crypto/x509: add ExtKeyUsage.OID method

And OIDFromASN1OID for converting between asn1.ObjectIdentifier and OID.

Fixes #75325

Change-Id: I3b84dce54346d88aab731ffe30d0fef07b014f04
Reviewed-on: https://go-review.googlesource.com/c/go/+/724761
Reviewed-by: Neal Patel <nealpatel@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Commit-Queue: Neal Patel <nealpatel@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

api/next/75325.txt

@@ -0,0 +1,2 @@
+pkg crypto/x509, func OIDFromASN1OID(asn1.ObjectIdentifier) (OID, error) #75325
+pkg crypto/x509, method (ExtKeyUsage) OID() OID #75325

doc/next/6-stdlib/99-minor/crypto/x509/75325.md

@@ -0,0 +1,4 @@
+The [ExtKeyUsage] type now has an OID method that returns the corresponding OID for the EKU.
+
+The new [OIDFromASN1OID] function allows converting an [encoding/asn1.ObjectIdentifier] into
+an [OID].

src/crypto/x509/oid.go

@@ -393,3 +393,15 @@ func (oid OID) toASN1OID() (asn1.ObjectIdentifier, bool) {
 
 	return out, true
 }
+
+// OIDFromASN1OID creates a new OID using asn1OID.
+func OIDFromASN1OID(asn1OID asn1.ObjectIdentifier) (OID, error) {
+	uint64OID := make([]uint64, 0, len(asn1OID))
+	for _, component := range asn1OID {
+		if component < 0 {
+			return OID{}, errors.New("x509: OID components must be non-negative")
+		}
+		uint64OID = append(uint64OID, uint64(component))
+	}
+	return OIDFromInts(uint64OID)
+}

src/crypto/x509/oid_test.go

@@ -343,3 +343,27 @@ func BenchmarkOIDMarshalUnmarshalText(b *testing.B) {
 		}
 	}
 }
+
+func TestOIDFromASN1OID(t *testing.T) {
+	negativeComponentOID := asn1.ObjectIdentifier{-1}
+	_, err := OIDFromASN1OID(negativeComponentOID)
+	if err == nil || err.Error() != "x509: OID components must be non-negative" {
+		t.Fatalf("OIDFromASN1OID() = %v; want = \"x509: OID components must be non-negative\"", err)
+	}
+
+	shortOID := asn1.ObjectIdentifier{1}
+	_, err = OIDFromASN1OID(shortOID)
+	if err == nil || err != errInvalidOID {
+		t.Fatalf("OIDFromASN1OID() = %v; want = %q", err, errInvalidOID)
+	}
+	invalidOIDFirstComponent := asn1.ObjectIdentifier{255, 1}
+	_, err = OIDFromASN1OID(invalidOIDFirstComponent)
+	if err == nil || err != errInvalidOID {
+		t.Fatalf("OIDFromASN1OID() = %v; want = %q", err, errInvalidOID)
+	}
+	invalidOIDSecondComponent := asn1.ObjectIdentifier{1, 255}
+	_, err = OIDFromASN1OID(invalidOIDSecondComponent)
+	if err == nil || err != errInvalidOID {
+		t.Fatalf("OIDFromASN1OID() = %v; want = %q", err, errInvalidOID)
+	}
+}

src/crypto/x509/x509.go

@@ -687,6 +687,19 @@ func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
 	return
 }
 
+// OID returns the ASN.1 object identifier of the EKU.
+func (eku ExtKeyUsage) OID() OID {
+	asn1OID, ok := oidFromExtKeyUsage(eku)
+	if !ok {
+		panic("x509: internal error: known ExtKeyUsage has no OID")
+	}
+	oid, err := OIDFromASN1OID(asn1OID)
+	if err != nil {
+		panic("x509: internal error: known ExtKeyUsage has invalid OID")
+	}
+	return oid
+}
+
 // A Certificate represents an X.509 certificate.
 type Certificate struct {
 	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).

src/crypto/x509/x509_test.go

@@ -4263,3 +4263,12 @@ func TestCreateCertificateNegativeMaxPathLength(t *testing.T) {
 		t.Fatalf(`CreateCertificate() = %v; want = "x509: invalid MaxPathLen, must be greater or equal to -1"`, err)
 	}
 }
+
+func TestEKUOIDS(t *testing.T) {
+	for _, eku := range extKeyUsageOIDs {
+		oid := eku.extKeyUsage.OID()
+		if !oid.EqualASN1OID(eku.oid) {
+			t.Errorf("extKeyUsage %v: expected OID %v, got %v", eku.extKeyUsage, eku.oid, oid)
+		}
+	}
+}