protocol

package
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 10, 2024 License: Apache-2.0, MIT, MIT Imports: 15 Imported by: 1

README

cms/protocol

cms/protocol implements low-level parsing of CMS (PKCS#7) data.

This package is based off github/cms which is based on fullsailor/pkcs7 and contains the license from that repository.

Documentation

Overview

Package protocol implements low level CMS types, parsing and generation.

Index

Constants

This section is empty.

Variables

View Source 
var (
	// ErrWrongType is returned by methods that make assumptions about types.
	// Helper methods are defined for accessing CHOICE and  ANY feilds. These
	// helper methods get the value of the field, assuming it is of a given type.
	// This error is returned if that assumption is wrong and the field has a
	// different type.
	ErrWrongType = errors.New("cms/protocol: wrong choice or any type")

	// ErrNoCertificate is returned when a requested certificate cannot be found.
	ErrNoCertificate = errors.New("no certificate found")

	// ErrUnsupported is returned when an unsupported type or version
	// is encountered.
	ErrUnsupported = ASN1Error{"unsupported type or version"}

	// ErrTrailingData is returned when extra data is found after parsing an ASN.1
	// structure.
	ErrTrailingData = ASN1Error{"unexpected trailing data"}
)

Functions

func NewIssuerAndSerialNumber 

func NewIssuerAndSerialNumber(cert *x509.Certificate) (asn1.RawValue, error)

NewIssuerAndSerialNumber creates a IssuerAndSerialNumber SID for the given cert.

Types

type ASN1Error 

type ASN1Error struct {
	Message string
}

ASN1Error is an error from parsing ASN.1 structures.

func (ASN1Error) Error 

func (err ASN1Error) Error() string

Error implements the error interface.

type AnySet 

type AnySet struct {
	Elements []asn1.RawValue `asn1:"set"`
}

AnySet is a helper for dealing with SET OF ANY types.

func DecodeAnySet 

func DecodeAnySet(rv asn1.RawValue) (as AnySet, err error)

DecodeAnySet manually decodes a SET OF ANY type, since Go's parser can't handle them.

func NewAnySet 

func NewAnySet(elts ...asn1.RawValue) AnySet

NewAnySet creates a new AnySet.

func (AnySet) Encode 

func (as AnySet) Encode(dst *asn1.RawValue) (err error)

Encode manually encodes a SET OF ANY type, since Go's parser can't handle them.

type Attribute 

type Attribute struct {
	Type asn1.ObjectIdentifier

	// This should be a SET OF ANY, but Go's asn1 parser can't handle slices of
	// RawValues. Use value() to get an AnySet of the value.
	RawValue asn1.RawValue
}
Attribute ::= SEQUENCE {
  attrType OBJECT IDENTIFIER,
  attrValues SET OF AttributeValue }

AttributeValue ::= ANY

func NewAttribute 

func NewAttribute(typ asn1.ObjectIdentifier, val interface{}) (Attribute, error)

NewAttribute creates a single-value Attribute.

func (Attribute) Value 

func (a Attribute) Value() (AnySet, error)

Value further decodes the attribute Value as a SET OF ANY, which Go's asn1 parser can't handle directly.

type Attributes 

type Attributes []Attribute

Attributes is a common Go type for SignedAttributes and UnsignedAttributes.

SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

func (Attributes) GetOnlyAttributeValueBytes 

func (attrs Attributes) GetOnlyAttributeValueBytes(
	oid asn1.ObjectIdentifier) (asn1.RawValue, error)

GetOnlyAttributeValueBytes gets an attribute value, returning an error if the attribute occurs multiple times or has multiple values.

func (Attributes) GetValues 

func (attrs Attributes) GetValues(oid asn1.ObjectIdentifier) ([]AnySet, error)

GetValues retreives the attributes with the given OID. A nil value is returned if the OPTIONAL SET of Attributes is missing from the SignerInfo. An empty slice is returned if the specified attribute isn't in the set.

func (Attributes) HasAttribute 

func (attrs Attributes) HasAttribute(oid asn1.ObjectIdentifier) bool

HasAttribute checks if an attribute is present.

func (Attributes) MarshaledForSigning 

func (attrs Attributes) MarshaledForSigning() ([]byte, error)

MarshaledForSigning DER encodes the Attributes as needed for signing SignedAttributes. RFC5652 explains this encoding: 

A separate encoding of the signedAttrs field is performed for message
digest calculation. The IMPLICIT [0] tag in the signedAttrs is not used for
the DER encoding, rather an EXPLICIT SET OF tag is used.  That is, the DER
encoding of the EXPLICIT SET OF tag, rather than of the IMPLICIT [0] tag,
MUST be included in the message digest calculation along with the length
and content octets of the SignedAttributes value.

When verifying, use MarshaledForVerifying to guarantee backwards compatibility.

func (Attributes) MarshaledForVerifying 

func (attrs Attributes) MarshaledForVerifying() ([]byte, error)

MarshaledForVerifying DER encodes the Attributes as needed for verifying SignedAttributes. The order of the attributes is preserved to allow verifying signatures that were produced by applications running go1.14 or older.

As of go1.15 marshalling a SET in DER adheres to X690 Section 11.6 and produces an ordered set. (https://github.com/golang/go/commit/f0cea848679b8f8cdc5f76e1b1e36ebb924a68f8)

Signatures produced by applications using go1.14 or older have unsorted attributes and would fail to verify if order is not preserved.

type ContentInfo 

type ContentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,tag:0"`
}
ContentInfo ::= SEQUENCE {
  contentType ContentType,
  content [0] EXPLICIT ANY DEFINED BY contentType }

ContentType ::= OBJECT IDENTIFIER

func ParseContentInfo 

func ParseContentInfo(der []byte) (ContentInfo, error)

ParseContentInfo parses a top-level ContentInfo type from DER encoded data.

func (ContentInfo) SignedDataContent 

func (ci ContentInfo) SignedDataContent() (*SignedData, error)

SignedDataContent gets the content assuming contentType is signedData.

type EncapsulatedContentInfo 

type EncapsulatedContentInfo struct {
	EContentType asn1.ObjectIdentifier
	EContent     asn1.RawValue `asn1:"optional,explicit,tag:0"`
}
EncapsulatedContentInfo ::= SEQUENCE {
  eContentType ContentType,
  eContent [0] EXPLICIT OCTET STRING OPTIONAL }

ContentType ::= OBJECT IDENTIFIER

func NewDataEncapsulatedContentInfo 

func NewDataEncapsulatedContentInfo(data []byte) (EncapsulatedContentInfo, error)

NewDataEncapsulatedContentInfo creates a new EncapsulatedContentInfo of type id-data.

func NewEncapsulatedContentInfo 

func NewEncapsulatedContentInfo(contentType asn1.ObjectIdentifier,
	content []byte) (EncapsulatedContentInfo, error)

NewEncapsulatedContentInfo creates a new EncapsulatedContentInfo.

func (EncapsulatedContentInfo) DataEContent 

func (eci EncapsulatedContentInfo) DataEContent() ([]byte, error)

DataEContent gets the EContent assuming EContentType is data.

func (EncapsulatedContentInfo) EContentValue 

func (eci EncapsulatedContentInfo) EContentValue() ([]byte, error)

EContentValue gets the OCTET STRING EContent value without tag or length. This is what the message digest is calculated over. A nil byte slice is returned if the OPTIONAL eContent field is missing.

func (EncapsulatedContentInfo) IsTypeData 

func (eci EncapsulatedContentInfo) IsTypeData() bool

IsTypeData checks if the EContentType is id-data.

type IssuerAndSerialNumber 

type IssuerAndSerialNumber struct {
	Issuer       asn1.RawValue
	SerialNumber *big.Int
}
IssuerAndSerialNumber ::= SEQUENCE {
	issuer Name,
	serialNumber CertificateSerialNumber }

CertificateSerialNumber ::= INTEGER

type SignedData 

type SignedData struct {
	Version          int
	DigestAlgorithms []pkix.AlgorithmIdentifier `asn1:"set"`
	EncapContentInfo EncapsulatedContentInfo
	Certificates     []asn1.RawValue `asn1:"optional,set,tag:0"`
	CRLs             []asn1.RawValue `asn1:"optional,set,tag:1"`
	SignerInfos      []SignerInfo    `asn1:"set"`
}
SignedData ::= SEQUENCE {
  version CMSVersion,
  digestAlgorithms DigestAlgorithmIdentifiers,
  encapContentInfo EncapsulatedContentInfo,
  certificates [0] IMPLICIT CertificateSet OPTIONAL,
  crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
  signerInfos SignerInfos }

CMSVersion ::= INTEGER 

{ v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier

CertificateSet ::= SET OF CertificateChoices 

CertificateChoices ::= CHOICE {
  certificate Certificate,
  extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
  v1AttrCert [1] IMPLICIT AttributeCertificateV1,       -- Obsolete
  v2AttrCert [2] IMPLICIT AttributeCertificateV2,
  other [3] IMPLICIT OtherCertificateFormat }

OtherCertificateFormat ::= SEQUENCE {
  otherCertFormat OBJECT IDENTIFIER,
  otherCert ANY DEFINED BY otherCertFormat }

RevocationInfoChoices ::= SET OF RevocationInfoChoice 

RevocationInfoChoice ::= CHOICE {
  crl CertificateList,
  other [1] IMPLICIT OtherRevocationInfoFormat }

OtherRevocationInfoFormat ::= SEQUENCE {
  otherRevInfoFormat OBJECT IDENTIFIER,
  otherRevInfo ANY DEFINED BY otherRevInfoFormat }

SignerInfos ::= SET OF SignerInfo

func NewSignedData 

func NewSignedData(eci EncapsulatedContentInfo) (*SignedData, error)

NewSignedData creates a new SignedData.

func (*SignedData) AddCertificate 

func (sd *SignedData) AddCertificate(cert *x509.Certificate) error

AddCertificate adds a *x509.Certificate.

func (*SignedData) AddDigestAlgorithm 

func (sd *SignedData) AddDigestAlgorithm(algo pkix.AlgorithmIdentifier)

AddDigestAlgorithm adds a new AlgorithmIdentifier if it doesn't exist yet.

func (*SignedData) AddSignerInfo 

func (sd *SignedData) AddSignerInfo(chain []*x509.Certificate, signer crypto.Signer) error

AddSignerInfo adds a SignerInfo to the SignedData.

func (*SignedData) ClearCertificates 

func (sd *SignedData) ClearCertificates()

ClearCertificates removes all certificates.

func (*SignedData) ContentInfo 

func (sd *SignedData) ContentInfo() (ContentInfo, error)

ContentInfo returns the SignedData wrapped in a ContentInfo packet.

func (*SignedData) ContentInfoDER 

func (sd *SignedData) ContentInfoDER() ([]byte, error)

ContentInfoDER returns the SignedData wrapped in a ContentInfo packet and DER encoded.

func (*SignedData) X509Certificates 

func (sd *SignedData) X509Certificates() ([]*x509.Certificate, error)

X509Certificates gets the certificates, assuming that they're X.509 encoded.

type SignerInfo 

type SignerInfo struct {
	Version            int
	SID                asn1.RawValue
	DigestAlgorithm    pkix.AlgorithmIdentifier
	SignedAttrs        Attributes `asn1:"set,optional,tag:0"`
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          []byte
	UnsignedAttrs      Attributes `asn1:"set,optional,tag:1"`
}
SignerInfo ::= SEQUENCE {
  version CMSVersion,
  sid SignerIdentifier,
  digestAlgorithm DigestAlgorithmIdentifier,
  signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
  signatureAlgorithm SignatureAlgorithmIdentifier,
  signature SignatureValue,
  unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }

CMSVersion ::= INTEGER 

{ v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

SignerIdentifier ::= CHOICE {
  issuerAndSerialNumber IssuerAndSerialNumber,
  subjectKeyIdentifier [0] SubjectKeyIdentifier }

DigestAlgorithmIdentifier ::= AlgorithmIdentifier

SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

SignatureAlgorithmIdentifier ::= AlgorithmIdentifier

SignatureValue ::= OCTET STRING

UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

func (SignerInfo) FindCertificate 

func (si SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)

FindCertificate finds this SignerInfo's certificate in a slice of certificates.

func (SignerInfo) GetContentTypeAttribute 

func (si SignerInfo) GetContentTypeAttribute() (asn1.ObjectIdentifier, error)

GetContentTypeAttribute gets the signed ContentType attribute from the SignerInfo.

func (SignerInfo) GetMessageDigestAttribute 

func (si SignerInfo) GetMessageDigestAttribute() ([]byte, error)

GetMessageDigestAttribute gets the signed MessageDigest attribute from the SignerInfo.

func (SignerInfo) GetSigningTimeAttribute 

func (si SignerInfo) GetSigningTimeAttribute() (time.Time, error)

GetSigningTimeAttribute gets the signed SigningTime attribute from the SignerInfo.

func (SignerInfo) Hash 

func (si SignerInfo) Hash() (crypto.Hash, error)

Hash gets the crypto.Hash associated with this SignerInfo's DigestAlgorithm. 0 is returned for unrecognized algorithms.

func (SignerInfo) X509SignatureAlgorithm 

func (si SignerInfo) X509SignatureAlgorithm() x509.SignatureAlgorithm

X509SignatureAlgorithm gets the x509.SignatureAlgorithm that should be used for verifying this SignerInfo's signature.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.