| package pkcs7 |
| |
| import ( |
| "crypto" |
| "crypto/dsa" |
| "crypto/subtle" |
| "crypto/x509" |
| "crypto/x509/pkix" |
| "encoding/asn1" |
| "errors" |
| "fmt" |
| "time" |
| ) |
| |
| // Verify is a wrapper around VerifyWithChain() that initializes an empty |
| // trust store, effectively disabling certificate verification when validating |
| // a signature. |
| func (p7 *PKCS7) Verify() (err error) { |
| return p7.VerifyWithChain(nil) |
| } |
| |
| // VerifyWithChain checks the signatures of a PKCS7 object. |
| // |
| // If truststore is not nil, it also verifies the chain of trust of |
| // the end-entity signer cert to one of the roots in the |
| // truststore. When the PKCS7 object includes the signing time |
| // authenticated attr verifies the chain at that time and UTC now |
| // otherwise. |
| func (p7 *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error) { |
| if len(p7.Signers) == 0 { |
| return errors.New("pkcs7: Message has no signers") |
| } |
| for _, signer := range p7.Signers { |
| if err := verifySignature(p7, signer, truststore); err != nil { |
| return err |
| } |
| } |
| return nil |
| } |
| |
| // VerifyWithChainAtTime checks the signatures of a PKCS7 object. |
| // |
| // If truststore is not nil, it also verifies the chain of trust of |
| // the end-entity signer cert to a root in the truststore at |
| // currentTime. It does not use the signing time authenticated |
| // attribute. |
| func (p7 *PKCS7) VerifyWithChainAtTime(truststore *x509.CertPool, currentTime time.Time) (err error) { |
| if len(p7.Signers) == 0 { |
| return errors.New("pkcs7: Message has no signers") |
| } |
| for _, signer := range p7.Signers { |
| if err := verifySignatureAtTime(p7, signer, truststore, currentTime); err != nil { |
| return err |
| } |
| } |
| return nil |
| } |
| |
| func verifySignatureAtTime(p7 *PKCS7, signer signerInfo, truststore *x509.CertPool, currentTime time.Time) (err error) { |
| signedData := p7.Content |
| ee := getCertFromCertsByIssuerAndSerial(p7.Certificates, signer.IssuerAndSerialNumber) |
| if ee == nil { |
| return errors.New("pkcs7: No certificate for signer") |
| } |
| if len(signer.AuthenticatedAttributes) > 0 { |
| // TODO(fullsailor): First check the content type match |
| var ( |
| digest []byte |
| signingTime time.Time |
| ) |
| err := unmarshalAttribute(signer.AuthenticatedAttributes, OIDAttributeMessageDigest, &digest) |
| if err != nil { |
| return err |
| } |
| hash, err := getHashForOID(signer.DigestAlgorithm.Algorithm) |
| if err != nil { |
| return err |
| } |
| h := hash.New() |
| h.Write(p7.Content) |
| computed := h.Sum(nil) |
| if subtle.ConstantTimeCompare(digest, computed) != 1 { |
| return &MessageDigestMismatchError{ |
| ExpectedDigest: digest, |
| ActualDigest: computed, |
| } |
| } |
| signedData, err = marshalAttributes(signer.AuthenticatedAttributes) |
| if err != nil { |
| return err |
| } |
| err = unmarshalAttribute(signer.AuthenticatedAttributes, OIDAttributeSigningTime, &signingTime) |
| if err == nil { |
| // signing time found, performing validity check |
| if signingTime.After(ee.NotAfter) || signingTime.Before(ee.NotBefore) { |
| return fmt.Errorf("pkcs7: signing time %q is outside of certificate validity %q to %q", |
| signingTime.Format(time.RFC3339), |
| ee.NotBefore.Format(time.RFC3339), |
| ee.NotAfter.Format(time.RFC3339)) |
| } |
| } |
| } |
| if truststore != nil { |
| _, err = verifyCertChain(ee, p7.Certificates, truststore, currentTime) |
| if err != nil { |
| return err |
| } |
| } |
| sigalg, err := getSignatureAlgorithm(signer.DigestEncryptionAlgorithm, signer.DigestAlgorithm) |
| if err != nil { |
| return err |
| } |
| switch sigalg { |
| case x509.DSAWithSHA1, x509.DSAWithSHA256: |
| return dsaCheckSignature(sigalg, signedData, signer.EncryptedDigest, ee.PublicKey) |
| default: |
| return ee.CheckSignature(sigalg, signedData, signer.EncryptedDigest) |
| } |
| } |
| |
| // dsaSignature verifies the DSA signature on a PKCS7 document. DSA support was |
| // removed from Go's crypto/x509 support prior to Go 1.16. This allows |
| // verifying legacy signatures until affected applications can be migrated off |
| // of DSA. |
| func dsaCheckSignature(algo x509.SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) error { |
| dsaKey, ok := publicKey.(*dsa.PublicKey) |
| if !ok { |
| return ErrUnsupportedAlgorithm |
| } |
| |
| var hashType crypto.Hash |
| switch algo { |
| case x509.DSAWithSHA1: |
| hashType = crypto.SHA1 |
| case x509.DSAWithSHA256: |
| hashType = crypto.SHA256 |
| default: |
| return ErrUnsupportedAlgorithm |
| } |
| h := hashType.New() |
| h.Write(signed) |
| signed = h.Sum(nil) |
| |
| dsaSig := new(dsaSignature) |
| if rest, err := asn1.Unmarshal(signature, dsaSig); err != nil { |
| return err |
| } else if len(rest) != 0 { |
| return errors.New("x509: trailing data after DSA signature") |
| } |
| if dsaSig.R.Sign() <= 0 || dsaSig.S.Sign() <= 0 { |
| return errors.New("x509: DSA signature contained zero or negative values") |
| } |
| // According to FIPS 186-3, section 4.6, the hash must be truncated if it is longer |
| // than the key length, but crypto/dsa doesn't do it automatically. |
| if maxHashLen := dsaKey.Q.BitLen() / 8; maxHashLen < len(signed) { |
| signed = signed[:maxHashLen] |
| } |
| if !dsa.Verify(dsaKey, signed, dsaSig.R, dsaSig.S) { |
| return errors.New("x509: DSA verification failure") |
| } |
| return nil |
| } |
| |
| func verifySignature(p7 *PKCS7, signer signerInfo, truststore *x509.CertPool) (err error) { |
| signedData := p7.Content |
| ee := getCertFromCertsByIssuerAndSerial(p7.Certificates, signer.IssuerAndSerialNumber) |
| if ee == nil { |
| return errors.New("pkcs7: No certificate for signer") |
| } |
| signingTime := time.Now().UTC() |
| if len(signer.AuthenticatedAttributes) > 0 { |
| // TODO(fullsailor): First check the content type match |
| var digest []byte |
| err := unmarshalAttribute(signer.AuthenticatedAttributes, OIDAttributeMessageDigest, &digest) |
| if err != nil { |
| return err |
| } |
| hash, err := getHashForOID(signer.DigestAlgorithm.Algorithm) |
| if err != nil { |
| return err |
| } |
| h := hash.New() |
| h.Write(p7.Content) |
| computed := h.Sum(nil) |
| if subtle.ConstantTimeCompare(digest, computed) != 1 { |
| return &MessageDigestMismatchError{ |
| ExpectedDigest: digest, |
| ActualDigest: computed, |
| } |
| } |
| signedData, err = marshalAttributes(signer.AuthenticatedAttributes) |
| if err != nil { |
| return err |
| } |
| err = unmarshalAttribute(signer.AuthenticatedAttributes, OIDAttributeSigningTime, &signingTime) |
| if err == nil { |
| // signing time found, performing validity check |
| if signingTime.After(ee.NotAfter) || signingTime.Before(ee.NotBefore) { |
| return fmt.Errorf("pkcs7: signing time %q is outside of certificate validity %q to %q", |
| signingTime.Format(time.RFC3339), |
| ee.NotBefore.Format(time.RFC3339), |
| ee.NotAfter.Format(time.RFC3339)) |
| } |
| } |
| } |
| if truststore != nil { |
| _, err = verifyCertChain(ee, p7.Certificates, truststore, signingTime) |
| if err != nil { |
| return err |
| } |
| } |
| sigalg, err := getSignatureAlgorithm(signer.DigestEncryptionAlgorithm, signer.DigestAlgorithm) |
| if err != nil { |
| return err |
| } |
| |
| switch sigalg { |
| case x509.DSAWithSHA1, x509.DSAWithSHA256: |
| return dsaCheckSignature(sigalg, signedData, signer.EncryptedDigest, ee.PublicKey) |
| default: |
| return ee.CheckSignature(sigalg, signedData, signer.EncryptedDigest) |
| } |
| } |
| |
| // GetOnlySigner returns an x509.Certificate for the first signer of the signed |
| // data payload. If there are more or less than one signer, nil is returned |
| func (p7 *PKCS7) GetOnlySigner() *x509.Certificate { |
| if len(p7.Signers) != 1 { |
| return nil |
| } |
| signer := p7.Signers[0] |
| return getCertFromCertsByIssuerAndSerial(p7.Certificates, signer.IssuerAndSerialNumber) |
| } |
| |
| // UnmarshalSignedAttribute decodes a single attribute from the signer info |
| func (p7 *PKCS7) UnmarshalSignedAttribute(attributeType asn1.ObjectIdentifier, out interface{}) error { |
| sd, ok := p7.raw.(signedData) |
| if !ok { |
| return errors.New("pkcs7: payload is not signedData content") |
| } |
| if len(sd.SignerInfos) < 1 { |
| return errors.New("pkcs7: payload has no signers") |
| } |
| attributes := sd.SignerInfos[0].AuthenticatedAttributes |
| return unmarshalAttribute(attributes, attributeType, out) |
| } |
| |
| func parseSignedData(data []byte) (*PKCS7, error) { |
| var sd signedData |
| asn1.Unmarshal(data, &sd) |
| certs, err := sd.Certificates.Parse() |
| if err != nil { |
| return nil, err |
| } |
| // fmt.Printf("--> Signed Data Version %d\n", sd.Version) |
| |
| var compound asn1.RawValue |
| var content unsignedData |
| |
| // The Content.Bytes maybe empty on PKI responses. |
| if len(sd.ContentInfo.Content.Bytes) > 0 { |
| if _, err := asn1.Unmarshal(sd.ContentInfo.Content.Bytes, &compound); err != nil { |
| return nil, err |
| } |
| } |
| // Compound octet string |
| if compound.IsCompound { |
| if compound.Tag == 4 { |
| if _, err = asn1.Unmarshal(compound.Bytes, &content); err != nil { |
| return nil, err |
| } |
| } else { |
| content = compound.Bytes |
| } |
| } else { |
| // assuming this is tag 04 |
| content = compound.Bytes |
| } |
| return &PKCS7{ |
| Content: content, |
| Certificates: certs, |
| CRLs: sd.CRLs, |
| Signers: sd.SignerInfos, |
| raw: sd, |
| }, nil |
| } |
| |
| // verifyCertChain takes an end-entity certs, a list of potential intermediates and a |
| // truststore, and built all potential chains between the EE and a trusted root. |
| // |
| // When verifying chains that may have expired, currentTime can be set to a past date |
| // to allow the verification to pass. If unset, currentTime is set to the current UTC time. |
| func verifyCertChain(ee *x509.Certificate, certs []*x509.Certificate, truststore *x509.CertPool, currentTime time.Time) (chains [][]*x509.Certificate, err error) { |
| intermediates := x509.NewCertPool() |
| for _, intermediate := range certs { |
| intermediates.AddCert(intermediate) |
| } |
| verifyOptions := x509.VerifyOptions{ |
| Roots: truststore, |
| Intermediates: intermediates, |
| KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, |
| CurrentTime: currentTime, |
| } |
| chains, err = ee.Verify(verifyOptions) |
| if err != nil { |
| return chains, fmt.Errorf("pkcs7: failed to verify certificate chain: %v", err) |
| } |
| return |
| } |
| |
| // MessageDigestMismatchError is returned when the signer data digest does not |
| // match the computed digest for the contained content |
| type MessageDigestMismatchError struct { |
| ExpectedDigest []byte |
| ActualDigest []byte |
| } |
| |
| func (err *MessageDigestMismatchError) Error() string { |
| return fmt.Sprintf("pkcs7: Message digest mismatch\n\tExpected: %X\n\tActual : %X", err.ExpectedDigest, err.ActualDigest) |
| } |
| |
| func getSignatureAlgorithm(digestEncryption, digest pkix.AlgorithmIdentifier) (x509.SignatureAlgorithm, error) { |
| switch { |
| case digestEncryption.Algorithm.Equal(OIDDigestAlgorithmECDSASHA1): |
| return x509.ECDSAWithSHA1, nil |
| case digestEncryption.Algorithm.Equal(OIDDigestAlgorithmECDSASHA256): |
| return x509.ECDSAWithSHA256, nil |
| case digestEncryption.Algorithm.Equal(OIDDigestAlgorithmECDSASHA384): |
| return x509.ECDSAWithSHA384, nil |
| case digestEncryption.Algorithm.Equal(OIDDigestAlgorithmECDSASHA512): |
| return x509.ECDSAWithSHA512, nil |
| case digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmRSA), |
| digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmRSASHA1), |
| digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmRSASHA256), |
| digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmRSASHA384), |
| digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmRSASHA512): |
| switch { |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA1): |
| return x509.SHA1WithRSA, nil |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA256): |
| return x509.SHA256WithRSA, nil |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA384): |
| return x509.SHA384WithRSA, nil |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA512): |
| return x509.SHA512WithRSA, nil |
| default: |
| return -1, fmt.Errorf("pkcs7: unsupported digest %q for encryption algorithm %q", |
| digest.Algorithm.String(), digestEncryption.Algorithm.String()) |
| } |
| case digestEncryption.Algorithm.Equal(OIDDigestAlgorithmDSA), |
| digestEncryption.Algorithm.Equal(OIDDigestAlgorithmDSASHA1): |
| switch { |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA1): |
| return x509.DSAWithSHA1, nil |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA256): |
| return x509.DSAWithSHA256, nil |
| default: |
| return -1, fmt.Errorf("pkcs7: unsupported digest %q for encryption algorithm %q", |
| digest.Algorithm.String(), digestEncryption.Algorithm.String()) |
| } |
| case digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmECDSAP256), |
| digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmECDSAP384), |
| digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmECDSAP521): |
| switch { |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA1): |
| return x509.ECDSAWithSHA1, nil |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA256): |
| return x509.ECDSAWithSHA256, nil |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA384): |
| return x509.ECDSAWithSHA384, nil |
| case digest.Algorithm.Equal(OIDDigestAlgorithmSHA512): |
| return x509.ECDSAWithSHA512, nil |
| default: |
| return -1, fmt.Errorf("pkcs7: unsupported digest %q for encryption algorithm %q", |
| digest.Algorithm.String(), digestEncryption.Algorithm.String()) |
| } |
| default: |
| return -1, fmt.Errorf("pkcs7: unsupported algorithm %q", |
| digestEncryption.Algorithm.String()) |
| } |
| } |
| |
| func getCertFromCertsByIssuerAndSerial(certs []*x509.Certificate, ias issuerAndSerial) *x509.Certificate { |
| for _, cert := range certs { |
| if isCertMatchForIssuerAndSerial(cert, ias) { |
| return cert |
| } |
| } |
| return nil |
| } |
| |
| func unmarshalAttribute(attrs []attribute, attributeType asn1.ObjectIdentifier, out interface{}) error { |
| for _, attr := range attrs { |
| if attr.Type.Equal(attributeType) { |
| _, err := asn1.Unmarshal(attr.Value.Bytes, out) |
| return err |
| } |
| } |
| return errors.New("pkcs7: attribute type not in attributes") |
| } |
