pkcs7

package
v1.0.5006 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 20, 2024 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Index

Examples

Constants

This section is empty.

Variables

View Source
var (
	AddCipher = pbes2.AddCipher
	GetCipher = pbes2.GetCipher

	// 帮助函数
	GetCipherFromName   = pbes2.GetCipherFromName
	CheckCipherFromName = pbes2.CheckCipherFromName
)
View Source
var (
	DESCBC     = pbes2.DESCBC
	DESEDE3CBC = pbes2.DESEDE3CBC

	RC2CBC     = pbes2.RC2CBC
	RC2_40CBC  = pbes2.RC2_40CBC
	RC2_64CBC  = pbes2.RC2_64CBC
	RC2_128CBC = pbes2.RC2_128CBC

	RC5CBC     = pbes2.RC5CBC
	RC5_128CBC = pbes2.RC5_128CBC
	RC5_192CBC = pbes2.RC5_192CBC
	RC5_256CBC = pbes2.RC5_256CBC

	AES128ECB = pbes2.AES128ECB
	AES128CBC = pbes2.AES128CBC
	AES128OFB = pbes2.AES128OFB
	AES128CFB = pbes2.AES128CFB
	AES128GCM = pbes2.AES128GCM
	AES128CCM = pbes2.AES128CCM

	AES192ECB = pbes2.AES192ECB
	AES192CBC = pbes2.AES192CBC
	AES192OFB = pbes2.AES192OFB
	AES192CFB = pbes2.AES192CFB
	AES192GCM = pbes2.AES192GCM
	AES192CCM = pbes2.AES192CCM

	AES256ECB = pbes2.AES256ECB
	AES256CBC = pbes2.AES256CBC
	AES256OFB = pbes2.AES256OFB
	AES256CFB = pbes2.AES256CFB
	AES256GCM = pbes2.AES256GCM
	AES256CCM = pbes2.AES256CCM

	SM4Cipher = pbes2.SM4Cipher
	SM4ECB    = pbes2.SM4ECB
	SM4CBC    = pbes2.SM4CBC
	SM4OFB    = pbes2.SM4OFB
	SM4CFB    = pbes2.SM4CFB
	SM4CFB1   = pbes2.SM4CFB1
	SM4CFB8   = pbes2.SM4CFB8
	SM4GCM    = pbes2.SM4GCM
	SM4CCM    = pbes2.SM4CCM

	GostCipher = pbes2.GostCipher
)

加密方式

View Source
var (
	// Digest Algorithms
	OidDigestAlgorithmMD5    = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 5}
	OidDigestAlgorithmSHA1   = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
	OidDigestAlgorithmSHA224 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 4}
	OidDigestAlgorithmSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	OidDigestAlgorithmSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
	OidDigestAlgorithmSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}

	OidDigestAlgorithmSM3 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 401}
)
View Source
var (
	// dsa 签名
	OidEncryptionAlgorithmDSA       = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
	OidEncryptionAlgorithmDSASHA1   = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3}
	OidEncryptionAlgorithmDSASHA224 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 1}
	OidEncryptionAlgorithmDSASHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2}

	// ecdsa 签名
	OidEncryptionAlgorithmECDSASHA1   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1}
	OidEncryptionAlgorithmECDSASHA224 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 1}
	OidEncryptionAlgorithmECDSASHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
	OidEncryptionAlgorithmECDSASHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}
	OidEncryptionAlgorithmECDSASHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}

	OidEncryptionAlgorithmECDSAP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
	OidEncryptionAlgorithmECDSAP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
	OidEncryptionAlgorithmECDSAP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}

	// rsa 签名
	OidEncryptionAlgorithmRSA       = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
	OidEncryptionAlgorithmRSAMD5    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
	OidEncryptionAlgorithmRSASHA1   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
	OidEncryptionAlgorithmRSASHA224 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14}
	OidEncryptionAlgorithmRSASHA256 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
	OidEncryptionAlgorithmRSASHA384 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
	OidEncryptionAlgorithmRSASHA512 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
	OidEncryptionAlgorithmRSASM3    = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 504}

	// eddsa 签名
	OidEncryptionAlgorithmEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112}

	// sm2 签名
	OidEncryptionAlgorithmSM2SM3    = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 501}
	OidDigestEncryptionAlgorithmSM2 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 301, 1}

	// sm9 签名
	OidDigestAlgorithmSM9SM3        = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 502}
	OidDigestEncryptionAlgorithmSM9 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 302, 1}
)
View Source
var DefaultOpts = Opts{
	Cipher:     AES256CBC,
	KeyEncrypt: KeyEncryptRSA,
	Mode:       DefaultMode,
}

默认配置

View Source
var ErrPSKNotProvided = errors.New("go-cryptobin/pkcs7: cannot encrypt content: PSK not provided")
View Source
var ErrUnsupportedAlgorithm = errors.New("go-cryptobin/pkcs7: cannot decrypt data")
View Source
var ErrUnsupportedContentType = errors.New("go-cryptobin/pkcs7: cannot parse data: unimplemented content type")

ErrUnsupportedContentType is returned when a PKCS7 content is not supported. Currently only Data (1.2.840.113549.1.7.1), Signed Data (1.2.840.113549.1.7.2), and Enveloped Data are supported (1.2.840.113549.1.7.3)

View Source
var ErrUnsupportedEncryptionAlgorithm = errors.New("go-cryptobin/pkcs7: cannot encrypt content: only DES-CBC, AES-CBC, and AES-GCM supported")
View Source
var KeyEncryptRSA = KeyEncryptWithRSA{
	// contains filtered or unexported fields
}

KeyEncryptRSA

View Source
var KeyEncryptRSAESOAEP = KeyEncryptWithRSA{
	// contains filtered or unexported fields
}

KeyEncryptRSAESOAEP

View Source
var KeyEncryptRSASHA1 = KeyEncryptWithRSA{
	// contains filtered or unexported fields
}

KeyEncryptRSASHA1

View Source
var KeyEncryptRSASHA256 = KeyEncryptWithRSA{
	// contains filtered or unexported fields
}

KeyEncryptRSASHA256

View Source
var KeyEncryptRSASHA384 = KeyEncryptWithRSA{
	// contains filtered or unexported fields
}

KeyEncryptRSASHA384

View Source
var KeyEncryptRSASHA512 = KeyEncryptWithRSA{
	// contains filtered or unexported fields
}

KeyEncryptRSASHA512

View Source
var KeyEncryptSM2 = KeyEncryptWithSM2{
	// contains filtered or unexported fields
}

KeyEncryptSM2

View Source
var KeySignWithDSASHA1 = KeySignWithDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithDSASHA224 = KeySignWithDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithDSASHA256 = KeySignWithDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithECDSASHA1 = KeySignWithECDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithECDSASHA224 = KeySignWithECDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithECDSASHA256 = KeySignWithECDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithECDSASHA384 = KeySignWithECDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithECDSASHA512 = KeySignWithECDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithEdDSASHA1 = KeySignWithEdDSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithRSAMD5 = KeySignWithRSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithRSASHA1 = KeySignWithRSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithRSASHA224 = KeySignWithRSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithRSASHA256 = KeySignWithRSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithRSASHA384 = KeySignWithRSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithRSASHA512 = KeySignWithRSA{
	// contains filtered or unexported fields
}
View Source
var KeySignWithSM2SM3 = KeySignWithSM2{
	// contains filtered or unexported fields
}
View Source
var KeySignWithSM2WithSM3 = KeySignWithSM2{
	// contains filtered or unexported fields
}
View Source
var SM2Opts = Opts{
	Cipher:     SM4CBC,
	KeyEncrypt: KeyEncryptSM2,
	Mode:       SM2Mode,
}

默认配置

View Source
var SignHashWithMD5 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source
var SignHashWithSHA1 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source
var SignHashWithSHA224 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source
var SignHashWithSHA256 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source
var SignHashWithSHA384 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source
var SignHashWithSHA512 = SignHashWithFunc{
	// contains filtered or unexported fields
}
View Source
var SignHashWithSM3 = SignHashWithFunc{
	// contains filtered or unexported fields
}

Functions

func AddKeySign added in v1.0.2061

func AddKeySign(oid asn1.ObjectIdentifier, keySign func() KeySign)

添加签名

func AddSignHash added in v1.0.2061

func AddSignHash(oid asn1.ObjectIdentifier, signHash func() SignHash)

添加 hash

func AddkeyEncrypt added in v1.0.2061

func AddkeyEncrypt(oid asn1.ObjectIdentifier, fn func() KeyEncrypt)

添加 key 加密方式

func Decrypt

func Decrypt(data []byte, cert *x509.Certificate, pkey crypto.PrivateKey) ([]byte, error)

解析

func DecryptUsingPSK

func DecryptUsingPSK(data []byte, key []byte) ([]byte, error)

DecryptUsingPSK decrypts encrypted data using caller provided pre-shared secret

func DegenerateCertificate

func DegenerateCertificate(cert []byte, mode ...Mode) ([]byte, error)

DegenerateCertificate creates a signed data structure containing only the provided certificate or certificate chain.

func EncodePkcs7ToPem

func EncodePkcs7ToPem(data []byte, pemType string) []byte

编码到 pem pemType = [PKCS7 | ENCRYPTED PKCS7]

func Encrypt

func Encrypt(rand io.Reader, content []byte, recipients []*x509.Certificate, opts ...Opts) ([]byte, error)

加密

func EncryptUsingPSK

func EncryptUsingPSK(rand io.Reader, content []byte, key []byte, cipher Cipher, mode ...Mode) ([]byte, error)

EncryptUsingPSK creates and returns an encrypted data PKCS7 structure, encrypted using caller provided pre-shared secret.

func ParsePkcs7Pem

func ParsePkcs7Pem(data []byte) ([]byte, error)

解析 pkcs7 pem 数据

Types

type Attribute added in v1.0.2061

type Attribute struct {
	Type  asn1.ObjectIdentifier
	Value interface{}
}

Attribute represents a key value pair attribute. Value must be marshalable byte `encoding/asn1`

type Cipher added in v1.0.2061

type Cipher = pbes2.Cipher

别名

type KeyEncrypt added in v1.0.2061

type KeyEncrypt interface {
	// oid
	OID() asn1.ObjectIdentifier

	// 加密, 返回: [加密后数据, error]
	Encrypt(plaintext []byte, pkey crypto.PublicKey) ([]byte, error)

	// 解密
	Decrypt(ciphertext []byte, pkey crypto.PrivateKey) ([]byte, error)

	// 检测证书
	Check(pkey any) bool
}

非对称加密

type KeyEncryptWithRSA added in v1.0.2061

type KeyEncryptWithRSA struct {
	// contains filtered or unexported fields
}

key 用 rsa 加密

func (KeyEncryptWithRSA) Check added in v1.0.2061

func (this KeyEncryptWithRSA) Check(pkey any) bool

检测证书

func (KeyEncryptWithRSA) Decrypt added in v1.0.2061

func (this KeyEncryptWithRSA) Decrypt(ciphertext []byte, pkey crypto.PrivateKey) ([]byte, error)

解密

func (KeyEncryptWithRSA) Encrypt added in v1.0.2061

func (this KeyEncryptWithRSA) Encrypt(plaintext []byte, pkey crypto.PublicKey) ([]byte, error)

加密

func (KeyEncryptWithRSA) OID added in v1.0.2061

oid

type KeyEncryptWithSM2 added in v1.0.2061

type KeyEncryptWithSM2 struct {
	// contains filtered or unexported fields
}

key 用 sm2 加密

func (KeyEncryptWithSM2) Check added in v1.0.2061

func (this KeyEncryptWithSM2) Check(pkey any) bool

检测证书

func (KeyEncryptWithSM2) Decrypt added in v1.0.2061

func (this KeyEncryptWithSM2) Decrypt(ciphertext []byte, pkey crypto.PrivateKey) ([]byte, error)

解密

func (KeyEncryptWithSM2) Encrypt added in v1.0.2061

func (this KeyEncryptWithSM2) Encrypt(plaintext []byte, pkey crypto.PublicKey) ([]byte, error)

加密

func (KeyEncryptWithSM2) OID added in v1.0.2061

oid

type KeySign added in v1.0.2061

type KeySign interface {
	// oid
	OID() asn1.ObjectIdentifier

	// HashOID
	HashOID() asn1.ObjectIdentifier

	// 签名
	Sign(pkey crypto.PrivateKey, data []byte) (hashData []byte, signData []byte, err error)

	// 解密
	Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

	// 检测证书
	Check(pkey any) bool
}

签名接口

type KeySignWithDSA added in v1.0.2061

type KeySignWithDSA struct {
	// contains filtered or unexported fields
}

rsa 签名

func (KeySignWithDSA) Check added in v1.0.2061

func (this KeySignWithDSA) Check(pkey any) bool

检测证书

func (KeySignWithDSA) HashOID added in v1.0.2061

func (this KeySignWithDSA) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithDSA) OID added in v1.0.2061

oid

func (KeySignWithDSA) Sign added in v1.0.2061

func (this KeySignWithDSA) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithDSA) Verify added in v1.0.2061

func (this KeySignWithDSA) Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

验证

type KeySignWithECDSA added in v1.0.2061

type KeySignWithECDSA struct {
	// contains filtered or unexported fields
}

ecdsa 签名

func (KeySignWithECDSA) Check added in v1.0.2061

func (this KeySignWithECDSA) Check(pkey any) bool

检测证书

func (KeySignWithECDSA) HashOID added in v1.0.2061

func (this KeySignWithECDSA) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithECDSA) OID added in v1.0.2061

oid

func (KeySignWithECDSA) Sign added in v1.0.2061

func (this KeySignWithECDSA) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithECDSA) Verify added in v1.0.2061

func (this KeySignWithECDSA) Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

验证

type KeySignWithEdDSA added in v1.0.2061

type KeySignWithEdDSA struct {
	// contains filtered or unexported fields
}

EdDsa 签名

func (KeySignWithEdDSA) Check added in v1.0.2061

func (this KeySignWithEdDSA) Check(pkey any) bool

检测证书

func (KeySignWithEdDSA) HashOID added in v1.0.2061

func (this KeySignWithEdDSA) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithEdDSA) OID added in v1.0.2061

oid

func (KeySignWithEdDSA) Sign added in v1.0.2061

func (this KeySignWithEdDSA) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithEdDSA) Verify added in v1.0.2061

func (this KeySignWithEdDSA) Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

验证

type KeySignWithRSA added in v1.0.2061

type KeySignWithRSA struct {
	// contains filtered or unexported fields
}

rsa 签名

func (KeySignWithRSA) Check added in v1.0.2061

func (this KeySignWithRSA) Check(pkey any) bool

检测证书

func (KeySignWithRSA) HashOID added in v1.0.2061

func (this KeySignWithRSA) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithRSA) OID added in v1.0.2061

oid

func (KeySignWithRSA) Sign added in v1.0.2061

func (this KeySignWithRSA) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithRSA) Verify added in v1.0.2061

func (this KeySignWithRSA) Verify(pkey crypto.PublicKey, data []byte, signature []byte) (bool, error)

验证

type KeySignWithSM2 added in v1.0.2061

type KeySignWithSM2 struct {
	// contains filtered or unexported fields
}

sm2 签名

func (KeySignWithSM2) Check added in v1.0.2061

func (this KeySignWithSM2) Check(pkey any) bool

检测证书

func (KeySignWithSM2) HashOID added in v1.0.2061

func (this KeySignWithSM2) HashOID() asn1.ObjectIdentifier

oid

func (KeySignWithSM2) OID added in v1.0.2061

oid

func (KeySignWithSM2) Sign added in v1.0.2061

func (this KeySignWithSM2) Sign(pkey crypto.PrivateKey, data []byte) ([]byte, []byte, error)

签名

func (KeySignWithSM2) Verify added in v1.0.2061

func (this KeySignWithSM2) Verify(pkey crypto.PublicKey, signed []byte, signature []byte) (bool, error)

验证

type MessageDigestMismatchError added in v1.0.2061

type MessageDigestMismatchError struct {
	ExpectedDigest []byte
	ActualDigest   []byte
}

MessageDigestMismatchError is returned when the signer data digest does not match the computed digest for the contained content

func (*MessageDigestMismatchError) Error added in v1.0.2061

func (err *MessageDigestMismatchError) Error() string

type Mode added in v1.0.2061

type Mode uint

模式 Mode list

const (
	DefaultMode Mode = iota
	SM2Mode
	SM9Mode
)

func (Mode) IsData added in v1.0.2061

func (this Mode) IsData(oid asn1.ObjectIdentifier) bool

func (Mode) IsEncryptedData added in v1.0.2061

func (this Mode) IsEncryptedData(oid asn1.ObjectIdentifier) bool

func (Mode) IsEnvelopedData added in v1.0.2061

func (this Mode) IsEnvelopedData(oid asn1.ObjectIdentifier) bool

func (Mode) IsSignedData added in v1.0.2061

func (this Mode) IsSignedData(oid asn1.ObjectIdentifier) bool

func (Mode) IsSignedEnvelopedData added in v1.0.2061

func (this Mode) IsSignedEnvelopedData(oid asn1.ObjectIdentifier) bool

func (Mode) OidData added in v1.0.2061

func (this Mode) OidData() asn1.ObjectIdentifier

func (Mode) OidEncryptedData added in v1.0.2061

func (this Mode) OidEncryptedData() asn1.ObjectIdentifier

func (Mode) OidEnvelopedData added in v1.0.2061

func (this Mode) OidEnvelopedData() asn1.ObjectIdentifier

func (Mode) OidSignedData added in v1.0.2061

func (this Mode) OidSignedData() asn1.ObjectIdentifier

func (Mode) OidSignedEnvelopedData added in v1.0.2061

func (this Mode) OidSignedEnvelopedData() asn1.ObjectIdentifier

type Opts added in v1.0.2061

type Opts struct {
	Cipher     Cipher
	KeyEncrypt KeyEncrypt
	Mode       Mode
}

配置

type PKCS7 added in v1.0.2061

type PKCS7 struct {
	Content      []byte
	Certificates []*x509.Certificate
	CRLs         []pkix.CertificateList
	Signers      []signerInfo
	// contains filtered or unexported fields
}

PKCS7 Represents a PKCS7 structure

func Parse added in v1.0.2061

func Parse(data []byte) (p7 *PKCS7, err error)

Parse decodes a DER encoded PKCS7 package

func (*PKCS7) Decrypt added in v1.0.2061

func (p7 *PKCS7) Decrypt(cert *x509.Certificate, pkey crypto.PrivateKey) (err error)

Decrypt decrypts encrypted content info for recipient cert and private key.

func (*PKCS7) DecryptOnlyOne added in v1.0.2061

func (p7 *PKCS7) DecryptOnlyOne(pkey crypto.PrivateKey) (err error)

DecryptOnlyOne decrypts encrypted content info for the only recipient private key.

func (*PKCS7) GetOnlySigner added in v1.0.2061

func (this *PKCS7) GetOnlySigner() *x509.Certificate

GetOnlySigner returns an x509.Certificate for the first signer of the signed data payload. If there are more or less than one signer, nil is returned

func (*PKCS7) UnmarshalSignedAttribute added in v1.0.2061

func (this *PKCS7) UnmarshalSignedAttribute(attributeType asn1.ObjectIdentifier, out interface{}) error

UnmarshalSignedAttribute decodes a single attribute from the signer info

func (*PKCS7) Verify added in v1.0.2061

func (this *PKCS7) Verify() (err error)

Verify is a wrapper around VerifyWithChain() that initializes an empty trust store, effectively disabling certificate verification when validating a signature.

func (*PKCS7) VerifyWithChain added in v1.0.2061

func (this *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error)

VerifyWithChain checks the signatures of a PKCS7 object.

If truststore is not nil, it also verifies the chain of trust of the end-entity signer cert to one of the roots in the truststore. When the PKCS7 object includes the signing time authenticated attr verifies the chain at that time and UTC now otherwise.

func (*PKCS7) VerifyWithChainAtTime added in v1.0.2061

func (this *PKCS7) VerifyWithChainAtTime(truststore *x509.CertPool, currentTime time.Time) (err error)

VerifyWithChainAtTime checks the signatures of a PKCS7 object.

If truststore is not nil, it also verifies the chain of trust of the end-entity signer cert to a root in the truststore at currentTime. It does not use the signing time authenticated attribute.

type SignHash added in v1.0.2061

type SignHash interface {
	// oid
	OID() asn1.ObjectIdentifier

	// 加密
	Sum(data []byte) []byte
}

hash 接口

type SignHashWithFunc added in v1.0.2061

type SignHashWithFunc struct {
	// contains filtered or unexported fields
}

hash

func (SignHashWithFunc) OID added in v1.0.2061

oid

func (SignHashWithFunc) Sum added in v1.0.2061

func (this SignHashWithFunc) Sum(data []byte) []byte

hash checksum

type SignedAndEnvelopedData added in v1.0.2061

type SignedAndEnvelopedData struct {
	// contains filtered or unexported fields
}

func NewSMSignedAndEnvelopedData added in v1.0.2061

func NewSMSignedAndEnvelopedData(data []byte, cipher Cipher) (*SignedAndEnvelopedData, error)

func NewSignedAndEnvelopedData added in v1.0.2061

func NewSignedAndEnvelopedData(data []byte, cipher Cipher) (*SignedAndEnvelopedData, error)

func (*SignedAndEnvelopedData) AddCertificate added in v1.0.2061

func (saed *SignedAndEnvelopedData) AddCertificate(cert *x509.Certificate)

AddCertificate adds the certificate to the payload. Useful for parent certificates

func (*SignedAndEnvelopedData) AddRecipient added in v1.0.2061

func (saed *SignedAndEnvelopedData) AddRecipient(recipient *x509.Certificate) error

func (*SignedAndEnvelopedData) AddSigner added in v1.0.2061

func (saed *SignedAndEnvelopedData) AddSigner(ee *x509.Certificate, pkey crypto.PrivateKey) error

AddSigner is a wrapper around AddSignerChain() that adds a signer without any parent.

func (*SignedAndEnvelopedData) AddSignerChain added in v1.0.2061

func (saed *SignedAndEnvelopedData) AddSignerChain(ee *x509.Certificate, pkey crypto.PrivateKey, parents []*x509.Certificate) error

func (*SignedAndEnvelopedData) Finish added in v1.0.2061

func (saed *SignedAndEnvelopedData) Finish() ([]byte, error)

Finish marshals the content and its signers

func (*SignedAndEnvelopedData) SetDigestAlgorithm added in v1.0.2061

func (saed *SignedAndEnvelopedData) SetDigestAlgorithm(oid asn1.ObjectIdentifier)

SetDigestAlgorithm sets the digest algorithm to be used in the signing process.

This should be called before adding signers

func (*SignedAndEnvelopedData) SetMode added in v1.0.2061

func (saed *SignedAndEnvelopedData) SetMode(mode Mode)

This should be called before adding signers

type SignedData added in v1.0.2061

type SignedData struct {
	// contains filtered or unexported fields
}

SignedData is an opaque data structure for creating signed data payloads

Example
// generate a signing cert or load a key pair
cert, err := createTestCertificate(cryptobin_x509.SHA256WithRSA)
if err != nil {
	fmt.Printf("Cannot create test certificates: %s", err)
}

// Initialize a SignedData struct with content to be signed
signedData, err := NewSignedData([]byte("Example data to be signed"))
if err != nil {
	fmt.Printf("Cannot initialize signed data: %s", err)
}

// Add the signing cert and private key
if err := signedData.AddSigner(cert.Certificate, cert.PrivateKey, SignerInfoConfig{}); err != nil {
	fmt.Printf("Cannot add signer: %s", err)
}

// Call Detach() is you want to remove content from the signature
// and generate an S/MIME detached signature
signedData.Detach()

// Finish() to obtain the signature bytes
detachedSignature, err := signedData.Finish()
if err != nil {
	fmt.Printf("Cannot finish signing data: %s", err)
}

if len(detachedSignature) == 0 {
	fmt.Println("Cannot finish signing data: Finish fail")
}

// pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: detachedSignature})
Output:

func NewSMSignedData added in v1.0.2061

func NewSMSignedData(data []byte) (*SignedData, error)

NewSMSignedData takes data and initializes a PKCS7 SignedData struct that is ready to be signed via AddSigner. The digest algorithm is set to SM3 by default and can be changed by calling SetDigestAlgorithm.

func NewSignedData

func NewSignedData(data []byte) (*SignedData, error)

NewSignedData takes data and initializes a PKCS7 SignedData struct that is ready to be signed via AddSigner. The digest algorithm is set to SHA1 by default and can be changed by calling SetDigestAlgorithm.

func (*SignedData) AddCertificate added in v1.0.2061

func (this *SignedData) AddCertificate(cert *x509.Certificate)

AddCertificate adds the certificate to the payload. Useful for parent certificates

func (*SignedData) AddSigner added in v1.0.2061

func (this *SignedData) AddSigner(ee *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error

AddSigner is a wrapper around AddSignerChain() that adds a signer without any parent.

func (*SignedData) AddSignerChain added in v1.0.2061

func (this *SignedData) AddSignerChain(ee *x509.Certificate, pkey crypto.PrivateKey, parents []*x509.Certificate, config SignerInfoConfig) error

AddSignerChain signs attributes about the content and adds certificates and signers infos to the Signed Data. The certificate and private key of the end-entity signer are used to issue the signature, and any parent of that end-entity that need to be added to the list of certifications can be specified in the parents slice.

The signature algorithm used to hash the data is the one of the end-entity certificate.

func (*SignedData) Detach added in v1.0.2061

func (this *SignedData) Detach()

Detach removes content from the signed data struct to make it a detached signature. This must be called right before Finish()

func (*SignedData) Finish added in v1.0.2061

func (this *SignedData) Finish() ([]byte, error)

Finish marshals the content and its signers

func (*SignedData) GetSignedData added in v1.0.2061

func (this *SignedData) GetSignedData() *signedData

GetSignedData returns the private Signed Data

func (*SignedData) RemoveAuthenticatedAttributes added in v1.0.2061

func (this *SignedData) RemoveAuthenticatedAttributes()

RemoveAuthenticatedAttributes removes authenticated attributes from signedData similar to OpenSSL's PKCS7_NOATTR or -noattr flags

func (*SignedData) RemoveUnauthenticatedAttributes added in v1.0.2061

func (this *SignedData) RemoveUnauthenticatedAttributes()

RemoveUnauthenticatedAttributes removes unauthenticated attributes from signedData

func (*SignedData) SetContentType added in v1.0.2061

func (this *SignedData) SetContentType(contentType asn1.ObjectIdentifier)

SetContentType sets the content type of the SignedData. For example to specify the content type of a time-stamp token according to RFC 3161 section 2.4.2.

func (*SignedData) SetDigestAlgorithm added in v1.0.2061

func (this *SignedData) SetDigestAlgorithm(oid asn1.ObjectIdentifier)

SetDigestAlgorithm sets the digest algorithm to be used in the signing process.

This should be called before adding signers

func (*SignedData) SetEncryptionAlgorithm added in v1.0.2061

func (this *SignedData) SetEncryptionAlgorithm(oid asn1.ObjectIdentifier)

SetEncryptionAlgorithm sets the encryption algorithm to be used in the signing process.

This should be called before adding signers

func (*SignedData) SetMode added in v1.0.2061

func (this *SignedData) SetMode(mode Mode)

This should be called before adding signers

func (*SignedData) SignWithoutAttr added in v1.0.2061

func (this *SignedData) SignWithoutAttr(ee *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error

SignWithoutAttr issues a signature on the content of the pkcs7 SignedData. Unlike AddSigner/AddSignerChain, it calculates the digest on the data alone and does not include any signed attributes like timestamp and so on.

This function is needed to sign old Android APKs, something you probably shouldn't do unless you're maintaining backward compatibility for old applications.

type SignerInfoConfig

type SignerInfoConfig struct {
	ExtraSignedAttributes   []Attribute
	ExtraUnsignedAttributes []Attribute
	SkipCertificates        bool
}

SignerInfoConfig are optional values to include when adding a signer

type VerifyFunc added in v1.0.2061

type VerifyFunc func() error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL