1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
// Package crtutil provides utility functions for working with certificates.
package crtutil
import (
"encoding/pem"
"fmt"
ct "github.com/google/certificate-transparency-go"
"github.com/google/certificate-transparency-go/x509"
)
// CertificateChainFromPEM parses a certificate chain in PEM format. At least
// one certificate must be in the chain. The first certificate must be a leaf,
// whereas all other certificates must CA certificates (intermdiates/roots).
func CertificateChainFromPEM(b []byte) ([]x509.Certificate, error) {
var chain []x509.Certificate
for {
block, rest := pem.Decode(b)
if block == nil {
break
}
crt, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, fmt.Errorf("parse certificate: %v", err)
}
chain = append(chain, *crt)
b = rest
}
if len(chain) == 0 {
return nil, fmt.Errorf("no certificates in the provided chain")
}
if chain[0].IsCA {
return nil, fmt.Errorf("leaf certificate has the CA bit set")
}
for _, crt := range chain[1:] {
if !crt.IsCA {
return nil, fmt.Errorf("non-leaf certificate without the CA bit set")
}
}
return chain, nil
}
// CertificateFromLogEntry parses the (pre-)certificate in a log entry
func CertificateFromLogEntry(leafData, extraData []byte) (x509.Certificate, error) {
entry, err := ct.LogEntryFromLeaf(0, &ct.LeafEntry{LeafInput: leafData, ExtraData: extraData})
if err != nil {
return x509.Certificate{}, fmt.Errorf("parse leaf: %v", err)
}
if entry.Precert == nil && entry.X509Cert == nil {
return x509.Certificate{}, fmt.Errorf("neither precertificate nor certificate in leaf")
}
if entry.Precert != nil && entry.X509Cert != nil {
return x509.Certificate{}, fmt.Errorf("both certificate and precertificate in leaf")
}
if entry.Precert != nil {
return *entry.Precert.TBSCertificate, nil
}
return *entry.X509Cert, nil
}
// UniqueID derives a unique certificate ID. The same value is derived
// regardless of if the (pre-)certificate is logged multiple times.
func UniqueID(crt x509.Certificate) string {
// The CAB BRs state in §7.1.2.7 that serial numbers "MUST be a
// non‐sequential number greater than zero (0) and less than 2^159".
// https://cabforum.org/working-groups/server/baseline-requirements/documents/TLSBRv2.0.4.pdf
//
// So, we can assume that serial numbers are unique across CAs. It would be
// an improvement to derive this from the certificate bytes though, such
// that the identifier is the same for certificates and pre-certificates.
return crt.SerialNumber.String()
}
|
