crypto

package
v4.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 17, 2024 License: MIT Imports: 50 Imported by: 1

Documentation

Overview

Package crypto is a collection of cryptographic algorithms and protocols, providing hash functions, block and stream ciphers, public key cryptography and authentication. It also includes a cryptographically secure pseudo-random number generator.

x.509

This package provides many useful functions for x.509 certificate. you can build a PKI system with this package. including parsing and verification. it can be used to parse x.509 certificates, create x.509 certificate chains, verify x.509 certificate chains, and parse x.509 certificate revocation lists.

Index

Examples

Constants

View Source 
const (
	// AesGcmIvLen is the length of IV for AES GCM
	AesGcmIvLen = 12
	// AesGcmTagLen is the length of tag for AES GCM
	AesGcmTagLen = 16
)

Variables

View Source 
var (
	// RSAEncrypt encrypt by RSAEncryptByPKCS1v15, for compatibility
	//
	// Deprecated: use RSAEncryptByPKCS1v15 or RsaEncryptByOAEP instead
	RSAEncrypt = RSAEncryptByPKCS1v15
	// RSADecrypt decrypt by RSADecryptByPKCS1v15, for compatibility
	//
	// Deprecated: use RSADecryptByPKCS1v15 or RSADecryptByOAEP instead
	RSADecrypt = RSADecryptByPKCS1v15
)
View Source 
var (
	// SignByRSAWithSHA256 sign content by rsa with sha256
	//
	// Deprecated: use SignByRSAPKCS1v15WithSHA256 instead
	SignByRSAWithSHA256 = SignByRSAPKCS1v15WithSHA256
	// VerifyByRSAWithSHA256 verify signature by rsa with sha256
	//
	// Deprecated: use VerifyByRSAPKCS1v15WithSHA256 instead
	VerifyByRSAWithSHA256 = VerifyByRSAPKCS1v15WithSHA256
)

Functions

func AEADDecrypt added in v4.1.0 

func AEADDecrypt(key, ciphertext, additionalData []byte) (plaintext []byte, err error)

AEADDecrypt encrypt bytes by AES GCM

Sugar wrapper of AEADDecryptWithIV, will extract IV from ciphertext automatically.

Args:

  • key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
  • ciphertext: encrypted content
  • additionalData: additional data to encrypt

Returns:

  • plaintext: decrypted content

func AEADDecryptBasic added in v4.6.0 

func AEADDecryptBasic(key, ciphertext, iv, tag, additionalData []byte) (plaintext []byte, err error)

AEADDecryptBasic encrypt bytes by AES GCM

Args:

  • key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
  • ciphertext: encrypted content
  • iv: Initialization Vector, should be 12 bytes
  • tag: authentication tag, should be 16 bytes
  • additionalData: additional data to encrypt

Returns:

  • plaintext: decrypted content

func AEADEncrypt added in v4.1.0 

func AEADEncrypt(key, plaintext, additionalData []byte) (ciphertext []byte, err error)

AEADEncrypt encrypt bytes by AES GCM

sugar wrapper of AEADEncryptWithIV, will generate random IV and append it to ciphertext as prefix.you can use AEADDecrypt to decrypt it.

Returns:

  • ciphertext: consists of IV, cipher and tag, `{iv}{cipher}{tag}`

func AEADEncryptBasic added in v4.6.0 

func AEADEncryptBasic(key, plaintext, iv, additionalData []byte) (ciphertext, tag []byte, err error)

AEADEncryptBasic encrypt bytes by AES GCM and return IV and ciphertext

Args:

  • key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
  • plaintext: content to encrypt
  • iv: Initialization Vector, should be 12 bytes
  • additionalData: additional data to encrypt

Returns:

  • ciphertext: encrypted content without IV and tag, the length of ciphertext is same as plaintext

func AESEncryptFilesInDir 

func AESEncryptFilesInDir(dir string, secret []byte, opts ...AESEncryptFilesInDirOption) (err error)

AESEncryptFilesInDir encrypt files in dir

will generate new encrypted files with <suffix> after ext 

xxx.toml -> xxx.toml.enc

func AesDecrypt deprecated 

func AesDecrypt(secret []byte, encrypted []byte) ([]byte, error)

AesDecrypt encrypt bytes by AES GCM

inspired by https://tutorialedge.net/golang/go-encrypt-decrypt-aes-tutorial/

The key argument should be 16, 24, or 32 bytes

Deprecated: use AEADDecrypt instead

func AesEncrypt deprecated 

func AesEncrypt(secret []byte, cnt []byte) ([]byte, error)

AesEncrypt encrypt bytes by AES GCM

inspired by https://tutorialedge.net/golang/go-encrypt-decrypt-aes-tutorial/

The key argument should be the AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.

Deprecated: use AEAD instead

func Base32Secret 

func Base32Secret(key []byte) string

Base32Secret generate base32 encoded secret

func CRL2Der added in v4.5.0 

func CRL2Der(crl *x509.RevocationList) []byte

CRL2Der marshal crl to der

func CRL2Pem added in v4.5.0 

func CRL2Pem(crl *x509.RevocationList) []byte

CRL2Pem marshal crl to pem

func CRLDer2Pem added in v4.5.0 

func CRLDer2Pem(crlDer []byte) []byte

CRLDer2Pem marshal crl to pem

func CRLPem2Der added in v4.5.0 

func CRLPem2Der(crlPem []byte) ([]byte, error)

CRLPem2Der parse crl pem

func CSR2Der 

func CSR2Der(csr *x509.CertificateRequest) []byte

CSR2Der marshal csr to der

func CSRDer2Pem 

func CSRDer2Pem(CSRInDer []byte) (CSRInPem []byte)

CSRDer2Pem convert CSR in der to pem, tailing with line break

func Cert2Der 

func Cert2Der(cert ...*x509.Certificate) (ret []byte)

Cert2Der marshal private key by x509.8

func Cert2Pem 

func Cert2Pem(certs ...*x509.Certificate) (ret []byte)

Cert2Pem marshal x509 certificate to pem, tailing with line break

func CertDer2Pem 

func CertDer2Pem(certInDer []byte) (certInPem []byte)

CertDer2Pem convert certificate in der to pem, tailing with line break

func DecodeES256SignByBase64 

func DecodeES256SignByBase64(sign string) (r, s *big.Int, err error)

DecodeES256SignByBase64 parse ecdsa signature string to two *big.Int

func DecodeES256SignByHex 

func DecodeES256SignByHex(sign string) (r, s *big.Int, err error)

DecodeES256SignByHex parse ecdsa signature string to two *big.Int

func Der2CRL 

func Der2CRL(crlDer []byte) (*x509.RevocationList, error)

Der2CRL parse crl der

func Der2CSR 

func Der2CSR(csrDer []byte) (*x509.CertificateRequest, error)

Der2CSR parse crl der

func Der2Cert 

func Der2Cert(certInDer []byte) (*x509.Certificate, error)

Der2Cert parse sigle certificate in der

func Der2Certs 

func Der2Certs(certInDer []byte) ([]*x509.Certificate, error)

Der2Cert parse multiple certificates in der

func Der2Prikey 

func Der2Prikey(prikeyDer []byte) (crypto.PrivateKey, error)

Der2Prikey parse private key from der in x509 v8/v1

func Der2Pubkey 

func Der2Pubkey(pubkeyDer []byte) (crypto.PublicKey, error)

Der2Pubkey parse public key from der in x509 pkcs1/pkix

func DeriveKeyByHKDF 

func DeriveKeyByHKDF(rawKey, salt []byte, newKeyLength int) (newKey []byte, err error)

DeriveKeyByHKDF derive key by hkdf

func DeriveKeyBySMHF 

func DeriveKeyBySMHF(rawKey, salt []byte) (newKey []byte, err error)

DeriveKeyBySMHF derive key by Stronger Key Derivation via Sequential Memory-Hard Functions

https://pkg.go.dev/golang.org/x/crypto@v0.5.0/scrypt

func EncodeES256SignByBase64 

func EncodeES256SignByBase64(r, s *big.Int) string

EncodeES256SignByBase64 format ecdsa signature to stirng

func EncodeES256SignByHex 

func EncodeES256SignByHex(r, s *big.Int) string

EncodeES256SignByHex format ecdsa sign to stirng

func FormatBig2Base64 

func FormatBig2Base64(b *big.Int) string

FormatBig2Base64 format big to base64 string

func FormatBig2Hex 

func FormatBig2Hex(b *big.Int) string

FormatBig2Hex format big to hex string

func GeneratePasswordHash deprecated 

func GeneratePasswordHash(password []byte) ([]byte, error)

GeneratePasswordHash generate hashed password by origin password

Deprecated: use PasswordHash instead

Example 
// generate hashed password
rawPassword := []byte("1234567890")
hashedPassword, err := GeneratePasswordHash(rawPassword)
if err != nil {
	log.Shared.Error("try to generate password got error", zap.Error(err))
	return
}
fmt.Printf("got new hashed pasword: %v\n", string(hashedPassword))

// validate passowrd
if !ValidatePasswordHash(hashedPassword, rawPassword) {
	log.Shared.Error("password invalidate", zap.Error(err))
	return
}

Output:

func HKDFWithSHA256 

func HKDFWithSHA256(secret, salt, info []byte, results [][]byte) error

HKDFWithSHA256 derivative keys by HKDF with sha256. same key & salt will derivative same keys

Example

derivative multiple keys: 

results := make([][]byte, 10)
for i := range results {
    results[i] = make([]byte, 20)
}

HKDFWithSHA256([]byte("your key"), nil, nil, results)

func HMACSha256 added in v4.7.2 

func HMACSha256(key []byte, data io.Reader) ([]byte, error)

HMACSha256 calculate HMAC by sha256

The main difference between HMAC and SHA is that HMAC uses a secure key to calculate the hash, while SHA does not. this makes HMAC more secure than SHA.

Args:

  • key: secure key, no limit on length
  • data: raw data to calculate HMAC

Returns:

  • hmac: HMAC result, 32 bytes

func MatchPrefix 

func MatchPrefix() func(o *oidContainsOption) error

MatchPrefix treat prefix inclusion as a match as well 

`1.2.3` contains `1.2.3.4`

func NewECDSAPrikey 

func NewECDSAPrikey(curve ECDSACurve) (*ecdsa.PrivateKey, error)

NewECDSAPrikey new ecdsa private key

func NewECDSAPrikeyAndCert added in v4.5.0 

func NewECDSAPrikeyAndCert(curve ECDSACurve, opts ...X509CertOption) (
	prikeyPem, certDer []byte, err error)

NewECDSAPrikeyAndCert convient function to new ecdsa private key and cert

func NewEd25519Prikey 

func NewEd25519Prikey() (ed25519.PrivateKey, error)

NewEd25519Prikey new ed25519 private key

func NewEd25519PrikeyAndCert added in v4.7.0 

func NewEd25519PrikeyAndCert(opts ...X509CertOption) (
	prikeyPem, certDer []byte, err error)

NewEd25519PrikeyAndCert convient function to new ed25519 private key and cert

func NewRSAPrikey 

func NewRSAPrikey(bits RSAPrikeyBits) (*rsa.PrivateKey, error)

NewRSAPrikey new rsa privat ekey

func NewRSAPrikeyAndCert 

func NewRSAPrikeyAndCert(rsaBits RSAPrikeyBits, opts ...X509CertOption) (
	prikeyPem, certDer []byte, err error)

NewRSAPrikeyAndCert convient function to new rsa private key and cert

func NewX509CRL 

func NewX509CRL(ca *x509.Certificate,
	prikey crypto.PrivateKey,
	seriaNumber *big.Int,
	revokeCerts []pkix.RevokedCertificate,
	opts ...X509CRLOption) (crlDer []byte, err error)

NewX509CRL create and sign CRL

Args

  • ca: CA to sign CRL.
  • prikey: prikey for CA.
  • revokeCerts: certifacates that will be revoked.
  • WithX509CertSeriaNumber() is required for NewX509CRL.

according to RFC5280 5.2.3, X.509 v3 CRL could have a monotonically increasing sequence number as serial number.

func NewX509CSR 

func NewX509CSR(prikey crypto.PrivateKey, opts ...X509CSROption) (csrDer []byte, err error)

NewX509CSR new CSR

Arguments

if prikey is not RSA private key, you must set SignatureAlgorithm by WithX509CertSignatureAlgorithm.

Warning: CSR do not support set IsCA / KeyUsage / ExtKeyUsage, you should set these attributes in NewX509CertByCSR.

func NewX509Cert 

func NewX509Cert(prikey crypto.PrivateKey, opts ...X509CertOption) (certDer []byte, err error)

NewX509Cert new cert

func NewX509CertByCSR 

func NewX509CertByCSR(
	parent *x509.Certificate,
	prikey crypto.PrivateKey,
	csrDer []byte,
	opts ...SignCSROption) (certDer []byte, err error)

NewX509CertByCSR sign CSR to certificate

Depends on RFC-5280 4.2.1.12, empty ext key usage is as same as any key usage. so do not set any default ext key usages.

but key usage is required in many cases:

func OIDContains 

func OIDContains(oids []asn1.ObjectIdentifier,
	oid asn1.ObjectIdentifier, opts ...func(o *oidContainsOption) error) bool

OIDContains is oid in oids

func OidAsn2X509 added in v4.10.0 

func OidAsn2X509(oid asn1.ObjectIdentifier) (x509.OID, error)

OidAsn2X509 convert asn1 object identifier to x509 object identifier

func OidFromString added in v4.10.0 

func OidFromString(val string) (x509Oid x509.OID, err error)

OidFromString convert string to x509 object identifier

func ParseBase642Big 

func ParseBase642Big(raw string) (*big.Int, error)

ParseBase642Big parse base64 string to big

func ParseHex2Big 

func ParseHex2Big(hex string) (b *big.Int, ok bool)

ParseHex2Big parse hex string to big

func PasswordHash added in v4.1.0 

func PasswordHash(password []byte, hasher gutils.HashType) (hashedPassword string, err error)

PasswordHash generate salted hash of password, can verify by VerifyHashedPassword

func Pem2CRL added in v4.5.0 

func Pem2CRL(crlPem []byte) (*x509.RevocationList, error)

Pem2CRL parse crl pem

func Pem2CSR 

func Pem2CSR(csrInPem []byte) (*x509.CertificateRequest, error)

Pem2CSR parse csr from pem

func Pem2Cert 

func Pem2Cert(certInPem []byte) (*x509.Certificate, error)

Pem2Cert parse single certificate in pem

func Pem2Certs 

func Pem2Certs(certInPem []byte) ([]*x509.Certificate, error)

Pem2Certs parse multiple certificate in pem

func Pem2Der 

func Pem2Der(pemBytes []byte) (derBytes []byte, err error)

Pem2Der convert pem to der

support one or more certs

func Pem2Ders 

func Pem2Ders(pemBytes []byte) (dersBytes [][]byte, err error)

Pem2Ders convert pem to ders

support one or more certs

func Pem2Prikey 

func Pem2Prikey(x509v8Pem []byte) (crypto.PrivateKey, error)

Pem2Prikey parse private key from x509 v8(general) pem

func Pem2Pubkey 

func Pem2Pubkey(pubkeyPem []byte) (crypto.PublicKey, error)

Pem2Pubkey parse public key from pem

func Prikey2Der 

func Prikey2Der(key crypto.PrivateKey) ([]byte, error)

Prikey2Der marshal private key by x509.8

func Prikey2Pem 

func Prikey2Pem(key crypto.PrivateKey) ([]byte, error)

Prikey2Pem marshal private key to pem, tailing with line break

func Prikey2Pubkey added in v4.7.0 

func Prikey2Pubkey(prikey crypto.PrivateKey) (pubkey crypto.PublicKey)

Prikey2Pubkey get public key from private key

func PrikeyDer2Pem 

func PrikeyDer2Pem(prikeyInDer []byte) (prikeyInPem []byte)

PrikeyDer2Pem convert private key in der to pem

func Privkey2Signer 

func Privkey2Signer(privkey crypto.PrivateKey) crypto.Signer

Privkey2Signer convert privkey to signer

func Pubkey2Der 

func Pubkey2Der(key crypto.PublicKey) ([]byte, error)

Pubkey2Der marshal public key by pkix

func Pubkey2Pem 

func Pubkey2Pem(key crypto.PublicKey) ([]byte, error)

Pubkey2Pem marshal public key to pem, tailing with line break

func PubkeyDer2Pem 

func PubkeyDer2Pem(pubkeyInDer []byte) (prikeyInPem []byte)

PubkeyDer2Pem convert public key in der to pem

func RSADecryptByOAEP added in v4.10.0 

func RSADecryptByOAEP(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)

RSADecryptByOAEP decrypt by OAEP with SHA256

func RSADecryptByPKCS1v15 added in v4.10.0 

func RSADecryptByPKCS1v15(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)

RSADecryptByPKCS1v15 decrypt by rsa PKCS1v15

only accept cipher encrypted by RSAEncrypt

func RSADer2Prikey 

func RSADer2Prikey(x509v1Der []byte) (*rsa.PrivateKey, error)

RSADer2Prikey parse private key from x509 v1(rsa) der

func RSAEncryptByOAEP added in v4.10.0 

func RSAEncryptByOAEP(pubkey *rsa.PublicKey, plain []byte) (cipher []byte, err error)

RSAEncryptByOAEP encrypts by OAEP with SHA256

This is not a deterministic encryption scheme, it will return different ciphertexts each time even if the same plaintext is encrypted multiple times.

func RSAEncryptByPKCS1v15 added in v4.10.0 

func RSAEncryptByPKCS1v15(pubkey *rsa.PublicKey, plain []byte) (cipher []byte, err error)

RSAEncryptByPKCS1v15 encrypt by PKCS1v15

This is not a deterministic encryption scheme, it will return different ciphertexts each time even if the same plaintext is encrypted multiple times.

func RSAPem2Prikey 

func RSAPem2Prikey(x509v1Pem []byte) (*rsa.PrivateKey, error)

RSAPem2Prikey parse private key from x509 v1(rsa) pem

func ReadableOIDs 

func ReadableOIDs(oids []asn1.ObjectIdentifier) (names []string)

ReadableX509ExtKeyUsage convert objectids to readable strings

func ReadablePkixName 

func ReadablePkixName(name pkix.Name) map[string]any

ReadablePkixName convert pkix.Name to readable map with strings

func ReadableX509CSR added in v4.3.0 

func ReadableX509CSR(csr *x509.CertificateRequest) (map[string]any, error)

ReadableX509CSR convert x509 certificate request to readable jsonable map

func ReadableX509Cert 

func ReadableX509Cert(cert *x509.Certificate) (map[string]any, error)

ReadableX509Cert convert x509 certificate to readable jsonable map

func ReadableX509ExtKeyUsage 

func ReadableX509ExtKeyUsage(usages []x509.ExtKeyUsage) (usageNames []string)

ReadableX509ExtKeyUsage convert x509 certificate ext key usages to readable strings

func ReadableX509Extention added in v4.3.0 

func ReadableX509Extention(ext *pkix.Extension) (map[string]any, error)

ReadableX509Extention convert x509 certificate extension to readable jsonable map

func ReadableX509KeyUsage 

func ReadableX509KeyUsage(usage x509.KeyUsage) (usageNames []string)

ReadableX509KeyUsage convert x509 certificate key usages to readable strings

func Salt 

func Salt(length int) ([]byte, error)

Salt generate random salt with specifiec length

func SecureCipherSuites 

func SecureCipherSuites(filter func(*tls.CipherSuite) bool) []uint16

SecureCipherSuites get golang built-in cipher suites without known insecure suites

func SignByECDSAWithSHA256 

func SignByECDSAWithSHA256(prikey *ecdsa.PrivateKey, content []byte) (r, s *big.Int, err error)

SignByECDSAWithSHA256 generate signature by ecdsa private key use sha256

Example 
priKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
	log.Shared.Panic("generate key", zap.Error(err))
}
priKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
	log.Shared.Panic("generate key", zap.Error(err))
}

// case: correct key
cnt := []byte("fjijf23lijfl23ijrl32jra9pfie9wpfi")
r, s, err := SignByECDSAWithSHA256(priKey, cnt)
if err != nil {
	log.Shared.Panic("sign", zap.Error(err))
}
if !VerifyByECDSAWithSHA256(&priKey.PublicKey, cnt, r, s) {
	log.Shared.Panic("verify failed")
}

// generate string
encoded := EncodeES256SignByBase64(r, s)
if _, _, err = DecodeES256SignByBase64(encoded); err != nil {
	log.Shared.Panic("encode and decode", zap.Error(err))
}

// case: incorrect cnt
cnt = []byte("fjijf23lijfl23ijrl32jra9pfie9wpfi")
r, s, err = SignByECDSAWithSHA256(priKey, cnt)
if err != nil {
	log.Shared.Panic("sign", zap.Error(err))
}
if VerifyByECDSAWithSHA256(&priKey.PublicKey, append(cnt, '2'), r, s) {
	log.Shared.Panic("should not verify")
}

// case: incorrect key
r, s, err = SignByECDSAWithSHA256(priKey2, cnt)
if err != nil {
	log.Shared.Panic("sign", zap.Error(err))
}
if VerifyByECDSAWithSHA256(&priKey.PublicKey, cnt, r, s) {
	log.Shared.Panic("should not verify")
}

Output:

func SignByECDSAWithSHA256AndBase64 

func SignByECDSAWithSHA256AndBase64(prikey *ecdsa.PrivateKey, content []byte) (signature string, err error)

SignByECDSAWithSHA256AndBase64 generate signature by ecdsa private key use sha256

func SignByEd25519WithSHA512 added in v4.9.0 

func SignByEd25519WithSHA512(prikey ed25519.PrivateKey, reader io.Reader) ([]byte, error)

SignByEd25519WithSHA512 generate signature by ed25519 private key

func SignByRSAPKCS1v15WithSHA256 added in v4.10.0 

func SignByRSAPKCS1v15WithSHA256(prikey *rsa.PrivateKey, content []byte) ([]byte, error)

SignByRSAPKCS1v15WithSHA256 generate signature by rsa private key use sha256

func SignByRSAPSSWithSHA256 added in v4.10.0 

func SignByRSAPSSWithSHA256(prikey *rsa.PrivateKey, content []byte) ([]byte, error)

SignByRSAPSSWithSHA256 generate signature by rsa private key use sha256

RSASSA-PSS is not deterministic, so it will return different signature every time.

func SignBySchnorrSha256 added in v4.9.0 

func SignBySchnorrSha256(suite dediskey.Suite, prikey kyber.Scalar, reader io.Reader) ([]byte, error)

SignBySchnorrSha256 sign content by schnorr

func SignReaderByECDSAWithSHA256 

func SignReaderByECDSAWithSHA256(prikey *ecdsa.PrivateKey, reader io.Reader) (r, s *big.Int, err error)

SignReaderByECDSAWithSHA256 generate signature by ecdsa private key use sha256

func SignReaderByEd25519WithSHA256 added in v4.8.0 

func SignReaderByEd25519WithSHA256(prikey ed25519.PrivateKey, reader io.Reader) (sig []byte, err error)

SignReaderByEd25519WithSHA256 generate signature by ecdsa private key use sha256

func SignReaderByRSAWithSHA256 

func SignReaderByRSAWithSHA256(prikey *rsa.PrivateKey, reader io.Reader) (sig []byte, err error)

SignReaderByRSAWithSHA256 generate signature by rsa private key use sha256

func SplitCertsPemChain added in v4.8.0 

func SplitCertsPemChain(pemChain string) (pems []string)

SplitCertsPemChain split pem chain to multiple pem

func ValidatePasswordHash deprecated 

func ValidatePasswordHash(hashedPassword, password []byte) bool

ValidatePasswordHash validate password is match with hashedPassword

Deprecated: use VerifyHashedPassword instead

func VerifyByECDSAWithSHA256 

func VerifyByECDSAWithSHA256(pubKey *ecdsa.PublicKey, content []byte, r, s *big.Int) bool

VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256

func VerifyByECDSAWithSHA256AndBase64 

func VerifyByECDSAWithSHA256AndBase64(pubKey *ecdsa.PublicKey, content []byte, signature string) (bool, error)

VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256

func VerifyByEd25519WithSHA512 added in v4.9.0 

func VerifyByEd25519WithSHA512(pubKey ed25519.PublicKey, reader io.Reader, sig []byte) error

VerifyByEd25519WithSHA512 verify signature by ed25519 public key

func VerifyByRSAPKCS1v15WithSHA256 added in v4.10.0 

func VerifyByRSAPKCS1v15WithSHA256(pubKey *rsa.PublicKey, content []byte, sig []byte) error

VerifyByRSAPKCS1v15WithSHA256 verify signature by rsa public key use sha256

func VerifyByRSAPSSWithSHA256 added in v4.10.0 

func VerifyByRSAPSSWithSHA256(pubKey *rsa.PublicKey, content []byte, sig []byte) error

VerifyByRSAPSSWithSHA256 verify signature by rsa public key use sha256

func VerifyBySchnorrSha256 added in v4.9.0 

func VerifyBySchnorrSha256(suite dediskey.Suite, pubkey kyber.Point, reader io.Reader, sig []byte) error

VerifyBySchnorrSha256 verify signature by schnorr

func VerifyCRL 

func VerifyCRL(ca *x509.Certificate, crl *x509.RevocationList) error

VerifyCRL verify crl by ca

func VerifyCertByPrikey 

func VerifyCertByPrikey(certPem []byte, prikeyPem []byte) error

VerifyCertByPrikey verify cert by prikey

func VerifyHashedPassword added in v4.1.0 

func VerifyHashedPassword(rawpassword []byte, hashedPassword string) (err error)

VerifyHashedPassword verify HashedPassword

func VerifyReaderByECDSAWithSHA256 

func VerifyReaderByECDSAWithSHA256(pubKey *ecdsa.PublicKey, reader io.Reader, r, s *big.Int) (bool, error)

VerifyReaderByECDSAWithSHA256 verify signature by ecdsa public key use sha256

func VerifyReaderByEd25519WithSHA256 added in v4.8.0 

func VerifyReaderByEd25519WithSHA256(pubKey ed25519.PublicKey, reader io.Reader, sig []byte) error

VerifyReaderByEd25519WithSHA256 verify signature by ecdsa public key use sha256

func VerifyReaderByRSAWithSHA256 

func VerifyReaderByRSAWithSHA256(pubKey *rsa.PublicKey, reader io.Reader, sig []byte) error

VerifyReaderByRSAWithSHA256 verify signature by rsa public key use sha256

func X509Cert2OpensslConf added in v4.7.0 

func X509Cert2OpensslConf(cert *x509.Certificate) (opensslConf []byte)

X509Cert2OpensslConf marshal x509

func X509CertSubjectKeyID 

func X509CertSubjectKeyID(pubkey crypto.PublicKey) ([]byte, error)

X509CertSubjectKeyID generate subject key id for pubkey

if x509 certificate template is a CA, subject key id will generated by golang automatelly

func X509CrlOptions2Tpl added in v4.10.0 

func X509CrlOptions2Tpl(opts ...X509CRLOption) (*x509.RevocationList, error)

X509CrlOptions2Tpl marshal x509 crl options to x509.RevocationList

func X509Csr2OpensslConf added in v4.7.0 

func X509Csr2OpensslConf(csr *x509.CertificateRequest) (opensslConf []byte)

X509Csr2OpensslConf marshal x509 csr to openssl conf

Returns 

[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
req_extensions = req_ext

[ req_ext ]
subjectAltName = @alt_names

[ req_distinguished_name ]
commonName = Intermedia CA
countryName = CN
stateOrProvinceName = Shanghai
localityName = Shanghai
organizationName = BBT
organizationalUnitName = XSS

[ alt_names ]
DNS.1 = localhost
DNS.2 = example.com

func X509CsrOption2Template added in v4.7.0 

func X509CsrOption2Template(opts ...X509CSROption) (tpl *x509.CertificateRequest, err error)

X509CsrOption2Template convert X509CSROption to x509.CertificateRequest

Types

type AESEncryptFilesInDirOption 

type AESEncryptFilesInDirOption func(*encryptFilesOption) error

AESEncryptFilesInDirOption options to encrypt files in dir

func WithAESFilesInDirFileExt 

func WithAESFilesInDirFileExt(ext string) AESEncryptFilesInDirOption

WithAESFilesInDirFileExt only encrypt files with specific ext

func WithAESFilesInDirFileSuffix 

func WithAESFilesInDirFileSuffix(suffix string) AESEncryptFilesInDirOption

WithAESFilesInDirFileSuffix will append to encrypted's filename as suffix 

xxx.toml -> xxx.toml.enc

type AesReaderWrapper 

type AesReaderWrapper struct {
	// contains filtered or unexported fields
}

AesReaderWrapper used to decrypt encrypted reader

func NewAesReaderWrapper 

func NewAesReaderWrapper(in io.Reader, key []byte) (*AesReaderWrapper, error)

NewAesReaderWrapper wrap reader by aes

func (*AesReaderWrapper) Read 

func (w *AesReaderWrapper) Read(p []byte) (n int, err error)

type DHKX 

type DHKX struct {
	// contains filtered or unexported fields
}

Diffie Hellman Key-exchange algorithm

https://pkg.go.dev/github.com/monnand/dhkx

Example 

alice, _ := NewDHKX()
bob, _ := NewDHKX()

alicePub := alice.PublicKey()
bobPub := bob.PublicKey()

aliceKey, _ := alice.GenerateKey(bobPub)
bobKey, _ := bob.GenerateKey(alicePub)

aliceKey == bobKey

Note: recommoend to use ECDH instead of DHKX

Example 
alice, _ := NewDHKX()

bob, _ := NewDHKX()

alicePub, _ := alice.PublicKey()
bobPub, _ := bob.PublicKey()

aliceKey, _ := alice.GenerateKey(bobPub)
bobKey, _ := bob.GenerateKey(alicePub)
fmt.Println(reflect.DeepEqual(aliceKey, bobKey))

Output:

true

func NewDHKX deprecated 

func NewDHKX(optfs ...DHKXOptionFunc) (d *DHKX, err error)

NewDHKX create a new DHKX instance

each DHKX instance has it's unique group and private key

Known vulnerabilities: DHKX is not secure against active attacks, MITM attacker could replace the public keys with his own and decrypt the messages. its better to verify peer's public key by signature.

Deprecated: ECDH is much more faster and efficient than DHKX, use ECDH instead.

func (*DHKX) GenerateKey 

func (d *DHKX) GenerateKey(peerPubKey []byte) ([]byte, error)

GenerateKey generate new key by peer's public key

each side of the DHKX exchange peers will generate the same key

key like: 

60a425ca3a4cc313db9c113a0526f3809725305afc68e1accd0e653ae8d0182c6eb05557f4b5d094
f015972b9fda7d60c1b64d79f50baea7365d858ede0fb7a6571403d4b95f682144b56fa17ffcbe9e
70de69dc0045672696e683c423c5b3dfc02a6916be1e50c74e60353ec08a465cc124e8ca88337fb7
4a0370e17a7cedb0b1e76733f43ad3db9e3d29ab43c75686a8bc4a88ee46addbd1590c8277d1b1ef
42aded6cc0bfe0a7ff8933861dae772c755087f2a41021f4ca53867ba49797d111ef21b381cb6441
178f4ccd3748f8e7b1a12ec3799571a49fc0aa793c05ab6e228b559f1fda2912542d7246388ccec1
38b4d8ce9df4a32c198891c4e33b5034

func (*DHKX) PublicKey 

func (d *DHKX) PublicKey() ([]byte, error)

PublicKey return public key bytes

type DHKXOptionFunc 

type DHKXOptionFunc func(*dhkxOption) error

DHKXOptionFunc optional func to set dhkx option

type DefaultX509CertSerialNumGenerator 

type DefaultX509CertSerialNumGenerator struct {
	// contains filtered or unexported fields
}

DefaultX509CertSerialNumGenerator default cert serial number generator base on epoch time and random int

func NewDefaultX509CertSerialNumGenerator 

func NewDefaultX509CertSerialNumGenerator() (*DefaultX509CertSerialNumGenerator, error)

NewDefaultX509CertSerialNumGenerator new DefaultX509CertSerialNumGenerator

func (*DefaultX509CertSerialNumGenerator) SerialNum 

func (g *DefaultX509CertSerialNumGenerator) SerialNum() int64

SerialNum get randon serial number

type ECDH added in v4.7.0 

type ECDH struct {
	// contains filtered or unexported fields
}

ECDH Elliptic Curve Diffie-Hellman

func NewEcdh added in v4.7.0 

func NewEcdh(curve ECDSACurve) (ins *ECDH, err error)

NewEcdh create a new ECDH instance

Known vulnerabilities: DHKX is not secure against active attacks, MITM attacker could replace the public keys with his own and decrypt the messages. its better to verify peer's public key by signature.

Example 
alice, _ := NewEcdh(ECDSACurveP256)

bob, _ := NewEcdh(ECDSACurveP256)

alicePub, _ := alice.PublicKey()
bobPub, _ := bob.PublicKey()

aliceKey, _ := alice.GenerateKey(bobPub)
bobKey, _ := bob.GenerateKey(alicePub)
fmt.Println(reflect.DeepEqual(aliceKey, bobKey))

Output:

true

func (*ECDH) GenerateKey added in v4.7.0 

func (e *ECDH) GenerateKey(peerPubKey []byte) (sharekey []byte, err error)

GenerateKey generate new key by peer's public key

func (*ECDH) PublicKey added in v4.7.0 

func (e *ECDH) PublicKey() ([]byte, error)

PublicKey return public key bytes

type ECDSACurve 

type ECDSACurve string

ECDSACurve algorithms 

const (
	// ECDSACurveP256 ecdsa with P256
	ECDSACurveP256 ECDSACurve = "P256"
	// ECDSACurveP384 ecdsa with P384
	ECDSACurveP384 ECDSACurve = "P384"
	// ECDSACurveP521 ecdsa with P521
	ECDSACurveP521 ECDSACurve = "P521"
)

type HashedPassword added in v4.1.0 

type HashedPassword struct {
	// contains filtered or unexported fields
}

HashedPassword salt hashed password

generate by PasswordHash, verify by VerifyHashedPassword

func (HashedPassword) String added in v4.1.0 

func (p HashedPassword) String() string

String convert to string

can verify by VerifyHashedPassword

type KeyExchange added in v4.7.0 

type KeyExchange interface {
	// PublicKey return public key bytes
	//
	// send public key to peer, and get peer's public key
	// every side of the exchange peers will generate the same key
	PublicKey() ([]byte, error)
	// GenerateKey generate new key by peer's public key
	GenerateKey(peerPubKey []byte) ([]byte, error)
}

KeyExchange key agreement interface

type OTPAlgorithm 

type OTPAlgorithm string

OTPAlgorithm hash algorithm for otp 

const (
	// OTPAlgorithmSHA1 sha1
	OTPAlgorithmSHA1 OTPAlgorithm = "sha1"
)

type OTPArgs 

type OTPArgs struct {
	// OtpType (readonly) otp type, must in totp/hotp
	OtpType OTPType
	// Base32Secret (required) the hotp/totp secret used to generate the URI
	//
	// genrate Base32Secret:
	//
	//  Base32Secret([]byte("xxxxxx"))
	Base32Secret string
	// AccountName (optional) name of the account
	AccountName string
	// Authenticator (optional) the name of the OTP issuer;
	// this will be the organization title of the OTP entry in Authenticator
	IssuerName string
	// Algorithm (optional) the algorithm used in the OTP generation
	//
	// default to sha1
	Algorithm OTPAlgorithm
	// InitialCount (optional) starting counter value. Only works for hotp
	InitialCount int
	// Digits (optional) the length of the OTP generated code.
	//
	// default to 6
	Digits uint
	// PeriodSecs (optional) the number of seconds the OTP
	// generator is set to expire every code.
	//
	// default to 30
	PeriodSecs uint
}

OTPArgs arguments for OTP

func ParseOTPUri 

func ParseOTPUri(uri string) (arg OTPArgs, err error)

ParseOTPUri parse otp uri to otp arguments

Args

  • uri: like `otpauth://totp/issuerName:demoAccountName?secret=4S62BZNFXXSZLCRO&issuer=issuerName`

func (OTPArgs) Hasher 

func (a OTPArgs) Hasher() (*gotp.Hasher, error)

Hasher get hasher from argument

type OTPType 

type OTPType string

OTPType otp type 

const (
	// OTPTypeTOTP time-based otp
	OTPTypeTOTP OTPType = "totp"
	// OTPTypeHOTP hash-based otp
	OTPTypeHOTP OTPType = "hotp"
)

type OpensslCertificateOutput added in v4.7.2 

type OpensslCertificateOutput struct {
	// Raw is the raw output of `openssl x509 -inform DER -text`
	Raw                                          []byte
	SerialNumber                                 *big.Int
	NotBefore, NotAfter                          time.Time
	IsCa                                         bool
	Subject                                      pkix.Name
	Policies                                     []asn1.ObjectIdentifier
	PublicKeyAlgorithm                           x509.PublicKeyAlgorithm
	SubjectKeyIdentifier, AuthorityKeyIdentifier []byte
}

OpensslCertificateOutput output of `openssl x509 -inform DER -text`

type RSAPrikeyBits 

type RSAPrikeyBits int

RSAPrikeyBits width of rsa private key 

const (
	// RSAPrikeyBits2048 rsa private key with 2048 bits
	RSAPrikeyBits2048 RSAPrikeyBits = 2048
	// RSAPrikeyBits3072 rsa private key with 3072 bits
	RSAPrikeyBits3072 RSAPrikeyBits = 3072
	// RSAPrikeyBits4096 rsa private key with 4096 bits
	RSAPrikeyBits4096 RSAPrikeyBits = 4096
)

type SignCSROption 

type SignCSROption func(*signCSROption) error

SignCSROption options for create certificate from CRL

func WithX509CaMaxPathLen added in v4.7.0 

func WithX509CaMaxPathLen(maxPathLen int) SignCSROption

WithX509CaMaxPathLen set max path length

only CAs are allowed to specify MaxPathLen

func WithX509SerialNumGenerator 

func WithX509SerialNumGenerator(gen X509CertSerialNumberGenerator) SignCSROption

WithX509SerialNumGenerator set serial number generator

func WithX509SignCSRCRLs 

func WithX509SignCSRCRLs(crlEndpoint ...string) SignCSROption

WithX509SignCSRCRLs add crl endpoints

func WithX509SignCSRExtKeyUsage 

func WithX509SignCSRExtKeyUsage(usage ...x509.ExtKeyUsage) SignCSROption

WithX509SignCSRExtKeyUsage add ext key usage

func WithX509SignCSRExtenstions deprecated added in v4.3.0 

func WithX509SignCSRExtenstions(_ ...pkix.Extension) SignCSROption

WithX509SignCSRExtenstions set certificate extensions

Extensions contains all requested extensions, in raw form. When parsing CSRs, this can be used to extract extensions that are not parsed by this package.

Deprecated: this field is ignored by golang built-in x509 library, use WithX509SignCSRExtraExtenstions instead if you want to set extensions.

func WithX509SignCSRExtraExtenstions added in v4.3.0 

func WithX509SignCSRExtraExtenstions(exts ...pkix.Extension) SignCSROption

WithX509SignCSRExtraExtenstions set certificate extra extensions

ExtraExtensions contains extensions to be copied, raw, into any CSR marshaled by CreateCertificateRequest. Values override any extensions that would otherwise be produced based on the other fields but are overridden by any extensions specified in Attributes.

The ExtraExtensions field is not populated by ParseCertificateRequest, see Extensions instead.

func WithX509SignCSRIsCA 

func WithX509SignCSRIsCA() SignCSROption

WithX509SignCSRIsCA set is ca

func WithX509SignCSRIsCRLCA 

func WithX509SignCSRIsCRLCA() SignCSROption

WithX509SignCSRIsCRLCA set is ca to sign CRL

func WithX509SignCSRKeyUsage 

func WithX509SignCSRKeyUsage(usage ...x509.KeyUsage) SignCSROption

WithX509SignCSRKeyUsage add key usage

func WithX509SignCSRNotAfter added in v4.2.0 

func WithX509SignCSRNotAfter(notAfter time.Time) SignCSROption

WithX509SignCSRNotAfter set valid for duration

func WithX509SignCSRNotBefore added in v4.2.0 

func WithX509SignCSRNotBefore(notBefore time.Time) SignCSROption

WithX509SignCSRNotBefore set valid from

func WithX509SignCSROCSPServers 

func WithX509SignCSROCSPServers(ocsp ...string) SignCSROption

WithX509SignCSROCSPServers set ocsp servers

func WithX509SignCSRPolicies 

func WithX509SignCSRPolicies(policies ...asn1.ObjectIdentifier) SignCSROption

WithX509SignCSRPolicies set certificate policies

func WithX509SignCSRSeriaNumber 

func WithX509SignCSRSeriaNumber(serialNumber *big.Int) SignCSROption

WithX509SignCSRSeriaNumber set certificate/CRL's serial number

refer to RFC-5280 5.2.3 &

Args

seriaNumber:

  • (optional): generate certificate
  • (required): generate CRL

func WithX509SignCSRValidFor 

func WithX509SignCSRValidFor(validFor time.Duration) SignCSROption

WithX509SignCSRValidFor set valid for duration

deprecated: use WithX509SignCSRNotAfter instead

func WithX509SignCSRValidFrom 

func WithX509SignCSRValidFrom(validFrom time.Time) SignCSROption

WithX509SignCSRValidFrom set valid from

deprecated: use WithX509SignCSRNotBefore instead

func WithX509SignPublicKeyAlgorithm deprecated added in v4.5.0 

func WithX509SignPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) SignCSROption

WithX509SignPublicKeyAlgorithm set public key algorithm

Deprecated: this field is ignored by golang built-in x509 library

func WithX509SignSignatureAlgorithm added in v4.5.0 

func WithX509SignSignatureAlgorithm(algo x509.SignatureAlgorithm) SignCSROption

WithX509SignSignatureAlgorithm set signature algorithm that parent certificate used to sign csr

type TOTP 

type TOTP struct {
	// contains filtered or unexported fields
}

TOTP time-based OTP

func NewTOTP 

func NewTOTP(arg OTPArgs) (*TOTP, error)

NewTOTP new TOTP

func (*TOTP) Key 

func (t *TOTP) Key() string

Key generate key by totp

func (*TOTP) KeyAt 

func (t *TOTP) KeyAt(at time.Time) string

KeyAt generate key by totp at arbitraty time

func (*TOTP) URI 

func (t *TOTP) URI() string

URI build uri for otp arguments

type TOTPInterface 

type TOTPInterface interface {
	// Key generate key by totp
	Key() string
	// KeyAt generate key by totp at arbitraty time
	KeyAt(at time.Time) string
	// URI build uri for otp arguments
	URI() string
}

TOTPInterface interface for TOTP

type Tongsuo added in v4.7.0 

type Tongsuo struct {
	// contains filtered or unexported fields
}

Tongsuo is a wrapper of tongsuo executable binary

https://github.com/Tongsuo-Project/Tongsuo

func NewTongsuo added in v4.7.0 

func NewTongsuo(exePath string) (ins *Tongsuo, err error)

NewTongsuo new tongsuo wrapper

Notice, only support

#Args

  • exePath: path of tongsuo executable binary

func (*Tongsuo) CloneX509Csr added in v4.7.2 

func (t *Tongsuo) CloneX509Csr(ctx context.Context,
	prikeyPem []byte, originCsrDer []byte) (clonedCsrDer []byte, err error)

CloneX509Csr generat a cloned csr with different private key

Args

  • prikeyPem: new private key for cloned csr
  • originCsrDer: origin csr

func (*Tongsuo) DecryptBySm2 added in v4.10.0 

func (t *Tongsuo) DecryptBySm2(ctx context.Context,
	prikeyPem []byte, cipher []byte) (data []byte, err error)

DecryptBySm2 decrypt by sm2 private key

func (*Tongsuo) DecryptBySm4Cbc added in v4.9.0 

func (t *Tongsuo) DecryptBySm4Cbc(ctx context.Context, key, combinedCipher []byte) (
	plaintext []byte, err error)

DecryptBySm4Cbc decrypt by sm4, should be encrypted by `EncryptBySm4` only

func (*Tongsuo) DecryptBySm4CbcBaisc added in v4.9.0 

func (t *Tongsuo) DecryptBySm4CbcBaisc(ctx context.Context,
	key, ciphertext, iv, hmac []byte) (plaintext []byte, err error)

DecryptBySm4CbcBaisc decrypt by sm4

Args

  • key: sm4 key
  • ciphertext: sm4 encrypted data
  • iv: sm4 iv
  • hmac: if not nil, will check ciphertext's integrity by hmac

func (*Tongsuo) EncryptBySm2 added in v4.10.0 

func (t *Tongsuo) EncryptBySm2(ctx context.Context,
	pubkeyPem []byte, data []byte) (cipher []byte, err error)

EncryptBySm2 encrypt by sm2 public key

func (*Tongsuo) EncryptBySm4Cbc added in v4.9.0 

func (t *Tongsuo) EncryptBySm4Cbc(ctx context.Context, key, plaintext []byte) (
	combinedCipher []byte, err error)

EncryptBySm4Cbc encrypt by sm4, should be decrypted by `DecryptBySm4` only

func (*Tongsuo) EncryptBySm4CbcBaisc added in v4.9.0 

func (t *Tongsuo) EncryptBySm4CbcBaisc(ctx context.Context,
	key, plaintext, iv []byte) (ciphertext, hmac []byte, err error)

EncryptBySm4CbcBaisc encrypt by sm4

Args

  • key: sm4 key, should be 16 bytes
  • plaintext: data to be encrypted
  • iv: sm4 iv, should be 16 bytes

Returns

  • ciphertext: sm4 encrypted data
  • hmac: hmac of ciphertext, 32 bytes

func (*Tongsuo) GetPubkeyFromCertPem added in v4.10.0 

func (t *Tongsuo) GetPubkeyFromCertPem(ctx context.Context, certPem []byte) (pubkeyPem []byte, err error)

GetPubkeyFromCertPem get pubkey from cert pem

func (*Tongsuo) HashBySm3 added in v4.9.0 

func (t *Tongsuo) HashBySm3(ctx context.Context, content []byte) (hash []byte, err error)

HashBySm3 hash by sm3

func (*Tongsuo) NewPrikey added in v4.7.0 

func (t *Tongsuo) NewPrikey(ctx context.Context) (prikeyPem []byte, err error)

NewPrikey generate new sm2 private key 

tongsuo ecparam -genkey -name SM2 -out rootca.key

func (*Tongsuo) NewPrikeyAndCert added in v4.7.0 

func (t *Tongsuo) NewPrikeyAndCert(ctx context.Context, opts ...X509CertOption) (
	prikeyPem, certDer []byte, err error)

NewPrikeyAndCert generate new private key and root ca

func (*Tongsuo) NewPrikeyWithPassword added in v4.9.0 

func (t *Tongsuo) NewPrikeyWithPassword(ctx context.Context, password string) (
	encryptedPrikeyPem []byte, err error)

NewPrikeyWithPassword generate new sm2 private key with password

func (*Tongsuo) NewX509CSR added in v4.7.0 

func (t *Tongsuo) NewX509CSR(ctx context.Context, prikeyPem []byte, opts ...X509CSROption) (csrDer []byte, err error)

NewX509CSR generate new x509 csr

func (*Tongsuo) NewX509Cert added in v4.7.2 

func (t *Tongsuo) NewX509Cert(ctx context.Context,
	prikeyPem []byte, opts ...X509CertOption) (certDer []byte, err error)

NewX509Cert generate new x509 cert 

tongsuo req -out rootca.crt -outform PEM -key rootca.key \
    -set_serial 123456 \
    -days 3650 -x509 -new -nodes -utf8 -batch \
    -sm3 \
    -copy_extensions copyall \
    -extensions v3_ca \
    -config rootca.cnf

func (*Tongsuo) NewX509CertByCSR added in v4.7.0 

func (t *Tongsuo) NewX509CertByCSR(ctx context.Context,
	parentCertDer []byte,
	parentPrikeyPem []byte,
	csrDer []byte,
	opts ...SignCSROption) (certDer []byte, err error)

NewX509CertByCSR generate new x509 cert by csr

func (*Tongsuo) ParseCsr2Opts added in v4.8.0 

func (t *Tongsuo) ParseCsr2Opts(ctx context.Context, csrDer []byte) ([]X509CSROption, error)

ParseCsr2Opts parse csr to opts

func (*Tongsuo) Prikey2Pubkey added in v4.9.0 

func (t *Tongsuo) Prikey2Pubkey(ctx context.Context, prikeyPem []byte) (
	pubkeyPem []byte, err error)

Prikey2Pubkey convert private key to public key

func (*Tongsuo) PrivateKey added in v4.10.0 

func (t *Tongsuo) PrivateKey(prikeyPem []byte) (crypto.PrivateKey, error)

PrivateKey get private key

func (*Tongsuo) ShowCertInfo added in v4.7.0 

func (t *Tongsuo) ShowCertInfo(ctx context.Context,
	certDer []byte) (
	certinfo string, cert *x509.Certificate, err error)

ShowCertInfo show cert info

nolint:gocognit,lll,maintidx // parse cert info part by part LGTM

Raw 

				Version: 3 (0x2)
				Serial Number: 17108345756590001 (0x3cc7f327841fb1)
				Serial Number: 51:f5:46:8b:d6:ff:ec:f2:33:e6:38:68:46:4e:9b:19:56:f3:6e:8a
				Signature Algorithm: SM2-with-SM3
				Issuer: CN = test-common-name, O = test org
				Validity
					Not Before: Mar 19 07:49:35 2024 GMT
					Not After : Mar 25 07:49:35 2024 GMT
				Subject: CN = test-common-name, O = test org
				Subject Public Key Info:
					Public Key Algorithm: id-ecPublicKey
						Public-Key: (256 bit)
						pub:
							04:31:66:dd:ef:4e:31:29:fd:4b:b1:a1:66:0b:c9:
							81:9f:6f:a4:e1:bd:44:24:6a:a8:93:62:0b:85:be:
							0e:56:14:76:ab:56:0d:7c:cc:26:77:47:d0:fe:77:
							38:31:ab:3d:b8:01:60:96:ae:07:72:e4:3d:df:4c:
							9d:02:98:9f:d3
						ASN1 OID: SM2
				X509v3 extensions:
					X509v3 Basic Constraints: critical
						CA:TRUE
	         X509v3 Key Usage: critical
	             Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only
          X509v3 Extended Key Usage:
              Any Extended Key Usage, TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, IPSec End System, IPSec Tunnel, IPSec User, Time Stamping, OCSP Signing, Microsoft Server Gated Crypto, Netscape Server Gated Crypto, Microsoft Commercial Code Signing, 1.3.6.1.4.1.311.61.1.1
				X509v3 Subject Key Identifier:
					AF:9A:33:37:3F:DE:3E:DD:77:61:A1:C8:3F:D5:0C:39:F0:D6:A6:7B
				X509v3 Authority Key Identifier:
					AF:9A:33:37:3F:DE:3E:DD:77:61:A1:C8:3F:D5:0C:39:F0:D6:A6:7B
				X509v3 Certificate Policies:
					Policy: 1.3.6.1.4.1.59936.1.1.3
		Signature Algorithm: SM2-with-SM3
		Signature Value:
			30:45:02:21:00:a8:a6:db:d5:8c:b4:d2:58:ff:1e:1f:9d:c1:
			e7:0b:eb:ba:4b:50:99:2c:c4:b9:3b:50:9d:6f:5f:1f:32:40:
			17:02:20:38:91:fb:16:41:80:52:d8:28:f8:ee:34:0f:f9:ab:
			c5:c8:1a:1f:31:d9:05:13:04:12:4d:0c:3d:fd:52:fe:51
	-----BEGIN CERTIFICATE-----
	MIIByzCCAXGgAwIBAgIHPMfzJ4QfsTAKBggqgRzPVQGDdTAuMRkwFwYDVQQDDBB0
	ZXN0LWNvbW1vbi1uYW1lMREwDwYDVQQKDAh0ZXN0IG9yZzAeFw0yNDAzMTkwNzQ5
	MzVaFw0yNDAzMjUwNzQ5MzVaMC4xGTAXBgNVBAMMEHRlc3QtY29tbW9uLW5hbWUx
	ETAPBgNVBAoMCHRlc3Qgb3JnMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEMWbd
	704xKf1LsaFmC8mBn2+k4b1EJGqok2ILhb4OVhR2q1YNfMwmd0fQ/nc4Mas9uAFg
	lq4HcuQ930ydApif06N6MHgwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw
	HQYDVR0OBBYEFK+aMzc/3j7dd2GhyD/VDDnw1qZ7MB8GA1UdIwQYMBaAFK+aMzc/
	3j7dd2GhyD/VDDnw1qZ7MBgGA1UdIAQRMA8wDQYLKwYBBAGD1CABAQMwCgYIKoEc
	z1UBg3UDSAAwRQIhAKim29WMtNJY/x4fncHnC+u6S1CZLMS5O1Cdb18fMkAXAiA4
	kfsWQYBS2Cj47jQP+avFyBofMdkFEwQSTQw9/VL+UQ==
	-----END CERTIFICATE-----

func (*Tongsuo) ShowCsrInfo added in v4.7.0 

func (t *Tongsuo) ShowCsrInfo(ctx context.Context, csrDer []byte) (
	output string, err error)

ShowCsrInfo show csr info

func (*Tongsuo) SignBySm2Sm3 added in v4.9.0 

func (t *Tongsuo) SignBySm2Sm3(ctx context.Context,
	parentPrikeyPem []byte, content []byte) (signature []byte, err error)

SignBySm2Sm3 sign by sm2 sm3

https://www.yuque.com/tsdoc/ts/ewh6xg7qlddxlec2#rehkK

func (*Tongsuo) SignX509CRL added in v4.10.0 

func (t *Tongsuo) SignX509CRL(ctx context.Context,
	CrlDer []byte,
	PrikeyPem []byte,
) (signedCrlDer []byte, err error)

SignX509CRL sign x509 crl by ca private key

func (*Tongsuo) VerifyBySm2Sm3 added in v4.9.0 

func (t *Tongsuo) VerifyBySm2Sm3(ctx context.Context,
	pubkeyPem, signature, content []byte) error

VerifyBySm2Sm3 verify by sm2 sm3

https://www.yuque.com/tsdoc/ts/ewh6xg7qlddxlec2#rehkK

func (*Tongsuo) VerifyCertsChain added in v4.9.1 

func (t *Tongsuo) VerifyCertsChain(ctx context.Context,
	leafCertPem, intermediatesPem, trustRootsPem []byte) error

VerifyCertsChain verify certs chain

Args

  • leafCert: leaf cert in PEM
  • intermediates: intermediate certs in PEM
  • trustRoots: trust roots in PEM

type TongsuoPriKey added in v4.10.0 

type TongsuoPriKey struct {
	// contains filtered or unexported fields
}

TongsuoPriKey tongsuo private key

func (*TongsuoPriKey) Decrypt added in v4.10.0 

func (t *TongsuoPriKey) Decrypt(_ io.Reader, msg []byte,
	_ crypto.DecrypterOpts) (plaintext []byte, err error)

Decrypt decrypt by private key

func (*TongsuoPriKey) Public added in v4.10.0 

func (t *TongsuoPriKey) Public() crypto.PublicKey

Public get public key

func (*TongsuoPriKey) Sign added in v4.10.0 

func (t *TongsuoPriKey) Sign(_ io.Reader, digest []byte,
	opts crypto.SignerOpts) (signature []byte, err error)

Sign sign by private key

type TongsuoPubkey added in v4.10.0 

type TongsuoPubkey struct {
	// contains filtered or unexported fields
}

TongsuoPubkey tongsuo public key

func (*TongsuoPubkey) Equal added in v4.10.0 

func (tpub *TongsuoPubkey) Equal(x crypto.PublicKey) bool

Equal compare two public keys

type X509CRLOption 

type X509CRLOption func(*x509CRLOption) error

X509CRLOption options for create x509 CRL

func WithX509CRLNextUpdate added in v4.5.1 

func WithX509CRLNextUpdate(nextUpdate time.Time) X509CRLOption

WithX509CRLNextUpdate set next update

default to 30 days later

func WithX509CRLSignatureAlgorithm added in v4.5.1 

func WithX509CRLSignatureAlgorithm(algo x509.SignatureAlgorithm) X509CRLOption

WithX509CRLSignatureAlgorithm set signature algorithm

default to auto choose algorithm depends on certificate's algorithm

func WithX509CRLThisUpdate added in v4.5.1 

func WithX509CRLThisUpdate(thisUpdate time.Time) X509CRLOption

WithX509CRLThisUpdate set this update

default to now

type X509CSROption 

type X509CSROption func(*x509CSROption) error

X509CSROption option to generate tls certificate

func WithX509CSRAttribute deprecated added in v4.3.0 

func WithX509CSRAttribute(attr pkix.AttributeTypeAndValueSET) X509CSROption

WithX509CSRAttribute set attribute

Deprecated: Use Extensions and ExtraExtensions instead for parsing and generating the requestedExtensions attribute.

func WithX509CSRCommonName 

func WithX509CSRCommonName(commonName string) X509CSROption

WithX509CSRCommonName set common name

func WithX509CSRCountry 

func WithX509CSRCountry(values ...string) X509CSROption

WithX509CSRCountry set subject countries

func WithX509CSRDNSNames 

func WithX509CSRDNSNames(dnsNames ...string) X509CSROption

WithX509CSRDNSNames set dns sans

func WithX509CSREmailAddrs 

func WithX509CSREmailAddrs(emailAddresses ...string) X509CSROption

WithX509CSREmailAddrs set email sans

func WithX509CSRExtension deprecated added in v4.3.0 

func WithX509CSRExtension(_ pkix.Extension) X509CSROption

WithX509CSRExtension set extension

Extensions contains raw X.509 extensions. When parsing certificates, this can be used to extract non-critical extensions that are not parsed by this package. When marshaling certificates, the Extensions field is ignored, see ExtraExtensions.

Deprecated: this field is ignored by golang's built-in x509 library, use ExtraExtensions instead if you want to add custom extensions.

func WithX509CSRExtraExtension added in v4.3.0 

func WithX509CSRExtraExtension(ext pkix.Extension) X509CSROption

WithX509CSRExtraExtension set extra extension

ExtraExtensions contains extensions to be copied, raw, into any marshaled certificates. Values override any extensions that would otherwise be produced based on the other fields. The ExtraExtensions field is not populated when parsing certificates, see Extensions.

func WithX509CSRIPAddrs 

func WithX509CSRIPAddrs(ipAddresses ...net.IP) X509CSROption

WithX509CSRIPAddrs set ip sans

func WithX509CSRLocality 

func WithX509CSRLocality(l ...string) X509CSROption

WithX509CSRLocality set subject localities

func WithX509CSROrganization 

func WithX509CSROrganization(organization ...string) X509CSROption

WithX509CSROrganization set organization

func WithX509CSROrganizationUnit 

func WithX509CSROrganizationUnit(ou ...string) X509CSROption

WithX509CSROrganizationUnit set organization units

func WithX509CSRPostalCode 

func WithX509CSRPostalCode(codes ...string) X509CSROption

WithX509CSRPostalCode set subjuect postal codes

func WithX509CSRProvince 

func WithX509CSRProvince(values ...string) X509CSROption

WithX509CSRProvince set subject provinces

func WithX509CSRPublicKeyAlgorithm deprecated 

func WithX509CSRPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CSROption

WithX509CSRPublicKeyAlgorithm set signature algorithm

Deprecated: this field is ignored by golang's built-in x509 library

func WithX509CSRSANS 

func WithX509CSRSANS(sans ...string) X509CSROption

WithX509CertSANS set certificate SANs

refer to RFC-5280 4.2.1.6

auto WithX509CSRSANS to ip/email/url/dns

func WithX509CSRSignatureAlgorithm 

func WithX509CSRSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CSROption

WithX509CSRSignatureAlgorithm set signature algorithm

func WithX509CSRStreetAddrs 

func WithX509CSRStreetAddrs(addrs ...string) X509CSROption

WithX509CSRStreetAddrs set subjuect street addresses

func WithX509CSRSubject 

func WithX509CSRSubject(subject pkix.Name) X509CSROption

WithX509CSRSubject set subject name

func WithX509CSRURIs 

func WithX509CSRURIs(uris ...*url.URL) X509CSROption

WithX509CSRURIs set uri sans

type X509CertOption 

type X509CertOption func(*x509V3CertOption) error

X509CertOption option to generate tls certificate

func WithX509CertCRLs 

func WithX509CertCRLs(crlEndpoint ...string) X509CertOption

WithX509CertCRLs add crl endpoints

func WithX509CertCaMaxPathLen added in v4.7.0 

func WithX509CertCaMaxPathLen(maxPathLen int) X509CertOption

WithX509CertCaMaxPathLen set max path length

func WithX509CertCommonName 

func WithX509CertCommonName(commonName string) X509CertOption

WithX509CertCommonName set common name

func WithX509CertCountry 

func WithX509CertCountry(values ...string) X509CertOption

WithX509CertCountry set subject countries

func WithX509CertDNSNames 

func WithX509CertDNSNames(dnsNames ...string) X509CertOption

WithX509CertDNSNames set dns sans

func WithX509CertEmailAddrs 

func WithX509CertEmailAddrs(emailAddresses ...string) X509CertOption

WithX509CertEmailAddrs set email sans

func WithX509CertExtKeyUsage 

func WithX509CertExtKeyUsage(usage ...x509.ExtKeyUsage) X509CertOption

WithX509CertExtKeyUsage add ext key usage

func WithX509CertExtentions deprecated added in v4.3.0 

func WithX509CertExtentions(_ ...pkix.Extension) X509CertOption

WithX509CertExtentions set extensions

Deprecated: this field is ignored in x509 v3 certificate, use WithX509CertExtraExtensions instead if you want to set extensions.

func WithX509CertExtraExtensions added in v4.3.0 

func WithX509CertExtraExtensions(exts ...pkix.Extension) X509CertOption

WithX509CertExtraExtensions set extra extensions

func WithX509CertIPAddrs 

func WithX509CertIPAddrs(ipAddresses ...net.IP) X509CertOption

WithX509CertIPAddrs set ip sans

func WithX509CertIsCA 

func WithX509CertIsCA() X509CertOption

WithX509CertIsCA set is ca

func WithX509CertIsCRLCA 

func WithX509CertIsCRLCA() X509CertOption

WithX509CertIsCRLCA set is ca to sign CRL

func WithX509CertKeyUsage 

func WithX509CertKeyUsage(usage ...x509.KeyUsage) X509CertOption

WithX509CertKeyUsage add key usage

func WithX509CertLocality 

func WithX509CertLocality(l ...string) X509CertOption

WithX509CertLocality set subject localities

func WithX509CertNotAfter added in v4.2.0 

func WithX509CertNotAfter(notAfter time.Time) X509CertOption

WithX509CertNotAfter set not after

default to 30 days later

func WithX509CertNotBefore added in v4.2.0 

func WithX509CertNotBefore(notBefore time.Time) X509CertOption

WithX509CertNotBefore set not before

func WithX509CertOCSPServers 

func WithX509CertOCSPServers(ocsp ...string) X509CertOption

WithX509CertOCSPServers set ocsp servers

func WithX509CertOrganization 

func WithX509CertOrganization(organization ...string) X509CertOption

WithX509CertOrganization set organization

func WithX509CertOrganizationUnit 

func WithX509CertOrganizationUnit(ou ...string) X509CertOption

WithX509CertOrganizationUnit set organization unit

func WithX509CertParent 

func WithX509CertParent(parent *x509.Certificate) X509CertOption

WithX509CertParent set issuer

func WithX509CertPolicies 

func WithX509CertPolicies(policies ...asn1.ObjectIdentifier) X509CertOption

WithX509CertPolicies set certificate policies

func WithX509CertPostalCode 

func WithX509CertPostalCode(codes ...string) X509CertOption

WithX509CertPostalCode set subjuect postal codes

func WithX509CertProvince 

func WithX509CertProvince(values ...string) X509CertOption

WithX509CertProvince set subject provinces

func WithX509CertPubkey 

func WithX509CertPubkey(pubkey crypto.PublicKey) X509CertOption

WithX509CertPubkey set new certs' pubkey

func WithX509CertPublicKeyAlgorithm deprecated 

func WithX509CertPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CertOption

WithX509CertPublicKeyAlgorithm set signature algorithm

Deprecated: this field is ignored in x509 v3 certificate

func WithX509CertSANS 

func WithX509CertSANS(sans ...string) X509CertOption

WithX509CertSANS set certificate SANs

refer to RFC-5280 4.2.1.6

auto parse to ip/email/url/dns

func WithX509CertSeriaNumber 

func WithX509CertSeriaNumber(serialNumber *big.Int) X509CertOption

WithX509CertSeriaNumber set certificate/CRL's serial number

refer to RFC-5280 5.2.3 &

Args

seriaNumber:

  • (optional): generate certificate
  • (required): generate CRL

func WithX509CertSerialNumGenerator 

func WithX509CertSerialNumGenerator(gen X509CertSerialNumberGenerator) X509CertOption

WithX509CertSerialNumGenerator set serial number generator

func WithX509CertSignatureAlgorithm 

func WithX509CertSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CertOption

WithX509CertSignatureAlgorithm set signature algorithm

func WithX509CertStreetAddrs 

func WithX509CertStreetAddrs(addrs ...string) X509CertOption

WithX509CertStreetAddrs set subjuect street addresses

func WithX509CertURIs 

func WithX509CertURIs(uris ...*url.URL) X509CertOption

WithX509CertURIs set uri sans

func WithX509CertValidFor 

func WithX509CertValidFor(validFor time.Duration) X509CertOption

WithX509CertValidFor set valid for duration

deprecated: use WithX509CertNotAfter instead

func WithX509CertValidFrom 

func WithX509CertValidFrom(validFrom time.Time) X509CertOption

WithX509CertValidFrom set valid from

deprecated: use WithX509CertNotBefore instead

func WithX509CsrOptions added in v4.8.0 

func WithX509CsrOptions(csrOpts []X509CSROption) X509CertOption

WithX509CsrOptions set csr options

func WithX509Subject 

func WithX509Subject(subject pkix.Name) X509CertOption

WithX509Subject set subject name

type X509CertSerialNumberGenerator 

type X509CertSerialNumberGenerator interface {
	SerialNum() int64
}

X509CertSerialNumberGenerator x509 certificate serial number generator

Source Files

View all Source files

Directories

Path Synopsis
kms
Package kms provides a simple kms interface.
 Package kms provides a simple kms interface.
mem
Package mem is a multi-key KMS in pure memory
 Package mem is a multi-key KMS in pure memory
package Threshold cryptosystem
 package Threshold cryptosystem
shamir
Package shamir is Shamir’s Secret Sharing is a method for dividing a secret into multiple parts and distributing those parts among different participants.
 Package shamir is Shamir’s Secret Sharing is a method for dividing a secret into multiple parts and distributing those parts among different participants.
signature
Package signature provides an implementation of threshold signatures.
 Package signature provides an implementation of threshold signatures.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.