Documentation ¶
Overview ¶
Package crypto is a collection of cryptographic algorithms and protocols, providing hash functions, block and stream ciphers, public key cryptography and authentication. It also includes a cryptographically secure pseudo-random number generator.
x.509
This package provides many useful functions for x.509 certificate. you can build a PKI system with this package. including parsing and verification. it can be used to parse x.509 certificates, create x.509 certificate chains, verify x.509 certificate chains, and parse x.509 certificate revocation lists.
Index ¶
- Constants
- func AEADDecrypt(key, ciphertext, additionalData []byte) (plaintext []byte, err error)
- func AEADDecryptBasic(key, ciphertext, iv, tag, additionalData []byte) (plaintext []byte, err error)
- func AEADEncrypt(key, plaintext, additionalData []byte) (ciphertext []byte, err error)
- func AEADEncryptBasic(key, plaintext, iv, additionalData []byte) (ciphertext, tag []byte, err error)
- func AESEncryptFilesInDir(dir string, secret []byte, opts ...AESEncryptFilesInDirOption) (err error)
- func AesDecrypt(secret []byte, encrypted []byte) ([]byte, error)deprecated
- func AesEncrypt(secret []byte, cnt []byte) ([]byte, error)deprecated
- func Base32Secret(key []byte) string
- func CRL2Der(crl *x509.RevocationList) []byte
- func CRL2Pem(crl *x509.RevocationList) []byte
- func CRLDer2Pem(crlDer []byte) []byte
- func CRLPem2Der(crlPem []byte) ([]byte, error)
- func CSR2Der(csr *x509.CertificateRequest) []byte
- func CSRDer2Pem(CSRInDer []byte) (CSRInPem []byte)
- func Cert2Der(cert ...*x509.Certificate) (ret []byte)
- func Cert2Pem(certs ...*x509.Certificate) (ret []byte)
- func CertDer2Pem(certInDer []byte) (certInPem []byte)
- func DecodeES256SignByBase64(sign string) (r, s *big.Int, err error)
- func DecodeES256SignByHex(sign string) (r, s *big.Int, err error)
- func Der2CRL(crlDer []byte) (*x509.RevocationList, error)
- func Der2CSR(csrDer []byte) (*x509.CertificateRequest, error)
- func Der2Cert(certInDer []byte) (*x509.Certificate, error)
- func Der2Certs(certInDer []byte) ([]*x509.Certificate, error)
- func Der2Prikey(prikeyDer []byte) (crypto.PrivateKey, error)
- func Der2Pubkey(pubkeyDer []byte) (crypto.PublicKey, error)
- func DeriveKeyByHKDF(rawKey, salt []byte, newKeyLength int) (newKey []byte, err error)
- func DeriveKeyBySMHF(rawKey, salt []byte) (newKey []byte, err error)
- func EncodeES256SignByBase64(r, s *big.Int) string
- func EncodeES256SignByHex(r, s *big.Int) string
- func FormatBig2Base64(b *big.Int) string
- func FormatBig2Hex(b *big.Int) string
- func GeneratePasswordHash(password []byte) ([]byte, error)deprecated
- func HKDFWithSHA256(secret, salt, info []byte, results [][]byte) error
- func MatchPrefix() func(o *oidContainsOption) error
- func NewECDSAPrikey(curve ECDSACurve) (*ecdsa.PrivateKey, error)
- func NewECDSAPrikeyAndCert(curve ECDSACurve, opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
- func NewEd25519Prikey() (ed25519.PrivateKey, error)
- func NewEd25519PrikeyAndCert(opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
- func NewRSAPrikey(bits RSAPrikeyBits) (*rsa.PrivateKey, error)
- func NewRSAPrikeyAndCert(rsaBits RSAPrikeyBits, opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
- func NewX509CRL(ca *x509.Certificate, prikey crypto.PrivateKey, seriaNumber *big.Int, ...) (crlDer []byte, err error)
- func NewX509CSR(prikey crypto.PrivateKey, opts ...X509CSROption) (csrDer []byte, err error)
- func NewX509Cert(prikey crypto.PrivateKey, opts ...X509CertOption) (certDer []byte, err error)
- func NewX509CertByCSR(parent *x509.Certificate, prikey crypto.PrivateKey, csrDer []byte, ...) (certDer []byte, err error)
- func OIDContains(oids []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier, ...) bool
- func ParseBase642Big(raw string) (*big.Int, error)
- func ParseHex2Big(hex string) (b *big.Int, ok bool)
- func PasswordHash(password []byte, hasher gutils.HashType) (hashedPassword string, err error)
- func Pem2CRL(crlPem []byte) (*x509.RevocationList, error)
- func Pem2CSR(csrInPem []byte) (*x509.CertificateRequest, error)
- func Pem2Cert(certInPem []byte) (*x509.Certificate, error)
- func Pem2Certs(certInPem []byte) ([]*x509.Certificate, error)
- func Pem2Der(pemBytes []byte) (derBytes []byte, err error)
- func Pem2Ders(pemBytes []byte) (dersBytes [][]byte, err error)
- func Pem2Prikey(x509v8Pem []byte) (crypto.PrivateKey, error)
- func Pem2Pubkey(pubkeyPem []byte) (crypto.PublicKey, error)
- func Prikey2Der(key crypto.PrivateKey) ([]byte, error)
- func Prikey2Pem(key crypto.PrivateKey) ([]byte, error)
- func Prikey2Pubkey(prikey crypto.PrivateKey) (pubkey crypto.PublicKey)
- func PrikeyDer2Pem(prikeyInDer []byte) (prikeyInPem []byte)
- func Privkey2Signer(privkey crypto.PrivateKey) crypto.Signer
- func Pubkey2Der(key crypto.PublicKey) ([]byte, error)
- func Pubkey2Pem(key crypto.PublicKey) ([]byte, error)
- func PubkeyDer2Pem(pubkeyInDer []byte) (prikeyInPem []byte)
- func RSADecrypt(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)
- func RSADer2Prikey(x509v1Der []byte) (*rsa.PrivateKey, error)
- func RSAEncrypt(pubkey *rsa.PublicKey, plain []byte) (cipher []byte, err error)
- func RSAPem2Prikey(x509v1Pem []byte) (*rsa.PrivateKey, error)
- func ReadableOIDs(oids []asn1.ObjectIdentifier) (names []string)
- func ReadablePkixName(name pkix.Name) map[string]any
- func ReadableX509CSR(csr *x509.CertificateRequest) (map[string]any, error)
- func ReadableX509Cert(cert *x509.Certificate) (map[string]any, error)
- func ReadableX509ExtKeyUsage(usages []x509.ExtKeyUsage) (usageNames []string)
- func ReadableX509Extention(ext *pkix.Extension) (map[string]any, error)
- func ReadableX509KeyUsage(usage x509.KeyUsage) (usageNames []string)
- func Salt(length int) ([]byte, error)
- func SecureCipherSuites(filter func(*tls.CipherSuite) bool) []uint16
- func SignByECDSAWithSHA256(priKey *ecdsa.PrivateKey, content []byte) (r, s *big.Int, err error)
- func SignByECDSAWithSHA256AndBase64(priKey *ecdsa.PrivateKey, content []byte) (signature string, err error)
- func SignByRSAWithSHA256(priKey *rsa.PrivateKey, content []byte) ([]byte, error)
- func SignReaderByECDSAWithSHA256(priKey *ecdsa.PrivateKey, reader io.Reader) (r, s *big.Int, err error)
- func SignReaderByRSAWithSHA256(priKey *rsa.PrivateKey, reader io.Reader) (sig []byte, err error)
- func ValidatePasswordHash(hashedPassword, password []byte) booldeprecated
- func VerifyByECDSAWithSHA256(pubKey *ecdsa.PublicKey, content []byte, r, s *big.Int) bool
- func VerifyByECDSAWithSHA256AndBase64(pubKey *ecdsa.PublicKey, content []byte, signature string) (bool, error)
- func VerifyByRSAWithSHA256(pubKey *rsa.PublicKey, content []byte, sig []byte) error
- func VerifyCRL(ca *x509.Certificate, crl *x509.RevocationList) error
- func VerifyCertByPrikey(certPem []byte, prikeyPem []byte) error
- func VerifyHashedPassword(rawpassword []byte, hashedPassword string) (err error)
- func VerifyReaderByECDSAWithSHA256(pubKey *ecdsa.PublicKey, reader io.Reader, r, s *big.Int) (bool, error)
- func VerifyReaderByRSAWithSHA256(pubKey *rsa.PublicKey, reader io.Reader, sig []byte) error
- func X509Cert2OpensslConf(cert *x509.Certificate) (opensslConf []byte)
- func X509CertSubjectKeyID(pubkey crypto.PublicKey) ([]byte, error)
- func X509Csr2OpensslConf(csr *x509.CertificateRequest) (opensslConf []byte)
- func X509CsrOption2Template(opts ...X509CSROption) (tpl *x509.CertificateRequest, err error)
- type AESEncryptFilesInDirOption
- type AesReaderWrapper
- type DHKX
- type DHKXOptionFunc
- type DefaultX509CertSerialNumGenerator
- type ECDH
- type ECDSACurve
- type HashedPassword
- type KeyExchange
- type OTPAlgorithm
- type OTPArgs
- type OTPType
- type RSAPrikeyBits
- type SignCSROption
- func WithX509CaMaxPathLen(maxPathLen int) SignCSROption
- func WithX509SerialNumGenerator(gen X509CertSerialNumberGenerator) SignCSROption
- func WithX509SignCSRCRLs(crlEndpoint ...string) SignCSROption
- func WithX509SignCSRExtKeyUsage(usage ...x509.ExtKeyUsage) SignCSROption
- func WithX509SignCSRExtenstions(_ ...pkix.Extension) SignCSROptiondeprecated
- func WithX509SignCSRExtraExtenstions(exts ...pkix.Extension) SignCSROption
- func WithX509SignCSRIsCA() SignCSROption
- func WithX509SignCSRIsCRLCA() SignCSROption
- func WithX509SignCSRKeyUsage(usage ...x509.KeyUsage) SignCSROption
- func WithX509SignCSRNotAfter(notAfter time.Time) SignCSROption
- func WithX509SignCSRNotBefore(notBefore time.Time) SignCSROption
- func WithX509SignCSROCSPServers(ocsp ...string) SignCSROption
- func WithX509SignCSRPolicies(policies ...asn1.ObjectIdentifier) SignCSROption
- func WithX509SignCSRSeriaNumber(serialNumber *big.Int) SignCSROption
- func WithX509SignCSRValidFor(validFor time.Duration) SignCSROption
- func WithX509SignCSRValidFrom(validFrom time.Time) SignCSROption
- func WithX509SignPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) SignCSROptiondeprecated
- func WithX509SignSignatureAlgorithm(algo x509.SignatureAlgorithm) SignCSROption
- type TOTP
- type TOTPInterface
- type Tongsuo
- func (t *Tongsuo) NewPrikey(ctx context.Context) (prikeyPem []byte, err error)
- func (t *Tongsuo) NewPrikeyAndCert(ctx context.Context, opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
- func (t *Tongsuo) NewX509CSR(ctx context.Context, prikeyPem []byte, opts ...X509CSROption) (csrDer []byte, err error)
- func (t *Tongsuo) NewX509CertByCSR(ctx context.Context, parentCertDer []byte, parentPrikeyPem []byte, ...) (certDer []byte, err error)
- func (t *Tongsuo) ShowCertInfo(ctx context.Context, certDer []byte) (output string, err error)
- func (t *Tongsuo) ShowCsrInfo(ctx context.Context, csrDer []byte) (output string, err error)
- type X509CRLOption
- type X509CSROption
- func WithX509CSRAttribute(attr pkix.AttributeTypeAndValueSET) X509CSROptiondeprecated
- func WithX509CSRCommonName(commonName string) X509CSROption
- func WithX509CSRCountry(values ...string) X509CSROption
- func WithX509CSRDNSNames(dnsNames ...string) X509CSROption
- func WithX509CSREmailAddrs(emailAddresses ...string) X509CSROption
- func WithX509CSRExtension(_ pkix.Extension) X509CSROptiondeprecated
- func WithX509CSRExtraExtension(ext pkix.Extension) X509CSROption
- func WithX509CSRIPAddrs(ipAddresses ...net.IP) X509CSROption
- func WithX509CSRLocality(l ...string) X509CSROption
- func WithX509CSROrganization(organization ...string) X509CSROption
- func WithX509CSROrganizationUnit(ou ...string) X509CSROption
- func WithX509CSRPostalCode(codes ...string) X509CSROption
- func WithX509CSRProvince(values ...string) X509CSROption
- func WithX509CSRPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CSROptiondeprecated
- func WithX509CSRSANS(sans ...string) X509CSROption
- func WithX509CSRSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CSROption
- func WithX509CSRStreetAddrs(addrs ...string) X509CSROption
- func WithX509CSRSubject(subject pkix.Name) X509CSROption
- func WithX509CSRURIs(uris ...*url.URL) X509CSROption
- type X509CertOption
- func WithX509CertCRLs(crlEndpoint ...string) X509CertOption
- func WithX509CertCaMaxPathLen(maxPathLen int) X509CertOption
- func WithX509CertCommonName(commonName string) X509CertOption
- func WithX509CertCountry(values ...string) X509CertOption
- func WithX509CertDNSNames(dnsNames ...string) X509CertOption
- func WithX509CertEmailAddrs(emailAddresses ...string) X509CertOption
- func WithX509CertExtKeyUsage(usage ...x509.ExtKeyUsage) X509CertOption
- func WithX509CertExtentions(_ ...pkix.Extension) X509CertOptiondeprecated
- func WithX509CertExtraExtensions(exts ...pkix.Extension) X509CertOption
- func WithX509CertIPAddrs(ipAddresses ...net.IP) X509CertOption
- func WithX509CertIsCA() X509CertOption
- func WithX509CertIsCRLCA() X509CertOption
- func WithX509CertKeyUsage(usage ...x509.KeyUsage) X509CertOption
- func WithX509CertLocality(l ...string) X509CertOption
- func WithX509CertNotAfter(notAfter time.Time) X509CertOption
- func WithX509CertNotBefore(notBefore time.Time) X509CertOption
- func WithX509CertOCSPServers(ocsp ...string) X509CertOption
- func WithX509CertOrganization(organization ...string) X509CertOption
- func WithX509CertOrganizationUnit(ou ...string) X509CertOption
- func WithX509CertParent(parent *x509.Certificate) X509CertOption
- func WithX509CertPolicies(policies ...asn1.ObjectIdentifier) X509CertOption
- func WithX509CertPostalCode(codes ...string) X509CertOption
- func WithX509CertProvince(values ...string) X509CertOption
- func WithX509CertPubkey(pubkey crypto.PublicKey) X509CertOption
- func WithX509CertPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CertOptiondeprecated
- func WithX509CertSANS(sans ...string) X509CertOption
- func WithX509CertSeriaNumber(serialNumber *big.Int) X509CertOption
- func WithX509CertSerialNumGenerator(gen X509CertSerialNumberGenerator) X509CertOption
- func WithX509CertSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CertOption
- func WithX509CertStreetAddrs(addrs ...string) X509CertOption
- func WithX509CertURIs(uris ...*url.URL) X509CertOption
- func WithX509CertValidFor(validFor time.Duration) X509CertOption
- func WithX509CertValidFrom(validFrom time.Time) X509CertOption
- func WithX509Subject(subject pkix.Name) X509CertOption
- type X509CertSerialNumberGenerator
Examples ¶
Constants ¶
const ( // AesGcmIvLen is the length of IV for AES GCM AesGcmIvLen = 12 // AesGcmTagLen is the length of tag for AES GCM AesGcmTagLen = 16 )
Variables ¶
This section is empty.
Functions ¶
func AEADDecrypt ¶ added in v4.1.0
AEADDecrypt encrypt bytes by AES GCM
Sugar wrapper of AEADDecryptWithIV, will extract IV from ciphertext automatically.
Args: ¶
- key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
- ciphertext: encrypted content
- additionalData: additional data to encrypt
Returns: ¶
- plaintext: decrypted content
func AEADDecryptBasic ¶ added in v4.6.0
func AEADDecryptBasic(key, ciphertext, iv, tag, additionalData []byte) (plaintext []byte, err error)
AEADDecryptBasic encrypt bytes by AES GCM
Args: ¶
- key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
- ciphertext: encrypted content
- iv: Initialization Vector, should be 12 bytes
- tag: authentication tag, should be 16 bytes
- additionalData: additional data to encrypt
Returns: ¶
- plaintext: decrypted content
func AEADEncrypt ¶ added in v4.1.0
AEADEncrypt encrypt bytes by AES GCM
sugar wrapper of AEADEncryptWithIV, will generate random IV and append it to ciphertext as prefix.you can use AEADDecrypt to decrypt it.
Returns: ¶
- ciphertext: consists of IV, cipher and tag, `{iv}{cipher}{tag}`
func AEADEncryptBasic ¶ added in v4.6.0
func AEADEncryptBasic(key, plaintext, iv, additionalData []byte) (ciphertext, tag []byte, err error)
AEADEncryptBasic encrypt bytes by AES GCM and return IV and ciphertext
Args: ¶
- key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
- plaintext: content to encrypt
- iv: Initialization Vector, should be 12 bytes
- additionalData: additional data to encrypt
Returns: ¶
- ciphertext: encrypted content without IV and tag, the length of ciphertext is same as plaintext
func AESEncryptFilesInDir ¶
func AESEncryptFilesInDir(dir string, secret []byte, opts ...AESEncryptFilesInDirOption) (err error)
AESEncryptFilesInDir encrypt files in dir
will generate new encrypted files with <suffix> after ext
xxx.toml -> xxx.toml.enc
func AesDecrypt
deprecated
func AesEncrypt
deprecated
AesEncrypt encrypt bytes by AES GCM
inspired by https://tutorialedge.net/golang/go-encrypt-decrypt-aes-tutorial/
The key argument should be the AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
Deprecated: use AEAD instead
func Base32Secret ¶
Base32Secret generate base32 encoded secret
func CRL2Der ¶ added in v4.5.0
func CRL2Der(crl *x509.RevocationList) []byte
CRL2Der marshal crl to der
func CRL2Pem ¶ added in v4.5.0
func CRL2Pem(crl *x509.RevocationList) []byte
CRL2Pem marshal crl to pem
func CRLDer2Pem ¶ added in v4.5.0
CRLDer2Pem marshal crl to pem
func CRLPem2Der ¶ added in v4.5.0
CRLPem2Der parse crl pem
func CSRDer2Pem ¶
CSRDer2Pem convert CSR in der to pem
func Cert2Der ¶
func Cert2Der(cert ...*x509.Certificate) (ret []byte)
Cert2Der marshal private key by x509.8
func Cert2Pem ¶
func Cert2Pem(certs ...*x509.Certificate) (ret []byte)
Cert2Pem marshal x509 certificate to pem
func CertDer2Pem ¶
CertDer2Pem convert certificate in der to pem
func DecodeES256SignByBase64 ¶
DecodeES256SignByBase64 parse ecdsa signature string to two *big.Int
func DecodeES256SignByHex ¶
DecodeES256SignByHex parse ecdsa signature string to two *big.Int
func Der2Cert ¶
func Der2Cert(certInDer []byte) (*x509.Certificate, error)
Der2Cert parse sigle certificate in der
func Der2Certs ¶
func Der2Certs(certInDer []byte) ([]*x509.Certificate, error)
Der2Cert parse multiple certificates in der
func Der2Prikey ¶
func Der2Prikey(prikeyDer []byte) (crypto.PrivateKey, error)
Der2Prikey parse private key from der in x509 v8/v1
func Der2Pubkey ¶
Der2Pubkey parse public key from der in x509 pkcs1/pkix
func DeriveKeyByHKDF ¶
DeriveKeyByHKDF derive key by hkdf
func DeriveKeyBySMHF ¶
DeriveKeyBySMHF derive key by Stronger Key Derivation via Sequential Memory-Hard Functions
func EncodeES256SignByBase64 ¶
EncodeES256SignByBase64 format ecdsa signature to stirng
func EncodeES256SignByHex ¶
EncodeES256SignByHex format ecdsa sign to stirng
func FormatBig2Base64 ¶
FormatBig2Base64 format big to base64 string
func GeneratePasswordHash
deprecated
GeneratePasswordHash generate hashed password by origin password
Deprecated: use PasswordHash instead
Example ¶
// generate hashed password rawPassword := []byte("1234567890") hashedPassword, err := GeneratePasswordHash(rawPassword) if err != nil { log.Shared.Error("try to generate password got error", zap.Error(err)) return } fmt.Printf("got new hashed pasword: %v\n", string(hashedPassword)) // validate passowrd if !ValidatePasswordHash(hashedPassword, rawPassword) { log.Shared.Error("password invalidate", zap.Error(err)) return }
Output:
func HKDFWithSHA256 ¶
HKDFWithSHA256 derivative keys by HKDF with sha256. same key & salt will derivative same keys
Example ¶
derivative multiple keys:
results := make([][]byte, 10) for i := range results { results[i] = make([]byte, 20) } HKDFWithSHA256([]byte("your key"), nil, nil, results)
func MatchPrefix ¶
func MatchPrefix() func(o *oidContainsOption) error
MatchPrefix treat prefix inclusion as a match as well
`1.2.3` contains `1.2.3.4`
func NewECDSAPrikey ¶
func NewECDSAPrikey(curve ECDSACurve) (*ecdsa.PrivateKey, error)
NewECDSAPrikey new ecdsa private key
func NewECDSAPrikeyAndCert ¶ added in v4.5.0
func NewECDSAPrikeyAndCert(curve ECDSACurve, opts ...X509CertOption) ( prikeyPem, certDer []byte, err error)
NewECDSAPrikeyAndCert convient function to new ecdsa private key and cert
func NewEd25519Prikey ¶
func NewEd25519Prikey() (ed25519.PrivateKey, error)
NewEd25519Prikey new ed25519 private key
func NewEd25519PrikeyAndCert ¶ added in v4.7.0
func NewEd25519PrikeyAndCert(opts ...X509CertOption) ( prikeyPem, certDer []byte, err error)
NewEd25519PrikeyAndCert convient function to new ed25519 private key and cert
func NewRSAPrikey ¶
func NewRSAPrikey(bits RSAPrikeyBits) (*rsa.PrivateKey, error)
NewRSAPrikey new rsa privat ekey
func NewRSAPrikeyAndCert ¶
func NewRSAPrikeyAndCert(rsaBits RSAPrikeyBits, opts ...X509CertOption) ( prikeyPem, certDer []byte, err error)
NewRSAPrikeyAndCert convient function to new rsa private key and cert
func NewX509CRL ¶
func NewX509CRL(ca *x509.Certificate, prikey crypto.PrivateKey, seriaNumber *big.Int, revokeCerts []pkix.RevokedCertificate, opts ...X509CRLOption) (crlDer []byte, err error)
NewX509CRL create and sign CRL
Args ¶
- ca: CA to sign CRL.
- prikey: prikey for CA.
- revokeCerts: certifacates that will be revoked.
- WithX509CertSeriaNumber() is required for NewX509CRL.
according to RFC5280 5.2.3, X.509 v3 CRL could have a monotonically increasing sequence number as serial number.
func NewX509CSR ¶
func NewX509CSR(prikey crypto.PrivateKey, opts ...X509CSROption) (csrDer []byte, err error)
NewX509CSR new CSR
Arguments ¶
if prikey is not RSA private key, you must set SignatureAlgorithm by WithX509CertSignatureAlgorithm.
Warning: CSR do not support set IsCA / KeyUsage / ExtKeyUsage, you should set these attributes in NewX509CertByCSR.
func NewX509Cert ¶
func NewX509Cert(prikey crypto.PrivateKey, opts ...X509CertOption) (certDer []byte, err error)
NewX509Cert new cert
func NewX509CertByCSR ¶
func NewX509CertByCSR( parent *x509.Certificate, prikey crypto.PrivateKey, csrDer []byte, opts ...SignCSROption) (certDer []byte, err error)
NewX509CertByCSR sign CSR to certificate
Depends on RFC-5280 4.2.1.12, empty ext key usage is as same as any key usage. so do not set any default ext key usages.
but key usage is required in many cases:
func OIDContains ¶
func OIDContains(oids []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier, opts ...func(o *oidContainsOption) error) bool
OIDContains is oid in oids
func ParseBase642Big ¶
ParseBase642Big parse base64 string to big
func ParseHex2Big ¶
ParseHex2Big parse hex string to big
func PasswordHash ¶ added in v4.1.0
PasswordHash generate salted hash of password, can verify by VerifyHashedPassword
func Pem2CRL ¶ added in v4.5.0
func Pem2CRL(crlPem []byte) (*x509.RevocationList, error)
Pem2CRL parse crl pem
func Pem2CSR ¶
func Pem2CSR(csrInPem []byte) (*x509.CertificateRequest, error)
Pem2CSR parse csr from pem
func Pem2Cert ¶
func Pem2Cert(certInPem []byte) (*x509.Certificate, error)
Pem2Cert parse single certificate in pem
func Pem2Certs ¶
func Pem2Certs(certInPem []byte) ([]*x509.Certificate, error)
Pem2Certs parse multiple certificate in pem
func Pem2Prikey ¶
func Pem2Prikey(x509v8Pem []byte) (crypto.PrivateKey, error)
Pem2Prikey parse private key from x509 v8(general) pem
func Pem2Pubkey ¶
Pem2Pubkey parse public key from pem
func Prikey2Der ¶
func Prikey2Der(key crypto.PrivateKey) ([]byte, error)
Prikey2Der marshal private key by x509.8
func Prikey2Pem ¶
func Prikey2Pem(key crypto.PrivateKey) ([]byte, error)
Prikey2Pem marshal private key to pem
func Prikey2Pubkey ¶ added in v4.7.0
func Prikey2Pubkey(prikey crypto.PrivateKey) (pubkey crypto.PublicKey)
Prikey2Pubkey get public key from private key
func PrikeyDer2Pem ¶
PrikeyDer2Pem convert private key in der to pem
func Privkey2Signer ¶
func Privkey2Signer(privkey crypto.PrivateKey) crypto.Signer
Privkey2Signer convert privkey to signer
func Pubkey2Der ¶
Pubkey2Der marshal public key by pkix
func Pubkey2Pem ¶
Pubkey2Pem marshal public key to pem
func PubkeyDer2Pem ¶
PubkeyDer2Pem convert public key in der to pem
func RSADecrypt ¶
func RSADecrypt(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)
RSADecrypt decrypt by rsa PKCS1v15
only accept cipher encrypted by RSAEncrypt
func RSADer2Prikey ¶
func RSADer2Prikey(x509v1Der []byte) (*rsa.PrivateKey, error)
RSADer2Prikey parse private key from x509 v1(rsa) der
func RSAPem2Prikey ¶
func RSAPem2Prikey(x509v1Pem []byte) (*rsa.PrivateKey, error)
RSAPem2Prikey parse private key from x509 v1(rsa) pem
func ReadableOIDs ¶
func ReadableOIDs(oids []asn1.ObjectIdentifier) (names []string)
ReadableX509ExtKeyUsage convert objectids to readable strings
func ReadablePkixName ¶
ReadablePkixName convert pkix.Name to readable map with strings
func ReadableX509CSR ¶ added in v4.3.0
func ReadableX509CSR(csr *x509.CertificateRequest) (map[string]any, error)
ReadableX509CSR convert x509 certificate request to readable jsonable map
func ReadableX509Cert ¶
func ReadableX509Cert(cert *x509.Certificate) (map[string]any, error)
ReadableX509Cert convert x509 certificate to readable jsonable map
func ReadableX509ExtKeyUsage ¶
func ReadableX509ExtKeyUsage(usages []x509.ExtKeyUsage) (usageNames []string)
ReadableX509ExtKeyUsage convert x509 certificate ext key usages to readable strings
func ReadableX509Extention ¶ added in v4.3.0
ReadableX509Extention convert x509 certificate extension to readable jsonable map
func ReadableX509KeyUsage ¶
ReadableX509KeyUsage convert x509 certificate key usages to readable strings
func SecureCipherSuites ¶
func SecureCipherSuites(filter func(*tls.CipherSuite) bool) []uint16
SecureCipherSuites get golang built-in cipher suites without known insecure suites
func SignByECDSAWithSHA256 ¶
SignByECDSAWithSHA256 generate signature by ecdsa private key use sha256
Example ¶
priKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { log.Shared.Panic("generate key", zap.Error(err)) } priKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { log.Shared.Panic("generate key", zap.Error(err)) } // case: correct key cnt := []byte("fjijf23lijfl23ijrl32jra9pfie9wpfi") r, s, err := SignByECDSAWithSHA256(priKey, cnt) if err != nil { log.Shared.Panic("sign", zap.Error(err)) } if !VerifyByECDSAWithSHA256(&priKey.PublicKey, cnt, r, s) { log.Shared.Panic("verify failed") } // generate string encoded := EncodeES256SignByBase64(r, s) if _, _, err = DecodeES256SignByBase64(encoded); err != nil { log.Shared.Panic("encode and decode", zap.Error(err)) } // case: incorrect cnt cnt = []byte("fjijf23lijfl23ijrl32jra9pfie9wpfi") r, s, err = SignByECDSAWithSHA256(priKey, cnt) if err != nil { log.Shared.Panic("sign", zap.Error(err)) } if VerifyByECDSAWithSHA256(&priKey.PublicKey, append(cnt, '2'), r, s) { log.Shared.Panic("should not verify") } // case: incorrect key r, s, err = SignByECDSAWithSHA256(priKey2, cnt) if err != nil { log.Shared.Panic("sign", zap.Error(err)) } if VerifyByECDSAWithSHA256(&priKey.PublicKey, cnt, r, s) { log.Shared.Panic("should not verify") }
Output:
func SignByECDSAWithSHA256AndBase64 ¶
func SignByECDSAWithSHA256AndBase64(priKey *ecdsa.PrivateKey, content []byte) (signature string, err error)
SignByECDSAWithSHA256AndBase64 generate signature by ecdsa private key use sha256
func SignByRSAWithSHA256 ¶
func SignByRSAWithSHA256(priKey *rsa.PrivateKey, content []byte) ([]byte, error)
SignByRSAWithSHA256 generate signature by rsa private key use sha256
func SignReaderByECDSAWithSHA256 ¶
func SignReaderByECDSAWithSHA256(priKey *ecdsa.PrivateKey, reader io.Reader) (r, s *big.Int, err error)
SignReaderByECDSAWithSHA256 generate signature by ecdsa private key use sha256
func SignReaderByRSAWithSHA256 ¶
SignReaderByRSAWithSHA256 generate signature by rsa private key use sha256
func ValidatePasswordHash
deprecated
func VerifyByECDSAWithSHA256 ¶
VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256
func VerifyByECDSAWithSHA256AndBase64 ¶
func VerifyByECDSAWithSHA256AndBase64(pubKey *ecdsa.PublicKey, content []byte, signature string) (bool, error)
VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256
func VerifyByRSAWithSHA256 ¶
VerifyByRSAWithSHA256 verify signature by rsa public key use sha256
func VerifyCRL ¶
func VerifyCRL(ca *x509.Certificate, crl *x509.RevocationList) error
VerifyCRL verify crl by ca
func VerifyCertByPrikey ¶
VerifyCertByPrikey verify cert by prikey
func VerifyHashedPassword ¶ added in v4.1.0
VerifyHashedPassword verify HashedPassword
func VerifyReaderByECDSAWithSHA256 ¶
func VerifyReaderByECDSAWithSHA256(pubKey *ecdsa.PublicKey, reader io.Reader, r, s *big.Int) (bool, error)
VerifyReaderByECDSAWithSHA256 verify signature by ecdsa public key use sha256
func VerifyReaderByRSAWithSHA256 ¶
VerifyReaderByRSAWithSHA256 verify signature by rsa public key use sha256
func X509Cert2OpensslConf ¶ added in v4.7.0
func X509Cert2OpensslConf(cert *x509.Certificate) (opensslConf []byte)
X509Cert2OpensslConf marshal x509
func X509CertSubjectKeyID ¶
X509CertSubjectKeyID generate subject key id for pubkey
if x509 certificate template is a CA, subject key id will generated by golang automatelly
func X509Csr2OpensslConf ¶ added in v4.7.0
func X509Csr2OpensslConf(csr *x509.CertificateRequest) (opensslConf []byte)
X509Csr2OpensslConf marshal x509 csr to openssl conf
Returns ¶
[ req ] distinguished_name = req_distinguished_name prompt = no string_mask = utf8only [ req_distinguished_name ] commonName = Intermedia CA countryName = CN stateOrProvinceName = Shanghai localityName = Shanghai organizationName = BBT organizationalUnitName = XSS
func X509CsrOption2Template ¶ added in v4.7.0
func X509CsrOption2Template(opts ...X509CSROption) (tpl *x509.CertificateRequest, err error)
X509CsrOption2Template convert X509CSROption to x509.CertificateRequest
Types ¶
type AESEncryptFilesInDirOption ¶
type AESEncryptFilesInDirOption func(*encryptFilesOption) error
AESEncryptFilesInDirOption options to encrypt files in dir
func WithAESFilesInDirFileExt ¶
func WithAESFilesInDirFileExt(ext string) AESEncryptFilesInDirOption
WithAESFilesInDirFileExt only encrypt files with specific ext
func WithAESFilesInDirFileSuffix ¶
func WithAESFilesInDirFileSuffix(suffix string) AESEncryptFilesInDirOption
WithAESFilesInDirFileSuffix will append to encrypted's filename as suffix
xxx.toml -> xxx.toml.enc
type AesReaderWrapper ¶
type AesReaderWrapper struct {
// contains filtered or unexported fields
}
AesReaderWrapper used to decrypt encrypted reader
func NewAesReaderWrapper ¶
func NewAesReaderWrapper(in io.Reader, key []byte) (*AesReaderWrapper, error)
NewAesReaderWrapper wrap reader by aes
type DHKX ¶
type DHKX struct {
// contains filtered or unexported fields
}
Diffie Hellman Key-exchange algorithm
https://pkg.go.dev/github.com/monnand/dhkx
Example ¶
alice, _ := NewDHKX() bob, _ := NewDHKX() alicePub := alice.PublicKey() bobPub := bob.PublicKey() aliceKey, _ := alice.GenerateKey(bobPub) bobKey, _ := bob.GenerateKey(alicePub) aliceKey == bobKey
Note: recommoend to use ECDH instead of DHKX
Example ¶
alice, _ := NewDHKX() bob, _ := NewDHKX() alicePub, _ := alice.PublicKey() bobPub, _ := bob.PublicKey() aliceKey, _ := alice.GenerateKey(bobPub) bobKey, _ := bob.GenerateKey(alicePub) fmt.Println(reflect.DeepEqual(aliceKey, bobKey))
Output: true
func NewDHKX ¶
func NewDHKX(optfs ...DHKXOptionFunc) (d *DHKX, err error)
NewDHKX create a new DHKX instance
each DHKX instance has it's unique group and private key
Note: recommoend to use ECDH instead of DHKX
func (*DHKX) GenerateKey ¶
GenerateKey generate new key by peer's public key
each side of the DHKX exchange peers will generate the same key
key like:
60a425ca3a4cc313db9c113a0526f3809725305afc68e1accd0e653ae8d0182c6eb05557f4b5d094 f015972b9fda7d60c1b64d79f50baea7365d858ede0fb7a6571403d4b95f682144b56fa17ffcbe9e 70de69dc0045672696e683c423c5b3dfc02a6916be1e50c74e60353ec08a465cc124e8ca88337fb7 4a0370e17a7cedb0b1e76733f43ad3db9e3d29ab43c75686a8bc4a88ee46addbd1590c8277d1b1ef 42aded6cc0bfe0a7ff8933861dae772c755087f2a41021f4ca53867ba49797d111ef21b381cb6441 178f4ccd3748f8e7b1a12ec3799571a49fc0aa793c05ab6e228b559f1fda2912542d7246388ccec1 38b4d8ce9df4a32c198891c4e33b5034
type DHKXOptionFunc ¶
type DHKXOptionFunc func(*dhkxOption) error
DHKXOptionFunc optional func to set dhkx option
type DefaultX509CertSerialNumGenerator ¶
type DefaultX509CertSerialNumGenerator struct {
// contains filtered or unexported fields
}
DefaultX509CertSerialNumGenerator default cert serial number generator base on epoch time and random int
func NewDefaultX509CertSerialNumGenerator ¶
func NewDefaultX509CertSerialNumGenerator() (*DefaultX509CertSerialNumGenerator, error)
NewDefaultX509CertSerialNumGenerator new DefaultX509CertSerialNumGenerator
func (*DefaultX509CertSerialNumGenerator) SerialNum ¶
func (g *DefaultX509CertSerialNumGenerator) SerialNum() int64
SerialNum get randon serial number
type ECDH ¶ added in v4.7.0
type ECDH struct {
// contains filtered or unexported fields
}
ECDH Elliptic Curve Diffie-Hellman
func NewEcdh ¶ added in v4.7.0
func NewEcdh(curve ECDSACurve) (ins *ECDH, err error)
NewEcdh create a new ECDH instance
Example ¶
alice, _ := NewEcdh(ECDSACurveP256) bob, _ := NewEcdh(ECDSACurveP256) alicePub, _ := alice.PublicKey() bobPub, _ := bob.PublicKey() aliceKey, _ := alice.GenerateKey(bobPub) bobKey, _ := bob.GenerateKey(alicePub) fmt.Println(reflect.DeepEqual(aliceKey, bobKey))
Output: true
func (*ECDH) GenerateKey ¶ added in v4.7.0
GenerateKey generate new key by peer's public key
type ECDSACurve ¶
type ECDSACurve string
ECDSACurve algorithms
const ( // ECDSACurveP256 ecdsa with P256 ECDSACurveP256 ECDSACurve = "P256" // ECDSACurveP384 ecdsa with P384 ECDSACurveP384 ECDSACurve = "P384" // ECDSACurveP521 ecdsa with P521 ECDSACurveP521 ECDSACurve = "P521" )
type HashedPassword ¶ added in v4.1.0
type HashedPassword struct {
// contains filtered or unexported fields
}
HashedPassword salt hashed password
generate by PasswordHash, verify by VerifyHashedPassword
func (HashedPassword) String ¶ added in v4.1.0
func (p HashedPassword) String() string
String convert to string
can verify by VerifyHashedPassword
type KeyExchange ¶ added in v4.7.0
type KeyExchange interface { // PublicKey return public key bytes // // send public key to peer, and get peer's public key // every side of the exchange peers will generate the same key PublicKey() ([]byte, error) // GenerateKey generate new key by peer's public key GenerateKey(peerPubKey []byte) ([]byte, error) }
KeyExchange key agreement interface
type OTPAlgorithm ¶
type OTPAlgorithm string
OTPAlgorithm hash algorithm for otp
const ( // OTPAlgorithmSHA1 sha1 OTPAlgorithmSHA1 OTPAlgorithm = "sha1" )
type OTPArgs ¶
type OTPArgs struct { // OtpType (readonly) otp type, must in totp/hotp OtpType OTPType // Base32Secret (required) the hotp/totp secret used to generate the URI // // genrate Base32Secret: // // Base32Secret([]byte("xxxxxx")) Base32Secret string // AccountName (optional) name of the account AccountName string // Authenticator (optional) the name of the OTP issuer; // this will be the organization title of the OTP entry in Authenticator IssuerName string // Algorithm (optional) the algorithm used in the OTP generation // // default to sha1 Algorithm OTPAlgorithm // InitialCount (optional) starting counter value. Only works for hotp InitialCount int // Digits (optional) the length of the OTP generated code. // // default to 6 Digits uint // PeriodSecs (optional) the number of seconds the OTP // generator is set to expire every code. // // default to 30 PeriodSecs uint }
OTPArgs arguments for OTP
func ParseOTPUri ¶
ParseOTPUri parse otp uri to otp arguments
Args ¶
- uri: like `otpauth://totp/issuerName:demoAccountName?secret=4S62BZNFXXSZLCRO&issuer=issuerName`
type RSAPrikeyBits ¶
type RSAPrikeyBits int
RSAPrikeyBits width of rsa private key
const ( // RSAPrikeyBits2048 rsa private key with 2048 bits RSAPrikeyBits2048 RSAPrikeyBits = 2048 // RSAPrikeyBits3072 rsa private key with 3072 bits RSAPrikeyBits3072 RSAPrikeyBits = 3072 // RSAPrikeyBits4096 rsa private key with 4096 bits RSAPrikeyBits4096 RSAPrikeyBits = 4096 )
type SignCSROption ¶
type SignCSROption func(*signCSROption) error
SignCSROption options for create certificate from CRL
func WithX509CaMaxPathLen ¶ added in v4.7.0
func WithX509CaMaxPathLen(maxPathLen int) SignCSROption
WithX509CaMaxPathLen set max path length
only CAs are allowed to specify MaxPathLen
func WithX509SerialNumGenerator ¶
func WithX509SerialNumGenerator(gen X509CertSerialNumberGenerator) SignCSROption
WithX509SerialNumGenerator set serial number generator
func WithX509SignCSRCRLs ¶
func WithX509SignCSRCRLs(crlEndpoint ...string) SignCSROption
WithX509SignCSRCRLs add crl endpoints
func WithX509SignCSRExtKeyUsage ¶
func WithX509SignCSRExtKeyUsage(usage ...x509.ExtKeyUsage) SignCSROption
WithX509SignCSRExtKeyUsage add ext key usage
func WithX509SignCSRExtenstions
deprecated
added in
v4.3.0
func WithX509SignCSRExtenstions(_ ...pkix.Extension) SignCSROption
WithX509SignCSRExtenstions set certificate extensions
Extensions contains all requested extensions, in raw form. When parsing CSRs, this can be used to extract extensions that are not parsed by this package.
Deprecated: this field is ignored by golang built-in x509 library, use WithX509SignCSRExtraExtenstions instead if you want to set extensions.
func WithX509SignCSRExtraExtenstions ¶ added in v4.3.0
func WithX509SignCSRExtraExtenstions(exts ...pkix.Extension) SignCSROption
WithX509SignCSRExtraExtenstions set certificate extra extensions
ExtraExtensions contains extensions to be copied, raw, into any CSR marshaled by CreateCertificateRequest. Values override any extensions that would otherwise be produced based on the other fields but are overridden by any extensions specified in Attributes.
The ExtraExtensions field is not populated by ParseCertificateRequest, see Extensions instead.
func WithX509SignCSRIsCRLCA ¶
func WithX509SignCSRIsCRLCA() SignCSROption
WithX509SignCSRIsCRLCA set is ca to sign CRL
func WithX509SignCSRKeyUsage ¶
func WithX509SignCSRKeyUsage(usage ...x509.KeyUsage) SignCSROption
WithX509SignCSRKeyUsage add key usage
func WithX509SignCSRNotAfter ¶ added in v4.2.0
func WithX509SignCSRNotAfter(notAfter time.Time) SignCSROption
WithX509SignCSRNotAfter set valid for duration
func WithX509SignCSRNotBefore ¶ added in v4.2.0
func WithX509SignCSRNotBefore(notBefore time.Time) SignCSROption
WithX509SignCSRNotBefore set valid from
func WithX509SignCSROCSPServers ¶
func WithX509SignCSROCSPServers(ocsp ...string) SignCSROption
WithX509SignCSROCSPServers set ocsp servers
func WithX509SignCSRPolicies ¶
func WithX509SignCSRPolicies(policies ...asn1.ObjectIdentifier) SignCSROption
WithX509SignCSRPolicies set certificate policies
func WithX509SignCSRSeriaNumber ¶
func WithX509SignCSRSeriaNumber(serialNumber *big.Int) SignCSROption
WithX509SignCSRSeriaNumber set certificate/CRL's serial number
refer to RFC-5280 5.2.3 &
Args ¶
seriaNumber:
- (optional): generate certificate
- (required): generate CRL
func WithX509SignCSRValidFor ¶
func WithX509SignCSRValidFor(validFor time.Duration) SignCSROption
WithX509SignCSRValidFor set valid for duration
deprecated: use WithX509SignCSRNotAfter instead
func WithX509SignCSRValidFrom ¶
func WithX509SignCSRValidFrom(validFrom time.Time) SignCSROption
WithX509SignCSRValidFrom set valid from
deprecated: use WithX509SignCSRNotBefore instead
func WithX509SignPublicKeyAlgorithm
deprecated
added in
v4.5.0
func WithX509SignPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) SignCSROption
WithX509SignPublicKeyAlgorithm set public key algorithm
Deprecated: this field is ignored by golang built-in x509 library
func WithX509SignSignatureAlgorithm ¶ added in v4.5.0
func WithX509SignSignatureAlgorithm(algo x509.SignatureAlgorithm) SignCSROption
WithX509SignSignatureAlgorithm set signature algorithm
type TOTP ¶
type TOTP struct {
// contains filtered or unexported fields
}
TOTP time-based OTP
type TOTPInterface ¶
type TOTPInterface interface { // Key generate key by totp Key() string // KeyAt generate key by totp at arbitraty time KeyAt(at time.Time) string // URI build uri for otp arguments URI() string }
TOTPInterface interface for TOTP
type Tongsuo ¶ added in v4.7.0
type Tongsuo struct {
// contains filtered or unexported fields
}
Tongsuo is a wrapper of tongsuo executable binary
https://github.com/Tongsuo-Project/Tongsuo
func NewTongsuo ¶ added in v4.7.0
NewTongsuo new tongsuo wrapper
#Args
- exePath: path of tongsuo executable binary
func (*Tongsuo) NewPrikeyAndCert ¶ added in v4.7.0
func (t *Tongsuo) NewPrikeyAndCert(ctx context.Context, opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
NewPrikeyAndCert generate new private key and root ca
func (*Tongsuo) NewX509CSR ¶ added in v4.7.0
func (t *Tongsuo) NewX509CSR(ctx context.Context, prikeyPem []byte, opts ...X509CSROption) (csrDer []byte, err error)
NewX509CSR generate new x509 csr
func (*Tongsuo) NewX509CertByCSR ¶ added in v4.7.0
func (t *Tongsuo) NewX509CertByCSR(ctx context.Context, parentCertDer []byte, parentPrikeyPem []byte, csrDer []byte, opts ...SignCSROption) (certDer []byte, err error)
NewX509CertByCSR generate new x509 cert by csr
func (*Tongsuo) ShowCertInfo ¶ added in v4.7.0
ShowCertInfo show cert info
type X509CRLOption ¶
type X509CRLOption func(*x509CRLOption) error
X509CRLOption options for create x509 CRL
func WithX509CRLNextUpdate ¶ added in v4.5.1
func WithX509CRLNextUpdate(nextUpdate time.Time) X509CRLOption
WithX509CRLNextUpdate set next update
default to 30 days later
func WithX509CRLSignatureAlgorithm ¶ added in v4.5.1
func WithX509CRLSignatureAlgorithm(algo x509.SignatureAlgorithm) X509CRLOption
WithX509CRLSignatureAlgorithm set signature algorithm
default to auto choose algorithm depends on certificate's algorithm
func WithX509CRLThisUpdate ¶ added in v4.5.1
func WithX509CRLThisUpdate(thisUpdate time.Time) X509CRLOption
WithX509CRLThisUpdate set this update
default to now
type X509CSROption ¶
type X509CSROption func(*x509CSROption) error
X509CSROption option to generate tls certificate
func WithX509CSRAttribute
deprecated
added in
v4.3.0
func WithX509CSRAttribute(attr pkix.AttributeTypeAndValueSET) X509CSROption
WithX509CSRAttribute set attribute
Deprecated: Use Extensions and ExtraExtensions instead for parsing and generating the requestedExtensions attribute.
func WithX509CSRCommonName ¶
func WithX509CSRCommonName(commonName string) X509CSROption
WithX509CSRCommonName set common name
func WithX509CSRCountry ¶
func WithX509CSRCountry(values ...string) X509CSROption
WithX509CSRCountry set subject countries
func WithX509CSRDNSNames ¶
func WithX509CSRDNSNames(dnsNames ...string) X509CSROption
WithX509CSRDNSNames set dns sans
func WithX509CSREmailAddrs ¶
func WithX509CSREmailAddrs(emailAddresses ...string) X509CSROption
WithX509CSREmailAddrs set email sans
func WithX509CSRExtension
deprecated
added in
v4.3.0
func WithX509CSRExtension(_ pkix.Extension) X509CSROption
WithX509CSRExtension set extension
Extensions contains raw X.509 extensions. When parsing certificates, this can be used to extract non-critical extensions that are not parsed by this package. When marshaling certificates, the Extensions field is ignored, see ExtraExtensions.
Deprecated: this field is ignored by golang's built-in x509 library, use ExtraExtensions instead if you want to add custom extensions.
func WithX509CSRExtraExtension ¶ added in v4.3.0
func WithX509CSRExtraExtension(ext pkix.Extension) X509CSROption
WithX509CSRExtraExtension set extra extension
ExtraExtensions contains extensions to be copied, raw, into any marshaled certificates. Values override any extensions that would otherwise be produced based on the other fields. The ExtraExtensions field is not populated when parsing certificates, see Extensions.
func WithX509CSRIPAddrs ¶
func WithX509CSRIPAddrs(ipAddresses ...net.IP) X509CSROption
WithX509CSRIPAddrs set ip sans
func WithX509CSRLocality ¶
func WithX509CSRLocality(l ...string) X509CSROption
WithX509CSRLocality set subject localities
func WithX509CSROrganization ¶
func WithX509CSROrganization(organization ...string) X509CSROption
WithX509CSROrganization set organization
func WithX509CSROrganizationUnit ¶
func WithX509CSROrganizationUnit(ou ...string) X509CSROption
WithX509CSROrganizationUnit set organization units
func WithX509CSRPostalCode ¶
func WithX509CSRPostalCode(codes ...string) X509CSROption
WithX509CSRPostalCode set subjuect postal codes
func WithX509CSRProvince ¶
func WithX509CSRProvince(values ...string) X509CSROption
WithX509CSRProvince set subject provinces
func WithX509CSRPublicKeyAlgorithm
deprecated
func WithX509CSRPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CSROption
WithX509CSRPublicKeyAlgorithm set signature algorithm
Deprecated: this field is ignored by golang's built-in x509 library
func WithX509CSRSANS ¶
func WithX509CSRSANS(sans ...string) X509CSROption
WithX509CertSANS set certificate SANs
refer to RFC-5280 4.2.1.6
auto WithX509CSRSANS to ip/email/url/dns
func WithX509CSRSignatureAlgorithm ¶
func WithX509CSRSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CSROption
WithX509CSRSignatureAlgorithm set signature algorithm
func WithX509CSRStreetAddrs ¶
func WithX509CSRStreetAddrs(addrs ...string) X509CSROption
WithX509CSRStreetAddrs set subjuect street addresses
func WithX509CSRSubject ¶
func WithX509CSRSubject(subject pkix.Name) X509CSROption
WithX509CSRSubject set subject name
func WithX509CSRURIs ¶
func WithX509CSRURIs(uris ...*url.URL) X509CSROption
WithX509CSRURIs set uri sans
type X509CertOption ¶
type X509CertOption func(*x509V3CertOption) error
X509CertOption option to generate tls certificate
func WithX509CertCRLs ¶
func WithX509CertCRLs(crlEndpoint ...string) X509CertOption
WithX509CertCRLs add crl endpoints
func WithX509CertCaMaxPathLen ¶ added in v4.7.0
func WithX509CertCaMaxPathLen(maxPathLen int) X509CertOption
WithX509CertCaMaxPathLen set max path length
func WithX509CertCommonName ¶
func WithX509CertCommonName(commonName string) X509CertOption
WithX509CertCommonName set common name
func WithX509CertCountry ¶
func WithX509CertCountry(values ...string) X509CertOption
WithX509CertCountry set subject countries
func WithX509CertDNSNames ¶
func WithX509CertDNSNames(dnsNames ...string) X509CertOption
WithX509CertDNSNames set dns sans
func WithX509CertEmailAddrs ¶
func WithX509CertEmailAddrs(emailAddresses ...string) X509CertOption
WithX509CertEmailAddrs set email sans
func WithX509CertExtKeyUsage ¶
func WithX509CertExtKeyUsage(usage ...x509.ExtKeyUsage) X509CertOption
WithX509CertExtKeyUsage add ext key usage
func WithX509CertExtentions
deprecated
added in
v4.3.0
func WithX509CertExtentions(_ ...pkix.Extension) X509CertOption
WithX509CertExtentions set extensions
Deprecated: this field is ignored in x509 v3 certificate, use WithX509CertExtraExtensions instead if you want to set extensions.
func WithX509CertExtraExtensions ¶ added in v4.3.0
func WithX509CertExtraExtensions(exts ...pkix.Extension) X509CertOption
WithX509CertExtraExtensions set extra extensions
func WithX509CertIPAddrs ¶
func WithX509CertIPAddrs(ipAddresses ...net.IP) X509CertOption
WithX509CertIPAddrs set ip sans
func WithX509CertIsCRLCA ¶
func WithX509CertIsCRLCA() X509CertOption
WithX509CertIsCRLCA set is ca to sign CRL
func WithX509CertKeyUsage ¶
func WithX509CertKeyUsage(usage ...x509.KeyUsage) X509CertOption
WithX509CertKeyUsage add key usage
func WithX509CertLocality ¶
func WithX509CertLocality(l ...string) X509CertOption
WithX509CertLocality set subject localities
func WithX509CertNotAfter ¶ added in v4.2.0
func WithX509CertNotAfter(notAfter time.Time) X509CertOption
WithX509CertNotAfter set not after
default to 30 days later
func WithX509CertNotBefore ¶ added in v4.2.0
func WithX509CertNotBefore(notBefore time.Time) X509CertOption
WithX509CertNotBefore set not before
func WithX509CertOCSPServers ¶
func WithX509CertOCSPServers(ocsp ...string) X509CertOption
WithX509CertOCSPServers set ocsp servers
func WithX509CertOrganization ¶
func WithX509CertOrganization(organization ...string) X509CertOption
WithX509CertOrganization set organization
func WithX509CertOrganizationUnit ¶
func WithX509CertOrganizationUnit(ou ...string) X509CertOption
WithX509CertOrganizationUnit set organization unit
func WithX509CertParent ¶
func WithX509CertParent(parent *x509.Certificate) X509CertOption
WithX509CertParent set issuer
func WithX509CertPolicies ¶
func WithX509CertPolicies(policies ...asn1.ObjectIdentifier) X509CertOption
WithX509CertPolicies set certificate policies
func WithX509CertPostalCode ¶
func WithX509CertPostalCode(codes ...string) X509CertOption
WithX509CertPostalCode set subjuect postal codes
func WithX509CertProvince ¶
func WithX509CertProvince(values ...string) X509CertOption
WithX509CertProvince set subject provinces
func WithX509CertPubkey ¶
func WithX509CertPubkey(pubkey crypto.PublicKey) X509CertOption
WithX509CertPubkey set new certs' pubkey
func WithX509CertPublicKeyAlgorithm
deprecated
func WithX509CertPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CertOption
WithX509CertPublicKeyAlgorithm set signature algorithm
Deprecated: this field is ignored in x509 v3 certificate
func WithX509CertSANS ¶
func WithX509CertSANS(sans ...string) X509CertOption
WithX509CertSANS set certificate SANs
refer to RFC-5280 4.2.1.6
auto parse to ip/email/url/dns
func WithX509CertSeriaNumber ¶
func WithX509CertSeriaNumber(serialNumber *big.Int) X509CertOption
WithX509CertSeriaNumber set certificate/CRL's serial number
refer to RFC-5280 5.2.3 &
Args ¶
seriaNumber:
- (optional): generate certificate
- (required): generate CRL
func WithX509CertSerialNumGenerator ¶
func WithX509CertSerialNumGenerator(gen X509CertSerialNumberGenerator) X509CertOption
WithX509CertSerialNumGenerator set serial number generator
func WithX509CertSignatureAlgorithm ¶
func WithX509CertSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CertOption
WithX509CertSignatureAlgorithm set signature algorithm
func WithX509CertStreetAddrs ¶
func WithX509CertStreetAddrs(addrs ...string) X509CertOption
WithX509CertStreetAddrs set subjuect street addresses
func WithX509CertURIs ¶
func WithX509CertURIs(uris ...*url.URL) X509CertOption
WithX509CertURIs set uri sans
func WithX509CertValidFor ¶
func WithX509CertValidFor(validFor time.Duration) X509CertOption
WithX509CertValidFor set valid for duration
deprecated: use WithX509CertNotAfter instead
func WithX509CertValidFrom ¶
func WithX509CertValidFrom(validFrom time.Time) X509CertOption
WithX509CertValidFrom set valid from
deprecated: use WithX509CertNotBefore instead
func WithX509Subject ¶
func WithX509Subject(subject pkix.Name) X509CertOption
WithX509Subject set subject name
type X509CertSerialNumberGenerator ¶
type X509CertSerialNumberGenerator interface {
SerialNum() int64
}
X509CertSerialNumberGenerator x509 certificate serial number generator
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package kms provides a simple kms interface.
|
Package kms provides a simple kms interface. |
mem
Package mem is a multi-key KMS in pure memory
|
Package mem is a multi-key KMS in pure memory |
package Threshold cryptosystem
|
package Threshold cryptosystem |
shamir
Package shamir is Shamir’s Secret Sharing is a method for dividing a secret into multiple parts and distributing those parts among different participants.
|
Package shamir is Shamir’s Secret Sharing is a method for dividing a secret into multiple parts and distributing those parts among different participants. |
signature
Package signature provides an implementation of threshold signatures.
|
Package signature provides an implementation of threshold signatures. |