openssl: github.com/spacemonkeygo/openssl Index | Files | Directories

package openssl

import "github.com/spacemonkeygo/openssl"

Package openssl is a light wrapper around OpenSSL for Go.

It strives to provide a near-drop-in replacement for the Go standard library tls package, while allowing for:

Performance

OpenSSL is battle-tested and optimized C. While Go's built-in library shows great promise, it is still young and in some places, inefficient. This simple OpenSSL wrapper can often do at least 2x with the same cipher and protocol.

On my lappytop, I get the following benchmarking speeds:

BenchmarkSHA1Large_openssl      1000  2611282 ns/op  401.56 MB/s
BenchmarkSHA1Large_stdlib        500  3963983 ns/op  264.53 MB/s
BenchmarkSHA1Small_openssl   1000000     3476 ns/op    0.29 MB/s
BenchmarkSHA1Small_stdlib    5000000      550 ns/op    1.82 MB/s
BenchmarkSHA256Large_openssl     200  8085314 ns/op  129.69 MB/s
BenchmarkSHA256Large_stdlib      100 18948189 ns/op   55.34 MB/s
BenchmarkSHA256Small_openssl 1000000     4262 ns/op    0.23 MB/s
BenchmarkSHA256Small_stdlib  1000000     1444 ns/op    0.69 MB/s
BenchmarkOpenSSLThroughput    100000    21634 ns/op   47.33 MB/s
BenchmarkStdlibThroughput      50000    58974 ns/op   17.36 MB/s

Interoperability

Many systems support OpenSSL with a variety of plugins and modules for things, such as hardware acceleration in embedded devices.

Greater flexibility and configuration

OpenSSL allows for far greater configuration of corner cases and backwards compatibility (such as support of SSLv2). You shouldn't be using SSLv2 if you can help but, but sometimes you can't help it.

Security

Yeah yeah, Heartbleed. But according to the author of the standard library's TLS implementation, Go's TLS library is vulnerable to timing attacks. And whether or not OpenSSL received the appropriate amount of scrutiny pre-Heartbleed, it sure is receiving it now.

Usage

Starting an HTTP server that uses OpenSSL is very easy. It's as simple as:

log.Fatal(openssl.ListenAndServeTLS(
      ":8443", "my_server.crt", "my_server.key", myHandler))

Getting a net.Listener that uses OpenSSL is also easy:

ctx, err := openssl.NewCtxFromFiles("my_server.crt", "my_server.key")
if err != nil {
        log.Fatal(err)
}
l, err := openssl.Listen("tcp", ":7777", ctx)

Making a client connection is straightforward too:

ctx, err := NewCtx()
if err != nil {
        log.Fatal(err)
}
err = ctx.LoadVerifyLocations("/etc/ssl/certs/ca-certificates.crt", "")
if err != nil {
        log.Fatal(err)
}
conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0)

Help wanted: To get this library to work with net/http's client, we had to fork net/http. It would be nice if an alternate http client library supported the generality needed to use OpenSSL instead of crypto/tls.

Index

Package Files

bio.go build.go cert.go ciphers.go ciphers_gcm.go conn.go ctx.go dhparam.go digest.go engine.go fips.go hmac.go hostname.go http.go init.go init_posix.go key.go mapping.go net.go nid.go pem.go sha1.go sha256.go ssl.go tickets.go

Constants

const (
    GCM_TAG_MAXLEN = 16
)
const (
    KeyNameSize = 16
)
const (
    SSLRecordSize = 16 * 1024
)

Variables

var (
    ValidationError = errors.New("Host validation error")
)

func FIPSModeSet Uses

func FIPSModeSet(mode bool) error

FIPSModeSet enables a FIPS 140-2 validated mode of operation. https://wiki.openssl.org/index.php/FIPS_mode_set()

func Listen Uses

func Listen(network, laddr string, ctx *Ctx) (net.Listener, error)

Listen is a wrapper around net.Listen that wraps incoming connections with an OpenSSL server connection using the provided context ctx.

func ListenAndServeTLS Uses

func ListenAndServeTLS(addr string, cert_file string, key_file string,
    handler http.Handler) error

ListenAndServeTLS will take an http.Handler and serve it using OpenSSL over the given tcp address, configured to use the provided cert and key files.

func NewListener Uses

func NewListener(inner net.Listener, ctx *Ctx) net.Listener

NewListener wraps an existing net.Listener such that all accepted connections are wrapped as OpenSSL server connections using the provided context ctx.

func Nid2ShortName Uses

func Nid2ShortName(nid NID) (string, error)

func SHA1 Uses

func SHA1(data []byte) (result [20]byte, err error)

func SHA256 Uses

func SHA256(data []byte) (result [32]byte, err error)

func ServerListenAndServeTLS Uses

func ServerListenAndServeTLS(srv *http.Server,
    cert_file, key_file string) error

ServerListenAndServeTLS will take an http.Server and serve it using OpenSSL configured to use the provided cert and key files.

func SplitPEM Uses

func SplitPEM(data []byte) [][]byte

type AuthenticatedDecryptionCipherCtx Uses

type AuthenticatedDecryptionCipherCtx interface {
    DecryptionCipherCtx

    // pass in any extra data that was added during encryption with the
    // encryption context's ExtraData()
    ExtraData([]byte) error

    // use before finalizing decryption to tell the library what the
    // tag is expected to be
    SetTag([]byte) error
}

func NewGCMDecryptionCipherCtx Uses

func NewGCMDecryptionCipherCtx(blocksize int, e *Engine, key, iv []byte) (
    AuthenticatedDecryptionCipherCtx, error)

type AuthenticatedEncryptionCipherCtx Uses

type AuthenticatedEncryptionCipherCtx interface {
    EncryptionCipherCtx

    // data passed in to ExtraData() is part of the final output; it is
    // not encrypted itself, but is part of the authenticated data. when
    // decrypting or authenticating, pass back with the decryption
    // context's ExtraData()
    ExtraData([]byte) error

    // use after finalizing encryption to get the authenticating tag
    GetTag() ([]byte, error)
}

func NewGCMEncryptionCipherCtx Uses

func NewGCMEncryptionCipherCtx(blocksize int, e *Engine, key, iv []byte) (
    AuthenticatedEncryptionCipherCtx, error)

type Certificate Uses

type Certificate struct {
    Issuer *Certificate
    // contains filtered or unexported fields
}

func LoadCertificateFromPEM Uses

func LoadCertificateFromPEM(pem_block []byte) (*Certificate, error)

LoadCertificateFromPEM loads an X509 certificate from a PEM-encoded block.

func NewCertificate Uses

func NewCertificate(info *CertificateInfo, key PublicKey) (*Certificate, error)

NewCertificate generates a basic certificate based on the provided CertificateInfo struct

func (*Certificate) AddExtension Uses

func (c *Certificate) AddExtension(nid NID, value string) error

Add an extension to a certificate. Extension constants are NID_* as found in openssl.

func (*Certificate) AddExtensions Uses

func (c *Certificate) AddExtensions(extensions map[NID]string) error

Wraps AddExtension using a map of NID to text extension. Will return without finishing if it encounters an error.

func (*Certificate) CheckEmail Uses

func (c *Certificate) CheckEmail(email string, flags CheckFlags) error

CheckEmail checks that the X509 certificate is signed for the provided email address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.

func (*Certificate) CheckHost Uses

func (c *Certificate) CheckHost(host string, flags CheckFlags) error

CheckHost checks that the X509 certificate is signed for the provided host name. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Note that CheckHost does not check the IP field. See VerifyHostname. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.

func (*Certificate) CheckIP Uses

func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error

CheckIP checks that the X509 certificate is signed for the provided IP address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.

func (*Certificate) GetIssuerName Uses

func (c *Certificate) GetIssuerName() (*Name, error)

func (*Certificate) GetSerialNumberHex Uses

func (c *Certificate) GetSerialNumberHex() (serial string)

GetSerialNumberHex returns the certificate's serial number in hex format

func (*Certificate) GetSubjectName Uses

func (c *Certificate) GetSubjectName() (*Name, error)

func (*Certificate) MarshalPEM Uses

func (c *Certificate) MarshalPEM() (pem_block []byte, err error)

MarshalPEM converts the X509 certificate to PEM-encoded format

func (*Certificate) PublicKey Uses

func (c *Certificate) PublicKey() (PublicKey, error)

PublicKey returns the public key embedded in the X509 certificate.

func (*Certificate) SetExpireDate Uses

func (c *Certificate) SetExpireDate(when time.Duration) error

SetExpireDate sets the certificate issue date relative to the current time.

func (*Certificate) SetIssueDate Uses

func (c *Certificate) SetIssueDate(when time.Duration) error

SetIssueDate sets the certificate issue date relative to the current time.

func (*Certificate) SetIssuer Uses

func (c *Certificate) SetIssuer(issuer *Certificate) error

SetIssuer updates the stored Issuer cert and the internal x509 Issuer Name of a certificate. The stored Issuer reference is used when adding extensions.

func (*Certificate) SetIssuerName Uses

func (c *Certificate) SetIssuerName(name *Name) error

SetIssuerName populates the issuer name of a certificate. Use SetIssuer instead, if possible.

func (*Certificate) SetPubKey Uses

func (c *Certificate) SetPubKey(pubKey PublicKey) error

SetPubKey assigns a new public key to a certificate.

func (*Certificate) SetSerial Uses

func (c *Certificate) SetSerial(serial *big.Int) error

SetSerial sets the serial of a certificate.

func (*Certificate) SetSubjectName Uses

func (c *Certificate) SetSubjectName(name *Name) error

func (*Certificate) Sign Uses

func (c *Certificate) Sign(privKey PrivateKey, digest EVP_MD) error

Sign a certificate using a private key and a digest name. Accepted digest names are 'sha256', 'sha384', and 'sha512'.

func (*Certificate) VerifyHostname Uses

func (c *Certificate) VerifyHostname(host string) error

VerifyHostname is a combination of CheckHost and CheckIP. If the provided hostname looks like an IP address, it will be checked as an IP address, otherwise it will be checked as a hostname. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.

type CertificateInfo Uses

type CertificateInfo struct {
    Serial       *big.Int
    Issued       time.Duration
    Expires      time.Duration
    Country      string
    Organization string
    CommonName   string
}

type CertificateStore Uses

type CertificateStore struct {
    // contains filtered or unexported fields
}

func NewCertificateStore Uses

func NewCertificateStore() (*CertificateStore, error)

Allocate a new, empty CertificateStore

func (*CertificateStore) AddCertificate Uses

func (s *CertificateStore) AddCertificate(cert *Certificate) error

AddCertificate marks the provided Certificate as a trusted certificate in the given CertificateStore.

func (*CertificateStore) LoadCertificatesFromPEM Uses

func (s *CertificateStore) LoadCertificatesFromPEM(data []byte) error

Parse a chained PEM file, loading all certificates into the Store.

type CertificateStoreCtx Uses

type CertificateStoreCtx struct {
    // contains filtered or unexported fields
}

func (*CertificateStoreCtx) Depth Uses

func (self *CertificateStoreCtx) Depth() int

func (*CertificateStoreCtx) Err Uses

func (self *CertificateStoreCtx) Err() error

func (*CertificateStoreCtx) GetCurrentCert Uses

func (self *CertificateStoreCtx) GetCurrentCert() *Certificate

the certicate returned is only valid for the lifetime of the underlying X509_STORE_CTX

func (*CertificateStoreCtx) VerifyResult Uses

func (self *CertificateStoreCtx) VerifyResult() VerifyResult

type CheckFlags Uses

type CheckFlags int
const (
    AlwaysCheckSubject CheckFlags = C.X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
    NoWildcards        CheckFlags = C.X509_CHECK_FLAG_NO_WILDCARDS
)

type Cipher Uses

type Cipher struct {
    // contains filtered or unexported fields
}

func GetCipherByName Uses

func GetCipherByName(name string) (*Cipher, error)

func GetCipherByNid Uses

func GetCipherByNid(nid NID) (*Cipher, error)

func (*Cipher) BlockSize Uses

func (c *Cipher) BlockSize() int

func (*Cipher) IVSize Uses

func (c *Cipher) IVSize() int

func (*Cipher) KeySize Uses

func (c *Cipher) KeySize() int

func (*Cipher) Nid Uses

func (c *Cipher) Nid() NID

func (*Cipher) ShortName Uses

func (c *Cipher) ShortName() (string, error)

type CipherCtx Uses

type CipherCtx interface {
    Cipher() *Cipher
    BlockSize() int
    KeySize() int
    IVSize() int
}

type Conn Uses

type Conn struct {
    *SSL
    // contains filtered or unexported fields
}

func Client Uses

func Client(conn net.Conn, ctx *Ctx) (*Conn, error)

Client wraps an existing stream connection and puts it in the connect state for any subsequent handshakes.

IMPORTANT NOTE: if you use this method instead of Dial to construct an SSL connection, you are responsible for verifying the peer's hostname. Otherwise, you are vulnerable to MITM attacks.

Client also does not set up SNI for you like Dial does.

Client connections probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.

func Dial Uses

func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error)

Dial will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.

Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.

func DialSession Uses

func DialSession(network, addr string, ctx *Ctx, flags DialFlags,
    session []byte) (*Conn, error)

DialSession will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.

Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.

If session is not nil it will be used to resume the tls state. The session can be retrieved from the GetSession method on the Conn.

func Server Uses

func Server(conn net.Conn, ctx *Ctx) (*Conn, error)

Server wraps an existing stream connection and puts it in the accept state for any subsequent handshakes.

func (*Conn) Close Uses

func (c *Conn) Close() error

Close shuts down the SSL connection and closes the underlying wrapped connection.

func (*Conn) ConnectionState Uses

func (c *Conn) ConnectionState() (rv ConnectionState)

func (*Conn) CurrentCipher Uses

func (c *Conn) CurrentCipher() (string, error)

func (*Conn) GetCtx Uses

func (c *Conn) GetCtx() *Ctx

func (*Conn) GetSession Uses

func (c *Conn) GetSession() ([]byte, error)

func (*Conn) Handshake Uses

func (c *Conn) Handshake() error

Handshake performs an SSL handshake. If a handshake is not manually triggered, it will run before the first I/O on the encrypted stream.

func (*Conn) LocalAddr Uses

func (c *Conn) LocalAddr() net.Addr

LocalAddr returns the underlying connection's local address

func (*Conn) PeerCertificate Uses

func (c *Conn) PeerCertificate() (*Certificate, error)

PeerCertificate returns the Certificate of the peer with which you're communicating. Only valid after a handshake.

func (*Conn) PeerCertificateChain Uses

func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)

PeerCertificateChain returns the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server side, the peer's certificate must be obtained separately using PeerCertificate.

func (*Conn) Read Uses

func (c *Conn) Read(b []byte) (n int, err error)

Read reads up to len(b) bytes into b. It returns the number of bytes read and an error if applicable. io.EOF is returned when the caller can expect to see no more data.

func (*Conn) RemoteAddr Uses

func (c *Conn) RemoteAddr() net.Addr

RemoteAddr returns the underlying connection's remote address

func (*Conn) SessionReused Uses

func (c *Conn) SessionReused() bool

func (*Conn) SetDeadline Uses

func (c *Conn) SetDeadline(t time.Time) error

SetDeadline calls SetDeadline on the underlying connection.

func (*Conn) SetReadDeadline Uses

func (c *Conn) SetReadDeadline(t time.Time) error

SetReadDeadline calls SetReadDeadline on the underlying connection.

func (*Conn) SetTlsExtHostName Uses

func (c *Conn) SetTlsExtHostName(name string) error

func (*Conn) SetWriteDeadline Uses

func (c *Conn) SetWriteDeadline(t time.Time) error

SetWriteDeadline calls SetWriteDeadline on the underlying connection.

func (*Conn) UnderlyingConn Uses

func (c *Conn) UnderlyingConn() net.Conn

func (*Conn) VerifyHostname Uses

func (c *Conn) VerifyHostname(host string) error

VerifyHostname pulls the PeerCertificate and calls VerifyHostname on the certificate.

func (*Conn) VerifyResult Uses

func (c *Conn) VerifyResult() VerifyResult

func (*Conn) Write Uses

func (c *Conn) Write(b []byte) (written int, err error)

Write will encrypt the contents of b and write it to the underlying stream. Performance will be vastly improved if the size of b is a multiple of SSLRecordSize.

type ConnectionState Uses

type ConnectionState struct {
    Certificate           *Certificate
    CertificateError      error
    CertificateChain      []*Certificate
    CertificateChainError error
    SessionReused         bool
}

type Ctx Uses

type Ctx struct {
    // contains filtered or unexported fields
}

func NewCtx Uses

func NewCtx() (*Ctx, error)

NewCtx creates a context that supports any TLS version 1.0 and newer.

func NewCtxFromFiles Uses

func NewCtxFromFiles(cert_file string, key_file string) (*Ctx, error)

NewCtxFromFiles calls NewCtx, loads the provided files, and configures the context to use them.

func NewCtxWithVersion Uses

func NewCtxWithVersion(version SSLVersion) (*Ctx, error)

NewCtxWithVersion creates an SSL context that is specific to the provided SSL version. See http://www.openssl.org/docs/ssl/SSL_CTX_new.html for more.

func (*Ctx) AddChainCertificate Uses

func (c *Ctx) AddChainCertificate(cert *Certificate) error

AddChainCertificate adds a certificate to the chain presented in the handshake.

func (*Ctx) ClearOptions Uses

func (c *Ctx) ClearOptions(options Options) Options

func (*Ctx) GetCertificateStore Uses

func (c *Ctx) GetCertificateStore() *CertificateStore

GetCertificateStore returns the context's certificate store that will be used for peer validation.

func (*Ctx) GetMode Uses

func (c *Ctx) GetMode() Modes

GetMode returns context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html

func (*Ctx) GetOptions Uses

func (c *Ctx) GetOptions() Options

GetOptions returns context options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*Ctx) GetTimeout Uses

func (c *Ctx) GetTimeout() time.Duration

Get session cache timeout. See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html

func (*Ctx) GetVerifyCallback Uses

func (c *Ctx) GetVerifyCallback() VerifyCallback

func (*Ctx) GetVerifyDepth Uses

func (c *Ctx) GetVerifyDepth() int

GetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*Ctx) LoadVerifyLocations Uses

func (c *Ctx) LoadVerifyLocations(ca_file string, ca_path string) error

LoadVerifyLocations tells the context to trust all certificate authorities provided in either the ca_file or the ca_path. See http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html for more.

func (*Ctx) SessGetCacheSize Uses

func (c *Ctx) SessGetCacheSize() int

Get session cache size. https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html

func (*Ctx) SessSetCacheSize Uses

func (c *Ctx) SessSetCacheSize(t int) int

Set session cache size. Returns previously set value. https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html

func (*Ctx) SetCipherList Uses

func (c *Ctx) SetCipherList(list string) error

SetCipherList sets the list of available ciphers. The format of the list is described at http://www.openssl.org/docs/apps/ciphers.html, but see http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html for more.

func (*Ctx) SetDHParameters Uses

func (c *Ctx) SetDHParameters(dh *DH) error

SetDHParameters sets the DH group (DH parameters) used to negotiate an emphemeral DH key during handshaking.

func (*Ctx) SetEllipticCurve Uses

func (c *Ctx) SetEllipticCurve(curve EllipticCurve) error

SetEllipticCurve sets the elliptic curve used by the SSL context to enable an ECDH cipher suite to be selected during the handshake.

func (*Ctx) SetMode Uses

func (c *Ctx) SetMode(modes Modes) Modes

SetMode sets context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html

func (*Ctx) SetOptions Uses

func (c *Ctx) SetOptions(options Options) Options

SetOptions sets context options. See http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*Ctx) SetSessionCacheMode Uses

func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes

SetSessionCacheMode enables or disables session caching. See http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html

func (*Ctx) SetSessionId Uses

func (c *Ctx) SetSessionId(session_id []byte) error

func (*Ctx) SetTLSExtServernameCallback Uses

func (c *Ctx) SetTLSExtServernameCallback(sni_cb TLSExtServernameCallback)

SetTLSExtServernameCallback sets callback function for Server Name Indication (SNI) rfc6066 (http://tools.ietf.org/html/rfc6066). See http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni

func (*Ctx) SetTicketStore Uses

func (c *Ctx) SetTicketStore(store *TicketStore)

SetTicketStore sets the ticket store for the context so that clients can do ticket based session resumption. If the store is nil, the

func (*Ctx) SetTimeout Uses

func (c *Ctx) SetTimeout(t time.Duration) time.Duration

Set session cache timeout. Returns previously set value. See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html

func (*Ctx) SetVerify Uses

func (c *Ctx) SetVerify(options VerifyOptions, verify_cb VerifyCallback)

SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*Ctx) SetVerifyCallback Uses

func (c *Ctx) SetVerifyCallback(verify_cb VerifyCallback)

func (*Ctx) SetVerifyDepth Uses

func (c *Ctx) SetVerifyDepth(depth int)

SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*Ctx) SetVerifyMode Uses

func (c *Ctx) SetVerifyMode(options VerifyOptions)

func (*Ctx) UseCertificate Uses

func (c *Ctx) UseCertificate(cert *Certificate) error

UseCertificate configures the context to present the given certificate to peers.

func (*Ctx) UsePrivateKey Uses

func (c *Ctx) UsePrivateKey(key PrivateKey) error

UsePrivateKey configures the context to use the given private key for SSL handshakes.

func (*Ctx) VerifyMode Uses

func (c *Ctx) VerifyMode() VerifyOptions

type DH Uses

type DH struct {
    // contains filtered or unexported fields
}

func LoadDHParametersFromPEM Uses

func LoadDHParametersFromPEM(pem_block []byte) (*DH, error)

LoadDHParametersFromPEM loads the Diffie-Hellman parameters from a PEM-encoded block.

type DecryptionCipherCtx Uses

type DecryptionCipherCtx interface {
    CipherCtx

    // pass in ciphertext, get back plaintext. can be called
    // multiple times as needed
    DecryptUpdate(input []byte) ([]byte, error)

    // call after all ciphertext has been passed in; may return
    // additional plaintext if needed to finish off a block
    DecryptFinal() ([]byte, error)
}

func NewDecryptionCipherCtx Uses

func NewDecryptionCipherCtx(c *Cipher, e *Engine, key, iv []byte) (
    DecryptionCipherCtx, error)

type DialFlags Uses

type DialFlags int
const (
    InsecureSkipHostVerification DialFlags = 1 << iota
    DisableSNI
)

type Digest Uses

type Digest struct {
    // contains filtered or unexported fields
}

Digest represents and openssl message digest.

func GetDigestByName Uses

func GetDigestByName(name string) (*Digest, error)

GetDigestByName returns the Digest with the name or nil and an error if the digest was not found.

func GetDigestByNid Uses

func GetDigestByNid(nid NID) (*Digest, error)

GetDigestByName returns the Digest with the NID or nil and an error if the digest was not found.

type EVP_MD Uses

type EVP_MD int
const (
    EVP_NULL      EVP_MD = iota
    EVP_MD5       EVP_MD = iota
    EVP_SHA       EVP_MD = iota
    EVP_SHA1      EVP_MD = iota
    EVP_DSS       EVP_MD = iota
    EVP_DSS1      EVP_MD = iota
    EVP_MDC2      EVP_MD = iota
    EVP_RIPEMD160 EVP_MD = iota
    EVP_SHA224    EVP_MD = iota
    EVP_SHA256    EVP_MD = iota
    EVP_SHA384    EVP_MD = iota
    EVP_SHA512    EVP_MD = iota
)

type EllipticCurve Uses

type EllipticCurve int

EllipticCurve repesents the ASN.1 OID of an elliptic curve. see https://www.openssl.org/docs/apps/ecparam.html for a list of implemented curves.

const (
    // P-256: X9.62/SECG curve over a 256 bit prime field
    Prime256v1 EllipticCurve = C.NID_X9_62_prime256v1
    // P-384: NIST/SECG curve over a 384 bit prime field
    Secp384r1 EllipticCurve = C.NID_secp384r1
)

type EncryptionCipherCtx Uses

type EncryptionCipherCtx interface {
    CipherCtx

    // pass in plaintext, get back ciphertext. can be called
    // multiple times as needed
    EncryptUpdate(input []byte) ([]byte, error)

    // call after all plaintext has been passed in; may return
    // additional ciphertext if needed to finish off a block
    // or extra padding information
    EncryptFinal() ([]byte, error)
}

func NewEncryptionCipherCtx Uses

func NewEncryptionCipherCtx(c *Cipher, e *Engine, key, iv []byte) (
    EncryptionCipherCtx, error)

type Engine Uses

type Engine struct {
    // contains filtered or unexported fields
}

func EngineById Uses

func EngineById(name string) (*Engine, error)

type HMAC Uses

type HMAC struct {
    // contains filtered or unexported fields
}

func NewHMAC Uses

func NewHMAC(key []byte, digestAlgorithm EVP_MD) (*HMAC, error)

func NewHMACWithEngine Uses

func NewHMACWithEngine(key []byte, digestAlgorithm EVP_MD, e *Engine) (*HMAC, error)

func (*HMAC) Close Uses

func (h *HMAC) Close()

func (*HMAC) Final Uses

func (h *HMAC) Final() (result []byte, err error)

func (*HMAC) Reset Uses

func (h *HMAC) Reset() error

func (*HMAC) Write Uses

func (h *HMAC) Write(data []byte) (n int, err error)

type Method Uses

type Method *C.EVP_MD
var (
    SHA1_Method   Method = C.X_EVP_sha1()
    SHA256_Method Method = C.X_EVP_sha256()
    SHA512_Method Method = C.X_EVP_sha512()
)

type Modes Uses

type Modes int
const (
    // ReleaseBuffers is only valid if you are using OpenSSL 1.0.1 or newer
    ReleaseBuffers Modes = C.SSL_MODE_RELEASE_BUFFERS
)

type NID Uses

type NID int
const (
    NID_rsadsi                             NID = 1
    NID_pkcs                               NID = 2
    NID_md2                                NID = 3
    NID_md5                                NID = 4
    NID_rc4                                NID = 5
    NID_rsaEncryption                      NID = 6
    NID_md2WithRSAEncryption               NID = 7
    NID_md5WithRSAEncryption               NID = 8
    NID_pbeWithMD2AndDES_CBC               NID = 9
    NID_pbeWithMD5AndDES_CBC               NID = 10
    NID_X500                               NID = 11
    NID_X509                               NID = 12
    NID_commonName                         NID = 13
    NID_countryName                        NID = 14
    NID_localityName                       NID = 15
    NID_stateOrProvinceName                NID = 16
    NID_organizationName                   NID = 17
    NID_organizationalUnitName             NID = 18
    NID_rsa                                NID = 19
    NID_pkcs7                              NID = 20
    NID_pkcs7_data                         NID = 21
    NID_pkcs7_signed                       NID = 22
    NID_pkcs7_enveloped                    NID = 23
    NID_pkcs7_signedAndEnveloped           NID = 24
    NID_pkcs7_digest                       NID = 25
    NID_pkcs7_encrypted                    NID = 26
    NID_pkcs3                              NID = 27
    NID_dhKeyAgreement                     NID = 28
    NID_des_ecb                            NID = 29
    NID_des_cfb64                          NID = 30
    NID_des_cbc                            NID = 31
    NID_des_ede                            NID = 32
    NID_des_ede3                           NID = 33
    NID_idea_cbc                           NID = 34
    NID_idea_cfb64                         NID = 35
    NID_idea_ecb                           NID = 36
    NID_rc2_cbc                            NID = 37
    NID_rc2_ecb                            NID = 38
    NID_rc2_cfb64                          NID = 39
    NID_rc2_ofb64                          NID = 40
    NID_sha                                NID = 41
    NID_shaWithRSAEncryption               NID = 42
    NID_des_ede_cbc                        NID = 43
    NID_des_ede3_cbc                       NID = 44
    NID_des_ofb64                          NID = 45
    NID_idea_ofb64                         NID = 46
    NID_pkcs9                              NID = 47
    NID_pkcs9_emailAddress                 NID = 48
    NID_pkcs9_unstructuredName             NID = 49
    NID_pkcs9_contentType                  NID = 50
    NID_pkcs9_messageDigest                NID = 51
    NID_pkcs9_signingTime                  NID = 52
    NID_pkcs9_countersignature             NID = 53
    NID_pkcs9_challengePassword            NID = 54
    NID_pkcs9_unstructuredAddress          NID = 55
    NID_pkcs9_extCertAttributes            NID = 56
    NID_netscape                           NID = 57
    NID_netscape_cert_extension            NID = 58
    NID_netscape_data_type                 NID = 59
    NID_des_ede_cfb64                      NID = 60
    NID_des_ede3_cfb64                     NID = 61
    NID_des_ede_ofb64                      NID = 62
    NID_des_ede3_ofb64                     NID = 63
    NID_sha1                               NID = 64
    NID_sha1WithRSAEncryption              NID = 65
    NID_dsaWithSHA                         NID = 66
    NID_dsa_2                              NID = 67
    NID_pbeWithSHA1AndRC2_CBC              NID = 68
    NID_id_pbkdf2                          NID = 69
    NID_dsaWithSHA1_2                      NID = 70
    NID_netscape_cert_type                 NID = 71
    NID_netscape_base_url                  NID = 72
    NID_netscape_revocation_url            NID = 73
    NID_netscape_ca_revocation_url         NID = 74
    NID_netscape_renewal_url               NID = 75
    NID_netscape_ca_policy_url             NID = 76
    NID_netscape_ssl_server_name           NID = 77
    NID_netscape_comment                   NID = 78
    NID_netscape_cert_sequence             NID = 79
    NID_desx_cbc                           NID = 80
    NID_id_ce                              NID = 81
    NID_subject_key_identifier             NID = 82
    NID_key_usage                          NID = 83
    NID_private_key_usage_period           NID = 84
    NID_subject_alt_name                   NID = 85
    NID_issuer_alt_name                    NID = 86
    NID_basic_constraints                  NID = 87
    NID_crl_number                         NID = 88
    NID_certificate_policies               NID = 89
    NID_authority_key_identifier           NID = 90
    NID_bf_cbc                             NID = 91
    NID_bf_ecb                             NID = 92
    NID_bf_cfb64                           NID = 93
    NID_bf_ofb64                           NID = 94
    NID_mdc2                               NID = 95
    NID_mdc2WithRSA                        NID = 96
    NID_rc4_40                             NID = 97
    NID_rc2_40_cbc                         NID = 98
    NID_givenName                          NID = 99
    NID_surname                            NID = 100
    NID_initials                           NID = 101
    NID_uniqueIdentifier                   NID = 102
    NID_crl_distribution_points            NID = 103
    NID_md5WithRSA                         NID = 104
    NID_serialNumber                       NID = 105
    NID_title                              NID = 106
    NID_description                        NID = 107
    NID_cast5_cbc                          NID = 108
    NID_cast5_ecb                          NID = 109
    NID_cast5_cfb64                        NID = 110
    NID_cast5_ofb64                        NID = 111
    NID_pbeWithMD5AndCast5_CBC             NID = 112
    NID_dsaWithSHA1                        NID = 113
    NID_md5_sha1                           NID = 114
    NID_sha1WithRSA                        NID = 115
    NID_dsa                                NID = 116
    NID_ripemd160                          NID = 117
    NID_ripemd160WithRSA                   NID = 119
    NID_rc5_cbc                            NID = 120
    NID_rc5_ecb                            NID = 121
    NID_rc5_cfb64                          NID = 122
    NID_rc5_ofb64                          NID = 123
    NID_rle_compression                    NID = 124
    NID_zlib_compression                   NID = 125
    NID_ext_key_usage                      NID = 126
    NID_id_pkix                            NID = 127
    NID_id_kp                              NID = 128
    NID_server_auth                        NID = 129
    NID_client_auth                        NID = 130
    NID_code_sign                          NID = 131
    NID_email_protect                      NID = 132
    NID_time_stamp                         NID = 133
    NID_ms_code_ind                        NID = 134
    NID_ms_code_com                        NID = 135
    NID_ms_ctl_sign                        NID = 136
    NID_ms_sgc                             NID = 137
    NID_ms_efs                             NID = 138
    NID_ns_sgc                             NID = 139
    NID_delta_crl                          NID = 140
    NID_crl_reason                         NID = 141
    NID_invalidity_date                    NID = 142
    NID_sxnet                              NID = 143
    NID_pbe_WithSHA1And128BitRC4           NID = 144
    NID_pbe_WithSHA1And40BitRC4            NID = 145
    NID_pbe_WithSHA1And3_Key_TripleDES_CBC NID = 146
    NID_pbe_WithSHA1And2_Key_TripleDES_CBC NID = 147
    NID_pbe_WithSHA1And128BitRC2_CBC       NID = 148
    NID_pbe_WithSHA1And40BitRC2_CBC        NID = 149
    NID_keyBag                             NID = 150
    NID_pkcs8ShroudedKeyBag                NID = 151
    NID_certBag                            NID = 152
    NID_crlBag                             NID = 153
    NID_secretBag                          NID = 154
    NID_safeContentsBag                    NID = 155
    NID_friendlyName                       NID = 156
    NID_localKeyID                         NID = 157
    NID_x509Certificate                    NID = 158
    NID_sdsiCertificate                    NID = 159
    NID_x509Crl                            NID = 160
    NID_pbes2                              NID = 161
    NID_pbmac1                             NID = 162
    NID_hmacWithSHA1                       NID = 163
    NID_id_qt_cps                          NID = 164
    NID_id_qt_unotice                      NID = 165
    NID_rc2_64_cbc                         NID = 166
    NID_SMIMECapabilities                  NID = 167
    NID_pbeWithMD2AndRC2_CBC               NID = 168
    NID_pbeWithMD5AndRC2_CBC               NID = 169
    NID_pbeWithSHA1AndDES_CBC              NID = 170
    NID_ms_ext_req                         NID = 171
    NID_ext_req                            NID = 172
    NID_name                               NID = 173
    NID_dnQualifier                        NID = 174
    NID_id_pe                              NID = 175
    NID_id_ad                              NID = 176
    NID_info_access                        NID = 177
    NID_ad_OCSP                            NID = 178
    NID_ad_ca_issuers                      NID = 179
    NID_OCSP_sign                          NID = 180
)

type Name Uses

type Name struct {
    // contains filtered or unexported fields
}

func NewName Uses

func NewName() (*Name, error)

Allocate and return a new Name object.

func (*Name) AddTextEntries Uses

func (n *Name) AddTextEntries(entries map[string]string) error

AddTextEntries allows adding multiple entries to a name in one call.

func (*Name) AddTextEntry Uses

func (n *Name) AddTextEntry(field, value string) error

AddTextEntry appends a text entry to an X509 NAME.

func (*Name) GetEntry Uses

func (n *Name) GetEntry(nid NID) (entry string, ok bool)

GetEntry returns a name entry based on NID. If no entry, then ("", false) is returned.

type Options Uses

type Options int
const (
    // NoCompression is only valid if you are using OpenSSL 1.0.1 or newer
    NoCompression                      Options = C.SSL_OP_NO_COMPRESSION
    NoSSLv2                            Options = C.SSL_OP_NO_SSLv2
    NoSSLv3                            Options = C.SSL_OP_NO_SSLv3
    NoTLSv1                            Options = C.SSL_OP_NO_TLSv1
    CipherServerPreference             Options = C.SSL_OP_CIPHER_SERVER_PREFERENCE
    NoSessionResumptionOrRenegotiation Options = C.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    NoTicket                           Options = C.SSL_OP_NO_TICKET
)

type PrivateKey Uses

type PrivateKey interface {
    PublicKey

    // Signs the data using PKCS1.15
    SignPKCS1v15(Method, []byte) ([]byte, error)

    // MarshalPKCS1PrivateKeyPEM converts the private key to PEM-encoded PKCS1
    // format
    MarshalPKCS1PrivateKeyPEM() (pem_block []byte, err error)

    // MarshalPKCS1PrivateKeyDER converts the private key to DER-encoded PKCS1
    // format
    MarshalPKCS1PrivateKeyDER() (der_block []byte, err error)
}

func GenerateRSAKey Uses

func GenerateRSAKey(bits int) (PrivateKey, error)

GenerateRSAKey generates a new RSA private key with an exponent of 3.

func GenerateRSAKeyWithExponent Uses

func GenerateRSAKeyWithExponent(bits int, exponent int) (PrivateKey, error)

GenerateRSAKeyWithExponent generates a new RSA private key.

func LoadPrivateKeyFromDER Uses

func LoadPrivateKeyFromDER(der_block []byte) (PrivateKey, error)

LoadPrivateKeyFromDER loads a private key from a DER-encoded block.

func LoadPrivateKeyFromPEM Uses

func LoadPrivateKeyFromPEM(pem_block []byte) (PrivateKey, error)

LoadPrivateKeyFromPEM loads a private key from a PEM-encoded block.

func LoadPrivateKeyFromPEMWidthPassword Uses

func LoadPrivateKeyFromPEMWidthPassword(pem_block []byte, password string) (
    PrivateKey, error)

LoadPrivateKeyFromPEMWidthPassword loads a private key from a PEM-encoded block. Backwards-compatible with typo

func LoadPrivateKeyFromPEMWithPassword Uses

func LoadPrivateKeyFromPEMWithPassword(pem_block []byte, password string) (
    PrivateKey, error)

LoadPrivateKeyFromPEMWithPassword loads a private key from a PEM-encoded block.

type PublicKey Uses

type PublicKey interface {
    // Verifies the data signature using PKCS1.15
    VerifyPKCS1v15(method Method, data, sig []byte) error

    // MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX
    // format
    MarshalPKIXPublicKeyPEM() (pem_block []byte, err error)

    // MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX
    // format
    MarshalPKIXPublicKeyDER() (der_block []byte, err error)
    // contains filtered or unexported methods
}

func LoadPublicKeyFromDER Uses

func LoadPublicKeyFromDER(der_block []byte) (PublicKey, error)

LoadPublicKeyFromDER loads a public key from a DER-encoded block.

func LoadPublicKeyFromPEM Uses

func LoadPublicKeyFromPEM(pem_block []byte) (PublicKey, error)

LoadPublicKeyFromPEM loads a public key from a PEM-encoded block.

type SHA1Hash Uses

type SHA1Hash struct {
    // contains filtered or unexported fields
}

func NewSHA1Hash Uses

func NewSHA1Hash() (*SHA1Hash, error)

func NewSHA1HashWithEngine Uses

func NewSHA1HashWithEngine(e *Engine) (*SHA1Hash, error)

func (*SHA1Hash) Close Uses

func (s *SHA1Hash) Close()

func (*SHA1Hash) Reset Uses

func (s *SHA1Hash) Reset() error

func (*SHA1Hash) Sum Uses

func (s *SHA1Hash) Sum() (result [20]byte, err error)

func (*SHA1Hash) Write Uses

func (s *SHA1Hash) Write(p []byte) (n int, err error)

type SHA256Hash Uses

type SHA256Hash struct {
    // contains filtered or unexported fields
}

func NewSHA256Hash Uses

func NewSHA256Hash() (*SHA256Hash, error)

func NewSHA256HashWithEngine Uses

func NewSHA256HashWithEngine(e *Engine) (*SHA256Hash, error)

func (*SHA256Hash) Close Uses

func (s *SHA256Hash) Close()

func (*SHA256Hash) Reset Uses

func (s *SHA256Hash) Reset() error

func (*SHA256Hash) Sum Uses

func (s *SHA256Hash) Sum() (result [32]byte, err error)

func (*SHA256Hash) Write Uses

func (s *SHA256Hash) Write(p []byte) (n int, err error)

type SSL Uses

type SSL struct {
    // contains filtered or unexported fields
}

func (*SSL) ClearOptions Uses

func (s *SSL) ClearOptions(options Options) Options

ClearOptions clear SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*SSL) GetOptions Uses

func (s *SSL) GetOptions() Options

GetOptions returns SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*SSL) GetServername Uses

func (s *SSL) GetServername() string

Wrapper around SSL_get_servername. Returns server name according to rfc6066 http://tools.ietf.org/html/rfc6066.

func (*SSL) GetVerifyCallback Uses

func (s *SSL) GetVerifyCallback() VerifyCallback

GetVerifyCallback returns callback function. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) GetVerifyDepth Uses

func (s *SSL) GetVerifyDepth() int

GetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) SetOptions Uses

func (s *SSL) SetOptions(options Options) Options

SetOptions sets SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

func (*SSL) SetSSLCtx Uses

func (s *SSL) SetSSLCtx(ctx *Ctx)

SetSSLCtx changes context to new one. Useful for Server Name Indication (SNI) rfc6066 http://tools.ietf.org/html/rfc6066. See http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni

func (*SSL) SetVerify Uses

func (s *SSL) SetVerify(options VerifyOptions, verify_cb VerifyCallback)

SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) SetVerifyCallback Uses

func (s *SSL) SetVerifyCallback(verify_cb VerifyCallback)

SetVerifyCallback controls peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) SetVerifyDepth Uses

func (s *SSL) SetVerifyDepth(depth int)

SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) SetVerifyMode Uses

func (s *SSL) SetVerifyMode(options VerifyOptions)

SetVerifyMode controls peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

func (*SSL) VerifyMode Uses

func (s *SSL) VerifyMode() VerifyOptions

VerifyMode returns peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

type SSLTLSExtErr Uses

type SSLTLSExtErr int
const (
    SSLTLSExtErrOK           SSLTLSExtErr = C.SSL_TLSEXT_ERR_OK
    SSLTLSExtErrAlertWarning SSLTLSExtErr = C.SSL_TLSEXT_ERR_ALERT_WARNING
    SSLTLSEXTErrAlertFatal   SSLTLSExtErr = C.SSL_TLSEXT_ERR_ALERT_FATAL
    SSLTLSEXTErrNoAck        SSLTLSExtErr = C.SSL_TLSEXT_ERR_NOACK
)

type SSLVersion Uses

type SSLVersion int
const (
    SSLv3   SSLVersion = 0x02 // Vulnerable to "POODLE" attack.
    TLSv1   SSLVersion = 0x03
    TLSv1_1 SSLVersion = 0x04
    TLSv1_2 SSLVersion = 0x05

    // Make sure to disable SSLv2 and SSLv3 if you use this. SSLv3 is vulnerable
    // to the "POODLE" attack, and SSLv2 is what, just don't even.
    AnyVersion SSLVersion = 0x06
)

type SessionCacheModes Uses

type SessionCacheModes int
const (
    SessionCacheOff    SessionCacheModes = C.SSL_SESS_CACHE_OFF
    SessionCacheClient SessionCacheModes = C.SSL_SESS_CACHE_CLIENT
    SessionCacheServer SessionCacheModes = C.SSL_SESS_CACHE_SERVER
    SessionCacheBoth   SessionCacheModes = C.SSL_SESS_CACHE_BOTH
    NoAutoClear        SessionCacheModes = C.SSL_SESS_CACHE_NO_AUTO_CLEAR
    NoInternalLookup   SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
    NoInternalStore    SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_STORE
    NoInternal         SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL
)

type TLSExtServernameCallback Uses

type TLSExtServernameCallback func(ssl *SSL) SSLTLSExtErr

type TicketCipherCtx Uses

type TicketCipherCtx struct {
    Cipher *Cipher
    Engine *Engine
}

TicketCipherCtx describes the cipher that will be used by the ticket store for encrypting the tickets. Engine may be nil if no engine is desired.

type TicketDigestCtx Uses

type TicketDigestCtx struct {
    Digest *Digest
    Engine *Engine
}

TicketDigestCtx describes the digest that will be used by the ticket store to authenticate the data. Engine may be nil if no engine is desired.

type TicketKey Uses

type TicketKey struct {
    Name      TicketName
    CipherKey []byte
    HMACKey   []byte
    IV        []byte
}

TicketKey is the key material for a ticket. If this is lost, forward secrecy is lost as it allows decrypting TLS sessions retroactively.

type TicketKeyManager Uses

type TicketKeyManager interface {
    // New should create a brand new TicketKey with a new name.
    New() *TicketKey

    // Current should return a key that is still valid.
    Current() *TicketKey

    // Lookup should return a key with the given name, or nil if no name
    // exists.
    Lookup(name TicketName) *TicketKey

    // Expired should return if the key with the given name is expired and
    // should not be used any more.
    Expired(name TicketName) bool

    // ShouldRenew should return if the key is still ok to use for the current
    // session, but we should send a new key for the client.
    ShouldRenew(name TicketName) bool
}

TicketKeyManager is a manager for TicketKeys. It allows one to control the lifetime of tickets, causing renewals and expirations for keys that are created. Calls to the manager are serialized.

type TicketName Uses

type TicketName [KeyNameSize]byte

TicketName is an identifier for the key material for a ticket.

type TicketStore Uses

type TicketStore struct {
    CipherCtx TicketCipherCtx
    DigestCtx TicketDigestCtx
    Keys      TicketKeyManager
}

TicketStore descibes the encryption and authentication methods the tickets will use along with a key manager for generating and keeping track of the secrets.

type VerifyCallback Uses

type VerifyCallback func(ok bool, store *CertificateStoreCtx) bool

type VerifyOptions Uses

type VerifyOptions int
const (
    VerifyNone             VerifyOptions = C.SSL_VERIFY_NONE
    VerifyPeer             VerifyOptions = C.SSL_VERIFY_PEER
    VerifyFailIfNoPeerCert VerifyOptions = C.SSL_VERIFY_FAIL_IF_NO_PEER_CERT
    VerifyClientOnce       VerifyOptions = C.SSL_VERIFY_CLIENT_ONCE
)

type VerifyResult Uses

type VerifyResult int
const (
    Ok                            VerifyResult = C.X509_V_OK
    UnableToGetIssuerCert         VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
    UnableToGetCrl                VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL
    UnableToDecryptCertSignature  VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
    UnableToDecryptCrlSignature   VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
    UnableToDecodeIssuerPublicKey VerifyResult = C.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
    CertSignatureFailure          VerifyResult = C.X509_V_ERR_CERT_SIGNATURE_FAILURE
    CrlSignatureFailure           VerifyResult = C.X509_V_ERR_CRL_SIGNATURE_FAILURE
    CertNotYetValid               VerifyResult = C.X509_V_ERR_CERT_NOT_YET_VALID
    CertHasExpired                VerifyResult = C.X509_V_ERR_CERT_HAS_EXPIRED
    CrlNotYetValid                VerifyResult = C.X509_V_ERR_CRL_NOT_YET_VALID
    CrlHasExpired                 VerifyResult = C.X509_V_ERR_CRL_HAS_EXPIRED
    ErrorInCertNotBeforeField     VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
    ErrorInCertNotAfterField      VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
    ErrorInCrlLastUpdateField     VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
    ErrorInCrlNextUpdateField     VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
    OutOfMem                      VerifyResult = C.X509_V_ERR_OUT_OF_MEM
    DepthZeroSelfSignedCert       VerifyResult = C.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    SelfSignedCertInChain         VerifyResult = C.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    UnableToGetIssuerCertLocally  VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    UnableToVerifyLeafSignature   VerifyResult = C.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    CertChainTooLong              VerifyResult = C.X509_V_ERR_CERT_CHAIN_TOO_LONG
    CertRevoked                   VerifyResult = C.X509_V_ERR_CERT_REVOKED
    InvalidCa                     VerifyResult = C.X509_V_ERR_INVALID_CA
    PathLengthExceeded            VerifyResult = C.X509_V_ERR_PATH_LENGTH_EXCEEDED
    InvalidPurpose                VerifyResult = C.X509_V_ERR_INVALID_PURPOSE
    CertUntrusted                 VerifyResult = C.X509_V_ERR_CERT_UNTRUSTED
    CertRejected                  VerifyResult = C.X509_V_ERR_CERT_REJECTED
    SubjectIssuerMismatch         VerifyResult = C.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
    AkidSkidMismatch              VerifyResult = C.X509_V_ERR_AKID_SKID_MISMATCH
    AkidIssuerSerialMismatch      VerifyResult = C.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    KeyusageNoCertsign            VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
    UnableToGetCrlIssuer          VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
    UnhandledCriticalExtension    VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
    KeyusageNoCrlSign             VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
    UnhandledCriticalCrlExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
    InvalidNonCa                  VerifyResult = C.X509_V_ERR_INVALID_NON_CA
    ProxyPathLengthExceeded       VerifyResult = C.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
    KeyusageNoDigitalSignature    VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
    ProxyCertificatesNotAllowed   VerifyResult = C.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
    InvalidExtension              VerifyResult = C.X509_V_ERR_INVALID_EXTENSION
    InvalidPolicyExtension        VerifyResult = C.X509_V_ERR_INVALID_POLICY_EXTENSION
    NoExplicitPolicy              VerifyResult = C.X509_V_ERR_NO_EXPLICIT_POLICY
    UnnestedResource              VerifyResult = C.X509_V_ERR_UNNESTED_RESOURCE
    ApplicationVerification       VerifyResult = C.X509_V_ERR_APPLICATION_VERIFICATION
)

Directories

PathSynopsis
utils

Package openssl imports 18 packages (graph) and is imported by 11 packages. Updated 2017-10-29. Refresh now. Tools for package owners.