protocol

package
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 16, 2023 License: Apache-2.0, MIT, MIT Imports: 15 Imported by: 3

README

cms/protocol

cms/protocol implements low-level parsing of CMS (PKCS#7) data.

This package is based off github/cms which is based on fullsailor/pkcs7 and contains the license from that repository.

Documentation

Overview

Package protocol implements low level CMS types, parsing and generation.

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrWrongType is returned by methods that make assumptions about types.
	// Helper methods are defined for accessing CHOICE and  ANY feilds. These
	// helper methods get the value of the field, assuming it is of a given type.
	// This error is returned if that assumption is wrong and the field has a
	// different type.
	ErrWrongType = errors.New("cms/protocol: wrong choice or any type")

	// ErrNoCertificate is returned when a requested certificate cannot be found.
	ErrNoCertificate = errors.New("no certificate found")

	// ErrUnsupported is returned when an unsupported type or version
	// is encountered.
	ErrUnsupported = ASN1Error{"unsupported type or version"}

	// ErrTrailingData is returned when extra data is found after parsing an ASN.1
	// structure.
	ErrTrailingData = ASN1Error{"unexpected trailing data"}
)

Functions

func NewIssuerAndSerialNumber

func NewIssuerAndSerialNumber(cert *x509.Certificate) (asn1.RawValue, error)

NewIssuerAndSerialNumber creates a IssuerAndSerialNumber SID for the given cert.

Types

type ASN1Error

type ASN1Error struct {
	Message string
}

ASN1Error is an error from parsing ASN.1 structures.

func (ASN1Error) Error

func (err ASN1Error) Error() string

Error implements the error interface.

type AnySet

type AnySet struct {
	Elements []asn1.RawValue `asn1:"set"`
}

AnySet is a helper for dealing with SET OF ANY types.

func DecodeAnySet

func DecodeAnySet(rv asn1.RawValue) (as AnySet, err error)

DecodeAnySet manually decodes a SET OF ANY type, since Go's parser can't handle them.

func NewAnySet

func NewAnySet(elts ...asn1.RawValue) AnySet

NewAnySet creates a new AnySet.

func (AnySet) Encode

func (as AnySet) Encode(dst *asn1.RawValue) (err error)

Encode manually encodes a SET OF ANY type, since Go's parser can't handle them.

type Attribute

type Attribute struct {
	Type asn1.ObjectIdentifier

	// This should be a SET OF ANY, but Go's asn1 parser can't handle slices of
	// RawValues. Use value() to get an AnySet of the value.
	RawValue asn1.RawValue
}
Attribute ::= SEQUENCE {
  attrType OBJECT IDENTIFIER,
  attrValues SET OF AttributeValue }

AttributeValue ::= ANY

func NewAttribute

func NewAttribute(typ asn1.ObjectIdentifier, val interface{}) (Attribute, error)

NewAttribute creates a single-value Attribute.

func (Attribute) Value

func (a Attribute) Value() (AnySet, error)

Value further decodes the attribute Value as a SET OF ANY, which Go's asn1 parser can't handle directly.

type Attributes

type Attributes []Attribute

Attributes is a common Go type for SignedAttributes and UnsignedAttributes.

SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

func (Attributes) GetOnlyAttributeValueBytes

func (attrs Attributes) GetOnlyAttributeValueBytes(
	oid asn1.ObjectIdentifier) (asn1.RawValue, error)

GetOnlyAttributeValueBytes gets an attribute value, returning an error if the attribute occurs multiple times or has multiple values.

func (Attributes) GetValues

func (attrs Attributes) GetValues(oid asn1.ObjectIdentifier) ([]AnySet, error)

GetValues retreives the attributes with the given OID. A nil value is returned if the OPTIONAL SET of Attributes is missing from the SignerInfo. An empty slice is returned if the specified attribute isn't in the set.

func (Attributes) HasAttribute

func (attrs Attributes) HasAttribute(oid asn1.ObjectIdentifier) bool

HasAttribute checks if an attribute is present.

func (Attributes) MarshaledForSigning

func (attrs Attributes) MarshaledForSigning() ([]byte, error)

MarshaledForSigning DER encodes the Attributes as needed for signing SignedAttributes. RFC5652 explains this encoding:

A separate encoding of the signedAttrs field is performed for message
digest calculation. The IMPLICIT [0] tag in the signedAttrs is not used for
the DER encoding, rather an EXPLICIT SET OF tag is used.  That is, the DER
encoding of the EXPLICIT SET OF tag, rather than of the IMPLICIT [0] tag,
MUST be included in the message digest calculation along with the length
and content octets of the SignedAttributes value.

When verifying, use MarshaledForVerifying to guarantee backwards compatibility.

func (Attributes) MarshaledForVerifying

func (attrs Attributes) MarshaledForVerifying() ([]byte, error)

MarshaledForVerifying DER encodes the Attributes as needed for verifying SignedAttributes. The order of the attributes is preserved to allow verifying signatures that were produced by applications running go1.14 or older.

As of go1.15 marshalling a SET in DER adheres to X690 Section 11.6 and produces an ordered set. (https://github.com/golang/go/commit/f0cea848679b8f8cdc5f76e1b1e36ebb924a68f8)

Signatures produced by applications using go1.14 or older have unsorted attributes and would fail to verify if order is not preserved.

type ContentInfo

type ContentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,tag:0"`
}
ContentInfo ::= SEQUENCE {
  contentType ContentType,
  content [0] EXPLICIT ANY DEFINED BY contentType }

ContentType ::= OBJECT IDENTIFIER

func ParseContentInfo

func ParseContentInfo(der []byte) (ContentInfo, error)

ParseContentInfo parses a top-level ContentInfo type from DER encoded data.

func (ContentInfo) SignedDataContent

func (ci ContentInfo) SignedDataContent() (*SignedData, error)

SignedDataContent gets the content assuming contentType is signedData.

type EncapsulatedContentInfo

type EncapsulatedContentInfo struct {
	EContentType asn1.ObjectIdentifier
	EContent     asn1.RawValue `asn1:"optional,explicit,tag:0"`
}
EncapsulatedContentInfo ::= SEQUENCE {
  eContentType ContentType,
  eContent [0] EXPLICIT OCTET STRING OPTIONAL }

ContentType ::= OBJECT IDENTIFIER

func NewDataEncapsulatedContentInfo

func NewDataEncapsulatedContentInfo(data []byte) (EncapsulatedContentInfo, error)

NewDataEncapsulatedContentInfo creates a new EncapsulatedContentInfo of type id-data.

func NewEncapsulatedContentInfo

func NewEncapsulatedContentInfo(contentType asn1.ObjectIdentifier,
	content []byte) (EncapsulatedContentInfo, error)

NewEncapsulatedContentInfo creates a new EncapsulatedContentInfo.

func (EncapsulatedContentInfo) DataEContent

func (eci EncapsulatedContentInfo) DataEContent() ([]byte, error)

DataEContent gets the EContent assuming EContentType is data.

func (EncapsulatedContentInfo) EContentValue

func (eci EncapsulatedContentInfo) EContentValue() ([]byte, error)

EContentValue gets the OCTET STRING EContent value without tag or length. This is what the message digest is calculated over. A nil byte slice is returned if the OPTIONAL eContent field is missing.

func (EncapsulatedContentInfo) IsTypeData

func (eci EncapsulatedContentInfo) IsTypeData() bool

IsTypeData checks if the EContentType is id-data.

type IssuerAndSerialNumber

type IssuerAndSerialNumber struct {
	Issuer       asn1.RawValue
	SerialNumber *big.Int
}
IssuerAndSerialNumber ::= SEQUENCE {
	issuer Name,
	serialNumber CertificateSerialNumber }

CertificateSerialNumber ::= INTEGER

type SignedData

type SignedData struct {
	Version          int
	DigestAlgorithms []pkix.AlgorithmIdentifier `asn1:"set"`
	EncapContentInfo EncapsulatedContentInfo
	Certificates     []asn1.RawValue `asn1:"optional,set,tag:0"`
	CRLs             []asn1.RawValue `asn1:"optional,set,tag:1"`
	SignerInfos      []SignerInfo    `asn1:"set"`
}
SignedData ::= SEQUENCE {
  version CMSVersion,
  digestAlgorithms DigestAlgorithmIdentifiers,
  encapContentInfo EncapsulatedContentInfo,
  certificates [0] IMPLICIT CertificateSet OPTIONAL,
  crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
  signerInfos SignerInfos }

CMSVersion ::= INTEGER

{ v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier

CertificateSet ::= SET OF CertificateChoices

CertificateChoices ::= CHOICE {
  certificate Certificate,
  extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
  v1AttrCert [1] IMPLICIT AttributeCertificateV1,       -- Obsolete
  v2AttrCert [2] IMPLICIT AttributeCertificateV2,
  other [3] IMPLICIT OtherCertificateFormat }

OtherCertificateFormat ::= SEQUENCE {
  otherCertFormat OBJECT IDENTIFIER,
  otherCert ANY DEFINED BY otherCertFormat }

RevocationInfoChoices ::= SET OF RevocationInfoChoice

RevocationInfoChoice ::= CHOICE {
  crl CertificateList,
  other [1] IMPLICIT OtherRevocationInfoFormat }

OtherRevocationInfoFormat ::= SEQUENCE {
  otherRevInfoFormat OBJECT IDENTIFIER,
  otherRevInfo ANY DEFINED BY otherRevInfoFormat }

SignerInfos ::= SET OF SignerInfo

func NewSignedData

func NewSignedData(eci EncapsulatedContentInfo) (*SignedData, error)

NewSignedData creates a new SignedData.

func (*SignedData) AddCertificate

func (sd *SignedData) AddCertificate(cert *x509.Certificate) error

AddCertificate adds a *x509.Certificate.

func (*SignedData) AddDigestAlgorithm

func (sd *SignedData) AddDigestAlgorithm(algo pkix.AlgorithmIdentifier)

AddDigestAlgorithm adds a new AlgorithmIdentifier if it doesn't exist yet.

func (*SignedData) AddSignerInfo

func (sd *SignedData) AddSignerInfo(chain []*x509.Certificate, signer crypto.Signer) error

AddSignerInfo adds a SignerInfo to the SignedData.

func (*SignedData) ClearCertificates

func (sd *SignedData) ClearCertificates()

ClearCertificates removes all certificates.

func (*SignedData) ContentInfo

func (sd *SignedData) ContentInfo() (ContentInfo, error)

ContentInfo returns the SignedData wrapped in a ContentInfo packet.

func (*SignedData) ContentInfoDER

func (sd *SignedData) ContentInfoDER() ([]byte, error)

ContentInfoDER returns the SignedData wrapped in a ContentInfo packet and DER encoded.

func (*SignedData) X509Certificates

func (sd *SignedData) X509Certificates() ([]*x509.Certificate, error)

X509Certificates gets the certificates, assuming that they're X.509 encoded.

type SignerInfo

type SignerInfo struct {
	Version            int
	SID                asn1.RawValue
	DigestAlgorithm    pkix.AlgorithmIdentifier
	SignedAttrs        Attributes `asn1:"set,optional,tag:0"`
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          []byte
	UnsignedAttrs      Attributes `asn1:"set,optional,tag:1"`
}
SignerInfo ::= SEQUENCE {
  version CMSVersion,
  sid SignerIdentifier,
  digestAlgorithm DigestAlgorithmIdentifier,
  signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
  signatureAlgorithm SignatureAlgorithmIdentifier,
  signature SignatureValue,
  unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }

CMSVersion ::= INTEGER

{ v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }

SignerIdentifier ::= CHOICE {
  issuerAndSerialNumber IssuerAndSerialNumber,
  subjectKeyIdentifier [0] SubjectKeyIdentifier }

DigestAlgorithmIdentifier ::= AlgorithmIdentifier

SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

SignatureAlgorithmIdentifier ::= AlgorithmIdentifier

SignatureValue ::= OCTET STRING

UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

func (SignerInfo) FindCertificate

func (si SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)

FindCertificate finds this SignerInfo's certificate in a slice of certificates.

func (SignerInfo) GetContentTypeAttribute

func (si SignerInfo) GetContentTypeAttribute() (asn1.ObjectIdentifier, error)

GetContentTypeAttribute gets the signed ContentType attribute from the SignerInfo.

func (SignerInfo) GetMessageDigestAttribute

func (si SignerInfo) GetMessageDigestAttribute() ([]byte, error)

GetMessageDigestAttribute gets the signed MessageDigest attribute from the SignerInfo.

func (SignerInfo) GetSigningTimeAttribute

func (si SignerInfo) GetSigningTimeAttribute() (time.Time, error)

GetSigningTimeAttribute gets the signed SigningTime attribute from the SignerInfo.

func (SignerInfo) Hash

func (si SignerInfo) Hash() (crypto.Hash, error)

Hash gets the crypto.Hash associated with this SignerInfo's DigestAlgorithm. 0 is returned for unrecognized algorithms.

func (SignerInfo) X509SignatureAlgorithm

func (si SignerInfo) X509SignatureAlgorithm() x509.SignatureAlgorithm

X509SignatureAlgorithm gets the x509.SignatureAlgorithm that should be used for verifying this SignerInfo's signature.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL