Documentation
Overview
Package crl_x509 parses X.509-encoded certificate revocation lists.
Copyright 2021 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.
Package x509 parses X.509-encoded keys and certificates.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func CreateRevocationList

```go
func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *x509.Certificate, priv crypto.Signer) ([]byte, error)
```
CreateRevocationList creates a new X.509 v2 Certificate Revocation List, according to RFC 5280, based on template.
The CRL is signed by priv, which should be the private key associated with the public key in the issuer certificate.
The issuer may not be nil, and the crlSign bit must be set in its KeyUsage in order to use it as a CRL issuer.
The issuer distinguished name CRL field and authority key identifier extension are populated using the issuer certificate. issuer must have SubjectKeyId set.
Types
type PublicKeyAlgorithm

```go
type PublicKeyAlgorithm int

const (
	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
	RSA
	DSA // Unsupported.
	ECDSA
	Ed25519
)
```

func (PublicKeyAlgorithm) String

```go
func (algo PublicKeyAlgorithm) String() string
```
type RevocationList

```go
type RevocationList struct {
	// Raw, RawTBSRevocationList, and RawIssuer contain the raw bytes of the whole
	// CRL, the tbsCertList field, and the issuer field, respectively. They are
	// populated when parsing a CRL; they are ignored when creating a CRL.
	Raw                  []byte
	RawTBSRevocationList []byte
	RawIssuer            []byte

	// Issuer is the name of the issuer which issued the CRL. It is ignored when
	// creating a CRL.
	Issuer pkix.Name

	// Signature is the signature contained within the CRL. It is ignored when
	// creating a CRL.
	Signature []byte

	// SignatureAlgorithm is the signature algorithm used when signing the CRL.
	// When creating a CRL, a value of 0 means that the default algorithm for the
	// signing key will be used.
	SignatureAlgorithm SignatureAlgorithm

	// ThisUpdate represents the thisUpdate field in the CRL, which indicates the
	// issuance date of the CRL. It is both used when creating a CRL and populated
	// when parsing a CRL.
	ThisUpdate time.Time

	// NextUpdate represents the nextUpdate field in the CRL, which indicates the
	// date by which the next CRL will be issued. NextUpdate must be greater than
	// ThisUpdate. It is both used when creating a CRL and populated when parsing
	// a CRL.
	NextUpdate time.Time

	// RevokedCertificates represents the revokedCertificates sequence in the CRL.
	// It is both used when creating a CRL and populated when parsing a CRL. When
	// creating a CRL, it may be empty or nil, in which case the
	// revokedCertificates sequence will be omitted from the CRL entirely.
	RevokedCertificates []RevokedCertificate

	// Number represents the CRLNumber extension, which should be a monotonically
	// increasing sequence number for a given CRL scope and CRL issuer. It is both
	// used when creating a CRL and populated when parsing a CRL. When creating a
	// CRL, it MUST NOT be nil, and MUST NOT be longer than 20 bytes.
	Number *big.Int

	// AuthorityKeyId is populated from the authorityKeyIdentifier extension in
	// the CRL. It is ignored when creating a CRL: the extension is populated from
	// the issuer information instead.
	AuthorityKeyId []byte

	// Extensions contains raw X.509 extensions. When creating a CRL, the
	// Extensions field is ignored, see ExtraExtensions.
	Extensions []pkix.Extension

	// ExtraExtensions contains any additional extensions to add directly to the
	// CRL. It is up to the caller to ensure that this field does not contain any
	// extensions which duplicate extensions created by this package (currently,
	// the number and authorityKeyIdentifier extensions). The ExtraExtensions
	// field is not populated when parsing a CRL, see Extensions.
	ExtraExtensions []pkix.Extension
}
```
RevocationList represents a Certificate Revocation List (CRL) as specified by RFC 5280.
func ParseRevocationList

```go
func ParseRevocationList(der []byte) (*RevocationList, error)
```

ParseRevocationList parses an X.509 v2 Certificate Revocation List from the given ASN.1 DER data.
func (*RevocationList) CheckSignatureFrom

```go
func (rl *RevocationList) CheckSignatureFrom(parent *x509.Certificate) error
```

CheckSignatureFrom verifies that the signature on rl is a valid signature from parent, the issuer certificate.
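The full issue-parse-verify cycle behind CreateRevocationList, ParseRevocationList and CheckSignatureFrom, as an added example rather than code from this package. It is written against the standard library's crypto/x509 (Go 1.19 or later), whose three functions share this package's signatures; only the entry type differs (pkix.RevokedCertificate there, RevokedCertificate with its ReasonCode field here). The issuer name, serials and SubjectKeyId bytes are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCRLIssuer builds a self-signed CA carrying the crlSign key usage and a
// SubjectKeyId, the two properties CreateRevocationList requires of its issuer.
func newCRLIssuer() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CRL Issuer"}, // constructed
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, // constructed; normally a hash of the public key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // parsed form carries RawSubject and PublicKey
	return cert, priv, err
}

// issueCRL signs a CRL with CRLNumber number that lists serials as revoked now.
func issueCRL(issuer *x509.Certificate, priv ed25519.PrivateKey, number int64, serials ...*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, priv)
}

// verifyCRL parses der and checks that issuer signed it before any entry is trusted;
// a CRL that fails the signature check is an error, never "nothing revoked".
func verifyCRL(der []byte, issuer *x509.Certificate) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	return rl, rl.CheckSignatureFrom(issuer)
}
```

The parsed list's AuthorityKeyId equals the issuer's SubjectKeyId, which is how CreateRevocationList fills the authorityKeyIdentifier extension; an issuer whose KeyUsage lacks crlSign is rejected at issue time, and a CRL checked against the wrong certificate fails verification.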
type RevokedCertificate

```go
type RevokedCertificate struct {
	// Raw contains the raw bytes of the revokedCertificates entry. It is set when
	// parsing a CRL; it is ignored when generating a CRL.
	Raw []byte

	// SerialNumber represents the serial number of a revoked certificate. It is
	// both used when creating a CRL and populated when parsing a CRL. It MUST NOT
	// be nil.
	SerialNumber *big.Int

	// RevocationTime represents the time at which the certificate was revoked. It
	// is both used when creating a CRL and populated when parsing a CRL. It MUST
	// NOT be nil.
	RevocationTime time.Time

	// ReasonCode represents the reason for revocation, using the integer enum
	// values specified in RFC 5280 Section 5.3.1. When creating a CRL, a value of
	// nil or zero will result in the reasonCode extension being omitted. When
	// parsing a CRL, a value of nil represents no reasonCode extension, while a
	// value of 0 represents a reasonCode extension containing enum value 0 (this
	// SHOULD NOT happen, but can and does).
	ReasonCode *int

	// Extensions contains raw X.509 extensions. When creating a CRL, the
	// Extensions field is ignored, see ExtraExtensions.
	Extensions []pkix.Extension

	// ExtraExtensions contains any additional extensions to add directly to the
	// revokedCertificate entry. It is up to the caller to ensure that this field
	// does not contain any extensions which duplicate extensions created by this
	// package (currently, the reasonCode extension). The ExtraExtensions field is
	// not populated when parsing a CRL, see Extensions.
	ExtraExtensions []pkix.Extension
}
```
RevokedCertificate represents an entry in the revokedCertificates sequence of a CRL. NOTE: This type does not exist in upstream.
type SignatureAlgorithm

```go
type SignatureAlgorithm int

const (
	UnknownSignatureAlgorithm SignatureAlgorithm = iota

	MD2WithRSA  // Unsupported.
	MD5WithRSA  // Only supported for signing, not verification.
	SHA1WithRSA // Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
	SHA256WithRSA
	SHA384WithRSA
	SHA512WithRSA
	DSAWithSHA1   // Unsupported.
	DSAWithSHA256 // Unsupported.
	ECDSAWithSHA1 // Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
	ECDSAWithSHA256
	ECDSAWithSHA384
	ECDSAWithSHA512
	SHA256WithRSAPSS
	SHA384WithRSAPSS
	SHA512WithRSAPSS
	PureEd25519
)
```

func (SignatureAlgorithm) String

```go
func (algo SignatureAlgorithm) String() string
```