CMS (PKCS#7) library for Go
Перейти к файлу
Matt Martin 051715c972 Add mapping from algo OID to x509 SignatureAlgorithm for DSAWithSHA1 2019-05-17 10:27:50 -05:00
oid Add mapping from algo OID to x509 SignatureAlgorithm for DSAWithSHA1 2019-05-17 10:27:50 -05:00
protocol use utc for signingtime (gpgsm interoperability) 2018-12-04 12:51:55 -07:00
timestamp oid: be more consistent in OID variable namning 2018-09-06 13:52:54 -06:00
.gitignore Initial commit 2015-04-09 11:53:02 -04:00
.travis.yml add go 1.12.x to the build matrix 2019-05-01 15:50:59 -06:00
LICENSE.md add license/readmme 2017-11-21 08:51:58 -07:00
README.md provide working example of sign/verify 2018-08-07 16:12:57 -06:00
go.mod add go.mod and go.sum 2019-05-01 15:43:59 -06:00
go.sum add go.mod and go.sum 2019-05-01 15:43:59 -06:00
main_test.go oid: be more consistent in OID variable namning 2018-09-06 13:52:54 -06:00
sign.go allow intermediates to be added in addition to leaf cert 2017-11-27 16:22:30 -07:00
sign_test.go include SigningTime attribute in signatures 2018-12-04 12:33:30 -07:00
signed_data.go methods for getting/setting certificates from SignedData 2018-07-25 17:58:00 -06:00
timestamp.go make timestamp checking implicit in SignedData verification 2018-06-20 15:53:59 -06:00
timestamp_test.go make timestamp checking implicit in SignedData verification 2018-06-20 15:53:59 -06:00
verify.go always check for ExtKeyUsageTimeStamping when verifying timestamp 2018-09-13 10:19:18 -06:00
verify_test.go always check for ExtKeyUsageTimeStamping when verifying timestamp 2018-09-13 10:19:18 -06:00

README.md

CMS GoDoc Report card Build Status

CMS (Cryptographic Message Syntax) is a syntax for signing, digesting, and encrypting arbitrary messages. It evolved from PKCS#7 and is the basis for higher level protocols such as S/MIME. This package implements the SignedData CMS content-type, allowing users to digitally sign data as well as verify data signed by others.

Signing and Verifying Data

High level APIs are provided for signing a message with a certificate and key:

msg := []byte("some data")
cert, _ := x509.ParseCertificate(someCertificateData)
key, _ := x509.ParseECPrivateKey(somePrivateKeyData)

der, _ := cms.Sign(msg, []*x509.Certificate{cert}, key)

////
/// At another time, in another place...
//

sd, _ := ParseSignedData(der)
if err, _ := sd.Verify(x509.VerifyOptions{}); err != nil {
  panic(err)
}

By default, CMS SignedData includes the original message. High level APIs are also available for creating and verifying detached signatures:

msg := []byte("some data")
cert, _ := x509.ParseCertificate(someCertificateData)
key, _ := x509.ParseECPrivateKey(somePrivateKeyData)

der, _ := cms.SignDetached(msg, cert, key)

////
/// At another time, in another place...
//

sd, _ := ParseSignedData(der)
if err, _ := sd.VerifyDetached(msg, x509.VerifyOptions{}); err != nil {
  panic(err)
}

Timestamping

Because certificates expire and can be revoked, it is may be helpful to attach certified timestamps to signatures, proving that they existed at a given time. RFC3161 timestamps can be added to signatures like so:

signedData, _ := NewSignedData([]byte("Hello, world!"))
signedData.Sign(identity.Chain(), identity.PrivateKey)
signedData.AddTimestamps("http://timestamp.digicert.com")

derEncoded, _ := signedData.ToDER()
io.Copy(os.Stdout, bytes.NewReader(derEncoded))

Verification functions implicitly verify timestamps as well. Without a timestamp, verification will fail if the certificate is no longer valid.