chore: update vendor

2018-07-03 18:25:07 +11:00
parent ecb3e9c868
commit f91ae88876
211 changed files with 18789 additions and 46221 deletions
--- a/vendor/github.com/google/certificate-transparency-go/x509util/files.go
+++ b/vendor/github.com/google/certificate-transparency-go/x509util/files.go
@ -19,7 +19,10 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"strings"
+
+	"github.com/google/certificate-transparency-go/x509"
 )

 // ReadPossiblePEMFile loads data from a file which may be in DER format
@ -71,3 +74,42 @@ func dePEM(data []byte, blockname string) [][]byte {
 	}
 	return results
 }
+
+// ReadFileOrURL returns the data from a target which may be either a filename
+// or an HTTP(S) URL.
+func ReadFileOrURL(target string, client *http.Client) ([]byte, error) {
+	u, err := url.Parse(target)
+	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
+		return ioutil.ReadFile(target)
+	}
+
+	rsp, err := client.Get(u.String())
+	if err != nil {
+		return nil, fmt.Errorf("failed to http.Get(%q): %v", target, err)
+	}
+	return ioutil.ReadAll(rsp.Body)
+}
+
+// GetIssuer attempts to retrieve the issuer for a certificate, by examining
+// the cert's Authority Information Access extension (if present) for the
+// issuer's URL and retrieving from there.
+func GetIssuer(cert *x509.Certificate, client *http.Client) (*x509.Certificate, error) {
+	if len(cert.IssuingCertificateURL) == 0 {
+		return nil, nil
+	}
+	issuerURL := cert.IssuingCertificateURL[0]
+	rsp, err := client.Get(issuerURL)
+	if err != nil || rsp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("failed to get issuer from %q: %v", issuerURL, err)
+	}
+	defer rsp.Body.Close()
+	body, err := ioutil.ReadAll(rsp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read issuer from %q: %v", issuerURL, err)
+	}
+	issuers, err := x509.ParseCertificates(body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse issuer cert: %v", err)
+	}
+	return issuers[0], nil
+}
--- a/vendor/github.com/google/certificate-transparency-go/x509util/x509util.go
+++ b/vendor/github.com/google/certificate-transparency-go/x509util/x509util.go
@ -659,12 +659,86 @@ func oidAlreadyPrinted(oid asn1.ObjectIdentifier) bool {
 	return false
 }

-// CertificateFromPEM takes a string representing a certificate in PEM format
-// and returns the corresponding x509.Certificate object.
-func CertificateFromPEM(pemBytes string) (*x509.Certificate, error) {
-	block, _ := pem.Decode([]byte(pemBytes))
+// CertificateFromPEM takes a certificate in PEM format and returns the
+// corresponding x509.Certificate object.
+func CertificateFromPEM(pemBytes []byte) (*x509.Certificate, error) {
+	block, rest := pem.Decode(pemBytes)
+	if len(rest) != 0 {
+		return nil, errors.New("trailing data found after PEM block")
+	}
 	if block == nil {
-		return nil, errors.New("failed to decode PEM")
+		return nil, errors.New("PEM block is nil")
+	}
+	if block.Type != "CERTIFICATE" {
+		return nil, errors.New("PEM block is not a CERTIFICATE")
 	}
 	return x509.ParseCertificate(block.Bytes)
 }
+
+// CertificatesFromPEM parses one or more certificates from the given PEM data.
+// The PEM certificates must be concatenated.  This function can be used for
+// parsing PEM-formatted certificate chains, but does not verify that the
+// resulting chain is a valid certificate chain.
+func CertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error) {
+	var chain []*x509.Certificate
+	for {
+		var block *pem.Block
+		block, pemBytes = pem.Decode(pemBytes)
+		if block == nil {
+			return chain, nil
+		}
+		if block.Type != "CERTIFICATE" {
+			return nil, fmt.Errorf("PEM block is not a CERTIFICATE")
+		}
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, errors.New("failed to parse certificate")
+		}
+		chain = append(chain, cert)
+	}
+}
+
+// ParseSCTsFromSCTList parses each of the SCTs contained within an SCT list.
+func ParseSCTsFromSCTList(sctList *x509.SignedCertificateTimestampList) ([]*ct.SignedCertificateTimestamp, error) {
+	var scts []*ct.SignedCertificateTimestamp
+	for i, data := range sctList.SCTList {
+		sct, err := ExtractSCT(&data)
+		if err != nil {
+			return nil, fmt.Errorf("error extracting SCT number %d: %s", i, err)
+		}
+		scts = append(scts, sct)
+	}
+	return scts, nil
+}
+
+// ExtractSCT deserializes an SCT from a TLS-encoded SCT.
+func ExtractSCT(sctData *x509.SerializedSCT) (*ct.SignedCertificateTimestamp, error) {
+	if sctData == nil {
+		return nil, errors.New("SCT is nil")
+	}
+	var sct ct.SignedCertificateTimestamp
+	if _, err := tls.Unmarshal(sctData.Val, &sct); err != nil {
+		return nil, fmt.Errorf("error parsing SCT: %s", err)
+	}
+	return &sct, nil
+}
+
+var pemCertificatePrefix = []byte("-----BEGIN CERTIFICATE")
+
+// ParseSCTsFromCertificate parses any SCTs that are embedded in the
+// certificate provided.  The certificate bytes provided can be either DER or
+// PEM, provided the PEM data starts with the PEM block marker (i.e. has no
+// leading text).
+func ParseSCTsFromCertificate(certBytes []byte) ([]*ct.SignedCertificateTimestamp, error) {
+	var cert *x509.Certificate
+	var err error
+	if bytes.HasPrefix(certBytes, pemCertificatePrefix) {
+		cert, err = CertificateFromPEM(certBytes)
+	} else {
+		cert, err = x509.ParseCertificate(certBytes)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate: %s", err)
+	}
+	return ParseSCTsFromSCTList(&cert.SCTList)
+}