// Verify verifies all the signatures and returns the list of // public keys used to sign. Any x509 chains are not checked. func (js *JSONSignature) Verify() ([]libtrust.PublicKey, error) { keys := make([]libtrust.PublicKey, len(js.signatures)) for i, signature := range js.signatures { signBytes, err := js.signBytes(signature.Protected) if err != nil { return nil, err } var publicKey libtrust.PublicKey if len(signature.Header.Chain) > 0 { certBytes, err := base64.StdEncoding.DecodeString(signature.Header.Chain[0]) if err != nil { return nil, err } cert, err := x509.ParseCertificate(certBytes) if err != nil { return nil, err } publicKey, err = FromCryptoPublicKey(cert.PublicKey) if err != nil { return nil, err } } else if signature.Header.JWK != nil { publicKey = signature.Header.JWK } else { return nil, errors.New("missing public key") } sigBytes, err := joseBase64UrlDecode(signature.Signature) if err != nil { return nil, err } err = publicKey.Verify(bytes.NewReader(signBytes), signature.Header.Algorithm, sigBytes) if err != nil { return nil, err } keys[i] = publicKey } return keys, nil }
// VerifyChains verifies all the signatures and the chains associated // with each signature and returns the list of verified chains. // Signatures without an x509 chain are not checked. func (js *JSONSignature) VerifyChains(ca *x509.CertPool) ([][]*x509.Certificate, error) { chains := make([][]*x509.Certificate, 0, len(js.signatures)) for _, signature := range js.signatures { signBytes, err := js.signBytes(signature.Protected) if err != nil { return nil, err } var publicKey libtrust.PublicKey if len(signature.Header.Chain) > 0 { certBytes, err := base64.StdEncoding.DecodeString(signature.Header.Chain[0]) if err != nil { return nil, err } cert, err := x509.ParseCertificate(certBytes) if err != nil { return nil, err } publicKey, err = FromCryptoPublicKey(cert.PublicKey) if err != nil { return nil, err } intermediates := x509.NewCertPool() if len(signature.Header.Chain) > 1 { intermediateChain := signature.Header.Chain[1:] for i := range intermediateChain { certBytes, err := base64.StdEncoding.DecodeString(intermediateChain[i]) if err != nil { return nil, err } intermediate, err := x509.ParseCertificate(certBytes) if err != nil { return nil, err } intermediates.AddCert(intermediate) } } verifyOptions := x509.VerifyOptions{ Intermediates: intermediates, Roots: ca, } verifiedChains, err := cert.Verify(verifyOptions) if err != nil { return nil, err } chains = append(chains, verifiedChains...) sigBytes, err := joseBase64UrlDecode(signature.Signature) if err != nil { return nil, err } err = publicKey.Verify(bytes.NewReader(signBytes), signature.Header.Algorithm, sigBytes) if err != nil { return nil, err } } } return chains, nil }