sign

package
v1.0.2039 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 21, 2023 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var ErrUnsupportedContentType = errors.New("pkcs7: cannot parse data: unimplemented content type")

ErrUnsupportedContentType is returned when a PKCS7 content is not supported. Currently only Data (1.2.840.113549.1.7.1), Signed Data (1.2.840.113549.1.7.2), and Enveloped Data are supported (1.2.840.113549.1.7.3)

View Source 
var KeySignWithDSASHA1 = KeySignWithDSA{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithDSASHA224 = KeySignWithDSA{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithDSASHA256 = KeySignWithDSA{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithEcdsaSHA1 = KeySignWithEcdsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithEcdsaSHA224 = KeySignWithEcdsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithEcdsaSHA256 = KeySignWithEcdsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithEcdsaSHA384 = KeySignWithEcdsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithEcdsaSHA512 = KeySignWithEcdsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithEdDsaSHA1 = KeySignWithRsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithRsaMD5 = KeySignWithRsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithRsaSHA1 = KeySignWithRsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithRsaSHA224 = KeySignWithRsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithRsaSHA256 = KeySignWithRsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithRsaSHA384 = KeySignWithRsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithRsaSHA512 = KeySignWithRsa{
	// contains filtered or unexported fields
}
View Source 
var KeySignWithSM2SM3 = KeySignWithSM2{
	// contains filtered or unexported fields
}
View Source 
var SignHashWithSHA1 = SignHashWithFunc{
	// contains filtered or unexported fields
}

各种 hash

View Source 
var SignHashWithSHA224 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source 
var SignHashWithSHA256 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source 
var SignHashWithSHA384 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source 
var SignHashWithSHA512 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source 
var SignHashWithSM3 = SignHashWithFunc{
	// contains filtered or unexported fields
}

Functions

func AddKeySign 

func AddKeySign(oid asn1.ObjectIdentifier, keySign func() KeySign)

添加签名

func AddSignHash 

func AddSignHash(oid asn1.ObjectIdentifier, signHash func() SignHash)

添加 hash

func DegenerateCertificate 

func DegenerateCertificate(cert []byte) ([]byte, error)

DegenerateCertificate creates a signed data structure containing only the provided certificate or certificate chain.

Types

type Attribute 

type Attribute struct {
	Type  asn1.ObjectIdentifier
	Value interface{}
}

Attribute represents a key value pair attribute. Value must be marshalable byte `encoding/asn1`

type KeySign 

type KeySign interface {
	// oid
	OID() asn1.ObjectIdentifier

	// HashOID
	HashOID() asn1.ObjectIdentifier

	// 签名
	Sign(pkey crypto.PrivateKey, data []byte) (hashData []byte, signData []byte, err error)

	// 解密
	Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)
}

签名接口

type KeySignWithDSA 

type KeySignWithDSA struct {
	// contains filtered or unexported fields
}

rsa 签名

func (KeySignWithDSA) HashOID 

func (this KeySignWithDSA) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithDSA) OID 

func (this KeySignWithDSA) OID() asn1.ObjectIdentifier

oid

func (KeySignWithDSA) Sign 

func (this KeySignWithDSA) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithDSA) Verify 

func (this KeySignWithDSA) Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

验证

type KeySignWithEcdsa 

type KeySignWithEcdsa struct {
	// contains filtered or unexported fields
}

ecdsa 签名

func (KeySignWithEcdsa) HashOID 

func (this KeySignWithEcdsa) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithEcdsa) OID 

func (this KeySignWithEcdsa) OID() asn1.ObjectIdentifier

oid

func (KeySignWithEcdsa) Sign 

func (this KeySignWithEcdsa) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithEcdsa) Verify 

func (this KeySignWithEcdsa) Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

验证

type KeySignWithEdDsa 

type KeySignWithEdDsa struct {
	// contains filtered or unexported fields
}

EdDsa 签名

func (KeySignWithEdDsa) HashOID 

func (this KeySignWithEdDsa) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithEdDsa) OID 

func (this KeySignWithEdDsa) OID() asn1.ObjectIdentifier

oid

func (KeySignWithEdDsa) Sign 

func (this KeySignWithEdDsa) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithEdDsa) Verify 

func (this KeySignWithEdDsa) Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

验证

type KeySignWithRsa 

type KeySignWithRsa struct {
	// contains filtered or unexported fields
}

rsa 签名

func (KeySignWithRsa) HashOID 

func (this KeySignWithRsa) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithRsa) OID 

func (this KeySignWithRsa) OID() asn1.ObjectIdentifier

oid

func (KeySignWithRsa) Sign 

func (this KeySignWithRsa) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithRsa) Verify 

func (this KeySignWithRsa) Verify(pkey crypto.PublicKey, data []byte, signature []byte) (bool, error)

验证

type KeySignWithSM2 

type KeySignWithSM2 struct {
	// contains filtered or unexported fields
}

sm2 签名

func (KeySignWithSM2) HashOID 

func (this KeySignWithSM2) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithSM2) OID 

func (this KeySignWithSM2) OID() asn1.ObjectIdentifier

oid

func (KeySignWithSM2) Sign 

func (this KeySignWithSM2) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithSM2) Verify 

func (this KeySignWithSM2) Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

验证

type MessageDigestMismatchError 

type MessageDigestMismatchError struct {
	ExpectedDigest []byte
	ActualDigest   []byte
}

MessageDigestMismatchError is returned when the signer data digest does not match the computed digest for the contained content

func (*MessageDigestMismatchError) Error 

func (err *MessageDigestMismatchError) Error() string

type PKCS7 

type PKCS7 struct {
	Content      []byte
	Certificates []*x509.Certificate
	CRLs         []pkix.CertificateList
	Signers      []signerInfo
	// contains filtered or unexported fields
}

PKCS7 Represents a PKCS7 structure

func Parse 

func Parse(data []byte) (p7 *PKCS7, err error)

Parse decodes a DER encoded PKCS7 package

func (*PKCS7) GetOnlySigner 

func (this *PKCS7) GetOnlySigner() *x509.Certificate

GetOnlySigner returns an x509.Certificate for the first signer of the signed data payload. If there are more or less than one signer, nil is returned

func (*PKCS7) UnmarshalSignedAttribute 

func (this *PKCS7) UnmarshalSignedAttribute(attributeType asn1.ObjectIdentifier, out interface{}) error

UnmarshalSignedAttribute decodes a single attribute from the signer info

func (*PKCS7) Verify 

func (this *PKCS7) Verify() (err error)

Verify is a wrapper around VerifyWithChain() that initializes an empty trust store, effectively disabling certificate verification when validating a signature.

func (*PKCS7) VerifyWithChain 

func (this *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error)

VerifyWithChain checks the signatures of a PKCS7 object.

If truststore is not nil, it also verifies the chain of trust of the end-entity signer cert to one of the roots in the truststore. When the PKCS7 object includes the signing time authenticated attr verifies the chain at that time and UTC now otherwise.

func (*PKCS7) VerifyWithChainAtTime 

func (this *PKCS7) VerifyWithChainAtTime(truststore *x509.CertPool, currentTime time.Time) (err error)

VerifyWithChainAtTime checks the signatures of a PKCS7 object.

If truststore is not nil, it also verifies the chain of trust of the end-entity signer cert to a root in the truststore at currentTime. It does not use the signing time authenticated attribute.

type SignHash 

type SignHash interface {
	// oid
	OID() asn1.ObjectIdentifier

	// 加密
	Sum(data []byte) []byte
}

hash 接口

type SignHashWithFunc 

type SignHashWithFunc struct {
	// contains filtered or unexported fields
}

hash

func (SignHashWithFunc) OID 

func (this SignHashWithFunc) OID() asn1.ObjectIdentifier

oid

func (SignHashWithFunc) Sum 

func (this SignHashWithFunc) Sum(data []byte) []byte

值大小

type SignedData 

type SignedData struct {
	// contains filtered or unexported fields
}

SignedData is an opaque data structure for creating signed data payloads

func NewSignedData 

func NewSignedData(data []byte) (*SignedData, error)

NewSignedData takes data and initializes a PKCS7 SignedData struct that is ready to be signed via AddSigner. The digest algorithm is set to SHA1 by default and can be changed by calling SetDigestAlgorithm.

func (*SignedData) AddCertificate 

func (this *SignedData) AddCertificate(cert *x509.Certificate)

AddCertificate adds the certificate to the payload. Useful for parent certificates

func (*SignedData) AddSigner 

func (this *SignedData) AddSigner(ee *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error

AddSigner is a wrapper around AddSignerChain() that adds a signer without any parent.

func (*SignedData) AddSignerChain 

func (this *SignedData) AddSignerChain(ee *x509.Certificate, pkey crypto.PrivateKey, parents []*x509.Certificate, config SignerInfoConfig) error

AddSignerChain signs attributes about the content and adds certificates and signers infos to the Signed Data. The certificate and private key of the end-entity signer are used to issue the signature, and any parent of that end-entity that need to be added to the list of certifications can be specified in the parents slice.

The signature algorithm used to hash the data is the one of the end-entity certificate.

func (*SignedData) Detach 

func (this *SignedData) Detach()

Detach removes content from the signed data struct to make it a detached signature. This must be called right before Finish()

func (*SignedData) Finish 

func (this *SignedData) Finish() ([]byte, error)

Finish marshals the content and its signers

func (*SignedData) GetSignedData 

func (this *SignedData) GetSignedData() *signedData

GetSignedData returns the private Signed Data

func (*SignedData) RemoveAuthenticatedAttributes 

func (this *SignedData) RemoveAuthenticatedAttributes()

RemoveAuthenticatedAttributes removes authenticated attributes from signedData similar to OpenSSL's PKCS7_NOATTR or -noattr flags

func (*SignedData) RemoveUnauthenticatedAttributes 

func (this *SignedData) RemoveUnauthenticatedAttributes()

RemoveUnauthenticatedAttributes removes unauthenticated attributes from signedData

func (*SignedData) SetContentType 

func (this *SignedData) SetContentType(contentType asn1.ObjectIdentifier)

SetContentType sets the content type of the SignedData. For example to specify the content type of a time-stamp token according to RFC 3161 section 2.4.2.

func (*SignedData) SetDigestAlgorithm 

func (this *SignedData) SetDigestAlgorithm(d asn1.ObjectIdentifier)

SetDigestAlgorithm sets the digest algorithm to be used in the signing process.

This should be called before adding signers

func (*SignedData) SetEncryptionAlgorithm 

func (this *SignedData) SetEncryptionAlgorithm(d asn1.ObjectIdentifier)

SetEncryptionAlgorithm sets the encryption algorithm to be used in the signing process.

This should be called before adding signers

func (*SignedData) SignWithoutAttr 

func (this *SignedData) SignWithoutAttr(ee *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error

SignWithoutAttr issues a signature on the content of the pkcs7 SignedData. Unlike AddSigner/AddSignerChain, it calculates the digest on the data alone and does not include any signed attributes like timestamp and so on.

This function is needed to sign old Android APKs, something you probably shouldn't do unless you're maintaining backward compatibility for old applications.

type SignerInfoConfig 

type SignerInfoConfig struct {
	ExtraSignedAttributes   []Attribute
	ExtraUnsignedAttributes []Attribute
}

SignerInfoConfig are optional values to include when adding a signer

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.