0.0.0-20240723090913-5e2c6a136dfa
Repository: https://github.com/smallstep/pkcs7.git
Documentation: pkg.go.dev
# README
pkcs7
pkcs7 implements parsing and creating signed and enveloped messages.
```go
package main

import (
	"bytes"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"

	"github.com/smallstep/pkcs7"
)

// SignAndDetach signs content with the given certificate and private key,
// returns the detached PKCS#7 signature, and verifies it as a self-check.
func SignAndDetach(content []byte, cert *x509.Certificate, privkey *rsa.PrivateKey) (signed []byte, err error) {
	toBeSigned, err := pkcs7.NewSignedData(content)
	if err != nil {
		return nil, fmt.Errorf("cannot initialize signed data: %w", err)
	}
	if err = toBeSigned.AddSigner(cert, privkey, pkcs7.SignerInfoConfig{}); err != nil {
		return nil, fmt.Errorf("cannot add signer: %w", err)
	}

	// Detach signature, omit if you want an embedded signature
	toBeSigned.Detach()

	signed, err = toBeSigned.Finish()
	if err != nil {
		return nil, fmt.Errorf("cannot finish signing data: %w", err)
	}

	// Print the PEM-encoded signature
	if err = pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: signed}); err != nil {
		return nil, fmt.Errorf("cannot PEM-encode signed data: %w", err)
	}

	// Verify the signature
	p7, err := pkcs7.Parse(signed)
	if err != nil {
		return nil, fmt.Errorf("cannot parse our signed data: %w", err)
	}

	// since the signature was detached, reattach the content here
	p7.Content = content

	if !bytes.Equal(content, p7.Content) {
		return nil, fmt.Errorf("our content was not in the parsed data:\n\tExpected: %s\n\tActual: %s", content, p7.Content)
	}
	if err = p7.Verify(); err != nil {
		return nil, fmt.Errorf("cannot verify our signed data: %w", err)
	}

	return signed, nil
}
```
Credits
This is a fork of mozilla-services/pkcs7 which, itself, was a fork of fullsailor/pkcs7.
# Functions
DegenerateCertificate creates a signed data structure containing only the provided certificate or certificate chain.
Encrypt creates and returns an envelope data PKCS7 structure with encrypted recipient keys for each recipient public key.
EncryptUsingPSK creates and returns an encrypted data PKCS7 structure, encrypted using caller provided pre-shared secret.
NewSignedData takes data and initializes a PKCS7 SignedData struct that is ready to be signed via AddSigner.
Parse decodes a DER encoded PKCS7 package.
# Constants
EncryptionAlgorithmAES128CBC is the AES 128 bits with CBC encryption algorithm. Avoid this algorithm unless required for interoperability; use AES GCM instead.
EncryptionAlgorithmAES128GCM is the AES 128 bits with GCM encryption algorithm.
EncryptionAlgorithmAES256CBC is the AES 256 bits with CBC encryption algorithm. Avoid this algorithm unless required for interoperability; use AES GCM instead.
EncryptionAlgorithmAES256GCM is the AES 256 bits with GCM encryption algorithm.
EncryptionAlgorithmDESCBC is the DES CBC encryption algorithm.
# Variables
ContentEncryptionAlgorithm determines the algorithm used to encrypt the plaintext message.
ErrNotEncryptedContent is returned when attempting to Decrypt data that is not encrypted data.
ErrPSKNotProvided is returned when attempting to encrypt using a PSK without actually providing the PSK.
ErrUnsupportedAlgorithm tells you when our quick dev assumptions have failed.
ErrUnsupportedAsymmetricEncryptionAlgorithm is returned when attempting to use an unknown asymmetric encryption algorithm.
ErrUnsupportedContentType is returned when a PKCS7 content type is not supported.
ErrUnsupportedEncryptionAlgorithm is returned when attempting to encrypt content with an unsupported algorithm.
ErrUnsupportedKeyEncryptionAlgorithm is returned when an unsupported key encryption algorithm OID is provided.
ErrUnsupportedKeyEncryptionHash is returned when an unsupported key encryption hash is provided.
ErrUnsupportedKeyType is returned when attempting to encrypt keys using a key that's not an RSA key.
KeyEncryptionAlgorithm determines the algorithm used to encrypt a content key.
KeyEncryptionHash determines the crypto.Hash algorithm to use when encrypting a content key.
Signed Data OIDs.
Digest Algorithms.
see https://www.rfc-editor.org/rfc/rfc8018.html#appendix-B.2.5.
see https://www.rfc-editor.org/rfc/rfc5084.html#section-3.2.
see https://www.rfc-editor.org/rfc/rfc3565.html#section-4.1.
see https://www.rfc-editor.org/rfc/rfc5084.html#section-3.2.
see https://www.rfc-editor.org/rfc/rfc8018.html#appendix-B.2.1.
see https://www.rfc-editor.org/rfc/rfc8018.html#appendix-B.2.2.
see https://www.rfc-editor.org/rfc/rfc8017#appendix-A.2.2.
see https://www.rfc-editor.org/rfc/rfc8017#appendix-A.2.1.
see https://www.rfc-editor.org/rfc/rfc8017#appendix-A.2.4.
ditto.
ditto.
ditto.
ditto.
ditto.
# Structs
Attribute represents a key value pair attribute.
MessageDigestMismatchError is returned when the signer data digest does not match the computed digest for the contained content.
PKCS7 represents a PKCS7 structure.
SignedData is an opaque data structure for creating signed data payloads.
SignerInfoConfig are optional values to include when adding a signer.
SigningTimeNotValidError is returned when the signing time attribute falls outside of the signer certificate validity.