Documentation ¶
Overview ¶
PKCS#7 is a specification for signing or encrypting data using ASN.1 structures. It is also known as CMS (cryptographic message syntax) and is discussed in RFC 2315, RFC 3369, RFC 3852, and RFC 5652.
This package implements signature operations needed for creating and validating signature technologies based on PKCS#7 including Java and Microsoft Authenticode
Index ¶
- Constants
- Variables
- func ParseTime(raw asn1.RawValue) (ret time.Time, err error)
- type Attribute
- type AttributeList
- func (l *AttributeList) Add(oid asn1.ObjectIdentifier, obj interface{}) error
- func (l *AttributeList) Bytes() ([]byte, error)
- func (l AttributeList) Exists(oid asn1.ObjectIdentifier) bool
- func (l *AttributeList) GetAll(oid asn1.ObjectIdentifier, dest interface{}) error
- func (l *AttributeList) GetOne(oid asn1.ObjectIdentifier, dest interface{}) error
- type CertificateError
- type ContentInfo
- type ContentInfoSignedData
- type ErrNoAttribute
- type IssuerAndSerial
- type MissingCertificateError
- type RawCertificates
- type Signature
- type SignatureBuilder
- func (sb *SignatureBuilder) AddAuthenticatedAttribute(oid asn1.ObjectIdentifier, data interface{}) error
- func (sb *SignatureBuilder) SetContent(ctype asn1.ObjectIdentifier, data interface{}) error
- func (sb *SignatureBuilder) SetContentData(data []byte) error
- func (sb *SignatureBuilder) SetContentInfo(cinfo ContentInfo) error
- func (sb *SignatureBuilder) SetDetachedContent(ctype asn1.ObjectIdentifier, digest []byte) error
- func (sb *SignatureBuilder) Sign() (*ContentInfoSignedData, error)
- type SignedData
- type SignerInfo
- func (i SignerInfo) AuthenticatedAttributesBytes() ([]byte, error)
- func (si *SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)
- func (i SignerInfo) SigningTime() (time.Time, error)
- func (si *SignerInfo) Verify(content []byte, skipDigests bool, certs []*x509.Certificate) (*x509.Certificate, error)
Constants ¶
const MimeType = "application/pkcs7-mime"
Variables ¶
var ( OidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1} OidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2} OidAttributeContentType = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3} OidAttributeMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4} OidAttributeSigningTime = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 5} )
Functions ¶
Types ¶
type AttributeList ¶
type AttributeList []Attribute
func (*AttributeList) Add ¶
func (l *AttributeList) Add(oid asn1.ObjectIdentifier, obj interface{}) error
create or append to an attribute
func (*AttributeList) Bytes ¶
func (l *AttributeList) Bytes() ([]byte, error)
Bytes returns a SET OF form of the attribute list for digesting, per RFC 2315 9.3, 2nd paragraph
func (AttributeList) Exists ¶
func (l AttributeList) Exists(oid asn1.ObjectIdentifier) bool
func (*AttributeList) GetAll ¶
func (l *AttributeList) GetAll(oid asn1.ObjectIdentifier, dest interface{}) error
GetAll unmarshals all values for an attribute. dest should be a pointer to a slice.
func (*AttributeList) GetOne ¶
func (l *AttributeList) GetOne(oid asn1.ObjectIdentifier, dest interface{}) error
GetOne unmarshals a single attribute, if it exists
type CertificateError ¶
func (CertificateError) Error ¶
func (c CertificateError) Error() string
func (CertificateError) Unwrap ¶
func (c CertificateError) Unwrap() error
type ContentInfo ¶
type ContentInfo struct { Raw asn1.RawContent ContentType asn1.ObjectIdentifier }
func NewContentInfo ¶
func NewContentInfo(contentType asn1.ObjectIdentifier, data interface{}) (ci ContentInfo, err error)
Create a ContentInfo structure for the given bytes or structure. data can be nil for detached signatures.
func (ContentInfo) Bytes ¶
func (ci ContentInfo) Bytes() ([]byte, error)
Get raw content in DER encoding, or nil if it's not present
func (ContentInfo) Unmarshal ¶
func (ci ContentInfo) Unmarshal(dest interface{}) (err error)
Unmarshal a structure from a ContentInfo.
type ContentInfoSignedData ¶
type ContentInfoSignedData struct { ContentType asn1.ObjectIdentifier Content SignedData `asn1:"explicit,optional,tag:0"` }
func Unmarshal ¶
func Unmarshal(blob []byte) (*ContentInfoSignedData, error)
Parse a signature from bytes
func (*ContentInfoSignedData) Detach ¶
func (psd *ContentInfoSignedData) Detach() ([]byte, error)
Remove and return inlined content from the document, leaving a detached signature
func (*ContentInfoSignedData) Marshal ¶
func (psd *ContentInfoSignedData) Marshal() ([]byte, error)
Marshal the signature to bytes
type ErrNoAttribute ¶
type ErrNoAttribute struct {
ID asn1.ObjectIdentifier
}
func (ErrNoAttribute) Error ¶
func (e ErrNoAttribute) Error() string
type IssuerAndSerial ¶
type MissingCertificateError ¶
func (MissingCertificateError) Error ¶
func (e MissingCertificateError) Error() string
type RawCertificates ¶
func (RawCertificates) Parse ¶
func (raw RawCertificates) Parse() ([]*x509.Certificate, error)
Parse raw certificates from structure. If any cert is invalid, the remaining valid certs are returned along with a CertificateError.
type Signature ¶
type Signature struct { SignerInfo *SignerInfo Certificate *x509.Certificate Intermediates []*x509.Certificate CertError error }
func (Signature) VerifyChain ¶
func (info Signature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate, usage x509.ExtKeyUsage, currentTime time.Time) error
Verify the X509 chain from a signature against the given roots. extraCerts will be added to the intermediates if provided. usage gives the certificate usage required for the leaf certificate, or ExtKeyUsageAny otherwise. If a PKCS#9 trusted timestamp was found, pass that timestamp in currentTime to validate the chain as of the time of the signature.
type SignatureBuilder ¶
type SignatureBuilder struct {
// contains filtered or unexported fields
}
func NewBuilder ¶
func NewBuilder(privKey crypto.Signer, certs []*x509.Certificate, opts crypto.SignerOpts) *SignatureBuilder
Build a PKCS#7 signature procedurally. Returns a structure that can have content and attributes attached to it.
func (*SignatureBuilder) AddAuthenticatedAttribute ¶
func (sb *SignatureBuilder) AddAuthenticatedAttribute(oid asn1.ObjectIdentifier, data interface{}) error
Add an authenticated attribute to SignerInfo
func (*SignatureBuilder) SetContent ¶
func (sb *SignatureBuilder) SetContent(ctype asn1.ObjectIdentifier, data interface{}) error
Embed bytes or a structure into the PKCS#7 content
func (*SignatureBuilder) SetContentData ¶
func (sb *SignatureBuilder) SetContentData(data []byte) error
Set content to a generic "data" blob
func (*SignatureBuilder) SetContentInfo ¶
func (sb *SignatureBuilder) SetContentInfo(cinfo ContentInfo) error
Set a ContentInfo structure as the PKCS#7 content
func (*SignatureBuilder) SetDetachedContent ¶
func (sb *SignatureBuilder) SetDetachedContent(ctype asn1.ObjectIdentifier, digest []byte) error
Set a "detached" content type, with digest
func (*SignatureBuilder) Sign ¶
func (sb *SignatureBuilder) Sign() (*ContentInfoSignedData, error)
Complete the signature and return the full PKCS#7 structure
type SignedData ¶
type SignedData struct { Version int `asn1:"default:1"` DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"` ContentInfo ContentInfo `` Certificates RawCertificates `asn1:"optional,tag:0"` CRLs []pkix.CertificateList `asn1:"optional,tag:1"` SignerInfos []SignerInfo `asn1:"set"` }
func (*SignedData) Verify ¶
func (sd *SignedData) Verify(externalContent []byte, skipDigests bool) (Signature, error)
Verify the content in a SignedData structure. External content may be provided if it is a detached signature. Information about the signature is returned, however X509 chains are not validated. Call VerifyChain() to complete the verification process.
If skipDigests is true, then the main content section is not checked, but the SignerInfos are still checked for a valid signature.
type SignerInfo ¶
type SignerInfo struct { RawContent asn1.RawContent Version int `asn1:"default:1"` IssuerAndSerialNumber IssuerAndSerial `` DigestAlgorithm pkix.AlgorithmIdentifier `` AuthenticatedAttributes AttributeList `asn1:"optional,tag:0"` DigestEncryptionAlgorithm pkix.AlgorithmIdentifier `` EncryptedDigest []byte `` UnauthenticatedAttributes AttributeList `asn1:"optional,tag:1"` }
func (SignerInfo) AuthenticatedAttributesBytes ¶
func (i SignerInfo) AuthenticatedAttributesBytes() ([]byte, error)
AuthenticatedAttributesBytes returns a SET OF form of the attribute list for digesting, per RFC 2315 9.3, 2nd paragraph
func (*SignerInfo) FindCertificate ¶
func (si *SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)
Find the certificate that signed this SignerInfo from the bucket of certs
func (SignerInfo) SigningTime ¶
func (i SignerInfo) SigningTime() (time.Time, error)
func (*SignerInfo) Verify ¶
func (si *SignerInfo) Verify(content []byte, skipDigests bool, certs []*x509.Certificate) (*x509.Certificate, error)
Verify the signature contained in this SignerInfo and return the leaf certificate. X509 chains are not validated.