authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-10-27 16:22:13 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-10-27 16:22:13 +0100
commit13dd306e69b26ab8b7aedcd6ed915df4b6672a01 (patch)
tree4b2b5456f5c979ce13f6419b676af165bb55fe3d /x509.go
parentdd19521190f39a8b1704adb724f5f812040f91e4 (diff)
isolated chain and signature verification
Diffstat (limited to 'x509.go')
-rw-r--r--x509.go35
1 files changed, 35 insertions, 0 deletions
diff --git a/x509.go b/x509.go
index cdcd523..4e5a4d6 100644
--- a/x509.go
+++ b/x509.go
@@ -3,6 +3,8 @@ package stfe
import (
"fmt"
+ "crypto/ecdsa"
+ "crypto/rsa"
"crypto/x509"
"encoding/pem"
"io/ioutil"
@@ -41,3 +43,36 @@ func LoadTrustAnchors(path string) ([]*x509.Certificate, *x509.CertPool, error)
}
return anchors, pool, nil
}
+
+func VerifyChain(ld *LogParameters, certificate *x509.Certificate) ([]*x509.Certificate, error) {
+ opts := x509.VerifyOptions{
+ Roots: ld.AnchorPool,
+ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // TODO: move to ld
+ } // TODO: add intermediates
+
+ chains, err := certificate.Verify(opts)
+ if err != nil {
+ return nil, fmt.Errorf("chain verification failed: %v", err)
+ }
+ if len(chains) == 0 {
+ return nil, fmt.Errorf("chain verification failed: no chain")
+ }
+ return chains[0], nil // if we found multiple paths just pick the first one
+}
+
+func VerifySignature(leaf, signature []byte, certificate *x509.Certificate) error {
+ var algo x509.SignatureAlgorithm
+ switch t := certificate.PublicKey.(type) {
+ case *rsa.PublicKey:
+ algo = x509.SHA256WithRSA
+ case *ecdsa.PublicKey:
+ algo = x509.ECDSAWithSHA256
+ default:
+ return fmt.Errorf("unsupported public key algorithm: %v", t)
+ }
+
+ if err := certificate.CheckSignature(algo, leaf, signature); err != nil {
+ return fmt.Errorf("invalid signature: %v", err)
+ }
+ return nil
+}
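Review bot: VerifySignature hard-codes one signature scheme per key family — PKCS#1 v1.5 with SHA-256 for every RSA key and ECDSA with SHA-256 for every curve — without saying so, so a caller handing in a P-384 certificate or a PSS-signed leaf gets an "invalid signature" error that looks like tampering rather than a scheme mismatch; a doc comment such as `// VerifySignature checks signature over leaf using certificate's key; only SHA256WithRSA (PKCS#1 v1.5) and ECDSAWithSHA256 are accepted.` would make the contract explicit. In the default case `%v` formats the whole unsupported public-key value into the error, which can be large and unhelpful in logs; `return fmt.Errorf("unsupported public key algorithm: %T", t)` names the type instead. Both functions wrap errors with `%v`, which hides the underlying x509 error from `errors.Is`/`errors.As`; `%w` preserves it. In VerifyChain the `len(chains) == 0` branch appears unreachable because certificate.Verify returns a non-nil error when it finds no chain, so the branch could be dropped or kept with a comment saying it is defensive.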