x509

package
v0.0.0-...-a1f61fb Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 19, 2023 License: Apache-2.0, ISC, MIT Imports: 37 Imported by: 171

README

Originally based on the go/crypto/x509 standard library, this package has now diverged enough that it is no longer updated with direct correspondence to new go releases.

Approximately supports all the features of github.com/golang/go/crypto/x509 package at: branch: release-branch.go1.10 revision: dea961ebd9f871b39b3bdaab32f952037f28cd71

Documentation

Overview

Example (X509_ParseCertificate) 
package main

import (
	"encoding/pem"

	"github.com/zmap/zcrypto/x509"
)

func main() {
	// Verifying with a custom list of root certificates.

	const rootPEM = `
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----`

	const certPEM = `
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q
5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC
7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAa
BgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUF
BwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
LmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2Nz
cDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAf
BgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisG
AQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29t
L0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+
gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283
TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq
0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoW
RvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOh
yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
-----END CERTIFICATE-----`

	// First, create the set of root certificates. For this example we only
	// have one. It's also possible to omit this in order to use the
	// default root set of the current operating system.
	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
	if !ok {
		panic("failed to parse root certificate")
	}

	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		panic("failed to parse certificate PEM")
	}
	_, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse certificate: " + err.Error())
	}
}

Output:

Index

Examples

Constants

View Source 
const (
	OID_EKU_APPLE_CODE_SIGNING                 = "1.2.840.113635.100.4.1"
	OID_EKU_APPLE_CODE_SIGNING_DEVELOPMENT     = "1.2.840.113635.100.4.1.1"
	OID_EKU_APPLE_SOFTWARE_UPDATE_SIGNING      = "1.2.840.113635.100.4.1.2"
	OID_EKU_APPLE_CODE_SIGNING_THIRD_PARTY     = "1.2.840.113635.100.4.1.3"
	OID_EKU_APPLE_RESOURCE_SIGNING             = "1.2.840.113635.100.4.1.4"
	OID_EKU_APPLE_ICHAT_SIGNING                = "1.2.840.113635.100.4.2"
	OID_EKU_APPLE_ICHAT_ENCRYPTION             = "1.2.840.113635.100.4.3"
	OID_EKU_APPLE_SYSTEM_IDENTITY              = "1.2.840.113635.100.4.4"
	OID_EKU_APPLE_CRYPTO_ENV                   = "1.2.840.113635.100.4.5"
	OID_EKU_APPLE_CRYPTO_PRODUCTION_ENV        = "1.2.840.113635.100.4.5.1"
	OID_EKU_APPLE_CRYPTO_MAINTENANCE_ENV       = "1.2.840.113635.100.4.5.2"
	OID_EKU_APPLE_CRYPTO_TEST_ENV              = "1.2.840.113635.100.4.5.3"
	OID_EKU_APPLE_CRYPTO_DEVELOPMENT_ENV       = "1.2.840.113635.100.4.5.4"
	OID_EKU_APPLE_CRYPTO_QOS                   = "1.2.840.113635.100.4.6"
	OID_EKU_APPLE_CRYPTO_TIER0_QOS             = "1.2.840.113635.100.4.6.1"
	OID_EKU_APPLE_CRYPTO_TIER1_QOS             = "1.2.840.113635.100.4.6.2"
	OID_EKU_APPLE_CRYPTO_TIER2_QOS             = "1.2.840.113635.100.4.6.3"
	OID_EKU_APPLE_CRYPTO_TIER3_QOS             = "1.2.840.113635.100.4.6.4"
	OID_EKU_ADOBE_AUTHENTIC_DOCUMENT_TRUST     = "1.2.840.113583.1.1.5"
	OID_EKU_MICROSOFT_CERT_TRUST_LIST_SIGNING  = "1.3.6.1.4.1.311.10.3.1"
	OID_EKU_MICROSOFT_QUALIFIED_SUBORDINATE    = "1.3.6.1.4.1.311.10.3.10"
	OID_EKU_MICROSOFT_KEY_RECOVERY_3           = "1.3.6.1.4.1.311.10.3.11"
	OID_EKU_MICROSOFT_DOCUMENT_SIGNING         = "1.3.6.1.4.1.311.10.3.12"
	OID_EKU_MICROSOFT_LIFETIME_SIGNING         = "1.3.6.1.4.1.311.10.3.13"
	OID_EKU_MICROSOFT_MOBILE_DEVICE_SOFTWARE   = "1.3.6.1.4.1.311.10.3.14"
	OID_EKU_MICROSOFT_SMART_DISPLAY            = "1.3.6.1.4.1.311.10.3.15"
	OID_EKU_MICROSOFT_CSP_SIGNATURE            = "1.3.6.1.4.1.311.10.3.16"
	OID_EKU_MICROSOFT_TIMESTAMP_SIGNING        = "1.3.6.1.4.1.311.10.3.2"
	OID_EKU_MICROSOFT_SERVER_GATED_CRYPTO      = "1.3.6.1.4.1.311.10.3.3"
	OID_EKU_MICROSOFT_SGC_SERIALIZED           = "1.3.6.1.4.1.311.10.3.3.1"
	OID_EKU_MICROSOFT_ENCRYPTED_FILE_SYSTEM    = "1.3.6.1.4.1.311.10.3.4"
	OID_EKU_MICROSOFT_EFS_RECOVERY             = "1.3.6.1.4.1.311.10.3.4.1"
	OID_EKU_MICROSOFT_WHQL_CRYPTO              = "1.3.6.1.4.1.311.10.3.5"
	OID_EKU_MICROSOFT_NT5_CRYPTO               = "1.3.6.1.4.1.311.10.3.6"
	OID_EKU_MICROSOFT_OEM_WHQL_CRYPTO          = "1.3.6.1.4.1.311.10.3.7"
	OID_EKU_MICROSOFT_EMBEDDED_NT_CRYPTO       = "1.3.6.1.4.1.311.10.3.8"
	OID_EKU_MICROSOFT_ROOT_LIST_SIGNER         = "1.3.6.1.4.1.311.10.3.9"
	OID_EKU_MICROSOFT_DRM                      = "1.3.6.1.4.1.311.10.5.1"
	OID_EKU_MICROSOFT_DRM_INDIVIDUALIZATION    = "1.3.6.1.4.1.311.10.5.2"
	OID_EKU_MICROSOFT_LICENSES                 = "1.3.6.1.4.1.311.10.5.3"
	OID_EKU_MICROSOFT_LICENSE_SERVER           = "1.3.6.1.4.1.311.10.5.4"
	OID_EKU_MICROSOFT_ENROLLMENT_AGENT         = "1.3.6.1.4.1.311.20.2.1"
	OID_EKU_MICROSOFT_SMARTCARD_LOGON          = "1.3.6.1.4.1.311.20.2.2"
	OID_EKU_MICROSOFT_CA_EXCHANGE              = "1.3.6.1.4.1.311.21.5"
	OID_EKU_MICROSOFT_KEY_RECOVERY_21          = "1.3.6.1.4.1.311.21.6"
	OID_EKU_MICROSOFT_SYSTEM_HEALTH            = "1.3.6.1.4.1.311.47.1.1"
	OID_EKU_MICROSOFT_SYSTEM_HEALTH_LOOPHOLE   = "1.3.6.1.4.1.311.47.1.3"
	OID_EKU_MICROSOFT_KERNEL_MODE_CODE_SIGNING = "1.3.6.1.4.1.311.61.1.1"
	OID_EKU_SERVER_AUTH                        = "1.3.6.1.5.5.7.3.1"
	OID_EKU_DVCS                               = "1.3.6.1.5.5.7.3.10"
	OID_EKU_SBGP_CERT_AA_SERVICE_AUTH          = "1.3.6.1.5.5.7.3.11"
	OID_EKU_EAP_OVER_PPP                       = "1.3.6.1.5.5.7.3.13"
	OID_EKU_EAP_OVER_LAN                       = "1.3.6.1.5.5.7.3.14"
	OID_EKU_CLIENT_AUTH                        = "1.3.6.1.5.5.7.3.2"
	OID_EKU_CODE_SIGNING                       = "1.3.6.1.5.5.7.3.3"
	OID_EKU_EMAIL_PROTECTION                   = "1.3.6.1.5.5.7.3.4"
	OID_EKU_IPSEC_END_SYSTEM                   = "1.3.6.1.5.5.7.3.5"
	OID_EKU_IPSEC_TUNNEL                       = "1.3.6.1.5.5.7.3.6"
	OID_EKU_IPSEC_USER                         = "1.3.6.1.5.5.7.3.7"
	OID_EKU_TIME_STAMPING                      = "1.3.6.1.5.5.7.3.8"
	OID_EKU_OCSP_SIGNING                       = "1.3.6.1.5.5.7.3.9"
	OID_EKU_IPSEC_INTERMEDIATE_SYSTEM_USAGE    = "1.3.6.1.5.5.8.2.2"
	OID_EKU_NETSCAPE_SERVER_GATED_CRYPTO       = "2.16.840.1.113730.4.1"
	OID_EKU_ANY                                = "2.5.29.37.0"
)

Variables

View Source 
var DomainValidationOIDs = map[string]interface{}{

	"1.3.6.1.4.1.4146.1.10.10": nil,

	"1.3.6.1.4.1.44947.1.1.1": nil,

	"1.3.6.1.4.1.6449.1.2.2.10": nil,

	"1.3.6.1.4.1.6449.1.2.2.15": nil,

	"1.3.6.1.4.1.6449.1.2.2.16": nil,

	"1.3.6.1.4.1.6449.1.2.2.17": nil,

	"1.3.6.1.4.1.6449.1.2.2.18": nil,

	"1.3.6.1.4.1.6449.1.2.2.19": nil,

	"1.3.6.1.4.1.6449.1.2.2.21": nil,

	"1.3.6.1.4.1.6449.1.2.2.22": nil,

	"1.3.6.1.4.1.6449.1.2.2.24": nil,

	"1.3.6.1.4.1.6449.1.2.2.25": nil,

	"1.3.6.1.4.1.6449.1.2.2.26": nil,

	"1.3.6.1.4.1.6449.1.2.2.27": nil,

	"1.3.6.1.4.1.6449.1.2.2.28": nil,

	"1.3.6.1.4.1.6449.1.2.2.29": nil,

	"1.3.6.1.4.1.6449.1.2.2.31": nil,

	"1.3.6.1.4.1.6449.1.2.2.35": nil,

	"1.3.6.1.4.1.6449.1.2.2.37": nil,

	"1.3.6.1.4.1.6449.1.2.2.38": nil,

	"1.3.6.1.4.1.6449.1.2.2.39": nil,

	"1.3.6.1.4.1.6449.1.2.2.40": nil,

	"1.3.6.1.4.1.6449.1.2.2.41": nil,

	"1.3.6.1.4.1.6449.1.2.2.42": nil,

	"1.3.6.1.4.1.6449.1.2.2.44": nil,

	"1.3.6.1.4.1.6449.1.2.2.45": nil,

	"1.3.6.1.4.1.6449.1.2.2.47": nil,

	"1.3.6.1.4.1.6449.1.2.2.49": nil,

	"1.3.6.1.4.1.6449.1.2.2.50": nil,

	"1.3.6.1.4.1.6449.1.2.2.51": nil,

	"1.3.6.1.4.1.6449.1.2.2.52": nil,

	"1.3.6.1.4.1.6449.1.2.2.53": nil,

	"1.3.6.1.4.1.6449.1.2.2.54": nil,

	"1.3.6.1.4.1.6449.1.2.2.7": nil,

	"1.3.6.1.4.1.6449.1.2.2.8": nil,

	"2.16.840.1.114412.1.2": nil,

	"2.16.840.1.114413.1.7.23.1": nil,

	"2.16.840.1.114414.1.7.23.1": nil,

	"2.23.140.1.2.1": nil,
}

DomainValidationOIDs contain OIDs that identify DV certs.

View Source 
var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")

ErrUnsupportedAlgorithm results from attempting to perform an operation that involves algorithms that are not currently implemented.

View Source 
var ExtendedValidationOIDs = map[string]interface{}{

	"2.23.140.1.1": nil,

	"2.23.140.1.3": nil,

	"2.23.140.1.31": nil,

	"1.3.6.1.4.1.17326.10.14.2.1.2": nil,
	"1.3.6.1.4.1.17326.10.14.2.2.2": nil,

	"1.3.6.1.4.1.17326.10.8.12.1.2": nil,
	"1.3.6.1.4.1.17326.10.8.12.2.2": nil,

	"1.3.159.1.17.1": nil,

	"1.3.6.1.4.1.34697.2.1": nil,

	"1.3.6.1.4.1.34697.2.2": nil,

	"1.3.6.1.4.1.34697.2.3": nil,

	"1.3.6.1.4.1.34697.2.4": nil,

	"1.3.6.1.4.1.13177.10.1.3.10": nil,

	"2.16.578.1.26.1.3.3": nil,

	"1.3.6.1.4.1.36305.2": nil,

	"1.3.6.1.4.1.22234.2.5.2.3.1": nil,

	"1.2.616.1.113527.2.5.1.1": nil,

	"1.3.6.1.4.1.29836.1.10": nil,

	"1.3.6.1.4.1.6449.1.2.1.5.1": nil,

	"1.3.6.1.4.1.6334.1.100.1": nil,

	"2.16.840.1.114412.2.1": nil,

	"1.3.6.1.4.1.4788.2.202.1": nil,

	"2.16.840.1.114028.10.1.2": nil,

	"2.16.792.3.0.4.1.1.4": nil,

	"1.3.6.1.4.1.14370.1.6": nil,

	"1.3.6.1.4.1.4146.1.1": nil,

	"2.16.840.1.114413.1.7.23.3": nil,

	"1.3.6.1.4.1.14777.6.1.1": nil,
	"1.3.6.1.4.1.14777.6.1.2": nil,

	"1.3.6.1.4.1.782.1.2.1.8.1": nil,

	"1.3.6.1.4.1.8024.0.2.100.1.2": nil,

	"2.16.840.1.114404.1.1.2.4.1": nil,

	"1.2.392.200091.100.721.1": nil,

	"2.16.528.1.1003.1.2.7": nil,

	"1.3.6.1.4.1.23223.1.1.1": nil,

	"2.16.840.1.114414.1.7.23.3": nil,

	"2.16.840.1.114414.1.7.24.3": nil,

	"2.16.756.1.89.1.2.1.1": nil,

	"2.16.756.1.83.21.0": nil,

	"2.16.840.1.113733.1.7.48.1": nil,

	"1.3.6.1.4.1.40869.1.1.22.3": nil,

	"1.3.6.1.4.1.7879.13.24.1": nil,

	"2.16.840.1.113733.1.7.23.6": nil,

	"2.16.840.1.114171.500.9": nil,

	"2.16.156.112554.3": nil,

	"2.16.756.5.14.7.4.8": nil,

	"2.16.792.3.0.3.1.1.5": nil,
}

ExtendedValidationOIDs contains the UNION of Chromium (https://chromium.googlesource.com/chromium/src/net/+/master/cert/ev_root_ca_metadata.cc) and Firefox (http://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ExtendedValidation.cpp) EV OID lists

View Source 
var IncorrectPasswordError = errors.New("x509: decryption password incorrect")

IncorrectPasswordError is returned when an incorrect password is detected.

View Source 
var OrganizationValidationOIDs = map[string]interface{}{

	"2.23.140.1.2.2": nil,

	"2.23.140.1.2.3": nil,

	"2.16.840.1.114412.1.1": nil,

	"1.3.6.1.4.1.4788.2.200.1": nil,

	"2.16.840.1.114413.1.7.23.2": nil,

	"2.16.528.1.1003.1.2.5.6": nil,

	"1.3.6.1.4.1.8024.0.2.100.1.1": nil,

	"2.16.840.1.114414.1.7.23.2": nil,

	"2.16.792.3.0.3.1.1.2": nil,
}

OrganizationValidationOIDs contains CA specific OV OIDs from https://cabforum.org/object-registry/

Functions

func CheckSignatureFromKey 

func CheckSignatureFromKey(publicKey interface{}, algo SignatureAlgorithm, signed, signature []byte) (err error)

func CreateCertificate 

func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error)

CreateCertificate creates a new certificate based on a template. The following members of template are used: AuthorityKeyId, BasicConstraintsValid, DNSNames, ExcludedDNSDomains, ExtKeyUsage, IsCA, KeyUsage, MaxPathLen, MaxPathLenZero, NotAfter, NotBefore, PermittedDNSDomains, PermittedDNSDomainsCritical, SerialNumber, SignatureAlgorithm, Subject, SubjectKeyId, and UnknownExtKeyUsage.

The certificate is signed by parent. If parent is equal to template then the certificate is self-signed. The parameter pub is the public key of the signee and priv is the private key of the signer.

The returned slice is the certificate in DER encoding.

All keys types that are implemented via crypto.Signer are supported (This includes *rsa.PublicKey and *ecdsa.PublicKey.)

The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any, unless the resulting certificate is self-signed. Otherwise the value from template will be used.

func CreateCertificateRequest 

func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error)

CreateCertificateRequest creates a new certificate request based on a template. The following members of template are used: Attributes, DNSNames, EmailAddresses, ExtraExtensions, IPAddresses, SignatureAlgorithm, and Subject. The private key is the private key of the signer.

The returned slice is the certificate request in DER encoding.

All keys types that are implemented via crypto.Signer are supported (This includes *rsa.PublicKey and *ecdsa.PublicKey.)

func CreateRevocationList 

func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error)

CreateRevocationList creates a new X.509 v2 Certificate Revocation List, according to RFC 5280, based on template.

The CRL is signed by priv which should be the private key associated with the public key in the issuer certificate.

The issuer may not be nil, and the crlSign bit must be set in KeyUsage in order to use it as a CRL issuer.

The issuer distinguished name CRL field and authority key identifier extension are populated using the issuer certificate. issuer must have SubjectKeyId set.

func DecryptPEMBlock 

func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)

DecryptPEMBlock takes a password encrypted PEM block and the password used to encrypt it and returns a slice of decrypted DER encoded bytes. It inspects the DEK-Info header to determine the algorithm used for decryption. If no DEK-Info header is present, an error is returned. If an incorrect password is detected an IncorrectPasswordError is returned. Because of deficiencies in the encrypted-PEM format, it's not always possible to detect an incorrect password. In these cases no error will be returned but the decrypted DER bytes will be random noise.

func EncryptPEMBlock 

func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)

EncryptPEMBlock returns a PEM block of the specified type holding the given DER-encoded data encrypted with the specified algorithm and password.

func GetRSAPublicKeyJSON 

func GetRSAPublicKeyJSON(key *rsa.PublicKey) *jsonKeys.RSAPublicKey

GetRSAPublicKeyJSON - get the jsonKeys.RSAPublicKey for the given standard RSA PublicKey.

func IsEncryptedPEMBlock 

func IsEncryptedPEMBlock(b *pem.Block) bool

IsEncryptedPEMBlock returns if the PEM block is password encrypted.

func MarshalECPrivateKey 

func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)

MarshalECPrivateKey marshals an EC private key into ASN.1, DER format.

func MarshalPKCS1PrivateKey 

func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte

MarshalPKCS1PrivateKey converts a private key to ASN.1 DER encoded form.

func MarshalPKIXPublicKey 

func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)

MarshalPKIXPublicKey serialises a public key to DER-encoded PKIX format.

func ParseCRL 

func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error)

ParseCRL parses a CRL from the given bytes. It's often the case that PEM encoded CRLs will appear where they should be DER encoded, so this function will transparently handle PEM encoding as long as there isn't any leading garbage.

func ParseDERCRL 

func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error)

ParseDERCRL parses a DER encoded CRL from the given bytes.

func ParseECPrivateKey 

func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error)

ParseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.

func ParsePKCS1PrivateKey 

func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error)

ParsePKCS1PrivateKey returns an RSA private key from its ASN.1 PKCS#1 DER encoded form.

func ParsePKCS8PrivateKey 

func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)

ParsePKCS8PrivateKey parses an unencrypted, PKCS#8 private key. See RFC 5208.

func ParsePKIXPublicKey 

func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)

ParsePKIXPublicKey parses a DER encoded public key. These values are typically found in PEM blocks with "BEGIN PUBLIC KEY".

Supported key types include RSA, DSA, and ECDSA. Unknown key types result in an error.

On success, pub will be of type *rsa.PublicKey, *dsa.PublicKey, or *ecdsa.PublicKey.

Types

type AugmentedECDSA 

type AugmentedECDSA struct {
	Pub *ecdsa.PublicKey
	Raw asn1.BitString
}

type AuthorityInfoAccess 

type AuthorityInfoAccess struct {
	OCSPServer            []string `json:"ocsp_urls,omitempty"`
	IssuingCertificateURL []string `json:"issuer_urls,omitempty"`
}

TODO pull out other types

type BasicConstraints 

type BasicConstraints struct {
	IsCA       bool `json:"is_ca"`
	MaxPathLen *int `json:"max_path_len,omitempty"`
}

type CABFOrganizationIDASN 

type CABFOrganizationIDASN struct {
	RegistrationSchemeIdentifier string `asn1:"printable"`
	RegistrationCountry          string `asn1:"printable"`
	RegistrationStateOrProvince  string `asn1:"printable,optional,tag:0"`
	RegistrationReference        string `asn1:"utf8"`
}
    id-CABFOrganizationIdentifier OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) cabf-organization-identifier(1) }

    ext-CABFOrganizationIdentifier EXTENSION ::= { SYNTAX CABFOrganizationIdentifier IDENTIFIED BY id-CABFOrganizationIdentifier }

    CABFOrganizationIdentifier ::= SEQUENCE {

        registrationSchemeIdentifier   PrintableString (SIZE(3)),

        registrationCountry            PrintableString (SIZE(2)),

        registrationStateOrProvince    [0] IMPLICIT PrintableString OPTIONAL (SIZE(0..128)),

        registrationReference          UTF8String

	}

type CABFOrganizationIdentifier 

type CABFOrganizationIdentifier struct {
	Scheme    string `json:"scheme,omitempty"`
	Country   string `json:"country,omitempty"`
	State     string `json:"state,omitempty"`
	Reference string `json:"reference,omitempty"`
}

type CRLDistributionPoints 

type CRLDistributionPoints []string

type CertPool 

type CertPool struct {
	// contains filtered or unexported fields
}

CertPool is a set of certificates.

func NewCertPool 

func NewCertPool() *CertPool

NewCertPool returns a new, empty CertPool.

func (*CertPool) AddCert 

func (s *CertPool) AddCert(cert *Certificate)

AddCert adds a certificate to a pool.

func (*CertPool) AppendCertsFromPEM 

func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. It appends any certificates found to s and reports whether any certificates were successfully parsed.

On many Linux systems, /etc/ssl/cert.pem will contain the system wide set of root CAs in a format suitable for this function.

func (*CertPool) Certificates 

func (s *CertPool) Certificates() []*Certificate

Certificates returns a list of parsed certificates in the pool.

func (*CertPool) Contains 

func (s *CertPool) Contains(c *Certificate) bool

Contains returns true if c is in s.

func (*CertPool) Covers 

func (s *CertPool) Covers(pool *CertPool) bool

Covers returns true if all certs in pool are in s.

func (*CertPool) Size 

func (s *CertPool) Size() int

Size returns the number of unique certificates in the CertPool.

func (*CertPool) Subjects 

func (s *CertPool) Subjects() [][]byte

Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.

func (*CertPool) Sum 

func (s *CertPool) Sum(other *CertPool) (sum *CertPool)

Sum returns the union of two certificate pools as a new certificate pool.

type CertValidationLevel 

type CertValidationLevel int

The string functions for CertValidationLevel are auto-generated via `go generate <full_path_to_x509_package>` or running `go generate` in the package directory 

const (
	UnknownValidationLevel CertValidationLevel = 0
	DV                     CertValidationLevel = 1
	OV                     CertValidationLevel = 2
	EV                     CertValidationLevel = 3
)

func (*CertValidationLevel) MarshalJSON 

func (c *CertValidationLevel) MarshalJSON() ([]byte, error)

func (CertValidationLevel) String 

func (i CertValidationLevel) String() string

type Certificate 

type Certificate struct {
	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
	RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
	RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
	RawSubject              []byte // DER encoded Subject
	RawIssuer               []byte // DER encoded Issuer

	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm

	SelfSigned bool

	SignatureAlgorithmOID asn1.ObjectIdentifier

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{}

	PublicKeyAlgorithmOID asn1.ObjectIdentifier

	Version             int
	SerialNumber        *big.Int
	Issuer              pkix.Name
	Subject             pkix.Name
	NotBefore, NotAfter time.Time // Validity bounds.
	ValidityPeriod      int
	KeyUsage            KeyUsage

	IssuerUniqueId  asn1.BitString
	SubjectUniqueId asn1.BitString

	// Extensions contains raw X.509 extensions. When parsing certificates,
	// this can be used to extract non-critical extensions that are not
	// parsed by this package. When marshaling certificates, the Extensions
	// field is ignored, see ExtraExtensions.
	Extensions []pkix.Extension

	// ExtensionsMap contains raw x.509 extensions keyed by OID (in string
	// representation). It allows fast membership testing of specific OIDs. Like
	// the Extensions field this field is ignored when marshaling certificates. If
	// multiple extensions with the same OID are present only the last
	// pkix.Extension will be in this map. Consult the `Extensions` slice when it
	// is required to process all extensions including duplicates.
	ExtensionsMap map[string]pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any
	// marshaled certificates. Values override any extensions that would
	// otherwise be produced based on the other fields. The ExtraExtensions
	// field is not populated when parsing certificates, see Extensions.
	ExtraExtensions []pkix.Extension

	// UnhandledCriticalExtensions contains a list of extension IDs that
	// were not (fully) processed when parsing. Verify will fail if this
	// slice is non-empty, unless verification is delegated to an OS
	// library which understands all the critical extensions.
	//
	// Users can access these extensions using Extensions and can remove
	// elements from this slice if they believe that they have been
	// handled.
	UnhandledCriticalExtensions []asn1.ObjectIdentifier

	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
	UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.

	BasicConstraintsValid bool // if true then the next two fields are valid.
	IsCA                  bool

	// MaxPathLen and MaxPathLenZero indicate the presence and
	// value of the BasicConstraints' "pathLenConstraint".
	//
	// When parsing a certificate, a positive non-zero MaxPathLen
	// means that the field was specified, -1 means it was unset,
	// and MaxPathLenZero being true mean that the field was
	// explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
	// should be treated equivalent to -1 (unset).
	//
	// When generating a certificate, an unset pathLenConstraint
	// can be requested with either MaxPathLen == -1 or using the
	// zero value for both MaxPathLen and MaxPathLenZero.
	MaxPathLen int
	// MaxPathLenZero indicates that BasicConstraintsValid==true and
	// MaxPathLen==0 should be interpreted as an actual Max path length
	// of zero. Otherwise, that combination is interpreted as MaxPathLen
	// not being set.
	MaxPathLenZero bool

	SubjectKeyId   []byte
	AuthorityKeyId []byte

	// RFC 5280, 4.2.2.1 (Authority Information Access)
	OCSPServer            []string
	IssuingCertificateURL []string

	// Subject Alternate Name values
	OtherNames     []pkix.OtherName
	DNSNames       []string
	EmailAddresses []string
	DirectoryNames []pkix.Name
	EDIPartyNames  []pkix.EDIPartyName
	URIs           []string
	IPAddresses    []net.IP
	RegisteredIDs  []asn1.ObjectIdentifier

	// Issuer Alternative Name values
	IANOtherNames     []pkix.OtherName
	IANDNSNames       []string
	IANEmailAddresses []string
	IANDirectoryNames []pkix.Name
	IANEDIPartyNames  []pkix.EDIPartyName
	IANURIs           []string
	IANIPAddresses    []net.IP
	IANRegisteredIDs  []asn1.ObjectIdentifier

	// Certificate Policies values
	QualifierId          [][]asn1.ObjectIdentifier
	CPSuri               [][]string
	ExplicitTexts        [][]asn1.RawValue
	NoticeRefOrgnization [][]asn1.RawValue
	NoticeRefNumbers     [][]NoticeNumber

	ParsedExplicitTexts         [][]string
	ParsedNoticeRefOrganization [][]string

	// Name constraints
	NameConstraintsCritical bool // if true then the name constraints are marked critical.
	PermittedDNSNames       []GeneralSubtreeString
	ExcludedDNSNames        []GeneralSubtreeString
	PermittedEmailAddresses []GeneralSubtreeString
	ExcludedEmailAddresses  []GeneralSubtreeString
	PermittedURIs           []GeneralSubtreeString
	ExcludedURIs            []GeneralSubtreeString
	PermittedIPAddresses    []GeneralSubtreeIP
	ExcludedIPAddresses     []GeneralSubtreeIP
	PermittedDirectoryNames []GeneralSubtreeName
	ExcludedDirectoryNames  []GeneralSubtreeName
	PermittedEdiPartyNames  []GeneralSubtreeEdi
	ExcludedEdiPartyNames   []GeneralSubtreeEdi
	PermittedRegisteredIDs  []GeneralSubtreeOid
	ExcludedRegisteredIDs   []GeneralSubtreeOid
	PermittedX400Addresses  []GeneralSubtreeRaw
	ExcludedX400Addresses   []GeneralSubtreeRaw

	// FailedToParseNames contains values that are failed to parse,
	// without returning an error.
	FailedToParseNames []asn1.RawValue

	// CRL Distribution Points
	CRLDistributionPoints []string

	PolicyIdentifiers []asn1.ObjectIdentifier
	ValidationLevel   CertValidationLevel

	// Fingerprints
	FingerprintMD5    CertificateFingerprint
	FingerprintSHA1   CertificateFingerprint
	FingerprintSHA256 CertificateFingerprint
	FingerprintNoCT   CertificateFingerprint

	// SPKI
	SPKIFingerprint           CertificateFingerprint
	SPKISubjectFingerprint    CertificateFingerprint
	TBSCertificateFingerprint CertificateFingerprint

	IsPrecert bool

	// CT
	SignedCertificateTimestampList []*ct.SignedCertificateTimestamp

	// QWACS
	CABFOrganizationIdentifier *CABFOrganizationIdentifier
	QCStatements               *QCStatements

	// CAB Forum Tor Service Descriptor Hash Extensions (see EV Guidelines
	// Appendix F)
	TorServiceDescriptors []*TorServiceDescriptorHash
	// contains filtered or unexported fields
}

A Certificate represents an X.509 certificate.

func ParseCertificate 

func ParseCertificate(asn1Data []byte) (*Certificate, error)

ParseCertificate parses a single certificate from the given ASN.1 DER data.

func ParseCertificates 

func ParseCertificates(asn1Data []byte) ([]*Certificate, error)

ParseCertificates parses one or more certificates from the given ASN.1 DER data. The certificates must be concatenated with no intermediate padding.

func ParseTBSCertificate 

func ParseTBSCertificate(asn1Data []byte) (*Certificate, error)

func (*Certificate) CheckCRLSignature 

func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error

CheckCRLSignature checks that the signature in crl is from c.

func (*Certificate) CheckSignature 

func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) (err error)

CheckSignature verifies that signature is a valid signature over signed from c's public key.

func (*Certificate) CheckSignatureFrom 

func (c *Certificate) CheckSignatureFrom(parent *Certificate) (err error)

CheckSignatureFrom verifies that the signature on c is a valid signature from parent.

func (*Certificate) CollectAllNames 

func (c *Certificate) CollectAllNames() []string

CollectAllNames - Collect and validate all DNS / URI / IP Address names for a given certificate

func (*Certificate) CreateCRL 

func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)

CreateCRL returns a DER encoded CRL, signed by this Certificate, that contains the given list of revoked certificates.

func (*Certificate) Equal 

func (c *Certificate) Equal(other *Certificate) bool

func (*Certificate) GetParsedDNSNames 

func (c *Certificate) GetParsedDNSNames(invalidateCache bool) []ParsedDomainName

GetParsedDNSNames returns a list of parsed SAN DNS names. It is used to cache the parsing result and speed up zlint linters. If invalidateCache is true, then the cache is repopulated with current list of string from Certificate.DNSNames. This parameter should always be false, unless the Certificate.DNSNames have been modified after calling GetParsedDNSNames the previous time.

func (*Certificate) GetParsedSubjectCommonName 

func (c *Certificate) GetParsedSubjectCommonName(invalidateCache bool) ParsedDomainName

GetParsedCommonName returns parsed subject CommonName. It is used to cache the parsing result and speed up zlint linters. If invalidateCache is true, then the cache is repopulated with current subject CommonName. This parameter should always be false, unless the Certificate.Subject.CommonName have been modified after calling GetParsedSubjectCommonName the previous time.

func (*Certificate) MarshalJSON 

func (c *Certificate) MarshalJSON() ([]byte, error)

func (*Certificate) PublicKeyAlgorithmName 

func (c *Certificate) PublicKeyAlgorithmName() string

func (*Certificate) SignatureAlgorithmName 

func (c *Certificate) SignatureAlgorithmName() string

func (*Certificate) SubjectAndKey 

func (c *Certificate) SubjectAndKey() *SubjectAndKey

SubjectAndKey returns a SubjectAndKey for this certificate.

func (*Certificate) TimeInValidityPeriod 

func (c *Certificate) TimeInValidityPeriod(t time.Time) bool

TimeInValidityPeriod returns true if NotBefore < t < NotAfter

func (*Certificate) UnmarshalJSON 

func (c *Certificate) UnmarshalJSON(b []byte) error

UnmarshalJSON - intentionally implimented to always error, as this method should not be used. The MarshalJSON method on Certificate condenses data in a way that is not recoverable. Use the x509.ParseCertificate function instead or JSONCertificateWithRaw Marshal method

func (*Certificate) ValidateWithStupidDetail deprecated 

func (c *Certificate) ValidateWithStupidDetail(opts VerifyOptions) (chains []CertificateChain, validation *Validation, err error)

ValidateWithStupidDetail fills out a Validation struct given a leaf certificate and intermediates / roots. If opts.DNSName is set, then it will also check if the domain matches.

Deprecated: Use verifier.Verify() instead.

func (*Certificate) Verify 

func (c *Certificate) Verify(opts VerifyOptions) (current, expired, never []CertificateChain, err error)

Verify attempts to verify c by building one or more chains from c to a certificate in opts.Roots, using certificates in opts.Intermediates if needed. If successful, it returns one or more chains where the first element of the chain is c and the last element is from opts.Roots.

If opts.Roots is nil and system roots are unavailable the returned error will be of type SystemRootsError.

WARNING: this doesn't do any revocation checking.

func (*Certificate) VerifyHostname 

func (c *Certificate) VerifyHostname(h string) error

VerifyHostname returns nil if c is a valid certificate for the named host. Otherwise it returns an error describing the mismatch.

type CertificateChain 

type CertificateChain []*Certificate

CertificateChain is a slice of certificates. The 0'th element is the leaf, and the last element is a root. Successive elements have a child-parent relationship.

func FilterByDate 

func FilterByDate(chains []CertificateChain, now time.Time) (current, expired, never []CertificateChain)

check expirations divides chains into a set of disjoint chains, containing current chains valid now, expired chains that were valid at some point, and the set of chains that were never valid.

func (CertificateChain) AppendToFreshChain 

func (chain CertificateChain) AppendToFreshChain(c *Certificate) CertificateChain

func (CertificateChain) CertificateInChain 

func (chain CertificateChain) CertificateInChain(c *Certificate) bool

CertificateInChain returns true if c is in the chain.

func (CertificateChain) CertificateSubjectAndKeyInChain 

func (chain CertificateChain) CertificateSubjectAndKeyInChain(c *Certificate) bool

CertificateSubjectAndKeyInChain returns true if the SubjectAndKey from c is found in any certificate in the chain.

func (CertificateChain) Range 

func (chain CertificateChain) Range(f func(int, *Certificate))

Range runs a function on each element of chain. It can modify each certificate in place.

func (CertificateChain) SubjectAndKeyInChain 

func (chain CertificateChain) SubjectAndKeyInChain(sk *SubjectAndKey) bool

SubjectAndKeyInChain returns true if the given SubjectAndKey is found in any certificate in the chain.

type CertificateExtensions 

type CertificateExtensions struct {
	KeyUsage                       KeyUsage                         `json:"key_usage,omitempty"`
	BasicConstraints               *BasicConstraints                `json:"basic_constraints,omitempty"`
	SubjectAltName                 *GeneralNames                    `json:"subject_alt_name,omitempty"`
	IssuerAltName                  *GeneralNames                    `json:"issuer_alt_name,omitempty"`
	NameConstraints                *NameConstraints                 `json:"name_constraints,omitempty"`
	CRLDistributionPoints          CRLDistributionPoints            `json:"crl_distribution_points,omitempty"`
	AuthKeyID                      SubjAuthKeyId                    `json:"authority_key_id,omitempty"`
	SubjectKeyID                   SubjAuthKeyId                    `json:"subject_key_id,omitempty"`
	ExtendedKeyUsage               *ExtendedKeyUsageExtension       `json:"extended_key_usage,omitempty"`
	CertificatePolicies            *CertificatePoliciesData         `json:"certificate_policies,omitempty"`
	AuthorityInfoAccess            *AuthorityInfoAccess             `json:"authority_info_access,omitempty"`
	IsPrecert                      IsPrecert                        `json:"ct_poison,omitempty"`
	SignedCertificateTimestampList []*ct.SignedCertificateTimestamp `json:"signed_certificate_timestamps,omitempty"`
	TorServiceDescriptors          []*TorServiceDescriptorHash      `json:"tor_service_descriptors,omitempty"`
	CABFOrganizationIdentifier     *CABFOrganizationIdentifier      `json:"cabf_organization_id,omitempty"`
	QCStatements                   *QCStatements                    `json:"qc_statements,omitempty"`
}

type CertificateFingerprint 

type CertificateFingerprint []byte

CertificateFingerprint represents a digest/fingerprint of some data. It can easily be encoded to hex and JSON (as a hex string).

func MD5Fingerprint 

func MD5Fingerprint(data []byte) CertificateFingerprint

MD5Fingerprint creates a fingerprint of data using the MD5 hash algorithm.

func SHA1Fingerprint 

func SHA1Fingerprint(data []byte) CertificateFingerprint

SHA1Fingerprint creates a fingerprint of data using the SHA1 hash algorithm.

func SHA256Fingerprint 

func SHA256Fingerprint(data []byte) CertificateFingerprint

SHA256Fingerprint creates a fingerprint of data using the SHA256 hash algorithm.

func SHA512Fingerprint 

func SHA512Fingerprint(data []byte) CertificateFingerprint

SHA512Fingerprint creates a fingerprint of data using the SHA256 hash algorithm.

func (CertificateFingerprint) Equal 

func (f CertificateFingerprint) Equal(other CertificateFingerprint) bool

Equal returns true if the fingerprints are bytewise-equal.

func (CertificateFingerprint) Hex 

func (f CertificateFingerprint) Hex() string

Hex returns the given fingerprint encoded as a hex string.

func (*CertificateFingerprint) MarshalJSON 

func (f *CertificateFingerprint) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface, and marshals the fingerprint as a hex string.

type CertificateInvalidError 

type CertificateInvalidError struct {
	Cert   *Certificate
	Reason InvalidReason
}

CertificateInvalidError results when an odd error occurs. Users of this library probably want to handle all these errors uniformly.

func (CertificateInvalidError) Error 

func (e CertificateInvalidError) Error() string

type CertificatePolicies 

type CertificatePolicies []CertificatePoliciesJSON

type CertificatePoliciesData 

type CertificatePoliciesData struct {
	PolicyIdentifiers     []asn1.ObjectIdentifier
	QualifierId           [][]asn1.ObjectIdentifier
	CPSUri                [][]string
	ExplicitTexts         [][]string
	NoticeRefOrganization [][]string
	NoticeRefNumbers      [][]NoticeNumber
}

func (*CertificatePoliciesData) MarshalJSON 

func (cp *CertificatePoliciesData) MarshalJSON() ([]byte, error)

type CertificatePoliciesJSON 

type CertificatePoliciesJSON struct {
	PolicyIdentifier string           `json:"id,omitempty"`
	CPSUri           []string         `json:"cps,omitempty"`
	UserNotice       []UserNoticeData `json:"user_notice,omitempty"`
}

type CertificateRequest 

type CertificateRequest struct {
	Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
	RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
	RawSubjectPublicKeyInfo  []byte // DER encoded SubjectPublicKeyInfo.
	RawSubject               []byte // DER encoded Subject.

	Version            int
	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{}

	Subject pkix.Name

	// Attributes is the dried husk of a bug and shouldn't be used.
	Attributes []pkix.AttributeTypeAndValueSET

	// Extensions contains raw X.509 extensions. When parsing CSRs, this
	// can be used to extract extensions that are not parsed by this
	// package.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any
	// marshaled CSR. Values override any extensions that would otherwise
	// be produced based on the other fields but are overridden by any
	// extensions specified in Attributes.
	//
	// The ExtraExtensions field is not populated when parsing CSRs, see
	// Extensions.
	ExtraExtensions []pkix.Extension

	// Subject Alternate Name values.
	DNSNames       []string
	EmailAddresses []string
	IPAddresses    []net.IP
}

CertificateRequest represents a PKCS #10, certificate signature request.

func ParseCertificateRequest 

func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)

ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.

func (*CertificateRequest) CheckSignature 

func (c *CertificateRequest) CheckSignature() error

CheckSignature reports whether the signature on c is valid.

type CertificateType 

type CertificateType int

CertificateType represents whether a certificate is a root, intermediate, or leaf. 

const (
	CertificateTypeUnknown      CertificateType = 0
	CertificateTypeLeaf         CertificateType = 1
	CertificateTypeIntermediate CertificateType = 2
	CertificateTypeRoot         CertificateType = 3
)

CertificateType constants. Values should not be considered significant aside from CertificateTypeUnknown is the zero value.

func (CertificateType) MarshalJSON 

func (t CertificateType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface. Any unknown integer value is considered the same as CertificateTypeUnknown.

func (*CertificateType) UnmarshalJSON 

func (t *CertificateType) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface. Any unknown string is considered the same CertificateTypeUnknown.

type ConstraintViolationError 

type ConstraintViolationError struct{}

ConstraintViolationError results when a requested usage is not permitted by a certificate. For example: checking a signature when the public key isn't a certificate signing key.

func (ConstraintViolationError) Error 

func (ConstraintViolationError) Error() string

type DSAPublicKeyJSON 

type DSAPublicKeyJSON struct {
	G []byte `json:"g"`
	P []byte `json:"p"`
	Q []byte `json:"q"`
	Y []byte `json:"y"`
}

DSAPublicKeyJSON - used to condense several fields from a DSA public key into one field for use in JSONCertificate. Uses default JSON marshal and unmarshal methods

func GetDSAPublicKeyJSON 

func GetDSAPublicKeyJSON(key *dsa.PublicKey) *DSAPublicKeyJSON

GetDSAPublicKeyJSON - get the DSAPublicKeyJSON for the given standard DSA PublicKey.

type ECDSAPublicKeyJSON 

type ECDSAPublicKeyJSON struct {
	B      []byte `json:"b"`
	Curve  string `json:"curve"`
	Gx     []byte `json:"gx"`
	Gy     []byte `json:"gy"`
	Length int    `json:"length"`
	N      []byte `json:"n"`
	P      []byte `json:"p"`
	Pub    []byte `json:"pub,omitempty"`
	X      []byte `json:"x"`
	Y      []byte `json:"y"`
}

ECDSAPublicKeyJSON - used to condense several fields from a ECDSA public key into one field for use in JSONCertificate. Uses default JSON marshal and unmarshal methods

func GetAugmentedECDSAPublicKeyJSON 

func GetAugmentedECDSAPublicKeyJSON(key *AugmentedECDSA) *ECDSAPublicKeyJSON

GetAugmentedECDSAPublicKeyJSON - get the GetECDSAPublicKeyJSON for the given "augmented" ECDSA PublicKey.

func GetECDSAPublicKeyJSON 

func GetECDSAPublicKeyJSON(key *ecdsa.PublicKey) *ECDSAPublicKeyJSON

GetECDSAPublicKeyJSON - get the GetECDSAPublicKeyJSON for the given standard ECDSA PublicKey.

type ExtKeyUsage 

type ExtKeyUsage int

ExtKeyUsage represents an extended set of actions that are valid for a given key. Each of the ExtKeyUsage* constants define a unique action. 

const (
	ExtKeyUsageAppleCodeSigning ExtKeyUsage = iota
	ExtKeyUsageAppleCodeSigningDevelopment
	ExtKeyUsageAppleSoftwareUpdateSigning
	ExtKeyUsageAppleCodeSigningThirdParty
	ExtKeyUsageAppleResourceSigning
	ExtKeyUsageAppleIchatSigning
	ExtKeyUsageAppleIchatEncryption
	ExtKeyUsageAppleSystemIdentity
	ExtKeyUsageAppleCryptoEnv
	ExtKeyUsageAppleCryptoProductionEnv
	ExtKeyUsageAppleCryptoMaintenanceEnv
	ExtKeyUsageAppleCryptoTestEnv
	ExtKeyUsageAppleCryptoDevelopmentEnv
	ExtKeyUsageAppleCryptoQos
	ExtKeyUsageAppleCryptoTier0Qos
	ExtKeyUsageAppleCryptoTier1Qos
	ExtKeyUsageAppleCryptoTier2Qos
	ExtKeyUsageAppleCryptoTier3Qos
	ExtKeyUsageAdobeAuthenticDocumentTrust
	ExtKeyUsageMicrosoftCertTrustListSigning
	ExtKeyUsageMicrosoftQualifiedSubordinate
	ExtKeyUsageMicrosoftKeyRecovery3
	ExtKeyUsageMicrosoftDocumentSigning
	ExtKeyUsageMicrosoftLifetimeSigning
	ExtKeyUsageMicrosoftMobileDeviceSoftware
	ExtKeyUsageMicrosoftSmartDisplay
	ExtKeyUsageMicrosoftCspSignature
	ExtKeyUsageMicrosoftTimestampSigning
	ExtKeyUsageMicrosoftServerGatedCrypto
	ExtKeyUsageMicrosoftSgcSerialized
	ExtKeyUsageMicrosoftEncryptedFileSystem
	ExtKeyUsageMicrosoftEfsRecovery
	ExtKeyUsageMicrosoftWhqlCrypto
	ExtKeyUsageMicrosoftNt5Crypto
	ExtKeyUsageMicrosoftOemWhqlCrypto
	ExtKeyUsageMicrosoftEmbeddedNtCrypto
	ExtKeyUsageMicrosoftRootListSigner
	ExtKeyUsageMicrosoftDrm
	ExtKeyUsageMicrosoftDrmIndividualization
	ExtKeyUsageMicrosoftLicenses
	ExtKeyUsageMicrosoftLicenseServer
	ExtKeyUsageMicrosoftEnrollmentAgent
	ExtKeyUsageMicrosoftSmartcardLogon
	ExtKeyUsageMicrosoftCaExchange
	ExtKeyUsageMicrosoftKeyRecovery21
	ExtKeyUsageMicrosoftSystemHealth
	ExtKeyUsageMicrosoftSystemHealthLoophole
	ExtKeyUsageMicrosoftKernelModeCodeSigning
	ExtKeyUsageServerAuth
	ExtKeyUsageDvcs
	ExtKeyUsageSbgpCertAaServiceAuth
	ExtKeyUsageEapOverPpp
	ExtKeyUsageEapOverLan
	ExtKeyUsageClientAuth
	ExtKeyUsageCodeSigning
	ExtKeyUsageEmailProtection
	ExtKeyUsageIpsecEndSystem
	ExtKeyUsageIpsecTunnel
	ExtKeyUsageIpsecUser
	ExtKeyUsageTimeStamping
	ExtKeyUsageOcspSigning
	ExtKeyUsageIpsecIntermediateSystemUsage
	ExtKeyUsageNetscapeServerGatedCrypto
	ExtKeyUsageAny
)

type ExtendedKeyUsage 

type ExtendedKeyUsage []ExtKeyUsage

type ExtendedKeyUsageExtension 

type ExtendedKeyUsageExtension struct {
	Known   ExtendedKeyUsage
	Unknown []asn1.ObjectIdentifier
}

func (*ExtendedKeyUsageExtension) MarshalJSON 

func (e *ExtendedKeyUsageExtension) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshal interface. The output is a struct of bools, with an additional `Value` field containing the actual OIDs.

func (*ExtendedKeyUsageExtension) UnmarshalJSON 

func (e *ExtendedKeyUsageExtension) UnmarshalJSON(b []byte) error

type GeneralNames 

type GeneralNames struct {
	DirectoryNames []pkix.Name
	DNSNames       []string
	EDIPartyNames  []pkix.EDIPartyName
	EmailAddresses []string
	IPAddresses    []net.IP
	OtherNames     []pkix.OtherName
	RegisteredIDs  []asn1.ObjectIdentifier
	URIs           []string
}

GeneralNames corresponds an X.509 GeneralName defined in Section 4.2.1.6 of RFC 5280. 

GeneralName ::= CHOICE {
     otherName                 [0]  AnotherName,
     rfc822Name                [1]  IA5String,
     dNSName                   [2]  IA5String,
     x400Address               [3]  ORAddress,
     directoryName             [4]  Name,
     ediPartyName              [5]  EDIPartyName,
     uniformResourceIdentifier [6]  IA5String,
     iPAddress                 [7]  OCTET STRING,
     registeredID              [8]  OBJECT IDENTIFIER }

func (*GeneralNames) MarshalJSON 

func (gn *GeneralNames) MarshalJSON() ([]byte, error)

func (*GeneralNames) UnmarshalJSON 

func (gn *GeneralNames) UnmarshalJSON(b []byte) error

type GeneralSubtreeEdi 

type GeneralSubtreeEdi struct {
	Data pkix.EDIPartyName
	Max  int
	Min  int
}

type GeneralSubtreeIP 

type GeneralSubtreeIP struct {
	Data net.IPNet
	Max  int
	Min  int
}

func (*GeneralSubtreeIP) MarshalJSON 

func (g *GeneralSubtreeIP) MarshalJSON() ([]byte, error)

func (*GeneralSubtreeIP) UnmarshalJSON 

func (g *GeneralSubtreeIP) UnmarshalJSON(b []byte) error

type GeneralSubtreeName 

type GeneralSubtreeName struct {
	Data pkix.Name
	Max  int
	Min  int
}

type GeneralSubtreeOid 

type GeneralSubtreeOid struct {
	Data asn1.ObjectIdentifier
	Max  int
	Min  int
}

type GeneralSubtreeRaw 

type GeneralSubtreeRaw struct {
	Data asn1.RawValue
	Max  int
	Min  int
}

type GeneralSubtreeString 

type GeneralSubtreeString struct {
	Data string
	Max  int
	Min  int
}

type HostnameError 

type HostnameError struct {
	Certificate *Certificate
	Host        string
}

HostnameError results when the set of authorized names doesn't match the requested name.

func (HostnameError) Error 

func (h HostnameError) Error() string

type InsecureAlgorithmError 

type InsecureAlgorithmError SignatureAlgorithm

An InsecureAlgorithmError

func (InsecureAlgorithmError) Error 

func (e InsecureAlgorithmError) Error() string

type InvalidReason 

type InvalidReason int
const (
	// NotAuthorizedToSign results when a certificate is signed by another
	// which isn't marked as a CA certificate.
	NotAuthorizedToSign InvalidReason = iota

	// Expired results when a certificate has expired, based on the time
	// given in the VerifyOptions.
	Expired

	// CANotAuthorizedForThisName results when an intermediate or root
	// certificate has a name constraint which doesn't include the name
	// being checked.
	CANotAuthorizedForThisName

	// CANotAuthorizedForThisEmail results when an intermediate or root
	// certificate has a name constraint which doesn't include the email
	// being checked.
	CANotAuthorizedForThisEmail

	// CANotAuthorizedForThisIP results when an intermediate or root
	// certificate has a name constraint which doesn't include the IP
	// being checked.
	CANotAuthorizedForThisIP

	// CANotAuthorizedForThisDirectory results when an intermediate or root
	// certificate has a name constraint which doesn't include the directory
	// being checked.
	CANotAuthorizedForThisDirectory

	// TooManyIntermediates results when a path length constraint is
	// violated.
	TooManyIntermediates

	// IncompatibleUsage results when the certificate's key usage indicates
	// that it may only be used for a different purpose.
	IncompatibleUsage

	// NameMismatch results when the subject name of a parent certificate
	// does not match the issuer name in the child.
	NameMismatch

	// NeverValid results when the certificate could never have been valid due to
	// some date-related issue, e.g. NotBefore > NotAfter.
	NeverValid

	// IsSelfSigned results when the certificate is self-signed and not a trusted
	// root.
	IsSelfSigned
)

type IsPrecert 

type IsPrecert bool

type JSONCertificate 

type JSONCertificate struct {
	Version                   int                          `json:"version"`
	SerialNumber              string                       `json:"serial_number"`
	SignatureAlgorithm        JSONSignatureAlgorithm       `json:"signature_algorithm"`
	Issuer                    pkix.Name                    `json:"issuer"`
	IssuerDN                  string                       `json:"issuer_dn,omitempty"`
	Validity                  JSONValidity                 `json:"validity"`
	Subject                   pkix.Name                    `json:"subject"`
	SubjectDN                 string                       `json:"subject_dn,omitempty"`
	SubjectKeyInfo            JSONSubjectKeyInfo           `json:"subject_key_info"`
	Extensions                *CertificateExtensions       `json:"extensions,omitempty"`
	UnknownExtensions         UnknownCertificateExtensions `json:"unknown_extensions,omitempty"`
	Signature                 JSONSignature                `json:"signature"`
	FingerprintMD5            CertificateFingerprint       `json:"fingerprint_md5"`
	FingerprintSHA1           CertificateFingerprint       `json:"fingerprint_sha1"`
	FingerprintSHA256         CertificateFingerprint       `json:"fingerprint_sha256"`
	FingerprintNoCT           CertificateFingerprint       `json:"tbs_noct_fingerprint"`
	SPKISubjectFingerprint    CertificateFingerprint       `json:"spki_subject_fingerprint"`
	TBSCertificateFingerprint CertificateFingerprint       `json:"tbs_fingerprint"`
	ValidationLevel           CertValidationLevel          `json:"validation_level"`
	Names                     []string                     `json:"names,omitempty"`
	Redacted                  bool                         `json:"redacted"`
}

JSONCertificate - used to condense data from x509.Certificate when marhsaling into JSON. This struct has a distinct and independent layout from x509.Certificate, mostly for condensing data across repetitive fields and making it more presentable.

func (*JSONCertificate) UnmarshalJSON 

func (jc *JSONCertificate) UnmarshalJSON(b []byte) error

UnmarshalJSON - intentionally implimented to always error, as this method should not be used. The MarshalJSON method on Certificate condenses data in a way that is not recoverable. Use the x509.ParseCertificate function instead or JSONCertificateWithRaw Marshal method

type JSONCertificateWithRaw 

type JSONCertificateWithRaw struct {
	Raw []byte `json:"raw,omitempty"`
}

JSONCertificateWithRaw - intermediate struct for unmarshaling json of a certificate - the raw is require since the MarshalJSON method on Certificate condenses data in a way that makes extraction to the original in Unmarshal impossible. The JSON output of Marshal is not even used to construct a certificate, all we need is raw

func (*JSONCertificateWithRaw) ParseRaw 

func (c *JSONCertificateWithRaw) ParseRaw() (*Certificate, error)

ParseRaw - for converting the intermediate object JSONCertificateWithRaw into a parsed Certificate see description of JSONCertificateWithRaw for why this is used instead of UnmarshalJSON methods

type JSONSignature 

type JSONSignature struct {
	SignatureAlgorithm JSONSignatureAlgorithm `json:"signature_algorithm"`
	Value              []byte                 `json:"value"`
	Valid              bool                   `json:"valid"`
	SelfSigned         bool                   `json:"self_signed"`
}

JSONSignature - used to condense several fields from x509.Certificate related to the signature into one field within JSONCertificate Unfortunately, this struct cannot have its own Marshal method since it needs information from multiple fields in x509.Certificate

type JSONSignatureAlgorithm 

type JSONSignatureAlgorithm struct {
	Name string      `json:"name,omitempty"`
	OID  pkix.AuxOID `json:"oid"`
}

JSONSignatureAlgorithm is the intermediate type used when marshaling a PublicKeyAlgorithm out to JSON.

type JSONSubjectKeyInfo 

type JSONSubjectKeyInfo struct {
	KeyAlgorithm    PublicKeyAlgorithm     `json:"key_algorithm"`
	RSAPublicKey    *jsonKeys.RSAPublicKey `json:"rsa_public_key,omitempty"`
	DSAPublicKey    *DSAPublicKeyJSON      `json:"dsa_public_key,omitempty"`
	ECDSAPublicKey  *ECDSAPublicKeyJSON    `json:"ecdsa_public_key,omitempty"`
	SPKIFingerprint CertificateFingerprint `json:"fingerprint_sha256"`
}

JSONSubjectKeyInfo - used to condense several fields from x509.Certificate related to the subject public key into one field within JSONCertificate Unfortunately, this struct cannot have its own Marshal method since it needs information from multiple fields in x509.Certificate

type JSONValidity 

type JSONValidity struct {
	ValidityPeriod int
	// contains filtered or unexported fields
}

JSONValidity - used to condense several fields related to validity in x509.Certificate into one field within JSONCertificate Unfortunately, this struct cannot have its own Marshal method since it needs information from multiple fields in x509.Certificate

func (*JSONValidity) MarshalJSON 

func (v *JSONValidity) MarshalJSON() ([]byte, error)

func (*JSONValidity) UnmarshalJSON 

func (v *JSONValidity) UnmarshalJSON(b []byte) error

type KeyUsage 

type KeyUsage int

KeyUsage represents the set of actions that are valid for a given key. It's a bitmap of the KeyUsage* constants. 

const (
	KeyUsageDigitalSignature KeyUsage = 1 << iota
	KeyUsageContentCommitment
	KeyUsageKeyEncipherment
	KeyUsageDataEncipherment
	KeyUsageKeyAgreement
	KeyUsageCertSign
	KeyUsageCRLSign
	KeyUsageEncipherOnly
	KeyUsageDecipherOnly
)

func (KeyUsage) MarshalJSON 

func (k KeyUsage) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (*KeyUsage) UnmarshalJSON 

func (k *KeyUsage) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshler interface

type MonetaryValue 

type MonetaryValue struct {
	Currency       string `json:"currency,omitempty"`
	CurrencyNumber int    `json:"currency_number,omitempty"`
	Amount         int    `json:"amount,omitempty"`
	Exponent       int    `json:"exponent,omitempty"`
}

type NameConstraints 

type NameConstraints struct {
	Critical bool `json:"critical"`

	PermittedDNSNames       []GeneralSubtreeString
	PermittedEmailAddresses []GeneralSubtreeString
	PermittedURIs           []GeneralSubtreeString
	PermittedIPAddresses    []GeneralSubtreeIP
	PermittedDirectoryNames []GeneralSubtreeName
	PermittedEdiPartyNames  []GeneralSubtreeEdi
	PermittedRegisteredIDs  []GeneralSubtreeOid

	ExcludedEmailAddresses []GeneralSubtreeString
	ExcludedDNSNames       []GeneralSubtreeString
	ExcludedURIs           []GeneralSubtreeString
	ExcludedIPAddresses    []GeneralSubtreeIP
	ExcludedDirectoryNames []GeneralSubtreeName
	ExcludedEdiPartyNames  []GeneralSubtreeEdi
	ExcludedRegisteredIDs  []GeneralSubtreeOid
}

func (NameConstraints) MarshalJSON 

func (nc NameConstraints) MarshalJSON() ([]byte, error)

func (*NameConstraints) UnmarshalJSON 

func (nc *NameConstraints) UnmarshalJSON(b []byte) error

type NameConstraintsJSON 

type NameConstraintsJSON struct {
	Critical bool `json:"critical"`

	PermittedDNSNames       []string            `json:"permitted_names,omitempty"`
	PermittedEmailAddresses []string            `json:"permitted_email_addresses,omitempty"`
	PermittedURIs           []string            `json:"permitted_uris,omitempty"`
	PermittedIPAddresses    []GeneralSubtreeIP  `json:"permitted_ip_addresses,omitempty"`
	PermittedDirectoryNames []pkix.Name         `json:"permitted_directory_names,omitempty"`
	PermittedEdiPartyNames  []pkix.EDIPartyName `json:"permitted_edi_party_names,omitempty"`
	PermittedRegisteredIDs  []string            `json:"permitted_registred_id,omitempty"`

	ExcludedDNSNames       []string            `json:"excluded_names,omitempty"`
	ExcludedEmailAddresses []string            `json:"excluded_email_addresses,omitempty"`
	ExcludedURIs           []string            `json:"excluded_uris,omitempty"`
	ExcludedIPAddresses    []GeneralSubtreeIP  `json:"excluded_ip_addresses,omitempty"`
	ExcludedDirectoryNames []pkix.Name         `json:"excluded_directory_names,omitempty"`
	ExcludedEdiPartyNames  []pkix.EDIPartyName `json:"excluded_edi_party_names,omitempty"`
	ExcludedRegisteredIDs  []string            `json:"excluded_registred_id,omitempty"`
}

type NoticeNumber 

type NoticeNumber []int

type NoticeReference 

type NoticeReference struct {
	Organization  string       `json:"organization,omitempty"`
	NoticeNumbers NoticeNumber `json:"notice_numbers,omitempty"`
}

type PDSLocation 

type PDSLocation struct {
	URL      string `json:"url,omitempty" asn1:"ia5"`
	Language string `json:"language,omitempty" asn1:"printable"`
}

type PDSLocations 

type PDSLocations struct {
	Locations []PDSLocation `json:"locations,omitempty"`
}

type PEMCipher 

type PEMCipher int
const (
	PEMCipherDES PEMCipher
	PEMCipher3DES
	PEMCipherAES128
	PEMCipherAES192
	PEMCipherAES256
)

Possible values for the EncryptPEMBlock encryption algorithm.

type ParsedDomainName 

type ParsedDomainName struct {
	DomainString string
	ParsedDomain *publicsuffix.DomainName
	ParseError   error
}

ParsedDomainName is a structure holding a parsed domain name (CommonName or DNS SAN) and a parsing error.

type ParsedQCStatements 

type ParsedQCStatements struct {
	ETSICompliance  []bool          `json:"etsi_compliance,omitempty"`
	SSCD            []bool          `json:"sscd,omitempty"`
	Types           []QCType        `json:"types,omitempty"`
	Limit           []MonetaryValue `json:"limit,omitempty"`
	PDSLocations    []PDSLocations  `json:"pds_locations,omitempty"`
	RetentionPeriod []int           `json:"retention_period,omitempty"`
	Legislation     []QCLegistation `json:"legislation,omitempty"`
}

type PublicKeyAlgorithm 

type PublicKeyAlgorithm int
const (
	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
	RSA
	DSA
	ECDSA
	Ed25519
	X25519
)

func (*PublicKeyAlgorithm) MarshalJSON 

func (p *PublicKeyAlgorithm) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (PublicKeyAlgorithm) String 

func (p PublicKeyAlgorithm) String() string

func (*PublicKeyAlgorithm) UnmarshalJSON 

func (p *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

type QCLegistation 

type QCLegistation struct {
	CountryCodes []string `json:"country_codes,omitempty"`
}

type QCStatementASN 

type QCStatementASN struct {
	StatementID   asn1.ObjectIdentifier
	StatementInfo asn1.RawValue `asn1:"optional"`
}

func (*QCStatementASN) MarshalJSON 

func (s *QCStatementASN) MarshalJSON() ([]byte, error)

type QCStatements 

type QCStatements struct {
	StatementIDs     []string            `json:"ids,omitempty"`
	ParsedStatements *ParsedQCStatements `json:"parsed,omitempty"`
}

func (*QCStatements) Parse 

func (q *QCStatements) Parse(in *QCStatementsASN) error

type QCStatementsASN 

type QCStatementsASN struct {
	QCStatements []QCStatementASN
}

type QCType 

type QCType struct {
	TypeIdentifiers []asn1.ObjectIdentifier
}

func (*QCType) MarshalJSON 

func (qt *QCType) MarshalJSON() ([]byte, error)

type RevocationList 

type RevocationList struct {
	// Raw contains the complete ASN.1 DER content of the CRL (tbsCertList,
	// signatureAlgorithm, and signatureValue.)
	Raw []byte
	// RawTBSRevocationList contains just the tbsCertList portion of the ASN.1
	// DER.
	RawTBSRevocationList []byte
	// RawIssuer contains the DER encoded Issuer.
	RawIssuer []byte

	// Issuer contains the DN of the issuing certificate.
	Issuer pkix.Name
	// AuthorityKeyId is used to identify the public key associated with the
	// issuing certificate. It is populated from the authorityKeyIdentifier
	// extension when parsing a CRL. It is ignored when creating a CRL; the
	// extension is populated from the issuing certificate itself.
	AuthorityKeyId []byte

	Signature []byte
	// SignatureAlgorithm is used to determine the signature algorithm to be
	// used when signing the CRL. If 0 the default algorithm for the signing
	// key will be used.
	SignatureAlgorithm SignatureAlgorithm

	// RevokedCertificates is used to populate the revokedCertificates
	// sequence in the CRL, it may be empty. RevokedCertificates may be nil,
	// in which case an empty CRL will be created.
	RevokedCertificates []RevokedCertificate

	// Number is used to populate the X.509 v2 cRLNumber extension in the CRL,
	// which should be a monotonically increasing sequence number for a given
	// CRL scope and CRL issuer. It is also populated from the cRLNumber
	// extension when parsing a CRL.
	Number *big.Int

	// ThisUpdate is used to populate the thisUpdate field in the CRL, which
	// indicates the issuance date of the CRL.
	ThisUpdate time.Time
	// NextUpdate is used to populate the nextUpdate field in the CRL, which
	// indicates the date by which the next CRL will be issued. NextUpdate
	// must be greater than ThisUpdate.
	NextUpdate time.Time

	// Extensions contains raw X.509 extensions. When creating a CRL,
	// the Extensions field is ignored, see ExtraExtensions.
	Extensions []pkix.Extension

	// ExtraExtensions contains any additional extensions to add directly to
	// the CRL.
	ExtraExtensions []pkix.Extension
}

RevocationList contains the fields used to create an X.509 v2 Certificate Revocation list with CreateRevocationList.

func ParseRevocationList 

func ParseRevocationList(der []byte) (*RevocationList, error)

ParseRevocationList parses a X509 v2 Certificate Revocation List from the given ASN.1 DER data.

func (*RevocationList) CheckSignatureFrom 

func (rl *RevocationList) CheckSignatureFrom(parent *Certificate) error

CheckSignatureFrom verifies that the signature on rl is a valid signature from issuer.

type RevokedCertificate 

type RevokedCertificate struct {
	// Raw contains the raw bytes of the revokedCertificates entry. It is set when
	// parsing a CRL; it is ignored when generating a CRL.
	Raw []byte

	// SerialNumber represents the serial number of a revoked certificate. It is
	// both used when creating a CRL and populated when parsing a CRL. It MUST NOT
	// be nil.
	SerialNumber *big.Int
	// RevocationTime represents the time at which the certificate was revoked. It
	// is both used when creating a CRL and populated when parsing a CRL. It MUST
	// NOT be nil.
	RevocationTime time.Time
	// ReasonCode represents the reason for revocation, using the integer enum
	// values specified in RFC 5280 Section 5.3.1. When creating a CRL, a value of
	// nil or zero will result in the reasonCode extension being omitted. When
	// parsing a CRL, a value of nil represents a no reasonCode extension, while a
	// value of 0 represents a reasonCode extension containing enum value 0 (this
	// SHOULD NOT happen, but can and does).
	ReasonCode *int

	// Extensions contains raw X.509 extensions. When creating a CRL, the
	// Extensions field is ignored, see ExtraExtensions.
	Extensions []pkix.Extension
	// ExtraExtensions contains any additional extensions to add directly to the
	// revokedCertificate entry. It is up to the caller to ensure that this field
	// does not contain any extensions which duplicate extensions created by this
	// package (currently, the reasonCode extension). The ExtraExtensions field is
	// not populated when parsing a CRL, see Extensions.
	ExtraExtensions []pkix.Extension
}

RevokedCertificate represents an entry in the revokedCertificates sequence of a CRL. STARTBLOCK: This type does not exist in upstream.

type SignatureAlgorithm 

type SignatureAlgorithm int
const (
	UnknownSignatureAlgorithm SignatureAlgorithm = iota
	MD2WithRSA
	MD5WithRSA
	SHA1WithRSA
	SHA256WithRSA
	SHA384WithRSA
	SHA512WithRSA
	DSAWithSHA1
	DSAWithSHA256
	ECDSAWithSHA1
	ECDSAWithSHA256
	ECDSAWithSHA384
	ECDSAWithSHA512
	SHA256WithRSAPSS
	SHA384WithRSAPSS
	SHA512WithRSAPSS
	Ed25519Sig
)

func GetSignatureAlgorithmFromAI 

func GetSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm

GetSignatureAlgorithmFromAI converts asn1 AlgorithmIdentifier to SignatureAlgorithm int

func (*SignatureAlgorithm) MarshalJSON 

func (s *SignatureAlgorithm) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface MAY NOT PRESERVE ORIGINAL OID FROM CERTIFICATE - CONSIDER USING jsonifySignatureAlgorithm INSTEAD!

func (SignatureAlgorithm) String 

func (algo SignatureAlgorithm) String() string

func (*SignatureAlgorithm) UnmarshalJSON 

func (s *SignatureAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON implements the json.Unmarshler interface

type SignatureAlgorithmOID 

type SignatureAlgorithmOID asn1.ObjectIdentifier

type SubjAuthKeyId 

type SubjAuthKeyId []byte

func (SubjAuthKeyId) MarshalJSON 

func (kid SubjAuthKeyId) MarshalJSON() ([]byte, error)

type SubjectAndKey 

type SubjectAndKey struct {
	RawSubject              []byte
	RawSubjectPublicKeyInfo []byte
	Fingerprint             CertificateFingerprint
	PublicKey               interface{}
	PublicKeyAlgorithm      PublicKeyAlgorithm
}

SubjectAndKey represents a (subjecty, subject public key info) tuple.

type SystemRootsError 

type SystemRootsError struct {
	Err error
}

SystemRootsError results when we fail to load the system root certificates.

func (SystemRootsError) Error 

func (se SystemRootsError) Error() string

type TorServiceDescriptorHash 

type TorServiceDescriptorHash struct {
	Onion         string                   `json:"onion"`
	Algorithm     pkix.AlgorithmIdentifier `json:"-"`
	AlgorithmName string                   `json:"algorithm_name"`
	Hash          CertificateFingerprint   `json:"hash"`
	HashBits      int                      `json:"hash_bits"`
}

TorServiceDescriptorHash is a structure corrsponding to the TorServiceDescriptorHash SEQUENCE described in Appendix F ("Issuance of Certificates for .onion Domain Names").

Each TorServiceDescriptorHash holds an onion URI (a utf8 string with the .onion address that was validated), a hash algorithm name (computed based on the pkix.AlgorithmIdentifier in the TorServiceDescriptorHash), the hash bytes (computed over the DER encoding of the ASN.1 SubjectPublicKey of the .onion service), and the number of bits in the hash bytes.

type UnhandledCriticalExtension 

type UnhandledCriticalExtension struct {
	// contains filtered or unexported fields
}

UnhandledCriticalExtension results when the certificate contains an unimplemented X.509 extension marked as critical.

func (UnhandledCriticalExtension) Error 

func (h UnhandledCriticalExtension) Error() string

type UnknownAuthorityError 

type UnknownAuthorityError struct {
	Cert *Certificate
	// contains filtered or unexported fields
}

UnknownAuthorityError results when the certificate issuer is unknown

func (UnknownAuthorityError) Error 

func (e UnknownAuthorityError) Error() string

type UnknownCertificateExtensions 

type UnknownCertificateExtensions []pkix.Extension

type UserNoticeData 

type UserNoticeData struct {
	ExplicitText    string            `json:"explicit_text,omitempty"`
	NoticeReference []NoticeReference `json:"notice_reference,omitempty"`
}

type Validation 

type Validation struct {
	BrowserTrusted bool   `json:"browser_trusted"`
	BrowserError   string `json:"browser_error,omitempty"`
	MatchesDomain  bool   `json:"matches_domain,omitempty"`
	Domain         string `json:"-"`
}

Validation stores different validation levels for a given certificate

type VerifyOptions 

type VerifyOptions struct {
	DNSName      string
	EmailAddress string
	IPAddress    net.IP

	Intermediates *CertPool
	Roots         *CertPool // if nil, the system roots are used
	CurrentTime   time.Time // if zero, the current time is used
	// KeyUsage specifies which Extended Key Usage values are acceptable.
	// An empty list means ExtKeyUsageServerAuth. Key usage is considered a
	// constraint down the chain which mirrors Windows CryptoAPI behaviour,
	// but not the spec. To accept any key usage, include ExtKeyUsageAny.
	KeyUsages []ExtKeyUsage
}

VerifyOptions contains parameters for Certificate.Verify. It's a structure because other PKIX verification APIs have ended up needing many options.

type X25519PublicKey 

type X25519PublicKey []byte

curve25519 package does not expose key types

Source Files

View all Source files

Directories

Path Synopsis
Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
 Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP.
revocation
crl
google
microsoft
mozilla
ocsp
Package ocsp parses OCSP responses as specified in RFC 2560.
 Package ocsp parses OCSP responses as specified in RFC 2560.
ZIntermediate is a command line utility for verifying a set prospective intermediate certificates against a root store.
 ZIntermediate is a command line utility for verifying a set prospective intermediate certificates against a root store.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.