cfssl

package pkcs7

import ""

Package pkcs7 implements the subset of the CMS PKCS #7 datatype that is typically used to package certificates and CRLs. Using openssl, every certificate converted to PKCS #7 format from another encoding such as PEM conforms to this implementation. reference:

PKCS #7 Data type, reference:

The full PKCS #7 cryptographic message syntax allows for cryptographic enhancements: for example, data can be encrypted and signed, then packaged through PKCS #7 to be sent over a network, and then verified and decrypted. The syntax is defined in ASN.1, and the type of PKCS #7 ContentInfo, which comprises the PKCS #7 structure, is:

ContentInfo ::= SEQUENCE {
	contentType ContentType,
	content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

There are 6 possible ContentTypes: data, signedData, envelopedData, signedAndEnvelopedData, digestedData, and encryptedData. Here signedData, data, and encryptedData are implemented, as the degenerate case of signedData without a signature is the typical format for transferring certificates and CRLs, and data and encryptedData are used in PKCS #12 formats. The ContentType signedData has the form:

signedData ::= SEQUENCE {
	version Version,
	digestAlgorithms DigestAlgorithmIdentifiers,
	contentInfo ContentInfo,
	certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
	crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
	signerInfos SignerInfos
}

As of yet signerInfos and digestAlgorithms are not parsed, as they are not relevant to this system's use of PKCS #7 data. Version is an integer type. Note that PKCS #7 is recursive; this second layer of ContentInfo is similarly ignored for our degenerate usage. The ExtendedCertificatesAndCertificates type consists of a sequence of choices between PKCS #6 extended certificates and X.509 certificates. Any sequence consisting of any number of extended certificates is not yet supported in this implementation.

The ContentType Data is simply a raw octet string and is parsed directly into a Go []byte slice.

The ContentType encryptedData is the most complicated, and its form can be gathered from the Go type below. It essentially contains a raw octet string of encrypted data and an algorithm identifier for use in decrypting this data.
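
The degenerate signedData layout described above can be checked with Go's encoding/asn1 alone. This is an added example, not cfssl's own code: `DegenerateCerts`, `contentInfo` and `sampleHex` are names chosen here, the sample bytes are constructed, and the function walks the SEQUENCE by hand rather than calling ParsePKCS7.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
)

// ObjIDSignedData from the page's const block, in asn1 form.
var oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}

// Constructed sample: certificates [0] holds a placeholder 30 00, not a real certificate.
const sampleHex = "302706092a864886f70d010702a01a30180201013100300b06092a864886f70d010701a00230003100"

type contentInfo struct { // mirrors the page's ContentInfo SEQUENCE
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"tag:0,explicit,optional"`
}

// DegenerateCerts returns the raw bytes inside certificates [0] of a signedData
// whose signerInfos (the final field, a universal SET) is empty, i.e. unsigned.
func DegenerateCerts(der []byte) (certs []byte, err error) {
	var ci contentInfo
	rest, err := asn1.Unmarshal(der, &ci)
	if err != nil || len(rest) != 0 || !ci.ContentType.Equal(oidSignedData) {
		return nil, errors.New("not exactly one DER ContentInfo of type signedData")
	}
	var sd, last asn1.RawValue
	rest, err = asn1.Unmarshal(ci.Content.Bytes, &sd)
	if err != nil || len(rest) != 0 || sd.Tag != asn1.TagSequence {
		return nil, errors.New("content is not one signedData SEQUENCE")
	}
	for body := sd.Bytes; len(body) > 0; { // walk the fields in order
		if body, err = asn1.Unmarshal(body, &last); err != nil {
			return nil, err
		}
		if last.Class == asn1.ClassContextSpecific && last.Tag == 0 {
			certs = last.Bytes
		}
	}
	if last.Class != asn1.ClassUniversal || last.Tag != asn1.TagSet || len(last.Bytes) != 0 {
		return nil, errors.New("signerInfos not empty: not the degenerate form")
	}
	return certs, nil
}

func main() {
	der, _ := hex.DecodeString(sampleHex)
	fmt.Println(DegenerateCerts(der))
}
```

With real input, the returned bytes are the concatenated certificate encodings, which is the form x509.ParseCertificates accepts.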



const (
    ObjIDData          = "1.2.840.113549.1.7.1"
    ObjIDSignedData    = "1.2.840.113549.1.7.2"
    ObjIDEncryptedData = "1.2.840.113549.1.7.6"
)

Object identifier strings of the three implemented PKCS7 types.

type Content

type Content struct {
    Data          []byte
    SignedData    SignedData
    EncryptedData EncryptedData
}

Content implements three of the six possible PKCS7 data types. Only one is non-nil.

type Data

type Data struct {
    Bytes []byte
}

Data contains raw bytes. Used as a subtype in PKCS12.

type EncryptedContentInfo

type EncryptedContentInfo struct {
    Raw                        asn1.RawContent
    ContentType                asn1.ObjectIdentifier
    ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
    EncryptedContent           []byte `asn1:"tag:0,optional"`
}

EncryptedContentInfo is a subtype of PKCS7EncryptedData.

type EncryptedData

type EncryptedData struct {
    Raw                  asn1.RawContent
    Version              int
    EncryptedContentInfo EncryptedContentInfo
}

EncryptedData contains encrypted data. Used as a subtype in PKCS12.

type PKCS7

type PKCS7 struct {
    Raw         asn1.RawContent
    ContentInfo string
    Content     Content
}

PKCS7 represents the ASN.1 PKCS #7 content type. It contains one of three possible types of Content objects, as denoted by the object identifier in the ContentInfo field; the other two are nil. SignedData is the degenerate SignedData content info, without a signature, used to hold certificates and CRLs. Data is raw bytes, and EncryptedData is as defined in the PKCS #7 standard.

func ParsePKCS7

func ParsePKCS7(raw []byte) (msg *PKCS7, err error)

ParsePKCS7 attempts to parse the DER encoded bytes of a PKCS7 structure.

type SignedData

type SignedData struct {
    Raw          asn1.RawContent
    Version      int
    Certificates []*x509.Certificate
    Crl          *pkix.CertificateList
}

SignedData defines the typical carrier of certificates and CRLs.

Package pkcs7 imports 5 packages and is imported by 74 packages. Updated 2017-02-11.