


     1  //
     2  // Copyright (c) SAS Institute Inc.
     3  //
     4  // Licensed under the Apache License, Version 2.0 (the "License");
     5  // you may not use this file except in compliance with the License.
     6  // You may obtain a copy of the License at
     7  //
     8  //     http://www.apache.org/licenses/LICENSE-2.0
     9  //
    10  // Unless required by applicable law or agreed to in writing, software
    11  // distributed under the License is distributed on an "AS IS" BASIS,
    12  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  // See the License for the specific language governing permissions and
    14  // limitations under the License.
    15  //
    16  
    17  package appmanifest
    18  
// Sign Microsoft ClickOnce application manifests and deployment manifests.
// These take the form of an XML file carrying XML DSIG signatures and, unlike
// all other Microsoft signature formats, do not use an Authenticode PKCS#7
// structure. Any timestamp is therefore attached as a countersignature on the
// XML signature rather than as a PKCS#7 unsigned attribute.
    22  
    23  import (
    24  	"fmt"
    25  	"io"
    26  	"io/ioutil"
    27  
    28  	"github.com/sassoftware/relic/lib/appmanifest"
    29  	"github.com/sassoftware/relic/lib/audit"
    30  	"github.com/sassoftware/relic/lib/certloader"
    31  	"github.com/sassoftware/relic/lib/magic"
    32  	"github.com/sassoftware/relic/lib/pkcs9"
    33  	"github.com/sassoftware/relic/signers"
    34  )
    35  
// AppSigner is the signer module for ClickOnce application and deployment
// manifests. It is selected by the appmanifest magic file type and accepts
// X.509 certificates only; signing and verification are delegated to the
// sign and verify functions below, and formatLog renders the audit record.
var AppSigner = &signers.Signer{
	// Module identity and the file type that routes input to this signer.
	Name:  "appmanifest",
	Magic: magic.FileTypeAppManifest,
	// Only X.509 key material is usable for an XML DSIG manifest signature.
	CertTypes: signers.CertTypeX509,
	// Entry points invoked by the signers framework.
	Sign:         sign,
	VerifyStream: verify,
	FormatLog:    formatLog,
}
    44  
// init declares the module-specific command-line flag and registers
// AppSigner with the global signer registry. The flag defaults to true, so
// an RFC 3161 timestamp token is requested unless the operator explicitly
// turns it off (which selects the legacy request format in sign).
func init() {
	flags := AppSigner.Flags()
	flags.Bool("rfc3161-timestamp", true, "(APPMANIFEST) Timestamp with RFC3161 server")
	signers.Register(AppSigner)
}
    49  
// formatLog renders the attributes that sign stores in the audit record as a
// single log line identifying the signed assembly. Attributes that were never
// set are printed as fmt would print a nil value; nothing is omitted.
func formatLog(info *audit.Info) string {
	attrs := info.Attributes
	name := attrs["assembly.name"]
	version := attrs["assembly.version"]
	token := attrs["assembly.publicKeyToken"]
	return fmt.Sprintf("assembly=%s version=%s publicKeyToken=%s", name, version, token)
}
    57  
// sign reads a ClickOnce manifest from r, signs it with cert using the digest
// algorithm opts.Hash, optionally countersigns it with a timestamp, records
// the assembly identity in the audit record and returns the signed XML.
//
// Timestamping happens only when cert carries a Timestamper. When it does,
// any failure to obtain or attach the token aborts the whole operation: an
// untimestamped signature is never returned silently. The "rfc3161-timestamp"
// flag chooses between an RFC 3161 request (the default) and the legacy
// request format.
func sign(r io.Reader, cert *certloader.Certificate, opts signers.SignOpts) ([]byte, error) {
	// The signing library takes the complete document, so the input is
	// buffered in full; manifests are small XML files.
	manifest, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, err
	}
	result, err := appmanifest.Sign(manifest, cert, opts.Hash)
	if err != nil {
		return nil, err
	}
	if ts := cert.Timestamper; ts != nil {
		req := &pkcs9.Request{
			EncryptedDigest: result.EncryptedDigest,
			Hash:            opts.Hash,
			// Legacy request format only when the operator disabled the flag.
			Legacy: !opts.Flags.GetBool("rfc3161-timestamp"),
		}
		token, err := ts.Timestamp(opts.Context(), req)
		if err != nil {
			return nil, err
		}
		if err = result.AddTimestamp(token); err != nil {
			return nil, err
		}
	}
	// Audit metadata: what was signed and, if present, the countersignature.
	opts.Audit.SetMimeType("application/xml")
	opts.Audit.Attributes["assembly.name"] = result.AssemblyName
	opts.Audit.Attributes["assembly.version"] = result.AssemblyVersion
	opts.Audit.Attributes["assembly.publicKeyToken"] = result.PublicKeyToken
	opts.Audit.SetCounterSignature(result.Signature.CounterSignature)
	return result.Signed, nil
}
    89  
// verify reads a ClickOnce manifest from r, checks its XML DSIG signature via
// appmanifest.Verify and reports the result as a single signers.Signature
// carrying the assembly name and version, the digest algorithm used and the
// X.509 signature that was found.
//
// NOTE(review): opts is not consulted here, and what appmanifest.Verify
// validates (signature value, timestamp countersignature, certificate chain)
// is not visible in this file. Trust-anchor and chain checks are presumably
// applied by the caller to the returned X509Signature — confirm before
// relying on this function's success as a trust decision.
func verify(r io.Reader, opts signers.VerifyOpts) ([]*signers.Signature, error) {
	manifest, err := ioutil.ReadAll(r)
	if err != nil {
		return nil, err
	}
	parsed, err := appmanifest.Verify(manifest)
	if err != nil {
		return nil, err
	}
	result := &signers.Signature{
		Package:       fmt.Sprintf("%s %s", parsed.AssemblyName, parsed.AssemblyVersion),
		Hash:          parsed.Hash,
		X509Signature: parsed.Signature,
	}
	return []*signers.Signature{result}, nil
}
   105  
