Version: v7.2.1+incompatible Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jul 31, 2019 License: Apache-2.0 Imports: 14 Imported by: 88



PKCS#7 is a specification for signing or encrypting data using ASN.1 structures. It is also known as CMS (cryptographic message syntax) and is discussed in RFC 2315, RFC 3369, RFC 3852, and RFC 5652.

This package implements signature operations needed for creating and validating signature technologies based on PKCS#7 including Java and Microsoft Authenticode



View Source
const MimeType = "application/pkcs7-mime"


View Source
var (
	OidData                   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
	OidSignedData             = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
	OidAttributeContentType   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
	OidAttributeMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
	OidAttributeSigningTime   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 5}


This section is empty.


type Attribute

type Attribute struct {
	Type   asn1.ObjectIdentifier
	Values asn1.RawValue

type AttributeList

type AttributeList []Attribute

func (*AttributeList) Add

func (l *AttributeList) Add(oid asn1.ObjectIdentifier, obj interface{}) error

create or append to an attribute

func (*AttributeList) Bytes

func (l *AttributeList) Bytes() ([]byte, error)

marshal authenticated attributes for digesting

func (*AttributeList) GetOne

func (l *AttributeList) GetOne(oid asn1.ObjectIdentifier, dest interface{}) error

unmarshal a single attribute, if it exists

type ContentInfo

type ContentInfo struct {
	Raw         asn1.RawContent
	ContentType asn1.ObjectIdentifier

func NewContentInfo

func NewContentInfo(contentType asn1.ObjectIdentifier, data interface{}) (ci ContentInfo, err error)

Create a ContentInfo structure for the given bytes or structure. data can be nil for detached signatures.

func (ContentInfo) Bytes

func (ci ContentInfo) Bytes() ([]byte, error)

Get raw content in DER encoding, or nil if it's not present

func (ContentInfo) Unmarshal

func (ci ContentInfo) Unmarshal(dest interface{}) (err error)

Unmarshal a structure from a ContentInfo.

type ContentInfoSignedData

type ContentInfoSignedData struct {
	ContentType asn1.ObjectIdentifier
	Content     SignedData `asn1:"explicit,optional,tag:0"`

func Unmarshal

func Unmarshal(blob []byte) (*ContentInfoSignedData, error)

Parse a signature from bytes

func (*ContentInfoSignedData) Detach

func (psd *ContentInfoSignedData) Detach() ([]byte, error)

Remove and return inlined content from the document, leaving a detached signature

func (*ContentInfoSignedData) Marshal

func (psd *ContentInfoSignedData) Marshal() ([]byte, error)

Marshal the signature to bytes

type ErrNoAttribute

type ErrNoAttribute struct {
	ID asn1.ObjectIdentifier

func (ErrNoAttribute) Error

func (e ErrNoAttribute) Error() string

type IssuerAndSerial

type IssuerAndSerial struct {
	IssuerName   asn1.RawValue
	SerialNumber *big.Int

type RawCertificates

type RawCertificates struct {
	Raw asn1.RawContent

func (RawCertificates) Parse

func (raw RawCertificates) Parse() ([]*x509.Certificate, error)

parse raw certificates from structure

type Signature

type Signature struct {
	SignerInfo    *SignerInfo
	Certificate   *x509.Certificate
	Intermediates []*x509.Certificate

func (Signature) VerifyChain

func (info Signature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate, usage x509.ExtKeyUsage, currentTime time.Time) error

Verify the X509 chain from a signature against the given roots. extraCerts will be added to the intermediates if provided. usage gives the certificate usage required for the leaf certificate, or ExtKeyUsageAny otherwise. If a PKCS#9 trusted timestamp was found, pass that timestamp in currentTime to validate the chain as of the time of the signature.

type SignatureBuilder

type SignatureBuilder struct {
	// contains filtered or unexported fields

func NewBuilder

func NewBuilder(privKey crypto.Signer, certs []*x509.Certificate, opts crypto.SignerOpts) *SignatureBuilder

Build a PKCS#7 signature procedurally. Returns a structure that can have content and attributes attached to it.

func (*SignatureBuilder) AddAuthenticatedAttribute

func (sb *SignatureBuilder) AddAuthenticatedAttribute(oid asn1.ObjectIdentifier, data interface{}) error

Add an authenticated attribute to SignerInfo

func (*SignatureBuilder) SetContent

func (sb *SignatureBuilder) SetContent(ctype asn1.ObjectIdentifier, data interface{}) error

Embed bytes or a structure into the PKCS#7 content

func (*SignatureBuilder) SetContentData

func (sb *SignatureBuilder) SetContentData(data []byte) error

Set content to a generic "data" blob

func (*SignatureBuilder) SetContentInfo

func (sb *SignatureBuilder) SetContentInfo(cinfo ContentInfo) error

Set a ContentInfo structure as the PKCS#7 content

func (*SignatureBuilder) SetDetachedContent

func (sb *SignatureBuilder) SetDetachedContent(ctype asn1.ObjectIdentifier, digest []byte) error

Set a "detached" content type, with digest

func (*SignatureBuilder) Sign

Complete the signature and return the full PKCS#7 structure

type SignedData

type SignedData struct {
	Version                    int                        `asn1:"default:1"`
	DigestAlgorithmIdentifiers []pkix.AlgorithmIdentifier `asn1:"set"`
	ContentInfo                ContentInfo                ``
	Certificates               RawCertificates            `asn1:"optional,tag:0"`
	CRLs                       []pkix.CertificateList     `asn1:"optional,tag:1"`
	SignerInfos                []SignerInfo               `asn1:"set"`

func (*SignedData) Verify

func (sd *SignedData) Verify(externalContent []byte, skipDigests bool) (Signature, error)

Verify the content in a SignedData structure. External content may be provided if it is a detached signature. Information about the signature is returned, however X509 chains are not validated. Call VerifyChain() to complete the verification process.

If skipDigests is true, then the main content section is not checked, but the SignerInfos are still checked for a valid signature.

type SignerInfo

type SignerInfo struct {
	Version                   int                      `asn1:"default:1"`
	IssuerAndSerialNumber     IssuerAndSerial          ``
	DigestAlgorithm           pkix.AlgorithmIdentifier ``
	AuthenticatedAttributes   AttributeList            `asn1:"optional,tag:0"`
	DigestEncryptionAlgorithm pkix.AlgorithmIdentifier ``
	EncryptedDigest           []byte                   ``
	UnauthenticatedAttributes AttributeList            `asn1:"optional,tag:1"`

func (*SignerInfo) FindCertificate

func (si *SignerInfo) FindCertificate(certs []*x509.Certificate) (*x509.Certificate, error)

Find the certificate that signed this SignerInfo from the bucket of certs

func (*SignerInfo) Verify

func (si *SignerInfo) Verify(content []byte, skipDigests bool, certs []*x509.Certificate) (*x509.Certificate, error)

Verify the signature contained in this SignerInfo and return the leaf certificate. X509 chains are not validated.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL