package signing
import (
"crypto/x509"
"crypto/x509/pkix"
"time"
"github.com/mandelsoft/goutils/errors"
"github.com/open-component-model/ocm/pkg/signing/signutils"
)
// VerifyCert verifies cert against the root pool and intermediate chain and
// matches its subject against the distinguished name built by
// signutils.CommonName(name). All checks, including the code-signing usage
// requirement and the choice of validation time, are those of VerifyCertDN.
func VerifyCert(intermediate signutils.GenericCertificateChain, root signutils.GenericCertificatePool, name string, cert *x509.Certificate) error {
	dn := signutils.CommonName(name)
	return VerifyCertDN(intermediate, root, dn, cert)
}
// VerifyCertDN checks that cert chains to one of the root certificates through
// the given intermediates, that its subject matches name (when name is
// non-nil) and that it is usable for code signing.
//
// Chain validation uses x509.VerifyOptions with CurrentTime set to
// cert.NotBefore rather than time.Now(): the chain is judged at the instant
// the certificate became valid, so a certificate that has expired since then
// is not rejected here. Callers that need "valid now" semantics must check
// expiry themselves. cert.Verify performs no revocation checking.
//
// root and intermediate are converted with signutils.GetCertPool. Errors from
// that conversion, from cert.Verify and from signutils.MatchDN are returned
// unchanged. A certificate that passes chain validation but carries neither
// the DigitalSignature key usage bit nor the CodeSigning extended key usage
// yields errors.ErrNotSupported("codesign", "", "certificate").
func VerifyCertDN(intermediate signutils.GenericCertificateChain, root signutils.GenericCertificatePool, name *pkix.Name, cert *x509.Certificate) error {
	roots, err := signutils.GetCertPool(root, false)
	if err != nil {
		return err
	}
	inters, err := signutils.GetCertPool(intermediate, false)
	if err != nil {
		return err
	}
	// KeyUsages restricts accepted chains to ones usable for code signing;
	// CurrentTime deliberately is the certificate's own start of validity.
	if _, err = cert.Verify(x509.VerifyOptions{
		Intermediates: inters,
		Roots:         roots,
		CurrentTime:   cert.NotBefore,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return err
	}
	if name != nil {
		if err := signutils.MatchDN(cert.Subject, *name); err != nil {
			return err
		}
	}
	// Either the DigitalSignature key usage bit or the CodeSigning EKU
	// qualifies the leaf certificate.
	signing := cert.KeyUsage&x509.KeyUsageDigitalSignature != 0
	for i := 0; !signing && i < len(cert.ExtKeyUsage); i++ {
		signing = cert.ExtKeyUsage[i] == x509.ExtKeyUsageCodeSigning
	}
	if !signing {
		return errors.ErrNotSupported("codesign", "", "certificate")
	}
	return nil
}
// CreateCertificate issues a certificate for pub with the given subject and
// validity window, signed by ca with priv (ca is used both as the issuer and
// as the chain attached to the specification), carrying the CodeSigning
// extended key usage and names as hosts. It delegates to
// signutils.CreateCertificate and returns only the encoded certificate data,
// dropping that function's first result.
//
// Deprecated: use signutils.CreateCertificate.
func CreateCertificate(subject pkix.Name, validFrom *time.Time,
	validity time.Duration, pub interface{},
	ca *x509.Certificate, priv interface{}, isCA bool, names ...string,
) ([]byte, error) {
	var req signutils.Specification
	req.Subject = subject
	req.NotBefore = validFrom
	req.Validity = validity
	req.PublicKey = pub
	req.IsCA = isCA
	req.RootCAs = ca
	req.CAChain = ca
	req.CAPrivateKey = priv
	req.Usages = signutils.Usages{x509.ExtKeyUsageCodeSigning}
	req.Hosts = names

	_, data, err := signutils.CreateCertificate(&req)
	return data, err
}