Bump cfssl to 56268a6

2018-08-08 21:22:01 -07:00
parent 952fc9f6f8
commit ed7304b30c
45 changed files with 7832 additions and 241 deletions
--- a/vendor/github.com/cloudflare/cfssl/helpers/BUILD
+++ b/vendor/github.com/cloudflare/cfssl/helpers/BUILD
@@ -13,6 +13,7 @@ go_library(
        "//vendor/github.com/cloudflare/cfssl/log:go_default_library",
        "//vendor/github.com/google/certificate-transparency-go:go_default_library",
        "//vendor/github.com/google/certificate-transparency-go/tls:go_default_library",
+        "//vendor/github.com/google/certificate-transparency-go/x509:go_default_library",
        "//vendor/golang.org/x/crypto/ocsp:go_default_library",
        "//vendor/golang.org/x/crypto/pkcs12:go_default_library",
    ],
--- a/vendor/github.com/cloudflare/cfssl/helpers/derhelpers/BUILD
+++ b/vendor/github.com/cloudflare/cfssl/helpers/derhelpers/BUILD
@@ -2,11 +2,17 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")

 go_library(
    name = "go_default_library",
-    srcs = ["derhelpers.go"],
+    srcs = [
+        "derhelpers.go",
+        "ed25519.go",
+    ],
    importmap = "k8s.io/kubernetes/vendor/github.com/cloudflare/cfssl/helpers/derhelpers",
    importpath = "github.com/cloudflare/cfssl/helpers/derhelpers",
    visibility = ["//visibility:public"],
-    deps = ["//vendor/github.com/cloudflare/cfssl/errors:go_default_library"],
+    deps = [
+        "//vendor/github.com/cloudflare/cfssl/errors:go_default_library",
+        "//vendor/golang.org/x/crypto/ed25519:go_default_library",
+    ],
 )

 filegroup(
--- a/vendor/github.com/cloudflare/cfssl/helpers/derhelpers/derhelpers.go
+++ b/vendor/github.com/cloudflare/cfssl/helpers/derhelpers/derhelpers.go
@@ -9,10 +9,11 @@ import (
 	"crypto/x509"

 	cferr "github.com/cloudflare/cfssl/errors"
+	"golang.org/x/crypto/ed25519"
 )

-// ParsePrivateKeyDER parses a PKCS #1, PKCS #8, or elliptic curve
-// DER-encoded private key. The key must not be in PEM format.
+// ParsePrivateKeyDER parses a PKCS #1, PKCS #8, ECDSA, or Ed25519 DER-encoded
+// private key. The key must not be in PEM format.
 func ParsePrivateKeyDER(keyDER []byte) (key crypto.Signer, err error) {
 	generalKey, err := x509.ParsePKCS8PrivateKey(keyDER)
 	if err != nil {
@@ -20,12 +21,15 @@ func ParsePrivateKeyDER(keyDER []byte) (key crypto.Signer, err error) {
 		if err != nil {
 			generalKey, err = x509.ParseECPrivateKey(keyDER)
 			if err != nil {
-				// We don't include the actual error into
-				// the final error. The reason might be
-				// we don't want to leak any info about
-				// the private key.
-				return nil, cferr.New(cferr.PrivateKeyError,
-					cferr.ParseFailed)
+				generalKey, err = ParseEd25519PrivateKey(keyDER)
+				if err != nil {
+					// We don't include the actual error into
+					// the final error. The reason might be
+					// we don't want to leak any info about
+					// the private key.
+					return nil, cferr.New(cferr.PrivateKeyError,
+						cferr.ParseFailed)
+				}
 			}
 		}
 	}
@@ -35,6 +39,8 @@ func ParsePrivateKeyDER(keyDER []byte) (key crypto.Signer, err error) {
 		return generalKey.(*rsa.PrivateKey), nil
 	case *ecdsa.PrivateKey:
 		return generalKey.(*ecdsa.PrivateKey), nil
+	case ed25519.PrivateKey:
+		return generalKey.(ed25519.PrivateKey), nil
 	}

 	// should never reach here
--- a/vendor/github.com/cloudflare/cfssl/helpers/derhelpers/ed25519.go
+++ b/vendor/github.com/cloudflare/cfssl/helpers/derhelpers/ed25519.go
@@ -0,0 +1,133 @@
+package derhelpers
+
+import (
+	"crypto"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"errors"
+
+	"golang.org/x/crypto/ed25519"
+)
+
+var errEd25519WrongID = errors.New("incorrect object identifier")
+var errEd25519WrongKeyType = errors.New("incorrect key type")
+
+// ed25519OID is the OID for the Ed25519 signature scheme: see
+// https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix-04.
+var ed25519OID = asn1.ObjectIdentifier{1, 3, 101, 112}
+
+// subjectPublicKeyInfo reflects the ASN.1 object defined in the X.509 standard.
+//
+// This is defined in crypto/x509 as "publicKeyInfo".
+type subjectPublicKeyInfo struct {
+	Algorithm pkix.AlgorithmIdentifier
+	PublicKey asn1.BitString
+}
+
+// MarshalEd25519PublicKey creates a DER-encoded SubjectPublicKeyInfo for an
+// ed25519 public key, as defined in
+// https://tools.ietf.org/html/draft-ietf-curdle-pkix-04. This is analagous to
+// MarshalPKIXPublicKey in crypto/x509, which doesn't currently support Ed25519.
+func MarshalEd25519PublicKey(pk crypto.PublicKey) ([]byte, error) {
+	pub, ok := pk.(ed25519.PublicKey)
+	if !ok {
+		return nil, errEd25519WrongKeyType
+	}
+
+	spki := subjectPublicKeyInfo{
+		Algorithm: pkix.AlgorithmIdentifier{
+			Algorithm: ed25519OID,
+		},
+		PublicKey: asn1.BitString{
+			BitLength: len(pub) * 8,
+			Bytes:     pub,
+		},
+	}
+
+	return asn1.Marshal(spki)
+}
+
+// ParseEd25519PublicKey returns the Ed25519 public key encoded by the input.
+func ParseEd25519PublicKey(der []byte) (crypto.PublicKey, error) {
+	var spki subjectPublicKeyInfo
+	if rest, err := asn1.Unmarshal(der, &spki); err != nil {
+		return nil, err
+	} else if len(rest) > 0 {
+		return nil, errors.New("SubjectPublicKeyInfo too long")
+	}
+
+	if !spki.Algorithm.Algorithm.Equal(ed25519OID) {
+		return nil, errEd25519WrongID
+	}
+
+	if spki.PublicKey.BitLength != ed25519.PublicKeySize*8 {
+		return nil, errors.New("SubjectPublicKeyInfo PublicKey length mismatch")
+	}
+
+	return ed25519.PublicKey(spki.PublicKey.Bytes), nil
+}
+
+// oneAsymmetricKey reflects the ASN.1 structure for storing private keys in
+// https://tools.ietf.org/html/draft-ietf-curdle-pkix-04, excluding the optional
+// fields, which we don't use here.
+//
+// This is identical to pkcs8 in crypto/x509.
+type oneAsymmetricKey struct {
+	Version    int
+	Algorithm  pkix.AlgorithmIdentifier
+	PrivateKey []byte
+}
+
+// curvePrivateKey is the innter type of the PrivateKey field of
+// oneAsymmetricKey.
+type curvePrivateKey []byte
+
+// MarshalEd25519PrivateKey returns a DER encdoing of the input private key as
+// specified in https://tools.ietf.org/html/draft-ietf-curdle-pkix-04.
+func MarshalEd25519PrivateKey(sk crypto.PrivateKey) ([]byte, error) {
+	priv, ok := sk.(ed25519.PrivateKey)
+	if !ok {
+		return nil, errEd25519WrongKeyType
+	}
+
+	// Marshal the innter CurvePrivateKey.
+	curvePrivateKey, err := asn1.Marshal(priv.Seed())
+	if err != nil {
+		return nil, err
+	}
+
+	// Marshal the OneAsymmetricKey.
+	asym := oneAsymmetricKey{
+		Version: 0,
+		Algorithm: pkix.AlgorithmIdentifier{
+			Algorithm: ed25519OID,
+		},
+		PrivateKey: curvePrivateKey,
+	}
+	return asn1.Marshal(asym)
+}
+
+// ParseEd25519PrivateKey returns the Ed25519 private key encoded by the input.
+func ParseEd25519PrivateKey(der []byte) (crypto.PrivateKey, error) {
+	asym := new(oneAsymmetricKey)
+	if rest, err := asn1.Unmarshal(der, asym); err != nil {
+		return nil, err
+	} else if len(rest) > 0 {
+		return nil, errors.New("OneAsymmetricKey too long")
+	}
+
+	// Check that the key type is correct.
+	if !asym.Algorithm.Algorithm.Equal(ed25519OID) {
+		return nil, errEd25519WrongID
+	}
+
+	// Unmarshal the inner CurvePrivateKey.
+	seed := new(curvePrivateKey)
+	if rest, err := asn1.Unmarshal(asym.PrivateKey, seed); err != nil {
+		return nil, err
+	} else if len(rest) > 0 {
+		return nil, errors.New("CurvePrivateKey too long")
+	}
+
+	return ed25519.NewKeyFromSeed(*seed), nil
+}
--- a/vendor/github.com/cloudflare/cfssl/helpers/helpers.go
+++ b/vendor/github.com/cloudflare/cfssl/helpers/helpers.go
@@ -12,16 +12,15 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
-	"encoding/binary"
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io"
 	"io/ioutil"
 	"os"

 	"github.com/google/certificate-transparency-go"
 	cttls "github.com/google/certificate-transparency-go/tls"
+	ctx509 "github.com/google/certificate-transparency-go/x509"
 	"golang.org/x/crypto/ocsp"

 	"strings"
@@ -185,7 +184,20 @@ func HashAlgoString(alg x509.SignatureAlgorithm) string {
 	}
 }

-// EncodeCertificatesPEM encodes a number of x509 certficates to PEM
+// StringTLSVersion returns underlying enum values from human names for TLS
+// versions, defaults to current golang default of TLS 1.0
+func StringTLSVersion(version string) uint16 {
+	switch version {
+	case "1.2":
+		return tls.VersionTLS12
+	case "1.1":
+		return tls.VersionTLS11
+	default:
+		return tls.VersionTLS10
+	}
+}
+
+// EncodeCertificatesPEM encodes a number of x509 certificates to PEM
 func EncodeCertificatesPEM(certs []*x509.Certificate) []byte {
 	var buffer bytes.Buffer
 	for _, cert := range certs {
@@ -198,7 +210,7 @@ func EncodeCertificatesPEM(certs []*x509.Certificate) []byte {
 	return buffer.Bytes()
 }

-// EncodeCertificatePEM encodes a single x509 certficates to PEM
+// EncodeCertificatePEM encodes a single x509 certificates to PEM
 func EncodeCertificatePEM(cert *x509.Certificate) []byte {
 	return EncodeCertificatesPEM([]*x509.Certificate{cert})
 }
@@ -408,7 +420,7 @@ func ParseCSR(in []byte) (csr *x509.CertificateRequest, rest []byte, err error)
 	return csr, rest, nil
 }

-// ParseCSRPEM parses a PEM-encoded certificiate signing request.
+// ParseCSRPEM parses a PEM-encoded certificate signing request.
 // It does not check the signature. This is useful for dumping data from a CSR
 // locally.
 func ParseCSRPEM(csrPEM []byte) (*x509.CertificateRequest, error) {
@@ -484,64 +496,40 @@ func CreateTLSConfig(remoteCAs *x509.CertPool, cert *tls.Certificate) *tls.Confi

 // SerializeSCTList serializes a list of SCTs.
 func SerializeSCTList(sctList []ct.SignedCertificateTimestamp) ([]byte, error) {
-	var buf bytes.Buffer
+	list := ctx509.SignedCertificateTimestampList{}
 	for _, sct := range sctList {
-		sct, err := cttls.Marshal(sct)
+		sctBytes, err := cttls.Marshal(sct)
 		if err != nil {
 			return nil, err
 		}
-		binary.Write(&buf, binary.BigEndian, uint16(len(sct)))
-		buf.Write(sct)
+		list.SCTList = append(list.SCTList, ctx509.SerializedSCT{Val: sctBytes})
 	}
-
-	var sctListLengthField = make([]byte, 2)
-	binary.BigEndian.PutUint16(sctListLengthField, uint16(buf.Len()))
-	return bytes.Join([][]byte{sctListLengthField, buf.Bytes()}, nil), nil
+	return cttls.Marshal(list)
 }

 // DeserializeSCTList deserializes a list of SCTs.
-func DeserializeSCTList(serializedSCTList []byte) (*[]ct.SignedCertificateTimestamp, error) {
-	sctList := new([]ct.SignedCertificateTimestamp)
-	sctReader := bytes.NewBuffer(serializedSCTList)
-
-	var sctListLen uint16
-	err := binary.Read(sctReader, binary.BigEndian, &sctListLen)
+func DeserializeSCTList(serializedSCTList []byte) ([]ct.SignedCertificateTimestamp, error) {
+	var sctList ctx509.SignedCertificateTimestampList
+	rest, err := cttls.Unmarshal(serializedSCTList, &sctList)
 	if err != nil {
-		if err == io.EOF {
-			return sctList, cferr.Wrap(cferr.CTError, cferr.Unknown,
-				errors.New("serialized SCT list could not be read"))
-		}
-		return sctList, cferr.Wrap(cferr.CTError, cferr.Unknown, err)
+		return nil, err
 	}
-	if sctReader.Len() != int(sctListLen) {
-		return sctList, errors.New("SCT length field and SCT length don't match")
+	if len(rest) != 0 {
+		return nil, cferr.Wrap(cferr.CTError, cferr.Unknown, errors.New("serialized SCT list contained trailing garbage"))
 	}
-
-	for err != io.EOF {
-		var sctLen uint16
-		err = binary.Read(sctReader, binary.BigEndian, &sctLen)
-		if err != nil {
-			if err == io.EOF {
-				return sctList, nil
-			}
-			return sctList, cferr.Wrap(cferr.CTError, cferr.Unknown, err)
-		}
-
-		if sctReader.Len() < int(sctLen) {
-			return sctList, errors.New("SCT length field and SCT length don't match")
-		}
-
-		serializedSCT := sctReader.Next(int(sctLen))
+	list := make([]ct.SignedCertificateTimestamp, len(sctList.SCTList))
+	for i, serializedSCT := range sctList.SCTList {
 		var sct ct.SignedCertificateTimestamp
-		if _, err := cttls.Unmarshal(serializedSCT, &sct); err != nil {
-			return sctList, cferr.Wrap(cferr.CTError, cferr.Unknown, err)
+		rest, err := cttls.Unmarshal(serializedSCT.Val, &sct)
+		if err != nil {
+			return nil, err
 		}
-
-		temp := append(*sctList, sct)
-		sctList = &temp
+		if len(rest) != 0 {
+			return nil, cferr.Wrap(cferr.CTError, cferr.Unknown, errors.New("serialized SCT contained trailing garbage"))
+		}
+		list[i] = sct
 	}
-
-	return sctList, cferr.Wrap(cferr.CTError, cferr.Unknown, err)
+	return list, nil
 }

 // SCTListFromOCSPResponse extracts the SCTList from an ocsp.Response,
@@ -560,22 +548,21 @@ func SCTListFromOCSPResponse(response *ocsp.Response) ([]ct.SignedCertificateTim
 	}

 	// This code block extracts the sctList from the SCT extension.
-	var emptySCTList []ct.SignedCertificateTimestamp
-	sctList := &emptySCTList
+	var sctList []ct.SignedCertificateTimestamp
 	var err error
 	if numBytes := len(SCTListExtension.Value); numBytes != 0 {
-		serializedSCTList := new([]byte)
+		var serializedSCTList []byte
 		rest := make([]byte, numBytes)
 		copy(rest, SCTListExtension.Value)
 		for len(rest) != 0 {
-			rest, err = asn1.Unmarshal(rest, serializedSCTList)
+			rest, err = asn1.Unmarshal(rest, &serializedSCTList)
 			if err != nil {
 				return nil, cferr.Wrap(cferr.CTError, cferr.Unknown, err)
 			}
 		}
-		sctList, err = DeserializeSCTList(*serializedSCTList)
+		sctList, err = DeserializeSCTList(serializedSCTList)
 	}
-	return *sctList, err
+	return sctList, err
 }

 // ReadBytes reads a []byte either from a file or an environment variable.