1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
package main
import (
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"github.com/pkg/errors"
"gopkg.in/square/go-jose.v2"
"io/ioutil"
)
// TODO: CRL validation
type KeyValidator interface {
Validate(jose.JSONWebKey) error
LoadRootPEM(string) error
}
type keyValidator struct {
pkiSubject string
algorithms *stringSet
roots *x509.CertPool
}
func NewKeyValidator(subject string) KeyValidator {
return &keyValidator{
pkiSubject: subject,
algorithms: NewStringSet("PS256", "PS385", "PS512"),
roots: x509.NewCertPool(),
}
}
func (v *keyValidator) LoadRootPEM(filename string) error {
pem_data, err := ioutil.ReadFile(filename)
if err != nil {
return errors.WithStack(err)
}
pem_block, _ := pem.Decode(pem_data)
if pem_block == nil {
return errors.Errorf("PEM decode failed")
}
cert, err := x509.ParseCertificate(pem_block.Bytes)
if err != nil {
return errors.WithStack(err)
}
v.roots.AddCert(cert)
return nil
}
func (v *keyValidator) Validate(key jose.JSONWebKey) error {
pk, ok := key.Key.(*rsa.PublicKey)
if !ok {
return errors.Errorf("Key type is not RSA")
}
if !v.algorithms.Contains(key.Algorithm) {
return errors.Errorf("Key algorithm is not supported")
}
cert := key.Certificates[0]
cpk, ok := cert.PublicKey.(*rsa.PublicKey)
if !ok {
return errors.Errorf("Public key is not RSA")
}
if cpk.N.BitLen() < 2048 {
return errors.Errorf("Key length less than 2048 bits")
}
if cert.KeyUsage&x509.KeyUsageDigitalSignature != 1 {
return errors.Errorf("Certificate not valid for digital signatures")
}
err := v.validateCertificateChain(key.Certificates)
if err != nil {
return errors.WithStack(err)
}
err = v.validateCertificateCRL(cert)
if err != nil {
return errors.WithStack(err)
}
err = v.validatePublicKeyInCertificate(pk, cpk)
if err != nil {
return errors.WithStack(err)
}
return nil
}
// TODO
// Fetch CRL from distrubtion point in cert
// Validate CRL signed by trusted CA
// Validate cert not in CRL
func (v *keyValidator) validateCertificateCRL(cert *x509.Certificate) error {
return nil
}
func (v *keyValidator) validateCertificateChain(chain []*x509.Certificate) error {
vo := x509.VerifyOptions{
Roots: v.roots,
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
}
if len(chain) > 1 {
ip := x509.NewCertPool()
for _, i := range chain[1:] {
ip.AddCert(i)
}
vo.Intermediates = ip
}
chains, err := chain[0].Verify(vo)
if err != nil {
return errors.WithStack(err)
}
if len(chains) <= 0 {
return errors.Errorf("No valid certificate chains found")
}
if chain[0].Subject.CommonName != v.pkiSubject {
return errors.Errorf("Invalid certificate subject name")
}
return nil
}
// validate first item of x5c matches n and e
func (v *keyValidator) validatePublicKeyInCertificate(pk *rsa.PublicKey, cpk *rsa.PublicKey) error {
if cpk.E != pk.E {
return errors.Errorf("E in key and E in cert do not match")
}
if pk.N.Cmp(cpk.N) != 0 {
return errors.Errorf("N in key and N in cert do not match")
}
return nil
}
|
