x509

package
v0.0.0-...-b578434 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 8, 2021 License: Apache-2.0, ISC, MIT Imports: 33 Imported by: 0

README

Originally based on the go/crypto/x509 standard library, this package has now diverged enough that it is no longer updated with direct correspondence to new go releases.

Approximately supports all the features of github.com/golang/go/crypto/x509 package at: branch: release-branch.go1.10 revision: dea961ebd9f871b39b3bdaab32f952037f28cd71

Documentation

Overview

Example (X509_ParseCertificate)
package main

import (
	"encoding/pem"

	"github.com/zmap/zcrypto/x509"
)

func main() {
	// Verifying with a custom list of root certificates.

	const rootPEM = `
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----`

	const certPEM = `
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q
5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC
7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAa
BgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUF
BwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
LmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2Nz
cDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAf
BgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisG
AQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29t
L0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+
gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283
TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq
0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoW
RvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOh
yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
-----END CERTIFICATE-----`

	// First, create the set of root certificates. For this example we only
	// have one. It's also possible to omit this in order to use the
	// default root set of the current operating system.
	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
	if !ok {
		panic("failed to parse root certificate")
	}

	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		panic("failed to parse certificate PEM")
	}
	_, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse certificate: " + err.Error())
	}
}
Output:

Index

Examples

Constants

View Source
const (
	OID_EKU_APPLE_CODE_SIGNING                 = "1.2.840.113635.100.4.1"
	OID_EKU_APPLE_CODE_SIGNING_DEVELOPMENT     = "1.2.840.113635.100.4.1.1"
	OID_EKU_APPLE_SOFTWARE_UPDATE_SIGNING      = "1.2.840.113635.100.4.1.2"
	OID_EKU_APPLE_CODE_SIGNING_THIRD_PARTY     = "1.2.840.113635.100.4.1.3"
	OID_EKU_APPLE_RESOURCE_SIGNING             = "1.2.840.113635.100.4.1.4"
	OID_EKU_APPLE_ICHAT_SIGNING                = "1.2.840.113635.100.4.2"
	OID_EKU_APPLE_ICHAT_ENCRYPTION             = "1.2.840.113635.100.4.3"
	OID_EKU_APPLE_SYSTEM_IDENTITY              = "1.2.840.113635.100.4.4"
	OID_EKU_APPLE_CRYPTO_ENV                   = "1.2.840.113635.100.4.5"
	OID_EKU_APPLE_CRYPTO_PRODUCTION_ENV        = "1.2.840.113635.100.4.5.1"
	OID_EKU_APPLE_CRYPTO_MAINTENANCE_ENV       = "1.2.840.113635.100.4.5.2"
	OID_EKU_APPLE_CRYPTO_TEST_ENV              = "1.2.840.113635.100.4.5.3"
	OID_EKU_APPLE_CRYPTO_DEVELOPMENT_ENV       = "1.2.840.113635.100.4.5.4"
	OID_EKU_APPLE_CRYPTO_QOS                   = "1.2.840.113635.100.4.6"
	OID_EKU_APPLE_CRYPTO_TIER0_QOS             = "1.2.840.113635.100.4.6.1"
	OID_EKU_APPLE_CRYPTO_TIER1_QOS             = "1.2.840.113635.100.4.6.2"
	OID_EKU_APPLE_CRYPTO_TIER2_QOS             = "1.2.840.113635.100.4.6.3"
	OID_EKU_APPLE_CRYPTO_TIER3_QOS             = "1.2.840.113635.100.4.6.4"
	OID_EKU_MICROSOFT_CERT_TRUST_LIST_SIGNING  = "1.3.6.1.4.1.311.10.3.1"
	OID_EKU_MICROSOFT_QUALIFIED_SUBORDINATE    = "1.3.6.1.4.1.311.10.3.10"
	OID_EKU_MICROSOFT_KEY_RECOVERY_3           = "1.3.6.1.4.1.311.10.3.11"
	OID_EKU_MICROSOFT_DOCUMENT_SIGNING         = "1.3.6.1.4.1.311.10.3.12"
	OID_EKU_MICROSOFT_LIFETIME_SIGNING         = "1.3.6.1.4.1.311.10.3.13"
	OID_EKU_MICROSOFT_MOBILE_DEVICE_SOFTWARE   = "1.3.6.1.4.1.311.10.3.14"
	OID_EKU_MICROSOFT_SMART_DISPLAY            = "1.3.6.1.4.1.311.10.3.15"
	OID_EKU_MICROSOFT_CSP_SIGNATURE            = "1.3.6.1.4.1.311.10.3.16"
	OID_EKU_MICROSOFT_TIMESTAMP_SIGNING        = "1.3.6.1.4.1.311.10.3.2"
	OID_EKU_MICROSOFT_SERVER_GATED_CRYPTO      = "1.3.6.1.4.1.311.10.3.3"
	OID_EKU_MICROSOFT_SGC_SERIALIZED           = "1.3.6.1.4.1.311.10.3.3.1"
	OID_EKU_MICROSOFT_ENCRYPTED_FILE_SYSTEM    = "1.3.6.1.4.1.311.10.3.4"
	OID_EKU_MICROSOFT_EFS_RECOVERY             = "1.3.6.1.4.1.311.10.3.4.1"
	OID_EKU_MICROSOFT_WHQL_CRYPTO              = "1.3.6.1.4.1.311.10.3.5"
	OID_EKU_MICROSOFT_NT5_CRYPTO               = "1.3.6.1.4.1.311.10.3.6"
	OID_EKU_MICROSOFT_OEM_WHQL_CRYPTO          = "1.3.6.1.4.1.311.10.3.7"
	OID_EKU_MICROSOFT_EMBEDDED_NT_CRYPTO       = "1.3.6.1.4.1.311.10.3.8"
	OID_EKU_MICROSOFT_ROOT_LIST_SIGNER         = "1.3.6.1.4.1.311.10.3.9"
	OID_EKU_MICROSOFT_DRM                      = "1.3.6.1.4.1.311.10.5.1"
	OID_EKU_MICROSOFT_DRM_INDIVIDUALIZATION    = "1.3.6.1.4.1.311.10.5.2"
	OID_EKU_MICROSOFT_LICENSES                 = "1.3.6.1.4.1.311.10.5.3"
	OID_EKU_MICROSOFT_LICENSE_SERVER           = "1.3.6.1.4.1.311.10.5.4"
	OID_EKU_MICROSOFT_ENROLLMENT_AGENT         = "1.3.6.1.4.1.311.20.2.1"
	OID_EKU_MICROSOFT_SMARTCARD_LOGON          = "1.3.6.1.4.1.311.20.2.2"
	OID_EKU_MICROSOFT_CA_EXCHANGE              = "1.3.6.1.4.1.311.21.5"
	OID_EKU_MICROSOFT_KEY_RECOVERY_21          = "1.3.6.1.4.1.311.21.6"
	OID_EKU_MICROSOFT_SYSTEM_HEALTH            = "1.3.6.1.4.1.311.47.1.1"
	OID_EKU_MICROSOFT_SYSTEM_HEALTH_LOOPHOLE   = "1.3.6.1.4.1.311.47.1.3"
	OID_EKU_MICROSOFT_KERNEL_MODE_CODE_SIGNING = "1.3.6.1.4.1.311.61.1.1"
	OID_EKU_SERVER_AUTH                        = "1.3.6.1.5.5.7.3.1"
	OID_EKU_DVCS                               = "1.3.6.1.5.5.7.3.10"
	OID_EKU_SBGP_CERT_AA_SERVICE_AUTH          = "1.3.6.1.5.5.7.3.11"
	OID_EKU_EAP_OVER_PPP                       = "1.3.6.1.5.5.7.3.13"
	OID_EKU_EAP_OVER_LAN                       = "1.3.6.1.5.5.7.3.14"
	OID_EKU_CLIENT_AUTH                        = "1.3.6.1.5.5.7.3.2"
	OID_EKU_CODE_SIGNING                       = "1.3.6.1.5.5.7.3.3"
	OID_EKU_EMAIL_PROTECTION                   = "1.3.6.1.5.5.7.3.4"
	OID_EKU_IPSEC_END_SYSTEM                   = "1.3.6.1.5.5.7.3.5"
	OID_EKU_IPSEC_TUNNEL                       = "1.3.6.1.5.5.7.3.6"
	OID_EKU_IPSEC_USER                         = "1.3.6.1.5.5.7.3.7"
	OID_EKU_TIME_STAMPING                      = "1.3.6.1.5.5.7.3.8"
	OID_EKU_OCSP_SIGNING                       = "1.3.6.1.5.5.7.3.9"
	OID_EKU_IPSEC_INTERMEDIATE_SYSTEM_USAGE    = "1.3.6.1.5.5.8.2.2"
	OID_EKU_NETSCAPE_SERVER_GATED_CRYPTO       = "2.16.840.1.113730.4.1"
	OID_EKU_ANY                                = "2.5.29.37.0"
)

Variables

View Source
var DomainValidationOIDs = map[string]interface{}{

	"1.3.6.1.4.1.4146.1.10.10": nil,

	"1.3.6.1.4.1.44947.1.1.1": nil,

	"1.3.6.1.4.1.6449.1.2.2.10": nil,

	"1.3.6.1.4.1.6449.1.2.2.15": nil,

	"1.3.6.1.4.1.6449.1.2.2.16": nil,

	"1.3.6.1.4.1.6449.1.2.2.17": nil,

	"1.3.6.1.4.1.6449.1.2.2.18": nil,

	"1.3.6.1.4.1.6449.1.2.2.19": nil,

	"1.3.6.1.4.1.6449.1.2.2.21": nil,

	"1.3.6.1.4.1.6449.1.2.2.22": nil,

	"1.3.6.1.4.1.6449.1.2.2.24": nil,

	"1.3.6.1.4.1.6449.1.2.2.25": nil,

	"1.3.6.1.4.1.6449.1.2.2.26": nil,

	"1.3.6.1.4.1.6449.1.2.2.27": nil,

	"1.3.6.1.4.1.6449.1.2.2.28": nil,

	"1.3.6.1.4.1.6449.1.2.2.29": nil,

	"1.3.6.1.4.1.6449.1.2.2.31": nil,

	"1.3.6.1.4.1.6449.1.2.2.35": nil,

	"1.3.6.1.4.1.6449.1.2.2.37": nil,

	"1.3.6.1.4.1.6449.1.2.2.38": nil,

	"1.3.6.1.4.1.6449.1.2.2.39": nil,

	"1.3.6.1.4.1.6449.1.2.2.40": nil,

	"1.3.6.1.4.1.6449.1.2.2.41": nil,

	"1.3.6.1.4.1.6449.1.2.2.42": nil,

	"1.3.6.1.4.1.6449.1.2.2.44": nil,

	"1.3.6.1.4.1.6449.1.2.2.45": nil,

	"1.3.6.1.4.1.6449.1.2.2.47": nil,

	"1.3.6.1.4.1.6449.1.2.2.49": nil,

	"1.3.6.1.4.1.6449.1.2.2.50": nil,

	"1.3.6.1.4.1.6449.1.2.2.51": nil,

	"1.3.6.1.4.1.6449.1.2.2.52": nil,

	"1.3.6.1.4.1.6449.1.2.2.53": nil,

	"1.3.6.1.4.1.6449.1.2.2.54": nil,

	"1.3.6.1.4.1.6449.1.2.2.7": nil,

	"1.3.6.1.4.1.6449.1.2.2.8": nil,

	"2.16.840.1.114412.1.2": nil,

	"2.16.840.1.114413.1.7.23.1": nil,

	"2.16.840.1.114414.1.7.23.1": nil,

	"2.23.140.1.2.1": nil,
}

DomainValidationOIDs contain OIDs that identify DV certs.

View Source
var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")

ErrUnsupportedAlgorithm results from attempting to perform an operation that involves algorithms that are not currently implemented.

View Source
var ExtendedValidationOIDs = map[string]interface{}{

	"2.23.140.1.1": nil,

	"2.23.140.1.3": nil,

	"2.23.140.1.31": nil,

	"1.3.6.1.4.1.17326.10.14.2.1.2": nil,
	"1.3.6.1.4.1.17326.10.14.2.2.2": nil,

	"1.3.6.1.4.1.17326.10.8.12.1.2": nil,
	"1.3.6.1.4.1.17326.10.8.12.2.2": nil,

	"1.3.159.1.17.1": nil,

	"1.3.6.1.4.1.34697.2.1": nil,

	"1.3.6.1.4.1.34697.2.2": nil,

	"1.3.6.1.4.1.34697.2.3": nil,

	"1.3.6.1.4.1.34697.2.4": nil,

	"1.3.6.1.4.1.13177.10.1.3.10": nil,

	"2.16.578.1.26.1.3.3": nil,

	"1.3.6.1.4.1.36305.2": nil,

	"1.3.6.1.4.1.22234.2.5.2.3.1": nil,

	"1.2.616.1.113527.2.5.1.1": nil,

	"1.3.6.1.4.1.29836.1.10": nil,

	"1.3.6.1.4.1.6449.1.2.1.5.1": nil,

	"1.3.6.1.4.1.6334.1.100.1": nil,

	"2.16.840.1.114412.2.1": nil,

	"1.3.6.1.4.1.4788.2.202.1": nil,

	"2.16.840.1.114028.10.1.2": nil,

	"2.16.792.3.0.4.1.1.4": nil,

	"1.3.6.1.4.1.14370.1.6": nil,

	"1.3.6.1.4.1.4146.1.1": nil,

	"2.16.840.1.114413.1.7.23.3": nil,

	"1.3.6.1.4.1.14777.6.1.1": nil,
	"1.3.6.1.4.1.14777.6.1.2": nil,

	"1.3.6.1.4.1.782.1.2.1.8.1": nil,

	"1.3.6.1.4.1.8024.0.2.100.1.2": nil,

	"2.16.840.1.114404.1.1.2.4.1": nil,

	"1.2.392.200091.100.721.1": nil,

	"2.16.528.1.1003.1.2.7": nil,

	"1.3.6.1.4.1.23223.1.1.1": nil,

	"2.16.840.1.114414.1.7.23.3": nil,

	"2.16.840.1.114414.1.7.24.3": nil,

	"2.16.756.1.89.1.2.1.1": nil,

	"2.16.756.1.83.21.0": nil,

	"2.16.840.1.113733.1.7.48.1": nil,

	"1.3.6.1.4.1.40869.1.1.22.3": nil,

	"1.3.6.1.4.1.7879.13.24.1": nil,

	"2.16.840.1.113733.1.7.23.6": nil,

	"2.16.840.1.114171.500.9": nil,

	"2.16.156.112554.3": nil,

	"2.16.756.5.14.7.4.8": nil,

	"2.16.792.3.0.3.1.1.5": nil,
}

ExtendedValidationOIDs contains the UNION of Chromium (https://chromium.googlesource.com/chromium/src/net/+/master/cert/ev_root_ca_metadata.cc) and Firefox (http://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp) EV OID lists

View Source
var IncorrectPasswordError = errors.New("x509: decryption password incorrect")

IncorrectPasswordError is returned when an incorrect password is detected.

View Source
var OrganizationValidationOIDs = map[string]interface{}{

	"2.23.140.1.2.2": nil,

	"2.23.140.1.2.3": nil,

	"2.16.840.1.114412.1.1": nil,

	"1.3.6.1.4.1.4788.2.200.1": nil,

	"2.16.840.1.114413.1.7.23.2": nil,

	"2.16.528.1.1003.1.2.5.6": nil,

	"1.3.6.1.4.1.8024.0.2.100.1.1": nil,

	"2.16.840.1.114414.1.7.23.2": nil,

	"2.16.792.3.0.3.1.1.2": nil,
}

OrganizationValidationOIDs contains CA specific OV OIDs from https://cabforum.org/object-registry/

Functions

func CheckSignatureFromKey

func CheckSignatureFromKey(publicKey interface{}, algo SignatureAlgorithm, signed, signature []byte) (err error)

func CreateCertificate

func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error)

CreateCertificate creates a new certificate based on a template. The following members of template are used: AuthorityKeyId, BasicConstraintsValid, DNSNames, ExcludedDNSDomains, ExtKeyUsage, IsCA, KeyUsage, MaxPathLen, MaxPathLenZero, NotAfter, NotBefore, PermittedDNSDomains, PermittedDNSDomainsCritical, SerialNumber, SignatureAlgorithm, Subject, SubjectKeyId, and UnknownExtKeyUsage.

The certificate is signed by parent. If parent is equal to template then the certificate is self-signed. The parameter pub is the public key of the signee and priv is the private key of the signer.

The returned slice is the certificate in DER encoding.

All keys types that are implemented via crypto.Signer are supported (This includes *rsa.PublicKey and *ecdsa.PublicKey.)

The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any, unless the resulting certificate is self-signed. Otherwise the value from template will be used.

func CreateCertificateRequest

func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error)

CreateCertificateRequest creates a new certificate request based on a template. The following members of template are used: Attributes, DNSNames, EmailAddresses, ExtraExtensions, IPAddresses, SignatureAlgorithm, and Subject. The private key is the private key of the signer.

The returned slice is the certificate request in DER encoding.

All keys types that are implemented via crypto.Signer are supported (This includes *rsa.PublicKey and *ecdsa.PublicKey.)

func DecryptPEMBlock

func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)

DecryptPEMBlock takes a password encrypted PEM block and the password used to encrypt it and returns a slice of decrypted DER encoded bytes. It inspects the DEK-Info header to determine the algorithm used for decryption. If no DEK-Info header is present, an error is returned. If an incorrect password is detected an IncorrectPasswordError is returned. Because of deficiencies in the encrypted-PEM format, it's not always possible to detect an incorrect password. In these cases no error will be returned but the decrypted DER bytes will be random noise.

func EncryptPEMBlock

func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)

EncryptPEMBlock returns a PEM block of the specified type holding the given DER-encoded data encrypted with the specified algorithm and password.

func GetRSAPublicKeyJSON

func GetRSAPublicKeyJSON(key *rsa.PublicKey) *jsonKeys.RSAPublicKey

GetRSAPublicKeyJSON - get the jsonKeys.RSAPublicKey for the given standard RSA PublicKey.

func IsEncryptedPEMBlock

func IsEncryptedPEMBlock(b *pem.Block) bool

IsEncryptedPEMBlock returns if the PEM block is password encrypted.

func MarshalECPrivateKey

func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)

MarshalECPrivateKey marshals an EC private key into ASN.1, DER format.

func MarshalPKCS1PrivateKey

func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte

MarshalPKCS1PrivateKey converts a private key to ASN.1 DER encoded form.

func MarshalPKIXPublicKey

func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)

MarshalPKIXPublicKey serialises a public key to DER-encoded PKIX format.

func ParseCRL

func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error)

ParseCRL parses a CRL from the given bytes. It's often the case that PEM encoded CRLs will appear where they should be DER encoded, so this function will transparently handle PEM encoding as long as there isn't any leading garbage.

func ParseDERCRL

func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error)

ParseDERCRL parses a DER encoded CRL from the given bytes.

func ParseECPrivateKey

func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error)

ParseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.

func ParsePKCS1PrivateKey

func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error)

ParsePKCS1PrivateKey returns an RSA private key from its ASN.1 PKCS#1 DER encoded form.

func ParsePKCS8PrivateKey

func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)

ParsePKCS8PrivateKey parses an unencrypted, PKCS#8 private key. See RFC 5208.

func ParsePKIXPublicKey

func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)

ParsePKIXPublicKey parses a DER encoded public key. These values are typically found in PEM blocks with "BEGIN PUBLIC KEY".

Supported key types include RSA, DSA, and ECDSA. Unknown key types result in an error.

On success, pub will be of type *rsa.PublicKey, *dsa.PublicKey, or *ecdsa.PublicKey.

Types

type AugmentedECDSA

type AugmentedECDSA struct {
	Pub *ecdsa.PublicKey
	Raw asn1.BitString
}

type AuthorityInfoAccess

type AuthorityInfoAccess struct {
	OCSPServer            []string `json:"ocsp_urls,omitempty"`
	IssuingCertificateURL []string `json:"issuer_urls,omitempty"`
}

TODO pull out other types

type BasicConstraints

type BasicConstraints struct {
	IsCA       bool `json:"is_ca"`
	MaxPathLen *int `json:"max_path_len,omitempty"`
}

type CABFOrganizationIDASN

type CABFOrganizationIDASN struct {
	RegistrationSchemeIdentifier string `asn1:"printable"`
	RegistrationCountry          string `asn1:"printable"`
	RegistrationStateOrProvince  string `asn1:"printable,optional,tag:0"`
	RegistrationReference        string `asn1:"utf8"`
}
    id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }

    ext-CABFOrganizationIdentifier EXTENSION ::= { SYNTAX CABFOrganizationIdentifier IDENTIFIED BY id-CABFOrganizationIdentifier }

    CABFOrganizationIdentifier ::= SEQUENCE {

        registrationSchemeIdentifier   PrintableString (SIZE(3)),

        registrationCountry            PrintableString (SIZE(2)),

        registrationStateOrProvince    [0] IMPLICIT PrintableString OPTIONAL (SIZE(0..128)),

        registrationReference          UTF8String

	}

type CABFOrganizationIdentifier

type CABFOrganizationIdentifier struct {
	Scheme    string `json:"scheme,omitempty"`
	Country   string `json:"country,omitempty"`
	State     string `json:"state,omitempty"`
	Reference string `json:"reference,omitempty"`
}

type CRLDistributionPoints

type CRLDistributionPoints []string

type CertPool

type CertPool struct {
	// contains filtered or unexported fields
}

CertPool is a set of certificates.

func NewCertPool

func NewCertPool() *CertPool

NewCertPool returns a new, empty CertPool.

func (*CertPool) AddCert

func (s *CertPool) AddCert(cert *Certificate)

AddCert adds a certificate to a pool.

func (*CertPool) AppendCertsFromPEM

func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. It appends any certificates found to s and reports whether any certificates were successfully parsed.

On many Linux systems, /etc/ssl/cert.pem will contain the system wide set of root CAs in a format suitable for this function.

func (*CertPool) Certificates

func (s *CertPool) Certificates() []*Certificate

Certificates returns a list of parsed certificates in the pool.

func (*CertPool) Contains

func (s *CertPool) Contains(c *Certificate) bool

Contains returns true if c is in s.

func (*CertPool) Covers

func (s *CertPool) Covers(pool *CertPool) bool

Covers returns true if all certs in pool are in s.

func (*CertPool) Size

func (s *CertPool) Size() int

Size returns the number of unique certificates in the CertPool.

func (*CertPool) Subjects

func (s *CertPool) Subjects() [][]byte

Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.

func (*CertPool) Sum

func (s *CertPool) Sum(other *CertPool) (sum *CertPool)

Sum returns the union of two certificate pools as a new certificate pool.

type CertValidationLevel

type CertValidationLevel int

The string functions for CertValidationLevel are auto-generated via `go generate <full_path_to_x509_package>` or running `go generate` in the package directory

const (
	UnknownValidationLevel CertValidationLevel = 0
	DV                     CertValidationLevel = 1
	OV                     CertValidationLevel = 2
	EV                     CertValidationLevel = 3
)

func (*CertValidationLevel) MarshalJSON

func (c *CertValidationLevel) MarshalJSON() ([]byte, error)

func (CertValidationLevel) String

func (i CertValidationLevel) String() string

type Certificate

type Certificate struct {
	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
	RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
	RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
	RawSubject              []byte // DER encoded Subject
	RawIssuer               []byte // DER encoded Issuer

	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm

	SelfSigned bool

	SignatureAlgorithmOID asn1.ObjectIdentifier

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{}

	PublicKeyAlgorithmOID asn1.ObjectIdentifier

	Version             int
	SerialNumber        *big.Int
	Issuer              pkix.Name
	Subject             pkix.Name
	NotBefore, NotAfter time.Time // Validity bounds.
	ValidityPeriod      int
	KeyUsage            KeyUsage

	IssuerUniqueId  asn1.BitString
	SubjectUniqueId asn1.BitString

	// Extensions contains raw X.509 extensions. When parsing certificates,
	// this can be used to extract non-critical extensions that are not
	// parsed by this package. When marshaling certificates, the Extensions
	// field is ignored, see ExtraExtensions.
	Extensions []pkix.Extension

	// ExtensionsMap contains raw x.509 extensions keyed by OID (in string
	// representation). It allows fast membership testing of specific OIDs. Like
	// the Extensions field this field is ignored when marshaling certificates. If
	// multiple extensions with the same OID are present only the last
	// pkix.Extension will be in this map. Consult the `Extensions` slice when it
	// is required to process all extensions including duplicates.
	ExtensionsMap map[string]pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any
	// marshaled certificates. Values override any extensions that would
	// otherwise be produced based on the other fields. The ExtraExtensions
	// field is not populated when parsing certificates, see Extensions.
	ExtraExtensions []pkix.Extension

	// UnhandledCriticalExtensions contains a list of extension IDs that
	// were not (fully) processed when parsing. Verify will fail if this
	// slice is non-empty, unless verification is delegated to an OS
	// library which understands all the critical extensions.
	//
	// Users can access these extensions using Extensions and can remove
	// elements from this slice if they believe that they have been
	// handled.
	UnhandledCriticalExtensions []asn1.ObjectIdentifier

	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
	UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.

	BasicConstraintsValid bool // if true then the next two fields are valid.
	IsCA                  bool

	// MaxPathLen and MaxPathLenZero indicate the presence and
	// value of the BasicConstraints' "pathLenConstraint".
	//
	// When parsing a certificate, a positive non-zero MaxPathLen
	// means that the field was specified, -1 means it was unset,
	// and MaxPathLenZero being true mean that the field was
	// explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
	// should be treated equivalent to -1 (unset).
	//
	// When generating a certificate, an unset pathLenConstraint
	// can be requested with either MaxPathLen == -1 or using the
	// zero value for both MaxPathLen and MaxPathLenZero.
	MaxPathLen int
	// MaxPathLenZero indicates that BasicConstraintsValid==true and
	// MaxPathLen==0 should be interpreted as an actual Max path length
	// of zero. Otherwise, that combination is interpreted as MaxPathLen
	// not being set.
	MaxPathLenZero bool

	SubjectKeyId   []byte
	AuthorityKeyId []byte

	// RFC 5280, 4.2.2.1 (Authority Information Access)
	OCSPServer            []string
	IssuingCertificateURL []string

	// Subject Alternate Name values
	OtherNames     []pkix.OtherName
	DNSNames       []string
	EmailAddresses []string
	DirectoryNames []pkix.Name
	EDIPartyNames  []pkix.EDIPartyName
	URIs           []string
	IPAddresses    []net.IP
	RegisteredIDs  []asn1.ObjectIdentifier

	// Issuer Alternative Name values
	IANOtherNames     []pkix.OtherName
	IANDNSNames       []string
	IANEmailAddresses []string
	IANDirectoryNames []pkix.Name
	IANEDIPartyNames  []pkix.EDIPartyName
	IANURIs           []string
	IANIPAddresses    []net.IP
	IANRegisteredIDs  []asn1.ObjectIdentifier

	// Certificate Policies values
	QualifierId          [][]asn1.ObjectIdentifier
	CPSuri               [][]string
	ExplicitTexts        [][]asn1.RawValue
	NoticeRefOrgnization [][]asn1.RawValue
	NoticeRefNumbers     [][]NoticeNumber

	ParsedExplicitTexts         [][]string
	ParsedNoticeRefOrganization [][]string

	// Name constraints
	NameConstraintsCritical bool // if true then the name constraints are marked critical.
	PermittedDNSNames       []GeneralSubtreeString
	ExcludedDNSNames        []GeneralSubtreeString
	PermittedEmailAddresses []GeneralSubtreeString
	ExcludedEmailAddresses  []GeneralSubtreeString
	PermittedURIs           []GeneralSubtreeString
	ExcludedURIs            []GeneralSubtreeString
	PermittedIPAddresses    []GeneralSubtreeIP
	ExcludedIPAddresses     []GeneralSubtreeIP
	PermittedDirectoryNames []GeneralSubtreeName
	ExcludedDirectoryNames  []GeneralSubtreeName
	PermittedEdiPartyNames  []GeneralSubtreeEdi
	ExcludedEdiPartyNames   []GeneralSubtreeEdi
	PermittedRegisteredIDs  []GeneralSubtreeOid
	ExcludedRegisteredIDs   []GeneralSubtreeOid
	PermittedX400Addresses  []GeneralSubtreeRaw
	ExcludedX400Addresses   []GeneralSubtreeRaw

	// CRL Distribution Points
	CRLDistributionPoints []string

	PolicyIdentifiers []asn1.ObjectIdentifier
	ValidationLevel   CertValidationLevel

	// Fingerprints
	FingerprintMD5    CertificateFingerprint
	FingerprintSHA1   CertificateFingerprint
	FingerprintSHA256 CertificateFingerprint
	FingerprintNoCT   CertificateFingerprint

	// SPKI
	SPKIFingerprint           CertificateFingerprint
	SPKISubjectFingerprint    CertificateFingerprint
	TBSCertificateFingerprint CertificateFingerprint

	IsPrecert bool

	// CT
	SignedCertificateTimestampList []*ct.SignedCertificateTimestamp

	// QWACS
	CABFOrganizationIdentifier *CABFOrganizationIdentifier
	QCStatements               *QCStatements

	// CAB Forum Tor Service Descriptor Hash Extensions (see EV Guidelines
	// Appendix F)
	TorServiceDescriptors []*TorServiceDescriptorHash
	// contains filtered or unexported fields
}

A Certificate represents an X.509 certificate.

func ParseCertificate

func ParseCertificate(asn1Data []byte) (*Certificate, error)

ParseCertificate parses a single certificate from the given ASN.1 DER data.

func ParseCertificates

func ParseCertificates(asn1Data []byte) ([]*Certificate, error)

ParseCertificates parses one or more certificates from the given ASN.1 DER data. The certificates must be concatenated with no intermediate padding.

func ParseTBSCertificate

func ParseTBSCertificate(asn1Data []byte) (*Certificate, error)

func (*Certificate) CheckCRLSignature

func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error

CheckCRLSignature checks that the signature in crl is from c.

func (*Certificate) CheckSignature

func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) (err error)

CheckSignature verifies that signature is a valid signature over signed from c's public key.

func (*Certificate) CheckSignatureFrom

func (c *Certificate) CheckSignatureFrom(parent *Certificate) (err error)

CheckSignatureFrom verifies that the signature on c is a valid signature from parent.

func (*Certificate) CollectAllNames

func (c *Certificate) CollectAllNames() []string

CollectAllNames - Collect and validate all DNS / URI / IP Address names for a given certificate

func (*Certificate) CreateCRL

func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)

CreateCRL returns a DER encoded CRL, signed by this Certificate, that contains the given list of revoked certificates.

func (*Certificate) Equal

func (c *Certificate) Equal(other *Certificate) bool

func (*Certificate) GetParsedDNSNames

func (c *Certificate) GetParsedDNSNames(invalidateCache bool) []ParsedDomainName

GetParsedDNSNames returns a list of parsed SAN DNS names. It is used to cache the parsing result and speed up zlint linters. If invalidateCache is true, then the cache is repopulated with current list of string from Certificate.DNSNames. This parameter should always be false, unless the Certificate.DNSNames have been modified after calling GetParsedDNSNames the previous time.

func (*Certificate) GetParsedSubjectCommonName

func (c *Certificate) GetParsedSubjectCommonName(invalidateCache bool) ParsedDomainName

GetParsedCommonName returns parsed subject CommonName. It is used to cache the parsing result and speed up zlint linters. If invalidateCache is true, then the cache is repopulated with current subject CommonName. This parameter should always be false, unless the Certificate.Subject.CommonName have been modified after calling GetParsedSubjectCommonName the previous time.

func (*Certificate) MarshalJSON

func (c *Certificate) MarshalJSON() ([]byte, error)

func (*Certificate) PublicKeyAlgorithmName

func (c *Certificate) PublicKeyAlgorithmName() string

func (*Certificate) SignatureAlgorithmName

func (c *Certificate) SignatureAlgorithmName() string

func (*Certificate) SubjectAndKey

func (c *Certificate) SubjectAndKey() *SubjectAndKey

SubjectAndKey returns a SubjectAndKey for this certificate.

func (*Certificate) TimeInValidityPeriod

func (c *Certificate) TimeInValidityPeriod(t time.Time) bool

TimeInValidityPeriod returns true if NotBefore < t < NotAfter

func (*Certificate) UnmarshalJSON

func (c *Certificate) UnmarshalJSON(b []byte) error

UnmarshalJSON - intentionally implimented to always error, as this method should not be used. The MarshalJSON method on Certificate condenses data in a way that is not recoverable. Use the x509.ParseCertificate function instead or JSONCertificateWithRaw Marshal method

func (*Certificate) ValidateWithStupidDetail deprecated

func (c *Certificate) ValidateWithStupidDetail(opts VerifyOptions) (chains []CertificateChain, validation *Validation, err error)

ValidateWithStupidDetail fills out a Validation struct given a leaf certificate and intermediates / roots. If opts.DNSName is set, then it will also check if the domain matches.

Deprecated: Use verifier.Verify() instead.

func (*Certificate) Verify

func (c *Certificate) Verify(opts VerifyOptions) (current, expired, never []CertificateChain, err error)

Verify attempts to verify c by building one or more chains from c to a certificate in opts.Roots, using certificates in opts.Intermediates if needed. If successful, it returns one or more chains where the first element of the chain is c and the last element is from opts.Roots.

If opts.Roots is nil and system roots are unavailable the returned error will be of type SystemRootsError.

WARNING: this doesn't do any revocation checking.

func (*Certificate) VerifyHostname

func (c *Certificate) VerifyHostname(h string) error

VerifyHostname returns nil if c is a valid certificate for the named host. Otherwise it returns an error describing the mismatch.

type CertificateChain

type CertificateChain []*Certificate

CertificateChain is a slice of certificates. The 0'th element is the leaf, and the last element is a root. Successive elements have a child-parent relationship.

func FilterByDate

func FilterByDate(chains []CertificateChain, now time.Time) (current, expired, never []CertificateChain)

check expirations divides chains into a set of disjoint chains, containing current chains valid now, expired chains that were valid at some point, and the set of chains that were never valid.

func (CertificateChain) AppendToFreshChain

func (chain CertificateChain) AppendToFreshChain(c *Certificate) CertificateChain

func (CertificateChain) CertificateInChain

func (chain CertificateChain) CertificateInChain(c *Certificate) bool

CertificateInChain returns true if c is in the chain.

func (CertificateChain) CertificateSubjectAndKeyInChain

func (chain CertificateChain) CertificateSubjectAndKeyInChain(c *Certificate) bool

CertificateSubjectAndKeyInChain returns true if the SubjectAndKey from c is found in any certificate in the chain.

func (CertificateChain) Range

func (chain CertificateChain) Range(f func(int, *Certificate))

Range runs a function on each element of chain. It can modify each certificate in place.

func (CertificateChain) SubjectAndKeyInChain

func (chain CertificateChain) SubjectAndKeyInChain(sk *SubjectAndKey) bool

SubjectAndKeyInChain returns true if the given SubjectAndKey is found in any certificate in the chain.

type CertificateExtensions

type CertificateExtensions struct {
	KeyUsage                       KeyUsage                         `json:"key_usage,omitempty"`
	BasicConstraints               *BasicConstraints                `json:"basic_constraints,omitempty"`
	SubjectAltName                 *GeneralNames                    `json:"subject_alt_name,omitempty"`
	IssuerAltName                  *GeneralNames                    `json:"issuer_alt_name,omitempty"`
	NameConstraints                *NameConstraints                 `json:"name_constraints,omitempty"`
	CRLDistributionPoints          CRLDistributionPoints            `json:"crl_distribution_points,omitempty"`
	AuthKeyID                      SubjAuthKeyId                    `json:"authority_key_id,omitempty"`
	SubjectKeyID                   SubjAuthKeyId                    `json:"subject_key_id,omitempty"`
	ExtendedKeyUsage               *ExtendedKeyUsageExtension       `json:"extended_key_usage,omitempty"`
	CertificatePolicies            *CertificatePoliciesData         `json:"certificate_policies,omitempty"`
	AuthorityInfoAccess            *AuthorityInfoAccess             `json:"authority_info_access,omitempty"`
	IsPrecert                      IsPrecert                        `json:"ct_poison,omitempty"`
	SignedCertificateTimestampList []*ct.SignedCertificateTimestamp `json:"signed_certificate_timestamps,omitempty"`
	TorServiceDescriptors          []*TorServiceDescriptorHash      `json:"tor_service_descriptors,omitempty"`
	CABFOrganizationIdentifier     *CABFOrganizationIdentifier      `json:"cabf_organization_id,omitempty"`
	QCStatements                   *QCStatements                    `json:"qc_statements,omitempty"`
}

type CertificateFingerprint

type CertificateFingerprint []byte

CertificateFingerprint represents a digest/fingerprint of some data. It can easily be encoded to hex and JSON (as a hex string).

func MD5Fingerprint

func MD5Fingerprint(data []byte) CertificateFingerprint

MD5Fingerprint creates a fingerprint of data using the MD5 hash algorithm.

func SHA1Fingerprint

func SHA1Fingerprint(data []byte) CertificateFingerprint

SHA1Fingerprint creates a fingerprint of data using the SHA1 hash algorithm.

func SHA256Fingerprint

func SHA256Fingerprint(data []byte) CertificateFingerprint

SHA256Fingerprint creates a fingerprint of data using the SHA256 hash algorithm.

func SHA512Fingerprint

func SHA512Fingerprint(data []byte) CertificateFingerprint

SHA512Fingerprint creates a fingerprint of data using the SHA256 hash algorithm.

func (CertificateFingerprint) Equal

Equal returns true if the fingerprints are bytewise-equal.

func (CertificateFingerprint) Hex

Hex returns the given fingerprint encoded as a hex string.

func (*CertificateFingerprint) MarshalJSON

func (f *CertificateFingerprint) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface, and marshals the fingerprint as a hex string.

type CertificateInvalidError

type CertificateInvalidError struct {
	Cert   *Certificate
	Reason InvalidReason
}

CertificateInvalidError results when an odd error occurs. Users of this library probably want to handle all these errors uniformly.

func (CertificateInvalidError) Error

func (e CertificateInvalidError) Error() string

type CertificatePolicies

type CertificatePolicies []CertificatePoliciesJSON

type CertificatePoliciesData

type CertificatePoliciesData struct {
	PolicyIdentifiers     []asn1.ObjectIdentifier
	QualifierId           [][]asn1.ObjectIdentifier
	CPSUri                [][]string
	ExplicitTexts         [][]string
	NoticeRefOrganization [][]string
	NoticeRefNumbers      [][]NoticeNumber
}

func (*CertificatePoliciesData) MarshalJSON

func (cp *CertificatePoliciesData) MarshalJSON() ([]byte, error)

type CertificatePoliciesJSON

type CertificatePoliciesJSON struct {
	PolicyIdentifier string           `json:"id,omitempty"`
	CPSUri           []string         `json:"cps,omitempty"`
	UserNotice       []UserNoticeData `json:"user_notice,omitempty"`
}

type CertificateRequest

type CertificateRequest struct {
	Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
	RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
	RawSubjectPublicKeyInfo  []byte // DER encoded SubjectPublicKeyInfo.
	RawSubject               []byte // DER encoded Subject.

	Version            int
	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{}

	Subject pkix.Name

	// Attributes is the dried husk of a bug and shouldn't be used.
	Attributes []pkix.AttributeTypeAndValueSET

	// Extensions contains raw X.509 extensions. When parsing CSRs, this
	// can be used to extract extensions that are not parsed by this
	// package.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any
	// marshaled CSR. Values override any extensions that would otherwise
	// be produced based on the other fields but are overridden by any
	// extensions specified in Attributes.
	//
	// The ExtraExtensions field is not populated when parsing CSRs, see
	// Extensions.
	ExtraExtensions []pkix.Extension

	// Subject Alternate Name values.
	DNSNames       []string
	EmailAddresses []string
	IPAddresses    []net.IP
}

CertificateRequest represents a PKCS #10, certificate signature request.

func ParseCertificateRequest

func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)

ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.

func (*CertificateRequest) CheckSignature

func (c *CertificateRequest) CheckSignature() error

CheckSignature reports whether the signature on c is valid.

type CertificateType

type CertificateType int

CertificateType represents whether a certificate is a root, intermediate, or leaf.

const (
	CertificateTypeUnknown      CertificateType = 0
	CertificateTypeLeaf         CertificateType = 1
	CertificateTypeIntermediate CertificateType = 2
	CertificateTypeRoot         CertificateType = 3
)

CertificateType constants. Values should not be considered significant aside from CertificateTypeUnknown is the zero value.

func (CertificateType) MarshalJSON

func (t CertificateType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. Any unknown integer value is considered the same as CertificateTypeUnknown.

func (*CertificateType) UnmarshalJSON

func (t *CertificateType) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. Any unknown string is considered the same CertificateTypeUnknown.

type ConstraintViolationError

type ConstraintViolationError struct{}

ConstraintViolationError results when a requested usage is not permitted by a certificate. For example: checking a signature when the public key isn't a certificate signing key.

func (ConstraintViolationError) Error

type DSAPublicKeyJSON

type DSAPublicKeyJSON struct {
	G []byte `json:"g"`
	P []byte `json:"p"`
	Q []byte `json:"q"`
	Y []byte `json:"y"`
}

DSAPublicKeyJSON - used to condense several fields from a DSA public key into one field for use in JSONCertificate. Uses default JSON marshal and unmarshal methods

func GetDSAPublicKeyJSON

func GetDSAPublicKeyJSON(key *dsa.PublicKey) *DSAPublicKeyJSON

GetDSAPublicKeyJSON - get the DSAPublicKeyJSON for the given standard DSA PublicKey.

type ECDSAPublicKeyJSON

type ECDSAPublicKeyJSON struct {
	B      []byte `json:"b"`
	Curve  string `json:"curve"`
	Gx     []byte `json:"gx"`
	Gy     []byte `json:"gy"`
	Length int    `json:"length"`
	N      []byte `json:"n"`
	P      []byte `json:"p"`
	Pub    []byte `json:"pub,omitempty"`
	X      []byte `json:"x"`
	Y      []byte `json:"y"`
}

ECDSAPublicKeyJSON - used to condense several fields from a ECDSA public key into one field for use in JSONCertificate. Uses default JSON marshal and unmarshal methods

func GetAugmentedECDSAPublicKeyJSON

func GetAugmentedECDSAPublicKeyJSON(key *AugmentedECDSA) *ECDSAPublicKeyJSON

GetAugmentedECDSAPublicKeyJSON - get the GetECDSAPublicKeyJSON for the given "augmented" ECDSA PublicKey.

func GetECDSAPublicKeyJSON

func GetECDSAPublicKeyJSON(key *ecdsa.PublicKey) *ECDSAPublicKeyJSON

GetECDSAPublicKeyJSON - get the GetECDSAPublicKeyJSON for the given standard ECDSA PublicKey.

type ExtKeyUsage

type ExtKeyUsage int

ExtKeyUsage represents an extended set of actions that are valid for a given key. Each of the ExtKeyUsage* constants define a unique action.

const (
	ExtKeyUsageAppleCodeSigning ExtKeyUsage = iota
	ExtKeyUsageAppleCodeSigningDevelopment
	ExtKeyUsageAppleSoftwareUpdateSigning
	ExtKeyUsageAppleCodeSigningThirdParty
	ExtKeyUsageAppleResourceSigning
	ExtKeyUsageAppleIchatSigning
	ExtKeyUsageAppleIchatEncryption
	ExtKeyUsageAppleSystemIdentity
	ExtKeyUsageAppleCryptoEnv
	ExtKeyUsageAppleCryptoProductionEnv
	ExtKeyUsageAppleCryptoMaintenanceEnv
	ExtKeyUsageAppleCryptoTestEnv
	ExtKeyUsageAppleCryptoDevelopmentEnv
	ExtKeyUsageAppleCryptoQos
	ExtKeyUsageAppleCryptoTier0Qos
	ExtKeyUsageAppleCryptoTier1Qos
	ExtKeyUsageAppleCryptoTier2Qos
	ExtKeyUsageAppleCryptoTier3Qos
	ExtKeyUsageMicrosoftCertTrustListSigning
	ExtKeyUsageMicrosoftQualifiedSubordinate
	ExtKeyUsageMicrosoftKeyRecovery3
	ExtKeyUsageMicrosoftDocumentSigning
	ExtKeyUsageMicrosoftLifetimeSigning
	ExtKeyUsageMicrosoftMobileDeviceSoftware
	ExtKeyUsageMicrosoftSmartDisplay
	ExtKeyUsageMicrosoftCspSignature
	ExtKeyUsageMicrosoftTimestampSigning
	ExtKeyUsageMicrosoftServerGatedCrypto
	ExtKeyUsageMicrosoftSgcSerialized
	ExtKeyUsageMicrosoftEncryptedFileSystem
	ExtKeyUsageMicrosoftEfsRecovery
	ExtKeyUsageMicrosoftWhqlCrypto
	ExtKeyUsageMicrosoftNt5Crypto
	ExtKeyUsageMicrosoftOemWhqlCrypto
	ExtKeyUsageMicrosoftEmbeddedNtCrypto
	ExtKeyUsageMicrosoftRootListSigner
	ExtKeyUsageMicrosoftDrm
	ExtKeyUsageMicrosoftDrmIndividualization
	ExtKeyUsageMicrosoftLicenses
	ExtKeyUsageMicrosoftLicenseServer
	ExtKeyUsageMicrosoftEnrollmentAgent
	ExtKeyUsageMicrosoftSmartcardLogon
	ExtKeyUsageMicrosoftCaExchange
	ExtKeyUsageMicrosoftKeyRecovery21
	ExtKeyUsageMicrosoftSystemHealth
	ExtKeyUsageMicrosoftSystemHealthLoophole
	ExtKeyUsageMicrosoftKernelModeCodeSigning
	ExtKeyUsageServerAuth
	ExtKeyUsageDvcs
	ExtKeyUsageSbgpCertAaServiceAuth
	ExtKeyUsageEapOverPpp
	ExtKeyUsageEapOverLan
	ExtKeyUsageClientAuth
	ExtKeyUsageCodeSigning
	ExtKeyUsageEmailProtection
	ExtKeyUsageIpsecEndSystem
	ExtKeyUsageIpsecTunnel
	ExtKeyUsageIpsecUser
	ExtKeyUsageTimeStamping
	ExtKeyUsageOcspSigning
	ExtKeyUsageIpsecIntermediateSystemUsage
	ExtKeyUsageNetscapeServerGatedCrypto
	ExtKeyUsageAny
)

type ExtendedKeyUsage

type ExtendedKeyUsage []ExtKeyUsage

type ExtendedKeyUsageExtension

type ExtendedKeyUsageExtension struct {
	Known   ExtendedKeyUsage
	Unknown []asn1.ObjectIdentifier
}

func (*ExtendedKeyUsageExtension) MarshalJSON

func (e *ExtendedKeyUsageExtension) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshal interface. The output is a struct of bools, with an additional `Value` field containing the actual OIDs.

func (*ExtendedKeyUsageExtension) UnmarshalJSON

func (e *ExtendedKeyUsageExtension) UnmarshalJSON(b []byte) error

type GeneralNames

type GeneralNames struct {
	DirectoryNames []pkix.Name
	DNSNames       []string
	EDIPartyNames  []pkix.EDIPartyName
	EmailAddresses []string
	IPAddresses    []net.IP
	OtherNames     []pkix.OtherName
	RegisteredIDs  []asn1.ObjectIdentifier
	URIs           []string
}

GeneralNames corresponds an X.509 GeneralName defined in Section 4.2.1.6 of RFC 5280.

GeneralName ::= CHOICE {
     otherName                 [0]  AnotherName,
     rfc822Name                [1]  IA5String,
     dNSName                   [2]  IA5String,
     x400Address               [3]  ORAddress,
     directoryName             [4]  Name,
     ediPartyName              [5]  EDIPartyName,
     uniformResourceIdentifier [6]  IA5String,
     iPAddress                 [7]  OCTET STRING,
     registeredID              [8]  OBJECT IDENTIFIER }

func (*GeneralNames) MarshalJSON

func (gn *GeneralNames) MarshalJSON() ([]byte, error)

func (*GeneralNames) UnmarshalJSON

func (gn *GeneralNames) UnmarshalJSON(b []byte) error

type GeneralSubtreeEdi

type GeneralSubtreeEdi struct {
	Data pkix.EDIPartyName
	Max  int
	Min  int
}

type GeneralSubtreeIP

type GeneralSubtreeIP struct {
	Data net.IPNet
	Max  int
	Min  int
}

func (*GeneralSubtreeIP) MarshalJSON

func (g *GeneralSubtreeIP) MarshalJSON() ([]byte, error)

func (*GeneralSubtreeIP) UnmarshalJSON

func (g *GeneralSubtreeIP) UnmarshalJSON(b []byte) error

type GeneralSubtreeName

type GeneralSubtreeName struct {
	Data pkix.Name
	Max  int
	Min  int
}

type GeneralSubtreeOid

type GeneralSubtreeOid struct {
	Data asn1.ObjectIdentifier
	Max  int
	Min  int
}

type GeneralSubtreeRaw

type GeneralSubtreeRaw struct {
	Data asn1.RawValue
	Max  int
	Min  int
}

type GeneralSubtreeString

type GeneralSubtreeString struct {
	Data string
	Max  int
	Min  int
}

type HostnameError

type HostnameError struct {
	Certificate *Certificate
	Host        string
}

HostnameError results when the set of authorized names doesn't match the requested name.

func (HostnameError) Error

func (h HostnameError) Error() string

type InsecureAlgorithmError

type InsecureAlgorithmError SignatureAlgorithm

An InsecureAlgorithmError

func (InsecureAlgorithmError) Error

func (e InsecureAlgorithmError) Error() string

type InvalidReason

type InvalidReason int
const (
	// NotAuthorizedToSign results when a certificate is signed by another
	// which isn't marked as a CA certificate.
	NotAuthorizedToSign InvalidReason = iota

	// Expired results when a certificate has expired, based on the time
	// given in the VerifyOptions.
	Expired

	// CANotAuthorizedForThisName results when an intermediate or root
	// certificate has a name constraint which doesn't include the name
	// being checked.
	CANotAuthorizedForThisName

	// CANotAuthorizedForThisEmail results when an intermediate or root
	// certificate has a name constraint which doesn't include the email
	// being checked.
	CANotAuthorizedForThisEmail

	// CANotAuthorizedForThisIP results when an intermediate or root
	// certificate has a name constraint which doesn't include the IP
	// being checked.
	CANotAuthorizedForThisIP

	// CANotAuthorizedForThisDirectory results when an intermediate or root
	// certificate has a name constraint which doesn't include the directory
	// being checked.
	CANotAuthorizedForThisDirectory

	// TooManyIntermediates results when a path length constraint is
	// violated.
	TooManyIntermediates

	// IncompatibleUsage results when the certificate's key usage indicates
	// that it may only be used for a different purpose.
	IncompatibleUsage

	// NameMismatch results when the subject name of a parent certificate
	// does not match the issuer name in the child.
	NameMismatch

	// NeverValid results when the certificate could never have been valid due to
	// some date-related issue, e.g. NotBefore > NotAfter.
	NeverValid

	// IsSelfSigned results when the certificate is self-signed and not a trusted
	// root.
	IsSelfSigned
)

type IsPrecert

type IsPrecert bool

type JSONCertificate

type JSONCertificate struct {
	Version                   int                          `json:"version"`
	SerialNumber              string                       `json:"serial_number"`
	SignatureAlgorithm        JSONSignatureAlgorithm       `json:"signature_algorithm"`
	Issuer                    pkix.Name                    `json:"issuer"`
	IssuerDN                  string                       `json:"issuer_dn,omitempty"`
	Validity                  JSONValidity                 `json:"validity"`
	Subject                   pkix.Name                    `json:"subject"`
	SubjectDN                 string                       `json:"subject_dn,omitempty"`
	SubjectKeyInfo            JSONSubjectKeyInfo           `json:"subject_key_info"`
	Extensions                *CertificateExtensions       `json:"extensions,omitempty"`
	UnknownExtensions         UnknownCertificateExtensions `json:"unknown_extensions,omitempty"`
	Signature                 JSONSignature                `json:"signature"`
	FingerprintMD5            CertificateFingerprint       `json:"fingerprint_md5"`
	FingerprintSHA1           CertificateFingerprint       `json:"fingerprint_sha1"`
	FingerprintSHA256         CertificateFingerprint       `json:"fingerprint_sha256"`
	FingerprintNoCT           CertificateFingerprint       `json:"tbs_noct_fingerprint"`
	SPKISubjectFingerprint    CertificateFingerprint       `json:"spki_subject_fingerprint"`
	TBSCertificateFingerprint CertificateFingerprint       `json:"tbs_fingerprint"`
	ValidationLevel           CertValidationLevel          `json:"validation_level"`
	Names                     []string                     `json:"names,omitempty"`
	Redacted                  bool                         `json:"redacted"`
}

JSONCertificate - used to condense data from x509.Certificate when marhsaling into JSON. This struct has a distinct and independent layout from x509.Certificate, mostly for condensing data across repetitive fields and making it more presentable.

func (*JSONCertificate) UnmarshalJSON

func (jc *JSONCertificate) UnmarshalJSON(b []byte) error

UnmarshalJSON - intentionally implimented to always error, as this method should not be used. The MarshalJSON method on Certificate condenses data in a way that is not recoverable. Use the x509.ParseCertificate function instead or JSONCertificateWithRaw Marshal method

type JSONCertificateWithRaw

type JSONCertificateWithRaw struct {
	Raw []byte `json:"raw,omitempty"`
}

JSONCertificateWithRaw - intermediate struct for unmarshaling json of a certificate - the raw is require since the MarshalJSON method on Certificate condenses data in a way that makes extraction to the original in Unmarshal impossible. The JSON output of Marshal is not even used to construct a certificate, all we need is raw

func (*JSONCertificateWithRaw) ParseRaw

func (c *JSONCertificateWithRaw) ParseRaw() (*Certificate, error)

ParseRaw - for converting the intermediate object JSONCertificateWithRaw into a parsed Certificate see description of JSONCertificateWithRaw for why this is used instead of UnmarshalJSON methods

type JSONSignature

type JSONSignature struct {
	SignatureAlgorithm JSONSignatureAlgorithm `json:"signature_algorithm"`
	Value              []byte                 `json:"value"`
	Valid              bool                   `json:"valid"`
	SelfSigned         bool                   `json:"self_signed"`
}

JSONSignature - used to condense several fields from x509.Certificate related to the signature into one field within JSONCertificate Unfortunately, this struct cannot have its own Marshal method since it needs information from multiple fields in x509.Certificate

type JSONSignatureAlgorithm

type JSONSignatureAlgorithm struct {
	Name string      `json:"name,omitempty"`
	OID  pkix.AuxOID `json:"oid"`
}

JSONSignatureAlgorithm is the intermediate type used when marshaling a PublicKeyAlgorithm out to JSON.

type JSONSubjectKeyInfo

type JSONSubjectKeyInfo struct {
	KeyAlgorithm    PublicKeyAlgorithm     `json:"key_algorithm"`
	RSAPublicKey    *jsonKeys.RSAPublicKey `json:"rsa_public_key,omitempty"`
	DSAPublicKey    *DSAPublicKeyJSON      `json:"dsa_public_key,omitempty"`
	ECDSAPublicKey  *ECDSAPublicKeyJSON    `json:"ecdsa_public_key,omitempty"`
	SPKIFingerprint CertificateFingerprint `json:"fingerprint_sha256"`
}

JSONSubjectKeyInfo - used to condense several fields from x509.Certificate related to the subject public key into one field within JSONCertificate Unfortunately, this struct cannot have its own Marshal method since it needs information from multiple fields in x509.Certificate

type JSONValidity

type JSONValidity struct {
	ValidityPeriod int
	// contains filtered or unexported fields
}

JSONValidity - used to condense several fields related to validity in x509.Certificate into one field within JSONCertificate Unfortunately, this struct cannot have its own Marshal method since it needs information from multiple fields in x509.Certificate

func (*JSONValidity) MarshalJSON

func (v *JSONValidity) MarshalJSON() ([]byte, error)

func (*JSONValidity) UnmarshalJSON

func (v *JSONValidity) UnmarshalJSON(b []byte) error

type KeyUsage

type KeyUsage int

KeyUsage represents the set of actions that are valid for a given key. It's a bitmap of the KeyUsage* constants.

const (
	KeyUsageDigitalSignature KeyUsage = 1 << iota
	KeyUsageContentCommitment
	KeyUsageKeyEncipherment
	KeyUsageDataEncipherment
	KeyUsageKeyAgreement
	KeyUsageCertSign
	KeyUsageCRLSign
	KeyUsageEncipherOnly
	KeyUsageDecipherOnly
)

func (KeyUsage) MarshalJSON

func (k KeyUsage) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*KeyUsage) UnmarshalJSON

func (k *KeyUsage) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshler interface

type MonetaryValue

type MonetaryValue struct {
	Currency       string `json:"currency,omitempty"`
	CurrencyNumber int    `json:"currency_number,omitempty"`
	Amount         int    `json:"amount,omitempty"`
	Exponent       int    `json:"exponent,omitempty"`
}

type NameConstraints

type NameConstraints struct {
	Critical bool `json:"critical"`

	PermittedDNSNames       []GeneralSubtreeString
	PermittedEmailAddresses []GeneralSubtreeString
	PermittedURIs           []GeneralSubtreeString
	PermittedIPAddresses    []GeneralSubtreeIP
	PermittedDirectoryNames []GeneralSubtreeName
	PermittedEdiPartyNames  []GeneralSubtreeEdi
	PermittedRegisteredIDs  []GeneralSubtreeOid

	ExcludedEmailAddresses []GeneralSubtreeString
	ExcludedDNSNames       []GeneralSubtreeString
	ExcludedURIs           []GeneralSubtreeString
	ExcludedIPAddresses    []GeneralSubtreeIP
	ExcludedDirectoryNames []GeneralSubtreeName
	ExcludedEdiPartyNames  []GeneralSubtreeEdi
	ExcludedRegisteredIDs  []GeneralSubtreeOid
}

func (NameConstraints) MarshalJSON

func (nc NameConstraints) MarshalJSON() ([]byte, error)

func (*NameConstraints) UnmarshalJSON

func (nc *NameConstraints) UnmarshalJSON(b []byte) error

type NameConstraintsJSON

type NameConstraintsJSON struct {
	Critical bool `json:"critical"`

	PermittedDNSNames       []string            `json:"permitted_names,omitempty"`
	PermittedEmailAddresses []string            `json:"permitted_email_addresses,omitempty"`
	PermittedURIs           []string            `json:"permitted_uris,omitempty"`
	PermittedIPAddresses    []GeneralSubtreeIP  `json:"permitted_ip_addresses,omitempty"`
	PermittedDirectoryNames []pkix.Name         `json:"permitted_directory_names,omitempty"`
	PermittedEdiPartyNames  []pkix.EDIPartyName `json:"permitted_edi_party_names,omitempty"`
	PermittedRegisteredIDs  []string            `json:"permitted_registred_id,omitempty"`

	ExcludedDNSNames       []string            `json:"excluded_names,omitempty"`
	ExcludedEmailAddresses []string            `json:"excluded_email_addresses,omitempty"`
	ExcludedURIs           []string            `json:"excluded_uris,omitempty"`
	ExcludedIPAddresses    []GeneralSubtreeIP  `json:"excluded_ip_addresses,omitempty"`
	ExcludedDirectoryNames []pkix.Name         `json:"excluded_directory_names,omitempty"`
	ExcludedEdiPartyNames  []pkix.EDIPartyName `json:"excluded_edi_party_names,omitempty"`
	ExcludedRegisteredIDs  []string            `json:"excluded_registred_id,omitempty"`
}

type NoticeNumber

type NoticeNumber []int

type NoticeReference

type NoticeReference struct {
	Organization  string       `json:"organization,omitempty"`
	NoticeNumbers NoticeNumber `json:"notice_numbers,omitempty"`
}

type PDSLocation

type PDSLocation struct {
	URL      string `json:"url,omitempty" asn1:"ia5"`
	Language string `json:"language,omitempty" asn1:"printable"`
}

type PDSLocations

type PDSLocations struct {
	Locations []PDSLocation `json:"locations,omitempty"`
}

type PEMCipher

type PEMCipher int
const (
	PEMCipherDES PEMCipher
	PEMCipher3DES
	PEMCipherAES128
	PEMCipherAES192
	PEMCipherAES256
)

Possible values for the EncryptPEMBlock encryption algorithm.

type ParsedDomainName

type ParsedDomainName struct {
	DomainString string
	ParsedDomain *publicsuffix.DomainName
	ParseError   error
}

ParsedDomainName is a structure holding a parsed domain name (CommonName or DNS SAN) and a parsing error.

type ParsedQCStatements

type ParsedQCStatements struct {
	ETSICompliance  []bool          `json:"etsi_compliance,omitempty"`
	SSCD            []bool          `json:"sscd,omitempty"`
	Types           []QCType        `json:"types,omitempty"`
	Limit           []MonetaryValue `json:"limit,omitempty"`
	PDSLocations    []PDSLocations  `json:"pds_locations,omitempty"`
	RetentionPeriod []int           `json:"retention_period,omitempty"`
	Legislation     []QCLegistation `json:"legislation,omitempty"`
}

type PublicKeyAlgorithm

type PublicKeyAlgorithm int
const (
	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
	RSA
	DSA
	ECDSA
	Ed25519
	X25519
)

func (*PublicKeyAlgorithm) MarshalJSON

func (p *PublicKeyAlgorithm) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (PublicKeyAlgorithm) String

func (p PublicKeyAlgorithm) String() string

func (*PublicKeyAlgorithm) UnmarshalJSON

func (p *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type QCLegistation

type QCLegistation struct {
	CountryCodes []string `json:"country_codes,omitempty"`
}

type QCStatementASN

type QCStatementASN struct {
	StatementID   asn1.ObjectIdentifier
	StatementInfo asn1.RawValue `asn1:"optional"`
}

func (*QCStatementASN) MarshalJSON

func (s *QCStatementASN) MarshalJSON() ([]byte, error)

type QCStatements

type QCStatements struct {
	StatementIDs     []string            `json:"ids,omitempty"`
	ParsedStatements *ParsedQCStatements `json:"parsed,omitempty"`
}

func (*QCStatements) Parse

func (q *QCStatements) Parse(in *QCStatementsASN) error

type QCStatementsASN

type QCStatementsASN struct {
	QCStatements []QCStatementASN
}

type QCType

type QCType struct {
	TypeIdentifiers []asn1.ObjectIdentifier
}

func (*QCType) MarshalJSON

func (qt *QCType) MarshalJSON() ([]byte, error)

type SignatureAlgorithm

type SignatureAlgorithm int
const (
	UnknownSignatureAlgorithm SignatureAlgorithm = iota
	MD2WithRSA
	MD5WithRSA
	SHA1WithRSA
	SHA256WithRSA
	SHA384WithRSA
	SHA512WithRSA
	DSAWithSHA1
	DSAWithSHA256
	ECDSAWithSHA1
	ECDSAWithSHA256
	ECDSAWithSHA384
	ECDSAWithSHA512
	SHA256WithRSAPSS
	SHA384WithRSAPSS
	SHA512WithRSAPSS
	Ed25519Sig
)

func GetSignatureAlgorithmFromAI

func GetSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm

GetSignatureAlgorithmFromAI converts asn1 AlgorithmIdentifier to SignatureAlgorithm int

func (*SignatureAlgorithm) MarshalJSON

func (s *SignatureAlgorithm) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface MAY NOT PRESERVE ORIGINAL OID FROM CERTIFICATE - CONSIDER USING jsonifySignatureAlgorithm INSTEAD!

func (SignatureAlgorithm) String

func (algo SignatureAlgorithm) String() string

func (*SignatureAlgorithm) UnmarshalJSON

func (s *SignatureAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshler interface

type SignatureAlgorithmOID

type SignatureAlgorithmOID asn1.ObjectIdentifier

type SubjAuthKeyId

type SubjAuthKeyId []byte

func (SubjAuthKeyId) MarshalJSON

func (kid SubjAuthKeyId) MarshalJSON() ([]byte, error)

type SubjectAndKey

type SubjectAndKey struct {
	RawSubject              []byte
	RawSubjectPublicKeyInfo []byte
	Fingerprint             CertificateFingerprint
	PublicKey               interface{}
	PublicKeyAlgorithm      PublicKeyAlgorithm
}

SubjectAndKey represents a (subjecty, subject public key info) tuple.

type SystemRootsError

type SystemRootsError struct {
	Err error
}

SystemRootsError results when we fail to load the system root certificates.

func (SystemRootsError) Error

func (se SystemRootsError) Error() string

type TorServiceDescriptorHash

type TorServiceDescriptorHash struct {
	Onion         string                   `json:"onion"`
	Algorithm     pkix.AlgorithmIdentifier `json:"-"`
	AlgorithmName string                   `json:"algorithm_name"`
	Hash          CertificateFingerprint   `json:"hash"`
	HashBits      int                      `json:"hash_bits"`
}

TorServiceDescriptorHash is a structure corrsponding to the TorServiceDescriptorHash SEQUENCE described in Appendix F ("Issuance of Certificates for .onion Domain Names").

Each TorServiceDescriptorHash holds an onion URI (a utf8 string with the .onion address that was validated), a hash algorithm name (computed based on the pkix.AlgorithmIdentifier in the TorServiceDescriptorHash), the hash bytes (computed over the DER encoding of the ASN.1 SubjectPublicKey of the .onion service), and the number of bits in the hash bytes.

type UnhandledCriticalExtension

type UnhandledCriticalExtension struct {
	// contains filtered or unexported fields
}

UnhandledCriticalExtension results when the certificate contains an unimplemented X.509 extension marked as critical.

func (UnhandledCriticalExtension) Error

type UnknownAuthorityError

type UnknownAuthorityError struct {
	Cert *Certificate
	// contains filtered or unexported fields
}

UnknownAuthorityError results when the certificate issuer is unknown

func (UnknownAuthorityError) Error

func (e UnknownAuthorityError) Error() string

type UnknownCertificateExtensions

type UnknownCertificateExtensions []pkix.Extension

type UserNoticeData

type UserNoticeData struct {
	ExplicitText    string            `json:"explicit_text,omitempty"`
	NoticeReference []NoticeReference `json:"notice_reference,omitempty"`
}

type Validation

type Validation struct {
	BrowserTrusted bool   `json:"browser_trusted"`
	BrowserError   string `json:"browser_error,omitempty"`
	MatchesDomain  bool   `json:"matches_domain,omitempty"`
	Domain         string `json:"-"`
}

Validation stores different validation levels for a given certificate

type VerifyOptions

type VerifyOptions struct {
	DNSName      string
	EmailAddress string
	IPAddress    net.IP

	Intermediates *CertPool
	Roots         *CertPool // if nil, the system roots are used
	CurrentTime   time.Time // if zero, the current time is used
	// KeyUsage specifies which Extended Key Usage values are acceptable.
	// An empty list means ExtKeyUsageServerAuth. Key usage is considered a
	// constraint down the chain which mirrors Windows CryptoAPI behaviour,
	// but not the spec. To accept any key usage, include ExtKeyUsageAny.
	KeyUsages []ExtKeyUsage
}

VerifyOptions contains parameters for Certificate.Verify. It's a structure because other PKIX verification APIs have ended up needing many options.

type X25519PublicKey

type X25519PublicKey []byte

curve25519 package does not expose key types

Directories

Path Synopsis
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
revocation
crl
ZIntermediate is a command line utility for verifying a set prospective intermediate certificates against a root store.
ZIntermediate is a command line utility for verifying a set prospective intermediate certificates against a root store.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL