This commit updates to images v0.117.0 so that the cross-distro.sh test works again: images removed fedora-39.json on main, but the cross-arch test still uses the previous version of images, which includes fedora-39, so there is a mismatch (we should look into whether there is a way to get github.com/osbuild/images@latest instead of main in the cross-arch test). It also updates all the vendored dependencies pulled in via the new images release (which is enormous). This update requires updating the Go version to 1.22.8.
pkcs7
pkcs7 implements parsing and creating signed and enveloped messages.
package main
import (
"bytes"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"os"
"github.com/smallstep/pkcs7"
)
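// SignAndDetach produces a detached PKCS#7/CMS SignedData over content using
// cert and privkey, writes it to stdout as a PEM block of type "PKCS7", then
// parses it back and verifies it as a self-check.
//
// It returns the DER-encoded detached signature; on any failure the returned
// slice is nil and the error says which step failed.
//
// NOTE(review): p7.Verify is called without a trust store here, so it checks
// the signature against the certificate carried inside the message but does
// not chain that certificate to any trusted root. A real verifier must
// additionally validate the signer certificate against a trusted pool (the
// library's chain-verifying variant, if available); otherwise anyone holding
// any key can produce a message that verifies.
func SignAndDetach(content []byte, cert *x509.Certificate, privkey *rsa.PrivateKey) (signed []byte, err error) {
	toBeSigned, err := pkcs7.NewSignedData(content)
	if err != nil {
		return nil, fmt.Errorf("cannot initialize signed data: %w", err)
	}
	if err = toBeSigned.AddSigner(cert, privkey, pkcs7.SignerInfoConfig{}); err != nil {
		return nil, fmt.Errorf("cannot add signer: %w", err)
	}
	// Detach signature, omit if you want an embedded signature
	toBeSigned.Detach()
	signed, err = toBeSigned.Finish()
	if err != nil {
		return nil, fmt.Errorf("cannot finish signing data: %w", err)
	}
	// Emit the signature as PEM so it can be inspected with openssl; the
	// write error is surfaced instead of being silently dropped.
	if err = pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: signed}); err != nil {
		return nil, fmt.Errorf("cannot write PEM: %w", err)
	}
	// Verify the signature
	p7, err := pkcs7.Parse(signed)
	if err != nil {
		return nil, fmt.Errorf("cannot parse our signed data: %w", err)
	}
	// A detached SignedData carries no eContent, so nothing should come back
	// from Parse. (The original example compared content against itself after
	// reattaching it, a check that could never fail.)
	if len(p7.Content) != 0 {
		return nil, fmt.Errorf("detached signature unexpectedly carries %d bytes of content", len(p7.Content))
	}
	// since the signature was detached, reattach the content here
	p7.Content = content
	if err = p7.Verify(); err != nil {
		return nil, fmt.Errorf("cannot verify our signed data: %w", err)
	}
	return signed, nil
}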
Credits
This is a fork of mozilla-services/pkcs7 which, itself, was a fork of fullsailor/pkcs7.