diff --git a/upstream/go.mod b/upstream/go.mod
index 34d4c12475..6c8dba76bb 100644
--- a/upstream/go.mod
+++ b/upstream/go.mod
@@ -172,7 +172,7 @@ require (
 github.com/daixiang0/gci v0.13.5 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/denis-tingaikin/go-header v0.5.0 // indirect
- github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+ github.com/digitorus/pkcs7 v0.0.0-20250730155240-ffadbf3f398c // indirect
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 github.com/dimchansky/utfbom v1.1.1 // indirect
 github.com/docker/cli v27.5.0+incompatible // indirect
diff --git a/upstream/go.sum b/upstream/go.sum
index a63031c2ab..ede60a68d3 100644
--- a/upstream/go.sum
+++ b/upstream/go.sum
@@ -428,8 +428,8 @@ github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936/go.mod
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
-github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE=
-github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
+github.com/digitorus/pkcs7 v0.0.0-20250730155240-ffadbf3f398c h1:g349iS+CtAvba7i0Ee9EP1TlTZ9w+UncBY6HSmsFZa0=
+github.com/digitorus/pkcs7 v0.0.0-20250730155240-ffadbf3f398c/go.mod h1:mCGGmWkOQvEuLdIRfPIpXViBfpWto4AhwtJlAvo62SQ=
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1GUYL7P0MlNa00M67axePTq+9nBSGddR8I=
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y=
 github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
diff --git a/upstream/vendor/github.com/digitorus/pkcs7/.gitignore b/upstream/vendor/github.com/digitorus/pkcs7/.gitignore
index daf913b1b3..2910bc0061 100644
--- a/upstream/vendor/github.com/digitorus/pkcs7/.gitignore
+++ b/upstream/vendor/github.com/digitorus/pkcs7/.gitignore
@@ -22,3 +22,6 @@ _testmain.go
 *.exe
 *.test
 *.prof
+
+# Coverage reports
+coverage.out
diff --git a/upstream/vendor/github.com/digitorus/pkcs7/.golangci.yml b/upstream/vendor/github.com/digitorus/pkcs7/.golangci.yml
new file mode 100644
index 0000000000..78f26752df
--- /dev/null
+++ b/upstream/vendor/github.com/digitorus/pkcs7/.golangci.yml
@@ -0,0 +1,66 @@ +version: "2" +linters: + enable: + - copyloopvar + - goconst + - gocyclo + - gosec + - misspell + - nolintlint + - prealloc + - revive + - unconvert + - unparam + settings: + gocyclo: + min-complexity: 90 # Allow very high complexity for crypto functions and test utilities + gosec: + excludes: + - G401 # Allow weak crypto algorithms as this is a crypto library + - G501 # Allow import of blacklisted crypto/md5 + - G505 # Allow import of blacklisted crypto/sha1 + - G502 # Allow import of blacklisted crypto/des + - G405 # Allow use of weak cryptographic primitive + - G306 # Allow WriteFile permissions for test files + - G204 # Allow subprocess launches in tests (OpenSSL integration) + - G115 # Allow integer overflow conversion + revive: + rules: + - name: exported + disabled: true # Disable exported rule for crypto library + staticcheck: + checks: + - all + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + rules: + # Allow specific deprecated crypto algorithms that are needed for PKCS#7 compatibility + - linters: + - staticcheck + text: SA1019.*crypto/dsa.*has been deprecated + - linters: + - staticcheck + text: SA1019.*crypto/sha1.*is deprecated + - linters: + - staticcheck + text: SA1019.*crypto/md5.*is deprecated + paths: + - third_party$ + - builtin$ + - examples$ +formatters: + enable: + - gofmt + - gofumpt + - goimports + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ diff --git a/upstream/vendor/github.com/digitorus/pkcs7/Makefile b/upstream/vendor/github.com/digitorus/pkcs7/Makefile index 07c78e14c0..f8959faf0f 100644 --- a/upstream/vendor/github.com/digitorus/pkcs7/Makefile +++ b/upstream/vendor/github.com/digitorus/pkcs7/Makefile 
@@ -1,7 +1,10 @@ -all: vet staticcheck test +all: vet test test: - GODEBUG=x509sha1=1 go test -covermode=count -coverprofile=coverage.out . + go test -covermode=count -coverprofile=coverage.out . + +test-legacy: + GODEBUG=x509sha1=1 go test -tags=legacy -covermode=count -coverprofile=coverage.out . showcoverage: test go tool cover -html=coverage.out @@ -9,12 +12,8 @@ showcoverage: test vet: go vet . -lint: - golint . - -staticcheck: - staticcheck . +golangci-lint: + golangci-lint run gettools: - go get -u honnef.co/go/tools/... - go get -u golang.org/x/lint/golint + go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest diff --git a/upstream/vendor/github.com/digitorus/pkcs7/ber.go b/upstream/vendor/github.com/digitorus/pkcs7/ber.go index 31963b119f..3fd5a1b8cd 100644 --- a/upstream/vendor/github.com/digitorus/pkcs7/ber.go +++ b/upstream/vendor/github.com/digitorus/pkcs7/ber.go @@ -15,7 +15,7 @@ type asn1Structured struct { } func (s asn1Structured) EncodeTo(out *bytes.Buffer) error { - //fmt.Printf("%s--> tag: % X\n", strings.Repeat("| ", encodeIndent), s.tagBytes) + // fmt.Printf("%s--> tag: % X\n", strings.Repeat("| ", encodeIndent), s.tagBytes) inner := new(bytes.Buffer) for _, obj := range s.content { err := obj.EncodeTo(inner) @@ -24,7 +24,7 @@ func (s asn1Structured) EncodeTo(out *bytes.Buffer) error { } } out.Write(s.tagBytes) - encodeLength(out, inner.Len()) + _ = encodeLength(out, inner.Len()) out.Write(inner.Bytes()) return nil } 
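Review bot: `_ = encodeLength(out, inner.Len())` in asn1Structured.EncodeTo discards an error that the method's own signature can return, while asn1Primitive.EncodeTo in the following hunk checks the same call with `if err = encodeLength(out, p.length); err != nil { return err }`; the explicit blank assignment silences the linter without removing the inconsistency. The same pattern appears with `_ = obj.EncodeTo(out)` in ber2der, which also returns error. Propagating the result is a one-line change: `if err := encodeLength(out, inner.Len()); err != nil { return err }`. This is a vendored copy, so the change belongs upstream in digitorus/pkcs7; EncodeTo's body starts outside this hunk.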
@@ -43,8 +43,8 @@ func (p asn1Primitive) EncodeTo(out *bytes.Buffer) error { if err = encodeLength(out, p.length); err != nil { return err } - //fmt.Printf("%s--> tag: % X length: %d\n", strings.Repeat("| ", encodeIndent), p.tagBytes, p.length) - //fmt.Printf("%s--> content length: %d\n", strings.Repeat("| ", encodeIndent), len(p.content)) + // fmt.Printf("%s--> tag: % X length: %d\n", strings.Repeat("| ", encodeIndent), p.tagBytes, p.length) + // fmt.Printf("%s--> content length: %d\n", strings.Repeat("| ", encodeIndent), len(p.content)) out.Write(p.content) return nil @@ -54,14 +54,14 @@ func ber2der(ber []byte) ([]byte, error) { if len(ber) == 0 { return nil, errors.New("ber2der: input ber is empty") } - //fmt.Printf("--> ber2der: Transcoding %d bytes\n", len(ber)) + // fmt.Printf("--> ber2der: Transcoding %d bytes\n", len(ber)) out := new(bytes.Buffer) obj, _, err := readObject(ber, 0) if err != nil { return nil, err } - obj.EncodeTo(out) + _ = obj.EncodeTo(out) return out.Bytes(), nil } @@ -98,12 +98,12 @@ func lengthLength(i int) (numBytes int) { // added to 0x80. The length is encoded in big endian encoding follow after // // Examples: -// length | byte 1 | bytes n -// 0 | 0x00 | - -// 120 | 0x78 | - -// 200 | 0x81 | 0xC8 -// 500 | 0x82 | 0x01 0xF4 // +// length | byte 1 | bytes n +// 0 | 0x00 | - +// 120 | 0x78 | - +// 200 | 0x81 | 0xC8 +// 500 | 0x82 | 0x01 0xF4 func encodeLength(out *bytes.Buffer, length int) (err error) { if length >= 128 { l := lengthLength(length) @@ -146,7 +146,7 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) { } } // jvehent 20170227: this doesn't appear to be used anywhere... - //tag = tag*128 + ber[offset] - 0x80 + // tag = tag*128 + ber[offset] - 0x80 offset++ if offset >= berLen { return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached") 
@@ -179,17 +179,17 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) { if numberOfBytes == 4 && (int)(ber[offset]) > 0x7F { return nil, 0, errors.New("ber2der: BER tag length is negative") } - if offset + numberOfBytes > berLen { + if offset+numberOfBytes > berLen { // == condition is not checked here, this allows for a more descreptive error when the parsed length is // compared with the remaining available bytes (`contentEnd > berLen`) return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached") } - if (int)(ber[offset]) == 0x0 && (numberOfBytes == 1 || ber[offset+1] <= 0x7F) { + if (int)(ber[offset]) == 0x0 && (numberOfBytes == 1 || ber[offset+1] <= 0x7F) { // `numberOfBytes == 1` is an important conditional to avoid a potential out of bounds panic with `ber[offset+1]` return nil, 0, errors.New("ber2der: BER tag length has leading zero") } debugprint("--> (compute length) indicator byte: %x\n", l) - //debugprint("--> (compute length) length bytes: %x\n", ber[offset:offset+numberOfBytes]) + // debugprint("--> (compute length) length bytes: %x\n", ber[offset:offset+numberOfBytes]) for i := 0; i < numberOfBytes; i++ { length = length*256 + (int)(ber[offset]) offset++ 
@@ -202,14 +202,14 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) { if length < 0 { return nil, 0, errors.New("ber2der: invalid negative value found in BER tag length") } - //fmt.Printf("--> length : %d\n", length) + // fmt.Printf("--> length : %d\n", length) contentEnd := offset + length if contentEnd > berLen { return nil, 0, errors.New("ber2der: BER tag length is more than available data") } debugprint("--> content start : %d\n", offset) debugprint("--> content end : %d\n", contentEnd) - //debugprint("--> content : %x\n", ber[offset:contentEnd]) + // debugprint("--> content : %x\n", ber[offset:contentEnd]) var obj asn1Object if indefinite && kind == 0 { return nil, 0, errors.New("ber2der: Indefinite form tag must have constructed encoding") @@ -257,7 +257,7 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) { } func isIndefiniteTermination(ber []byte, offset int) (bool, error) { - if len(ber) - offset < 2 { + if len(ber)-offset < 2 { return false, errors.New("ber2der: Invalid BER format") } @@ -265,5 +265,5 @@ func isIndefiniteTermination(ber []byte, offset int) (bool, error) { } func debugprint(format string, a ...interface{}) { - //fmt.Printf(format, a) + // fmt.Printf(format, a) } diff --git a/upstream/vendor/github.com/digitorus/pkcs7/encrypt.go b/upstream/vendor/github.com/digitorus/pkcs7/encrypt.go index 6b2655708c..883fd81aac 100644 --- a/upstream/vendor/github.com/digitorus/pkcs7/encrypt.go +++ b/upstream/vendor/github.com/digitorus/pkcs7/encrypt.go 
@@ -256,7 +256,7 @@ func encryptAESCBC(content []byte, key []byte) ([]byte, *encryptedContentInfo, e // value is EncryptionAlgorithmDESCBC. To use a different algorithm, change the // value before calling Encrypt(). For example: // -// ContentEncryptionAlgorithm = EncryptionAlgorithmAES128GCM +// ContentEncryptionAlgorithm = EncryptionAlgorithmAES128GCM // // TODO(fullsailor): Add support for encrypting content with other algorithms func Encrypt(content []byte, recipients []*x509.Certificate) ([]byte, error) { @@ -292,10 +292,7 @@ func Encrypt(content []byte, recipients []*x509.Certificate) ([]byte, error) { if err != nil { return nil, err } - ias, err := cert2issuerAndSerial(recipient) - if err != nil { - return nil, err - } + ias := cert2issuerAndSerial(recipient) info := recipientInfo{ Version: 0, IssuerAndSerialNumber: ias, diff --git a/upstream/vendor/github.com/digitorus/pkcs7/sign.go b/upstream/vendor/github.com/digitorus/pkcs7/sign.go index 6cfd2ab9c2..e5601f9903 100644 --- a/upstream/vendor/github.com/digitorus/pkcs7/sign.go +++ b/upstream/vendor/github.com/digitorus/pkcs7/sign.go @@ -84,7 +84,9 @@ func marshalAttributes(attrs []attribute) ([]byte, error) { // Remove the leading sequence octets var raw asn1.RawValue - asn1.Unmarshal(encodedAttributes, &raw) + if _, err := asn1.Unmarshal(encodedAttributes, &raw); err != nil { + return nil, err + } return raw.Bytes, nil } 
@@ -359,14 +361,14 @@ func verifyPartialChain(cert *x509.Certificate, parents []*x509.Certificate) err return verifyPartialChain(parents[0], parents[1:]) } -func cert2issuerAndSerial(cert *x509.Certificate) (issuerAndSerial, error) { +func cert2issuerAndSerial(cert *x509.Certificate) issuerAndSerial { var ias issuerAndSerial // The issuer RDNSequence has to match exactly the sequence in the certificate // We cannot use cert.Issuer.ToRDNSequence() here since it mangles the sequence ias.IssuerName = asn1.RawValue{FullBytes: cert.RawIssuer} ias.SerialNumber = cert.SerialNumber - return ias, nil + return ias } // signs the DER encoded form of the attributes with the private key @@ -422,7 +424,7 @@ func marshalCertificates(certs []*x509.Certificate) rawCertificates { // RawContent, we have to encode it into the RawContent. If its missing, // then `asn1.Marshal()` will strip out the certificate wrapper instead. func marshalCertificateBytes(certs []byte) (rawCertificates, error) { - var val = asn1.RawValue{Bytes: certs, Class: 2, Tag: 0, IsCompound: true} + val := asn1.RawValue{Bytes: certs, Class: 2, Tag: 0, IsCompound: true} b, err := asn1.Marshal(val) if err != nil { return rawCertificates{}, err diff --git a/upstream/vendor/github.com/digitorus/pkcs7/verify.go b/upstream/vendor/github.com/digitorus/pkcs7/verify.go index d0e4f0429d..f9a9daf798 100644 --- a/upstream/vendor/github.com/digitorus/pkcs7/verify.go +++ b/upstream/vendor/github.com/digitorus/pkcs7/verify.go @@ -26,12 +26,12 @@ func (p7 *PKCS7) Verify() (err error) { // otherwise. func (p7 *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error) { intermediates := x509.NewCertPool() - for _, cert := range(p7.Certificates) { + for _, cert := range p7.Certificates { intermediates.AddCert(cert) } opts := x509.VerifyOptions{ - Roots: truststore, + Roots: truststore, Intermediates: intermediates, } 
@@ -46,14 +46,14 @@ func (p7 *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error) { // attribute. func (p7 *PKCS7) VerifyWithChainAtTime(truststore *x509.CertPool, currentTime time.Time) (err error) { intermediates := x509.NewCertPool() - for _, cert := range(p7.Certificates) { + for _, cert := range p7.Certificates { intermediates.AddCert(cert) } opts := x509.VerifyOptions{ - Roots: truststore, + Roots: truststore, Intermediates: intermediates, - CurrentTime: currentTime, + CurrentTime: currentTime, } return p7.VerifyWithOpts(opts) @@ -62,7 +62,7 @@ func (p7 *PKCS7) VerifyWithChainAtTime(truststore *x509.CertPool, currentTime ti // VerifyWithOpts checks the signatures of a PKCS7 object. // // It accepts x509.VerifyOptions as a parameter. -// This struct contains a root certificate pool, an intermedate certificate pool, +// This struct contains a root certificate pool, an intermediate certificate pool, // an optional list of EKUs, and an optional time that certificates should be // checked as being valid during. @@ -239,7 +239,9 @@ func (p7 *PKCS7) UnmarshalSignedAttribute(attributeType asn1.ObjectIdentifier, o func parseSignedData(data []byte) (*PKCS7, error) { var sd signedData - asn1.Unmarshal(data, &sd) + if _, err := asn1.Unmarshal(data, &sd); err != nil { + return nil, err + } certs, err := sd.Certificates.Parse() if err != nil { return nil, err @@ -273,7 +275,8 @@ func parseSignedData(data []byte) (*PKCS7, error) { Certificates: certs, CRLs: sd.CRLs, Signers: sd.SignerInfos, - raw: sd}, nil + raw: sd, + }, nil } // MessageDigestMismatchError is returned when the signer data digest does not 
@@ -317,15 +320,7 @@ func getSignatureAlgorithm(digestEncryption, digest pkix.AlgorithmIdentifier) (x } case digestEncryption.Algorithm.Equal(OIDDigestAlgorithmDSA), digestEncryption.Algorithm.Equal(OIDDigestAlgorithmDSASHA1): - switch { - case digest.Algorithm.Equal(OIDDigestAlgorithmSHA1): - return x509.DSAWithSHA1, nil - case digest.Algorithm.Equal(OIDDigestAlgorithmSHA256): - return x509.DSAWithSHA256, nil - default: - return -1, fmt.Errorf("pkcs7: unsupported digest %q for encryption algorithm %q", - digest.Algorithm.String(), digestEncryption.Algorithm.String()) - } + return -1, errors.New("pkcs7: DSA signature verification is not supported") case digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmECDSAP256), digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmECDSAP384), digestEncryption.Algorithm.Equal(OIDEncryptionAlgorithmECDSAP521): diff --git a/upstream/vendor/github.com/digitorus/pkcs7/verify_test_dsa.go b/upstream/vendor/github.com/digitorus/pkcs7/verify_test_dsa.go deleted file mode 100644 index 1eb05bc3ea..0000000000 --- a/upstream/vendor/github.com/digitorus/pkcs7/verify_test_dsa.go +++ /dev/null 
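Review bot: With this version, getSignatureAlgorithm returns `pkcs7: DSA signature verification is not supported` for OIDDigestAlgorithmDSA and OIDDigestAlgorithmDSASHA1, so any PKCS#7 signature produced with a DSA key that this repository previously accepted will now fail at verification time rather than being checked. The vendored test covering that path (verify_test_dsa.go) is deleted in the same change and modules.txt raises the module's declared Go version from 1.13 to 1.19, so the bump is a behavioural change for consumers, not only a dependency refresh. Worth confirming that no code path in this repository depends on DSA-signed input, and recording the change in the commit description, e.g. `Bump digitorus/pkcs7; the new version rejects DSA signatures instead of verifying them`. getSignatureAlgorithm's body starts and ends outside this hunk.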
@@ -1,182 +0,0 @@ -// +build go1.11 go1.12 go1.13 go1.14 go1.15 - -package pkcs7 - -import ( - "crypto/x509" - "encoding/pem" - "fmt" - "io/ioutil" - "os" - "os/exec" - "testing" -) - -func TestVerifyEC2(t *testing.T) { - fixture := UnmarshalDSATestFixture(EC2IdentityDocumentFixture) - p7, err := Parse(fixture.Input) - if err != nil { - t.Errorf("Parse encountered unexpected error: %v", err) - } - p7.Certificates = []*x509.Certificate{fixture.Certificate} - if err := p7.Verify(); err != nil { - t.Errorf("Verify failed with error: %v", err) - } -} - -var EC2IdentityDocumentFixture = ` ------BEGIN PKCS7----- -MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCA -JIAEggGmewogICJwcml2YXRlSXAiIDogIjE3Mi4zMC4wLjI1MiIsCiAgImRldnBh -eVByb2R1Y3RDb2RlcyIgOiBudWxsLAogICJhdmFpbGFiaWxpdHlab25lIiA6ICJ1 -cy1lYXN0LTFhIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3Rh -bmNlSWQiIDogImktZjc5ZmU1NmMiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVs -bCwKICAiaW5zdGFuY2VUeXBlIiA6ICJ0Mi5taWNybyIsCiAgImFjY291bnRJZCIg -OiAiMTIxNjU5MDE0MzM0IiwKICAiaW1hZ2VJZCIgOiAiYW1pLWZjZTNjNjk2IiwK -ICAicGVuZGluZ1RpbWUiIDogIjIwMTYtMDQtMDhUMDM6MDE6MzhaIiwKICAiYXJj -aGl0ZWN0dXJlIiA6ICJ4ODZfNjQiLAogICJrZXJuZWxJZCIgOiBudWxsLAogICJy -YW1kaXNrSWQiIDogbnVsbCwKICAicmVnaW9uIiA6ICJ1cy1lYXN0LTEiCn0AAAAA -AAAxggEYMIIBFAIBATBpMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5n -dG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2Vi -IFNlcnZpY2VzIExMQwIJAJa6SNnlXhpnMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0B -CQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjA0MDgwMzAxNDRaMCMG -CSqGSIb3DQEJBDEWBBTuUc28eBXmImAautC+wOjqcFCBVjAJBgcqhkjOOAQDBC8w -LQIVAKA54NxGHWWCz5InboDmY/GHs33nAhQ6O/ZI86NwjA9Vz3RNMUJrUPU5tAAA -AAAAAA== ------END PKCS7----- ------BEGIN CERTIFICATE----- -MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw -FwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD -VQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z -ODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u 
-IFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl -cnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e -ih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3 -VyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P -hviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j -k+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U -hhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF -lRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf -MNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW -MXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw -vSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw -7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K ------END CERTIFICATE-----` - -func TestDSASignWithOpenSSLAndVerify(t *testing.T) { - content := []byte(` -A ship in port is safe, -but that's not what ships are built for. --- Grace Hopper`) - // write the content to a temp file - tmpContentFile, err := ioutil.TempFile("", "TestDSASignWithOpenSSLAndVerify_content") - if err != nil { - t.Fatal(err) - } - ioutil.WriteFile(tmpContentFile.Name(), content, 0755) - - // write the signer cert to a temp file - tmpSignerCertFile, err := ioutil.TempFile("", "TestDSASignWithOpenSSLAndVerify_signer") - if err != nil { - t.Fatal(err) - } - ioutil.WriteFile(tmpSignerCertFile.Name(), dsaPublicCert, 0755) - - // write the signer key to a temp file - tmpSignerKeyFile, err := ioutil.TempFile("", "TestDSASignWithOpenSSLAndVerify_key") - if err != nil { - t.Fatal(err) - } - ioutil.WriteFile(tmpSignerKeyFile.Name(), dsaPrivateKey, 0755) - - tmpSignedFile, err := ioutil.TempFile("", "TestDSASignWithOpenSSLAndVerify_signature") - if err != nil { - t.Fatal(err) - } - // call openssl to sign the content - opensslCMD := exec.Command("openssl", "smime", "-sign", "-nodetach", "-md", "sha1", - "-in", tmpContentFile.Name(), "-out", tmpSignedFile.Name(), - "-signer", 
tmpSignerCertFile.Name(), "-inkey", tmpSignerKeyFile.Name(), - "-certfile", tmpSignerCertFile.Name(), "-outform", "PEM") - out, err := opensslCMD.CombinedOutput() - if err != nil { - t.Fatalf("openssl command failed with %s: %s", err, out) - } - - // verify the signed content - pemSignature, err := ioutil.ReadFile(tmpSignedFile.Name()) - if err != nil { - t.Fatal(err) - } - fmt.Printf("%s\n", pemSignature) - derBlock, _ := pem.Decode(pemSignature) - if derBlock == nil { - t.Fatalf("failed to read DER block from signature PEM %s", tmpSignedFile.Name()) - } - p7, err := Parse(derBlock.Bytes) - if err != nil { - t.Fatalf("Parse encountered unexpected error: %v", err) - } - if err := p7.Verify(); err != nil { - t.Fatalf("Verify failed with error: %v", err) - } - os.Remove(tmpSignerCertFile.Name()) // clean up - os.Remove(tmpSignerKeyFile.Name()) // clean up - os.Remove(tmpContentFile.Name()) // clean up -} - -var dsaPrivateKey = []byte(`-----BEGIN PRIVATE KEY----- -MIIBSwIBADCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdS -PO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVCl -pJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith -1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+GghdabPd7L -vKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3 -zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImo -g9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoEFgIUfW4aPdQBn9gJZp2KuNpzgHzvfsE= ------END PRIVATE KEY-----`) - -var dsaPublicCert = []byte(`-----BEGIN CERTIFICATE----- -MIIDOjCCAvWgAwIBAgIEPCY/UDANBglghkgBZQMEAwIFADBsMRAwDgYDVQQGEwdV -bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYD -VQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3du -MB4XDTE4MTAyMjEzNDMwN1oXDTQ2MDMwOTEzNDMwN1owbDEQMA4GA1UEBhMHVW5r -bm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UE -ChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93bjCC -AbgwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADD 
-Hj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gE -exAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/Ii -Axmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4 -V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozI -puE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4Vrl -nwaSi2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDCriMPbEVBoRK4SOUeFwg7+VRf4TTp -rcOQC9IVVoCjXzuWEGrp3ZI7YWJSpFnSch4lk29RH8O0HpI/NOzKnOBtnKr782pt -1k/bJVMH9EaLd6MKnAVjrCDMYBB0MhebZ8QHY2elZZCWoqDYAcIDOsEx+m4NLErT -ypPnjS5M0jm1PKMhMB8wHQYDVR0OBBYEFC0Yt5XdM0Kc95IX8NQ8XRssGPx7MA0G -CWCGSAFlAwQDAgUAAzAAMC0CFQCIgQtrZZ9hdZG1ROhR5hc8nYEmbgIUAIlgC688 -qzy/7yePTlhlpj+ahMM= ------END CERTIFICATE-----`) - -type DSATestFixture struct { - Input []byte - Certificate *x509.Certificate -} - -func UnmarshalDSATestFixture(testPEMBlock string) DSATestFixture { - var result DSATestFixture - var derBlock *pem.Block - var pemBlock = []byte(testPEMBlock) - for { - derBlock, pemBlock = pem.Decode(pemBlock) - if derBlock == nil { - break - } - switch derBlock.Type { - case "PKCS7": - result.Input = derBlock.Bytes - case "CERTIFICATE": - result.Certificate, _ = x509.ParseCertificate(derBlock.Bytes) - } - } - - return result -} diff --git a/upstream/vendor/modules.txt b/upstream/vendor/modules.txt index 6bfc67ee18..8346579f10 100644 --- a/upstream/vendor/modules.txt +++ b/upstream/vendor/modules.txt @@ -669,8 +669,8 @@ github.com/davecgh/go-spew/spew # github.com/denis-tingaikin/go-header v0.5.0 ## explicit; go 1.21 github.com/denis-tingaikin/go-header -# github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 -## explicit; go 1.13 +# github.com/digitorus/pkcs7 v0.0.0-20250730155240-ffadbf3f398c +## explicit; go 1.19 github.com/digitorus/pkcs7 # github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 ## explicit; go 1.16