// Copyright Fuzamei Corp. 2018 All Rights Reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package core
import (
"bytes"
"crypto/ecdsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"errors"
"math/big"
"time"
ecdsa_util "github.com/33cn/chain33/system/crypto/secp256r1"
"github.com/tjfoc/gmsm/sm2"
)
// validity is the ASN.1 Validity SEQUENCE of an X.509 certificate: the
// notBefore / notAfter pair. In the code shown here it is only decoded and
// re-encoded as part of tbsCertificate; the dates themselves are not checked.
type validity struct {
	NotBefore, NotAfter time.Time
}
// publicKeyInfo is the ASN.1 SubjectPublicKeyInfo SEQUENCE: an algorithm
// identifier followed by the key material as a BIT STRING. Field order defines
// the DER layout and must not be changed.
type publicKeyInfo struct {
	// Raw is filled by asn1.Unmarshal with the original DER of this structure.
	// While it is non-empty, asn1.Marshal emits it verbatim instead of
	// re-encoding the fields below.
	Raw       asn1.RawContent
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}
// certificate is the outer ASN.1 Certificate SEQUENCE: the to-be-signed body,
// the signature algorithm and the signature value. It exists so that a parsed
// *x509.Certificate can be decoded from its raw DER, have its signature
// replaced, and be encoded again. Field order defines the DER layout and must
// not be changed.
type certificate struct {
	// Raw is filled by asn1.Unmarshal with the original DER of the whole
	// certificate. asn1.Marshal emits a non-empty leading RawContent verbatim,
	// so Raw has to be cleared before re-encoding a modified value.
	Raw                asn1.RawContent
	TBSCertificate     tbsCertificate
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}
// tbsCertificate is the ASN.1 TBSCertificate SEQUENCE, i.e. the part of an
// X.509 certificate that the issuer's signature covers. Field order and the
// asn1 struct tags define the DER layout and must not be changed.
type tbsCertificate struct {
	// Raw is filled by asn1.Unmarshal with the original DER of the signed
	// body. While it stays non-empty, asn1.Marshal reproduces those bytes
	// exactly, which keeps the signed content unchanged when the enclosing
	// certificate is re-encoded.
	Raw                asn1.RawContent
	Version            int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber       *big.Int
	SignatureAlgorithm pkix.AlgorithmIdentifier
	// Issuer and Subject are kept as undecoded raw values rather than parsed names.
	Issuer             asn1.RawValue
	Validity           validity
	Subject            asn1.RawValue
	PublicKey          publicKeyInfo
	// UniqueID carries context tag 1 (the issuer unique identifier slot in the
	// X.509 layout); SubjectUniqueID carries context tag 2.
	UniqueID           asn1.BitString   `asn1:"optional,tag:1"`
	SubjectUniqueID    asn1.BitString   `asn1:"optional,tag:2"`
	Extensions         []pkix.Extension `asn1:"optional,explicit,tag:3"`
}
// isECDSASignedCert reports whether cert declares one of the ECDSA signature
// algorithms known to crypto/x509 (SHA-1, SHA-256, SHA-384 or SHA-512 digest).
// It inspects only the declared algorithm; no signature is verified here.
//
// NOTE(review): ECDSAWithSHA1 is accepted. Whether SHA-1 signed certificates
// should still be tolerated is a policy decision for the caller.
//
// cert must not be nil.
func isECDSASignedCert(cert *x509.Certificate) bool {
	switch cert.SignatureAlgorithm {
	case x509.ECDSAWithSHA1,
		x509.ECDSAWithSHA256,
		x509.ECDSAWithSHA384,
		x509.ECDSAWithSHA512:
		return true
	default:
		return false
	}
}
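// sanitizeECDSASignedCert returns cert with its ECDSA signature in low-S form.
//
// The signature is normalised against the public key of parentCert. If it is
// already in that form, cert itself is returned. Otherwise the certificate is
// decoded from its raw DER, the signature value is replaced, and the result is
// re-encoded and parsed again, so the caller receives a new *x509.Certificate.
//
// This function only rewrites the encoding of the signature. It does not
// verify that parentCert signed cert; chain verification remains the caller's
// responsibility and should be run on the returned certificate.
//
// An error is returned when either argument is nil, when parentCert does not
// carry an ECDSA public key, or when decoding, re-encoding or re-parsing fails.
func sanitizeECDSASignedCert(cert *x509.Certificate, parentCert *x509.Certificate) (*x509.Certificate, error) {
	if cert == nil {
		return nil, errors.New("Certificate must be different from nil")
	}
	if parentCert == nil {
		return nil, errors.New("Parent certificate must be different from nil")
	}

	// The issuer's key type is not guaranteed: an unchecked type assertion
	// would panic on a parent certificate holding an RSA or other non-ECDSA
	// key. Reject that case with an error instead of crashing the process.
	parentKey, ok := parentCert.PublicKey.(*ecdsa.PublicKey)
	if !ok || parentKey == nil {
		return nil, errors.New("parent certificate public key is not an ECDSA key")
	}

	expectedSig, err := signatureToLowS(parentKey, cert.Signature)
	if err != nil {
		return nil, err
	}

	// Already canonical: hand back the original object untouched.
	if bytes.Equal(cert.Signature, expectedSig) {
		return cert, nil
	}

	newCert, err := certFromX509Cert(cert)
	if err != nil {
		return nil, err
	}

	newCert.SignatureValue = asn1.BitString{Bytes: expectedSig, BitLength: len(expectedSig) * 8}

	// asn1.Marshal emits a non-empty leading RawContent verbatim, which would
	// silently keep the old signature. Clear the outer Raw so the new value is
	// serialised; TBSCertificate.Raw is left in place so the signed bytes are
	// reproduced exactly.
	newCert.Raw = nil

	newRaw, err := asn1.Marshal(newCert)
	if err != nil {
		return nil, err
	}

	return x509.ParseCertificate(newRaw)
}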
// signatureToLowS decodes an encoded ECDSA signature, passes its s component
// through ecdsa_util.ToLowS for the curve of k, and returns the re-encoded
// signature. The r component is carried over unchanged.
//
// Normalising to one s value removes the malleability of ECDSA signatures,
// where (r, s) and (r, n-s) both verify for curve order n.
// NOTE(review): presumably ToLowS maps s to n-s when s lies in the upper half
// of the order; confirm against the ecdsa_util implementation.
//
// Any decoding or encoding error from ecdsa_util is returned as is.
func signatureToLowS(k *ecdsa.PublicKey, signature []byte) ([]byte, error) {
	rVal, sVal, decodeErr := ecdsa_util.UnmarshalECDSASignature(signature)
	if decodeErr != nil {
		return nil, decodeErr
	}

	lowS := ecdsa_util.ToLowS(k, sVal)

	return ecdsa_util.MarshalECDSASignature(rVal, lowS)
}
// certFromX509Cert decodes the raw DER held in cert.Raw into the local
// certificate structure so that individual parts can be replaced and the
// certificate encoded again. Bytes left over after the first ASN.1 value are
// ignored. On a decoding error the zero certificate is returned together with
// the error.
//
// cert must not be nil.
func certFromX509Cert(cert *x509.Certificate) (certificate, error) {
	var decoded certificate

	if _, err := asn1.Unmarshal(cert.Raw, &decoded); err != nil {
		return certificate{}, err
	}

	return decoded, nil
}
// ParseECDSAPubKey2SM2PubKey converts an ECDSA public key into an SM2 public
// key by copying its curve and point coordinates.
//
// The X and Y values are shared with key, not cloned, so later changes to one
// are visible through the other.
//
// NOTE(review): the curve is copied as is and is not checked to be the SM2
// curve. A key on another curve (for example P-256) is returned with that
// curve still attached; callers that need a genuine SM2 key should validate
// the curve themselves.
//
// key must not be nil.
func ParseECDSAPubKey2SM2PubKey(key *ecdsa.PublicKey) *sm2.PublicKey {
	return &sm2.PublicKey{Curve: key.Curve, X: key.X, Y: key.Y}
}