aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-10-26 10:55:29 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-10-26 10:55:29 +0100
commitace94cc001e51ef52aebf34c1fe39ad0f3501981 (patch)
tree3373eb6c1a3cbfc7adb087e08835508741baa2e5
parent134f7e1cb59b7c1bd4f2eadfebe7f65da1264988 (diff)
added signature verification for add-entry
-rw-r--r--reqres.go30
1 files changed, 22 insertions, 8 deletions
diff --git a/reqres.go b/reqres.go
index a12892e..f35ddc3 100644
--- a/reqres.go
+++ b/reqres.go
@@ -158,23 +158,37 @@ func NewGetAnchorsResponse(anchors []*x509.Certificate) GetAnchorsResponse {
// VerifyAddEntryRequest determines whether a well-formed AddEntryRequest should
// be inserted into the log. If so, the serialized leaf value is returned.
-func VerifyAddEntryRequest(a ctfe.CertValidationOpts, r AddEntryRequest) ([]byte, error) {
- item, _ := StItemFromB64(r.Item) // r.Item is a well-formed ChecksumV1
- leaf, _ := tls.Marshal(item) // again, r.Item is well-formed
+func VerifyAddEntryRequest(anchors ctfe.CertValidationOpts, r AddEntryRequest) ([]byte, error) {
+ item, err := StItemFromB64(r.Item)
+ if err != nil {
+ fmt.Errorf("failed decoding StItem: %v", err)
+ }
- chainBytes, err := base64.StdEncoding.DecodeString(r.Certificate)
+ leaf, err := tls.Marshal(item)
if err != nil {
- return nil, fmt.Errorf("failed decoding certificate: %v", err)
+ return nil, fmt.Errorf("failed tls marshaling StItem: %v", err)
}
+ certificate, err := base64.StdEncoding.DecodeString(r.Certificate)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding certificate: %v", err)
+ }
chain := make([][]byte, 0, 1)
- chain = append(chain, chainBytes)
- _, err = ctfe.ValidateChain(chain, a)
+ chain = append(chain, certificate)
+ x509chain, err := ctfe.ValidateChain(chain, anchors)
if err != nil {
return nil, fmt.Errorf("chain verification failed: %v", err)
}
+ c := x509chain[0]
+
+ signature, err := base64.StdEncoding.DecodeString(r.Signature)
+ if err != nil {
+ return nil, fmt.Errorf("failed decoding signature: %v", err)
+ }
+ if err := c.CheckSignature(c.SignatureAlgorithm, leaf, signature); err != nil {
+ return nil, fmt.Errorf("invalid signature: %v", err)
+ }
- // TODO: verify signature
return leaf, nil
}