https://github.com/purehyperbole/ietf-cms

CMS (PKCS#7) library for Go
https://github.com/purehyperbole/ietf-cms

Last synced: 5 months ago
JSON representation

CMS (PKCS#7) library for Go

• Host: GitHub
• URL: https://github.com/purehyperbole/ietf-cms
• Owner: purehyperbole
• License: mit
• Fork: true (github/ietf-cms)
• Created: 2021-03-09T22:33:45.000Z (over 5 years ago)
• Default Branch: main
• Last Pushed: 2021-09-10T16:00:48.000Z (almost 5 years ago)
• Last Synced: 2024-06-21T11:49:36.674Z (about 2 years ago)
• Language: Go
• Size: 326 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.md

Awesome Lists containing this project

README

          
# CMS [![PkgGoDev](https://pkg.go.dev/badge/github.com/github/ietf-cms?tab=doc)](https://pkg.go.dev/github.com/github/ietf-cms?tab=doc) [![Report card](https://goreportcard.com/badge/github.com/github/ietf-cms)](https://goreportcard.com/report/github.com/github/ietf-cms)

[![Test (recent Go versions)]()](https://github.com/github/ietf-cms/actions?query=workflow%3A%22Test+%28recent+Go+versions%29%22)  

[![Test (Go 1.10)]()](https://github.com/github/ietf-cms/actions?query=workflow%3A%22Test+%28Go+1.10%29%22)

[CMS (Cryptographic Message Syntax)](https://tools.ietf.org/html/rfc5652) is a syntax for signing, digesting, and encrypting arbitrary messages. It evolved from PKCS#7 and is the basis for higher level protocols such as S/MIME. This package implements the SignedData CMS content-type, allowing users to digitally sign data as well as verify data signed by others.

## Signing and Verifying Data

High level APIs are provided for signing a message with a certificate and key:

```go

msg := []byte("some data")

cert, _ := x509.ParseCertificate(someCertificateData)

key, _ := x509.ParseECPrivateKey(somePrivateKeyData)

der, _ := cms.Sign(msg, []*x509.Certificate{cert}, key)

////

/// At another time, in another place...

//

sd, _ := ParseSignedData(der)

if err, _ := sd.Verify(x509.VerifyOptions{}); err != nil {

  panic(err)

}

```

By default, CMS SignedData includes the original message. High level APIs are also available for creating and verifying detached signatures:

```go

msg := []byte("some data")

cert, _ := x509.ParseCertificate(someCertificateData)

key, _ := x509.ParseECPrivateKey(somePrivateKeyData)

der, _ := cms.SignDetached(msg, cert, key)

////

/// At another time, in another place...

//

sd, _ := ParseSignedData(der)

if err, _ := sd.VerifyDetached(msg, x509.VerifyOptions{}); err != nil {

  panic(err)

}

```

## Timestamping

Because certificates expire and can be revoked, it is may be helpful to attach certified timestamps to signatures, proving that they existed at a given time. RFC3161 timestamps can be added to signatures like so:

```go

signedData, _ := NewSignedData([]byte("Hello, world!"))

signedData.Sign(identity.Chain(), identity.PrivateKey)

signedData.AddTimestamps("http://timestamp.digicert.com")

derEncoded, _ := signedData.ToDER()

io.Copy(os.Stdout, bytes.NewReader(derEncoded))

```

Verification functions implicitly verify timestamps as well. Without a timestamp, verification will fail if the certificate is no longer valid.