libICP

v0.0.0-...-34faafe

This package is not in the latest version of its module.
Published: Sep 24, 2018 | License: AGPL-3.0 | Imports: 34 | Imported by: 0

README

libICP


A golang library for CAdES (CMS Advanced Electronic Signatures) for the Brazilian Public Key Infrastructure (ICP-Brasil).

Features

  • Verify X509 digital certificates.
    • Validity check.
    • Integrity/signature check.
    • Download all CAs on request.
    • Check CRLs.
    • Auto download CRLs.
    • Auto download CAs when needed.
    • Support certificate extensions.
      • Basic Constraints.
      • Key Usage.
      • Authority Key Identifier.
      • Subject Key Identifier.
      • Certificate Policies.
      • CRL Distribution Points.
      • Fail when critical extensions are not supported.
  • CMS Content type support.
    • protection content
    • ContentInfo
    • data
    • signed-data
    • enveloped-data
  • Join multiple signature files into a single signature file.¹
  • Support for smartcard certificates.
  • Support for USB certificates.
  • Support creation of AD-RB (Digital Signatures with Basic Reference).
    • Add detached signature to unsigned file.
    • Add attached signature to unsigned file.
    • Add cosignature to already signed file.
    • Add countersignature to already signed file.
  • Support verification of AD-RB (Digital Signatures with Basic Reference).
  • Support creation of AD-RT (Digital Signatures with Time Reference).
  • Support verification of AD-RT (Digital Signatures with Time Reference).
  • Support creation of AD-RV (Digital Signatures with References for Validation).
  • Support verification of AD-RV (Digital Signatures with References for Validation).
  • Support creation of AD-RC (Digital Signatures with Complete References).
  • Support verification of AD-RC (Digital Signatures with Complete References).
  • Support creation of AD-RA (Digital Signatures with References for Archival).
  • Support verification of AD-RA (Digital Signatures with References for Archival).

¹: This is intended to handle situations in which multiple people signed a document "in parallel". Ex: a company contract is sent to five people via email. Each recipient generates their own signature file and sends it back to the company. The company can simply "merge" these signatures into a single signature file, as long as they are all valid and cover the same document.

Limitations

  • Only idPbeWithSHAAnd3KeyTripleDES_CBC (1.2.840.113549.1.12.1.3) using SHA1 is supported for key encryption. (this will change in the future)
  • The PFX decoding is a total mess that should be rewritten at some point.

C Wrapper

A C wrapper is available under the c-wrapper directory. See the man files for reference.

If you can't run make docs, look at the .pod file in c-wrapper/docs/src.

License

AGPL - Affero GNU Public License

Documentation

Constants

const (
	ERR_OK = iota
	ERR_BAD_SIGNATURE
	ERR_BASIC_CONSTRAINTS_MAX_PATH_EXCEDED
	ERR_FAILED_ABS_PATH
	ERR_FAILED_HASH
	ERR_FAILED_TO_DECODE
	ERR_FAILED_TO_ENCODE
	ERR_FAILED_TO_OPEN_FILE
	ERR_FAILED_TO_SIGN
	ERR_FAILED_TO_WRITE_FILE
	ERR_FILE_NOT_EXISTS
	ERR_GEN_KEYS
	ERR_HTTP
	ERR_ISSUER_NOT_FOUND
	ERR_LOCKED_MULTI_ERROR
	ERR_MAX_DEPTH_REACHED
	ERR_NETWORK_ERROR
	ERR_NO_CERT_PATH
	ERR_NO_CONTENT
	ERR_NOT_AFTER_DATE
	ERR_NOT_BEFORE_DATE
	ERR_NOT_CA
	ERR_NOT_IMPLEMENTED
	ERR_PARSE_CERT
	ERR_PARSE_CRL
	ERR_PARSE_EXTENSION
	ERR_PARSE_PFX
	ERR_PARSE_RSA_PRIVKEY
	ERR_PARSE_RSA_PUBKEY
	ERR_READ_FILE
	ERR_REVOKED
	ERR_SECURE_RANDOM
	ERR_TEST_CA_IMPROPPER_NAME
	ERR_UNKOWN_ALGORITHM
	ERR_UNKOWN_REVOCATION_STATUS
	ERR_UNSUPORTED_CRITICAL_EXTENSION
	ERR_UNZIP_ERROR
)
const (
	CRL_UNSURE_OR_NOT_FOUND = 0
	// CRL_NOT_REVOKED is also used when the CA offers no means to check revocation status.
	CRL_NOT_REVOKED = 1
	CRL_REVOKED     = 2
)
const ALL_CAs_ZIP_URL = "http://acraiz.icpbrasil.gov.br/credenciadas/CertificadosAC-ICP-Brasil/ACcompactado.zip"

The lack of HTTPS is not a security problem because the root CAs are embedded in libICP and all CAs are checked against them. (see file `data.go`)
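The trust argument in the note above, sketched with Go's standard `crypto/x509` as an added example (not libICP's own code): certificates fetched over plain HTTP are treated only as untrusted candidates, and one is kept only if it is a CA and its signatures chain to an embedded root. The names `issue` and `FilterBundle` and all certificates are hypothetical and constructed; Ed25519 keys are an assumption made to keep sample generation fast.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed sample cert; errors ignored for fixed inputs
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
	if parent == nil { // nil parent means self-signed
		parent, pk = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// FilterBundle returns the subjects of bundle entries that are CAs and chain, by signature, to an embedded root.
func FilterBundle(embedded *x509.CertPool, bundle []*x509.Certificate) (ok []string) {
	pool := x509.NewCertPool() // untrusted candidates may only serve as intermediates, never as roots
	for _, c := range bundle {
		pool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: embedded, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range bundle {
		if _, err := c.Verify(opts); err == nil && c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0 {
			ok = append(ok, c.Subject.CommonName)
		}
	}
	return ok
}

func main() { // constructed "download": genuine intermediate, forged CA reusing the root's name, non-CA cert
	root, rk := issue("Constructed Root", x509.KeyUsageCertSign, nil, nil)
	good, _ := issue("Constructed Intermediate", x509.KeyUsageCertSign, root, rk)
	forged, _ := issue("Constructed Root", x509.KeyUsageCertSign, nil, nil)
	leaf, _ := issue("Constructed End Entity", x509.KeyUsageDigitalSignature, root, rk)
	embedded := x509.NewCertPool()
	embedded.AddCert(root)
	fmt.Println(FilterBundle(embedded, []*x509.Certificate{good, forged, leaf})) // [Constructed Intermediate]
}
```

The forged certificate carries the same subject name as the embedded root and is still rejected, because acceptance depends on signature verification against the embedded key, not on the name or on the transport.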

const ROOT_CA_BR_ICP_V1 = "" /* 1650-byte string literal not displayed */

PEM encoded root CA: Autoridade Certificadora Raiz Brasileira v1

const ROOT_CA_BR_ICP_V2 = "" /* 2396-byte string literal not displayed */

PEM encoded root CA: Autoridade Certificadora Raiz Brasileira v2

const ROOT_CA_BR_ICP_V5 = "" /* 2396-byte string literal not displayed */

PEM encoded root CA: Autoridade Certificadora Raiz Brasileira v5

const TESTING_ROOT_CA_SUBJECT = "C=BR/O=Fake ICP-Brasil/OU=Apenas para testes - SEM VALOR LEGAL/CN=Autoridade Certificadora Raiz de Testes - SEM VALOR LEGAL"
const VERSION_MAJOR = 0
const VERSION_MINOR = 1
const VERSION_PATCH = 0

Variables

This section is empty.

Functions

func NewCertAndKey

func NewCertAndKey(subject map[string]string, issuer Certificate, serial *big.Int, not_before, not_after time.Time) (pfx PFX, cerr CodedError)

func NewCertificateFromBytes

func NewCertificateFromBytes(raw []byte) ([]*Certificate, []CodedError)

Accepts PEM, DER and a mix of both.

func NewCertificateFromFile

func NewCertificateFromFile(path string) ([]*Certificate, []CodedError)

Accepts PEM, DER and a mix of both.

func NewPFXFromDER

func NewPFXFromDER(dat []byte, password string) (PFX, CodedError)

func NewPFXFromFile

func NewPFXFromFile(path string, password string) (PFX, CodedError)

func NewRootCA

func NewRootCA(not_before, not_after time.Time) (PFX, CodedError)

Generates a new root CA with subject and issuer TESTING_ROOT_CA_SUBJECT

BUG: Subject Public Key Info leads to PKEY_SET_TYPE:unsupported algorithm and X509_PUBKEY_get:unsupported algorithm on openssl

BUG: Lack of proper extensions leads the rest of the code to not consider it as a CA (key usage and extended key usage).

func Version

func Version() string

Returns this library version as a string

Types

type CAStore

type CAStore struct {
	// If true, it will attempt to download missing CAs and CRLs
	AutoDownload bool

	Debug     bool
	CachePath string
	// contains filtered or unexported fields
}

func NewCAStore

func NewCAStore(AutoDownload bool) *CAStore

func (*CAStore) AddCA

func (store *CAStore) AddCA(cert *Certificate) []CodedError

func (*CAStore) AddCAsFromDir

func (store *CAStore) AddCAsFromDir(path string) error

func (*CAStore) AddTestingRootCA

func (store *CAStore) AddTestingRootCA(cert *Certificate) []CodedError

Adds a new root CA for testing purposes. It MUST have as subject and issuer: TESTING_ROOT_CA_SUBJECT

This should NEVER be used in production!

func (*CAStore) DownloadAllCAs

func (store *CAStore) DownloadAllCAs() CodedError

This function attempts to download all CAs from ALL_CAs_ZIP_URL. It runs regardless of CAStore.AutoDownload.

func (*CAStore) Init

func (store *CAStore) Init()

This function MUST be called before using this struct. It makes a few maps and adds the following root CAs: ROOT_CA_BR_ICP_V1, ROOT_CA_BR_ICP_V2, ROOT_CA_BR_ICP_V5

func (CAStore) VerifyCert

func (store CAStore) VerifyCert(cert_to_verify *Certificate) ([]*Certificate, []CodedError, []CodedWarning)

For now, this function verifies: validity, integrity, proper chain of certification.

Some of the error codes this may return are: ERR_NOT_BEFORE_DATE, ERR_NOT_AFTER_DATE, ERR_BAD_SIGNATURE, ERR_ISSUER_NOT_FOUND, ERR_MAX_DEPTH_REACHED

func (CAStore) WaitDownloads

func (store CAStore) WaitDownloads()

type CRLStatus

type CRLStatus int

func (CRLStatus) String

func (err CRLStatus) String() string

type Certificate

type Certificate struct {
	Serial           string
	Subject          string
	SubjectMap       map[string]string
	Issuer           string
	IssuerMap        map[string]string
	NotBefore        time.Time
	NotAfter         time.Time
	SubjectKeyId     string
	AuthorityKeyId   string
	FingerPrintAlg   string
	FingerPrint      []byte
	FingerPrintHuman string

	// These are calculated based on the CRL made by this cert issuer
	CRL_LastUpdate time.Time
	CRL_NextUpdate time.Time
	CRL_Status     CRLStatus
	CRL_LastCheck  time.Time
	CRL_LastError  CodedError
	// contains filtered or unexported fields
}

func (Certificate) IsCA

func (cert Certificate) IsCA() bool

Returns true if this certificate is a certificate authority. This is checked via the following extensions: key usage and basic constraints extension. (see RFC 5280 Section 4.2.1.3 and Section 4.2.1.9, respectively)

func (Certificate) IsSelfSigned

func (cert Certificate) IsSelfSigned() bool

Returns true if the subject is equal to the issuer.

type CodedError

type CodedError interface {
	error
	Code() ErrorCode
	CodeString() string
}

func Sign

func Sign(object signable, privkey *rsa.PrivateKey) CodedError

func VerifySignaure

func VerifySignaure(object signature_verifiable, pubkey rsa.PublicKey) CodedError

type CodedWarning

type CodedWarning interface {
	CodedError
}

This is the same as CodedError. There are two names just to make the API more obvious to the reader when a function returns an array of errors and an array of warnings.

type ErrorCode

type ErrorCode int

func (ErrorCode) String

func (err ErrorCode) String() string

type MultSignature

type MultSignature struct {
	FilePath        string
	FileName        string
	ContentFilePath string
	ContentFileName string
	ContentAttached []byte
	Signatures      []Signature
	// contains filtered or unexported fields
}

Represents a .p7s file containing one or more signatures and, sometimes, the content being signed.

func (*MultSignature) CheckAll

func (msig *MultSignature) CheckAll(store *CAStore) CodedError

Verify all signatures recursively

func (*MultSignature) SaveToP7SFile

func (msig *MultSignature) SaveToP7SFile() CodedError

Will attempt to save as a detached signature with file name "[content file with extension].sig" Ex: "contract.txt.sig"

type MultiError

type MultiError struct {
	// contains filtered or unexported fields
}

func NewMultiError

func NewMultiError(message string, code ErrorCode, parameters map[string]interface{}, errors ...interface{}) MultiError

func (*MultiError) AppendError

func (merr *MultiError) AppendError(err error) error

func (MultiError) Code

func (merr MultiError) Code() ErrorCode

func (MultiError) CodeString

func (merr MultiError) CodeString() string

func (MultiError) Error

func (merr MultiError) Error() string

func (*MultiError) Finish

func (merr *MultiError) Finish() *MultiError

Sets the line number and function to match where this function is called and prevents further editing. Also returns itself.

func (*MultiError) SetParam

func (merr *MultiError) SetParam(key string, val interface{}) error

type PFX

type PFX struct {
	Cert *Certificate
	// contains filtered or unexported fields
}

Represents a .p12/.pfx file containing a public certificate and a private key which is usually encrypted.

Only password privacy mode and password integrity mode are supported.

func (PFX) HasKey

func (pfx PFX) HasKey() bool

func (PFX) SaveCertToFile

func (pfx PFX) SaveCertToFile(path string) CodedError

Saves the certificate to an unencrypted DER file. The private key is NOT included in the output.

func (PFX) SaveToFile

func (pfx PFX) SaveToFile(path, password string) CodedError

Saves the certificate and the private key to a DER file.

type Signature

type Signature struct {
	Signer      Certificate
	SigningTime time.Time
	// Format: "[ISO 3166-1 numeric]:[Text]" Ex: "076:Brasília-DF"
	SignerLocation string
	// Possible values: proofOfOrigin, proofOfReceipt, proofOfDelivery, proofOfSender, proofOfApproval, proofOfCreation (or the OID for unknown commitment types)
	Commitment   string
	CounterSigns []Signature
	Status       SignatureCheck
	// contains filtered or unexported fields
}

type SignatureCheck

type SignatureCheck struct {
	Integrity       bool
	RootCA          string
	CRL_Status      CRLStatus
	SignerCertError CodedError
	PolicyErrors    []CodedError
}

func (SignatureCheck) IsPolicyCompliant

func (sig SignatureCheck) IsPolicyCompliant() bool

func (SignatureCheck) IsSignerCertValid

func (sig SignatureCheck) IsSignerCertValid() bool

Directories

Path Synopsis
c-wrapper
dependencies
rc2
Package rc2 implements the RC2 cipher https://www.ietf.org/rfc/rfc2268.txt http://people.csail.mit.edu/rivest/pubs/KRRR98.pdf This code is licensed under the MIT license.
