protocol

package
v0.0.0-...-4636b0e Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 24, 2019 License: MIT, MIT Imports: 14 Imported by: 0

README

cms/protocol GoDoc

cms/protocol implements low-level parsing of CMS (PKCS#7) data.

This package is based off https://github.com/fullsailor/pkcs7 and contains the license from that repository.

Documentation

Overview

Package protocol implements low level CMS types, parsing and generation.

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrWrongType is returned by methods that make assumptions about types.
	// Helper methods are defined for accessing CHOICE and  ANY feilds. These
	// helper methods get the value of the field, assuming it is of a given type.
	// This error is returned if that assumption is wrong and the field has a
	// different type.
	ErrWrongType = errors.New("cms/protocol: wrong choice or any type")

	// ErrNoCertificate is returned when a requested certificate cannot be found.
	ErrNoCertificate = errors.New("no certificate found")

	// ErrUnsupported is returned when an unsupported type or version
	// is encountered.
	ErrUnsupported = ASN1Error{"unsupported type or version"}

	// ErrTrailingData is returned when extra data is found after parsing an ASN.1
	// structure.
	ErrTrailingData = ASN1Error{"unexpected trailing data"}
)

Functions

func BER2DER

func BER2DER(ber []byte) ([]byte, error)

BER2DER attempts to convert BER encoded data to DER encoding.

func NewIssuerAndSerialNumber

func NewIssuerAndSerialNumber(cert *x509.Certificate) (rv asn1.RawValue, err error)

NewIssuerAndSerialNumber creates a IssuerAndSerialNumber SID for the given cert.

Types

type ASN1Error

type ASN1Error struct {
	Message string
}

ASN1Error is an error from parsing ASN.1 structures.

func (ASN1Error) Error

func (err ASN1Error) Error() string

Error implements the error interface.

type AnySet

type AnySet struct {
	Elements []asn1.RawValue `asn1:"set"`
}

AnySet is a helper for dealing with SET OF ANY types.

func DecodeAnySet

func DecodeAnySet(rv asn1.RawValue) (as AnySet, err error)

DecodeAnySet manually decodes a SET OF ANY type, since Go's parser can't handle them.

func NewAnySet

func NewAnySet(elts ...asn1.RawValue) AnySet

NewAnySet creates a new AnySet.

func (AnySet) Encode

func (as AnySet) Encode(dst *asn1.RawValue) (err error)

Encode manually encodes a SET OF ANY type, since Go's parser can't handle them.

type Attribute

type Attribute struct {
	Type asn1.ObjectIdentifier

	// This should be a SET OF ANY, but Go's asn1 parser can't handle slices of
	// RawValues. Use value() to get an AnySet of the value.
	RawValue asn1.RawValue
}
Attribute ::= SEQUENCE {
  attrType OBJECT IDENTIFIER,
  attrValues SET OF AttributeValue }

AttributeValue ::= ANY

func NewAttribute

func NewAttribute(typ asn1.ObjectIdentifier, val interface{}) (attr Attribute, err error)

NewAttribute creates a single-value Attribute.

func (Attribute) Value

func (a Attribute) Value() (AnySet, error)

Value further decodes the attribute Value as a SET OF ANY, which Go's asn1 parser can't handle directly.

type Attributes

type Attributes []Attribute

Attributes is a common Go type for SignedAttributes and UnsignedAttributes.

SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

func (Attributes) GetOnlyAttributeValueBytes

func (attrs Attributes) GetOnlyAttributeValueBytes(oid asn1.ObjectIdentifier) (rv asn1.RawValue, err error)

GetOnlyAttributeValueBytes gets an attribute value, returning an error if the attribute occurs multiple times or has multiple values.

func (Attributes) GetValues

func (attrs Attributes) GetValues(oid asn1.ObjectIdentifier) ([]AnySet, error)

GetValues retreives the attributes with the given OID. A nil value is returned if the OPTIONAL SET of Attributes is missing from the SignerInfo. An empty slice is returned if the specified attribute isn't in the set.

func (Attributes) HasAttribute

func (attrs Attributes) HasAttribute(oid asn1.ObjectIdentifier) bool

HasAttribute checks if an attribute is present.

func (Attributes) MarshaledForSigning

func (attrs Attributes) MarshaledForSigning() ([]byte, error)

MarshaledForSigning DER encodes the Attributes as needed for signing SignedAttributes. RFC5652 explains this encoding:

A separate encoding of the signedAttrs field is performed for message
digest calculation. The IMPLICIT [0] tag in the signedAttrs is not used for
the DER encoding, rather an EXPLICIT SET OF tag is used.  That is, the DER
encoding of the EXPLICIT SET OF tag, rather than of the IMPLICIT [0] tag,
MUST be included in the message digest calculation along with the length
and content octets of the SignedAttributes value.

type ContentInfo

type ContentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,tag:0"`
}
ContentInfo ::= SEQUENCE {
  contentType ContentType,
  content [0] EXPLICIT ANY DEFINED BY contentType }

ContentType ::= OBJECT IDENTIFIER

func ParseContentInfo

func ParseContentInfo(ber []byte) (ci ContentInfo, err error)

ParseContentInfo parses a top-level ContentInfo type from BER encoded data.

func (ContentInfo) SignedDataContent

func (ci ContentInfo) SignedDataContent() (*SignedData, error)

SignedDataContent gets the content assuming contentType is signedData.

type EncapsulatedContentInfo

type EncapsulatedContentInfo struct {
	EContentType asn1.ObjectIdentifier
	EContent     asn1.RawValue `asn1:"optional,explicit,tag:0"`
}
EncapsulatedContentInfo ::= SEQUENCE {
  eContentType ContentType,
  eContent [0] EXPLICIT OCTET STRING OPTIONAL }

ContentType ::= OBJECT IDENTIFIER

func NewDataEncapsulatedContentInfo

func NewDataEncapsulatedContentInfo(data []byte) (EncapsulatedContentInfo, error)

NewDataEncapsulatedContentInfo creates a new EncapsulatedContentInfo of type id-data.

func NewEncapsulatedContentInfo

func NewEncapsulatedContentInfo(contentType asn1.ObjectIdentifier, content []byte) (EncapsulatedContentInfo, error)

NewEncapsulatedContentInfo creates a new EncapsulatedContentInfo.

func (EncapsulatedContentInfo) DataEContent

func (eci EncapsulatedContentInfo) DataEContent() ([]byte, error)

DataEContent gets the EContent assuming EContentType is data.

func (EncapsulatedContentInfo) EContentValue

func (eci EncapsulatedContentInfo) EContentValue() ([]byte, error)

EContentValue gets the OCTET STRING EContent value without tag or length. This is what the message digest is calculated over. A nil byte slice is returned if the OPTIONAL eContent field is missing.

func (EncapsulatedContentInfo) IsTypeData

func (eci EncapsulatedContentInfo) IsTypeData() bool

IsTypeData checks if the EContentType is id-data.

type IssuerAndSerialNumber

type IssuerAndSerialNumber struct {
	Issuer       asn1.RawValue
	SerialNumber *big.Int
}
IssuerAndSerialNumber ::= SEQUENCE {
 issuer Name,
 serialNumber CertificateSerialNumber }

CertificateSerialNumber ::= INTEGER

type SignedData

type SignedData struct {
	Version          int
	DigestAlgorithms []pkix.AlgorithmIdentifier `asn1:"set"`
	EncapContentInfo EncapsulatedContentInfo
	Certificates     []asn1.RawValue `asn1:"optional,set,tag:0"`
	CRLs             []asn1.RawValue `asn1:"optional,set,tag:1"`
	SignerInfos      []SignerInfo    `asn1:"set"`
}
SignedData ::= SEQUENCE {
  version CMSVersion,
  digestAlgorithms DigestAlgorithmIdentifiers,
  encapContentInfo EncapsulatedContentInfo,
  certificates [0] IMPLICIT CertificateSet OPTIONAL,
  crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
  signerInfos SignerInfos }

CMSVersion ::= INTEGER

{ v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier

CertificateSet ::= SET OF CertificateChoices

CertificateChoices ::= CHOICE {
  certificate Certificate,
  extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
  v1AttrCert [1] IMPLICIT AttributeCertificateV1,       -- Obsolete
  v2AttrCert [2] IMPLICIT AttributeCertificateV2,
  other [3] IMPLICIT OtherCertificateFormat }
OtherCertificateFormat ::= SEQUENCE {
  otherCertFormat OBJECT IDENTIFIER,
  otherCert ANY DEFINED BY otherCertFormat }

RevocationInfoChoices ::= SET OF RevocationInfoChoice

RevocationInfoChoice ::= CHOICE {
  crl CertificateList,
  other [1] IMPLICIT OtherRevocationInfoFormat }
OtherRevocationInfoFormat ::= SEQUENCE {
  otherRevInfoFormat OBJECT IDENTIFIER,
  otherRevInfo ANY DEFINED BY otherRevInfoFormat }

SignerInfos ::= SET OF SignerInfo

func NewSignedData

func NewSignedData(eci EncapsulatedContentInfo) (*SignedData, error)

NewSignedData creates a new SignedData.

func (*SignedData) AddCertificate

func (sd *SignedData) AddCertificate(cert *x509.Certificate) error

AddCertificate adds a *x509.Certificate.

func (*SignedData) AddSignerInfo

func (sd *SignedData) AddSignerInfo(chain []*x509.Certificate, signer crypto.Signer) error

AddSignerInfo adds a SignerInfo to the SignedData, digesting the content in the process.

func (*SignedData) AddSignerInfoDetached

func (sd *SignedData) AddSignerInfoDetached(chain []*x509.Certificate, signer crypto.Signer, digest []byte, signAttrs Attributes) error

func (*SignedData) ClearCertificates

func (sd *SignedData) ClearCertificates()

ClearCertificates removes all certificates.

func (*SignedData) ContentInfo

func (sd *SignedData) ContentInfo() (ContentInfo, error)

ContentInfo returns the SignedData wrapped in a ContentInfo packet.

func (*SignedData) ContentInfoDER

func (sd *SignedData) ContentInfoDER() ([]byte, error)

ContentInfoDER returns the SignedData wrapped in a ContentInfo packet and DER encoded.

func (*SignedData) X509Certificates

func (sd *SignedData) X509Certificates() ([]*x509.Certificate, error)

X509Certificates gets the certificates, assuming that they're X.509 encoded.

type SignerInfo

type SignerInfo struct {
	Version            int
	SID                asn1.RawValue
	DigestAlgorithm    pkix.AlgorithmIdentifier
	SignedAttrs        Attributes `asn1:"optional,tag:0"`
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          []byte
	UnsignedAttrs      Attributes `asn1:"set,optional,tag:1"`
}
SignerInfo ::= SEQUENCE {
  version CMSVersion,
  sid SignerIdentifier,
  digestAlgorithm DigestAlgorithmIdentifier,
  signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
  signatureAlgorithm SignatureAlgorithmIdentifier,
  signature SignatureValue,
  unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }

CMSVersion ::= INTEGER

{ v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
SignerIdentifier ::= CHOICE {
  issuerAndSerialNumber IssuerAndSerialNumber,
  subjectKeyIdentifier [0] SubjectKeyIdentifier }

DigestAlgorithmIdentifier ::= AlgorithmIdentifier

SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

SignatureAlgorithmIdentifier ::= AlgorithmIdentifier

SignatureValue ::= OCTET STRING

UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

func NewSignerInfo

func NewSignerInfo(chain []*x509.Certificate, signer crypto.Signer) (si *SignerInfo, err error)

NewSignerInfo creates a populated, but not yet signed signer info object

func (SignerInfo) FindCertificate

func (si SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)

FindCertificate finds this SignerInfo's certificate in a slice of certificates.

func (SignerInfo) GetContentTypeAttribute

func (si SignerInfo) GetContentTypeAttribute() (asn1.ObjectIdentifier, error)

GetContentTypeAttribute gets the signed ContentType attribute from the SignerInfo.

func (SignerInfo) GetMessageDigestAttribute

func (si SignerInfo) GetMessageDigestAttribute() ([]byte, error)

GetMessageDigestAttribute gets the signed MessageDigest attribute from the SignerInfo.

func (SignerInfo) GetSigningTimeAttribute

func (si SignerInfo) GetSigningTimeAttribute() (time.Time, error)

GetSigningTimeAttribute gets the signed SigningTime attribute from the SignerInfo.

func (SignerInfo) Hash

func (si SignerInfo) Hash() (crypto.Hash, error)

Hash gets the crypto.Hash associated with this SignerInfo's DigestAlgorithm. 0 is returned for unrecognized algorithms.

func (SignerInfo) X509SignatureAlgorithm

func (si SignerInfo) X509SignatureAlgorithm() x509.SignatureAlgorithm

X509SignatureAlgorithm gets the x509.SignatureAlgorithm that should be used for verifying this SignerInfo's signature.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL