// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package connect
import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"fmt"
"net"
"net/url"
"unicode"
)
// NOTE: the contents of this file were lifted from
// $GOROOT/src/crypto/x509/x509.go from a Go 1.16.5 checkout.
//
//
// After https://go-review.googlesource.com/c/go/+/329129 lands in a Go release
// we are compiling against we can safely remove all of this code.
var (
x509_oidExtensionSubjectAltName = [ ] int { 2 , 5 , 29 , 17 }
)
const (
x509_nameTypeEmail = 1
x509_nameTypeDNS = 2
x509_nameTypeURI = 6
x509_nameTypeIP = 7
)
// HackSANExtensionForCSR will create a SAN extension on the CSR off of the
// convenience fields (DNSNames, EmailAddresses, IPAddresses, URIs) and
// appropriately marks that SAN extension as critical if the CSR has an empty
// subject.
//
// This is basically attempting to repeat this blob of code from the stdlib
// ourselves:
//
// https://github.com/golang/go/blob/0e67ce3d28320e816dd8e7cf7d701c1804fb977e/src/crypto/x509/x509.go#L1088
func HackSANExtensionForCSR ( template * x509 . CertificateRequest ) {
switch {
case len ( template . DNSNames ) > 0 :
case len ( template . EmailAddresses ) > 0 :
case len ( template . IPAddresses ) > 0 :
case len ( template . URIs ) > 0 :
default :
return
}
if x509_oidInExtensions ( x509_oidExtensionSubjectAltName , template . ExtraExtensions ) {
return
}
value , err := x509_marshalSANs ( template . DNSNames , template . EmailAddresses , template . IPAddresses , template . URIs )
if err != nil {
return
}
ext := pkix . Extension {
Id : x509_oidExtensionSubjectAltName ,
// From RFC 5280, Section 4.2.1.6:
// “If the subject field contains an empty sequence ... then
// subjectAltName extension ... is marked as critical”
//
// Since we just cleared the subject above, it's critical.
Critical : true ,
Value : value ,
}
template . ExtraExtensions = append ( template . ExtraExtensions , ext )
}
// x509_oidInExtensions reports whether an extension with the given oid exists in
// extensions.
func x509_oidInExtensions ( oid asn1 . ObjectIdentifier , extensions [ ] pkix . Extension ) bool {
for _ , e := range extensions {
if e . Id . Equal ( oid ) {
return true
}
}
return false
}
// x509_marshalSANs marshals a list of addresses into a the contents of an X.509
// SubjectAlternativeName extension.
func x509_marshalSANs ( dnsNames , emailAddresses [ ] string , ipAddresses [ ] net . IP , uris [ ] * url . URL ) ( derBytes [ ] byte , err error ) {
var rawValues [ ] asn1 . RawValue
for _ , name := range dnsNames {
if err := x509_isIA5String ( name ) ; err != nil {
return nil , err
}
rawValues = append ( rawValues , asn1 . RawValue { Tag : x509_nameTypeDNS , Class : 2 , Bytes : [ ] byte ( name ) } )
}
for _ , email := range emailAddresses {
if err := x509_isIA5String ( email ) ; err != nil {
return nil , err
}
rawValues = append ( rawValues , asn1 . RawValue { Tag : x509_nameTypeEmail , Class : 2 , Bytes : [ ] byte ( email ) } )
}
for _ , rawIP := range ipAddresses {
// If possible, we always want to encode IPv4 addresses in 4 bytes.
ip := rawIP . To4 ( )
if ip == nil {
ip = rawIP
}
rawValues = append ( rawValues , asn1 . RawValue { Tag : x509_nameTypeIP , Class : 2 , Bytes : ip } )
}
for _ , uri := range uris {
uriStr := uri . String ( )
if err := x509_isIA5String ( uriStr ) ; err != nil {
return nil , err
}
rawValues = append ( rawValues , asn1 . RawValue { Tag : x509_nameTypeURI , Class : 2 , Bytes : [ ] byte ( uriStr ) } )
}
return asn1 . Marshal ( rawValues )
}
func x509_isIA5String ( s string ) error {
for _ , r := range s {
// Per RFC5280 "IA5String is limited to the set of ASCII characters"
if r > unicode . MaxASCII {
return fmt . Errorf ( "x509: %q cannot be encoded as an IA5String" , s )
}
}
return nil
}