util

package
v3.0.0-...-cfbdf18 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 7, 2022 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// Tags
	DNSNameTag = 2
)
View Source
const (
	GTLDPeriodDateFormat = "2006-01-02"
)
View Source
const OnionTLD = ".onion"

Variables

View Source
var (
	//extension OIDs
	AiaOID                  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}        // Authority Information Access
	AuthkeyOID              = asn1.ObjectIdentifier{2, 5, 29, 35}                     // Authority Key Identifier
	BasicConstOID           = asn1.ObjectIdentifier{2, 5, 29, 19}                     // Basic Constraints
	CertPolicyOID           = asn1.ObjectIdentifier{2, 5, 29, 32}                     // Certificate Policies
	CrlDistOID              = asn1.ObjectIdentifier{2, 5, 29, 31}                     // CRL Distribution Points
	CtPoisonOID             = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison
	EkuSynOid               = asn1.ObjectIdentifier{2, 5, 29, 37}                     // Extended Key Usage Syntax
	FreshCRLOID             = asn1.ObjectIdentifier{2, 5, 29, 46}                     // Freshest CRL
	InhibitAnyPolicyOID     = asn1.ObjectIdentifier{2, 5, 29, 54}                     // Inhibit Any Policy
	IssuerAlternateNameOID  = asn1.ObjectIdentifier{2, 5, 29, 18}                     // Issuer Alt Name
	KeyUsageOID             = asn1.ObjectIdentifier{2, 5, 29, 15}                     // Key Usage
	LogoTypeOID             = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12}       // Logo Type Ext
	NameConstOID            = asn1.ObjectIdentifier{2, 5, 29, 30}                     // Name Constraints
	OscpNoCheckOID          = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}    // OSCP No Check
	PolicyConstOID          = asn1.ObjectIdentifier{2, 5, 29, 36}                     // Policy Constraints
	PolicyMapOID            = asn1.ObjectIdentifier{2, 5, 29, 33}                     // Policy Mappings
	PrivKeyUsageOID         = asn1.ObjectIdentifier{2, 5, 29, 16}                     // Private Key Usage Period
	QcStateOid              = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}        // QC Statements
	TimestampOID            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List
	SmimeOID                = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15}      // Smime Capabilities
	SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17}                     // Subject Alt Name
	SubjectDirAttrOID       = asn1.ObjectIdentifier{2, 5, 29, 9}                      // Subject Directory Attributes
	SubjectInfoAccessOID    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11}       // Subject Info Access Syntax
	SubjectKeyIdentityOID   = asn1.ObjectIdentifier{2, 5, 29, 14}                     // Subject Key Identifier
	// CA/B reserved policies
	BRDomainValidatedOID                = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated
	BROrganizationValidatedOID          = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated
	BRIndividualValidatedOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated
	BRTorServiceDescriptor              = asn1.ObjectIdentifier{2, 23, 140, 1, 31}   // CA/B BR Tor Service Descriptor
	CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1}    // CA/B EV 9.8.2 cabfOrganizationIdentifier
	//X.500 attribute types
	CommonNameOID             = asn1.ObjectIdentifier{2, 5, 4, 3}
	SurnameOID                = asn1.ObjectIdentifier{2, 5, 4, 4}
	SerialOID                 = asn1.ObjectIdentifier{2, 5, 4, 5}
	CountryNameOID            = asn1.ObjectIdentifier{2, 5, 4, 6}
	LocalityNameOID           = asn1.ObjectIdentifier{2, 5, 4, 7}
	StateOrProvinceNameOID    = asn1.ObjectIdentifier{2, 5, 4, 8}
	StreetAddressOID          = asn1.ObjectIdentifier{2, 5, 4, 9}
	OrganizationNameOID       = asn1.ObjectIdentifier{2, 5, 4, 10}
	OrganizationalUnitNameOID = asn1.ObjectIdentifier{2, 5, 4, 11}
	BusinessOID               = asn1.ObjectIdentifier{2, 5, 4, 15}
	PostalCodeOID             = asn1.ObjectIdentifier{2, 5, 4, 17}
	GivenNameOID              = asn1.ObjectIdentifier{2, 5, 4, 42}
	// Hash algorithms - see https://golang.org/src/crypto/x509/x509.go
	SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
	SHA512OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
	// other OIDs
	OidRSAEncryption           = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
	OidRSASSAPSS               = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
	OidMD2WithRSAEncryption    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
	OidMD5WithRSAEncryption    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
	OidSHA1WithRSAEncryption   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
	OidSHA224WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14}
	OidSHA256WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
	OidSHA384WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
	OidSHA512WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
	AnyPolicyOID               = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
	UserNoticeOID              = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2}
	CpsOID                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
	IdEtsiQcsQcCompliance      = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}
	IdEtsiQcsQcLimitValue      = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 2}
	IdEtsiQcsQcRetentionPeriod = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 3}
	IdEtsiQcsQcSSCD            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4}
	IdEtsiQcsQcEuPDS           = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 5}
	IdEtsiQcsQcType            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}
	IdEtsiQcsQctEsign          = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1}
	IdEtsiQcsQctEseal          = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2}
	IdEtsiQcsQctWeb            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3}
)
View Source
var (
	ZeroDate                   = time.Date(0000, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC1035Date                = time.Date(1987, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC2459Date                = time.Date(1999, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC3279Date                = time.Date(2002, time.April, 1, 0, 0, 0, 0, time.UTC)
	RFC3280Date                = time.Date(2002, time.April, 1, 0, 0, 0, 0, time.UTC)
	RFC3490Date                = time.Date(2003, time.March, 1, 0, 0, 0, 0, time.UTC)
	RFC8399Date                = time.Date(2018, time.May, 1, 0, 0, 0, 0, time.UTC)
	RFC4325Date                = time.Date(2005, time.December, 1, 0, 0, 0, 0, time.UTC)
	RFC4630Date                = time.Date(2006, time.August, 1, 0, 0, 0, 0, time.UTC)
	RFC5280Date                = time.Date(2008, time.May, 1, 0, 0, 0, 0, time.UTC)
	RFC6818Date                = time.Date(2013, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC8813Date                = time.Date(2020, time.August, 1, 0, 0, 0, 0, time.UTC)
	CABEffectiveDate           = time.Date(2012, time.July, 1, 0, 0, 0, 0, time.UTC)
	CABReservedIPDate          = time.Date(2016, time.October, 1, 0, 0, 0, 0, time.UTC)
	CABGivenNameDate           = time.Date(2016, time.September, 7, 0, 0, 0, 0, time.UTC)
	CABSerialNumberEntropyDate = time.Date(2016, time.September, 30, 0, 0, 0, 0, time.UTC)
	CABV102Date                = time.Date(2012, time.June, 8, 0, 0, 0, 0, time.UTC)
	CABV113Date                = time.Date(2013, time.February, 21, 0, 0, 0, 0, time.UTC)
	CABV114Date                = time.Date(2013, time.May, 3, 0, 0, 0, 0, time.UTC)
	CABV116Date                = time.Date(2013, time.July, 29, 0, 0, 0, 0, time.UTC)
	CABV130Date                = time.Date(2015, time.April, 16, 0, 0, 0, 0, time.UTC)
	CABV131Date                = time.Date(2015, time.September, 28, 0, 0, 0, 0, time.UTC)
	// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.0.pdf
	CABV170Date                                      = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC)
	NO_SHA1                                          = time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoRSA1024RootDate                                = time.Date(2011, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoRSA1024Date                                    = time.Date(2014, time.January, 1, 0, 0, 0, 0, time.UTC)
	GeneralizedDate                                  = time.Date(2050, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoReservedIP                                     = time.Date(2015, time.November, 1, 0, 0, 0, 0, time.UTC)
	SubCert39Month                                   = time.Date(2016, time.July, 2, 0, 0, 0, 0, time.UTC)
	SubCert825Days                                   = time.Date(2018, time.March, 2, 0, 0, 0, 0, time.UTC)
	CABV148Date                                      = time.Date(2017, time.June, 8, 0, 0, 0, 0, time.UTC)
	EtsiEn319_412_5_V2_2_1_Date                      = time.Date(2017, time.November, 1, 0, 0, 0, 0, time.UTC)
	OnionOnlyEVDate                                  = time.Date(2015, time.May, 1, 0, 0, 0, 0, time.UTC)
	CABV201Date                                      = time.Date(2017, time.July, 28, 0, 0, 0, 0, time.UTC)
	AppleCTPolicyDate                                = time.Date(2018, time.October, 15, 0, 0, 0, 0, time.UTC)
	MozillaPolicy22Date                              = time.Date(2013, time.July, 26, 0, 0, 0, 0, time.UTC)
	MozillaPolicy24Date                              = time.Date(2017, time.February, 28, 0, 0, 0, 0, time.UTC)
	MozillaPolicy241Date                             = time.Date(2017, time.March, 31, 0, 0, 0, 0, time.UTC)
	MozillaPolicy27Date                              = time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate = time.Date(2019, time.April, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_6_2_Date                               = time.Date(2018, time.December, 10, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_2_1_Date                               = time.Date(2015, time.January, 16, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_6_9_Date                               = time.Date(2020, time.March, 27, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_7_1_Date                               = time.Date(2020, time.August, 20, 0, 0, 0, 0, time.UTC)
	AppleReducedLifetimeDate                         = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_7_9_Date                               = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_8_0_Date                               = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
	NoReservedDomainLabelsDate                       = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_OU_Prohibited_Date                       = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
)
View Source
var (
	CABFEV_9_8_2 = CABV170Date
)
View Source
var (
	// KeyUsageToString maps an x509.KeyUsage bitmask to its name.
	KeyUsageToString = map[x509.KeyUsage]string{
		x509.KeyUsageDigitalSignature:  "KeyUsageDigitalSignature",
		x509.KeyUsageContentCommitment: "KeyUsageContentCommitment",
		x509.KeyUsageKeyEncipherment:   "KeyUsageKeyEncipherment",
		x509.KeyUsageDataEncipherment:  "KeyUsageDataEncipherment",
		x509.KeyUsageKeyAgreement:      "KeyUsageKeyAgreement",
		x509.KeyUsageCertSign:          "KeyUsageCertSign",
		x509.KeyUsageCRLSign:           "KeyUsageCRLSign",
		x509.KeyUsageEncipherOnly:      "KeyUsageEncipherOnly",
		x509.KeyUsageDecipherOnly:      "KeyUsageDecipherOnly",
	}
)
View Source
var (
	// 1.2.840.10045.4.3.1 is SHA224withECDSA
	OidSignatureSHA224withECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 1}
)

additional OIDs not provided by the x509 package.

View Source
var RSAAlgorithmIDToDER = map[string][]byte{

	"1.2.840.113549.1.1.1": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x1, 0x5, 0x0},

	"1.2.840.113549.1.1.2": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x2, 0x5, 0x0},

	"1.2.840.113549.1.1.4": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x4, 0x5, 0x0},

	"1.2.840.113549.1.1.5": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x5, 0x5, 0x0},

	"1.2.840.113549.1.1.14": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xe, 0x5, 0x0},

	"1.2.840.113549.1.1.11": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 0x5, 0x0},

	"1.2.840.113549.1.1.12": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xc, 0x5, 0x0},

	"1.2.840.113549.1.1.13": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xd, 0x5, 0x0},
}

RSAAlgorithmIDToDER contains DER representations of pkix.AlgorithmIdentifier for different RSA OIDs with Parameters as asn1.NULL.

Functions

func AllAlternateNameWithTagAreIA5

func AllAlternateNameWithTagAreIA5(ext *pkix.Extension, tag int) (bool, error)

AllAlternateNameWithTagAreIA5 returns true if all sequence members with the given tag are encoded as IA5 strings, and false otherwise. If it encounters errors parsing asn1, err will be non-nil.

func AppendToStringSemicolonDelim

func AppendToStringSemicolonDelim(this *string, s string)

func AuthIsFQDNOrIP

func AuthIsFQDNOrIP(auth string) bool

func BeforeOrOn

func BeforeOrOn(left, right time.Time) bool

BeforeOrOn returns whether left is before or strictly equal to right.

func CertificateSubjInTLD

func CertificateSubjInTLD(c *x509.Certificate, label string) bool

CertificateSubjContainsTLD checks whether the provided Certificate has a Subject Common Name or DNS Subject Alternate Name that ends in the provided TLD label. If IsInTLDMap(label) returns false then CertificateSubjInTLD will return false.

func CheckAlgorithmIDParamNotNULL

func CheckAlgorithmIDParamNotNULL(algorithmIdentifier []byte, requiredAlgoID asn1.ObjectIdentifier) error

CheckAlgorithmIDParamNotNULL parses an AlgorithmIdentifier with algorithm OID rsaEncryption to check the Param field is asn1.NULL Expects DER-encoded AlgorithmIdentifier including tag and length.

func CheckRDNSequenceWhiteSpace

func CheckRDNSequenceWhiteSpace(raw []byte) (leading, trailing bool, err error)

CheckRDNSequenceWhiteSpace returns true if there is leading or trailing whitespace in any name attribute in the sequence, respectively.

func CommonNameIsIP

func CommonNameIsIP(cert *x509.Certificate) bool

func DNSNamesExist

func DNSNamesExist(cert *x509.Certificate) bool

func FindTimeType

func FindTimeType(firstDate, secondDate asn1.RawValue) (int, int)

func GetAuthority

func GetAuthority(uri string) string

func GetExtFromCert

func GetExtFromCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension

GetExtFromCert returns the extension with the matching OID, if present. If the extension if not present, it returns nil.

func GetHost

func GetHost(auth string) string

func GetMappedPolicies

func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error)

helper function to parse policyMapping extensions, returns slices of CertPolicyIds separated by domain

func GetPublicKeyAidEncoded

func GetPublicKeyAidEncoded(c *x509.Certificate) ([]byte, error)

Returns the algorithm field of the SubjectPublicKeyInfo of the certificate in its encoded form (containing Tag and Length) or an error if the algorithm field could not be extracted.

SubjectPublicKeyInfo  ::=  SEQUENCE  {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING  }

func GetPublicKeyOID

func GetPublicKeyOID(c *x509.Certificate) (asn1.ObjectIdentifier, error)

Returns the algorithm field of the SubjectPublicKeyInfo of the certificate or an error if the algorithm field could not be extracted.

SubjectPublicKeyInfo  ::=  SEQUENCE  {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING  }

func GetSignatureAlgorithmInTBSEncoded

func GetSignatureAlgorithmInTBSEncoded(c *x509.Certificate) ([]byte, error)

Returns the signature field of the tbsCertificate of this certificate in a DER encoded form or an error if the signature field could not be extracted. The encoded form contains the tag and the length.

TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    extensions      [3]  EXPLICIT Extensions OPTIONAL
                         -- If present, version MUST be v3
    }

func GetTimes

func GetTimes(cert *x509.Certificate) (asn1.RawValue, asn1.RawValue)

TODO(@cpu): This function is a little bit rough around the edges (especially after my quick fixes for the ineffassigns) and would be a good candidate for clean-up/refactoring.

func HasEKU

func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool

HasEKU tests whether an Extended Key Usage (EKU) is present in a certificate.

func HasKeyUsage

func HasKeyUsage(c *x509.Certificate, usage x509.KeyUsage) bool

HasKeyUsage returns whether-or-not the given x509.KeyUsage is present within the given certificate's KeyUsage bitmap. The certificate, however, is NOT checked for whether-or-not it actually has a key usage OID. If you wish to check for the presence of the key usage OID, please use HasKeyUsageOID.

func HasKeyUsageOID

func HasKeyUsageOID(c *x509.Certificate) bool

HasKeyUsageOID returns whether-or-not the OID 2.5.29.15 is present in the given certificate's extensions.

func HasReservedLabelPrefix

func HasReservedLabelPrefix(s string) bool

HasReservedLabelPrefix checks whether the given string (presumably a domain label) has hyphens ("-") as the third and fourth characters. Domain labels with hyphens in these positions are considered to be "Reserved Labels" per RFC 5890, section 2.3.1. (https://datatracker.ietf.org/doc/html/rfc5890#section-2.3.1)

func HasValidTLD

func HasValidTLD(domain string, when time.Time) bool

HasValidTLD checks that a domain ends in a valid TLD that was delegated in the root DNS at the time specified.

func HasXNLabelPrefix

func HasXNLabelPrefix(s string) bool

HasXNLabelPrefix checks whether the given string (presumably a domain label) is prefixed with the case-insensitive string "xn--" (the IDNA ACE prefix).

This check is useful given the bug following bug report for IDNA wherein the ACE prefix incorrectly taken to be case-sensitive.

https://github.com/golang/go/issues/48778

func IdnaToUnicode

func IdnaToUnicode(s string) (string, error)

IdnaToUnicode is a wrapper around idna.ToUnicode.

If the provided string starts with the IDNA ACE prefix ("xn--", case insensitive), then that ACE prefix is coerced to a lowercase "xn--" before processing by the idna package.

This is only necessary due to the bug at https://github.com/golang/go/issues/48778

func IntersectsIANAReserved

func IntersectsIANAReserved(net net.IPNet) bool

IntersectsIANAReserved checks if a CIDR intersects any IANA reserved CIDRs

func IsAnyEtsiQcStatementPresent

func IsAnyEtsiQcStatementPresent(extVal []byte) bool

func IsCACert

func IsCACert(c *x509.Certificate) bool

IsCACert returns true if c has IsCA set.

func IsDelegatedOCSPResponderCert

func IsDelegatedOCSPResponderCert(cert *x509.Certificate) bool

IsDelegatedOCSPResponderCert returns true if the id-kp-OCSPSigning EKU is set According https://tools.ietf.org/html/rfc6960#section-4.2.2.2 it is not sufficient to have only the id-kp-anyExtendedKeyUsage included

func IsEV

func IsEV(in []asn1.ObjectIdentifier) bool

IsEV returns true if the input is a known Extended Validation OID.

func IsEmptyASN1Sequence

func IsEmptyASN1Sequence(input []byte) bool

func IsExtInCert

func IsExtInCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool

IsExtInCert is equivalent to GetExtFromCert() != nil.

func IsFQDN

func IsFQDN(domain string) bool

func IsFQDNOrIP

func IsFQDNOrIP(host string) bool

func IsIA5String

func IsIA5String(raw []byte) bool

IsIA5String returns true if raw is an IA5String, and returns false otherwise.

func IsIANAReserved

func IsIANAReserved(ip net.IP) bool

IsIANAReserved checks IP validity as per IANA reserved IPs

IPv4
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
IPv6
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml

func IsISOCountryCode

func IsISOCountryCode(in string) bool

IsISOCountryCode returns true if the input is a known two-letter country code.

TODO: Document where the list of known countries came from.

func IsInPrefSyn

func IsInPrefSyn(name string) bool

func IsInTLDMap

func IsInTLDMap(label string) bool

IsInTLDMap checks that a label is present in the TLD map. It does not consider the TLD's validity period and whether the TLD may have been removed, only whether it was ever a TLD that was delegated.

func IsNameAttribute

func IsNameAttribute(oid asn1.ObjectIdentifier) bool

IsNameAttribute returns true if the given ObjectIdentifier corresponds with the type of any name attribute for PKIX.

func IsOnionV2Address

func IsOnionV2Address(dnsName string) bool

IsOnionV2Address returns whether-or-not the give address appears to be an Onion V2 address.

In order to be an Onion V2 encoded address, the DNS name must satisfy the following:

  1. The address has at least two labels.
  2. The right most label is the .onion TLD.
  3. The second-to-the-right most label is a 16 character long, base32.

func IsOnionV2Cert

func IsOnionV2Cert(c *x509.Certificate) bool

IsOnionV2Cert returns whether-or-not at least one of the provided certificates subject common name, or any of its DNS names, are version 2 Onion addresses.

func IsOnionV3Address

func IsOnionV3Address(dnsName string) bool

IsOnionV3Address returns whether or not the provided DNS name is an Onion V3 encoded address.

In order to be an Onion V3 encoded address, the DNS name must satisfy the following:

  1. Contain at least two labels.
  2. The right most label MUST be "onion".
  3. The second to the right most label MUST be exactly 56 characters long.
  4. The second to the right most label MUST be base32 encoded against the lowercase standard encoding.
  5. The final byte of the decoded result from #4 MUST be equal to 0x03.

func IsOnionV3Cert

func IsOnionV3Cert(c *x509.Certificate) bool

IsOnionV3Cert returns whether-or-not at least one of the provided certificates subject common name, or any of its DNS names, are version 3 Onion addresses.

func IsRootCA

func IsRootCA(c *x509.Certificate) bool

IsRootCA returns true if c has IsCA set and is also self-signed.

func IsSelfSigned

func IsSelfSigned(c *x509.Certificate) bool

IsSelfSigned returns true if SelfSigned is set.

func IsServerAuthCert

func IsServerAuthCert(cert *x509.Certificate) bool

func IsSubCA

func IsSubCA(c *x509.Certificate) bool

IsSubCA returns true if c has IsCA set, but is not self-signed.

func IsSubscriberCert

func IsSubscriberCert(c *x509.Certificate) bool

IsSubscriberCert returns true for if a certificate is not a CA and not self-signed.

func KeyUsageIsPresent

func KeyUsageIsPresent(keyUsages x509.KeyUsage, usage x509.KeyUsage) bool

KeyUsageIsPresent checks the provided bitmap (keyUsages) for presence of the provided x509.KeyUsage.

func NotAllNameFieldsAreEmpty

func NotAllNameFieldsAreEmpty(name *pkix.Name) bool

func OnOrAfter

func OnOrAfter(left, right time.Time) bool

OnOrAfter returns whether left is after or strictly equal to right.

func ParseBMPString

func ParseBMPString(bmpString []byte) (string, error)

ParseBMPString returns a uint16 encoded string following the specification for a BMPString type

func PrimeNoSmallerThan752

func PrimeNoSmallerThan752(dividend *big.Int) bool

func RemovePrependedQuestionMarks

func RemovePrependedQuestionMarks(domain string) string

func RemovePrependedWildcard

func RemovePrependedWildcard(domain string) string

func SliceContainsOID

func SliceContainsOID(list []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier) bool

Helper function that checks if an []asn1.ObjectIdentifier slice contains an asn1.ObjectIdentifier

func TypeInName

func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool

Helper function that checks for a name type in a pkix.Name

Types

type AttributeTypeAndRawValue

type AttributeTypeAndRawValue struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue
}

type AttributeTypeAndRawValueSET

type AttributeTypeAndRawValueSET []AttributeTypeAndRawValue

type Etsi421QualEuCert

type Etsi421QualEuCert struct {
	// contains filtered or unexported fields
}

func (Etsi421QualEuCert) GetErrorInfo

func (this Etsi421QualEuCert) GetErrorInfo() string

func (Etsi421QualEuCert) IsPresent

func (this Etsi421QualEuCert) IsPresent() bool

type Etsi423QcType

type Etsi423QcType struct {
	TypeOids []asn1.ObjectIdentifier
	// contains filtered or unexported fields
}

func (Etsi423QcType) GetErrorInfo

func (this Etsi423QcType) GetErrorInfo() string

func (Etsi423QcType) IsPresent

func (this Etsi423QcType) IsPresent() bool

type EtsiMonetaryValueAlph

type EtsiMonetaryValueAlph struct {
	Iso4217CurrencyCodeAlph string `asn1:"printable"`
	Amount                  int
	Exponent                int
}

type EtsiMonetaryValueNum

type EtsiMonetaryValueNum struct {
	Iso4217CurrencyCodeNum int
	Amount                 int
	Exponent               int
}

type EtsiQcLimitValue

type EtsiQcLimitValue struct {
	Amount       int
	Exponent     int
	IsNum        bool
	CurrencyAlph string
	CurrencyNum  int
	// contains filtered or unexported fields
}

func (EtsiQcLimitValue) GetErrorInfo

func (this EtsiQcLimitValue) GetErrorInfo() string

func (EtsiQcLimitValue) IsPresent

func (this EtsiQcLimitValue) IsPresent() bool

type EtsiQcPds

type EtsiQcPds struct {
	PdsLocations []PdsLocation
	// contains filtered or unexported fields
}

func (EtsiQcPds) GetErrorInfo

func (this EtsiQcPds) GetErrorInfo() string

func (EtsiQcPds) IsPresent

func (this EtsiQcPds) IsPresent() bool

type EtsiQcRetentionPeriod

type EtsiQcRetentionPeriod struct {
	Period int
	// contains filtered or unexported fields
}

func (EtsiQcRetentionPeriod) GetErrorInfo

func (this EtsiQcRetentionPeriod) GetErrorInfo() string

func (EtsiQcRetentionPeriod) IsPresent

func (this EtsiQcRetentionPeriod) IsPresent() bool

type EtsiQcSscd

type EtsiQcSscd struct {
	// contains filtered or unexported fields
}

func (EtsiQcSscd) GetErrorInfo

func (this EtsiQcSscd) GetErrorInfo() string

func (EtsiQcSscd) IsPresent

func (this EtsiQcSscd) IsPresent() bool

type EtsiQcStmtIf

type EtsiQcStmtIf interface {
	GetErrorInfo() string
	IsPresent() bool
}

func ParseQcStatem

func ParseQcStatem(extVal []byte, sought asn1.ObjectIdentifier) EtsiQcStmtIf

type GTLDPeriod

type GTLDPeriod struct {
	// GTLD is the GTLD the period corresponds to. It is used only for friendly
	// error messages from `Valid`
	GTLD string
	// DelegationDate is the date at which ICANN delegated the gTLD into existence
	// from the root DNS, or is empty if the gTLD was never delegated.
	DelegationDate string
	// RemovalDate is the date at which ICANN removed the gTLD delegation from the
	// root DNS, or is empty if the gTLD is still delegated and has not been
	// removed.
	RemovalDate string
}

GTLDPeriod is a struct representing a gTLD's validity period. The field names are chosen to match the data returned by the ICANN gTLD v2 JSON registry[0]. See the `zlint-gtld-update` command for more information. [0] - https://www.icann.org/resources/registries/gtlds/v2/gtlds.json

func (GTLDPeriod) Valid

func (p GTLDPeriod) Valid(when time.Time) error

Valid determines if the provided `when` time is within the GTLDPeriod for the gTLD. E.g. whether a certificate issued at `when` with a subject identifier using the specified gTLD can be considered a valid use of the gTLD.

type PdsLocation

type PdsLocation struct {
	Url      string `asn1:"ia5"`
	Language string `asn1:"printable"`
}

type RawRDNSequence

type RawRDNSequence []AttributeTypeAndRawValueSET

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL