openssl

package module
v0.0.0-...-500a817 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 2, 2014 License: Apache-2.0 Imports: 16 Imported by: 0

README

OpenSSL bindings for Go

Please see http://godoc.org/github.com/spacemonkeygo/openssl for more info

License

Copyright (C) 2014 Space Monkey, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Using on Windows
  1. Install mingw-w64
  2. Install pkg-config-lite
  3. Build (or install precompiled) openssl for mingw32-w64
  4. Set PKG_CONFIG_PATH to the directory containing openssl.pc (i.e. c:\mingw64\mingw64\lib\pkgconfig)

Documentation

Overview

Package openssl is a light wrapper around OpenSSL for Go.

It strives to provide a near-drop-in replacement for the Go standard library tls package, while allowing for:

Performance

OpenSSL is battle-tested and optimized C. While Go's built-in library shows great promise, it is still young and in some places, inefficient. This simple OpenSSL wrapper can often do at least 2x with the same cipher and protocol.

On my lappytop, I get the following benchmarking speeds: 

BenchmarkSHA1Large_openssl      1000  2611282 ns/op  401.56 MB/s
BenchmarkSHA1Large_stdlib        500  3963983 ns/op  264.53 MB/s
BenchmarkSHA1Small_openssl   1000000     3476 ns/op    0.29 MB/s
BenchmarkSHA1Small_stdlib    5000000      550 ns/op    1.82 MB/s
BenchmarkSHA256Large_openssl     200  8085314 ns/op  129.69 MB/s
BenchmarkSHA256Large_stdlib      100 18948189 ns/op   55.34 MB/s
BenchmarkSHA256Small_openssl 1000000     4262 ns/op    0.23 MB/s
BenchmarkSHA256Small_stdlib  1000000     1444 ns/op    0.69 MB/s
BenchmarkOpenSSLThroughput    100000    21634 ns/op   47.33 MB/s
BenchmarkStdlibThroughput      50000    58974 ns/op   17.36 MB/s

Interoperability

Many systems support OpenSSL with a variety of plugins and modules for things, such as hardware acceleration in embedded devices.

Greater flexibility and configuration

OpenSSL allows for far greater configuration of corner cases and backwards compatibility (such as support of SSLv2). You shouldn't be using SSLv2 if you can help but, but sometimes you can't help it.

Security

Yeah yeah, Heartbleed. But according to the author of the standard library's TLS implementation, Go's TLS library is vulnerable to timing attacks. And whether or not OpenSSL received the appropriate amount of scrutiny pre-Heartbleed, it sure is receiving it now.

Usage

Starting an HTTP server that uses OpenSSL is very easy. It's as simple as: 

log.Fatal(openssl.ListenAndServeTLS(
      ":8443", "my_server.crt", "my_server.key", myHandler))

Getting a net.Listener that uses OpenSSL is also easy: 

ctx, err := openssl.NewCtxFromFiles("my_server.crt", "my_server.key")
if err != nil {
        log.Fatal(err)
}
l, err := openssl.Listen("tcp", ":7777", ctx)

Making a client connection is straightforward too: 

ctx, err := NewCtx()
if err != nil {
        log.Fatal(err)
}
err = ctx.LoadVerifyLocations("/etc/ssl/certs/ca-certificates.crt", "")
if err != nil {
        log.Fatal(err)
}
conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0)

Help wanted: To get this library to work with net/http's client, we had to fork net/http. It would be nice if an alternate http client library supported the generality needed to use OpenSSL instead of crypto/tls.

Index

Constants

View Source 
const (
	GCM_TAG_MAXLEN = 16
)
View Source 
const (
	SSLRecordSize = 16 * 1024
)

Variables

View Source 
var (
	ValidationError = errors.New("Host validation error")
)

Functions

func Listen 

func Listen(network, laddr string, ctx *Ctx) (net.Listener, error)

Listen is a wrapper around net.Listen that wraps incoming connections with an OpenSSL server connection using the provided context ctx.

func ListenAndServeTLS 

func ListenAndServeTLS(addr string, cert_file string, key_file string,
	handler http.Handler) error

ListenAndServeTLS will take an http.Handler and serve it using OpenSSL over the given tcp address, configured to use the provided cert and key files.

func NewListener 

func NewListener(inner net.Listener, ctx *Ctx) net.Listener

NewListener wraps an existing net.Listener such that all accepted connections are wrapped as OpenSSL server connections using the provided context ctx.

func Nid2ShortName 

func Nid2ShortName(nid int) (string, error)

func SHA1 

func SHA1(data []byte) (result [20]byte, err error)

func SHA256 

func SHA256(data []byte) (result [32]byte, err error)

func ServerListenAndServeTLS 

func ServerListenAndServeTLS(srv *http.Server,
	cert_file, key_file string) error

ServerListenAndServeTLS will take an http.Server and serve it using OpenSSL configured to use the provided cert and key files.

Types

type Certificate 

type Certificate struct {
	// contains filtered or unexported fields
}

func LoadCertificateFromPEM 

func LoadCertificateFromPEM(pem_block []byte) (*Certificate, error)

LoadCertificateFromPEM loads an X509 certificate from a PEM-encoded block.

func (*Certificate) CheckEmail 

func (c *Certificate) CheckEmail(email string, flags CheckFlags) error

CheckEmail checks that the X509 certificate is signed for the provided email address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.

func (*Certificate) CheckHost 

func (c *Certificate) CheckHost(host string, flags CheckFlags) error

CheckHost checks that the X509 certificate is signed for the provided host name. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Note that CheckHost does not check the IP field. See VerifyHostname. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.

func (*Certificate) CheckIP 

func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error

CheckIP checks that the X509 certificate is signed for the provided IP address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.

func (*Certificate) GetSerialNumberHex 

func (c *Certificate) GetSerialNumberHex() (serial string)

GetSerialNumberHex returns the certificate's serial number in hex format

func (*Certificate) MarshalPEM 

func (c *Certificate) MarshalPEM() (pem_block []byte, err error)

MarshalPEM converts the X509 certificate to PEM-encoded format

func (*Certificate) PublicKey 

func (c *Certificate) PublicKey() (PublicKey, error)

PublicKey returns the public key embedded in the X509 certificate.

func (*Certificate) VerifyHostname 

func (c *Certificate) VerifyHostname(host string) error

VerifyHostname is a combination of CheckHost and CheckIP. If the provided hostname looks like an IP address, it will be checked as an IP address, otherwise it will be checked as a hostname. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.

func (*Certificate) X509NamePrintEx 

func (c *Certificate) X509NamePrintEx() (out []byte, err error)

type CertificateStore 

type CertificateStore struct {
	// contains filtered or unexported fields
}

func (*CertificateStore) AddCertificate 

func (s *CertificateStore) AddCertificate(cert *Certificate) error

AddCertificate marks the provided Certificate as a trusted certificate in the given CertificateStore.

func (*CertificateStore) AddLookup 

func (s *CertificateStore) AddLookup(method X509LookupMethod) (*CertificateStoreLookup, error)

AddLookup creates a CertificateStoreLookup of type X509LookupMethod in the CertificateStore

func (*CertificateStore) SetFlags 

func (s *CertificateStore) SetFlags(flags X509VerificationFlag) error

type CertificateStoreCtx 

type CertificateStoreCtx struct {
	// contains filtered or unexported fields
}

func (*CertificateStoreCtx) Depth 

func (self *CertificateStoreCtx) Depth() int

func (*CertificateStoreCtx) Err 

func (self *CertificateStoreCtx) Err() error

func (*CertificateStoreCtx) GetCurrentCert 

func (self *CertificateStoreCtx) GetCurrentCert() *Certificate

the certicate returned is only valid for the lifetime of the underlying X509_STORE_CTX

type CertificateStoreLookup 

type CertificateStoreLookup struct {
	// contains filtered or unexported fields
}

func (*CertificateStoreLookup) LoadCRLFile 

func (l *CertificateStoreLookup) LoadCRLFile(crl_file string) error

LoadCRLFile adds a file to a CertificateStoreLookup in the CertificateStore I suspect that the CertificateStoreLookup needs to have been created with X509LookupFile as the lookup method

type CheckFlags 

type CheckFlags int
const (
	AlwaysCheckSubject CheckFlags = C.X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
	NoWildcards        CheckFlags = C.X509_CHECK_FLAG_NO_WILDCARDS
)

type Cipher 

type Cipher struct {
	// contains filtered or unexported fields
}

func GetCipherByName 

func GetCipherByName(name string) (*Cipher, error)

func GetCipherByNid 

func GetCipherByNid(nid int) (*Cipher, error)

func (*Cipher) BlockSize 

func (c *Cipher) BlockSize() int

func (*Cipher) IVSize 

func (c *Cipher) IVSize() int

func (*Cipher) KeySize 

func (c *Cipher) KeySize() int

func (*Cipher) Nid 

func (c *Cipher) Nid() int

func (*Cipher) ShortName 

func (c *Cipher) ShortName() (string, error)

type CipherCtx 

type CipherCtx interface {
	Cipher() *Cipher
	BlockSize() int
	KeySize() int
	IVSize() int
}

type Conn 

type Conn struct {
	// contains filtered or unexported fields
}

func Client 

func Client(conn net.Conn, ctx *Ctx) (*Conn, error)

Client wraps an existing stream connection and puts it in the connect state for any subsequent handshakes.

IMPORTANT NOTE: if you use this method instead of Dial to construct an SSL connection, you are responsible for verifying the peer's hostname. Otherwise, you are vulnerable to MITM attacks.

Client also does not set up SNI for you like Dial does.

Client connections probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.

func Dial 

func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error)

Dial will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.

Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.

func Server 

func Server(conn net.Conn, ctx *Ctx) (*Conn, error)

Server wraps an existing stream connection and puts it in the accept state for any subsequent handshakes.

func (*Conn) Close 

func (c *Conn) Close() error

Close shuts down the SSL connection and closes the underlying wrapped connection.

func (*Conn) ConnectionState 

func (c *Conn) ConnectionState() (rv ConnectionState)

func (*Conn) GetVerifyResults 

func (c *Conn) GetVerifyResults() error

GetVerifyResult gets result of peer certificate verification SSL_get_verify_result() returns the result of the verification of the X509 certificate presented by the peer, if any. See https://www.openssl.org/docs/ssl/SSL_get_verify_result.html

func (*Conn) Handshake 

func (c *Conn) Handshake() error

Handshake performs an SSL handshake. If a handshake is not manually triggered, it will run before the first I/O on the encrypted stream.

func (*Conn) LocalAddr 

func (c *Conn) LocalAddr() net.Addr

LocalAddr returns the underlying connection's local address

func (*Conn) PeerCertificate 

func (c *Conn) PeerCertificate() (*Certificate, error)

PeerCertificate returns the Certificate of the peer with which you're communicating. Only valid after a handshake.

func (*Conn) PeerCertificateChain 

func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)

PeerCertificateChain returns the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server side, the peer's certificate must be obtained separately using PeerCertificate.

func (*Conn) Read 

func (c *Conn) Read(b []byte) (n int, err error)

Read reads up to len(b) bytes into b. It returns the number of bytes read and an error if applicable. io.EOF is returned when the caller can expect to see no more data.

func (*Conn) RemoteAddr 

func (c *Conn) RemoteAddr() net.Addr

RemoteAddr returns the underlying connection's remote address

func (*Conn) SetDeadline 

func (c *Conn) SetDeadline(t time.Time) error

SetDeadline calls SetDeadline on the underlying connection.

func (*Conn) SetReadDeadline 

func (c *Conn) SetReadDeadline(t time.Time) error

SetReadDeadline calls SetReadDeadline on the underlying connection.

func (*Conn) SetWriteDeadline 

func (c *Conn) SetWriteDeadline(t time.Time) error

SetWriteDeadline calls SetWriteDeadline on the underlying connection.

func (*Conn) UnderlyingConn 

func (c *Conn) UnderlyingConn() net.Conn

func (*Conn) VerifyHostname 

func (c *Conn) VerifyHostname(host string) error

VerifyHostname pulls the PeerCertificate and calls VerifyHostname on the certificate.

func (*Conn) Write 

func (c *Conn) Write(b []byte) (written int, err error)

Write will encrypt the contents of b and write it to the underlying stream. Performance will be vastly improved if the size of b is a multiple of SSLRecordSize.

type ConnectionState 

type ConnectionState struct {
	Certificate           *Certificate
	CertificateError      error
	CertificateChain      []*Certificate
	CertificateChainError error
}

type Ctx 

type Ctx struct {
	// contains filtered or unexported fields
}

func NewCtx 

func NewCtx() (*Ctx, error)

NewCtx creates a context that supports any TLS version 1.0 and newer.

func NewCtxFromFiles 

func NewCtxFromFiles(cert_file string, key_file string) (*Ctx, error)

NewCtxFromFiles calls NewCtx, loads the provided files, and configures the context to use them.

func NewCtxWithVersion 

func NewCtxWithVersion(version SSLVersion) (*Ctx, error)

NewCtxWithVersion creates an SSL context that is specific to the provided SSL version. See http://www.openssl.org/docs/ssl/SSL_CTX_new.html for more.

func (*Ctx) AddChainCertificate 

func (c *Ctx) AddChainCertificate(cert *Certificate) error

AddChainCertificate adds a certificate to the chain presented in the handshake.

func (*Ctx) CheckPrivateKey 

func (c *Ctx) CheckPrivateKey() error

CheckPrivateKey verifies that the private key agrees with the corresponding public key in the certificate

func (*Ctx) GetCertificateStore 

func (c *Ctx) GetCertificateStore() *CertificateStore

GetCertificateStore returns the context's certificate store that will be used for peer validation.

func (*Ctx) GetMode 

func (c *Ctx) GetMode() Modes

GetMode returns context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html

func (*Ctx) LoadVerifyLocations 

func (c *Ctx) LoadVerifyLocations(ca_file string, ca_path string) error

LoadVerifyLocations tells the context to trust all certificate authorities provided in either the ca_file or the ca_path. See http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html for more.

func (*Ctx) SetCipherList 

func (c *Ctx) SetCipherList(list string) error

SetCipherList sets the list of available ciphers. The format of the list is described at http://www.openssl.org/docs/apps/ciphers.html, but see http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html for more.

func (*Ctx) SetClientCAList 

func (c *Ctx) SetClientCAList(caList *StackOfX509Name)

SetClientCAList sets the list of CAs sent to the client when requesting a client certificate for Ctx. See https://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html

func (*Ctx) SetMode 

func (c *Ctx) SetMode(modes Modes) Modes

SetMode sets context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html

func (*Ctx) SetOptions 

func (c *Ctx) SetOptions(options Options) Options

SetOptions sets context options. See http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*Ctx) SetSessionCacheMode 

func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes

SetSessionCacheMode enables or disables session caching. See http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html

func (*Ctx) SetSessionId 

func (c *Ctx) SetSessionId(session_id []byte) error

func (*Ctx) SetVerify 

func (c *Ctx) SetVerify(options VerifyOptions, verify_cb VerifyCallback)

SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*Ctx) SetVerifyCallback 

func (c *Ctx) SetVerifyCallback(verify_cb VerifyCallback)

func (*Ctx) SetVerifyDepth 

func (c *Ctx) SetVerifyDepth(depth int)

SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*Ctx) SetVerifyMode 

func (c *Ctx) SetVerifyMode(options VerifyOptions)

func (*Ctx) UseCertificate 

func (c *Ctx) UseCertificate(cert *Certificate) error

UseCertificate configures the context to present the given certificate to peers.

func (*Ctx) UseCertificateChainFile 

func (c *Ctx) UseCertificateChainFile(cert_file string) error

UseCertificateChainFromFile loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. See https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html

func (*Ctx) UsePrivateKey 

func (c *Ctx) UsePrivateKey(key PrivateKey) error

UsePrivateKey configures the context to use the given private key for SSL handshakes.

func (*Ctx) UsePrivateKeyFile 

func (c *Ctx) UsePrivateKeyFile(key_file string, file_type Filetypes) error

UsePrivateKeyFile adds the first private key found in file to the *Ctx, c. The formatting type of the certificate must be specified from the known types FiletypePEM, and FiletypeASN1

func (*Ctx) UsePrivateKeyFileWithPassword 

func (c *Ctx) UsePrivateKeyFileWithPassword(key_file string, file_type Filetypes, password string) error

func (*Ctx) VerifyMode 

func (c *Ctx) VerifyMode() VerifyOptions

type DecryptionCipherCtx 

type DecryptionCipherCtx interface {
	CipherCtx

	// pass in ciphertext, get back plaintext. can be called
	// multiple times as needed
	DecryptUpdate(input []byte) ([]byte, error)

	// call after all ciphertext has been passed in; may return
	// additional plaintext if needed to finish off a block
	DecryptFinal() ([]byte, error)
}

func NewDecryptionCipherCtx 

func NewDecryptionCipherCtx(c *Cipher, e *Engine, key, iv []byte) (
	DecryptionCipherCtx, error)

type DialFlags 

type DialFlags int
const (
	InsecureSkipHostVerification DialFlags = 1 << iota
	DisableSNI
)

type EllipticCurve 

type EllipticCurve int

EllipticCurve repesents the ASN.1 OID of an elliptic curve. see https://www.openssl.org/docs/apps/ecparam.html for a list of implemented curves. 

const (
	// P-256: X9.62/SECG curve over a 256 bit prime field
	Prime256v1 EllipticCurve = C.NID_X9_62_prime256v1
	// P-384: NIST/SECG curve over a 384 bit prime field
	Secp384r1 EllipticCurve = C.NID_secp384r1
)

type EncryptionCipherCtx 

type EncryptionCipherCtx interface {
	CipherCtx

	// pass in plaintext, get back ciphertext. can be called
	// multiple times as needed
	EncryptUpdate(input []byte) ([]byte, error)

	// call after all plaintext has been passed in; may return
	// additional ciphertext if needed to finish off a block
	// or extra padding information
	EncryptFinal() ([]byte, error)
}

func NewEncryptionCipherCtx 

func NewEncryptionCipherCtx(c *Cipher, e *Engine, key, iv []byte) (
	EncryptionCipherCtx, error)

type Engine 

type Engine struct {
	// contains filtered or unexported fields
}

func EngineById 

func EngineById(name string) (*Engine, error)

type Filetypes 

type Filetypes int
const (
	FiletypePEM  Filetypes = C.SSL_FILETYPE_PEM
	FiletypeASN1 Filetypes = C.SSL_FILETYPE_ASN1
)

type Method 

type Method *C.EVP_MD
var (
	SHA256_Method Method = C.EVP_sha256()
)

type Modes 

type Modes int
const (
	// ReleaseBuffers is only valid if you are using OpenSSL 1.0.1 or newer
	ReleaseBuffers Modes = C.SSL_MODE_RELEASE_BUFFERS
	AutoRetry      Modes = C.SSL_MODE_AUTO_RETRY
)

type Options 

type Options int
const (
	// NoCompression is only valid if you are using OpenSSL 1.0.1 or newer
	NoCompression                      Options = C.SSL_OP_NO_COMPRESSION
	NoSSLv2                            Options = C.SSL_OP_NO_SSLv2
	NoSSLv3                            Options = C.SSL_OP_NO_SSLv3
	NoTLSv1                            Options = C.SSL_OP_NO_TLSv1
	CipherServerPreference             Options = C.SSL_OP_CIPHER_SERVER_PREFERENCE
	NoSessionResumptionOrRenegotiation Options = C.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
	OpAll                              Options = C.SSL_OP_ALL
)

type PrivateKey 

type PrivateKey interface {
	PublicKey

	// Signs the data using PKCS1.15
	SignPKCS1v15(Method, []byte) ([]byte, error)

	// MarshalPKCS1PrivateKeyPEM converts the private key to PEM-encoded PKCS1
	// format
	MarshalPKCS1PrivateKeyPEM() (pem_block []byte, err error)

	// MarshalPKCS1PrivateKeyDER converts the private key to DER-encoded PKCS1
	// format
	MarshalPKCS1PrivateKeyDER() (der_block []byte, err error)
}

func LoadPrivateKeyFromPEM 

func LoadPrivateKeyFromPEM(pem_block []byte) (PrivateKey, error)

LoadPrivateKeyFromPEM loads a private key from a PEM-encoded block.

type PublicKey 

type PublicKey interface {
	// Verifies the data signature using PKCS1.15
	VerifyPKCS1v15(method Method, data, sig []byte) error

	// MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX
	// format
	MarshalPKIXPublicKeyPEM() (pem_block []byte, err error)

	// MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX
	// format
	MarshalPKIXPublicKeyDER() (der_block []byte, err error)
	// contains filtered or unexported methods
}

func LoadPublicKeyFromDER 

func LoadPublicKeyFromDER(der_block []byte) (PublicKey, error)

LoadPublicKeyFromDER loads a public key from a DER-encoded block.

func LoadPublicKeyFromPEM 

func LoadPublicKeyFromPEM(pem_block []byte) (PublicKey, error)

LoadPublicKeyFromPEM loads a public key from a PEM-encoded block.

type SHA1Hash 

type SHA1Hash struct {
	// contains filtered or unexported fields
}

func NewSHA1Hash 

func NewSHA1Hash() (*SHA1Hash, error)

func NewSHA1HashWithEngine 

func NewSHA1HashWithEngine(e *Engine) (*SHA1Hash, error)

func (*SHA1Hash) Close 

func (s *SHA1Hash) Close()

func (*SHA1Hash) Reset 

func (s *SHA1Hash) Reset() error

func (*SHA1Hash) Sum 

func (s *SHA1Hash) Sum() (result [20]byte, err error)

func (*SHA1Hash) Write 

func (s *SHA1Hash) Write(p []byte) (n int, err error)

type SHA256Hash 

type SHA256Hash struct {
	// contains filtered or unexported fields
}

func NewSHA256Hash 

func NewSHA256Hash() (*SHA256Hash, error)

func NewSHA256HashWithEngine 

func NewSHA256HashWithEngine(e *Engine) (*SHA256Hash, error)

func (*SHA256Hash) Close 

func (s *SHA256Hash) Close()

func (*SHA256Hash) Reset 

func (s *SHA256Hash) Reset() error

func (*SHA256Hash) Sum 

func (s *SHA256Hash) Sum() (result [32]byte, err error)

func (*SHA256Hash) Write 

func (s *SHA256Hash) Write(p []byte) (n int, err error)

type SSLVersion 

type SSLVersion int
const (
	SSLv3      SSLVersion = 0x02
	TLSv1      SSLVersion = 0x03
	TLSv1_1    SSLVersion = 0x04
	TLSv1_2    SSLVersion = 0x05
	AnyVersion SSLVersion = 0x06
)

type SessionCacheModes 

type SessionCacheModes int
const (
	SessionCacheOff    SessionCacheModes = C.SSL_SESS_CACHE_OFF
	SessionCacheClient SessionCacheModes = C.SSL_SESS_CACHE_CLIENT
	SessionCacheServer SessionCacheModes = C.SSL_SESS_CACHE_SERVER
	SessionCacheBoth   SessionCacheModes = C.SSL_SESS_CACHE_BOTH
	NoAutoClear        SessionCacheModes = C.SSL_SESS_CACHE_NO_AUTO_CLEAR
	NoInternalLookup   SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
	NoInternalStore    SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_STORE
	NoInternal         SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL
)

type StackOfX509Name 

type StackOfX509Name struct {
	// contains filtered or unexported fields
}

func LoadClientCAFile 

func LoadClientCAFile(ca_file string) (*StackOfX509Name, error)

LoadClientCAFile reads certificates from file and returns a StackOfX509Name with the subject names found. See https://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html

type VerifyCallback 

type VerifyCallback func(ok bool, store *CertificateStoreCtx) bool

type VerifyOptions 

type VerifyOptions int
const (
	VerifyNone             VerifyOptions = C.SSL_VERIFY_NONE
	VerifyPeer             VerifyOptions = C.SSL_VERIFY_PEER
	VerifyFailIfNoPeerCert VerifyOptions = C.SSL_VERIFY_FAIL_IF_NO_PEER_CERT
	VerifyClientOnce       VerifyOptions = C.SSL_VERIFY_CLIENT_ONCE
)

type X509LookupMethod 

type X509LookupMethod *C.X509_LOOKUP_METHOD

an X509LookupMethod is required to build a a CertificateStoreLookup in a CertificateStore. The X509LookupMethod indicates the type or functionality of the CertificateStoreLookup

func X509LookupFile 

func X509LookupFile() X509LookupMethod

CertificateStoreLookups with X509LookupFile methods look for certs in a file

func X509LookupHashDir 

func X509LookupHashDir() X509LookupMethod

CertificateStoreLookups with X509LookupHashDir methods look for certs in a directory

type X509VerificationFlag 

type X509VerificationFlag int
const (
	CBIssuerCheck   X509VerificationFlag = C.X509_V_FLAG_CB_ISSUER_CHECK
	UseCheckTime    X509VerificationFlag = C.X509_V_FLAG_USE_CHECK_TIME
	CRLCheck        X509VerificationFlag = C.X509_V_FLAG_CRL_CHECK
	CRLCheckAll     X509VerificationFlag = C.X509_V_FLAG_CRL_CHECK_ALL
	IgnoreCritical  X509VerificationFlag = C.X509_V_FLAG_IGNORE_CRITICAL
	X509Strict      X509VerificationFlag = C.X509_V_FLAG_X509_STRICT
	AllowProxyCerts X509VerificationFlag = C.X509_V_FLAG_ALLOW_PROXY_CERTS
	PolicyCheck     X509VerificationFlag = C.X509_V_FLAG_POLICY_CHECK
	ExplicitPolicy  X509VerificationFlag = C.X509_V_FLAG_EXPLICIT_POLICY
	InhibitAny      X509VerificationFlag = C.X509_V_FLAG_INHIBIT_ANY
	InhibitMap      X509VerificationFlag = C.X509_V_FLAG_INHIBIT_MAP
	NotifyPolicy    X509VerificationFlag = C.X509_V_FLAG_NOTIFY_POLICY
	//	ExtendedCRLSupport X509VerificationFlag = C.X509_V_FLAG_EXTENDED_CRL_SUPPORT
	//	UseDeltas          X509VerificationFlag = C.X509_V_FLAG_USE_DELTAS
	//	CheckSsSignature   X509VerificationFlag = C.X509_V_FLAG_CHECK_SS_SIGNATURE
	//	TrustedFirst       X509VerificationFlag = C.X509_V_FLAG_TRUSTED_FIRST
	PolicyMask X509VerificationFlag = C.X509_V_FLAG_POLICY_MASK
)

See https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.