Documentation ¶
Overview ¶
Package crypto is a collection of cryptographic algorithms and protocols, providing hash functions, block and stream ciphers, public key cryptography and authentication. It also includes a cryptographically secure pseudo-random number generator.
x.509
This package provides many useful functions for x.509 certificate. you can build a PKI system with this package. including parsing and verification. it can be used to parse x.509 certificates, create x.509 certificate chains, verify x.509 certificate chains, and parse x.509 certificate revocation lists.
Index ¶
- Constants
- Variables
- func AEADDecrypt(key, ciphertext, additionalData []byte) (plaintext []byte, err error)
- func AEADDecryptBasic(key, ciphertext, iv, tag, additionalData []byte) (plaintext []byte, err error)
- func AEADEncrypt(key, plaintext, additionalData []byte) (ciphertext []byte, err error)
- func AEADEncryptBasic(key, plaintext, iv, additionalData []byte) (ciphertext, tag []byte, err error)
- func AESEncryptFilesInDir(dir string, secret []byte, opts ...AESEncryptFilesInDirOption) (err error)
- func AesDecrypt(secret []byte, encrypted []byte) ([]byte, error)deprecated
- func AesEncrypt(secret []byte, cnt []byte) ([]byte, error)deprecated
- func Base32Secret(key []byte) string
- func CRL2Der(crl *x509.RevocationList) []byte
- func CRL2Pem(crl *x509.RevocationList) []byte
- func CRLDer2Pem(crlDer []byte) []byte
- func CRLPem2Der(crlPem []byte) ([]byte, error)
- func CSR2Der(csr *x509.CertificateRequest) []byte
- func CSRDer2Pem(CSRInDer []byte) (CSRInPem []byte)
- func Cert2Der(cert ...*x509.Certificate) (ret []byte)
- func Cert2Pem(certs ...*x509.Certificate) (ret []byte)
- func CertDer2Pem(certInDer []byte) (certInPem []byte)
- func DecodeES256SignByBase64(sign string) (r, s *big.Int, err error)
- func DecodeES256SignByHex(sign string) (r, s *big.Int, err error)
- func Der2CRL(crlDer []byte) (*x509.RevocationList, error)
- func Der2CSR(csrDer []byte) (*x509.CertificateRequest, error)
- func Der2Cert(certInDer []byte) (*x509.Certificate, error)
- func Der2Certs(certInDer []byte) ([]*x509.Certificate, error)
- func Der2Prikey(prikeyDer []byte) (crypto.PrivateKey, error)
- func Der2Pubkey(pubkeyDer []byte) (crypto.PublicKey, error)
- func DeriveKeyByHKDF(rawKey, salt []byte, newKeyLength int) (newKey []byte, err error)
- func DeriveKeyBySMHF(rawKey, salt []byte) (newKey []byte, err error)
- func EncodeES256SignByBase64(r, s *big.Int) string
- func EncodeES256SignByHex(r, s *big.Int) string
- func FormatBig2Base64(b *big.Int) string
- func FormatBig2Hex(b *big.Int) string
- func GeneratePasswordHash(password []byte) ([]byte, error)deprecated
- func HKDFWithSHA256(secret, salt, info []byte, results [][]byte) error
- func HMACSha256(key []byte, data io.Reader) ([]byte, error)
- func MatchPrefix() func(o *oidContainsOption) error
- func NewECDSAPrikey(curve ECDSACurve) (*ecdsa.PrivateKey, error)
- func NewECDSAPrikeyAndCert(curve ECDSACurve, opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
- func NewEd25519Prikey() (ed25519.PrivateKey, error)
- func NewEd25519PrikeyAndCert(opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
- func NewRSAPrikey(bits RSAPrikeyBits) (*rsa.PrivateKey, error)
- func NewRSAPrikeyAndCert(rsaBits RSAPrikeyBits, opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
- func NewX509CRL(ca *x509.Certificate, prikey crypto.PrivateKey, seriaNumber *big.Int, ...) (crlDer []byte, err error)
- func NewX509CSR(prikey crypto.PrivateKey, opts ...X509CSROption) (csrDer []byte, err error)
- func NewX509Cert(prikey crypto.PrivateKey, opts ...X509CertOption) (certDer []byte, err error)
- func NewX509CertByCSR(parent *x509.Certificate, prikey crypto.PrivateKey, csrDer []byte, ...) (certDer []byte, err error)
- func OIDContains(oids []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier, ...) bool
- func OidAsn2X509(oid asn1.ObjectIdentifier) (x509.OID, error)
- func OidFromString(val string) (x509Oid x509.OID, err error)
- func ParseBase642Big(raw string) (*big.Int, error)
- func ParseHex2Big(hex string) (b *big.Int, ok bool)
- func PasswordHash(password []byte, hasher gutils.HashType) (hashedPassword string, err error)
- func Pem2CRL(crlPem []byte) (*x509.RevocationList, error)
- func Pem2CSR(csrInPem []byte) (*x509.CertificateRequest, error)
- func Pem2Cert(certInPem []byte) (*x509.Certificate, error)
- func Pem2Certs(certInPem []byte) ([]*x509.Certificate, error)
- func Pem2Der(pemBytes []byte) (derBytes []byte, err error)
- func Pem2Ders(pemBytes []byte) (dersBytes [][]byte, err error)
- func Pem2Prikey(x509v8Pem []byte) (crypto.PrivateKey, error)
- func Pem2Pubkey(pubkeyPem []byte) (crypto.PublicKey, error)
- func Prikey2Der(key crypto.PrivateKey) ([]byte, error)
- func Prikey2Pem(key crypto.PrivateKey) ([]byte, error)
- func Prikey2Pubkey(prikey crypto.PrivateKey) (pubkey crypto.PublicKey)
- func PrikeyDer2Pem(prikeyInDer []byte) (prikeyInPem []byte)
- func Privkey2Signer(privkey crypto.PrivateKey) crypto.Signer
- func Pubkey2Der(key crypto.PublicKey) ([]byte, error)
- func Pubkey2Pem(key crypto.PublicKey) ([]byte, error)
- func PubkeyDer2Pem(pubkeyInDer []byte) (prikeyInPem []byte)
- func RSADecryptByOAEP(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)
- func RSADecryptByPKCS1v15(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)
- func RSADer2Prikey(x509v1Der []byte) (*rsa.PrivateKey, error)
- func RSAEncryptByOAEP(pubkey *rsa.PublicKey, plain []byte) (cipher []byte, err error)
- func RSAEncryptByPKCS1v15(pubkey *rsa.PublicKey, plain []byte) (cipher []byte, err error)
- func RSAPem2Prikey(x509v1Pem []byte) (*rsa.PrivateKey, error)
- func ReadableOIDs(oids []asn1.ObjectIdentifier) (names []string)
- func ReadablePkixName(name pkix.Name) map[string]any
- func ReadableX509CSR(csr *x509.CertificateRequest) (map[string]any, error)
- func ReadableX509Cert(cert *x509.Certificate) (map[string]any, error)
- func ReadableX509ExtKeyUsage(usages []x509.ExtKeyUsage) (usageNames []string)
- func ReadableX509Extention(ext *pkix.Extension) (map[string]any, error)
- func ReadableX509KeyUsage(usage x509.KeyUsage) (usageNames []string)
- func Salt(length int) ([]byte, error)
- func SecureCipherSuites(filter func(*tls.CipherSuite) bool) []uint16
- func SignByECDSAWithSHA256(prikey *ecdsa.PrivateKey, content []byte) (r, s *big.Int, err error)
- func SignByECDSAWithSHA256AndBase64(prikey *ecdsa.PrivateKey, content []byte) (signature string, err error)
- func SignByEd25519WithSHA512(prikey ed25519.PrivateKey, reader io.Reader) ([]byte, error)
- func SignByRSAPKCS1v15WithSHA256(prikey *rsa.PrivateKey, content []byte) ([]byte, error)
- func SignByRSAPSSWithSHA256(prikey *rsa.PrivateKey, content []byte) ([]byte, error)
- func SignBySchnorrSha256(suite dediskey.Suite, prikey kyber.Scalar, reader io.Reader) ([]byte, error)
- func SignReaderByECDSAWithSHA256(prikey *ecdsa.PrivateKey, reader io.Reader) (r, s *big.Int, err error)
- func SignReaderByEd25519WithSHA256(prikey ed25519.PrivateKey, reader io.Reader) (sig []byte, err error)
- func SignReaderByRSAWithSHA256(prikey *rsa.PrivateKey, reader io.Reader) (sig []byte, err error)
- func SplitCertsPemChain(pemChain string) (pems []string)
- func ValidatePasswordHash(hashedPassword, password []byte) booldeprecated
- func VerifyByECDSAWithSHA256(pubKey *ecdsa.PublicKey, content []byte, r, s *big.Int) bool
- func VerifyByECDSAWithSHA256AndBase64(pubKey *ecdsa.PublicKey, content []byte, signature string) (bool, error)
- func VerifyByEd25519WithSHA512(pubKey ed25519.PublicKey, reader io.Reader, sig []byte) error
- func VerifyByRSAPKCS1v15WithSHA256(pubKey *rsa.PublicKey, content []byte, sig []byte) error
- func VerifyByRSAPSSWithSHA256(pubKey *rsa.PublicKey, content []byte, sig []byte) error
- func VerifyBySchnorrSha256(suite dediskey.Suite, pubkey kyber.Point, reader io.Reader, sig []byte) error
- func VerifyCRL(ca *x509.Certificate, crl *x509.RevocationList) error
- func VerifyCertByPrikey(certPem []byte, prikeyPem []byte) error
- func VerifyHashedPassword(rawpassword []byte, hashedPassword string) (err error)
- func VerifyReaderByECDSAWithSHA256(pubKey *ecdsa.PublicKey, reader io.Reader, r, s *big.Int) (bool, error)
- func VerifyReaderByEd25519WithSHA256(pubKey ed25519.PublicKey, reader io.Reader, sig []byte) error
- func VerifyReaderByRSAWithSHA256(pubKey *rsa.PublicKey, reader io.Reader, sig []byte) error
- func X509Cert2OpensslConf(cert *x509.Certificate) (opensslConf []byte)
- func X509CertSubjectKeyID(pubkey crypto.PublicKey) ([]byte, error)
- func X509CrlOptions2Tpl(opts ...X509CRLOption) (*x509.RevocationList, error)
- func X509Csr2OpensslConf(csr *x509.CertificateRequest) (opensslConf []byte)
- func X509CsrOption2Template(opts ...X509CSROption) (tpl *x509.CertificateRequest, err error)
- type AESEncryptFilesInDirOption
- type AesReaderWrapper
- type DHKX
- type DHKXOptionFunc
- type DefaultX509CertSerialNumGenerator
- type ECDH
- type ECDSACurve
- type HashedPassword
- type KeyExchange
- type OTPAlgorithm
- type OTPArgs
- type OTPType
- type OpensslCertificateOutput
- type RSAPrikeyBits
- type SignCSROption
- func WithX509CaMaxPathLen(maxPathLen int) SignCSROption
- func WithX509SerialNumGenerator(gen X509CertSerialNumberGenerator) SignCSROption
- func WithX509SignCSRCRLs(crlEndpoint ...string) SignCSROption
- func WithX509SignCSRExtKeyUsage(usage ...x509.ExtKeyUsage) SignCSROption
- func WithX509SignCSRExtenstions(_ ...pkix.Extension) SignCSROptiondeprecated
- func WithX509SignCSRExtraExtenstions(exts ...pkix.Extension) SignCSROption
- func WithX509SignCSRIsCA() SignCSROption
- func WithX509SignCSRIsCRLCA() SignCSROption
- func WithX509SignCSRKeyUsage(usage ...x509.KeyUsage) SignCSROption
- func WithX509SignCSRNotAfter(notAfter time.Time) SignCSROption
- func WithX509SignCSRNotBefore(notBefore time.Time) SignCSROption
- func WithX509SignCSROCSPServers(ocsp ...string) SignCSROption
- func WithX509SignCSRPolicies(policies ...asn1.ObjectIdentifier) SignCSROption
- func WithX509SignCSRSeriaNumber(serialNumber *big.Int) SignCSROption
- func WithX509SignCSRValidFor(validFor time.Duration) SignCSROption
- func WithX509SignCSRValidFrom(validFrom time.Time) SignCSROption
- func WithX509SignPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) SignCSROptiondeprecated
- func WithX509SignSignatureAlgorithm(algo x509.SignatureAlgorithm) SignCSROption
- type TOTP
- type TOTPInterface
- type Tongsuo
- func (t *Tongsuo) CloneX509Csr(ctx context.Context, prikeyPem []byte, originCsrDer []byte) (clonedCsrDer []byte, err error)
- func (t *Tongsuo) DecryptBySm2(ctx context.Context, prikeyPem []byte, cipher []byte) (data []byte, err error)
- func (t *Tongsuo) DecryptBySm4Cbc(ctx context.Context, key, combinedCipher []byte) (plaintext []byte, err error)
- func (t *Tongsuo) DecryptBySm4CbcBaisc(ctx context.Context, key, ciphertext, iv, hmac []byte) (plaintext []byte, err error)
- func (t *Tongsuo) EncryptBySm2(ctx context.Context, pubkeyPem []byte, data []byte) (cipher []byte, err error)
- func (t *Tongsuo) EncryptBySm4Cbc(ctx context.Context, key, plaintext []byte) (combinedCipher []byte, err error)
- func (t *Tongsuo) EncryptBySm4CbcBaisc(ctx context.Context, key, plaintext, iv []byte) (ciphertext, hmac []byte, err error)
- func (t *Tongsuo) GetPubkeyFromCertPem(ctx context.Context, certPem []byte) (pubkeyPem []byte, err error)
- func (t *Tongsuo) HashBySm3(ctx context.Context, content []byte) (hash []byte, err error)
- func (t *Tongsuo) NewPrikey(ctx context.Context) (prikeyPem []byte, err error)
- func (t *Tongsuo) NewPrikeyAndCert(ctx context.Context, opts ...X509CertOption) (prikeyPem, certDer []byte, err error)
- func (t *Tongsuo) NewPrikeyWithPassword(ctx context.Context, password string) (encryptedPrikeyPem []byte, err error)
- func (t *Tongsuo) NewX509CSR(ctx context.Context, prikeyPem []byte, opts ...X509CSROption) (csrDer []byte, err error)
- func (t *Tongsuo) NewX509Cert(ctx context.Context, prikeyPem []byte, opts ...X509CertOption) (certDer []byte, err error)
- func (t *Tongsuo) NewX509CertByCSR(ctx context.Context, parentCertDer []byte, parentPrikeyPem []byte, ...) (certDer []byte, err error)
- func (t *Tongsuo) ParseCsr2Opts(ctx context.Context, csrDer []byte) ([]X509CSROption, error)
- func (t *Tongsuo) Prikey2Pubkey(ctx context.Context, prikeyPem []byte) (pubkeyPem []byte, err error)
- func (t *Tongsuo) PrivateKey(prikeyPem []byte) (crypto.PrivateKey, error)
- func (t *Tongsuo) ShowCertInfo(ctx context.Context, certDer []byte) (certinfo string, cert *x509.Certificate, err error)
- func (t *Tongsuo) ShowCsrInfo(ctx context.Context, csrDer []byte) (output string, err error)
- func (t *Tongsuo) SignBySm2Sm3(ctx context.Context, parentPrikeyPem []byte, content []byte) (signature []byte, err error)
- func (t *Tongsuo) SignX509CRL(ctx context.Context, CrlDer []byte, PrikeyPem []byte) (signedCrlDer []byte, err error)
- func (t *Tongsuo) VerifyBySm2Sm3(ctx context.Context, pubkeyPem, signature, content []byte) error
- func (t *Tongsuo) VerifyCertsChain(ctx context.Context, leafCertPem, intermediatesPem, trustRootsPem []byte) error
- type TongsuoPriKey
- type TongsuoPubkey
- type X509CRLOption
- type X509CSROption
- func WithX509CSRAttribute(attr pkix.AttributeTypeAndValueSET) X509CSROptiondeprecated
- func WithX509CSRCommonName(commonName string) X509CSROption
- func WithX509CSRCountry(values ...string) X509CSROption
- func WithX509CSRDNSNames(dnsNames ...string) X509CSROption
- func WithX509CSREmailAddrs(emailAddresses ...string) X509CSROption
- func WithX509CSRExtension(_ pkix.Extension) X509CSROptiondeprecated
- func WithX509CSRExtraExtension(ext pkix.Extension) X509CSROption
- func WithX509CSRIPAddrs(ipAddresses ...net.IP) X509CSROption
- func WithX509CSRLocality(l ...string) X509CSROption
- func WithX509CSROrganization(organization ...string) X509CSROption
- func WithX509CSROrganizationUnit(ou ...string) X509CSROption
- func WithX509CSRPostalCode(codes ...string) X509CSROption
- func WithX509CSRProvince(values ...string) X509CSROption
- func WithX509CSRPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CSROptiondeprecated
- func WithX509CSRSANS(sans ...string) X509CSROption
- func WithX509CSRSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CSROption
- func WithX509CSRStreetAddrs(addrs ...string) X509CSROption
- func WithX509CSRSubject(subject pkix.Name) X509CSROption
- func WithX509CSRURIs(uris ...*url.URL) X509CSROption
- type X509CertOption
- func WithX509CertCRLs(crlEndpoint ...string) X509CertOption
- func WithX509CertCaMaxPathLen(maxPathLen int) X509CertOption
- func WithX509CertCommonName(commonName string) X509CertOption
- func WithX509CertCountry(values ...string) X509CertOption
- func WithX509CertDNSNames(dnsNames ...string) X509CertOption
- func WithX509CertEmailAddrs(emailAddresses ...string) X509CertOption
- func WithX509CertExtKeyUsage(usage ...x509.ExtKeyUsage) X509CertOption
- func WithX509CertExtentions(_ ...pkix.Extension) X509CertOptiondeprecated
- func WithX509CertExtraExtensions(exts ...pkix.Extension) X509CertOption
- func WithX509CertIPAddrs(ipAddresses ...net.IP) X509CertOption
- func WithX509CertIsCA() X509CertOption
- func WithX509CertIsCRLCA() X509CertOption
- func WithX509CertKeyUsage(usage ...x509.KeyUsage) X509CertOption
- func WithX509CertLocality(l ...string) X509CertOption
- func WithX509CertNotAfter(notAfter time.Time) X509CertOption
- func WithX509CertNotBefore(notBefore time.Time) X509CertOption
- func WithX509CertOCSPServers(ocsp ...string) X509CertOption
- func WithX509CertOrganization(organization ...string) X509CertOption
- func WithX509CertOrganizationUnit(ou ...string) X509CertOption
- func WithX509CertParent(parent *x509.Certificate) X509CertOption
- func WithX509CertPolicies(policies ...asn1.ObjectIdentifier) X509CertOption
- func WithX509CertPostalCode(codes ...string) X509CertOption
- func WithX509CertProvince(values ...string) X509CertOption
- func WithX509CertPubkey(pubkey crypto.PublicKey) X509CertOption
- func WithX509CertPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CertOptiondeprecated
- func WithX509CertSANS(sans ...string) X509CertOption
- func WithX509CertSeriaNumber(serialNumber *big.Int) X509CertOption
- func WithX509CertSerialNumGenerator(gen X509CertSerialNumberGenerator) X509CertOption
- func WithX509CertSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CertOption
- func WithX509CertStreetAddrs(addrs ...string) X509CertOption
- func WithX509CertURIs(uris ...*url.URL) X509CertOption
- func WithX509CertValidFor(validFor time.Duration) X509CertOption
- func WithX509CertValidFrom(validFrom time.Time) X509CertOption
- func WithX509CsrOptions(csrOpts []X509CSROption) X509CertOption
- func WithX509Subject(subject pkix.Name) X509CertOption
- type X509CertSerialNumberGenerator
Examples ¶
Constants ¶
const ( // AesGcmIvLen is the length of IV for AES GCM AesGcmIvLen = 12 // AesGcmTagLen is the length of tag for AES GCM AesGcmTagLen = 16 )
Variables ¶
var ( // RSAEncrypt encrypt by RSAEncryptByPKCS1v15, for compatibility // // Deprecated: use RSAEncryptByPKCS1v15 or RsaEncryptByOAEP instead RSAEncrypt = RSAEncryptByPKCS1v15 // RSADecrypt decrypt by RSADecryptByPKCS1v15, for compatibility // // Deprecated: use RSADecryptByPKCS1v15 or RSADecryptByOAEP instead RSADecrypt = RSADecryptByPKCS1v15 )
var ( // SignByRSAWithSHA256 sign content by rsa with sha256 // // Deprecated: use SignByRSAPKCS1v15WithSHA256 instead SignByRSAWithSHA256 = SignByRSAPKCS1v15WithSHA256 // VerifyByRSAWithSHA256 verify signature by rsa with sha256 // // Deprecated: use VerifyByRSAPKCS1v15WithSHA256 instead VerifyByRSAWithSHA256 = VerifyByRSAPKCS1v15WithSHA256 )
Functions ¶
func AEADDecrypt ¶
AEADDecrypt encrypt bytes by AES GCM
Sugar wrapper of AEADDecryptWithIV, will extract IV from ciphertext automatically.
Args: ¶
- key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
- ciphertext: encrypted content
- additionalData: additional data to encrypt
Returns: ¶
- plaintext: decrypted content
func AEADDecryptBasic ¶
func AEADDecryptBasic(key, ciphertext, iv, tag, additionalData []byte) (plaintext []byte, err error)
AEADDecryptBasic encrypt bytes by AES GCM
Args: ¶
- key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
- ciphertext: encrypted content
- iv: Initialization Vector, should be 12 bytes
- tag: authentication tag, should be 16 bytes
- additionalData: additional data to encrypt
Returns: ¶
- plaintext: decrypted content
func AEADEncrypt ¶
AEADEncrypt encrypt bytes by AES GCM
sugar wrapper of AEADEncryptWithIV, will generate random IV and append it to ciphertext as prefix.you can use AEADDecrypt to decrypt it.
Returns: ¶
- ciphertext: consists of IV, cipher and tag, `{iv}{cipher}{tag}`
func AEADEncryptBasic ¶
func AEADEncryptBasic(key, plaintext, iv, additionalData []byte) (ciphertext, tag []byte, err error)
AEADEncryptBasic encrypt bytes by AES GCM and return IV and ciphertext
Args: ¶
- key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
- plaintext: content to encrypt
- iv: Initialization Vector, should be 12 bytes
- additionalData: additional data to encrypt
Returns: ¶
- ciphertext: encrypted content without IV and tag, the length of ciphertext is same as plaintext
func AESEncryptFilesInDir ¶
func AESEncryptFilesInDir(dir string, secret []byte, opts ...AESEncryptFilesInDirOption) (err error)
AESEncryptFilesInDir encrypt files in dir
will generate new encrypted files with <suffix> after ext
xxx.toml -> xxx.toml.enc
func AesDecrypt
deprecated
func AesEncrypt
deprecated
AesEncrypt encrypt bytes by AES GCM
inspired by https://tutorialedge.net/golang/go-encrypt-decrypt-aes-tutorial/
The key argument should be the AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
Deprecated: use AEAD instead
func Base32Secret ¶
Base32Secret generate base32 encoded secret
func CSRDer2Pem ¶
CSRDer2Pem convert CSR in der to pem, tailing with line break
func Cert2Der ¶
func Cert2Der(cert ...*x509.Certificate) (ret []byte)
Cert2Der marshal private key by x509.8
func Cert2Pem ¶
func Cert2Pem(certs ...*x509.Certificate) (ret []byte)
Cert2Pem marshal x509 certificate to pem, tailing with line break
func CertDer2Pem ¶
CertDer2Pem convert certificate in der to pem, tailing with line break
func DecodeES256SignByBase64 ¶
DecodeES256SignByBase64 parse ecdsa signature string to two *big.Int
func DecodeES256SignByHex ¶
DecodeES256SignByHex parse ecdsa signature string to two *big.Int
func Der2Cert ¶
func Der2Cert(certInDer []byte) (*x509.Certificate, error)
Der2Cert parse sigle certificate in der
func Der2Certs ¶
func Der2Certs(certInDer []byte) ([]*x509.Certificate, error)
Der2Cert parse multiple certificates in der
func Der2Prikey ¶
func Der2Prikey(prikeyDer []byte) (crypto.PrivateKey, error)
Der2Prikey parse private key from der in x509 v8/v1
func Der2Pubkey ¶
Der2Pubkey parse public key from der in x509 pkcs1/pkix
func DeriveKeyByHKDF ¶
DeriveKeyByHKDF derive key by hkdf
func DeriveKeyBySMHF ¶
DeriveKeyBySMHF derive key by Stronger Key Derivation via Sequential Memory-Hard Functions
func EncodeES256SignByBase64 ¶
EncodeES256SignByBase64 format ecdsa signature to stirng
func EncodeES256SignByHex ¶
EncodeES256SignByHex format ecdsa sign to stirng
func FormatBig2Base64 ¶
FormatBig2Base64 format big to base64 string
func GeneratePasswordHash
deprecated
GeneratePasswordHash generate hashed password by origin password
Deprecated: use PasswordHash instead
Example ¶
// generate hashed password rawPassword := []byte("1234567890") hashedPassword, err := GeneratePasswordHash(rawPassword) if err != nil { log.Shared.Error("try to generate password got error", zap.Error(err)) return } fmt.Printf("got new hashed pasword: %v\n", string(hashedPassword)) // validate passowrd if !ValidatePasswordHash(hashedPassword, rawPassword) { log.Shared.Error("password invalidate", zap.Error(err)) return }
Output:
func HKDFWithSHA256 ¶
HKDFWithSHA256 derivative keys by HKDF with sha256. same key & salt will derivative same keys
Example ¶
derivative multiple keys:
results := make([][]byte, 10) for i := range results { results[i] = make([]byte, 20) } HKDFWithSHA256([]byte("your key"), nil, nil, results)
func HMACSha256 ¶
HMACSha256 calculate HMAC by sha256
The main difference between HMAC and SHA is that HMAC uses a secure key to calculate the hash, while SHA does not. this makes HMAC more secure than SHA.
Args: ¶
- key: secure key, no limit on length
- data: raw data to calculate HMAC
Returns: ¶
- hmac: HMAC result, 32 bytes
func MatchPrefix ¶
func MatchPrefix() func(o *oidContainsOption) error
MatchPrefix treat prefix inclusion as a match as well
`1.2.3` contains `1.2.3.4`
func NewECDSAPrikey ¶
func NewECDSAPrikey(curve ECDSACurve) (*ecdsa.PrivateKey, error)
NewECDSAPrikey new ecdsa private key
func NewECDSAPrikeyAndCert ¶
func NewECDSAPrikeyAndCert(curve ECDSACurve, opts ...X509CertOption) ( prikeyPem, certDer []byte, err error)
NewECDSAPrikeyAndCert convient function to new ecdsa private key and cert
func NewEd25519Prikey ¶
func NewEd25519Prikey() (ed25519.PrivateKey, error)
NewEd25519Prikey new ed25519 private key
func NewEd25519PrikeyAndCert ¶
func NewEd25519PrikeyAndCert(opts ...X509CertOption) ( prikeyPem, certDer []byte, err error)
NewEd25519PrikeyAndCert convient function to new ed25519 private key and cert
func NewRSAPrikey ¶
func NewRSAPrikey(bits RSAPrikeyBits) (*rsa.PrivateKey, error)
NewRSAPrikey new rsa privat ekey
func NewRSAPrikeyAndCert ¶
func NewRSAPrikeyAndCert(rsaBits RSAPrikeyBits, opts ...X509CertOption) ( prikeyPem, certDer []byte, err error)
NewRSAPrikeyAndCert convient function to new rsa private key and cert
func NewX509CRL ¶
func NewX509CRL(ca *x509.Certificate, prikey crypto.PrivateKey, seriaNumber *big.Int, revokeCerts []pkix.RevokedCertificate, opts ...X509CRLOption) (crlDer []byte, err error)
NewX509CRL create and sign CRL
Args ¶
- ca: CA to sign CRL.
- prikey: prikey for CA.
- revokeCerts: certifacates that will be revoked.
- WithX509CertSeriaNumber() is required for NewX509CRL.
according to RFC5280 5.2.3, X.509 v3 CRL could have a monotonically increasing sequence number as serial number.
func NewX509CSR ¶
func NewX509CSR(prikey crypto.PrivateKey, opts ...X509CSROption) (csrDer []byte, err error)
NewX509CSR new CSR
Arguments ¶
if prikey is not RSA private key, you must set SignatureAlgorithm by WithX509CertSignatureAlgorithm.
Warning: CSR do not support set IsCA / KeyUsage / ExtKeyUsage, you should set these attributes in NewX509CertByCSR.
func NewX509Cert ¶
func NewX509Cert(prikey crypto.PrivateKey, opts ...X509CertOption) (certDer []byte, err error)
NewX509Cert new cert
func NewX509CertByCSR ¶
func NewX509CertByCSR( parent *x509.Certificate, prikey crypto.PrivateKey, csrDer []byte, opts ...SignCSROption) (certDer []byte, err error)
NewX509CertByCSR sign CSR to certificate
Depends on RFC-5280 4.2.1.12, empty ext key usage is as same as any key usage. so do not set any default ext key usages.
but key usage is required in many cases:
func OIDContains ¶
func OIDContains(oids []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier, opts ...func(o *oidContainsOption) error) bool
OIDContains is oid in oids
func OidAsn2X509 ¶
func OidAsn2X509(oid asn1.ObjectIdentifier) (x509.OID, error)
OidAsn2X509 convert asn1 object identifier to x509 object identifier
func OidFromString ¶
OidFromString convert string to x509 object identifier
func ParseBase642Big ¶
ParseBase642Big parse base64 string to big
func ParseHex2Big ¶
ParseHex2Big parse hex string to big
func PasswordHash ¶
PasswordHash generate salted hash of password, can verify by VerifyHashedPassword
func Pem2CSR ¶
func Pem2CSR(csrInPem []byte) (*x509.CertificateRequest, error)
Pem2CSR parse csr from pem
func Pem2Cert ¶
func Pem2Cert(certInPem []byte) (*x509.Certificate, error)
Pem2Cert parse single certificate in pem
func Pem2Certs ¶
func Pem2Certs(certInPem []byte) ([]*x509.Certificate, error)
Pem2Certs parse multiple certificate in pem
func Pem2Prikey ¶
func Pem2Prikey(x509v8Pem []byte) (crypto.PrivateKey, error)
Pem2Prikey parse private key from x509 v8(general) pem
func Pem2Pubkey ¶
Pem2Pubkey parse public key from pem
func Prikey2Der ¶
func Prikey2Der(key crypto.PrivateKey) ([]byte, error)
Prikey2Der marshal private key by x509.8
func Prikey2Pem ¶
func Prikey2Pem(key crypto.PrivateKey) ([]byte, error)
Prikey2Pem marshal private key to pem, tailing with line break
func Prikey2Pubkey ¶
func Prikey2Pubkey(prikey crypto.PrivateKey) (pubkey crypto.PublicKey)
Prikey2Pubkey get public key from private key
func PrikeyDer2Pem ¶
PrikeyDer2Pem convert private key in der to pem
func Privkey2Signer ¶
func Privkey2Signer(privkey crypto.PrivateKey) crypto.Signer
Privkey2Signer convert privkey to signer
func Pubkey2Der ¶
Pubkey2Der marshal public key by pkix
func Pubkey2Pem ¶
Pubkey2Pem marshal public key to pem, tailing with line break
func PubkeyDer2Pem ¶
PubkeyDer2Pem convert public key in der to pem
func RSADecryptByOAEP ¶
func RSADecryptByOAEP(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)
RSADecryptByOAEP decrypt by OAEP with SHA256
func RSADecryptByPKCS1v15 ¶
func RSADecryptByPKCS1v15(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)
RSADecryptByPKCS1v15 decrypt by rsa PKCS1v15
only accept cipher encrypted by RSAEncrypt
func RSADer2Prikey ¶
func RSADer2Prikey(x509v1Der []byte) (*rsa.PrivateKey, error)
RSADer2Prikey parse private key from x509 v1(rsa) der
func RSAEncryptByOAEP ¶
RSAEncryptByOAEP encrypts by OAEP with SHA256
This is not a deterministic encryption scheme, it will return different ciphertexts each time even if the same plaintext is encrypted multiple times.
func RSAEncryptByPKCS1v15 ¶
RSAEncryptByPKCS1v15 encrypt by PKCS1v15
This is not a deterministic encryption scheme, it will return different ciphertexts each time even if the same plaintext is encrypted multiple times.
func RSAPem2Prikey ¶
func RSAPem2Prikey(x509v1Pem []byte) (*rsa.PrivateKey, error)
RSAPem2Prikey parse private key from x509 v1(rsa) pem
func ReadableOIDs ¶
func ReadableOIDs(oids []asn1.ObjectIdentifier) (names []string)
ReadableX509ExtKeyUsage convert objectids to readable strings
func ReadablePkixName ¶
ReadablePkixName convert pkix.Name to readable map with strings
func ReadableX509CSR ¶
func ReadableX509CSR(csr *x509.CertificateRequest) (map[string]any, error)
ReadableX509CSR convert x509 certificate request to readable jsonable map
func ReadableX509Cert ¶
func ReadableX509Cert(cert *x509.Certificate) (map[string]any, error)
ReadableX509Cert convert x509 certificate to readable jsonable map
func ReadableX509ExtKeyUsage ¶
func ReadableX509ExtKeyUsage(usages []x509.ExtKeyUsage) (usageNames []string)
ReadableX509ExtKeyUsage convert x509 certificate ext key usages to readable strings
func ReadableX509Extention ¶
ReadableX509Extention convert x509 certificate extension to readable jsonable map
func ReadableX509KeyUsage ¶
ReadableX509KeyUsage convert x509 certificate key usages to readable strings
func SecureCipherSuites ¶
func SecureCipherSuites(filter func(*tls.CipherSuite) bool) []uint16
SecureCipherSuites get golang built-in cipher suites without known insecure suites
func SignByECDSAWithSHA256 ¶
SignByECDSAWithSHA256 generate signature by ecdsa private key use sha256
Example ¶
priKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { log.Shared.Panic("generate key", zap.Error(err)) } priKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { log.Shared.Panic("generate key", zap.Error(err)) } // case: correct key cnt := []byte("fjijf23lijfl23ijrl32jra9pfie9wpfi") r, s, err := SignByECDSAWithSHA256(priKey, cnt) if err != nil { log.Shared.Panic("sign", zap.Error(err)) } if !VerifyByECDSAWithSHA256(&priKey.PublicKey, cnt, r, s) { log.Shared.Panic("verify failed") } // generate string encoded := EncodeES256SignByBase64(r, s) if _, _, err = DecodeES256SignByBase64(encoded); err != nil { log.Shared.Panic("encode and decode", zap.Error(err)) } // case: incorrect cnt cnt = []byte("fjijf23lijfl23ijrl32jra9pfie9wpfi") r, s, err = SignByECDSAWithSHA256(priKey, cnt) if err != nil { log.Shared.Panic("sign", zap.Error(err)) } if VerifyByECDSAWithSHA256(&priKey.PublicKey, append(cnt, '2'), r, s) { log.Shared.Panic("should not verify") } // case: incorrect key r, s, err = SignByECDSAWithSHA256(priKey2, cnt) if err != nil { log.Shared.Panic("sign", zap.Error(err)) } if VerifyByECDSAWithSHA256(&priKey.PublicKey, cnt, r, s) { log.Shared.Panic("should not verify") }
Output:
func SignByECDSAWithSHA256AndBase64 ¶
func SignByECDSAWithSHA256AndBase64(prikey *ecdsa.PrivateKey, content []byte) (signature string, err error)
SignByECDSAWithSHA256AndBase64 generate signature by ecdsa private key use sha256
func SignByEd25519WithSHA512 ¶
SignByEd25519WithSHA512 generate signature by ed25519 private key
func SignByRSAPKCS1v15WithSHA256 ¶
func SignByRSAPKCS1v15WithSHA256(prikey *rsa.PrivateKey, content []byte) ([]byte, error)
SignByRSAPKCS1v15WithSHA256 generate signature by rsa private key use sha256
func SignByRSAPSSWithSHA256 ¶
func SignByRSAPSSWithSHA256(prikey *rsa.PrivateKey, content []byte) ([]byte, error)
SignByRSAPSSWithSHA256 generate signature by rsa private key use sha256
RSASSA-PSS is not deterministic, so it will return different signature every time.
func SignBySchnorrSha256 ¶
func SignBySchnorrSha256(suite dediskey.Suite, prikey kyber.Scalar, reader io.Reader) ([]byte, error)
SignBySchnorrSha256 sign content by schnorr
func SignReaderByECDSAWithSHA256 ¶
func SignReaderByECDSAWithSHA256(prikey *ecdsa.PrivateKey, reader io.Reader) (r, s *big.Int, err error)
SignReaderByECDSAWithSHA256 generate signature by ecdsa private key use sha256
func SignReaderByEd25519WithSHA256 ¶
func SignReaderByEd25519WithSHA256(prikey ed25519.PrivateKey, reader io.Reader) (sig []byte, err error)
SignReaderByEd25519WithSHA256 generate signature by ecdsa private key use sha256
func SignReaderByRSAWithSHA256 ¶
SignReaderByRSAWithSHA256 generate signature by rsa private key use sha256
func SplitCertsPemChain ¶
SplitCertsPemChain split pem chain to multiple pem
func ValidatePasswordHash
deprecated
func VerifyByECDSAWithSHA256 ¶
VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256
func VerifyByECDSAWithSHA256AndBase64 ¶
func VerifyByECDSAWithSHA256AndBase64(pubKey *ecdsa.PublicKey, content []byte, signature string) (bool, error)
VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256
func VerifyByEd25519WithSHA512 ¶
VerifyByEd25519WithSHA512 verify signature by ed25519 public key
func VerifyByRSAPKCS1v15WithSHA256 ¶
VerifyByRSAPKCS1v15WithSHA256 verify signature by rsa public key use sha256
func VerifyByRSAPSSWithSHA256 ¶
VerifyByRSAPSSWithSHA256 verify signature by rsa public key use sha256
func VerifyBySchnorrSha256 ¶
func VerifyBySchnorrSha256(suite dediskey.Suite, pubkey kyber.Point, reader io.Reader, sig []byte) error
VerifyBySchnorrSha256 verify signature by schnorr
func VerifyCRL ¶
func VerifyCRL(ca *x509.Certificate, crl *x509.RevocationList) error
VerifyCRL verify crl by ca
func VerifyCertByPrikey ¶
VerifyCertByPrikey verify cert by prikey
func VerifyHashedPassword ¶
VerifyHashedPassword verify HashedPassword
func VerifyReaderByECDSAWithSHA256 ¶
func VerifyReaderByECDSAWithSHA256(pubKey *ecdsa.PublicKey, reader io.Reader, r, s *big.Int) (bool, error)
VerifyReaderByECDSAWithSHA256 verify signature by ecdsa public key use sha256
func VerifyReaderByEd25519WithSHA256 ¶
VerifyReaderByEd25519WithSHA256 verify signature by ecdsa public key use sha256
func VerifyReaderByRSAWithSHA256 ¶
VerifyReaderByRSAWithSHA256 verify signature by rsa public key use sha256
func X509Cert2OpensslConf ¶
func X509Cert2OpensslConf(cert *x509.Certificate) (opensslConf []byte)
X509Cert2OpensslConf marshal x509
func X509CertSubjectKeyID ¶
X509CertSubjectKeyID generate subject key id for pubkey
if x509 certificate template is a CA, subject key id will generated by golang automatelly
func X509CrlOptions2Tpl ¶
func X509CrlOptions2Tpl(opts ...X509CRLOption) (*x509.RevocationList, error)
X509CrlOptions2Tpl marshal x509 crl options to x509.RevocationList
func X509Csr2OpensslConf ¶
func X509Csr2OpensslConf(csr *x509.CertificateRequest) (opensslConf []byte)
X509Csr2OpensslConf marshal x509 csr to openssl conf
Returns ¶
[ req ] distinguished_name = req_distinguished_name prompt = no string_mask = utf8only req_extensions = req_ext [ req_ext ] subjectAltName = @alt_names [ req_distinguished_name ] commonName = Intermedia CA countryName = CN stateOrProvinceName = Shanghai localityName = Shanghai organizationName = BBT organizationalUnitName = XSS [ alt_names ] DNS.1 = localhost DNS.2 = example.com
func X509CsrOption2Template ¶
func X509CsrOption2Template(opts ...X509CSROption) (tpl *x509.CertificateRequest, err error)
X509CsrOption2Template convert X509CSROption to x509.CertificateRequest
Types ¶
type AESEncryptFilesInDirOption ¶
type AESEncryptFilesInDirOption func(*encryptFilesOption) error
AESEncryptFilesInDirOption options to encrypt files in dir
func WithAESFilesInDirFileExt ¶
func WithAESFilesInDirFileExt(ext string) AESEncryptFilesInDirOption
WithAESFilesInDirFileExt only encrypt files with specific ext
func WithAESFilesInDirFileSuffix ¶
func WithAESFilesInDirFileSuffix(suffix string) AESEncryptFilesInDirOption
WithAESFilesInDirFileSuffix will append to encrypted's filename as suffix
xxx.toml -> xxx.toml.enc
type AesReaderWrapper ¶
type AesReaderWrapper struct {
// contains filtered or unexported fields
}
AesReaderWrapper used to decrypt encrypted reader
func NewAesReaderWrapper ¶
func NewAesReaderWrapper(in io.Reader, key []byte) (*AesReaderWrapper, error)
NewAesReaderWrapper wrap reader by aes
type DHKX ¶
type DHKX struct {
// contains filtered or unexported fields
}
Diffie Hellman Key-exchange algorithm
https://pkg.go.dev/github.com/monnand/dhkx
Example ¶
alice, _ := NewDHKX() bob, _ := NewDHKX() alicePub := alice.PublicKey() bobPub := bob.PublicKey() aliceKey, _ := alice.GenerateKey(bobPub) bobKey, _ := bob.GenerateKey(alicePub) aliceKey == bobKey
Note: recommoend to use ECDH instead of DHKX
Example ¶
alice, _ := NewDHKX() bob, _ := NewDHKX() alicePub, _ := alice.PublicKey() bobPub, _ := bob.PublicKey() aliceKey, _ := alice.GenerateKey(bobPub) bobKey, _ := bob.GenerateKey(alicePub) fmt.Println(reflect.DeepEqual(aliceKey, bobKey))
Output: true
func NewDHKX
deprecated
func NewDHKX(optfs ...DHKXOptionFunc) (d *DHKX, err error)
NewDHKX create a new DHKX instance
each DHKX instance has it's unique group and private key
Known vulnerabilities: DHKX is not secure against active attacks, MITM attacker could replace the public keys with his own and decrypt the messages. its better to verify peer's public key by signature.
Deprecated: ECDH is much more faster and efficient than DHKX, use ECDH instead.
func (*DHKX) GenerateKey ¶
GenerateKey generate new key by peer's public key
each side of the DHKX exchange peers will generate the same key
key like:
60a425ca3a4cc313db9c113a0526f3809725305afc68e1accd0e653ae8d0182c6eb05557f4b5d094 f015972b9fda7d60c1b64d79f50baea7365d858ede0fb7a6571403d4b95f682144b56fa17ffcbe9e 70de69dc0045672696e683c423c5b3dfc02a6916be1e50c74e60353ec08a465cc124e8ca88337fb7 4a0370e17a7cedb0b1e76733f43ad3db9e3d29ab43c75686a8bc4a88ee46addbd1590c8277d1b1ef 42aded6cc0bfe0a7ff8933861dae772c755087f2a41021f4ca53867ba49797d111ef21b381cb6441 178f4ccd3748f8e7b1a12ec3799571a49fc0aa793c05ab6e228b559f1fda2912542d7246388ccec1 38b4d8ce9df4a32c198891c4e33b5034
type DHKXOptionFunc ¶
type DHKXOptionFunc func(*dhkxOption) error
DHKXOptionFunc optional func to set dhkx option
type DefaultX509CertSerialNumGenerator ¶
type DefaultX509CertSerialNumGenerator struct {
// contains filtered or unexported fields
}
DefaultX509CertSerialNumGenerator default cert serial number generator base on epoch time and random int
func NewDefaultX509CertSerialNumGenerator ¶
func NewDefaultX509CertSerialNumGenerator() (*DefaultX509CertSerialNumGenerator, error)
NewDefaultX509CertSerialNumGenerator new DefaultX509CertSerialNumGenerator
func (*DefaultX509CertSerialNumGenerator) SerialNum ¶
func (g *DefaultX509CertSerialNumGenerator) SerialNum() int64
SerialNum get randon serial number
type ECDH ¶
type ECDH struct {
// contains filtered or unexported fields
}
ECDH Elliptic Curve Diffie-Hellman
func NewEcdh ¶
func NewEcdh(curve ECDSACurve) (ins *ECDH, err error)
NewEcdh create a new ECDH instance
Known vulnerabilities: DHKX is not secure against active attacks, MITM attacker could replace the public keys with his own and decrypt the messages. its better to verify peer's public key by signature.
Example ¶
alice, _ := NewEcdh(ECDSACurveP256) bob, _ := NewEcdh(ECDSACurveP256) alicePub, _ := alice.PublicKey() bobPub, _ := bob.PublicKey() aliceKey, _ := alice.GenerateKey(bobPub) bobKey, _ := bob.GenerateKey(alicePub) fmt.Println(reflect.DeepEqual(aliceKey, bobKey))
Output: true
func (*ECDH) GenerateKey ¶
GenerateKey generate new key by peer's public key
type ECDSACurve ¶
type ECDSACurve string
ECDSACurve algorithms
const ( // ECDSACurveP256 ecdsa with P256 ECDSACurveP256 ECDSACurve = "P256" // ECDSACurveP384 ecdsa with P384 ECDSACurveP384 ECDSACurve = "P384" // ECDSACurveP521 ecdsa with P521 ECDSACurveP521 ECDSACurve = "P521" )
type HashedPassword ¶
type HashedPassword struct {
// contains filtered or unexported fields
}
HashedPassword salt hashed password
generate by PasswordHash, verify by VerifyHashedPassword
func (HashedPassword) String ¶
func (p HashedPassword) String() string
String convert to string
can verify by VerifyHashedPassword
type KeyExchange ¶
type KeyExchange interface { // PublicKey return public key bytes // // send public key to peer, and get peer's public key // every side of the exchange peers will generate the same key PublicKey() ([]byte, error) // GenerateKey generate new key by peer's public key GenerateKey(peerPubKey []byte) ([]byte, error) }
KeyExchange key agreement interface
type OTPAlgorithm ¶
type OTPAlgorithm string
OTPAlgorithm hash algorithm for otp
const ( // OTPAlgorithmSHA1 sha1 OTPAlgorithmSHA1 OTPAlgorithm = "sha1" )
type OTPArgs ¶
type OTPArgs struct { // OtpType (readonly) otp type, must in totp/hotp OtpType OTPType // Base32Secret (required) the hotp/totp secret used to generate the URI // // genrate Base32Secret: // // Base32Secret([]byte("xxxxxx")) Base32Secret string // AccountName (optional) name of the account AccountName string // Authenticator (optional) the name of the OTP issuer; // this will be the organization title of the OTP entry in Authenticator IssuerName string // Algorithm (optional) the algorithm used in the OTP generation // // default to sha1 Algorithm OTPAlgorithm // InitialCount (optional) starting counter value. Only works for hotp InitialCount int // Digits (optional) the length of the OTP generated code. // // default to 6 Digits uint // PeriodSecs (optional) the number of seconds the OTP // generator is set to expire every code. // // default to 30 PeriodSecs uint }
OTPArgs arguments for OTP
func ParseOTPUri ¶
ParseOTPUri parse otp uri to otp arguments
Args ¶
- uri: like `otpauth://totp/issuerName:demoAccountName?secret=4S62BZNFXXSZLCRO&issuer=issuerName`
type OpensslCertificateOutput ¶
type OpensslCertificateOutput struct { // Raw is the raw output of `openssl x509 -inform DER -text` Raw []byte SerialNumber *big.Int NotBefore, NotAfter time.Time IsCa bool Subject pkix.Name Policies []asn1.ObjectIdentifier PublicKeyAlgorithm x509.PublicKeyAlgorithm SubjectKeyIdentifier, AuthorityKeyIdentifier []byte }
OpensslCertificateOutput output of `openssl x509 -inform DER -text`
type RSAPrikeyBits ¶
type RSAPrikeyBits int
RSAPrikeyBits width of rsa private key
const ( // RSAPrikeyBits2048 rsa private key with 2048 bits RSAPrikeyBits2048 RSAPrikeyBits = 2048 // RSAPrikeyBits3072 rsa private key with 3072 bits RSAPrikeyBits3072 RSAPrikeyBits = 3072 // RSAPrikeyBits4096 rsa private key with 4096 bits RSAPrikeyBits4096 RSAPrikeyBits = 4096 )
type SignCSROption ¶
type SignCSROption func(*signCSROption) error
SignCSROption options for create certificate from CRL
func WithX509CaMaxPathLen ¶
func WithX509CaMaxPathLen(maxPathLen int) SignCSROption
WithX509CaMaxPathLen set max path length
only CAs are allowed to specify MaxPathLen
func WithX509SerialNumGenerator ¶
func WithX509SerialNumGenerator(gen X509CertSerialNumberGenerator) SignCSROption
WithX509SerialNumGenerator set serial number generator
func WithX509SignCSRCRLs ¶
func WithX509SignCSRCRLs(crlEndpoint ...string) SignCSROption
WithX509SignCSRCRLs add crl endpoints
func WithX509SignCSRExtKeyUsage ¶
func WithX509SignCSRExtKeyUsage(usage ...x509.ExtKeyUsage) SignCSROption
WithX509SignCSRExtKeyUsage add ext key usage
func WithX509SignCSRExtenstions
deprecated
func WithX509SignCSRExtenstions(_ ...pkix.Extension) SignCSROption
WithX509SignCSRExtenstions set certificate extensions
Extensions contains all requested extensions, in raw form. When parsing CSRs, this can be used to extract extensions that are not parsed by this package.
Deprecated: this field is ignored by golang built-in x509 library, use WithX509SignCSRExtraExtenstions instead if you want to set extensions.
func WithX509SignCSRExtraExtenstions ¶
func WithX509SignCSRExtraExtenstions(exts ...pkix.Extension) SignCSROption
WithX509SignCSRExtraExtenstions set certificate extra extensions
ExtraExtensions contains extensions to be copied, raw, into any CSR marshaled by CreateCertificateRequest. Values override any extensions that would otherwise be produced based on the other fields but are overridden by any extensions specified in Attributes.
The ExtraExtensions field is not populated by ParseCertificateRequest, see Extensions instead.
func WithX509SignCSRIsCRLCA ¶
func WithX509SignCSRIsCRLCA() SignCSROption
WithX509SignCSRIsCRLCA set is ca to sign CRL
func WithX509SignCSRKeyUsage ¶
func WithX509SignCSRKeyUsage(usage ...x509.KeyUsage) SignCSROption
WithX509SignCSRKeyUsage add key usage
func WithX509SignCSRNotAfter ¶
func WithX509SignCSRNotAfter(notAfter time.Time) SignCSROption
WithX509SignCSRNotAfter set valid for duration
func WithX509SignCSRNotBefore ¶
func WithX509SignCSRNotBefore(notBefore time.Time) SignCSROption
WithX509SignCSRNotBefore set valid from
func WithX509SignCSROCSPServers ¶
func WithX509SignCSROCSPServers(ocsp ...string) SignCSROption
WithX509SignCSROCSPServers set ocsp servers
func WithX509SignCSRPolicies ¶
func WithX509SignCSRPolicies(policies ...asn1.ObjectIdentifier) SignCSROption
WithX509SignCSRPolicies set certificate policies
func WithX509SignCSRSeriaNumber ¶
func WithX509SignCSRSeriaNumber(serialNumber *big.Int) SignCSROption
WithX509SignCSRSeriaNumber set certificate/CRL's serial number
refer to RFC-5280 5.2.3 &
Args ¶
seriaNumber:
- (optional): generate certificate
- (required): generate CRL
func WithX509SignCSRValidFor ¶
func WithX509SignCSRValidFor(validFor time.Duration) SignCSROption
WithX509SignCSRValidFor set valid for duration
deprecated: use WithX509SignCSRNotAfter instead
func WithX509SignCSRValidFrom ¶
func WithX509SignCSRValidFrom(validFrom time.Time) SignCSROption
WithX509SignCSRValidFrom set valid from
deprecated: use WithX509SignCSRNotBefore instead
func WithX509SignPublicKeyAlgorithm
deprecated
func WithX509SignPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) SignCSROption
WithX509SignPublicKeyAlgorithm set public key algorithm
Deprecated: this field is ignored by golang built-in x509 library
func WithX509SignSignatureAlgorithm ¶
func WithX509SignSignatureAlgorithm(algo x509.SignatureAlgorithm) SignCSROption
WithX509SignSignatureAlgorithm set signature algorithm that parent certificate used to sign csr
type TOTP ¶
type TOTP struct {
// contains filtered or unexported fields
}
TOTP time-based OTP
type TOTPInterface ¶
type TOTPInterface interface { // Key generate key by totp Key() string // KeyAt generate key by totp at arbitraty time KeyAt(at time.Time) string // URI build uri for otp arguments URI() string }
TOTPInterface interface for TOTP
type Tongsuo ¶
type Tongsuo struct {
// contains filtered or unexported fields
}
Tongsuo is a wrapper of tongsuo executable binary
https://github.com/Tongsuo-Project/Tongsuo
func NewTongsuo ¶
NewTongsuo new tongsuo wrapper
Notice, only support
- github.com/tongsuo-project/tongsuo-go-sdk v0.0.0-20231225081335-82a881b9b3d3
- https://github.com/Tongsuo-Project/Tongsuo 8.4.0-pre3
#Args
- exePath: path of tongsuo executable binary
func (*Tongsuo) CloneX509Csr ¶
func (t *Tongsuo) CloneX509Csr(ctx context.Context, prikeyPem []byte, originCsrDer []byte) (clonedCsrDer []byte, err error)
CloneX509Csr generat a cloned csr with different private key
Args ¶
- prikeyPem: new private key for cloned csr
- originCsrDer: origin csr
func (*Tongsuo) DecryptBySm2 ¶
func (t *Tongsuo) DecryptBySm2(ctx context.Context, prikeyPem []byte, cipher []byte) (data []byte, err error)
DecryptBySm2 decrypt by sm2 private key
func (*Tongsuo) DecryptBySm4Cbc ¶
func (t *Tongsuo) DecryptBySm4Cbc(ctx context.Context, key, combinedCipher []byte) ( plaintext []byte, err error)
DecryptBySm4Cbc decrypt by sm4, should be encrypted by `EncryptBySm4` only
func (*Tongsuo) DecryptBySm4CbcBaisc ¶
func (t *Tongsuo) DecryptBySm4CbcBaisc(ctx context.Context, key, ciphertext, iv, hmac []byte) (plaintext []byte, err error)
DecryptBySm4CbcBaisc decrypt by sm4
Args ¶
- key: sm4 key
- ciphertext: sm4 encrypted data
- iv: sm4 iv
- hmac: if not nil, will check ciphertext's integrity by hmac
func (*Tongsuo) EncryptBySm2 ¶
func (t *Tongsuo) EncryptBySm2(ctx context.Context, pubkeyPem []byte, data []byte) (cipher []byte, err error)
EncryptBySm2 encrypt by sm2 public key
func (*Tongsuo) EncryptBySm4Cbc ¶
func (t *Tongsuo) EncryptBySm4Cbc(ctx context.Context, key, plaintext []byte) ( combinedCipher []byte, err error)
EncryptBySm4Cbc encrypt by sm4, should be decrypted by `DecryptBySm4` only
func (*Tongsuo) EncryptBySm4CbcBaisc ¶
func (t *Tongsuo) EncryptBySm4CbcBaisc(ctx context.Context, key, plaintext, iv []byte) (ciphertext, hmac []byte, err error)
EncryptBySm4CbcBaisc encrypt by sm4
Args ¶
- key: sm4 key, should be 16 bytes
- plaintext: data to be encrypted
- iv: sm4 iv, should be 16 bytes
Returns ¶
- ciphertext: sm4 encrypted data
- hmac: hmac of ciphertext, 32 bytes
func (*Tongsuo) GetPubkeyFromCertPem ¶
func (t *Tongsuo) GetPubkeyFromCertPem(ctx context.Context, certPem []byte) (pubkeyPem []byte, err error)
GetPubkeyFromCertPem get pubkey from cert pem
func (*Tongsuo) NewPrikey ¶
NewPrikey generate new sm2 private key
tongsuo ecparam -genkey -name SM2 -out rootca.key
func (*Tongsuo) NewPrikeyAndCert ¶
func (t *Tongsuo) NewPrikeyAndCert(ctx context.Context, opts ...X509CertOption) ( prikeyPem, certDer []byte, err error)
NewPrikeyAndCert generate new private key and root ca
func (*Tongsuo) NewPrikeyWithPassword ¶
func (t *Tongsuo) NewPrikeyWithPassword(ctx context.Context, password string) ( encryptedPrikeyPem []byte, err error)
NewPrikeyWithPassword generate new sm2 private key with password
func (*Tongsuo) NewX509CSR ¶
func (t *Tongsuo) NewX509CSR(ctx context.Context, prikeyPem []byte, opts ...X509CSROption) (csrDer []byte, err error)
NewX509CSR generate new x509 csr
func (*Tongsuo) NewX509Cert ¶
func (t *Tongsuo) NewX509Cert(ctx context.Context, prikeyPem []byte, opts ...X509CertOption) (certDer []byte, err error)
NewX509Cert generate new x509 cert
tongsuo req -out rootca.crt -outform PEM -key rootca.key \ -set_serial 123456 \ -days 3650 -x509 -new -nodes -utf8 -batch \ -sm3 \ -copy_extensions copyall \ -extensions v3_ca \ -config rootca.cnf
func (*Tongsuo) NewX509CertByCSR ¶
func (t *Tongsuo) NewX509CertByCSR(ctx context.Context, parentCertDer []byte, parentPrikeyPem []byte, csrDer []byte, opts ...SignCSROption) (certDer []byte, err error)
NewX509CertByCSR generate new x509 cert by csr
func (*Tongsuo) ParseCsr2Opts ¶
ParseCsr2Opts parse csr to opts
func (*Tongsuo) Prikey2Pubkey ¶
func (t *Tongsuo) Prikey2Pubkey(ctx context.Context, prikeyPem []byte) ( pubkeyPem []byte, err error)
Prikey2Pubkey convert private key to public key
func (*Tongsuo) PrivateKey ¶
func (t *Tongsuo) PrivateKey(prikeyPem []byte) (crypto.PrivateKey, error)
PrivateKey get private key
func (*Tongsuo) ShowCertInfo ¶
func (t *Tongsuo) ShowCertInfo(ctx context.Context, certDer []byte) ( certinfo string, cert *x509.Certificate, err error)
ShowCertInfo show cert info
nolint:gocognit,lll,maintidx // parse cert info part by part LGTM
Raw ¶
Version: 3 (0x2) Serial Number: 17108345756590001 (0x3cc7f327841fb1) Serial Number: 51:f5:46:8b:d6:ff:ec:f2:33:e6:38:68:46:4e:9b:19:56:f3:6e:8a Signature Algorithm: SM2-with-SM3 Issuer: CN = test-common-name, O = test org Validity Not Before: Mar 19 07:49:35 2024 GMT Not After : Mar 25 07:49:35 2024 GMT Subject: CN = test-common-name, O = test org Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:31:66:dd:ef:4e:31:29:fd:4b:b1:a1:66:0b:c9: 81:9f:6f:a4:e1:bd:44:24:6a:a8:93:62:0b:85:be: 0e:56:14:76:ab:56:0d:7c:cc:26:77:47:d0:fe:77: 38:31:ab:3d:b8:01:60:96:ae:07:72:e4:3d:df:4c: 9d:02:98:9f:d3 ASN1 OID: SM2 X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only X509v3 Extended Key Usage: Any Extended Key Usage, TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, IPSec End System, IPSec Tunnel, IPSec User, Time Stamping, OCSP Signing, Microsoft Server Gated Crypto, Netscape Server Gated Crypto, Microsoft Commercial Code Signing, 1.3.6.1.4.1.311.61.1.1 X509v3 Subject Key Identifier: AF:9A:33:37:3F:DE:3E:DD:77:61:A1:C8:3F:D5:0C:39:F0:D6:A6:7B X509v3 Authority Key Identifier: AF:9A:33:37:3F:DE:3E:DD:77:61:A1:C8:3F:D5:0C:39:F0:D6:A6:7B X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.59936.1.1.3 Signature Algorithm: SM2-with-SM3 Signature Value: 30:45:02:21:00:a8:a6:db:d5:8c:b4:d2:58:ff:1e:1f:9d:c1: e7:0b:eb:ba:4b:50:99:2c:c4:b9:3b:50:9d:6f:5f:1f:32:40: 17:02:20:38:91:fb:16:41:80:52:d8:28:f8:ee:34:0f:f9:ab: c5:c8:1a:1f:31:d9:05:13:04:12:4d:0c:3d:fd:52:fe:51 -----BEGIN CERTIFICATE----- MIIByzCCAXGgAwIBAgIHPMfzJ4QfsTAKBggqgRzPVQGDdTAuMRkwFwYDVQQDDBB0 ZXN0LWNvbW1vbi1uYW1lMREwDwYDVQQKDAh0ZXN0IG9yZzAeFw0yNDAzMTkwNzQ5 MzVaFw0yNDAzMjUwNzQ5MzVaMC4xGTAXBgNVBAMMEHRlc3QtY29tbW9uLW5hbWUx ETAPBgNVBAoMCHRlc3Qgb3JnMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEMWbd 704xKf1LsaFmC8mBn2+k4b1EJGqok2ILhb4OVhR2q1YNfMwmd0fQ/nc4Mas9uAFg lq4HcuQ930ydApif06N6MHgwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw HQYDVR0OBBYEFK+aMzc/3j7dd2GhyD/VDDnw1qZ7MB8GA1UdIwQYMBaAFK+aMzc/ 3j7dd2GhyD/VDDnw1qZ7MBgGA1UdIAQRMA8wDQYLKwYBBAGD1CABAQMwCgYIKoEc z1UBg3UDSAAwRQIhAKim29WMtNJY/x4fncHnC+u6S1CZLMS5O1Cdb18fMkAXAiA4 kfsWQYBS2Cj47jQP+avFyBofMdkFEwQSTQw9/VL+UQ== -----END CERTIFICATE-----
func (*Tongsuo) ShowCsrInfo ¶
ShowCsrInfo show csr info
func (*Tongsuo) SignBySm2Sm3 ¶
func (t *Tongsuo) SignBySm2Sm3(ctx context.Context, parentPrikeyPem []byte, content []byte) (signature []byte, err error)
SignBySm2Sm3 sign by sm2 sm3
func (*Tongsuo) SignX509CRL ¶
func (t *Tongsuo) SignX509CRL(ctx context.Context, CrlDer []byte, PrikeyPem []byte, ) (signedCrlDer []byte, err error)
SignX509CRL sign x509 crl by ca private key
func (*Tongsuo) VerifyBySm2Sm3 ¶
VerifyBySm2Sm3 verify by sm2 sm3
type TongsuoPriKey ¶
type TongsuoPriKey struct {
// contains filtered or unexported fields
}
TongsuoPriKey tongsuo private key
func (*TongsuoPriKey) Decrypt ¶
func (t *TongsuoPriKey) Decrypt(_ io.Reader, msg []byte, _ crypto.DecrypterOpts) (plaintext []byte, err error)
Decrypt decrypt by private key
func (*TongsuoPriKey) Public ¶
func (t *TongsuoPriKey) Public() crypto.PublicKey
Public get public key
func (*TongsuoPriKey) Sign ¶
func (t *TongsuoPriKey) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)
Sign sign by private key
type TongsuoPubkey ¶
type TongsuoPubkey struct {
// contains filtered or unexported fields
}
TongsuoPubkey tongsuo public key
type X509CRLOption ¶
type X509CRLOption func(*x509CRLOption) error
X509CRLOption options for create x509 CRL
func WithX509CRLNextUpdate ¶
func WithX509CRLNextUpdate(nextUpdate time.Time) X509CRLOption
WithX509CRLNextUpdate set next update
default to 30 days later
func WithX509CRLSignatureAlgorithm ¶
func WithX509CRLSignatureAlgorithm(algo x509.SignatureAlgorithm) X509CRLOption
WithX509CRLSignatureAlgorithm set signature algorithm
default to auto choose algorithm depends on certificate's algorithm
func WithX509CRLThisUpdate ¶
func WithX509CRLThisUpdate(thisUpdate time.Time) X509CRLOption
WithX509CRLThisUpdate set this update
default to now
type X509CSROption ¶
type X509CSROption func(*x509CSROption) error
X509CSROption option to generate tls certificate
func WithX509CSRAttribute
deprecated
func WithX509CSRAttribute(attr pkix.AttributeTypeAndValueSET) X509CSROption
WithX509CSRAttribute set attribute
Deprecated: Use Extensions and ExtraExtensions instead for parsing and generating the requestedExtensions attribute.
func WithX509CSRCommonName ¶
func WithX509CSRCommonName(commonName string) X509CSROption
WithX509CSRCommonName set common name
func WithX509CSRCountry ¶
func WithX509CSRCountry(values ...string) X509CSROption
WithX509CSRCountry set subject countries
func WithX509CSRDNSNames ¶
func WithX509CSRDNSNames(dnsNames ...string) X509CSROption
WithX509CSRDNSNames set dns sans
func WithX509CSREmailAddrs ¶
func WithX509CSREmailAddrs(emailAddresses ...string) X509CSROption
WithX509CSREmailAddrs set email sans
func WithX509CSRExtension
deprecated
func WithX509CSRExtension(_ pkix.Extension) X509CSROption
WithX509CSRExtension set extension
Extensions contains raw X.509 extensions. When parsing certificates, this can be used to extract non-critical extensions that are not parsed by this package. When marshaling certificates, the Extensions field is ignored, see ExtraExtensions.
Deprecated: this field is ignored by golang's built-in x509 library, use ExtraExtensions instead if you want to add custom extensions.
func WithX509CSRExtraExtension ¶
func WithX509CSRExtraExtension(ext pkix.Extension) X509CSROption
WithX509CSRExtraExtension set extra extension
ExtraExtensions contains extensions to be copied, raw, into any marshaled certificates. Values override any extensions that would otherwise be produced based on the other fields. The ExtraExtensions field is not populated when parsing certificates, see Extensions.
func WithX509CSRIPAddrs ¶
func WithX509CSRIPAddrs(ipAddresses ...net.IP) X509CSROption
WithX509CSRIPAddrs set ip sans
func WithX509CSRLocality ¶
func WithX509CSRLocality(l ...string) X509CSROption
WithX509CSRLocality set subject localities
func WithX509CSROrganization ¶
func WithX509CSROrganization(organization ...string) X509CSROption
WithX509CSROrganization set organization
func WithX509CSROrganizationUnit ¶
func WithX509CSROrganizationUnit(ou ...string) X509CSROption
WithX509CSROrganizationUnit set organization units
func WithX509CSRPostalCode ¶
func WithX509CSRPostalCode(codes ...string) X509CSROption
WithX509CSRPostalCode set subjuect postal codes
func WithX509CSRProvince ¶
func WithX509CSRProvince(values ...string) X509CSROption
WithX509CSRProvince set subject provinces
func WithX509CSRPublicKeyAlgorithm
deprecated
func WithX509CSRPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CSROption
WithX509CSRPublicKeyAlgorithm set signature algorithm
Deprecated: this field is ignored by golang's built-in x509 library
func WithX509CSRSANS ¶
func WithX509CSRSANS(sans ...string) X509CSROption
WithX509CertSANS set certificate SANs
refer to RFC-5280 4.2.1.6
auto WithX509CSRSANS to ip/email/url/dns
func WithX509CSRSignatureAlgorithm ¶
func WithX509CSRSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CSROption
WithX509CSRSignatureAlgorithm set signature algorithm
func WithX509CSRStreetAddrs ¶
func WithX509CSRStreetAddrs(addrs ...string) X509CSROption
WithX509CSRStreetAddrs set subjuect street addresses
func WithX509CSRSubject ¶
func WithX509CSRSubject(subject pkix.Name) X509CSROption
WithX509CSRSubject set subject name
func WithX509CSRURIs ¶
func WithX509CSRURIs(uris ...*url.URL) X509CSROption
WithX509CSRURIs set uri sans
type X509CertOption ¶
type X509CertOption func(*x509V3CertOption) error
X509CertOption option to generate tls certificate
func WithX509CertCRLs ¶
func WithX509CertCRLs(crlEndpoint ...string) X509CertOption
WithX509CertCRLs add crl endpoints
func WithX509CertCaMaxPathLen ¶
func WithX509CertCaMaxPathLen(maxPathLen int) X509CertOption
WithX509CertCaMaxPathLen set max path length
func WithX509CertCommonName ¶
func WithX509CertCommonName(commonName string) X509CertOption
WithX509CertCommonName set common name
func WithX509CertCountry ¶
func WithX509CertCountry(values ...string) X509CertOption
WithX509CertCountry set subject countries
func WithX509CertDNSNames ¶
func WithX509CertDNSNames(dnsNames ...string) X509CertOption
WithX509CertDNSNames set dns sans
func WithX509CertEmailAddrs ¶
func WithX509CertEmailAddrs(emailAddresses ...string) X509CertOption
WithX509CertEmailAddrs set email sans
func WithX509CertExtKeyUsage ¶
func WithX509CertExtKeyUsage(usage ...x509.ExtKeyUsage) X509CertOption
WithX509CertExtKeyUsage add ext key usage
func WithX509CertExtentions
deprecated
func WithX509CertExtentions(_ ...pkix.Extension) X509CertOption
WithX509CertExtentions set extensions
Deprecated: this field is ignored in x509 v3 certificate, use WithX509CertExtraExtensions instead if you want to set extensions.
func WithX509CertExtraExtensions ¶
func WithX509CertExtraExtensions(exts ...pkix.Extension) X509CertOption
WithX509CertExtraExtensions set extra extensions
func WithX509CertIPAddrs ¶
func WithX509CertIPAddrs(ipAddresses ...net.IP) X509CertOption
WithX509CertIPAddrs set ip sans
func WithX509CertIsCRLCA ¶
func WithX509CertIsCRLCA() X509CertOption
WithX509CertIsCRLCA set is ca to sign CRL
func WithX509CertKeyUsage ¶
func WithX509CertKeyUsage(usage ...x509.KeyUsage) X509CertOption
WithX509CertKeyUsage add key usage
func WithX509CertLocality ¶
func WithX509CertLocality(l ...string) X509CertOption
WithX509CertLocality set subject localities
func WithX509CertNotAfter ¶
func WithX509CertNotAfter(notAfter time.Time) X509CertOption
WithX509CertNotAfter set not after
default to 30 days later
func WithX509CertNotBefore ¶
func WithX509CertNotBefore(notBefore time.Time) X509CertOption
WithX509CertNotBefore set not before
func WithX509CertOCSPServers ¶
func WithX509CertOCSPServers(ocsp ...string) X509CertOption
WithX509CertOCSPServers set ocsp servers
func WithX509CertOrganization ¶
func WithX509CertOrganization(organization ...string) X509CertOption
WithX509CertOrganization set organization
func WithX509CertOrganizationUnit ¶
func WithX509CertOrganizationUnit(ou ...string) X509CertOption
WithX509CertOrganizationUnit set organization unit
func WithX509CertParent ¶
func WithX509CertParent(parent *x509.Certificate) X509CertOption
WithX509CertParent set issuer
func WithX509CertPolicies ¶
func WithX509CertPolicies(policies ...asn1.ObjectIdentifier) X509CertOption
WithX509CertPolicies set certificate policies
func WithX509CertPostalCode ¶
func WithX509CertPostalCode(codes ...string) X509CertOption
WithX509CertPostalCode set subjuect postal codes
func WithX509CertProvince ¶
func WithX509CertProvince(values ...string) X509CertOption
WithX509CertProvince set subject provinces
func WithX509CertPubkey ¶
func WithX509CertPubkey(pubkey crypto.PublicKey) X509CertOption
WithX509CertPubkey set new certs' pubkey
func WithX509CertPublicKeyAlgorithm
deprecated
func WithX509CertPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CertOption
WithX509CertPublicKeyAlgorithm set signature algorithm
Deprecated: this field is ignored in x509 v3 certificate
func WithX509CertSANS ¶
func WithX509CertSANS(sans ...string) X509CertOption
WithX509CertSANS set certificate SANs
refer to RFC-5280 4.2.1.6
auto parse to ip/email/url/dns
func WithX509CertSeriaNumber ¶
func WithX509CertSeriaNumber(serialNumber *big.Int) X509CertOption
WithX509CertSeriaNumber set certificate/CRL's serial number
refer to RFC-5280 5.2.3 &
Args ¶
seriaNumber:
- (optional): generate certificate
- (required): generate CRL
func WithX509CertSerialNumGenerator ¶
func WithX509CertSerialNumGenerator(gen X509CertSerialNumberGenerator) X509CertOption
WithX509CertSerialNumGenerator set serial number generator
func WithX509CertSignatureAlgorithm ¶
func WithX509CertSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CertOption
WithX509CertSignatureAlgorithm set signature algorithm
func WithX509CertStreetAddrs ¶
func WithX509CertStreetAddrs(addrs ...string) X509CertOption
WithX509CertStreetAddrs set subjuect street addresses
func WithX509CertURIs ¶
func WithX509CertURIs(uris ...*url.URL) X509CertOption
WithX509CertURIs set uri sans
func WithX509CertValidFor ¶
func WithX509CertValidFor(validFor time.Duration) X509CertOption
WithX509CertValidFor set valid for duration
deprecated: use WithX509CertNotAfter instead
func WithX509CertValidFrom ¶
func WithX509CertValidFrom(validFrom time.Time) X509CertOption
WithX509CertValidFrom set valid from
deprecated: use WithX509CertNotBefore instead
func WithX509CsrOptions ¶
func WithX509CsrOptions(csrOpts []X509CSROption) X509CertOption
WithX509CsrOptions set csr options
func WithX509Subject ¶
func WithX509Subject(subject pkix.Name) X509CertOption
WithX509Subject set subject name
type X509CertSerialNumberGenerator ¶
type X509CertSerialNumberGenerator interface {
SerialNum() int64
}
X509CertSerialNumberGenerator x509 certificate serial number generator
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package kms provides a simple kms interface.
|
Package kms provides a simple kms interface. |
mem
Package mem is a multi-key KMS in pure memory
|
Package mem is a multi-key KMS in pure memory |
package Threshold cryptosystem
|
package Threshold cryptosystem |
shamir
Package shamir is Shamir’s Secret Sharing is a method for dividing a secret into multiple parts and distributing those parts among different participants.
|
Package shamir is Shamir’s Secret Sharing is a method for dividing a secret into multiple parts and distributing those parts among different participants. |
signature
Package signature provides an implementation of threshold signatures.
|
Package signature provides an implementation of threshold signatures. |