openssl

package module
v0.2.5
Published: Jan 31, 2024 License: Apache-2.0 Imports: 20 Imported by: 0

README

OpenSSL bindings for Go

Forked from https://github.com/libp2p/openssl (archived)


Please see http://godoc.org/github.com/pexip/go-openssl for more info


License

Copyright (C) 2017. See AUTHORS.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Using on macOS
  1. Install homebrew
  2. $ brew install openssl or $ brew install openssl@3
Using on Windows
  1. Install mingw-w64
  2. Install pkg-config-lite
  3. Build (or install precompiled) openssl for mingw32-w64
  4. Set PKG_CONFIG_PATH to the directory containing openssl.pc (i.e. c:\mingw64\mingw64\lib\pkgconfig)

Documentation

Overview

Package openssl is a light wrapper around OpenSSL for Go.

It strives to provide a near-drop-in replacement for the Go standard library tls package, while allowing for:

Performance

OpenSSL is battle-tested and optimized C. While Go's built-in library shows great promise, it is still young and, in some places, inefficient. This simple OpenSSL wrapper can often achieve at least 2x the throughput with the same cipher and protocol.

On my lappytop, I get the following benchmarking speeds:

BenchmarkSHA1Large_openssl      1000  2611282 ns/op  401.56 MB/s
BenchmarkSHA1Large_stdlib        500  3963983 ns/op  264.53 MB/s
BenchmarkSHA1Small_openssl   1000000     3476 ns/op    0.29 MB/s
BenchmarkSHA1Small_stdlib    5000000      550 ns/op    1.82 MB/s
BenchmarkSHA256Large_openssl     200  8085314 ns/op  129.69 MB/s
BenchmarkSHA256Large_stdlib      100 18948189 ns/op   55.34 MB/s
BenchmarkSHA256Small_openssl 1000000     4262 ns/op    0.23 MB/s
BenchmarkSHA256Small_stdlib  1000000     1444 ns/op    0.69 MB/s
BenchmarkOpenSSLThroughput    100000    21634 ns/op   47.33 MB/s
BenchmarkStdlibThroughput      50000    58974 ns/op   17.36 MB/s

Interoperability

Many systems support OpenSSL with a variety of plugins and modules for things such as hardware acceleration in embedded devices.

Greater flexibility and configuration

OpenSSL allows for far greater configuration of corner cases and backwards compatibility (such as support of SSLv2). You shouldn't be using SSLv2 if you can help it, but sometimes you can't help it.

Security

Yeah yeah, Heartbleed. But according to the author of the standard library's TLS implementation, Go's TLS library is vulnerable to timing attacks. And whether or not OpenSSL received the appropriate amount of scrutiny pre-Heartbleed, it sure is receiving it now.

Usage

Starting an HTTP server that uses OpenSSL is very easy. It's as simple as:

log.Fatal(openssl.ListenAndServeTLS(
      ":8443", "my_server.crt", "my_server.key", myHandler))

Getting a net.Listener that uses OpenSSL is also easy:

ctx, err := openssl.NewCtxFromFiles("my_server.crt", "my_server.key")
if err != nil {
        log.Fatal(err)
}
l, err := openssl.Listen("tcp", ":7777", ctx)

Making a client connection is straightforward too:

ctx, err := openssl.NewCtx()
if err != nil {
        log.Fatal(err)
}
err = ctx.LoadVerifyLocations("/etc/ssl/certs/ca-certificates.crt", "")
if err != nil {
        log.Fatal(err)
}
conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0)

Help wanted: To get this library to work with net/http's client, we had to fork net/http. It would be nice if an alternate http client library supported the generality needed to use OpenSSL instead of crypto/tls.

Index

Constants

const (
	GCMTagLen = 16
)
const (
	SSLRecordSize = 16 * 1024
)

Variables

var (
	ErrUnknownCipher    = errors.New("unknown cipher")
	ErrLegacyCipher     = errors.New("legacy cipher requested")
	ErrNullCipher       = errors.New("null cipher")
	ErrInvalidKeyLength = errors.New("invalid key length")
	ErrInvalidIVLength  = errors.New("invalid IV length")
	ErrCipherFinalised  = errors.New("cipher job already finalised")
)
var (
	ErrUnknownTLSVersion = errors.New("unknown ssl/tls version")
	ErrInvalidPEM        = errors.New("invalid PEM")
	ErrProtoTooLong      = errors.New("proto length is longer than 255")
)
var (
	ErrUnknownDigest   = errors.New("unknown digest")
	ErrLegacyDigest    = errors.New("legacy digest requested")
	ErrDigestFinalised = errors.New("digest job already finalised")
)
var (
	ErrHostValidation    = errors.New("host validation error")
	ErrHostInvalidInput  = errors.New("invalid hostname input")
	ErrHostInternalError = errors.New("host internal error")
)
var (
	ErrEmptyBlock = errors.New("empty block")
	ErrLoadingKey = errors.New("failed loading private key")
)
var (
	ErrCreateLibraryCtx = errors.New("failed to create library context")
	ErrProviderLoad     = errors.New("failed to load provider")
)
var ErrCipherInvalidBlockSize = errors.New("invalid block size")
var (
	ErrCreateBio = errors.New("failed to allocate BIO")
)

Functions

func CipherRequiresLegacyProvider added in v0.2.0

func CipherRequiresLegacyProvider(algorithm string) bool

func DeriveSharedSecret

func DeriveSharedSecret(private PrivateKey, public PublicKey) ([]byte, error)

DeriveSharedSecret derives a shared secret using a private key and a peer's public key. The specific algorithm that is used depends on the types of the keys, but it is most commonly a variant of Diffie-Hellman.

func DigestRequiresLegacyProvider added in v0.2.0

func DigestRequiresLegacyProvider(algorithm string) bool

func GenerateRandomSerial added in v0.2.2

func GenerateRandomSerial() (serial big.Int, err error)

GenerateRandomSerial generates a random serial number

func Listen

func Listen(network, laddr string, ctx *Ctx) (net.Listener, error)

Listen is a wrapper around net.Listen that wraps incoming connections with an OpenSSL server connection using the provided context ctx.

func ListenAndServeTLS

func ListenAndServeTLS(addr string, cert_file string, key_file string,
	handler http.Handler) error

ListenAndServeTLS will take an http.Handler and serve it using OpenSSL over the given tcp address, configured to use the provided cert and key files.

func MD4

func MD4(data []byte, allowNonFIPS bool) (result [16]byte, err error)

func MD5

func MD5(data []byte) (result [16]byte, err error)

func NewListener

func NewListener(inner net.Listener, ctx *Ctx) net.Listener

NewListener wraps an existing net.Listener such that all accepted connections are wrapped as OpenSSL server connections using the provided context ctx.

func Nid2ShortName

func Nid2ShortName(nid NID) (string, error)

func SHA1

func SHA1(data []byte) (result [20]byte, err error)

func SHA256

func SHA256(data []byte) (result [32]byte, err error)

func ServerListenAndServeTLS

func ServerListenAndServeTLS(srv *http.Server,
	certFile, keyFile string) error

ServerListenAndServeTLS will take an http.Server and serve it using OpenSSL configured to use the provided cert and key files.

func SplitPEM

func SplitPEM(data []byte) [][]byte

Types

type AuthenticatedCipherJob added in v0.2.0

type AuthenticatedCipherJob interface {
	// ExtraData adds extra data to the job. When decrypting or
	// authenticating, pass in any extra data that was added during encryption with the
	// encryption context's ExtraData()
	ExtraData([]byte) error
}

type AuthenticatedDecryptionCipherCtx

type AuthenticatedDecryptionCipherCtx interface {
	AuthenticatedCipherJob
	DecryptionCipherJob

	// ExtraData pass in any extra authenticated data that was added during encryption
	ExtraData([]byte) error

	// SetTag sets the expected authentication tag to be checked when finalising the decryption
	SetTag([]byte) error
}

func NewGCMDecryptionCipherCtx

func NewGCMDecryptionCipherCtx(blocksize int, key, iv []byte) (AuthenticatedDecryptionCipherCtx, error)

type AuthenticatedEncryptionCipherJob added in v0.2.0

type AuthenticatedEncryptionCipherJob interface {
	AuthenticatedCipherJob
	EncryptionCipherJob

	// ExtraData data passed in to ExtraData() is part of the final output; it is
	// not encrypted itself, but is part of the authenticated data. when
	// decrypting or authenticating, pass back with the decryption
	// context's ExtraData()
	ExtraData([]byte) error

	// GetTag gets the authentication tag after finalising the encryption
	GetTag() ([]byte, error)
}

func NewGCMEncryptionCipherJob added in v0.2.0

func NewGCMEncryptionCipherJob(blocksize int, key, iv []byte) (AuthenticatedEncryptionCipherJob, error)
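
How the ExtraData / GetTag / SetTag contract of the GCM jobs fits together, as an added example that is not this package's code: it uses Go's standard crypto/cipher instead of these bindings so it runs without cgo, and splits the 16-byte tag (the GCMTagLen value above) off the sealed output to mirror a separately carried tag. The key, IV, extra data and message are constructed, and the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const tagLen = 16 // same value as this package's GCMTagLen

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt returns ciphertext and tag separately. extra is authenticated
// but travels in the clear; the caller must transmit it alongside.
func encrypt(key, iv, extra, plaintext []byte) (ct, tag []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	if len(iv) != aead.NonceSize() {
		return nil, nil, errors.New("invalid IV length")
	}
	sealed := aead.Seal(nil, iv, plaintext, extra)
	split := len(sealed) - tagLen
	return sealed[:split], sealed[split:], nil
}

// decrypt needs the same extra data and the expected tag; any mismatch
// fails the whole operation and no plaintext is returned.
func decrypt(key, iv, extra, ct, tag []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aead.NonceSize() || len(tag) != tagLen {
		return nil, errors.New("invalid IV or tag length")
	}
	sealed := append(append([]byte{}, ct...), tag...)
	return aead.Open(nil, iv, sealed, extra)
}

type outcome struct {
	roundTrip     bool // original message recovered
	extraRejected bool // altered extra data was refused
	tagRejected   bool // altered tag was refused
}

func demo() (outcome, error) {
	key := make([]byte, 32)
	iv := make([]byte, 12) // must never repeat under the same key
	if _, err := rand.Read(key); err != nil {
		return outcome{}, err
	}
	if _, err := rand.Read(iv); err != nil {
		return outcome{}, err
	}
	extra := []byte("record-id=42;version=1") // constructed header
	msg := []byte("constructed message")

	ct, tag, err := encrypt(key, iv, extra, msg)
	if err != nil {
		return outcome{}, err
	}
	var o outcome
	pt, err := decrypt(key, iv, extra, ct, tag)
	o.roundTrip = err == nil && bytes.Equal(pt, msg)

	_, err = decrypt(key, iv, []byte("record-id=43;version=1"), ct, tag)
	o.extraRejected = err != nil

	badTag := append([]byte{}, tag...)
	badTag[0] ^= 0x01
	_, err = decrypt(key, iv, extra, ct, badTag)
	o.tagRejected = err != nil
	return o, nil
}

func main() {
	o, err := demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Printf("round trip: %v, altered extra data rejected: %v, altered tag rejected: %v\n",
		o.roundTrip, o.extraRejected, o.tagRejected)
}
```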

type Bignum added in v0.2.0

type Bignum struct {
	// contains filtered or unexported fields
}

func (*Bignum) GetValue added in v0.2.0

func (b *Bignum) GetValue() int

func (*Bignum) NumBytes added in v0.2.0

func (b *Bignum) NumBytes() int

func (*Bignum) SetValue added in v0.2.0

func (b *Bignum) SetValue(v int) error

type Bio added in v0.2.0

type Bio struct {
	// contains filtered or unexported fields
}

type Certificate

type Certificate struct {
	Issuer *Certificate
	// contains filtered or unexported fields
}

func LoadCertificateFromPEM

func LoadCertificateFromPEM(pemBlock []byte) (*Certificate, error)

LoadCertificateFromPEM loads an X509 certificate from a PEM-encoded block.

func NewCertificate

func NewCertificate(info *CertificateInfo, key PublicKey) (*Certificate, error)

NewCertificate generates a basic certificate based on the provided CertificateInfo struct

func (*Certificate) AddCustomExtension

func (c *Certificate) AddCustomExtension(nid NID, value []byte) error

AddCustomExtension adds custom extensions to the certificate.

func (*Certificate) AddExtension

func (c *Certificate) AddExtension(nid NID, value string) error

AddExtension adds an extension to a certificate. Extension constants are NID_* as found in openssl.

func (*Certificate) AddExtensions

func (c *Certificate) AddExtensions(extensions map[NID]string) error

AddExtensions wraps AddExtension using a map of NID to text extension. Will return without finishing if it encounters an error.

func (*Certificate) CheckEmail

func (c *Certificate) CheckEmail(email string, flags CheckFlags) error

CheckEmail checks that the X509 certificate is signed for the provided email address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ErrHostValidation if the Certificate didn't match but there was no internal error.

func (*Certificate) CheckHost

func (c *Certificate) CheckHost(host string, flags CheckFlags) error

CheckHost checks that the X509 certificate is signed for the provided host name. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Note that CheckHost does not check the IP field. See VerifyHostname. Specifically returns ErrHostValidation if the Certificate didn't match but there was no internal error.

func (*Certificate) CheckIP

func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error

CheckIP checks that the X509 certificate is signed for the provided IP address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ErrHostValidation if the Certificate didn't match but there was no internal error.

func (*Certificate) ComputeFingerprint

func (c *Certificate) ComputeFingerprint(digest *Digest) ([]byte, error)

ComputeFingerprint computes the fingerprint of the cert using the provided digest.

func (*Certificate) GetExtensionValue

func (c *Certificate) GetExtensionValue(nid NID) []byte

GetExtensionValue returns the value of the given NID's extension.

func (*Certificate) GetIssuerName

func (c *Certificate) GetIssuerName() (*Name, error)

func (*Certificate) GetSerialNumberHex

func (c *Certificate) GetSerialNumberHex() (serial string)

GetSerialNumberHex returns the certificate's serial number in hex format

func (*Certificate) GetSubjectName

func (c *Certificate) GetSubjectName() (*Name, error)

func (*Certificate) GetVersion

func (c *Certificate) GetVersion() X509_Version

GetVersion returns the X509 version of the certificate.

func (*Certificate) MarshalDER

func (c *Certificate) MarshalDER() (derBlock []byte, err error)

MarshalDER converts the X509 certificate to DER-encoded format

func (*Certificate) MarshalPEM

func (c *Certificate) MarshalPEM() (pemBlock []byte, err error)

MarshalPEM converts the X509 certificate to PEM-encoded format

func (*Certificate) PublicKey

func (c *Certificate) PublicKey() (PublicKey, error)

PublicKey returns the public key embedded in the X509 certificate.

func (*Certificate) SetExpireDate

func (c *Certificate) SetExpireDate(when time.Duration) error

SetExpireDate sets the certificate expiry date relative to the current time.

func (*Certificate) SetIssueDate

func (c *Certificate) SetIssueDate(when time.Duration) error

SetIssueDate sets the certificate issue date relative to the current time.

func (*Certificate) SetIssuer

func (c *Certificate) SetIssuer(issuer *Certificate) error

SetIssuer updates the stored Issuer cert and the internal x509 Issuer Name of a certificate. The stored Issuer reference is used when adding extensions.

func (*Certificate) SetIssuerName

func (c *Certificate) SetIssuerName(name *Name) error

SetIssuerName populates the issuer name of a certificate. Use SetIssuer instead, if possible.

func (*Certificate) SetPubKey

func (c *Certificate) SetPubKey(pubKey PublicKey) error

SetPubKey assigns a new public key to a certificate.

func (*Certificate) SetSerial

func (c *Certificate) SetSerial(serial *big.Int) error

SetSerial sets the serial of a certificate.

func (*Certificate) SetSubjectName

func (c *Certificate) SetSubjectName(name *Name) error

func (*Certificate) SetVersion

func (c *Certificate) SetVersion(version X509_Version) error

SetVersion sets the X509 version of the certificate.

func (*Certificate) Sign

func (c *Certificate) Sign(privKey PrivateKey, digest EVP_MD) error

Sign a certificate using a private key and a digest name. Accepted digest names are 'sha256', 'sha384', and 'sha512'.

func (*Certificate) VerifyHostname

func (c *Certificate) VerifyHostname(host string) error

VerifyHostname is a combination of CheckHost and CheckIP. If the provided hostname looks like an IP address, it will be checked as an IP address, otherwise it will be checked as a hostname. Specifically returns ErrHostValidation if the Certificate didn't match but there was no internal error.

type CertificateInfo

type CertificateInfo struct {
	Serial       *big.Int
	Issued       time.Duration
	Expires      time.Duration
	Country      string
	Organization string
	CommonName   string
}

type CertificateStore

type CertificateStore struct {
	// contains filtered or unexported fields
}

func NewCertificateStore

func NewCertificateStore() (*CertificateStore, error)

NewCertificateStore allocates a new, empty CertificateStore.

func (*CertificateStore) AddCertificate

func (s *CertificateStore) AddCertificate(cert *Certificate) error

AddCertificate marks the provided Certificate as a trusted certificate in the given CertificateStore.

func (*CertificateStore) LoadCertificatesFromPEM

func (s *CertificateStore) LoadCertificatesFromPEM(data []byte) error

LoadCertificatesFromPEM loads all certificates from the parsed PEM into the Store.

type CertificateStoreCtx

type CertificateStoreCtx struct {
	// contains filtered or unexported fields
}

func (*CertificateStoreCtx) Depth

func (csc *CertificateStoreCtx) Depth() int

func (*CertificateStoreCtx) Err

func (csc *CertificateStoreCtx) Err() error

func (*CertificateStoreCtx) GetCurrentCert

func (csc *CertificateStoreCtx) GetCurrentCert() *Certificate

GetCurrentCert fetches the current cert in the store. The certificate returned is only valid for the lifetime of the underlying X509_STORE_CTX

func (*CertificateStoreCtx) VerifyResult

func (csc *CertificateStoreCtx) VerifyResult() VerifyResult

type Cipher

type Cipher struct {
	// contains filtered or unexported fields
}

func GetCipherByName

func GetCipherByName(algorithm string, allowNonFIPS bool) (*Cipher, error)

GetCipherByName returns the Cipher with the name or nil and an error if the cipher was not found.

func GetCipherByNid

func GetCipherByNid(nid NID) (*Cipher, error)

func (*Cipher) BlockSize

func (c *Cipher) BlockSize() int

func (*Cipher) IVSize

func (c *Cipher) IVSize() int

func (*Cipher) KeySize

func (c *Cipher) KeySize() int

func (*Cipher) Nid

func (c *Cipher) Nid() NID

func (*Cipher) ShortName

func (c *Cipher) ShortName() (string, error)

type CipherCtx

type CipherCtx interface {
	Cipher() *Cipher
	BlockSize() int
	KeySize() int
	IVSize() int
}

type CipherJob added in v0.2.0

type CipherJob interface {
	Cipher() *Cipher
	Update(data []byte) ([]byte, error)
	Final() ([]byte, error)
}

func NewCipherJob added in v0.2.0

func NewCipherJob(cipher *Cipher, key []byte, iv []byte, encrypt bool) (CipherJob, error)

NewCipherJob creates a new cipher job using the given cipher/key/iv

type Conn

type Conn struct {
	*SSL
	// contains filtered or unexported fields
}

func Client

func Client(conn net.Conn, ctx *Ctx) (*Conn, error)

Client wraps an existing stream connection and puts it in the connect state for any subsequent handshakes.

IMPORTANT NOTE: if you use this method instead of Dial to construct an SSL connection, you are responsible for verifying the peer's hostname. Otherwise, you are vulnerable to MITM attacks.

Client also does not set up SNI for you like Dial does.

Client connections probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
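
The check that Client leaves to the caller, as an added example that is not part of this package: it uses Go's standard crypto/x509 instead of these bindings so it runs without cgo, and the certificate, host names and addresses are constructed. It shows a certificate that chains to a trusted root still being refused once the dialled name is compared, with IP-looking hosts matched against IP entries as Certificate.VerifyHostname describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTestCert returns a constructed self-signed certificate carrying the
// given DNS and IP subject alternative names.
func newTestCert(dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test certificate"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		DNSNames:              dns,
		IPAddresses:           ips,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainOnly is what remains if the caller stops after the handshake:
// the chain is trusted, but the name is never compared.
func chainOnly(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// chainAndHost adds the step the caller owes: match the dialled host.
// crypto/x509 treats a host that parses as an IP address as an IP,
// and anything else as a DNS name.
func chainAndHost(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	if err := chainOnly(cert, roots); err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

type result struct {
	host              string
	acceptedChainOnly bool
	acceptedWithHost  bool
}

func runChecks() ([]result, error) {
	// Constructed certificate: valid for one DNS name and one IP only.
	cert, err := newTestCert([]string{"internal.example"}, []net.IP{net.ParseIP("10.0.0.5")})
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)

	var out []result
	for _, host := range []string{"internal.example", "payments.example", "10.0.0.5", "10.0.0.6"} {
		out = append(out, result{
			host:              host,
			acceptedChainOnly: chainOnly(cert, roots) == nil,
			acceptedWithHost:  chainAndHost(cert, roots, host) == nil,
		})
	}
	return out, nil
}

func main() {
	results, err := runChecks()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	for _, r := range results {
		fmt.Printf("%-18s chain only: %-5v chain+host: %v\n",
			r.host, r.acceptedChainOnly, r.acceptedWithHost)
	}
}
```

With these bindings the equivalent step after Client and Handshake is Conn.VerifyHostname with the host that was dialled.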

func Dial

func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error)

Dial will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.

Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.

func DialSession

func DialSession(network, addr string, ctx *Ctx, flags DialFlags,
	session []byte) (*Conn, error)

DialSession will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.

Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.

If session is not nil it will be used to resume the tls state. The session can be retrieved from the GetSession method on the Conn.

func DialTimeout

func DialTimeout(network, addr string, timeout time.Duration, ctx *Ctx,
	flags DialFlags) (*Conn, error)

DialTimeout acts like Dial but takes a timeout for network dial.

The timeout includes only network dial. It does not include OpenSSL calls.

See func Dial for a description of the network, addr, ctx and flags parameters.

func Server

func Server(conn net.Conn, ctx *Ctx) (*Conn, error)

Server wraps an existing stream connection and puts it in the accept state for any subsequent handshakes.

func (*Conn) Close

func (c *Conn) Close() error

Close shuts down the SSL connection and closes the underlying wrapped connection.

func (*Conn) ConnectionState

func (c *Conn) ConnectionState() (rv ConnectionState)

func (*Conn) CurrentCipher

func (c *Conn) CurrentCipher() (string, error)

func (*Conn) GetCtx

func (c *Conn) GetCtx() *Ctx

func (*Conn) GetSession

func (c *Conn) GetSession() ([]byte, error)

func (*Conn) Handshake

func (c *Conn) Handshake() error

Handshake performs an SSL handshake. If a handshake is not manually triggered, it will run before the first I/O on the encrypted stream.

func (*Conn) LocalAddr

func (c *Conn) LocalAddr() net.Addr

LocalAddr returns the underlying connection's local address

func (*Conn) PeerCertificate

func (c *Conn) PeerCertificate() (*Certificate, error)

PeerCertificate returns the Certificate of the peer with which you're communicating. Only valid after a handshake.

func (*Conn) PeerCertificateChain

func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)

PeerCertificateChain returns the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server side, the peer's certificate must be obtained separately using PeerCertificate.

func (*Conn) Read

func (c *Conn) Read(b []byte) (n int, err error)

Read reads up to len(b) bytes into b. It returns the number of bytes read and an error if applicable. io.EOF is returned when the caller can expect to see no more data.

func (*Conn) RemoteAddr

func (c *Conn) RemoteAddr() net.Addr

RemoteAddr returns the underlying connection's remote address

func (*Conn) SessionReused

func (c *Conn) SessionReused() bool

func (*Conn) SetDeadline

func (c *Conn) SetDeadline(t time.Time) error

SetDeadline calls SetDeadline on the underlying connection.

func (*Conn) SetReadDeadline

func (c *Conn) SetReadDeadline(t time.Time) error

SetReadDeadline calls SetReadDeadline on the underlying connection.

func (*Conn) SetTlsExtHostName

func (c *Conn) SetTlsExtHostName(name string) error

func (*Conn) SetWriteDeadline

func (c *Conn) SetWriteDeadline(t time.Time) error

SetWriteDeadline calls SetWriteDeadline on the underlying connection.

func (*Conn) UnderlyingConn

func (c *Conn) UnderlyingConn() net.Conn

func (*Conn) VerifyHostname

func (c *Conn) VerifyHostname(host string) error

VerifyHostname pulls the PeerCertificate and calls VerifyHostname on the certificate.

func (*Conn) VerifyResult

func (c *Conn) VerifyResult() VerifyResult

func (*Conn) Write

func (c *Conn) Write(b []byte) (written int, err error)

Write will encrypt the contents of b and write it to the underlying stream. Performance will be vastly improved if the size of b is a multiple of SSLRecordSize.

type ConnectionState

type ConnectionState struct {
	Certificate           *Certificate
	CertificateError      error
	CertificateChain      []*Certificate
	CertificateChainError error
	SessionReused         bool
}

type Ctx

type Ctx struct {
	// contains filtered or unexported fields
}

func NewCtx

func NewCtx() (*Ctx, error)

NewCtx creates a new context. The minimum supported SSL/TLS version is inherited from the library default. To change the min/max supported SSL/TLS versions, use Ctx.SetMinProtoVersion and Ctx.SetMaxProtoVersion respectively.

func NewCtxFromFiles

func NewCtxFromFiles(certFile string, keyFile string) (*Ctx, error)

NewCtxFromFiles calls NewCtx, loads the provided files, and configures the context to use them.

func (*Ctx) AddChainCertificate

func (c *Ctx) AddChainCertificate(cert *Certificate) error

AddChainCertificate adds a certificate to the chain presented in the handshake.

func (*Ctx) ClearOptions

func (c *Ctx) ClearOptions(options Options) Options

func (*Ctx) GetCertificateStore

func (c *Ctx) GetCertificateStore() *CertificateStore

GetCertificateStore returns the context's certificate store that will be used for peer validation.

func (*Ctx) GetMode

func (c *Ctx) GetMode() Modes

GetMode returns context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html

func (*Ctx) GetOptions

func (c *Ctx) GetOptions() Options

GetOptions returns context options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*Ctx) GetSessionCacheSize added in v0.2.0

func (c *Ctx) GetSessionCacheSize() int

GetSessionCacheSize gets the session cache size. https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html

func (*Ctx) GetTimeout

func (c *Ctx) GetTimeout() time.Duration

GetTimeout gets the session cache timeout. See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html

func (*Ctx) GetVerifyCallback

func (c *Ctx) GetVerifyCallback() VerifyCallback

func (*Ctx) GetVerifyDepth

func (c *Ctx) GetVerifyDepth() int

GetVerifyDepth returns how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*Ctx) LoadVerifyLocations

func (c *Ctx) LoadVerifyLocations(caFile string, caPath string) error

LoadVerifyLocations tells the context to trust all certificate authorities provided in either the ca_file or the ca_path. See http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html for more.

func (*Ctx) SetCipherList

func (c *Ctx) SetCipherList(list string) error

SetCipherList sets the list of available ciphers. The format of the list is described at http://www.openssl.org/docs/apps/ciphers.html, but see http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html for more.

func (*Ctx) SetDHParameters

func (c *Ctx) SetDHParameters(dh *DH) error

SetDHParameters sets the DH group (DH parameters) used to negotiate an ephemeral DH key during handshaking.

func (*Ctx) SetEllipticCurve

func (c *Ctx) SetEllipticCurve(curve EllipticCurve) error

SetEllipticCurve sets the elliptic curve used by the SSL context to enable an ECDH cipher suite to be selected during the handshake.

func (*Ctx) SetMaxProtoVersion

func (c *Ctx) SetMaxProtoVersion(version Version) bool

SetMaxProtoVersion sets the maximum supported protocol version for the Ctx. http://www.openssl.org/docs/ssl/SSL_CTX_set_max_proto_version.html

func (*Ctx) SetMinProtoVersion

func (c *Ctx) SetMinProtoVersion(version Version) bool

SetMinProtoVersion sets the minimum supported protocol version for the Ctx. http://www.openssl.org/docs/ssl/SSL_CTX_set_min_proto_version.html

func (*Ctx) SetMode

func (c *Ctx) SetMode(modes Modes) Modes

SetMode sets context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html

func (*Ctx) SetNextProtos

func (c *Ctx) SetNextProtos(protos []string) error

SetNextProtos sets the negotiation protocols on the ctx.

func (*Ctx) SetOptions

func (c *Ctx) SetOptions(options Options) Options

SetOptions sets context options. See http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*Ctx) SetSessionCacheMode

func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes

SetSessionCacheMode enables or disables session caching. See http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html

func (*Ctx) SetSessionCacheSize added in v0.2.0

func (c *Ctx) SetSessionCacheSize(t int) int

SetSessionCacheSize sets the session cache size. Returns previously set value. https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html

func (*Ctx) SetSessionId

func (c *Ctx) SetSessionId(sessionID []byte) error

func (*Ctx) SetTLSExtServernameCallback

func (c *Ctx) SetTLSExtServernameCallback(sniCb TLSExtServernameCallback)

SetTLSExtServernameCallback sets callback function for Server Name Indication (SNI) rfc6066 (http://tools.ietf.org/html/rfc6066). See http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni

func (*Ctx) SetTimeout

func (c *Ctx) SetTimeout(t time.Duration) time.Duration

SetTimeout sets session cache timeout. Returns previously set value. See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html

func (*Ctx) SetVerify

func (c *Ctx) SetVerify(options VerifyOptions, verifyCb VerifyCallback)

SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*Ctx) SetVerifyCallback

func (c *Ctx) SetVerifyCallback(verifyCb VerifyCallback)

func (*Ctx) SetVerifyDepth

func (c *Ctx) SetVerifyDepth(depth int)

SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*Ctx) SetVerifyMode

func (c *Ctx) SetVerifyMode(options VerifyOptions)

func (*Ctx) UseCertificate

func (c *Ctx) UseCertificate(cert *Certificate) error

UseCertificate configures the context to present the given certificate to peers.

func (*Ctx) UsePrivateKey

func (c *Ctx) UsePrivateKey(key PrivateKey) error

UsePrivateKey configures the context to use the given private key for SSL handshakes.

func (*Ctx) VerifyMode

func (c *Ctx) VerifyMode() VerifyOptions

type DH

type DH struct {
	// contains filtered or unexported fields
}

func LoadDHParametersFromPEM

func LoadDHParametersFromPEM(pem_block []byte) (*DH, error)

LoadDHParametersFromPEM loads the Diffie-Hellman parameters from a PEM-encoded block.

type DecryptionCipherJob added in v0.2.0

type DecryptionCipherJob interface {
	CipherJob

	// DecryptUpdate takes ciphertext and returns the plaintext.
	// It can be called multiple times as needed.
	//
	// Deprecated: use CipherJob.Update instead
	DecryptUpdate(input []byte) ([]byte, error)

	// DecryptFinal should be called after all ciphertext has been processed.
	// It *may* return additional plaintext if required to complete a block.
	//
	// Deprecated: use CipherJob.Final instead
	DecryptFinal() ([]byte, error)
}

func NewDecryptionCipherJob added in v0.2.0

func NewDecryptionCipherJob(c *Cipher, key, iv []byte) (DecryptionCipherJob, error)

NewDecryptionCipherJob creates a new decryption job. Deprecated: use NewCipherJob with encrypt=false.

type DialFlags

type DialFlags int
const (
	InsecureSkipHostVerification DialFlags = 1 << iota
	DisableSNI
)

type Digest

type Digest struct {
	// contains filtered or unexported fields
}

Digest represents an OpenSSL message digest.

func GetDigestByName

func GetDigestByName(algorithm string, allowNonFIPS bool) (*Digest, error)

GetDigestByName returns the Digest with the name or nil and an error if the digest was not found.

func GetDigestByNid

func GetDigestByNid(nid NID, allowNonFIPS bool) (*Digest, error)

GetDigestByNid returns the Digest with the NID or nil and an error if the digest was not found.

func (*Digest) GetSize added in v0.2.0

func (d *Digest) GetSize() int

GetSize gets the size of the digest

type EVP_MD

type EVP_MD int
const (
	EVP_NULL      EVP_MD = iota
	EVP_MD5       EVP_MD = iota
	EVP_MD4       EVP_MD = iota
	EVP_SHA       EVP_MD = iota
	EVP_SHA1      EVP_MD = iota
	EVP_DSS       EVP_MD = iota
	EVP_DSS1      EVP_MD = iota
	EVP_MDC2      EVP_MD = iota
	EVP_RIPEMD160 EVP_MD = iota
	EVP_SHA224    EVP_MD = iota
	EVP_SHA256    EVP_MD = iota
	EVP_SHA384    EVP_MD = iota
	EVP_SHA512    EVP_MD = iota
)

type EllipticCurve

type EllipticCurve int

EllipticCurve represents the ASN.1 OID of an elliptic curve. See https://www.openssl.org/docs/apps/ecparam.html for a list of implemented curves.

const (
	// Prime256v1 P-256: X9.62/SECG curve over a 256 bit prime field
	Prime256v1 EllipticCurve = C.NID_X9_62_prime256v1
	// Secp384r1 P-384: NIST/SECG curve over a 384 bit prime field
	Secp384r1 EllipticCurve = C.NID_secp384r1
	// Secp521r1 P-521: NIST/SECG curve over a 521 bit prime field
	Secp521r1 EllipticCurve = C.NID_secp521r1
)

type EncryptionCipherJob added in v0.2.0

type EncryptionCipherJob interface {
	CipherJob

	// EncryptUpdate takes plaintext and returns the ciphertext.
	// It can be called multiple times as needed.
	//
	// Deprecated: use CipherJob.Update instead
	EncryptUpdate(input []byte) ([]byte, error)

	// EncryptFinal should be called after all plaintext has been processed.
	// It *may* return additional ciphertext if required to complete a block.
	//
	// Deprecated: use CipherJob.Final instead
	EncryptFinal() ([]byte, error)
}

func NewEncryptionCipherJob added in v0.2.0

func NewEncryptionCipherJob(c *Cipher, key, iv []byte) (EncryptionCipherJob, error)

NewEncryptionCipherJob creates a new encryption job.

Deprecated: use NewCipherJob with encrypt=true

type HMAC

type HMAC struct {
	// contains filtered or unexported fields
}

func NewHMAC

func NewHMAC(algorithm string, key []byte, allowNonFIPS bool) (*HMAC, error)

func (*HMAC) Close

func (h *HMAC) Close()

func (*HMAC) Final

func (h *HMAC) Final() ([]byte, error)

Final finalises the HMAC job and returns the digest sum

func (*HMAC) Reset

func (h *HMAC) Reset() error

Reset initialises (and therefore resets) the HMAC job

func (*HMAC) Update added in v0.2.0

func (h *HMAC) Update(data []byte) error

Update updates an HMAC job

func (*HMAC) Write

func (h *HMAC) Write(data []byte) (n int, err error)

Write writes data to be HMACed and returns number of bytes written

type KeyType added in v0.2.0

type KeyType int
const (
	KeyTypeNone     KeyType = C.EVP_PKEY_NONE
	KeyTypeRSA      KeyType = C.EVP_PKEY_RSA
	KeyTypeRSA2     KeyType = C.EVP_PKEY_RSA2
	KeyTypeRSAPSS   KeyType = C.EVP_PKEY_RSA_PSS
	KeyTypeDSA      KeyType = C.EVP_PKEY_DSA
	KeyTypeDSA1     KeyType = C.EVP_PKEY_DSA1
	KeyTypeDSA2     KeyType = C.EVP_PKEY_DSA2
	KeyTypeDSA3     KeyType = C.EVP_PKEY_DSA3
	KeyTypeDSA4     KeyType = C.EVP_PKEY_DSA4
	KeyTypeDH       KeyType = C.EVP_PKEY_DH
	KeyTypeDHX      KeyType = C.EVP_PKEY_DHX
	KeyTypeEC       KeyType = C.EVP_PKEY_EC
	KeyTypeSM2      KeyType = C.EVP_PKEY_SM2
	KeyTypeHMAC     KeyType = C.EVP_PKEY_HMAC
	KeyTypeCMAC     KeyType = C.EVP_PKEY_CMAC
	KeyTypeScrypt   KeyType = C.EVP_PKEY_SCRYPT
	KeyTypeTLS1PRF  KeyType = C.EVP_PKEY_TLS1_PRF
	KeyTypeHKDF     KeyType = C.EVP_PKEY_HKDF
	KeyTypePoly1305 KeyType = C.EVP_PKEY_POLY1305
	KeyTypeSIPHash  KeyType = C.EVP_PKEY_SIPHASH
	KeyTypeX25519   KeyType = C.EVP_PKEY_X25519
	KeyTypeED25519  KeyType = C.EVP_PKEY_ED25519
	KeyTypeX448     KeyType = C.EVP_PKEY_X448
	KeyTypeED448    KeyType = C.EVP_PKEY_ED448
)

Constants for the various key types.

type LibraryContext added in v0.2.0

type LibraryContext struct {
	// contains filtered or unexported fields
}

func GetNonFIPSCtx added in v0.2.0

func GetNonFIPSCtx(withLegacy bool) (*LibraryContext, error)

GetNonFIPSCtx gets a non-FIPS context

func (*LibraryContext) LoadProvider added in v0.2.0

func (c *LibraryContext) LoadProvider(name string) error

func (*LibraryContext) UnloadProvider added in v0.2.0

func (c *LibraryContext) UnloadProvider(name string)

type MD4Hash

type MD4Hash = digestJob

func NewMD4Hash

func NewMD4Hash(allowNonFIPS bool) (*MD4Hash, error)

type MD5Hash

type MD5Hash = digestJob

func NewMD5Hash

func NewMD5Hash() (*MD5Hash, error)

type Modes

type Modes int
const (
	// ReleaseBuffers is only valid if you are using OpenSSL 1.0.1 or newer
	ReleaseBuffers Modes = C.SSL_MODE_RELEASE_BUFFERS
)

type NID

type NID int
const (
	NID_undef                              NID = 0
	NID_rsadsi                             NID = 1
	NID_pkcs                               NID = 2
	NID_md2                                NID = 3
	NID_md5                                NID = 4
	NID_rc4                                NID = 5
	NID_rsaEncryption                      NID = 6
	NID_md2WithRSAEncryption               NID = 7
	NID_md5WithRSAEncryption               NID = 8
	NID_pbeWithMD2AndDES_CBC               NID = 9
	NID_pbeWithMD5AndDES_CBC               NID = 10
	NID_X500                               NID = 11
	NID_X509                               NID = 12
	NID_commonName                         NID = 13
	NID_countryName                        NID = 14
	NID_localityName                       NID = 15
	NID_stateOrProvinceName                NID = 16
	NID_organizationName                   NID = 17
	NID_organizationalUnitName             NID = 18
	NID_rsa                                NID = 19
	NID_pkcs7                              NID = 20
	NID_pkcs7_data                         NID = 21
	NID_pkcs7_signed                       NID = 22
	NID_pkcs7_enveloped                    NID = 23
	NID_pkcs7_signedAndEnveloped           NID = 24
	NID_pkcs7_digest                       NID = 25
	NID_pkcs7_encrypted                    NID = 26
	NID_pkcs3                              NID = 27
	NID_dhKeyAgreement                     NID = 28
	NID_des_ecb                            NID = 29
	NID_des_cfb64                          NID = 30
	NID_des_cbc                            NID = 31
	NID_des_ede                            NID = 32
	NID_des_ede3                           NID = 33
	NID_idea_cbc                           NID = 34
	NID_idea_cfb64                         NID = 35
	NID_idea_ecb                           NID = 36
	NID_rc2_cbc                            NID = 37
	NID_rc2_ecb                            NID = 38
	NID_rc2_cfb64                          NID = 39
	NID_rc2_ofb64                          NID = 40
	NID_sha                                NID = 41
	NID_shaWithRSAEncryption               NID = 42
	NID_des_ede_cbc                        NID = 43
	NID_des_ede3_cbc                       NID = 44
	NID_des_ofb64                          NID = 45
	NID_idea_ofb64                         NID = 46
	NID_pkcs9                              NID = 47
	NID_pkcs9_emailAddress                 NID = 48
	NID_pkcs9_unstructuredName             NID = 49
	NID_pkcs9_contentType                  NID = 50
	NID_pkcs9_messageDigest                NID = 51
	NID_pkcs9_signingTime                  NID = 52
	NID_pkcs9_countersignature             NID = 53
	NID_pkcs9_challengePassword            NID = 54
	NID_pkcs9_unstructuredAddress          NID = 55
	NID_pkcs9_extCertAttributes            NID = 56
	NID_netscape                           NID = 57
	NID_netscape_cert_extension            NID = 58
	NID_netscape_data_type                 NID = 59
	NID_des_ede_cfb64                      NID = 60
	NID_des_ede3_cfb64                     NID = 61
	NID_des_ede_ofb64                      NID = 62
	NID_des_ede3_ofb64                     NID = 63
	NID_sha1                               NID = 64
	NID_sha1WithRSAEncryption              NID = 65
	NID_dsaWithSHA                         NID = 66
	NID_dsa_2                              NID = 67
	NID_pbeWithSHA1AndRC2_CBC              NID = 68
	NID_id_pbkdf2                          NID = 69
	NID_dsaWithSHA1_2                      NID = 70
	NID_netscape_cert_type                 NID = 71
	NID_netscape_base_url                  NID = 72
	NID_netscape_revocation_url            NID = 73
	NID_netscape_ca_revocation_url         NID = 74
	NID_netscape_renewal_url               NID = 75
	NID_netscape_ca_policy_url             NID = 76
	NID_netscape_ssl_server_name           NID = 77
	NID_netscape_comment                   NID = 78
	NID_netscape_cert_sequence             NID = 79
	NID_desx_cbc                           NID = 80
	NID_id_ce                              NID = 81
	NID_subject_key_identifier             NID = 82
	NID_key_usage                          NID = 83
	NID_private_key_usage_period           NID = 84
	NID_subject_alt_name                   NID = 85
	NID_issuer_alt_name                    NID = 86
	NID_basic_constraints                  NID = 87
	NID_crl_number                         NID = 88
	NID_certificate_policies               NID = 89
	NID_authority_key_identifier           NID = 90
	NID_bf_cbc                             NID = 91
	NID_bf_ecb                             NID = 92
	NID_bf_cfb64                           NID = 93
	NID_bf_ofb64                           NID = 94
	NID_mdc2                               NID = 95
	NID_mdc2WithRSA                        NID = 96
	NID_rc4_40                             NID = 97
	NID_rc2_40_cbc                         NID = 98
	NID_givenName                          NID = 99
	NID_surname                            NID = 100
	NID_initials                           NID = 101
	NID_uniqueIdentifier                   NID = 102
	NID_crl_distribution_points            NID = 103
	NID_md5WithRSA                         NID = 104
	NID_serialNumber                       NID = 105
	NID_title                              NID = 106
	NID_description                        NID = 107
	NID_cast5_cbc                          NID = 108
	NID_cast5_ecb                          NID = 109
	NID_cast5_cfb64                        NID = 110
	NID_cast5_ofb64                        NID = 111
	NID_pbeWithMD5AndCast5_CBC             NID = 112
	NID_dsaWithSHA1                        NID = 113
	NID_md5_sha1                           NID = 114
	NID_sha1WithRSA                        NID = 115
	NID_dsa                                NID = 116
	NID_ripemd160                          NID = 117
	NID_ripemd160WithRSA                   NID = 119
	NID_rc5_cbc                            NID = 120
	NID_rc5_ecb                            NID = 121
	NID_rc5_cfb64                          NID = 122
	NID_rc5_ofb64                          NID = 123
	NID_rle_compression                    NID = 124
	NID_zlib_compression                   NID = 125
	NID_ext_key_usage                      NID = 126
	NID_id_pkix                            NID = 127
	NID_id_kp                              NID = 128
	NID_server_auth                        NID = 129
	NID_client_auth                        NID = 130
	NID_code_sign                          NID = 131
	NID_email_protect                      NID = 132
	NID_time_stamp                         NID = 133
	NID_ms_code_ind                        NID = 134
	NID_ms_code_com                        NID = 135
	NID_ms_ctl_sign                        NID = 136
	NID_ms_sgc                             NID = 137
	NID_ms_efs                             NID = 138
	NID_ns_sgc                             NID = 139
	NID_delta_crl                          NID = 140
	NID_crl_reason                         NID = 141
	NID_invalidity_date                    NID = 142
	NID_sxnet                              NID = 143
	NID_pbe_WithSHA1And128BitRC4           NID = 144
	NID_pbe_WithSHA1And40BitRC4            NID = 145
	NID_pbe_WithSHA1And3_Key_TripleDES_CBC NID = 146
	NID_pbe_WithSHA1And2_Key_TripleDES_CBC NID = 147
	NID_pbe_WithSHA1And128BitRC2_CBC       NID = 148
	NID_pbe_WithSHA1And40BitRC2_CBC        NID = 149
	NID_keyBag                             NID = 150
	NID_pkcs8ShroudedKeyBag                NID = 151
	NID_certBag                            NID = 152
	NID_crlBag                             NID = 153
	NID_secretBag                          NID = 154
	NID_safeContentsBag                    NID = 155
	NID_friendlyName                       NID = 156
	NID_localKeyID                         NID = 157
	NID_x509Certificate                    NID = 158
	NID_sdsiCertificate                    NID = 159
	NID_x509Crl                            NID = 160
	NID_pbes2                              NID = 161
	NID_pbmac1                             NID = 162
	NID_hmacWithSHA1                       NID = 163
	NID_id_qt_cps                          NID = 164
	NID_id_qt_unotice                      NID = 165
	NID_rc2_64_cbc                         NID = 166
	NID_SMIMECapabilities                  NID = 167
	NID_pbeWithMD2AndRC2_CBC               NID = 168
	NID_pbeWithMD5AndRC2_CBC               NID = 169
	NID_pbeWithSHA1AndDES_CBC              NID = 170
	NID_ms_ext_req                         NID = 171
	NID_ext_req                            NID = 172
	NID_name                               NID = 173
	NID_dnQualifier                        NID = 174
	NID_id_pe                              NID = 175
	NID_id_ad                              NID = 176
	NID_info_access                        NID = 177
	NID_ad_OCSP                            NID = 178
	NID_ad_ca_issuers                      NID = 179
	NID_OCSP_sign                          NID = 180
	NID_X9_62_id_ecPublicKey               NID = 408
	NID_hmac                               NID = 855
	NID_cmac                               NID = 894
	NID_dhpublicnumber                     NID = 920
	NID_tls1_prf                           NID = 1021
	NID_hkdf                               NID = 1036
	NID_X25519                             NID = 1034
	NID_X448                               NID = 1035
	NID_ED25519                            NID = 1087
	NID_ED448                              NID = 1088
)

func CreateObjectIdentifier

func CreateObjectIdentifier(oid string, shortName string, longName string) NID

CreateObjectIdentifier creates an ObjectIdentifier and returns the NID for the created ObjectIdentifier.

type Name

type Name struct {
	// contains filtered or unexported fields
}

func NewName

func NewName() (*Name, error)

Allocate and return a new Name object.

func (*Name) AddTextEntries

func (n *Name) AddTextEntries(entries map[string]string) error

AddTextEntries allows adding multiple entries to a name in one call.

func (*Name) AddTextEntry

func (n *Name) AddTextEntry(field, value string) error

AddTextEntry appends a text entry to an X509 NAME.

func (*Name) GetEntry

func (n *Name) GetEntry(nid NID) (entry string, ok bool)

GetEntry returns a name entry based on NID. If no entry, then ("", false) is returned.

type Options

type Options int

type Param added in v0.2.0

type Param struct {
	// contains filtered or unexported fields
}

type ParamBld added in v0.2.0

type ParamBld struct {
	// contains filtered or unexported fields
}

func NewParamBld added in v0.2.0

func NewParamBld() (*ParamBld, error)

func (*ParamBld) PushOctetString added in v0.2.0

func (p *ParamBld) PushOctetString(key string, value []byte) error

func (*ParamBld) PushString added in v0.2.0

func (p *ParamBld) PushString(key string, value string) error

func (*ParamBld) PushUInt added in v0.2.0

func (p *ParamBld) PushUInt(key string, value uint) error

func (*ParamBld) ToParam added in v0.2.0

func (p *ParamBld) ToParam() (*Param, error)

ToParam converts this ParamBld to a Param.

type ParamPair added in v0.2.0

type ParamPair struct {
	// contains filtered or unexported fields
}

type PrivateKey

type PrivateKey interface {
	PublicKey

	// SignPKCS1v15 signs the data using PKCS1.15
	SignPKCS1v15(*Digest, []byte) ([]byte, error)

	// MarshalPKCS1PrivateKeyPEM converts the private key to PEM-encoded PKCS1 format
	MarshalPKCS1PrivateKeyPEM() (pemBlock []byte, err error)

	// MarshalPKCS1PrivateKeyDER converts the private key to DER-encoded PKCS1 format
	MarshalPKCS1PrivateKeyDER() (derBlock []byte, err error)
}

func GenerateECKey

func GenerateECKey(curve EllipticCurve) (PrivateKey, error)

GenerateECKey generates a new elliptic curve private key on the specified curve.

func GenerateED25519Key

func GenerateED25519Key() (PrivateKey, error)

GenerateED25519Key generates an Ed25519 key.

func GenerateRSAKey

func GenerateRSAKey(bits int) (PrivateKey, error)

GenerateRSAKey generates a new RSA private key with an exponent of 3.

func GenerateRSAKeyWithExponent

func GenerateRSAKeyWithExponent(bits int, exponent int) (PrivateKey, error)

GenerateRSAKeyWithExponent generates a new RSA private key.
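GenerateRSAKey is documented above as using a public exponent of 3, whereas FIPS 186-4 requires an odd exponent greater than 2^16, so keys that were already issued are worth auditing. The following added example (not part of this package or its documentation) does that with the Go standard library on the PKIX PEM format that MarshalPKIXPublicKeyPEM is documented to return; `AuditRSAPublicKeyPEM`, `Finding` and `constructedKeyPEM` are hypothetical names, and the sample keys are constructed at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// minPublicExponent is the smallest exponent the audit accepts.
// FIPS 186-4 requires an odd e with 2^16 < e < 2^256, so 65537 is the floor.
const minPublicExponent = 65537

// ErrNotRSA is returned when the PEM block holds a non-RSA public key.
var ErrNotRSA = errors.New("not an RSA public key")

// Finding is the audit result for one key (hypothetical type for this example).
type Finding struct {
	Bits     int    // modulus size in bits
	Exponent int    // public exponent e
	Weak     bool   // true when e is even or below minPublicExponent
	Reason   string // empty when Weak is false
}

// AuditRSAPublicKeyPEM parses a PKIX "PUBLIC KEY" PEM block and reports
// whether its public exponent is acceptable.
func AuditRSAPublicKeyPEM(pemBlock []byte) (Finding, error) {
	block, _ := pem.Decode(pemBlock)
	if block == nil || block.Type != "PUBLIC KEY" {
		return Finding{}, errors.New("no PKIX PUBLIC KEY block found")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return Finding{}, fmt.Errorf("parse PKIX public key: %w", err)
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return Finding{}, ErrNotRSA
	}
	f := Finding{Bits: pub.N.BitLen(), Exponent: pub.E}
	switch {
	case pub.E%2 == 0:
		f.Weak, f.Reason = true, "public exponent is even"
	case pub.E < minPublicExponent:
		f.Weak = true
		f.Reason = fmt.Sprintf("public exponent %d is below %d", pub.E, minPublicExponent)
	}
	return f, nil
}

// constructedKeyPEM builds sample input for the audit: a freshly generated
// 2048-bit modulus paired with the requested exponent. This is constructed
// parser input only; for any exponent other than 65537 it is not a usable key.
func constructedKeyPEM(exponent int) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&rsa.PublicKey{N: priv.N, E: exponent})
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	for _, e := range []int{3, 65537} {
		pemBytes, err := constructedKeyPEM(e)
		if err != nil {
			panic(err)
		}
		f, err := AuditRSAPublicKeyPEM(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("bits=%d e=%d weak=%v %s\n", f.Bits, f.Exponent, f.Weak, f.Reason)
	}
}
```

For new keys, GenerateRSAKeyWithExponent accepts the exponent explicitly, so 65537 can be passed instead of relying on the default.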

func LoadPrivateKeyFromDER

func LoadPrivateKeyFromDER(derBlock []byte) (PrivateKey, error)

LoadPrivateKeyFromDER loads a private key from a DER-encoded block.

func LoadPrivateKeyFromPEM

func LoadPrivateKeyFromPEM(pemBlock []byte) (PrivateKey, error)

LoadPrivateKeyFromPEM loads a private key from a PEM-encoded block.

func LoadPrivateKeyFromPEMWithPassword

func LoadPrivateKeyFromPEMWithPassword(pemBlock []byte, password string) (PrivateKey, error)

LoadPrivateKeyFromPEMWithPassword loads a private key from a PEM-encoded block.

type PrivateKeyContext added in v0.2.0

type PrivateKeyContext interface {
	SetRSAKeygenBits(bits int) error
	SetRSAKeygenPubExp(exponent int) error
	// contains filtered or unexported methods
}

type PrivateKeyDeriveContext added in v0.2.0

type PrivateKeyDeriveContext interface {
	PrivateKeyContext
	SetPeer(peer PublicKey) error
	Derive() ([]byte, error)
}

func NewPKeyDeriveContextFromKey added in v0.2.0

func NewPKeyDeriveContextFromKey(key PrivateKey) (PrivateKeyDeriveContext, error)

type PrivateKeyGenerationContext added in v0.2.0

type PrivateKeyGenerationContext interface {
	PrivateKeyContext
	Generate() (PrivateKey, error)
}

func NewPKeyGenerationContextFromKey added in v0.2.0

func NewPKeyGenerationContextFromKey(key PrivateKey) (PrivateKeyGenerationContext, error)

func NewPKeyGenerationContextFromKeyType added in v0.2.0

func NewPKeyGenerationContextFromKeyType(keyType KeyType) (PrivateKeyGenerationContext, error)

type PrivateKeyParamGenerationContext added in v0.2.0

type PrivateKeyParamGenerationContext interface {
	PrivateKeyContext
	Generate() (PrivateKey, error)
	SetECParamGenCurveNID(curve EllipticCurve) error
}

func NewPKeyParamGenerationCtx added in v0.2.0

func NewPKeyParamGenerationCtx(keyID KeyType) (PrivateKeyParamGenerationContext, error)

type PublicKey

type PublicKey interface {
	// VerifyPKCS1v15 verifies the data signature using PKCS1.15
	VerifyPKCS1v15(digest *Digest, data, sig []byte) error

	// MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX format
	MarshalPKIXPublicKeyPEM() (pemBlock []byte, err error)

	// MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX format
	MarshalPKIXPublicKeyDER() (derBlock []byte, err error)

	// KeyType returns an identifier for what kind of key is represented by this object.
	KeyType() KeyType

	// BaseType returns an identifier for what kind of key is represented
	// by this object.
	// Keys that share same algorithm but use different legacy formats
	// will have the same BaseType.
	//
	// For example, a key with a `KeyType() == KeyTypeRSA` and a key with a
	// `KeyType() == KeyTypeRSA2` would both have `BaseType() == KeyTypeRSA`.
	BaseType() NID

	// Equal compares the key with the passed in key.
	Equal(key PublicKey) bool

	// Size returns the size (in bytes) of signatures created with this key.
	Size() int
	// contains filtered or unexported methods
}

func LoadPublicKeyFromDER

func LoadPublicKeyFromDER(derBlock []byte) (PublicKey, error)

LoadPublicKeyFromDER loads a public key from a DER-encoded block.

func LoadPublicKeyFromPEM

func LoadPublicKeyFromPEM(pemBlock []byte) (PublicKey, error)

LoadPublicKeyFromPEM loads a public key from a PEM-encoded block.

type SHA1Hash

type SHA1Hash = digestJob

func NewSHA1Hash

func NewSHA1Hash() (*SHA1Hash, error)

type SHA256Hash

type SHA256Hash = digestJob

func NewSHA256Hash

func NewSHA256Hash() (*SHA256Hash, error)

type SSL

type SSL struct {
	// contains filtered or unexported fields
}

func (*SSL) ClearOptions

func (s *SSL) ClearOptions(options Options) Options

ClearOptions clears SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*SSL) GetOptions

func (s *SSL) GetOptions() Options

GetOptions returns SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*SSL) GetServername

func (s *SSL) GetServername() string

GetServername returns the server name according to RFC 6066. See http://tools.ietf.org/html/rfc6066.

func (*SSL) GetVerifyCallback

func (s *SSL) GetVerifyCallback() VerifyCallback

GetVerifyCallback returns the callback function. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) GetVerifyDepth

func (s *SSL) GetVerifyDepth() int

GetVerifyDepth returns how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) SetOptions

func (s *SSL) SetOptions(options Options) Options

SetOptions sets SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*SSL) SetSSLCtx

func (s *SSL) SetSSLCtx(ctx *Ctx)

SetSSLCtx changes the context to a new one. Useful for Server Name Indication (SNI), RFC 6066: http://tools.ietf.org/html/rfc6066. See http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni

func (*SSL) SetVerify

func (s *SSL) SetVerify(options VerifyOptions, verifyCb VerifyCallback)

SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) SetVerifyCallback

func (s *SSL) SetVerifyCallback(verifyCb VerifyCallback)

SetVerifyCallback controls peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) SetVerifyDepth

func (s *SSL) SetVerifyDepth(depth int)

SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) SetVerifyMode

func (s *SSL) SetVerifyMode(options VerifyOptions)

SetVerifyMode controls peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) VerifyMode

func (s *SSL) VerifyMode() VerifyOptions

VerifyMode returns peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

type SSLTLSExtErr

type SSLTLSExtErr int
const (
	SSLTLSExtErrOK           SSLTLSExtErr = C.SSL_TLSEXT_ERR_OK
	SSLTLSExtErrAlertWarning SSLTLSExtErr = C.SSL_TLSEXT_ERR_ALERT_WARNING
	SSLTLSEXTErrAlertFatal   SSLTLSExtErr = C.SSL_TLSEXT_ERR_ALERT_FATAL
	SSLTLSEXTErrNoAck        SSLTLSExtErr = C.SSL_TLSEXT_ERR_NOACK
)

type TLSExtServernameCallback

type TLSExtServernameCallback func(ssl *SSL) SSLTLSExtErr

type VerifyCallback

type VerifyCallback func(ok bool, store *CertificateStoreCtx) bool

type VerifyOptions

type VerifyOptions int

type VerifyResult

type VerifyResult int
const (
	Ok                            VerifyResult = C.X509_V_OK
	UnableToGetIssuerCert         VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
	UnableToGetCrl                VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL
	UnableToDecryptCertSignature  VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
	UnableToDecryptCrlSignature   VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
	UnableToDecodeIssuerPublicKey VerifyResult = C.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
	CertSignatureFailure          VerifyResult = C.X509_V_ERR_CERT_SIGNATURE_FAILURE
	CrlSignatureFailure           VerifyResult = C.X509_V_ERR_CRL_SIGNATURE_FAILURE
	CertNotYetValid               VerifyResult = C.X509_V_ERR_CERT_NOT_YET_VALID
	CertHasExpired                VerifyResult = C.X509_V_ERR_CERT_HAS_EXPIRED
	CrlNotYetValid                VerifyResult = C.X509_V_ERR_CRL_NOT_YET_VALID
	CrlHasExpired                 VerifyResult = C.X509_V_ERR_CRL_HAS_EXPIRED
	ErrorInCertNotBeforeField     VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
	ErrorInCertNotAfterField      VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
	ErrorInCrlLastUpdateField     VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
	ErrorInCrlNextUpdateField     VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
	OutOfMem                      VerifyResult = C.X509_V_ERR_OUT_OF_MEM
	DepthZeroSelfSignedCert       VerifyResult = C.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
	SelfSignedCertInChain         VerifyResult = C.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
	UnableToGetIssuerCertLocally  VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
	UnableToVerifyLeafSignature   VerifyResult = C.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
	CertChainTooLong              VerifyResult = C.X509_V_ERR_CERT_CHAIN_TOO_LONG
	CertRevoked                   VerifyResult = C.X509_V_ERR_CERT_REVOKED
	InvalidCa                     VerifyResult = C.X509_V_ERR_INVALID_CA
	PathLengthExceeded            VerifyResult = C.X509_V_ERR_PATH_LENGTH_EXCEEDED
	InvalidPurpose                VerifyResult = C.X509_V_ERR_INVALID_PURPOSE
	CertUntrusted                 VerifyResult = C.X509_V_ERR_CERT_UNTRUSTED
	CertRejected                  VerifyResult = C.X509_V_ERR_CERT_REJECTED
	SubjectIssuerMismatch         VerifyResult = C.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
	AkidSkidMismatch              VerifyResult = C.X509_V_ERR_AKID_SKID_MISMATCH
	AkidIssuerSerialMismatch      VerifyResult = C.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
	KeyusageNoCertsign            VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
	UnableToGetCrlIssuer          VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
	UnhandledCriticalExtension    VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
	KeyusageNoCrlSign             VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
	UnhandledCriticalCrlExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
	InvalidNonCa                  VerifyResult = C.X509_V_ERR_INVALID_NON_CA
	ProxyPathLengthExceeded       VerifyResult = C.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
	KeyusageNoDigitalSignature    VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
	ProxyCertificatesNotAllowed   VerifyResult = C.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
	InvalidExtension              VerifyResult = C.X509_V_ERR_INVALID_EXTENSION
	InvalidPolicyExtension        VerifyResult = C.X509_V_ERR_INVALID_POLICY_EXTENSION
	NoExplicitPolicy              VerifyResult = C.X509_V_ERR_NO_EXPLICIT_POLICY
	UnnestedResource              VerifyResult = C.X509_V_ERR_UNNESTED_RESOURCE
	ApplicationVerification       VerifyResult = C.X509_V_ERR_APPLICATION_VERIFICATION
)

type Version

type Version int
const (
	SSL3version   Version = C.SSL3_VERSION
	TLS1version   Version = C.TLS1_VERSION
	TLS11version  Version = C.TLS1_1_VERSION
	TLS12version  Version = C.TLS1_2_VERSION
	TLS13version  Version = C.TLS1_3_VERSION
	DTLS1version  Version = C.DTLS1_VERSION
	DTLS12version Version = C.DTLS1_2_VERSION
)

type X509_Version

type X509_Version int

X509_Version represents a version on an x509 certificate.

const (
	X509_V1 X509_Version = 0
	X509_V3 X509_Version = 2
)

Specify constants for x509 versions because the standard states that they are represented internally as one lower than the common version name.
