const (
StatusGranted = iota
StatusGrantedWithMods
StatusRejection
StatusWaiting
StatusRevocationWarning
StatusRevocationNotification
FailureBadAlg = 0
FailureBadRequest = 2
FailureBadDataFormat = 5
FailureTimeNotAvailable = 14
FailureUnacceptedPolicy = 15
FailureUnacceptedExtension = 16
FailureAddInfoNotAvailable = 17
SystemFailure = 25
)
var (
OidKeyPurposeTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
OidTSTInfo = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 1, 4}
OidAttributeTimeStampToken = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 2, 14}
OidAttributeCounterSign = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 6}
OidSpcTimeStampRequest = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 3, 2, 1}
// undocumented(?) alternative to OidAttributeTimeStampToken found in Authenticode signatures
OidSpcTimeStampToken = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 3, 3, 1}
)
func AddStampToSignedAuthenticode(signerInfo *pkcs7.SignerInfo, token pkcs7.ContentInfoSignedData) error
Attach a RFC 3161 timestamp to a PKCS#7 SignerInfo using the OID for authenticode signatures
func AddStampToSignedData(signerInfo *pkcs7.SignerInfo, token pkcs7.ContentInfoSignedData) error
Attach a RFC 3161 timestamp to a PKCS#7 SignerInfo
func NewLegacyRequest(url string, encryptedDigest []byte) (*http.Request, error)
func ParseLegacyResponse(body []byte) (*pkcs7.ContentInfoSignedData, error)
type Accuracy struct {
Seconds int `asn1:"optional"`
Millis int `asn1:"optional,tag:0"`
Micros int `asn1:"optional,tag:1"`
}
Validated timestamp token
type CounterSignature struct {
pkcs7.Signature
Hash crypto.Hash
SigningTime time.Time
}
func Verify(tst *pkcs7.ContentInfoSignedData, data []byte, certs []*x509.Certificate) (*CounterSignature, error)
Verify a timestamp token using external data
func VerifyMicrosoftToken(token *pkcs7.ContentInfoSignedData, encryptedDigest []byte) (*CounterSignature, error)
Verify a non-RFC-3161 timestamp token against the given encrypted digest from the primary signature.
func VerifyPkcs7(sig pkcs7.Signature) (*CounterSignature, error)
Look for a timestamp (counter-signature or timestamp token) in the UnauthenticatedAttributes of the given already-validated signature and check its integrity. The certificate chain is not checked; call VerifyChain() on the result to validate it fully. Returns nil if no timestamp is present.
func (cs CounterSignature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate) error
Verify that the timestamp token has a valid certificate chain
type GeneralName struct {
// See RFC 3280
Value asn1.RawValue
}
type MessageImprint struct {
HashAlgorithm pkix.AlgorithmIdentifier
HashedMessage []byte
}
func (i MessageImprint) Verify(data []byte) error
Verify that the digest (imprint) in a timestamp token matches the given data
type MicrosoftTimeStampRequest struct {
CounterSignatureType asn1.ObjectIdentifier
Attributes struct{} `asn1:"optional"`
Content struct {
ContentType asn1.ObjectIdentifier
Content []byte `asn1:"explicit,tag:0"`
}
}
type PKIStatusInfo struct {
Status int
StatusString []string `asn1:"optional"`
FailInfo asn1.BitString `asn1:"optional"`
}
Request holds parameters for a timestamp operation
type Request struct {
// EncryptedDigest is the raw encrypted signature value
EncryptedDigest []byte
// Hash is the desired hash function for the timestamp. Ignored for legacy requests.
Hash crypto.Hash
// Legacy indicates a nonstandard microsoft timestamp request, otherwise RFC 3161 is used
Legacy bool
}
type TSTInfo struct {
Version int
Policy asn1.ObjectIdentifier
MessageImprint MessageImprint
SerialNumber *big.Int
GenTime time.Time
Accuracy Accuracy `asn1:"optional"`
Ordering bool `asn1:"optional,default:false"`
Nonce *big.Int `asn1:"optional"`
TSA GeneralName `asn1:"optional,implicit,tag:0"`
Extensions []pkix.Extension `asn1:"optional,implicit,tag:1"`
}
type TimeStampReq struct {
Version int
MessageImprint MessageImprint
ReqPolicy asn1.ObjectIdentifier `asn1:"optional"`
Nonce *big.Int `asn1:"optional"`
CertReq bool `asn1:"default:false"`
Extensions []pkix.Extension `asn1:"optional,implicit,tag:0"`
}
func NewRequest(url string, hash crypto.Hash, hashValue []byte) (msg *TimeStampReq, req *http.Request, err error)
Create a HTTP request to request a token from the given URL
func (req *TimeStampReq) ParseResponse(body []byte) (*pkcs7.ContentInfoSignedData, error)
Parse a timestamp token from a HTTP response, sanity checking it against the original request nonce
func (req *TimeStampReq) SanityCheckToken(psd *pkcs7.ContentInfoSignedData) error
Sanity check a timestamp token against the nonce in the original request
type TimeStampResp struct {
Status PKIStatusInfo
TimeStampToken pkcs7.ContentInfoSignedData `asn1:"optional"`
}
Validated signature containing a optional timestamp token
type TimestampedSignature struct {
pkcs7.Signature
CounterSignature *CounterSignature
Raw []byte
}
func TimestampAndMarshal(ctx context.Context, psd *pkcs7.ContentInfoSignedData, timestamper Timestamper, authenticode bool) (*TimestampedSignature, error)
func VerifyOptionalTimestamp(sig pkcs7.Signature) (TimestampedSignature, error)
Look for a timestamp token or counter-signature in the given signature and return a structure that can be used to validate the signature's certificate chain. If no timestamp is present, then the current time will be used when validating the chain.
func (sig TimestampedSignature) VerifyChain(roots *x509.CertPool, extraCerts []*x509.Certificate, usage x509.ExtKeyUsage) error
Verify the certificate chain of a PKCS#7 signature. If the signature has a valid timestamp token attached, then the timestamp is used for validating the primary signature's chain, making the signature valid after the certificates have expired.
Timestamper is the common interface for the timestamp client and middleware
type Timestamper interface {
Timestamp(ctx context.Context, req *Request) (*pkcs7.ContentInfoSignedData, error)
}
| Name | Synopsis |
|---|---|
| .. | |
| ratelimit | |
| timestampcache | |
| tsclient | |