1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
package main
import (
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"gopkg.in/square/go-jose.v2"
"io/ioutil"
)
type KeyValidator interface {
Validate(jose.JSONWebKey) error
LoadRootPEM(string) error
}
type keyValidator struct {
pkiSubject string
algorithms *stringSet
roots *x509.CertPool
}
func NewKeyValidator(subject string) KeyValidator {
return &keyValidator{
pkiSubject: subject,
algorithms: NewStringSet("PS256", "PS385", "PS512"),
roots: x509.NewCertPool(),
}
}
func (v *keyValidator) LoadRootPEM(filename string) error {
pem_data, err := ioutil.ReadFile(filename)
if err != nil {
return err
}
pem_block, _ := pem.Decode(pem_data)
if pem_block == nil {
return fmt.Errorf("PEM decode failed")
}
cert, err := x509.ParseCertificate(pem_block.Bytes)
if err != nil {
return err
}
v.roots.AddCert(cert)
return nil
}
func (v *keyValidator) Validate(key jose.JSONWebKey) error {
pk, ok := key.Key.(*rsa.PublicKey)
if !ok {
return fmt.Errorf("Key type is not RSA")
}
if !v.algorithms.Contains(key.Algorithm) {
return fmt.Errorf("Key algorithm is not supported")
}
cert := key.Certificates[0]
cpk, ok := cert.PublicKey.(*rsa.PublicKey)
if !ok {
return fmt.Errorf("Public key is not RSA")
}
if cpk.N.BitLen() < 2048 {
return fmt.Errorf("Key length less than 2048 bits")
}
if cert.KeyUsage&x509.KeyUsageDigitalSignature != 1 {
return fmt.Errorf("Certificate not valid for digital signatures")
}
err := v.validateCertificateChain(key.Certificates)
if err != nil {
return err
}
err = v.validateCertificateCRL(cert)
if err != nil {
return err
}
err = v.validatePublicKeyInCertificate(pk, cpk)
if err != nil {
return err
}
return nil
}
// TODO
// Fetch CRL from distrubtion point in cert
// Validate CRL signed by trusted CA
// Validate cert not in CRL
func (v *keyValidator) validateCertificateCRL(cert *x509.Certificate) error {
return nil
}
func (v *keyValidator) validateCertificateChain(chain []*x509.Certificate) error {
vo := x509.VerifyOptions{
Roots: v.roots,
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
}
if len(chain) > 1 {
ip := x509.NewCertPool()
for _, i := range chain[1:] {
ip.AddCert(i)
}
vo.Intermediates = ip
}
chains, err := chain[0].Verify(vo)
if err != nil {
return err
}
if len(chains) <= 0 {
return fmt.Errorf("No valid certificate chains found")
}
if chain[0].Subject.CommonName != v.pkiSubject {
return fmt.Errorf("Invalid certificate subject name")
}
return nil
}
// validate first item of x5c matches n and e
func (v *keyValidator) validatePublicKeyInCertificate(pk *rsa.PublicKey, cpk *rsa.PublicKey) error {
if cpk.E != pk.E {
return fmt.Errorf("E in key and E in cert do not match")
}
if pk.N.Cmp(cpk.N) != 0 {
return fmt.Errorf("N in key and N in cert do not match")
}
return nil
}
|
