README
¶
CMS (Cryptographic Message Syntax) Golang library with GOST cryptography support
designed primarily for Rutoken authentication Rutoken Plugin Doc
based on RFC5652 CMS syntax.
verifies encapContentInfo signature with messageDigest verifies SigningTime in the range notBefore - notAfter verifies SignedAttributes that signature is valid verifies attached certificates that it has valid ca signature
Features
- GOST R 34.11-94 hash function (RFC 5831)
- GOST R 34.11-2012 Стрибог (Streebog) hash function (RFC 6986)
- GOST R 34.10-2001 (RFC 5832) public key signature function
- GOST R 34.10-2012 256 and 512 bit (RFC 7091) public key signature function
- as well as RSA with SHA256/SHA512
- DSA , ECDSA, RSA PSS not supported
- Validate Content Data, Signing time, Signers certificates against provided CA
Issues
implement only Signed-data Content Type. ignore signature algorithm parameters (use only GOST A-ParamSets)
See documentation
- https://tc26.ru/
- https://datatracker.ietf.org/doc/rfc4491/?include_text=1
- https://tools.ietf.org/html/rfc5652#page-13
- https://www.cryptopro.ru/sites/default/files/products/tls/tk26iok.pdf
- https://www.streebog.net/en/
GOST crypto algogithms oids
https://cpdn.cryptopro.ru/content/csp40/html/group___pro_c_s_p_ex_CP_PARAM_OIDS.html http://cpdn.cryptopro.ru/content/csp36/html/group___pro_c_s_p_ex_DP8.html
Requirements
- Go 1.11 or higher.
- gogost https://github.com/ddulesov/gogost
Installation
Install:
go get -u github.com/ddulesov/pkcs7
Import:
import "github.com/ddulesov/pkcs7"
Quickstart
package main
import (
"log"
"os"
"github.com/ddulesov/pkcs7"
"encoding/pem"
"errors"
"io/ioutil"
"time"
)
func check(err error) {
if err != nil {
log.Fatal(err)
}
}
func loadCertificatesFromFile(filename string) ([]*pkcs7.Certificate, error) {
var ber *pem.Block
buff, err := ioutil.ReadFile(filename)
if err != nil {
return nil, err
}
calist := make([]*pkcs7.Certificate, 0)
for len(buff) > 0 {
ber, buff = pem.Decode(buff)
if ber == nil || ber.Type != "CERTIFICATE" {
return nil, errors.New("invalid certificate file format")
}
ca, err := pkcs7.ParseCertificate(ber.Bytes)
if err != nil {
return nil, err
}
calist = append(calist, ca)
}
return calist, nil
}
func main() {
if len(os.Args) < 2 {
log.Printf("%s <cms.file> <ca.cert>", os.Args[0])
return
}
file := os.Args[1]
buff, err := ioutil.ReadFile(file)
check(err)
ber, _ := pem.Decode(buff)
if ber == nil || ber.Type != "CMS" {
log.Fatal("not PEM encoded")
}
cms, err := pkcs7.ParseCMS(ber.Bytes)
check(err)
file = os.Args[2]
calist, err := loadCertificatesFromFile(file)
check(err)
err = cms.VerifyCertificates(calist)
check(err)
time1 := time.Date(2019, time.August, 23, 0, 0, 0, 0, time.UTC)
time2 := time.Date(2019, time.August, 25, 0, 0, 0, 0, time.UTC)
data := []byte{116, 101, 115, 116, 32, 115, 116, 114, 105, 110, 103, 10}
err = cms.Verify(data, time1, time2)
check(err)
log.Printf("%s valid!", os.Args[1])
}
Tools
PEM encoded certificates, cms, csr online viewer http://gostcrypto.com/tool-asn1.html
Documentation
¶
Index ¶
Constants ¶
const GOSTR3410_2012_256 = GOSTR3410_2001
Variables ¶
Functions ¶
Types ¶
type Attribute ¶
type Attribute struct {
Type asn1.ObjectIdentifier
Value interface{}
}
asn.1 CMS::SignerInfo RFC5652
type CMS ¶
type CMS struct {
Content []byte
Certificates []*Certificate
CRLs []pkix.CertificateList
Signers []signerInfo
// contains filtered or unexported fields
}
CMS represent Cryptographic Message Syntax (CMS) with Signed-data Content Type RFC5652
func (*CMS) CertificateSerial ¶
CertificateSerial returns Signer first Certificate serial number.
func (*CMS) Verify ¶
Verify CMS validity. check equality CMS content and provided value @content check signing time in the range between notBefore-notAfter check content digest check content signature over provided signer certificates
func (*CMS) VerifyCertificates ¶
func (cms *CMS) VerifyCertificates(ca []*Certificate) error
VerifyCertificates validate CMS signer certificates over proived Certificate Authority
type Certificate ¶
type Certificate struct {
Raw asn1.RawContent
TBSCertificate tbsCertificate
SignatureAlgorithm pkix.AlgorithmIdentifier
SignatureValue asn1.BitString
}
func ParseCertificate ¶
func ParseCertificate(asn1Data []byte) (*Certificate, error)
ParseCertificate parses a single certificate from the given ASN.1 DER data.
func (*Certificate) CheckSignature ¶
func (c *Certificate) CheckSignature(algo *SignatureAlgorithm, signed, signature []byte) error
Verifies signature over certificate public key
func (*Certificate) CheckSignatureFrom ¶
func (c *Certificate) CheckSignatureFrom(parent *Certificate) error
CheckSignatureFrom verifies that the signature on c is a valid signature from parent.
type GOSTCryptoProParameters ¶
type GOSTCryptoProParameters struct {
ParamSet []asn1.ObjectIdentifier
}
type HashFunction ¶
type HashFunction int
const ( UnknownHashFunction HashFunction = iota SHA1 SHA256 SHA384 SHA512 GOSTR3411_94 GOSTR3411_2012_256 //Stribog GOST R 34.11-2012 256-bit GOSTR3411_2012_512 //Stribog GOST R 34.11-2012 512-bit )
func GetHashForOid ¶
func GetHashForOid(oid asn1.ObjectIdentifier) HashFunction
func (HashFunction) Actual ¶
func (h HashFunction) Actual() bool
func (HashFunction) CryptoHash ¶
func (h HashFunction) CryptoHash() crypto.Hash
func (HashFunction) New ¶
func (h HashFunction) New() hash.Hash
type PublicKeyAlgorithm ¶
type PublicKeyAlgorithm int
const ( UnknownAlgorithm PublicKeyAlgorithm = iota RSA DSA RSAPSS ECDSA GOSTR3410_2001 GOSTR3410_2012_512 )
func (PublicKeyAlgorithm) Actual ¶
func (h PublicKeyAlgorithm) Actual() bool
type SignatureAlgorithm ¶
type SignatureAlgorithm struct {
// contains filtered or unexported fields
}
func GetSignatureAlgorithmForOid ¶
func GetSignatureAlgorithmForOid(oid asn1.ObjectIdentifier) *SignatureAlgorithm
func (*SignatureAlgorithm) Family ¶
func (algo *SignatureAlgorithm) Family() CryptoFamily
Source Files