smallstep · areed · Feb 1, 2024 · Jan 26, 2024 · Jan 31, 2024 · Jan 31, 2024
diff --git a/x509util/extensions.go b/x509util/extensions.go
@@ -23,34 +23,34 @@ func convertName(s string) string {
 }
 
 // Names used for key usages.
-var (
-	KeyUsageDigitalSignature  = convertName("DigitalSignature")
-	KeyUsageContentCommitment = convertName("ContentCommitment")
-	KeyUsageKeyEncipherment   = convertName("KeyEncipherment")
-	KeyUsageDataEncipherment  = convertName("DataEncipherment")
-	KeyUsageKeyAgreement      = convertName("KeyAgreement")
-	KeyUsageCertSign          = convertName("CertSign")
-	KeyUsageCRLSign           = convertName("CRLSign")
-	KeyUsageEncipherOnly      = convertName("EncipherOnly")
-	KeyUsageDecipherOnly      = convertName("DecipherOnly")
+const (
+	KeyUsageDigitalSignature  = "digitalSignature"
+	KeyUsageContentCommitment = "contentCommitment"
+	KeyUsageKeyEncipherment   = "keyEncipherment"
+	KeyUsageDataEncipherment  = "dataEncipherment"
+	KeyUsageKeyAgreement      = "keyAgreement"
+	KeyUsageCertSign          = "certSign"
+	KeyUsageCRLSign           = "crlSign"
+	KeyUsageEncipherOnly      = "encipherOnly"
+	KeyUsageDecipherOnly      = "decipherOnly"
 )
 
 // Names used for extended key usages.
-var (
-	ExtKeyUsageAny                            = convertName("Any")
-	ExtKeyUsageServerAuth                     = convertName("ServerAuth")
-	ExtKeyUsageClientAuth                     = convertName("ClientAuth")
-	ExtKeyUsageCodeSigning                    = convertName("CodeSigning")
-	ExtKeyUsageEmailProtection                = convertName("EmailProtection")
-	ExtKeyUsageIPSECEndSystem                 = convertName("IPSECEndSystem")
-	ExtKeyUsageIPSECTunnel                    = convertName("IPSECTunnel")
-	ExtKeyUsageIPSECUser                      = convertName("IPSECUser")
-	ExtKeyUsageTimeStamping                   = convertName("TimeStamping")
-	ExtKeyUsageOCSPSigning                    = convertName("OCSPSigning")
-	ExtKeyUsageMicrosoftServerGatedCrypto     = convertName("MicrosoftServerGatedCrypto")
-	ExtKeyUsageNetscapeServerGatedCrypto      = convertName("NetscapeServerGatedCrypto")
-	ExtKeyUsageMicrosoftCommercialCodeSigning = convertName("MicrosoftCommercialCodeSigning")
-	ExtKeyUsageMicrosoftKernelCodeSigning     = convertName("MicrosoftKernelCodeSigning")
+const (
+	ExtKeyUsageAny                            = "any"
+	ExtKeyUsageServerAuth                     = "serverAuth"
+	ExtKeyUsageClientAuth                     = "clientAuth"
+	ExtKeyUsageCodeSigning                    = "codeSigning"
+	ExtKeyUsageEmailProtection                = "emailProtection"
+	ExtKeyUsageIPSECEndSystem                 = "ipsecEndSystem"
+	ExtKeyUsageIPSECTunnel                    = "ipsecTunnel"
+	ExtKeyUsageIPSECUser                      = "ipsecUser"
+	ExtKeyUsageTimeStamping                   = "timeStamping"
+	ExtKeyUsageOCSPSigning                    = "ocspSigning"
+	ExtKeyUsageMicrosoftServerGatedCrypto     = "microsoftServerGatedCrypto"
+	ExtKeyUsageNetscapeServerGatedCrypto      = "netscapeServerGatedCrypto"
+	ExtKeyUsageMicrosoftCommercialCodeSigning = "microsoftCommercialCodeSigning"
+	ExtKeyUsageMicrosoftKernelCodeSigning     = "microsoftKernelCodeSigning"
 )
 
 // Names used and SubjectAlternativeNames types.
@@ -439,7 +439,7 @@ func (s SubjectAlternativeName) RawValue() (asn1.RawValue, error) {
 
 		// The default type is printable, but if the value is prefixed with a
 		// type, use that.
-		var value, params = s.Value, "printable"
+		value, params := s.Value, "printable"
 		if strings.Contains(value, sanTypeSeparator) {
 			params = strings.Split(value, sanTypeSeparator)[0]
 			value = value[len(params)+1:]
@@ -616,23 +616,23 @@ func (k *KeyUsage) UnmarshalJSON(data []byte) error {
 	for _, s := range ms {
 		var ku x509.KeyUsage
 		switch convertName(s) {
-		case KeyUsageDigitalSignature:
+		case convertName(KeyUsageDigitalSignature):
 			ku = x509.KeyUsageDigitalSignature
-		case KeyUsageContentCommitment:
+		case convertName(KeyUsageContentCommitment):
 			ku = x509.KeyUsageContentCommitment
-		case KeyUsageKeyEncipherment:
+		case convertName(KeyUsageKeyEncipherment):
 			ku = x509.KeyUsageKeyEncipherment
-		case KeyUsageDataEncipherment:
+		case convertName(KeyUsageDataEncipherment):
 			ku = x509.KeyUsageDataEncipherment
-		case KeyUsageKeyAgreement:
+		case convertName(KeyUsageKeyAgreement):
 			ku = x509.KeyUsageKeyAgreement
-		case KeyUsageCertSign:
+		case convertName(KeyUsageCertSign):
 			ku = x509.KeyUsageCertSign
-		case KeyUsageCRLSign:
+		case convertName(KeyUsageCRLSign):
 			ku = x509.KeyUsageCRLSign
-		case KeyUsageEncipherOnly:
+		case convertName(KeyUsageEncipherOnly):
 			ku = x509.KeyUsageEncipherOnly
-		case KeyUsageDecipherOnly:
+		case convertName(KeyUsageDecipherOnly):
 			ku = x509.KeyUsageDecipherOnly
 		default:
 			return errors.Errorf("unsupported keyUsage %s", s)
@@ -703,33 +703,33 @@ func (k *ExtKeyUsage) UnmarshalJSON(data []byte) error {
 	for i, s := range ms {
 		var ku x509.ExtKeyUsage
 		switch convertName(s) {
-		case ExtKeyUsageAny:
+		case convertName(ExtKeyUsageAny):
 			ku = x509.ExtKeyUsageAny
-		case ExtKeyUsageServerAuth:
+		case convertName(ExtKeyUsageServerAuth):
 			ku = x509.ExtKeyUsageServerAuth
-		case ExtKeyUsageClientAuth:
+		case convertName(ExtKeyUsageClientAuth):
 			ku = x509.ExtKeyUsageClientAuth
-		case ExtKeyUsageCodeSigning:
+		case convertName(ExtKeyUsageCodeSigning):
 			ku = x509.ExtKeyUsageCodeSigning
-		case ExtKeyUsageEmailProtection:
+		case convertName(ExtKeyUsageEmailProtection):
 			ku = x509.ExtKeyUsageEmailProtection
-		case ExtKeyUsageIPSECEndSystem:
+		case convertName(ExtKeyUsageIPSECEndSystem):
 			ku = x509.ExtKeyUsageIPSECEndSystem
-		case ExtKeyUsageIPSECTunnel:
+		case convertName(ExtKeyUsageIPSECTunnel):
 			ku = x509.ExtKeyUsageIPSECTunnel
-		case ExtKeyUsageIPSECUser:
+		case convertName(ExtKeyUsageIPSECUser):
 			ku = x509.ExtKeyUsageIPSECUser
-		case ExtKeyUsageTimeStamping:
+		case convertName(ExtKeyUsageTimeStamping):
 			ku = x509.ExtKeyUsageTimeStamping
-		case ExtKeyUsageOCSPSigning:
+		case convertName(ExtKeyUsageOCSPSigning):
 			ku = x509.ExtKeyUsageOCSPSigning
-		case ExtKeyUsageMicrosoftServerGatedCrypto:
+		case convertName(ExtKeyUsageMicrosoftServerGatedCrypto):
 			ku = x509.ExtKeyUsageMicrosoftServerGatedCrypto
-		case ExtKeyUsageNetscapeServerGatedCrypto:
+		case convertName(ExtKeyUsageNetscapeServerGatedCrypto):
 			ku = x509.ExtKeyUsageNetscapeServerGatedCrypto
-		case ExtKeyUsageMicrosoftCommercialCodeSigning:
+		case convertName(ExtKeyUsageMicrosoftCommercialCodeSigning):
 			ku = x509.ExtKeyUsageMicrosoftCommercialCodeSigning
-		case ExtKeyUsageMicrosoftKernelCodeSigning:
+		case convertName(ExtKeyUsageMicrosoftKernelCodeSigning):
 			ku = x509.ExtKeyUsageMicrosoftKernelCodeSigning
 		default:
 			return errors.Errorf("unsupported extKeyUsage %s", s)
@@ -1117,7 +1117,7 @@ type SubjectAlternativeNames struct {
 	PermanentIdentifiers []PermanentIdentifier
 	HardwareModuleNames  []HardwareModuleName
 	TPMHardwareDetails   TPMHardwareDetails
-	//OtherNames          []OtherName // TODO(hs): unused at the moment; do we need it? what type definition to use?
+	// OtherNames          []OtherName // TODO(hs): unused at the moment; do we need it? what type definition to use?
 }
 
 // TPMHardwareDetails is a container for some details

diff --git a/x509util/extensions_test.go b/x509util/extensions_test.go
@@ -319,16 +319,20 @@ func TestSubjectAlternativeName_RawValue(t *testing.T) {
 			FullBytes: bytes.Join([][]byte{
 				{160, 31, 6, 8, 43, 6, 1, 5, 5, 7, 8, 4},
 				{160, 19, 0x30, 17, asn1.TagOID, 3, 0x20 | 0x0A, 3, 4},
-				{0x80 | asn1.TagOctetString, 10}, []byte("0123456789"),
+				{0x80 | asn1.TagOctetString, 10},
+				[]byte("0123456789"),
 			}, nil),
 		}, false},
 		{"directoryName", fields{"dn", "", []byte(`{"country":"US","organization":"ACME","commonName":"rocket"}`)}, asn1.RawValue{
 			Class: 2, Tag: 4, IsCompound: true,
 			Bytes: bytes.Join([][]byte{
 				{0x30, 45, 49, 11},
-				{48, 9, 6, 3, 85, 4, 6, asn1.TagPrintableString, 2}, []byte("US"),
-				{49, 13, 48, 11, 6, 3, 85, 4, 10, asn1.TagPrintableString, 4}, []byte("ACME"),
-				{49, 15, 48, 13, 6, 3, 85, 4, 3, asn1.TagPrintableString, 6}, []byte("rocket"),
+				{48, 9, 6, 3, 85, 4, 6, asn1.TagPrintableString, 2},
+				[]byte("US"),
+				{49, 13, 48, 11, 6, 3, 85, 4, 10, asn1.TagPrintableString, 4},
+				[]byte("ACME"),
+				{49, 15, 48, 13, 6, 3, 85, 4, 3, asn1.TagPrintableString, 6},
+				[]byte("rocket"),
 			}, nil),
 		}, false},
 		{"userPrincipalName", fields{"userPrincipalName", "foo@bar.com", nil}, asn1.RawValue{
@@ -464,16 +468,16 @@ func TestKeyUsage_MarshalJSON(t *testing.T) {
 		want    string
 		wantErr bool
 	}{
-		{"DigitalSignature", KeyUsage(x509.KeyUsageDigitalSignature), `["digitalsignature"]`, false},
-		{"ContentCommitment", KeyUsage(x509.KeyUsageContentCommitment), `["contentcommitment"]`, false},
-		{"KeyEncipherment", KeyUsage(x509.KeyUsageKeyEncipherment), `["keyencipherment"]`, false},
-		{"DataEncipherment", KeyUsage(x509.KeyUsageDataEncipherment), `["dataencipherment"]`, false},
-		{"KeyAgreement", KeyUsage(x509.KeyUsageKeyAgreement), `["keyagreement"]`, false},
-		{"CertSign", KeyUsage(x509.KeyUsageCertSign), `["certsign"]`, false},
-		{"CRLSign", KeyUsage(x509.KeyUsageCRLSign), `["crlsign"]`, false},
-		{"EncipherOnly", KeyUsage(x509.KeyUsageEncipherOnly), `["encipheronly"]`, false},
-		{"DecipherOnly", KeyUsage(x509.KeyUsageDecipherOnly), `["decipheronly"]`, false},
-		{"DigitalSignature + KeyEncipherment", KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment), `["digitalsignature","keyencipherment"]`, false},
+		{"DigitalSignature", KeyUsage(x509.KeyUsageDigitalSignature), `["digitalSignature"]`, false},
+		{"ContentCommitment", KeyUsage(x509.KeyUsageContentCommitment), `["contentCommitment"]`, false},
+		{"KeyEncipherment", KeyUsage(x509.KeyUsageKeyEncipherment), `["keyEncipherment"]`, false},
+		{"DataEncipherment", KeyUsage(x509.KeyUsageDataEncipherment), `["dataEncipherment"]`, false},
+		{"KeyAgreement", KeyUsage(x509.KeyUsageKeyAgreement), `["keyAgreement"]`, false},
+		{"CertSign", KeyUsage(x509.KeyUsageCertSign), `["certSign"]`, false},
+		{"CRLSign", KeyUsage(x509.KeyUsageCRLSign), `["crlSign"]`, false},
+		{"EncipherOnly", KeyUsage(x509.KeyUsageEncipherOnly), `["encipherOnly"]`, false},
+		{"DecipherOnly", KeyUsage(x509.KeyUsageDecipherOnly), `["decipherOnly"]`, false},
+		{"DigitalSignature + KeyEncipherment", KeyUsage(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment), `["digitalSignature","keyEncipherment"]`, false},
 		{"Error", KeyUsage(x509.KeyUsageDecipherOnly << 1), "", true},
 	}
 	for _, tt := range tests {
@@ -589,20 +593,20 @@ func TestExtKeyUsage_MarshalJSON(t *testing.T) {
 		wantErr bool
 	}{
 		{"Any", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageAny}), `["any"]`, false},
-		{"ServerAuth", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), `["serverauth"]`, false},
-		{"ClientAuth", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), `["clientauth"]`, false},
-		{"CodeSigning", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}), `["codesigning"]`, false},
-		{"EmailProtection", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}), `["emailprotection"]`, false},
-		{"IPSECEndSystem", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageIPSECEndSystem}), `["ipsecendsystem"]`, false},
-		{"IPSECTunnel", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}), `["ipsectunnel"]`, false},
-		{"IPSECUser", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageIPSECUser}), `["ipsecuser"]`, false},
-		{"TimeStamping", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}), `["timestamping"]`, false},
-		{"OCSPSigning", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}), `["ocspsigning"]`, false},
-		{"MicrosoftServerGatedCrypto", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftServerGatedCrypto}), `["microsoftservergatedcrypto"]`, false},
-		{"NetscapeServerGatedCrypto", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageNetscapeServerGatedCrypto}), `["netscapeservergatedcrypto"]`, false},
-		{"MicrosoftCommercialCodeSigning", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftCommercialCodeSigning}), `["microsoftcommercialcodesigning"]`, false},
-		{"MicrosoftKernelCodeSigning", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftKernelCodeSigning}), `["microsoftkernelcodesigning"]`, false},
-		{"ServerAuth + ClientAuth", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}), `["serverauth","clientauth"]`, false},
+		{"ServerAuth", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), `["serverAuth"]`, false},
+		{"ClientAuth", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), `["clientAuth"]`, false},
+		{"CodeSigning", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}), `["codeSigning"]`, false},
+		{"EmailProtection", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}), `["emailProtection"]`, false},
+		{"IPSECEndSystem", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageIPSECEndSystem}), `["ipsecEndSystem"]`, false},
+		{"IPSECTunnel", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}), `["ipsecTunnel"]`, false},
+		{"IPSECUser", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageIPSECUser}), `["ipsecUser"]`, false},
+		{"TimeStamping", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}), `["timeStamping"]`, false},
+		{"OCSPSigning", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}), `["ocspSigning"]`, false},
+		{"MicrosoftServerGatedCrypto", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftServerGatedCrypto}), `["microsoftServerGatedCrypto"]`, false},
+		{"NetscapeServerGatedCrypto", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageNetscapeServerGatedCrypto}), `["netscapeServerGatedCrypto"]`, false},
+		{"MicrosoftCommercialCodeSigning", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftCommercialCodeSigning}), `["microsoftCommercialCodeSigning"]`, false},
+		{"MicrosoftKernelCodeSigning", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftKernelCodeSigning}), `["microsoftKernelCodeSigning"]`, false},
+		{"ServerAuth + ClientAuth", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}), `["serverAuth","clientAuth"]`, false},
 		{"Error", ExtKeyUsage([]x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftKernelCodeSigning + 1}), "", true},
 	}
 	for _, tt := range tests {
@@ -1311,9 +1315,12 @@ func Test_createSubjectAltNameExtension(t *testing.T) {
 			Critical: false,
 			Value: bytes.Join([][]byte{
 				{0x30, (2 + 7) + (2 + 11) + (2 + 11) + (2 + 4)},
-				{0x80 | nameTypeDNS, 7}, []byte("foo.com"),
-				{0x80 | nameTypeEmail, 11}, []byte("bar@foo.com"),
-				{0x80 | nameTypeURI, 11}, []byte("urn:foo:bar"),
+				{0x80 | nameTypeDNS, 7},
+				[]byte("foo.com"),
+				{0x80 | nameTypeEmail, 11},
+				[]byte("bar@foo.com"),
+				{0x80 | nameTypeURI, 11},
+				[]byte("urn:foo:bar"),
 				{0x80 | nameTypeIP, 4, 1, 2, 3, 4},
 			}, nil),
 		}, false},
@@ -1327,9 +1334,11 @@ func Test_createSubjectAltNameExtension(t *testing.T) {
 			Critical: false,
 			Value: bytes.Join([][]byte{
 				{0x30, (2 + 7) + (2 + 20)},
-				{0x80 | nameTypeDNS, 7}, []byte("foo.com"),
+				{0x80 | nameTypeDNS, 7},
+				[]byte("foo.com"),
 				{0xA0, 20, asn1.TagOID, 3, 0x20 | 0x0A, 3, 4},
-				{0xA0, 13, asn1.TagUTF8String, 11}, []byte("bar@foo.com"),
+				{0xA0, 13, asn1.TagUTF8String, 11},
+				[]byte("bar@foo.com"),
 			}, nil),
 		}, false},
 		{"fail dns", args{Certificate{

diff --git a/x509util/name.go b/x509util/name.go
@@ -11,7 +11,7 @@ import (
 )
 
 // attributeTypeNames are the subject attributes managed by Go and this package.
-// newExtraNames will populate .Insecure.CR.ExtraNames with the attributes not
+// NewExtraNames will populate .Insecure.CR.ExtraNames with the attributes not
 // present on this map.
 var attributeTypeNames = map[string]string{
 	"2.5.4.6":  "C",
@@ -54,7 +54,7 @@ func newName(n pkix.Name) Name {
 		PostalCode:         n.PostalCode,
 		SerialNumber:       n.SerialNumber,
 		CommonName:         n.CommonName,
-		ExtraNames:         newExtraNames(n.Names),
+		ExtraNames:         NewExtraNames(n.Names),
 	}
 }
 
@@ -154,9 +154,9 @@ type DistinguishedName struct {
 	Value interface{}      `json:"value"`
 }
 
-// newExtraNames returns a list of DistinguishedName with the attributes not
+// NewExtraNames returns a list of DistinguishedName with the attributes not
 // present in attributeTypeNames.
-func newExtraNames(atvs []pkix.AttributeTypeAndValue) []DistinguishedName {
+func NewExtraNames(atvs []pkix.AttributeTypeAndValue) []DistinguishedName {
 	var extraNames []DistinguishedName
 	for _, atv := range atvs {
 		if _, ok := attributeTypeNames[atv.Type.String()]; !ok {

diff --git a/x509util/name_test.go b/x509util/name_test.go
@@ -519,7 +519,7 @@ func TestIssuer_Set(t *testing.T) {
 	}
 }
 
-func Test_newExtraNames(t *testing.T) {
+func Test_NewExtraNames(t *testing.T) {
 	type args struct {
 		atvs []pkix.AttributeTypeAndValue
 	}
@@ -540,7 +540,7 @@ func Test_newExtraNames(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := newExtraNames(tt.args.atvs); !reflect.DeepEqual(got, tt.want) {
+			if got := NewExtraNames(tt.args.atvs); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("newDistinguisedNames() = %v, want %v", got, tt.want)
 			}
 		})