Move x509 subpackage to its own repo

This avoids tying the ncdns repo to a specific Go version; we can maintain
separate branches of the x509-signature-splice repo per Go version with
much less hassle.

.travis.yml

@@ -16,7 +16,8 @@ addons:
 sudo: false
 
 install:
-  - go generate -v ./...
+  - go get -d -v -t ./...
+  - go generate -v github.com/namecoin/x509-signature-splice/...
   - go get -v -t ./...
   - env GOOS=windows GOARCH=amd64 go get -d -v -t ./...
 script:

certdehydrate/certdehydrate.go

@@ -12,7 +12,7 @@ import (
 	"time"
 )
 
-import "github.com/namecoin/ncdns/x509"
+import "github.com/namecoin/x509-signature-splice/x509"
 
 // A DehydratedCertificate represents the (nearly) minimal set of data required
 // to deterministically construct a valid x509 certificate when combined with a

certdehydrate/certdehydrate_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	"github.com/namecoin/ncdns/certdehydrate"
-	"github.com/namecoin/ncdns/x509"
+	"github.com/namecoin/x509-signature-splice/x509"
 )
 
 func TestDehydratedCertIdentityOperation(t *testing.T) {

generate_nmc_cert/falsehost.go

@@ -35,7 +35,7 @@ import (
 	//"strings"
 	"time"
 
-	"github.com/namecoin/ncdns/x509"
+	"github.com/namecoin/x509-signature-splice/x509"
 )
 
 //var (

generate_nmc_cert/main.go

@@ -38,7 +38,7 @@ import (
 	"time"
 
 	"github.com/namecoin/ncdns/certdehydrate"
-	"github.com/namecoin/ncdns/x509"
+	"github.com/namecoin/x509-signature-splice/x509"
 )
 
 var (

ncdomain/convert.go

@@ -10,8 +10,8 @@ import "github.com/namecoin/ncdns/util"
 import "strings"
 import "strconv"
 
-import "github.com/namecoin/ncdns/x509"
 import "github.com/namecoin/ncdns/certdehydrate"
+import "github.com/namecoin/x509-signature-splice/x509"
 
 const depthLimit = 16
 const mergeDepthLimit = 4

x509/install.sh

@@ -1,17 +0,0 @@
-#!/bin/bash
-
-set -eu -o pipefail
-shopt -s failglob
-
-cp -a $(go env GOROOT)/src/crypto/x509/* ./
-rm ./x509_test.go
-
-# Stdlib x509 relies on "internal" packages in Go, which aren't importable
-# outside of stdlib.  So we copy those packages and rename them.
-OLD_INTERNAL_PATH=$(go env GOROOT)/src/internal/x/crypto/cryptobyte
-NEW_INTERNAL_PATH=$(go env GOPATH)/src/github.com/namecoin/ncdns/x509/golang/x/crypto/cryptobyte
-mkdir -p ${NEW_INTERNAL_PATH}/
-cp -R ${OLD_INTERNAL_PATH}/* ${NEW_INTERNAL_PATH}/
-OLD_PACKAGE='"internal/x/crypto/cryptobyte'
-NEW_PACKAGE='"github.com/namecoin/ncdns/x509/golang/x/crypto/cryptobyte'
-sed -i "s_${OLD_PACKAGE}_${NEW_PACKAGE}_g" ./*.go ${NEW_INTERNAL_PATH}/*.go

x509/x509_splice.go

@@ -1,192 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Modifications Copyright 2015-2019 Jeremy Rand. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code is modified from the stock CreateCertificate to use a
-// pre-existing signature.
-
-// Last rebased on Go 1.12
-// Remove all content between "import" and "CreateCertificate" in original.
-// Remove all content after "CreateCertificate" in original.
-//go:generate bash install.sh
-
-// Package x509 parses X.509-encoded keys and certificates.
-//
-// On UNIX systems the environment variables SSL_CERT_FILE and SSL_CERT_DIR
-// can be used to override the system default locations for the SSL certificate
-// file and SSL certificate files directory, respectively.
-package x509
-
-import (
-	"bytes"
-	//"crypto"
-	//"crypto/dsa"
-	//"crypto/ecdsa"
-	//"crypto/elliptic"
-	//"crypto/rsa"
-	_ "crypto/sha1"
-	_ "crypto/sha256"
-	_ "crypto/sha512"
-	//"crypto/x509/pkix"
-	"encoding/asn1"
-	//"encoding/pem"
-	"errors"
-	//"fmt"
-	//"internal/x/crypto/cryptobyte"
-	//cryptobyte_asn1 "internal/x/crypto/cryptobyte/asn1"
-	//"io"
-	//"math/big"
-	//"net"
-	//"net/url"
-	//"strconv"
-	//"strings"
-	//"time"
-	//"unicode/utf8"
-)
-
-// CreateCertificate creates a new X.509v3 certificate based on a template.
-// The following members of template are used:
-//
-//  - AuthorityKeyId
-//  - BasicConstraintsValid
-//  - CRLDistributionPoints
-//  - DNSNames
-//  - EmailAddresses
-//  - ExcludedDNSDomains
-//  - ExcludedEmailAddresses
-//  - ExcludedIPRanges
-//  - ExcludedURIDomains
-//  - ExtKeyUsage
-//  - ExtraExtensions
-//  - IsCA
-//  - IssuingCertificateURL
-//  - KeyUsage
-//  - MaxPathLen
-//  - MaxPathLenZero
-//  - NotAfter
-//  - NotBefore
-//  - OCSPServer
-//  - PermittedDNSDomains
-//  - PermittedDNSDomainsCritical
-//  - PermittedEmailAddresses
-//  - PermittedIPRanges
-//  - PermittedURIDomains
-//  - PolicyIdentifiers
-//  - SerialNumber
-//  - SignatureAlgorithm
-//  - Subject
-//  - SubjectKeyId
-//  - URIs
-//  - UnknownExtKeyUsage
-//
-// The certificate is signed by parent. If parent is equal to template then the
-// certificate is self-signed. The parameter pub is the public key of the
-// signee and priv is the private key of the signer.
-//
-// The returned slice is the certificate in DER encoding.
-//
-// All keys types that are implemented via crypto.Signer are supported (This
-// includes *rsa.PublicKey and *ecdsa.PublicKey.)
-//
-// The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
-// unless the resulting certificate is self-signed. Otherwise the value from
-// template will be used.
-//func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error) {
-func CreateCertificateWithSplicedSignature(template, parent *Certificate) (cert []byte, err error) {
-	//key, ok := priv.(crypto.Signer)
-	//if !ok {
-	//	return nil, errors.New("x509: certificate private key does not implement crypto.Signer")
-	//}
-
-	if template.SerialNumber == nil {
-		return nil, errors.New("x509: no SerialNumber given")
-	}
-
-	//hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(key.Public(), template.SignatureAlgorithm)
-	//if err != nil {
-	//	return nil, err
-	//}
-
-	// This block added
-	_, signatureAlgorithm, err := signingParamsForPublicKey(parent.PublicKey, template.SignatureAlgorithm)
-	if err != nil {
-		return nil, err
-	}
-
-	// This line added
-	pub := template.PublicKey
-
-	publicKeyBytes, publicKeyAlgorithm, err := marshalPublicKey(pub)
-	if err != nil {
-		return nil, err
-	}
-
-	asn1Issuer, err := subjectBytes(parent)
-	if err != nil {
-		return
-	}
-
-	asn1Subject, err := subjectBytes(template)
-	if err != nil {
-		return
-	}
-
-	authorityKeyId := template.AuthorityKeyId
-	if !bytes.Equal(asn1Issuer, asn1Subject) && len(parent.SubjectKeyId) > 0 {
-		authorityKeyId = parent.SubjectKeyId
-	}
-
-	extensions, err := buildExtensions(template, bytes.Equal(asn1Subject, emptyASN1Subject), authorityKeyId)
-	if err != nil {
-		return
-	}
-
-	encodedPublicKey := asn1.BitString{BitLength: len(publicKeyBytes) * 8, Bytes: publicKeyBytes}
-	c := tbsCertificate{
-		Version:            2,
-		SerialNumber:       template.SerialNumber,
-		SignatureAlgorithm: signatureAlgorithm,
-		Issuer:             asn1.RawValue{FullBytes: asn1Issuer},
-		Validity:           validity{template.NotBefore.UTC(), template.NotAfter.UTC()},
-		Subject:            asn1.RawValue{FullBytes: asn1Subject},
-		PublicKey:          publicKeyInfo{nil, publicKeyAlgorithm, encodedPublicKey},
-		Extensions:         extensions,
-	}
-
-	tbsCertContents, err := asn1.Marshal(c)
-	if err != nil {
-		return
-	}
-
-	c.Raw = tbsCertContents
-
-	//h := hashFunc.New()
-	//h.Write(tbsCertContents)
-	//digest := h.Sum(nil)
-
-	//var signerOpts crypto.SignerOpts
-	//signerOpts = hashFunc
-	//if template.SignatureAlgorithm != 0 && template.SignatureAlgorithm.isRSAPSS() {
-	//	signerOpts = &rsa.PSSOptions{
-	//		SaltLength: rsa.PSSSaltLengthEqualsHash,
-	//		Hash:       hashFunc,
-	//	}
-	//}
-
-	//var signature []byte
-	//signature, err = key.Sign(rand, digest, signerOpts)
-	//if err != nil {
-	//	return
-	//}
-
-	// This line added
-	signature := template.Signature
-
-	return asn1.Marshal(certificate{
-		nil,
-		c,
-		signatureAlgorithm,
-		asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
-	})
-}