Documentation ¶
Index ¶
- Constants
- Variables
- func AddCipher(oid asn1.ObjectIdentifier, cipher func() Cipher)
- func AddKey(name string, key func() Key)
- func Decode(pfxData []byte, password string) (privateKey any, certificate *x509.Certificate, err error)
- func DecodeChain(pfxData []byte, password string) (privateKey any, certificate *x509.Certificate, caCerts []*x509.Certificate, ...)
- func DecodeTrustStore(pfxData []byte, password string) (certs []*x509.Certificate, err error)
- func Encode(rand io.Reader, privateKey any, certificate *x509.Certificate, password string, ...) (pfxData []byte, err error)
- func EncodeChain(rand io.Reader, privateKey any, certificate *x509.Certificate, ...) (pfxData []byte, err error)
- func EncodeSecret(rand io.Reader, secretKey []byte, password string, opts ...Opts) (pfxData []byte, err error)
- func EncodeTrustStore(rand io.Reader, certs []*x509.Certificate, password string, opts ...Opts) (pfxData []byte, err error)
- func EncodeTrustStoreEntries(rand io.Reader, entries []TrustStoreEntry, password string, opts ...Opts) (pfxData []byte, err error)
- func GetStructName(s any) (name string)
- func MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
- func MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
- func ParsePKCS8PrivateKey(pkData []byte) (privateKey crypto.PrivateKey, err error)
- func ToPEM(pfxData []byte, password string) ([]*pem.Block, error)deprecated
- type Cipher
- type CipherBlockCBC
- func (this CipherBlockCBC) Decrypt(password, params, ciphertext []byte) ([]byte, error)
- func (this CipherBlockCBC) Encrypt(password, plaintext []byte) ([]byte, []byte, error)
- func (this CipherBlockCBC) KeySize() int
- func (this CipherBlockCBC) OID() asn1.ObjectIdentifier
- func (this CipherBlockCBC) WithSaltSize(saltSize int) CipherBlockCBC
- type CipherRC4
- func (this CipherRC4) Decrypt(password, params, ciphertext []byte) ([]byte, error)
- func (this CipherRC4) Encrypt(password, plaintext []byte) ([]byte, []byte, error)
- func (this CipherRC4) KeySize() int
- func (this CipherRC4) OID() asn1.ObjectIdentifier
- func (this CipherRC4) WithSaltSize(saltSize int) CipherRC4
- type Hash
- type KDFOpts
- type KDFParameters
- type Key
- type KeyDSA
- type KeyEcdsa
- type KeyEdDSA
- type KeyRsa
- type KeySM2
- type MacOpts
- type NotImplementedError
- type Opts
- type PKCS8KDFOpts
- type PKCS8PBKDF2Opts
- type PKCS8ScryptOpts
- type SecretKey
- type TrustStoreEntry
Constants ¶
const DefaultPassword = "changeit"
DefaultPassword is the string "changeit", a commonly-used password for PKCS#12 files. Due to the weak encryption used by PKCS#12, it is RECOMMENDED that you use DefaultPassword when encoding PKCS#12 files, and protect the PKCS#12 files using other means.
Variables ¶
var ( // ErrDecryption represents a failure to decrypt the input. ErrDecryption = errors.New("pkcs12: decryption error, incorrect padding") // ErrIncorrectPassword is returned when an incorrect password is detected. // Usually, P12/PFX data is signed to be able to verify the password. ErrIncorrectPassword = errors.New("pkcs12: decryption password incorrect") )
var ( // 获取 Cipher 类型 GetPKCS8CipherFromName = cryptobin_pkcs8.GetCipherFromName // 获取 hash 类型 GetPKCS8HashFromName = cryptobin_pkcs8.GetHashFromName // 获取 Cipher 类型 GetPKCS8PbeCipherFromName = cryptobin_pkcs8pbe.GetCipherFromName // 检测 Cipher 类型 CheckPKCS8PbeCipherFromName = cryptobin_pkcs8pbe.CheckCipherFromName )
var CipherSHA1And2DES = CipherBlockCBC{ // contains filtered or unexported fields }
var CipherSHA1And3DES = CipherBlockCBC{ // contains filtered or unexported fields }
var CipherSHA1AndRC2_128 = CipherBlockCBC{ // contains filtered or unexported fields }
var CipherSHA1AndRC2_40 = CipherBlockCBC{ // contains filtered or unexported fields }
var CipherSHA1AndRC4_128 = CipherRC4{ // contains filtered or unexported fields }
var CipherSHA1AndRC4_40 = CipherRC4{ // contains filtered or unexported fields }
var ( // 默认 hash DefaultHash = SHA1 )
var DefaultOpts = Opts{ PKCS8Cipher: cryptobin_pkcs8pbe.PEMCipherSHA1And3DES, Cipher: CipherSHA1AndRC2_40, KDFOpts: MacOpts{ SaltSize: 8, IterationCount: 1, HMACHash: SHA1, }, }
默认配置
Functions ¶
func Decode ¶
func Decode(pfxData []byte, password string) ( privateKey any, certificate *x509.Certificate, err error, )
Decode extracts a certificate and private key from pfxData, which must be a DER-encoded PKCS#12 file. This function assumes that there is only one certificate and only one private key in the pfxData. Since PKCS#12 files often contain more than one certificate, you probably want to use DecodeChain instead.
func DecodeChain ¶
func DecodeChain(pfxData []byte, password string) ( privateKey any, certificate *x509.Certificate, caCerts []*x509.Certificate, err error, )
DecodeChain extracts a certificate, a CA certificate chain, and private key from pfxData, which must be a DER-encoded PKCS#12 file. This function assumes that there is at least one certificate and only one private key in the pfxData. The first certificate is assumed to be the leaf certificate, and subsequent certificates, if any, are assumed to comprise the CA certificate chain.
func DecodeTrustStore ¶
func DecodeTrustStore(pfxData []byte, password string) (certs []*x509.Certificate, err error)
DecodeTrustStore extracts the certificates from pfxData, which must be a DER-encoded PKCS#12 file containing exclusively certificates with attribute 2.16.840.1.113894.746875.1.1, which is used by Java to designate a trust anchor.
func Encode ¶
func Encode( rand io.Reader, privateKey any, certificate *x509.Certificate, password string, opts ...Opts, ) (pfxData []byte, err error)
兼容 go 默认包
func EncodeChain ¶
func EncodeChain( rand io.Reader, privateKey any, certificate *x509.Certificate, caCerts []*x509.Certificate, password string, opts ...Opts, ) (pfxData []byte, err error)
EncodeChain produces pfxData containing one private key (privateKey), an end-entity certificate (certificate), and any number of CA certificates (caCerts).
The private key is encrypted with the provided password, but due to the weak encryption primitives used by PKCS#12, it is RECOMMENDED that you specify a hard-coded password (such as pkcs12.DefaultPassword) and protect the resulting pfxData using other means.
The rand argument is used to provide entropy for the encryption, and can be set to rand.Reader from the crypto/rand package.
EncodeChain emulates the behavior of OpenSSL's PKCS12_create: it creates two SafeContents: one that's encrypted with RC2 and contains the certificates, and another that is unencrypted and contains the private key shrouded with 3DES The private key bag and the end-entity certificate bag have the LocalKeyId attribute set to the SHA-1 fingerprint of the end-entity certificate.
func EncodeSecret ¶
func EncodeSecret(rand io.Reader, secretKey []byte, password string, opts ...Opts) (pfxData []byte, err error)
编码 Secret
func EncodeTrustStore ¶
func EncodeTrustStore( rand io.Reader, certs []*x509.Certificate, password string, opts ...Opts, ) (pfxData []byte, err error)
EncodeTrustStore produces pfxData containing any number of CA certificates (certs) to be trusted. The certificates will be marked with a special OID that allow it to be used as a Java TrustStore in Java 1.8 and newer.
Due to the weak encryption primitives used by PKCS#12, it is RECOMMENDED that you specify a hard-coded password (such as pkcs12.DefaultPassword) and protect the resulting pfxData using other means.
The rand argument is used to provide entropy for the encryption, and can be set to rand.Reader from the crypto/rand package.
EncodeTrustStore creates a single SafeContents that's encrypted with RC2 and contains the certificates.
The Subject of the certificates are used as the Friendly Names (Aliases) within the resulting pfxData. If certificates share a Subject, then the resulting Friendly Names (Aliases) will be identical, which Java may treat as the same entry when used as a Java TrustStore, e.g. with `keytool`. To customize the Friendly Names, use EncodeTrustStoreEntries.
func EncodeTrustStoreEntries ¶
func EncodeTrustStoreEntries( rand io.Reader, entries []TrustStoreEntry, password string, opts ...Opts, ) (pfxData []byte, err error)
EncodeTrustStoreEntries produces pfxData containing any number of CA certificates (entries) to be trusted. The certificates will be marked with a special OID that allow it to be used as a Java TrustStore in Java 1.8 and newer.
This is identical to EncodeTrustStore, but also allows for setting specific Friendly Names (Aliases) to be used per certificate, by specifying a slice of TrustStoreEntry.
If the same Friendly Name is used for more than one certificate, then the resulting Friendly Names (Aliases) in the pfxData will be identical, which Java may treat as the same entry when used as a Java TrustStore, e.g. with `keytool`.
Due to the weak encryption primitives used by PKCS#12, it is RECOMMENDED that you specify a hard-coded password (such as pkcs12.DefaultPassword) and protect the resulting pfxData using other means.
The rand argument is used to provide entropy for the encryption, and can be set to rand.Reader from the crypto/rand package.
EncodeTrustStoreEntries creates a single SafeContents that's encrypted with RC2 and contains the certificates.
func MarshalPKCS8PrivateKey ¶
func MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
从注册的 key 列表编码证书
func MarshalPrivateKey ¶
func MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
从注册的 key 列表编码证书
func ParsePKCS8PrivateKey ¶
func ParsePKCS8PrivateKey(pkData []byte) (privateKey crypto.PrivateKey, err error)
从注册的 key 列表解析证书
func ToPEM
deprecated
ToPEM converts all "safe bags" contained in pfxData to PEM blocks.
Deprecated: ToPEM creates invalid PEM blocks (private keys are encoded as raw RSA or EC private keys rather than PKCS#8 despite being labeled "PRIVATE KEY"). To decode a PKCS#12 file, use DecodeChain instead, and use the encoding/pem package to convert to PEM if necessary.
Types ¶
type Cipher ¶
type Cipher interface { // oid OID() asn1.ObjectIdentifier // 值大小 KeySize() int // 加密, 返回: [加密后数据, 参数, error] Encrypt(key, plaintext []byte) ([]byte, []byte, error) // 解密 Decrypt(key, params, ciphertext []byte) ([]byte, error) }
加密接口
type CipherBlockCBC ¶
type CipherBlockCBC struct {
// contains filtered or unexported fields
}
cbc 模式加密
func (CipherBlockCBC) Decrypt ¶
func (this CipherBlockCBC) Decrypt(password, params, ciphertext []byte) ([]byte, error)
解密
func (CipherBlockCBC) Encrypt ¶
func (this CipherBlockCBC) Encrypt(password, plaintext []byte) ([]byte, []byte, error)
加密
func (CipherBlockCBC) WithSaltSize ¶
func (this CipherBlockCBC) WithSaltSize(saltSize int) CipherBlockCBC
设置 saltSize
type CipherRC4 ¶
type CipherRC4 struct {
// contains filtered or unexported fields
}
rc4 模式加密
func (CipherRC4) WithSaltSize ¶
设置 saltSize
type KDFOpts ¶
type KDFOpts interface { // 构造 Compute(message []byte, password []byte) (data KDFParameters, err error) }
KDF 设置接口
type KDFParameters ¶
数据接口
type Key ¶
type Key interface { // 包装默认证书 MarshalPrivateKey(privateKey crypto.PrivateKey) (pkData []byte, err error) // 包装 PKCS8 证书 MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) (pkData []byte, err error) // 解析 PKCS8 证书 ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error) }
Key 接口
type KeyDSA ¶
type KeyDSA struct{}
DSA
func (KeyDSA) MarshalPKCS8PrivateKey ¶
func (this KeyDSA) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeyDSA) MarshalPrivateKey ¶
func (this KeyDSA) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeyDSA) ParsePKCS8PrivateKey ¶
func (this KeyDSA) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)
解析
type KeyEcdsa ¶
type KeyEcdsa struct{}
Ecdsa
func (KeyEcdsa) MarshalPKCS8PrivateKey ¶
func (this KeyEcdsa) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeyEcdsa) MarshalPrivateKey ¶
func (this KeyEcdsa) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeyEcdsa) ParsePKCS8PrivateKey ¶
func (this KeyEcdsa) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)
解析
type KeyEdDSA ¶
type KeyEdDSA struct{}
EdDSA
func (KeyEdDSA) MarshalPKCS8PrivateKey ¶
func (this KeyEdDSA) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeyEdDSA) MarshalPrivateKey ¶
func (this KeyEdDSA) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeyEdDSA) ParsePKCS8PrivateKey ¶
func (this KeyEdDSA) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)
解析
type KeyRsa ¶
type KeyRsa struct{}
rsa
func (KeyRsa) MarshalPKCS8PrivateKey ¶
func (this KeyRsa) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeyRsa) MarshalPrivateKey ¶
func (this KeyRsa) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeyRsa) ParsePKCS8PrivateKey ¶
func (this KeyRsa) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)
解析
type KeySM2 ¶
type KeySM2 struct{}
SM2
func (KeySM2) MarshalPKCS8PrivateKey ¶
func (this KeySM2) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeySM2) MarshalPrivateKey ¶
func (this KeySM2) MarshalPrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
包装
func (KeySM2) ParsePKCS8PrivateKey ¶
func (this KeySM2) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error)
解析
type NotImplementedError ¶
type NotImplementedError string
NotImplementedError indicates that the input is not currently supported.
func (NotImplementedError) Error ¶
func (e NotImplementedError) Error() string
type Opts ¶
type Opts struct { PKCS8Cipher Cipher PKCS8KDFOpts PKCS8KDFOpts Cipher Cipher KDFOpts KDFOpts }
配置
func (Opts) WithCipher ¶
func (Opts) WithKDFOpts ¶
func (Opts) WithPKCS8Cipher ¶
func (Opts) WithPKCS8KDFOpts ¶
func (this Opts) WithPKCS8KDFOpts(opts PKCS8KDFOpts) Opts
type SecretKey ¶
type SecretKey interface { // Attributes return the PKCS12AttrSet of the safe bag // https://tools.ietf.org/html/rfc7292#section-4.2 Attributes() map[string]string // key Key() []byte // FriendlyName return the value of `friendlyName` // attribute if exists, otherwise it will return empty string FriendlyName() string }
type TrustStoreEntry ¶
type TrustStoreEntry struct { Cert *x509.Certificate FriendlyName string }
TrustStoreEntry represents an entry in a Java TrustStore.