pkcs7

package
v7.2.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 31, 2019 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

PKCS#7 is a specification for signing or encrypting data using ASN.1 structures. It is also known as CMS (cryptographic message syntax) and is discussed in RFC 2315, RFC 3369, RFC 3852, and RFC 5652.

This package implements signature operations needed for creating and validating signature technologies based on PKCS#7 including Java and Microsoft Authenticode

Index

Constants

View Source 
const MimeType = "application/pkcs7-mime"

Variables

View Source 
var (
	OidData                   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
	OidSignedData             = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
	OidAttributeContentType   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
	OidAttributeMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
	OidAttributeSigningTime   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 5}
)

Functions

This section is empty.

Types

type Attribute 

type Attribute struct {
	Type   asn1.ObjectIdentifier
	Values asn1.RawValue
}

type AttributeList 

type AttributeList []Attribute

func (*AttributeList) Add 

func (l *AttributeList) Add(oid asn1.ObjectIdentifier, obj interface{}) error

create or append to an attribute

func (*AttributeList) Bytes 

func (l *AttributeList) Bytes() ([]byte, error)

marshal authenticated attributes for digesting

func (*AttributeList) GetOne 

func (l *AttributeList) GetOne(oid asn1.ObjectIdentifier, dest interface{}) error

unmarshal a single attribute, if it exists

type ContentInfo 

type ContentInfo struct {
	Raw         asn1.RawContent
	ContentType asn1.ObjectIdentifier
}

func NewContentInfo 

func NewContentInfo(contentType asn1.ObjectIdentifier, data interface{}) (ci ContentInfo, err error)

Create a ContentInfo structure for the given bytes or structure. data can be nil for detached signatures.

func (ContentInfo) Bytes 

func (ci ContentInfo) Bytes() ([]byte, error)

Get raw content in DER encoding, or nil if it's not present

func (ContentInfo) Unmarshal 

func (ci ContentInfo) Unmarshal(dest interface{}) (err error)

Unmarshal a structure from a ContentInfo.

type ContentInfoSignedData 

type ContentInfoSignedData struct {
	ContentType asn1.ObjectIdentifier
	Content     SignedData `asn1:"explicit,optional,tag:0"`
}

func Unmarshal 

func Unmarshal(blob []byte) (*ContentInfoSignedData, error)

Parse a signature from bytes

func (*ContentInfoSignedData) Detach 

func (psd *ContentInfoSignedData) Detach() ([]byte, error)

Remove and return inlined content from the document, leaving a detached signature

func (*ContentInfoSignedData) Marshal 

func (psd *ContentInfoSignedData) Marshal() ([]byte, error)

Marshal the signature to bytes

type ErrNoAttribute 

type ErrNoAttribute struct {
	ID asn1.ObjectIdentifier
}

func (ErrNoAttribute) Error 

func (e ErrNoAttribute) Error() string

type IssuerAndSerial 

type IssuerAndSerial struct {
	IssuerName   asn1.RawValue
	SerialNumber *big.Int
}

type RawCertificates 

type RawCertificates struct {
	Raw asn1.RawContent
}

func (RawCertificates) Parse 

func (raw RawCertificates) Parse() ([]*x509.Certificate, error)

parse raw certificates from structure

type Signature 

type Signature struct {
	SignerInfo    *SignerInfo
	Certificate   *x509.Certificate
	Intermediates []*x509.Certificate
}

func (Signature) VerifyChain 

func (info Signature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate, usage x509.ExtKeyUsage, currentTime time.Time) error

Verify the X509 chain from a signature against the given roots. extraCerts will be added to the intermediates if provided. usage gives the certificate usage required for the leaf certificate, or ExtKeyUsageAny otherwise. If a PKCS#9 trusted timestamp was found, pass that timestamp in currentTime to validate the chain as of the time of the signature.

type SignatureBuilder 

type SignatureBuilder struct {
	// contains filtered or unexported fields
}

func NewBuilder 

func NewBuilder(privKey crypto.Signer, certs []*x509.Certificate, opts crypto.SignerOpts) *SignatureBuilder

Build a PKCS#7 signature procedurally. Returns a structure that can have content and attributes attached to it.

func (*SignatureBuilder) AddAuthenticatedAttribute 

func (sb *SignatureBuilder) AddAuthenticatedAttribute(oid asn1.ObjectIdentifier, data interface{}) error

Add an authenticated attribute to SignerInfo

func (*SignatureBuilder) SetContent 

func (sb *SignatureBuilder) SetContent(ctype asn1.ObjectIdentifier, data interface{}) error

Embed bytes or a structure into the PKCS#7 content

func (*SignatureBuilder) SetContentData 

func (sb *SignatureBuilder) SetContentData(data []byte) error

Set content to a generic "data" blob

func (*SignatureBuilder) SetContentInfo 

func (sb *SignatureBuilder) SetContentInfo(cinfo ContentInfo) error

Set a ContentInfo structure as the PKCS#7 content

func (*SignatureBuilder) SetDetachedContent 

func (sb *SignatureBuilder) SetDetachedContent(ctype asn1.ObjectIdentifier, digest []byte) error

Set a "detached" content type, with digest

func (*SignatureBuilder) Sign 

func (sb *SignatureBuilder) Sign() (*ContentInfoSignedData, error)

Complete the signature and return the full PKCS#7 structure

type SignedData 

type SignedData struct {
	Version                    int                        `asn1:"default:1"`
	DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"`
	ContentInfo                ContentInfo                ``
	Certificates               RawCertificates            `asn1:"optional,tag:0"`
	CRLs                       []pkix.CertificateList     `asn1:"optional,tag:1"`
	SignerInfos                []SignerInfo               `asn1:"set"`
}

func (*SignedData) Verify 

func (sd *SignedData) Verify(externalContent []byte, skipDigests bool) (Signature, error)

Verify the content in a SignedData structure. External content may be provided if it is a detached signature. Information about the signature is returned, however X509 chains are not validated. Call VerifyChain() to complete the verification process.

If skipDigests is true, then the main content section is not checked, but the SignerInfos are still checked for a valid signature.

type SignerInfo 

type SignerInfo struct {
	Version                   int                      `asn1:"default:1"`
	IssuerAndSerialNumber     IssuerAndSerial          ``
	DigestAlgorithm           pkix.AlgorithmIdentifier ``
	AuthenticatedAttributes   AttributeList            `asn1:"optional,tag:0"`
	DigestEncryptionAlgorithm pkix.AlgorithmIdentifier ``
	EncryptedDigest           []byte                   ``
	UnauthenticatedAttributes AttributeList            `asn1:"optional,tag:1"`
}

func (*SignerInfo) FindCertificate 

func (si *SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)

Find the certificate that signed this SignerInfo from the bucket of certs

func (*SignerInfo) Verify 

func (si *SignerInfo) Verify(content []byte, skipDigests bool, certs []*x509.Certificate) (*x509.Certificate, error)

Verify the signature contained in this SignerInfo and return the leaf certificate. X509 chains are not validated.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.