-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsubject.go
100 lines (91 loc) · 2.74 KB
/
subject.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
package authrootstl
import (
"encoding/asn1"
"encoding/binary"
"fmt"
"time"
"unicode/utf16"
)
// ctl object ids
const (
ctlOidFriendlyName = "1.3.6.1.4.1.311.10.11.11"
ctlOidKeyId = "1.3.6.1.4.1.311.10.11.20"
ctlOidSubjectNameMD5 = "1.3.6.1.4.1.311.10.11.29"
ctlOidSHA256Fingerprint = "1.3.6.1.4.1.311.10.11.98"
ctlOidEKU = "1.3.6.1.4.1.311.10.11.9"
ctlOidNotBeforeEKU = "1.3.6.1.4.1.311.10.11.127"
ctlOidDisabledDate = "1.3.6.1.4.1.311.10.11.104"
ctlOidNotBeforeDate = "1.3.6.1.4.1.311.10.11.126"
)
func (subject trustedSubjectType) Subject() (*Subject, error) {
result := Subject{
SHA1Fingerprint: fmt.Sprintf("%X", subject.SubjectIdentifier),
}
for _, attribute := range subject.SubjectAttributes {
if err := processAttribute(attribute, &result); err != nil {
return nil, err
}
}
if result.FriendlyName == "" {
return nil, fmt.Errorf("no friendly name")
}
if result.SHA256Fingerprint == "" {
return nil, fmt.Errorf("no sha256 fingerprint")
}
if result.SHA1Fingerprint == "" {
return nil, fmt.Errorf("no sha1 fingerprint")
}
return &result, nil
}
func processAttribute(attribute attributeType, subject *Subject) error {
attrOid := attribute.Identifier.String()
switch attrOid {
case ctlOidFriendlyName:
subject.FriendlyName = decodeUTF16Bytes(attribute.Values[0])
case ctlOidKeyId:
subject.KeyID = fmt.Sprintf("%0X", attribute.Values[0])
case ctlOidSubjectNameMD5:
subject.SubjectNameMD5 = fmt.Sprintf("%X", attribute.Values[0])
case ctlOidSHA256Fingerprint:
subject.SHA256Fingerprint = fmt.Sprintf("%X", attribute.Values[0])
case ctlOidEKU, ctlOidNotBeforeEKU:
var v []asn1.ObjectIdentifier
if _, err := asn1.Unmarshal(attribute.Values[0], &v); err != nil {
return fmt.Errorf("stl: invalid attribute value for key usage attribute: %s", err.Error())
}
if attrOid == ctlOidEKU {
subject.MicrosoftExtendedKeyUsage = v
} else {
subject.NotBeforeEKU = v
}
case ctlOidDisabledDate:
if len(attribute.Values[0]) != 8 {
return nil
}
t := filetimeBytesToTime(attribute.Values[0])
subject.DisabledDate = &t
case ctlOidNotBeforeDate:
if len(attribute.Values[0]) != 8 {
return nil
}
t := filetimeBytesToTime(attribute.Values[0])
subject.NotBefore = &t
}
return nil
}
func filetimeBytesToTime(ft []byte) time.Time {
low := binary.LittleEndian.Uint32(ft[:4])
high := binary.LittleEndian.Uint32(ft[4:])
nsec := int64(high)<<32 + int64(low)
nsec -= 116444736000000000
nsec *= 100
return time.Unix(0, nsec)
}
func decodeUTF16Bytes(b []byte) string {
utf := make([]uint16, (len(b)+1)/2)
for i := 0; i+1 < len(b); i += 2 {
utf[i/2] = binary.LittleEndian.Uint16(b[i:])
}
r := utf16.Decode(utf)
return string(r[0 : len(r)-1]) // strip the \NUL terminator
}