Re-vendor golang.org/x/crypto/... (#3457)

In #3454, I tried to update certificate-transparency-go, but that pulled in a bunch of extra package updates, making for a complicated PR. This PR breaks out one of the packages that needed update, to allow us to bring things up to date in a simpler, more piecemeal fashion.

$ go test golang.org/x/crypto/...
ok      golang.org/x/crypto/acme        2.564s
ok      golang.org/x/crypto/acme/autocert       0.634s
ok      golang.org/x/crypto/argon2      0.118s
ok      golang.org/x/crypto/bcrypt      2.282s
ok      golang.org/x/crypto/blake2b     0.103s
ok      golang.org/x/crypto/blake2s     0.072s
ok      golang.org/x/crypto/blowfish    0.006s
ok      golang.org/x/crypto/bn256       0.462s
ok      golang.org/x/crypto/cast5       4.288s
ok      golang.org/x/crypto/chacha20poly1305    0.037s
ok      golang.org/x/crypto/cryptobyte  0.012s
?       golang.org/x/crypto/cryptobyte/asn1     [no test files]
ok      golang.org/x/crypto/curve25519  0.029s
ok      golang.org/x/crypto/ed25519     0.082s
?       golang.org/x/crypto/ed25519/internal/edwards25519       [no test files]
ok      golang.org/x/crypto/hkdf        0.003s
ok      golang.org/x/crypto/internal/chacha20   0.002s
ok      golang.org/x/crypto/md4 0.002s
ok      golang.org/x/crypto/nacl/auth   1.473s
ok      golang.org/x/crypto/nacl/box    0.007s
ok      golang.org/x/crypto/nacl/secretbox      0.004s
ok      golang.org/x/crypto/ocsp        0.034s
ok      golang.org/x/crypto/openpgp     7.275s
ok      golang.org/x/crypto/openpgp/armor       0.015s
ok      golang.org/x/crypto/openpgp/clearsign   0.028s
ok      golang.org/x/crypto/openpgp/elgamal     0.015s
?       golang.org/x/crypto/openpgp/errors      [no test files]
ok      golang.org/x/crypto/openpgp/packet      0.170s
ok      golang.org/x/crypto/openpgp/s2k 9.401s
ok      golang.org/x/crypto/otr 0.321s
ok      golang.org/x/crypto/pbkdf2      0.046s
ok      golang.org/x/crypto/pkcs12      0.065s
ok      golang.org/x/crypto/pkcs12/internal/rc2 0.014s
ok      golang.org/x/crypto/poly1305    0.023s
ok      golang.org/x/crypto/ripemd160   0.061s
ok      golang.org/x/crypto/salsa20     0.029s
ok      golang.org/x/crypto/salsa20/salsa       0.043s
ok      golang.org/x/crypto/scrypt      0.815s
ok      golang.org/x/crypto/sha3        0.263s
ok      golang.org/x/crypto/ssh 1.175s
ok      golang.org/x/crypto/ssh/agent   0.827s
ok      golang.org/x/crypto/ssh/knownhosts      0.038s
ok      golang.org/x/crypto/ssh/terminal        0.029s
ok      golang.org/x/crypto/ssh/test    0.148s
ok      golang.org/x/crypto/tea 0.012s
ok      golang.org/x/crypto/twofish     0.013s
ok      golang.org/x/crypto/xtea        0.002s
ok      golang.org/x/crypto/xts 0.016s
Jacob Hoffman-Andrews 2018-02-20 14:32:11 -08:00 committed by Roland Bracewell Shoemaker
parent 28e1f6c7ef
commit f3fb418fb1
9 changed files with 62 additions and 54 deletions

10
Godeps/Godeps.json generated

@ -259,23 +259,23 @@
}, },
{ {
"ImportPath": "golang.org/x/crypto/ed25519", "ImportPath": "golang.org/x/crypto/ed25519",
"Rev": "7c6cc321c680f03b9ef0764448e780704f486b51" "Rev": "650f4a345ab4e5b245a3034b110ebc7299e68186"
}, },
{ {
"ImportPath": "golang.org/x/crypto/ed25519/internal/edwards25519", "ImportPath": "golang.org/x/crypto/ed25519/internal/edwards25519",
"Rev": "7c6cc321c680f03b9ef0764448e780704f486b51" "Rev": "650f4a345ab4e5b245a3034b110ebc7299e68186"
}, },
{ {
"ImportPath": "golang.org/x/crypto/ocsp", "ImportPath": "golang.org/x/crypto/ocsp",
"Rev": "7c6cc321c680f03b9ef0764448e780704f486b51" "Rev": "650f4a345ab4e5b245a3034b110ebc7299e68186"
}, },
{ {
"ImportPath": "golang.org/x/crypto/pkcs12", "ImportPath": "golang.org/x/crypto/pkcs12",
"Rev": "7c6cc321c680f03b9ef0764448e780704f486b51" "Rev": "650f4a345ab4e5b245a3034b110ebc7299e68186"
}, },
{ {
"ImportPath": "golang.org/x/crypto/pkcs12/internal/rc2", "ImportPath": "golang.org/x/crypto/pkcs12/internal/rc2",
"Rev": "7c6cc321c680f03b9ef0764448e780704f486b51" "Rev": "650f4a345ab4e5b245a3034b110ebc7299e68186"
}, },
{ {
"ImportPath": "golang.org/x/net/context", "ImportPath": "golang.org/x/net/context",

2
vendor/golang.org/x/crypto/AUTHORS generated vendored

@ -1,3 +1,3 @@
# This source code refers to The Go Authors for copyright purposes. # This source code refers to The Go Authors for copyright purposes.
# The master list of authors is in the main Go distribution, # The master list of authors is in the main Go distribution,
# visible at http://tip.golang.org/AUTHORS. # visible at https://tip.golang.org/AUTHORS.


@ -1,3 +1,3 @@
# This source code was written by the Go contributors. # This source code was written by the Go contributors.
# The master list of contributors is in the main Go distribution, # The master list of contributors is in the main Go distribution,
# visible at http://tip.golang.org/CONTRIBUTORS. # visible at https://tip.golang.org/CONTRIBUTORS.


@ -3,20 +3,20 @@
// license that can be found in the LICENSE file. // license that can be found in the LICENSE file.
// Package ed25519 implements the Ed25519 signature algorithm. See // Package ed25519 implements the Ed25519 signature algorithm. See
// http://ed25519.cr.yp.to/. // https://ed25519.cr.yp.to/.
// //
// These functions are also compatible with the “Ed25519” function defined in // These functions are also compatible with the “Ed25519” function defined in
// https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-05. // RFC 8032.
package ed25519 package ed25519
// This code is a port of the public domain, “ref10” implementation of ed25519 // This code is a port of the public domain, “ref10” implementation of ed25519
// from SUPERCOP. // from SUPERCOP.
import ( import (
"bytes"
"crypto" "crypto"
cryptorand "crypto/rand" cryptorand "crypto/rand"
"crypto/sha512" "crypto/sha512"
"crypto/subtle"
"errors" "errors"
"io" "io"
"strconv" "strconv"
@ -177,5 +177,5 @@ func Verify(publicKey PublicKey, message, sig []byte) bool {
var checkR [32]byte var checkR [32]byte
R.ToBytes(&checkR) R.ToBytes(&checkR)
return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1 return bytes.Equal(sig[:32], checkR[:])
} }
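Review bot: The last line of Verify now compares `sig[:32]` with `checkR[:]` using `bytes.Equal`, which is not constant-time, and nothing in the hunk says why that is acceptable. Both operands appear to be derived from the public key, the message and the signature rather than from secret material, so a variable-time comparison should not leak anything. A one-line comment would stop a later reader from treating it as a regression: `// sig and checkR are public values, so a variable-time comparison is fine.` Verify's body starts outside the hunk, so this reading is inferred from the visible lines only.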


@ -295,17 +295,17 @@ const (
// The enumerated reasons for revoking a certificate. See RFC 5280. // The enumerated reasons for revoking a certificate. See RFC 5280.
const ( const (
Unspecified = iota Unspecified = 0
KeyCompromise = iota KeyCompromise = 1
CACompromise = iota CACompromise = 2
AffiliationChanged = iota AffiliationChanged = 3
Superseded = iota Superseded = 4
CessationOfOperation = iota CessationOfOperation = 5
CertificateHold = iota CertificateHold = 6
_ = iota
RemoveFromCRL = iota RemoveFromCRL = 8
PrivilegeWithdrawn = iota PrivilegeWithdrawn = 9
AACompromise = iota AACompromise = 10
) )
// Request represents an OCSP request. See RFC 6960. // Request represents an OCSP request. See RFC 6960.
@ -450,8 +450,8 @@ func ParseRequest(bytes []byte) (*Request, error) {
// then the signature over the response is checked. If issuer is not nil then // then the signature over the response is checked. If issuer is not nil then
// it will be used to validate the signature or embedded certificate. // it will be used to validate the signature or embedded certificate.
// //
// Invalid signatures or parse failures will result in a ParseError. Error // Invalid responses and parse failures will result in a ParseError.
// responses will result in a ResponseError. // Error responses will result in a ResponseError.
func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) { func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) {
return ParseResponseForCert(bytes, nil, issuer) return ParseResponseForCert(bytes, nil, issuer)
} }
@ -462,8 +462,8 @@ func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) {
// issuer is not nil then it will be used to validate the signature or embedded // issuer is not nil then it will be used to validate the signature or embedded
// certificate. // certificate.
// //
// Invalid signatures or parse failures will result in a ParseError. Error // Invalid responses and parse failures will result in a ParseError.
// responses will result in a ResponseError. // Error responses will result in a ResponseError.
func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Response, error) { func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Response, error) {
var resp responseASN1 var resp responseASN1
rest, err := asn1.Unmarshal(bytes, &resp) rest, err := asn1.Unmarshal(bytes, &resp)
@ -496,10 +496,32 @@ func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Respon
return nil, ParseError("OCSP response contains bad number of responses") return nil, ParseError("OCSP response contains bad number of responses")
} }
var singleResp singleResponse
if cert == nil {
singleResp = basicResp.TBSResponseData.Responses[0]
} else {
match := false
for _, resp := range basicResp.TBSResponseData.Responses {
if cert.SerialNumber.Cmp(resp.CertID.SerialNumber) == 0 {
singleResp = resp
match = true
break
}
}
if !match {
return nil, ParseError("no response matching the supplied certificate")
}
}
ret := &Response{ ret := &Response{
TBSResponseData: basicResp.TBSResponseData.Raw, TBSResponseData: basicResp.TBSResponseData.Raw,
Signature: basicResp.Signature.RightAlign(), Signature: basicResp.Signature.RightAlign(),
SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm), SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm),
Extensions: singleResp.SingleExtensions,
SerialNumber: singleResp.CertID.SerialNumber,
ProducedAt: basicResp.TBSResponseData.ProducedAt,
ThisUpdate: singleResp.ThisUpdate,
NextUpdate: singleResp.NextUpdate,
} }
// Handle the ResponderID CHOICE tag. ResponderID can be flattened into // Handle the ResponderID CHOICE tag. ResponderID can be flattened into
@ -542,25 +564,14 @@ func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Respon
} }
} }
var r singleResponse for _, ext := range singleResp.SingleExtensions {
for _, resp := range basicResp.TBSResponseData.Responses {
if cert == nil || cert.SerialNumber.Cmp(resp.CertID.SerialNumber) == 0 {
r = resp
break
}
}
for _, ext := range r.SingleExtensions {
if ext.Critical { if ext.Critical {
return nil, ParseError("unsupported critical extension") return nil, ParseError("unsupported critical extension")
} }
} }
ret.Extensions = r.SingleExtensions
ret.SerialNumber = r.CertID.SerialNumber
for h, oid := range hashOIDs { for h, oid := range hashOIDs {
if r.CertID.HashAlgorithm.Algorithm.Equal(oid) { if singleResp.CertID.HashAlgorithm.Algorithm.Equal(oid) {
ret.IssuerHash = h ret.IssuerHash = h
break break
} }
@ -570,20 +581,16 @@ func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Respon
} }
switch { switch {
case bool(r.Good): case bool(singleResp.Good):
ret.Status = Good ret.Status = Good
case bool(r.Unknown): case bool(singleResp.Unknown):
ret.Status = Unknown ret.Status = Unknown
default: default:
ret.Status = Revoked ret.Status = Revoked
ret.RevokedAt = r.Revoked.RevocationTime ret.RevokedAt = singleResp.Revoked.RevocationTime
ret.RevocationReason = int(r.Revoked.Reason) ret.RevocationReason = int(singleResp.Revoked.Reason)
} }
ret.ProducedAt = basicResp.TBSResponseData.ProducedAt
ret.ThisUpdate = r.ThisUpdate
ret.NextUpdate = r.NextUpdate
return ret, nil return ret, nil
} }
@ -652,7 +659,7 @@ func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte
// //
// The issuer cert is used to puplate the IssuerNameHash and IssuerKeyHash fields. // The issuer cert is used to puplate the IssuerNameHash and IssuerKeyHash fields.
// //
// The template is used to populate the SerialNumber, RevocationStatus, RevokedAt, // The template is used to populate the SerialNumber, Status, RevokedAt,
// RevocationReason, ThisUpdate, and NextUpdate fields. // RevocationReason, ThisUpdate, and NextUpdate fields.
// //
// If template.IssuerHash is not set, SHA1 will be used. // If template.IssuerHash is not set, SHA1 will be used.
@ -753,7 +760,7 @@ func CreateResponse(issuer, responderCert *x509.Certificate, template Response,
} }
if template.Certificate != nil { if template.Certificate != nil {
response.Certificates = []asn1.RawValue{ response.Certificates = []asn1.RawValue{
asn1.RawValue{FullBytes: template.Certificate.Raw}, {FullBytes: template.Certificate.Raw},
} }
} }
responseDER, err := asn1.Marshal(response) responseDER, err := asn1.Marshal(response)
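Review bot: The new lookup loop in ParseResponseForCert selects the single response by `cert.SerialNumber` alone; the CertID issuer name and key hashes are not compared in the visible lines, so the match is only as strong as the signature check that the doc comment says runs when `issuer` is not nil. Callers in this repository that pass `cert` should also pass `issuer`, and the function comment could say so: `// The response is matched to cert by serial number only; pass issuer so the signature is verified.` The `cert == nil` branch indexes `Responses[0]` and relies on the "bad number of responses" guard just above it, whose condition is outside the hunk. As a style point, the loop variable `resp` shadows the outer `var resp responseASN1`; a name such as `sr` would avoid that.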


@ -13,7 +13,7 @@ import (
func bmpString(s string) ([]byte, error) { func bmpString(s string) ([]byte, error) {
// References: // References:
// https://tools.ietf.org/html/rfc7292#appendix-B.1 // https://tools.ietf.org/html/rfc7292#appendix-B.1
// http://en.wikipedia.org/wiki/Plane_(Unicode)#Basic_Multilingual_Plane // https://en.wikipedia.org/wiki/Plane_(Unicode)#Basic_Multilingual_Plane
// - non-BMP characters are encoded in UTF 16 by using a surrogate pair of 16-bit codes // - non-BMP characters are encoded in UTF 16 by using a surrogate pair of 16-bit codes
// EncodeRune returns 0xfffd if the rune does not need special encoding // EncodeRune returns 0xfffd if the rune does not need special encoding
// - the above RFC provides the info that BMPStrings are NULL terminated. // - the above RFC provides the info that BMPStrings are NULL terminated.


@ -124,7 +124,7 @@ func pbDecrypt(info decryptable, password []byte) (decrypted []byte, err error)
return return
} }
// decryptable abstracts a object that contains ciphertext. // decryptable abstracts an object that contains ciphertext.
type decryptable interface { type decryptable interface {
Algorithm() pkix.AlgorithmIdentifier Algorithm() pkix.AlgorithmIdentifier
Data() []byte Data() []byte


@ -122,7 +122,6 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
r3 = r3 + c.k[r2&63] r3 = r3 + c.k[r2&63]
for j <= 40 { for j <= 40 {
// mix r0 // mix r0
r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
r0 = rotl16(r0, 1) r0 = rotl16(r0, 1)
@ -151,7 +150,6 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
r3 = r3 + c.k[r2&63] r3 = r3 + c.k[r2&63]
for j <= 60 { for j <= 60 {
// mix r0 // mix r0
r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
r0 = rotl16(r0, 1) r0 = rotl16(r0, 1)
@ -244,7 +242,6 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
r0 = r0 - c.k[r3&63] r0 = r0 - c.k[r3&63]
for j >= 0 { for j >= 0 {
// unmix r3 // unmix r3
r3 = rotl16(r3, 16-5) r3 = rotl16(r3, 16-5)
r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)


@ -109,6 +109,10 @@ func ToPEM(pfxData []byte, password string) ([]*pem.Block, error) {
bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword) bags, encodedPassword, err := getSafeContents(pfxData, encodedPassword)
if err != nil {
return nil, err
}
blocks := make([]*pem.Block, 0, len(bags)) blocks := make([]*pem.Block, 0, len(bags))
for _, bag := range bags { for _, bag := range bags {
block, err := convertBag(&bag, encodedPassword) block, err := convertBag(&bag, encodedPassword)