1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
|
package cose
import (
"errors"
"fmt"
"io"
"github.com/fxamacker/cbor/v2"
)
// Countersignature represents a decoded COSE_Countersignature.
//
// Reference: https://tools.ietf.org/html/rfc9338#section-3.1
//
// # Experimental
//
// Notice: The COSE Countersignature API is EXPERIMENTAL and may be changed or
// removed in a later release.
type Countersignature Signature
// NewCountersignature returns a Countersignature with header initialized.
//
// # Experimental
//
// Notice: The COSE Countersignature API is EXPERIMENTAL and may be changed or
// removed in a later release.
func NewCountersignature() *Countersignature {
return (*Countersignature)(NewSignature())
}
// MarshalCBOR encodes Countersignature into a COSE_Countersignature object.
//
// # Experimental
//
// Notice: The COSE Countersignature API is EXPERIMENTAL and may be changed or
// removed in a later release.
func (s *Countersignature) MarshalCBOR() ([]byte, error) {
if s == nil {
return nil, errors.New("cbor: MarshalCBOR on nil Countersignature pointer")
}
// COSE_Countersignature share the exact same format as COSE_Signature
return (*Signature)(s).MarshalCBOR()
}
// UnmarshalCBOR decodes a COSE_Countersignature object into Countersignature.
//
// # Experimental
//
// Notice: The COSE Countersignature API is EXPERIMENTAL and may be changed or
// removed in a later release.
func (s *Countersignature) UnmarshalCBOR(data []byte) error {
if s == nil {
return errors.New("cbor: UnmarshalCBOR on nil Countersignature pointer")
}
// COSE_Countersignature share the exact same format as COSE_Signature
return (*Signature)(s).UnmarshalCBOR(data)
}
// Sign signs a Countersignature using the provided Signer.
// Signing a COSE_Countersignature requires the parent message to be completely
// fulfilled.
//
// Reference: https://datatracker.ietf.org/doc/html/rfc9338#section-3.3
//
// # Experimental
//
// Notice: The COSE Countersignature API is EXPERIMENTAL and may be changed or
// removed in a later release.
func (s *Countersignature) Sign(rand io.Reader, signer Signer, parent any, external []byte) error {
if s == nil {
return errors.New("signing nil Countersignature")
}
if len(s.Signature) > 0 {
return errors.New("Countersignature already has signature bytes")
}
// check algorithm if present.
// `alg` header MUST present if there is no externally supplied data.
alg := signer.Algorithm()
if err := s.Headers.ensureSigningAlgorithm(alg, external); err != nil {
return err
}
// sign the message
toBeSigned, err := s.toBeSigned(parent, external)
if err != nil {
return err
}
sig, err := signer.Sign(rand, toBeSigned)
if err != nil {
return err
}
s.Signature = sig
return nil
}
// Verify verifies the countersignature, returning nil on success or a suitable error
// if verification fails.
// Verifying a COSE_Countersignature requires the parent message.
//
// Reference: https://datatracker.ietf.org/doc/html/rfc8152#section-4.4
//
// # Experimental
//
// Notice: The COSE Sign API is EXPERIMENTAL and may be changed or removed in a
// later release.
func (s *Countersignature) Verify(verifier Verifier, parent any, external []byte) error {
if s == nil {
return errors.New("verifying nil Countersignature")
}
if len(s.Signature) == 0 {
return ErrEmptySignature
}
// check algorithm if present.
// `alg` header MUST present if there is no externally supplied data.
alg := verifier.Algorithm()
err := s.Headers.ensureVerificationAlgorithm(alg, external)
if err != nil {
return err
}
// verify the message
toBeSigned, err := s.toBeSigned(parent, external)
if err != nil {
return err
}
return verifier.Verify(toBeSigned, s.Signature)
}
// toBeSigned returns ToBeSigned from COSE_Countersignature object.
//
// Reference: https://datatracker.ietf.org/doc/html/rfc9338#section-3.3
func (s *Countersignature) toBeSigned(target any, external []byte) ([]byte, error) {
var signProtected cbor.RawMessage
signProtected, err := s.Headers.MarshalProtected()
if err != nil {
return nil, err
}
return countersignToBeSigned(false, target, signProtected, external)
}
// countersignToBeSigned constructs Countersign_structure, computes and returns ToBeSigned.
//
// Reference: https://datatracker.ietf.org/doc/html/rfc9338#section-3.3
func countersignToBeSigned(abbreviated bool, target any, signProtected cbor.RawMessage, external []byte) ([]byte, error) {
// create a Countersign_structure and populate it with the appropriate fields.
//
// Countersign_structure = [
// context : "CounterSignature" / "CounterSignature0" /
// "CounterSignatureV2" / "CounterSignature0V2" /,
// body_protected : empty_or_serialized_map,
// ? sign_protected : empty_or_serialized_map,
// external_aad : bstr,
// payload : bstr,
// ? other_fields : [+ bstr ]
// ]
var err error
var bodyProtected cbor.RawMessage
var otherFields []cbor.RawMessage
var payload []byte
switch t := target.(type) {
case *SignMessage:
return countersignToBeSigned(abbreviated, *t, signProtected, external)
case SignMessage:
if len(t.Signatures) == 0 {
return nil, errors.New("SignMessage has no signatures yet")
}
bodyProtected, err = t.Headers.MarshalProtected()
if err != nil {
return nil, err
}
if t.Payload == nil {
return nil, ErrMissingPayload
}
payload = t.Payload
case *Sign1Message:
return countersignToBeSigned(abbreviated, *t, signProtected, external)
case Sign1Message:
if len(t.Signature) == 0 {
return nil, errors.New("Sign1Message was not signed yet")
}
bodyProtected, err = t.Headers.MarshalProtected()
if err != nil {
return nil, err
}
if t.Payload == nil {
return nil, ErrMissingPayload
}
payload = t.Payload
signature, err := encMode.Marshal(t.Signature)
if err != nil {
return nil, err
}
signature, err = deterministicBinaryString(signature)
if err != nil {
return nil, err
}
otherFields = []cbor.RawMessage{signature}
case *Signature:
return countersignToBeSigned(abbreviated, *t, signProtected, external)
case Signature:
bodyProtected, err = t.Headers.MarshalProtected()
if err != nil {
return nil, err
}
if len(t.Signature) == 0 {
return nil, errors.New("Signature was not signed yet")
}
payload = t.Signature
case *Countersignature:
return countersignToBeSigned(abbreviated, *t, signProtected, external)
case Countersignature:
bodyProtected, err = t.Headers.MarshalProtected()
if err != nil {
return nil, err
}
if len(t.Signature) == 0 {
return nil, errors.New("Countersignature was not signed yet")
}
payload = t.Signature
default:
return nil, fmt.Errorf("unsupported target %T", target)
}
var context string
if len(otherFields) == 0 {
if abbreviated {
context = "CounterSignature0"
} else {
context = "CounterSignature"
}
} else {
if abbreviated {
context = "CounterSignature0V2"
} else {
context = "CounterSignatureV2"
}
}
bodyProtected, err = deterministicBinaryString(bodyProtected)
if err != nil {
return nil, err
}
signProtected, err = deterministicBinaryString(signProtected)
if err != nil {
return nil, err
}
if external == nil {
external = []byte{}
}
countersigStructure := []any{
context, // context
bodyProtected, // body_protected
signProtected, // sign_protected
external, // external_aad
payload, // payload
}
if len(otherFields) > 0 {
countersigStructure = append(countersigStructure, otherFields)
}
// create the value ToBeSigned by encoding the Countersign_structure to a byte
// string.
return encMode.Marshal(countersigStructure)
}
// Countersign0 performs an abbreviated signature over a parent message using
// the provided Signer.
//
// The parent message must be completely fulfilled prior signing.
//
// Reference: https://datatracker.ietf.org/doc/html/rfc9338#section-3.2
//
// # Experimental
//
// Notice: The COSE Countersignature API is EXPERIMENTAL and may be changed or
// removed in a later release.
func Countersign0(rand io.Reader, signer Signer, parent any, external []byte) ([]byte, error) {
toBeSigned, err := countersignToBeSigned(true, parent, []byte{0x40}, external)
if err != nil {
return nil, err
}
return signer.Sign(rand, toBeSigned)
}
// VerifyCountersign0 verifies an abbreviated signature over a parent message
// using the provided Verifier.
//
// Reference: https://datatracker.ietf.org/doc/html/rfc9338#section-3.2
//
// # Experimental
//
// Notice: The COSE Countersignature API is EXPERIMENTAL and may be changed or
// removed in a later release.
func VerifyCountersign0(verifier Verifier, parent any, external, signature []byte) error {
toBeSigned, err := countersignToBeSigned(true, parent, []byte{0x40}, external)
if err != nil {
return err
}
return verifier.Verify(toBeSigned, signature)
}
|
