Creation of chain, add chain to signing, fetch OCSP/CRL for chain

sign/pdfsignature.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/digitorus/pkcs7"
 	"github.com/digitorus/timestamp"
+	"crypto/x509"
 )
 
 type pkiStatusInfo struct {
@@ -28,7 +29,7 @@ type TSAResponse struct {
 	TimeStampToken asn1.RawValue
 }
 
-var signatureMaxLength = uint32(11742)
+var signatureMaxLength = uint32(1000000)
 var signatureByteRangePlaceholder = "/ByteRange[0 ********** ********** **********]"
 
 func (context *SignContext) createSignaturePlaceholder() (signature string, byte_range_start_byte int64, signature_contents_start_byte int64) {
@@ -139,16 +140,21 @@ func (context *SignContext) createSignature() ([]byte, error) {
 	}
 
 	if context.SignData.RevocationFunction != nil {
-		err = context.SignData.RevocationFunction(context.SignData.Certificate, nil, &context.SignData.RevocationData)
-		if err != nil {
-			return nil, err
-		}
-
-		if context.SignData.CertificateChain != nil && len(context.SignData.CertificateChain) > 0 {
-			for _, cert := range context.SignData.CertificateChain {
-				err = context.SignData.RevocationFunction(cert, nil, &context.SignData.RevocationData)
-				if err != nil {
-					return nil, err
+		if (len(context.SignData.CertificateChains) > 0) {
+			certificate_chain := context.SignData.CertificateChains[0]
+			if (len(certificate_chain) > 0) {
+				for i, certificate := range certificate_chain {
+					if i < len(certificate_chain)-1 {
+						err = context.SignData.RevocationFunction(certificate, certificate_chain[i + 1], &context.SignData.RevocationData)
+						if err != nil {
+							return nil, err
+						}
+					} else {
+						err = context.SignData.RevocationFunction(certificate, nil, &context.SignData.RevocationData)
+						if err != nil {
+							return nil, err
+						}
+					}
 				}
 			}
 		}
@@ -160,8 +166,14 @@ func (context *SignContext) createSignature() ([]byte, error) {
 		signer_config.ExtraSignedAttributes = append(signer_config.ExtraSignedAttributes, revocation_attribute)
 	}
 
+	// Add the first certificate chain without our own certificate.
+	var certificate_chain []*x509.Certificate
+	if (len(context.SignData.CertificateChains) > 0 && len(context.SignData.CertificateChains[0]) > 1) {
+		certificate_chain = context.SignData.CertificateChains[0][1:]
+	}
+
 	// Add the signer and sign the data.
-	if err := signed_data.AddSignerChain(context.SignData.Certificate, context.SignData.Signer, context.SignData.CertificateChain, signer_config); err != nil {
+	if err := signed_data.AddSignerChain(context.SignData.Certificate, context.SignData.Signer, certificate_chain, signer_config); err != nil {
 		return nil, err
 	}
 

sign/revocation.go

@@ -21,6 +21,7 @@ func embedOCSPRevocationStatus(cert, issuer *x509.Certificate, i *revocation.Inf
 
 	ocspUrl := fmt.Sprintf("%s/%s", strings.TrimRight(cert.OCSPServer[0], "/"),
 		base64.StdEncoding.EncodeToString(req))
+
 	resp, err := http.Get(ocspUrl)
 	if err != nil {
 		return err
@@ -70,7 +71,8 @@ func DefaultEmbedRevocationStatusFunction(cert, issuer *x509.Certificate, i *rev
 	// TODO: Implement revocation status caching (required for higher volume signing)
 
 	// using an OCSP server
-	if len(cert.OCSPServer) > 0 {
+	// OCSP requires issuer certificate.
+	if issuer != nil && len(cert.OCSPServer) > 0 {
 		err := embedOCSPRevocationStatus(cert, issuer, i)
 		if err != nil {
 			return err

sign/sign.go

@@ -30,7 +30,7 @@ type SignData struct {
 	Signature          SignDataSignature
 	Signer             crypto.Signer
 	Certificate        *x509.Certificate
-	CertificateChain   []*x509.Certificate
+	CertificateChains  [][]*x509.Certificate
 	TSA                TSA
 	RevocationData     revocation.InfoArchival
 	RevocationFunction RevocationFunction