Documentation
¶
Overview ¶
Package pkcs7 implements parsing and generation of some PKCS#7 structures.
Index ¶
- Constants
- Variables
- func DefaultEmbedRevocationStatusFunction(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error
- func EncodePNGSUBBytes(columns int, data []byte) ([]byte, error)
- func EncodePNGUPBytes(columns int, data []byte) ([]byte, error)
- func Encrypt(content []byte, recipients []*x509.Certificate) ([]byte, error)
- func EncryptUsingPSK(content []byte, key []byte) ([]byte, error)
- func Sign(input io.ReadSeeker, rdr *pdf.Reader, size int64, sign_data SignData) ([]byte, error)
- func SignFile(r io.Reader, sd SignData) ([]byte, error)
- type Attribute
- type CatalogData
- type InfoData
- type MessageDigestMismatchError
- type PKCS7
- func (p7 *PKCS7) GetOnlySigner() *x509.Certificate
- func (p7 *PKCS7) UnmarshalSignedAttribute(attributeType asn1.ObjectIdentifier, out interface{}) error
- func (p7 *PKCS7) Verify() (err error)
- func (p7 *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error)
- func (p7 *PKCS7) VerifyWithChainAtTime(truststore *x509.CertPool, currentTime time.Time) (err error)
- func (p7 *PKCS7) VerifyWithOpts(opts x509.VerifyOptions) (err error)
- type RevocationFunction
- type SignContext
- type SignData
- type SignDataSignature
- type SignDataSignatureInfo
- type SignedData
- type SignerInfoConfig
- type TSA
- type VisualSignData
Constants ¶
const ( // EncryptionAlgorithmDESCBC is the DES CBC encryption algorithm EncryptionAlgorithmDESCBC = iota // EncryptionAlgorithmAES128CBC is the AES 128 bits with CBC encryption algorithm // Avoid this algorithm unless required for interoperability; use AES GCM instead. EncryptionAlgorithmAES128CBC // EncryptionAlgorithmAES256CBC is the AES 256 bits with CBC encryption algorithm // Avoid this algorithm unless required for interoperability; use AES GCM instead. EncryptionAlgorithmAES256CBC // EncryptionAlgorithmAES128GCM is the AES 128 bits with GCM encryption algorithm EncryptionAlgorithmAES128GCM // EncryptionAlgorithmAES256GCM is the AES 256 bits with GCM encryption algorithm EncryptionAlgorithmAES256GCM )
const ( CertificationSignature = iota + 1 ApprovalSignature UsageRightsSignature )
const ( DoNotAllowAnyChangesPerms = iota + 1 AllowFillingExistingFormFieldsAndSignaturesPerms AllowFillingExistingFormFieldsAndSignaturesAndCRUDAnnotationsPerms )
Variables ¶
var ( // Signed Data OIDs OIDData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1} OIDSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2} OIDEnvelopedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 3} OIDEncryptedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 6} OIDAttributeContentType = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3} OIDAttributeMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4} OIDAttributeSigningTime = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 5} // Digest Algorithms OIDDigestAlgorithmSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26} OIDDigestAlgorithmSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} OIDDigestAlgorithmSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} OIDDigestAlgorithmSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3} OIDDigestAlgorithmDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1} OIDDigestAlgorithmDSASHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3} OIDDigestAlgorithmECDSASHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1} OIDDigestAlgorithmECDSASHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2} OIDDigestAlgorithmECDSASHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3} OIDDigestAlgorithmECDSASHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4} // Signature Algorithms OIDEncryptionAlgorithmRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} OIDEncryptionAlgorithmRSASHA1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} OIDEncryptionAlgorithmRSASHA256 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} OIDEncryptionAlgorithmRSASHA384 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} OIDEncryptionAlgorithmRSASHA512 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} OIDEncryptionAlgorithmECDSAP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7} OIDEncryptionAlgorithmECDSAP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34} OIDEncryptionAlgorithmECDSAP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35} OIDEncryptionAlgorithmEDDSA25519 = asn1.ObjectIdentifier{1, 3, 101, 112} // Encryption Algorithms OIDEncryptionAlgorithmDESCBC = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 7} OIDEncryptionAlgorithmDESEDE3CBC = asn1.ObjectIdentifier{1, 2, 840, 113549, 3, 7} OIDEncryptionAlgorithmAES256CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42} OIDEncryptionAlgorithmAES128GCM = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 6} OIDEncryptionAlgorithmAES128CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 2} OIDEncryptionAlgorithmAES256GCM = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 46} )
var ContentEncryptionAlgorithm = EncryptionAlgorithmDESCBC
ContentEncryptionAlgorithm determines the algorithm used to encrypt the plaintext message. Change the value of this variable to change which algorithm is used in the Encrypt() function.
var ErrPSKNotProvided = errors.New("pkcs7: cannot encrypt content: PSK not provided")
ErrPSKNotProvided is returned when attempting to encrypt using a PSK without actually providing the PSK.
var ErrUnsupportedAlgorithm = errors.New("pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported")
var ErrUnsupportedContentType = errors.New("pkcs7: cannot parse data: unimplemented content type")
ErrUnsupportedContentType is returned when a PKCS7 content is not supported. Currently only Data (1.2.840.113549.1.7.1), Signed Data (1.2.840.113549.1.7.2), and Enveloped Data are supported (1.2.840.113549.1.7.3)
var ErrUnsupportedEncryptionAlgorithm = errors.New("pkcs7: cannot encrypt content: only DES-CBC, AES-CBC, and AES-GCM supported")
ErrUnsupportedEncryptionAlgorithm is returned when attempting to encrypt content with an unsupported algorithm.
Functions ¶
func DefaultEmbedRevocationStatusFunction ¶
func DefaultEmbedRevocationStatusFunction(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error
func Encrypt ¶
func Encrypt(content []byte, recipients []*x509.Certificate) ([]byte, error)
Encrypt creates and returns an envelope data PKCS7 structure with encrypted recipient keys for each recipient public key.
The algorithm used to perform encryption is determined by the current value of the global ContentEncryptionAlgorithm package variable. By default, the value is EncryptionAlgorithmDESCBC. To use a different algorithm, change the value before calling Encrypt(). For example:
ContentEncryptionAlgorithm = EncryptionAlgorithmAES128GCM
TODO(fullsailor): Add support for encrypting content with other algorithms
func EncryptUsingPSK ¶
EncryptUsingPSK creates and returns an encrypted data PKCS7 structure, encrypted using caller provided pre-shared secret.
Types ¶
type Attribute ¶
type Attribute struct {
Type asn1.ObjectIdentifier
Value interface{}
}
Attribute represents a key value pair attribute. Value must be marshalable byte `encoding/asn1`
type CatalogData ¶
type MessageDigestMismatchError ¶
MessageDigestMismatchError is returned when the signer data digest does not match the computed digest for the contained content
func (*MessageDigestMismatchError) Error ¶
func (err *MessageDigestMismatchError) Error() string
type PKCS7 ¶
type PKCS7 struct {
Content []byte
Certificates []*x509.Certificate
CRLs []pkix.CertificateList
Signers []signerInfo
// contains filtered or unexported fields
}
PKCS7 Represents a PKCS7 structure
func (*PKCS7) GetOnlySigner ¶
func (p7 *PKCS7) GetOnlySigner() *x509.Certificate
GetOnlySigner returns an x509.Certificate for the first signer of the signed data payload. If there are more or less than one signer, nil is returned
func (*PKCS7) UnmarshalSignedAttribute ¶
func (p7 *PKCS7) UnmarshalSignedAttribute(attributeType asn1.ObjectIdentifier, out interface{}) error
UnmarshalSignedAttribute decodes a single attribute from the signer info
func (*PKCS7) Verify ¶
Verify is a wrapper around VerifyWithChain() that initializes an empty trust store, effectively disabling certificate verification when validating a signature.
func (*PKCS7) VerifyWithChain ¶
VerifyWithChain checks the signatures of a PKCS7 object.
If truststore is not nil, it also verifies the chain of trust of the end-entity signer cert to one of the roots in the truststore. When the PKCS7 object includes the signing time authenticated attr it verifies the chain at that time and UTC now otherwise.
func (*PKCS7) VerifyWithChainAtTime ¶
func (p7 *PKCS7) VerifyWithChainAtTime(truststore *x509.CertPool, currentTime time.Time) (err error)
VerifyWithChainAtTime checks the signatures of a PKCS7 object.
If truststore is not nil, it also verifies the chain of trust of the end-entity signer cert to a root in the truststore at currentTime. It does not use the signing time authenticated attribute.
func (*PKCS7) VerifyWithOpts ¶
func (p7 *PKCS7) VerifyWithOpts(opts x509.VerifyOptions) (err error)
If VerifyOpts.Roots is not nil it verifies the chain of trust of the end-entity signer cert to one of the roots in the truststore. When the PKCS7 object includes the signing time authenticated attr it verifies the chain at that time and UTC now otherwise.
type RevocationFunction ¶
type RevocationFunction func(cert, issuer *x509.Certificate, i *revocation.InfoArchival) error
type SignContext ¶
type SignContext struct {
Filesize int64
InputFile io.ReadSeeker
OutputFile io.Writer
OutputBuffer *filebuffer.Buffer
SignData SignData
CatalogData CatalogData
VisualSignData VisualSignData
InfoData InfoData
PDFReader *pdf.Reader
NewXrefStart int64
ByteRangeStartByte int64
SignatureContentsStartByte int64
ByteRangeValues []int64
SignatureMaxLength uint32
SignatureMaxLengthBase uint32
}
func (*SignContext) GetTSA ¶
func (context *SignContext) GetTSA(sign_content []byte) (timestamp_response []byte, err error)
func (*SignContext) SignPDF ¶
func (context *SignContext) SignPDF() ([]byte, error)
type SignData ¶
type SignData struct {
ObjectId uint32
Signature SignDataSignature
TPPOpts signers.SignOpts
DigestAlgorithm crypto.Hash
Certificate *x509.Certificate
CertificateChains [][]*x509.Certificate
TSA TSA
RevocationData revocation.InfoArchival
RevocationFunction RevocationFunction
}
type SignDataSignature ¶
type SignDataSignature struct {
CertType uint
DocMDPPerm uint
Info SignDataSignatureInfo
}
type SignDataSignatureInfo ¶
type SignedData ¶
type SignedData struct {
// contains filtered or unexported fields
}
SignedData is an opaque data structure for creating signed data payloads
func NewSignedData ¶
func NewSignedData(data []byte) (*SignedData, error)
NewSignedData takes data and initializes a PKCS7 SignedData struct that is ready to be signed via AddSigner. The digest algorithm is set to SHA1 by default and can be changed by calling SetDigestAlgorithm.
func (*SignedData) Detach ¶
func (sd *SignedData) Detach()
Detach removes content from the signed data struct to make it a detached signature. This must be called right before Finish()
func (*SignedData) Finish ¶
func (sd *SignedData) Finish() ([]byte, error)
Finish marshals the content and its signers
func (*SignedData) GetSignedData ¶
func (sd *SignedData) GetSignedData() *signedData
GetSignedData returns the private Signed Data
func (*SignedData) SetDigestAlgorithm ¶
func (sd *SignedData) SetDigestAlgorithm(d asn1.ObjectIdentifier)
SetDigestAlgorithm sets the digest algorithm to be used in the signing process.
This should be called before adding signers
Source Files
Directories