x509

package
v0.0.0-...-182c8bd Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 10, 2019 License: Apache-2.0, ISC Imports: 35 Imported by: 0

Documentation

Overview

Package x509 parses X.509-encoded keys and certificates.

Index

Examples

Constants

View Source 
const (
	OID_EKU_APPLE_CODE_SIGNING                 = "1.2.840.113635.100.4.1"
	OID_EKU_APPLE_CRYPTO_ENV                   = "1.2.840.113635.100.4.5"
	OID_EKU_MICROSOFT_SYSTEM_HEALTH_LOOPHOLE   = "1.3.6.1.4.1.311.47.1.3"
	OID_EKU_ANY                                = "2.5.29.37.0"
	OID_EKU_APPLE_CRYPTO_MAINTENANCE_ENV       = "1.2.840.113635.100.4.5.2"
	OID_EKU_IPSEC_TUNNEL                       = "1.3.6.1.5.5.7.3.6"
	OID_EKU_MICROSOFT_LIFETIME_SIGNING         = "1.3.6.1.4.1.311.10.3.13"
	OID_EKU_MICROSOFT_CSP_SIGNATURE            = "1.3.6.1.4.1.311.10.3.16"
	OID_EKU_MICROSOFT_SGC_SERIALIZED           = "1.3.6.1.4.1.311.10.3.3.1"
	OID_EKU_SBGP_CERT_AA_SERVICE_AUTH          = "1.3.6.1.5.5.7.3.11"
	OID_EKU_EAP_OVER_LAN                       = "1.3.6.1.5.5.7.3.14"
	OID_EKU_APPLE_SYSTEM_IDENTITY              = "1.2.840.113635.100.4.4"
	OID_EKU_MICROSOFT_KEY_RECOVERY_3           = "1.3.6.1.4.1.311.10.3.11"
	OID_EKU_MICROSOFT_CERT_TRUST_LIST_SIGNING  = "1.3.6.1.4.1.311.10.3.1"
	OID_EKU_MICROSOFT_DRM                      = "1.3.6.1.4.1.311.10.5.1"
	OID_EKU_MICROSOFT_LICENSES                 = "1.3.6.1.4.1.311.10.5.3"
	OID_EKU_MICROSOFT_LICENSE_SERVER           = "1.3.6.1.4.1.311.10.5.4"
	OID_EKU_MICROSOFT_ENROLLMENT_AGENT         = "1.3.6.1.4.1.311.20.2.1"
	OID_EKU_APPLE_SOFTWARE_UPDATE_SIGNING      = "1.2.840.113635.100.4.1.2"
	OID_EKU_APPLE_CRYPTO_TEST_ENV              = "1.2.840.113635.100.4.5.3"
	OID_EKU_MICROSOFT_EMBEDDED_NT_CRYPTO       = "1.3.6.1.4.1.311.10.3.8"
	OID_EKU_MICROSOFT_DRM_INDIVIDUALIZATION    = "1.3.6.1.4.1.311.10.5.2"
	OID_EKU_MICROSOFT_KEY_RECOVERY_21          = "1.3.6.1.4.1.311.21.6"
	OID_EKU_EAP_OVER_PPP                       = "1.3.6.1.5.5.7.3.13"
	OID_EKU_OCSP_SIGNING                       = "1.3.6.1.5.5.7.3.9"
	OID_EKU_APPLE_CRYPTO_PRODUCTION_ENV        = "1.2.840.113635.100.4.5.1"
	OID_EKU_APPLE_CRYPTO_TIER1_QOS             = "1.2.840.113635.100.4.6.2"
	OID_EKU_CLIENT_AUTH                        = "1.3.6.1.5.5.7.3.2"
	OID_EKU_APPLE_CRYPTO_DEVELOPMENT_ENV       = "1.2.840.113635.100.4.5.4"
	OID_EKU_APPLE_CRYPTO_TIER0_QOS             = "1.2.840.113635.100.4.6.1"
	OID_EKU_APPLE_CRYPTO_TIER2_QOS             = "1.2.840.113635.100.4.6.3"
	OID_EKU_MICROSOFT_MOBILE_DEVICE_SOFTWARE   = "1.3.6.1.4.1.311.10.3.14"
	OID_EKU_MICROSOFT_NT5_CRYPTO               = "1.3.6.1.4.1.311.10.3.6"
	OID_EKU_CODE_SIGNING                       = "1.3.6.1.5.5.7.3.3"
	OID_EKU_APPLE_CODE_SIGNING_THIRD_PARTY     = "1.2.840.113635.100.4.1.3"
	OID_EKU_MICROSOFT_TIMESTAMP_SIGNING        = "1.3.6.1.4.1.311.10.3.2"
	OID_EKU_APPLE_CODE_SIGNING_DEVELOPMENT     = "1.2.840.113635.100.4.1.1"
	OID_EKU_APPLE_CRYPTO_QOS                   = "1.2.840.113635.100.4.6"
	OID_EKU_MICROSOFT_DOCUMENT_SIGNING         = "1.3.6.1.4.1.311.10.3.12"
	OID_EKU_MICROSOFT_ENCRYPTED_FILE_SYSTEM    = "1.3.6.1.4.1.311.10.3.4"
	OID_EKU_MICROSOFT_WHQL_CRYPTO              = "1.3.6.1.4.1.311.10.3.5"
	OID_EKU_MICROSOFT_ROOT_LIST_SIGNER         = "1.3.6.1.4.1.311.10.3.9"
	OID_EKU_MICROSOFT_SYSTEM_HEALTH            = "1.3.6.1.4.1.311.47.1.1"
	OID_EKU_TIME_STAMPING                      = "1.3.6.1.5.5.7.3.8"
	OID_EKU_NETSCAPE_SERVER_GATED_CRYPTO       = "2.16.840.1.113730.4.1"
	OID_EKU_APPLE_CRYPTO_TIER3_QOS             = "1.2.840.113635.100.4.6.4"
	OID_EKU_MICROSOFT_SMART_DISPLAY            = "1.3.6.1.4.1.311.10.3.15"
	OID_EKU_MICROSOFT_EFS_RECOVERY             = "1.3.6.1.4.1.311.10.3.4.1"
	OID_EKU_MICROSOFT_KERNEL_MODE_CODE_SIGNING = "1.3.6.1.4.1.311.61.1.1"
	OID_EKU_SERVER_AUTH                        = "1.3.6.1.5.5.7.3.1"
	OID_EKU_IPSEC_END_SYSTEM                   = "1.3.6.1.5.5.7.3.5"
	OID_EKU_IPSEC_USER                         = "1.3.6.1.5.5.7.3.7"
	OID_EKU_MICROSOFT_QUALIFIED_SUBORDINATE    = "1.3.6.1.4.1.311.10.3.10"
	OID_EKU_APPLE_RESOURCE_SIGNING             = "1.2.840.113635.100.4.1.4"
	OID_EKU_MICROSOFT_OEM_WHQL_CRYPTO          = "1.3.6.1.4.1.311.10.3.7"
	OID_EKU_MICROSOFT_SMARTCARD_LOGON          = "1.3.6.1.4.1.311.20.2.2"
	OID_EKU_EMAIL_PROTECTION                   = "1.3.6.1.5.5.7.3.4"
	OID_EKU_MICROSOFT_SERVER_GATED_CRYPTO      = "1.3.6.1.4.1.311.10.3.3"
	OID_EKU_MICROSOFT_CA_EXCHANGE              = "1.3.6.1.4.1.311.21.5"
	OID_EKU_DVCS                               = "1.3.6.1.5.5.7.3.10"
	OID_EKU_APPLE_ICHAT_SIGNING                = "1.2.840.113635.100.4.2"
	OID_EKU_APPLE_ICHAT_ENCRYPTION             = "1.2.840.113635.100.4.3"
)

Variables

View Source 
var DomainValidationOIDs = map[string]interface{}{

	"1.3.6.1.4.1.4146.1.10.10": nil,

	"1.3.6.1.4.1.44947.1.1.1": nil,

	"1.3.6.1.4.1.6449.1.2.2.10": nil,

	"1.3.6.1.4.1.6449.1.2.2.15": nil,

	"1.3.6.1.4.1.6449.1.2.2.16": nil,

	"1.3.6.1.4.1.6449.1.2.2.17": nil,

	"1.3.6.1.4.1.6449.1.2.2.18": nil,

	"1.3.6.1.4.1.6449.1.2.2.19": nil,

	"1.3.6.1.4.1.6449.1.2.2.21": nil,

	"1.3.6.1.4.1.6449.1.2.2.22": nil,

	"1.3.6.1.4.1.6449.1.2.2.24": nil,

	"1.3.6.1.4.1.6449.1.2.2.25": nil,

	"1.3.6.1.4.1.6449.1.2.2.26": nil,

	"1.3.6.1.4.1.6449.1.2.2.27": nil,

	"1.3.6.1.4.1.6449.1.2.2.28": nil,

	"1.3.6.1.4.1.6449.1.2.2.29": nil,

	"1.3.6.1.4.1.6449.1.2.2.31": nil,

	"1.3.6.1.4.1.6449.1.2.2.35": nil,

	"1.3.6.1.4.1.6449.1.2.2.37": nil,

	"1.3.6.1.4.1.6449.1.2.2.38": nil,

	"1.3.6.1.4.1.6449.1.2.2.39": nil,

	"1.3.6.1.4.1.6449.1.2.2.40": nil,

	"1.3.6.1.4.1.6449.1.2.2.41": nil,

	"1.3.6.1.4.1.6449.1.2.2.42": nil,

	"1.3.6.1.4.1.6449.1.2.2.44": nil,

	"1.3.6.1.4.1.6449.1.2.2.45": nil,

	"1.3.6.1.4.1.6449.1.2.2.47": nil,

	"1.3.6.1.4.1.6449.1.2.2.49": nil,

	"1.3.6.1.4.1.6449.1.2.2.50": nil,

	"1.3.6.1.4.1.6449.1.2.2.51": nil,

	"1.3.6.1.4.1.6449.1.2.2.52": nil,

	"1.3.6.1.4.1.6449.1.2.2.53": nil,

	"1.3.6.1.4.1.6449.1.2.2.54": nil,

	"1.3.6.1.4.1.6449.1.2.2.7": nil,

	"1.3.6.1.4.1.6449.1.2.2.8": nil,

	"2.16.840.1.114412.1.2": nil,

	"2.16.840.1.114413.1.7.23.1": nil,

	"2.16.840.1.114414.1.7.23.1": nil,

	"2.23.140.1.2.1": nil,
}

DomainValidationOIDs contain OIDs that identify DV certs.

View Source 
var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")

ErrUnsupportedAlgorithm results from attempting to perform an operation that involves algorithms that are not currently implemented.

View Source 
var ExtendedValidationOIDs = map[string]interface{}{

	"2.23.140.1.1": nil,

	"2.23.140.1.3": nil,

	"2.23.140.1.31": nil,

	"1.3.6.1.4.1.17326.10.14.2.1.2": nil,
	"1.3.6.1.4.1.17326.10.14.2.2.2": nil,

	"1.3.6.1.4.1.17326.10.8.12.1.2": nil,
	"1.3.6.1.4.1.17326.10.8.12.2.2": nil,

	"1.3.159.1.17.1": nil,

	"1.3.6.1.4.1.34697.2.1": nil,

	"1.3.6.1.4.1.34697.2.2": nil,

	"1.3.6.1.4.1.34697.2.3": nil,

	"1.3.6.1.4.1.34697.2.4": nil,

	"1.3.6.1.4.1.13177.10.1.3.10": nil,

	"2.16.578.1.26.1.3.3": nil,

	"1.3.6.1.4.1.36305.2": nil,

	"1.3.6.1.4.1.22234.2.5.2.3.1": nil,

	"1.2.616.1.113527.2.5.1.1": nil,

	"1.3.6.1.4.1.29836.1.10": nil,

	"1.3.6.1.4.1.6449.1.2.1.5.1": nil,

	"1.3.6.1.4.1.6334.1.100.1": nil,

	"2.16.840.1.114412.2.1": nil,

	"1.3.6.1.4.1.4788.2.202.1": nil,

	"2.16.840.1.114028.10.1.2": nil,

	"2.16.792.3.0.4.1.1.4": nil,

	"1.3.6.1.4.1.14370.1.6": nil,

	"1.3.6.1.4.1.4146.1.1": nil,

	"2.16.840.1.114413.1.7.23.3": nil,

	"1.3.6.1.4.1.14777.6.1.1": nil,
	"1.3.6.1.4.1.14777.6.1.2": nil,

	"1.3.6.1.4.1.782.1.2.1.8.1": nil,

	"1.3.6.1.4.1.8024.0.2.100.1.2": nil,

	"2.16.840.1.114404.1.1.2.4.1": nil,

	"1.2.392.200091.100.721.1": nil,

	"2.16.528.1.1003.1.2.7": nil,

	"1.3.6.1.4.1.23223.1.1.1": nil,

	"2.16.840.1.114414.1.7.23.3": nil,

	"2.16.840.1.114414.1.7.24.3": nil,

	"2.16.756.1.89.1.2.1.1": nil,

	"2.16.756.1.83.21.0": nil,

	"2.16.840.1.113733.1.7.48.1": nil,

	"1.3.6.1.4.1.40869.1.1.22.3": nil,

	"1.3.6.1.4.1.7879.13.24.1": nil,

	"2.16.840.1.113733.1.7.23.6": nil,

	"2.16.840.1.114171.500.9": nil,

	"2.16.156.112554.3": nil,

	"2.16.756.5.14.7.4.8": nil,

	"2.16.792.3.0.3.1.1.5": nil,
}

ExtendedValidationOIDs contains the UNION of Chromium (https://chromium.googlesource.com/chromium/src/net/+/master/cert/ev_root_ca_metadata.cc) and Firefox (http://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp) EV OID lists

View Source 
var IncorrectPasswordError = errors.New("x509: decryption password incorrect")

IncorrectPasswordError is returned when an incorrect password is detected.

View Source 
var OrganizationValidationOIDs = map[string]interface{}{

	"2.23.140.1.2.2": nil,

	"2.23.140.1.2.3": nil,

	"2.16.840.1.114412.1.1": nil,

	"1.3.6.1.4.1.4788.2.200.1": nil,

	"2.16.840.1.114413.1.7.23.2": nil,

	"2.16.528.1.1003.1.2.5.6": nil,

	"1.3.6.1.4.1.8024.0.2.100.1.1": nil,

	"2.16.840.1.114414.1.7.23.2": nil,

	"2.16.792.3.0.3.1.1.2": nil,
}

OrganizationValidationOIDs contains CA specific OV OIDs from https://cabforum.org/object-registry/

Functions

func AddDSAPublicKeyToKeyMap 

func AddDSAPublicKeyToKeyMap(keyMap map[string]interface{}, key *dsa.PublicKey)

func AddECDSAPublicKeyToKeyMap 

func AddECDSAPublicKeyToKeyMap(keyMap map[string]interface{}, key *ecdsa.PublicKey)

func CheckSignatureFromKey 

func CheckSignatureFromKey(publicKey interface{}, algo SignatureAlgorithm, signed, signature []byte) (err error)

func CreateCertificate 

func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interface{}, priv interface{}) (cert []byte, err error)

CreateCertificate creates a new certificate based on a template. The following members of template are used: SerialNumber, Subject, NotBefore, NotAfter, KeyUsage, ExtKeyUsage, UnknownExtKeyUsage, BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId, DNSNames, NameConstraintsCritical, PermittedDNSNames, ExcludedDNSNames, PermittedEmailAddresses, ExcludedEmailAddresses, PermittedIPAddresses, ExcludedIPAddresses, PermittedDirectoryNames, ExcludedDirectoryNames, SignatureAlgorithm.

The certificate is signed by parent. If parent is equal to template then the certificate is self-signed. The parameter pub is the public key of the signee and priv is the private key of the signer.

The returned slice is the certificate in DER encoding.

The only supported key types are RSA and ECDSA (*rsa.PublicKey or *ecdsa.PublicKey for pub, *rsa.PrivateKey or *ecdsa.PrivateKey for priv).

func CreateCertificateRequest 

func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error)

CreateCertificateRequest creates a new certificate based on a template. The following members of template are used: Subject, Attributes, SignatureAlgorithm, Extensions, DNSNames, EmailAddresses, and IPAddresses. The private key is the private key of the signer.

The returned slice is the certificate request in DER encoding.

The only supported key types are RSA (*rsa.PrivateKey) and ECDSA (*ecdsa.PrivateKey).

func DecryptPEMBlock 

func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)

DecryptPEMBlock takes a password encrypted PEM block and the password used to encrypt it and returns a slice of decrypted DER encoded bytes. It inspects the DEK-Info header to determine the algorithm used for decryption. If no DEK-Info header is present, an error is returned. If an incorrect password is detected an IncorrectPasswordError is returned.

func EncryptPEMBlock 

func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)

EncryptPEMBlock returns a PEM block of the specified type holding the given DER-encoded data encrypted with the specified algorithm and password.

func IsEncryptedPEMBlock 

func IsEncryptedPEMBlock(b *pem.Block) bool

IsEncryptedPEMBlock returns if the PEM block is password encrypted.

func MarshalECPrivateKey 

func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)

MarshalECPrivateKey marshals an EC private key into ASN.1, DER format.

func MarshalPKCS1PrivateKey 

func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte

MarshalPKCS1PrivateKey converts a private key to ASN.1 DER encoded form.

func MarshalPKIXPublicKey 

func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)

MarshalPKIXPublicKey serialises a public key to DER-encoded PKIX format.

func ParseCRL 

func ParseCRL(crlBytes []byte) (certList *pkix.CertificateList, err error)

ParseCRL parses a CRL from the given bytes. It's often the case that PEM encoded CRLs will appear where they should be DER encoded, so this function will transparently handle PEM encoding as long as there isn't any leading garbage.

func ParseDERCRL 

func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error)

ParseDERCRL parses a DER encoded CRL from the given bytes.

func ParseECPrivateKey 

func ParseECPrivateKey(der []byte) (key *ecdsa.PrivateKey, err error)

ParseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.

func ParsePKCS1PrivateKey 

func ParsePKCS1PrivateKey(der []byte) (key *rsa.PrivateKey, err error)

ParsePKCS1PrivateKey returns an RSA private key from its ASN.1 PKCS#1 DER encoded form.

func ParsePKCS8PrivateKey 

func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)

ParsePKCS8PrivateKey parses an unencrypted, PKCS#8 private key. See http://www.rsa.com/rsalabs/node.asp?id=2130 and RFC5208.

func ParsePKIXPublicKey 

func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)

ParsePKIXPublicKey parses a DER encoded public key. These values are typically found in PEM blocks with "BEGIN PUBLIC KEY".

Types

type AugmentedECDSA 

type AugmentedECDSA struct {
	Pub *ecdsa.PublicKey
	Raw asn1.BitString
}

type AuthorityInfoAccess 

type AuthorityInfoAccess struct {
	OCSPServer            []string `json:"ocsp_urls,omitempty"`
	IssuingCertificateURL []string `json:"issuer_urls,omitempty"`
}

TODO pull out other types

type BasicConstraints 

type BasicConstraints struct {
	IsCA       bool `json:"is_ca"`
	MaxPathLen *int `json:"max_path_len,omitempty"`
}

type CRLDistributionPoints 

type CRLDistributionPoints []string

type CertPool 

type CertPool struct {
	// contains filtered or unexported fields
}

CertPool is a set of certificates.

func NewCertPool 

func NewCertPool() *CertPool

NewCertPool returns a new, empty CertPool.

func SystemCertPool 

func SystemCertPool() (*CertPool, error)

SystemCertPool returns a copy of the system cert pool.

Any mutations to the returned pool are not written to disk and do not affect any other pool.

func (*CertPool) AddCert 

func (s *CertPool) AddCert(cert *Certificate)

AddCert adds a certificate to a pool.

func (*CertPool) AppendCertsFromPEM 

func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. It appends any certificates found to s and returns true if ALL certificates were successfully parsed.

On many Linux systems, /etc/ssl/cert.pem will contain the system wide set of root CAs in a format suitable for this function.

func (*CertPool) Certificates 

func (s *CertPool) Certificates() []*Certificate

Certificates returns a list of parsed certificates in the pool.

func (*CertPool) Contains 

func (s *CertPool) Contains(c *Certificate) bool

Contains returns true if c is in s.

func (*CertPool) Covers 

func (s *CertPool) Covers(pool *CertPool) bool

Covers returns true if all certs in pool are in s.

func (*CertPool) Size 

func (s *CertPool) Size() int

Size returns the number of unique certificates in the CertPool.

func (*CertPool) Subjects 

func (s *CertPool) Subjects() (res [][]byte)

Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.

func (*CertPool) Sum 

func (s *CertPool) Sum(other *CertPool) (sum *CertPool)

Sum returns the union of two certificate pools as a new certificate pool.

type CertValidationLevel 

type CertValidationLevel int

The string functions for CertValidationLevel are auto-generated via `go generate <full_path_to_x509_package>` or running `go generate` in the package directory 

const (
	UnknownValidationLevel CertValidationLevel = 0
	DV                     CertValidationLevel = 1
	OV                     CertValidationLevel = 2
	EV                     CertValidationLevel = 3
)

func (*CertValidationLevel) MarshalJSON 

func (c *CertValidationLevel) MarshalJSON() ([]byte, error)

func (CertValidationLevel) String 

func (i CertValidationLevel) String() string

type Certificate 

type Certificate struct {
	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
	RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
	RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
	RawSubject              []byte // DER encoded Subject
	RawIssuer               []byte // DER encoded Issuer

	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm
	SelfSigned         bool

	SignatureAlgorithmOID asn1.ObjectIdentifier

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{}

	PublicKeyAlgorithmOID asn1.ObjectIdentifier

	Version             int
	SerialNumber        *big.Int
	Issuer              pkix.Name
	Subject             pkix.Name
	NotBefore, NotAfter time.Time // Validity bounds.
	ValidityPeriod      int
	KeyUsage            KeyUsage

	IssuerUniqueId  asn1.BitString
	SubjectUniqueId asn1.BitString

	// Extensions contains raw X.509 extensions. When parsing certificates,
	// this can be used to extract non-critical extensions that are not
	// parsed by this package. When marshaling certificates, the Extensions
	// field is ignored, see ExtraExtensions.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any
	// marshaled certificates. Values override any extensions that would
	// otherwise be produced based on the other fields. The ExtraExtensions
	// field is not populated when parsing certificates, see Extensions.
	ExtraExtensions []pkix.Extension

	// UnhandledCriticalExtensions contains a list of extension IDs that
	// were not (fully) processed when parsing. Verify will fail if this
	// slice is non-empty, unless verification is delegated to an OS
	// library which understands all the critical extensions.
	//
	// Users can access these extensions using Extensions and can remove
	// elements from this slice if they believe that they have been
	// handled.
	UnhandledCriticalExtensions []asn1.ObjectIdentifier

	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
	UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.

	BasicConstraintsValid bool // if true then the next two fields are valid.
	IsCA                  bool
	MaxPathLen            int
	// MaxPathLenZero indicates that BasicConstraintsValid==true and
	// MaxPathLen==0 should be interpreted as an actual Max path length
	// of zero. Otherwise, that combination is interpreted as MaxPathLen
	// not being set.
	MaxPathLenZero bool

	SubjectKeyId   []byte
	AuthorityKeyId []byte

	// RFC 5280, 4.2.2.1 (Authority Information Access)
	OCSPServer            []string
	IssuingCertificateURL []string

	// Subject Alternate Name values
	OtherNames     []pkix.OtherName
	DNSNames       []string
	EmailAddresses []string
	DirectoryNames []pkix.Name
	EDIPartyNames  []pkix.EDIPartyName
	URIs           []string
	IPAddresses    []net.IP
	RegisteredIDs  []asn1.ObjectIdentifier

	// Issuer Alternative Name values
	IANOtherNames     []pkix.OtherName
	IANDNSNames       []string
	IANEmailAddresses []string
	IANDirectoryNames []pkix.Name
	IANEDIPartyNames  []pkix.EDIPartyName
	IANURIs           []string
	IANIPAddresses    []net.IP
	IANRegisteredIDs  []asn1.ObjectIdentifier

	// Certificate Policies values
	QualifierId          [][]asn1.ObjectIdentifier
	CPSuri               [][]string
	ExplicitTexts        [][]asn1.RawValue
	NoticeRefOrgnization [][]asn1.RawValue
	NoticeRefNumbers     [][]NoticeNumber

	ParsedExplicitTexts         [][]string
	ParsedNoticeRefOrganization [][]string

	// Name constraints
	NameConstraintsCritical bool // if true then the name constraints are marked critical.
	PermittedDNSNames       []GeneralSubtreeString
	ExcludedDNSNames        []GeneralSubtreeString
	PermittedEmailAddresses []GeneralSubtreeString
	ExcludedEmailAddresses  []GeneralSubtreeString
	PermittedIPAddresses    []GeneralSubtreeIP
	ExcludedIPAddresses     []GeneralSubtreeIP
	PermittedDirectoryNames []GeneralSubtreeName
	ExcludedDirectoryNames  []GeneralSubtreeName
	PermittedEdiPartyNames  []GeneralSubtreeEdi
	ExcludedEdiPartyNames   []GeneralSubtreeEdi
	PermittedRegisteredIDs  []GeneralSubtreeOid
	ExcludedRegisteredIDs   []GeneralSubtreeOid
	PermittedX400Addresses  []GeneralSubtreeRaw
	ExcludedX400Addresses   []GeneralSubtreeRaw

	// CRL Distribution Points
	CRLDistributionPoints []string

	PolicyIdentifiers []asn1.ObjectIdentifier
	ValidationLevel   CertValidationLevel

	// Fingerprints
	FingerprintMD5    CertificateFingerprint
	FingerprintSHA1   CertificateFingerprint
	FingerprintSHA256 CertificateFingerprint
	FingerprintNoCT   CertificateFingerprint

	// SPKI
	SPKIFingerprint           CertificateFingerprint
	SPKISubjectFingerprint    CertificateFingerprint
	TBSCertificateFingerprint CertificateFingerprint

	IsPrecert bool

	// CT
	SignedCertificateTimestampList []*ct.SignedCertificateTimestamp
	// contains filtered or unexported fields
}

A Certificate represents an X.509 certificate.

func ParseCertificate 

func ParseCertificate(asn1Data []byte) (*Certificate, error)

ParseCertificate parses a single certificate from the given ASN.1 DER data.

func ParseCertificates 

func ParseCertificates(asn1Data []byte) ([]*Certificate, error)

ParseCertificates parses one or more certificates from the given ASN.1 DER data. The certificates must be concatenated with no intermediate padding.

func ParseTBSCertificate 

func ParseTBSCertificate(asn1Data []byte) (*Certificate, error)

func (*Certificate) CheckCRLSignature 

func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) (err error)

CheckCRLSignature checks that the signature in crl is from c.

func (*Certificate) CheckSignature 

func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) (err error)

CheckSignature verifies that signature is a valid signature over signed from c's public key.

func (*Certificate) CheckSignatureFrom 

func (c *Certificate) CheckSignatureFrom(parent *Certificate) (err error)

CheckSignatureFrom verifies that the signature on c is a valid signature from parent.

func (*Certificate) CreateCRL 

func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)

CreateCRL returns a DER encoded CRL, signed by this Certificate, that contains the given list of revoked certificates.

The only supported key type is RSA (*rsa.PrivateKey for priv).

func (*Certificate) Equal 

func (c *Certificate) Equal(other *Certificate) bool

Equal returns true if the two certificates have byte-equal Raw values.

func (*Certificate) GetParsedDNSNames 

func (c *Certificate) GetParsedDNSNames(invalidateCache bool) []ParsedDomainName

GetParsedDNSNames returns a list of parsed SAN DNS names. It is used to cache the parsing result and speed up zlint linters. If invalidateCache is true, then the cache is repopulated with current list of string from Certificate.DNSNames. This parameter should always be false, unless the Certificate.DNSNames have been modified after calling GetParsedDNSNames the previous time.

func (*Certificate) GetParsedSubjectCommonName 

func (c *Certificate) GetParsedSubjectCommonName(invalidateCache bool) ParsedDomainName

GetParsedCommonName returns parsed subject CommonName. It is used to cache the parsing result and speed up zlint linters. If invalidateCache is true, then the cache is repopulated with current subject CommonName. This parameter should always be false, unless the Certificate.Subject.CommonName have been modified after calling GetParsedSubjectCommonName the previous time.

func (*Certificate) MarshalJSON 

func (c *Certificate) MarshalJSON() ([]byte, error)

func (*Certificate) PublicKeyAlgorithmName 

func (c *Certificate) PublicKeyAlgorithmName() string

func (*Certificate) SignatureAlgorithmName 

func (c *Certificate) SignatureAlgorithmName() string

func (*Certificate) SubjectAndKey 

func (c *Certificate) SubjectAndKey() *SubjectAndKey

SubjectAndKey returns a SubjectAndKey for this certificate.

func (*Certificate) TimeInValidityPeriod 

func (c *Certificate) TimeInValidityPeriod(t time.Time) bool

TimeInValidityPeriod returns true if NotBefore < t < NotAfter

func (*Certificate) ValidateWithStupidDetail deprecated 

func (c *Certificate) ValidateWithStupidDetail(opts VerifyOptions) (chains []CertificateChain, validation *Validation, err error)

ValidateWithStupidDetail fills out a Validation struct given a leaf certificate and intermediates / roots. If opts.DNSName is set, then it will also check if the domain matches.

Deprecated: Use verifier.Verify() instead.

func (*Certificate) Verify 

func (c *Certificate) Verify(opts VerifyOptions) (current, expired, never []CertificateChain, err error)

Verify attempts to verify c by building one or more chains from c to a certificate in opts.Roots, using certificates in opts.Intermediates if needed. If successful, it returns one or more chains where the first element of the chain is c and the last element is from opts.Roots.

If opts.Roots is nil and system roots are unavailable the returned error will be of type SystemRootsError.

WARNING: this doesn't do any revocation checking.

Example 
package main

import (
	"encoding/pem"

	"github.com/zmap/zcrypto/x509"
)

func main() {
	// Verifying with a custom list of root certificates.

	const rootPEM = `
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----`

	const certPEM = `
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q
5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC
7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAa
BgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUF
BwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
LmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2Nz
cDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAf
BgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisG
AQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29t
L0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+
gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283
TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq
0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoW
RvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOh
yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
-----END CERTIFICATE-----`

	// First, create the set of root certificates. For this example we only
	// have one. It's also possible to omit this in order to use the
	// default root set of the current operating system.
	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
	if !ok {
		panic("failed to parse root certificate")
	}

	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		panic("failed to parse certificate PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse certificate: " + err.Error())
	}

	opts := x509.VerifyOptions{
		DNSName: "mail.google.com",
		Roots:   roots,
	}

	if _, _, _, err := cert.Verify(opts); err != nil {
		panic("failed to verify certificate: " + err.Error())
	}
}

Output:

func (*Certificate) VerifyHostname 

func (c *Certificate) VerifyHostname(h string) error

VerifyHostname returns nil if c is a valid certificate for the named host. Otherwise it returns an error describing the mismatch.

type CertificateChain 

type CertificateChain []*Certificate

CertificateChain is a slice of certificates. The 0'th element is the leaf, and the last element is a root. Successive elements have a child-parent relationship.

func FilterByDate 

func FilterByDate(chains []CertificateChain, now time.Time) (current, expired, never []CertificateChain)

check expirations divides chains into a set of disjoint chains, containing current chains valid now, expired chains that were valid at some point, and the set of chains that were never valid.

func (CertificateChain) AppendToFreshChain 

func (chain CertificateChain) AppendToFreshChain(c *Certificate) CertificateChain

func (CertificateChain) CertificateInChain 

func (chain CertificateChain) CertificateInChain(c *Certificate) bool

CertificateInChain returns true if c is in the chain.

func (CertificateChain) CertificateSubjectAndKeyInChain 

func (chain CertificateChain) CertificateSubjectAndKeyInChain(c *Certificate) bool

CertificateSubjectAndKeyInChain returns true if the SubjectAndKey from c is found in any certificate in the chain.

func (CertificateChain) Range 

func (chain CertificateChain) Range(f func(int, *Certificate))

Range runs a function on each element of chain. It can modify each certificate in place.

func (CertificateChain) SubjectAndKeyInChain 

func (chain CertificateChain) SubjectAndKeyInChain(sk *SubjectAndKey) bool

SubjectAndKeyInChain returns true if the given SubjectAndKey is found in any certificate in the chain.

type CertificateExtensions 

type CertificateExtensions struct {
	KeyUsage                       KeyUsage                         `json:"key_usage,omitempty"`
	BasicConstraints               *BasicConstraints                `json:"basic_constraints,omitempty"`
	SubjectAltName                 *GeneralNames                    `json:"subject_alt_name,omitempty"`
	IssuerAltName                  *GeneralNames                    `json:"issuer_alt_name,omitempty"`
	NameConstraints                *NameConstraints                 `json:"name_constraints,omitempty"`
	CRLDistributionPoints          CRLDistributionPoints            `json:"crl_distribution_points,omitempty"`
	AuthKeyID                      SubjAuthKeyId                    `json:"authority_key_id,omitempty"`
	SubjectKeyID                   SubjAuthKeyId                    `json:"subject_key_id,omitempty"`
	ExtendedKeyUsage               *ExtendedKeyUsageExtension       `json:"extended_key_usage,omitempty"`
	CertificatePolicies            *CertificatePoliciesData         `json:"certificate_policies,omitempty"`
	AuthorityInfoAccess            *AuthorityInfoAccess             `json:"authority_info_access,omitempty"`
	IsPrecert                      IsPrecert                        `json:"ct_poison,omitempty"`
	SignedCertificateTimestampList []*ct.SignedCertificateTimestamp `json:"signed_certificate_timestamps,omitempty"`
}

type CertificateFingerprint 

type CertificateFingerprint []byte

CertificateFingerprint represents a digest/fingerprint of some data. It can easily be encoded to hex and JSON (as a hex string).

func MD5Fingerprint 

func MD5Fingerprint(data []byte) CertificateFingerprint

MD5Fingerprint creates a fingerprint of data using the MD5 hash algorithm.

func SHA1Fingerprint 

func SHA1Fingerprint(data []byte) CertificateFingerprint

SHA1Fingerprint creates a fingerprint of data using the SHA1 hash algorithm.

func SHA256Fingerprint 

func SHA256Fingerprint(data []byte) CertificateFingerprint

SHA256Fingerprint creates a fingerprint of data using the SHA256 hash algorithm.

func SHA512Fingerprint 

func SHA512Fingerprint(data []byte) CertificateFingerprint

SHA512Fingerprint creates a fingerprint of data using the SHA256 hash algorithm.

func (CertificateFingerprint) Equal 

func (f CertificateFingerprint) Equal(other CertificateFingerprint) bool

Equal returns true if the fingerprints are bytewise-equal.

func (CertificateFingerprint) Hex 

func (f CertificateFingerprint) Hex() string

Hex returns the given fingerprint encoded as a hex string.

func (*CertificateFingerprint) MarshalJSON 

func (f *CertificateFingerprint) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface, and marshals the fingerprint as a hex string.

type CertificateInvalidError 

type CertificateInvalidError struct {
	Cert   *Certificate
	Reason InvalidReason
}

CertificateInvalidError results when an odd error occurs. Users of this library probably want to handle all these errors uniformly.

func (CertificateInvalidError) Error 

func (e CertificateInvalidError) Error() string

type CertificatePolicies 

type CertificatePolicies []CertificatePoliciesJSON

type CertificatePoliciesData 

type CertificatePoliciesData struct {
	PolicyIdentifiers     []asn1.ObjectIdentifier
	QualifierId           [][]asn1.ObjectIdentifier
	CPSUri                [][]string
	ExplicitTexts         [][]string
	NoticeRefOrganization [][]string
	NoticeRefNumbers      [][]NoticeNumber
}

func (*CertificatePoliciesData) MarshalJSON 

func (cp *CertificatePoliciesData) MarshalJSON() ([]byte, error)

type CertificatePoliciesJSON 

type CertificatePoliciesJSON struct {
	PolicyIdentifier string           `json:"id,omitempty"`
	CPSUri           []string         `json:"cps,omitempty"`
	UserNotice       []UserNoticeData `json:"user_notice,omitempty"`
}

type CertificateRequest 

type CertificateRequest struct {
	Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
	RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
	RawSubjectPublicKeyInfo  []byte // DER encoded SubjectPublicKeyInfo.
	RawSubject               []byte // DER encoded Subject.

	Version            int
	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{}

	Subject pkix.Name

	// Attributes is a collection of attributes providing
	// additional information about the subject of the certificate.
	// See RFC 2986 section 4.1.
	Attributes []pkix.AttributeTypeAndValueSET

	// Extensions contains raw X.509 extensions. When parsing CSRs, this
	// can be used to extract extensions that are not parsed by this
	// package.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any
	// marshaled CSR. Values override any extensions that would otherwise
	// be produced based on the other fields but are overridden by any
	// extensions specified in Attributes.
	//
	// The ExtraExtensions field is not populated when parsing CSRs, see
	// Extensions.
	ExtraExtensions []pkix.Extension

	// Subject Alternate Name values.
	DNSNames       []string
	EmailAddresses []string
	IPAddresses    []net.IP
}

CertificateRequest represents a PKCS #10, certificate signature request.

func ParseCertificateRequest 

func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)

ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.

type CertificateType 

type CertificateType int

CertificateType represents whether a certificate is a root, intermediate, or leaf. 

const (
	CertificateTypeUnknown      CertificateType = 0
	CertificateTypeLeaf         CertificateType = 1
	CertificateTypeIntermediate CertificateType = 2
	CertificateTypeRoot         CertificateType = 3
)

CertificateType constants. Values should not be considered significant aside from CertificateTypeUnknown is the zero value.

func (CertificateType) MarshalJSON 

func (t CertificateType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. Any unknown integer value is considered the same as CertificateTypeUnknown.

func (*CertificateType) UnmarshalJSON 

func (t *CertificateType) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. Any unknown string is considered the same CertificateTypeUnknown.

type ConstraintViolationError 

type ConstraintViolationError struct{}

ConstraintViolationError results when a requested usage is not permitted by a certificate. For example: checking a signature when the public key isn't a certificate signing key.

func (ConstraintViolationError) Error 

func (ConstraintViolationError) Error() string

type ExtKeyUsage 

type ExtKeyUsage int

ExtKeyUsage represents an extended set of actions that are valid for a given key. Each of the ExtKeyUsage* constants define a unique action. 

const (
	ExtKeyUsageAppleResourceSigning ExtKeyUsage = iota
	ExtKeyUsageMicrosoftOemWhqlCrypto
	ExtKeyUsageMicrosoftSmartcardLogon
	ExtKeyUsageEmailProtection
	ExtKeyUsageMicrosoftServerGatedCrypto
	ExtKeyUsageMicrosoftCaExchange
	ExtKeyUsageDvcs
	ExtKeyUsageAppleIchatSigning
	ExtKeyUsageAppleIchatEncryption
	ExtKeyUsageAppleCodeSigning
	ExtKeyUsageAppleCryptoEnv
	ExtKeyUsageMicrosoftSystemHealthLoophole
	ExtKeyUsageAny
	ExtKeyUsageAppleCryptoMaintenanceEnv
	ExtKeyUsageIpsecTunnel
	ExtKeyUsageMicrosoftLifetimeSigning
	ExtKeyUsageMicrosoftCspSignature
	ExtKeyUsageMicrosoftSgcSerialized
	ExtKeyUsageSbgpCertAaServiceAuth
	ExtKeyUsageEapOverLan
	ExtKeyUsageMicrosoftEnrollmentAgent
	ExtKeyUsageAppleSystemIdentity
	ExtKeyUsageMicrosoftKeyRecovery3
	ExtKeyUsageMicrosoftCertTrustListSigning
	ExtKeyUsageMicrosoftDrm
	ExtKeyUsageMicrosoftLicenses
	ExtKeyUsageMicrosoftLicenseServer
	ExtKeyUsageOcspSigning
	ExtKeyUsageAppleSoftwareUpdateSigning
	ExtKeyUsageAppleCryptoTestEnv
	ExtKeyUsageMicrosoftEmbeddedNtCrypto
	ExtKeyUsageMicrosoftDrmIndividualization
	ExtKeyUsageMicrosoftKeyRecovery21
	ExtKeyUsageEapOverPpp
	ExtKeyUsageAppleCryptoProductionEnv
	ExtKeyUsageAppleCryptoTier1Qos
	ExtKeyUsageClientAuth
	ExtKeyUsageAppleCryptoDevelopmentEnv
	ExtKeyUsageAppleCryptoTier0Qos
	ExtKeyUsageAppleCryptoTier2Qos
	ExtKeyUsageMicrosoftMobileDeviceSoftware
	ExtKeyUsageMicrosoftNt5Crypto
	ExtKeyUsageCodeSigning
	ExtKeyUsageAppleCodeSigningThirdParty
	ExtKeyUsageMicrosoftTimestampSigning
	ExtKeyUsageMicrosoftSystemHealth
	ExtKeyUsageTimeStamping
	ExtKeyUsageAppleCodeSigningDevelopment
	ExtKeyUsageAppleCryptoQos
	ExtKeyUsageMicrosoftDocumentSigning
	ExtKeyUsageMicrosoftEncryptedFileSystem
	ExtKeyUsageMicrosoftWhqlCrypto
	ExtKeyUsageMicrosoftRootListSigner
	ExtKeyUsageNetscapeServerGatedCrypto
	ExtKeyUsageAppleCryptoTier3Qos
	ExtKeyUsageMicrosoftSmartDisplay
	ExtKeyUsageMicrosoftEfsRecovery
	ExtKeyUsageMicrosoftKernelModeCodeSigning
	ExtKeyUsageServerAuth
	ExtKeyUsageIpsecEndSystem
	ExtKeyUsageIpsecUser
	ExtKeyUsageMicrosoftQualifiedSubordinate
)

type ExtendedKeyUsage 

type ExtendedKeyUsage []ExtKeyUsage

type ExtendedKeyUsageExtension 

type ExtendedKeyUsageExtension struct {
	Known   ExtendedKeyUsage
	Unknown []asn1.ObjectIdentifier
}

func (*ExtendedKeyUsageExtension) MarshalJSON 

func (e *ExtendedKeyUsageExtension) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshal interface. The output is a struct of bools, with an additional `Value` field containing the actual OIDs.

func (*ExtendedKeyUsageExtension) UnmarshalJSON 

func (e *ExtendedKeyUsageExtension) UnmarshalJSON(b []byte) error

type GeneralNames 

type GeneralNames struct {
	DirectoryNames []pkix.Name
	DNSNames       []string
	EDIPartyNames  []pkix.EDIPartyName
	EmailAddresses []string
	IPAddresses    []net.IP
	OtherNames     []pkix.OtherName
	RegisteredIDs  []asn1.ObjectIdentifier
	URIs           []string
}

GeneralNames corresponds an X.509 GeneralName defined in Section 4.2.1.6 of RFC 5280. 

GeneralName ::= CHOICE {
     otherName                 [0]  AnotherName,
     rfc822Name                [1]  IA5String,
     dNSName                   [2]  IA5String,
     x400Address               [3]  ORAddress,
     directoryName             [4]  Name,
     ediPartyName              [5]  EDIPartyName,
     uniformResourceIdentifier [6]  IA5String,
     iPAddress                 [7]  OCTET STRING,
     registeredID              [8]  OBJECT IDENTIFIER }

func (*GeneralNames) MarshalJSON 

func (gn *GeneralNames) MarshalJSON() ([]byte, error)

func (*GeneralNames) UnmarshalJSON 

func (gn *GeneralNames) UnmarshalJSON(b []byte) error

type GeneralSubtreeEdi 

type GeneralSubtreeEdi struct {
	Data pkix.EDIPartyName
	Max  int
	Min  int
}

type GeneralSubtreeIP 

type GeneralSubtreeIP struct {
	Data net.IPNet
	Max  int
	Min  int
}

func (*GeneralSubtreeIP) MarshalJSON 

func (g *GeneralSubtreeIP) MarshalJSON() ([]byte, error)

func (*GeneralSubtreeIP) UnmarshalJSON 

func (g *GeneralSubtreeIP) UnmarshalJSON(b []byte) error

type GeneralSubtreeName 

type GeneralSubtreeName struct {
	Data pkix.Name
	Max  int
	Min  int
}

type GeneralSubtreeOid 

type GeneralSubtreeOid struct {
	Data asn1.ObjectIdentifier
	Max  int
	Min  int
}

type GeneralSubtreeRaw 

type GeneralSubtreeRaw struct {
	Data asn1.RawValue
	Max  int
	Min  int
}

type GeneralSubtreeString 

type GeneralSubtreeString struct {
	Data string
	Max  int
	Min  int
}

type HostnameError 

type HostnameError struct {
	Certificate *Certificate
	Host        string
}

HostnameError results when the set of authorized names doesn't match the requested name.

func (HostnameError) Error 

func (h HostnameError) Error() string

type InvalidReason 

type InvalidReason int

InvalidReason is an enumeration of the possible types of CertificateInvalidError 

const (
	// NotAuthorizedToSign results when a certificate is signed by another
	// which isn't marked as a CA certificate.
	NotAuthorizedToSign InvalidReason = iota

	// Expired results when a certificate has expired, based on the time
	// given in the VerifyOptions.
	Expired

	// CANotAuthorizedForThisName results when an intermediate or root
	// certificate has a name constraint which doesn't include the name
	// being checked.
	CANotAuthorizedForThisName

	// CANotAuthorizedForThisEmail results when an intermediate or root
	// certificate has a name constraint which doesn't include the email
	// being checked.
	CANotAuthorizedForThisEmail

	// CANotAuthorizedForThisIP results when an intermediate or root
	// certificate has a name constraint which doesn't include the IP
	// being checked.
	CANotAuthorizedForThisIP

	// CANotAuthorizedForThisDirectory results when an intermediate or root
	// certificate has a name constraint which doesn't include the directory
	// being checked.
	CANotAuthorizedForThisDirectory

	// TooManyIntermediates results when a path length constraint is
	// violated.
	TooManyIntermediates

	// IncompatibleUsage results when the certificate's key usage indicates
	// that it may only be used for a different purpose.
	IncompatibleUsage

	// NeverValid results when the certificate could never have been valid due to
	// some date-related issue, e.g. NotBefore > NotAfter.
	NeverValid

	// IsSelfSigned results when the certificate is self-signed and not a trusted
	// root.
	IsSelfSigned
)

type IsPrecert 

type IsPrecert bool

type KeyUsage 

type KeyUsage int

KeyUsage represents the set of actions that are valid for a given key. It's a bitmap of the KeyUsage* constants. 

const (
	KeyUsageDigitalSignature KeyUsage = 1 << iota
	KeyUsageContentCommitment
	KeyUsageKeyEncipherment
	KeyUsageDataEncipherment
	KeyUsageKeyAgreement
	KeyUsageCertSign
	KeyUsageCRLSign
	KeyUsageEncipherOnly
	KeyUsageDecipherOnly
)

func (KeyUsage) MarshalJSON 

func (k KeyUsage) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*KeyUsage) UnmarshalJSON 

func (k *KeyUsage) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshler interface

type NameConstraints 

type NameConstraints struct {
	Critical bool `json:"critical"`

	PermittedDNSNames       []GeneralSubtreeString
	PermittedEmailAddresses []GeneralSubtreeString
	PermittedIPAddresses    []GeneralSubtreeIP
	PermittedDirectoryNames []GeneralSubtreeName
	PermittedEdiPartyNames  []GeneralSubtreeEdi
	PermittedRegisteredIDs  []GeneralSubtreeOid

	ExcludedEmailAddresses []GeneralSubtreeString
	ExcludedDNSNames       []GeneralSubtreeString
	ExcludedIPAddresses    []GeneralSubtreeIP
	ExcludedDirectoryNames []GeneralSubtreeName
	ExcludedEdiPartyNames  []GeneralSubtreeEdi
	ExcludedRegisteredIDs  []GeneralSubtreeOid
}

func (NameConstraints) MarshalJSON 

func (nc NameConstraints) MarshalJSON() ([]byte, error)

func (*NameConstraints) UnmarshalJSON 

func (nc *NameConstraints) UnmarshalJSON(b []byte) error

type NameConstraintsJSON 

type NameConstraintsJSON struct {
	Critical bool `json:"critical"`

	PermittedDNSNames       []string            `json:"permitted_names,omitempty"`
	PermittedEmailAddresses []string            `json:"permitted_email_addresses,omitempty"`
	PermittedIPAddresses    []GeneralSubtreeIP  `json:"permitted_ip_addresses,omitempty"`
	PermittedDirectoryNames []pkix.Name         `json:"permitted_directory_names,omitempty"`
	PermittedEdiPartyNames  []pkix.EDIPartyName `json:"permitted_edi_party_names,omitempty"`
	PermittedRegisteredIDs  []string            `json:"permitted_registred_id,omitempty"`

	ExcludedDNSNames       []string            `json:"excluded_names,omitempty"`
	ExcludedEmailAddresses []string            `json:"excluded_email_addresses,omitempty"`
	ExcludedIPAddresses    []GeneralSubtreeIP  `json:"excluded_ip_addresses,omitempty"`
	ExcludedDirectoryNames []pkix.Name         `json:"excluded_directory_names,omitempty"`
	ExcludedEdiPartyNames  []pkix.EDIPartyName `json:"excluded_edi_party_names,omitempty"`
	ExcludedRegisteredIDs  []string            `json:"excluded_registred_id,omitempty"`
}

type NoticeNumber 

type NoticeNumber []int

type NoticeReference 

type NoticeReference struct {
	Organization  string       `json:"organization,omitempty"`
	NoticeNumbers NoticeNumber `json:"notice_numbers,omitempty"`
}

type PEMCipher 

type PEMCipher int
const (
	PEMCipherDES PEMCipher
	PEMCipher3DES
	PEMCipherAES128
	PEMCipherAES192
	PEMCipherAES256
)

Possible values for the EncryptPEMBlock encryption algorithm.

type ParsedDomainName 

type ParsedDomainName struct {
	DomainString string
	ParsedDomain *publicsuffix.DomainName
	ParseError   error
}

ParsedDomainName is a structure holding a parsed domain name (CommonName or DNS SAN) and a parsing error.

type PublicKeyAlgorithm 

type PublicKeyAlgorithm int
const (
	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
	RSA
	DSA
	ECDSA
)

func (*PublicKeyAlgorithm) MarshalJSON 

func (p *PublicKeyAlgorithm) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (PublicKeyAlgorithm) String 

func (p PublicKeyAlgorithm) String() string

func (*PublicKeyAlgorithm) UnmarshalJSON 

func (p *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type SignatureAlgorithm 

type SignatureAlgorithm int
const (
	UnknownSignatureAlgorithm SignatureAlgorithm = iota
	MD2WithRSA
	MD5WithRSA
	SHA1WithRSA
	SHA256WithRSA
	SHA384WithRSA
	SHA512WithRSA
	DSAWithSHA1
	DSAWithSHA256
	ECDSAWithSHA1
	ECDSAWithSHA256
	ECDSAWithSHA384
	ECDSAWithSHA512
)

func (*SignatureAlgorithm) MarshalJSON 

func (s *SignatureAlgorithm) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (SignatureAlgorithm) String 

func (s SignatureAlgorithm) String() string

func (*SignatureAlgorithm) UnmarshalJSON 

func (s *SignatureAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshler interface

type SignatureAlgorithmOID 

type SignatureAlgorithmOID asn1.ObjectIdentifier

type SubjAuthKeyId 

type SubjAuthKeyId []byte

func (SubjAuthKeyId) MarshalJSON 

func (kid SubjAuthKeyId) MarshalJSON() ([]byte, error)

type SubjectAndKey 

type SubjectAndKey struct {
	RawSubject              []byte
	RawSubjectPublicKeyInfo []byte
	Fingerprint             CertificateFingerprint
	PublicKey               interface{}
	PublicKeyAlgorithm      PublicKeyAlgorithm
}

SubjectAndKey represents a (subjecty, subject public key info) tuple.

type SystemRootsError 

type SystemRootsError struct{}

SystemRootsError results when we fail to load the system root certificates.

func (SystemRootsError) Error 

func (SystemRootsError) Error() string

type UnhandledCriticalExtension 

type UnhandledCriticalExtension struct {
	// contains filtered or unexported fields
}

UnhandledCriticalExtension results when the certificate contains an unimplemented X.509 extension marked as critical.

func (UnhandledCriticalExtension) Error 

func (h UnhandledCriticalExtension) Error() string

type UnknownAuthorityError 

type UnknownAuthorityError struct {
	// contains filtered or unexported fields
}

UnknownAuthorityError results when the certificate issuer is unknown

func (UnknownAuthorityError) Error 

func (e UnknownAuthorityError) Error() string

type UnknownCertificateExtensions 

type UnknownCertificateExtensions []pkix.Extension

type UserNoticeData 

type UserNoticeData struct {
	ExplicitText    string            `json:"explicit_text,omitempty"`
	NoticeReference []NoticeReference `json:"notice_reference,omitempty"`
}

type Validation 

type Validation struct {
	BrowserTrusted bool   `json:"browser_trusted"`
	BrowserError   string `json:"browser_error,omitempty"`
	MatchesDomain  bool   `json:"matches_domain,omitempty"`
	Domain         string `json:"-"`
}

Validation stores different validation levels for a given certificate

type VerifyOptions 

type VerifyOptions struct {
	DNSName      string
	EmailAddress string
	IPAddress    net.IP

	Intermediates *CertPool
	Roots         *CertPool // if nil, the system roots are used
	CurrentTime   time.Time // if zero, the current time is used
	// KeyUsage specifies which Extended Key Usage values are acceptable.
	// An empty list means ExtKeyUsageServerAuth. Key usage is considered a
	// constraint down the chain which mirrors Windows CryptoAPI behaviour,
	// but not the spec. To accept any key usage, include ExtKeyUsageAny.
	KeyUsages []ExtKeyUsage
}

VerifyOptions contains parameters for Certificate.Verify. It's a structure because other PKIX verification APIs have ended up needing many options.

Source Files

View all Source files

Directories

Path Synopsis
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
 Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
ZIntermediate is a command line utility for verifying a set prospective intermediate certificates against a root store.
 ZIntermediate is a command line utility for verifying a set prospective intermediate certificates against a root store.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.