Description

Package pkcs7 implements the subset of the CMS PKCS #7 datatype that is typically used to package certificates and CRLs. Using openssl, every certificate converted to PKCS #7 format from another encoding such as PEM conforms to this implementation. reference: https://www.openssl.org/docs/apps/crl2pkcs7.html

PKCS #7 Data type, reference: https://tools.ietf.org/html/rfc2315

The full pkcs#7 cryptographic message syntax allows for cryptographic enhancements, for example data can be encrypted and signed and then packaged through pkcs#7 to be sent over a network and then verified and decrypted. It is asn1, and the type of PKCS #7 ContentInfo, which comprises the PKCS #7 structure, is:

ContentInfo ::= SEQUENCE {
	contentType ContentType,
	content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

There are 6 possible ContentTypes, data, signedData, envelopedData, signedAndEnvelopedData, digestedData, and encryptedData. Here signedData, Data, and encrypted Data are implemented, as the degenerate case of signedData without a signature is the typical format for transferring certificates and CRLS, and Data and encryptedData are used in PKCS #12 formats. The ContentType signedData has the form:

signedData ::= SEQUENCE {
	version Version,
	digestAlgorithms DigestAlgorithmIdentifiers,
	contentInfo ContentInfo,
	certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL
	crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
	signerInfos SignerInfos
}

As of yet signerInfos and digestAlgorithms are not parsed, as they are not relevant to this system's use of PKCS #7 data. Version is an integer type, note that PKCS #7 is recursive, this second layer of ContentInfo is similar ignored for our degenerate usage. The ExtendedCertificatesAndCertificates type consists of a sequence of choices between PKCS #6 extended certificates and x509 certificates. Any sequence consisting of any number of extended certificates is not yet supported in this implementation.

The ContentType Data is simply a raw octet string and is parsed directly into a Go []byte slice.

The ContentType encryptedData is the most complicated and its form can be gathered by the go type below. It essentially contains a raw octet string of encrypted data and an algorithm identifier for use in decrypting this data.

pkcs7 is referenced in 0 repositories