Sha256 support #19
Open
Sha256 support #19
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
copies a few private methods from the stdlib x509 package.
Uses the x509util package to get a wider range of supported hash functions.
|
Travis fails with 1.6/1.7 but passes with 1.8+ I can put those behind a build flag |
groob
commented
Jul 10, 2017
pkcs7.go
Outdated
| @@ -864,13 +934,19 @@ func encryptDESCBC(content []byte) ([]byte, *encryptedContentInfo, error) { | |||
| // ContentEncryptionAlgorithm = EncryptionAlgorithmAES128GCM | |||
| // | |||
| // TODO(fullsailor): Add support for encrypting content with other algorithms | |||
| func Encrypt(content []byte, recipients []*x509.Certificate) ([]byte, error) { | |||
| func Encrypt(content []byte, recipients []*x509.Certificate, opts ...Option) ([]byte, error) { | |||
There was a problem hiding this comment.
This changes the function signature, but is still backwards compatible depending on how Encrypt is called.
pkcs7.Encrypt(content, recipients) would still compile, but if someone created a callback, or interface their code would break.
Possible solutions:
- break compatibility and create a release with a new git tag
- create a new EncryptWithOptions function
- use global variables (personally I would avoid but I can work with that option if required)
|
Any hopes of this seeing a merge? |
|
@groob This breaks the |
|
The algorithm could be composed, because: |
Go 1.10 is more strict about Asn.1 annotations. This removes the incorrect “explicit” annotation from encryptedContentInfo.EncryptedContent. I’m also using openssl to generate the fixture now so that we aren’t testing with our own output for `Decrypt()` Fixes fullsailor#31
Fix failure to parse enveloped data in Go 1.10
Fix signer digest algorithm
Previously the encrypt method was grouping together multiple algorithms and handling them the same. In the decryption code this somewhat makes sense because the crypto.Cipher will take care of figuring out which algorithm it needs to use. When encrypting though if AES-128-CBC is requested we were encrypting as AES-128-GCM which didn't make sense.
Add AES-128-CBC support
chrisccoulson
pushed a commit
to chrisccoulson/pkcs7
that referenced
this pull request
Apr 25, 2020
Support setting the encalg when signing without attr
jessepeterson
pushed a commit
to jessepeterson/pkcs7
that referenced
this pull request
Apr 30, 2024
…content EncryptedContent needs to be implicitly tagged and not explicit (updated)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi @fullsailor,
I use the pkcs7 package in my SCEP implementation. Although SCEP supports SHA1 and 3DES the recommended defaults are AES with SHA256.
I began working on implementing support for SHA256 and possibly SHA512 as well in this branch.
Most of the code in this pull request is actually coming from a new package,
github.com/fullsailor/pkcs7/internal/x509utilwhich is just some exported helpers fromcrypto/x509. I use the helpers to determine the hash function/signature algorithm when needed.I would love your input on the direction on this pull request, and what requirements you would have for getting a change like this into the pkcs7 package.
Thanks!