From 9c86d2969ff17835cb88f19857ff4a0190af4558686e4b7203af12a24dce7dd8 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Mon, 11 Nov 2024 13:07:33 +0300
Subject: [PATCH] More general CanSign replacement

---
 gyac/yacpki/cer.go | 22 +++++++++++-----------
 gyac/yacpki/cmd/yacsdtool/main.go | 2 +-
 gyac/yacpki/signed-data.go | 2 +-
 spec/format/cer.texi | 4 ++--
 4 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/gyac/yacpki/cer.go b/gyac/yacpki/cer.go
index 1c83c08..a1c7e2e 100644
--- a/gyac/yacpki/cer.go
+++ b/gyac/yacpki/cer.go
@@ -13,8 +13,8 @@ import (
 )
 
 const (
-	KUCA = "ca"
-	KUSign = "sig"
+	KUCA = "ca"
+	KUSig = "sig"
 )
 
 type Pub struct {
@@ -98,14 +98,11 @@ func (sd *SignedData) CerParse() error {
 	return nil
 }
 
-func (cer *CerLoad) CanSign() bool {
+func (cer *CerLoad) Can(ku string) bool {
 	if cer.KU == nil {
 		return false
 	}
-	if _, ok := (*cer.KU)[KUSign]; !ok {
-		return false
-	}
-	if len(cer.Pub) != 1 {
+	if _, ok := (*cer.KU)[ku]; !ok {
 		return false
 	}
 	return true
@@ -127,7 +124,7 @@ func (sd *SignedData) CerIssueWith(
 var ErrSigInvalid = errors.New("signature is invalid")
 
 func (cer *CerLoad) CheckSignature(signed, signature []byte) (err error) {
-	if !cer.CanSign() {
+	if !cer.Can(KUSig) || len(cer.Pub) != 1 {
 		err = errors.New("cer can not sign")
 		return
 	}
@@ -159,7 +156,7 @@ func (sd *SignedData) CerCheckSignatureFrom(parent *CerLoad) (err error) {
 		err = errors.New("can verify only single signature")
 		return
 	}
-	if !parent.CanSign() {
+	if !parent.Can(KUSig) || len(parent.Pub) != 1 {
 		err = errors.New("parent can not sign")
 		return
 	}
@@ -176,6 +173,9 @@ func (sd *SignedData) CerCheckSignatureFrom(parent *CerLoad) (err error) {
 }
 
 func (sd *SignedData) CerLoad() *CerLoad {
+	if sd.Load.T != "cer" {
+		return nil
+	}
 	l, ok := sd.Load.V.(CerLoad)
 	if ok {
 		return &l
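Review bot: `Can` still dereferences its receiver unguarded on the first line of its body (`cer.KU`), while the same commit makes `CerLoad()` return nil for a load whose `T` is not "cer" and the callers in `CerVerify` and yacsdtool's `main` invoke `Can` on that result without a nil check; if the fall-through of `CerLoad`, which lies outside the hunk, also yields nil, a malformed input certificate panics the verifier instead of being rejected with an error. Making the predicate nil-safe closes that at one place: `if cer == nil || cer.KU == nil {`. `Can` is also exported and has no doc comment; `// Can reports whether the certificate's key usage set contains ku.` would do, and the remaining body can shrink to `_, ok := (*cer.KU)[ku]` followed by `return ok`.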
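Review bot: The `len(x.Pub) != 1` clause that `CanSign` used to own is now repeated verbatim at five call sites — here in `CheckSignature`, in `CerCheckSignatureFrom`, in `CerVerify`, in yacsdtool's `main` and in `SignWith` — so the "can sign" rule no longer lives anywhere and a later change to it (for instance allowing more than one public key) has to touch all five. Keeping a thin `func (cer *CerLoad) CanSign() bool { return cer.Can(KUSig) && len(cer.Pub) == 1 }` next to `Can` and calling it from those sites preserves the generalization without the copy-paste. The body of `CheckSignature` continues outside the hunk.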
@@ -202,11 +202,11 @@ func (sd *SignedData) CerVerify(cers []*SignedData, t time.Time) (err error) {
 	idToCer := make(map[uuid.UUID]*SignedData, len(cers))
 	for _, cer := range cers {
 		cerLoad := cer.CerLoad()
-		if !cerLoad.CanSign() {
+		if !cerLoad.Can(KUSig) || len(cerLoad.Pub) != 1 {
 			err = errors.New("cer can not sign")
 			return
 		}
-		if _, ok := (*cerLoad.KU)[KUCA]; !ok {
+		if !cerLoad.Can(KUCA) {
 			err = errors.New("cer can not ca")
 			return
 		}
diff --git a/gyac/yacpki/cmd/yacsdtool/main.go b/gyac/yacpki/cmd/yacsdtool/main.go
index 6a62aee..fe5bb53 100644
--- a/gyac/yacpki/cmd/yacsdtool/main.go
+++ b/gyac/yacpki/cmd/yacsdtool/main.go
@@ -74,7 +74,7 @@ func main() {
 		log.Fatal("hash mismatch")
 	}
 	signer := cer.CerLoad()
-	if !signer.CanSign() {
+	if !signer.Can(yacpki.KUSig) || len(signer.Pub) != 1 {
 		log.Fatal("cer can not sign")
 	}
 	if sig.Sign.A != signer.Pub[0].A {
diff --git a/gyac/yacpki/signed-data.go b/gyac/yacpki/signed-data.go
index 366340f..305c8b7 100644
--- a/gyac/yacpki/signed-data.go
+++ b/gyac/yacpki/signed-data.go
@@ -124,7 +124,7 @@ func SignedDataParseItem(item *gyac.Item) (sd *SignedData, err error) {
 }
 
 func (sd *SignedData) SignWith(parent *CerLoad, prv crypto.Signer, sigTBS SigTBS) error {
-	if !parent.CanSign() {
+	if !parent.Can(KUSig) || len(parent.Pub) != 1 {
 		return errors.New("parent can not sign")
 	}
 	sigTBS.SID = parent.Pub[0].Id
diff --git a/spec/format/cer.texi b/spec/format/cer.texi
index d54c800..2632eff 100644
--- a/spec/format/cer.texi
+++ b/spec/format/cer.texi
@@ -34,8 +34,8 @@ identifier, that @strong{should} be generated as an UUIDv4 based on the
 hash of the key.
 
 @item ku
-Intended public key usage. Certificate @strong{must} be signed with the
-key having "ca" key usage, unless it is self-signed.
+Intended public key(s) usage. Certificate @strong{must} be signed with
+the certificate having "ca" key usage, unless it is self-signed.
 Application-specific example with multiple public keys is described
 above. It @strong{must} be absent if empty.
-- 
2.48.1