)
const (
- KUCA = "ca"
- KUSign = "sig"
+ KUCA = "ca"
+ KUSig = "sig"
)
type Pub struct {
return nil
}
-func (cer *CerLoad) CanSign() bool {
+func (cer *CerLoad) Can(ku string) bool {
if cer.KU == nil {
return false
}
- if _, ok := (*cer.KU)[KUSign]; !ok {
- return false
- }
- if len(cer.Pub) != 1 {
+ if _, ok := (*cer.KU)[ku]; !ok {
return false
}
return true
var ErrSigInvalid = errors.New("signature is invalid")
func (cer *CerLoad) CheckSignature(signed, signature []byte) (err error) {
- if !cer.CanSign() {
+ if !cer.Can(KUSig) || len(cer.Pub) != 1 {
err = errors.New("cer can not sign")
return
}
err = errors.New("can verify only single signature")
return
}
- if !parent.CanSign() {
+ if !parent.Can(KUSig) || len(parent.Pub) != 1 {
err = errors.New("parent can not sign")
return
}
}
func (sd *SignedData) CerLoad() *CerLoad {
+ if sd.Load.T != "cer" {
+ return nil
+ }
l, ok := sd.Load.V.(CerLoad)
if ok {
return &l
idToCer := make(map[uuid.UUID]*SignedData, len(cers))
for _, cer := range cers {
cerLoad := cer.CerLoad()
- if !cerLoad.CanSign() {
+ if !cerLoad.Can(KUSig) || len(cerLoad.Pub) != 1 {
err = errors.New("cer can not sign")
return
}
- if _, ok := (*cerLoad.KU)[KUCA]; !ok {
+ if !cerLoad.Can(KUCA) {
err = errors.New("cer can not ca")
return
}
}
func (sd *SignedData) SignWith(parent *CerLoad, prv crypto.Signer, sigTBS SigTBS) error {
- if !parent.CanSign() {
+ if !parent.Can(KUSig) || len(parent.Pub) != 1 {
return errors.New("parent can not sign")
}
sigTBS.SID = parent.Pub[0].Id
hash of the key.
@item ku
-Intended public key usage. Certificate @strong{must} be signed with the
-key having "ca" key usage, unless it is self-signed.
+Intended public key(s) usage. Certificate @strong{must} be signed with
+the certificate having "ca" key usage, unless it is self-signed.
Application-specific example with multiple public keys is described
above. It @strong{must} be absent if empty.