func DecodeCertificate(data []byte) (*x509.Certificate, error) { if IsPEM(data) { block, _ := pem.Decode(data) if block == nil { return nil, errors.New("Invalid certificate.") } if block.Type != certBlockType { return nil, errors.New("Invalid certificate.") } data = block.Bytes } cert, err := x509.ParseCertificate(data) if err == nil { return cert, nil } p, err := pkcs7.Parse(data) if err == nil { return p.Certificates[0], nil } return nil, errors.New("Invalid certificate.") }
// Verifies the correctness of the authenticated attributes present in the PKCS#7 // signature. After verification, extracts the instance identity document from the // signature, parses it and returns it. func (b *backend) parseIdentityDocument(s logical.Storage, pkcs7B64 string) (*identityDocument, error) { // Insert the header and footer for the signature to be able to pem decode it. pkcs7B64 = fmt.Sprintf("-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----", pkcs7B64) // Decode the PEM encoded signature. pkcs7BER, pkcs7Rest := pem.Decode([]byte(pkcs7B64)) if len(pkcs7Rest) != 0 { return nil, fmt.Errorf("failed to decode the PEM encoded PKCS#7 signature") } // Parse the signature from asn1 format into a struct. pkcs7Data, err := pkcs7.Parse(pkcs7BER.Bytes) if err != nil { return nil, fmt.Errorf("failed to parse the BER encoded PKCS#7 signature: %s\n", err) } // Get the public certificates that are used to verify the signature. // This returns a slice of certificates containing the default certificate // and all the registered certificates via 'config/certificate/<cert_name>' endpoint publicCerts, err := b.awsPublicCertificates(s) if err != nil { return nil, err } if publicCerts == nil || len(publicCerts) == 0 { return nil, fmt.Errorf("certificates to verify the signature are not found") } // Before calling Verify() on the PKCS#7 struct, set the certificates to be used // to verify the contents in the signer information. pkcs7Data.Certificates = publicCerts // Verify extracts the authenticated attributes in the PKCS#7 signature, and verifies // the authenticity of the content using 'dsa.PublicKey' embedded in the public certificate. if pkcs7Data.Verify() != nil { return nil, fmt.Errorf("failed to verify the signature") } // Check if the signature has content inside of it. if len(pkcs7Data.Content) == 0 { return nil, fmt.Errorf("instance identity document could not be found in the signature") } var identityDoc identityDocument err = json.Unmarshal(pkcs7Data.Content, &identityDoc) if err != nil { return nil, err } return &identityDoc, nil }
// check the signature of the token func (validator *Validator) checkSignature(data []byte) ([]byte, error) { p7, err := pkcs7.Parse(data) if err != nil { return nil, err } if len(p7.Signers) != 1 { return nil, errors.New("should be only one signature found") } signer := p7.Signers[0] cert, err := validator.getSigningCert() if err != nil { return nil, err } err = cert.CheckSignature(x509.SHA256WithRSA, p7.Content, signer.EncryptedDigest) if err != nil { return nil, err } return p7.Content, nil }