pkcs7

package
v7.5.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 9, 2023 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

PKCS#7 is a specification for signing or encrypting data using ASN.1 structures. It is also known as CMS (cryptographic message syntax) and is discussed in RFC 2315, RFC 3369, RFC 3852, and RFC 5652.

This package implements signature operations needed for creating and validating signature technologies based on PKCS#7 including Java and Microsoft Authenticode

Index

Constants

View Source
const MimeType = "application/pkcs7-mime"

Variables

View Source
var (
	OidData                   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
	OidSignedData             = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
	OidAttributeContentType   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
	OidAttributeMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
	OidAttributeSigningTime   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 5}
)

Functions

func ParseTime

func ParseTime(raw asn1.RawValue) (ret time.Time, err error)

ParseTime parses a GeneralizedTime or UTCTime value that potentially has a fractional seconds part

Types

type Attribute

type Attribute struct {
	Type   asn1.ObjectIdentifier
	Values asn1.RawValue
}

type AttributeList

type AttributeList []Attribute

func (*AttributeList) Add

func (l *AttributeList) Add(oid asn1.ObjectIdentifier, obj interface{}) error

create or append to an attribute

func (*AttributeList) Bytes

func (l *AttributeList) Bytes() ([]byte, error)

Bytes returns a SET OF form of the attribute list for digesting, per RFC 2315 9.3, 2nd paragraph

func (AttributeList) Exists

func (l AttributeList) Exists(oid asn1.ObjectIdentifier) bool

func (*AttributeList) GetAll

func (l *AttributeList) GetAll(oid asn1.ObjectIdentifier, dest interface{}) error

GetAll unmarshals all values for an attribute. dest should be a pointer to a slice.

func (*AttributeList) GetOne

func (l *AttributeList) GetOne(oid asn1.ObjectIdentifier, dest interface{}) error

GetOne unmarshals a single attribute, if it exists

type CertificateError

type CertificateError struct {
	Invalid [][]byte
	Err     error
}

func (CertificateError) Error

func (c CertificateError) Error() string

func (CertificateError) Unwrap

func (c CertificateError) Unwrap() error

type ContentInfo

type ContentInfo struct {
	Raw         asn1.RawContent
	ContentType asn1.ObjectIdentifier
}

func NewContentInfo

func NewContentInfo(contentType asn1.ObjectIdentifier, data interface{}) (ci ContentInfo, err error)

Create a ContentInfo structure for the given bytes or structure. data can be nil for detached signatures.

func (ContentInfo) Bytes

func (ci ContentInfo) Bytes() ([]byte, error)

Get raw content in DER encoding, or nil if it's not present

func (ContentInfo) Unmarshal

func (ci ContentInfo) Unmarshal(dest interface{}) (err error)

Unmarshal a structure from a ContentInfo.

type ContentInfoSignedData

type ContentInfoSignedData struct {
	ContentType asn1.ObjectIdentifier
	Content     SignedData `asn1:"explicit,optional,tag:0"`
}

func Unmarshal

func Unmarshal(blob []byte) (*ContentInfoSignedData, error)

Parse a signature from bytes

func (*ContentInfoSignedData) Detach

func (psd *ContentInfoSignedData) Detach() ([]byte, error)

Remove and return inlined content from the document, leaving a detached signature

func (*ContentInfoSignedData) Marshal

func (psd *ContentInfoSignedData) Marshal() ([]byte, error)

Marshal the signature to bytes

type ErrNoAttribute

type ErrNoAttribute struct {
	ID asn1.ObjectIdentifier
}

func (ErrNoAttribute) Error

func (e ErrNoAttribute) Error() string

type IssuerAndSerial

type IssuerAndSerial struct {
	IssuerName   asn1.RawValue
	SerialNumber *big.Int
}

type MissingCertificateError

type MissingCertificateError struct {
	Issuer       asn1.RawValue
	SerialNumber *big.Int
}

func (MissingCertificateError) Error

func (e MissingCertificateError) Error() string

type RawCertificates

type RawCertificates []asn1.RawValue

func (RawCertificates) Parse

func (raw RawCertificates) Parse() ([]*x509.Certificate, error)

Parse raw certificates from structure. If any cert is invalid, the remaining valid certs are returned along with a CertificateError.

type Signature

type Signature struct {
	SignerInfo    *SignerInfo
	Certificate   *x509.Certificate
	Intermediates []*x509.Certificate
	CertError     error
}

func (Signature) VerifyChain

func (info Signature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate, usage x509.ExtKeyUsage, currentTime time.Time) error

Verify the X509 chain from a signature against the given roots. extraCerts will be added to the intermediates if provided. usage gives the certificate usage required for the leaf certificate, or ExtKeyUsageAny otherwise. If a PKCS#9 trusted timestamp was found, pass that timestamp in currentTime to validate the chain as of the time of the signature.

type SignatureBuilder

type SignatureBuilder struct {
	// contains filtered or unexported fields
}

func NewBuilder

func NewBuilder(privKey crypto.Signer, certs []*x509.Certificate, opts crypto.SignerOpts) *SignatureBuilder

Build a PKCS#7 signature procedurally. Returns a structure that can have content and attributes attached to it.

func (*SignatureBuilder) AddAuthenticatedAttribute

func (sb *SignatureBuilder) AddAuthenticatedAttribute(oid asn1.ObjectIdentifier, data interface{}) error

Add an authenticated attribute to SignerInfo

func (*SignatureBuilder) SetContent

func (sb *SignatureBuilder) SetContent(ctype asn1.ObjectIdentifier, data interface{}) error

Embed bytes or a structure into the PKCS#7 content

func (*SignatureBuilder) SetContentData

func (sb *SignatureBuilder) SetContentData(data []byte) error

Set content to a generic "data" blob

func (*SignatureBuilder) SetContentInfo

func (sb *SignatureBuilder) SetContentInfo(cinfo ContentInfo) error

Set a ContentInfo structure as the PKCS#7 content

func (*SignatureBuilder) SetDetachedContent

func (sb *SignatureBuilder) SetDetachedContent(ctype asn1.ObjectIdentifier, digest []byte) error

Set a "detached" content type, with digest

func (*SignatureBuilder) Sign

Complete the signature and return the full PKCS#7 structure

type SignedData

type SignedData struct {
	Version                    int                        `asn1:"default:1"`
	DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"`
	ContentInfo                ContentInfo                ``
	Certificates               RawCertificates            `asn1:"optional,tag:0"`
	CRLs                       []pkix.CertificateList     `asn1:"optional,tag:1"`
	SignerInfos                []SignerInfo               `asn1:"set"`
}

func (*SignedData) Verify

func (sd *SignedData) Verify(externalContent []byte, skipDigests bool) (Signature, error)

Verify the content in a SignedData structure. External content may be provided if it is a detached signature. Information about the signature is returned, however X509 chains are not validated. Call VerifyChain() to complete the verification process.

If skipDigests is true, then the main content section is not checked, but the SignerInfos are still checked for a valid signature.

type SignerInfo

type SignerInfo struct {
	RawContent asn1.RawContent

	Version                   int                      `asn1:"default:1"`
	IssuerAndSerialNumber     IssuerAndSerial          ``
	DigestAlgorithm           pkix.AlgorithmIdentifier ``
	AuthenticatedAttributes   AttributeList            `asn1:"optional,tag:0"`
	DigestEncryptionAlgorithm pkix.AlgorithmIdentifier ``
	EncryptedDigest           []byte                   ``
	UnauthenticatedAttributes AttributeList            `asn1:"optional,tag:1"`
}

func (SignerInfo) AuthenticatedAttributesBytes

func (i SignerInfo) AuthenticatedAttributesBytes() ([]byte, error)

AuthenticatedAttributesBytes returns a SET OF form of the attribute list for digesting, per RFC 2315 9.3, 2nd paragraph

func (*SignerInfo) FindCertificate

func (si *SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)

Find the certificate that signed this SignerInfo from the bucket of certs

func (SignerInfo) SigningTime

func (i SignerInfo) SigningTime() (time.Time, error)

func (*SignerInfo) Verify

func (si *SignerInfo) Verify(content []byte, skipDigests bool, certs []*x509.Certificate) (*x509.Certificate, error)

Verify the signature contained in this SignerInfo and return the leaf certificate. X509 chains are not validated.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL