   737  			case 37:
   738  				out.ExtKeyUsage, out.UnknownExtKeyUsage, err = parseExtKeyUsageExtension(e.Value)
   739  				if err != nil {
   740  					return err
   741  				}
   742  			case 14:
   743  				// RFC 5280, 4.2.1.2
   744  				val := cryptobyte.String(e.Value)
   745  				var skid cryptobyte.String
   746  				if !val.ReadASN1(&skid, cryptobyte_asn1.OCTET_STRING) {
   747  					return errors.New("x509: invalid subject key identifier")
   748  				}
   749  				out.SubjectKeyId = skid
   750  			case 32:
   751  				out.Policies, err = parseCertificatePoliciesExtension(e.Value)
   752  				if err != nil {
   753  					return err
   754  				}
   755  				out.PolicyIdentifiers = make([]asn1.ObjectIdentifier, 0, len(out.Policies))
   756  				for _, oid := range out.Policies {
   757  					if oid, ok := oid.toASN1OID(); ok {
   758  						out.PolicyIdentifiers = append(out.PolicyIdentifiers, oid)
   759  					}
   760  				}
   761  			default:
   762  				// Unknown extensions are recorded if critical.
   763  				unhandled = true
   764  			}
   765  		} else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
   766  			// RFC 5280 4.2.2.1: Authority Information Access
   767  			val := cryptobyte.String(e.Value)
   768  			if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) {
   769  				return errors.New("x509: invalid authority info access")
   770  			}
   771  			for !val.Empty() {
   772  				var aiaDER cryptobyte.String
   773  				if !val.ReadASN1(&aiaDER, cryptobyte_asn1.SEQUENCE) {
   774  					return errors.New("x509: invalid authority info access")
   775  				}
   776  				var method asn1.ObjectIdentifier
   777  				if !aiaDER.ReadASN1ObjectIdentifier(&method) {
   778  					return errors.New("x509: invalid authority info access")
   779  				}
   780  				if !aiaDER.PeekASN1Tag(cryptobyte_asn1.Tag(6).ContextSpecific()) {
   781  					continue
   782  				}
   783  				if !aiaDER.ReadASN1(&aiaDER, cryptobyte_asn1.Tag(6).ContextSpecific()) {
   784  					return errors.New("x509: invalid authority info access")
   785  				}
   786  				switch {
   787  				case method.Equal(oidAuthorityInfoAccessOcsp):
   788  					out.OCSPServer = append(out.OCSPServer, string(aiaDER))
   789  				case method.Equal(oidAuthorityInfoAccessIssuers):
   790  					out.IssuingCertificateURL = append(out.IssuingCertificateURL, string(aiaDER))
   791  				}
   792  			}
   793  		} else {
   794  			// Unknown extensions are recorded if critical.
   795  			unhandled = true
   796  		}
   797  
   798  		if e.Critical && unhandled {
   799  			out.UnhandledCriticalExtensions = append(out.UnhandledCriticalExtensions, e.Id)
   800  		}
   801  	}
   802  
   803  	return nil
   804  }
   805  
   806  func parseCertificate(der []byte) (*Certificate, error) {
   807  	cert := &Certificate{}
   808  
   809  	input := cryptobyte.String(der)
   810  	// we read the SEQUENCE including length and tag bytes so that
   811  	// we can populate Certificate.Raw, before unwrapping the
   812  	// SEQUENCE so it can be operated on
   813  	if !input.ReadASN1Element(&input, cryptobyte_asn1.SEQUENCE) {
   814  		return nil, errors.New("x509: malformed certificate")
   815  	}
   816  	cert.Raw = input
   817  	if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) {
   818  		return nil, errors.New("x509: malformed certificate")
   819  	}
   820  
   821  	var tbs cryptobyte.String
   822  	// do the same trick again as above to extract the raw
   823  	// bytes for Certificate.RawTBSCertificate
   824  	if !input.ReadASN1Element(&tbs, cryptobyte_asn1.SEQUENCE) {
   825  		return nil, errors.New("x509: malformed tbs certificate")
   826  	}
   827  	cert.RawTBSCertificate = tbs
   828  	if !tbs.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) {
   829  		return nil, errors.New("x509: malformed tbs certificate")
   830  	}
   831  
   832  	if !tbs.ReadOptionalASN1Integer(&cert.Version, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific(), 0) {
   833  		return nil, errors.New("x509: malformed version")
   834  	}
   835  	if cert.Version < 0 {
   836  		return nil, errors.New("x509: malformed version")
   837  	}
   838  	// for backwards compat reasons Version is one-indexed,
   839  	// rather than zero-indexed as defined in 5280
   840  	cert.Version++
   841  	if cert.Version > 3 {
   842  		return nil, errors.New("x509: invalid version")
   843  	}
   844  
   845  	serial := new(big.Int)
   846  	if !tbs.ReadASN1Integer(serial) {
   847  		return nil, errors.New("x509: malformed serial number")
   848  	}
   849  	// we ignore the presence of negative serial numbers because
   850  	// of their prevalence, despite them being invalid
   851  	// TODO(rolandshoemaker): revisit this decision, there are currently
   852  	// only 10 trusted certificates with negative serial numbers
   853  	// according to censys.io.
   854  	cert.SerialNumber = serial
   855  
   856  	var sigAISeq cryptobyte.String
   857  	if !tbs.ReadASN1(&sigAISeq, cryptobyte_asn1.SEQUENCE) {
   858  		return nil, errors.New("x509: malformed signature algorithm identifier")
   859  	}
   860  	// Before parsing the inner algorithm identifier, extract
   861  	// the outer algorithm identifier and make sure that they
   862  	// match.
   863  	var outerSigAISeq cryptobyte.String
   864  	if !input.ReadASN1(&outerSigAISeq, cryptobyte_asn1.SEQUENCE) {
   865  		return nil, errors.New("x509: malformed algorithm identifier")
   866  	}
   867  	if !bytes.Equal(outerSigAISeq, sigAISeq) {
   868  		return nil, errors.New("x509: inner and outer signature algorithm identifiers don't match")
   869  	}
   870  	sigAI, err := parseAI(sigAISeq)
   871  	if err != nil {
   872  		return nil, err
   873  	}
   874  	cert.SignatureAlgorithm = getSignatureAlgorithmFromAI(sigAI)
   875  
   876  	var issuerSeq cryptobyte.String
   877  	if !tbs.ReadASN1Element(&issuerSeq, cryptobyte_asn1.SEQUENCE) {
   878  		return nil, errors.New("x509: malformed issuer")
   879  	}
   880  	cert.RawIssuer = issuerSeq
   881  	issuerRDNs, err := parseName(issuerSeq)
   882  	if err != nil {
   883  		return nil, err
   884  	}
   885  	cert.Issuer.FillFromRDNSequence(issuerRDNs)
   886  
   887  	var validity cryptobyte.String
   888  	if !tbs.ReadASN1(&validity, cryptobyte_asn1.SEQUENCE) {
   889  		return nil, errors.New("x509: malformed validity")
   890  	}
   891  	cert.NotBefore, cert.NotAfter, err = parseValidity(validity)
   892  	if err != nil {
   893  		return nil, err
   894  	}
   895  
   896  	var subjectSeq cryptobyte.String
   897  	if !tbs.ReadASN1Element(&subjectSeq, cryptobyte_asn1.SEQUENCE) {
   898  		return nil, errors.New("x509: malformed issuer")
   899  	}
   900  	cert.RawSubject = subjectSeq
   901  	subjectRDNs, err := parseName(subjectSeq)
   902  	if err != nil {
   903  		return nil, err
   904  	}
   905  	cert.Subject.FillFromRDNSequence(subjectRDNs)
   906  
   907  	var spki cryptobyte.String
   908  	if !tbs.ReadASN1Element(&spki, cryptobyte_asn1.SEQUENCE) {
   909  		return nil, errors.New("x509: malformed spki")
   910  	}
   911  	cert.RawSubjectPublicKeyInfo = spki
   912  	if !spki.ReadASN1(&spki, cryptobyte_asn1.SEQUENCE) {
   913  		return nil, errors.New("x509: malformed spki")
   914  	}
   915  	var pkAISeq cryptobyte.String
   916  	if !spki.ReadASN1(&pkAISeq, cryptobyte_asn1.SEQUENCE) {
   917  		return nil, errors.New("x509: malformed public key algorithm identifier")
   918  	}
   919  	pkAI, err := parseAI(pkAISeq)
   920  	if err != nil {
   921  		return nil, err
   922  	}
   923  	cert.PublicKeyAlgorithm = getPublicKeyAlgorithmFromOID(pkAI.Algorithm)
   924  	var spk asn1.BitString
   925  	if !spki.ReadASN1BitString(&spk) {
   926  		return nil, errors.New("x509: malformed subjectPublicKey")
   927  	}
   928  	if cert.PublicKeyAlgorithm != UnknownPublicKeyAlgorithm {
   929  		cert.PublicKey, err = parsePublicKey(&publicKeyInfo{
   930  			Algorithm: pkAI,
   931  			PublicKey: spk,
   932  		})
   933  		if err != nil {
   934  			return nil, err
   935  		}
   936  	}
   937  
   938  	if cert.Version > 1 {
   939  		if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(1).ContextSpecific()) {
   940  			return nil, errors.New("x509: malformed issuerUniqueID")
   941  		}
   942  		if !tbs.SkipOptionalASN1(cryptobyte_asn1.Tag(2).ContextSpecific()) {
   943  			return nil, errors.New("x509: malformed subjectUniqueID")
   944  		}
   945  		if cert.Version == 3 {
   946  			var extensions cryptobyte.String
   947  			var present bool
   948  			if !tbs.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.Tag(3).Constructed().ContextSpecific()) {
   949  				return nil, errors.New("x509: malformed extensions")
   950  			}
   951  			if present {
   952  				seenExts := make(map[string]bool)
   953  				if !extensions.ReadASN1(&extensions, cryptobyte_asn1.SEQUENCE) {
   954  					return nil, errors.New("x509: malformed extensions")
   955  				}
   956  				for !extensions.Empty() {
   957  					var extension cryptobyte.String
   958  					if !extensions.ReadASN1(&extension, cryptobyte_asn1.SEQUENCE) {
   959  						return nil, errors.New("x509: malformed extension")
   960  					}
   961  					ext, err := parseExtension(extension)
   962  					if err != nil {
   963  						return nil, err
   964  					}
   965  					oidStr := ext.Id.String()
   966  					if seenExts[oidStr] {
   967  						return nil, errors.New("x509: certificate contains duplicate extensions")
   968  					}
   969  					seenExts[oidStr] = true
   970  					cert.Extensions = append(cert.Extensions, ext)
   971  				}
   972  				err = processExtensions(cert)
   973  				if err != nil {
   974  					return nil, err
   975  				}
   976  			}
   977  		}
   978  	}
   979  
   980  	var signature asn1.BitString
   981  	if !input.ReadASN1BitString(&signature) {
   982  		return nil, errors.New("x509: malformed signature")
   983  	}
   984  	cert.Signature = signature.RightAlign()
   985  
   986  	return cert, nil
   987  }
   988  
   989  // ParseCertificate parses a single certificate from the given ASN.1 DER data.
   990  func ParseCertificate(der []byte) (*Certificate, error) {
   991  	cert, err := parseCertificate(der)
   992  	if err != nil {
   993  		return nil, err
   994  	}
   995  	if len(der) != len(cert.Raw) {
   996  		return nil, errors.New("x509: trailing data")
   997  	}
   998  	return cert, err
   999  }
  1000  
  1001  // ParseCertificates parses one or more certificates from the given ASN.1 DER
  1002  // data. The certificates must be concatenated with no intermediate padding.
  1003  func ParseCertificates(der []byte) ([]*Certificate, error) {
  1004  	var certs []*Certificate
  1005  	for len(der) > 0 {
  1006  		cert, err := parseCertificate(der)
  1007  		if err != nil {
  1008  			return nil, err
  1009  		}
  1010  		certs = append(certs, cert)
  1011  		der = der[len(cert.Raw):]
  1012  	}
  1013  	return certs, nil
  1014  }
  1015  
  1016  // The X.509 standards confusingly 1-indexed the version names, but 0-indexed
  1017  // the actual encoded version, so the version for X.509v2 is 1.
  1018  const x509v2Version = 1
  1019  
  1020  // ParseRevocationList parses a X509 v2 [Certificate] Revocation List from the given
  1021  // ASN.1 DER data.
  1022  func ParseRevocationList(der []byte) (*RevocationList, error) {
  1023  	rl := &RevocationList{}
  1024  
  1025  	input := cryptobyte.String(der)
  1026  	// we read the SEQUENCE including length and tag bytes so that
  1027  	// we can populate RevocationList.Raw, before unwrapping the
  1028  	// SEQUENCE so it can be operated on
  1029  	if !input.ReadASN1Element(&input, cryptobyte_asn1.SEQUENCE) {
  1030  		return nil, errors.New("x509: malformed crl")
  1031  	}
  1032  	rl.Raw = input
  1033  	if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) {
  1034  		return nil, errors.New("x509: malformed crl")
  1035  	}
  1036  
  1037  	var tbs cryptobyte.String
  1038  	// do the same trick again as above to extract the raw
  1039  	// bytes for Certificate.RawTBSCertificate
  1040  	if !input.ReadASN1Element(&tbs, cryptobyte_asn1.SEQUENCE) {
  1041  		return nil, errors.New("x509: malformed tbs crl")
  1042  	}
  1043  	rl.RawTBSRevocationList = tbs
  1044  	if !tbs.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) {
  1045  		return nil, errors.New("x509: malformed tbs crl")
  1046  	}
  1047  
  1048  	var version int
  1049  	if !tbs.PeekASN1Tag(cryptobyte_asn1.INTEGER) {
  1050  		return nil, errors.New("x509: unsupported crl version")
  1051  	}
  1052  	if !tbs.ReadASN1Integer(&version) {
  1053  		return nil, errors.New("x509: malformed crl")
  1054  	}
  1055  	if version != x509v2Version {
  1056  		return nil, fmt.Errorf("x509: unsupported crl version: %d", version)
  1057  	}
  1058  
  1059  	var sigAISeq cryptobyte.String
  1060  	if !tbs.ReadASN1(&sigAISeq, cryptobyte_asn1.SEQUENCE) {
  1061  		return nil, errors.New("x509: malformed signature algorithm identifier")
  1062  	}
  1063  	// Before parsing the inner algorithm identifier, extract
  1064  	// the outer algorithm identifier and make sure that they
  1065  	// match.
  1066  	var outerSigAISeq cryptobyte.String
  1067  	if !input.ReadASN1(&outerSigAISeq, cryptobyte_asn1.SEQUENCE) {
  1068  		return nil, errors.New("x509: malformed algorithm identifier")
  1069  	}
  1070  	if !bytes.Equal(outerSigAISeq, sigAISeq) {
  1071  		return nil, errors.New("x509: inner and outer signature algorithm identifiers don't match")
  1072  	}
  1073  	sigAI, err := parseAI(sigAISeq)
  1074  	if err != nil {
  1075  		return nil, err
  1076  	}
  1077  	rl.SignatureAlgorithm = getSignatureAlgorithmFromAI(sigAI)
  1078  
  1079  	var signature asn1.BitString
  1080  	if !input.ReadASN1BitString(&signature) {
  1081  		return nil, errors.New("x509: malformed signature")
  1082  	}
  1083  	rl.Signature = signature.RightAlign()
  1084  
  1085  	var issuerSeq cryptobyte.String
  1086  	if !tbs.ReadASN1Element(&issuerSeq, cryptobyte_asn1.SEQUENCE) {
  1087  		return nil, errors.New("x509: malformed issuer")
  1088  	}
  1089  	rl.RawIssuer = issuerSeq
  1090  	issuerRDNs, err := parseName(issuerSeq)
  1091  	if err != nil {
  1092  		return nil, err
  1093  	}
  1094  	rl.Issuer.FillFromRDNSequence(issuerRDNs)
  1095  
  1096  	rl.ThisUpdate, err = parseTime(&tbs)
  1097  	if err != nil {
  1098  		return nil, err
  1099  	}
  1100  	if tbs.PeekASN1Tag(cryptobyte_asn1.GeneralizedTime) || tbs.PeekASN1Tag(cryptobyte_asn1.UTCTime) {
  1101  		rl.NextUpdate, err = parseTime(&tbs)
  1102  		if err != nil {
  1103  			return nil, err
  1104  		}
  1105  	}
  1106  
  1107  	if tbs.PeekASN1Tag(cryptobyte_asn1.SEQUENCE) {
  1108  		var revokedSeq cryptobyte.String
  1109  		if !tbs.ReadASN1(&revokedSeq, cryptobyte_asn1.SEQUENCE) {
  1110  			return nil, errors.New("x509: malformed crl")
  1111  		}
  1112  		for !revokedSeq.Empty() {
  1113  			rce := RevocationListEntry{}
  1114  
  1115  			var certSeq cryptobyte.String
  1116  			if !revokedSeq.ReadASN1Element(&certSeq, cryptobyte_asn1.SEQUENCE) {
  1117  				return nil, errors.New("x509: malformed crl")
  1118  			}
  1119  			rce.Raw = certSeq
  1120  			if !certSeq.ReadASN1(&certSeq, cryptobyte_asn1.SEQUENCE) {
  1121  				return nil, errors.New("x509: malformed crl")
  1122  			}
  1123  
  1124  			rce.SerialNumber = new(big.Int)
  1125  			if !certSeq.ReadASN1Integer(rce.SerialNumber) {
  1126  				return nil, errors.New("x509: malformed serial number")
  1127  			}
  1128  			rce.RevocationTime, err = parseTime(&certSeq)
  1129  			if err != nil {
  1130  				return nil, err
  1131  			}
  1132  			var extensions cryptobyte.String
  1133  			var present bool
  1134  			if !certSeq.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.SEQUENCE) {
  1135  				return nil, errors.New("x509: malformed extensions")
  1136  			}
  1137  			if present {
  1138  				for !extensions.Empty() {
  1139  					var extension cryptobyte.String
  1140  					if !extensions.ReadASN1(&extension, cryptobyte_asn1.SEQUENCE) {
  1141  						return nil, errors.New("x509: malformed extension")
  1142  					}
  1143  					ext, err := parseExtension(extension)
  1144  					if err != nil {
  1145  						return nil, err
  1146  					}
  1147  					if ext.Id.Equal(oidExtensionReasonCode) {
  1148  						val := cryptobyte.String(ext.Value)
  1149  						if !val.ReadASN1Enum(&rce.ReasonCode) {
  1150  							return nil, fmt.Errorf("x509: malformed reasonCode extension")
  1151  						}
  1152  					}
  1153  					rce.Extensions = append(rce.Extensions, ext)
  1154  				}
  1155  			}
  1156  
  1157  			rl.RevokedCertificateEntries = append(rl.RevokedCertificateEntries, rce)
  1158  			rcDeprecated := pkix.RevokedCertificate{
  1159  				SerialNumber:   rce.SerialNumber,
  1160  				RevocationTime: rce.RevocationTime,
  1161  				Extensions:     rce.Extensions,
  1162  			}
  1163  			rl.RevokedCertificates = append(rl.RevokedCertificates, rcDeprecated)
  1164  		}
  1165  	}
  1166  
  1167  	var extensions cryptobyte.String
  1168  	var present bool
  1169  	if !tbs.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) {
  1170  		return nil, errors.New("x509: malformed extensions")
  1171  	}
  1172  	if present {
  1173  		if !extensions.ReadASN1(&extensions, cryptobyte_asn1.SEQUENCE) {
  1174  			return nil, errors.New("x509: malformed extensions")
  1175  		}
  1176  		for !extensions.Empty() {
  1177  			var extension cryptobyte.String
  1178  			if !extensions.ReadASN1(&extension, cryptobyte_asn1.SEQUENCE) {
  1179  				return nil, errors.New("x509: malformed extension")
  1180  			}
  1181  			ext, err := parseExtension(extension)
  1182  			if err != nil {
  1183  				return nil, err
  1184  			}
  1185  			if ext.Id.Equal(oidExtensionAuthorityKeyId) {
  1186  				rl.AuthorityKeyId = ext.Value
  1187  			} else if ext.Id.Equal(oidExtensionCRLNumber) {
  1188  				value := cryptobyte.String(ext.Value)
  1189  				rl.Number = new(big.Int)
  1190  				if !value.ReadASN1Integer(rl.Number) {
  1191  					return nil, errors.New("x509: malformed crl number")
  1192  				}
  1193  			}
  1194  			rl.Extensions = append(rl.Extensions, ext)
  1195  		}
  1196  	}
  1197  
  1198  	return rl, nil
  1199  }
  1200  

View as plain text