Add sign functionality

sign.go

@@ -0,0 +1,117 @@
+package main
+
+import (
+	"flag"
+	"log"
+	"os"
+	"time"
+
+	"crypto"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"io/ioutil"
+
+	"bitbucket.org/digitorus/pdfsign/sign"
+	"bitbucket.org/digitorus/pdfsign/verify"
+)
+
+func usage() {
+	log.Fatal("Usage: sign input.pdf output.pdf certificate.crt private_key.key OR verify input.pdf")
+}
+
+func main() {
+	flag.Parse()
+
+	if len(flag.Args()) < 2 {
+		usage()
+	}
+
+	method := flag.Arg(0)
+	if method != "sign" && method != "verify" {
+		usage()
+	}
+
+	input := flag.Arg(1)
+	if len(input) == 0 {
+		usage()
+	}
+
+	if method == "verify" {
+		input_file, err := os.Open(input)
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer input_file.Close()
+
+		resp, err := verify.Verify(input_file)
+		log.Println(resp)
+		if err != nil {
+			log.Println(err)
+		}
+	}
+
+	if method == "sign" {
+		if len(flag.Args()) < 5 {
+			usage()
+		}
+
+		output := flag.Arg(2)
+		if len(output) == 0 {
+			usage()
+		}
+
+		certificate_data, err := ioutil.ReadFile(flag.Arg(3))
+		if err != nil {
+			log.Fatal(err)
+
+		}
+		certificate_data_block, _ := pem.Decode(certificate_data)
+		if certificate_data_block == nil {
+			log.Fatal(errors.New("failed to parse PEM block containing the certificate"))
+		}
+
+		cert, err := x509.ParseCertificate(certificate_data_block.Bytes)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		key_data, err := ioutil.ReadFile(flag.Arg(4))
+		if err != nil {
+			log.Fatal(err)
+		}
+		key_data_block, _ := pem.Decode(key_data)
+		if key_data_block == nil {
+			log.Fatal(errors.New("failed to parse PEM block containing the private key"))
+		}
+
+		pkey, err := x509.ParsePKCS8PrivateKey(key_data_block.Bytes)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		key, ok := pkey.(crypto.Signer)
+		if !ok {
+			log.Fatal(errors.New("private key does not implement crypto.Signer"))
+		}
+
+		err = sign.SignFile(input, output, sign.SignData{
+			Signature: sign.SignDataSignature{
+				Info: sign.SignDataSignatureInfo{
+					Name:        "Jeroen Bobbeldijk",
+					Location:    "Rotterdam",
+					Reason:      "Test",
+					ContactInfo: "Geen",
+					Date:        time.Now().Local(),
+				},
+			},
+			Signer:      key,
+			Certificate: cert,
+		})
+		if err != nil {
+			log.Println(err)
+		} else {
+			log.Println("Signed PDF written to " + output)
+		}
+	}
+}

sign/helpers.go

@@ -0,0 +1,109 @@
+package sign
+
+import (
+	"fmt"
+	"io"
+	"math"
+	"os"
+	"strings"
+	"time"
+)
+
+func pdfString(text string) string {
+	text = strings.Replace(text, "\\", "\\\\", -1)
+	text = strings.Replace(text, ")", "\\)", -1)
+	text = strings.Replace(text, "(", "\\(", -1)
+	text = strings.Replace(text, "\r", "\\r", -1)
+
+	text = "(" + text + ")"
+
+	return text
+}
+
+func pdfDateTime(date time.Time) string {
+	// Calculate timezone offset from GMT.
+	_, original_offset := date.Zone()
+	offset := original_offset
+	if offset < 0 {
+		offset = (offset - offset) - offset
+	}
+
+	offset_duration := time.Duration(offset) * time.Second
+	offset_hours := int(math.Floor(offset_duration.Hours()))
+	offset_minutes := int(math.Floor(offset_duration.Minutes()))
+	offset_minutes = offset_minutes - (offset_hours * 60)
+
+	dateString := "D:" + date.Format("20060102150405")
+
+	// Do some special formatting as the PDF timezone format isn't supported by Go.
+	if original_offset < 0 {
+		dateString += "-"
+	} else {
+		dateString += "+"
+	}
+
+	offset_hours_formatted := fmt.Sprintf("%d", offset_hours)
+	offset_minutes_formatted := fmt.Sprintf("%d", offset_minutes)
+	dateString += leftPad(offset_hours_formatted, "0", 2-len(offset_hours_formatted)) + "'" + leftPad(offset_minutes_formatted, "0", 2-len(offset_minutes_formatted)) + "'"
+
+	return pdfString(dateString)
+}
+
+func leftPad(s string, padStr string, pLen int) string {
+	return strings.Repeat(padStr, pLen) + s
+}
+
+func writePartFromSourceFileToTargetFile(input_file *os.File, output_file *os.File, offset int64, length int64) error {
+	input_file.Seek(offset, 0)
+
+	// Create a small buffer for proper IO handling.
+	max_chunk_length := int64(1024)
+
+	// If the target length is smaller than our chunk size, use that as chunk size.
+	if length < max_chunk_length {
+		max_chunk_length = length
+	}
+
+	// Track read/written bytes so we know when we're done.
+	read_bytes := int64(0)
+
+	// Create a buffer for the chunks.
+	buf := make([]byte, max_chunk_length)
+	for {
+		// Read the chunk from the input file.
+		n, err := input_file.Read(buf)
+		if err != nil && err != io.EOF {
+			return err
+		}
+
+		// If we got to the end of the file, break.
+		if err == io.EOF {
+			break
+		}
+
+		// If nothing was read, break.
+		if n == 0 {
+			break
+		}
+
+		// Write the chunk to the output file.
+		if _, err := output_file.Write(buf[:n]); err != nil {
+			return err
+		}
+
+		read_bytes += int64(n)
+
+		// If we read enough bytes, break.
+		if read_bytes >= length {
+			break
+		}
+
+		// If our next chunk will be too big, make a smaller buffer.
+		// If we won't do this, we might end up with more data than we want.
+		if length-read_bytes < max_chunk_length {
+			buf = make([]byte, length-read_bytes)
+		}
+	}
+
+	return nil
+}

sign/pdfbyterange.go

@@ -0,0 +1,45 @@
+package sign
+
+import (
+	"fmt"
+	"strings"
+)
+
+func (context *SignContext) updateByteRange() error {
+	// Get current filesize. Easier than what should be the current size.
+	// @todo: find out of this is safe.
+	output_file_stat, _ := context.OutputFile.Stat()
+
+	// Don't count last newline as file length.
+	output_file_size := output_file_stat.Size() - 1
+
+	// Calculate ByteRange values to replace them.
+	context.ByteRangeValues = make([]int64, 4)
+
+	// Signature ByteRange part 1 start byte is always byte 0.
+	context.ByteRangeValues[0] = int64(0)
+
+	// Signature ByteRange part 1 length always stops at the actual signature start byte.
+	context.ByteRangeValues[1] = context.SignatureContentsStartByte
+
+	// Signature ByteRange part 2 start byte directly starts after the actual signature.
+	context.ByteRangeValues[2] = context.ByteRangeValues[1] + int64(signatureMaxLength)
+
+	// Signature ByteRange part 2 length is everything else of the file.
+	context.ByteRangeValues[3] = output_file_size - context.ByteRangeValues[2]
+
+	new_byte_range := fmt.Sprintf("/ByteRange[%d %d %d %d]", context.ByteRangeValues[0], context.ByteRangeValues[1], context.ByteRangeValues[2], context.ByteRangeValues[3])
+
+	// Make sure our ByteRange string didn't shrink in length.
+	new_byte_range += strings.Repeat(" ", len(signatureByteRangePlaceholder)-len(new_byte_range))
+
+	// Seek to ByteRange position in file.
+	context.OutputFile.Seek(context.ByteRangeStartByte, 0)
+
+	// Write new ByteRange.
+	if _, err := context.OutputFile.Write([]byte(new_byte_range)); err != nil {
+		return err
+	}
+
+	return nil
+}

sign/pdfcatalog.go

@@ -0,0 +1,60 @@
+package sign
+
+import (
+	"errors"
+	"strconv"
+)
+
+func (context *SignContext) createCatalog() (catalog string, err error) {
+	catalog = strconv.Itoa(int(context.CatalogData.ObjectId)) + " 0 obj\n"
+	catalog += "<< /Type /Catalog"
+	catalog += " /Version /" + context.PDFReader.PDFVersion
+
+	root := context.PDFReader.Trailer().Key("Root")
+	root_keys := root.Keys()
+	found_pages := false
+	for _, key := range root_keys {
+		if key == "Pages" {
+			found_pages = true
+			break
+		}
+	}
+
+	if !found_pages {
+		return "", errors.New("Didn't find pages in PDF trailer Root.")
+	}
+
+	rootPtr := root.GetPtr()
+	context.CatalogData.RootString = strconv.Itoa(int(rootPtr.GetID())) + " " + strconv.Itoa(int(rootPtr.GetGen())) + " R"
+
+	pages := root.Key("Pages").GetPtr()
+	catalog += " /Pages " + strconv.Itoa(int(pages.GetID())) + " " + strconv.Itoa(int(pages.GetGen())) + " R"
+	catalog += " /AcroForm <<"
+	catalog += " /Fields [" + strconv.Itoa(int(context.SignData.ObjectId)) + " 0 R]"
+
+	if !context.SignData.Signature.Approval {
+		catalog += " /NeedAppearances false"
+	}
+
+	if context.SignData.Signature.CertType > 0 {
+		catalog += " /SigFlags 3"
+	} else {
+		catalog += " /SigFlags 1"
+	}
+
+	catalog += " >>"
+
+	// @todo: what do these do?
+	if !context.SignData.Signature.Approval {
+		if context.SignData.Signature.CertType > 0 {
+			//catalog += " /Perms << /DocMDP " + strconv.Itoa(int(context.SignData.ObjectId)) + " 0 R >>";
+		} else {
+			//catalog += " /Perms << /UR3 " + strconv.Itoa(int(context.SignData.ObjectId)) + " 0 R >>";
+		}
+	}
+
+	catalog += " >>"
+	catalog += "\nendobj\n"
+
+	return catalog, nil
+}

sign/pdfsignature.go

@@ -0,0 +1,117 @@
+package sign
+
+import (
+	"bytes"
+	"encoding/hex"
+	"io"
+	"strconv"
+	"strings"
+
+	"github.com/digitorus/pkcs7"
+)
+
+var signatureMaxLength = uint32(11742)
+var signatureByteRangePlaceholder = "/ByteRange[0 ********** ********** **********]"
+
+func (context *SignContext) createSignaturePlaceholder() (signature string, byte_range_start_byte int64, signature_contents_start_byte int64) {
+	signature = strconv.Itoa(int(context.SignData.ObjectId)) + " 0 obj\n"
+	signature += "<< /Type /Sig"
+	signature += " /Filter /Adobe.PPKLite"
+	signature += " /SubFilter /adbe.pkcs7.detached"
+
+	byte_range_start_byte = int64(len(signature)) + 1
+
+	// Create a placeholder for the byte range string, we will replace it later.
+	signature += " " + signatureByteRangePlaceholder
+
+	signature_contents_start_byte = int64(len(signature)) + 11
+
+	// Create a placeholder for the actual signature content, we wil replace it later.
+	signature += " /Contents<" + strings.Repeat("0", int(signatureMaxLength)) + ">"
+
+	if context.SignData.Signature.Approval {
+		signature += " /Reference [" // array of signature reference dictionaries
+		signature += " << /Type /SigRef"
+		if context.SignData.Signature.CertType > 0 {
+			signature += " /TransformMethod /DocMDP"
+			signature += " /TransformParams <<"
+			signature += " /Type /TransformParams"
+			signature += " /P " + strconv.Itoa(int(context.SignData.Signature.CertType))
+			signature += " /V /1.2"
+		} else {
+			signature += " /TransformMethod /UR3"
+			signature += " /TransformParams <<"
+			signature += " /Type /TransformParams"
+			signature += " /V /2.2"
+		}
+
+		signature += " >>" // close TransformParams
+		signature += " >>"
+		signature += " ]" // end of reference
+	}
+
+	if context.SignData.Signature.Info.Name != "" {
+		signature += " /Name " + pdfString(context.SignData.Signature.Info.Name)
+	}
+	if context.SignData.Signature.Info.Location != "" {
+		signature += " /Location " + pdfString(context.SignData.Signature.Info.Location)
+	}
+	if context.SignData.Signature.Info.Reason != "" {
+		signature += " /Reason " + pdfString(context.SignData.Signature.Info.Reason)
+	}
+	if context.SignData.Signature.Info.ContactInfo != "" {
+		signature += " /ContactInfo " + pdfString(context.SignData.Signature.Info.ContactInfo)
+	}
+	signature += " /M " + pdfDateTime(context.SignData.Signature.Info.Date)
+	signature += " >>"
+	signature += "\nendobj\n"
+
+	return signature, byte_range_start_byte, signature_contents_start_byte
+}
+
+func (context *SignContext) createSignature() ([]byte, error) {
+
+	// Sadly we can't efficiently sign a file, we need to read all the bytes we want to sign.
+	context.OutputFile.Seek(0, 0)
+	sign_buf := bytes.NewBuffer(nil)
+	io.Copy(sign_buf, context.OutputFile)
+	file_content := sign_buf.Bytes()
+
+	// Remove trailing newline.
+	file_content = file_content[:len(file_content)-1]
+
+	// Collect the parts to sign.
+	sign_content := make([]byte, context.ByteRangeValues[1]+context.ByteRangeValues[3])
+	sign_content = append(sign_content, file_content[context.ByteRangeValues[0]:(context.ByteRangeValues[0]+context.ByteRangeValues[1])]...)
+	sign_content = append(sign_content, file_content[context.ByteRangeValues[2]:(context.ByteRangeValues[2]+context.ByteRangeValues[3])]...)
+
+	// Initialize pkcs7 signer.
+	signed_data, err := pkcs7.NewSignedData(sign_content)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add the signer and sign the data.
+	if err := signed_data.AddSignerChain(context.SignData.Certificate, context.SignData.Signer, context.SignData.CertificateChain, pkcs7.SignerInfoConfig{}); err != nil {
+		return nil, err
+	}
+
+	// PDF needs a detached signature, meaning the content isn't included.
+	signed_data.Detach()
+
+	return signed_data.Finish()
+}
+
+func (context *SignContext) replaceSignature() error {
+	signature, err := context.createSignature()
+	if err != nil {
+		return err
+	}
+
+	dst := make([]byte, hex.EncodedLen(len(signature)))
+	hex.Encode(dst, signature)
+
+	context.OutputFile.WriteAt(dst, context.ByteRangeValues[0]+context.ByteRangeValues[1])
+
+	return nil
+}

sign/pdftrailer.go

@@ -0,0 +1,44 @@
+package sign
+
+import (
+	"strconv"
+	"strings"
+)
+
+func (context *SignContext) writeTrailer() error {
+	trailer_length := context.PDFReader.XrefInformation.IncludingTrailerEndPos - context.PDFReader.XrefInformation.EndPos
+
+	// Read the trailer so we can replace the size.
+	context.InputFile.Seek(context.PDFReader.XrefInformation.EndPos+1, 0)
+	trailer_buf := make([]byte, trailer_length)
+	if _, err := context.InputFile.Read(trailer_buf); err != nil {
+		return err
+	}
+
+	root_string := "Root " + context.CatalogData.RootString
+	new_root := "Root " + strconv.FormatInt(int64(context.CatalogData.ObjectId), 10) + " 0 R"
+
+	size_string := "Size " + strconv.FormatInt(context.PDFReader.XrefInformation.ItemCount, 10)
+	new_size := "Size " + strconv.FormatInt(context.PDFReader.XrefInformation.ItemCount+2, 10)
+
+	trailer_string := string(trailer_buf)
+	trailer_string = strings.Replace(trailer_string, root_string, new_root, -1)
+	trailer_string = strings.Replace(trailer_string, size_string, new_size, -1)
+
+	// Write the new trailer.
+	if _, err := context.OutputFile.Write([]byte(trailer_string)); err != nil {
+		return err
+	}
+
+	// Write the new xref start position.
+	if _, err := context.OutputFile.Write([]byte(strconv.FormatInt(context.NewXrefStart, 10) + "\n")); err != nil {
+		return err
+	}
+
+	// Write PDF ending.
+	if _, err := context.OutputFile.Write([]byte("%%EOF\n")); err != nil {
+		return err
+	}
+
+	return nil
+}

sign/pdfxref.go

@@ -0,0 +1,55 @@
+package sign
+
+import (
+	"errors"
+	"strconv"
+)
+
+func (context *SignContext) writeXref() error {
+
+	// @todo: support stream xref.
+
+	if context.PDFReader.XrefInformation.Type == "table" {
+		if err := context.writeXrefTable(); err != nil {
+			return err
+		}
+	} else {
+		return errors.New("Unkwn xref type: " + context.PDFReader.XrefInformation.Type)
+	}
+
+	return nil
+}
+
+func (context *SignContext) writeXrefTable() error {
+	xref_size := "xref\n0 " + strconv.FormatInt(context.PDFReader.XrefInformation.ItemCount, 10)
+	new_xref_size := "xref\n0 " + strconv.FormatInt(context.PDFReader.XrefInformation.ItemCount+2, 10)
+
+	if _, err := context.OutputFile.Write([]byte(new_xref_size)); err != nil {
+		return err
+	}
+
+	// Write the old xref table to the output pdf.
+	if err := writePartFromSourceFileToTargetFile(context.InputFile, context.OutputFile, context.PDFReader.XrefInformation.StartPos+int64(len(xref_size)), context.PDFReader.XrefInformation.Length-int64(len(xref_size))); err != nil {
+		return err
+	}
+
+	// Create the new catalog xref line.
+	catalog_object_start_position := strconv.FormatInt(context.PDFReader.XrefInformation.StartPos, 10)
+	catalog_xref_line := leftPad(catalog_object_start_position, "0", 10-len(catalog_object_start_position)) + " 00000 n\n"
+
+	// Write the new catalog xref line.
+	if _, err := context.OutputFile.Write([]byte(catalog_xref_line)); err != nil {
+		return err
+	}
+
+	// Create the new signature xref line.
+	signature_object_start_position := strconv.FormatInt(context.PDFReader.XrefInformation.StartPos+context.CatalogData.Length, 10)
+	signature_xref_line := leftPad(signature_object_start_position, "0", 10-len(signature_object_start_position)) + " 00000 n\n"
+
+	// Write the new signature xref line.
+	if _, err := context.OutputFile.Write([]byte(signature_xref_line)); err != nil {
+		return err
+	}
+
+	return nil
+}

sign/sign.go

@@ -0,0 +1,149 @@
+package sign
+
+import (
+	"crypto"
+	"crypto/x509"
+	"os"
+	"time"
+
+	"bitbucket.org/digitorus/pdf"
+)
+
+type CatalogData struct {
+	ObjectId   uint32
+	Length     int64
+	RootString string
+}
+
+type SignData struct {
+	ObjectId         uint32
+	Signature        SignDataSignature
+	Signer           crypto.Signer
+	Certificate      *x509.Certificate
+	CertificateChain []*x509.Certificate
+}
+
+type SignDataSignature struct {
+	Approval bool
+	CertType uint32
+	Info     SignDataSignatureInfo
+}
+
+type SignDataSignatureInfo struct {
+	Name        string
+	Location    string
+	Reason      string
+	ContactInfo string
+	Date        time.Time
+}
+
+type SignContext struct {
+	InputFile                  *os.File
+	OutputFile                 *os.File
+	SignData                   SignData
+	CatalogData                CatalogData
+	PDFReader                  *pdf.Reader
+	NewXrefStart               int64
+	ByteRangeStartByte         int64
+	SignatureContentsStartByte int64
+	ByteRangeValues            []int64
+}
+
+func SignFile(input string, output string, sign_data SignData) error {
+	input_file, err := os.Open(input)
+	if err != nil {
+		return err
+	}
+	defer input_file.Close()
+
+	output_file, err := os.Create(output)
+	if err != nil {
+		return err
+	}
+	defer output_file.Close()
+
+	finfo, err := input_file.Stat()
+	if err != nil {
+		return err
+	}
+	size := finfo.Size()
+
+	rdr, err := pdf.NewReader(input_file, size)
+	if err != nil {
+		return err
+	}
+
+	sign_data.ObjectId = uint32(rdr.XrefInformation.ItemCount) + 1
+
+	context := SignContext{
+		PDFReader:  rdr,
+		InputFile:  input_file,
+		OutputFile: output_file,
+		CatalogData: CatalogData{
+			ObjectId: uint32(rdr.XrefInformation.ItemCount),
+		},
+		SignData: sign_data,
+	}
+
+	err = context.SignPDF()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (context *SignContext) SignPDF() error {
+	// Write the PDF file to the output up til the xref.
+	if err := writePartFromSourceFileToTargetFile(context.InputFile, context.OutputFile, 0, context.PDFReader.XrefInformation.StartPos); err != nil {
+		return err
+	}
+
+	catalog, err := context.createCatalog()
+	if err != nil {
+		return err
+	}
+
+	context.CatalogData.Length = int64(len(catalog))
+
+	// Write the new catalog object.
+	if _, err := context.OutputFile.Write([]byte(catalog)); err != nil {
+		return err
+	}
+
+	// Create the signature object
+	signature_object, byte_range_start_byte, signature_contents_start_byte := context.createSignaturePlaceholder()
+
+	// Positions are relative to old start position of xref table.
+	byte_range_start_byte += context.PDFReader.XrefInformation.StartPos + int64(len(catalog))
+	signature_contents_start_byte += context.PDFReader.XrefInformation.StartPos + int64(len(catalog))
+
+	context.ByteRangeStartByte = byte_range_start_byte
+	context.SignatureContentsStartByte = signature_contents_start_byte
+
+	// Write the new signature object.
+	if _, err := context.OutputFile.Write([]byte(signature_object)); err != nil {
+		return err
+	}
+
+	// Calculate the new start position of the xref table.
+	context.NewXrefStart = context.PDFReader.XrefInformation.StartPos + int64(len(signature_object)) + int64(len(catalog))
+
+	if err := context.writeXref(); err != nil {
+		return err
+	}
+
+	if err := context.writeTrailer(); err != nil {
+		return err
+	}
+
+	if err := context.updateByteRange(); err != nil {
+		return err
+	}
+
+	if err := context.replaceSignature(); err != nil {
+		return err
+	}
+
+	return nil
+}

verify/verify.go

@@ -1,6 +1,4 @@
-// http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/PDF32000_2008.pdf
+package verify
-
-package signatures
 
 import (
 	"bytes"
@@ -8,15 +6,13 @@ import (
 	"encoding/asn1"
 	"fmt"
 	"io"
-	"os"
 	"io/ioutil"
-//	"log"
+	"os"
-//	"strings"
 	"time"
 
 	"bitbucket.org/digitorus/pdf"
+	"github.com/digitorus/pkcs7"
 	"github.com/digitorus/timestamp"
-	"go.mozilla.org/pkcs7"
 	"golang.org/x/crypto/ocsp"
 )
 
@@ -103,12 +99,12 @@ func Verify(file *os.File) (apiResp *Response, err error) {
 		}
 
 		// (Required) The signature value. When ByteRange is present, the
-		// value shall be a hexadecimal string (see 7.3.4.3, “Hexadecimal
+		// value shall be a hexadecimal string (see 7.3.4.3, “Hexadecimal
-		// Strings”) representing the value of the byte range digest.
+		// Strings”) representing the value of the byte range digest.
 		// For public-key signatures, Contents should be either a DER-encoded
 		// PKCS#1 binary data object or a DER-encoded PKCS#7 binary data object.
 		// Space for the Contents value must be allocated before the message
-		// digest is computed. (See 7.3.4, “String Objects“)
+		// digest is computed. (See 7.3.4, “String Objects“)
 		p7, err := pkcs7.Parse([]byte(v.Key("Contents").RawString()))
 		if err != nil {
 			//fmt.Println(err)
@@ -141,7 +137,7 @@ func Verify(file *os.File) (apiResp *Response, err error) {
 		for _, s := range p7.Signers {
 			isn = s.IssuerAndSerialNumber.IssuerName.FullBytes
 			//for _, a := range s.AuthenticatedAttributes {
-				//fmt.Printf("A: %v, %#v\n", s.IssuerAndSerialNumber.SerialNumber, a.Type)
+			//fmt.Printf("A: %v, %#v\n", s.IssuerAndSerialNumber.SerialNumber, a.Type)
 			//}
 
 			// Timestamp