pkcs7

package

v7.2.1+incompatible Latest Latest Go to latest Published: Jul 31, 2019 License: Apache-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

Documentation ¶

Overview ¶

PKCS#7 is a specification for signing or encrypting data using ASN.1 structures. It is also known as CMS (cryptographic message syntax) and is discussed in RFC 2315, RFC 3369, RFC 3852, and RFC 5652.

This package implements signature operations needed for creating and validating signature technologies based on PKCS#7 including Java and Microsoft Authenticode

Index ¶

Constants
Variables
type Attribute
type AttributeList
- func (l *AttributeList) Add(oid asn1.ObjectIdentifier, obj interface{}) error
- func (l *AttributeList) Bytes() ([]byte, error)
- func (l *AttributeList) GetOne(oid asn1.ObjectIdentifier, dest interface{}) error
type ContentInfo
- func NewContentInfo(contentType asn1.ObjectIdentifier, data interface{}) (ci ContentInfo, err error)
- func (ci ContentInfo) Bytes() ([]byte, error)
- func (ci ContentInfo) Unmarshal(dest interface{}) (err error)
type ContentInfoSignedData
- func Unmarshal(blob []byte) (*ContentInfoSignedData, error)
- func (psd *ContentInfoSignedData) Detach() ([]byte, error)
- func (psd *ContentInfoSignedData) Marshal() ([]byte, error)
type ErrNoAttribute
- func (e ErrNoAttribute) Error() string
type IssuerAndSerial
type RawCertificates
- func (raw RawCertificates) Parse() ([]*x509.Certificate, error)
type Signature
- func (info Signature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate, usage x509.ExtKeyUsage, ...) error
type SignatureBuilder
- func NewBuilder(privKey crypto.Signer, certs []*x509.Certificate, opts crypto.SignerOpts) *SignatureBuilder
- func (sb *SignatureBuilder) AddAuthenticatedAttribute(oid asn1.ObjectIdentifier, data interface{}) error
- func (sb *SignatureBuilder) SetContent(ctype asn1.ObjectIdentifier, data interface{}) error
- func (sb *SignatureBuilder) SetContentData(data []byte) error
- func (sb *SignatureBuilder) SetContentInfo(cinfo ContentInfo) error
- func (sb *SignatureBuilder) SetDetachedContent(ctype asn1.ObjectIdentifier, digest []byte) error
- func (sb *SignatureBuilder) Sign() (*ContentInfoSignedData, error)
type SignedData
- func (sd *SignedData) Verify(externalContent []byte, skipDigests bool) (Signature, error)
type SignerInfo
- func (si *SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)
- func (si *SignerInfo) Verify(content []byte, skipDigests bool, certs []*x509.Certificate) (*x509.Certificate, error)

Constants ¶

View Source

const MimeType = "application/pkcs7-mime"

Variables ¶

View Source

var (
	OidData                   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
	OidSignedData             = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
	OidAttributeContentType   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
	OidAttributeMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
	OidAttributeSigningTime   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 5}
)

Functions ¶

This section is empty.

Types ¶

type Attribute ¶

type Attribute struct {
	Type   asn1.ObjectIdentifier
	Values asn1.RawValue
}

type AttributeList ¶

type AttributeList []Attribute

func (*AttributeList) Add ¶

func (l *AttributeList) Add(oid asn1.ObjectIdentifier, obj interface{}) error

create or append to an attribute

func (*AttributeList) Bytes ¶

func (l *AttributeList) Bytes() ([]byte, error)

marshal authenticated attributes for digesting

func (*AttributeList) GetOne ¶

func (l *AttributeList) GetOne(oid asn1.ObjectIdentifier, dest interface{}) error

unmarshal a single attribute, if it exists

type ContentInfo ¶

type ContentInfo struct {
	Raw         asn1.RawContent
	ContentType asn1.ObjectIdentifier
}

func NewContentInfo ¶

func NewContentInfo(contentType asn1.ObjectIdentifier, data interface{}) (ci ContentInfo, err error)

Create a ContentInfo structure for the given bytes or structure. data can be nil for detached signatures.

func (ContentInfo) Bytes ¶

func (ci ContentInfo) Bytes() ([]byte, error)

Get raw content in DER encoding, or nil if it's not present

func (ContentInfo) Unmarshal ¶

func (ci ContentInfo) Unmarshal(dest interface{}) (err error)

Unmarshal a structure from a ContentInfo.

type ContentInfoSignedData ¶

type ContentInfoSignedData struct {
	ContentType asn1.ObjectIdentifier
	Content     SignedData `asn1:"explicit,optional,tag:0"`
}

func (*ContentInfoSignedData) Detach ¶

func (psd *ContentInfoSignedData) Detach() ([]byte, error)

Remove and return inlined content from the document, leaving a detached signature

func (*ContentInfoSignedData) Marshal ¶

func (psd *ContentInfoSignedData) Marshal() ([]byte, error)

Marshal the signature to bytes

type ErrNoAttribute ¶

type ErrNoAttribute struct {
	ID asn1.ObjectIdentifier
}

func (ErrNoAttribute) Error ¶

func (e ErrNoAttribute) Error() string

type IssuerAndSerial ¶

type IssuerAndSerial struct {
	IssuerName   asn1.RawValue
	SerialNumber *big.Int
}

type RawCertificates ¶

type RawCertificates struct {
	Raw asn1.RawContent
}

func (RawCertificates) Parse ¶

func (raw RawCertificates) Parse() ([]*x509.Certificate, error)

parse raw certificates from structure

type Signature ¶

type Signature struct {
	SignerInfo    *SignerInfo
	Certificate   *x509.Certificate
	Intermediates []*x509.Certificate
}

func (Signature) VerifyChain ¶

func (info Signature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate, usage x509.ExtKeyUsage, currentTime time.Time) error

Verify the X509 chain from a signature against the given roots. extraCerts will be added to the intermediates if provided. usage gives the certificate usage required for the leaf certificate, or ExtKeyUsageAny otherwise. If a PKCS#9 trusted timestamp was found, pass that timestamp in currentTime to validate the chain as of the time of the signature.

type SignatureBuilder ¶

type SignatureBuilder struct {
	// contains filtered or unexported fields
}

func NewBuilder ¶

func NewBuilder(privKey crypto.Signer, certs []*x509.Certificate, opts crypto.SignerOpts) *SignatureBuilder

Build a PKCS#7 signature procedurally. Returns a structure that can have content and attributes attached to it.

func (*SignatureBuilder) AddAuthenticatedAttribute ¶

func (sb *SignatureBuilder) AddAuthenticatedAttribute(oid asn1.ObjectIdentifier, data interface{}) error

Add an authenticated attribute to SignerInfo

func (*SignatureBuilder) SetContent ¶

func (sb *SignatureBuilder) SetContent(ctype asn1.ObjectIdentifier, data interface{}) error

Embed bytes or a structure into the PKCS#7 content

func (*SignatureBuilder) SetContentData ¶

func (sb *SignatureBuilder) SetContentData(data []byte) error

Set content to a generic "data" blob

func (*SignatureBuilder) SetContentInfo ¶

func (sb *SignatureBuilder) SetContentInfo(cinfo ContentInfo) error

Set a ContentInfo structure as the PKCS#7 content

func (*SignatureBuilder) SetDetachedContent ¶

func (sb *SignatureBuilder) SetDetachedContent(ctype asn1.ObjectIdentifier, digest []byte) error

Set a "detached" content type, with digest

func (*SignatureBuilder) Sign ¶

func (sb *SignatureBuilder) Sign() (*ContentInfoSignedData, error)

Complete the signature and return the full PKCS#7 structure

type SignedData ¶

type SignedData struct {
	Version                    int                        `asn1:"default:1"`
	DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"`
	ContentInfo                ContentInfo                ``
	Certificates               RawCertificates            `asn1:"optional,tag:0"`
	CRLs                       []pkix.CertificateList     `asn1:"optional,tag:1"`
	SignerInfos                []SignerInfo               `asn1:"set"`
}

func (*SignedData) Verify ¶

func (sd *SignedData) Verify(externalContent []byte, skipDigests bool) (Signature, error)

Verify the content in a SignedData structure. External content may be provided if it is a detached signature. Information about the signature is returned, however X509 chains are not validated. Call VerifyChain() to complete the verification process.

If skipDigests is true, then the main content section is not checked, but the SignerInfos are still checked for a valid signature.

type SignerInfo ¶

type SignerInfo struct {
	Version                   int                      `asn1:"default:1"`
	IssuerAndSerialNumber     IssuerAndSerial          ``
	DigestAlgorithm           pkix.AlgorithmIdentifier ``
	AuthenticatedAttributes   AttributeList            `asn1:"optional,tag:0"`
	DigestEncryptionAlgorithm pkix.AlgorithmIdentifier ``
	EncryptedDigest           []byte                   ``
	UnauthenticatedAttributes AttributeList            `asn1:"optional,tag:1"`
}

func (*SignerInfo) FindCertificate ¶

func (si *SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)

Find the certificate that signed this SignerInfo from the bucket of certs

func (*SignerInfo) Verify ¶

func (si *SignerInfo) Verify(content []byte, skipDigests bool, certs []*x509.Certificate) (*x509.Certificate, error)

Verify the signature contained in this SignerInfo and return the leaf certificate. X509 chains are not validated.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL