diff options
author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-10-27 16:22:13 +0100 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-10-27 16:22:13 +0100 |
commit | 13dd306e69b26ab8b7aedcd6ed915df4b6672a01 (patch) | |
tree | 4b2b5456f5c979ce13f6419b676af165bb55fe3d /reqres.go | |
parent | dd19521190f39a8b1704adb724f5f812040f91e4 (diff) |
isolated chain and signature verification
Diffstat (limited to 'reqres.go')
-rw-r--r-- | reqres.go | 41 |
1 files changed, 11 insertions, 30 deletions
@@ -4,8 +4,6 @@ import ( "fmt" "strconv" - "crypto/ecdsa" - "crypto/rsa" "crypto/x509" "encoding/base64" "encoding/json" @@ -186,50 +184,33 @@ func VerifyAddEntryRequest(ld *LogParameters, r AddEntryRequest) ([]byte, []byte leaf, err := tls.Marshal(item) if err != nil { return nil, nil, fmt.Errorf("failed tls marshaling StItem: %v", err) - } + } // leaf is the serialized data that should be added to the tree - certificate, err := base64.StdEncoding.DecodeString(r.Certificate) + c, err := base64.StdEncoding.DecodeString(r.Certificate) if err != nil { return nil, nil, fmt.Errorf("failed decoding certificate: %v", err) } - c, err := x509.ParseCertificate(certificate) + certificate, err := x509.ParseCertificate(c) if err != nil { return nil, nil, fmt.Errorf("failed decoding certificate: %v", err) - } - opts := x509.VerifyOptions{ - Roots: ld.AnchorPool, - } - chains, err := c.Verify(opts) + } // certificate is the end-entity certificate that signed leaf + + chain, err := VerifyChain(ld, certificate) if err != nil { return nil, nil, fmt.Errorf("chain verification failed: %v", err) - } - if len(chains) == 0 { - return nil, nil, fmt.Errorf("chain verification failed: no chain") - } - x509chain := chains[0] + } // chain is a valid path to some trust anchor signature, err := base64.StdEncoding.DecodeString(r.Signature) if err != nil { return nil, nil, fmt.Errorf("failed decoding signature: %v", err) } + if err := VerifySignature(leaf, signature, certificate); err != nil { + return nil, nil, fmt.Errorf("signature verification failed: %v", err) + } // signature is valid for certificate - var algo x509.SignatureAlgorithm - switch t := c.PublicKey.(type) { - case *rsa.PublicKey: - algo = x509.SHA256WithRSA - case *ecdsa.PublicKey: - algo = x509.ECDSAWithSHA256 - default: - return nil, nil, fmt.Errorf("unsupported public key algorithm: %v", t) - } - - if err := c.CheckSignature(algo, leaf, signature); err != nil { - return nil, nil, fmt.Errorf("invalid signature: %v", err) - } // TODO: update doc of what signature "is", i.e., w/e x509 does // TODO: doc in markdown/api.md what signature schemes we expect - - appendix, err := tls.Marshal(NewAppendix(x509chain, signature)) + appendix, err := tls.Marshal(NewAppendix(chain, signature)) if err != nil { return nil, nil, fmt.Errorf("failed tls marshaling appendix: %v", err) } |