feat(SignedData): Allow verification with signer's public key

Instead of certificate
relaycorp · Aug 5, 2020 · c370850 · c370850
1 parent 8c34c3a
commit c370850
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 19 deletions.
diff --git a/src/main/kotlin/tech/relaycorp/relaynet/crypto/SignedData.kt b/src/main/kotlin/tech/relaycorp/relaynet/crypto/SignedData.kt
@@ -23,6 +23,7 @@ import tech.relaycorp.relaynet.HashingAlgorithm
 import tech.relaycorp.relaynet.wrappers.x509.Certificate
 import java.io.IOException
 import java.security.PrivateKey
+import java.security.PublicKey
 
 /**
  * Relaynet-specific, CMS SignedData representation.
@@ -65,11 +66,12 @@ class SignedData(internal val bcSignedData: CMSSignedData) {
     /**
      * Verify signature.
      *
-     * @param expectedPlaintext The plaintext to be verified, if none is encapsulated
-     * @param signerCertificate The signer's certificate if it isn't encapsulated
+     * @param expectedPlaintext The plaintext to be verified if none is encapsulated
+     * @param signerPublicKey The signer's public key if a corresponding certificate isn't
+     *     encapsulated
      */
     @Throws(SignedDataException::class)
-    fun verify(expectedPlaintext: ByteArray? = null, signerCertificate: Certificate? = null) {
+    fun verify(expectedPlaintext: ByteArray? = null, signerPublicKey: PublicKey? = null) {
         if (plaintext != null && expectedPlaintext != null) {
             throw SignedDataException(
                 "No specific plaintext should be expected because one is already encapsulated"
@@ -79,26 +81,26 @@ class SignedData(internal val bcSignedData: CMSSignedData) {
             ?: expectedPlaintext
             ?: throw SignedDataException("Plaintext should be encapsulated or explicitly set")
 
-        if (this.signerCertificate != null && signerCertificate != null) {
+        if (this.signerCertificate != null && signerPublicKey != null) {
             throw SignedDataException(
                 "No specific signer certificate should be expected because one is already " +
                     "encapsulated"
             )
-        }
-        val finalSignerCert = this.signerCertificate
-            ?: signerCertificate
-            ?: throw SignedDataException(
+        } else if (this.signerCertificate == null && signerPublicKey == null) {
+            throw SignedDataException(
                 "Signer certificate should be encapsulated or explicitly set"
             )
-
+        }
         val signedData = CMSSignedData(
             CMSProcessableByteArray(signedPlaintext),
             bcSignedData.toASN1Structure()
         )
         val signerInfo = getSignerInfo(signedData)
-        val verifier = JcaSimpleSignerInfoVerifierBuilder()
-            .setProvider(BC_PROVIDER)
-            .build(finalSignerCert.certificateHolder)
+        val verifierBuilder = JcaSimpleSignerInfoVerifierBuilder().setProvider(BC_PROVIDER)
+        val verifier = if (this.signerCertificate != null)
+            verifierBuilder.build(this.signerCertificate!!.certificateHolder)
+        else
+            verifierBuilder.build(signerPublicKey)
         try {
             signerInfo.verify(verifier)
         } catch (exc: CMSException) {
@@ -132,9 +134,7 @@ class SignedData(internal val bcSignedData: CMSSignedData) {
                 JcaDigestCalculatorProviderBuilder()
                     .build()
             ).build(contentSigner, signerCertificate.certificateHolder)
-            signedDataGenerator.addSignerInfoGenerator(
-                signerInfoGenerator
-            )
+            signedDataGenerator.addSignerInfoGenerator(signerInfoGenerator)
 
             val certs = JcaCertStore(encapsulatedCertificates.map { it.certificateHolder })
             signedDataGenerator.addCertificates(certs)

diff --git a/src/test/kotlin/tech/relaycorp/relaynet/crypto/SignedDataTest.kt b/src/test/kotlin/tech/relaycorp/relaynet/crypto/SignedDataTest.kt
@@ -502,7 +502,7 @@ class SignedDataTest {
         }
 
         @Test
-        fun `Explicit signer certificate should be refused if one is already encapsulated`() {
+        fun `Explicit signer key should be refused if a certificate is already encapsulated`() {
             val signedData = SignedData.sign(
                 stubPlaintext,
                 stubKeyPair.private,
@@ -511,7 +511,7 @@ class SignedDataTest {
             )
 
             val exception = assertThrows<SignedDataException> {
-                signedData.verify(signerCertificate = stubCertificate)
+                signedData.verify(signerPublicKey = stubKeyPair.public)
             }
 
             assertEquals(
@@ -534,14 +534,14 @@ class SignedDataTest {
         }
 
         @Test
-        fun `Valid signature with explicit signer certificate should be accepted`() {
+        fun `Valid signature with explicit signer key should be accepted`() {
             val cmsSignedData = SignedData.sign(
                 stubPlaintext,
                 stubKeyPair.private,
                 stubCertificate
             )
 
-            cmsSignedData.verify(signerCertificate = stubCertificate)
+            cmsSignedData.verify(signerPublicKey = stubKeyPair.public)
         }
     }