Documentation ¶
Overview ¶
Package openssl is a light wrapper around OpenSSL for Go.
It strives to provide a near-drop-in replacement for the Go standard library tls package, while allowing for:
Performance ¶
OpenSSL is battle-tested and optimized C. While Go's built-in library shows great promise, it is still young and in some places, inefficient. This simple OpenSSL wrapper can often do at least 2x with the same cipher and protocol.
On my lappytop, I get the following benchmarking speeds:
BenchmarkSHA1Large_openssl 1000 2611282 ns/op 401.56 MB/s BenchmarkSHA1Large_stdlib 500 3963983 ns/op 264.53 MB/s BenchmarkSHA1Small_openssl 1000000 3476 ns/op 0.29 MB/s BenchmarkSHA1Small_stdlib 5000000 550 ns/op 1.82 MB/s BenchmarkSHA256Large_openssl 200 8085314 ns/op 129.69 MB/s BenchmarkSHA256Large_stdlib 100 18948189 ns/op 55.34 MB/s BenchmarkSHA256Small_openssl 1000000 4262 ns/op 0.23 MB/s BenchmarkSHA256Small_stdlib 1000000 1444 ns/op 0.69 MB/s BenchmarkOpenSSLThroughput 100000 21634 ns/op 47.33 MB/s BenchmarkStdlibThroughput 50000 58974 ns/op 17.36 MB/s
Interoperability ¶
Many systems support OpenSSL with a variety of plugins and modules for things, such as hardware acceleration in embedded devices.
Greater flexibility and configuration ¶
OpenSSL allows for far greater configuration of corner cases and backwards compatibility (such as support of SSLv2). You shouldn't be using SSLv2 if you can help but, but sometimes you can't help it.
Security ¶
Yeah yeah, Heartbleed. But according to the author of the standard library's TLS implementation, Go's TLS library is vulnerable to timing attacks. And whether or not OpenSSL received the appropriate amount of scrutiny pre-Heartbleed, it sure is receiving it now.
Usage ¶
Starting an HTTP server that uses OpenSSL is very easy. It's as simple as:
log.Fatal(openssl.ListenAndServeTLS( ":8443", "my_server.crt", "my_server.key", myHandler))
Getting a net.Listener that uses OpenSSL is also easy:
ctx, err := openssl.NewCtxFromFiles("my_server.crt", "my_server.key") if err != nil { log.Fatal(err) } l, err := openssl.Listen("tcp", ":7777", ctx)
Making a client connection is straightforward too:
ctx, err := NewCtx() if err != nil { log.Fatal(err) } err = ctx.LoadVerifyLocations("/etc/ssl/certs/ca-certificates.crt", "") if err != nil { log.Fatal(err) } conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0)
Help wanted: To get this library to work with net/http's client, we had to fork net/http. It would be nice if an alternate http client library supported the generality needed to use OpenSSL instead of crypto/tls.
Index ¶
- Constants
- Variables
- func CipherRequiresLegacyProvider(algorithm string) bool
- func DeriveSharedSecret(private PrivateKey, public PublicKey) ([]byte, error)
- func DigestRequiresLegacyProvider(algorithm string) bool
- func GenerateRandomSerial() (serial big.Int, err error)
- func Listen(network, laddr string, ctx *Ctx) (net.Listener, error)
- func ListenAndServeTLS(addr string, cert_file string, key_file string, handler http.Handler) error
- func MD4(data []byte, allowNonFIPS bool) (result [16]byte, err error)
- func MD5(data []byte) (result [16]byte, err error)
- func NewListener(inner net.Listener, ctx *Ctx) net.Listener
- func Nid2ShortName(nid NID) (string, error)
- func SHA1(data []byte) (result [20]byte, err error)
- func SHA256(data []byte) (result [32]byte, err error)
- func ServerListenAndServeTLS(srv *http.Server, certFile, keyFile string) error
- func SplitPEM(data []byte) [][]byte
- type AuthenticatedCipherJob
- type AuthenticatedDecryptionCipherCtx
- type AuthenticatedEncryptionCipherJob
- type Bignum
- type Bio
- type Certificate
- func (c *Certificate) AddCustomExtension(nid NID, value []byte) error
- func (c *Certificate) AddExtension(nid NID, value string) error
- func (c *Certificate) AddExtensions(extensions map[NID]string) error
- func (c *Certificate) CheckEmail(email string, flags CheckFlags) error
- func (c *Certificate) CheckHost(host string, flags CheckFlags) error
- func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error
- func (c *Certificate) ComputeFingerprint(digest *Digest) ([]byte, error)
- func (c *Certificate) GetExtensionValue(nid NID) []byte
- func (c *Certificate) GetIssuerName() (*Name, error)
- func (c *Certificate) GetSerialNumberHex() (serial string)
- func (c *Certificate) GetSubjectName() (*Name, error)
- func (c *Certificate) GetVersion() X509_Version
- func (c *Certificate) MarshalDER() (derBlock []byte, err error)
- func (c *Certificate) MarshalPEM() (pemBlock []byte, err error)
- func (c *Certificate) PublicKey() (PublicKey, error)
- func (c *Certificate) SetExpireDate(when time.Duration) error
- func (c *Certificate) SetIssueDate(when time.Duration) error
- func (c *Certificate) SetIssuer(issuer *Certificate) error
- func (c *Certificate) SetIssuerName(name *Name) error
- func (c *Certificate) SetPubKey(pubKey PublicKey) error
- func (c *Certificate) SetSerial(serial *big.Int) error
- func (c *Certificate) SetSubjectName(name *Name) error
- func (c *Certificate) SetVersion(version X509_Version) error
- func (c *Certificate) Sign(privKey PrivateKey, digest EVP_MD) error
- func (c *Certificate) VerifyHostname(host string) error
- type CertificateInfo
- type CertificateStore
- type CertificateStoreCtx
- type CheckFlags
- type Cipher
- type CipherCtx
- type CipherJob
- type Conn
- func Client(conn net.Conn, ctx *Ctx) (*Conn, error)
- func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error)
- func DialSession(network, addr string, ctx *Ctx, flags DialFlags, session []byte) (*Conn, error)
- func DialTimeout(network, addr string, timeout time.Duration, ctx *Ctx, flags DialFlags) (*Conn, error)
- func Server(conn net.Conn, ctx *Ctx) (*Conn, error)
- func (c *Conn) Close() error
- func (c *Conn) ConnectionState() (rv ConnectionState)
- func (c *Conn) CurrentCipher() (string, error)
- func (c *Conn) GetCtx() *Ctx
- func (c *Conn) GetSession() ([]byte, error)
- func (c *Conn) Handshake() error
- func (c *Conn) LocalAddr() net.Addr
- func (c *Conn) PeerCertificate() (*Certificate, error)
- func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)
- func (c *Conn) Read(b []byte) (n int, err error)
- func (c *Conn) RemoteAddr() net.Addr
- func (c *Conn) SessionReused() bool
- func (c *Conn) SetDeadline(t time.Time) error
- func (c *Conn) SetReadDeadline(t time.Time) error
- func (c *Conn) SetTlsExtHostName(name string) error
- func (c *Conn) SetWriteDeadline(t time.Time) error
- func (c *Conn) UnderlyingConn() net.Conn
- func (c *Conn) VerifyHostname(host string) error
- func (c *Conn) VerifyResult() VerifyResult
- func (c *Conn) Write(b []byte) (written int, err error)
- type ConnectionState
- type Ctx
- func (c *Ctx) AddChainCertificate(cert *Certificate) error
- func (c *Ctx) ClearOptions(options Options) Options
- func (c *Ctx) GetCertificateStore() *CertificateStore
- func (c *Ctx) GetMode() Modes
- func (c *Ctx) GetOptions() Options
- func (c *Ctx) GetSessionCacheSize() int
- func (c *Ctx) GetTimeout() time.Duration
- func (c *Ctx) GetVerifyCallback() VerifyCallback
- func (c *Ctx) GetVerifyDepth() int
- func (c *Ctx) LoadVerifyLocations(caFile string, caPath string) error
- func (c *Ctx) SetCipherList(list string) error
- func (c *Ctx) SetDHParameters(dh *DH) error
- func (c *Ctx) SetEllipticCurve(curve EllipticCurve) error
- func (c *Ctx) SetMaxProtoVersion(version Version) bool
- func (c *Ctx) SetMinProtoVersion(version Version) bool
- func (c *Ctx) SetMode(modes Modes) Modes
- func (c *Ctx) SetNextProtos(protos []string) error
- func (c *Ctx) SetOptions(options Options) Options
- func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes
- func (c *Ctx) SetSessionCacheSize(t int) int
- func (c *Ctx) SetSessionId(sessionID []byte) error
- func (c *Ctx) SetTLSExtServernameCallback(sniCb TLSExtServernameCallback)
- func (c *Ctx) SetTimeout(t time.Duration) time.Duration
- func (c *Ctx) SetVerify(options VerifyOptions, verifyCb VerifyCallback)
- func (c *Ctx) SetVerifyCallback(verifyCb VerifyCallback)
- func (c *Ctx) SetVerifyDepth(depth int)
- func (c *Ctx) SetVerifyMode(options VerifyOptions)
- func (c *Ctx) UseCertificate(cert *Certificate) error
- func (c *Ctx) UsePrivateKey(key PrivateKey) error
- func (c *Ctx) VerifyMode() VerifyOptions
- type DH
- type DecryptionCipherJob
- type DialFlags
- type Digest
- type EVP_MD
- type EllipticCurve
- type EncryptionCipherJob
- type HMAC
- type KeyType
- type LibraryContext
- type MD4Hash
- type MD5Hash
- type Modes
- type NID
- type Name
- type Options
- type Param
- type ParamBld
- type ParamPair
- type PrivateKey
- func GenerateECKey(curve EllipticCurve) (PrivateKey, error)
- func GenerateED25519Key() (PrivateKey, error)
- func GenerateRSAKey(bits int) (PrivateKey, error)
- func GenerateRSAKeyWithExponent(bits int, exponent int) (PrivateKey, error)
- func LoadPrivateKeyFromDER(derBlock []byte) (PrivateKey, error)
- func LoadPrivateKeyFromPEM(pemBlock []byte) (PrivateKey, error)
- func LoadPrivateKeyFromPEMWithPassword(pemBlock []byte, password string) (PrivateKey, error)
- type PrivateKeyContext
- type PrivateKeyDeriveContext
- type PrivateKeyGenerationContext
- type PrivateKeyParamGenerationContext
- type PublicKey
- type SHA1Hash
- type SHA256Hash
- type SSL
- func (s *SSL) ClearOptions(options Options) Options
- func (s *SSL) GetOptions() Options
- func (s *SSL) GetServername() string
- func (s *SSL) GetVerifyCallback() VerifyCallback
- func (s *SSL) GetVerifyDepth() int
- func (s *SSL) SetOptions(options Options) Options
- func (s *SSL) SetSSLCtx(ctx *Ctx)
- func (s *SSL) SetVerify(options VerifyOptions, verifyCb VerifyCallback)
- func (s *SSL) SetVerifyCallback(verifyCb VerifyCallback)
- func (s *SSL) SetVerifyDepth(depth int)
- func (s *SSL) SetVerifyMode(options VerifyOptions)
- func (s *SSL) VerifyMode() VerifyOptions
- type SSLTLSExtErr
- type SessionCacheModes
- type TLSExtServernameCallback
- type VerifyCallback
- type VerifyOptions
- type VerifyResult
- type Version
- type X509_Version
Constants ¶
const (
GCMTagLen = 16
)
const (
SSLRecordSize = 16 * 1024
)
Variables ¶
var ( ErrUnknownCipher = errors.New("unknown cipher") ErrLegacyCipher = errors.New("legacy cipher requested") ErrNullCipher = errors.New("null cipher") ErrInvalidKeyLength = errors.New("invalid key length") ErrInvalidIVLength = errors.New("invalid IV length") ErrCipherFinalised = errors.New("cipher job already finalised") )
var ( ErrUnknownTLSVersion = errors.New("unknown ssl/tls version") ErrInvalidPEM = errors.New("invalid PEM") ErrProtoTooLong = errors.New("proto length is longer than 255") )
var ( ErrUnknownDigest = errors.New("unknown digest") ErrLegacyDigest = errors.New("legacy digest requested") ErrDigestFinalised = errors.New("digest job already finalised") )
var ( ErrHostValidation = errors.New("host validation error") ErrHostInvalidInput = errors.New("invalid hostname input") ErrHostInternalError = errors.New("host internal error") )
var ( ErrEmptyBlock = errors.New("empty block") ErrLoadingKey = errors.New("failed loading private key") )
var ( ErrCreateLibraryCtx = errors.New("failed to create library context") ErrProviderLoad = errors.New("failed to load provider") )
var ErrCipherInvalidBlockSize = errors.New("invalid block size")
var (
ErrCreateBio = errors.New("failed to allocate BIO")
)
Functions ¶
func CipherRequiresLegacyProvider ¶ added in v0.2.0
func DeriveSharedSecret ¶
func DeriveSharedSecret(private PrivateKey, public PublicKey) ([]byte, error)
DeriveSharedSecret derives a shared secret using a private key and a peer's public key. The specific algorithm that is used depends on the types of the keys, but it is most commonly a variant of Diffie-Hellman.
func DigestRequiresLegacyProvider ¶ added in v0.2.0
func GenerateRandomSerial ¶ added in v0.2.2
GenerateRandomSerial generates a random serial number
func Listen ¶
Listen is a wrapper around net.Listen that wraps incoming connections with an OpenSSL server connection using the provided context ctx.
func ListenAndServeTLS ¶
ListenAndServeTLS will take an http.Handler and serve it using OpenSSL over the given tcp address, configured to use the provided cert and key files.
func NewListener ¶
NewListener wraps an existing net.Listener such that all accepted connections are wrapped as OpenSSL server connections using the provided context ctx.
func Nid2ShortName ¶
func ServerListenAndServeTLS ¶
ServerListenAndServeTLS will take an http.Server and serve it using OpenSSL configured to use the provided cert and key files.
Types ¶
type AuthenticatedCipherJob ¶ added in v0.2.0
type AuthenticatedDecryptionCipherCtx ¶
type AuthenticatedDecryptionCipherCtx interface { AuthenticatedCipherJob DecryptionCipherJob // ExtraData pass in any extra authenticated data that was added during encryption ExtraData([]byte) error // SetTag sets the expected authentication tag to be checked when finalising the decryption SetTag([]byte) error }
func NewGCMDecryptionCipherCtx ¶
func NewGCMDecryptionCipherCtx(blocksize int, key, iv []byte) (AuthenticatedDecryptionCipherCtx, error)
type AuthenticatedEncryptionCipherJob ¶ added in v0.2.0
type AuthenticatedEncryptionCipherJob interface { AuthenticatedCipherJob EncryptionCipherJob // ExtraData data passed in to ExtraData() is part of the final output; it is // not encrypted itself, but is part of the authenticated data. when // decrypting or authenticating, pass back with the decryption // context's ExtraData() ExtraData([]byte) error // GetTag gets the authentication tag after finalising the encryption GetTag() ([]byte, error) }
func NewGCMEncryptionCipherJob ¶ added in v0.2.0
func NewGCMEncryptionCipherJob(blocksize int, key, iv []byte) (AuthenticatedEncryptionCipherJob, error)
type Certificate ¶
type Certificate struct { Issuer *Certificate // contains filtered or unexported fields }
func LoadCertificateFromPEM ¶
func LoadCertificateFromPEM(pemBlock []byte) (*Certificate, error)
LoadCertificateFromPEM loads an X509 certificate from a PEM-encoded block.
func NewCertificate ¶
func NewCertificate(info *CertificateInfo, key PublicKey) (*Certificate, error)
NewCertificate generates a basic certificate based on the provided CertificateInfo struct
func (*Certificate) AddCustomExtension ¶
func (c *Certificate) AddCustomExtension(nid NID, value []byte) error
AddCustomExtension add custom extensions to the certificate.
func (*Certificate) AddExtension ¶
func (c *Certificate) AddExtension(nid NID, value string) error
AddExtension Add an extension to a certificate. Extension constants are NID_* as found in openssl.
func (*Certificate) AddExtensions ¶
func (c *Certificate) AddExtensions(extensions map[NID]string) error
AddExtensions wraps AddExtension using a map of NID to text extension. Will return without finishing if it encounters an error.
func (*Certificate) CheckEmail ¶
func (c *Certificate) CheckEmail(email string, flags CheckFlags) error
CheckEmail checks that the X509 certificate is signed for the provided email address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ErrHostValidation if the Certificate didn't match but there was no internal error.
func (*Certificate) CheckHost ¶
func (c *Certificate) CheckHost(host string, flags CheckFlags) error
CheckHost checks that the X509 certificate is signed for the provided host name. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Note that CheckHost does not check the IP field. See VerifyHostname. Specifically returns ErrHostValidation if the Certificate didn't match but there was no internal error.
func (*Certificate) CheckIP ¶
func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error
CheckIP checks that the X509 certificate is signed for the provided IP address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ErrHostValidation if the Certificate didn't match but there was no internal error.
func (*Certificate) ComputeFingerprint ¶
func (c *Certificate) ComputeFingerprint(digest *Digest) ([]byte, error)
ComputeFingerprint compute the fingerprint of the cert using the provided digest
func (*Certificate) GetExtensionValue ¶
func (c *Certificate) GetExtensionValue(nid NID) []byte
GetExtensionValue returns the value of the given NID's extension.
func (*Certificate) GetIssuerName ¶
func (c *Certificate) GetIssuerName() (*Name, error)
func (*Certificate) GetSerialNumberHex ¶
func (c *Certificate) GetSerialNumberHex() (serial string)
GetSerialNumberHex returns the certificate's serial number in hex format
func (*Certificate) GetSubjectName ¶
func (c *Certificate) GetSubjectName() (*Name, error)
func (*Certificate) GetVersion ¶
func (c *Certificate) GetVersion() X509_Version
GetVersion returns the X509 version of the certificate.
func (*Certificate) MarshalDER ¶
func (c *Certificate) MarshalDER() (derBlock []byte, err error)
MarshalDER converts the X509 certificate to DER-encoded format
func (*Certificate) MarshalPEM ¶
func (c *Certificate) MarshalPEM() (pemBlock []byte, err error)
MarshalPEM converts the X509 certificate to PEM-encoded format
func (*Certificate) PublicKey ¶
func (c *Certificate) PublicKey() (PublicKey, error)
PublicKey returns the public key embedded in the X509 certificate.
func (*Certificate) SetExpireDate ¶
func (c *Certificate) SetExpireDate(when time.Duration) error
SetExpireDate sets the certificate issue date relative to the current time.
func (*Certificate) SetIssueDate ¶
func (c *Certificate) SetIssueDate(when time.Duration) error
SetIssueDate sets the certificate issue date relative to the current time.
func (*Certificate) SetIssuer ¶
func (c *Certificate) SetIssuer(issuer *Certificate) error
SetIssuer updates the stored Issuer cert and the internal x509 Issuer Name of a certificate. The stored Issuer reference is used when adding extensions.
func (*Certificate) SetIssuerName ¶
func (c *Certificate) SetIssuerName(name *Name) error
SetIssuerName populates the issuer name of a certificate. Use SetIssuer instead, if possible.
func (*Certificate) SetPubKey ¶
func (c *Certificate) SetPubKey(pubKey PublicKey) error
SetPubKey assigns a new public key to a certificate.
func (*Certificate) SetSerial ¶
func (c *Certificate) SetSerial(serial *big.Int) error
SetSerial sets the serial of a certificate.
func (*Certificate) SetSubjectName ¶
func (c *Certificate) SetSubjectName(name *Name) error
func (*Certificate) SetVersion ¶
func (c *Certificate) SetVersion(version X509_Version) error
SetVersion sets the X509 version of the certificate.
func (*Certificate) Sign ¶
func (c *Certificate) Sign(privKey PrivateKey, digest EVP_MD) error
Sign a certificate using a private key and a digest name. Accepted digest names are 'sha256', 'sha384', and 'sha512'.
func (*Certificate) VerifyHostname ¶
func (c *Certificate) VerifyHostname(host string) error
VerifyHostname is a combination of CheckHost and CheckIP. If the provided hostname looks like an IP address, it will be checked as an IP address, otherwise it will be checked as a hostname. Specifically returns ErrHostValidation if the Certificate didn't match but there was no internal error.
type CertificateInfo ¶
type CertificateStore ¶
type CertificateStore struct {
// contains filtered or unexported fields
}
func NewCertificateStore ¶
func NewCertificateStore() (*CertificateStore, error)
NewCertificateStore Allocate a new, empty CertificateStore
func (*CertificateStore) AddCertificate ¶
func (s *CertificateStore) AddCertificate(cert *Certificate) error
AddCertificate marks the provided Certificate as a trusted certificate in the given CertificateStore.
func (*CertificateStore) LoadCertificatesFromPEM ¶
func (s *CertificateStore) LoadCertificatesFromPEM(data []byte) error
LoadCertificatesFromPEM Loads all certificates into the Store from the parsed PEM
type CertificateStoreCtx ¶
type CertificateStoreCtx struct {
// contains filtered or unexported fields
}
func (*CertificateStoreCtx) Depth ¶
func (csc *CertificateStoreCtx) Depth() int
func (*CertificateStoreCtx) Err ¶
func (csc *CertificateStoreCtx) Err() error
func (*CertificateStoreCtx) GetCurrentCert ¶
func (csc *CertificateStoreCtx) GetCurrentCert() *Certificate
GetCurrentCert fetches the current cert in the store. The certificate returned is only valid for the lifetime of the underlying X509_STORE_CTX
func (*CertificateStoreCtx) VerifyResult ¶
func (csc *CertificateStoreCtx) VerifyResult() VerifyResult
type CheckFlags ¶
type CheckFlags int
const ( AlwaysCheckSubject CheckFlags = C.X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT NoWildcards CheckFlags = C.X509_CHECK_FLAG_NO_WILDCARDS NoPartialWildcards CheckFlags = C.X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS MultiLabelWildcards CheckFlags = C.X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS SingleLabelSubdomains CheckFlags = C.X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS NeverCheckSubject CheckFlags = C.X509_CHECK_FLAG_NEVER_CHECK_SUBJECT )
type Cipher ¶
type Cipher struct {
// contains filtered or unexported fields
}
func GetCipherByName ¶
GetCipherByName returns the Cipher with the name or nil and an error if the cipher was not found.
func GetCipherByNid ¶
type CipherJob ¶ added in v0.2.0
type Conn ¶
type Conn struct { *SSL // contains filtered or unexported fields }
func Client ¶
Client wraps an existing stream connection and puts it in the connect state for any subsequent handshakes.
IMPORTANT NOTE: if you use this method instead of Dial to construct an SSL connection, you are responsible for verifying the peer's hostname. Otherwise, you are vulnerable to MITM attacks.
Client also does not set up SNI for you like Dial does.
Client connections probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
func Dial ¶
Dial will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.
Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
func DialSession ¶
DialSession will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.
Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
If session is not nil it will be used to resume the tls state. The session can be retrieved from the GetSession method on the Conn.
func DialTimeout ¶
func DialTimeout(network, addr string, timeout time.Duration, ctx *Ctx, flags DialFlags) (*Conn, error)
DialTimeout acts like Dial but takes a timeout for network dial.
The timeout includes only network dial. It does not include OpenSSL calls.
See func Dial for a description of the network, addr, ctx and flags parameters.
func Server ¶
Server wraps an existing stream connection and puts it in the accept state for any subsequent handshakes.
func (*Conn) Close ¶
Close shuts down the SSL connection and closes the underlying wrapped connection.
func (*Conn) ConnectionState ¶
func (c *Conn) ConnectionState() (rv ConnectionState)
func (*Conn) CurrentCipher ¶
func (*Conn) GetSession ¶
func (*Conn) Handshake ¶
Handshake performs an SSL handshake. If a handshake is not manually triggered, it will run before the first I/O on the encrypted stream.
func (*Conn) PeerCertificate ¶
func (c *Conn) PeerCertificate() (*Certificate, error)
PeerCertificate returns the Certificate of the peer with which you're communicating. Only valid after a handshake.
func (*Conn) PeerCertificateChain ¶
func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)
PeerCertificateChain returns the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server side, the peer's certificate must be obtained separately using PeerCertificate.
func (*Conn) Read ¶
Read reads up to len(b) bytes into b. It returns the number of bytes read and an error if applicable. io.EOF is returned when the caller can expect to see no more data.
func (*Conn) RemoteAddr ¶
RemoteAddr returns the underlying connection's remote address
func (*Conn) SessionReused ¶
func (*Conn) SetDeadline ¶
SetDeadline calls SetDeadline on the underlying connection.
func (*Conn) SetReadDeadline ¶
SetReadDeadline calls SetReadDeadline on the underlying connection.
func (*Conn) SetTlsExtHostName ¶
func (*Conn) SetWriteDeadline ¶
SetWriteDeadline calls SetWriteDeadline on the underlying connection.
func (*Conn) UnderlyingConn ¶
func (*Conn) VerifyHostname ¶
VerifyHostname pulls the PeerCertificate and calls VerifyHostname on the certificate.
func (*Conn) VerifyResult ¶
func (c *Conn) VerifyResult() VerifyResult
type ConnectionState ¶
type ConnectionState struct { Certificate *Certificate CertificateError error CertificateChain []*Certificate CertificateChainError error SessionReused bool }
type Ctx ¶
type Ctx struct {
// contains filtered or unexported fields
}
func NewCtx ¶
NewCtx creates a new context. The minimum supported SSL/TLS version is inherited from the library default. To change the min/max support SSL/TLS versions, use Ctx.SetMinProtoVersion and Ctx.SetMaxProtoVersion respectively.
func NewCtxFromFiles ¶
NewCtxFromFiles calls NewCtx, loads the provided files, and configures the context to use them.
func (*Ctx) AddChainCertificate ¶
func (c *Ctx) AddChainCertificate(cert *Certificate) error
AddChainCertificate adds a certificate to the chain presented in the handshake.
func (*Ctx) ClearOptions ¶
func (*Ctx) GetCertificateStore ¶
func (c *Ctx) GetCertificateStore() *CertificateStore
GetCertificateStore returns the context's certificate store that will be used for peer validation.
func (*Ctx) GetMode ¶
GetMode returns context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
func (*Ctx) GetOptions ¶
GetOptions returns context options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*Ctx) GetSessionCacheSize ¶ added in v0.2.0
GetSessionCacheSize gets the session cache size. https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
func (*Ctx) GetTimeout ¶
GetTimeout gets the session cache timeout. See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
func (*Ctx) GetVerifyCallback ¶
func (c *Ctx) GetVerifyCallback() VerifyCallback
func (*Ctx) GetVerifyDepth ¶
GetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*Ctx) LoadVerifyLocations ¶
LoadVerifyLocations tells the context to trust all certificate authorities provided in either the ca_file or the ca_path. See http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html for more.
func (*Ctx) SetCipherList ¶
SetCipherList sets the list of available ciphers. The format of the list is described at http://www.openssl.org/docs/apps/ciphers.html, but see http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html for more.
func (*Ctx) SetDHParameters ¶
SetDHParameters sets the DH group (DH parameters) used to negotiate an ephemeral DH key during handshaking.
func (*Ctx) SetEllipticCurve ¶
func (c *Ctx) SetEllipticCurve(curve EllipticCurve) error
SetEllipticCurve sets the elliptic curve used by the SSL context to enable an ECDH cipher suite to be selected during the handshake.
func (*Ctx) SetMaxProtoVersion ¶
SetMaxProtoVersion sets the maximum supported protocol version for the Ctx. http://www.openssl.org/docs/ssl/SSL_CTX_set_max_proto_version.html
func (*Ctx) SetMinProtoVersion ¶
SetMinProtoVersion sets the minimum supported protocol version for the Ctx. http://www.openssl.org/docs/ssl/SSL_CTX_set_min_proto_version.html
func (*Ctx) SetMode ¶
SetMode sets context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
func (*Ctx) SetNextProtos ¶
SetNextProtos sets Negotiation protocol to the ctx.
func (*Ctx) SetOptions ¶
SetOptions sets context options. See http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*Ctx) SetSessionCacheMode ¶
func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes
SetSessionCacheMode enables or disables session caching. See http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
func (*Ctx) SetSessionCacheSize ¶ added in v0.2.0
SetSessionCacheSize sets the session cache size. Returns previously set value. https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
func (*Ctx) SetSessionId ¶
func (*Ctx) SetTLSExtServernameCallback ¶
func (c *Ctx) SetTLSExtServernameCallback(sniCb TLSExtServernameCallback)
SetTLSExtServernameCallback sets callback function for Server Name Indication (SNI) rfc6066 (http://tools.ietf.org/html/rfc6066). See http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni
func (*Ctx) SetTimeout ¶
SetTimeout sets session cache timeout. Returns previously set value. See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
func (*Ctx) SetVerify ¶
func (c *Ctx) SetVerify(options VerifyOptions, verifyCb VerifyCallback)
SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*Ctx) SetVerifyCallback ¶
func (c *Ctx) SetVerifyCallback(verifyCb VerifyCallback)
func (*Ctx) SetVerifyDepth ¶
SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*Ctx) SetVerifyMode ¶
func (c *Ctx) SetVerifyMode(options VerifyOptions)
func (*Ctx) UseCertificate ¶
func (c *Ctx) UseCertificate(cert *Certificate) error
UseCertificate configures the context to present the given certificate to peers.
func (*Ctx) UsePrivateKey ¶
func (c *Ctx) UsePrivateKey(key PrivateKey) error
UsePrivateKey configures the context to use the given private key for SSL handshakes.
func (*Ctx) VerifyMode ¶
func (c *Ctx) VerifyMode() VerifyOptions
type DH ¶
type DH struct {
// contains filtered or unexported fields
}
func LoadDHParametersFromPEM ¶
LoadDHParametersFromPEM loads the Diffie-Hellman parameters from a PEM-encoded block.
type DecryptionCipherJob ¶ added in v0.2.0
type DecryptionCipherJob interface { CipherJob // DecryptUpdate takes ciphertext and returns the plaintext. // It can be called multiple times as needed. // // Deprecated: use CipherJob.Update instead DecryptUpdate(input []byte) ([]byte, error) // DecryptFinal should be called after all ciphertext has been processed. // It *may* return additional plaintext if required to complete a block. // // Deprecated: use CipherJob.Final instead DecryptFinal() ([]byte, error) }
func NewDecryptionCipherJob ¶ added in v0.2.0
func NewDecryptionCipherJob(c *Cipher, key, iv []byte) (DecryptionCipherJob, error)
NewDecryptionCipherJob creates a new encryption job Deprecated: use NewCipherJob with encrypt=false
type Digest ¶
type Digest struct {
// contains filtered or unexported fields
}
Digest represents and openssl message digest.
func GetDigestByName ¶
GetDigestByName returns the Digest with the name or nil and an error if the digest was not found.
func GetDigestByNid ¶
GetDigestByNid returns the Digest with the NID or nil and an error if the digest was not found.
type EVP_MD ¶
type EVP_MD int
const ( EVP_NULL EVP_MD = iota EVP_MD5 EVP_MD = iota EVP_MD4 EVP_MD = iota EVP_SHA EVP_MD = iota EVP_SHA1 EVP_MD = iota EVP_DSS EVP_MD = iota EVP_DSS1 EVP_MD = iota EVP_MDC2 EVP_MD = iota EVP_RIPEMD160 EVP_MD = iota EVP_SHA224 EVP_MD = iota EVP_SHA256 EVP_MD = iota EVP_SHA384 EVP_MD = iota EVP_SHA512 EVP_MD = iota )
type EllipticCurve ¶
type EllipticCurve int
EllipticCurve represents the ASN.1 OID of an elliptic curve. see https://www.openssl.org/docs/apps/ecparam.html for a list of implemented curves.
const ( // Prime256v1 P-256: X9.62/SECG curve over a 256 bit prime field Prime256v1 EllipticCurve = C.NID_X9_62_prime256v1 // Secp384r1 P-384: NIST/SECG curve over a 384 bit prime field Secp384r1 EllipticCurve = C.NID_secp384r1 // Secp521r1 P-521: NIST/SECG curve over a 521 bit prime field Secp521r1 EllipticCurve = C.NID_secp521r1 )
type EncryptionCipherJob ¶ added in v0.2.0
type EncryptionCipherJob interface { CipherJob // EncryptUpdate takes plaintext and returns the ciphertext. // It can be called multiple times as needed. // // Deprecated: use CipherJob.Update instead EncryptUpdate(input []byte) ([]byte, error) // EncryptFinal should be called after all plaintext has been processed. // It *may* return additional ciphertext if required to complete a block. // // Deprecated: use CipherJob.Final instead EncryptFinal() ([]byte, error) }
func NewEncryptionCipherJob ¶ added in v0.2.0
func NewEncryptionCipherJob(c *Cipher, key, iv []byte) (EncryptionCipherJob, error)
NewEncryptionCipherJob creates a new encryption job Deprecated: use NewCipherJob with encrypt=true
type HMAC ¶
type HMAC struct {
// contains filtered or unexported fields
}
type KeyType ¶ added in v0.2.0
type KeyType int
const ( KeyTypeNone KeyType = C.EVP_PKEY_NONE KeyTypeRSA KeyType = C.EVP_PKEY_RSA KeyTypeRSA2 KeyType = C.EVP_PKEY_RSA2 KeyTypeRSAPSS KeyType = C.EVP_PKEY_RSA_PSS KeyTypeDSA KeyType = C.EVP_PKEY_DSA KeyTypeDSA1 KeyType = C.EVP_PKEY_DSA1 KeyTypeDSA2 KeyType = C.EVP_PKEY_DSA2 KeyTypeDSA3 KeyType = C.EVP_PKEY_DSA3 KeyTypeDSA4 KeyType = C.EVP_PKEY_DSA4 KeyTypeDH KeyType = C.EVP_PKEY_DH KeyTypeDHX KeyType = C.EVP_PKEY_DHX KeyTypeEC KeyType = C.EVP_PKEY_EC KeyTypeSM2 KeyType = C.EVP_PKEY_SM2 KeyTypeHMAC KeyType = C.EVP_PKEY_HMAC KeyTypeCMAC KeyType = C.EVP_PKEY_CMAC KeyTypeScrypt KeyType = C.EVP_PKEY_SCRYPT KeyTypeTLS1PRF KeyType = C.EVP_PKEY_TLS1_PRF KeyTypeHKDF KeyType = C.EVP_PKEY_HKDF KeyTypePoly1305 KeyType = C.EVP_PKEY_POLY1305 KeyTypeSIPHash KeyType = C.EVP_PKEY_SIPHASH KeyTypeX25519 KeyType = C.EVP_PKEY_X25519 KeyTypeED25519 KeyType = C.EVP_PKEY_ED25519 KeyTypeX448 KeyType = C.EVP_PKEY_X448 KeyTypeED448 KeyType = C.EVP_PKEY_ED448 )
Constants for the various key types.
type LibraryContext ¶ added in v0.2.0
type LibraryContext struct {
// contains filtered or unexported fields
}
func GetNonFIPSCtx ¶ added in v0.2.0
func GetNonFIPSCtx(withLegacy bool) (*LibraryContext, error)
GetNonFIPSCtx gets a non-FIPS context
func (*LibraryContext) LoadProvider ¶ added in v0.2.0
func (c *LibraryContext) LoadProvider(name string) error
func (*LibraryContext) UnloadProvider ¶ added in v0.2.0
func (c *LibraryContext) UnloadProvider(name string)
type Modes ¶
type Modes int
const ( // ReleaseBuffers is only valid if you are using OpenSSL 1.0.1 or newer ReleaseBuffers Modes = C.SSL_MODE_RELEASE_BUFFERS )
type NID ¶
type NID int
const ( NID_undef NID = 0 NID_rsadsi NID = 1 NID_pkcs NID = 2 NID_md2 NID = 3 NID_md5 NID = 4 NID_rc4 NID = 5 NID_rsaEncryption NID = 6 NID_md2WithRSAEncryption NID = 7 NID_md5WithRSAEncryption NID = 8 NID_pbeWithMD2AndDES_CBC NID = 9 NID_pbeWithMD5AndDES_CBC NID = 10 NID_X500 NID = 11 NID_X509 NID = 12 NID_commonName NID = 13 NID_countryName NID = 14 NID_localityName NID = 15 NID_stateOrProvinceName NID = 16 NID_organizationName NID = 17 NID_organizationalUnitName NID = 18 NID_rsa NID = 19 NID_pkcs7 NID = 20 NID_pkcs7_data NID = 21 NID_pkcs7_signed NID = 22 NID_pkcs7_enveloped NID = 23 NID_pkcs7_signedAndEnveloped NID = 24 NID_pkcs7_digest NID = 25 NID_pkcs7_encrypted NID = 26 NID_pkcs3 NID = 27 NID_dhKeyAgreement NID = 28 NID_des_ecb NID = 29 NID_des_cfb64 NID = 30 NID_des_cbc NID = 31 NID_des_ede NID = 32 NID_des_ede3 NID = 33 NID_idea_cbc NID = 34 NID_idea_cfb64 NID = 35 NID_idea_ecb NID = 36 NID_rc2_cbc NID = 37 NID_rc2_ecb NID = 38 NID_rc2_cfb64 NID = 39 NID_rc2_ofb64 NID = 40 NID_sha NID = 41 NID_shaWithRSAEncryption NID = 42 NID_des_ede_cbc NID = 43 NID_des_ede3_cbc NID = 44 NID_des_ofb64 NID = 45 NID_idea_ofb64 NID = 46 NID_pkcs9 NID = 47 NID_pkcs9_emailAddress NID = 48 NID_pkcs9_unstructuredName NID = 49 NID_pkcs9_contentType NID = 50 NID_pkcs9_messageDigest NID = 51 NID_pkcs9_signingTime NID = 52 NID_pkcs9_countersignature NID = 53 NID_pkcs9_challengePassword NID = 54 NID_pkcs9_unstructuredAddress NID = 55 NID_pkcs9_extCertAttributes NID = 56 NID_netscape NID = 57 NID_netscape_cert_extension NID = 58 NID_netscape_data_type NID = 59 NID_des_ede_cfb64 NID = 60 NID_des_ede3_cfb64 NID = 61 NID_des_ede_ofb64 NID = 62 NID_des_ede3_ofb64 NID = 63 NID_sha1 NID = 64 NID_sha1WithRSAEncryption NID = 65 NID_dsaWithSHA NID = 66 NID_dsa_2 NID = 67 NID_pbeWithSHA1AndRC2_CBC NID = 68 NID_id_pbkdf2 NID = 69 NID_dsaWithSHA1_2 NID = 70 NID_netscape_cert_type NID = 71 NID_netscape_base_url NID = 72 NID_netscape_revocation_url NID = 73 NID_netscape_ca_revocation_url NID = 74 NID_netscape_renewal_url NID = 75 NID_netscape_ca_policy_url NID = 76 NID_netscape_ssl_server_name NID = 77 NID_netscape_comment NID = 78 NID_netscape_cert_sequence NID = 79 NID_desx_cbc NID = 80 NID_id_ce NID = 81 NID_subject_key_identifier NID = 82 NID_key_usage NID = 83 NID_private_key_usage_period NID = 84 NID_subject_alt_name NID = 85 NID_issuer_alt_name NID = 86 NID_basic_constraints NID = 87 NID_crl_number NID = 88 NID_certificate_policies NID = 89 NID_bf_cbc NID = 91 NID_bf_ecb NID = 92 NID_bf_cfb64 NID = 93 NID_bf_ofb64 NID = 94 NID_mdc2 NID = 95 NID_mdc2WithRSA NID = 96 NID_rc4_40 NID = 97 NID_rc2_40_cbc NID = 98 NID_givenName NID = 99 NID_surname NID = 100 NID_initials NID = 101 NID_uniqueIdentifier NID = 102 NID_crl_distribution_points NID = 103 NID_md5WithRSA NID = 104 NID_serialNumber NID = 105 NID_title NID = 106 NID_description NID = 107 NID_cast5_cbc NID = 108 NID_cast5_ecb NID = 109 NID_cast5_cfb64 NID = 110 NID_cast5_ofb64 NID = 111 NID_pbeWithMD5AndCast5_CBC NID = 112 NID_dsaWithSHA1 NID = 113 NID_md5_sha1 NID = 114 NID_sha1WithRSA NID = 115 NID_dsa NID = 116 NID_ripemd160 NID = 117 NID_ripemd160WithRSA NID = 119 NID_rc5_cbc NID = 120 NID_rc5_ecb NID = 121 NID_rc5_cfb64 NID = 122 NID_rc5_ofb64 NID = 123 NID_rle_compression NID = 124 NID_zlib_compression NID = 125 NID_ext_key_usage NID = 126 NID_id_pkix NID = 127 NID_id_kp NID = 128 NID_server_auth NID = 129 NID_client_auth NID = 130 NID_code_sign NID = 131 NID_email_protect NID = 132 NID_time_stamp NID = 133 NID_ms_code_ind NID = 134 NID_ms_code_com NID = 135 NID_ms_ctl_sign NID = 136 NID_ms_sgc NID = 137 NID_ms_efs NID = 138 NID_ns_sgc NID = 139 NID_delta_crl NID = 140 NID_crl_reason NID = 141 NID_invalidity_date NID = 142 NID_sxnet NID = 143 NID_pbe_WithSHA1And128BitRC4 NID = 144 NID_pbe_WithSHA1And40BitRC4 NID = 145 NID_pbe_WithSHA1And3_Key_TripleDES_CBC NID = 146 NID_pbe_WithSHA1And2_Key_TripleDES_CBC NID = 147 NID_pbe_WithSHA1And128BitRC2_CBC NID = 148 NID_pbe_WithSHA1And40BitRC2_CBC NID = 149 NID_keyBag NID = 150 NID_pkcs8ShroudedKeyBag NID = 151 NID_certBag NID = 152 NID_crlBag NID = 153 NID_secretBag NID = 154 NID_safeContentsBag NID = 155 NID_friendlyName NID = 156 NID_localKeyID NID = 157 NID_x509Certificate NID = 158 NID_sdsiCertificate NID = 159 NID_x509Crl NID = 160 NID_pbes2 NID = 161 NID_pbmac1 NID = 162 NID_hmacWithSHA1 NID = 163 NID_id_qt_cps NID = 164 NID_id_qt_unotice NID = 165 NID_rc2_64_cbc NID = 166 NID_SMIMECapabilities NID = 167 NID_pbeWithMD2AndRC2_CBC NID = 168 NID_pbeWithMD5AndRC2_CBC NID = 169 NID_pbeWithSHA1AndDES_CBC NID = 170 NID_ms_ext_req NID = 171 NID_ext_req NID = 172 NID_name NID = 173 NID_dnQualifier NID = 174 NID_id_pe NID = 175 NID_id_ad NID = 176 NID_info_access NID = 177 NID_ad_OCSP NID = 178 NID_ad_ca_issuers NID = 179 NID_OCSP_sign NID = 180 NID_X9_62_id_ecPublicKey NID = 408 NID_hmac NID = 855 NID_cmac NID = 894 NID_dhpublicnumber NID = 920 NID_tls1_prf NID = 1021 NID_hkdf NID = 1036 NID_X25519 NID = 1034 NID_X448 NID = 1035 NID_ED25519 NID = 1087 NID_ED448 NID = 1088 )
type Name ¶
type Name struct {
// contains filtered or unexported fields
}
func (*Name) AddTextEntries ¶
AddTextEntries allows adding multiple entries to a name in one call.
func (*Name) AddTextEntry ¶
AddTextEntry appends a text entry to an X509 NAME.
type Options ¶
type Options int
const ( NoCompression Options = C.SSL_OP_NO_COMPRESSION NoSSLv2 Options = C.SSL_OP_NO_SSLv2 NoSSLv3 Options = C.SSL_OP_NO_SSLv3 NoTLSv1 Options = C.SSL_OP_NO_TLSv1 NoTLSv11 Options = C.SSL_OP_NO_TLSv1_1 NoTLSv12 Options = C.SSL_OP_NO_TLSv1_2 NoTLSv13 Options = C.SSL_OP_NO_TLSv1_3 NoDTLSv1 Options = C.SSL_OP_NO_DTLSv1 NoDTLSv12 Options = C.SSL_OP_NO_DTLSv1_2 CipherServerPreference Options = C.SSL_OP_CIPHER_SERVER_PREFERENCE NoSessionResumptionOrRenegotiation Options = C.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION NoTicket Options = C.SSL_OP_NO_TICKET )
type ParamBld ¶ added in v0.2.0
type ParamBld struct {
// contains filtered or unexported fields
}
func NewParamBld ¶ added in v0.2.0
func (*ParamBld) PushOctetString ¶ added in v0.2.0
func (*ParamBld) PushString ¶ added in v0.2.0
type ParamPair ¶ added in v0.2.0
type ParamPair struct {
// contains filtered or unexported fields
}
type PrivateKey ¶
type PrivateKey interface { PublicKey // SignPKCS1v15 signs the data using PKCS1.15 SignPKCS1v15(*Digest, []byte) ([]byte, error) // MarshalPKCS1PrivateKeyPEM converts the private key to PEM-encoded PKCS1 format MarshalPKCS1PrivateKeyPEM() (pemBlock []byte, err error) // MarshalPKCS1PrivateKeyDER converts the private key to DER-encoded PKCS1 format MarshalPKCS1PrivateKeyDER() (derBlock []byte, err error) }
func GenerateECKey ¶
func GenerateECKey(curve EllipticCurve) (PrivateKey, error)
GenerateECKey generates a new elliptic curve private key on the specified curve.
func GenerateED25519Key ¶
func GenerateED25519Key() (PrivateKey, error)
GenerateED25519Key generates a Ed25519 key
func GenerateRSAKey ¶
func GenerateRSAKey(bits int) (PrivateKey, error)
GenerateRSAKey generates a new RSA private key with an exponent of 3.
func GenerateRSAKeyWithExponent ¶
func GenerateRSAKeyWithExponent(bits int, exponent int) (PrivateKey, error)
GenerateRSAKeyWithExponent generates a new RSA private key.
func LoadPrivateKeyFromDER ¶
func LoadPrivateKeyFromDER(derBlock []byte) (PrivateKey, error)
LoadPrivateKeyFromDER loads a private key from a DER-encoded block.
func LoadPrivateKeyFromPEM ¶
func LoadPrivateKeyFromPEM(pemBlock []byte) (PrivateKey, error)
LoadPrivateKeyFromPEM loads a private key from a PEM-encoded block.
func LoadPrivateKeyFromPEMWithPassword ¶
func LoadPrivateKeyFromPEMWithPassword(pemBlock []byte, password string) (PrivateKey, error)
LoadPrivateKeyFromPEMWithPassword loads a private key from a PEM-encoded block.
type PrivateKeyContext ¶ added in v0.2.0
type PrivateKeyDeriveContext ¶ added in v0.2.0
type PrivateKeyDeriveContext interface { PrivateKeyContext SetPeer(peer PublicKey) error Derive() ([]byte, error) }
func NewPKeyDeriveContextFromKey ¶ added in v0.2.0
func NewPKeyDeriveContextFromKey(key PrivateKey) (PrivateKeyDeriveContext, error)
type PrivateKeyGenerationContext ¶ added in v0.2.0
type PrivateKeyGenerationContext interface { PrivateKeyContext Generate() (PrivateKey, error) }
func NewPKeyGenerationContextFromKey ¶ added in v0.2.0
func NewPKeyGenerationContextFromKey(key PrivateKey) (PrivateKeyGenerationContext, error)
func NewPKeyGenerationContextFromKeyType ¶ added in v0.2.0
func NewPKeyGenerationContextFromKeyType(keyType KeyType) (PrivateKeyGenerationContext, error)
type PrivateKeyParamGenerationContext ¶ added in v0.2.0
type PrivateKeyParamGenerationContext interface { PrivateKeyContext Generate() (PrivateKey, error) SetECParamGenCurveNID(curve EllipticCurve) error }
func NewPKeyParamGenerationCtx ¶ added in v0.2.0
func NewPKeyParamGenerationCtx(keyID KeyType) (PrivateKeyParamGenerationContext, error)
type PublicKey ¶
type PublicKey interface { // VerifyPKCS1v15 verifies the data signature using PKCS1.15 VerifyPKCS1v15(digest *Digest, data, sig []byte) error // MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX format MarshalPKIXPublicKeyPEM() (pemBlock []byte, err error) // MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX format MarshalPKIXPublicKeyDER() (derBlock []byte, err error) // KeyType returns an identifier for what kind of key is represented by this object. KeyType() KeyType // BaseType returns an identifier for what kind of key is represented // by this object. // Keys that share same algorithm but use different legacy formats // will have the same BaseType. // // For example, a key with a `KeyType() == KeyTypeRSA` and a key with a // `KeyType() == KeyTypeRSA2` would both have `BaseType() == KeyTypeRSA`. BaseType() NID // Equal compares the key with the passed in key. Equal(key PublicKey) bool // Size returns the size (in bytes) of signatures created with this key. Size() int // contains filtered or unexported methods }
func LoadPublicKeyFromDER ¶
LoadPublicKeyFromDER loads a public key from a DER-encoded block.
func LoadPublicKeyFromPEM ¶
LoadPublicKeyFromPEM loads a public key from a PEM-encoded block.
type SHA256Hash ¶
type SHA256Hash = digestJob
func NewSHA256Hash ¶
func NewSHA256Hash() (*SHA256Hash, error)
type SSL ¶
type SSL struct {
// contains filtered or unexported fields
}
func (*SSL) ClearOptions ¶
ClearOptions clear SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*SSL) GetOptions ¶
GetOptions returns SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*SSL) GetServername ¶
GetServername returns server name according to rfc6066. See http://tools.ietf.org/html/rfc6066.
func (*SSL) GetVerifyCallback ¶
func (s *SSL) GetVerifyCallback() VerifyCallback
GetVerifyCallback returns callback function. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) GetVerifyDepth ¶
GetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) SetOptions ¶
SetOptions sets SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*SSL) SetSSLCtx ¶
SetSSLCtx changes context to new one. Useful for Server Name Indication (SNI) rfc6066 http://tools.ietf.org/html/rfc6066. See http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni
func (*SSL) SetVerify ¶
func (s *SSL) SetVerify(options VerifyOptions, verifyCb VerifyCallback)
SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) SetVerifyCallback ¶
func (s *SSL) SetVerifyCallback(verifyCb VerifyCallback)
SetVerifyCallback controls peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) SetVerifyDepth ¶
SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) SetVerifyMode ¶
func (s *SSL) SetVerifyMode(options VerifyOptions)
SetVerifyMode controls peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) VerifyMode ¶
func (s *SSL) VerifyMode() VerifyOptions
VerifyMode returns peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
type SSLTLSExtErr ¶
type SSLTLSExtErr int
const ( SSLTLSExtErrOK SSLTLSExtErr = C.SSL_TLSEXT_ERR_OK SSLTLSExtErrAlertWarning SSLTLSExtErr = C.SSL_TLSEXT_ERR_ALERT_WARNING SSLTLSEXTErrAlertFatal SSLTLSExtErr = C.SSL_TLSEXT_ERR_ALERT_FATAL SSLTLSEXTErrNoAck SSLTLSExtErr = C.SSL_TLSEXT_ERR_NOACK )
type SessionCacheModes ¶
type SessionCacheModes int
const ( SessionCacheOff SessionCacheModes = C.SSL_SESS_CACHE_OFF SessionCacheClient SessionCacheModes = C.SSL_SESS_CACHE_CLIENT SessionCacheServer SessionCacheModes = C.SSL_SESS_CACHE_SERVER SessionCacheBoth SessionCacheModes = C.SSL_SESS_CACHE_BOTH NoAutoClear SessionCacheModes = C.SSL_SESS_CACHE_NO_AUTO_CLEAR NoInternalLookup SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP NoInternalStore SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_STORE NoInternal SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL )
type TLSExtServernameCallback ¶
type TLSExtServernameCallback func(ssl *SSL) SSLTLSExtErr
type VerifyCallback ¶
type VerifyCallback func(ok bool, store *CertificateStoreCtx) bool
type VerifyOptions ¶
type VerifyOptions int
const ( VerifyNone VerifyOptions = C.SSL_VERIFY_NONE VerifyPeer VerifyOptions = C.SSL_VERIFY_PEER VerifyFailIfNoPeerCert VerifyOptions = C.SSL_VERIFY_FAIL_IF_NO_PEER_CERT VerifyClientOnce VerifyOptions = C.SSL_VERIFY_CLIENT_ONCE VerifyPostHandshake VerifyOptions = C.SSL_VERIFY_POST_HANDSHAKE )
type VerifyResult ¶
type VerifyResult int
const ( Ok VerifyResult = C.X509_V_OK UnableToGetIssuerCert VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT UnableToGetCrl VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL UnableToDecryptCertSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE UnableToDecryptCrlSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE UnableToDecodeIssuerPublicKey VerifyResult = C.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY CertSignatureFailure VerifyResult = C.X509_V_ERR_CERT_SIGNATURE_FAILURE CrlSignatureFailure VerifyResult = C.X509_V_ERR_CRL_SIGNATURE_FAILURE CertNotYetValid VerifyResult = C.X509_V_ERR_CERT_NOT_YET_VALID CertHasExpired VerifyResult = C.X509_V_ERR_CERT_HAS_EXPIRED CrlNotYetValid VerifyResult = C.X509_V_ERR_CRL_NOT_YET_VALID CrlHasExpired VerifyResult = C.X509_V_ERR_CRL_HAS_EXPIRED ErrorInCertNotBeforeField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ErrorInCertNotAfterField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD ErrorInCrlLastUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD ErrorInCrlNextUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD OutOfMem VerifyResult = C.X509_V_ERR_OUT_OF_MEM DepthZeroSelfSignedCert VerifyResult = C.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT SelfSignedCertInChain VerifyResult = C.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN UnableToGetIssuerCertLocally VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY UnableToVerifyLeafSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE CertChainTooLong VerifyResult = C.X509_V_ERR_CERT_CHAIN_TOO_LONG CertRevoked VerifyResult = C.X509_V_ERR_CERT_REVOKED InvalidCa VerifyResult = C.X509_V_ERR_INVALID_CA PathLengthExceeded VerifyResult = C.X509_V_ERR_PATH_LENGTH_EXCEEDED InvalidPurpose VerifyResult = C.X509_V_ERR_INVALID_PURPOSE CertUntrusted VerifyResult = C.X509_V_ERR_CERT_UNTRUSTED CertRejected VerifyResult = C.X509_V_ERR_CERT_REJECTED SubjectIssuerMismatch VerifyResult = C.X509_V_ERR_SUBJECT_ISSUER_MISMATCH AkidSkidMismatch VerifyResult = C.X509_V_ERR_AKID_SKID_MISMATCH AkidIssuerSerialMismatch VerifyResult = C.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH KeyusageNoCertsign VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CERTSIGN UnableToGetCrlIssuer VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER UnhandledCriticalExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION KeyusageNoCrlSign VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN UnhandledCriticalCrlExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION InvalidNonCa VerifyResult = C.X509_V_ERR_INVALID_NON_CA ProxyPathLengthExceeded VerifyResult = C.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED KeyusageNoDigitalSignature VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE ProxyCertificatesNotAllowed VerifyResult = C.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED InvalidExtension VerifyResult = C.X509_V_ERR_INVALID_EXTENSION InvalidPolicyExtension VerifyResult = C.X509_V_ERR_INVALID_POLICY_EXTENSION NoExplicitPolicy VerifyResult = C.X509_V_ERR_NO_EXPLICIT_POLICY UnnestedResource VerifyResult = C.X509_V_ERR_UNNESTED_RESOURCE ApplicationVerification VerifyResult = C.X509_V_ERR_APPLICATION_VERIFICATION )
type Version ¶
type Version int
const ( SSL3version Version = C.SSL3_VERSION TLS1version Version = C.TLS1_VERSION TLS11version Version = C.TLS1_1_VERSION TLS12version Version = C.TLS1_2_VERSION TLS13version Version = C.TLS1_3_VERSION DTLS1version Version = C.DTLS1_VERSION DTLS12version Version = C.DTLS1_2_VERSION )
type X509_Version ¶
type X509_Version int
X509_Version represents a version on an x509 certificate.
const ( X509_V1 X509_Version = 0 X509_V3 X509_Version = 2 )
Specify constants for x509 versions because the standard states that they are represented internally as one lower than the common version name.