Documentation
Index
- Constants
- func NewCertAndKey(subject map[string]string, issuer Certificate, serial *big.Int, ...) (pfx PFX, cerr CodedError)
- func NewCertificateFromBytes(raw []byte) ([]*Certificate, []CodedError)
- func NewCertificateFromFile(path string) ([]*Certificate, []CodedError)
- func NewPFXFromDER(dat []byte, password string) (PFX, CodedError)
- func NewPFXFromFile(path string, password string) (PFX, CodedError)
- func NewRootCA(not_before, not_after time.Time) (PFX, CodedError)
- func Version() string
- type CAStore
- func (store *CAStore) AddCA(cert *Certificate) []CodedError
- func (store *CAStore) AddCAsFromDir(path string) error
- func (store *CAStore) AddTestingRootCA(cert *Certificate) []CodedError
- func (store *CAStore) DownloadAllCAs() CodedError
- func (store *CAStore) Init()
- func (store CAStore) VerifyCert(cert_to_verify *Certificate) ([]*Certificate, []CodedError, []CodedWarning)
- func (store CAStore) WaitDownloads()
- type CRLStatus
- type Certificate
- type CodedError
- type CodedWarning
- type ErrorCode
- type MultSignature
- type MultiError
- type PFX
- type Signature
- type SignatureCheck
Constants
const (
	ERR_OK = iota
	ERR_BAD_SIGNATURE
	ERR_BASIC_CONSTRAINTS_MAX_PATH_EXCEDED
	ERR_FAILED_ABS_PATH
	ERR_FAILED_HASH
	ERR_FAILED_TO_DECODE
	ERR_FAILED_TO_ENCODE
	ERR_FAILED_TO_OPEN_FILE
	ERR_FAILED_TO_SIGN
	ERR_FAILED_TO_WRITE_FILE
	ERR_FILE_NOT_EXISTS
	ERR_GEN_KEYS
	ERR_HTTP
	ERR_ISSUER_NOT_FOUND
	ERR_LOCKED_MULTI_ERROR
	ERR_MAX_DEPTH_REACHED
	ERR_NETWORK_ERROR
	ERR_NO_CERT_PATH
	ERR_NO_CONTENT
	ERR_NOT_AFTER_DATE
	ERR_NOT_BEFORE_DATE
	ERR_NOT_CA
	ERR_NOT_IMPLEMENTED
	ERR_PARSE_CERT
	ERR_PARSE_CRL
	ERR_PARSE_EXTENSION
	ERR_PARSE_PFX
	ERR_PARSE_RSA_PRIVKEY
	ERR_PARSE_RSA_PUBKEY
	ERR_READ_FILE
	ERR_REVOKED
	ERR_SECURE_RANDOM
	ERR_TEST_CA_IMPROPPER_NAME
	ERR_UNKOWN_ALGORITHM
	ERR_UNKOWN_REVOCATION_STATUS
	ERR_UNSUPORTED_CRITICAL_EXTENSION
	ERR_UNZIP_ERROR
)
const (
	CRL_UNSURE_OR_NOT_FOUND = 0
	// CRL_NOT_REVOKED is also used when the CA offers no means to check revocation status.
	CRL_NOT_REVOKED = 1
	CRL_REVOKED     = 2
)
const ALL_CAs_ZIP_URL = "http://acraiz.icpbrasil.gov.br/credenciadas/CertificadosAC-ICP-Brasil/ACcompactado.zip"
The lack of HTTPS is not a security problem because the root CAs are embedded in libICP and all CAs are checked against them. (see file `data.go`)
const ROOT_CA_BR_ICP_V1 = "" /* 1650-byte string literal not displayed */
PEM encoded root CA: Autoridade Certificadora Raiz Brasileira v1
const ROOT_CA_BR_ICP_V2 = "" /* 2396-byte string literal not displayed */
PEM encoded root CA: Autoridade Certificadora Raiz Brasileira v2
const ROOT_CA_BR_ICP_V5 = "" /* 2396-byte string literal not displayed */
PEM encoded root CA: Autoridade Certificadora Raiz Brasileira v5
const TESTING_ROOT_CA_SUBJECT = "C=BR/O=Fake ICP-Brasil/OU=Apenas para testes - SEM VALOR LEGAL/CN=Autoridade Certificadora Raiz de Testes - SEM VALOR LEGAL"
const VERSION_MAJOR = 0
const VERSION_MINOR = 1
const VERSION_PATCH = 0
Variables
This section is empty.
Functions
func NewCertAndKey
func NewCertAndKey(subject map[string]string, issuer Certificate, serial *big.Int, not_before, not_after time.Time) (pfx PFX, cerr CodedError)
func NewCertificateFromBytes
func NewCertificateFromBytes(raw []byte) ([]*Certificate, []CodedError)
Accepts PEM, DER and a mix of both.
func NewCertificateFromFile
func NewCertificateFromFile(path string) ([]*Certificate, []CodedError)
Accepts PEM, DER and a mix of both.
func NewPFXFromDER
func NewPFXFromDER(dat []byte, password string) (PFX, CodedError)
func NewPFXFromFile
func NewPFXFromFile(path string, password string) (PFX, CodedError)
func NewRootCA
func NewRootCA(not_before, not_after time.Time) (PFX, CodedError)
Generates a new root CA whose subject and issuer are both TESTING_ROOT_CA_SUBJECT.
BUG: The Subject Public Key Info it writes leads to "PKEY_SET_TYPE:unsupported algorithm" and "X509_PUBKEY_get:unsupported algorithm" errors in OpenSSL.
BUG: Lack of proper extensions (key usage and extended key usage) leads the rest of the code to not consider it a CA.
Types
type CAStore
type CAStore struct {
	// If true, it will attempt to download missing CAs and CRLs
	AutoDownload bool
	Debug        bool
	CachePath    string
	// contains filtered or unexported fields
}
func NewCAStore
func (*CAStore) AddCA
func (store *CAStore) AddCA(cert *Certificate) []CodedError
func (*CAStore) AddCAsFromDir
func (store *CAStore) AddCAsFromDir(path string) error
func (*CAStore) AddTestingRootCA
func (store *CAStore) AddTestingRootCA(cert *Certificate) []CodedError
Adds a new root CA for testing purposes. It MUST have TESTING_ROOT_CA_SUBJECT as both subject and issuer.
This should NEVER be used in production!
func (*CAStore) DownloadAllCAs
func (store *CAStore) DownloadAllCAs() CodedError
This function will attempt to download all CAs from ALL_CAs_ZIP_URL. It runs regardless of CAStore.AutoDownload.
func (*CAStore) Init
func (store *CAStore) Init()
This function MUST be called before using this struct. It initializes a few maps and adds the following root CAs: ROOT_CA_BR_ICP_V1, ROOT_CA_BR_ICP_V2 and ROOT_CA_BR_ICP_V5.
func (CAStore) VerifyCert
func (store CAStore) VerifyCert(cert_to_verify *Certificate) ([]*Certificate, []CodedError, []CodedWarning)
For now, this function verifies validity, integrity and a proper certification chain.
Some of the error codes it may return are: ERR_NOT_BEFORE_DATE, ERR_NOT_AFTER_DATE, ERR_BAD_SIGNATURE, ERR_ISSUER_NOT_FOUND and ERR_MAX_DEPTH_REACHED.
func (CAStore) WaitDownloads
func (store CAStore) WaitDownloads()
type Certificate
type Certificate struct {
	Serial           string
	Subject          string
	SubjectMap       map[string]string
	Issuer           string
	IssuerMap        map[string]string
	NotBefore        time.Time
	NotAfter         time.Time
	SubjectKeyId     string
	AuthorityKeyId   string
	FingerPrintAlg   string
	FingerPrint      []byte
	FingerPrintHuman string
	// These are calculated based on the CRL made by this cert issuer
	CRL_LastUpdate time.Time
	CRL_NextUpdate time.Time
	CRL_Status     CRLStatus
	CRL_LastCheck  time.Time
	CRL_LastError  CodedError
	// contains filtered or unexported fields
}
func (Certificate) IsCA
func (cert Certificate) IsCA() bool
Returns true if this certificate is a certificate authority. This is checked via two extensions: key usage and basic constraints (see RFC 5280 Section 4.2.1.3 and Section 4.2.1.9, respectively).
func (Certificate) IsSelfSigned
func (cert Certificate) IsSelfSigned() bool
Returns true if the subject is equal to the issuer.
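The checks that CAStore.VerifyCert performs (validity window, integrity, certification chain) and the extension rule behind Certificate.IsCA, reconstructed as an added example on top of Go's standard crypto/x509 rather than libICP's own API; this is not the project's code. newCert and verifyAgainst are assumed helper names, the trusted root is a constructed test CA, and the returned strings only borrow libICP's error names for the corresponding outcomes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent; a nil parent yields a self-signed
// root carrying the basic constraints and keyCertSign extensions that Certificate.IsCA requires.
func newCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey, nb, na time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // a nil key would make CreateCertificate fail below
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: nb,
		NotAfter: na, Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, pkey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, priv
}

// verifyAgainst stands in for CAStore.VerifyCert with one trusted root: Go's verifier checks
// the validity window, the signature and the chain, and the result is mapped onto libICP's names.
func verifyAgainst(leaf, root *x509.Certificate, now time.Time) string {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	switch e := err.(type) {
	case nil:
		return "ERR_OK"
	case x509.UnknownAuthorityError: // no trusted root signs this chain
		return "ERR_ISSUER_NOT_FOUND"
	case x509.CertificateInvalidError: // Go reports both ends of the window as Expired
		if e.Reason == x509.Expired && now.Before(leaf.NotBefore) {
			return "ERR_NOT_BEFORE_DATE"
		} else if e.Reason == x509.Expired {
			return "ERR_NOT_AFTER_DATE"
		}
	}
	return "other: " + err.Error()
}
```

Go's verifier also refuses a root whose basic constraints or key usage do not permit certificate signing, which is the same condition the NewRootCA bug note above describes.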
type CodedError
func Sign
func Sign(object signable, privkey *rsa.PrivateKey) CodedError
func VerifySignaure
func VerifySignaure(object signature_verifiable, pubkey rsa.PublicKey) CodedError
type CodedWarning
type CodedWarning interface {
	CodedError
}
This is the same as CodedError. There are two names only to make the API more obvious to the reader when a function returns an array of errors and an array of warnings.
type MultSignature
type MultSignature struct {
	FilePath        string
	FileName        string
	ContentFilePath string
	ContentFileName string
	ContentAttached []byte
	Signatures      []Signature
	// contains filtered or unexported fields
}
Represents a .p7s file containing one or more signatures and, sometimes, the content being signed.
func (*MultSignature) CheckAll
func (msig *MultSignature) CheckAll(store *CAStore) CodedError
Verifies all signatures recursively.
func (*MultSignature) SaveToP7SFile
func (msig *MultSignature) SaveToP7SFile() CodedError
Will attempt to save as a detached signature with file name "[content file with extension].sig", e.g. "contract.txt.sig".
type MultiError
type MultiError struct {
	// contains filtered or unexported fields
}
func NewMultiError
func NewMultiError(message string, code ErrorCode, parameters map[string]interface{}, errors ...interface{}) MultiError
func (*MultiError) AppendError
func (merr *MultiError) AppendError(err error) error
func (MultiError) Code
func (merr MultiError) Code() ErrorCode
func (MultiError) CodeString
func (merr MultiError) CodeString() string
func (MultiError) Error
func (merr MultiError) Error() string
func (*MultiError) Finish
func (merr *MultiError) Finish() *MultiError
Sets the line number and function to match where this function is called and prevents further editing. Also returns itself.
func (*MultiError) SetParam
func (merr *MultiError) SetParam(key string, val interface{}) error
type PFX
type PFX struct {
	Cert *Certificate
	// contains filtered or unexported fields
}
Represents a .p12/.pfx file containing a public certificate and a private key which is usually encrypted.
Only password privacy mode and password integrity mode are supported.
func (PFX) SaveCertToFile
func (pfx PFX) SaveCertToFile(path string) CodedError
Saves the certificate to an unencrypted DER file. The private key is NOT included in the output.
func (PFX) SaveToFile
func (pfx PFX) SaveToFile(path, password string) CodedError
Saves the certificate and the private key to a DER file.
type Signature
type Signature struct {
	Signer      Certificate
	SigningTime time.Time
	// Format: "[ISO 3166-1 numeric]:[Text]" Ex: "076:Brasília-DF"
	SignerLocation string
	// Possible values: proofOfOrigin, proofOfReceipt, proofOfDelivery, proofOfSender, proofOfApproval, proofOfCreation (or the OID for unknown commitment types)
	Commitment   string
	CounterSigns []Signature
	Status       SignatureCheck
	// contains filtered or unexported fields
}
type SignatureCheck
type SignatureCheck struct {
	Integrity       bool
	RootCA          string
	CRL_Status      CRLStatus
	SignerCertError CodedError
	PolicyErrors    []CodedError
}
func (SignatureCheck) IsPolicyCompliant
func (sig SignatureCheck) IsPolicyCompliant() bool
func (SignatureCheck) IsSignerCertValid
func (sig SignatureCheck) IsSignerCertValid() bool