Added flag for Legacy timestamp / Fixed verify for RFC3161
Dieter Bocklandt committed Mar 30, 2019
1 parent e3222af commit 40b7cc5
Showing 5 changed files with 25 additions and 7 deletions.
2 changes: 1 addition & 1 deletion lib/appmanifest/signmanifest.go
Expand Up @@ -209,7 +209,7 @@ func (m *SignedManifest) AddTimestamp(token *pkcs7.ContentInfoSignedData) error
if err != nil {
return err
}
cs, err := pkcs9.VerifyMicrosoftToken(token, m.EncryptedDigest)
cs, err := VerifyTimestamp(token, m.EncryptedDigest, m.Signature.Intermediates)
if err != nil {
return fmt.Errorf("failed to validate timestamp: %s", err)
}
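Review bot: The certificate set handed to VerifyTimestamp here, `m.Signature.Intermediates`, is not the one the verify path in verify.go passes (`secondary.Certificates`), so the RFC 3161 chain-building step sees different inputs at sign time and at verify time. If those two fields are not guaranteed to hold the same certificates, a token that AddTimestamp accepts could later be rejected by Verify, or the reverse; I cannot tell from this hunk whether they coincide. If they are meant to be the same bag, a short comment would prevent drift, e.g. `// must match the certificates Verify() passes as secondary.Certificates`. AddTimestamp's body starts before this hunk.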
19 changes: 18 additions & 1 deletion lib/appmanifest/verify.go
Expand Up @@ -18,6 +18,7 @@ package appmanifest

import (
"crypto"
"crypto/x509"
"encoding/base64"
"errors"
"fmt"
Expand Down Expand Up @@ -91,7 +92,8 @@ func Verify(manifest []byte) (*ManifestSignature, error) {
if err != nil {
return nil, fmt.Errorf("invalid timestamp: %s", err)
}
cs, err := pkcs9.VerifyMicrosoftToken(timestamp, secondary.EncryptedDigest)

cs, err := VerifyTimestamp(timestamp, secondary.EncryptedDigest, secondary.Certificates)
if err != nil {
return nil, fmt.Errorf("invalid timestamp: %s", err)
}
Expand All @@ -105,3 +107,18 @@ func Verify(manifest []byte) (*ManifestSignature, error) {
PublicKeyToken: token,
}, nil
}

func VerifyTimestamp(timestamp *pkcs7.ContentInfoSignedData, encryptedDigest []byte, extraCerts []*x509.Certificate) (*pkcs9.CounterSignature, error) {
var cs *pkcs9.CounterSignature
var err error

if timestamp.Content.ContentInfo.ContentType.Equal(pkcs9.OidTSTInfo) {
// pkcs9 timestamp
cs, err = pkcs9.Verify(timestamp, encryptedDigest, extraCerts)
} else {
// legacy timestamp
cs, err = pkcs9.VerifyMicrosoftToken(timestamp, encryptedDigest)
}

return cs, err
}
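Review bot: The exported `VerifyTimestamp` has no doc comment, and its `else` branch treats every content type other than TSTInfo as a legacy Microsoft token instead of checking for that type explicitly, so an unexpected content type is only rejected if `pkcs9.VerifyMicrosoftToken` validates it itself, which this page does not show. The `extraCerts` on the verify path appear to come from the signed document itself (`secondary.Certificates`), so they are attacker-supplied and must only ever act as untrusted intermediates; the doc comment should say so, e.g. `// VerifyTimestamp checks an RFC 3161 (TSTInfo) or legacy Microsoft timestamp token against the enclosing signature's encrypted digest. extraCerts are untrusted intermediates offered for chain building and are ignored on the legacy path.` The two temporaries and the `if/else` can also go: `if timestamp.Content.ContentInfo.ContentType.Equal(pkcs9.OidTSTInfo) { return pkcs9.Verify(timestamp, encryptedDigest, extraCerts) }` followed by `return pkcs9.VerifyMicrosoftToken(timestamp, encryptedDigest)`.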
4 changes: 1 addition & 3 deletions lib/pkcs9/pkcs7.go
Expand Up @@ -23,7 +23,6 @@ import (
"crypto/x509"
"errors"
"fmt"
"log"
"time"

"github.com/sassoftware/relic/lib/pkcs7"
Expand Down Expand Up @@ -183,8 +182,7 @@ func VerifyMicrosoftToken(token *pkcs7.ContentInfoSignedData, encryptedDigest []
return nil, err
}
if !bytes.Equal(content, encryptedDigest) {
// return nil, errors.New("timestamp does not match the enclosing signature")
log.Printf("warning: timestamp does not match the enclosing signature")
return nil, errors.New("timestamp does not match the enclosing signature")
}
hash, _ := x509tools.PkixDigestToHash(sig.SignerInfo.DigestAlgorithm)
var signingTime time.Time
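Review bot: Two lines below the new hard error, `hash, _ := x509tools.PkixDigestToHash(sig.SignerInfo.DigestAlgorithm)` still discards its second return value, so a token carrying an unrecognized digest algorithm yields a zero `hash` and falls through to whatever the rest of VerifyMicrosoftToken does with it, which is outside this hunk. Now that a digest mismatch is fatal, an unknown digest algorithm in a verification routine should be fatal as well; assuming that second value is an error, `hash, err := x509tools.PkixDigestToHash(sig.SignerInfo.DigestAlgorithm)` followed by `if err != nil { return nil, err }` (or the equivalent check if it is an ok flag). The body of VerifyMicrosoftToken starts and ends outside this hunk.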
1 change: 1 addition & 0 deletions lib/pkcs9/structs.go
Expand Up @@ -54,6 +54,7 @@ const (

var (
OidKeyPurposeTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
OidTSTInfo = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 1, 4}
OidAttributeTimeStampToken = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 14}
OidAttributeCounterSign = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 6}

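Review bot: `OidTSTInfo` is added without a comment naming where it comes from, even though it is now the discriminator that selects the RFC 3161 verification path in appmanifest.VerifyTimestamp. A one-liner above it would do: `// OidTSTInfo is id-ct-TSTInfo (RFC 3161 §2.4.2), the eContentType carried by a TimeStampToken.`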
6 changes: 4 additions & 2 deletions signers/appmanifest/signer.go
Expand Up @@ -43,6 +43,7 @@ var AppSigner = &signers.Signer{
}

func init() {
AppSigner.Flags().Bool("rfc3161-timestamp", true, "(APPMANIFEST) Timestamp with RFC3161 server")
signers.Register(AppSigner)
}

Expand All @@ -66,9 +67,10 @@ func sign(r io.Reader, cert *certloader.Certificate, opts signers.SignOpts) ([]b
if cert.Timestamper != nil {
tsreq := &pkcs9.Request{
EncryptedDigest: signed.EncryptedDigest,
Legacy: false,
Hash: opts.Hash,
Legacy: !opts.Flags.GetBool("rfc3161-timestamp"),
Hash: opts.Hash,
}

token, err := cert.Timestamper.Timestamp(opts.Context(), tsreq)
if err != nil {
return nil, err
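Review bot: The help text on the new `rfc3161-timestamp` flag does not say what the alternative is, so a user who passes `--rfc3161-timestamp=false` cannot tell from `--help` that they will get a legacy Microsoft timestamp (`Legacy: true` in the pkcs9.Request below). Suggest `"(APPMANIFEST) Timestamp with an RFC 3161 server; set to false to request a legacy Microsoft timestamp instead"`. The default of true keeps the previous hard-coded `Legacy: false` behaviour, which is worth stating in the commit description since the title could be read as making legacy the default. sign's body starts before this hunk and continues after it.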
