Overview ¶
Package openssl is a light wrapper around OpenSSL for Go.
It strives to provide a near-drop-in replacement for the Go standard library tls package, while allowing for:
Performance ¶
OpenSSL is battle-tested and optimized C. While Go's built-in library shows great promise, it is still young and in some places, inefficient. This simple OpenSSL wrapper can often do at least 2x with the same cipher and protocol.
On my lappytop, I get the following benchmarking speeds:
BenchmarkSHA1Large_openssl 1000 2611282 ns/op 401.56 MB/s
BenchmarkSHA1Large_stdlib 500 3963983 ns/op 264.53 MB/s
BenchmarkSHA1Small_openssl 1000000 3476 ns/op 0.29 MB/s
BenchmarkSHA1Small_stdlib 5000000 550 ns/op 1.82 MB/s
BenchmarkSHA256Large_openssl 200 8085314 ns/op 129.69 MB/s
BenchmarkSHA256Large_stdlib 100 18948189 ns/op 55.34 MB/s
BenchmarkSHA256Small_openssl 1000000 4262 ns/op 0.23 MB/s
BenchmarkSHA256Small_stdlib 1000000 1444 ns/op 0.69 MB/s
BenchmarkOpenSSLThroughput 100000 21634 ns/op 47.33 MB/s
BenchmarkStdlibThroughput 50000 58974 ns/op 17.36 MB/s
Interoperability ¶
Many systems support OpenSSL with a variety of plugins and modules for things, such as hardware acceleration in embedded devices.
Greater flexibility and configuration ¶
OpenSSL allows for far greater configuration of corner cases and backwards compatibility (such as support of SSLv2). You shouldn't be using SSLv2 if you can help it, but sometimes you can't help it.
Security ¶
Yeah yeah, Heartbleed. But according to the author of the standard library's TLS implementation, Go's TLS library is vulnerable to timing attacks. And whether or not OpenSSL received the appropriate amount of scrutiny pre-Heartbleed, it sure is receiving it now.
Usage ¶
Starting an HTTP server that uses OpenSSL is very easy. It's as simple as:
log.Fatal(openssl.ListenAndServeTLS(
    ":8443", "my_server.crt", "my_server.key", myHandler))
Getting a net.Listener that uses OpenSSL is also easy:
ctx, err := openssl.NewCtxFromFiles("my_server.crt", "my_server.key")
if err != nil {
    log.Fatal(err)
}
l, err := openssl.Listen("tcp", ":7777", ctx)
Making a client connection is straightforward too:
ctx, err := openssl.NewCtx()
if err != nil {
    log.Fatal(err)
}
err = ctx.LoadVerifyLocations("/etc/ssl/certs/ca-certificates.crt", "")
if err != nil {
    log.Fatal(err)
}
conn, err := openssl.Dial("tcp", "localhost:7777", ctx, 0)
Help wanted: To get this library to work with net/http's client, we had to fork net/http. It would be nice if an alternate http client library supported the generality needed to use OpenSSL instead of crypto/tls.
Index ¶
- Constants
- Variables
- func DeriveSharedSecret(private PrivateKey, public PublicKey) ([]byte, error)
- func FIPSModeSet(mode bool) error
- func Listen(network, laddr string, ctx *Ctx) (net.Listener, error)
- func ListenAndServeTLS(addr string, cert_file string, key_file string, handler http.Handler) error
- func NewListener(inner net.Listener, ctx *Ctx) net.Listener
- func Nid2ShortName(nid NID) (string, error)
- func PBKDF2(pass []byte, salt []byte, iterations int, digest *Digest, dest []byte) error
- func RandomAdd(buffer []byte, entropy float64) error
- func RandomBytes(buffer []byte) error
- func RandomSeed(buffer []byte) error
- func SHA1(data []byte) (result [20]byte, err error)
- func SHA256(data []byte) (result [32]byte, err error)
- func ServerListenAndServeTLS(srv *http.Server, cert_file, key_file string) error
- func SplitPEM(data []byte) [][]byte
- type AuthenticatedDecryptionCipherCtx
- type AuthenticatedEncryptionCipherCtx
- type Certificate
- func (c *Certificate) AddExtension(nid NID, value string) error
- func (c *Certificate) AddExtensions(extensions map[NID]string) error
- func (c *Certificate) CheckEmail(email string, flags CheckFlags) error
- func (c *Certificate) CheckHost(host string, flags CheckFlags) error
- func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error
- func (c *Certificate) GetIssuerName() (*Name, error)
- func (c *Certificate) GetSerialNumberHex() (serial string)
- func (c *Certificate) GetSubjectName() (*Name, error)
- func (c *Certificate) MarshalPEM() (pem_block []byte, err error)
- func (c *Certificate) PublicKey() (PublicKey, error)
- func (c *Certificate) SetExpireDate(when time.Duration) error
- func (c *Certificate) SetIssueDate(when time.Duration) error
- func (c *Certificate) SetIssuer(issuer *Certificate) error
- func (c *Certificate) SetIssuerName(name *Name) error
- func (c *Certificate) SetPubKey(pubKey PublicKey) error
- func (c *Certificate) SetSerial(serial *big.Int) error
- func (c *Certificate) SetSubjectName(name *Name) error
- func (c *Certificate) Sign(privKey PrivateKey, digest EVP_MD) error
- func (c *Certificate) VerifyHostname(host string) error
- type CertificateInfo
- type CertificateStore
- type CertificateStoreCtx
- type CheckFlags
- type Cipher
- type CipherCtx
- type Conn
- func Client(conn net.Conn, ctx *Ctx) (*Conn, error)
- func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error)
- func DialSession(network, addr string, ctx *Ctx, flags DialFlags, session []byte) (*Conn, error)
- func DialSessionWithDialer(dialer *net.Dialer, network, addr string, ctx *Ctx, flags DialFlags, ...) (*Conn, error)
- func DialWithDialer(dialer *net.Dialer, network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error)
- func Server(conn net.Conn, ctx *Ctx) (*Conn, error)
- func (c *Conn) Close() error
- func (c *Conn) ConnectionState() (rv ConnectionState)
- func (c *Conn) CurrentCipher() (string, error)
- func (c *Conn) GetCtx() *Ctx
- func (c *Conn) GetSession() ([]byte, error)
- func (c *Conn) Handshake() error
- func (c *Conn) LocalAddr() net.Addr
- func (c *Conn) PeerCertificate() (*Certificate, error)
- func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)
- func (c *Conn) Read(b []byte) (n int, err error)
- func (c *Conn) RemoteAddr() net.Addr
- func (c *Conn) SessionReused() bool
- func (c *Conn) SetDeadline(t time.Time) error
- func (c *Conn) SetReadDeadline(t time.Time) error
- func (c *Conn) SetTlsExtHostName(name string) error
- func (c *Conn) SetWriteDeadline(t time.Time) error
- func (c *Conn) UnderlyingConn() net.Conn
- func (c *Conn) VerifyHostname(host string) error
- func (c *Conn) VerifyResult() VerifyResult
- func (c *Conn) Write(b []byte) (written int, err error)
- type ConnectionState
- type Ctx
- func (c *Ctx) AddChainCertificate(cert *Certificate) error
- func (c *Ctx) ClearOptions(options Options) Options
- func (c *Ctx) GetCertificateStore() *CertificateStore
- func (c *Ctx) GetMode() Modes
- func (c *Ctx) GetOptions() Options
- func (c *Ctx) GetTimeout() time.Duration
- func (c *Ctx) GetVerifyCallback() VerifyCallback
- func (c *Ctx) GetVerifyDepth() int
- func (c *Ctx) LoadVerifyLocations(ca_file string, ca_path string) error
- func (c *Ctx) SessGetCacheSize() int
- func (c *Ctx) SessSetCacheSize(t int) int
- func (c *Ctx) SetCipherList(list string) error
- func (c *Ctx) SetDHParameters(dh *DH) error
- func (c *Ctx) SetEllipticCurve(curve EllipticCurve) error
- func (c *Ctx) SetMode(modes Modes) Modes
- func (c *Ctx) SetOptions(options Options) Options
- func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes
- func (c *Ctx) SetSessionId(session_id []byte) error
- func (c *Ctx) SetTLSExtServernameCallback(sni_cb TLSExtServernameCallback)
- func (c *Ctx) SetTicketStore(store *TicketStore)
- func (c *Ctx) SetTimeout(t time.Duration) time.Duration
- func (c *Ctx) SetVerify(options VerifyOptions, verify_cb VerifyCallback)
- func (c *Ctx) SetVerifyCallback(verify_cb VerifyCallback)
- func (c *Ctx) SetVerifyDepth(depth int)
- func (c *Ctx) SetVerifyMode(options VerifyOptions)
- func (c *Ctx) UseCertificate(cert *Certificate) error
- func (c *Ctx) UsePrivateKey(key PrivateKey) error
- func (c *Ctx) VerifyMode() VerifyOptions
- type DH
- type DecryptionCipherCtx
- type DialFlags
- type Digest
- type EVP_MD
- type EllipticCurve
- type EncryptionCipherCtx
- type Engine
- type HMAC
- type Method
- type Modes
- type NID
- type Name
- type OAEPOptions
- type Options
- type PrivateKey
- func GenerateECKey(curve EllipticCurve) (PrivateKey, error)
- func GenerateRSAKey(bits int) (PrivateKey, error)
- func GenerateRSAKeyWithExponent(bits int, exponent int) (PrivateKey, error)
- func LoadPrivateKeyFromDER(der_block []byte) (PrivateKey, error)
- func LoadPrivateKeyFromPEM(pem_block []byte) (PrivateKey, error)
- func LoadPrivateKeyFromPEMWidthPassword(pem_block []byte, password string) (PrivateKey, error)
- func LoadPrivateKeyFromPEMWithPassword(pem_block []byte, password string) (PrivateKey, error)
- type PublicKey
- type SHA1Hash
- type SHA256Hash
- type SSL
- func (s *SSL) ClearOptions(options Options) Options
- func (s *SSL) GetOptions() Options
- func (s *SSL) GetServername() string
- func (s *SSL) GetVerifyCallback() VerifyCallback
- func (s *SSL) GetVerifyDepth() int
- func (s *SSL) SetOptions(options Options) Options
- func (s *SSL) SetSSLCtx(ctx *Ctx)
- func (s *SSL) SetVerify(options VerifyOptions, verify_cb VerifyCallback)
- func (s *SSL) SetVerifyCallback(verify_cb VerifyCallback)
- func (s *SSL) SetVerifyDepth(depth int)
- func (s *SSL) SetVerifyMode(options VerifyOptions)
- func (s *SSL) VerifyMode() VerifyOptions
- type SSLTLSExtErr
- type SSLVersion
- type SessionCacheModes
- type TLSExtServernameCallback
- type TicketCipherCtx
- type TicketDigestCtx
- type TicketKey
- type TicketKeyManager
- type TicketName
- type TicketStore
- type VerifyCallback
- type VerifyOptions
- type VerifyResult
Constants ¶
const (
    KeyTypeNone    = NID_undef
    KeyTypeRSA     = NID_rsaEncryption
    KeyTypeRSA2    = NID_rsa
    KeyTypeDSA     = NID_dsa
    KeyTypeDSA1    = NID_dsa_2
    KeyTypeDSA2    = NID_dsaWithSHA
    KeyTypeDSA3    = NID_dsaWithSHA1
    KeyTypeDSA4    = NID_dsaWithSHA1_2
    KeyTypeDH      = NID_dhKeyAgreement
    KeyTypeDHX     = NID_dhpublicnumber
    KeyTypeEC      = NID_X9_62_id_ecPublicKey
    KeyTypeHMAC    = NID_hmac
    KeyTypeCMAC    = NID_cmac
    KeyTypeTLS1PRF = NID_tls1_prf
    KeyTypeHKDF    = NID_hkdf
)
Constants for the various key types. Mapping of name -> NID taken from openssl/evp.h
const (
    // PSSSaltLengthAuto causes the salt in a PSS signature to be as large
    // as possible when signing, and to be auto-detected when verifying.
    PSSSaltLengthAuto int = -2
    // PSSSaltLengthEqualsHash causes the salt length to equal the length of
    // the hash used in the signature.
    PSSSaltLengthEqualsHash int = -1
)
const (
GCM_TAG_MAXLEN = 16
)
const (
KeyNameSize = 16
)
const (
SSLRecordSize = 16 * 1024
)
Variables ¶
var (
ValidationError = errors.New("Host validation error")
)
Functions ¶
func DeriveSharedSecret ¶
func DeriveSharedSecret(private PrivateKey, public PublicKey) ([]byte, error)
DeriveSharedSecret derives a shared secret using a private key and a peer's public key. The specific algorithm that is used depends on the types of the keys, but it is most commonly a variant of Diffie-Hellman.
func FIPSModeSet ¶
FIPSModeSet enables a FIPS 140-2 validated mode of operation. https://wiki.openssl.org/index.php/FIPS_mode_set()
func Listen ¶
Listen is a wrapper around net.Listen that wraps incoming connections with an OpenSSL server connection using the provided context ctx.
func ListenAndServeTLS ¶
ListenAndServeTLS will take an http.Handler and serve it using OpenSSL over the given tcp address, configured to use the provided cert and key files.
func NewListener ¶
NewListener wraps an existing net.Listener such that all accepted connections are wrapped as OpenSSL server connections using the provided context ctx.
func Nid2ShortName ¶
func PBKDF2 ¶
PBKDF2 derives a key from a password using a salt and iteration count as specified in RFC 2898.
The result of the key derivation is stored in `dest`, which must be a slice of the desired size.
func RandomAdd ¶
RandomAdd uses the given data to add entropy to OpenSSL's random number generator using `RAND_add()`. `entropy` should be the lower bound of the entropy (in bytes) of the data contained in `buffer`.
Depending on the RNG implementation, this function may not change the state of the generator. An example of this would be hardware RNGs like rdrand. No error will be returned in this case.
func RandomBytes ¶
RandomBytes fills the specified buffer with cryptographically strong random bytes using OpenSSL's `RAND_bytes()` function.
func RandomSeed ¶
RandomSeed uses the given data to reseed OpenSSL's random number generator using `RAND_seed()`. This is equivalent to calling RandomAdd with entropy == len(buffer).
Depending on the RNG implementation, this function may not change the state of the generator. An example of this would be hardware RNGs like rdrand. No error will be returned in this case.
func ServerListenAndServeTLS ¶
ServerListenAndServeTLS will take an http.Server and serve it using OpenSSL configured to use the provided cert and key files.
Types ¶
type AuthenticatedDecryptionCipherCtx ¶
type AuthenticatedDecryptionCipherCtx interface {
    DecryptionCipherCtx
    // pass in any extra data that was added during encryption with the
    // encryption context's ExtraData()
    ExtraData([]byte) error
    // use before finalizing decryption to tell the library what the
    // tag is expected to be
    SetTag([]byte) error
}
func NewGCMDecryptionCipherCtx ¶
func NewGCMDecryptionCipherCtx(blocksize int, e *Engine, key, iv []byte) ( AuthenticatedDecryptionCipherCtx, error)
type AuthenticatedEncryptionCipherCtx ¶
type AuthenticatedEncryptionCipherCtx interface {
    EncryptionCipherCtx
    // data passed in to ExtraData() is part of the final output; it is
    // not encrypted itself, but is part of the authenticated data. when
    // decrypting or authenticating, pass back with the decryption
    // context's ExtraData()
    ExtraData([]byte) error
    // use after finalizing encryption to get the authenticating tag
    GetTag() ([]byte, error)
}
func NewGCMEncryptionCipherCtx ¶
func NewGCMEncryptionCipherCtx(blocksize int, e *Engine, key, iv []byte) ( AuthenticatedEncryptionCipherCtx, error)
type Certificate ¶
type Certificate struct {
    Issuer *Certificate
    // contains filtered or unexported fields
}
func LoadCertificateFromPEM ¶
func LoadCertificateFromPEM(pem_block []byte) (*Certificate, error)
LoadCertificateFromPEM loads an X509 certificate from a PEM-encoded block.
func NewCertificate ¶
func NewCertificate(info *CertificateInfo, key PublicKey) (*Certificate, error)
NewCertificate generates a basic certificate based on the provided CertificateInfo struct
func (*Certificate) AddExtension ¶
func (c *Certificate) AddExtension(nid NID, value string) error
AddExtension adds an extension to a certificate. Extension constants are NID_* as found in openssl.
func (*Certificate) AddExtensions ¶
func (c *Certificate) AddExtensions(extensions map[NID]string) error
AddExtensions wraps AddExtension using a map of NID to text extension. It returns without finishing if it encounters an error.
func (*Certificate) CheckEmail ¶
func (c *Certificate) CheckEmail(email string, flags CheckFlags) error
CheckEmail checks that the X509 certificate is signed for the provided email address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.
func (*Certificate) CheckHost ¶
func (c *Certificate) CheckHost(host string, flags CheckFlags) error
CheckHost checks that the X509 certificate is signed for the provided host name. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Note that CheckHost does not check the IP field. See VerifyHostname. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.
func (*Certificate) CheckIP ¶
func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error
CheckIP checks that the X509 certificate is signed for the provided IP address. See http://www.openssl.org/docs/crypto/X509_check_host.html for more. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.
func (*Certificate) GetIssuerName ¶
func (c *Certificate) GetIssuerName() (*Name, error)
func (*Certificate) GetSerialNumberHex ¶
func (c *Certificate) GetSerialNumberHex() (serial string)
GetSerialNumberHex returns the certificate's serial number in hex format
func (*Certificate) GetSubjectName ¶
func (c *Certificate) GetSubjectName() (*Name, error)
func (*Certificate) MarshalPEM ¶
func (c *Certificate) MarshalPEM() (pem_block []byte, err error)
MarshalPEM converts the X509 certificate to PEM-encoded format
func (*Certificate) PublicKey ¶
func (c *Certificate) PublicKey() (PublicKey, error)
PublicKey returns the public key embedded in the X509 certificate.
func (*Certificate) SetExpireDate ¶
func (c *Certificate) SetExpireDate(when time.Duration) error
SetExpireDate sets the certificate expiration date relative to the current time.
func (*Certificate) SetIssueDate ¶
func (c *Certificate) SetIssueDate(when time.Duration) error
SetIssueDate sets the certificate issue date relative to the current time.
func (*Certificate) SetIssuer ¶
func (c *Certificate) SetIssuer(issuer *Certificate) error
SetIssuer updates the stored Issuer cert and the internal x509 Issuer Name of a certificate. The stored Issuer reference is used when adding extensions.
func (*Certificate) SetIssuerName ¶
func (c *Certificate) SetIssuerName(name *Name) error
SetIssuerName populates the issuer name of a certificate. Use SetIssuer instead, if possible.
func (*Certificate) SetPubKey ¶
func (c *Certificate) SetPubKey(pubKey PublicKey) error
SetPubKey assigns a new public key to a certificate.
func (*Certificate) SetSerial ¶
func (c *Certificate) SetSerial(serial *big.Int) error
SetSerial sets the serial of a certificate.
func (*Certificate) SetSubjectName ¶
func (c *Certificate) SetSubjectName(name *Name) error
func (*Certificate) Sign ¶
func (c *Certificate) Sign(privKey PrivateKey, digest EVP_MD) error
Sign a certificate using a private key and a digest name. Accepted digest names are 'sha256', 'sha384', and 'sha512'.
func (*Certificate) VerifyHostname ¶
func (c *Certificate) VerifyHostname(host string) error
VerifyHostname is a combination of CheckHost and CheckIP. If the provided hostname looks like an IP address, it will be checked as an IP address, otherwise it will be checked as a hostname. Specifically returns ValidationError if the Certificate didn't match but there was no internal error.
type CertificateInfo ¶
type CertificateStore ¶
type CertificateStore struct {
// contains filtered or unexported fields
}
func NewCertificateStore ¶
func NewCertificateStore() (*CertificateStore, error)
Allocate a new, empty CertificateStore
func (*CertificateStore) AddCertificate ¶
func (s *CertificateStore) AddCertificate(cert *Certificate) error
AddCertificate marks the provided Certificate as a trusted certificate in the given CertificateStore.
func (*CertificateStore) LoadCertificatesFromPEM ¶
func (s *CertificateStore) LoadCertificatesFromPEM(data []byte) error
Parse a chained PEM file, loading all certificates into the Store.
type CertificateStoreCtx ¶
type CertificateStoreCtx struct {
// contains filtered or unexported fields
}
func (*CertificateStoreCtx) Depth ¶
func (self *CertificateStoreCtx) Depth() int
func (*CertificateStoreCtx) Err ¶
func (self *CertificateStoreCtx) Err() error
func (*CertificateStoreCtx) GetCurrentCert ¶
func (self *CertificateStoreCtx) GetCurrentCert() *Certificate
The certificate returned is only valid for the lifetime of the underlying X509_STORE_CTX.
func (*CertificateStoreCtx) VerifyResult ¶
func (self *CertificateStoreCtx) VerifyResult() VerifyResult
type CheckFlags ¶
type CheckFlags int
const (
    AlwaysCheckSubject CheckFlags = C.X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
    NoWildcards        CheckFlags = C.X509_CHECK_FLAG_NO_WILDCARDS
)
type Cipher ¶
type Cipher struct {
// contains filtered or unexported fields
}
func GetCipherByName ¶
func GetCipherByNid ¶
type Conn ¶
type Conn struct {
    *SSL
    // contains filtered or unexported fields
}
func Client ¶
Client wraps an existing stream connection and puts it in the connect state for any subsequent handshakes.
IMPORTANT NOTE: if you use this method instead of Dial to construct an SSL connection, you are responsible for verifying the peer's hostname. Otherwise, you are vulnerable to MITM attacks.
Client also does not set up SNI for you like Dial does.
Client connections probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
func Dial ¶
Dial will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.
Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
func DialSession ¶
DialSession will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.
Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
If session is not nil it will be used to resume the TLS state. The session can be retrieved from the GetSession method on the Conn.
func DialSessionWithDialer ¶
func DialSessionWithDialer(dialer *net.Dialer, network, addr string, ctx *Ctx, flags DialFlags, session []byte) (*Conn, error)
DialSessionWithDialer will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.
The specified dialer will be used to open the underlying TCP connection.
Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
If session is not nil it will be used to resume the TLS state. The session can be retrieved from the GetSession method on the Conn.
func DialWithDialer ¶
func DialWithDialer(dialer *net.Dialer, network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error)
DialWithDialer will connect to network/address and then wrap the corresponding underlying connection with an OpenSSL client connection using context ctx. If flags includes InsecureSkipHostVerification, the server certificate's hostname will not be checked to match the hostname in addr. Otherwise, flags should be 0.
The specified dialer will be used to open the underlying TCP connection.
Dial probably won't work for you unless you set a verify location or add some certs to the certificate store of the client context you're using. This library is not nice enough to use the system certificate store by default for you yet.
func Server ¶
Server wraps an existing stream connection and puts it in the accept state for any subsequent handshakes.
func (*Conn) Close ¶
Close shuts down the SSL connection and closes the underlying wrapped connection.
func (*Conn) ConnectionState ¶
func (c *Conn) ConnectionState() (rv ConnectionState)
func (*Conn) CurrentCipher ¶
func (*Conn) GetSession ¶
func (*Conn) Handshake ¶
Handshake performs an SSL handshake. If a handshake is not manually triggered, it will run before the first I/O on the encrypted stream.
func (*Conn) PeerCertificate ¶
func (c *Conn) PeerCertificate() (*Certificate, error)
PeerCertificate returns the Certificate of the peer with which you're communicating. Only valid after a handshake.
func (*Conn) PeerCertificateChain ¶
func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error)
PeerCertificateChain returns the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server side, the peer's certificate must be obtained separately using PeerCertificate.
func (*Conn) Read ¶
Read reads up to len(b) bytes into b. It returns the number of bytes read and an error if applicable. io.EOF is returned when the caller can expect to see no more data.
func (*Conn) RemoteAddr ¶
RemoteAddr returns the underlying connection's remote address.
func (*Conn) SessionReused ¶
func (*Conn) SetDeadline ¶
SetDeadline calls SetDeadline on the underlying connection.
func (*Conn) SetReadDeadline ¶
SetReadDeadline calls SetReadDeadline on the underlying connection.
func (*Conn) SetTlsExtHostName ¶
func (*Conn) SetWriteDeadline ¶
SetWriteDeadline calls SetWriteDeadline on the underlying connection.
func (*Conn) UnderlyingConn ¶
func (*Conn) VerifyHostname ¶
VerifyHostname pulls the PeerCertificate and calls VerifyHostname on the certificate.
func (*Conn) VerifyResult ¶
func (c *Conn) VerifyResult() VerifyResult
type ConnectionState ¶
type ConnectionState struct {
    Certificate           *Certificate
    CertificateError      error
    CertificateChain      []*Certificate
    CertificateChainError error
    SessionReused         bool
}
type Ctx ¶
type Ctx struct {
// contains filtered or unexported fields
}
func NewCtxFromFiles ¶
NewCtxFromFiles calls NewCtx, loads the provided files, and configures the context to use them.
func NewCtxWithVersion ¶
func NewCtxWithVersion(version SSLVersion) (*Ctx, error)
NewCtxWithVersion creates an SSL context that is specific to the provided SSL version. See http://www.openssl.org/docs/ssl/SSL_CTX_new.html for more.
func (*Ctx) AddChainCertificate ¶
func (c *Ctx) AddChainCertificate(cert *Certificate) error
AddChainCertificate adds a certificate to the chain presented in the handshake.
func (*Ctx) ClearOptions ¶
func (*Ctx) GetCertificateStore ¶
func (c *Ctx) GetCertificateStore() *CertificateStore
GetCertificateStore returns the context's certificate store that will be used for peer validation.
func (*Ctx) GetMode ¶
GetMode returns context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
func (*Ctx) GetOptions ¶
GetOptions returns context options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*Ctx) GetTimeout ¶
Get session cache timeout. See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
func (*Ctx) GetVerifyCallback ¶
func (c *Ctx) GetVerifyCallback() VerifyCallback
func (*Ctx) GetVerifyDepth ¶
GetVerifyDepth returns how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*Ctx) LoadVerifyLocations ¶
LoadVerifyLocations tells the context to trust all certificate authorities provided in either the ca_file or the ca_path. See http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html for more.
func (*Ctx) SessGetCacheSize ¶
Get session cache size. https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
func (*Ctx) SessSetCacheSize ¶
Set session cache size. Returns previously set value. https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
func (*Ctx) SetCipherList ¶
SetCipherList sets the list of available ciphers. The format of the list is described at http://www.openssl.org/docs/apps/ciphers.html, but see http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html for more.
func (*Ctx) SetDHParameters ¶
SetDHParameters sets the DH group (DH parameters) used to negotiate an ephemeral DH key during handshaking.
func (*Ctx) SetEllipticCurve ¶
func (c *Ctx) SetEllipticCurve(curve EllipticCurve) error
SetEllipticCurve sets the elliptic curve used by the SSL context to enable an ECDH cipher suite to be selected during the handshake.
func (*Ctx) SetMode ¶
SetMode sets context modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
func (*Ctx) SetOptions ¶
SetOptions sets context options. See http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*Ctx) SetSessionCacheMode ¶
func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes
SetSessionCacheMode enables or disables session caching. See http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
func (*Ctx) SetSessionId ¶
func (*Ctx) SetTLSExtServernameCallback ¶
func (c *Ctx) SetTLSExtServernameCallback(sni_cb TLSExtServernameCallback)
SetTLSExtServernameCallback sets callback function for Server Name Indication (SNI) rfc6066 (http://tools.ietf.org/html/rfc6066). See http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni
func (*Ctx) SetTicketStore ¶
func (c *Ctx) SetTicketStore(store *TicketStore)
SetTicketStore sets the ticket store for the context so that clients can do ticket based session resumption. If the store is nil, the
func (*Ctx) SetTimeout ¶
Set session cache timeout. Returns previously set value. See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
func (*Ctx) SetVerify ¶
func (c *Ctx) SetVerify(options VerifyOptions, verify_cb VerifyCallback)
SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*Ctx) SetVerifyCallback ¶
func (c *Ctx) SetVerifyCallback(verify_cb VerifyCallback)
func (*Ctx) SetVerifyDepth ¶
SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*Ctx) SetVerifyMode ¶
func (c *Ctx) SetVerifyMode(options VerifyOptions)
func (*Ctx) UseCertificate ¶
func (c *Ctx) UseCertificate(cert *Certificate) error
UseCertificate configures the context to present the given certificate to peers.
func (*Ctx) UsePrivateKey ¶
func (c *Ctx) UsePrivateKey(key PrivateKey) error
UsePrivateKey configures the context to use the given private key for SSL handshakes.
func (*Ctx) VerifyMode ¶
func (c *Ctx) VerifyMode() VerifyOptions
type DH ¶
type DH struct {
// contains filtered or unexported fields
}
func LoadDHParametersFromPEM ¶
LoadDHParametersFromPEM loads the Diffie-Hellman parameters from a PEM-encoded block.
type DecryptionCipherCtx ¶
type DecryptionCipherCtx interface {
    CipherCtx
    // pass in ciphertext, get back plaintext. can be called
    // multiple times as needed
    DecryptUpdate(input []byte) ([]byte, error)
    // call after all ciphertext has been passed in; may return
    // additional plaintext if needed to finish off a block
    DecryptFinal() ([]byte, error)
}
func NewDecryptionCipherCtx ¶
func NewDecryptionCipherCtx(c *Cipher, e *Engine, key, iv []byte) ( DecryptionCipherCtx, error)
type Digest ¶
type Digest struct {
// contains filtered or unexported fields
}
Digest represents an OpenSSL message digest.
func GetDigestByName ¶
GetDigestByName returns the Digest with the name or nil and an error if the digest was not found.
func GetDigestByNid ¶
GetDigestByNid returns the Digest with the NID, or nil and an error if the digest was not found.
type EllipticCurve ¶
type EllipticCurve int
EllipticCurve represents the ASN.1 OID of an elliptic curve. See https://www.openssl.org/docs/apps/ecparam.html for a list of implemented curves.
const (
    // P-256: X9.62/SECG curve over a 256 bit prime field
    Prime256v1 EllipticCurve = C.NID_X9_62_prime256v1
    // P-384: NIST/SECG curve over a 384 bit prime field
    Secp384r1 EllipticCurve = C.NID_secp384r1
)
type EncryptionCipherCtx ¶
type EncryptionCipherCtx interface {
    CipherCtx
    // pass in plaintext, get back ciphertext. can be called
    // multiple times as needed
    EncryptUpdate(input []byte) ([]byte, error)
    // call after all plaintext has been passed in; may return
    // additional ciphertext if needed to finish off a block
    // or extra padding information
    EncryptFinal() ([]byte, error)
}
func NewEncryptionCipherCtx ¶
func NewEncryptionCipherCtx(c *Cipher, e *Engine, key, iv []byte) ( EncryptionCipherCtx, error)
type Method ¶
// Message digest methods accepted by PrivateKey.SignPKCS1v15 and
// PrivateKey.SignPSS. SHA1_Method is kept for interoperability with existing
// signatures; prefer SHA256_Method or SHA512_Method for new ones.
var (
	SHA1_Method   Method = C.X_EVP_sha1()
	SHA256_Method Method = C.X_EVP_sha256()
	SHA512_Method Method = C.X_EVP_sha512()
)
type Modes ¶
// Modes is a bit set of SSL_MODE_* flags applied to a context or connection.
type Modes int
const (
	// ReleaseBuffers is only valid if you are using OpenSSL 1.0.1 or newer.
	ReleaseBuffers Modes = C.SSL_MODE_RELEASE_BUFFERS
)
type NID ¶
// NID is an OpenSSL numeric object identifier. The NID_* constants below
// mirror OpenSSL's object table; the values are fixed by OpenSSL and must not
// be renumbered here.
type NID int
const ( NID_undef NID = 0 NID_rsadsi NID = 1 NID_pkcs NID = 2 NID_md2 NID = 3 NID_md5 NID = 4 NID_rc4 NID = 5 NID_rsaEncryption NID = 6 NID_md2WithRSAEncryption NID = 7 NID_md5WithRSAEncryption NID = 8 NID_pbeWithMD2AndDES_CBC NID = 9 NID_pbeWithMD5AndDES_CBC NID = 10 NID_X500 NID = 11 NID_X509 NID = 12 NID_commonName NID = 13 NID_countryName NID = 14 NID_localityName NID = 15 NID_stateOrProvinceName NID = 16 NID_organizationName NID = 17 NID_organizationalUnitName NID = 18 NID_rsa NID = 19 NID_pkcs7 NID = 20 NID_pkcs7_data NID = 21 NID_pkcs7_signed NID = 22 NID_pkcs7_enveloped NID = 23 NID_pkcs7_signedAndEnveloped NID = 24 NID_pkcs7_digest NID = 25 NID_pkcs7_encrypted NID = 26 NID_pkcs3 NID = 27 NID_dhKeyAgreement NID = 28 NID_des_ecb NID = 29 NID_des_cfb64 NID = 30 NID_des_cbc NID = 31 NID_des_ede_ecb NID = 32 NID_des_ede3_ecb NID = 33 NID_idea_cbc NID = 34 NID_idea_cfb64 NID = 35 NID_idea_ecb NID = 36 NID_rc2_cbc NID = 37 NID_rc2_ecb NID = 38 NID_rc2_cfb64 NID = 39 NID_rc2_ofb64 NID = 40 NID_sha NID = 41 NID_shaWithRSAEncryption NID = 42 NID_des_ede_cbc NID = 43 NID_des_ede3_cbc NID = 44 NID_des_ofb64 NID = 45 NID_idea_ofb64 NID = 46 NID_pkcs9 NID = 47 NID_pkcs9_emailAddress NID = 48 NID_pkcs9_unstructuredName NID = 49 NID_pkcs9_contentType NID = 50 NID_pkcs9_messageDigest NID = 51 NID_pkcs9_signingTime NID = 52 NID_pkcs9_countersignature NID = 53 NID_pkcs9_challengePassword NID = 54 NID_pkcs9_unstructuredAddress NID = 55 NID_pkcs9_extCertAttributes NID = 56 NID_netscape NID = 57 NID_netscape_cert_extension NID = 58 NID_netscape_data_type NID = 59 NID_des_ede_cfb64 NID = 60 NID_des_ede3_cfb64 NID = 61 NID_des_ede_ofb64 NID = 62 NID_des_ede3_ofb64 NID = 63 NID_sha1 NID = 64 NID_sha1WithRSAEncryption NID = 65 NID_dsaWithSHA NID = 66 NID_dsa_2 NID = 67 NID_pbeWithSHA1AndRC2_CBC NID = 68 NID_id_pbkdf2 NID = 69 NID_dsaWithSHA1_2 NID = 70 NID_netscape_cert_type NID = 71 NID_netscape_base_url NID = 72 NID_netscape_revocation_url NID = 73 NID_netscape_ca_revocation_url 
NID = 74 NID_netscape_renewal_url NID = 75 NID_netscape_ca_policy_url NID = 76 NID_netscape_ssl_server_name NID = 77 NID_netscape_comment NID = 78 NID_netscape_cert_sequence NID = 79 NID_desx_cbc NID = 80 NID_id_ce NID = 81 NID_subject_key_identifier NID = 82 NID_key_usage NID = 83 NID_private_key_usage_period NID = 84 NID_subject_alt_name NID = 85 NID_issuer_alt_name NID = 86 NID_basic_constraints NID = 87 NID_crl_number NID = 88 NID_certificate_policies NID = 89 NID_bf_cbc NID = 91 NID_bf_ecb NID = 92 NID_bf_cfb64 NID = 93 NID_bf_ofb64 NID = 94 NID_mdc2 NID = 95 NID_mdc2WithRSA NID = 96 NID_rc4_40 NID = 97 NID_rc2_40_cbc NID = 98 NID_givenName NID = 99 NID_surname NID = 100 NID_initials NID = 101 NID_uniqueIdentifier NID = 102 NID_crl_distribution_points NID = 103 NID_md5WithRSA NID = 104 NID_serialNumber NID = 105 NID_title NID = 106 NID_description NID = 107 NID_cast5_cbc NID = 108 NID_cast5_ecb NID = 109 NID_cast5_cfb64 NID = 110 NID_cast5_ofb64 NID = 111 NID_pbeWithMD5AndCast5_CBC NID = 112 NID_dsaWithSHA1 NID = 113 NID_md5_sha1 NID = 114 NID_sha1WithRSA NID = 115 NID_dsa NID = 116 NID_ripemd160 NID = 117 NID_ripemd160WithRSA NID = 119 NID_rc5_cbc NID = 120 NID_rc5_ecb NID = 121 NID_rc5_cfb64 NID = 122 NID_rc5_ofb64 NID = 123 NID_zlib_compression NID = 125 NID_ext_key_usage NID = 126 NID_id_pkix NID = 127 NID_id_kp NID = 128 NID_server_auth NID = 129 NID_client_auth NID = 130 NID_code_sign NID = 131 NID_email_protect NID = 132 NID_time_stamp NID = 133 NID_ms_code_ind NID = 134 NID_ms_code_com NID = 135 NID_ms_ctl_sign NID = 136 NID_ms_sgc NID = 137 NID_ms_efs NID = 138 NID_ns_sgc NID = 139 NID_delta_crl NID = 140 NID_crl_reason NID = 141 NID_invalidity_date NID = 142 NID_sxnet NID = 143 NID_pbe_WithSHA1And128BitRC4 NID = 144 NID_pbe_WithSHA1And40BitRC4 NID = 145 NID_pbe_WithSHA1And3_Key_TripleDES_CBC NID = 146 NID_pbe_WithSHA1And2_Key_TripleDES_CBC NID = 147 NID_pbe_WithSHA1And128BitRC2_CBC NID = 148 NID_pbe_WithSHA1And40BitRC2_CBC NID = 149 NID_keyBag NID = 
150 NID_pkcs8ShroudedKeyBag NID = 151 NID_certBag NID = 152 NID_crlBag NID = 153 NID_secretBag NID = 154 NID_safeContentsBag NID = 155 NID_friendlyName NID = 156 NID_localKeyID NID = 157 NID_x509Certificate NID = 158 NID_sdsiCertificate NID = 159 NID_x509Crl NID = 160 NID_pbes2 NID = 161 NID_pbmac1 NID = 162 NID_hmacWithSHA1 NID = 163 NID_id_qt_cps NID = 164 NID_id_qt_unotice NID = 165 NID_rc2_64_cbc NID = 166 NID_SMIMECapabilities NID = 167 NID_pbeWithMD2AndRC2_CBC NID = 168 NID_pbeWithMD5AndRC2_CBC NID = 169 NID_pbeWithSHA1AndDES_CBC NID = 170 NID_ms_ext_req NID = 171 NID_ext_req NID = 172 NID_name NID = 173 NID_dnQualifier NID = 174 NID_id_pe NID = 175 NID_id_ad NID = 176 NID_info_access NID = 177 NID_ad_OCSP NID = 178 NID_ad_ca_issuers NID = 179 NID_OCSP_sign NID = 180 NID_iso NID = 181 NID_member_body NID = 182 NID_ISO_US NID = 183 NID_X9_57 NID = 184 NID_X9cm NID = 185 NID_pkcs1 NID = 186 NID_pkcs5 NID = 187 NID_SMIME NID = 188 NID_id_smime_mod NID = 189 NID_id_smime_ct NID = 190 NID_id_smime_aa NID = 191 NID_id_smime_alg NID = 192 NID_id_smime_cd NID = 193 NID_id_smime_spq NID = 194 NID_id_smime_cti NID = 195 NID_id_smime_mod_cms NID = 196 NID_id_smime_mod_ess NID = 197 NID_id_smime_mod_oid NID = 198 NID_id_smime_mod_msg_v3 NID = 199 NID_id_smime_mod_ets_eSignature_88 NID = 200 NID_id_smime_mod_ets_eSignature_97 NID = 201 NID_id_smime_mod_ets_eSigPolicy_88 NID = 202 NID_id_smime_mod_ets_eSigPolicy_97 NID = 203 NID_id_smime_ct_receipt NID = 204 NID_id_smime_ct_authData NID = 205 NID_id_smime_ct_publishCert NID = 206 NID_id_smime_ct_TSTInfo NID = 207 NID_id_smime_ct_TDTInfo NID = 208 NID_id_smime_ct_contentInfo NID = 209 NID_id_smime_ct_DVCSRequestData NID = 210 NID_id_smime_ct_DVCSResponseData NID = 211 NID_id_smime_aa_receiptRequest NID = 212 NID_id_smime_aa_securityLabel NID = 213 NID_id_smime_aa_mlExpandHistory NID = 214 NID_id_smime_aa_contentHint NID = 215 NID_id_smime_aa_msgSigDigest NID = 216 NID_id_smime_aa_encapContentType NID = 217 
NID_id_smime_aa_contentIdentifier NID = 218 NID_id_smime_aa_macValue NID = 219 NID_id_smime_aa_equivalentLabels NID = 220 NID_id_smime_aa_contentReference NID = 221 NID_id_smime_aa_encrypKeyPref NID = 222 NID_id_smime_aa_signingCertificate NID = 223 NID_id_smime_aa_smimeEncryptCerts NID = 224 NID_id_smime_aa_timeStampToken NID = 225 NID_id_smime_aa_ets_sigPolicyId NID = 226 NID_id_smime_aa_ets_commitmentType NID = 227 NID_id_smime_aa_ets_signerLocation NID = 228 NID_id_smime_aa_ets_signerAttr NID = 229 NID_id_smime_aa_ets_otherSigCert NID = 230 NID_id_smime_aa_ets_contentTimestamp NID = 231 NID_id_smime_aa_ets_CertificateRefs NID = 232 NID_id_smime_aa_ets_RevocationRefs NID = 233 NID_id_smime_aa_ets_certValues NID = 234 NID_id_smime_aa_ets_revocationValues NID = 235 NID_id_smime_aa_ets_escTimeStamp NID = 236 NID_id_smime_aa_ets_certCRLTimestamp NID = 237 NID_id_smime_aa_ets_archiveTimeStamp NID = 238 NID_id_smime_aa_signatureType NID = 239 NID_id_smime_aa_dvcs_dvc NID = 240 NID_id_smime_alg_ESDHwith3DES NID = 241 NID_id_smime_alg_ESDHwithRC2 NID = 242 NID_id_smime_alg_3DESwrap NID = 243 NID_id_smime_alg_RC2wrap NID = 244 NID_id_smime_alg_ESDH NID = 245 NID_id_smime_alg_CMS3DESwrap NID = 246 NID_id_smime_alg_CMSRC2wrap NID = 247 NID_id_smime_cd_ldap NID = 248 NID_id_smime_spq_ets_sqt_uri NID = 249 NID_id_smime_spq_ets_sqt_unotice NID = 250 NID_id_smime_cti_ets_proofOfOrigin NID = 251 NID_id_smime_cti_ets_proofOfReceipt NID = 252 NID_id_smime_cti_ets_proofOfDelivery NID = 253 NID_id_smime_cti_ets_proofOfSender NID = 254 NID_id_smime_cti_ets_proofOfApproval NID = 255 NID_id_smime_cti_ets_proofOfCreation NID = 256 NID_md4 NID = 257 NID_id_pkix_mod NID = 258 NID_id_qt NID = 259 NID_id_it NID = 260 NID_id_pkip NID = 261 NID_id_alg NID = 262 NID_id_cmc NID = 263 NID_id_on NID = 264 NID_id_pda NID = 265 NID_id_aca NID = 266 NID_id_qcs NID = 267 NID_id_cct NID = 268 NID_id_pkix1_explicit_88 NID = 269 NID_id_pkix1_implicit_88 NID = 270 NID_id_pkix1_explicit_93 NID = 271 
NID_id_pkix1_implicit_93 NID = 272 NID_id_mod_crmf NID = 273 NID_id_mod_cmc NID = 274 NID_id_mod_kea_profile_88 NID = 275 NID_id_mod_kea_profile_93 NID = 276 NID_id_mod_cmp NID = 277 NID_id_mod_qualified_cert_88 NID = 278 NID_id_mod_qualified_cert_93 NID = 279 NID_id_mod_attribute_cert NID = 280 NID_id_mod_timestamp_protocol NID = 281 NID_id_mod_ocsp NID = 282 NID_id_mod_dvcs NID = 283 NID_id_mod_cmp2000 NID = 284 NID_biometricInfo NID = 285 NID_qcStatements NID = 286 NID_ac_auditEntity NID = 287 NID_ac_targeting NID = 288 NID_aaControls NID = 289 NID_sbgp_ipAddrBlock NID = 290 NID_sbgp_autonomousSysNum NID = 291 NID_sbgp_routerIdentifier NID = 292 NID_textNotice NID = 293 NID_ipsecEndSystem NID = 294 NID_ipsecTunnel NID = 295 NID_ipsecUser NID = 296 NID_dvcs NID = 297 NID_id_it_caProtEncCert NID = 298 NID_id_it_signKeyPairTypes NID = 299 NID_id_it_encKeyPairTypes NID = 300 NID_id_it_preferredSymmAlg NID = 301 NID_id_it_caKeyUpdateInfo NID = 302 NID_id_it_currentCRL NID = 303 NID_id_it_unsupportedOIDs NID = 304 NID_id_it_subscriptionRequest NID = 305 NID_id_it_subscriptionResponse NID = 306 NID_id_it_keyPairParamReq NID = 307 NID_id_it_keyPairParamRep NID = 308 NID_id_it_revPassphrase NID = 309 NID_id_it_implicitConfirm NID = 310 NID_id_it_confirmWaitTime NID = 311 NID_id_it_origPKIMessage NID = 312 NID_id_regCtrl NID = 313 NID_id_regInfo NID = 314 NID_id_regCtrl_regToken NID = 315 NID_id_regCtrl_authenticator NID = 316 NID_id_regCtrl_pkiPublicationInfo NID = 317 NID_id_regCtrl_pkiArchiveOptions NID = 318 NID_id_regCtrl_oldCertID NID = 319 NID_id_regCtrl_protocolEncrKey NID = 320 NID_id_regInfo_utf8Pairs NID = 321 NID_id_regInfo_certReq NID = 322 NID_id_alg_des40 NID = 323 NID_id_alg_noSignature NID = 324 NID_id_alg_dh_sig_hmac_sha1 NID = 325 NID_id_alg_dh_pop NID = 326 NID_id_cmc_statusInfo NID = 327 NID_id_cmc_identification NID = 328 NID_id_cmc_identityProof NID = 329 NID_id_cmc_dataReturn NID = 330 NID_id_cmc_transactionId NID = 331 NID_id_cmc_senderNonce NID = 
332 NID_id_cmc_recipientNonce NID = 333 NID_id_cmc_addExtensions NID = 334 NID_id_cmc_encryptedPOP NID = 335 NID_id_cmc_decryptedPOP NID = 336 NID_id_cmc_lraPOPWitness NID = 337 NID_id_cmc_getCert NID = 338 NID_id_cmc_getCRL NID = 339 NID_id_cmc_revokeRequest NID = 340 NID_id_cmc_regInfo NID = 341 NID_id_cmc_responseInfo NID = 342 NID_id_cmc_queryPending NID = 343 NID_id_cmc_popLinkRandom NID = 344 NID_id_cmc_popLinkWitness NID = 345 NID_id_cmc_confirmCertAcceptance NID = 346 NID_id_on_personalData NID = 347 NID_id_pda_dateOfBirth NID = 348 NID_id_pda_placeOfBirth NID = 349 NID_id_pda_gender NID = 351 NID_id_pda_countryOfCitizenship NID = 352 NID_id_pda_countryOfResidence NID = 353 NID_id_aca_authenticationInfo NID = 354 NID_id_aca_accessIdentity NID = 355 NID_id_aca_chargingIdentity NID = 356 NID_id_aca_group NID = 357 NID_id_aca_role NID = 358 NID_id_qcs_pkixQCSyntax_v1 NID = 359 NID_id_cct_crs NID = 360 NID_id_cct_PKIData NID = 361 NID_id_cct_PKIResponse NID = 362 NID_ad_timeStamping NID = 363 NID_ad_dvcs NID = 364 NID_id_pkix_OCSP_basic NID = 365 NID_id_pkix_OCSP_Nonce NID = 366 NID_id_pkix_OCSP_CrlID NID = 367 NID_id_pkix_OCSP_acceptableResponses NID = 368 NID_id_pkix_OCSP_noCheck NID = 369 NID_id_pkix_OCSP_archiveCutoff NID = 370 NID_id_pkix_OCSP_serviceLocator NID = 371 NID_id_pkix_OCSP_extendedStatus NID = 372 NID_id_pkix_OCSP_valid NID = 373 NID_id_pkix_OCSP_path NID = 374 NID_id_pkix_OCSP_trustRoot NID = 375 NID_algorithm NID = 376 NID_rsaSignature NID = 377 NID_X500algorithms NID = 378 NID_org NID = 379 NID_dod NID = 380 NID_iana NID = 381 NID_Directory NID = 382 NID_Management NID = 383 NID_Experimental NID = 384 NID_Private NID = 385 NID_Security NID = 386 NID_SNMPv2 NID = 387 NID_Mail NID = 388 NID_Enterprises NID = 389 NID_dcObject NID = 390 NID_domainComponent NID = 391 NID_Domain NID = 392 NID_joint_iso_ccitt NID = 393 NID_selected_attribute_types NID = 394 NID_clearance NID = 395 NID_md4WithRSAEncryption NID = 396 NID_ac_proxying NID = 397 
NID_sinfo_access NID = 398 NID_id_aca_encAttrs NID = 399 NID_role NID = 400 NID_policy_constraints NID = 401 NID_target_information NID = 402 NID_no_rev_avail NID = 403 NID_ccitt NID = 404 NID_ansi_X9_62 NID = 405 NID_X9_62_prime_field NID = 406 NID_X9_62_characteristic_two_field NID = 407 NID_X9_62_id_ecPublicKey NID = 408 NID_X9_62_prime192v1 NID = 409 NID_X9_62_prime192v2 NID = 410 NID_X9_62_prime192v3 NID = 411 NID_X9_62_prime239v1 NID = 412 NID_X9_62_prime239v2 NID = 413 NID_X9_62_prime239v3 NID = 414 NID_X9_62_prime256v1 NID = 415 NID_ecdsa_with_SHA1 NID = 416 NID_ms_csp_name NID = 417 NID_aes_128_ecb NID = 418 NID_aes_128_cbc NID = 419 NID_aes_128_ofb128 NID = 420 NID_aes_128_cfb128 NID = 421 NID_aes_192_ecb NID = 422 NID_aes_192_cbc NID = 423 NID_aes_192_ofb128 NID = 424 NID_aes_192_cfb128 NID = 425 NID_aes_256_ecb NID = 426 NID_aes_256_cbc NID = 427 NID_aes_256_ofb128 NID = 428 NID_aes_256_cfb128 NID = 429 NID_hold_instruction_code NID = 430 NID_hold_instruction_none NID = 431 NID_hold_instruction_call_issuer NID = 432 NID_hold_instruction_reject NID = 433 NID_data NID = 434 NID_pss NID = 435 NID_ucl NID = 436 NID_pilot NID = 437 NID_pilotAttributeType NID = 438 NID_pilotAttributeSyntax NID = 439 NID_pilotObjectClass NID = 440 NID_pilotGroups NID = 441 NID_iA5StringSyntax NID = 442 NID_caseIgnoreIA5StringSyntax NID = 443 NID_pilotObject NID = 444 NID_pilotPerson NID = 445 NID_account NID = 446 NID_document NID = 447 NID_room NID = 448 NID_documentSeries NID = 449 NID_rFC822localPart NID = 450 NID_dNSDomain NID = 451 NID_domainRelatedObject NID = 452 NID_friendlyCountry NID = 453 NID_simpleSecurityObject NID = 454 NID_pilotOrganization NID = 455 NID_pilotDSA NID = 456 NID_qualityLabelledData NID = 457 NID_userId NID = 458 NID_textEncodedORAddress NID = 459 NID_rfc822Mailbox NID = 460 NID_info NID = 461 NID_favouriteDrink NID = 462 NID_roomNumber NID = 463 NID_photo NID = 464 NID_userClass NID = 465 NID_host NID = 466 NID_manager NID = 467 
NID_documentIdentifier NID = 468 NID_documentTitle NID = 469 NID_documentVersion NID = 470 NID_documentAuthor NID = 471 NID_documentLocation NID = 472 NID_homeTelephoneNumber NID = 473 NID_secretary NID = 474 NID_otherMailbox NID = 475 NID_lastModifiedTime NID = 476 NID_lastModifiedBy NID = 477 NID_aRecord NID = 478 NID_pilotAttributeType27 NID = 479 NID_mXRecord NID = 480 NID_nSRecord NID = 481 NID_sOARecord NID = 482 NID_cNAMERecord NID = 483 NID_associatedDomain NID = 484 NID_associatedName NID = 485 NID_homePostalAddress NID = 486 NID_personalTitle NID = 487 NID_mobileTelephoneNumber NID = 488 NID_pagerTelephoneNumber NID = 489 NID_friendlyCountryName NID = 490 NID_organizationalStatus NID = 491 NID_janetMailbox NID = 492 NID_mailPreferenceOption NID = 493 NID_buildingName NID = 494 NID_dSAQuality NID = 495 NID_singleLevelQuality NID = 496 NID_subtreeMinimumQuality NID = 497 NID_subtreeMaximumQuality NID = 498 NID_personalSignature NID = 499 NID_dITRedirect NID = 500 NID_audio NID = 501 NID_documentPublisher NID = 502 NID_x500UniqueIdentifier NID = 503 NID_mime_mhs NID = 504 NID_mime_mhs_headings NID = 505 NID_mime_mhs_bodies NID = 506 NID_id_hex_partial_message NID = 507 NID_id_hex_multipart_message NID = 508 NID_generationQualifier NID = 509 NID_pseudonym NID = 510 NID_id_set NID = 512 NID_set_ctype NID = 513 NID_set_msgExt NID = 514 NID_set_attr NID = 515 NID_set_policy NID = 516 NID_set_certExt NID = 517 NID_set_brand NID = 518 NID_setct_PANData NID = 519 NID_setct_PANToken NID = 520 NID_setct_PANOnly NID = 521 NID_setct_OIData NID = 522 NID_setct_PI NID = 523 NID_setct_PIData NID = 524 NID_setct_PIDataUnsigned NID = 525 NID_setct_HODInput NID = 526 NID_setct_AuthResBaggage NID = 527 NID_setct_AuthRevReqBaggage NID = 528 NID_setct_AuthRevResBaggage NID = 529 NID_setct_CapTokenSeq NID = 530 NID_setct_PInitResData NID = 531 NID_setct_PI_TBS NID = 532 NID_setct_PResData NID = 533 NID_setct_AuthReqTBS NID = 534 NID_setct_AuthResTBS NID = 535 
NID_setct_AuthResTBSX NID = 536 NID_setct_AuthTokenTBS NID = 537 NID_setct_CapTokenData NID = 538 NID_setct_CapTokenTBS NID = 539 NID_setct_AcqCardCodeMsg NID = 540 NID_setct_AuthRevReqTBS NID = 541 NID_setct_AuthRevResData NID = 542 NID_setct_AuthRevResTBS NID = 543 NID_setct_CapReqTBS NID = 544 NID_setct_CapReqTBSX NID = 545 NID_setct_CapResData NID = 546 NID_setct_CapRevReqTBS NID = 547 NID_setct_CapRevReqTBSX NID = 548 NID_setct_CapRevResData NID = 549 NID_setct_CredReqTBS NID = 550 NID_setct_CredReqTBSX NID = 551 NID_setct_CredResData NID = 552 NID_setct_CredRevReqTBS NID = 553 NID_setct_CredRevReqTBSX NID = 554 NID_setct_CredRevResData NID = 555 NID_setct_PCertReqData NID = 556 NID_setct_PCertResTBS NID = 557 NID_setct_BatchAdminReqData NID = 558 NID_setct_BatchAdminResData NID = 559 NID_setct_CardCInitResTBS NID = 560 NID_setct_MeAqCInitResTBS NID = 561 NID_setct_RegFormResTBS NID = 562 NID_setct_CertReqData NID = 563 NID_setct_CertReqTBS NID = 564 NID_setct_CertResData NID = 565 NID_setct_CertInqReqTBS NID = 566 NID_setct_ErrorTBS NID = 567 NID_setct_PIDualSignedTBE NID = 568 NID_setct_PIUnsignedTBE NID = 569 NID_setct_AuthReqTBE NID = 570 NID_setct_AuthResTBE NID = 571 NID_setct_AuthResTBEX NID = 572 NID_setct_AuthTokenTBE NID = 573 NID_setct_CapTokenTBE NID = 574 NID_setct_CapTokenTBEX NID = 575 NID_setct_AcqCardCodeMsgTBE NID = 576 NID_setct_AuthRevReqTBE NID = 577 NID_setct_AuthRevResTBE NID = 578 NID_setct_AuthRevResTBEB NID = 579 NID_setct_CapReqTBE NID = 580 NID_setct_CapReqTBEX NID = 581 NID_setct_CapResTBE NID = 582 NID_setct_CapRevReqTBE NID = 583 NID_setct_CapRevReqTBEX NID = 584 NID_setct_CapRevResTBE NID = 585 NID_setct_CredReqTBE NID = 586 NID_setct_CredReqTBEX NID = 587 NID_setct_CredResTBE NID = 588 NID_setct_CredRevReqTBE NID = 589 NID_setct_CredRevReqTBEX NID = 590 NID_setct_CredRevResTBE NID = 591 NID_setct_BatchAdminReqTBE NID = 592 NID_setct_BatchAdminResTBE NID = 593 NID_setct_RegFormReqTBE NID = 594 NID_setct_CertReqTBE NID = 595 
NID_setct_CertReqTBEX NID = 596 NID_setct_CertResTBE NID = 597 NID_setct_CRLNotificationTBS NID = 598 NID_setct_CRLNotificationResTBS NID = 599 NID_setct_BCIDistributionTBS NID = 600 NID_setext_genCrypt NID = 601 NID_setext_miAuth NID = 602 NID_setext_pinSecure NID = 603 NID_setext_pinAny NID = 604 NID_setext_track2 NID = 605 NID_setext_cv NID = 606 NID_set_policy_root NID = 607 NID_setCext_hashedRoot NID = 608 NID_setCext_certType NID = 609 NID_setCext_merchData NID = 610 NID_setCext_cCertRequired NID = 611 NID_setCext_tunneling NID = 612 NID_setCext_setExt NID = 613 NID_setCext_setQualf NID = 614 NID_setCext_PGWYcapabilities NID = 615 NID_setCext_TokenIdentifier NID = 616 NID_setCext_Track2Data NID = 617 NID_setCext_TokenType NID = 618 NID_setCext_IssuerCapabilities NID = 619 NID_setAttr_Cert NID = 620 NID_setAttr_PGWYcap NID = 621 NID_setAttr_TokenType NID = 622 NID_setAttr_IssCap NID = 623 NID_set_rootKeyThumb NID = 624 NID_set_addPolicy NID = 625 NID_setAttr_Token_EMV NID = 626 NID_setAttr_Token_B0Prime NID = 627 NID_setAttr_IssCap_CVM NID = 628 NID_setAttr_IssCap_T2 NID = 629 NID_setAttr_IssCap_Sig NID = 630 NID_setAttr_GenCryptgrm NID = 631 NID_setAttr_T2Enc NID = 632 NID_setAttr_T2cleartxt NID = 633 NID_setAttr_TokICCsig NID = 634 NID_setAttr_SecDevSig NID = 635 NID_set_brand_IATA_ATA NID = 636 NID_set_brand_Diners NID = 637 NID_set_brand_AmericanExpress NID = 638 NID_set_brand_JCB NID = 639 NID_set_brand_Visa NID = 640 NID_set_brand_MasterCard NID = 641 NID_set_brand_Novus NID = 642 NID_des_cdmf NID = 643 NID_rsaOAEPEncryptionSET NID = 644 NID_itu_t NID = 645 NID_joint_iso_itu_t NID = 646 NID_international_organizations NID = 647 NID_ms_smartcard_login NID = 648 NID_ms_upn NID = 649 NID_aes_128_cfb1 NID = 650 NID_aes_192_cfb1 NID = 651 NID_aes_256_cfb1 NID = 652 NID_aes_128_cfb8 NID = 653 NID_aes_192_cfb8 NID = 654 NID_aes_256_cfb8 NID = 655 NID_des_cfb1 NID = 656 NID_des_cfb8 NID = 657 NID_des_ede3_cfb1 NID = 658 NID_des_ede3_cfb8 NID = 659 
NID_streetAddress NID = 660 NID_postalCode NID = 661 NID_id_ppl NID = 662 NID_proxyCertInfo NID = 663 NID_id_ppl_anyLanguage NID = 664 NID_id_ppl_inheritAll NID = 665 NID_name_constraints NID = 666 NID_Independent NID = 667 NID_sha256WithRSAEncryption NID = 668 NID_sha384WithRSAEncryption NID = 669 NID_sha512WithRSAEncryption NID = 670 NID_sha224WithRSAEncryption NID = 671 NID_sha256 NID = 672 NID_sha384 NID = 673 NID_sha512 NID = 674 NID_sha224 NID = 675 NID_identified_organization NID = 676 NID_certicom_arc NID = 677 NID_wap NID = 678 NID_wap_wsg NID = 679 NID_X9_62_id_characteristic_two_basis NID = 680 NID_X9_62_onBasis NID = 681 NID_X9_62_tpBasis NID = 682 NID_X9_62_ppBasis NID = 683 NID_X9_62_c2pnb163v1 NID = 684 NID_X9_62_c2pnb163v2 NID = 685 NID_X9_62_c2pnb163v3 NID = 686 NID_X9_62_c2pnb176v1 NID = 687 NID_X9_62_c2tnb191v1 NID = 688 NID_X9_62_c2tnb191v2 NID = 689 NID_X9_62_c2tnb191v3 NID = 690 NID_X9_62_c2onb191v4 NID = 691 NID_X9_62_c2onb191v5 NID = 692 NID_X9_62_c2pnb208w1 NID = 693 NID_X9_62_c2tnb239v1 NID = 694 NID_X9_62_c2tnb239v2 NID = 695 NID_X9_62_c2tnb239v3 NID = 696 NID_X9_62_c2onb239v4 NID = 697 NID_X9_62_c2onb239v5 NID = 698 NID_X9_62_c2pnb272w1 NID = 699 NID_X9_62_c2pnb304w1 NID = 700 NID_X9_62_c2tnb359v1 NID = 701 NID_X9_62_c2pnb368w1 NID = 702 NID_X9_62_c2tnb431r1 NID = 703 NID_secp112r1 NID = 704 NID_secp112r2 NID = 705 NID_secp128r1 NID = 706 NID_secp128r2 NID = 707 NID_secp160k1 NID = 708 NID_secp160r1 NID = 709 NID_secp160r2 NID = 710 NID_secp192k1 NID = 711 NID_secp224k1 NID = 712 NID_secp224r1 NID = 713 NID_secp256k1 NID = 714 NID_secp384r1 NID = 715 NID_secp521r1 NID = 716 NID_sect113r1 NID = 717 NID_sect113r2 NID = 718 NID_sect131r1 NID = 719 NID_sect131r2 NID = 720 NID_sect163k1 NID = 721 NID_sect163r1 NID = 722 NID_sect163r2 NID = 723 NID_sect193r1 NID = 724 NID_sect193r2 NID = 725 NID_sect233k1 NID = 726 NID_sect233r1 NID = 727 NID_sect239k1 NID = 728 NID_sect283k1 NID = 729 NID_sect283r1 NID = 730 NID_sect409k1 NID = 731 
NID_sect409r1 NID = 732 NID_sect571k1 NID = 733 NID_sect571r1 NID = 734 NID_wap_wsg_idm_ecid_wtls1 NID = 735 NID_wap_wsg_idm_ecid_wtls3 NID = 736 NID_wap_wsg_idm_ecid_wtls4 NID = 737 NID_wap_wsg_idm_ecid_wtls5 NID = 738 NID_wap_wsg_idm_ecid_wtls6 NID = 739 NID_wap_wsg_idm_ecid_wtls7 NID = 740 NID_wap_wsg_idm_ecid_wtls8 NID = 741 NID_wap_wsg_idm_ecid_wtls9 NID = 742 NID_wap_wsg_idm_ecid_wtls10 NID = 743 NID_wap_wsg_idm_ecid_wtls11 NID = 744 NID_wap_wsg_idm_ecid_wtls12 NID = 745 NID_any_policy NID = 746 NID_policy_mappings NID = 747 NID_inhibit_any_policy NID = 748 NID_ipsec3 NID = 749 NID_ipsec4 NID = 750 NID_camellia_128_cbc NID = 751 NID_camellia_192_cbc NID = 752 NID_camellia_256_cbc NID = 753 NID_camellia_128_ecb NID = 754 NID_camellia_192_ecb NID = 755 NID_camellia_256_ecb NID = 756 NID_camellia_128_cfb128 NID = 757 NID_camellia_192_cfb128 NID = 758 NID_camellia_256_cfb128 NID = 759 NID_camellia_128_cfb1 NID = 760 NID_camellia_192_cfb1 NID = 761 NID_camellia_256_cfb1 NID = 762 NID_camellia_128_cfb8 NID = 763 NID_camellia_192_cfb8 NID = 764 NID_camellia_256_cfb8 NID = 765 NID_camellia_128_ofb128 NID = 766 NID_camellia_192_ofb128 NID = 767 NID_camellia_256_ofb128 NID = 768 NID_subject_directory_attributes NID = 769 NID_issuing_distribution_point NID = 770 NID_certificate_issuer NID = 771 NID_kisa NID = 773 NID_seed_ecb NID = 776 NID_seed_cbc NID = 777 NID_seed_ofb128 NID = 778 NID_seed_cfb128 NID = 779 NID_hmac_md5 NID = 780 NID_hmac_sha1 NID = 781 NID_id_PasswordBasedMAC NID = 782 NID_id_DHBasedMac NID = 783 NID_id_it_suppLangTags NID = 784 NID_caRepository NID = 785 NID_id_smime_ct_compressedData NID = 786 NID_id_ct_asciiTextWithCRLF NID = 787 NID_id_aes128_wrap NID = 788 NID_id_aes192_wrap NID = 789 NID_id_aes256_wrap NID = 790 NID_ecdsa_with_Recommended NID = 791 NID_ecdsa_with_Specified NID = 792 NID_ecdsa_with_SHA224 NID = 793 NID_ecdsa_with_SHA256 NID = 794 NID_ecdsa_with_SHA384 NID = 795 NID_ecdsa_with_SHA512 NID = 796 NID_hmacWithMD5 NID = 797 
NID_hmacWithSHA224 NID = 798 NID_hmacWithSHA256 NID = 799 NID_hmacWithSHA384 NID = 800 NID_hmacWithSHA512 NID = 801 NID_dsa_with_SHA224 NID = 802 NID_dsa_with_SHA256 NID = 803 NID_whirlpool NID = 804 NID_cryptopro NID = 805 NID_cryptocom NID = 806 NID_id_GostR3411_94_with_GostR3410_2001 NID = 807 NID_id_GostR3411_94_with_GostR3410_94 NID = 808 NID_id_GostR3411_94 NID = 809 NID_id_HMACGostR3411_94 NID = 810 NID_id_GostR3410_2001 NID = 811 NID_id_GostR3410_94 NID = 812 NID_id_Gost28147_89 NID = 813 NID_gost89_cnt NID = 814 NID_id_Gost28147_89_MAC NID = 815 NID_id_GostR3411_94_prf NID = 816 NID_id_GostR3410_2001DH NID = 817 NID_id_GostR3410_94DH NID = 818 NID_id_Gost28147_89_CryptoPro_KeyMeshing NID = 819 NID_id_Gost28147_89_None_KeyMeshing NID = 820 NID_id_GostR3411_94_TestParamSet NID = 821 NID_id_GostR3411_94_CryptoProParamSet NID = 822 NID_id_Gost28147_89_TestParamSet NID = 823 NID_id_Gost28147_89_CryptoPro_A_ParamSet NID = 824 NID_id_Gost28147_89_CryptoPro_B_ParamSet NID = 825 NID_id_Gost28147_89_CryptoPro_C_ParamSet NID = 826 NID_id_Gost28147_89_CryptoPro_D_ParamSet NID = 827 NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet NID = 828 NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet NID = 829 NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet NID = 830 NID_id_GostR3410_94_TestParamSet NID = 831 NID_id_GostR3410_94_CryptoPro_A_ParamSet NID = 832 NID_id_GostR3410_94_CryptoPro_B_ParamSet NID = 833 NID_id_GostR3410_94_CryptoPro_C_ParamSet NID = 834 NID_id_GostR3410_94_CryptoPro_D_ParamSet NID = 835 NID_id_GostR3410_94_CryptoPro_XchA_ParamSet NID = 836 NID_id_GostR3410_94_CryptoPro_XchB_ParamSet NID = 837 NID_id_GostR3410_94_CryptoPro_XchC_ParamSet NID = 838 NID_id_GostR3410_2001_TestParamSet NID = 839 NID_id_GostR3410_2001_CryptoPro_A_ParamSet NID = 840 NID_id_GostR3410_2001_CryptoPro_B_ParamSet NID = 841 NID_id_GostR3410_2001_CryptoPro_C_ParamSet NID = 842 NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet NID = 843 NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet NID = 844 
NID_id_GostR3410_94_a NID = 845 NID_id_GostR3410_94_aBis NID = 846 NID_id_GostR3410_94_b NID = 847 NID_id_GostR3410_94_bBis NID = 848 NID_id_Gost28147_89_cc NID = 849 NID_id_GostR3410_94_cc NID = 850 NID_id_GostR3410_2001_cc NID = 851 NID_id_GostR3411_94_with_GostR3410_94_cc NID = 852 NID_id_GostR3411_94_with_GostR3410_2001_cc NID = 853 NID_id_GostR3410_2001_ParamSet_cc NID = 854 NID_hmac NID = 855 NID_LocalKeySet NID = 856 NID_freshest_crl NID = 857 NID_id_on_permanentIdentifier NID = 858 NID_searchGuide NID = 859 NID_businessCategory NID = 860 NID_postalAddress NID = 861 NID_postOfficeBox NID = 862 NID_physicalDeliveryOfficeName NID = 863 NID_telephoneNumber NID = 864 NID_telexNumber NID = 865 NID_teletexTerminalIdentifier NID = 866 NID_facsimileTelephoneNumber NID = 867 NID_x121Address NID = 868 NID_internationaliSDNNumber NID = 869 NID_registeredAddress NID = 870 NID_destinationIndicator NID = 871 NID_preferredDeliveryMethod NID = 872 NID_presentationAddress NID = 873 NID_supportedApplicationContext NID = 874 NID_member NID = 875 NID_owner NID = 876 NID_roleOccupant NID = 877 NID_seeAlso NID = 878 NID_userPassword NID = 879 NID_userCertificate NID = 880 NID_cACertificate NID = 881 NID_certificateRevocationList NID = 883 NID_crossCertificatePair NID = 884 NID_enhancedSearchGuide NID = 885 NID_protocolInformation NID = 886 NID_distinguishedName NID = 887 NID_uniqueMember NID = 888 NID_houseIdentifier NID = 889 NID_supportedAlgorithms NID = 890 NID_deltaRevocationList NID = 891 NID_dmdName NID = 892 NID_id_alg_PWRI_KEK NID = 893 NID_cmac NID = 894 NID_aes_128_gcm NID = 895 NID_aes_128_ccm NID = 896 NID_id_aes128_wrap_pad NID = 897 NID_aes_192_gcm NID = 898 NID_aes_192_ccm NID = 899 NID_id_aes192_wrap_pad NID = 900 NID_aes_256_gcm NID = 901 NID_aes_256_ccm NID = 902 NID_id_aes256_wrap_pad NID = 903 NID_aes_128_ctr NID = 904 NID_aes_192_ctr NID = 905 NID_aes_256_ctr NID = 906 NID_id_camellia128_wrap NID = 907 NID_id_camellia192_wrap NID = 908 NID_id_camellia256_wrap 
NID = 909 NID_anyExtendedKeyUsage NID = 910 NID_mgf1 NID = 911 NID_rsassaPss NID = 912 NID_aes_128_xts NID = 913 NID_aes_256_xts NID = 914 NID_rc4_hmac_md5 NID = 915 NID_aes_128_cbc_hmac_sha1 NID = 916 NID_aes_192_cbc_hmac_sha1 NID = 917 NID_aes_256_cbc_hmac_sha1 NID = 918 NID_rsaesOaep NID = 919 NID_dhpublicnumber NID = 920 NID_brainpoolP160r1 NID = 921 NID_brainpoolP160t1 NID = 922 NID_brainpoolP192r1 NID = 923 NID_brainpoolP192t1 NID = 924 NID_brainpoolP224r1 NID = 925 NID_brainpoolP224t1 NID = 926 NID_brainpoolP256r1 NID = 927 NID_brainpoolP256t1 NID = 928 NID_brainpoolP320r1 NID = 929 NID_brainpoolP320t1 NID = 930 NID_brainpoolP384r1 NID = 931 NID_brainpoolP384t1 NID = 932 NID_brainpoolP512r1 NID = 933 NID_brainpoolP512t1 NID = 934 NID_pSpecified NID = 935 NID_dhSinglePass_stdDH_sha1kdf_scheme NID = 936 NID_dhSinglePass_stdDH_sha224kdf_scheme NID = 937 NID_dhSinglePass_stdDH_sha256kdf_scheme NID = 938 NID_dhSinglePass_stdDH_sha384kdf_scheme NID = 939 NID_dhSinglePass_stdDH_sha512kdf_scheme NID = 940 NID_dhSinglePass_cofactorDH_sha1kdf_scheme NID = 941 NID_dhSinglePass_cofactorDH_sha224kdf_scheme NID = 942 NID_dhSinglePass_cofactorDH_sha256kdf_scheme NID = 943 NID_dhSinglePass_cofactorDH_sha384kdf_scheme NID = 944 NID_dhSinglePass_cofactorDH_sha512kdf_scheme NID = 945 NID_dh_std_kdf NID = 946 NID_dh_cofactor_kdf NID = 947 NID_aes_128_cbc_hmac_sha256 NID = 948 NID_aes_192_cbc_hmac_sha256 NID = 949 NID_aes_256_cbc_hmac_sha256 NID = 950 NID_ct_precert_scts NID = 951 NID_ct_precert_poison NID = 952 NID_ct_precert_signer NID = 953 NID_ct_cert_scts NID = 954 NID_jurisdictionLocalityName NID = 955 NID_jurisdictionStateOrProvinceName NID = 956 NID_jurisdictionCountryName NID = 957 NID_aes_128_ocb NID = 958 NID_aes_192_ocb NID = 959 NID_aes_256_ocb NID = 960 NID_camellia_128_gcm NID = 961 NID_camellia_128_ccm NID = 962 NID_camellia_128_ctr NID = 963 NID_camellia_128_cmac NID = 964 NID_camellia_192_gcm NID = 965 NID_camellia_192_ccm NID = 966 NID_camellia_192_ctr NID = 
967 NID_camellia_192_cmac NID = 968 NID_camellia_256_gcm NID = 969 NID_camellia_256_ccm NID = 970 NID_camellia_256_ctr NID = 971 NID_camellia_256_cmac NID = 972 NID_id_scrypt NID = 973 NID_id_tc26 NID = 974 NID_gost89_cnt_12 NID = 975 NID_gost_mac_12 NID = 976 NID_id_tc26_algorithms NID = 977 NID_id_tc26_sign NID = 978 NID_id_GostR3410_2012_256 NID = 979 NID_id_GostR3410_2012_512 NID = 980 NID_id_tc26_digest NID = 981 NID_id_GostR3411_2012_256 NID = 982 NID_id_GostR3411_2012_512 NID = 983 NID_id_tc26_signwithdigest NID = 984 NID_id_tc26_signwithdigest_gost3410_2012_256 NID = 985 NID_id_tc26_signwithdigest_gost3410_2012_512 NID = 986 NID_id_tc26_mac NID = 987 NID_id_tc26_hmac_gost_3411_2012_256 NID = 988 NID_id_tc26_hmac_gost_3411_2012_512 NID = 989 NID_id_tc26_cipher NID = 990 NID_id_tc26_agreement NID = 991 NID_id_tc26_agreement_gost_3410_2012_256 NID = 992 NID_id_tc26_agreement_gost_3410_2012_512 NID = 993 NID_id_tc26_constants NID = 994 NID_id_tc26_sign_constants NID = 995 NID_id_tc26_gost_3410_2012_512_constants NID = 996 NID_id_tc26_gost_3410_2012_512_paramSetTest NID = 997 NID_id_tc26_gost_3410_2012_512_paramSetA NID = 998 NID_id_tc26_gost_3410_2012_512_paramSetB NID = 999 NID_id_tc26_digest_constants NID = 1000 NID_id_tc26_cipher_constants NID = 1001 NID_id_tc26_gost_28147_constants NID = 1002 NID_id_tc26_gost_28147_param_Z NID = 1003 NID_INN NID = 1004 NID_OGRN NID = 1005 NID_SNILS NID = 1006 NID_subjectSignTool NID = 1007 NID_issuerSignTool NID = 1008 NID_gost89_cbc NID = 1009 NID_gost89_ecb NID = 1010 NID_gost89_ctr NID = 1011 NID_grasshopper_ecb NID = 1012 NID_grasshopper_ctr NID = 1013 NID_grasshopper_ofb NID = 1014 NID_grasshopper_cbc NID = 1015 NID_grasshopper_cfb NID = 1016 NID_grasshopper_mac NID = 1017 NID_chacha20_poly1305 NID = 1018 NID_chacha20 NID = 1019 NID_tlsfeature NID = 1020 NID_tls1_prf NID = 1021 NID_ipsec_IKE NID = 1022 NID_capwapAC NID = 1023 NID_capwapWTP NID = 1024 NID_sshClient NID = 1025 NID_sshServer NID = 1026 NID_sendRouter NID 
= 1027 NID_sendProxiedRouter NID = 1028 NID_sendOwner NID = 1029 NID_sendProxiedOwner NID = 1030 NID_id_pkinit NID = 1031 NID_pkInitClientAuth NID = 1032 NID_pkInitKDC NID = 1033 NID_X25519 NID = 1034 NID_X448 NID = 1035 NID_hkdf NID = 1036 NID_kx_rsa NID = 1037 NID_kx_ecdhe NID = 1038 NID_kx_dhe NID = 1039 NID_kx_ecdhe_psk NID = 1040 NID_kx_dhe_psk NID = 1041 NID_kx_rsa_psk NID = 1042 NID_kx_psk NID = 1043 NID_kx_srp NID = 1044 NID_kx_gost NID = 1045 NID_auth_rsa NID = 1046 NID_auth_ecdsa NID = 1047 NID_auth_psk NID = 1048 NID_auth_dss NID = 1049 NID_auth_gost01 NID = 1050 NID_auth_gost12 NID = 1051 NID_auth_srp NID = 1052 NID_auth_null NID = 1053 NID_blake2b512 NID = 1056 NID_blake2s256 NID = 1057 NID_id_smime_ct_contentCollection NID = 1058 NID_id_smime_ct_authEnvelopedData NID = 1059 NID_id_ct_xml NID = 1060 )
type Name ¶
// Name wraps an OpenSSL X509 NAME. Entries are appended with AddTextEntry
// (one entry) or AddTextEntries (several entries in one call).
type Name struct {
	// contains filtered or unexported fields
}
func (*Name) AddTextEntries ¶
AddTextEntries allows adding multiple entries to a name in one call.
func (*Name) AddTextEntry ¶
AddTextEntry appends a text entry to an X509 NAME.
type OAEPOptions ¶
OAEPOptions contains optional parameters that may be specified when performing RSA-OAEP encryption/decryption operations.
OAEPDigest and MGF1Digest may be used to specify the message digest algorithm to use for the padding and mask generation, respectively.
If OAEPDigest is nil, SHA1 will be used. If MGF1Digest is nil, the same digest as OAEPDigest will be used.
NOTE: In OpenSSL < v1.0.2, the digest used for both OAEP and MGF1 is hard-coded to SHA1. An error will be returned if either digest is set to anything other than SHA1 or nil.
Label can be used to set the OAEP label.
Note: In OpenSSL < v1.0.2, the OAEP label cannot be changed. Setting Label to a non-empty byte slice will cause the operation to return an error.
type Options ¶
// Options is a set of OpenSSL SSL_OP_* flags. Values can be combined and are
// applied with (*SSL).SetOptions / cleared with (*SSL).ClearOptions (see
// SSL_CTX_set_options).
type Options int

const (
	// NoCompression is only valid if you are using OpenSSL 1.0.1 or newer.
	// Disabling TLS-level compression also removes the CRIME-style leak.
	NoCompression Options = C.SSL_OP_NO_COMPRESSION
	// NoSSLv2 disables the SSLv2 protocol.
	NoSSLv2 Options = C.SSL_OP_NO_SSLv2
	// NoSSLv3 disables the SSLv3 protocol (vulnerable to POODLE).
	NoSSLv3 Options = C.SSL_OP_NO_SSLv3
	// NoTLSv1 disables TLS 1.0.
	// NOTE(review): no option here maps OpenSSL's SSL_OP_NO_TLSv1_1 /
	// SSL_OP_NO_TLSv1_2, so the minimum version cannot be raised above
	// TLS 1.1 through this type alone — confirm whether that is intended.
	NoTLSv1 Options = C.SSL_OP_NO_TLSv1
	// CipherServerPreference makes the server, not the client, choose the
	// cipher suite from the intersection of both lists.
	CipherServerPreference Options = C.SSL_OP_CIPHER_SERVER_PREFERENCE
	// NoSessionResumptionOrRenegotiation forces a full handshake when the
	// connection is renegotiated instead of resuming the session.
	NoSessionResumptionOrRenegotiation Options = C.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
	// NoTicket disables RFC 5077 stateless session tickets; see TicketStore
	// for the key material they are protected with when enabled.
	NoTicket Options = C.SSL_OP_NO_TICKET
)
type PrivateKey ¶
type PrivateKey interface { PublicKey // Signs the data using PKCS1.15 SignPKCS1v15(Method, []byte) ([]byte, error) // SignPSS signs a hashed message using the RSA-PSS digital signature // algorithm. The message must have already been hashed using the specified // digest, with the hash specified in hashed. SignPSS(method Method, hashed []byte, saltlen int) (sig []byte, err error) // MarshalPKCS1PrivateKeyPEM converts the private key to PEM-encoded PKCS1 // format MarshalPKCS1PrivateKeyPEM() (pem_block []byte, err error) // MarshalPKCS1PrivateKeyPEMWithPassword converts the private key to a PEM-encoded, // encrypted PKCS1 format using the given cipher and password. MarshalPKCS1PrivateKeyPEMWithPassword(cipher *Cipher, password string) (pem_block []byte, err error) // MarshalPKCS1PrivateKeyDER converts the private key to DER-encoded PKCS1 // format MarshalPKCS1PrivateKeyDER() (der_block []byte, err error) // DecryptOAEP decrypts data that has been encrypted using RSA-OAEP. // This method will return an error for non-RSA keys. // // oaepDigest and mgf1Digest may be used to specify the message digest // algorithm to use for the padding and mask generation, respectively. // // If oaepDigest is nil, SHA1 will be used by default. // If mgf1Digest is nil, the same digest as oaepDigest will be used. // // NOTE: In OpenSSL < v1.0.2, the digest used for both OAEP and MGF1 is // hard-coded to SHA1. // An error will be returned if either digest is set to anything other // than SHA1 or nil. DecryptOAEP(encrypted []byte, opts *OAEPOptions) (plaintext []byte, err error) }
func GenerateECKey ¶
func GenerateECKey(curve EllipticCurve) (PrivateKey, error)
GenerateECKey generates a new elliptic curve private key on the specified curve.
func GenerateRSAKey ¶
func GenerateRSAKey(bits int) (PrivateKey, error)
GenerateRSAKey generates a new RSA private key with a public exponent of 3; use GenerateRSAKeyWithExponent to choose a different exponent.
func GenerateRSAKeyWithExponent ¶
func GenerateRSAKeyWithExponent(bits int, exponent int) (PrivateKey, error)
GenerateRSAKeyWithExponent generates a new RSA private key.
func LoadPrivateKeyFromDER ¶
func LoadPrivateKeyFromDER(der_block []byte) (PrivateKey, error)
LoadPrivateKeyFromDER loads a private key from a DER-encoded block.
func LoadPrivateKeyFromPEM ¶
func LoadPrivateKeyFromPEM(pem_block []byte) (PrivateKey, error)
LoadPrivateKeyFromPEM loads a private key from a PEM-encoded block.
func LoadPrivateKeyFromPEMWidthPassword ¶
func LoadPrivateKeyFromPEMWidthPassword(pem_block []byte, password string) ( PrivateKey, error)
LoadPrivateKeyFromPEMWidthPassword loads a private key from a PEM-encoded block. It is kept only for backwards compatibility with the misspelled name; new code should call LoadPrivateKeyFromPEMWithPassword.
func LoadPrivateKeyFromPEMWithPassword ¶
func LoadPrivateKeyFromPEMWithPassword(pem_block []byte, password string) ( PrivateKey, error)
LoadPrivateKeyFromPEMWithPassword loads a private key from a PEM-encoded block.
type PublicKey ¶
type PublicKey interface { // Verifies the data signature using PKCS1.15 VerifyPKCS1v15(method Method, data, sig []byte) error // VerifyPSS verifies that sig is a valid RSA-PSS signature. // The data must have been already hashed using digest, with the hash // specified in hashed. VerifyPSS(method Method, hashed, sig []byte, saltlen int) error // MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX // format MarshalPKIXPublicKeyPEM() (pem_block []byte, err error) // MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX // format MarshalPKIXPublicKeyDER() (der_block []byte, err error) // EncryptOAEP encrypts the given plaintext with the key using RSA-OAEP. // This method will return an error for non-RSA keys. EncryptOAEP(plaintext []byte, opts *OAEPOptions) (encrypted []byte, err error) // KeyType returns an identifier for what kind of key is represented by this // object. KeyType() NID // BaseType returns an identifier for what kind of key is represented // by this object. // Keys that share same algorithm but use different legacy formats // will have the same BaseType. // // For example, a key with a `KeyType() == KeyTypeRSA` and a key with a // `KeyType() == KeyTypeRSA2` would both have `BaseType() == KeyTypeRSA`. BaseType() NID // Free immediately frees the key, removing it from memory. // Any attempt to use the key after calling Free will fail. // // Note: keys are automatically freed when they are garbage collected, // so it is not necessary to manually call this method in most cases. // Only use this method if you have a need to immediately remove a key // from memory. Free() // contains filtered or unexported methods }
func LoadPublicKeyFromDER ¶
LoadPublicKeyFromDER loads a public key from a DER-encoded block.
func LoadPublicKeyFromPEM ¶
LoadPublicKeyFromPEM loads a public key from a PEM-encoded block.
type SHA1Hash ¶
// SHA1Hash is an OpenSSL-backed SHA-1 digest state, created with NewSHA1Hash
// or NewSHA1HashWithEngine. SHA-1 is no longer collision resistant; prefer
// SHA256Hash wherever the protocol allows a choice of digest.
type SHA1Hash struct {
	// contains filtered or unexported fields
}
func NewSHA1Hash ¶
func NewSHA1HashWithEngine ¶
type SHA256Hash ¶
// SHA256Hash is an OpenSSL-backed SHA-256 digest state, created with
// NewSHA256Hash or NewSHA256HashWithEngine. Sum yields the 32-byte digest,
// Reset reinitialises the state, and Close releases the underlying OpenSSL
// context.
type SHA256Hash struct {
	// contains filtered or unexported fields
}
func NewSHA256Hash ¶
func NewSHA256Hash() (*SHA256Hash, error)
func NewSHA256HashWithEngine ¶
func NewSHA256HashWithEngine(e *Engine) (*SHA256Hash, error)
func (*SHA256Hash) Close ¶
func (s *SHA256Hash) Close()
func (*SHA256Hash) Reset ¶
func (s *SHA256Hash) Reset() error
func (*SHA256Hash) Sum ¶
func (s *SHA256Hash) Sum() (result [32]byte, err error)
type SSL ¶
// SSL wraps a single OpenSSL SSL connection object. Its methods adjust
// protocol options (SetOptions/ClearOptions), peer verification
// (SetVerify, SetVerifyMode, SetVerifyCallback, SetVerifyDepth) and the
// context used for SNI (SetSSLCtx, GetServername) on that one connection.
type SSL struct {
	// contains filtered or unexported fields
}
func (*SSL) ClearOptions ¶
ClearOptions clears the given SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*SSL) GetOptions ¶
GetOptions returns SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*SSL) GetServername ¶
GetServername wraps SSL_get_servername and returns the server name (SNI) as defined in RFC 6066, http://tools.ietf.org/html/rfc6066.
func (*SSL) GetVerifyCallback ¶
func (s *SSL) GetVerifyCallback() VerifyCallback
GetVerifyCallback returns callback function. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) GetVerifyDepth ¶
GetVerifyDepth returns how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) SetOptions ¶
SetOptions sets SSL options. See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (*SSL) SetSSLCtx ¶
SetSSLCtx changes context to new one. Useful for Server Name Indication (SNI) rfc6066 http://tools.ietf.org/html/rfc6066. See http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni
func (*SSL) SetVerify ¶
func (s *SSL) SetVerify(options VerifyOptions, verify_cb VerifyCallback)
SetVerify controls peer verification settings. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) SetVerifyCallback ¶
func (s *SSL) SetVerifyCallback(verify_cb VerifyCallback)
SetVerifyCallback controls peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) SetVerifyDepth ¶
SetVerifyDepth controls how many certificates deep the certificate verification logic is willing to follow a certificate chain. See https://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) SetVerifyMode ¶
func (s *SSL) SetVerifyMode(options VerifyOptions)
SetVerifyMode controls peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (*SSL) VerifyMode ¶
func (s *SSL) VerifyMode() VerifyOptions
VerifyMode returns peer verification setting. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
type SSLTLSExtErr ¶
// SSLTLSExtErr is the result a TLSExtServernameCallback returns to OpenSSL,
// mirroring the SSL_TLSEXT_ERR_* codes.
type SSLTLSExtErr int

const (
	// SSLTLSExtErrOK accepts the extension; the handshake continues.
	SSLTLSExtErrOK SSLTLSExtErr = C.SSL_TLSEXT_ERR_OK
	// SSLTLSExtErrAlertWarning continues the handshake but sends a warning
	// alert to the peer.
	SSLTLSExtErrAlertWarning SSLTLSExtErr = C.SSL_TLSEXT_ERR_ALERT_WARNING
	// SSLTLSEXTErrAlertFatal aborts the handshake with a fatal alert.
	// NOTE(review): the "EXT" casing differs from the two names above; the
	// identifiers are exported, so renaming would break callers.
	SSLTLSEXTErrAlertFatal SSLTLSExtErr = C.SSL_TLSEXT_ERR_ALERT_FATAL
	// SSLTLSEXTErrNoAck continues the handshake without acknowledging the
	// extension to the peer.
	SSLTLSEXTErrNoAck SSLTLSExtErr = C.SSL_TLSEXT_ERR_NOACK
)
type SSLVersion ¶
// SSLVersion selects the protocol version (or version range) a context is
// created for. The values are this package's own identifiers, not OpenSSL
// constants.
type SSLVersion int

const (
	// SSLv3 is vulnerable to the "POODLE" attack and should not be used.
	SSLv3 SSLVersion = 0x02
	// TLSv1 (TLS 1.0) and TLSv1_1 are deprecated by RFC 8996; prefer
	// TLSv1_2 or AnyVersion with the older protocols disabled.
	TLSv1   SSLVersion = 0x03
	TLSv1_1 SSLVersion = 0x04
	TLSv1_2 SSLVersion = 0x05
	// AnyVersion lets OpenSSL negotiate any protocol it supports.
	// Make sure to disable SSLv2 and SSLv3 if you use this (see the NoSSLv2
	// and NoSSLv3 Options). SSLv3 is vulnerable to the "POODLE" attack, and
	// SSLv2 is what, just don't even.
	AnyVersion SSLVersion = 0x06
)
type SessionCacheModes ¶
// SessionCacheModes mirrors OpenSSL's SSL_SESS_CACHE_* flags, which control
// whether and where sessions are cached for resumption
// (see SSL_CTX_set_session_cache_mode). Values may be OR-ed together.
type SessionCacheModes int

const (
	// SessionCacheOff disables session caching entirely.
	SessionCacheOff SessionCacheModes = C.SSL_SESS_CACHE_OFF
	// SessionCacheClient caches sessions on the client side.
	SessionCacheClient SessionCacheModes = C.SSL_SESS_CACHE_CLIENT
	// SessionCacheServer caches sessions on the server side.
	SessionCacheServer SessionCacheModes = C.SSL_SESS_CACHE_SERVER
	// SessionCacheBoth caches on both the client and the server side.
	SessionCacheBoth SessionCacheModes = C.SSL_SESS_CACHE_BOTH
	// NoAutoClear stops OpenSSL from automatically flushing expired sessions
	// from the internal cache; the application must flush them itself.
	NoAutoClear SessionCacheModes = C.SSL_SESS_CACHE_NO_AUTO_CLEAR
	// NoInternalLookup skips the internal cache when looking up a session
	// (an external lookup callback is expected to do it).
	NoInternalLookup SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
	// NoInternalStore does not add new sessions to the internal cache.
	NoInternalStore SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL_STORE
	// NoInternal combines NoInternalLookup and NoInternalStore.
	NoInternal SessionCacheModes = C.SSL_SESS_CACHE_NO_INTERNAL
)
type TLSExtServernameCallback ¶
type TLSExtServernameCallback func(ssl *SSL) SSLTLSExtErr
type TicketCipherCtx ¶
TicketCipherCtx describes the cipher that will be used by the ticket store for encrypting the tickets. Engine may be nil if no engine is desired.
type TicketDigestCtx ¶
TicketDigestCtx describes the digest that will be used by the ticket store to authenticate the data. Engine may be nil if no engine is desired.
type TicketKey ¶
type TicketKey struct { Name TicketName CipherKey []byte HMACKey []byte IV []byte }
TicketKey is the key material for a ticket. If this material is compromised, forward secrecy is lost, as it allows decrypting recorded TLS sessions retroactively.
type TicketKeyManager ¶
type TicketKeyManager interface { // New should create a brand new TicketKey with a new name. New() *TicketKey // Current should return a key that is still valid. Current() *TicketKey // Lookup should return a key with the given name, or nil if no name // exists. Lookup(name TicketName) *TicketKey // Expired should return if the key with the given name is expired and // should not be used any more. Expired(name TicketName) bool // ShouldRenew should return if the key is still ok to use for the current // session, but we should send a new key for the client. ShouldRenew(name TicketName) bool }
TicketKeyManager is a manager for TicketKeys. It allows one to control the lifetime of tickets, causing renewals and expirations for keys that are created. Calls to the manager are serialized.
type TicketName ¶
type TicketName [KeyNameSize]byte
TicketName is an identifier for the key material for a ticket.
type TicketStore ¶
type TicketStore struct { CipherCtx TicketCipherCtx DigestCtx TicketDigestCtx Keys TicketKeyManager }
TicketStore describes the encryption and authentication methods the tickets will use along with a key manager for generating and keeping track of the secrets.
type VerifyCallback ¶
type VerifyCallback func(ok bool, store *CertificateStoreCtx) bool
type VerifyOptions ¶
// VerifyOptions mirrors OpenSSL's SSL_VERIFY_* mode flags, set with
// (*SSL).SetVerify or (*SSL).SetVerifyMode and read with (*SSL).VerifyMode.
// Flags may be OR-ed together.
type VerifyOptions int

const (
	// VerifyNone does not require a peer certificate, and a failed
	// verification does not abort the handshake.
	VerifyNone VerifyOptions = C.SSL_VERIFY_NONE
	// VerifyPeer verifies the peer certificate and aborts the handshake on
	// failure; on the server side it also requests a client certificate.
	VerifyPeer VerifyOptions = C.SSL_VERIFY_PEER
	// VerifyFailIfNoPeerCert (server side, with VerifyPeer) aborts the
	// handshake if the client presents no certificate.
	VerifyFailIfNoPeerCert VerifyOptions = C.SSL_VERIFY_FAIL_IF_NO_PEER_CERT
	// VerifyClientOnce (server side, with VerifyPeer) requests the client
	// certificate on the initial handshake only, not on renegotiation.
	VerifyClientOnce VerifyOptions = C.SSL_VERIFY_CLIENT_ONCE
)
type VerifyResult ¶
// VerifyResult mirrors OpenSSL's X509_V_* certificate verification result
// codes. Ok is the only success value; every other value names a specific
// verification failure.
type VerifyResult int

const (
	Ok VerifyResult = C.X509_V_OK

	// Chain-building and signature failures.
	UnableToGetIssuerCert         VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
	UnableToGetCrl                VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL
	UnableToDecryptCertSignature  VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
	UnableToDecryptCrlSignature   VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
	UnableToDecodeIssuerPublicKey VerifyResult = C.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
	CertSignatureFailure          VerifyResult = C.X509_V_ERR_CERT_SIGNATURE_FAILURE
	CrlSignatureFailure           VerifyResult = C.X509_V_ERR_CRL_SIGNATURE_FAILURE

	// Validity period failures.
	CertNotYetValid           VerifyResult = C.X509_V_ERR_CERT_NOT_YET_VALID
	CertHasExpired            VerifyResult = C.X509_V_ERR_CERT_HAS_EXPIRED
	CrlNotYetValid            VerifyResult = C.X509_V_ERR_CRL_NOT_YET_VALID
	CrlHasExpired             VerifyResult = C.X509_V_ERR_CRL_HAS_EXPIRED
	ErrorInCertNotBeforeField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
	ErrorInCertNotAfterField  VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
	ErrorInCrlLastUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
	ErrorInCrlNextUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD

	OutOfMem VerifyResult = C.X509_V_ERR_OUT_OF_MEM

	// Trust and chain-structure failures.
	DepthZeroSelfSignedCert      VerifyResult = C.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
	SelfSignedCertInChain        VerifyResult = C.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
	UnableToGetIssuerCertLocally VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
	UnableToVerifyLeafSignature  VerifyResult = C.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
	CertChainTooLong             VerifyResult = C.X509_V_ERR_CERT_CHAIN_TOO_LONG
	CertRevoked                  VerifyResult = C.X509_V_ERR_CERT_REVOKED
	InvalidCa                    VerifyResult = C.X509_V_ERR_INVALID_CA
	PathLengthExceeded           VerifyResult = C.X509_V_ERR_PATH_LENGTH_EXCEEDED
	InvalidPurpose               VerifyResult = C.X509_V_ERR_INVALID_PURPOSE
	CertUntrusted                VerifyResult = C.X509_V_ERR_CERT_UNTRUSTED
	CertRejected                 VerifyResult = C.X509_V_ERR_CERT_REJECTED
	SubjectIssuerMismatch        VerifyResult = C.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
	AkidSkidMismatch             VerifyResult = C.X509_V_ERR_AKID_SKID_MISMATCH
	AkidIssuerSerialMismatch     VerifyResult = C.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
	KeyusageNoCertsign           VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
	UnableToGetCrlIssuer         VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER

	// Extension, policy and proxy-certificate failures.
	UnhandledCriticalExtension    VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
	KeyusageNoCrlSign             VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
	UnhandledCriticalCrlExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
	InvalidNonCa                  VerifyResult = C.X509_V_ERR_INVALID_NON_CA
	ProxyPathLengthExceeded       VerifyResult = C.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
	KeyusageNoDigitalSignature    VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
	ProxyCertificatesNotAllowed   VerifyResult = C.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
	InvalidExtension              VerifyResult = C.X509_V_ERR_INVALID_EXTENSION
	InvalidPolicyExtension        VerifyResult = C.X509_V_ERR_INVALID_POLICY_EXTENSION
	NoExplicitPolicy              VerifyResult = C.X509_V_ERR_NO_EXPLICIT_POLICY
	UnnestedResource              VerifyResult = C.X509_V_ERR_UNNESTED_RESOURCE

	// ApplicationVerification is reserved for failures raised by the
	// application's own VerifyCallback rather than by OpenSSL.
	ApplicationVerification VerifyResult = C.X509_V_ERR_APPLICATION_VERIFICATION
)