migrate x509/ct.go away from c-t-go

transparency-dev · Feb 18, 2025 · 40b0ee6 · 40b0ee6
1 parent 296e63b
commit 40b0ee6
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 26 deletions.
diff --git a/internal/x509util/ct.go b/internal/x509util/ct.go
@@ -14,14 +14,20 @@
 package x509util
 
 import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"errors"
 	"fmt"
 	"math/big"
 	"time"
+)
 
-	"github.com/google/certificate-transparency-go/asn1"
-	"github.com/google/certificate-transparency-go/x509"
-	"github.com/google/certificate-transparency-go/x509/pkix"
+var (
+	oidExtensionAuthorityKeyId = asn1.ObjectIdentifier{2, 5, 29, 35}
+	// OIDExtensionCTPoison is defined in RFC 6962 s3.1.
+	oidExtensionCTPoison                        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
+	oidExtensionKeyUsageCertificateTransparency = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}
 )
 
 type tbsCertificate struct {
@@ -100,7 +106,7 @@ func removeExtension(tbsData []byte, oid asn1.ObjectIdentifier) ([]byte, error)
 //   - The precert's AuthorityKeyId is changed to the AuthorityKeyId of the
 //     intermediate.
 func BuildPrecertTBS(tbsData []byte, preIssuer *x509.Certificate) ([]byte, error) {
-	data, err := removeExtension(tbsData, x509.OIDExtensionCTPoison)
+	data, err := removeExtension(tbsData, oidExtensionCTPoison)
 	if err != nil {
 		return nil, err
 	}
@@ -123,16 +129,17 @@ func BuildPrecertTBS(tbsData []byte, preIssuer *x509.Certificate) ([]byte, error
 		// to that of the preIssuer.
 		var issuerKeyID []byte
 		for _, ext := range preIssuer.Extensions {
-			if ext.Id.Equal(x509.OIDExtensionAuthorityKeyId) {
+			if ext.Id.Equal(oidExtensionAuthorityKeyId) {
 				issuerKeyID = ext.Value
 				break
 			}
 		}
 
-		// Check the preIssuer has the CT EKU.
+		// The x509 package does not parse CT EKU, so look for it in
+		// extensions directly.
 		seenCTEKU := false
-		for _, eku := range preIssuer.ExtKeyUsage {
-			if eku == x509.ExtKeyUsageCertificateTransparency {
+		for _, ext := range preIssuer.Extensions {
+			if ext.Id.Equal(oidExtensionKeyUsageCertificateTransparency) {
 				seenCTEKU = true
 				break
 			}
@@ -143,7 +150,7 @@ func BuildPrecertTBS(tbsData []byte, preIssuer *x509.Certificate) ([]byte, error
 
 		keyAt := -1
 		for i, ext := range tbs.Extensions {
-			if ext.Id.Equal(x509.OIDExtensionAuthorityKeyId) {
+			if ext.Id.Equal(oidExtensionAuthorityKeyId) {
 				keyAt = i
 				break
 			}
@@ -158,7 +165,7 @@ func BuildPrecertTBS(tbsData []byte, preIssuer *x509.Certificate) ([]byte, error
 		} else if issuerKeyID != nil {
 			// PreCert did not have an auth-key-id, but the preIssuer does, so add it at the end.
 			authKeyIDExt := pkix.Extension{
-				Id:       x509.OIDExtensionAuthorityKeyId,
+				Id:       oidExtensionAuthorityKeyId,
 				Critical: false,
 				Value:    issuerKeyID,
 			}

diff --git a/internal/x509util/ct_test.go b/internal/x509util/ct_test.go
@@ -17,17 +17,16 @@ import (
 	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/hex"
 	"encoding/pem"
 	"math/big"
 	"reflect"
 	"strings"
 	"testing"
 	"time"
-
-	"github.com/google/certificate-transparency-go/asn1"
-	"github.com/google/certificate-transparency-go/x509"
-	"github.com/google/certificate-transparency-go/x509/pkix"
 )
 
 var pemPrivateKey = testingKey(`
@@ -75,7 +74,9 @@ func makeCert(t *testing.T, template, issuer *x509.Certificate) *x509.Certificat
 }
 
 func TestBuildPrecertTBS(t *testing.T) {
-	poisonExt := pkix.Extension{Id: x509.OIDExtensionCTPoison, Critical: true, Value: asn1.NullBytes}
+	poisonExt := pkix.Extension{Id: oidExtensionCTPoison, Critical: true, Value: asn1.NullBytes}
+	// TODO(phboneff): check Critical and value are ok.
+	ctExt := pkix.Extension{Id: oidExtensionKeyUsageCertificateTransparency}
 	preIssuerKeyID := []byte{0x19, 0x09, 0x19, 0x70}
 	issuerKeyID := []byte{0x07, 0x07, 0x20, 0x07}
 	preCertTemplate := x509.Certificate{
@@ -89,15 +90,15 @@ func TestBuildPrecertTBS(t *testing.T) {
 		AuthorityKeyId:  preIssuerKeyID,
 	}
 	preIssuerTemplate := x509.Certificate{
-		Version:        3,
-		SerialNumber:   big.NewInt(1234),
-		Issuer:         pkix.Name{CommonName: "real Issuer"},
-		Subject:        pkix.Name{CommonName: "precert Issuer"},
-		NotBefore:      time.Now(),
-		NotAfter:       time.Now().Add(3 * time.Hour),
-		AuthorityKeyId: issuerKeyID,
-		SubjectKeyId:   preIssuerKeyID,
-		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCertificateTransparency},
+		Version:         3,
+		SerialNumber:    big.NewInt(1234),
+		Issuer:          pkix.Name{CommonName: "real Issuer"},
+		Subject:         pkix.Name{CommonName: "precert Issuer"},
+		NotBefore:       time.Now(),
+		NotAfter:        time.Now().Add(3 * time.Hour),
+		ExtraExtensions: []pkix.Extension{ctExt},
+		AuthorityKeyId:  issuerKeyID,
+		SubjectKeyId:    preIssuerKeyID,
 	}
 	actualIssuerTemplate := x509.Certificate{
 		Version:      3,
@@ -119,7 +120,7 @@ func TestBuildPrecertTBS(t *testing.T) {
 	preIssuerTemplate.SubjectKeyId = nil
 	preCertWithoutAKI := makeCert(t, &preCertTemplate, &preIssuerTemplate)
 
-	preIssuerTemplate.ExtKeyUsage = nil
+	preIssuerTemplate.ExtraExtensions = nil
 	invalidPreIssuer := makeCert(t, &preIssuerTemplate, &actualIssuerTemplate)
 
 	akiPrefix := []byte{0x30, 0x06, 0x80, 0x04} // SEQUENCE { [0] { ... } }
@@ -190,7 +191,7 @@ func TestBuildPrecertTBS(t *testing.T) {
 		}
 		var gotAKI []byte
 		for _, ext := range tbs.Extensions {
-			if ext.Id.Equal(x509.OIDExtensionAuthorityKeyId) {
+			if ext.Id.Equal(oidExtensionAuthorityKeyId) {
 				gotAKI = ext.Value
 				break
 			}