From 0205d1ae478433b2aad4d2ed5d030a9edd17bf9d Mon Sep 17 00:00:00 2001 From: Sun Yimin Date: Wed, 20 Nov 2024 08:22:43 +0800 Subject: [PATCH] pkcs7: improve compatibility with CFCA #270 --- pkcs7/decrypt.go | 24 +++++- pkcs7/envelope.go | 126 +++++++++++++++++++--------- pkcs7/envelope_test.go | 179 +++++++++++++++++++++++++++++++++++++++- pkcs7/pkcs7.go | 2 +- pkcs7/pkcs7_test.go | 4 +- pkcs7/sign_enveloped.go | 6 +- pkcs7/sign_test.go | 10 +-- 7 files changed, 295 insertions(+), 56 deletions(-) diff --git a/pkcs7/decrypt.go b/pkcs7/decrypt.go index 032fb971..43df7845 100644 --- a/pkcs7/decrypt.go +++ b/pkcs7/decrypt.go @@ -15,10 +15,17 @@ import ( // IssuerAndSerial is a structure that holds the issuer name and serial number type IssuerAndSerial struct { - RawIssuer []byte + RawIssuer []byte SerialNumber *big.Int } +// RecipientInfo is a structure that holds the recipient information +// supports IssuerAndSerial and SubjectKeyIdentifier. +type RecipientInfo struct { + IssuerAndSerial + SubjectKeyIdentifier []byte +} + func newIssuerAndSerial(issuerAndSerial issuerAndSerial) IssuerAndSerial { is := IssuerAndSerial{} if len(issuerAndSerial.IssuerName.FullBytes) > 0 { @@ -31,6 +38,17 @@ func newIssuerAndSerial(issuerAndSerial issuerAndSerial) IssuerAndSerial { return is } +func newRecipientInfo(recipientInfo recipientInfo) RecipientInfo { + ri := RecipientInfo{ + IssuerAndSerial: newIssuerAndSerial(recipientInfo.IssuerAndSerialNumber), + } + if len(recipientInfo.SubjectKeyIdentifier.Bytes) > 0 { + ri.SubjectKeyIdentifier = append(ri.SubjectKeyIdentifier, recipientInfo.SubjectKeyIdentifier.Bytes...) + } + + return ri +} + // ErrUnsupportedAlgorithm tells you when our quick dev assumptions have failed var ErrUnsupportedAlgorithm = errors.New("pkcs7: cannot decrypt data: only RSA, SM2, DES, DES-EDE3, AES and SM4 supported") @@ -42,12 +60,12 @@ var ErrNotEnvelopedData = errors.New("pkcs7: content data is NOT an enveloped da type decryptable interface { GetRecipient(cert *smx509.Certificate) *recipientInfo - GetRecipients() ([]IssuerAndSerial, error) + GetRecipients() ([]RecipientInfo, error) GetEncryptedContentInfo() *encryptedContentInfo } // GetRecipients returns the list of recipients for the enveloped data -func (p7 *PKCS7) GetRecipients() ([]IssuerAndSerial, error) { +func (p7 *PKCS7) GetRecipients() ([]RecipientInfo, error) { decryptableData, ok := p7.raw.(decryptable) if !ok { return nil, ErrNotEnvelopedData diff --git a/pkcs7/envelope.go b/pkcs7/envelope.go index 2ad1719b..33dcf64b 100644 --- a/pkcs7/envelope.go +++ b/pkcs7/envelope.go @@ -1,9 +1,11 @@ package pkcs7 import ( + "bytes" "crypto/ecdsa" "crypto/rand" "crypto/rsa" + "crypto/sha1" "crypto/x509/pkix" "encoding/asn1" "errors" @@ -11,6 +13,8 @@ import ( "github.com/emmansun/gmsm/pkcs" "github.com/emmansun/gmsm/sm2" "github.com/emmansun/gmsm/smx509" + "golang.org/x/crypto/cryptobyte" + cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" ) type EnvelopedData struct { @@ -28,7 +32,8 @@ type envelopedData struct { type recipientInfo struct { Version int - IssuerAndSerialNumber issuerAndSerial + IssuerAndSerialNumber issuerAndSerial `asn1:"optional"` + SubjectKeyIdentifier asn1.RawValue `asn1:"tag:0,optional"` KeyEncryptionAlgorithm pkix.AlgorithmIdentifier EncryptedKey []byte } @@ -43,16 +48,39 @@ func (data envelopedData) GetRecipient(cert *smx509.Certificate) *recipientInfo for _, recp := range data.RecipientInfos { if isCertMatchForIssuerAndSerial(cert, recp.IssuerAndSerialNumber) { return &recp + } else if len(recp.SubjectKeyIdentifier.Bytes) > 0 { + // This is for the case when the recipient is identified by the SubjectKeyId instead of the IssuerAndSerial + subjectKeyID := cert.SubjectKeyId + // SubjectKeyId is optional, so we need to check if it's set before comparing + if len(subjectKeyID) == 0 { + var ( + inner cryptobyte.String + pub asn1.BitString + ) + input := cryptobyte.String(cert.RawSubjectPublicKeyInfo) + if input.ReadASN1(&inner, cryptobyte_asn1.SEQUENCE) && + input.Empty() && + inner.SkipASN1(cryptobyte_asn1.SEQUENCE) && + inner.ReadASN1BitString(&pub) && + inner.Empty() { + h := sha1.Sum(pub.RightAlign()) + subjectKeyID = h[:] + } + } + + if len(subjectKeyID) > 0 && bytes.Equal(subjectKeyID, recp.SubjectKeyIdentifier.Bytes) { + return &recp + } } } return nil } // GetRecipients returns the list of recipients (READONLY) for the enveloped data -func (data envelopedData) GetRecipients() ([]IssuerAndSerial, error) { - var recipients []IssuerAndSerial +func (data envelopedData) GetRecipients() ([]RecipientInfo, error) { + var recipients []RecipientInfo for _, recp := range data.RecipientInfos { - recipients = append(recipients, newIssuerAndSerial(recp.IssuerAndSerialNumber)) + recipients = append(recipients, newRecipientInfo(recp)) } return recipients, nil } @@ -92,7 +120,7 @@ func Encrypt(cipher pkcs.Cipher, content []byte, recipients []*smx509.Certificat // // The algorithm used to perform encryption is determined by the argument cipher func EncryptSM(cipher pkcs.Cipher, content []byte, recipients []*smx509.Certificate) ([]byte, error) { - return encryptSM(cipher, content, recipients, false) + return encryptSM(cipher, content, recipients, 1, false) } // EncryptCFCA creates and returns an envelope data PKCS7 structure with encrypted @@ -101,16 +129,25 @@ func EncryptSM(cipher pkcs.Cipher, content []byte, recipients []*smx509.Certific // // The algorithm used to perform encryption is determined by the argument cipher func EncryptCFCA(cipher pkcs.Cipher, content []byte, recipients []*smx509.Certificate) ([]byte, error) { - return encryptSM(cipher, content, recipients, true) + return encryptSM(cipher, content, recipients, 1, true) +} + +// EnvelopeMessageCFCA creates and returns an envelope data PKCS7 structure with encrypted +// recipient keys for each recipient public key. +// The OIDs use GM/T 0010 - 2012 set and the encrypted key uses ASN.1 format. +// This function uses recipient's SubjectKeyIdentifier to identify the recipient. +// This function is used for CFCA compatibility. +func EnvelopeMessageCFCA(cipher pkcs.Cipher, content []byte, recipients []*smx509.Certificate) ([]byte, error) { + return encryptSM(cipher, content, recipients, 2, false) } -func encryptSM(cipher pkcs.Cipher, content []byte, recipients []*smx509.Certificate, isLegacyCFCA bool) ([]byte, error) { +func encryptSM(cipher pkcs.Cipher, content []byte, recipients []*smx509.Certificate, version int, isLegacyCFCA bool) ([]byte, error) { ed, err := NewSM2EnvelopedData(cipher, content) if err != nil { return nil, err } for _, recipient := range recipients { - if err := ed.AddRecipient(recipient, 1, func(cert *smx509.Certificate, key []byte) ([]byte, error) { + if err := ed.AddRecipient(recipient, version, func(cert *smx509.Certificate, key []byte) ([]byte, error) { return encryptKey(key, cert, isLegacyCFCA) }); err != nil { return nil, err @@ -121,33 +158,16 @@ func encryptSM(cipher pkcs.Cipher, content []byte, recipients []*smx509.Certific // NewEnvelopedData creates a new EnvelopedData structure with the provided cipher and content. func NewEnvelopedData(cipher pkcs.Cipher, content []byte) (*EnvelopedData, error) { - var key []byte - var err error - - // Create key - key = make([]byte, cipher.KeySize()) - if _, err = rand.Read(key); err != nil { - return nil, err - } - - id, ciphertext, err := cipher.Encrypt(rand.Reader, key, content) - if err != nil { - return nil, err - } - ed := &EnvelopedData{} - ed.contentType = OIDEnvelopedData - ed.encryptedContentType = OIDData - ed.key = key - ed.ed = envelopedData{ - Version: 0, - EncryptedContentInfo: newEncryptedContent(ed.encryptedContentType, id, marshalEncryptedContent(ciphertext)), - } - return ed, nil + return newEnvelopedData(cipher, content, OIDEnvelopedData) } // NewSM2EnvelopedData creates a new EnvelopedData structure with the provided cipher and content. // The OIDs use GM/T 0010 - 2012 set. func NewSM2EnvelopedData(cipher pkcs.Cipher, content []byte) (*EnvelopedData, error) { + return newEnvelopedData(cipher, content, SM2OIDEnvelopedData) +} + +func newEnvelopedData(cipher pkcs.Cipher, content []byte, contentType asn1.ObjectIdentifier) (*EnvelopedData, error) { var key []byte var err error @@ -162,23 +182,30 @@ func NewSM2EnvelopedData(cipher pkcs.Cipher, content []byte) (*EnvelopedData, er return nil, err } ed := &EnvelopedData{} - ed.contentType = SM2OIDEnvelopedData - ed.encryptedContentType = SM2OIDData + ed.contentType = contentType + ed.encryptedContentType = OIDData + version := 0 + if SM2OIDEnvelopedData.Equal(contentType) { + ed.encryptedContentType = SM2OIDData + version = 1 + } ed.key = key ed.ed = envelopedData{ - Version: 1, + Version: version, EncryptedContentInfo: newEncryptedContent(ed.encryptedContentType, id, marshalEncryptedContent(ciphertext)), } return ed, nil } // AddRecipient adds a recipient to the EnvelopedData structure. +// version 0: IssuerAndSerialNumber +// version 1: SM2 +// version 2: SubjectKeyIdentifier func (ed *EnvelopedData) AddRecipient(cert *smx509.Certificate, version int, encryptKeyFunc func(cert *smx509.Certificate, key []byte) ([]byte, error)) error { - encrypted, err := encryptKeyFunc(cert, ed.key) - if err != nil { - return err + if version < 0 || version > 2 { + return errors.New("pkcs7: invalid recipient version") } - ias, err := cert2issuerAndSerial(cert) + encrypted, err := encryptKeyFunc(cert, ed.key) if err != nil { return err } @@ -188,20 +215,41 @@ func (ed *EnvelopedData) AddRecipient(cert *smx509.Certificate, version int, enc } info := recipientInfo{ - Version: version, - IssuerAndSerialNumber: ias, + Version: version, KeyEncryptionAlgorithm: pkix.AlgorithmIdentifier{ Algorithm: keyEncryptionAlgorithm, Parameters: asn1.NullRawValue, }, EncryptedKey: encrypted, } + + if version == 2 { + if len(cert.SubjectKeyId) == 0 { + return errors.New("pkcs7: envelope required certificate extension SubjectKeyIdentifier") + } + info.SubjectKeyIdentifier = asn1.RawValue{Tag: 0, Class: asn1.ClassContextSpecific, Bytes: cert.SubjectKeyId} + } else { + ias, err := cert2issuerAndSerial(cert) + if err != nil { + return err + } + info.IssuerAndSerialNumber = ias + } ed.ed.RecipientInfos = append(ed.ed.RecipientInfos, info) + return nil } // Finish creates the final PKCS7 structure. func (ed *EnvelopedData) Finish() ([]byte, error) { + // Check if we need to upgrade the version to 2 + for _, recp := range ed.ed.RecipientInfos { + if recp.Version == 2 { + ed.ed.Version = 2 + break + } + } + innerContent, err := asn1.Marshal(ed.ed) if err != nil { return nil, err diff --git a/pkcs7/envelope_test.go b/pkcs7/envelope_test.go index bfed8605..efa6ea45 100644 --- a/pkcs7/envelope_test.go +++ b/pkcs7/envelope_test.go @@ -3,14 +3,67 @@ package pkcs7 import ( "bytes" "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "encoding/hex" "encoding/pem" + "math/big" "os" "testing" "github.com/emmansun/gmsm/pkcs" + "github.com/emmansun/gmsm/sm2" "github.com/emmansun/gmsm/smx509" ) +func TestRecipientInfo(t *testing.T) { + recipientInfo := recipientInfo{ + Version: 1, + IssuerAndSerialNumber: issuerAndSerial{}, + SubjectKeyIdentifier: asn1.RawValue{}, + KeyEncryptionAlgorithm: pkix.AlgorithmIdentifier{ + Algorithm: OIDEncryptionAlgorithmRSA, + Parameters: asn1.NullRawValue, + }, + EncryptedKey: []byte("encrypted key"), + } + + bytes, err := asn1.Marshal(recipientInfo) + if err != nil { + t.Fatal(err) + } + if hex.EncodeToString(bytes) != "3021020101300d06092a864886f70d0101010500040d656e63727970746564206b6579" { + t.Fatal("failed to marshal recipient info, expected: 3021020101300d06092a864886f70d0101010500040d656e63727970746564206b6579, got:", hex.EncodeToString(bytes)) + } + + recipientInfo.IssuerAndSerialNumber = issuerAndSerial{ + IssuerName: asn1.RawValue{}, + SerialNumber: big.NewInt(123456), + } + bytes, err = asn1.Marshal(recipientInfo) + if err != nil { + t.Fatal(err) + } + if hex.EncodeToString(bytes) != "302a02010130070000020301e240300d06092a864886f70d0101010500040d656e63727970746564206b6579" { + t.Fatal("failed to marshal recipient info, expected: 302a02010130070000020301e240300d06092a864886f70d0101010500040d656e63727970746564206b6579, got:", hex.EncodeToString(bytes)) + } + + recipientInfo.SubjectKeyIdentifier = asn1.RawValue{ + Class: asn1.ClassContextSpecific, + Tag: 0, + IsCompound: false, + Bytes: []byte("subject key identifier"), + } + recipientInfo.IssuerAndSerialNumber.SerialNumber = nil + bytes, err = asn1.Marshal(recipientInfo) + if err != nil { + t.Fatal(err) + } + if hex.EncodeToString(bytes) != "303902010180167375626a656374206b6579206964656e746966696572300d06092a864886f70d0101010500040d656e63727970746564206b6579" { + t.Fatal("failed to marshal recipient info, expected: 303902010180167375626a656374206b6579206964656e746966696572300d06092a864886f70d0101010500040d656e63727970746564206b6579, got:", hex.EncodeToString(bytes)) + } +} + func TestEncrypt(t *testing.T) { ciphers := []pkcs.Cipher{ pkcs.DESCBC, @@ -33,7 +86,7 @@ func TestEncrypt(t *testing.T) { for _, cipher := range ciphers { for _, sigalg := range sigalgs { plaintext := []byte("Hello Secret World!") - cert, err := createTestCertificate(sigalg) + cert, err := createTestCertificate(sigalg, false) if err != nil { t.Fatal(err) } @@ -67,7 +120,7 @@ func TestEncryptSM(t *testing.T) { for _, cipher := range ciphers { for _, sigalg := range sigalgs { plaintext := []byte("Hello Secret World!") - cert, err := createTestCertificate(sigalg) + cert, err := createTestCertificate(sigalg, false) if err != nil { t.Fatal(err) } @@ -103,7 +156,7 @@ func TestEncryptCFCA(t *testing.T) { for _, cipher := range ciphers { for _, sigalg := range sigalgs { plaintext := []byte("Hello Secret World!") - cert, err := createTestCertificate(sigalg) + cert, err := createTestCertificate(sigalg, false) if err != nil { t.Fatal(err) } @@ -126,3 +179,123 @@ func TestEncryptCFCA(t *testing.T) { } } } + +func TestOpenEnvelopedMessageWithSubjectKeyID(t *testing.T) { + cases := []struct { + cert, pk, envelopedMsg string + }{ + { // case with recipient_policy_requiredSubjectKeyId + cert: ` +-----BEGIN CERTIFICATE----- +MIIBuDCCAV+gAwIBAgIFAJFSEacwCgYIKoEcz1UBg3UwKTEQMA4GA1UEChMHQWNt +ZSBDbzEVMBMGA1UEAxMMRWRkYXJkIFN0YXJrMB4XDTI0MTExODA3MzE0NVoXDTI1 +MTExODA3MzE0NlowJTEQMA4GA1UEChMHQWNtZSBDbzERMA8GA1UEAxMISm9uIFNu +b3cwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAASghjdohTwJilIskjwM8cCujIxc +aZ4t1PdRE3TSihbfnifJF+q55qR88pC+SJwl6U2Wpr5sz4TOmmrPp6437oazo3gw +djAOBgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDwYDVR0TAQH/ +BAUwAwEB/zAdBgNVHQ4EFgQU0M8ZE1AABLJjOnDM8sjQ/Z8dsPYwHwYDVR0jBBgw +FoAUZOzkEm2S511/1i/JnKEe7DrX1U0wCgYIKoEcz1UBg3UDRwAwRAIgGvXkxK+X +Hv1BCzwKwmR598C8TL3ocRWawh3AroRj9eACIAW6aRyqEsv44if5qO9vlfgreODv +heM60r948JI2OvMW +-----END CERTIFICATE----- + `, + pk: "f043481ce3ba1332cc266ae795f2a41f100e52e47ee560de15d9e014acab35c9", + envelopedMsg: ` +-----BEGIN PKCS7----- +MIH9BgoqgRzPVQYBBAIDoIHuMIHrAgECMYGoMIGlAgECgBTQzxkTUAAEsmM6cMzy +yND9nx2w9jANBgkqgRzPVQGCLQMFAAR7MHkCIBKzH9XkTn+cOb8SGcXPk//8pRFC +n13W+AQiZyb9/R53AiEA5U4c+efh30mWd2sXtE1+MrvUUSg8X4nu+VKRze5Oq3gE +IFi6CF7AXjFgt4t7TVxpn0uLMrz3HljWDKkIqsYNOCzsBBB2NSP32EJPrw+rCzO2 +z408MDsGCiqBHM9VBgEEAgEwGwYHKoEcz1UBaAQQb88RbJjqyynzqbSgUpQMaYAQ +rwVyRbByCMGE5zrbo6EwAg== +-----END PKCS7----- + `, + }, + { // case with recipient_policy_useSubjectKeyIdExt + cert: ` +-----BEGIN CERTIFICATE----- +MIIBiDCCAS6gAwIBAgIENWipfDAKBggqgRzPVQGDdTApMRAwDgYDVQQKEwdBY21l +IENvMRUwEwYDVQQDEwxFZGRhcmQgU3RhcmswHhcNMjQxMTE5MDIyNzE4WhcNMjUx +MTE5MDIyNzE5WjAlMRAwDgYDVQQKEwdBY21lIENvMREwDwYDVQQDEwhKb24gU25v +dzBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABJFW5KAFkKFMMdCnRg7B6ntwSqRR +rmcyelmENz3ZXGDj0TcGCuScOCgtMQOFZTwGeu7TlLd1L6tRrh6rFStuv+2jSDBG +MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDBDAfBgNVHSMEGDAW +gBQVt+9uB19T4yA+R34KmqNXHI4SLTAKBggqgRzPVQGDdQNIADBFAiEA+cvUlTDE +Ydqxaqvj1LNNxGpoYBEfAuQlKoK+xuSTVToCIHg8dnm7FTB79Gx4qGK/nCgGNqK4 +Bz90uNf5gvRXF0mU +-----END CERTIFICATE----- + `, + pk: "8f3d7f612401b9fa80ababb603e8e2ae977cc171c75e97b0b103b9db1d7d190e", + envelopedMsg: ` +-----BEGIN PKCS7----- +MIH8BgoqgRzPVQYBBAIDoIHtMIHqAgECMYGnMIGkAgECgBS2m2LapHwibk3oObGg +5+JRDnDKPDANBgkqgRzPVQGCLQMFAAR6MHgCIFQQZYPJVXnSibUq87DKTMoHcLLM +brCBPz3RF/3Vp9AZAiAkETF7Gbyv3cg7vt48qPoPs4HH4TDRjpgiQk+8oPCmqAQg +ImgG5JOVBU3aoxeSCotYs3cUwAzWZyEi9pxQY2+3znIEEF0zrswN4wdXae/SelQU +RmgwOwYKKoEcz1UGAQQCATAbBgcqgRzPVQFoBBAZJrpOlPlWo4VvWEpHkGfDgBAV +4QgsbZcB/rIV1btrG0yq +-----END PKCS7----- + `, + }, + } + + for _, c := range cases { + msgBytes, _ := pem.Decode([]byte(c.envelopedMsg)) + p7, err := Parse(msgBytes.Bytes) + if err != nil { + t.Fatalf("cannot Parse encrypted result: %s", err) + } + certificate, err := smx509.ParseCertificatePEM([]byte(c.cert)) + if err != nil { + t.Fatalf("cannot Parse certificate: %s", err) + } + sm2pkBytes, _ := hex.DecodeString(c.pk) + sm2pk, err := sm2.NewPrivateKeyFromInt(new(big.Int).SetBytes(sm2pkBytes)) + if err != nil { + t.Fatalf("cannot Parse private key: %s", err) + } + result, err := p7.Decrypt(certificate, sm2pk) + if err != nil { + t.Fatalf("cannot Decrypt encrypted result: %s", err) + } + expected := []byte("Hello World!") + if !bytes.Equal(expected, result) { + t.Errorf("encrypted data does not match plaintext:\n\tExpected: %s\n\tActual: %s", expected, result) + } + } +} + +func TestEnvelopeMessageCFCA(t *testing.T) { + ciphers := []pkcs.Cipher{ + pkcs.SM4, + pkcs.SM4CBC, + } + sigalgs := []x509.SignatureAlgorithm{ + smx509.SM2WithSM3, + } + for _, cipher := range ciphers { + for _, sigalg := range sigalgs { + plaintext := []byte("Hello Secret World!") + cert, err := createTestCertificate(sigalg, true) + if err != nil { + t.Fatal(err) + } + encrypted, err := EnvelopeMessageCFCA(cipher, plaintext, []*smx509.Certificate{cert.Certificate}) + if err != nil { + t.Fatal(err) + } + pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: encrypted}) + p7, err := Parse(encrypted) + if err != nil { + t.Fatalf("cannot Parse encrypted result: %s", err) + } + result, err := p7.Decrypt(cert.Certificate, *cert.PrivateKey) + if err != nil { + t.Fatalf("cannot Decrypt encrypted result: %s", err) + } + if !bytes.Equal(plaintext, result) { + t.Errorf("encrypted data does not match plaintext:\n\tExpected: %s\n\tActual: %s", plaintext, result) + } + } + } +} diff --git a/pkcs7/pkcs7.go b/pkcs7/pkcs7.go index 3e820b90..4594ca10 100644 --- a/pkcs7/pkcs7.go +++ b/pkcs7/pkcs7.go @@ -262,7 +262,7 @@ func (raw rawCertificates) Parse() ([]*smx509.Certificate, error) { } func isCertMatchForIssuerAndSerial(cert *smx509.Certificate, ias issuerAndSerial) bool { - return cert.SerialNumber.Cmp(ias.SerialNumber) == 0 && bytes.Equal(cert.RawIssuer, ias.IssuerName.FullBytes) + return ias.SerialNumber != nil && cert.SerialNumber.Cmp(ias.SerialNumber) == 0 && bytes.Equal(cert.RawIssuer, ias.IssuerName.FullBytes) } // Attribute represents a key value pair attribute. Value must be marshalable byte diff --git a/pkcs7/pkcs7_test.go b/pkcs7/pkcs7_test.go index 3f9f5f14..ec707d67 100644 --- a/pkcs7/pkcs7_test.go +++ b/pkcs7/pkcs7_test.go @@ -86,12 +86,12 @@ type certKeyPair struct { PrivateKey *crypto.PrivateKey } -func createTestCertificate(sigAlg x509.SignatureAlgorithm) (certKeyPair, error) { +func createTestCertificate(sigAlg x509.SignatureAlgorithm, allCA bool) (certKeyPair, error) { signer, err := createTestCertificateByIssuer("Eddard Stark", nil, sigAlg, true) if err != nil { return certKeyPair{}, err } - pair, err := createTestCertificateByIssuer("Jon Snow", signer, sigAlg, false) + pair, err := createTestCertificateByIssuer("Jon Snow", signer, sigAlg, allCA) if err != nil { return certKeyPair{}, err } diff --git a/pkcs7/sign_enveloped.go b/pkcs7/sign_enveloped.go index 9c3787fd..d2bb4f39 100644 --- a/pkcs7/sign_enveloped.go +++ b/pkcs7/sign_enveloped.go @@ -35,10 +35,10 @@ func (data signedEnvelopedData) GetRecipient(cert *smx509.Certificate) *recipien } // GetRecipients returns the list of recipients (READONLY) for the enveloped data -func (data signedEnvelopedData) GetRecipients() ([]IssuerAndSerial, error) { - var recipients []IssuerAndSerial +func (data signedEnvelopedData) GetRecipients() ([]RecipientInfo, error) { + var recipients []RecipientInfo for _, recp := range data.RecipientInfos { - recipients = append(recipients, newIssuerAndSerial(recp.IssuerAndSerialNumber)) + recipients = append(recipients, newRecipientInfo(recp)) } return recipients, nil } diff --git a/pkcs7/sign_test.go b/pkcs7/sign_test.go index 37c47501..4f370794 100644 --- a/pkcs7/sign_test.go +++ b/pkcs7/sign_test.go @@ -112,7 +112,7 @@ func TestSignSM(t *testing.T) { func ExampleSignedData() { // generate a signing cert or load a key pair - cert, err := createTestCertificate(x509.SHA256WithRSA) + cert, err := createTestCertificate(x509.SHA256WithRSA, false) if err != nil { fmt.Printf("Cannot create test certificates: %s", err) } @@ -141,7 +141,7 @@ func ExampleSignedData() { } func TestUnmarshalSignedAttribute(t *testing.T) { - cert, err := createTestCertificate(x509.SHA512WithRSA) + cert, err := createTestCertificate(x509.SHA512WithRSA, false) if err != nil { t.Fatal(err) } @@ -180,7 +180,7 @@ func TestUnmarshalSignedAttribute(t *testing.T) { } func TestSkipCertificates(t *testing.T) { - cert, err := createTestCertificate(x509.SHA512WithRSA) + cert, err := createTestCertificate(x509.SHA512WithRSA, false) if err != nil { t.Fatal(err) } @@ -234,7 +234,7 @@ func TestSkipCertificates(t *testing.T) { } func TestDegenerateCertificate(t *testing.T) { - cert, err := createTestCertificate(x509.SHA1WithRSA) + cert, err := createTestCertificate(x509.SHA1WithRSA, false) if err != nil { t.Fatal(err) } @@ -298,7 +298,7 @@ func TestSignWithoutAttr(t *testing.T) { }, } for _, sigalg := range sigalgs { - cert, err := createTestCertificate(sigalg.sigAlg) + cert, err := createTestCertificate(sigalg.sigAlg, false) if err != nil { t.Fatal(err) }