Add revocation information

2017-07-13 20:30:18 +02:00
parent ac9e8bb4c1
commit c8e53c9bcf
7 changed files with 77 additions and 28 deletions
--- a/sign/pdfsignature.go
+++ b/sign/pdfsignature.go
@@ -135,12 +135,33 @@ func (context *SignContext) createSignature() ([]byte, error) {
 			Type:  asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 14},
 			Value: resp.TimeStampToken,
 		}
-		signer_config.ExtraUnsignedAttributes = append(signer_config.ExtraSignedAttributes, timestamp_attribute)
+		signer_config.ExtraUnsignedAttributes = append(signer_config.ExtraUnsignedAttributes, timestamp_attribute)
+	}
+
+	if context.SignData.RevocationFunction != nil {
+		err = context.SignData.RevocationFunction(context.SignData.Certificate, nil, &context.SignData.RevocationData)
+		if err != nil {
+			return nil, err
+		}
+
+		if context.SignData.CertificateChain != nil && len(context.SignData.CertificateChain) > 0 {
+			for _, cert := range context.SignData.CertificateChain {
+				err = context.SignData.RevocationFunction(cert, nil, &context.SignData.RevocationData)
+				if err != nil {
+					return nil, err
+				}
+			}
+		}
+
+		revocation_attribute := pkcs7.Attribute{
+			Type:  asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 8},
+			Value: context.SignData.RevocationData,
+		}
+		signer_config.ExtraSignedAttributes = append(signer_config.ExtraSignedAttributes, revocation_attribute)
 	}

 	// Add the signer and sign the data.
 	if err := signed_data.AddSignerChain(context.SignData.Certificate, context.SignData.Signer, context.SignData.CertificateChain, signer_config); err != nil {
-
 		return nil, err
 	}

--- a/sign/revocation.go
+++ b/sign/revocation.go
@@ -3,7 +3,6 @@ package sign
 import (
 	"crypto/x509"
 	"encoding/base64"
-	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -38,8 +37,7 @@ func embedOCSPRevocationStatus(cert, issuer *x509.Certificate, i *revocation.Inf
 		return err
 	}

-	i.AddOCSP(body)
-	return nil
+	return i.AddOCSP(body)
 }

 // embedCRLRevocationStatus requires an issuer as it needs to implement the
@@ -56,11 +54,10 @@ func embedCRLRevocationStatus(cert, issuer *x509.Certificate, i *revocation.Info
 	}

 	// TODO: verify crl and certificate before embedding
-	i.AddCRL(body)
-	return nil
+	return i.AddCRL(body)
 }

-func embedRevocationStatus(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error {
+func DefaultEmbedRevocationStatusFunction(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error {
 	// For each certificate a revoction status needs to be included, this can be done
 	// by embedding a CRL or OCSP response. In most cases an OCSP response is smaller
 	// to embed in the document but and empty CRL (often seen of dediced high volume
@@ -74,15 +71,19 @@ func embedRevocationStatus(cert, issuer *x509.Certificate, i *revocation.InfoArc

 	// using an OCSP server
 	if len(cert.OCSPServer) > 0 {
-		embedOCSPRevocationStatus(cert, issuer, i)
-		return nil
+		err := embedOCSPRevocationStatus(cert, issuer, i)
+		if err != nil {
+			return err
+		}
 	}

 	// using a crl
 	if len(cert.CRLDistributionPoints) > 0 {
-		embedCRLRevocationStatus(cert, issuer, i)
-		return nil
+		err := embedCRLRevocationStatus(cert, issuer, i)
+		if err != nil {
+			return err
+		}
 	}

-	return errors.New("certificate contains no information to check status")
+	return nil
 }
--- a/sign/revocation_test.go
+++ b/sign/revocation_test.go
@@ -75,7 +75,7 @@ htN+laG7bS/8xGTPothL9Abgd/9L3X0KKGUDCdcpzRuy20CI7E4uygD8
 func TestEmbedRevocationStatus(t *testing.T) {
 	var ia revocation.InfoArchival

-	err := embedRevocationStatus(pemToCert(certPem), pemToCert(issuerPem), &ia)
+	err := DefaultEmbedRevocationStatusFunction(pemToCert(certPem), pemToCert(issuerPem), &ia)
 	if err != nil {
 		t.Errorf("%s", err.Error())
 	}
--- a/sign/sign.go
+++ b/sign/sign.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	"bitbucket.org/digitorus/pdf"
+	"bitbucket.org/digitorus/pdfsign/revocation"
 )

 type CatalogData struct {
@@ -17,18 +18,22 @@ type CatalogData struct {
 }

 type TSA struct {
-	URL           string
-	Username      string
-	Password      string
+	URL      string
+	Username string
+	Password string
 }

+type RevocationFunction func(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error
+
 type SignData struct {
-	ObjectId         uint32
-	Signature        SignDataSignature
-	Signer           crypto.Signer
-	Certificate      *x509.Certificate
-	CertificateChain []*x509.Certificate
-	TSA              TSA
+	ObjectId           uint32
+	Signature          SignDataSignature
+	Signer             crypto.Signer
+	Certificate        *x509.Certificate
+	CertificateChain   []*x509.Certificate
+	TSA                TSA
+	RevocationData     revocation.InfoArchival
+	RevocationFunction RevocationFunction
 }

 type VisualSignData struct {