revoke

package
v0.0.0-...-71f93e5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 18, 2024 License: Zlib Imports: 13 Imported by: 0

Documentation

Overview

Package pkcs7 implements the subset of the CMS PKCS #7 datatype that is typically used to package certificates and CRLs. Using openssl, every certificate converted to PKCS #7 format from another encoding such as PEM conforms to this implementation. reference: https://www.openssl.org/docs/man1.1.0/apps/crl2pkcs7.html

PKCS #7 Data type, reference: https://tools.ietf.org/html/rfc2315

The full pkcs#7 cryptographic message syntax allows for cryptographic enhancements, for example data can be encrypted and signed and then packaged through pkcs#7 to be sent over a network and then verified and decrypted. It is asn1, and the type of PKCS #7 ContentInfo, which comprises the PKCS #7 structure, is:

ContentInfo ::= SEQUENCE {
	contentType ContentType,
	content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

There are 6 possible ContentTypes, data, signedData, envelopedData, signedAndEnvelopedData, digestedData, and encryptedData. Here signedData, Data, and encrypted Data are implemented, as the degenerate case of signedData without a signature is the typical format for transferring certificates and CRLS, and Data and encryptedData are used in PKCS #12 formats. The ContentType signedData has the form:

signedData ::= SEQUENCE {
	version Version,
	digestAlgorithms DigestAlgorithmIdentifiers,
	contentInfo ContentInfo,
	certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL
	crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
	signerInfos SignerInfos
}

As of yet signerInfos and digestAlgorithms are not parsed, as they are not relevant to this system's use of PKCS #7 data. Version is an integer type, note that PKCS #7 is recursive, this second layer of ContentInfo is similar ignored for our degenerate usage. The ExtendedCertificatesAndCertificates type consists of a sequence of choices between PKCS #6 extended certificates and x509 certificates. Any sequence consisting of any number of extended certificates is not yet supported in this implementation.

The ContentType Data is simply a raw octet string and is parsed directly into a Go []byte slice.

The ContentType encryptedData is the most complicated and its form can be gathered by the go type below. It essentially contains a raw octet string of encrypted data and an algorithm identifier for use in decrypting this data.

Package revoke provides functionality for checking the validity of a cert. Specifically, the temporal validity of the certificate is checked first, then any CRL and OCSP url in the cert is checked. ported from https://github.com/cloudflare/cfssl/blob/master/revoke/revoke.go

Index

Constants

View Source
const (
	ObjIDData          = "1.2.840.113549.1.7.1"
	ObjIDSignedData    = "1.2.840.113549.1.7.2"
	ObjIDEncryptedData = "1.2.840.113549.1.7.6"
)

Object identifier strings of the three implemented PKCS7 types.

Variables

This section is empty.

Functions

This section is empty.

Types

type Content

type Content struct {
	Data          []byte
	SignedData    SignedData
	EncryptedData EncryptedData
}

Content implements three of the six possible PKCS7 data types. Only one is non-nil.

type Data

type Data struct {
	Bytes []byte
}

Data contains raw bytes. Used as a subtype in PKCS12.

type EncryptedContentInfo

type EncryptedContentInfo struct {
	Raw                        asn1.RawContent
	ContentType                asn1.ObjectIdentifier
	ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
	EncryptedContent           []byte `asn1:"tag:0,optional"`
}

EncryptedContentInfo is a subtype of PKCS7EncryptedData.

type EncryptedData

type EncryptedData struct {
	Raw                  asn1.RawContent
	Version              int
	EncryptedContentInfo EncryptedContentInfo
}

EncryptedData contains encrypted data. Used as a subtype in PKCS12.

type PKCS7

type PKCS7 struct {
	Raw         asn1.RawContent
	ContentInfo string
	Content     Content
}

PKCS7 represents the ASN1 PKCS #7 Content type. It contains one of three possible types of Content objects, as denoted by the object identifier in the ContentInfo field, the other two being nil. SignedData is the degenerate SignedData Content info without signature used to hold certificates and crls. Data is raw bytes, and EncryptedData is as defined in PKCS #7 standard.

type Service

type Service struct {
	// contains filtered or unexported fields
}

func NewService

func NewService() *Service

func (*Service) VerifyCertificate

func (service *Service) VerifyCertificate(cert *x509.Certificate) (revoked bool, err error)

VerifyCertificate ensures that the certificate passed in hasn't expired and checks the CRL for the server.

type SignedData

type SignedData struct {
	Raw          asn1.RawContent
	Version      int
	Certificates []*x509.Certificate
	Crl          *pkix.CertificateList
}

SignedData defines the typical carrier of certificates and crls.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL