crypto/x509: remove explicit uses of rsa.

(Sending to r because of the API change.)

Over time we might want to add support for other key types.

While I was in the code, I also made the use of RawSubject the same
between Subject and Issuer when creating certificates.

R=r, rsc
CC=golang-dev
https://golang.org/cl/5554049

diff --git a/doc/go1.tmpl b/doc/go1.tmpl
index 185d9d42c1f8ddc90c1e394af2f33550893e209c..ff58d16c3451cc57dc7e84e2d4d653e091125d83 100644 (file)
--- a/doc/go1.tmpl
+++ b/doc/go1.tmpl
@@ -592,7 +592,7 @@ the correct function or method for the old functionality, but
 may have the wrong type or require further analysis.
 </p>
 
-<h3 id="hash">The crypto/elliptic package</h3>
+<h3 id="crypto/elliptic">The crypto/elliptic package</h3>
 
 <p>
 In Go 1, <a href="/pkg/crypto/elliptic/#Curve"><code>elliptic.Curve</code></a>
@@ -607,10 +607,28 @@ structure.
 Existing users of <code>*elliptic.Curve</code> will need to change to
 simply <code>elliptic.Curve</code>. Calls to <code>Marshal</code>,
 <code>Unmarshal</code> and <code>GenerateKey</code> are now functions
-in <code>crypto.elliptic</code> that take an <code>elliptic.Curve</code>
+in <code>crypto/elliptic</code> that take an <code>elliptic.Curve</code>
 as their first argument.
 </p>
 
+<h3 id="crypto/x509">The crypto/x509 package</h3>
+
+<p>
+In Go 1, the
+<a href="/pkg/crypto/x509/#CreateCertificate"><code>CreateCertificate</code></a>
+and
+<a href="/pkg/crypto/x509/#CreateCRL"><code>CreateCRL</code></a>
+functions in <code>crypto/x509</code> have been altered to take an
+<code>interface{}</code> where they previously took a <code>*rsa.PublicKey</code>
+or <code>*rsa.PrivateKey</code>. This will allow other public key algorithms
+to be implemented in the future.
+</p>
+
+<p>
+<em>Updating</em>:
+No changes will be needed.
+</p>
+
 <h3 id="hash">The hash package</h3>
 
 <p>

diff --git a/src/pkg/crypto/x509/x509.go b/src/pkg/crypto/x509/x509.go
index 28c7880e531922950c04d9a2d4bee9436103c0be..bf39c5dec0af7cdb99cdd56caaea8383bd9e10b4 100644 (file)
--- a/src/pkg/crypto/x509/x509.go
+++ b/src/pkg/crypto/x509/x509.go
@@ -899,6 +899,14 @@ var (
        oidRSA         = []int{1, 2, 840, 113549, 1, 1, 1}
 )
 
+func subjectBytes(cert *Certificate) ([]byte, error) {
+       if len(cert.RawSubject) > 0 {
+               return cert.RawSubject, nil
+       }
+
+       return asn1.Marshal(cert.Subject.ToRDNSequence())
+}
+
 // CreateCertificate creates a new certificate based on a template. The
 // following members of template are used: SerialNumber, Subject, NotBefore,
 // NotAfter, KeyUsage, BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId,
@@ -909,10 +917,23 @@ var (
 // signee and priv is the private key of the signer.
 //
 // The returned slice is the certificate in DER encoding.
-func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (cert []byte, err error) {
+//
+// The only supported key type is RSA (*rsa.PublicKey for pub, *rsa.PrivateKey
+// for priv).
+func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interface{}, priv interface{}) (cert []byte, err error) {
+       rsaPub, ok := pub.(*rsa.PublicKey)
+       if !ok {
+               return nil, errors.New("x509: non-RSA public keys not supported")
+       }
+
+       rsaPriv, ok := priv.(*rsa.PrivateKey)
+       if !ok {
+               return nil, errors.New("x509: non-RSA private keys not supported")
+       }
+
        asn1PublicKey, err := asn1.Marshal(rsaPublicKey{
-               N: pub.N,
-               E: pub.E,
+               N: rsaPub.N,
+               E: rsaPub.E,
        })
        if err != nil {
                return
@@ -927,16 +948,12 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P
                return
        }
 
-       var asn1Issuer []byte
-       if len(parent.RawSubject) > 0 {
-               asn1Issuer = parent.RawSubject
-       } else {
-               if asn1Issuer, err = asn1.Marshal(parent.Subject.ToRDNSequence()); err != nil {
-                       return
-               }
+       asn1Issuer, err := subjectBytes(parent)
+       if err != nil {
+               return
        }
 
-       asn1Subject, err := asn1.Marshal(template.Subject.ToRDNSequence())
+       asn1Subject, err := subjectBytes(template)
        if err != nil {
                return
        }
@@ -964,7 +981,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub *rsa.P
        h.Write(tbsCertContents)
        digest := h.Sum(nil)
 
-       signature, err := rsa.SignPKCS1v15(rand, priv, crypto.SHA1, digest)
+       signature, err := rsa.SignPKCS1v15(rand, rsaPriv, crypto.SHA1, digest)
        if err != nil {
                return
        }
@@ -1011,7 +1028,13 @@ func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error) {
 
 // CreateCRL returns a DER encoded CRL, signed by this Certificate, that
 // contains the given list of revoked certificates.
-func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
+//
+// The only supported key type is RSA (*rsa.PrivateKey for priv).
+func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) {
+       rsaPriv, ok := priv.(*rsa.PrivateKey)
+       if !ok {
+               return nil, errors.New("x509: non-RSA private keys not supported")
+       }
        tbsCertList := pkix.TBSCertificateList{
                Version: 2,
                Signature: pkix.AlgorithmIdentifier{
@@ -1032,7 +1055,7 @@ func (c *Certificate) CreateCRL(rand io.Reader, priv *rsa.PrivateKey, revokedCer
        h.Write(tbsCertListContents)
        digest := h.Sum(nil)
 
-       signature, err := rsa.SignPKCS1v15(rand, priv, crypto.SHA1, digest)
+       signature, err := rsa.SignPKCS1v15(rand, rsaPriv, crypto.SHA1, digest)
        if err != nil {
                return
        }