pkcs9

package
v7.5.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 19, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

PKCS#9 is a specification for trusted timestamping. Timestamping services create a timestamp token which includes a known-good timestamp with a signature over it. The token can be attached to a document to prove that it existed at the indicated time. When attached to a PKCS#7 signedData structure, the timestamp proves that the primary signature was created during the valid lifespan of the signing certificate, allowing it to be validated after the certificates have expired.

See RFC 3161

Index

Constants

View Source
const (
	StatusGranted = iota
	StatusGrantedWithMods
	StatusRejection
	StatusWaiting
	StatusRevocationWarning
	StatusRevocationNotification

	FailureBadAlg              = 0
	FailureBadRequest          = 2
	FailureBadDataFormat       = 5
	FailureTimeNotAvailable    = 14
	FailureUnacceptedPolicy    = 15
	FailureUnacceptedExtension = 16
	FailureAddInfoNotAvailable = 17
	SystemFailure              = 25
)

Variables

View Source
var (
	OidKeyPurposeTimeStamping  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
	OidTSTInfo                 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 1, 4}
	OidAttributeTimeStampToken = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 14}
	OidAttributeCounterSign    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 6}

	OidSpcTimeStampRequest = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 3, 2, 1}
	// undocumented(?) alternative to OidAttributeTimeStampToken found in Authenticode signatures
	OidSpcTimeStampToken = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 3, 3, 1}
)

Functions

func AddStampToSignedAuthenticode

func AddStampToSignedAuthenticode(signerInfo *pkcs7.SignerInfo, token pkcs7.ContentInfoSignedData) error

Attach a RFC 3161 timestamp to a PKCS#7 SignerInfo using the OID for authenticode signatures

func AddStampToSignedData

func AddStampToSignedData(signerInfo *pkcs7.SignerInfo, token pkcs7.ContentInfoSignedData) error

Attach a RFC 3161 timestamp to a PKCS#7 SignerInfo

func NewLegacyRequest

func NewLegacyRequest(url string, encryptedDigest []byte) (*http.Request, error)

func ParseLegacyResponse

func ParseLegacyResponse(body []byte) (*pkcs7.ContentInfoSignedData, error)

Types

type Accuracy

type Accuracy struct {
	Seconds int `asn1:"optional"`
	Millis  int `asn1:"optional,tag:0"`
	Micros  int `asn1:"optional,tag:1"`
}

type CounterSignature

type CounterSignature struct {
	pkcs7.Signature
	Hash        crypto.Hash
	SigningTime time.Time
}

Validated timestamp token

func Verify

func Verify(tst *pkcs7.ContentInfoSignedData, data []byte, certs []*x509.Certificate) (*CounterSignature, error)

Verify a timestamp token using external data

func VerifyMicrosoftToken

func VerifyMicrosoftToken(token *pkcs7.ContentInfoSignedData, encryptedDigest []byte) (*CounterSignature, error)

Verify a non-RFC-3161 timestamp token against the given encrypted digest from the primary signature.

func VerifyPkcs7

func VerifyPkcs7(sig pkcs7.Signature) (*CounterSignature, error)

Look for a timestamp (counter-signature or timestamp token) in the UnauthenticatedAttributes of the given already-validated signature and check its integrity. The certificate chain is not checked; call VerifyChain() on the result to validate it fully. Returns nil if no timestamp is present.

func (CounterSignature) VerifyChain

func (cs CounterSignature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate) error

Verify that the timestamp token has a valid certificate chain

type GeneralName

type GeneralName struct {
	// See RFC 3280
	Value asn1.RawValue
}

type MessageImprint

type MessageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

func (MessageImprint) Verify

func (i MessageImprint) Verify(data []byte) error

Verify that the digest (imprint) in a timestamp token matches the given data

type MicrosoftTimeStampRequest

type MicrosoftTimeStampRequest struct {
	CounterSignatureType asn1.ObjectIdentifier
	Attributes           struct{} `asn1:"optional"`
	Content              struct {
		ContentType asn1.ObjectIdentifier
		Content     []byte `asn1:"explicit,tag:0"`
	}
}

type PKIStatusInfo

type PKIStatusInfo struct {
	Status       int
	StatusString []string       `asn1:"optional"`
	FailInfo     asn1.BitString `asn1:"optional"`
}

type Request

type Request struct {
	// EncryptedDigest is the raw encrypted signature value
	EncryptedDigest []byte
	// Hash is the desired hash function for the timestamp. Ignored for legacy requests.
	Hash crypto.Hash
	// Legacy indicates a nonstandard microsoft timestamp request, otherwise RFC 3161 is used
	Legacy bool
}

Request holds parameters for a timestamp operation

type TSTInfo

type TSTInfo struct {
	Version        int
	Policy         asn1.ObjectIdentifier
	MessageImprint MessageImprint
	SerialNumber   *big.Int
	GenTime        asn1.RawValue
	Accuracy       Accuracy         `asn1:"optional"`
	Ordering       bool             `asn1:"optional,default:false"`
	Nonce          *big.Int         `asn1:"optional"`
	TSA            GeneralName      `asn1:"optional,implicit,tag:0"`
	Extensions     []pkix.Extension `asn1:"optional,implicit,tag:1"`
}

func (*TSTInfo) SigningTime

func (i *TSTInfo) SigningTime() (time.Time, error)

type TimeStampReq

type TimeStampReq struct {
	Version        int
	MessageImprint MessageImprint
	ReqPolicy      asn1.ObjectIdentifier `asn1:"optional"`
	Nonce          *big.Int              `asn1:"optional"`
	CertReq        bool                  `asn1:"default:false"`
	Extensions     []pkix.Extension      `asn1:"optional,implicit,tag:0"`
}

func NewRequest

func NewRequest(url string, hash crypto.Hash, hashValue []byte) (msg *TimeStampReq, req *http.Request, err error)

Create a HTTP request to request a token from the given URL

func (*TimeStampReq) ParseResponse

func (req *TimeStampReq) ParseResponse(body []byte) (*pkcs7.ContentInfoSignedData, error)

Parse a timestamp token from a HTTP response, sanity checking it against the original request nonce

func (*TimeStampReq) SanityCheckToken

func (req *TimeStampReq) SanityCheckToken(psd *pkcs7.ContentInfoSignedData) error

Sanity check a timestamp token against the nonce in the original request

type TimeStampResp

type TimeStampResp struct {
	Status         PKIStatusInfo
	TimeStampToken pkcs7.ContentInfoSignedData `asn1:"optional"`
}

type TimestampedSignature

type TimestampedSignature struct {
	pkcs7.Signature
	CounterSignature *CounterSignature
	Raw              []byte
}

Validated signature containing a optional timestamp token

func TimestampAndMarshal

func TimestampAndMarshal(ctx context.Context, psd *pkcs7.ContentInfoSignedData, timestamper Timestamper, authenticode bool) (*TimestampedSignature, error)

func VerifyOptionalTimestamp

func VerifyOptionalTimestamp(sig pkcs7.Signature) (TimestampedSignature, error)

Look for a timestamp token or counter-signature in the given signature and return a structure that can be used to validate the signature's certificate chain. If no timestamp is present, then the current time will be used when validating the chain.

func (TimestampedSignature) VerifyChain

func (sig TimestampedSignature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate, usage x509.ExtKeyUsage) error

Verify the certificate chain of a PKCS#7 signature. If the signature has a valid timestamp token attached, then the timestamp is used for validating the primary signature's chain, making the signature valid after the certificates have expired.

type Timestamper

type Timestamper interface {
	Timestamp(ctx context.Context, req *Request) (*pkcs7.ContentInfoSignedData, error)
}

Timestamper is the common interface for the timestamp client and middleware

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL