diff options
| author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-01-27 19:59:47 +0100 |
|---|---|---|
| committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2021-01-27 19:59:47 +0100 |
| commit | 0284a7460f03799452f4743a0032f2ae1564a3e8 (patch) | |
| tree | f735b7d5aa39b476f008e1d19665354fa5e3d1d4 /crypto.go | |
| parent | f5ad698cdb0fc9ecd8ad4c7b2cb7ec11ac0435ef (diff) | |
started replacing x509 with namespace
Diffstat (limited to 'crypto.go')
| -rw-r--r-- | crypto.go | 47 |
1 files changed, 0 insertions, 47 deletions
@@ -6,55 +6,8 @@ import ( "crypto" "crypto/rand" - "crypto/tls" - "crypto/x509" - - "github.com/system-transparency/stfe/x509util" ) -// buildChainFromDerList builds an X.509 certificate chain from a list of -// DER-encoded certificates using the log's configured trust anchors, extended -// key-usages, and maximum chain length (which includes the trust anchor). -func (lp *LogParameters) buildChainFromDerList(derChain [][]byte) ([]*x509.Certificate, error) { - certificate, intermediatePool, err := x509util.ParseDerChain(derChain) - if err != nil { - return nil, err - } - opts := x509.VerifyOptions{ - Roots: lp.AnchorPool, - Intermediates: intermediatePool, - KeyUsages: lp.KeyUsage, // no extended key usage passes by default - } - - chains, err := certificate.Verify(opts) - if err != nil { - return nil, fmt.Errorf("chain verification failed: %v", err) - } - if len(chains) == 0 { // better safe than sorry - return nil, fmt.Errorf("chain verification failed: no path") - } - - // there might be several valid chains - for _, chain := range chains { - if int64(len(chain)) <= lp.MaxChain { - return chain, nil // just pick the first valid chain - } - } - return nil, fmt.Errorf("bad certificate chain length: too large") -} - -// verifySignature checks if signature is valid for some serialized data. The -// only supported signature scheme is ed25519(0x0807), see ยง4.2.3 in RFC 8446. -func (lp *LogParameters) verifySignature(certificate *x509.Certificate, scheme tls.SignatureScheme, serialized, signature []byte) error { - if scheme != tls.Ed25519 { - return fmt.Errorf("unsupported signature scheme: %v", scheme) - } - if err := certificate.CheckSignature(x509.PureEd25519, serialized, signature); err != nil { - return fmt.Errorf("invalid signature: %v", err) - } - return nil -} - // genV1Sdi issues a new SignedDebugInfoV1 StItem from a serialized leaf value func (lp *LogParameters) genV1Sdi(serialized []byte) (*StItem, error) { sig, err := lp.Signer.Sign(rand.Reader, serialized, crypto.Hash(0)) // ed25519 |