Documentation ¶
Overview ¶
Package pkcs7 implements the subset of the CMS PKCS #7 datatype that is typically used to package certificates and CRLs. Using openssl, every certificate converted to PKCS #7 format from another encoding such as PEM conforms to this implementation. reference: https://www.openssl.org/docs/man1.1.0/apps/crl2pkcs7.html
PKCS #7 Data type, reference: https://tools.ietf.org/html/rfc2315
The full pkcs#7 cryptographic message syntax allows for cryptographic enhancements, for example data can be encrypted and signed and then packaged through pkcs#7 to be sent over a network and then verified and decrypted. It is asn1, and the type of PKCS #7 ContentInfo, which comprises the PKCS #7 structure, is:
ContentInfo ::= SEQUENCE { contentType ContentType, content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
There are 6 possible ContentTypes, data, signedData, envelopedData, signedAndEnvelopedData, digestedData, and encryptedData. Here signedData, Data, and encrypted Data are implemented, as the degenerate case of signedData without a signature is the typical format for transferring certificates and CRLS, and Data and encryptedData are used in PKCS #12 formats. The ContentType signedData has the form:
signedData ::= SEQUENCE { version Version, digestAlgorithms DigestAlgorithmIdentifiers, contentInfo ContentInfo, certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL crls [1] IMPLICIT CertificateRevocationLists OPTIONAL, signerInfos SignerInfos }
As of yet signerInfos and digestAlgorithms are not parsed, as they are not relevant to this system's use of PKCS #7 data. Version is an integer type, note that PKCS #7 is recursive, this second layer of ContentInfo is similar ignored for our degenerate usage. The ExtendedCertificatesAndCertificates type consists of a sequence of choices between PKCS #6 extended certificates and x509 certificates. Any sequence consisting of any number of extended certificates is not yet supported in this implementation.
The ContentType Data is simply a raw octet string and is parsed directly into a Go []byte slice.
The ContentType encryptedData is the most complicated and its form can be gathered by the go type below. It essentially contains a raw octet string of encrypted data and an algorithm identifier for use in decrypting this data.
Package revoke provides functionality for checking the validity of a cert. Specifically, the temporal validity of the certificate is checked first, then any CRL and OCSP url in the cert is checked. ported from https://github.com/cloudflare/cfssl/blob/master/revoke/revoke.go
Index ¶
Constants ¶
const ( ObjIDData = "1.2.840.113549.1.7.1" ObjIDSignedData = "1.2.840.113549.1.7.2" ObjIDEncryptedData = "1.2.840.113549.1.7.6" )
Object identifier strings of the three implemented PKCS7 types.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Content ¶
type Content struct { Data []byte SignedData SignedData EncryptedData EncryptedData }
Content implements three of the six possible PKCS7 data types. Only one is non-nil.
type EncryptedContentInfo ¶
type EncryptedContentInfo struct { Raw asn1.RawContent ContentType asn1.ObjectIdentifier ContentEncryptionAlgorithm pkix.AlgorithmIdentifier EncryptedContent []byte `asn1:"tag:0,optional"` }
EncryptedContentInfo is a subtype of PKCS7EncryptedData.
type EncryptedData ¶
type EncryptedData struct { Raw asn1.RawContent Version int EncryptedContentInfo EncryptedContentInfo }
EncryptedData contains encrypted data. Used as a subtype in PKCS12.
type PKCS7 ¶
type PKCS7 struct { Raw asn1.RawContent ContentInfo string Content Content }
PKCS7 represents the ASN1 PKCS #7 Content type. It contains one of three possible types of Content objects, as denoted by the object identifier in the ContentInfo field, the other two being nil. SignedData is the degenerate SignedData Content info without signature used to hold certificates and crls. Data is raw bytes, and EncryptedData is as defined in PKCS #7 standard.
type Service ¶
type Service struct {
// contains filtered or unexported fields
}
func NewService ¶
func NewService() *Service
func (*Service) VerifyCertificate ¶
func (service *Service) VerifyCertificate(cert *x509.Certificate) (revoked bool, err error)
VerifyCertificate ensures that the certificate passed in hasn't expired and checks the CRL for the server.
type SignedData ¶
type SignedData struct { Raw asn1.RawContent Version int Certificates []*x509.Certificate Crl *pkix.CertificateList }
SignedData defines the typical carrier of certificates and crls.