Support signing Firefox Addons #14
Open
jvehent wants to merge 103 commits into fullsailor:master from mozilla-services:master
Support S/MIME detached signatures, and improve tests
Add more checks around BER processing, fixes #2
This patch adds the ability to both sign and verify signatures that contain a certificate chain. The root of the chain is expected to be provided separately via an x509.CertPool passed to the Verifier. The added FirefoxAddon test case uses a certificate chain to check the addon signature against the Firefox Root CA.
Add support for certificate chains
Adding RSA SHA1-SHA512 support
Minor fixes to implement addon signing in firefox
Added support for encrypting using a pre-shared key
Implement crypto.Signer to support keys where the private part is kept in, for example, a hardware module.
Implement crypto.Signer for pkcs11/hsm support
The private key might not always be available to determine the encryption algorithm, for example when the key is stored in hardware. This change brings the pkcs7 package in line with the Go crypto packages by using the crypto.Signer interface to obtain the public key.
Use public key for getOIDForEncryptionAlgorithm
Support for AES-256-GCM
This patch adds a new method SetDigestAlgorithm to set the digest algorithm used when signing data. It also exports all the OIDs to make them usable outside the package, which artificially inflates the size of this change.
Make the signing digest algorithm configurable
add initial go.mod file
Fix go.mod module address
Fixes error message in Verify()
Replace travis CI with Github Actions.
ignore DSA tests on unsupported golang versions
fix go get and go build
readme: make CI badge a link
Go 1.10 is more strict about ASN.1 annotations. This removes the incorrect “explicit” annotation from encryptedContentInfo.EncryptedContent. I’m also using openssl to generate the fixture now so that we aren’t testing with our own output for `Decrypt()`. Cherry-picked from upstream fullsailor@cddbb99.
…ontent Fix failure to parse enveloped data in Go 1.10
add VerifyWithChainAtTime
The test now validates a chain against a fixed time that is known to be valid for the entire certificate chain. Also fix an error in the same test with date/time parsing.
Fix FirefoxAddon test to not use current time.
from the wild.
Fix indefinite length asn1 parsing
encodeIndent was only there for debugging and not currently used for anything. This was causing some projects downstream to fail testing with -race enabled. + Added `-race` to go test and made ber.go tests run in parallel
Fix race condition with unused code
Remove coverage.out file
This is a massive pull request, and I would understand if you do not want to merge it, but I thought I should share it and leave it up to you.
I am using this package to sign Firefox addons, and had to fix a number of limitations as well as add support for certificate chains for this to happen. I also added support for ECDSA and SHA2 algorithms. The code has been restructured in separate files to help with readability, and tests that use OpenSSL helped me make sure the PKCS7 structures are compatible with other implementations.
Ultimately, I think we'll keep referring to our fork from go.mozilla.org/pkcs7, since this is a sensitive piece of code for us, but would love to maintain upstream compatibility as much as possible.

Note: I couldn't figure out how to address the README changes. I might have to drop that patch.
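The chain verification the commits above describe (root of the chain supplied separately in an x509.CertPool, chain validated at a fixed time rather than at time.Now()), shown with the Go standard library as an added example; this is not code from the PR or from go.mozilla.org/pkcs7. The certificate names, the validity window and the fixed verification instant are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub, parentKey any) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// NewChain builds a constructed fixture (not real Mozilla CA data): a root to hold in
// the verifier's x509.CertPool, and a PKCS#7-carried signing cert valid only in [from, to].
func NewChain(from, to time.Time) (root, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: from.Add(-24 * time.Hour), NotAfter: to.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "addon-signer"},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// VerifyAtTime chains leaf to a trusted root at instant at, as the PR's VerifyWithChainAtTime
// does instead of using time.Now(). Go defaults to ServerAuth key usage, so set CodeSigning.
func VerifyAtTime(leaf *x509.Certificate, roots *x509.CertPool, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}
```

With a leaf whose validity window lies in the past, verification succeeds at a fixed instant inside that window and fails at time.Now(), which is the failure mode the "Fix FirefoxAddon test to not use current time" commit addresses.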