README
¶
TLS Tools for Humans
This repository provides some command line tools and libraries that are intended
to replace some of the common certificate-viewing commands from openssl, such as openssl s_client and openssl x509.
These tools are not intended to perform security functions, such as providing cryptographic primitives or APIs for use in TLS servers.
Installation
You can install all of the tools using:
go get github.com/brcrwilliams/tlstools/cmd/...
readpem
readpem is a tool to retrieve all of the peer certificate PEMs from a remote address.
It takes the address in the form of host:port as a single positional argument.
If no port is given, it will default to port 443.
It will output the certificates to stdout, and can be piped as needed.
Ex: readpem example.com:443 > chain.pem
Use x509meta if you want to see the x509 metadata.
Ex: x509meta --pem chain.pem
readpem will perform certificate verification when reading certificates using the golang standard library ((*x509.Certificate).Verify()).
If certificate verification fails, it will emit a warning, but continue operating as normal.
It does not check certificate revocation.
Example usage
$ readpem github.com
-----BEGIN CERTIFICATE-----
MIIG1TCCBb2gAwIBAgIQBVfICygmg6F7ChFEkylreTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0yMDA1MDUwMDAwMDBaFw0yMjA1MTAxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdp
dGh1Yi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7MrTQ2J6a
nox5KUwrqO9cQ9STO5R4/zBUxxvI5S8bmc0QjWfIVAwHWuT0Bn/H1oS0LM0tTkQm
ARrqN77v9McVB8MWTGsmGQnS/1kQRFuKiYGUHf7iX5pfijbYsOkfb4AiVKysKUNV
UtgVvpJoe5RWURjQp9XDWkeo2DzGHXLcBDadrM8VLC6H1/D9SXdVruxKqduLKR41
Z/6dlSDdeY1gCnhz3Ch1pYbfMfsTCTamw+AtRtwlK3b2rfTHffhowjuzM15UKt+b
rr/cEBlAjQTva8rutYU9K9ONgl+pG2u7Bv516DwmNy8xz9wOjTeOpeh0M9N/ewq8
cgbR87LFaxi1AgMBAAGjggNzMIIDbzAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVk
YqISuFlyOzAdBgNVHQ4EFgQUYwLSXQJf943VWhKedhE2loYsikgwJQYDVR0RBB4w
HIIKZ2l0aHViLmNvbYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5o
dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzYuY3JsMDSg
MqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzYu
Y3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBz
Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3
MHUwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEF
BQcwAoZBaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhp
Z2hBc3N1cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAXwGCisGAQQB
1nkCBAIEggFsBIIBaAFmAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVd
x4QAAAFx5ltprwAABAMARjBEAiAuWGCWxN/M0Ms3KOsqFjDMHT8Aq0SlHfQ68KDg
rVU6AAIgDA+2EB0D5W5r0i4Nhljx6ABlIByzrEdfcxiOD/o6//EAdQAiRUUHWVUk
VpY/oS/x922G4CMmY63AS39dxoNcbuIPAgAAAXHmW2nTAAAEAwBGMEQCIBp+XQKa
UDiPHwjBxdv5qvgyALKaysKqMF60gqem8iPRAiAk9Dp5+VBUXfSHqyW+tVShUigh
ndopccf8Gs21KJ4jXgB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7UiwXl
AAABceZbahsAAAQDAEcwRQIgd/5HcxT4wfNV8zavwxjYkw2TYBAuRCcqp1SjWKFn
4EoCIQDHSTHxnbpxWFbP6v5Y6nGFZCDjaHgd9HrzUv2J/DaacDANBgkqhkiG9w0B
AQsFAAOCAQEAhjKPnBW4r+jR3gg6RA5xICTW/A5YMcyqtK0c1QzFr8S7/l+skGpC
yCHrJfFrLDeyKqgabvLRT6YvvM862MGfMMDsk+sKWtzLbDIcYG7sbviGpU+gtG1q
B0ohWNApfWWKyNpquqvwdSEzAEBvhcUT5idzbK7q45bQU9vBIWgQz+PYULAU7KmY
z7jOYV09o22TNMQT+hFmo92+EBlwSeIETYEsHy5ZxixTRTvu9hP00CyEbiht5OTK
5EiJG6vsIh/uEtRsdenMCxV06W2f20Af4iSFo0uk6c1ryHefh08FcwA4pSNUaPyi
Pb8YGQ6o/blejFzo/OSiUnDueafSJ0p6SQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
cPUeybQ=
-----END CERTIFICATE-----
x509meta
x509meta is a reimplementation of openssl x509, with several improvements:
- JSON output
- The
--remoteflag can be used to retrieve certificate metadata directly from a remote server - Can read multiple PEMs at a time
- Greatly simplified usage (5 options compared to
openssl x509's 53 options)
It operates in three modes:
--remote host:port- Reads certificates from a remote server. By default, it will only output the server certificate. Any additonal peer certificates can also be shown by passing the--chainflag.--pem file- Reads one or more certificate PEMs from a file and outputs the x509 metadata.--der file- Reads a DER encoded certificate from a file and outputs the x509 metadata.
--pem and --der can also read from stdin by givin them - as a value.
Ex:
echo '<pem>' | x509meta --pem -
x509meta will perform certificate verification when operating in --remote mode using the golang standard library ((*x509.Certificate).Verify()).
If certificate verification fails, it will emit a warning, but continue operating as normal.
It does not check certificate revocation.
Example Usage
$ x509meta --remote github.com
{
"Version": 3,
"SerialNumber": "05:57:c8:0b:28:26:83:a1:7b:0a:11:44:93:29:6b:79",
"Issuer": "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"Subject": "CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US",
"Validity": {
"NotAfter": "May 10 12:00:00 2022 UTC",
"NotBefore": "May 5 00:00:00 2020 UTC"
},
"SubjectPublicKeyInfo": {
"PublicKeyAlgorithm": "RSA",
"Parameters": {
"KeySize": 2048,
"Modulus": "bb:32:b4:d0:d8:9e:9a:9e:8c:79:29:4c:2b:a8:ef:5c:43:d4:93:3b:94:78:ff:30:54:c7:1b:c8:e5:2f:1b:99:cd:10:8d:67:c8:54:0c:07:5a:e4:f4:06:7f:c7:d6:84:b4:2c:cd:2d:4e:44:26:01:1a:ea:37:be:ef:f4:c7:15:07:c3:16:4c:6b:26:19:09:d2:ff:59:10:44:5b:8a:89:81:94:1d:fe:e2:5f:9a:5f:8a:36:d8:b0:e9:1f:6f:80:22:54:ac:ac:29:43:55:52:d8:15:be:92:68:7b:94:56:51:18:d0:a7:d5:c3:5a:47:a8:d8:3c:c6:1d:72:dc:04:36:9d:ac:cf:15:2c:2e:87:d7:f0:fd:49:77:55:ae:ec:4a:a9:db:8b:29:1e:35:67:fe:9d:95:20:dd:79:8d:60:0a:78:73:dc:28:75:a5:86:df:31:fb:13:09:36:a6:c3:e0:2d:46:dc:25:2b:76:f6:ad:f4:c7:7d:f8:68:c2:3b:b3:33:5e:54:2a:df:9b:ae:bf:dc:10:19:40:8d:04:ef:6b:ca:ee:b5:85:3d:2b:d3:8d:82:5f:a9:1b:6b:bb:06:fe:75:e8:3c:26:37:2f:31:cf:dc:0e:8d:37:8e:a5:e8:74:33:d3:7f:7b:0a:bc:72:06:d1:f3:b2:c5:6b:18:b5",
"Exponent": 65537
}
},
"X509v3Extensions": {
"KeyUsage": [
"Digital Signature",
"Key Encipherment"
],
"ExtendedKeyUsage": [
"Server Auth",
"Client Auth"
],
"BasicConstraints": {
"CA": false,
"MaxPathLength": -1
},
"SubjectKeyIdentifier": "63:02:d2:5d:02:5f:f7:8d:d5:5a:12:9e:76:11:36:96:86:2c:8a:48",
"AuthorityKeyIdentifier": "51:68:ff:90:af:02:07:75:3c:cc:d9:65:64:62:a2:12:b8:59:72:3b"
},
"AuthorityInformation": {
"OCSP": [
"http://ocsp.digicert.com"
],
"CAIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt"
]
},
"SubjectAlternativeNames": [
"DNS:github.com",
"DNS:www.github.com"
],
"CertificatePolicies": [
"2.16.840.1.114412.1.1",
"2.23.140.1.2.2"
],
"CRLDistributionPoints": [
"http://crl3.digicert.com/sha2-ha-server-g6.crl",
"http://crl4.digicert.com/sha2-ha-server-g6.crl"
],
"SignatureAlgorithm": "SHA256-RSA",
"Signature": "86:32:8f:9c:15:b8:af:e8:d1:de:08:3a:44:0e:71:20:24:d6:fc:0e:58:31:cc:aa:b4:ad:1c:d5:0c:c5:af:c4:bb:fe:5f:ac:90:6a:42:c8:21:eb:25:f1:6b:2c:37:b2:2a:a8:1a:6e:f2:d1:4f:a6:2f:bc:cf:3a:d8:c1:9f:30:c0:ec:93:eb:0a:5a:dc:cb:6c:32:1c:60:6e:ec:6e:f8:86:a5:4f:a0:b4:6d:6a:07:4a:21:58:d0:29:7d:65:8a:c8:da:6a:ba:ab:f0:75:21:33:00:40:6f:85:c5:13:e6:27:73:6c:ae:ea:e3:96:d0:53:db:c1:21:68:10:cf:e3:d8:50:b0:14:ec:a9:98:cf:b8:ce:61:5d:3d:a3:6d:93:34:c4:13:fa:11:66:a3:dd:be:10:19:70:49:e2:04:4d:81:2c:1f:2e:59:c6:2c:53:45:3b:ee:f6:13:f4:d0:2c:84:6e:28:6d:e4:e4:ca:e4:48:89:1b:ab:ec:22:1f:ee:12:d4:6c:75:e9:cc:0b:15:74:e9:6d:9f:db:40:1f:e2:24:85:a3:4b:a4:e9:cd:6b:c8:77:9f:87:4f:05:73:00:38:a5:23:54:68:fc:a2:3d:bf:18:19:0e:a8:fd:b9:5e:8c:5c:e8:fc:e4:a2:52:70:ee:79:a7:d2:27:4a:7a:49"
}
$ readpem github.com > chain.pem
$ x509meta --pem chain.pem
[
{
"Version": 3,
"SerialNumber": "05:57:c8:0b:28:26:83:a1:7b:0a:11:44:93:29:6b:79",
"Issuer": "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"Subject": "CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US",
"Validity": {
"NotAfter": "May 10 12:00:00 2022 UTC",
"NotBefore": "May 5 00:00:00 2020 UTC"
},
"SubjectPublicKeyInfo": {
"PublicKeyAlgorithm": "RSA",
"Parameters": {
"KeySize": 2048,
"Modulus": "bb:32:b4:d0:d8:9e:9a:9e:8c:79:29:4c:2b:a8:ef:5c:43:d4:93:3b:94:78:ff:30:54:c7:1b:c8:e5:2f:1b:99:cd:10:8d:67:c8:54:0c:07:5a:e4:f4:06:7f:c7:d6:84:b4:2c:cd:2d:4e:44:26:01:1a:ea:37:be:ef:f4:c7:15:07:c3:16:4c:6b:26:19:09:d2:ff:59:10:44:5b:8a:89:81:94:1d:fe:e2:5f:9a:5f:8a:36:d8:b0:e9:1f:6f:80:22:54:ac:ac:29:43:55:52:d8:15:be:92:68:7b:94:56:51:18:d0:a7:d5:c3:5a:47:a8:d8:3c:c6:1d:72:dc:04:36:9d:ac:cf:15:2c:2e:87:d7:f0:fd:49:77:55:ae:ec:4a:a9:db:8b:29:1e:35:67:fe:9d:95:20:dd:79:8d:60:0a:78:73:dc:28:75:a5:86:df:31:fb:13:09:36:a6:c3:e0:2d:46:dc:25:2b:76:f6:ad:f4:c7:7d:f8:68:c2:3b:b3:33:5e:54:2a:df:9b:ae:bf:dc:10:19:40:8d:04:ef:6b:ca:ee:b5:85:3d:2b:d3:8d:82:5f:a9:1b:6b:bb:06:fe:75:e8:3c:26:37:2f:31:cf:dc:0e:8d:37:8e:a5:e8:74:33:d3:7f:7b:0a:bc:72:06:d1:f3:b2:c5:6b:18:b5",
"Exponent": 65537
}
},
"X509v3Extensions": {
"KeyUsage": [
"Digital Signature",
"Key Encipherment"
],
"ExtendedKeyUsage": [
"Server Auth",
"Client Auth"
],
"BasicConstraints": {
"CA": false,
"MaxPathLength": -1
},
"SubjectKeyIdentifier": "63:02:d2:5d:02:5f:f7:8d:d5:5a:12:9e:76:11:36:96:86:2c:8a:48",
"AuthorityKeyIdentifier": "51:68:ff:90:af:02:07:75:3c:cc:d9:65:64:62:a2:12:b8:59:72:3b"
},
"AuthorityInformation": {
"OCSP": [
"http://ocsp.digicert.com"
],
"CAIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt"
]
},
"SubjectAlternativeNames": [
"DNS:github.com",
"DNS:www.github.com"
],
"CertificatePolicies": [
"2.16.840.1.114412.1.1",
"2.23.140.1.2.2"
],
"CRLDistributionPoints": [
"http://crl3.digicert.com/sha2-ha-server-g6.crl",
"http://crl4.digicert.com/sha2-ha-server-g6.crl"
],
"SignatureAlgorithm": "SHA256-RSA",
"Signature": "86:32:8f:9c:15:b8:af:e8:d1:de:08:3a:44:0e:71:20:24:d6:fc:0e:58:31:cc:aa:b4:ad:1c:d5:0c:c5:af:c4:bb:fe:5f:ac:90:6a:42:c8:21:eb:25:f1:6b:2c:37:b2:2a:a8:1a:6e:f2:d1:4f:a6:2f:bc:cf:3a:d8:c1:9f:30:c0:ec:93:eb:0a:5a:dc:cb:6c:32:1c:60:6e:ec:6e:f8:86:a5:4f:a0:b4:6d:6a:07:4a:21:58:d0:29:7d:65:8a:c8:da:6a:ba:ab:f0:75:21:33:00:40:6f:85:c5:13:e6:27:73:6c:ae:ea:e3:96:d0:53:db:c1:21:68:10:cf:e3:d8:50:b0:14:ec:a9:98:cf:b8:ce:61:5d:3d:a3:6d:93:34:c4:13:fa:11:66:a3:dd:be:10:19:70:49:e2:04:4d:81:2c:1f:2e:59:c6:2c:53:45:3b:ee:f6:13:f4:d0:2c:84:6e:28:6d:e4:e4:ca:e4:48:89:1b:ab:ec:22:1f:ee:12:d4:6c:75:e9:cc:0b:15:74:e9:6d:9f:db:40:1f:e2:24:85:a3:4b:a4:e9:cd:6b:c8:77:9f:87:4f:05:73:00:38:a5:23:54:68:fc:a2:3d:bf:18:19:0e:a8:fd:b9:5e:8c:5c:e8:fc:e4:a2:52:70:ee:79:a7:d2:27:4a:7a:49"
},
{
"Version": 3,
"SerialNumber": "04:e1:e7:a4:dc:5c:f2:f3:6d:c0:2b:42:b8:5d:15:9f",
"Issuer": "CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"Subject": "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
"Validity": {
"NotAfter": "Oct 22 12:00:00 2028 UTC",
"NotBefore": "Oct 22 12:00:00 2013 UTC"
},
"SubjectPublicKeyInfo": {
"PublicKeyAlgorithm": "RSA",
"Parameters": {
"KeySize": 2048,
"Modulus": "b6:e0:2f:c2:24:06:c8:6d:04:5f:d7:ef:0a:64:06:b2:7d:22:26:65:16:ae:42:40:9b:ce:dc:9f:9f:76:07:3e:c3:30:55:87:19:b9:4f:94:0e:5a:94:1f:55:56:b4:c2:02:2a:af:d0:98:ee:0b:40:d7:c4:d0:3b:72:c8:14:9e:ef:90:b1:11:a9:ae:d2:c8:b8:43:3a:d9:0b:0b:d5:d5:95:f5:40:af:c8:1d:ed:4d:9c:5f:57:b7:86:50:68:99:f5:8a:da:d2:c7:05:1f:a8:97:c9:dc:a4:b1:82:84:2d:c6:ad:a5:9c:c7:19:82:a6:85:0f:5e:44:58:2a:37:8f:fd:35:f1:0b:08:27:32:5a:f5:bb:8b:9e:a4:bd:51:d0:27:e2:dd:3b:42:33:a3:05:28:c4:bb:28:cc:9a:ac:2b:23:0d:78:c6:7b:e6:5e:71:b7:4a:3e:08:fb:81:b7:16:16:a1:9d:23:12:4d:e5:d7:92:08:ac:75:a4:9c:ba:cd:17:b2:1e:44:35:65:7f:53:25:39:d1:1c:0a:9a:63:1b:19:92:74:68:0a:37:c2:c2:52:48:cb:39:5a:a2:b6:e1:5d:c1:dd:a0:20:b8:21:a2:93:26:6f:14:4a:21:41:c7:ed:6d:9b:f2:48:2f:f3:03:f5:a2:68:92:53:2f:5e:e3",
"Exponent": 65537
}
},
"X509v3Extensions": {
"KeyUsage": [
"CRL Sign",
"Cert Sign",
"Digital Signature"
],
"ExtendedKeyUsage": [
"Server Auth",
"Client Auth"
],
"BasicConstraints": {
"CA": true,
"MaxPathLength": 0
},
"SubjectKeyIdentifier": "51:68:ff:90:af:02:07:75:3c:cc:d9:65:64:62:a2:12:b8:59:72:3b",
"AuthorityKeyIdentifier": "b1:3e:c3:69:03:f8:bf:47:01:d4:98:26:1a:08:02:ef:63:64:2b:c3"
},
"AuthorityInformation": {
"OCSP": [
"http://ocsp.digicert.com"
],
"CAIssuers": null
},
"SubjectAlternativeNames": [],
"CertificatePolicies": [
"2.5.29.32.0"
],
"CRLDistributionPoints": [
"http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl"
],
"SignatureAlgorithm": "SHA256-RSA",
"Signature": "18:8a:95:89:03:e6:6d:df:5c:fc:1d:68:ea:4a:8f:83:d6:51:2f:8d:6b:44:16:9e:ac:63:f5:d2:6e:6c:84:99:8b:aa:81:71:84:5b:ed:34:4e:b0:b7:79:92:29:cc:2d:80:6a:f0:8e:20:e1:79:a4:fe:03:47:13:ea:f5:86:ca:59:71:7d:f4:04:96:6b:d3:59:58:3d:fe:d3:31:25:5c:18:38:84:a3:e6:9f:82:fd:8c:5b:98:31:4e:cd:78:9e:1a:fd:85:cb:49:aa:f2:27:8b:99:72:fc:3e:aa:d5:41:0b:da:d5:36:a1:bf:1c:6e:47:49:7f:5e:d9:48:7c:03:d9:fd:8b:49:a0:98:26:42:40:eb:d6:92:11:a4:64:0a:57:54:c4:f5:1d:d6:02:5e:6b:ac:ee:c4:80:9a:12:72:fa:56:93:d7:ff:bf:30:85:06:30:bf:0b:7f:4e:ff:57:05:9d:24:ed:85:c3:2b:fb:a6:75:a8:ac:2d:16:ef:7d:79:27:b2:eb:c2:9d:0b:07:ea:aa:85:d3:01:a3:20:28:41:59:43:28:d2:81:e3:aa:f6:ec:7b:3b:77:b6:40:62:80:05:41:45:01:ef:17:06:3e:de:c0:33:9b:67:d3:61:2e:72:87:e4:69:fc:12:00:57:40:1e:70:f5:1e:c9:b4"
}
]
Library
The CLI tools are wrappers around a public API. You can read the reference docs on pkg.go.dev.
Documentation
¶
Index ¶
- func Dial(addr string) ([]*x509.Certificate, error)
- func ReadDER(reader io.Reader) (*x509.Certificate, error)
- func ReadPEM(reader io.Reader) ([]*x509.Certificate, error)
- func WritePEM(out io.Writer, cert *x509.Certificate) error
- func WriteX509Meta(out io.Writer, cert *x509.Certificate) error
- func WriteX509Metas(out io.Writer, certs []*x509.Certificate) error
- type AuthorityInformation
- type BasicConstraints
- type OpenSSLFormat
- type SubjectPublicKeyInfo
- type Validity
- type X509v3Extensions
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Dial ¶
func Dial(addr string) ([]*x509.Certificate, error)
Dial opens a TLS connection to the given address over TCP, and returns the peer certificates. It will return an error if there was an error opening the TLS connection.
func ReadDER ¶
func ReadDER(reader io.Reader) (*x509.Certificate, error)
ReadDER will a DER-encoded certificate from reader and parse it into an *x509.Certificate. It expects the input to contain only one certificate, since DER does not have delimiters.
Example ¶
package main
import (
"encoding/hex"
"fmt"
"os"
"github.com/brcrwilliams/tlstools"
)
func main() {
f, err := os.Open("/path/to/cert.der")
if err != nil {
panic(err)
}
defer f.Close()
cert, err := tlstools.ReadDER(f)
if err != nil {
panic(err)
}
fmt.Printf("Serial: %s\n", hex.EncodeToString(cert.SerialNumber.Bytes()))
}
Output:
func ReadPEM ¶
func ReadPEM(reader io.Reader) ([]*x509.Certificate, error)
ReadPEM will read PEM-encoded certificates from reader and then parse them into *x509.Certificates. It will return an error if the input contains non-certificate PEMs, or if one of the PEMs is invalid.
Example ¶
package main
import (
"encoding/hex"
"fmt"
"os"
"github.com/brcrwilliams/tlstools"
)
func main() {
f, err := os.Open("/path/to/cert.pem")
if err != nil {
panic(err)
}
defer f.Close()
certs, err := tlstools.ReadPEM(f)
if err != nil {
panic(err)
}
for _, cert := range certs {
fmt.Printf("Serial: %s\n", hex.EncodeToString(cert.SerialNumber.Bytes()))
}
}
Output:
func WritePEM ¶
func WritePEM(out io.Writer, cert *x509.Certificate) error
WritePEM encodes the given certificate to PEM and writes it to out.
func WriteX509Meta ¶
func WriteX509Meta(out io.Writer, cert *x509.Certificate) error
WriteX509Meta takes an *x509.Certificate and writes the x509 metadata to out in OpenSSL JSON format.
func WriteX509Metas ¶
func WriteX509Metas(out io.Writer, certs []*x509.Certificate) error
WriteX509Metas takes a slice of *x509.Certificates and writes the x509 metadata to out in OpenSSL JSON format.
Types ¶
type AuthorityInformation ¶
AuthorityInformation is... only grouped here because that's what openssl does.
type BasicConstraints ¶
type BasicConstraints struct {
CA bool
MaxPathLength int
// contains filtered or unexported fields
}
BasicConstraints represents the Basic Constraints extension.
func (*BasicConstraints) MarshalJSON ¶
func (b *BasicConstraints) MarshalJSON() ([]byte, error)
MarshalJSON converts the BasicConstraints into JSON. If MatxPathLength is nil, then it will be ommitted.
func (*BasicConstraints) MaxPathIsNil ¶
func (b *BasicConstraints) MaxPathIsNil() bool
MaxPathIsNil is used to determine if MaxPathLength is zero or unset.
type OpenSSLFormat ¶
type OpenSSLFormat struct {
Version int
SerialNumber string
Issuer string
Subject string
Validity *Validity
SubjectPublicKeyInfo *SubjectPublicKeyInfo
X509v3Extensions *X509v3Extensions
SignatureAlgorithm string
Signature string
}
OpenSSLFormat is a transformation of x509.Certificate. It's intended to output JSON which looks similar to the output of `openssl x509 -text`.
func CertToOpenSSL ¶
func CertToOpenSSL(cert *x509.Certificate) *OpenSSLFormat
CertToOpenSSL converts an *x509.Certificate into OpenSSLFormat.
type SubjectPublicKeyInfo ¶
type SubjectPublicKeyInfo struct {
PublicKeyAlgorithm string
Parameters interface{}
}
SubjectPublicKeyInfo contains information about the certificate public key.
type Validity ¶
Validity contains the NotBefore and NotAfter timestamps.
func (*Validity) MarshalJSON ¶
MarshalJSON turns Valdity into a JSON object, with the timestamps in "Jan 2 15:04:05 2006 MST" format.
type X509v3Extensions ¶
type X509v3Extensions struct {
KeyUsage []string
ExtendedKeyUsage []string
BasicConstraints *BasicConstraints
SubjectKeyIdentifier string
AuthorityKeyIdentifier string
AuthorityInformation *AuthorityInformation
SubjectAlternativeNames []string
CertificatePolicies []string
CRLDistributionPoints []string
}
X509v3Extensions contains the x509 v3 Extenions
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.