pkcs12

package
v1.0.1043 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 3, 2023 License: Apache-2.0 Imports: 36 Imported by: 2

Documentation

Index

Constants

View Source 
const DefaultPassword = "changeit"

DefaultPassword is the string "changeit", a commonly-used password for PKCS#12 files. Due to the weak encryption used by PKCS#12, it is RECOMMENDED that you use DefaultPassword when encoding PKCS#12 files, and protect the PKCS#12 files using other means.

Variables

View Source 
var (
	// ErrDecryption represents a failure to decrypt the input.
	ErrDecryption = errors.New("pkcs12: decryption error, incorrect padding")

	// ErrIncorrectPassword is returned when an incorrect password is detected.
	// Usually, P12/PFX data is signed to be able to verify the password.
	ErrIncorrectPassword = errors.New("pkcs12: decryption password incorrect")
)
View Source 
var (
	// 获取 Cipher 类型
	GetPKCS8CipherFromName = cryptobin_pkcs8.GetCipherFromName
	// 获取 hash 类型
	GetPKCS8HashFromName = cryptobin_pkcs8.GetHashFromName

	// 获取 Cipher 类型
	GetPKCS8PbeCipherFromName = cryptobin_pkcs8pbe.GetCipherFromName
	// 检测 Cipher 类型
	CheckPKCS8PbeCipherFromName = cryptobin_pkcs8pbe.CheckCipherFromName
)
View Source 
var CipherSHA1And3DES = CipherBlockCBC{
	// contains filtered or unexported fields
}
View Source 
var CipherSHA1AndRC2_128 = CipherBlockCBC{
	// contains filtered or unexported fields
}
View Source 
var CipherSHA1AndRC2_40 = CipherBlockCBC{
	// contains filtered or unexported fields
}
View Source 
var CipherSHA1AndRC4_128 = CipherRC4{
	// contains filtered or unexported fields
}
View Source 
var CipherSHA1AndRC4_40 = CipherRC4{
	// contains filtered or unexported fields
}
View Source 
var (
	// 默认 hash
	DefaultHash = SHA1
)
View Source 
var DefaultOpts = Opts{
	PKCS8Cipher: cryptobin_pkcs8pbe.PEMCipherSHA1And3DES,
	Cipher:      CipherSHA1AndRC2_40,
	KDFOpts: MacOpts{
		SaltSize:       8,
		IterationCount: 1,
		HMACHash:       SHA1,
	},
}

默认配置

Functions

func AddCipher 

func AddCipher(oid asn1.ObjectIdentifier, cipher func() Cipher)

添加加密

func AddKey 

func AddKey(name string, key func() Key)

添加Key

func Decode 

func Decode(pfxData []byte, password string) (
	privateKey any,
	certificate *x509.Certificate,
	err error,
)

Decode extracts a certificate and private key from pfxData, which must be a DER-encoded PKCS#12 file. This function assumes that there is only one certificate and only one private key in the pfxData. Since PKCS#12 files often contain more than one certificate, you probably want to use DecodeChain instead.

func DecodeChain 

func DecodeChain(pfxData []byte, password string) (
	privateKey any,
	certificate *x509.Certificate,
	caCerts []*x509.Certificate,
	err error,
)

DecodeChain extracts a certificate, a CA certificate chain, and private key from pfxData, which must be a DER-encoded PKCS#12 file. This function assumes that there is at least one certificate and only one private key in the pfxData. The first certificate is assumed to be the leaf certificate, and subsequent certificates, if any, are assumed to comprise the CA certificate chain.

func DecodeTrustStore 

func DecodeTrustStore(pfxData []byte, password string) (certs []*x509.Certificate, err error)

DecodeTrustStore extracts the certificates from pfxData, which must be a DER-encoded PKCS#12 file containing exclusively certificates with attribute 2.16.840.1.113894.746875.1.1, which is used by Java to designate a trust anchor.

func Encode 

func Encode(
	rand io.Reader,
	privateKey any,
	certificate *x509.Certificate,
	password string,
	opts ...Opts,
) (pfxData []byte, err error)

兼容 go 默认包

func EncodeChain 

func EncodeChain(
	rand io.Reader,
	privateKey any,
	certificate *x509.Certificate,
	caCerts []*x509.Certificate,
	password string,
	opts ...Opts,
) (pfxData []byte, err error)

EncodeChain produces pfxData containing one private key (privateKey), an end-entity certificate (certificate), and any number of CA certificates (caCerts).

The private key is encrypted with the provided password, but due to the weak encryption primitives used by PKCS#12, it is RECOMMENDED that you specify a hard-coded password (such as pkcs12.DefaultPassword) and protect the resulting pfxData using other means.

The rand argument is used to provide entropy for the encryption, and can be set to rand.Reader from the crypto/rand package.

EncodeChain emulates the behavior of OpenSSL's PKCS12_create: it creates two SafeContents: one that's encrypted with RC2 and contains the certificates, and another that is unencrypted and contains the private key shrouded with 3DES The private key bag and the end-entity certificate bag have the LocalKeyId attribute set to the SHA-1 fingerprint of the end-entity certificate.

func EncodeSecret 

func EncodeSecret(rand io.Reader, secretKey []byte, password string, opts ...Opts) (pfxData []byte, err error)

编码 Secret

func EncodeTrustStore 

func EncodeTrustStore(
	rand io.Reader,
	certs []*x509.Certificate,
	password string,
	opts ...Opts,
) (pfxData []byte, err error)

EncodeTrustStore produces pfxData containing any number of CA certificates (certs) to be trusted. The certificates will be marked with a special OID that allow it to be used as a Java TrustStore in Java 1.8 and newer.

Due to the weak encryption primitives used by PKCS#12, it is RECOMMENDED that you specify a hard-coded password (such as pkcs12.DefaultPassword) and protect the resulting pfxData using other means.

The rand argument is used to provide entropy for the encryption, and can be set to rand.Reader from the crypto/rand package.

EncodeTrustStore creates a single SafeContents that's encrypted with RC2 and contains the certificates.

The Subject of the certificates are used as the Friendly Names (Aliases) within the resulting pfxData. If certificates share a Subject, then the resulting Friendly Names (Aliases) will be identical, which Java may treat as the same entry when used as a Java TrustStore, e.g. with `keytool`. To customize the Friendly Names, use EncodeTrustStoreEntries.

func EncodeTrustStoreEntries 

func EncodeTrustStoreEntries(
	rand io.Reader,
	entries []TrustStoreEntry,
	password string,
	opts ...Opts,
) (pfxData []byte, err error)

EncodeTrustStoreEntries produces pfxData containing any number of CA certificates (entries) to be trusted. The certificates will be marked with a special OID that allow it to be used as a Java TrustStore in Java 1.8 and newer.

This is identical to EncodeTrustStore, but also allows for setting specific Friendly Names (Aliases) to be used per certificate, by specifying a slice of TrustStoreEntry.

If the same Friendly Name is used for more than one certificate, then the resulting Friendly Names (Aliases) in the pfxData will be identical, which Java may treat as the same entry when used as a Java TrustStore, e.g. with `keytool`.

Due to the weak encryption primitives used by PKCS#12, it is RECOMMENDED that you specify a hard-coded password (such as pkcs12.DefaultPassword) and protect the resulting pfxData using other means.

The rand argument is used to provide entropy for the encryption, and can be set to rand.Reader from the crypto/rand package.

EncodeTrustStoreEntries creates a single SafeContents that's encrypted with RC2 and contains the certificates.

func GetStructName 

func GetStructName(name any) string

反射获取结构体名称

func MarshalPKCS8PrivateKey 

func MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

从注册的 key 列表编码证书

func MarshalPrivateKey 

func MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

从注册的 key 列表编码证书

func ParsePKCS8PrivateKey 

func ParsePKCS8PrivateKey(pkData []byte) (privateKey crypto.PrivateKey, err error)

从注册的 key 列表解析证书

func ToPEM deprecated 

func ToPEM(pfxData []byte, password string) ([]*pem.Block, error)

ToPEM converts all "safe bags" contained in pfxData to PEM blocks.

Deprecated: ToPEM creates invalid PEM blocks (private keys are encoded as raw RSA or EC private keys rather than PKCS#8 despite being labeled "PRIVATE KEY"). To decode a PKCS#12 file, use DecodeChain instead, and use the encoding/pem package to convert to PEM if necessary.

Types

type Cipher 

type Cipher interface {
	// oid
	OID() asn1.ObjectIdentifier

	// 值大小
	KeySize() int

	// 加密, 返回: [加密后数据, 参数, error]
	Encrypt(key, plaintext []byte) ([]byte, []byte, error)

	// 解密
	Decrypt(key, params, ciphertext []byte) ([]byte, error)
}

加密接口

type CipherBlockCBC 

type CipherBlockCBC struct {
	// contains filtered or unexported fields
}

cbc 模式加密

func (CipherBlockCBC) Decrypt 

func (this CipherBlockCBC) Decrypt(password, params, ciphertext []byte) ([]byte, error)

解密

func (CipherBlockCBC) Encrypt 

func (this CipherBlockCBC) Encrypt(password, plaintext []byte) ([]byte, []byte, error)

加密

func (CipherBlockCBC) KeySize 

func (this CipherBlockCBC) KeySize() int

值大小

func (CipherBlockCBC) OID 

func (this CipherBlockCBC) OID() asn1.ObjectIdentifier

oid

func (CipherBlockCBC) WithSaltSize 

func (this CipherBlockCBC) WithSaltSize(saltSize int) CipherBlockCBC

设置 saltSize

type CipherRC4 

type CipherRC4 struct {
	// contains filtered or unexported fields
}

rc4 模式加密

func (CipherRC4) Decrypt 

func (this CipherRC4) Decrypt(password, params, ciphertext []byte) ([]byte, error)

解密

func (CipherRC4) Encrypt 

func (this CipherRC4) Encrypt(password, plaintext []byte) ([]byte, []byte, error)

加密

func (CipherRC4) KeySize 

func (this CipherRC4) KeySize() int

值大小

func (CipherRC4) OID 

func (this CipherRC4) OID() asn1.ObjectIdentifier

oid

func (CipherRC4) WithSaltSize 

func (this CipherRC4) WithSaltSize(saltSize int) CipherRC4

设置 saltSize

type Hash 

type Hash uint

pkcs8 可使用的 hash 方式 

const (
	Md2 Hash = 1 + iota
	Md4
	MD5
	SHA1
	SHA224
	SHA256
	SHA384
	SHA512
	SM3
)

type KDFOpts 

type KDFOpts interface {
	// 构造
	Compute(message []byte, password []byte) (data KDFParameters, err error)
}

KDF 设置接口

type KDFParameters 

type KDFParameters interface {
	// 验证
	Verify(message []byte, password []byte) (err error)
}

数据接口

type Key 

type Key interface {
	// 包装默认证书
	MarshalPrivateKey(privateKey crypto.PrivateKey) (pkData []byte, err error)

	// 包装 PKCS8 证书
	MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) (pkData []byte, err error)

	// 解析 PKCS8 证书
	ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)
}

Key 接口

type KeyDSA 

type KeyDSA struct{}

DSA

func (KeyDSA) MarshalPKCS8PrivateKey 

func (this KeyDSA) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeyDSA) MarshalPrivateKey 

func (this KeyDSA) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeyDSA) ParsePKCS8PrivateKey 

func (this KeyDSA) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)

解析

type KeyEcdsa 

type KeyEcdsa struct{}

Ecdsa

func (KeyEcdsa) MarshalPKCS8PrivateKey 

func (this KeyEcdsa) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeyEcdsa) MarshalPrivateKey 

func (this KeyEcdsa) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeyEcdsa) ParsePKCS8PrivateKey 

func (this KeyEcdsa) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)

解析

type KeyEdDSA 

type KeyEdDSA struct{}

EdDSA

func (KeyEdDSA) MarshalPKCS8PrivateKey 

func (this KeyEdDSA) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeyEdDSA) MarshalPrivateKey 

func (this KeyEdDSA) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeyEdDSA) ParsePKCS8PrivateKey 

func (this KeyEdDSA) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)

解析

type KeyRsa 

type KeyRsa struct{}

rsa

func (KeyRsa) MarshalPKCS8PrivateKey 

func (this KeyRsa) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeyRsa) MarshalPrivateKey 

func (this KeyRsa) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeyRsa) ParsePKCS8PrivateKey 

func (this KeyRsa) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)

解析

type KeySM2 

type KeySM2 struct{}

SM2

func (KeySM2) MarshalPKCS8PrivateKey 

func (this KeySM2) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeySM2) MarshalPrivateKey 

func (this KeySM2) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

包装

func (KeySM2) ParsePKCS8PrivateKey 

func (this KeySM2) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)

解析

type MacOpts 

type MacOpts struct {
	SaltSize       int // 8
	IterationCount int // 1
	HMACHash       Hash
}

mac 配置

func (MacOpts) Compute 

func (this MacOpts) Compute(message []byte, password []byte) (data KDFParameters, err error)

type NotImplementedError 

type NotImplementedError string

NotImplementedError indicates that the input is not currently supported.

func (NotImplementedError) Error 

func (e NotImplementedError) Error() string

type Opts 

type Opts struct {
	PKCS8Cipher  Cipher
	PKCS8KDFOpts PKCS8KDFOpts
	Cipher       Cipher
	KDFOpts      KDFOpts
}

配置

func (Opts) WithCipher 

func (this Opts) WithCipher(cipher Cipher) Opts

func (Opts) WithKDFOpts 

func (this Opts) WithKDFOpts(opts KDFOpts) Opts

func (Opts) WithPKCS8Cipher 

func (this Opts) WithPKCS8Cipher(cipher Cipher) Opts

func (Opts) WithPKCS8KDFOpts 

func (this Opts) WithPKCS8KDFOpts(opts PKCS8KDFOpts) Opts

type PKCS8KDFOpts 

type PKCS8KDFOpts = cryptobin_pkcs8.KDFOpts

KDF 设置接口

type PKCS8PBKDF2Opts 

type PKCS8PBKDF2Opts = cryptobin_pkcs8.PBKDF2Opts

PBKDF2 配置

type PKCS8ScryptOpts 

type PKCS8ScryptOpts = cryptobin_pkcs8.ScryptOpts

Scrypt 配置

type SecretKey 

type SecretKey interface {
	// Attributes return the PKCS12AttrSet of the safe bag
	// https://tools.ietf.org/html/rfc7292#section-4.2
	Attributes() map[string]string
	// key
	Key() []byte
	// FriendlyName return the value of `friendlyName`
	// attribute if exists, otherwise it will return empty string
	FriendlyName() string
}

func DecodeSecret 

func DecodeSecret(pfxData []byte, password string) (secretKeys []SecretKey, err error)

解析出 Secret

type TrustStoreEntry 

type TrustStoreEntry struct {
	Cert         *x509.Certificate
	FriendlyName string
}

TrustStoreEntry represents an entry in a Java TrustStore.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.