crypto

package
v5.0.0-...-c6008c3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 12, 2024 License: MIT Imports: 50 Imported by: 0

Documentation

Overview

Package crypto is a collection of cryptographic algorithms and protocols, providing hash functions, block and stream ciphers, public key cryptography and authentication. It also includes a cryptographically secure pseudo-random number generator.

x.509

This package provides many useful functions for x.509 certificate. you can build a PKI system with this package. including parsing and verification. it can be used to parse x.509 certificates, create x.509 certificate chains, verify x.509 certificate chains, and parse x.509 certificate revocation lists.

Index

Examples

Constants

View Source
const (
	// AesGcmIvLen is the length of IV for AES GCM
	AesGcmIvLen = 12
	// AesGcmTagLen is the length of tag for AES GCM
	AesGcmTagLen = 16
)

Variables

View Source
var (
	// RSAEncrypt encrypt by RSAEncryptByPKCS1v15, for compatibility
	//
	// Deprecated: use RSAEncryptByPKCS1v15 or RsaEncryptByOAEP instead
	RSAEncrypt = RSAEncryptByPKCS1v15
	// RSADecrypt decrypt by RSADecryptByPKCS1v15, for compatibility
	//
	// Deprecated: use RSADecryptByPKCS1v15 or RSADecryptByOAEP instead
	RSADecrypt = RSADecryptByPKCS1v15
)
View Source
var (
	// SignByRSAWithSHA256 sign content by rsa with sha256
	//
	// Deprecated: use SignByRSAPKCS1v15WithSHA256 instead
	SignByRSAWithSHA256 = SignByRSAPKCS1v15WithSHA256
	// VerifyByRSAWithSHA256 verify signature by rsa with sha256
	//
	// Deprecated: use VerifyByRSAPKCS1v15WithSHA256 instead
	VerifyByRSAWithSHA256 = VerifyByRSAPKCS1v15WithSHA256
)

Functions

func AEADDecrypt

func AEADDecrypt(key, ciphertext, additionalData []byte) (plaintext []byte, err error)

AEADDecrypt encrypt bytes by AES GCM

Sugar wrapper of AEADDecryptWithIV, will extract IV from ciphertext automatically.

Args:

  • key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
  • ciphertext: encrypted content
  • additionalData: additional data to encrypt

Returns:

  • plaintext: decrypted content

func AEADDecryptBasic

func AEADDecryptBasic(key, ciphertext, iv, tag, additionalData []byte) (plaintext []byte, err error)

AEADDecryptBasic encrypt bytes by AES GCM

Args:

  • key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
  • ciphertext: encrypted content
  • iv: Initialization Vector, should be 12 bytes
  • tag: authentication tag, should be 16 bytes
  • additionalData: additional data to encrypt

Returns:

  • plaintext: decrypted content

func AEADEncrypt

func AEADEncrypt(key, plaintext, additionalData []byte) (ciphertext []byte, err error)

AEADEncrypt encrypt bytes by AES GCM

sugar wrapper of AEADEncryptWithIV, will generate random IV and append it to ciphertext as prefix.you can use AEADDecrypt to decrypt it.

Returns:

  • ciphertext: consists of IV, cipher and tag, `{iv}{cipher}{tag}`

func AEADEncryptBasic

func AEADEncryptBasic(key, plaintext, iv, additionalData []byte) (ciphertext, tag []byte, err error)

AEADEncryptBasic encrypt bytes by AES GCM and return IV and ciphertext

Args:

  • key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
  • plaintext: content to encrypt
  • iv: Initialization Vector, should be 12 bytes
  • additionalData: additional data to encrypt

Returns:

  • ciphertext: encrypted content without IV and tag, the length of ciphertext is same as plaintext

func AESEncryptFilesInDir

func AESEncryptFilesInDir(dir string, secret []byte, opts ...AESEncryptFilesInDirOption) (err error)

AESEncryptFilesInDir encrypt files in dir

will generate new encrypted files with <suffix> after ext

xxx.toml -> xxx.toml.enc

func AesDecrypt deprecated

func AesDecrypt(secret []byte, encrypted []byte) ([]byte, error)

AesDecrypt encrypt bytes by AES GCM

inspired by https://tutorialedge.net/golang/go-encrypt-decrypt-aes-tutorial/

The key argument should be 16, 24, or 32 bytes

Deprecated: use AEADDecrypt instead

func AesEncrypt deprecated

func AesEncrypt(secret []byte, cnt []byte) ([]byte, error)

AesEncrypt encrypt bytes by AES GCM

inspired by https://tutorialedge.net/golang/go-encrypt-decrypt-aes-tutorial/

The key argument should be the AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.

Deprecated: use AEAD instead

func Base32Secret

func Base32Secret(key []byte) string

Base32Secret generate base32 encoded secret

func CRL2Der

func CRL2Der(crl *x509.RevocationList) []byte

CRL2Der marshal crl to der

func CRL2Pem

func CRL2Pem(crl *x509.RevocationList) []byte

CRL2Pem marshal crl to pem

func CRLDer2Pem

func CRLDer2Pem(crlDer []byte) []byte

CRLDer2Pem marshal crl to pem

func CRLPem2Der

func CRLPem2Der(crlPem []byte) ([]byte, error)

CRLPem2Der parse crl pem

func CSR2Der

func CSR2Der(csr *x509.CertificateRequest) []byte

CSR2Der marshal csr to der

func CSRDer2Pem

func CSRDer2Pem(CSRInDer []byte) (CSRInPem []byte)

CSRDer2Pem convert CSR in der to pem, tailing with line break

func Cert2Der

func Cert2Der(cert ...*x509.Certificate) (ret []byte)

Cert2Der marshal private key by x509.8

func Cert2Pem

func Cert2Pem(certs ...*x509.Certificate) (ret []byte)

Cert2Pem marshal x509 certificate to pem, tailing with line break

func CertDer2Pem

func CertDer2Pem(certInDer []byte) (certInPem []byte)

CertDer2Pem convert certificate in der to pem, tailing with line break

func DecodeES256SignByBase64

func DecodeES256SignByBase64(sign string) (r, s *big.Int, err error)

DecodeES256SignByBase64 parse ecdsa signature string to two *big.Int

func DecodeES256SignByHex

func DecodeES256SignByHex(sign string) (r, s *big.Int, err error)

DecodeES256SignByHex parse ecdsa signature string to two *big.Int

func Der2CRL

func Der2CRL(crlDer []byte) (*x509.RevocationList, error)

Der2CRL parse crl der

func Der2CSR

func Der2CSR(csrDer []byte) (*x509.CertificateRequest, error)

Der2CSR parse crl der

func Der2Cert

func Der2Cert(certInDer []byte) (*x509.Certificate, error)

Der2Cert parse sigle certificate in der

func Der2Certs

func Der2Certs(certInDer []byte) ([]*x509.Certificate, error)

Der2Cert parse multiple certificates in der

func Der2Prikey

func Der2Prikey(prikeyDer []byte) (crypto.PrivateKey, error)

Der2Prikey parse private key from der in x509 v8/v1

func Der2Pubkey

func Der2Pubkey(pubkeyDer []byte) (crypto.PublicKey, error)

Der2Pubkey parse public key from der in x509 pkcs1/pkix

func DeriveKeyByHKDF

func DeriveKeyByHKDF(rawKey, salt []byte, newKeyLength int) (newKey []byte, err error)

DeriveKeyByHKDF derive key by hkdf

func DeriveKeyBySMHF

func DeriveKeyBySMHF(rawKey, salt []byte) (newKey []byte, err error)

DeriveKeyBySMHF derive key by Stronger Key Derivation via Sequential Memory-Hard Functions

https://pkg.go.dev/golang.org/x/crypto@v0.5.0/scrypt

func EncodeES256SignByBase64

func EncodeES256SignByBase64(r, s *big.Int) string

EncodeES256SignByBase64 format ecdsa signature to stirng

func EncodeES256SignByHex

func EncodeES256SignByHex(r, s *big.Int) string

EncodeES256SignByHex format ecdsa sign to stirng

func FormatBig2Base64

func FormatBig2Base64(b *big.Int) string

FormatBig2Base64 format big to base64 string

func FormatBig2Hex

func FormatBig2Hex(b *big.Int) string

FormatBig2Hex format big to hex string

func GeneratePasswordHash deprecated

func GeneratePasswordHash(password []byte) ([]byte, error)

GeneratePasswordHash generate hashed password by origin password

Deprecated: use PasswordHash instead

Example
// generate hashed password
rawPassword := []byte("1234567890")
hashedPassword, err := GeneratePasswordHash(rawPassword)
if err != nil {
	log.Shared.Error("try to generate password got error", zap.Error(err))
	return
}
fmt.Printf("got new hashed pasword: %v\n", string(hashedPassword))

// validate passowrd
if !ValidatePasswordHash(hashedPassword, rawPassword) {
	log.Shared.Error("password invalidate", zap.Error(err))
	return
}
Output:

func HKDFWithSHA256

func HKDFWithSHA256(secret, salt, info []byte, results [][]byte) error

HKDFWithSHA256 derivative keys by HKDF with sha256. same key & salt will derivative same keys

Example

derivative multiple keys:

results := make([][]byte, 10)
for i := range results {
    results[i] = make([]byte, 20)
}

HKDFWithSHA256([]byte("your key"), nil, nil, results)

func HMACSha256

func HMACSha256(key []byte, data io.Reader) ([]byte, error)

HMACSha256 calculate HMAC by sha256

The main difference between HMAC and SHA is that HMAC uses a secure key to calculate the hash, while SHA does not. this makes HMAC more secure than SHA.

Args:

  • key: secure key, no limit on length
  • data: raw data to calculate HMAC

Returns:

  • hmac: HMAC result, 32 bytes

func MatchPrefix

func MatchPrefix() func(o *oidContainsOption) error

MatchPrefix treat prefix inclusion as a match as well

`1.2.3` contains `1.2.3.4`

func NewECDSAPrikey

func NewECDSAPrikey(curve ECDSACurve) (*ecdsa.PrivateKey, error)

NewECDSAPrikey new ecdsa private key

func NewECDSAPrikeyAndCert

func NewECDSAPrikeyAndCert(curve ECDSACurve, opts ...X509CertOption) (
	prikeyPem, certDer []byte, err error)

NewECDSAPrikeyAndCert convient function to new ecdsa private key and cert

func NewEd25519Prikey

func NewEd25519Prikey() (ed25519.PrivateKey, error)

NewEd25519Prikey new ed25519 private key

func NewEd25519PrikeyAndCert

func NewEd25519PrikeyAndCert(opts ...X509CertOption) (
	prikeyPem, certDer []byte, err error)

NewEd25519PrikeyAndCert convient function to new ed25519 private key and cert

func NewRSAPrikey

func NewRSAPrikey(bits RSAPrikeyBits) (*rsa.PrivateKey, error)

NewRSAPrikey new rsa privat ekey

func NewRSAPrikeyAndCert

func NewRSAPrikeyAndCert(rsaBits RSAPrikeyBits, opts ...X509CertOption) (
	prikeyPem, certDer []byte, err error)

NewRSAPrikeyAndCert convient function to new rsa private key and cert

func NewX509CRL

func NewX509CRL(ca *x509.Certificate,
	prikey crypto.PrivateKey,
	seriaNumber *big.Int,
	revokeCerts []pkix.RevokedCertificate,
	opts ...X509CRLOption) (crlDer []byte, err error)

NewX509CRL create and sign CRL

Args

  • ca: CA to sign CRL.
  • prikey: prikey for CA.
  • revokeCerts: certifacates that will be revoked.
  • WithX509CertSeriaNumber() is required for NewX509CRL.

according to RFC5280 5.2.3, X.509 v3 CRL could have a monotonically increasing sequence number as serial number.

func NewX509CSR

func NewX509CSR(prikey crypto.PrivateKey, opts ...X509CSROption) (csrDer []byte, err error)

NewX509CSR new CSR

Arguments

if prikey is not RSA private key, you must set SignatureAlgorithm by WithX509CertSignatureAlgorithm.

Warning: CSR do not support set IsCA / KeyUsage / ExtKeyUsage, you should set these attributes in NewX509CertByCSR.

func NewX509Cert

func NewX509Cert(prikey crypto.PrivateKey, opts ...X509CertOption) (certDer []byte, err error)

NewX509Cert new cert

func NewX509CertByCSR

func NewX509CertByCSR(
	parent *x509.Certificate,
	prikey crypto.PrivateKey,
	csrDer []byte,
	opts ...SignCSROption) (certDer []byte, err error)

NewX509CertByCSR sign CSR to certificate

Depends on RFC-5280 4.2.1.12, empty ext key usage is as same as any key usage. so do not set any default ext key usages.

but key usage is required in many cases:

func OIDContains

func OIDContains(oids []asn1.ObjectIdentifier,
	oid asn1.ObjectIdentifier, opts ...func(o *oidContainsOption) error) bool

OIDContains is oid in oids

func OidAsn2X509

func OidAsn2X509(oid asn1.ObjectIdentifier) (x509.OID, error)

OidAsn2X509 convert asn1 object identifier to x509 object identifier

func OidFromString

func OidFromString(val string) (x509Oid x509.OID, err error)

OidFromString convert string to x509 object identifier

func ParseBase642Big

func ParseBase642Big(raw string) (*big.Int, error)

ParseBase642Big parse base64 string to big

func ParseHex2Big

func ParseHex2Big(hex string) (b *big.Int, ok bool)

ParseHex2Big parse hex string to big

func PasswordHash

func PasswordHash(password []byte, hasher gutils.HashType) (hashedPassword string, err error)

PasswordHash generate salted hash of password, can verify by VerifyHashedPassword

func Pem2CRL

func Pem2CRL(crlPem []byte) (*x509.RevocationList, error)

Pem2CRL parse crl pem

func Pem2CSR

func Pem2CSR(csrInPem []byte) (*x509.CertificateRequest, error)

Pem2CSR parse csr from pem

func Pem2Cert

func Pem2Cert(certInPem []byte) (*x509.Certificate, error)

Pem2Cert parse single certificate in pem

func Pem2Certs

func Pem2Certs(certInPem []byte) ([]*x509.Certificate, error)

Pem2Certs parse multiple certificate in pem

func Pem2Der

func Pem2Der(pemBytes []byte) (derBytes []byte, err error)

Pem2Der convert pem to der

support one or more certs

func Pem2Ders

func Pem2Ders(pemBytes []byte) (dersBytes [][]byte, err error)

Pem2Ders convert pem to ders

support one or more certs

func Pem2Prikey

func Pem2Prikey(x509v8Pem []byte) (crypto.PrivateKey, error)

Pem2Prikey parse private key from x509 v8(general) pem

func Pem2Pubkey

func Pem2Pubkey(pubkeyPem []byte) (crypto.PublicKey, error)

Pem2Pubkey parse public key from pem

func Prikey2Der

func Prikey2Der(key crypto.PrivateKey) ([]byte, error)

Prikey2Der marshal private key by x509.8

func Prikey2Pem

func Prikey2Pem(key crypto.PrivateKey) ([]byte, error)

Prikey2Pem marshal private key to pem, tailing with line break

func Prikey2Pubkey

func Prikey2Pubkey(prikey crypto.PrivateKey) (pubkey crypto.PublicKey)

Prikey2Pubkey get public key from private key

func PrikeyDer2Pem

func PrikeyDer2Pem(prikeyInDer []byte) (prikeyInPem []byte)

PrikeyDer2Pem convert private key in der to pem

func Privkey2Signer

func Privkey2Signer(privkey crypto.PrivateKey) crypto.Signer

Privkey2Signer convert privkey to signer

func Pubkey2Der

func Pubkey2Der(key crypto.PublicKey) ([]byte, error)

Pubkey2Der marshal public key by pkix

func Pubkey2Pem

func Pubkey2Pem(key crypto.PublicKey) ([]byte, error)

Pubkey2Pem marshal public key to pem, tailing with line break

func PubkeyDer2Pem

func PubkeyDer2Pem(pubkeyInDer []byte) (prikeyInPem []byte)

PubkeyDer2Pem convert public key in der to pem

func RSADecryptByOAEP

func RSADecryptByOAEP(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)

RSADecryptByOAEP decrypt by OAEP with SHA256

func RSADecryptByPKCS1v15

func RSADecryptByPKCS1v15(prikey *rsa.PrivateKey, cipher []byte) (plain []byte, err error)

RSADecryptByPKCS1v15 decrypt by rsa PKCS1v15

only accept cipher encrypted by RSAEncrypt

func RSADer2Prikey

func RSADer2Prikey(x509v1Der []byte) (*rsa.PrivateKey, error)

RSADer2Prikey parse private key from x509 v1(rsa) der

func RSAEncryptByOAEP

func RSAEncryptByOAEP(pubkey *rsa.PublicKey, plain []byte) (cipher []byte, err error)

RSAEncryptByOAEP encrypts by OAEP with SHA256

This is not a deterministic encryption scheme, it will return different ciphertexts each time even if the same plaintext is encrypted multiple times.

func RSAEncryptByPKCS1v15

func RSAEncryptByPKCS1v15(pubkey *rsa.PublicKey, plain []byte) (cipher []byte, err error)

RSAEncryptByPKCS1v15 encrypt by PKCS1v15

This is not a deterministic encryption scheme, it will return different ciphertexts each time even if the same plaintext is encrypted multiple times.

func RSAPem2Prikey

func RSAPem2Prikey(x509v1Pem []byte) (*rsa.PrivateKey, error)

RSAPem2Prikey parse private key from x509 v1(rsa) pem

func ReadableOIDs

func ReadableOIDs(oids []asn1.ObjectIdentifier) (names []string)

ReadableX509ExtKeyUsage convert objectids to readable strings

func ReadablePkixName

func ReadablePkixName(name pkix.Name) map[string]any

ReadablePkixName convert pkix.Name to readable map with strings

func ReadableX509CSR

func ReadableX509CSR(csr *x509.CertificateRequest) (map[string]any, error)

ReadableX509CSR convert x509 certificate request to readable jsonable map

func ReadableX509Cert

func ReadableX509Cert(cert *x509.Certificate) (map[string]any, error)

ReadableX509Cert convert x509 certificate to readable jsonable map

func ReadableX509ExtKeyUsage

func ReadableX509ExtKeyUsage(usages []x509.ExtKeyUsage) (usageNames []string)

ReadableX509ExtKeyUsage convert x509 certificate ext key usages to readable strings

func ReadableX509Extention

func ReadableX509Extention(ext *pkix.Extension) (map[string]any, error)

ReadableX509Extention convert x509 certificate extension to readable jsonable map

func ReadableX509KeyUsage

func ReadableX509KeyUsage(usage x509.KeyUsage) (usageNames []string)

ReadableX509KeyUsage convert x509 certificate key usages to readable strings

func Salt

func Salt(length int) ([]byte, error)

Salt generate random salt with specifiec length

func SecureCipherSuites

func SecureCipherSuites(filter func(*tls.CipherSuite) bool) []uint16

SecureCipherSuites get golang built-in cipher suites without known insecure suites

func SignByECDSAWithSHA256

func SignByECDSAWithSHA256(prikey *ecdsa.PrivateKey, content []byte) (r, s *big.Int, err error)

SignByECDSAWithSHA256 generate signature by ecdsa private key use sha256

Example
priKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
	log.Shared.Panic("generate key", zap.Error(err))
}
priKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
	log.Shared.Panic("generate key", zap.Error(err))
}

// case: correct key
cnt := []byte("fjijf23lijfl23ijrl32jra9pfie9wpfi")
r, s, err := SignByECDSAWithSHA256(priKey, cnt)
if err != nil {
	log.Shared.Panic("sign", zap.Error(err))
}
if !VerifyByECDSAWithSHA256(&priKey.PublicKey, cnt, r, s) {
	log.Shared.Panic("verify failed")
}

// generate string
encoded := EncodeES256SignByBase64(r, s)
if _, _, err = DecodeES256SignByBase64(encoded); err != nil {
	log.Shared.Panic("encode and decode", zap.Error(err))
}

// case: incorrect cnt
cnt = []byte("fjijf23lijfl23ijrl32jra9pfie9wpfi")
r, s, err = SignByECDSAWithSHA256(priKey, cnt)
if err != nil {
	log.Shared.Panic("sign", zap.Error(err))
}
if VerifyByECDSAWithSHA256(&priKey.PublicKey, append(cnt, '2'), r, s) {
	log.Shared.Panic("should not verify")
}

// case: incorrect key
r, s, err = SignByECDSAWithSHA256(priKey2, cnt)
if err != nil {
	log.Shared.Panic("sign", zap.Error(err))
}
if VerifyByECDSAWithSHA256(&priKey.PublicKey, cnt, r, s) {
	log.Shared.Panic("should not verify")
}
Output:

func SignByECDSAWithSHA256AndBase64

func SignByECDSAWithSHA256AndBase64(prikey *ecdsa.PrivateKey, content []byte) (signature string, err error)

SignByECDSAWithSHA256AndBase64 generate signature by ecdsa private key use sha256

func SignByEd25519WithSHA512

func SignByEd25519WithSHA512(prikey ed25519.PrivateKey, reader io.Reader) ([]byte, error)

SignByEd25519WithSHA512 generate signature by ed25519 private key

func SignByRSAPKCS1v15WithSHA256

func SignByRSAPKCS1v15WithSHA256(prikey *rsa.PrivateKey, content []byte) ([]byte, error)

SignByRSAPKCS1v15WithSHA256 generate signature by rsa private key use sha256

func SignByRSAPSSWithSHA256

func SignByRSAPSSWithSHA256(prikey *rsa.PrivateKey, content []byte) ([]byte, error)

SignByRSAPSSWithSHA256 generate signature by rsa private key use sha256

RSASSA-PSS is not deterministic, so it will return different signature every time.

func SignBySchnorrSha256

func SignBySchnorrSha256(suite dediskey.Suite, prikey kyber.Scalar, reader io.Reader) ([]byte, error)

SignBySchnorrSha256 sign content by schnorr

func SignReaderByECDSAWithSHA256

func SignReaderByECDSAWithSHA256(prikey *ecdsa.PrivateKey, reader io.Reader) (r, s *big.Int, err error)

SignReaderByECDSAWithSHA256 generate signature by ecdsa private key use sha256

func SignReaderByEd25519WithSHA256

func SignReaderByEd25519WithSHA256(prikey ed25519.PrivateKey, reader io.Reader) (sig []byte, err error)

SignReaderByEd25519WithSHA256 generate signature by ecdsa private key use sha256

func SignReaderByRSAWithSHA256

func SignReaderByRSAWithSHA256(prikey *rsa.PrivateKey, reader io.Reader) (sig []byte, err error)

SignReaderByRSAWithSHA256 generate signature by rsa private key use sha256

func SplitCertsPemChain

func SplitCertsPemChain(pemChain string) (pems []string)

SplitCertsPemChain split pem chain to multiple pem

func ValidatePasswordHash deprecated

func ValidatePasswordHash(hashedPassword, password []byte) bool

ValidatePasswordHash validate password is match with hashedPassword

Deprecated: use VerifyHashedPassword instead

func VerifyByECDSAWithSHA256

func VerifyByECDSAWithSHA256(pubKey *ecdsa.PublicKey, content []byte, r, s *big.Int) bool

VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256

func VerifyByECDSAWithSHA256AndBase64

func VerifyByECDSAWithSHA256AndBase64(pubKey *ecdsa.PublicKey, content []byte, signature string) (bool, error)

VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256

func VerifyByEd25519WithSHA512

func VerifyByEd25519WithSHA512(pubKey ed25519.PublicKey, reader io.Reader, sig []byte) error

VerifyByEd25519WithSHA512 verify signature by ed25519 public key

func VerifyByRSAPKCS1v15WithSHA256

func VerifyByRSAPKCS1v15WithSHA256(pubKey *rsa.PublicKey, content []byte, sig []byte) error

VerifyByRSAPKCS1v15WithSHA256 verify signature by rsa public key use sha256

func VerifyByRSAPSSWithSHA256

func VerifyByRSAPSSWithSHA256(pubKey *rsa.PublicKey, content []byte, sig []byte) error

VerifyByRSAPSSWithSHA256 verify signature by rsa public key use sha256

func VerifyBySchnorrSha256

func VerifyBySchnorrSha256(suite dediskey.Suite, pubkey kyber.Point, reader io.Reader, sig []byte) error

VerifyBySchnorrSha256 verify signature by schnorr

func VerifyCRL

func VerifyCRL(ca *x509.Certificate, crl *x509.RevocationList) error

VerifyCRL verify crl by ca

func VerifyCertByPrikey

func VerifyCertByPrikey(certPem []byte, prikeyPem []byte) error

VerifyCertByPrikey verify cert by prikey

func VerifyHashedPassword

func VerifyHashedPassword(rawpassword []byte, hashedPassword string) (err error)

VerifyHashedPassword verify HashedPassword

func VerifyReaderByECDSAWithSHA256

func VerifyReaderByECDSAWithSHA256(pubKey *ecdsa.PublicKey, reader io.Reader, r, s *big.Int) (bool, error)

VerifyReaderByECDSAWithSHA256 verify signature by ecdsa public key use sha256

func VerifyReaderByEd25519WithSHA256

func VerifyReaderByEd25519WithSHA256(pubKey ed25519.PublicKey, reader io.Reader, sig []byte) error

VerifyReaderByEd25519WithSHA256 verify signature by ecdsa public key use sha256

func VerifyReaderByRSAWithSHA256

func VerifyReaderByRSAWithSHA256(pubKey *rsa.PublicKey, reader io.Reader, sig []byte) error

VerifyReaderByRSAWithSHA256 verify signature by rsa public key use sha256

func X509Cert2OpensslConf

func X509Cert2OpensslConf(cert *x509.Certificate) (opensslConf []byte)

X509Cert2OpensslConf marshal x509

func X509CertSubjectKeyID

func X509CertSubjectKeyID(pubkey crypto.PublicKey) ([]byte, error)

X509CertSubjectKeyID generate subject key id for pubkey

if x509 certificate template is a CA, subject key id will generated by golang automatelly

func X509CrlOptions2Tpl

func X509CrlOptions2Tpl(opts ...X509CRLOption) (*x509.RevocationList, error)

X509CrlOptions2Tpl marshal x509 crl options to x509.RevocationList

func X509Csr2OpensslConf

func X509Csr2OpensslConf(csr *x509.CertificateRequest) (opensslConf []byte)

X509Csr2OpensslConf marshal x509 csr to openssl conf

Returns

[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
req_extensions = req_ext

[ req_ext ]
subjectAltName = @alt_names

[ req_distinguished_name ]
commonName = Intermedia CA
countryName = CN
stateOrProvinceName = Shanghai
localityName = Shanghai
organizationName = BBT
organizationalUnitName = XSS

[ alt_names ]
DNS.1 = localhost
DNS.2 = example.com

func X509CsrOption2Template

func X509CsrOption2Template(opts ...X509CSROption) (tpl *x509.CertificateRequest, err error)

X509CsrOption2Template convert X509CSROption to x509.CertificateRequest

Types

type AESEncryptFilesInDirOption

type AESEncryptFilesInDirOption func(*encryptFilesOption) error

AESEncryptFilesInDirOption options to encrypt files in dir

func WithAESFilesInDirFileExt

func WithAESFilesInDirFileExt(ext string) AESEncryptFilesInDirOption

WithAESFilesInDirFileExt only encrypt files with specific ext

func WithAESFilesInDirFileSuffix

func WithAESFilesInDirFileSuffix(suffix string) AESEncryptFilesInDirOption

WithAESFilesInDirFileSuffix will append to encrypted's filename as suffix

xxx.toml -> xxx.toml.enc

type AesReaderWrapper

type AesReaderWrapper struct {
	// contains filtered or unexported fields
}

AesReaderWrapper used to decrypt encrypted reader

func NewAesReaderWrapper

func NewAesReaderWrapper(in io.Reader, key []byte) (*AesReaderWrapper, error)

NewAesReaderWrapper wrap reader by aes

func (*AesReaderWrapper) Read

func (w *AesReaderWrapper) Read(p []byte) (n int, err error)

type DHKX

type DHKX struct {
	// contains filtered or unexported fields
}

Diffie Hellman Key-exchange algorithm

https://pkg.go.dev/github.com/monnand/dhkx

Example

alice, _ := NewDHKX()
bob, _ := NewDHKX()

alicePub := alice.PublicKey()
bobPub := bob.PublicKey()

aliceKey, _ := alice.GenerateKey(bobPub)
bobKey, _ := bob.GenerateKey(alicePub)

aliceKey == bobKey

Note: recommoend to use ECDH instead of DHKX

Example
alice, _ := NewDHKX()

bob, _ := NewDHKX()

alicePub, _ := alice.PublicKey()
bobPub, _ := bob.PublicKey()

aliceKey, _ := alice.GenerateKey(bobPub)
bobKey, _ := bob.GenerateKey(alicePub)
fmt.Println(reflect.DeepEqual(aliceKey, bobKey))
Output:

true

func NewDHKX deprecated

func NewDHKX(optfs ...DHKXOptionFunc) (d *DHKX, err error)

NewDHKX create a new DHKX instance

each DHKX instance has it's unique group and private key

Known vulnerabilities: DHKX is not secure against active attacks, MITM attacker could replace the public keys with his own and decrypt the messages. its better to verify peer's public key by signature.

Deprecated: ECDH is much more faster and efficient than DHKX, use ECDH instead.

func (*DHKX) GenerateKey

func (d *DHKX) GenerateKey(peerPubKey []byte) ([]byte, error)

GenerateKey generate new key by peer's public key

each side of the DHKX exchange peers will generate the same key

key like:

60a425ca3a4cc313db9c113a0526f3809725305afc68e1accd0e653ae8d0182c6eb05557f4b5d094
f015972b9fda7d60c1b64d79f50baea7365d858ede0fb7a6571403d4b95f682144b56fa17ffcbe9e
70de69dc0045672696e683c423c5b3dfc02a6916be1e50c74e60353ec08a465cc124e8ca88337fb7
4a0370e17a7cedb0b1e76733f43ad3db9e3d29ab43c75686a8bc4a88ee46addbd1590c8277d1b1ef
42aded6cc0bfe0a7ff8933861dae772c755087f2a41021f4ca53867ba49797d111ef21b381cb6441
178f4ccd3748f8e7b1a12ec3799571a49fc0aa793c05ab6e228b559f1fda2912542d7246388ccec1
38b4d8ce9df4a32c198891c4e33b5034

func (*DHKX) PublicKey

func (d *DHKX) PublicKey() ([]byte, error)

PublicKey return public key bytes

type DHKXOptionFunc

type DHKXOptionFunc func(*dhkxOption) error

DHKXOptionFunc optional func to set dhkx option

type DefaultX509CertSerialNumGenerator

type DefaultX509CertSerialNumGenerator struct {
	// contains filtered or unexported fields
}

DefaultX509CertSerialNumGenerator default cert serial number generator base on epoch time and random int

func NewDefaultX509CertSerialNumGenerator

func NewDefaultX509CertSerialNumGenerator() (*DefaultX509CertSerialNumGenerator, error)

NewDefaultX509CertSerialNumGenerator new DefaultX509CertSerialNumGenerator

func (*DefaultX509CertSerialNumGenerator) SerialNum

SerialNum get randon serial number

type ECDH

type ECDH struct {
	// contains filtered or unexported fields
}

ECDH Elliptic Curve Diffie-Hellman

func NewEcdh

func NewEcdh(curve ECDSACurve) (ins *ECDH, err error)

NewEcdh create a new ECDH instance

Known vulnerabilities: DHKX is not secure against active attacks, MITM attacker could replace the public keys with his own and decrypt the messages. its better to verify peer's public key by signature.

Example
alice, _ := NewEcdh(ECDSACurveP256)

bob, _ := NewEcdh(ECDSACurveP256)

alicePub, _ := alice.PublicKey()
bobPub, _ := bob.PublicKey()

aliceKey, _ := alice.GenerateKey(bobPub)
bobKey, _ := bob.GenerateKey(alicePub)
fmt.Println(reflect.DeepEqual(aliceKey, bobKey))
Output:

true

func (*ECDH) GenerateKey

func (e *ECDH) GenerateKey(peerPubKey []byte) (sharekey []byte, err error)

GenerateKey generate new key by peer's public key

func (*ECDH) PublicKey

func (e *ECDH) PublicKey() ([]byte, error)

PublicKey return public key bytes

type ECDSACurve

type ECDSACurve string

ECDSACurve algorithms

const (
	// ECDSACurveP256 ecdsa with P256
	ECDSACurveP256 ECDSACurve = "P256"
	// ECDSACurveP384 ecdsa with P384
	ECDSACurveP384 ECDSACurve = "P384"
	// ECDSACurveP521 ecdsa with P521
	ECDSACurveP521 ECDSACurve = "P521"
)

type HashedPassword

type HashedPassword struct {
	// contains filtered or unexported fields
}

HashedPassword salt hashed password

generate by PasswordHash, verify by VerifyHashedPassword

func (HashedPassword) String

func (p HashedPassword) String() string

String convert to string

can verify by VerifyHashedPassword

type KeyExchange

type KeyExchange interface {
	// PublicKey return public key bytes
	//
	// send public key to peer, and get peer's public key
	// every side of the exchange peers will generate the same key
	PublicKey() ([]byte, error)
	// GenerateKey generate new key by peer's public key
	GenerateKey(peerPubKey []byte) ([]byte, error)
}

KeyExchange key agreement interface

type OTPAlgorithm

type OTPAlgorithm string

OTPAlgorithm hash algorithm for otp

const (
	// OTPAlgorithmSHA1 sha1
	OTPAlgorithmSHA1 OTPAlgorithm = "sha1"
)

type OTPArgs

type OTPArgs struct {
	// OtpType (readonly) otp type, must in totp/hotp
	OtpType OTPType
	// Base32Secret (required) the hotp/totp secret used to generate the URI
	//
	// genrate Base32Secret:
	//
	//  Base32Secret([]byte("xxxxxx"))
	Base32Secret string
	// AccountName (optional) name of the account
	AccountName string
	// Authenticator (optional) the name of the OTP issuer;
	// this will be the organization title of the OTP entry in Authenticator
	IssuerName string
	// Algorithm (optional) the algorithm used in the OTP generation
	//
	// default to sha1
	Algorithm OTPAlgorithm
	// InitialCount (optional) starting counter value. Only works for hotp
	InitialCount int
	// Digits (optional) the length of the OTP generated code.
	//
	// default to 6
	Digits uint
	// PeriodSecs (optional) the number of seconds the OTP
	// generator is set to expire every code.
	//
	// default to 30
	PeriodSecs uint
}

OTPArgs arguments for OTP

func ParseOTPUri

func ParseOTPUri(uri string) (arg OTPArgs, err error)

ParseOTPUri parse otp uri to otp arguments

Args

  • uri: like `otpauth://totp/issuerName:demoAccountName?secret=4S62BZNFXXSZLCRO&issuer=issuerName`

func (OTPArgs) Hasher

func (a OTPArgs) Hasher() (*gotp.Hasher, error)

Hasher get hasher from argument

type OTPType

type OTPType string

OTPType otp type

const (
	// OTPTypeTOTP time-based otp
	OTPTypeTOTP OTPType = "totp"
	// OTPTypeHOTP hash-based otp
	OTPTypeHOTP OTPType = "hotp"
)

type OpensslCertificateOutput

type OpensslCertificateOutput struct {
	// Raw is the raw output of `openssl x509 -inform DER -text`
	Raw                                          []byte
	SerialNumber                                 *big.Int
	NotBefore, NotAfter                          time.Time
	IsCa                                         bool
	Subject                                      pkix.Name
	Policies                                     []asn1.ObjectIdentifier
	PublicKeyAlgorithm                           x509.PublicKeyAlgorithm
	SubjectKeyIdentifier, AuthorityKeyIdentifier []byte
}

OpensslCertificateOutput output of `openssl x509 -inform DER -text`

type RSAPrikeyBits

type RSAPrikeyBits int

RSAPrikeyBits width of rsa private key

const (
	// RSAPrikeyBits2048 rsa private key with 2048 bits
	RSAPrikeyBits2048 RSAPrikeyBits = 2048
	// RSAPrikeyBits3072 rsa private key with 3072 bits
	RSAPrikeyBits3072 RSAPrikeyBits = 3072
	// RSAPrikeyBits4096 rsa private key with 4096 bits
	RSAPrikeyBits4096 RSAPrikeyBits = 4096
)

type SignCSROption

type SignCSROption func(*signCSROption) error

SignCSROption options for create certificate from CRL

func WithX509CaMaxPathLen

func WithX509CaMaxPathLen(maxPathLen int) SignCSROption

WithX509CaMaxPathLen set max path length

only CAs are allowed to specify MaxPathLen

func WithX509SerialNumGenerator

func WithX509SerialNumGenerator(gen X509CertSerialNumberGenerator) SignCSROption

WithX509SerialNumGenerator set serial number generator

func WithX509SignCSRCRLs

func WithX509SignCSRCRLs(crlEndpoint ...string) SignCSROption

WithX509SignCSRCRLs add crl endpoints

func WithX509SignCSRExtKeyUsage

func WithX509SignCSRExtKeyUsage(usage ...x509.ExtKeyUsage) SignCSROption

WithX509SignCSRExtKeyUsage add ext key usage

func WithX509SignCSRExtenstions deprecated

func WithX509SignCSRExtenstions(_ ...pkix.Extension) SignCSROption

WithX509SignCSRExtenstions set certificate extensions

Extensions contains all requested extensions, in raw form. When parsing CSRs, this can be used to extract extensions that are not parsed by this package.

Deprecated: this field is ignored by golang built-in x509 library, use WithX509SignCSRExtraExtenstions instead if you want to set extensions.

func WithX509SignCSRExtraExtenstions

func WithX509SignCSRExtraExtenstions(exts ...pkix.Extension) SignCSROption

WithX509SignCSRExtraExtenstions set certificate extra extensions

ExtraExtensions contains extensions to be copied, raw, into any CSR marshaled by CreateCertificateRequest. Values override any extensions that would otherwise be produced based on the other fields but are overridden by any extensions specified in Attributes.

The ExtraExtensions field is not populated by ParseCertificateRequest, see Extensions instead.

func WithX509SignCSRIsCA

func WithX509SignCSRIsCA() SignCSROption

WithX509SignCSRIsCA set is ca

func WithX509SignCSRIsCRLCA

func WithX509SignCSRIsCRLCA() SignCSROption

WithX509SignCSRIsCRLCA set is ca to sign CRL

func WithX509SignCSRKeyUsage

func WithX509SignCSRKeyUsage(usage ...x509.KeyUsage) SignCSROption

WithX509SignCSRKeyUsage add key usage

func WithX509SignCSRNotAfter

func WithX509SignCSRNotAfter(notAfter time.Time) SignCSROption

WithX509SignCSRNotAfter set valid for duration

func WithX509SignCSRNotBefore

func WithX509SignCSRNotBefore(notBefore time.Time) SignCSROption

WithX509SignCSRNotBefore set valid from

func WithX509SignCSROCSPServers

func WithX509SignCSROCSPServers(ocsp ...string) SignCSROption

WithX509SignCSROCSPServers set ocsp servers

func WithX509SignCSRPolicies

func WithX509SignCSRPolicies(policies ...asn1.ObjectIdentifier) SignCSROption

WithX509SignCSRPolicies set certificate policies

func WithX509SignCSRSeriaNumber

func WithX509SignCSRSeriaNumber(serialNumber *big.Int) SignCSROption

WithX509SignCSRSeriaNumber set certificate/CRL's serial number

refer to RFC-5280 5.2.3 &

Args

seriaNumber:

  • (optional): generate certificate
  • (required): generate CRL

func WithX509SignCSRValidFor

func WithX509SignCSRValidFor(validFor time.Duration) SignCSROption

WithX509SignCSRValidFor set valid for duration

deprecated: use WithX509SignCSRNotAfter instead

func WithX509SignCSRValidFrom

func WithX509SignCSRValidFrom(validFrom time.Time) SignCSROption

WithX509SignCSRValidFrom set valid from

deprecated: use WithX509SignCSRNotBefore instead

func WithX509SignPublicKeyAlgorithm deprecated

func WithX509SignPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) SignCSROption

WithX509SignPublicKeyAlgorithm set public key algorithm

Deprecated: this field is ignored by golang built-in x509 library

func WithX509SignSignatureAlgorithm

func WithX509SignSignatureAlgorithm(algo x509.SignatureAlgorithm) SignCSROption

WithX509SignSignatureAlgorithm set signature algorithm that parent certificate used to sign csr

type TOTP

type TOTP struct {
	// contains filtered or unexported fields
}

TOTP time-based OTP

func NewTOTP

func NewTOTP(arg OTPArgs) (*TOTP, error)

NewTOTP new TOTP

func (*TOTP) Key

func (t *TOTP) Key() string

Key generate key by totp

func (*TOTP) KeyAt

func (t *TOTP) KeyAt(at time.Time) string

KeyAt generate key by totp at arbitraty time

func (*TOTP) URI

func (t *TOTP) URI() string

URI build uri for otp arguments

type TOTPInterface

type TOTPInterface interface {
	// Key generate key by totp
	Key() string
	// KeyAt generate key by totp at arbitraty time
	KeyAt(at time.Time) string
	// URI build uri for otp arguments
	URI() string
}

TOTPInterface interface for TOTP

type Tongsuo

type Tongsuo struct {
	// contains filtered or unexported fields
}

Tongsuo is a wrapper of tongsuo executable binary

https://github.com/Tongsuo-Project/Tongsuo

func NewTongsuo

func NewTongsuo(exePath string) (ins *Tongsuo, err error)

NewTongsuo new tongsuo wrapper

Notice, only support

#Args

  • exePath: path of tongsuo executable binary

func (*Tongsuo) CloneX509Csr

func (t *Tongsuo) CloneX509Csr(ctx context.Context,
	prikeyPem []byte, originCsrDer []byte) (clonedCsrDer []byte, err error)

CloneX509Csr generat a cloned csr with different private key

Args

  • prikeyPem: new private key for cloned csr
  • originCsrDer: origin csr

func (*Tongsuo) DecryptBySm2

func (t *Tongsuo) DecryptBySm2(ctx context.Context,
	prikeyPem []byte, cipher []byte) (data []byte, err error)

DecryptBySm2 decrypt by sm2 private key

func (*Tongsuo) DecryptBySm4Cbc

func (t *Tongsuo) DecryptBySm4Cbc(ctx context.Context, key, combinedCipher []byte) (
	plaintext []byte, err error)

DecryptBySm4Cbc decrypt by sm4, should be encrypted by `EncryptBySm4` only

func (*Tongsuo) DecryptBySm4CbcBaisc

func (t *Tongsuo) DecryptBySm4CbcBaisc(ctx context.Context,
	key, ciphertext, iv, hmac []byte) (plaintext []byte, err error)

DecryptBySm4CbcBaisc decrypt by sm4

Args

  • key: sm4 key
  • ciphertext: sm4 encrypted data
  • iv: sm4 iv
  • hmac: if not nil, will check ciphertext's integrity by hmac

func (*Tongsuo) EncryptBySm2

func (t *Tongsuo) EncryptBySm2(ctx context.Context,
	pubkeyPem []byte, data []byte) (cipher []byte, err error)

EncryptBySm2 encrypt by sm2 public key

func (*Tongsuo) EncryptBySm4Cbc

func (t *Tongsuo) EncryptBySm4Cbc(ctx context.Context, key, plaintext []byte) (
	combinedCipher []byte, err error)

EncryptBySm4Cbc encrypt by sm4, should be decrypted by `DecryptBySm4` only

func (*Tongsuo) EncryptBySm4CbcBaisc

func (t *Tongsuo) EncryptBySm4CbcBaisc(ctx context.Context,
	key, plaintext, iv []byte) (ciphertext, hmac []byte, err error)

EncryptBySm4CbcBaisc encrypt by sm4

Args

  • key: sm4 key, should be 16 bytes
  • plaintext: data to be encrypted
  • iv: sm4 iv, should be 16 bytes

Returns

  • ciphertext: sm4 encrypted data
  • hmac: hmac of ciphertext, 32 bytes

func (*Tongsuo) GetPubkeyFromCertPem

func (t *Tongsuo) GetPubkeyFromCertPem(ctx context.Context, certPem []byte) (pubkeyPem []byte, err error)

GetPubkeyFromCertPem get pubkey from cert pem

func (*Tongsuo) HashBySm3

func (t *Tongsuo) HashBySm3(ctx context.Context, content []byte) (hash []byte, err error)

HashBySm3 hash by sm3

func (*Tongsuo) NewPrikey

func (t *Tongsuo) NewPrikey(ctx context.Context) (prikeyPem []byte, err error)

NewPrikey generate new sm2 private key

tongsuo ecparam -genkey -name SM2 -out rootca.key

func (*Tongsuo) NewPrikeyAndCert

func (t *Tongsuo) NewPrikeyAndCert(ctx context.Context, opts ...X509CertOption) (
	prikeyPem, certDer []byte, err error)

NewPrikeyAndCert generate new private key and root ca

func (*Tongsuo) NewPrikeyWithPassword

func (t *Tongsuo) NewPrikeyWithPassword(ctx context.Context, password string) (
	encryptedPrikeyPem []byte, err error)

NewPrikeyWithPassword generate new sm2 private key with password

func (*Tongsuo) NewX509CSR

func (t *Tongsuo) NewX509CSR(ctx context.Context, prikeyPem []byte, opts ...X509CSROption) (csrDer []byte, err error)

NewX509CSR generate new x509 csr

func (*Tongsuo) NewX509Cert

func (t *Tongsuo) NewX509Cert(ctx context.Context,
	prikeyPem []byte, opts ...X509CertOption) (certDer []byte, err error)

NewX509Cert generate new x509 cert

tongsuo req -out rootca.crt -outform PEM -key rootca.key \
    -set_serial 123456 \
    -days 3650 -x509 -new -nodes -utf8 -batch \
    -sm3 \
    -copy_extensions copyall \
    -extensions v3_ca \
    -config rootca.cnf

func (*Tongsuo) NewX509CertByCSR

func (t *Tongsuo) NewX509CertByCSR(ctx context.Context,
	parentCertDer []byte,
	parentPrikeyPem []byte,
	csrDer []byte,
	opts ...SignCSROption) (certDer []byte, err error)

NewX509CertByCSR generate new x509 cert by csr

func (*Tongsuo) ParseCsr2Opts

func (t *Tongsuo) ParseCsr2Opts(ctx context.Context, csrDer []byte) ([]X509CSROption, error)

ParseCsr2Opts parse csr to opts

func (*Tongsuo) Prikey2Pubkey

func (t *Tongsuo) Prikey2Pubkey(ctx context.Context, prikeyPem []byte) (
	pubkeyPem []byte, err error)

Prikey2Pubkey convert private key to public key

func (*Tongsuo) PrivateKey

func (t *Tongsuo) PrivateKey(prikeyPem []byte) (crypto.PrivateKey, error)

PrivateKey get private key

func (*Tongsuo) ShowCertInfo

func (t *Tongsuo) ShowCertInfo(ctx context.Context,
	certDer []byte) (
	certinfo string, cert *x509.Certificate, err error)

ShowCertInfo show cert info

nolint:gocognit,lll,maintidx // parse cert info part by part LGTM

Raw

				Version: 3 (0x2)
				Serial Number: 17108345756590001 (0x3cc7f327841fb1)
				Serial Number: 51:f5:46:8b:d6:ff:ec:f2:33:e6:38:68:46:4e:9b:19:56:f3:6e:8a
				Signature Algorithm: SM2-with-SM3
				Issuer: CN = test-common-name, O = test org
				Validity
					Not Before: Mar 19 07:49:35 2024 GMT
					Not After : Mar 25 07:49:35 2024 GMT
				Subject: CN = test-common-name, O = test org
				Subject Public Key Info:
					Public Key Algorithm: id-ecPublicKey
						Public-Key: (256 bit)
						pub:
							04:31:66:dd:ef:4e:31:29:fd:4b:b1:a1:66:0b:c9:
							81:9f:6f:a4:e1:bd:44:24:6a:a8:93:62:0b:85:be:
							0e:56:14:76:ab:56:0d:7c:cc:26:77:47:d0:fe:77:
							38:31:ab:3d:b8:01:60:96:ae:07:72:e4:3d:df:4c:
							9d:02:98:9f:d3
						ASN1 OID: SM2
				X509v3 extensions:
					X509v3 Basic Constraints: critical
						CA:TRUE
	         X509v3 Key Usage: critical
	             Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only
          X509v3 Extended Key Usage:
              Any Extended Key Usage, TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, IPSec End System, IPSec Tunnel, IPSec User, Time Stamping, OCSP Signing, Microsoft Server Gated Crypto, Netscape Server Gated Crypto, Microsoft Commercial Code Signing, 1.3.6.1.4.1.311.61.1.1
				X509v3 Subject Key Identifier:
					AF:9A:33:37:3F:DE:3E:DD:77:61:A1:C8:3F:D5:0C:39:F0:D6:A6:7B
				X509v3 Authority Key Identifier:
					AF:9A:33:37:3F:DE:3E:DD:77:61:A1:C8:3F:D5:0C:39:F0:D6:A6:7B
				X509v3 Certificate Policies:
					Policy: 1.3.6.1.4.1.59936.1.1.3
		Signature Algorithm: SM2-with-SM3
		Signature Value:
			30:45:02:21:00:a8:a6:db:d5:8c:b4:d2:58:ff:1e:1f:9d:c1:
			e7:0b:eb:ba:4b:50:99:2c:c4:b9:3b:50:9d:6f:5f:1f:32:40:
			17:02:20:38:91:fb:16:41:80:52:d8:28:f8:ee:34:0f:f9:ab:
			c5:c8:1a:1f:31:d9:05:13:04:12:4d:0c:3d:fd:52:fe:51
	-----BEGIN CERTIFICATE-----
	MIIByzCCAXGgAwIBAgIHPMfzJ4QfsTAKBggqgRzPVQGDdTAuMRkwFwYDVQQDDBB0
	ZXN0LWNvbW1vbi1uYW1lMREwDwYDVQQKDAh0ZXN0IG9yZzAeFw0yNDAzMTkwNzQ5
	MzVaFw0yNDAzMjUwNzQ5MzVaMC4xGTAXBgNVBAMMEHRlc3QtY29tbW9uLW5hbWUx
	ETAPBgNVBAoMCHRlc3Qgb3JnMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEMWbd
	704xKf1LsaFmC8mBn2+k4b1EJGqok2ILhb4OVhR2q1YNfMwmd0fQ/nc4Mas9uAFg
	lq4HcuQ930ydApif06N6MHgwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw
	HQYDVR0OBBYEFK+aMzc/3j7dd2GhyD/VDDnw1qZ7MB8GA1UdIwQYMBaAFK+aMzc/
	3j7dd2GhyD/VDDnw1qZ7MBgGA1UdIAQRMA8wDQYLKwYBBAGD1CABAQMwCgYIKoEc
	z1UBg3UDSAAwRQIhAKim29WMtNJY/x4fncHnC+u6S1CZLMS5O1Cdb18fMkAXAiA4
	kfsWQYBS2Cj47jQP+avFyBofMdkFEwQSTQw9/VL+UQ==
	-----END CERTIFICATE-----

func (*Tongsuo) ShowCsrInfo

func (t *Tongsuo) ShowCsrInfo(ctx context.Context, csrDer []byte) (
	output string, err error)

ShowCsrInfo show csr info

func (*Tongsuo) SignBySm2Sm3

func (t *Tongsuo) SignBySm2Sm3(ctx context.Context,
	parentPrikeyPem []byte, content []byte) (signature []byte, err error)

SignBySm2Sm3 sign by sm2 sm3

https://www.yuque.com/tsdoc/ts/ewh6xg7qlddxlec2#rehkK

func (*Tongsuo) SignX509CRL

func (t *Tongsuo) SignX509CRL(ctx context.Context,
	CrlDer []byte,
	PrikeyPem []byte,
) (signedCrlDer []byte, err error)

SignX509CRL sign x509 crl by ca private key

func (*Tongsuo) VerifyBySm2Sm3

func (t *Tongsuo) VerifyBySm2Sm3(ctx context.Context,
	pubkeyPem, signature, content []byte) error

VerifyBySm2Sm3 verify by sm2 sm3

https://www.yuque.com/tsdoc/ts/ewh6xg7qlddxlec2#rehkK

func (*Tongsuo) VerifyCertsChain

func (t *Tongsuo) VerifyCertsChain(ctx context.Context,
	leafCertPem, intermediatesPem, trustRootsPem []byte) error

VerifyCertsChain verify certs chain

Args

  • leafCert: leaf cert in PEM
  • intermediates: intermediate certs in PEM
  • trustRoots: trust roots in PEM

type TongsuoPriKey

type TongsuoPriKey struct {
	// contains filtered or unexported fields
}

TongsuoPriKey tongsuo private key

func (*TongsuoPriKey) Decrypt

func (t *TongsuoPriKey) Decrypt(_ io.Reader, msg []byte,
	_ crypto.DecrypterOpts) (plaintext []byte, err error)

Decrypt decrypt by private key

func (*TongsuoPriKey) Public

func (t *TongsuoPriKey) Public() crypto.PublicKey

Public get public key

func (*TongsuoPriKey) Sign

func (t *TongsuoPriKey) Sign(_ io.Reader, digest []byte,
	opts crypto.SignerOpts) (signature []byte, err error)

Sign sign by private key

type TongsuoPubkey

type TongsuoPubkey struct {
	// contains filtered or unexported fields
}

TongsuoPubkey tongsuo public key

func (*TongsuoPubkey) Equal

func (tpub *TongsuoPubkey) Equal(x crypto.PublicKey) bool

Equal compare two public keys

type X509CRLOption

type X509CRLOption func(*x509CRLOption) error

X509CRLOption options for create x509 CRL

func WithX509CRLNextUpdate

func WithX509CRLNextUpdate(nextUpdate time.Time) X509CRLOption

WithX509CRLNextUpdate set next update

default to 30 days later

func WithX509CRLSignatureAlgorithm

func WithX509CRLSignatureAlgorithm(algo x509.SignatureAlgorithm) X509CRLOption

WithX509CRLSignatureAlgorithm set signature algorithm

default to auto choose algorithm depends on certificate's algorithm

func WithX509CRLThisUpdate

func WithX509CRLThisUpdate(thisUpdate time.Time) X509CRLOption

WithX509CRLThisUpdate set this update

default to now

type X509CSROption

type X509CSROption func(*x509CSROption) error

X509CSROption option to generate tls certificate

func WithX509CSRAttribute deprecated

func WithX509CSRAttribute(attr pkix.AttributeTypeAndValueSET) X509CSROption

WithX509CSRAttribute set attribute

Deprecated: Use Extensions and ExtraExtensions instead for parsing and generating the requestedExtensions attribute.

func WithX509CSRCommonName

func WithX509CSRCommonName(commonName string) X509CSROption

WithX509CSRCommonName set common name

func WithX509CSRCountry

func WithX509CSRCountry(values ...string) X509CSROption

WithX509CSRCountry set subject countries

func WithX509CSRDNSNames

func WithX509CSRDNSNames(dnsNames ...string) X509CSROption

WithX509CSRDNSNames set dns sans

func WithX509CSREmailAddrs

func WithX509CSREmailAddrs(emailAddresses ...string) X509CSROption

WithX509CSREmailAddrs set email sans

func WithX509CSRExtension deprecated

func WithX509CSRExtension(_ pkix.Extension) X509CSROption

WithX509CSRExtension set extension

Extensions contains raw X.509 extensions. When parsing certificates, this can be used to extract non-critical extensions that are not parsed by this package. When marshaling certificates, the Extensions field is ignored, see ExtraExtensions.

Deprecated: this field is ignored by golang's built-in x509 library, use ExtraExtensions instead if you want to add custom extensions.

func WithX509CSRExtraExtension

func WithX509CSRExtraExtension(ext pkix.Extension) X509CSROption

WithX509CSRExtraExtension set extra extension

ExtraExtensions contains extensions to be copied, raw, into any marshaled certificates. Values override any extensions that would otherwise be produced based on the other fields. The ExtraExtensions field is not populated when parsing certificates, see Extensions.

func WithX509CSRIPAddrs

func WithX509CSRIPAddrs(ipAddresses ...net.IP) X509CSROption

WithX509CSRIPAddrs set ip sans

func WithX509CSRLocality

func WithX509CSRLocality(l ...string) X509CSROption

WithX509CSRLocality set subject localities

func WithX509CSROrganization

func WithX509CSROrganization(organization ...string) X509CSROption

WithX509CSROrganization set organization

func WithX509CSROrganizationUnit

func WithX509CSROrganizationUnit(ou ...string) X509CSROption

WithX509CSROrganizationUnit set organization units

func WithX509CSRPostalCode

func WithX509CSRPostalCode(codes ...string) X509CSROption

WithX509CSRPostalCode set subjuect postal codes

func WithX509CSRProvince

func WithX509CSRProvince(values ...string) X509CSROption

WithX509CSRProvince set subject provinces

func WithX509CSRPublicKeyAlgorithm deprecated

func WithX509CSRPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CSROption

WithX509CSRPublicKeyAlgorithm set signature algorithm

Deprecated: this field is ignored by golang's built-in x509 library

func WithX509CSRSANS

func WithX509CSRSANS(sans ...string) X509CSROption

WithX509CertSANS set certificate SANs

refer to RFC-5280 4.2.1.6

auto WithX509CSRSANS to ip/email/url/dns

func WithX509CSRSignatureAlgorithm

func WithX509CSRSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CSROption

WithX509CSRSignatureAlgorithm set signature algorithm

func WithX509CSRStreetAddrs

func WithX509CSRStreetAddrs(addrs ...string) X509CSROption

WithX509CSRStreetAddrs set subjuect street addresses

func WithX509CSRSubject

func WithX509CSRSubject(subject pkix.Name) X509CSROption

WithX509CSRSubject set subject name

func WithX509CSRURIs

func WithX509CSRURIs(uris ...*url.URL) X509CSROption

WithX509CSRURIs set uri sans

type X509CertOption

type X509CertOption func(*x509V3CertOption) error

X509CertOption option to generate tls certificate

func WithX509CertCRLs

func WithX509CertCRLs(crlEndpoint ...string) X509CertOption

WithX509CertCRLs add crl endpoints

func WithX509CertCaMaxPathLen

func WithX509CertCaMaxPathLen(maxPathLen int) X509CertOption

WithX509CertCaMaxPathLen set max path length

func WithX509CertCommonName

func WithX509CertCommonName(commonName string) X509CertOption

WithX509CertCommonName set common name

func WithX509CertCountry

func WithX509CertCountry(values ...string) X509CertOption

WithX509CertCountry set subject countries

func WithX509CertDNSNames

func WithX509CertDNSNames(dnsNames ...string) X509CertOption

WithX509CertDNSNames set dns sans

func WithX509CertEmailAddrs

func WithX509CertEmailAddrs(emailAddresses ...string) X509CertOption

WithX509CertEmailAddrs set email sans

func WithX509CertExtKeyUsage

func WithX509CertExtKeyUsage(usage ...x509.ExtKeyUsage) X509CertOption

WithX509CertExtKeyUsage add ext key usage

func WithX509CertExtentions deprecated

func WithX509CertExtentions(_ ...pkix.Extension) X509CertOption

WithX509CertExtentions set extensions

Deprecated: this field is ignored in x509 v3 certificate, use WithX509CertExtraExtensions instead if you want to set extensions.

func WithX509CertExtraExtensions

func WithX509CertExtraExtensions(exts ...pkix.Extension) X509CertOption

WithX509CertExtraExtensions set extra extensions

func WithX509CertIPAddrs

func WithX509CertIPAddrs(ipAddresses ...net.IP) X509CertOption

WithX509CertIPAddrs set ip sans

func WithX509CertIsCA

func WithX509CertIsCA() X509CertOption

WithX509CertIsCA set is ca

func WithX509CertIsCRLCA

func WithX509CertIsCRLCA() X509CertOption

WithX509CertIsCRLCA set is ca to sign CRL

func WithX509CertKeyUsage

func WithX509CertKeyUsage(usage ...x509.KeyUsage) X509CertOption

WithX509CertKeyUsage add key usage

func WithX509CertLocality

func WithX509CertLocality(l ...string) X509CertOption

WithX509CertLocality set subject localities

func WithX509CertNotAfter

func WithX509CertNotAfter(notAfter time.Time) X509CertOption

WithX509CertNotAfter set not after

default to 30 days later

func WithX509CertNotBefore

func WithX509CertNotBefore(notBefore time.Time) X509CertOption

WithX509CertNotBefore set not before

func WithX509CertOCSPServers

func WithX509CertOCSPServers(ocsp ...string) X509CertOption

WithX509CertOCSPServers set ocsp servers

func WithX509CertOrganization

func WithX509CertOrganization(organization ...string) X509CertOption

WithX509CertOrganization set organization

func WithX509CertOrganizationUnit

func WithX509CertOrganizationUnit(ou ...string) X509CertOption

WithX509CertOrganizationUnit set organization unit

func WithX509CertParent

func WithX509CertParent(parent *x509.Certificate) X509CertOption

WithX509CertParent set issuer

func WithX509CertPolicies

func WithX509CertPolicies(policies ...asn1.ObjectIdentifier) X509CertOption

WithX509CertPolicies set certificate policies

func WithX509CertPostalCode

func WithX509CertPostalCode(codes ...string) X509CertOption

WithX509CertPostalCode set subjuect postal codes

func WithX509CertProvince

func WithX509CertProvince(values ...string) X509CertOption

WithX509CertProvince set subject provinces

func WithX509CertPubkey

func WithX509CertPubkey(pubkey crypto.PublicKey) X509CertOption

WithX509CertPubkey set new certs' pubkey

func WithX509CertPublicKeyAlgorithm deprecated

func WithX509CertPublicKeyAlgorithm(_ x509.PublicKeyAlgorithm) X509CertOption

WithX509CertPublicKeyAlgorithm set signature algorithm

Deprecated: this field is ignored in x509 v3 certificate

func WithX509CertSANS

func WithX509CertSANS(sans ...string) X509CertOption

WithX509CertSANS set certificate SANs

refer to RFC-5280 4.2.1.6

auto parse to ip/email/url/dns

func WithX509CertSeriaNumber

func WithX509CertSeriaNumber(serialNumber *big.Int) X509CertOption

WithX509CertSeriaNumber set certificate/CRL's serial number

refer to RFC-5280 5.2.3 &

Args

seriaNumber:

  • (optional): generate certificate
  • (required): generate CRL

func WithX509CertSerialNumGenerator

func WithX509CertSerialNumGenerator(gen X509CertSerialNumberGenerator) X509CertOption

WithX509CertSerialNumGenerator set serial number generator

func WithX509CertSignatureAlgorithm

func WithX509CertSignatureAlgorithm(sigAlg x509.SignatureAlgorithm) X509CertOption

WithX509CertSignatureAlgorithm set signature algorithm

func WithX509CertStreetAddrs

func WithX509CertStreetAddrs(addrs ...string) X509CertOption

WithX509CertStreetAddrs set subjuect street addresses

func WithX509CertURIs

func WithX509CertURIs(uris ...*url.URL) X509CertOption

WithX509CertURIs set uri sans

func WithX509CertValidFor

func WithX509CertValidFor(validFor time.Duration) X509CertOption

WithX509CertValidFor set valid for duration

deprecated: use WithX509CertNotAfter instead

func WithX509CertValidFrom

func WithX509CertValidFrom(validFrom time.Time) X509CertOption

WithX509CertValidFrom set valid from

deprecated: use WithX509CertNotBefore instead

func WithX509CsrOptions

func WithX509CsrOptions(csrOpts []X509CSROption) X509CertOption

WithX509CsrOptions set csr options

func WithX509Subject

func WithX509Subject(subject pkix.Name) X509CertOption

WithX509Subject set subject name

type X509CertSerialNumberGenerator

type X509CertSerialNumberGenerator interface {
	SerialNum() int64
}

X509CertSerialNumberGenerator x509 certificate serial number generator

Directories

Path Synopsis
kms
Package kms provides a simple kms interface.
Package kms provides a simple kms interface.
mem
Package mem is a multi-key KMS in pure memory
Package mem is a multi-key KMS in pure memory
package Threshold cryptosystem
package Threshold cryptosystem
shamir
Package shamir is Shamir’s Secret Sharing is a method for dividing a secret into multiple parts and distributing those parts among different participants.
Package shamir is Shamir’s Secret Sharing is a method for dividing a secret into multiple parts and distributing those parts among different participants.
signature
Package signature provides an implementation of threshold signatures.
Package signature provides an implementation of threshold signatures.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL