diff --git a/signature/internal/base/envelope.go b/signature/internal/base/envelope.go
index a025b195..93d0b46f 100644
--- a/signature/internal/base/envelope.go
+++ b/signature/internal/base/envelope.go
@@ -28,10 +28,17 @@ func (e *Envelope) Sign(req *signature.SignRequest) ([]byte, error) {
 return nil, err
 }
- e.Raw, err = e.Envelope.Sign(req)
+ raw, err := e.Envelope.Sign(req)
 if err != nil {
 return nil, err
 }
+
+ // validate certificate chain
+ if _, err := e.SignerInfo(); err != nil {
+ return nil, err
+ }
+
+ e.Raw = raw
 return e.Raw, nil
 }
@@ -129,17 +136,8 @@ func validateSignRequest(req *signature.SignRequest) error {
 return &signature.MalformedSignatureError{Msg: "signer is nil"}
 }
- certs, err := req.Signer.CertificateChain()
- if err != nil {
- return err
- }
-
- keySpec, err := req.Signer.KeySpec()
- if err != nil {
- return err
- }
-
- return validateCertificateChain(certs, req.SigningTime, keySpec.SignatureAlgorithm())
+ _, err := req.Signer.KeySpec()
+ return err
 }
 // validateSignerInfo performs basic set of validations on SignerInfo struct.
diff --git a/signature/signer.go b/signature/signer.go
index b4dad866..d224ef3a 100644
--- a/signature/signer.go
+++ b/signature/signer.go
@@ -11,11 +11,8 @@ import (
 // Signer is used to sign bytes generated after signature envelope created.
 type Signer interface {
- // Sign signs the digest and returns the raw signature.
- Sign(digest []byte) ([]byte, error)
-
- // CertificateChain returns the certificate chain.
- CertificateChain() ([]*x509.Certificate, error)
+ // Sign signs the payload and returns the raw signature and certificates.
+ Sign(payload []byte) ([]byte, []*x509.Certificate, error)
 // KeySpec returns the key specification.
 KeySpec() (KeySpec, error)
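Review bot: The new chain check calls the wrapper's `e.SignerInfo()` before `e.Raw = raw` is assigned, so if that method reads `e.Raw` (for example refusing to inspect an envelope that has no raw bytes yet) it will fail every Sign or look at stale state instead of the signature just produced; SignerInfo's body is outside this hunk, so I cannot confirm which. If it does depend on e.Raw, validate through the embedded envelope instead, `if _, err := e.Envelope.SignerInfo(); err != nil {`, or assign `e.Raw = raw` first and reset it with `e.Raw = nil` on failure so a rejected chain never leaves a usable signature in the envelope. Either way the signing operation now happens before the chain is validated, which for remote or HSM-backed signers means a key use is consumed and then discarded when the chain is bad; that ordering deserves a sentence in the comment: `// the signer now supplies its own certificates, so the chain can only be validated after signing; e.Raw is left unset until it passes`. The beginning of Sign, including the validateSignRequest call, is outside this hunk.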
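Review bot: `_, err := req.Signer.KeySpec()` throws the key spec away, so this function no longer checks the signer's algorithm against its certificate nor `req.SigningTime` against the leaf's validity window; with `validateCertificateChain` removed here, those checks survive only if the post-sign `SignerInfo()` path performs them against the signing time embedded in the envelope, which this diff does not show. If that path does not cover SigningTime, the check needs to be restored there, otherwise a signature produced under a not-yet-valid or expired leaf is accepted at signing time. Record the relocation where the old code was: `// chain/algorithm validation moved to Envelope.Sign (post-sign): the chain is now returned by Signer.Sign and is not available up front`. The signature of validateSignRequest and the guard that produces the "signer is nil" error begin outside this hunk.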
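Review bot: The doc on `Sign(payload []byte) ([]byte, []*x509.Certificate, error)` states only that it returns the raw signature and certificates, which leaves two contract points an external (e.g. remote KMS) implementer must get right unspecified: whether `payload` is the raw bytes the implementation must hash or an already-computed digest (the removed signature took `digest`), and what the returned chain must contain and in what order, since the envelope's chain validation consumes it as returned. Suggested wording: `// Sign signs the payload and returns the raw signature together with the signing certificate chain, leaf first, in the order the envelope's chain validation expects.`, adjusting the ordering to what validateCertificateChain actually requires, which is outside this diff. The Signer interface's closing brace is outside this hunk.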
@@ -25,6 +22,9 @@ type Signer interface {
 type LocalSigner interface {
 Signer
+ // CertificateChain returns the certificate chain.
+ CertificateChain() ([]*x509.Certificate, error)
+
 // PrivateKey returns the private key.
 PrivateKey() crypto.PrivateKey
 }
@@ -84,15 +84,10 @@ func isKeyPair(priv crypto.PrivateKey, pub crypto.PublicKey, keySpec KeySpec) bo
 }
 }
-// Sign signs the digest and returns the raw signature.
+// Sign signs the digest and returns the raw signature and certificates.
 // This implementation should never be used by built-in signers.
-func (s *signer) Sign(digest []byte) ([]byte, error) {
- return nil, fmt.Errorf("local signer doesn't support sign with digest")
-}
-
-// CertificateChain returns the certificate chain.
-func (s *signer) CertificateChain() ([]*x509.Certificate, error) {
- return s.certs, nil
+func (s *signer) Sign(digest []byte) ([]byte, []*x509.Certificate, error) {
+ return nil, nil, fmt.Errorf("local signer doesn't support sign with digest")
 }
 // KeySpec returns the key specification.
@@ -100,6 +95,11 @@ func (s *signer) KeySpec() (KeySpec, error) {
 return s.keySpec, nil
 }
+// CertificateChain returns the certificate chain.
+func (s *signer) CertificateChain() ([]*x509.Certificate, error) {
+ return s.certs, nil
+}
+
 // PrivateKey returns the private key.
 func (s *signer) PrivateKey() crypto.PrivateKey {
 return s.key
diff --git a/signature/signer_test.go b/signature/signer_test.go
index 27d5e586..90bbd03d 100644
--- a/signature/signer_test.go
+++ b/signature/signer_test.go
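Review bot: The local signer's stub still takes `digest` and reports "sign with digest" while the interface it now implements (the Signer.Sign hunk earlier in this diff) names the parameter `payload` and documents payload signing; the doc comment above the stub gained "and certificates" but kept "signs the digest", so the two descriptions of the same method disagree. Align the stub with the interface, `func (s *signer) Sign(payload []byte) ([]byte, []*x509.Certificate, error) {` and `return nil, nil, fmt.Errorf("local signer doesn't support sign with payload")`, or at least fix the comment. The doc should also say why a method that always fails exists: `// Sign always fails: built-in envelopes sign with PrivateKey() directly, so a LocalSigner satisfies Signer only nominally.` — that reading is inferred from "should never be used by built-in signers" and should be confirmed against the envelope implementations. Only the closing braces of isKeyPair fall inside this hunk.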
@@ -107,25 +107,15 @@ func TestNewLocalSigner(t *testing.T) {
 func TestSign(t *testing.T) {
 signer := &signer{}
- _, err := signer.Sign(make([]byte, 0))
+ raw, certs, err := signer.Sign(make([]byte, 0))
 if err == nil {
 t.Errorf("expect error but got nil")
 }
-}
-
-func TestCertificateChain(t *testing.T) {
- expectCerts := []*x509.Certificate{
- testhelper.GetRSALeafCertificate().Cert,
- }
- signer := &signer{certs: expectCerts}
-
- certs, err := signer.CertificateChain()
-
- if err != nil {
- t.Errorf("expect no error but got %v", err)
+ if raw != nil {
+ t.Errorf("expect nil raw signature but got %v", raw)
 }
- if !reflect.DeepEqual(certs, expectCerts) {
- t.Errorf("expect certs %+v, got %+v", expectCerts, certs)
+ if certs != nil {
+ t.Errorf("expect nil certs but got %v", certs)
 }
 }
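Review bot: Deleting `TestCertificateChain` leaves `(*signer).CertificateChain` without a test even though the method is kept (it moves to LocalSigner in signer.go rather than being removed), so the chain the envelope relies on from a local signer is now unverified in this file. Keep the test body as it was; only its place in the Signer/LocalSigner split changed, and if `reflect` and `testhelper` were imported solely for it the compiler will flag them, which is a hint the removal was broader than intended. The new assertions that `raw` and `certs` are nil alongside the error are worth keeping, since a caller that ignored the error could otherwise act on a non-nil chain.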