Versions in this module Expand all Collapse all v1 v1.0.1 Nov 17, 2023 Changes in this version
+ const IPv4AddressFamilyIndicator
+ const IPv6AddressFamilyIndicator
+ var AACompromise = RevocationReasonCode(10)
+ var AffiliationChanged = RevocationReasonCode(3)
+ var CACompromise = RevocationReasonCode(2)
+ var CertificateHold = RevocationReasonCode(6)
+ var CessationOfOperation = RevocationReasonCode(5)
+ var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
+ var IncorrectPasswordError = errors.New("x509: decryption password incorrect")
+ var KeyCompromise = RevocationReasonCode(1)
+ var OIDAnyPolicy = asn1.ObjectIdentifier
+ var OIDAuthorityInfoAccessIssuers = asn1.ObjectIdentifier
+ var OIDAuthorityInfoAccessOCSP = asn1.ObjectIdentifier
+ var OIDExtensionASList = asn1.ObjectIdentifier
+ var OIDExtensionArc = asn1.ObjectIdentifier
+ var OIDExtensionAuthorityInfoAccess = asn1.ObjectIdentifier
+ var OIDExtensionAuthorityKeyId = asn1.ObjectIdentifier
+ var OIDExtensionBasicConstraints = asn1.ObjectIdentifier
+ var OIDExtensionCRLDistributionPoints = asn1.ObjectIdentifier
+ var OIDExtensionCRLNumber = asn1.ObjectIdentifier
+ var OIDExtensionCRLReasons = asn1.ObjectIdentifier
+ var OIDExtensionCTPoison = asn1.ObjectIdentifier
+ var OIDExtensionCTSCT = asn1.ObjectIdentifier
+ var OIDExtensionCertificateIssuer = asn1.ObjectIdentifier
+ var OIDExtensionCertificatePolicies = asn1.ObjectIdentifier
+ var OIDExtensionDeltaCRLIndicator = asn1.ObjectIdentifier
+ var OIDExtensionExtendedKeyUsage = asn1.ObjectIdentifier
+ var OIDExtensionFreshestCRL = asn1.ObjectIdentifier
+ var OIDExtensionIPPrefixList = asn1.ObjectIdentifier
+ var OIDExtensionInhibitAnyPolicy = asn1.ObjectIdentifier
+ var OIDExtensionInvalidityDate = asn1.ObjectIdentifier
+ var OIDExtensionIssuerAltName = asn1.ObjectIdentifier
+ var OIDExtensionIssuingDistributionPoint = asn1.ObjectIdentifier
+ var OIDExtensionKeyUsage = asn1.ObjectIdentifier
+ var OIDExtensionNameConstraints = asn1.ObjectIdentifier
+ var OIDExtensionPolicyConstraints = asn1.ObjectIdentifier
+ var OIDExtensionPolicyMappings = asn1.ObjectIdentifier
+ var OIDExtensionSubjectAltName = asn1.ObjectIdentifier
+ var OIDExtensionSubjectDirectoryAttributes = asn1.ObjectIdentifier
+ var OIDExtensionSubjectInfoAccess = asn1.ObjectIdentifier
+ var OIDExtensionSubjectKeyId = asn1.ObjectIdentifier
+ var OIDNamedCurveP192 = asn1.ObjectIdentifier
+ var OIDNamedCurveP224 = asn1.ObjectIdentifier
+ var OIDNamedCurveP256 = asn1.ObjectIdentifier
+ var OIDNamedCurveP384 = asn1.ObjectIdentifier
+ var OIDNamedCurveP521 = asn1.ObjectIdentifier
+ var OIDPublicKeyDSA = asn1.ObjectIdentifier
+ var OIDPublicKeyECDSA = asn1.ObjectIdentifier
+ var OIDPublicKeyEd25519 = oidSignatureEd25519
+ var OIDPublicKeyRSA = asn1.ObjectIdentifier
+ var OIDPublicKeyRSAESOAEP = asn1.ObjectIdentifier
+ var OIDPublicKeyRSAObsolete = asn1.ObjectIdentifier
+ var OIDSubjectInfoAccessCARepo = asn1.ObjectIdentifier
+ var OIDSubjectInfoAccessTimestamp = asn1.ObjectIdentifier
+ var PrivilegeWithdrawn = RevocationReasonCode(9)
+ var RemoveFromCRL = RevocationReasonCode(8)
+ var Superseded = RevocationReasonCode(4)
+ var Unspecified = RevocationReasonCode(0)
+ func BuildPrecertTBS(tbsData []byte, preIssuer *Certificate) ([]byte, error)
+ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error)
+ func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error)
+ func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)
+ func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)
+ func IsEncryptedPEMBlock(b *pem.Block) bool
+ func IsFatal(err error) bool
+ func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)
+ func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte
+ func MarshalPKCS1PublicKey(key *rsa.PublicKey) []byte
+ func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error)
+ func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)
+ func OIDFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool)
+ func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error)
+ func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error)
+ func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error)
+ func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error)
+ func ParsePKCS1PublicKey(der []byte) (*rsa.PublicKey, error)
+ func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)
+ func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)
+ func RemoveCTPoison(tbsData []byte) ([]byte, error)
+ func RemoveSCTList(tbsData []byte) ([]byte, error)
+ type ASIDRange struct
+ Max int
+ Min int
+ type ASIdentifiers struct
+ ASIDRanges []ASIDRange
+ ASIDs []int
+ InheritFromIssuer bool
+ type CertPool struct
+ func NewCertPool() *CertPool
+ func SystemCertPool() (*CertPool, error)
+ func (s *CertPool) AddCert(cert *Certificate)
+ func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)
+ func (s *CertPool) Subjects() [][]byte
+ type Certificate struct
+ AuthorityKeyId []byte
+ BasicConstraintsValid bool
+ CRLDistributionPoints []string
+ DNSNames []string
+ EmailAddresses []string
+ ExcludedDNSDomains []string
+ ExcludedEmailAddresses []string
+ ExcludedIPRanges []*net.IPNet
+ ExcludedURIDomains []string
+ ExtKeyUsage []ExtKeyUsage
+ Extensions []pkix.Extension
+ ExtraExtensions []pkix.Extension
+ IPAddresses []net.IP
+ IsCA bool
+ Issuer pkix.Name
+ IssuingCertificateURL []string
+ KeyUsage KeyUsage
+ MaxPathLen int
+ MaxPathLenZero bool
+ NotAfter time.Time
+ NotBefore time.Time
+ OCSPServer []string
+ PermittedDNSDomains []string
+ PermittedDNSDomainsCritical bool
+ PermittedEmailAddresses []string
+ PermittedIPRanges []*net.IPNet
+ PermittedURIDomains []string
+ PolicyIdentifiers []asn1.ObjectIdentifier
+ PublicKey interface{}
+ PublicKeyAlgorithm PublicKeyAlgorithm
+ RPKIASNumbers *ASIdentifiers
+ RPKIAddressRanges []*IPAddressFamilyBlocks
+ RPKIRoutingDomainIDs *ASIdentifiers
+ Raw []byte
+ RawIssuer []byte
+ RawSCT []byte
+ RawSubject []byte
+ RawSubjectPublicKeyInfo []byte
+ RawTBSCertificate []byte
+ SCTList SignedCertificateTimestampList
+ SerialNumber *big.Int
+ Signature []byte
+ SignatureAlgorithm SignatureAlgorithm
+ Subject pkix.Name
+ SubjectCARepositories []string
+ SubjectKeyId []byte
+ SubjectTimestamps []string
+ URIs []*url.URL
+ UnhandledCriticalExtensions []asn1.ObjectIdentifier
+ UnknownExtKeyUsage []asn1.ObjectIdentifier
+ Version int
+ func ParseCertificate(asn1Data []byte) (*Certificate, error)
+ func ParseCertificates(asn1Data []byte) ([]*Certificate, error)
+ func ParseTBSCertificate(asn1Data []byte) (*Certificate, error)
+ func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error
+ func (c *Certificate) CheckCertificateListSignature(crl *CertificateList) error
+ func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error
+ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error
+ func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, ...) (crlBytes []byte, err error)
+ func (c *Certificate) Equal(other *Certificate) bool
+ func (c *Certificate) IsPrecertificate() bool
+ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error)
+ func (c *Certificate) VerifyHostname(h string) error
+ type CertificateInvalidError struct
+ Cert *Certificate
+ Detail string
+ Reason InvalidReason
+ func (e CertificateInvalidError) Error() string
+ type CertificateList struct
+ Raw asn1.RawContent
+ SignatureAlgorithm pkix.AlgorithmIdentifier
+ SignatureValue asn1.BitString
+ TBSCertList TBSCertList
+ func ParseCertificateList(clBytes []byte) (*CertificateList, error)
+ func ParseCertificateListDER(derBytes []byte) (*CertificateList, error)
+ func (certList *CertificateList) ExpiredAt(now time.Time) bool
+ type CertificateRequest struct
+ Attributes []pkix.AttributeTypeAndValueSET
+ DNSNames []string
+ EmailAddresses []string
+ Extensions []pkix.Extension
+ ExtraExtensions []pkix.Extension
+ IPAddresses []net.IP
+ PublicKey interface{}
+ PublicKeyAlgorithm PublicKeyAlgorithm
+ Raw []byte
+ RawSubject []byte
+ RawSubjectPublicKeyInfo []byte
+ RawTBSCertificateRequest []byte
+ Signature []byte
+ SignatureAlgorithm SignatureAlgorithm
+ Subject pkix.Name
+ URIs []*url.URL
+ Version int
+ func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)
+ func (c *CertificateRequest) CheckSignature() error
+ type ConstraintViolationError struct
+ func (ConstraintViolationError) Error() string
+ type ErrCategory int
+ const BaselineRequirementsFailure
+ const EVRequirementsFailure
+ const InsecureAlgorithm
+ const InvalidASN1Content
+ const InvalidASN1DER
+ const InvalidASN1Encoding
+ const InvalidASN1Type
+ const InvalidValueRange
+ const MalformedCRL
+ const MalformedCertificate
+ const PoorlyFormedCRL
+ const PoorlyFormedCertificate
+ const UnexpectedAdditionalData
+ const UnknownCategory
+ const UnrecognizedValue
+ func (category ErrCategory) String() string
+ type Error struct
+ Category ErrCategory
+ Fatal bool
+ Field string
+ ID ErrorID
+ SpecRef string
+ SpecText string
+ Summary string
+ func NewError(id ErrorID, args ...interface{}) Error
+ func (err Error) Error() string
+ func (err Error) VerboseError() string
+ type ErrorID int
+ const ErrCertListIssuingDPInvalidFullName
+ const ErrCertListIssuingDPMultipleTypes
+ const ErrInvalidCertList
+ const ErrInvalidCertListAuthInfoAccess
+ const ErrInvalidCertListAuthKeyID
+ const ErrInvalidCertListCRLNumber
+ const ErrInvalidCertListDeltaCRL
+ const ErrInvalidCertListFreshestCRL
+ const ErrInvalidCertListIssuerAltName
+ const ErrInvalidCertListIssuingDP
+ const ErrInvalidID
+ const ErrInvalidRevocationInvalidityDate
+ const ErrInvalidRevocationIssuer
+ const ErrInvalidRevocationReason
+ const ErrMaxID
+ const ErrNegativeCertListCRLNumber
+ const ErrNegativeCertListDeltaCRL
+ const ErrTrailingCertList
+ const ErrTrailingCertListAuthInfoAccess
+ const ErrTrailingCertListAuthKeyID
+ const ErrTrailingCertListCRLNumber
+ const ErrTrailingCertListDeltaCRL
+ const ErrTrailingCertListIssuingDP
+ const ErrTrailingRevocationInvalidityDate
+ const ErrTrailingRevocationReason
+ const ErrUnexpectedlyCriticalCertListExtension
+ const ErrUnexpectedlyCriticalRevokedCertExtension
+ const ErrUnexpectedlyNonCriticalCertListExtension
+ const ErrUnexpectedlyNonCriticalRevokedCertExtension
+ const ErrUnhandledCriticalCertListExtension
+ const ErrUnhandledCriticalRevokedCertExtension
+ func ErrorFilter(ignore string) []ErrorID
+ type Errors struct
+ Errs []Error
+ func (e *Errors) AddID(id ErrorID, args ...interface{})
+ func (e *Errors) Empty() bool
+ func (e *Errors) Error() string
+ func (e *Errors) Fatal() bool
+ func (e *Errors) FirstFatal() error
+ func (e *Errors) VerboseError() string
+ func (e Errors) Filter(filtered []ErrorID) Errors
+ type ExtKeyUsage int
+ const ExtKeyUsageAny
+ const ExtKeyUsageCertificateTransparency
+ const ExtKeyUsageClientAuth
+ const ExtKeyUsageCodeSigning
+ const ExtKeyUsageEmailProtection
+ const ExtKeyUsageIPSECEndSystem
+ const ExtKeyUsageIPSECTunnel
+ const ExtKeyUsageIPSECUser
+ const ExtKeyUsageMicrosoftCommercialCodeSigning
+ const ExtKeyUsageMicrosoftKernelCodeSigning
+ const ExtKeyUsageMicrosoftServerGatedCrypto
+ const ExtKeyUsageNetscapeServerGatedCrypto
+ const ExtKeyUsageOCSPSigning
+ const ExtKeyUsageServerAuth
+ const ExtKeyUsageTimeStamping
+ type GeneralNames struct
+ DNSNames []string
+ DirectoryNames []pkix.Name
+ EmailAddresses []string
+ IPNets []net.IPNet
+ OtherNames []OtherName
+ RegisteredIDs []asn1.ObjectIdentifier
+ URIs []string
+ func (gn GeneralNames) Empty() bool
+ func (gn GeneralNames) Len() int
+ type HostnameError struct
+ Certificate *Certificate
+ Host string
+ func (h HostnameError) Error() string
+ type IPAddressFamilyBlocks struct
+ AFI uint16
+ AddressPrefixes []IPAddressPrefix
+ AddressRanges []IPAddressRange
+ InheritFromIssuer bool
+ SAFI byte
+ type IPAddressPrefix asn1.BitString
+ type IPAddressRange struct
+ Max IPAddressPrefix
+ Min IPAddressPrefix
+ type InsecureAlgorithmError SignatureAlgorithm
+ func (e InsecureAlgorithmError) Error() string
+ type InvalidReason int
+ const CANotAuthorizedForExtKeyUsage
+ const CANotAuthorizedForThisName
+ const Expired
+ const IncompatibleUsage
+ const NameConstraintsWithoutSANs
+ const NameMismatch
+ const NotAuthorizedToSign
+ const TooManyConstraints
+ const TooManyIntermediates
+ const UnconstrainedName
+ type IssuingDistributionPoint struct
+ DistributionPoint distributionPointName
+ IndirectCRL bool
+ OnlyContainsAttributeCerts bool
+ OnlyContainsCACerts bool
+ OnlyContainsUserCerts bool
+ OnlySomeReasons asn1.BitString
+ type KeyUsage int
+ const KeyUsageCRLSign
+ const KeyUsageCertSign
+ const KeyUsageContentCommitment
+ const KeyUsageDataEncipherment
+ const KeyUsageDecipherOnly
+ const KeyUsageDigitalSignature
+ const KeyUsageEncipherOnly
+ const KeyUsageKeyAgreement
+ const KeyUsageKeyEncipherment
+ type NonFatalErrors struct
+ Errors []error
+ func (e *NonFatalErrors) AddError(err error)
+ func (e *NonFatalErrors) Append(more *NonFatalErrors) *NonFatalErrors
+ func (e *NonFatalErrors) HasError() bool
+ func (e NonFatalErrors) Error() string
+ type OtherName struct
+ TypeID asn1.ObjectIdentifier
+ Value asn1.RawValue
+ type PEMCipher int
+ const PEMCipher3DES
+ const PEMCipherAES128
+ const PEMCipherAES192
+ const PEMCipherAES256
+ const PEMCipherDES
+ type PublicKeyAlgorithm int
+ const DSA
+ const ECDSA
+ const Ed25519
+ const RSA
+ const RSAESOAEP
+ const UnknownPublicKeyAlgorithm
+ func (algo PublicKeyAlgorithm) String() string
+ type ReasonFlag int
+ const AACompromiseFlag
+ const AffiliationChangedFlag
+ const CACompromiseFlag
+ const CertificateHoldFlag
+ const CessationOfOperationFlag
+ const KeyCompromiseFlag
+ const PrivilegeWithdrawnFlag
+ const SupersededFlag
+ const UnusedFlag
+ type RevocationReasonCode asn1.Enumerated
+ type RevokedCertificate struct
+ InvalidityDate time.Time
+ Issuer GeneralNames
+ RevocationReason RevocationReasonCode
+ type SerializedSCT struct
+ Val []byte
+ type SignatureAlgorithm int
+ const DSAWithSHA1
+ const DSAWithSHA256
+ const ECDSAWithSHA1
+ const ECDSAWithSHA256
+ const ECDSAWithSHA384
+ const ECDSAWithSHA512
+ const MD2WithRSA
+ const MD5WithRSA
+ const PureEd25519
+ const SHA1WithRSA
+ const SHA256WithRSA
+ const SHA256WithRSAPSS
+ const SHA384WithRSA
+ const SHA384WithRSAPSS
+ const SHA512WithRSA
+ const SHA512WithRSAPSS
+ const UnknownSignatureAlgorithm
+ func SignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm
+ func (algo SignatureAlgorithm) String() string
+ type SignedCertificateTimestampList struct
+ SCTList []SerializedSCT
+ type SystemRootsError struct
+ Err error
+ func (se SystemRootsError) Error() string
+ type TBSCertList struct
+ AuthorityKeyID []byte
+ BaseCRLNumber int
+ CRLNumber int
+ Extensions []pkix.Extension
+ FreshestCRLDistributionPoint []string
+ Issuer pkix.RDNSequence
+ IssuerAltNames GeneralNames
+ IssuingCertificateURL []string
+ IssuingDPFullNames GeneralNames
+ IssuingDistributionPoint IssuingDistributionPoint
+ NextUpdate time.Time
+ OCSPServer []string
+ Raw asn1.RawContent
+ RevokedCertificates []*RevokedCertificate
+ Signature pkix.AlgorithmIdentifier
+ ThisUpdate time.Time
+ Version int
+ type UnhandledCriticalExtension struct
+ ID asn1.ObjectIdentifier
+ func (h UnhandledCriticalExtension) Error() string
+ type UnknownAuthorityError struct
+ Cert *Certificate
+ func (e UnknownAuthorityError) Error() string
+ type VerifyOptions struct
+ CurrentTime time.Time
+ DNSName string
+ DisableCriticalExtensionChecks bool
+ DisableEKUChecks bool
+ DisableNameChecks bool
+ DisableNameConstraintChecks bool
+ DisablePathLenChecks bool
+ DisableTimeChecks bool
+ Intermediates *CertPool
+ KeyUsages []ExtKeyUsage
+ MaxConstraintComparisions int
+ Roots *CertPool
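Review bot: The six Disable* switches on VerifyOptions (DisableCriticalExtensionChecks, DisableEKUChecks, DisableNameChecks, DisableNameConstraintChecks, DisablePathLenChecks, DisableTimeChecks) appear in this listing with no statement of what a caller gives up by setting them. Judging by the names, each one makes Certificate.Verify skip that part of path validation, so a chain returned with any of them set should not be treated as fully validated. I would add a doc comment on the struct along the lines of `// The Disable* fields default to false, which keeps every check on; set one only when inspecting certificates, never when deciding whether to trust a peer.` The parse functions sit next to IsFatal and NonFatalErrors, which suggests a parse can return a usable *Certificate together with a non-fatal error; their doc comments should say whether a caller making a trust decision must reject on any error rather than only on fatal ones. The listing also exports MD2WithRSA, MD5WithRSA, SHA1WithRSA and PEMCipherDES alongside InsecureAlgorithmError without showing which of them CheckSignature still accepts, and that belongs in the doc comments too.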