Tryanks/pdfsign
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add revocation information

Browse Source
This commit is contained in:
Jeroen Bobbeldijk
2017-07-13 20:30:18 +02:00
parent ac9e8bb4c1
commit c8e53c9bcf
7 changed files with 77 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
certificate.pem Normal file
View File

@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDBDCCAm2gAwIBAgIJAP6vkkLP72OOMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD
VQQGEwJOTDEVMBMGA1UECAwMWnVpZC1Ib2xsYW5kMRIwEAYDVQQHDAlSb3R0ZXJk
YW0xEjAQBgNVBAoMCVVuaWNvZGVyczELMAkGA1UECwwCSVQxGjAYBgNVBAMMEUpl
cm9lbiBCb2JiZWxkaWprMSIwIAYJKoZIhvcNAQkBFhNqZXJvZW5AdW5pY29kZXJz
Lm5sMCAXDTE3MDcwNjE5MzYwOVoYDzMwMTYxMTA2MTkzNjA5WjCBmTELMAkGA1UE
BhMCTkwxFTATBgNVBAgMDFp1aWQtSG9sbGFuZDESMBAGA1UEBwwJUm90dGVyZGFt
MRIwEAYDVQQKDAlVbmljb2RlcnMxCzAJBgNVBAsMAklUMRowGAYDVQQDDBFKZXJv
ZW4gQm9iYmVsZGlqazEiMCAGCSqGSIb3DQEJARYTamVyb2VuQHVuaWNvZGVycy5u
bDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArpfaVUltYdOSISuc8V5vAy6b
jpqYuxsS5I6jpL1nMKms9IB5+uk+Glo2O/tb+W/R8zxQ3xrQ6JWZ4ZSsBhKNVink
Su3+kdAQJfHn3NLJzx0QGceo0TF2RvVGo5c91zxuA8rchdNz1QxrD6QesGKyfsXn
F+oELezafT346PbeqikCAwEAAaNQME4wHQYDVR0OBBYEFKA68BB0iwhY2RIRFIYs
gmq0l6y7MB8GA1UdIwQYMBaAFKA68BB0iwhY2RIRFIYsgmq0l6y7MAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADgYEAZ75HjcE/d/nclPTQbCN9qvUyuU76ml4O
jDN8T+loOsUKmI4VVsNLzF6DXq8sg4EP7s8kEEzM7qhoijw09OUhVniBYN3SzJYX
l8AiThPGqcIm1TrkqPULYQBu/FnMoL6SP7kAULcsUvEmn1rPcG9ESQ4sK/ceJhFZ
zk9o3rVC0PU=
-----END CERTIFICATE-----

2
revocation/revocation.go
View File

@@ -1,8 +1,8 @@
package revocation package revocation
import ( import (
"encoding/asn1"
"crypto/x509" "crypto/x509"
"encoding/asn1"
) )
// InfoArchival is the pkcs7 container containing the revocation information for // InfoArchival is the pkcs7 container containing the revocation information for

3
sign.go
View File

@@ -11,6 +11,7 @@ import (
"errors" "errors"
"io/ioutil" "io/ioutil"
"bitbucket.org/digitorus/pdfsign/revocation"
"bitbucket.org/digitorus/pdfsign/sign" "bitbucket.org/digitorus/pdfsign/sign"
"bitbucket.org/digitorus/pdfsign/verify" "bitbucket.org/digitorus/pdfsign/verify"
) )
@@ -106,6 +107,8 @@ func main() {
TSA: sign.TSA{ TSA: sign.TSA{
URL: "http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23", URL: "http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23",
}, },
RevocationData: revocation.InfoArchival{},
RevocationFunction: sign.DefaultEmbedRevocationStatusFunction,
}) })
if err != nil { if err != nil {
log.Println(err) log.Println(err)

25
sign/pdfsignature.go
View File

@@ -135,12 +135,33 @@ func (context *SignContext) createSignature() ([]byte, error) {
Type: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 14}, Type: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 14},
Value: resp.TimeStampToken, Value: resp.TimeStampToken,
} }
signer_config.ExtraUnsignedAttributes = append(signer_config.ExtraSignedAttributes, timestamp_attribute) signer_config.ExtraUnsignedAttributes = append(signer_config.ExtraUnsignedAttributes, timestamp_attribute)
}
if context.SignData.RevocationFunction != nil {
err = context.SignData.RevocationFunction(context.SignData.Certificate, nil, &context.SignData.RevocationData)
if err != nil {
return nil, err
}
if context.SignData.CertificateChain != nil && len(context.SignData.CertificateChain) > 0 {
for _, cert := range context.SignData.CertificateChain {
err = context.SignData.RevocationFunction(cert, nil, &context.SignData.RevocationData)
if err != nil {
return nil, err
}
}
}
revocation_attribute := pkcs7.Attribute{
Type: asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 8},
Value: context.SignData.RevocationData,
}
signer_config.ExtraSignedAttributes = append(signer_config.ExtraSignedAttributes, revocation_attribute)
} }
// Add the signer and sign the data. // Add the signer and sign the data.
if err := signed_data.AddSignerChain(context.SignData.Certificate, context.SignData.Signer, context.SignData.CertificateChain, signer_config); err != nil { if err := signed_data.AddSignerChain(context.SignData.Certificate, context.SignData.Signer, context.SignData.CertificateChain, signer_config); err != nil {
return nil, err return nil, err
} }

23
sign/revocation.go
View File

@@ -3,7 +3,6 @@ package sign
import ( import (
"crypto/x509" "crypto/x509"
"encoding/base64" "encoding/base64"
"errors"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
@@ -38,8 +37,7 @@ func embedOCSPRevocationStatus(cert, issuer *x509.Certificate, i *revocation.Inf
return err return err
} }
i.AddOCSP(body) return i.AddOCSP(body)
return nil
} }
// embedCRLRevocationStatus requires an issuer as it needs to implement the // embedCRLRevocationStatus requires an issuer as it needs to implement the
@@ -56,11 +54,10 @@ func embedCRLRevocationStatus(cert, issuer *x509.Certificate, i *revocation.Info
} }
// TODO: verify crl and certificate before embedding // TODO: verify crl and certificate before embedding
i.AddCRL(body) return i.AddCRL(body)
return nil
} }
func embedRevocationStatus(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error { func DefaultEmbedRevocationStatusFunction(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error {
// For each certificate a revoction status needs to be included, this can be done // For each certificate a revoction status needs to be included, this can be done
// by embedding a CRL or OCSP response. In most cases an OCSP response is smaller // by embedding a CRL or OCSP response. In most cases an OCSP response is smaller
// to embed in the document but and empty CRL (often seen of dediced high volume // to embed in the document but and empty CRL (often seen of dediced high volume
@@ -74,15 +71,19 @@ func embedRevocationStatus(cert, issuer *x509.Certificate, i *revocation.InfoArc
// using an OCSP server // using an OCSP server
if len(cert.OCSPServer) > 0 { if len(cert.OCSPServer) > 0 {
embedOCSPRevocationStatus(cert, issuer, i) err := embedOCSPRevocationStatus(cert, issuer, i)
return nil if err != nil {
return err
}
} }
// using a crl // using a crl
if len(cert.CRLDistributionPoints) > 0 { if len(cert.CRLDistributionPoints) > 0 {
embedCRLRevocationStatus(cert, issuer, i) err := embedCRLRevocationStatus(cert, issuer, i)
return nil if err != nil {
return err
}
} }
return errors.New("certificate contains no information to check status") return nil
} }

2
sign/revocation_test.go
View File

@@ -75,7 +75,7 @@ htN+laG7bS/8xGTPothL9Abgd/9L3X0KKGUDCdcpzRuy20CI7E4uygD8
func TestEmbedRevocationStatus(t *testing.T) { func TestEmbedRevocationStatus(t *testing.T) {
var ia revocation.InfoArchival var ia revocation.InfoArchival
err := embedRevocationStatus(pemToCert(certPem), pemToCert(issuerPem), &ia) err := DefaultEmbedRevocationStatusFunction(pemToCert(certPem), pemToCert(issuerPem), &ia)
if err != nil { if err != nil {
t.Errorf("%s", err.Error()) t.Errorf("%s", err.Error())
} }

5
sign/sign.go
View File

@@ -8,6 +8,7 @@ import (
"time" "time"
"bitbucket.org/digitorus/pdf" "bitbucket.org/digitorus/pdf"
"bitbucket.org/digitorus/pdfsign/revocation"
) )
type CatalogData struct { type CatalogData struct {
@@ -22,6 +23,8 @@ type TSA struct {
Password string Password string
} }
type RevocationFunction func(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error
type SignData struct { type SignData struct {
ObjectId uint32 ObjectId uint32
Signature SignDataSignature Signature SignDataSignature
@@ -29,6 +32,8 @@ type SignData struct {
Certificate *x509.Certificate Certificate *x509.Certificate
CertificateChain []*x509.Certificate CertificateChain []*x509.Certificate
TSA TSA TSA TSA
RevocationData revocation.InfoArchival
RevocationFunction RevocationFunction
} }
type VisualSignData struct { type VisualSignData struct {