pkcs7

package module
v0.0.0-...-f563555 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 23, 2017 License: MIT Imports: 25 Imported by: 0

README

pkcs7

GoDoc

pkcs7 implements parsing and creating signed and enveloped messages.

Documentation

Overview

Package pkcs7 implements parsing and generation of some PKCS#7 structures.

Index

Constants

This section is empty.

Variables

View Source 
var (

	// ErrBerIsEmpty is returned when BER structure is empty
	ErrBerIsEmpty = errors.New("ber2der: input ber is empty")
	// ErrTagLenTooLong is returned when BER tag length is too long
	ErrTagLenTooLong = errors.New("ber2der: BER tag length too long")
	// ErrTagLenNegative is returned when a BER tag has negative length
	ErrTagLenNegative = errors.New("ber2der: BER tag length is negative")
	// ErrTagLenHasLeadingZero is returned when a BER tag has a negative length
	ErrTagLenHasLeadingZero = errors.New("ber2der: BER tag length has leading zero")
	// ErrTagLenOverflow is returned when a BER tag has a length greater
	// then the whole data length.
	ErrTagLenOverflow = errors.New("ber2der: BER tag length is more than available data")
	// ErrInvalidFormat is returned when the given data does not have
	// correct BER format.
	ErrInvalidFormat = errors.New("ber2der: Invalid BER format")
)
View Source 
var ErrNotEncryptedContent = errors.New("pkcs7: content data is a decryptable data type")

ErrNotEncryptedContent is returned when attempting to Decrypt data that is not encrypted data

View Source 
var ErrUnsupportedAlgorithm = errors.New("pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3 and AES-256-CBC supported")

ErrUnsupportedAlgorithm tells you when our quick dev assumptions have failed

View Source 
var ErrUnsupportedContentType = errors.New("pkcs7: cannot parse data: unimplemented content type")

ErrUnsupportedContentType is returned when a PKCS7 content is not supported. Currently only Data (1.2.840.113549.1.7.1), Signed Data (1.2.840.113549.1.7.2), and Enveloped Data are supported (1.2.840.113549.1.7.3)

Functions

func DegenerateCertificate 

func DegenerateCertificate(cert []byte) ([]byte, error)

DegenerateCertificate creates a signed data structure containing only the provided certificate

func Encrypt 

func Encrypt(content []byte, recipients []*x509.Certificate) ([]byte, error)

Encrypt creates and returns an envelope data PKCS7 structure with encrypted recipient keys for each recipient public key TODO(fullsailor): Add support for encrypting content with other algorithms

func Unmarshal 

func Unmarshal(b []byte, val interface{}) (rest []byte, err error)

Unmarshal parses the DER-encoded ASN.1 data structure b and uses the reflect package to fill in an arbitrary value pointed at by val. Because Unmarshal uses the reflect package, the structs being written to must use upper case field names.

An ASN.1 INTEGER can be written to an int, int32, int64, or *big.Int (from the math/big package). If the encoded value does not fit in the Go type, Unmarshal returns a parse error.

An ASN.1 BIT STRING can be written to a asn1.BitString.

An ASN.1 OCTET STRING can be written to a []byte.

An ASN.1 OBJECT IDENTIFIER can be written to an asn1.ObjectIdentifier.

An ASN.1 ENUMERATED can be written to an asn1.Enumerated.

An ASN.1 UTCTIME or GENERALIZEDTIME can be written to a time.Time.

An ASN.1 PrintableString or IA5String can be written to a string.

Any of the above ASN.1 values can be written to an interface{}. The value stored in the interface has the corresponding Go type. For integers, that type is int64.

An ASN.1 SEQUENCE OF x or SET OF x can be written to a slice if an x can be written to the slice's element type.

An ASN.1 SEQUENCE or SET can be written to a struct if each of the elements in the sequence can be written to the corresponding element in the struct.

The following tags on struct fields have special meaning to Unmarshal: 

application	specifies that a APPLICATION tag is used
default:x	sets the default value for optional integer fields
explicit	specifies that an additional, explicit tag wraps the implicit one
optional	marks the field as ASN.1 OPTIONAL
set		causes a SET, rather than a SEQUENCE type to be expected
tag:x		specifies the ASN.1 tag number; implies ASN.1 CONTEXT SPECIFIC

If the type of the first field of a structure is asn1.RawContent then the raw ASN1 contents of the struct will be stored in it.

If the type name of a slice element ends with "SET" then it's treated as if the "set" tag was set on it. This can be used with nested slices where a struct tag cannot be given.

Other ASN.1 types are not supported; if it encounters them, Unmarshal returns a parse error.

Types

type Attribute 

type Attribute struct {
	Type  asn1.ObjectIdentifier
	Value interface{}
}

Attribute represents a key value pair attribute. Value must be marshalable byte `encoding/asn1`

type MessageDigestMismatchError 

type MessageDigestMismatchError struct {
	ExpectedDigest []byte
	ActualDigest   []byte
}

MessageDigestMismatchError is returned when the signer data digest does not match the computed digest for the contained content

func (*MessageDigestMismatchError) Error 

func (err *MessageDigestMismatchError) Error() string

type PKCS7 

type PKCS7 struct {
	Content      []byte
	Certificates []*x509.Certificate
	CRLs         []pkix.CertificateList
	Signers      []signerInfo
	// contains filtered or unexported fields
}

PKCS7 Represents a PKCS7 structure

func Parse 

func Parse(data []byte) (p7 *PKCS7, err error)

Parse decodes a DER encoded PKCS7 package

func ReadFrom 

func ReadFrom(r io.Reader) (p7 *PKCS7, err error)

ReadFrom reads data from reader

func (*PKCS7) Decrypt 

func (p7 *PKCS7) Decrypt(cert *x509.Certificate, pk crypto.PrivateKey) ([]byte, error)

Decrypt decrypts encrypted content info for recipient cert and private key

func (*PKCS7) GetOnlySigner 

func (p7 *PKCS7) GetOnlySigner() *x509.Certificate

GetOnlySigner returns an x509.Certificate for the first signer of the signed data payload. If there are more or less than one signer, nil is returned

func (*PKCS7) UnmarshalSignedAttribute 

func (p7 *PKCS7) UnmarshalSignedAttribute(attributeType asn1.ObjectIdentifier, out interface{}) error

UnmarshalSignedAttribute decodes a single attribute from the signer info

func (*PKCS7) Verify 

func (p7 *PKCS7) Verify() (err error)

Verify checks the signatures of a PKCS7 object WARNING: Verify does not check signing time or verify certificate chains at this time.

type SignedData 

type SignedData struct {
	// contains filtered or unexported fields
}

SignedData is an opaque data structure for creating signed data payloads

func NewSignedData 

func NewSignedData(data []byte) (*SignedData, error)

NewSignedData initializes a SignedData with content

func (*SignedData) AddCertificate 

func (sd *SignedData) AddCertificate(cert *x509.Certificate)

AddCertificate adds the certificate to the payload. Useful for parent certificates

func (*SignedData) AddSigner 

func (sd *SignedData) AddSigner(cert *x509.Certificate, pkey crypto.PrivateKey, config SignerInfoConfig) error

AddSigner signs attributes about the content and adds certificate to payload

func (*SignedData) Finish 

func (sd *SignedData) Finish() ([]byte, error)

Finish marshals the content and its signers

type SignerInfoConfig 

type SignerInfoConfig struct {
	ExtraSignedAttributes []Attribute
}

SignerInfoConfig are optional values to include when adding a signer

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.