Add functions for PKCS7, ASN1, CMS, CRL, RSA, & ECDSA

asn1.go

@@ -0,0 +1,47 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package openssl
+
+// #include "shim.h"
+import "C"
+
+import (
+	"errors"
+	"io/ioutil"
+)
+
+// ASN1Parse parses and extracts ASN.1 structure and returns the data in text format
+func ASN1Parse(asn1 []byte) (string, error) {
+	if len(asn1) == 0 {
+		return "", errors.New("empty asn1 structure")
+	}
+
+	out := C.BIO_new(C.BIO_s_mem())
+	if out == nil {
+		return "", errors.New("failed allocating output buffer")
+	}
+	defer C.BIO_free(out)
+
+	if int(C.ASN1_parse_dump(out, (*C.uchar)(&asn1[0]), C.long(len(asn1)), 1, 0)) == 0 {
+		return "", errors.New("failed to parse asn1 data")
+	}
+
+	parsed, err := ioutil.ReadAll(asAnyBio(out))
+	if err != nil {
+		return "", errors.New("failed to read bio data as bytes")
+	}
+
+	return string(parsed), nil
+}

cert.go

@@ -19,6 +19,7 @@ import "C"
 
 import (
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"math/big"
 	"runtime"
@@ -230,6 +231,21 @@ func (c *Certificate) SetSerial(serial *big.Int) error {
 	return nil
 }
 
+// GetIssueDate retrieves the certificate issue date.
+func (c *Certificate) GetIssueDate() (time.Time, error) {
+	var ts time.Time
+	result := C.X_X509_get0_notBefore(c.x)
+	if result == nil {
+		return ts, errors.New("failed to get issue date")
+	}
+	str := C.GoString((*C.char)(unsafe.Pointer(result.data)))
+	ts, err := time.Parse("060102150405Z", str)
+	if err != nil {
+		return ts, fmt.Errorf("unable to parse timestamp: %v", err)
+	}
+	return ts, nil
+}
+
 // SetIssueDate sets the certificate issue date relative to the current time.
 func (c *Certificate) SetIssueDate(when time.Duration) error {
 	offset := C.long(when / time.Second)
@@ -240,6 +256,21 @@ func (c *Certificate) SetIssueDate(when time.Duration) error {
 	return nil
 }
 
+// GetExpireDate retrieves the certificate expiry date.
+func (c *Certificate) GetExpireDate() (time.Time, error) {
+	var ts time.Time
+	result := C.X_X509_get0_notAfter(c.x)
+	if result == nil {
+		return ts, errors.New("failed to get expiry date")
+	}
+	str := C.GoString((*C.char)(unsafe.Pointer(result.data)))
+	ts, err := time.Parse("060102150405Z", str)
+	if err != nil {
+		return ts, fmt.Errorf("unable to parse timestamp: %v", err)
+	}
+	return ts, nil
+}
+
 // SetExpireDate sets the certificate issue date relative to the current time.
 func (c *Certificate) SetExpireDate(when time.Duration) error {
 	offset := C.long(when / time.Second)
@@ -363,6 +394,27 @@ func LoadCertificateFromPEM(pem_block []byte) (*Certificate, error) {
 	return x, nil
 }
 
+// LoadCertificateFromDER loads an X509 certificate from a DER-encoded block.
+func LoadCertificateFromDER(der_block []byte) (*Certificate, error) {
+	if len(der_block) == 0 {
+		return nil, errors.New("empty der block")
+	}
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+	bio := C.BIO_new_mem_buf(unsafe.Pointer(&der_block[0]),
+		C.int(len(der_block)))
+	cert := C.d2i_X509_bio(bio, nil)
+	C.BIO_free(bio)
+	if cert == nil {
+		return nil, errorFromErrorQueue()
+	}
+	x := &Certificate{x: cert}
+	runtime.SetFinalizer(x, func(x *Certificate) {
+		C.X509_free(x.x)
+	})
+	return x, nil
+}
+
 // MarshalPEM converts the X509 certificate to PEM-encoded format
 func (c *Certificate) MarshalPEM() (pem_block []byte, err error) {
 	bio := C.BIO_new(C.BIO_s_mem())
@@ -413,3 +465,114 @@ func (c *Certificate) SetVersion(version X509_Version) error {
 	}
 	return nil
 }
+
+type PKCS7 struct {
+	p7    *C.PKCS7
+	Certs []*Certificate
+}
+
+// LoadCertificatesFromPKCS7 loads certificates from a DER-encoded pkcs7.
+func LoadCertificatesFromPKCS7(der_block []byte) (*PKCS7, error) {
+	if len(der_block) == 0 {
+		return nil, errors.New("empty der block")
+	}
+	bio := C.BIO_new_mem_buf(unsafe.Pointer(&der_block[0]),
+		C.int(len(der_block)))
+	if bio == nil {
+		return nil, errors.New("failed creating bio")
+	}
+	defer C.BIO_free(bio)
+
+	var p7 *C.PKCS7
+	p7 = C.d2i_PKCS7_bio(bio, nil)
+	if p7 == nil {
+		return nil, errors.New("failed reading pkcs7 data")
+	}
+	ret := &PKCS7{
+		p7: p7,
+	}
+	runtime.SetFinalizer(ret, func(pkcs7 *PKCS7) {
+		C.PKCS7_free(pkcs7.p7)
+	})
+
+	var certs *C.struct_stack_st_X509
+	i := C.OBJ_obj2nid(p7._type)
+
+	// credit goes to Chris Bandy who referenced Alan Shen's article for this cgo representation of a union:
+	// https://sunzenshen.github.io/tutorials/2015/05/09/cgotchas-intro.html
+	switch i {
+	case C.NID_pkcs7_signed:
+		signed := *(**C.PKCS7_SIGNED)(unsafe.Pointer(&p7.d[0]))
+		certs = signed.cert
+	case C.NID_pkcs7_signedAndEnveloped:
+		signedAndEnveloped := *(**C.PKCS7_SIGN_ENVELOPE)(unsafe.Pointer(&p7.d[0]))
+		certs = signedAndEnveloped.cert
+	}
+
+	err := ret.loadCertificateStack(certs)
+	if err != nil {
+		return nil, err
+	}
+	return ret, nil
+}
+
+// loadCertificateStack loads up a stack of x509 certificates into the PKCS7 struct.
+func (p *PKCS7) loadCertificateStack(sk *C.struct_stack_st_X509) error {
+	sk_num := int(C.X_sk_X509_num(sk))
+	if sk_num < 0 {
+		return fmt.Errorf("invalid value returned by sk_X509_num: %d", sk_num)
+	}
+	p.Certs = make([]*Certificate, 0, sk_num)
+	for i := 0; i < sk_num; i++ {
+		x := C.X_sk_X509_value(sk, C.int(i))
+
+		// add a ref
+		if 1 != C.X_X509_add_ref(x) {
+			return errors.New("unable to add ref for X509")
+		}
+		cert := &Certificate{x: x}
+		runtime.SetFinalizer(cert, func(cert *Certificate) {
+			C.X509_free(cert.x)
+		})
+		p.Certs = append(p.Certs, cert)
+	}
+	return nil
+}
+
+// VerifyTrustAndGetIssuerCertificate takes a CertificateStore and verifies trust for the certificate.
+// The issuing certificate from the CertificateStore is returned if found.
+func (c *Certificate) VerifyTrustAndGetIssuerCertificate(store *CertificateStore) (*Certificate, VerifyResult, error) {
+	storeCtx := C.X509_STORE_CTX_new()
+	if storeCtx == nil {
+		return nil, 0, errors.New("failed to create new X509_STORE_CTX")
+	}
+	defer C.X509_STORE_CTX_free(storeCtx)
+
+	rc := C.X509_STORE_CTX_init(storeCtx, store.store, c.x, nil)
+	if rc == 0 {
+		return nil, 0, errors.New("unable to init X509_STORE_CTX")
+	}
+
+	i := C.X509_verify_cert(storeCtx)
+	var issuer *Certificate
+	verifyResult := Ok
+	if i != 1 {
+		verifyResult = VerifyResult(C.X509_STORE_CTX_get_error(storeCtx))
+	}
+
+	currentIssuer := C.X509_STORE_CTX_get0_current_issuer(storeCtx)
+	if currentIssuer != nil {
+		// need to clone the issuer cert so that it is not cleaned up when C.X509_STORE_CTX_free is called
+		ic := &Certificate{x: currentIssuer}
+		data, err := ic.MarshalPEM()
+		if err != nil {
+			return nil, 0, errors.New("error copying issuer cert")
+		}
+		issuer, err = LoadCertificateFromPEM(data)
+		if err != nil {
+			return nil, 0, errors.New("error loading issuer cert")
+		}
+	}
+
+	return issuer, verifyResult, nil
+}

cert_test.go

@@ -138,6 +138,63 @@ func TestCertGetNameEntry(t *testing.T) {
 	}
 }
 
+func TestCertIssueDate(t *testing.T) {
+	key, err := GenerateRSAKey(768)
+	if err != nil {
+		t.Fatal(err)
+	}
+	info := &CertificateInfo{
+		Serial:       big.NewInt(int64(1)),
+		Expires:      24 * time.Hour,
+		Country:      "US",
+		Organization: "Test",
+		CommonName:   "localhost",
+	}
+	cert, err := NewCertificate(info, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := cert.SetIssueDate(0); err != nil {
+		t.Fatal(err)
+	}
+	issue, err := cert.GetIssueDate()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if issue.IsZero() || issue.After(time.Now()) {
+		t.Fatalf("invalid issue date")
+	}
+}
+
+func TestCertExpireDate(t *testing.T) {
+	key, err := GenerateRSAKey(768)
+	if err != nil {
+		t.Fatal(err)
+	}
+	info := &CertificateInfo{
+		Serial:       big.NewInt(int64(1)),
+		Issued:       0,
+		Country:      "US",
+		Organization: "Test",
+		CommonName:   "localhost",
+	}
+	cert, err := NewCertificate(info, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := cert.SetExpireDate(30 * time.Minute); err != nil {
+		t.Fatal(err)
+	}
+	exp, err := cert.GetExpireDate()
+	if err != nil {
+		t.Fatal(err)
+	}
+	now := time.Now()
+	if exp.IsZero() || exp.Before(now) || exp.After(now.Add(30*time.Minute)) {
+		t.Fatalf("invalid expire date")
+	}
+}
+
 func TestCertVersion(t *testing.T) {
 	key, err := GenerateRSAKey(768)
 	if err != nil {

cms.go

@@ -0,0 +1,67 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package openssl
+
+// #include "shim.h"
+import "C"
+
+import (
+	"errors"
+	"unsafe"
+)
+
+// VerifyAndGetSignedDataFromPKCS7 verifies a CMS SignedData structure from a DER-encoded PKCS7,
+// and returns the signed content if the verification is successful.
+// It does not verify the signing certificates.
+func VerifyAndGetSignedDataFromPKCS7(der []byte) ([]byte, error) {
+	if len(der) == 0 {
+		return nil, errors.New("empty der block")
+	}
+
+	in := C.BIO_new_mem_buf(unsafe.Pointer(&der[0]), C.int(len(der)))
+	if in == nil {
+		return nil, errors.New("failed creating input buffer")
+	}
+	defer C.BIO_free(in)
+
+	var cms *C.CMS_ContentInfo
+	cms = C.d2i_CMS_bio(in, nil)
+	if cms == nil {
+		return nil, errors.New("failed creating cms")
+	}
+	defer C.CMS_ContentInfo_free(cms)
+
+	out := C.BIO_new(C.BIO_s_mem())
+	if out == nil {
+		return nil, errors.New("failed allocating output buffer")
+	}
+	defer C.BIO_free(out)
+	flags := C.uint(C.CMS_NO_SIGNER_CERT_VERIFY)
+
+	if int(C.CMS_verify(cms, nil, nil, nil, out, flags)) != 1 {
+		return nil, errors.New("failed to verify signature")
+	}
+
+	bufLen := C.BIO_ctrl(out, C.BIO_CTRL_PENDING, 0, nil)
+	buffer := C.X_OPENSSL_malloc(C.ulong(bufLen))
+	if buffer == nil {
+		return nil, errors.New("failed allocating buffer for signed data")
+	}
+	defer C.X_OPENSSL_free(buffer)
+	C.BIO_read(out, buffer, C.int(bufLen))
+	sigData := C.GoBytes(unsafe.Pointer(buffer), C.int(bufLen))
+
+	return sigData, nil
+}