pkcs12

v1.0.1
Warning

This package is not in the latest version of its module.

Published: Aug 11, 2021 License: BSD-3-Clause Imports: 21 Imported by: 0

README

package pkcs12

import "software.sslmate.com/src/go-pkcs12" 

Package pkcs12 implements some of PKCS#12 (also known as P12 or PFX). It is intended for decoding DER-encoded P12/PFX files for use with the crypto/tls package, and for encoding P12/PFX files for use by legacy applications which do not support newer formats. Since PKCS#12 uses weak encryption primitives, it SHOULD NOT be used for new applications.

Note that only DER-encoded PKCS#12 files are supported, even though PKCS#12 allows BER encoding. This is because encoding/asn1 only supports DER.

This package is forked from golang.org/x/crypto/pkcs12, which is frozen. The implementation is distilled from https://tools.ietf.org/html/rfc7292 and referenced documents.

Import Path

Note that although the source code and issue tracker for this package are hosted on GitHub, the import path is:

software.sslmate.com/src/go-pkcs12 

Please be sure to use this path when you go get and import this package.

Report Issues / Send Patches

Open an issue or PR at https://github.com/SSLMate/go-pkcs12

Documentation

Overview

Package pkcs12 implements some of PKCS#12.

This implementation is distilled from https://tools.ietf.org/html/rfc7292 and referenced documents. It is intended for decoding P12/PFX-stored certificates and keys for use with the crypto/tls package.

This package is frozen. If it's missing functionality you need, consider an alternative like software.sslmate.com/src/go-pkcs12.

Variables

var (
	// ErrDecryption represents a failure to decrypt the input.
	ErrDecryption = errors.New("pkcs12: decryption error, incorrect padding")

	// ErrIncorrectPassword is returned when an incorrect password is detected.
	// Usually, P12/PFX data is signed to be able to verify the password.
	ErrIncorrectPassword = errors.New("pkcs12: decryption password incorrect")
)

Functions

func Decode

func Decode(pfxData []byte, password string) (privateKey interface{}, certificate *x509.Certificate, err error)

Decode extracts a certificate and private key from pfxData. This function assumes that there is only one certificate and only one private key in the pfxData; if there are more, use ToPEM instead.

func DecodeAll

func DecodeAll(pfxData []byte, password string) (privateKeys []interface{}, certificates []*x509.Certificate, err error)

DecodeAll extracts all certificates and private keys from pfxData.

func ToPEM

func ToPEM(pfxData []byte, password string) ([]*pem.Block, error)

ToPEM converts all "safe bags" contained in pfxData to PEM blocks. Unknown attributes are discarded.

Note that although the returned PEM blocks for private keys have type "PRIVATE KEY", the bytes are not encoded according to PKCS #8, but according to PKCS #1 for RSA keys and SEC 1 for ECDSA keys.
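The mismatch described in the note matters when ToPEM output is handed to a parser that trusts the "PRIVATE KEY" label and expects PKCS #8. The following is an added example, not part of this package or its documentation: it uses only the Go standard library, the names toPKCS8DER and sampleBlocks are hypothetical, and the sample blocks are constructed from freshly generated keys to have the shape the note describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// toPKCS8DER re-encodes a ToPEM-style "PRIVATE KEY" block (PKCS #1 or SEC 1 bytes) as PKCS #8 DER.
func toPKCS8DER(b *pem.Block) ([]byte, error) {
	if b == nil || b.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("not a PRIVATE KEY block")
	}
	if k, err := x509.ParsePKCS1PrivateKey(b.Bytes); err == nil {
		return x509.MarshalPKCS8PrivateKey(k)
	}
	if k, err := x509.ParseECPrivateKey(b.Bytes); err == nil {
		return x509.MarshalPKCS8PrivateKey(k)
	}
	if _, err := x509.ParsePKCS8PrivateKey(b.Bytes); err != nil {
		return nil, fmt.Errorf("unrecognized private key encoding: %w", err)
	}
	return b.Bytes, nil // already PKCS #8
}

// sampleBlocks builds blocks shaped like ToPEM output from fresh keys (constructed data).
func sampleBlocks() []*pem.Block {
	rk, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ek, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	ecDER, err := x509.MarshalECPrivateKey(ek)
	if err != nil {
		panic(err)
	}
	return []*pem.Block{{Type: "PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rk)}, {Type: "PRIVATE KEY", Bytes: ecDER}}
}

func main() {
	for _, b := range sampleBlocks() {
		_, strictErr := x509.ParsePKCS8PrivateKey(b.Bytes)
		der, err := toPKCS8DER(b)
		fmt.Printf("as-is PKCS #8 parse: %v\nre-encoded: %d bytes, err=%v\n", strictErr, len(der), err)
	}
}
```

Wrapping the returned DER in a pem.Block of type "PRIVATE KEY" yields a block whose contents match its label.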

Example
p12, _ := base64.StdEncoding.DecodeString(`MIIJzgIBAzCCCZQGCS ... CA+gwggPk==`)

blocks, err := ToPEM(p12, "password")
if err != nil {
	panic(err)
}

var pemData []byte
for _, b := range blocks {
	pemData = append(pemData, pem.EncodeToMemory(b)...)
}

// then use PEM data for tls to construct tls certificate:
cert, err := tls.X509KeyPair(pemData, pemData)
if err != nil {
	panic(err)
}

config := &tls.Config{
	Certificates: []tls.Certificate{cert},
}

_ = config

Types

type NotImplementedError

type NotImplementedError string

NotImplementedError indicates that the input is not currently supported.

func (NotImplementedError) Error

func (e NotImplementedError) Error() string

Directories

Path: internal/rc2
Synopsis: Package rc2 implements the RC2 cipher (https://www.ietf.org/rfc/rfc2268.txt, http://people.csail.mit.edu/rivest/pubs/KRRR98.pdf). This code is licensed under the MIT license.
