Version: v0.0.0-...-57fe970 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Oct 5, 2020 License: MIT Imports: 13 Imported by: 1



Package pkcs12 allows a user to read in a PKCS12 file and return a private key and public certificates that can be used in both TLS services. The official PKCS12 library is not the friendliest when you have more than 1 public key for the purpose of checking the certificates signing by intermediates and the root CA. This uses a vendored version of the package, as the original cannot accurately decode a Microsoft pkcs12 due to unsupported OIDs, some of which do not have any documentation I can find. These changes are actually based on that has been pending for a review and not the current checked in code.

Usage Note: skipVerify == true makes the assumtion that the first public cert found is the site certificate. While that seems to be the defacto standard, I did not find a reference that says this is always the case.

Note: I haven't tried to push these OID changes up into the repo. I am not an expert on TLS and some of these OIDs are mysterious in nature. I ignore these attributes as they aren't necessary for Go's purpose of serving content or validating certificate signatures. Some are related to OSCP and allowed usages. I do not understand these enough to implement (I can see these have entries in x509.Certificate struct). Some of the Microsoft ones don't have any documentation I can find online.

Note2: There aren't tests here. I've only tested this with certificates I cannot store here and I will need to duplicate this with some throw away certs or bring up a CA in my test code to do the generation. This is more involved than I can deal with right now. Your mileage may vary, as I ain't Brad Fitzpatrick.



This section is empty.


This section is empty.


func FromBytes

func FromBytes(pkcsData []byte, password string, skipVerify bool) (crypto.PrivateKey, []*x509.Certificate, tls.Certificate, error)

FromBytes opens a PKCS12 file represented by pkcsData with password and returnes the PrivateKey, public certificates and a ready made tls.Certificate.

func FromFile

func FromFile(filePath string, password string, skipVerify bool) (crypto.PrivateKey, []*x509.Certificate, tls.Certificate, error)

FromFile opens a PKCS12 file at filePath with password and returns the PrivateKey, public certificates and a ready made tls.Certificate.

func PEMFilesToTLS

func PEMFilesToTLS(keyPath, certPath string) (tls.Certificate, error)

PEMFilesToTLS takes in a private key and certificates in tow files generated by WritePEMFiles() and returns a TLS certificate to use in your service.

func WriteFromFileToPEM

func WriteFromFileToPEM(pkcs12Path string, password string, skipVerify bool, keyPath, certPath string) error

WriteFromFileToPEM writes PEM encoded key and certificate from a PCKS12 file. The certificates are concatenated together. You can use PEMFilesToTLS to read these into a TLS certificate for use. This is useful when you don't want to use the PKCS12 archive in your secret storage and would prefer PEM encoded data. The certPath will store all certificate (minues private key) in the archive, useful for certificate validation with intermediate and root CA public keys.


This section is empty.

Source Files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL