util

package
Published: Apr 9, 2024 License: Apache-2.0 Imports: 22 Imported by: 14

Constants

// Context-specific tag numbers used when walking the members of a
// GeneralNames SEQUENCE (see AllAlternateNameWithTagAreIA5).
const (
	// Tags
	// DNSNameTag is the [2] dNSName alternative of the GeneralName CHOICE
	// (RFC 5280, section 4.2.1.6).
	DNSNameTag = 2
)
const (
	// DurationDay is a fixed 24-hour time.Duration. It is not a calendar day:
	// no DST or leap-second adjustment is applied when adding it to a time.
	DurationDay = 24 * time.Hour
)
const (
	// GTLDPeriodDateFormat is the time.Parse layout (ISO 8601 calendar date,
	// e.g. "2024-04-09") presumably used for GTLDPeriod.DelegationDate and
	// GTLDPeriod.RemovalDate, which are stored as strings — confirm in Valid.
	GTLDPeriodDateFormat = "2006-01-02"
)
// OnionTLD is the ".onion" special-use suffix (RFC 7686), including the
// leading dot, matched against subject names when looking for Tor
// hidden-service addresses (see IsOnionV2Address / IsOnionV3Address).
const OnionTLD = ".onion"

Variables

// Object identifiers referenced by the lints. They are kept as raw
// asn1.ObjectIdentifier values so callers can compare them with Equal and
// look them up in a certificate's raw extensions (see GetExtFromCert and
// IsExtInCert) independently of what crypto/x509 chooses to parse.
var (
	//extension OIDs
	AdobeTimeStampOID            = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1}    // Adobe Time-stamp x509 extension
	AdobeArchiveRevInfoOID       = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2}    // Adobe Archive Revocation Info x509 extension
	AiaOID                       = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}        // Authority Information Access
	AuthkeyOID                   = asn1.ObjectIdentifier{2, 5, 29, 35}                     // Authority Key Identifier
	BasicConstOID                = asn1.ObjectIdentifier{2, 5, 29, 19}                     // Basic Constraints
	CertPolicyOID                = asn1.ObjectIdentifier{2, 5, 29, 32}                     // Certificate Policies
	CrlDistOID                   = asn1.ObjectIdentifier{2, 5, 29, 31}                     // CRL Distribution Points
	CtPoisonOID                  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison (precertificate marker, RFC 6962)
	EkuSynOid                    = asn1.ObjectIdentifier{2, 5, 29, 37}                     // Extended Key Usage Syntax
	FreshCRLOID                  = asn1.ObjectIdentifier{2, 5, 29, 46}                     // Freshest CRL
	InhibitAnyPolicyOID          = asn1.ObjectIdentifier{2, 5, 29, 54}                     // Inhibit Any Policy
	IssuerAlternateNameOID       = asn1.ObjectIdentifier{2, 5, 29, 18}                     // Issuer Alt Name
	KeyUsageOID                  = asn1.ObjectIdentifier{2, 5, 29, 15}                     // Key Usage
	LegalEntityIdentifierOID     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 1}       // Legal Entity Identifier
	LegalEntityIdentifierRoleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 2}       // Legal Entity Identifier Role
	LogoTypeOID                  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12}       // Logo Type Ext
	NameConstOID                 = asn1.ObjectIdentifier{2, 5, 29, 30}                     // Name Constraints
	OscpNoCheckOID               = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}    // OCSP No Check (id-pkix-ocsp-nocheck; identifier spelling is historical)
	PolicyConstOID               = asn1.ObjectIdentifier{2, 5, 29, 36}                     // Policy Constraints
	PolicyMapOID                 = asn1.ObjectIdentifier{2, 5, 29, 33}                     // Policy Mappings
	PrivKeyUsageOID              = asn1.ObjectIdentifier{2, 5, 29, 16}                     // Private Key Usage Period
	QcStateOid                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}        // QC Statements
	TimestampOID                 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List
	SmimeOID                     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15}      // S/MIME Capabilities
	SubjectAlternateNameOID      = asn1.ObjectIdentifier{2, 5, 29, 17}                     // Subject Alt Name
	SubjectDirAttrOID            = asn1.ObjectIdentifier{2, 5, 29, 9}                      // Subject Directory Attributes
	SubjectInfoAccessOID         = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11}       // Subject Info Access Syntax
	SubjectKeyIdentityOID        = asn1.ObjectIdentifier{2, 5, 29, 14}                     // Subject Key Identifier
	ReasonCodeOID                = asn1.ObjectIdentifier{2, 5, 29, 21}                     // CRL Reason Code
	// CA/B reserved policies
	BRDomainValidatedOID                        = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}    // CA/B BR Domain-Validated
	BROrganizationValidatedOID                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}    // CA/B BR Organization-Validated
	BRIndividualValidatedOID                    = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3}    // CA/B BR Individual-Validated
	BRTorServiceDescriptor                      = asn1.ObjectIdentifier{2, 23, 140, 1, 31}      // CA/B BR Tor Service Descriptor
	CabfExtensionOrganizationIdentifier         = asn1.ObjectIdentifier{2, 23, 140, 3, 1}       // CA/B EV 9.8.2 cabfOrganizationIdentifier
	SMIMEBRMailboxValidatedLegacyOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 1} // CA/B SMIME BR Mailbox Validated, Legacy
	SMIMEBRMailboxValidatedMultipurposeOID      = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 2} // CA/B SMIME BR Mailbox Validated, Multipurpose
	SMIMEBRMailboxValidatedStrictOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 3} // CA/B SMIME BR Mailbox Validated, Strict
	SMIMEBROrganizationValidatedLegacyOID       = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 1} // CA/B SMIME BR Organization Validated, Legacy
	SMIMEBROrganizationValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 2} // CA/B SMIME BR Organization Validated, Multipurpose
	SMIMEBROrganizationValidatedStrictOID       = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 3} // CA/B SMIME BR Organization Validated, Strict
	SMIMEBRSponsorValidatedLegacyOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 1} // CA/B SMIME BR Sponsor Validated, Legacy
	SMIMEBRSponsorValidatedMultipurposeOID      = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 2} // CA/B SMIME BR Sponsor Validated, Multipurpose
	SMIMEBRSponsorValidatedStrictOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 3} // CA/B SMIME BR Sponsor Validated, Strict
	SMIMEBRIndividualValidatedLegacyOID         = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 1} // CA/B SMIME BR Individual Validated, Legacy
	SMIMEBRIndividualValidatedMultipurposeOID   = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 2} // CA/B SMIME BR Individual Validated, Multipurpose
	SMIMEBRIndividualValidatedStrictOID         = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 3} // CA/B SMIME BR Individual Validated, Strict
	//X.500 attribute types (id-at-* arcs under 2.5.4, see RFC 5280 appendix A)
	CommonNameOID             = asn1.ObjectIdentifier{2, 5, 4, 3}  // id-at-commonName
	SurnameOID                = asn1.ObjectIdentifier{2, 5, 4, 4}  // id-at-surname
	SerialOID                 = asn1.ObjectIdentifier{2, 5, 4, 5}  // id-at-serialNumber (subject attribute, not the certificate serial)
	CountryNameOID            = asn1.ObjectIdentifier{2, 5, 4, 6}  // id-at-countryName
	LocalityNameOID           = asn1.ObjectIdentifier{2, 5, 4, 7}  // id-at-localityName
	StateOrProvinceNameOID    = asn1.ObjectIdentifier{2, 5, 4, 8}  // id-at-stateOrProvinceName
	StreetAddressOID          = asn1.ObjectIdentifier{2, 5, 4, 9}  // id-at-streetAddress
	OrganizationNameOID       = asn1.ObjectIdentifier{2, 5, 4, 10} // id-at-organizationName
	OrganizationalUnitNameOID = asn1.ObjectIdentifier{2, 5, 4, 11} // id-at-organizationalUnitName
	BusinessOID               = asn1.ObjectIdentifier{2, 5, 4, 15} // id-at-businessCategory
	PostalCodeOID             = asn1.ObjectIdentifier{2, 5, 4, 17} // id-at-postalCode
	GivenNameOID              = asn1.ObjectIdentifier{2, 5, 4, 42} // id-at-givenName
	// SAN otherNames
	OidIdOnSmtpUtf8Mailbox = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 9} // id-on-SmtpUTF8Mailbox (RFC 8398)
	// Hash algorithms - see https://golang.org/src/crypto/x509/x509.go
	SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} // id-sha256
	SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} // id-sha384
	SHA512OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3} // id-sha512
	// other OIDs
	OidRSAEncryption           = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}  // rsaEncryption (RFC 8017)
	OidRSASSAPSS               = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} // id-RSASSA-PSS
	OidMD2WithRSAEncryption    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}  // md2WithRSAEncryption — broken digest; presumably only referenced so lints can reject it
	OidMD5WithRSAEncryption    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}  // md5WithRSAEncryption — broken digest; same caveat
	OidSHA1WithRSAEncryption   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}  // sha1WithRSAEncryption — deprecated for signatures (see NO_SHA1)
	OidSHA224WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14} // sha224WithRSAEncryption
	OidSHA256WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} // sha256WithRSAEncryption
	OidSHA384WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} // sha384WithRSAEncryption
	OidSHA512WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} // sha512WithRSAEncryption
	AnyPolicyOID               = asn1.ObjectIdentifier{2, 5, 29, 32, 0}             // anyPolicy (certificatePolicies wildcard)
	UserNoticeOID              = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2}   // id-qt-unotice policy qualifier
	CpsOID                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}   // id-qt-cps policy qualifier
	// ETSI EN 319 412-5 QcStatement identifiers (arc 0.4.0.1862.1); the
	// QcType sub-arc values name the kind of qualified certificate.
	IdEtsiQcsQcCompliance      = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}
	IdEtsiQcsQcLimitValue      = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 2}
	IdEtsiQcsQcRetentionPeriod = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 3}
	IdEtsiQcsQcSSCD            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4}
	IdEtsiQcsQcEuPDS           = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 5}
	IdEtsiQcsQcType            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}
	IdEtsiQcsQctEsign          = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1} // electronic signature
	IdEtsiQcsQctEseal          = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2} // electronic seal
	IdEtsiQcsQctWeb            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3} // website authentication
)
// Effective dates used by the lints. Each marks the point from which a
// requirement in the named RFC, CA/B Forum document or root-program policy
// applies; lints presumably compare a certificate's NotBefore against these
// with BeforeOrOn / OnOrAfter (confirm per lint). All are midnight UTC.
var (
	// ZeroDate is year 0 UTC, a lower bound meaning "has always applied".
	ZeroDate                   = time.Date(0000, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC1035Date                = time.Date(1987, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC2459Date                = time.Date(1999, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC3279Date                = time.Date(2002, time.April, 1, 0, 0, 0, 0, time.UTC)
	RFC3280Date                = time.Date(2002, time.April, 1, 0, 0, 0, 0, time.UTC)
	RFC3490Date                = time.Date(2003, time.March, 1, 0, 0, 0, 0, time.UTC)
	RFC8399Date                = time.Date(2018, time.May, 1, 0, 0, 0, 0, time.UTC)
	RFC4325Date                = time.Date(2005, time.December, 1, 0, 0, 0, 0, time.UTC)
	RFC4630Date                = time.Date(2006, time.August, 1, 0, 0, 0, 0, time.UTC)
	RFC5280Date                = time.Date(2008, time.May, 1, 0, 0, 0, 0, time.UTC)
	RFC6818Date                = time.Date(2013, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC8813Date                = time.Date(2020, time.August, 1, 0, 0, 0, 0, time.UTC)
	CABEffectiveDate           = time.Date(2012, time.July, 1, 0, 0, 0, 0, time.UTC)
	CABReservedIPDate          = time.Date(2016, time.October, 1, 0, 0, 0, 0, time.UTC)
	CABGivenNameDate           = time.Date(2016, time.September, 7, 0, 0, 0, 0, time.UTC)
	CABSerialNumberEntropyDate = time.Date(2016, time.September, 30, 0, 0, 0, 0, time.UTC)
	CABV102Date                = time.Date(2012, time.June, 8, 0, 0, 0, 0, time.UTC)
	CABV113Date                = time.Date(2013, time.February, 21, 0, 0, 0, 0, time.UTC)
	CABV114Date                = time.Date(2013, time.May, 3, 0, 0, 0, 0, time.UTC)
	CABV116Date                = time.Date(2013, time.July, 29, 0, 0, 0, 0, time.UTC)
	CABV130Date                = time.Date(2015, time.April, 16, 0, 0, 0, 0, time.UTC)
	CABV131Date                = time.Date(2015, time.September, 28, 0, 0, 0, 0, time.UTC)
	// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.0.pdf
	CABV170Date                                      = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC)
	// NO_SHA1 is the date from which SHA-1 signatures are presumably treated
	// as prohibited (name predates Go naming conventions; kept as exported API).
	NO_SHA1                                          = time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoRSA1024RootDate                                = time.Date(2011, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoRSA1024Date                                    = time.Date(2014, time.January, 1, 0, 0, 0, 0, time.UTC)
	// GeneralizedDate: RFC 5280 section 4.1.2.5 requires validity dates in
	// 2050 or later to be encoded as GeneralizedTime rather than UTCTime.
	GeneralizedDate                                  = time.Date(2050, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoReservedIP                                     = time.Date(2015, time.November, 1, 0, 0, 0, 0, time.UTC)
	SubCert39Month                                   = time.Date(2016, time.July, 2, 0, 0, 0, 0, time.UTC)
	SubCert825Days                                   = time.Date(2018, time.March, 2, 0, 0, 0, 0, time.UTC)
	CABV148Date                                      = time.Date(2017, time.June, 8, 0, 0, 0, 0, time.UTC)
	EtsiEn319_412_5_V2_2_1_Date                      = time.Date(2017, time.November, 1, 0, 0, 0, 0, time.UTC)
	OnionOnlyEVDate                                  = time.Date(2015, time.May, 1, 0, 0, 0, 0, time.UTC)
	CABV201Date                                      = time.Date(2017, time.July, 28, 0, 0, 0, 0, time.UTC)
	AppleCTPolicyDate                                = time.Date(2018, time.October, 15, 0, 0, 0, 0, time.UTC)
	MozillaPolicy22Date                              = time.Date(2013, time.July, 26, 0, 0, 0, 0, time.UTC)
	MozillaPolicy24Date                              = time.Date(2017, time.February, 28, 0, 0, 0, 0, time.UTC)
	MozillaPolicy241Date                             = time.Date(2017, time.March, 31, 0, 0, 0, 0, time.UTC)
	MozillaPolicy27Date                              = time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate = time.Date(2019, time.April, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_6_2_Date                               = time.Date(2018, time.December, 10, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_2_1_Date                               = time.Date(2015, time.January, 16, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_6_9_Date                               = time.Date(2020, time.March, 27, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_7_1_Date                               = time.Date(2020, time.August, 20, 0, 0, 0, 0, time.UTC)
	AppleReducedLifetimeDate                         = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_7_9_Date                               = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_8_0_Date                               = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
	// CABFBRs_2_0_0_Date and SC62EffectiveDate are the same instant (2023-09-15).
	CABFBRs_2_0_0_Date                               = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
	NoReservedDomainLabelsDate                       = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_OU_Prohibited_Date                       = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
	CABF_SMIME_BRs_1_0_0_Date                        = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
	// Enforcement date of CRL reason codes from Ballot SC 061
	CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC)
	// Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/
	SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
)
var (
	// CABFEV_9_8_2 is an alias of CABV170Date: the EV Guidelines v1.7.0
	// effective date, from which the section 9.8.2 cabfOrganizationIdentifier
	// requirements apply (see CabfExtensionOrganizationIdentifier).
	CABFEV_9_8_2 = CABV170Date
)
var (
	// KeyUsageToString maps each single x509.KeyUsage bit to its name.
	// Only individual bits are keys: a combined bitmask is not found here,
	// so expand one with GetKeyUsageStrings rather than indexing this map.
	KeyUsageToString = map[x509.KeyUsage]string{
		x509.KeyUsageDigitalSignature:  "KeyUsageDigitalSignature",
		x509.KeyUsageContentCommitment: "KeyUsageContentCommitment",
		x509.KeyUsageKeyEncipherment:   "KeyUsageKeyEncipherment",
		x509.KeyUsageDataEncipherment:  "KeyUsageDataEncipherment",
		x509.KeyUsageKeyAgreement:      "KeyUsageKeyAgreement",
		x509.KeyUsageCertSign:          "KeyUsageCertSign",
		x509.KeyUsageCRLSign:           "KeyUsageCRLSign",
		x509.KeyUsageEncipherOnly:      "KeyUsageEncipherOnly",
		x509.KeyUsageDecipherOnly:      "KeyUsageDecipherOnly",
	}
)
// Additional OIDs not provided by the x509 package.
var (
	// 1.2.840.10045.4.3.1 is SHA224withECDSA (ecdsa-with-SHA224, RFC 5758).
	// crypto/x509 has no SignatureAlgorithm constant for it, so lints that
	// need to recognise it must match the raw OID.
	OidSignatureSHA224withECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 1}
)

Additional OIDs not provided by the x509 package.

// RSAAlgorithmIDToDER maps the dotted-string OID of an RSA key or signature
// algorithm to the DER encoding of a pkix.AlgorithmIdentifier for that OID
// whose Parameters field is present and is asn1.NULL, i.e.
//
//	SEQUENCE (0x30, 13 bytes) { OID (0x06, 9 bytes), NULL (0x05 0x00) }
//
// RFC 4055 requires the NULL parameters to be present for these algorithms;
// the values are presumably compared byte-for-byte against a certificate's
// encoded AlgorithmIdentifier so that an encoding with absent or non-NULL
// parameters fails to match (see CheckAlgorithmIDParamNotNULL).
var RSAAlgorithmIDToDER = map[string][]byte{

	"1.2.840.113549.1.1.1": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x1, 0x5, 0x0}, // rsaEncryption

	"1.2.840.113549.1.1.2": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x2, 0x5, 0x0}, // md2WithRSAEncryption

	"1.2.840.113549.1.1.4": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x4, 0x5, 0x0}, // md5WithRSAEncryption

	"1.2.840.113549.1.1.5": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x5, 0x5, 0x0}, // sha1WithRSAEncryption

	"1.2.840.113549.1.1.14": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xe, 0x5, 0x0}, // sha224WithRSAEncryption

	"1.2.840.113549.1.1.11": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 0x5, 0x0}, // sha256WithRSAEncryption

	"1.2.840.113549.1.1.12": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xc, 0x5, 0x0}, // sha384WithRSAEncryption

	"1.2.840.113549.1.1.13": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xd, 0x5, 0x0}, // sha512WithRSAEncryption
}

RSAAlgorithmIDToDER contains DER representations of pkix.AlgorithmIdentifier for different RSA OIDs with Parameters as asn1.NULL.

Functions

func AllAlternateNameWithTagAreIA5

func AllAlternateNameWithTagAreIA5(ext *pkix.Extension, tag int) (bool, error)

AllAlternateNameWithTagAreIA5 returns true if all sequence members with the given tag are encoded as IA5 strings, and false otherwise. If it encounters errors parsing asn1, err will be non-nil.

func AppendToStringSemicolonDelim

func AppendToStringSemicolonDelim(this *string, s string)

func AuthIsFQDNOrIP

func AuthIsFQDNOrIP(auth string) bool

func BeforeOrOn added in v3.3.1

func BeforeOrOn(left, right time.Time) bool

BeforeOrOn returns whether left is before or strictly equal to right.

func CertificateSubjInTLD

func CertificateSubjInTLD(c *x509.Certificate, label string) bool

CertificateSubjInTLD checks whether the provided Certificate has a Subject Common Name or DNS Subject Alternate Name that ends in the provided TLD label. If IsInTLDMap(label) returns false then CertificateSubjInTLD will return false.

func CheckAlgorithmIDParamNotNULL

func CheckAlgorithmIDParamNotNULL(algorithmIdentifier []byte, requiredAlgoID asn1.ObjectIdentifier) error

CheckAlgorithmIDParamNotNULL parses an AlgorithmIdentifier with algorithm OID rsaEncryption to check that the Param field is asn1.NULL. It expects a DER-encoded AlgorithmIdentifier including tag and length.

func CheckRDNSequenceWhiteSpace

func CheckRDNSequenceWhiteSpace(raw []byte) (leading, trailing bool, err error)

CheckRDNSequenceWhiteSpace returns true if there is leading or trailing whitespace in any name attribute in the sequence, respectively.

func CommonNameIsIP

func CommonNameIsIP(cert *x509.Certificate) bool

func DNSNamesExist

func DNSNamesExist(cert *x509.Certificate) bool

func FindTimeType

func FindTimeType(firstDate, secondDate asn1.RawValue) (int, int)

func GetAuthority

func GetAuthority(uri string) string

func GetEKUString added in v3.6.0

func GetEKUString(eku x509.ExtKeyUsage) string

GetEKUString returns a human friendly Extended Key Usage (EKU) string.

func GetEKUStrings added in v3.6.0

func GetEKUStrings(eku []x509.ExtKeyUsage) []string

GetEKUStrings returns a list of human friendly Extended Key Usage (EKU) strings.

func GetExtFromCert

func GetExtFromCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension

GetExtFromCert returns the extension with the matching OID, if present. If the extension is not present, it returns nil.

func GetHost

func GetHost(auth string) string

func GetKeyUsageStrings added in v3.6.0

func GetKeyUsageStrings(keyUsages x509.KeyUsage) []string

GetKeyUsageStrings returns a list of the key usages included in the bitmask.

func GetMappedPolicies

func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error)

GetMappedPolicies is a helper that parses a policyMappings extension and returns the mapped CertPolicyId pairs, separated by domain.

func GetPublicKeyAidEncoded

func GetPublicKeyAidEncoded(c *x509.Certificate) ([]byte, error)

GetPublicKeyAidEncoded returns the algorithm field of the SubjectPublicKeyInfo of the certificate in its encoded form (including Tag and Length), or an error if the algorithm field could not be extracted.

SubjectPublicKeyInfo  ::=  SEQUENCE  {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING  }

func GetPublicKeyOID

func GetPublicKeyOID(c *x509.Certificate) (asn1.ObjectIdentifier, error)

GetPublicKeyOID returns the algorithm field of the SubjectPublicKeyInfo of the certificate, or an error if the algorithm field could not be extracted.

SubjectPublicKeyInfo  ::=  SEQUENCE  {
    algorithm            AlgorithmIdentifier,
    subjectPublicKey     BIT STRING  }

func GetSignatureAlgorithmInTBSEncoded

func GetSignatureAlgorithmInTBSEncoded(c *x509.Certificate) ([]byte, error)

GetSignatureAlgorithmInTBSEncoded returns the signature field of the tbsCertificate of this certificate in DER-encoded form, or an error if the signature field could not be extracted. The encoded form includes the tag and the length.

TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    extensions      [3]  EXPLICIT Extensions OPTIONAL
                         -- If present, version MUST be v3
    }

func GetTimes

func GetTimes(cert *x509.Certificate) (asn1.RawValue, asn1.RawValue)

TODO(@cpu): This function is a little bit rough around the edges (especially after my quick fixes for the ineffassigns) and would be a good candidate for clean-up/refactoring.

func GetTypesInName added in v3.6.2

func GetTypesInName(name *pkix.Name) []asn1.ObjectIdentifier

func HasEKU

func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool

HasEKU tests whether an Extended Key Usage (EKU) is present in a certificate.

func HasEmailSAN added in v3.6.0

func HasEmailSAN(c *x509.Certificate) bool

func HasKeyUsage added in v3.4.0

func HasKeyUsage(c *x509.Certificate, usage x509.KeyUsage) bool

HasKeyUsage returns whether-or-not the given x509.KeyUsage is present within the given certificate's KeyUsage bitmap. The certificate, however, is NOT checked for whether-or-not it actually has a key usage OID. If you wish to check for the presence of the key usage OID, please use HasKeyUsageOID.

func HasKeyUsageOID added in v3.4.0

func HasKeyUsageOID(c *x509.Certificate) bool

HasKeyUsageOID returns whether-or-not the OID 2.5.29.15 is present in the given certificate's extensions.

func HasReservedLabelPrefix added in v3.3.1

func HasReservedLabelPrefix(s string) bool

HasReservedLabelPrefix checks whether the given string (presumably a domain label) has hyphens ("-") as the third and fourth characters. Domain labels with hyphens in these positions are considered to be "Reserved Labels" per RFC 5890, section 2.3.1. (https://datatracker.ietf.org/doc/html/rfc5890#section-2.3.1)

func HasValidTLD

func HasValidTLD(domain string, when time.Time) bool

HasValidTLD checks that a domain ends in a valid TLD that was delegated in the root DNS at the time specified.

func HasXNLabelPrefix added in v3.3.1

func HasXNLabelPrefix(s string) bool

HasXNLabelPrefix checks whether the given string (presumably a domain label) is prefixed with the case-insensitive string "xn--" (the IDNA ACE prefix).

This check is useful given the following bug report for IDNA, wherein the ACE prefix was incorrectly taken to be case-sensitive.

https://github.com/golang/go/issues/48778

func IdnaToUnicode added in v3.3.1

func IdnaToUnicode(s string) (string, error)

IdnaToUnicode is a wrapper around idna.ToUnicode.

If the provided string starts with the IDNA ACE prefix ("xn--", case insensitive), then that ACE prefix is coerced to a lowercase "xn--" before processing by the idna package.

This is only necessary due to the bug at https://github.com/golang/go/issues/48778

func IntersectsIANAReserved

func IntersectsIANAReserved(net net.IPNet) bool

IntersectsIANAReserved checks whether a CIDR intersects any IANA reserved CIDR.

func IsAnyEtsiQcStatementPresent

func IsAnyEtsiQcStatementPresent(extVal []byte) bool

func IsCACert

func IsCACert(c *x509.Certificate) bool

IsCACert returns true if c has IsCA set.

func IsDelegatedOCSPResponderCert added in v3.1.0

func IsDelegatedOCSPResponderCert(cert *x509.Certificate) bool

IsDelegatedOCSPResponderCert returns true if the id-kp-OCSPSigning EKU is set. According to https://tools.ietf.org/html/rfc6960#section-4.2.2.2, it is not sufficient to have only the id-kp-anyExtendedKeyUsage included.

func IsEV

func IsEV(in []asn1.ObjectIdentifier) bool

IsEV returns true if the input is a known Extended Validation OID.

func IsEmailProtectionCert added in v3.6.0

func IsEmailProtectionCert(cert *x509.Certificate) bool

IsEmailProtectionCert returns true if the certificate presented is for use protecting emails. A certificate is for use protecting emails if it contains the Any Purpose or emailProtection EKUs or if the certificate contains no EKUs. This last point is a way of being overly cautious and choosing to prefer false positives over false negatives.

func IsEmptyASN1Sequence

func IsEmptyASN1Sequence(input []byte) bool

func IsExtInCert

func IsExtInCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool

IsExtInCert is equivalent to GetExtFromCert() != nil.

func IsFQDN

func IsFQDN(domain string) bool

func IsFQDNOrIP

func IsFQDNOrIP(host string) bool

func IsIA5String

func IsIA5String(raw []byte) bool

IsIA5String returns true if raw is an IA5String, and returns false otherwise.

func IsIANAReserved

func IsIANAReserved(ip net.IP) bool

IsIANAReserved checks whether an IP address falls within an IANA reserved range, per the IANA registries below.

IPv4
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
IPv6
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml

func IsISOCountryCode

func IsISOCountryCode(in string) bool

IsISOCountryCode returns true if the input is a known two-letter country code.

TODO: Document where the list of known countries came from.

func IsInPrefSyn

func IsInPrefSyn(name string) bool

func IsInTLDMap

func IsInTLDMap(label string) bool

IsInTLDMap checks that a label is present in the TLD map. It does not consider the TLD's validity period and whether the TLD may have been removed, only whether it was ever a TLD that was delegated.

func IsIndividualValidatedCertificate added in v3.6.2

func IsIndividualValidatedCertificate(c *x509.Certificate) bool

func IsLDHLabel added in v3.6.0

func IsLDHLabel(label string) bool

func IsLegacySMIMECertificate added in v3.6.0

func IsLegacySMIMECertificate(c *x509.Certificate) bool

func IsMailboxAddress added in v3.6.2

func IsMailboxAddress(address string) bool

IsMailboxAddress returns true if the passed in string resembles an RFC 5322 mailbox address.

func IsMailboxValidatedCertificate added in v3.6.0

func IsMailboxValidatedCertificate(c *x509.Certificate) bool

func IsMultipurposeSMIMECertificate added in v3.6.0

func IsMultipurposeSMIMECertificate(c *x509.Certificate) bool

func IsNameAttribute

func IsNameAttribute(oid asn1.ObjectIdentifier) bool

IsNameAttribute returns true if the given ObjectIdentifier corresponds with the type of any name attribute for PKIX.

func IsOnionV2Address added in v3.4.0

func IsOnionV2Address(dnsName string) bool

IsOnionV2Address returns whether-or-not the given address appears to be an Onion V2 address.

In order to be an Onion V2 encoded address, the DNS name must satisfy the following:

  1. The address has at least two labels.
  2. The right most label is the .onion TLD.
  3. The second-to-the-right most label is a 16 character long, base32.

func IsOnionV2Cert added in v3.4.0

func IsOnionV2Cert(c *x509.Certificate) bool

IsOnionV2Cert returns whether-or-not the provided certificate's subject common name, or any of its DNS names, is a version 2 Onion address.

func IsOnionV3Address added in v3.4.0

func IsOnionV3Address(dnsName string) bool

IsOnionV3Address returns whether or not the provided DNS name is an Onion V3 encoded address.

In order to be an Onion V3 encoded address, the DNS name must satisfy the following:

  1. Contain at least two labels.
  2. The right most label MUST be "onion".
  3. The second to the right most label MUST be exactly 56 characters long.
  4. The second to the right most label MUST be base32 encoded against the lowercase standard encoding.
  5. The final byte of the decoded result from #4 MUST be equal to 0x03.

func IsOnionV3Cert added in v3.3.1

func IsOnionV3Cert(c *x509.Certificate) bool

IsOnionV3Cert returns whether-or-not the provided certificate's subject common name, or any of its DNS names, is a version 3 Onion address.

func IsOrganizationValidatedCertificate added in v3.6.0

func IsOrganizationValidatedCertificate(c *x509.Certificate) bool

func IsRootCA

func IsRootCA(c *x509.Certificate) bool

IsRootCA returns true if c has IsCA set and is also self-signed.

func IsSMIMEBRCertificate added in v3.6.0

func IsSMIMEBRCertificate(c *x509.Certificate) bool

func IsSelfSigned

func IsSelfSigned(c *x509.Certificate) bool

IsSelfSigned returns true if SelfSigned is set.

func IsServerAuthCert

func IsServerAuthCert(cert *x509.Certificate) bool

func IsSponsorValidatedCertificate added in v3.6.0

func IsSponsorValidatedCertificate(c *x509.Certificate) bool

func IsStrictSMIMECertificate added in v3.6.0

func IsStrictSMIMECertificate(c *x509.Certificate) bool

func IsSubCA

func IsSubCA(c *x509.Certificate) bool

IsSubCA returns true if c has IsCA set, but is not self-signed.

func IsSubscriberCert

func IsSubscriberCert(c *x509.Certificate) bool

IsSubscriberCert returns true if a certificate is not a CA and not self-signed.

func KeyUsageIsPresent added in v3.4.0

func KeyUsageIsPresent(keyUsages x509.KeyUsage, usage x509.KeyUsage) bool

KeyUsageIsPresent checks the provided bitmap (keyUsages) for presence of the provided x509.KeyUsage.

func NotAllNameFieldsAreEmpty

func NotAllNameFieldsAreEmpty(name *pkix.Name) bool

func OnOrAfter added in v3.3.1

func OnOrAfter(left, right time.Time) bool

OnOrAfter returns whether left is after or strictly equal to right.

func ParseBMPString

func ParseBMPString(bmpString []byte) (string, error)

ParseBMPString decodes a uint16-encoded string following the specification for the BMPString type.

func PrimeNoSmallerThan752

func PrimeNoSmallerThan752(dividend *big.Int) bool

func RemovePrependedQuestionMarks

func RemovePrependedQuestionMarks(domain string) string

func RemovePrependedWildcard

func RemovePrependedWildcard(domain string) string

func SliceContainsOID

func SliceContainsOID(list []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier) bool

SliceContainsOID is a helper that checks whether an []asn1.ObjectIdentifier slice contains the given asn1.ObjectIdentifier.

func TypeInName

func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool

TypeInName is a helper that checks for a name attribute type in a pkix.Name.

Types

type AttributeTypeAndRawValue

// AttributeTypeAndRawValue is an X.501 AttributeTypeAndValue (RFC 5280,
// section 4.1.2.4) whose Value is kept as the undecoded asn1.RawValue, so the
// original ASN.1 string type and bytes remain available to callers
// (presumably for encoding/whitespace lints such as CheckRDNSequenceWhiteSpace).
type AttributeTypeAndRawValue struct {
	Type  asn1.ObjectIdentifier // attribute type, e.g. CommonNameOID
	Value asn1.RawValue         // undecoded attribute value, tag and bytes intact
}

type AttributeTypeAndRawValueSET

// AttributeTypeAndRawValueSET is one RelativeDistinguishedName: the SET OF
// AttributeTypeAndRawValue that makes up a single RDN within a RawRDNSequence.
type AttributeTypeAndRawValueSET []AttributeTypeAndRawValue

type Etsi421QualEuCert

// Etsi421QualEuCert appears to represent the ETSI EN 319 412-5 QcCompliance
// statement (IdEtsiQcsQcCompliance). It has no public payload; its
// significance is presence alone, reported through the EtsiQcStmtIf methods.
type Etsi421QualEuCert struct {
	// contains filtered or unexported fields
}

func (Etsi421QualEuCert) GetErrorInfo

func (this Etsi421QualEuCert) GetErrorInfo() string

func (Etsi421QualEuCert) IsPresent

func (this Etsi421QualEuCert) IsPresent() bool

type Etsi423QcType

// Etsi423QcType appears to represent the ETSI EN 319 412-5 QcType statement
// (IdEtsiQcsQcType).
type Etsi423QcType struct {
	// TypeOids lists the qualified-certificate type identifiers found in the
	// statement, expected to be among IdEtsiQcsQctEsign, IdEtsiQcsQctEseal
	// and IdEtsiQcsQctWeb.
	TypeOids []asn1.ObjectIdentifier
	// contains filtered or unexported fields
}

func (Etsi423QcType) GetErrorInfo

func (this Etsi423QcType) GetErrorInfo() string

func (Etsi423QcType) IsPresent

func (this Etsi423QcType) IsPresent() bool

type EtsiMonetaryValueAlph

// EtsiMonetaryValueAlph is the ASN.1 MonetaryValue form that identifies the
// currency by its alphabetic ISO 4217 code (the asn1 struct tags drive
// encoding/asn1 unmarshalling; keep them in sync with the ETSI definition).
type EtsiMonetaryValueAlph struct {
	Iso4217CurrencyCodeAlph string `asn1:"printable"` // three-letter currency code as a PrintableString
	Amount                  int                       // value mantissa; presumably amount × 10^Exponent per ETSI
	Exponent                int
}

type EtsiMonetaryValueNum

// EtsiMonetaryValueNum is the ASN.1 MonetaryValue form that identifies the
// currency by its numeric ISO 4217 code; see EtsiMonetaryValueAlph for the
// alphabetic form.
type EtsiMonetaryValueNum struct {
	Iso4217CurrencyCodeNum int // numeric currency code
	Amount                 int // value mantissa; presumably amount × 10^Exponent per ETSI
	Exponent               int
}

type EtsiQcLimitValue

// EtsiQcLimitValue appears to represent the ETSI EN 319 412-5 QcLimitValue
// statement (IdEtsiQcsQcLimitValue): a transaction-limit monetary value that
// the parser flattens from either the alphabetic or the numeric
// MonetaryValue form.
type EtsiQcLimitValue struct {
	Amount       int
	Exponent     int
	IsNum        bool   // presumably true when CurrencyNum is populated, false when CurrencyAlph is — confirm in ParseQcStatem
	CurrencyAlph string // alphabetic ISO 4217 code, when !IsNum
	CurrencyNum  int    // numeric ISO 4217 code, when IsNum
	// contains filtered or unexported fields
}

func (EtsiQcLimitValue) GetErrorInfo

func (this EtsiQcLimitValue) GetErrorInfo() string

func (EtsiQcLimitValue) IsPresent

func (this EtsiQcLimitValue) IsPresent() bool

type EtsiQcPds

// EtsiQcPds appears to represent the ETSI EN 319 412-5 QcPDS statement
// (IdEtsiQcsQcEuPDS): the locations of the PKI Disclosure Statement.
type EtsiQcPds struct {
	PdsLocations []PdsLocation // one entry per (URL, language) pair in the statement
	// contains filtered or unexported fields
}

func (EtsiQcPds) GetErrorInfo

func (this EtsiQcPds) GetErrorInfo() string

func (EtsiQcPds) IsPresent

func (this EtsiQcPds) IsPresent() bool

type EtsiQcRetentionPeriod

// EtsiQcRetentionPeriod appears to represent the ETSI EN 319 412-5
// QcRetentionPeriod statement (IdEtsiQcsQcRetentionPeriod).
type EtsiQcRetentionPeriod struct {
	Period int // retention period as encoded in the statement; ETSI expresses it in years — confirm in ParseQcStatem
	// contains filtered or unexported fields
}

func (EtsiQcRetentionPeriod) GetErrorInfo

func (this EtsiQcRetentionPeriod) GetErrorInfo() string

func (EtsiQcRetentionPeriod) IsPresent

func (this EtsiQcRetentionPeriod) IsPresent() bool

type EtsiQcSscd

// EtsiQcSscd appears to represent the ETSI EN 319 412-5 QcSSCD statement
// (IdEtsiQcsQcSSCD), asserting the private key resides in a qualified
// signature/seal creation device. It has no public payload; presence alone
// is reported through the EtsiQcStmtIf methods.
type EtsiQcSscd struct {
	// contains filtered or unexported fields
}

func (EtsiQcSscd) GetErrorInfo

func (this EtsiQcSscd) GetErrorInfo() string

func (EtsiQcSscd) IsPresent

func (this EtsiQcSscd) IsPresent() bool

type EtsiQcStmtIf

// EtsiQcStmtIf is the common interface of the parsed ETSI QC statement types
// returned by ParseQcStatem.
type EtsiQcStmtIf interface {
	// GetErrorInfo returns a description of any problem met while parsing
	// the statement; presumably empty when parsing succeeded — confirm in
	// the implementations.
	GetErrorInfo() string
	// IsPresent reports whether the sought statement was found in the
	// qcStatements extension value.
	IsPresent() bool
}

func ParseQcStatem

func ParseQcStatem(extVal []byte, sought asn1.ObjectIdentifier) EtsiQcStmtIf

type GTLDPeriod

// GTLDPeriod is a struct representing a gTLD's validity period. The field
// names are chosen to match the data returned by the ICANN gTLD v2 JSON
// registry (https://www.icann.org/resources/registries/gtlds/v2/gtlds.json);
// see the `zlint-gtld-update` command. The date fields are strings,
// presumably in GTLDPeriodDateFormat — confirm in Valid.
type GTLDPeriod struct {
	// GTLD is the GTLD the period corresponds to. It is used only for friendly
	// error messages from `Valid`
	GTLD string
	// DelegationDate is the date at which ICANN delegated the gTLD into existence
	// from the root DNS, or is empty if the gTLD was never delegated.
	DelegationDate string
	// RemovalDate is the date at which ICANN removed the gTLD delegation from the
	// root DNS, or is empty if the gTLD is still delegated and has not been
	// removed.
	RemovalDate string
}

GTLDPeriod is a struct representing a gTLD's validity period. The field names are chosen to match the data returned by the ICANN gTLD v2 JSON registry[0]. See the `zlint-gtld-update` command for more information. [0] - https://www.icann.org/resources/registries/gtlds/v2/gtlds.json

func (GTLDPeriod) Valid

func (p GTLDPeriod) Valid(when time.Time) error

Valid determines if the provided `when` time is within the GTLDPeriod for the gTLD. E.g. whether a certificate issued at `when` with a subject identifier using the specified gTLD can be considered a valid use of the gTLD.

type PdsLocation

// PdsLocation is one entry of the ETSI QcPDS statement: where a PKI
// Disclosure Statement can be fetched and the language it is written in.
// The asn1 struct tags fix the expected string types when unmarshalling.
type PdsLocation struct {
	Url      string `asn1:"ia5"`       // PDS URL, encoded as an IA5String
	Language string `asn1:"printable"` // language code, encoded as a PrintableString
}

type RawRDNSequence

// RawRDNSequence is an X.501 RDNSequence (the Name of an issuer or subject)
// whose attribute values are kept undecoded; each element is one RDN.
type RawRDNSequence []AttributeTypeAndRawValueSET
