xmlenc: RSA: expect key passed to Encrypt() to be *x509.Certificate n…

…ot []byte Before this commit, we expected that the `interface{}` value we pass to Encrypt() for RSA should be a []byte, but that was before I knew that the raw certificate bytes are available. Having the raw certificate bytes available makes *x509.Certificate a better choice for `key`.
dherbst · May 23, 2017 · 05bca43 · 05bca43
1 parent d36626c
commit 05bca43
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 12 deletions.
diff --git a/xmlenc/encrypt_test.go b/xmlenc/encrypt_test.go
@@ -6,6 +6,8 @@ import (
 	"math/rand"
 	"strings"
 
+	"crypto/x509"
+
 	"github.com/beevik/etree"
 	"github.com/kr/pretty"
 	. "gopkg.in/check.v1"
@@ -47,9 +49,9 @@ func (test *EncryptTest) SetUpTest(c *C) {
 }
 
 func (test *EncryptTest) TestCanEncryptOAEP(c *C) {
-	var err error
 	pemBlock, _ := pem.Decode([]byte(testCertificate))
-	certificate := []byte(pemBlock.Bytes)
+	certificate, err := x509.ParseCertificate(pemBlock.Bytes)
+	c.Assert(err, IsNil)
 
 	e := OAEP()
 	e.BlockCipher = AES128CBC

diff --git a/xmlenc/pubkey.go b/xmlenc/pubkey.go
@@ -30,23 +30,19 @@ func (e RSA) Algorithm() string {
 // Encrypt implements encrypter. certificate must be a []byte containing the ASN.1 bytes
 // of certificate containing an RSA public key.
 func (e RSA) Encrypt(certificate interface{}, plaintext []byte) (*etree.Element, error) {
-	certBuf, ok := certificate.([]byte)
+	cert, ok := certificate.(*x509.Certificate)
 	if !ok {
-		return nil, ErrIncorrectKeyType("certificate must be a []byte")
+		return nil, ErrIncorrectKeyType("*x.509 certificate")
 	}
 
-	cert, err := x509.ParseCertificate(certBuf)
-	if err != nil {
-		return nil, ErrIncorrectKeyType("certificate must be ASN.1 bytes of an x.509 certificate")
-	}
 	pubKey, ok := cert.PublicKey.(*rsa.PublicKey)
 	if !ok {
-		return nil, ErrIncorrectKeyType("certificate must be ASN.1 bytes of an x.509 certificate with an RSA public key")
+		return nil, ErrIncorrectKeyType("x.509 certificate with an RSA public key")
 	}
 
 	// generate a key
 	key := make([]byte, e.BlockCipher.KeySize())
-	if _, err = RandReader.Read(key); err != nil {
+	if _, err := RandReader.Read(key); err != nil {
 		return nil, err
 	}
 
@@ -56,7 +52,7 @@ func (e RSA) Encrypt(certificate interface{}, plaintext []byte) (*etree.Element,
 	encryptedKey := keyInfoEl.CreateElement("xenc:EncryptedKey")
 	{
 		randBuf := make([]byte, 16)
-		if _, err = RandReader.Read(randBuf); err != nil {
+		if _, err := RandReader.Read(randBuf); err != nil {
 			return nil, err
 		}
 		encryptedKey.CreateAttr("Id", fmt.Sprintf("_%x", randBuf))
@@ -75,7 +71,7 @@ func (e RSA) Encrypt(certificate interface{}, plaintext []byte) (*etree.Element,
 		innerKeyInfoEl := encryptedKey.CreateElement("ds:KeyInfo")
 		x509data := innerKeyInfoEl.CreateElement("ds:X509Data")
 		x509data.CreateElement("ds:X509Certificate").SetText(
-			base64.StdEncoding.EncodeToString(certBuf),
+			base64.StdEncoding.EncodeToString(cert.Raw),
 		)
 	}