isolated chain and signature verification

1 files changed, 35 insertions, 0 deletions

diff --git a/x509.go b/x509.go
index cdcd523..4e5a4d6 100644
--- a/x509.go
+++ b/x509.go
@@ -3,6 +3,8 @@ package stfe
 import (
 	"fmt"
 
+	"crypto/ecdsa"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"io/ioutil"
@@ -41,3 +43,36 @@ func LoadTrustAnchors(path string) ([]*x509.Certificate, *x509.CertPool, error)
 	}
 	return anchors, pool, nil
 }
+
+func VerifyChain(ld *LogParameters, certificate *x509.Certificate) ([]*x509.Certificate, error) {
+	opts := x509.VerifyOptions{
+		Roots:     ld.AnchorPool,
+		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // TODO: move to ld
+	} // TODO: add intermediates
+
+	chains, err := certificate.Verify(opts)
+	if err != nil {
+		return nil, fmt.Errorf("chain verification failed: %v", err)
+	}
+	if len(chains) == 0 {
+		return nil, fmt.Errorf("chain verification failed: no chain")
+	}
+	return chains[0], nil // if we found multiple paths just pick the first one
+}
+
+func VerifySignature(leaf, signature []byte, certificate *x509.Certificate) error {
+	var algo x509.SignatureAlgorithm
+	switch t := certificate.PublicKey.(type) {
+	case *rsa.PublicKey:
+		algo = x509.SHA256WithRSA
+	case *ecdsa.PublicKey:
+		algo = x509.ECDSAWithSHA256
+	default:
+		return fmt.Errorf("unsupported public key algorithm: %v", t)
+	}
+
+	if err := certificate.CheckSignature(algo, leaf, signature); err != nil {
+		return fmt.Errorf("invalid signature: %v", err)
+	}
+	return nil
+}