Documentation
Index
- Variables
- func Sign(data []byte, chain []*x509.Certificate, signer crypto.Signer) ([]byte, error)
- func SignDetached(data []byte, chain []*x509.Certificate, signer crypto.Signer) ([]byte, error)
- type SignedData
- func (sd *SignedData) Detached()
- func (sd *SignedData) GetData() ([]byte, error)
- func (sd *SignedData) IsDetached() bool
- func (sd *SignedData) Sign(chain []*x509.Certificate, signer crypto.Signer) error
- func (sd *SignedData) ToDER() ([]byte, error)
- func (sd *SignedData) Verify(roots *x509.CertPool) ([]*x509.Certificate, error)
- func (sd *SignedData) VerifyDetached(message []byte, roots *x509.CertPool) ([]*x509.Certificate, error)
Constants
This section is empty.
Variables
var UnsafeNoVerify = &x509.CertPool{}
UnsafeNoVerify instructs Verify and VerifyDetached not to verify each signature's associated certificate against any set of trusted roots.
Functions
func Sign
Sign creates a CMS SignedData from the content and signs it with signer. At minimum, chain must contain the leaf certificate associated with the signer. Any additional intermediates will also be added to the SignedData. The DER encoded CMS message is returned.
func SignDetached
SignDetached creates a detached CMS SignedData from the content and signs it with signer. At minimum, chain must contain the leaf certificate associated with the signer. Any additional intermediates will also be added to the SignedData. The DER encoded CMS message is returned.
Types
type SignedData
type SignedData struct {
// contains filtered or unexported fields
}
SignedData represents a signed message or detached signature.
func NewSignedData
func NewSignedData(data []byte) (*SignedData, error)
NewSignedData creates a new SignedData from the given data.
func ParseSignedData
func ParseSignedData(ber []byte) (*SignedData, error)
ParseSignedData parses a SignedData from BER encoded data.
func (*SignedData) Detached
func (sd *SignedData) Detached()
Detached removes the data content from this SignedData. No more signatures can be added after this method has been called.
func (*SignedData) GetData
func (sd *SignedData) GetData() ([]byte, error)
GetData gets the encapsulated data from the SignedData. Nil will be returned if this is a detached signature. A protocol.ErrWrongType will be returned if the SignedData encapsulates something other than data (1.2.840.113549.1.7.1).
func (*SignedData) IsDetached
func (sd *SignedData) IsDetached() bool
IsDetached checks if this SignedData has data content.
func (*SignedData) Sign
func (sd *SignedData) Sign(chain []*x509.Certificate, signer crypto.Signer) error
Sign adds a signature to the SignedData. At minimum, chain must contain the leaf certificate associated with the signer. Any additional intermediates will also be added to the SignedData.
func (*SignedData) ToDER
func (sd *SignedData) ToDER() ([]byte, error)
ToDER encodes this SignedData message using DER.
func (*SignedData) Verify
func (sd *SignedData) Verify(roots *x509.CertPool) ([]*x509.Certificate, error)
Verify verifies the SignerInfos' signatures. Each signature's associated certificate is verified using the provided roots. UnsafeNoVerify may be specified to skip this verification. Nil may be provided to use system roots. The certificates whose keys made the signatures are returned regardless of success.
func (*SignedData) VerifyDetached
func (sd *SignedData) VerifyDetached(message []byte, roots *x509.CertPool) ([]*x509.Certificate, error)
VerifyDetached verifies the SignerInfos' detached signatures over the provided message. Each signature's associated certificate is verified using the provided roots. UnsafeNoVerify may be specified to skip this verification. Nil may be provided to use system roots. The certificates whose keys made the signatures are returned regardless of success.
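Because Verify and VerifyDetached return the signer certificates even when verification fails, callers should act on them only after checking the error. The wrapper below is an added example, not part of the package: `verifier`, `trustedSigners` and `stub` are hypothetical names, the non-nil-pool rule and the fingerprint allow-list are policy assumptions of this example, and the certificate bytes are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// verifier mirrors the Verify signature documented above, so *SignedData
// satisfies it; declared locally to keep this example standard-library only.
type verifier interface {
	Verify(roots *x509.CertPool) ([]*x509.Certificate, error)
}

// trustedSigners (hypothetical) drops the certificates Verify returns on
// failure, requires an explicit root pool, and pins signers by the SHA-256
// of their DER encoding. The last two rules are assumptions of this example.
func trustedSigners(v verifier, roots *x509.CertPool, allowed map[[32]byte]bool) ([]*x509.Certificate, error) {
	if roots == nil {
		return nil, errors.New("explicit root pool required")
	}
	certs, err := v.Verify(roots)
	if err != nil {
		return nil, fmt.Errorf("signature rejected: %w", err)
	}
	if len(certs) == 0 {
		return nil, errors.New("no signer certificates")
	}
	for _, c := range certs {
		if !allowed[sha256.Sum256(c.Raw)] {
			return nil, errors.New("signer not on allow-list")
		}
	}
	return certs, nil
}

// stub is a constructed stand-in for a parsed message.
type stub struct {
	certs []*x509.Certificate
	err   error
}

func (s stub) Verify(*x509.CertPool) ([]*x509.Certificate, error) { return s.certs, s.err }

func main() {
	c := &x509.Certificate{Raw: []byte("constructed certificate bytes")}
	bad := stub{[]*x509.Certificate{c}, errors.New("unknown authority")}
	fmt.Println(trustedSigners(bad, x509.NewCertPool(), map[[32]byte]bool{sha256.Sum256(c.Raw): true}))
}
```

In code that imports the package, also compare roots against UnsafeNoVerify and refuse it, since that pool skips certificate verification.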