From d66840f9a5ead48ecbd6ad22e01da138db8f3b05 Mon Sep 17 00:00:00 2001 From: Florent CHAUVEAU Date: Fri, 24 Jun 2022 13:02:15 +0200 Subject: [PATCH] Export SignedData in cms. Fixes #89 --- ietf-cms/sign.go | 2 +- ietf-cms/sign_test.go | 8 ++++---- ietf-cms/signed_data.go | 24 ++++++++++++------------ ietf-cms/timestamp.go | 8 ++++---- ietf-cms/timestamp_test.go | 22 +++++++++++----------- ietf-cms/verify.go | 16 ++++++++-------- ietf-cms/verify_test.go | 4 ++-- 7 files changed, 42 insertions(+), 42 deletions(-) diff --git a/ietf-cms/sign.go b/ietf-cms/sign.go index dd2de9e..0db3d38 100644 --- a/ietf-cms/sign.go +++ b/ietf-cms/sign.go @@ -45,5 +45,5 @@ func SignDetached(data []byte, chain []*x509.Certificate, signer crypto.Signer) // leaf certificate associated with the signer. Any additional intermediates // will also be added to the SignedData. func (sd *SignedData) Sign(chain []*x509.Certificate, signer crypto.Signer) error { - return sd.psd.AddSignerInfo(chain, signer) + return sd.AddSignerInfo(chain, signer) } diff --git a/ietf-cms/sign_test.go b/ietf-cms/sign_test.go index 21d210f..4aec0ab 100644 --- a/ietf-cms/sign_test.go +++ b/ietf-cms/sign_test.go @@ -33,7 +33,7 @@ func TestSign(t *testing.T) { } // test that we're including whole chain in sd - sdCerts, err := sd2.psd.X509Certificates() + sdCerts, err := sd2.X509Certificates() if err != nil { t.Fatal(err) } @@ -53,7 +53,7 @@ func TestSign(t *testing.T) { } // check that we're including signing time attribute - st, err := sd2.psd.SignerInfos[0].GetSigningTimeAttribute() + st, err := sd2.SignerInfos[0].GetSigningTimeAttribute() if st.After(time.Now().Add(time.Second)) || st.Before(time.Now().Add(-time.Second)) { t.Fatal("expected SigningTime to be now. Difference was", st.Sub(time.Now())) } @@ -77,7 +77,7 @@ func TestSignDetached(t *testing.T) { } // test that we're including whole chain in sd - sdCerts, err := sd2.psd.X509Certificates() + sdCerts, err := sd2.X509Certificates() if err != nil { t.Fatal(err) } @@ -97,7 +97,7 @@ func TestSignDetached(t *testing.T) { } // check that we're including signing time attribute - st, err := sd2.psd.SignerInfos[0].GetSigningTimeAttribute() + st, err := sd2.SignerInfos[0].GetSigningTimeAttribute() if st.After(time.Now().Add(time.Second)) || st.Before(time.Now().Add(-time.Second)) { t.Fatal("expected SigningTime to be now. Difference was", st.Sub(time.Now())) } diff --git a/ietf-cms/signed_data.go b/ietf-cms/signed_data.go index edfcf41..9700cbd 100644 --- a/ietf-cms/signed_data.go +++ b/ietf-cms/signed_data.go @@ -9,7 +9,7 @@ import ( // SignedData represents a signed message or detached signature. type SignedData struct { - psd *protocol.SignedData + *protocol.SignedData } // NewSignedData creates a new SignedData from the given data. @@ -19,12 +19,12 @@ func NewSignedData(data []byte) (*SignedData, error) { return nil, err } - psd, err := protocol.NewSignedData(eci) + sd, err := protocol.NewSignedData(eci) if err != nil { return nil, err } - return &SignedData{psd}, nil + return &SignedData{sd}, nil } // ParseSignedData parses a SignedData from BER encoded data. @@ -34,32 +34,32 @@ func ParseSignedData(ber []byte) (*SignedData, error) { return nil, err } - psd, err := ci.SignedDataContent() + sd, err := ci.SignedDataContent() if err != nil { return nil, err } - return &SignedData{psd}, nil + return &SignedData{sd}, nil } // GetData gets the encapsulated data from the SignedData. Nil will be returned // if this is a detached signature. A protocol.ErrWrongType will be returned if // the SignedData encapsulates something other than data (1.2.840.113549.1.7.1). func (sd *SignedData) GetData() ([]byte, error) { - return sd.psd.EncapContentInfo.DataEContent() + return sd.EncapContentInfo.DataEContent() } // GetCertificates gets all the certificates stored in the SignedData. func (sd *SignedData) GetCertificates() ([]*x509.Certificate, error) { - return sd.psd.X509Certificates() + return sd.X509Certificates() } // SetCertificates replaces the certificates stored in the SignedData with new // ones. func (sd *SignedData) SetCertificates(certs []*x509.Certificate) error { - sd.psd.ClearCertificates() + sd.ClearCertificates() for _, cert := range certs { - if err := sd.psd.AddCertificate(cert); err != nil { + if err := sd.AddCertificate(cert); err != nil { return err } } @@ -69,15 +69,15 @@ func (sd *SignedData) SetCertificates(certs []*x509.Certificate) error { // Detached removes the data content from this SignedData. No more signatures // can be added after this method has been called. func (sd *SignedData) Detached() { - sd.psd.EncapContentInfo.EContent = asn1.RawValue{} + sd.EncapContentInfo.EContent = asn1.RawValue{} } // IsDetached checks if this SignedData has data content. func (sd *SignedData) IsDetached() bool { - return sd.psd.EncapContentInfo.EContent.Bytes == nil + return sd.EncapContentInfo.EContent.Bytes == nil } // ToDER encodes this SignedData message using DER. func (sd *SignedData) ToDER() ([]byte, error) { - return sd.psd.ContentInfoDER() + return sd.ContentInfoDER() } diff --git a/ietf-cms/timestamp.go b/ietf-cms/timestamp.go index 6b561a4..3f5ad6c 100644 --- a/ietf-cms/timestamp.go +++ b/ietf-cms/timestamp.go @@ -16,20 +16,20 @@ import ( // in old messages signed with revoked keys. func (sd *SignedData) AddTimestamps(url string) error { var ( - attrs = make([]protocol.Attribute, len(sd.psd.SignerInfos)) + attrs = make([]protocol.Attribute, len(sd.SignerInfos)) err error ) // Fetch all timestamp tokens before adding any to sd. This avoids a partial // failure. for i := range attrs { - if attrs[i], err = fetchTS(url, sd.psd.SignerInfos[i]); err != nil { + if attrs[i], err = fetchTS(url, sd.SignerInfos[i]); err != nil { return err } } for i := range attrs { - sd.psd.SignerInfos[i].UnsignedAttrs = append(sd.psd.SignerInfos[i].UnsignedAttrs, attrs[i]) + sd.SignerInfos[i].UnsignedAttrs = append(sd.SignerInfos[i].UnsignedAttrs, attrs[i]) } return nil @@ -88,7 +88,7 @@ func getTimestamp(si protocol.SignerInfo, opts x509.VerifyOptions) (timestamp.In return timestamp.Info{}, err } - tsti, err := timestamp.ParseInfo(tst.psd.EncapContentInfo) + tsti, err := timestamp.ParseInfo(tst.EncapContentInfo) if err != nil { return timestamp.Info{}, err } diff --git a/ietf-cms/timestamp_test.go b/ietf-cms/timestamp_test.go index 4c377e0..3c86179 100644 --- a/ietf-cms/timestamp_test.go +++ b/ietf-cms/timestamp_test.go @@ -24,7 +24,7 @@ func TestAddTimestamps(t *testing.T) { if _, err := sd.Verify(intermediateOpts); err != nil { t.Fatal(err) } - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err != nil { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err != nil { t.Fatal(err) } @@ -68,17 +68,17 @@ func TestTimestampsVerifications(t *testing.T) { getTimestampedSignedData := func() *SignedData { sd, _ := NewSignedData([]byte("hi")) sd.Sign(leaf.Chain(), leaf.PrivateKey) - tsReq, _ := tsRequest(sd.psd.SignerInfos[0]) + tsReq, _ := tsRequest(sd.SignerInfos[0]) tsResp, _ := tsa.Do(tsReq) tsAttr, _ := protocol.NewAttribute(oid.AttributeTimeStampToken, tsResp.TimeStampToken) - sd.psd.SignerInfos[0].UnsignedAttrs = append(sd.psd.SignerInfos[0].UnsignedAttrs, tsAttr) + sd.SignerInfos[0].UnsignedAttrs = append(sd.SignerInfos[0].UnsignedAttrs, tsAttr) return sd } // Good timestamp tsa.Clear() sd := getTimestampedSignedData() - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err != nil { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err != nil { t.Fatal(err) } if _, err := sd.Verify(intermediateOpts); err != nil { @@ -97,7 +97,7 @@ func TestTimestampsVerifications(t *testing.T) { return info }) sd = getTimestampedSignedData() - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err != nil { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err != nil { t.Fatal(err) } if _, err := sd.Verify(intermediateOpts); err == nil || !strings.HasPrefix(err.Error(), "x509: certificate has expired") { @@ -116,7 +116,7 @@ func TestTimestampsVerifications(t *testing.T) { return info }) sd = getTimestampedSignedData() - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err != nil { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err != nil { t.Fatal(err) } if _, err := sd.Verify(intermediateOpts); err != nil { @@ -135,7 +135,7 @@ func TestTimestampsVerifications(t *testing.T) { return info }) sd = getTimestampedSignedData() - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err != nil { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err != nil { t.Fatal(err) } if _, err := sd.Verify(intermediateOpts); err == nil || !strings.HasPrefix(err.Error(), "x509: certificate has expired") { @@ -154,7 +154,7 @@ func TestTimestampsVerifications(t *testing.T) { return info }) sd = getTimestampedSignedData() - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err != nil { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err != nil { t.Fatal(err) } if _, err := sd.Verify(intermediateOpts); err != nil { @@ -167,7 +167,7 @@ func TestTimestampsVerifications(t *testing.T) { return info }) sd = getTimestampedSignedData() - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err == nil || err.Error() != "invalid message imprint" { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err == nil || err.Error() != "invalid message imprint" { t.Fatalf("expected 'invalid message imprint', got %v", err) } @@ -179,7 +179,7 @@ func TestTimestampsVerifications(t *testing.T) { return tst }) sd = getTimestampedSignedData() - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err == nil { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err == nil { t.Fatal("expected error") } else if _, ok := err.(x509.UnknownAuthorityError); !ok { t.Fatalf("expected x509.UnknownAuthorityError, got %v", err) @@ -191,7 +191,7 @@ func TestTimestampsVerifications(t *testing.T) { return tst }) sd = getTimestampedSignedData() - if _, err := getTimestamp(sd.psd.SignerInfos[0], intermediateOpts); err != rsa.ErrVerification { + if _, err := getTimestamp(sd.SignerInfos[0], intermediateOpts); err != rsa.ErrVerification { t.Fatalf("expected %v, got %v", rsa.ErrVerification, err) } } diff --git a/ietf-cms/verify.go b/ietf-cms/verify.go index 70a956c..a7bed8c 100644 --- a/ietf-cms/verify.go +++ b/ietf-cms/verify.go @@ -16,7 +16,7 @@ import ( // // WARNING: this function doesn't do any revocation checking. func (sd *SignedData) Verify(opts x509.VerifyOptions) ([][][]*x509.Certificate, error) { - econtent, err := sd.psd.EncapContentInfo.EContentValue() + econtent, err := sd.EncapContentInfo.EContentValue() if err != nil { return nil, err } @@ -35,18 +35,18 @@ func (sd *SignedData) Verify(opts x509.VerifyOptions) ([][][]*x509.Certificate, // // WARNING: this function doesn't do any revocation checking. func (sd *SignedData) VerifyDetached(message []byte, opts x509.VerifyOptions) ([][][]*x509.Certificate, error) { - if sd.psd.EncapContentInfo.EContent.Bytes != nil { + if sd.EncapContentInfo.EContent.Bytes != nil { return nil, errors.New("signature not detached") } return sd.verify(message, opts) } func (sd *SignedData) verify(econtent []byte, opts x509.VerifyOptions) ([][][]*x509.Certificate, error) { - if len(sd.psd.SignerInfos) == 0 { + if len(sd.SignerInfos) == 0 { return nil, protocol.ASN1Error{Message: "no signatures found"} } - certs, err := sd.psd.X509Certificates() + certs, err := sd.X509Certificates() if err != nil { return nil, err } @@ -64,16 +64,16 @@ func (sd *SignedData) verify(econtent []byte, opts x509.VerifyOptions) ([][][]*x tsOpts := opts tsOpts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping} - chains := make([][][]*x509.Certificate, 0, len(sd.psd.SignerInfos)) + chains := make([][][]*x509.Certificate, 0, len(sd.SignerInfos)) - for _, si := range sd.psd.SignerInfos { + for _, si := range sd.SignerInfos { var signedMessage []byte // SignedAttrs is optional if EncapContentInfo eContentType isn't id-data. if si.SignedAttrs == nil { // SignedAttrs may only be absent if EncapContentInfo eContentType is // id-data. - if !sd.psd.EncapContentInfo.IsTypeData() { + if !sd.EncapContentInfo.IsTypeData() { return nil, protocol.ASN1Error{Message: "missing SignedAttrs"} } @@ -87,7 +87,7 @@ func (sd *SignedData) verify(econtent []byte, opts x509.VerifyOptions) ([][][]*x if err != nil { return nil, err } - if !siContentType.Equal(sd.psd.EncapContentInfo.EContentType) { + if !siContentType.Equal(sd.EncapContentInfo.EContentType) { return nil, protocol.ASN1Error{Message: "invalid SignerInfo ContentType attribute"} } diff --git a/ietf-cms/verify_test.go b/ietf-cms/verify_test.go index 2adc35a..82b861a 100644 --- a/ietf-cms/verify_test.go +++ b/ietf-cms/verify_test.go @@ -36,7 +36,7 @@ func ExampleSignedData() { func verifyOptionsForSignedData(sd *SignedData) (opts x509.VerifyOptions) { // add self-signed cert as trusted root - certs, err := sd.psd.X509Certificates() + certs, err := sd.X509Certificates() if err != nil { panic(err) } @@ -46,7 +46,7 @@ func verifyOptionsForSignedData(sd *SignedData) (opts x509.VerifyOptions) { } // trust signing time - signingTime, err := sd.psd.SignerInfos[0].GetSigningTimeAttribute() + signingTime, err := sd.SignerInfos[0].GetSigningTimeAttribute() if err != nil { panic(err) }