func DecodeCertificate(data []byte) (*x509.Certificate, error) {
if IsPEM(data) {
block, _ := pem.Decode(data)
if block == nil {
return nil, errors.New("Invalid certificate.")
}
if block.Type != certBlockType {
return nil, errors.New("Invalid certificate.")
}
data = block.Bytes
}
cert, err := x509.ParseCertificate(data)
if err == nil {
return cert, nil
}
p, err := pkcs7.Parse(data)
if err == nil {
return p.Certificates[0], nil
}
return nil, errors.New("Invalid certificate.")
}
// Verifies the correctness of the authenticated attributes present in the PKCS#7
// signature. After verification, extracts the instance identity document from the
// signature, parses it and returns it.
func (b *backend) parseIdentityDocument(s logical.Storage, pkcs7B64 string) (*identityDocument, error) {
// Insert the header and footer for the signature to be able to pem decode it.
pkcs7B64 = fmt.Sprintf("-----BEGIN PKCS7-----\n%s\n-----END PKCS7-----", pkcs7B64)
// Decode the PEM encoded signature.
pkcs7BER, pkcs7Rest := pem.Decode([]byte(pkcs7B64))
if len(pkcs7Rest) != 0 {
return nil, fmt.Errorf("failed to decode the PEM encoded PKCS#7 signature")
}
// Parse the signature from asn1 format into a struct.
pkcs7Data, err := pkcs7.Parse(pkcs7BER.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse the BER encoded PKCS#7 signature: %s\n", err)
}
// Get the public certificates that are used to verify the signature.
// This returns a slice of certificates containing the default certificate
// and all the registered certificates via 'config/certificate/<cert_name>' endpoint
publicCerts, err := b.awsPublicCertificates(s)
if err != nil {
return nil, err
}
if publicCerts == nil || len(publicCerts) == 0 {
return nil, fmt.Errorf("certificates to verify the signature are not found")
}
// Before calling Verify() on the PKCS#7 struct, set the certificates to be used
// to verify the contents in the signer information.
pkcs7Data.Certificates = publicCerts
// Verify extracts the authenticated attributes in the PKCS#7 signature, and verifies
// the authenticity of the content using 'dsa.PublicKey' embedded in the public certificate.
if pkcs7Data.Verify() != nil {
return nil, fmt.Errorf("failed to verify the signature")
}
// Check if the signature has content inside of it.
if len(pkcs7Data.Content) == 0 {
return nil, fmt.Errorf("instance identity document could not be found in the signature")
}
var identityDoc identityDocument
err = json.Unmarshal(pkcs7Data.Content, &identityDoc)
if err != nil {
return nil, err
}
return &identityDoc, nil
}
// check the signature of the token
func (validator *Validator) checkSignature(data []byte) ([]byte, error) {
p7, err := pkcs7.Parse(data)
if err != nil {
return nil, err
}
if len(p7.Signers) != 1 {
return nil, errors.New("should be only one signature found")
}
signer := p7.Signers[0]
cert, err := validator.getSigningCert()
if err != nil {
return nil, err
}
err = cert.CheckSignature(x509.SHA256WithRSA, p7.Content, signer.EncryptedDigest)
if err != nil {
return nil, err
}
return p7.Content, nil
}
