Documentation ¶
Overview ¶
Package pkcs7 implements parsing and generation of some PKCS#7 structures.
Index ¶
Examples ¶
Constants ¶
const ( EncryptionAlgorithmDESCBC = iota EncryptionAlgorithmAES128GCM )
Variables ¶
var ContentEncryptionAlgorithm = EncryptionAlgorithmDESCBC
ContentEncryptionAlgorithm determines the algorithm used to encrypt the plaintext message. Change the value of this variable to change which algorithm is used in the Encrypt() function.
var ErrNotEncryptedContent = errors.New("pkcs7: content data is a decryptable data type")
ErrNotEncryptedContent is returned when attempting to Decrypt data that is not encrypted data
var ErrUnsupportedAlgorithm = errors.New("pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported")
ErrUnsupportedAlgorithm tells you when our quick dev assumptions have failed
var ErrUnsupportedContentType = errors.New("pkcs7: cannot parse data: unimplemented content type")
ErrUnsupportedContentType is returned when a PKCS7 content is not supported. Currently only Data (1.2.840.113549.1.7.1), Signed Data (1.2.840.113549.1.7.2), and Enveloped Data are supported (1.2.840.113549.1.7.3)
var ErrUnsupportedEncryptionAlgorithm = errors.New("pkcs7: cannot encrypt content: only DES-CBC and AES-128-GCM supported")
ErrUnsupportedEncryptionAlgorithm is returned when attempting to encrypt content with an unsupported algorithm.
Functions ¶
func DegenerateCertificate ¶
DegenerateCertificate creates a signed data structure containing only the provided certificate or certificate chain.
func Encrypt ¶
func Encrypt(content []byte, recipients []*x509.Certificate) ([]byte, error)
Encrypt creates and returns an envelope data PKCS7 structure with encrypted recipient keys for each recipient public key.
The algorithm used to perform encryption is determined by the current value of the global ContentEncryptionAlgorithm package variable. By default, the value is EncryptionAlgorithmDESCBC. To use a different algorithm, change the value before calling Encrypt(). For example:
ContentEncryptionAlgorithm = EncryptionAlgorithmAES128GCM
TODO(fullsailor): Add support for encrypting content with other algorithms
Types ¶
type Attribute ¶
type Attribute struct { Type asn1.ObjectIdentifier Value interface{} }
Attribute represents a key value pair attribute. Value must be marshalable byte `encoding/asn1`
type MessageDigestMismatchError ¶
MessageDigestMismatchError is returned when the signer data digest does not match the computed digest for the contained content
func (*MessageDigestMismatchError) Error ¶
func (err *MessageDigestMismatchError) Error() string
type PKCS7 ¶
type PKCS7 struct { Content []byte Certificates []*x509.Certificate CertsRaw []byte CRLs []pkix.CertificateList Signers []signerInfo // contains filtered or unexported fields }
PKCS7 Represents a PKCS7 structure
func ParseRaw ¶
ParseRaw decodes a DER encoded PKCS7 package and returns raw byte arrays rather than fully parsed x509 certificates.
func (*PKCS7) Decrypt ¶
func (p7 *PKCS7) Decrypt(cert *x509.Certificate, pk crypto.PrivateKey) ([]byte, error)
Decrypt decrypts encrypted content info for recipient cert and private key
func (*PKCS7) GetOnlySigner ¶
func (p7 *PKCS7) GetOnlySigner() *x509.Certificate
GetOnlySigner returns an x509.Certificate for the first signer of the signed data payload. If there are more or less than one signer, nil is returned
func (*PKCS7) UnmarshalSignedAttribute ¶
func (p7 *PKCS7) UnmarshalSignedAttribute(attributeType asn1.ObjectIdentifier, out interface{}) error
UnmarshalSignedAttribute decodes a single attribute from the signer info
type SignedData ¶
type SignedData struct {
// contains filtered or unexported fields
}
SignedData is an opaque data structure for creating signed data payloads
Example ¶
// generate a signing cert or load a key pair cert, err := createTestCertificate() if err != nil { fmt.Printf("Cannot create test certificates: %s", err) } // Initialize a SignedData struct with content to be signed signedData, err := NewSignedData([]byte("Example data to be signed")) if err != nil { fmt.Printf("Cannot initialize signed data: %s", err) } // Add the signing cert and private key if err := signedData.AddSigner(cert.Certificate, cert.PrivateKey, SignerInfoConfig{}); err != nil { fmt.Printf("Cannot add signer: %s", err) } // Call Detach() is you want to remove content from the signature // and generate an S/MIME detached signature signedData.Detach() // Finish() to obtain the signature bytes detachedSignature, err := signedData.Finish() if err != nil { fmt.Printf("Cannot finish signing data: %s", err) } pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: detachedSignature})
Output:
func NewSignedData ¶
func NewSignedData(data []byte) (*SignedData, error)
NewSignedData initializes a SignedData with content
func (*SignedData) AddCertificate ¶
func (sd *SignedData) AddCertificate(cert *x509.Certificate)
AddCertificate adds the certificate to the payload. Useful for parent certificates
func (*SignedData) AddSigner ¶
func (sd *SignedData) AddSigner(cert *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error
AddSigner signs attributes about the content and adds certificate to payload
func (*SignedData) Detach ¶
func (sd *SignedData) Detach()
Detach removes content from the signed data struct to make it a detached signature. This must be called right before Finish()
func (*SignedData) Finish ¶
func (sd *SignedData) Finish() ([]byte, error)
Finish marshals the content and its signers
type SignerInfoConfig ¶
type SignerInfoConfig struct {
ExtraSignedAttributes []Attribute
}
SignerInfoConfig are optional values to include when adding a signer