author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-10-26 10:55:29 +0100 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-10-26 10:55:29 +0100 |
commit | ace94cc001e51ef52aebf34c1fe39ad0f3501981 (patch) | |
tree | 3373eb6c1a3cbfc7adb087e08835508741baa2e5 /reqres.go | |
parent | 134f7e1cb59b7c1bd4f2eadfebe7f65da1264988 (diff) |
added signature verification for add-entry
Diffstat (limited to 'reqres.go')
-rw-r--r-- | reqres.go | 30 |
1 files changed, 22 insertions, 8 deletions
@@ -158,23 +158,37 @@ func NewGetAnchorsResponse(anchors []*x509.Certificate) GetAnchorsResponse {
 // VerifyAddEntryRequest determines whether a well-formed AddEntryRequest should
 // be inserted into the log. If so, the serialized leaf value is returned.
-func VerifyAddEntryRequest(a ctfe.CertValidationOpts, r AddEntryRequest) ([]byte, error) {
-	item, _ := StItemFromB64(r.Item) // r.Item is a well-formed ChecksumV1
-	leaf, _ := tls.Marshal(item) // again, r.Item is well-formed
+func VerifyAddEntryRequest(anchors ctfe.CertValidationOpts, r AddEntryRequest) ([]byte, error) {
+	item, err := StItemFromB64(r.Item)
+	if err != nil {
+		fmt.Errorf("failed decoding StItem: %v", err)
+	}
-	chainBytes, err := base64.StdEncoding.DecodeString(r.Certificate)
+	leaf, err := tls.Marshal(item)
 	if err != nil {
-		return nil, fmt.Errorf("failed decoding certificate: %v", err)
+		return nil, fmt.Errorf("failed tls marshaling StItem: %v", err)
 	}
+	certificate, err := base64.StdEncoding.DecodeString(r.Certificate)
+	if err != nil {
+		return nil, fmt.Errorf("failed decoding certificate: %v", err)
+	}
 	chain := make([][]byte, 0, 1)
-	chain = append(chain, chainBytes)
-	_, err = ctfe.ValidateChain(chain, a)
+	chain = append(chain, certificate)
+	x509chain, err := ctfe.ValidateChain(chain, anchors)
 	if err != nil {
 		return nil, fmt.Errorf("chain verification failed: %v", err)
 	}
+	c := x509chain[0]
+
+	signature, err := base64.StdEncoding.DecodeString(r.Signature)
+	if err != nil {
+		return nil, fmt.Errorf("failed decoding signature: %v", err)
+	}
+	if err := c.CheckSignature(c.SignatureAlgorithm, leaf, signature); err != nil {
+		return nil, fmt.Errorf("invalid signature: %v", err)
+	}
-	// TODO: verify signature
 	return leaf, nil
 }
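Review bot: The error from StItemFromB64 at the top of the new body is built but never returned — the bare `fmt.Errorf("failed decoding StItem: %v", err)` discards its result (go vet reports this), so a request whose Item does not decode still flows into tls.Marshal and the later checks instead of being rejected; the line should be `return nil, fmt.Errorf("failed decoding StItem: %v", err)`. Separately, the new CheckSignature call passes `c.SignatureAlgorithm`, which names the algorithm the issuer used to sign the certificate, not the algorithm of the key inside it; if a submitter's key type can differ from the CA's signing algorithm, valid leaf signatures will be rejected, so it is worth confirming how submitters are expected to sign and, if needed, selecting the algorithm from `c.PublicKeyAlgorithm`. `c := x509chain[0]` also assumes ValidateChain never returns an empty chain with a nil error; a `len(x509chain) == 0` guard would make that assumption explicit rather than a panic path.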