feat(certificate): add RFC 9399 logotype parsing to inspect command

octaviera · octaviera · commit ba3a93c23485 · 2026-05-27T03:12:08.000+07:00
This parses the logotype extension (OID 1.3.6.1.5.5.7.1.12) and prints the URI to the console output. Includes unit tests for all logotype categories.
diff --git a/command/certificate/inspect.go b/command/certificate/inspect.go
@@ -2,6 +2,8 @@ package certificate
 
 import (
 	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -263,6 +265,7 @@ func inspectCertificates(ctx *cli.Context, crts []*x509.Certificate, w io.Writer
 				}
 			}
 			fmt.Fprint(w, text)
+			printLogotypes(crt, w)
 		}
 		return nil
 	case "json":
@@ -344,3 +347,148 @@ func inspectCertificateRequest(ctx *cli.Context, csr *x509.CertificateRequest, w
 		return errs.InvalidFlagValue(ctx, "format", format, "text, json")
 	}
 }
+
+type HashAlgAndValue struct {
+	HashAlgorithm pkix.AlgorithmIdentifier
+	HashValue     []byte
+}
+
+type LogotypeDetails struct {
+	MediaType    string `asn1:"ia5"`
+	LogotypeHash []HashAlgAndValue
+	LogotypeURI  []string
+}
+
+type LogotypeImageInfo struct {
+	Type       int `asn1:"optional,tag:0"`
+	FileSize   int
+	XSize      int
+	YSize      int
+	Resolution asn1.RawValue `asn1:"optional"`
+	Language   string        `asn1:"optional,ia5,tag:4"`
+}
+
+type LogotypeImage struct {
+	ImageDetails LogotypeDetails
+	ImageInfo    LogotypeImageInfo `asn1:"optional"`
+}
+
+type LogotypeAudioInfo struct {
+	FileSize   int
+	PlayTime   int
+	Channels   int
+	SampleRate int    `asn1:"optional,tag:3"`
+	Language   string `asn1:"optional,ia5,tag:4"`
+}
+
+type LogotypeAudio struct {
+	AudioDetails LogotypeDetails
+	AudioInfo    LogotypeAudioInfo `asn1:"optional"`
+}
+
+type LogotypeData struct {
+	Image []LogotypeImage `asn1:"optional"`
+	Audio []LogotypeAudio `asn1:"optional,tag:1"`
+}
+
+type LogotypeReference struct {
+	RefStructHash []HashAlgAndValue
+	RefStructURI  []string
+}
+
+type OtherLogotypeInfo struct {
+	LogotypeType asn1.ObjectIdentifier
+	Info         asn1.RawValue
+}
+
+type LogotypeExtn struct {
+	CommunityLogos []asn1.RawValue `asn1:"explicit,optional,tag:0"`
+	IssuerLogo     asn1.RawValue   `asn1:"explicit,optional,tag:1"`
+	SubjectLogo    asn1.RawValue   `asn1:"explicit,optional,tag:2"`
+	OtherLogos     []asn1.RawValue `asn1:"explicit,optional,tag:3"`
+}
+
+func unmarshalImplicitSequence(val asn1.RawValue, out interface{}) error {
+	der := val.FullBytes
+	if len(der) == 0 {
+		return io.EOF
+	}
+	derCopy := make([]byte, len(der))
+	copy(derCopy, der)
+	derCopy[0] = 0x30
+	_, err := asn1.Unmarshal(derCopy, out)
+	return err
+}
+
+func parseLogotypeURIs(value []byte) ([]string, error) {
+	var ext LogotypeExtn
+	if _, err := asn1.Unmarshal(value, &ext); err != nil {
+		return nil, err
+	}
+
+	var uris []string
+
+	extractFromInfo := func(raw asn1.RawValue) {
+		switch raw.Tag {
+		case 0: // direct (LogotypeData)
+			var data LogotypeData
+			if err := unmarshalImplicitSequence(raw, &data); err == nil {
+				for _, img := range data.Image {
+					uris = append(uris, img.ImageDetails.LogotypeURI...)
+				}
+				for _, aud := range data.Audio {
+					uris = append(uris, aud.AudioDetails.LogotypeURI...)
+				}
+			}
+		case 1: // indirect (LogotypeReference)
+			var ref LogotypeReference
+			if err := unmarshalImplicitSequence(raw, &ref); err == nil {
+				uris = append(uris, ref.RefStructURI...)
+			}
+		}
+	}
+
+	// 1. communityLogos
+	for _, logoInfo := range ext.CommunityLogos {
+		extractFromInfo(logoInfo)
+	}
+
+	// 2. issuerLogo
+	if len(ext.IssuerLogo.Bytes) > 0 {
+		var choice asn1.RawValue
+		if _, err := asn1.Unmarshal(ext.IssuerLogo.Bytes, &choice); err == nil {
+			extractFromInfo(choice)
+		}
+	}
+
+	// 3. subjectLogo
+	if len(ext.SubjectLogo.Bytes) > 0 {
+		var choice asn1.RawValue
+		if _, err := asn1.Unmarshal(ext.SubjectLogo.Bytes, &choice); err == nil {
+			extractFromInfo(choice)
+		}
+	}
+
+	// 4. otherLogos
+	for _, other := range ext.OtherLogos {
+		var otherInfo OtherLogotypeInfo
+		if _, err := asn1.Unmarshal(other.FullBytes, &otherInfo); err == nil {
+			extractFromInfo(otherInfo.Info)
+		}
+	}
+
+	return uris, nil
+}
+
+func printLogotypes(crt *x509.Certificate, w io.Writer) {
+	for _, ext := range crt.Extensions {
+		if ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12}) {
+			uris, err := parseLogotypeURIs(ext.Value)
+			if err == nil && len(uris) > 0 {
+				for _, uri := range uris {
+					fmt.Fprintf(w, "Logotype URI: %s\n", uri)
+				}
+			}
+		}
+	}
+}
diff --git a/command/certificate/inspect_test.go b/command/certificate/inspect_test.go
@@ -2,8 +2,12 @@ package certificate
 
 import (
 	"bytes"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/json"
 	"flag"
+	"strings"
 	"testing"
 
 	"github.com/smallstep/assert"
@@ -138,3 +142,148 @@ func TestInspectCertificateRequest(t *testing.T) {
 	}
 
 }
+
+func TestInspectCertificates_Logotypes(t *testing.T) {
+	mustMarshal := func(val interface{}) []byte {
+		b, err := asn1.Marshal(val)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return b
+	}
+
+	wrapExplicit := func(tag int, payload []byte) []byte {
+		var lenBytes []byte
+		length := len(payload)
+		if length < 128 {
+			lenBytes = []byte{byte(length)}
+		} else if length < 256 {
+			lenBytes = []byte{0x81, byte(length)}
+		} else {
+			lenBytes = []byte{0x82, byte(length >> 8), byte(length & 0xff)}
+		}
+		result := []byte{byte(0xa0 | tag)}
+		result = append(result, lenBytes...)
+		result = append(result, payload...)
+		return result
+	}
+
+	wrapSequence := func(payload []byte) []byte {
+		var lenBytes []byte
+		length := len(payload)
+		if length < 128 {
+			lenBytes = []byte{byte(length)}
+		} else if length < 256 {
+			lenBytes = []byte{0x81, byte(length)}
+		} else {
+			lenBytes = []byte{0x82, byte(length >> 8), byte(length & 0xff)}
+		}
+		result := []byte{0x30}
+		result = append(result, lenBytes...)
+		result = append(result, payload...)
+		return result
+	}
+
+	// Direct CHOICE value [0] LogotypeData
+	directDataBytes := mustMarshal(LogotypeData{
+		Image: []LogotypeImage{
+			{
+				ImageDetails: LogotypeDetails{
+					MediaType:   "image/png",
+					LogotypeURI: []string{"https://example.com/subject-direct.png"},
+				},
+			},
+		},
+	})
+	directDataBytes[0] = 0xa0 // choice tag [0] implicit
+
+	// Indirect CHOICE value [1] LogotypeReference
+	indirectRefBytes := mustMarshal(LogotypeReference{
+		RefStructURI: []string{"https://example.com/issuer-indirect.png"},
+	})
+	indirectRefBytes[0] = 0xa1 // choice tag [1] implicit
+
+	// Community LOGOS list element (direct Choice [0] LogotypeData)
+	communityDirectBytes := mustMarshal(LogotypeData{
+		Image: []LogotypeImage{
+			{
+				ImageDetails: LogotypeDetails{
+					MediaType:   "image/svg+xml",
+					LogotypeURI: []string{"https://example.com/community-direct.svg"},
+				},
+			},
+		},
+	})
+	communityDirectBytes[0] = 0xa0
+
+	// Community LOGOS list element (indirect Choice [1] LogotypeReference)
+	communityIndirectBytes := mustMarshal(LogotypeReference{
+		RefStructURI: []string{"https://example.com/community-indirect.png"},
+	})
+	communityIndirectBytes[0] = 0xa1
+
+	// OtherLogotypeInfo element
+	otherInfoBytes := mustMarshal(OtherLogotypeInfo{
+		LogotypeType: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12, 99},
+		Info: asn1.RawValue{
+			FullBytes: communityDirectBytes,
+		},
+	})
+
+	// Wrap in communityLogos explicit tag [0]
+	communitySeqBytes := append(communityDirectBytes, communityIndirectBytes...)
+	communityLogosDER := wrapExplicit(0, wrapSequence(communitySeqBytes))
+
+	// Wrap in issuerLogo explicit tag [1]
+	issuerLogoDER := wrapExplicit(1, indirectRefBytes)
+
+	// Wrap in subjectLogo explicit tag [2]
+	subjectLogoDER := wrapExplicit(2, directDataBytes)
+
+	// Wrap in otherLogos explicit tag [3]
+	otherLogosDER := wrapExplicit(3, wrapSequence(otherInfoBytes))
+
+	var extnBytes []byte
+	extnBytes = append(extnBytes, communityLogosDER...)
+	extnBytes = append(extnBytes, issuerLogoDER...)
+	extnBytes = append(extnBytes, subjectLogoDER...)
+	extnBytes = append(extnBytes, otherLogosDER...)
+
+	extDER := wrapSequence(extnBytes)
+
+	certs, err := pemutil.ParseCertificateBundle(pemData)
+	if err != nil {
+		t.Fatal(err)
+	}
+	crt := certs[0]
+	crt.Extensions = append(crt.Extensions, pkix.Extension{
+		Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12},
+		Value: extDER,
+	})
+
+	app := &cli.App{}
+	set := flag.NewFlagSet("contrive", 0)
+	_ = set.String("format", "text", "")
+	ctx := cli.NewContext(app, set, nil)
+
+	var buf bytes.Buffer
+	err = inspectCertificates(ctx, []*x509.Certificate{crt}, &buf)
+	assert.NoError(t, err)
+
+	output := buf.String()
+	t.Logf("Output:\n%s", output)
+
+	if !strings.Contains(output, "Logotype URI: https://example.com/community-direct.svg") {
+		t.Error("missing community-direct URI")
+	}
+	if !strings.Contains(output, "Logotype URI: https://example.com/community-indirect.png") {
+		t.Error("missing community-indirect URI")
+	}
+	if !strings.Contains(output, "Logotype URI: https://example.com/issuer-indirect.png") {
+		t.Error("missing issuer-indirect URI")
+	}
+	if !strings.Contains(output, "Logotype URI: https://example.com/subject-direct.png") {
+		t.Error("missing subject-direct URI")
+	}
+}
+
