author | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-10-27 16:22:13 +0100 |
---|---|---|
committer | Rasmus Dahlberg <rasmus.dahlberg@kau.se> | 2020-10-27 16:22:13 +0100 |
commit | 13dd306e69b26ab8b7aedcd6ed915df4b6672a01 (patch) | |
tree | 4b2b5456f5c979ce13f6419b676af165bb55fe3d /x509.go | |
parent | dd19521190f39a8b1704adb724f5f812040f91e4 (diff) |
isolated chain and signature verification
Diffstat (limited to 'x509.go')
-rw-r--r-- | x509.go | 35 |
1 files changed, 35 insertions, 0 deletions
@@ -3,6 +3,8 @@ package stfe
 import (
 "fmt"
+ "crypto/ecdsa"
+ "crypto/rsa"
 "crypto/x509"
 "encoding/pem"
 "io/ioutil"
@@ -41,3 +43,36 @@ func LoadTrustAnchors(path string) ([]*x509.Certificate, *x509.CertPool, error)
 }
 return anchors, pool, nil
 }
+
+func VerifyChain(ld *LogParameters, certificate *x509.Certificate) ([]*x509.Certificate, error) {
+ opts := x509.VerifyOptions{
+ Roots: ld.AnchorPool,
+ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // TODO: move to ld
+ } // TODO: add intermediates
+
+ chains, err := certificate.Verify(opts)
+ if err != nil {
+ return nil, fmt.Errorf("chain verification failed: %v", err)
+ }
+ if len(chains) == 0 {
+ return nil, fmt.Errorf("chain verification failed: no chain")
+ }
+ return chains[0], nil // if we found multiple paths just pick the first one
+}
+
+func VerifySignature(leaf, signature []byte, certificate *x509.Certificate) error {
+ var algo x509.SignatureAlgorithm
+ switch t := certificate.PublicKey.(type) {
+ case *rsa.PublicKey:
+ algo = x509.SHA256WithRSA
+ case *ecdsa.PublicKey:
+ algo = x509.ECDSAWithSHA256
+ default:
+ return fmt.Errorf("unsupported public key algorithm: %v", t)
+ }
+
+ if err := certificate.CheckSignature(algo, leaf, signature); err != nil {
+ return fmt.Errorf("invalid signature: %v", err)
+ }
+ return nil
+}
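Review bot: The `default` branch of VerifySignature formats the unsupported key with `%v`, which prints the key value itself (for a key type that is a byte slice, such as an Ed25519 key, that is the raw public-key bytes) rather than naming the type; `return fmt.Errorf("unsupported public key algorithm: %T", t)` gives the reader the type name and keeps the error message short. The other three `fmt.Errorf` calls in the hunk also use `%v`, which flattens the underlying x509 error to text; `%w` would let callers distinguish, say, an unknown-authority failure from an expired certificate with errors.As. Both VerifyChain and VerifySignature are exported but carry no doc comment; `// VerifyChain verifies certificate against ld.AnchorPool and returns the first chain found.` and `// VerifySignature checks that signature is a SHA-256 RSA or ECDSA signature over leaf made with certificate's public key.` would cover them. Setting `KeyUsages` to `x509.ExtKeyUsageAny` means the extended-key-usage check is effectively disabled for now, which the inline TODO already acknowledges but the doc comment should state so callers do not assume otherwise.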