gmx509

package
v0.0.0-...-9634917 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 20, 2020 License: Apache-2.0 Imports: 27 Imported by: 20

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")

ErrUnsupportedAlgorithm results from attempting to perform an operation that involves algorithms that are not currently implemented.

Functions

func CheckSignature 

func CheckSignature(c *x509.Certificate, algo x509.SignatureAlgorithm, signed, signature []byte) error

CheckSignature verifies that signature is a valid signature over signed from c's public key.

func CheckSignatureFrom 

func CheckSignatureFrom(c *x509.Certificate, parent *x509.Certificate) error

CheckSignatureFrom verifies that the signature on c is a valid signature from parent.

func CreateCertificate 

func CreateCertificate(cinfo *TBSCertificate, signature []byte) ([]byte, error)

func CreateCertificateBytes 

func CreateCertificateBytes(template, parent *x509.Certificate, pub *sm2.PublicKey, priv *sm2.PrivateKey) (cert []byte, err error)

CreateCertificateBytes 为x509.CreateCertificate的国密改造版,返回序列化之后的字节数组形式的拟签字证书。

func CreateCertificatePEM 

func CreateCertificatePEM() ([]byte, error)

CreateCertificatePEM 返回用PEM编码格式存储的certificate

func CreateCertificateRequest 

func CreateCertificateRequest(template *x509.CertificateRequest, pub *sm2.PublicKey,
	pri *sm2.PrivateKey, userId []byte) (csr []byte, err error)

CreateCertificateRequest 生成证书签发请求。 与x509标准库相比较,输入参数为SM2私钥参数; 标准库则是可实现crypto.Signer接口的任何算法的私钥。 此外,SM2签名算法本身内建了哈希步骤,因此输入明文消息即可; 其他不对称加密算法则需要事先进行哈希运算,然后再将哈希值输入不对称加密算法。

func FillCertificateTemplateByCSR 

func FillCertificateTemplateByCSR(template *x509.Certificate, csr *x509.CertificateRequest)

func IssueCertificateBySoftCAKey 

func IssueCertificateBySoftCAKey(cinfo *TBSCertificate, caPri *sm2.PrivateKey, userId []byte) ([]byte, error)

func MarshalPKCS8SM2PrivateKey 

func MarshalPKCS8SM2PrivateKey(key *sm2.PrivateKey) ([]byte, error)

MarshalPKCS8SM2PrivateKey convert SM2 private key into PKCS#8 []byte ref: crypto/x509/pkcs8.go ---- MarshalPKCS8PrivateKey()

func MarshalPKIXSM2PublicKey 

func MarshalPKIXSM2PublicKey(pub *sm2.PublicKey) ([]byte, error)

MarshalPKIXSM2PublicKey converts a SM2 public key to PKIX, ASN.1 DER form. 将SM2公钥转换成符合PKIX, ASN.1 DER编码规则的形式.

func MarshalSM2PrivateKey 

func MarshalSM2PrivateKey(key *sm2.PrivateKey) ([]byte, error)

MarshalSM2PrivateKey converts a SM2 private key to SEC 1, ASN.1 DER form.

func PEMtoSM2PrivateKey 

func PEMtoSM2PrivateKey(raw []byte, pwd []byte) (interface{}, error)

PEMtoSM2PrivateKey unmarshals a pem to SM2 private key

func PEMtoSM4 

func PEMtoSM4(raw []byte, pwd []byte) ([]byte, error)

PEMtoSM4 extracts from the PEM an SM4 private key

func ParseCertificate 

func ParseCertificate(asn1Data []byte) (*x509.Certificate, error)

ParseCertificate parses a single certificate from the given ASN.1 DER data.

func ParseCertificateRequest 

func ParseCertificateRequest(asn1Data []byte) (*x509.CertificateRequest, error)

ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.

func ParsePKCS8SM2PrivateKey 

func ParsePKCS8SM2PrivateKey(der []byte) (*sm2.PrivateKey, error)

ParsePKCS8SM2PrivateKey 解析PKCS8格式的采用DER规则编码的SM2私钥.

func ParsePKIXSM2PublicKey 

func ParsePKIXSM2PublicKey(der []byte) (*sm2.PublicKey, error)

ParsePKIXSM2PublicKey parse a DER-encoded ASN.1 data into SM2 public key object. 将符合PKIX, ASN.1 DER编码规则的SM2公钥反序列化为对象.

func ParseSM2PrivateKey 

func ParseSM2PrivateKey(der []byte) (key *sm2.PrivateKey, err error)

ParseSM2PrivateKey parses a SM2 in form of SEC 1, ASN.1 DER back to object. 解析依照ASN.1规范的椭圆曲线私钥结构定义的SM2. ref: crypto/x509/sec1.go ---- ParseECPrivateKey()

func PemToSM2PublicKey 

func PemToSM2PublicKey(raw []byte, pwd []byte) (interface{}, error)

PemToSM2PublicKey unmarshals a pem to public key

func SM2PrivateKeyToEncryptedPEM 

func SM2PrivateKeyToEncryptedPEM(privateKey interface{}, pwd []byte) ([]byte, error)

SM2PrivateKeyToEncryptedPEM converts a private key into an encrypted PEM

func SM2PrivateKeyToPEM 

func SM2PrivateKeyToPEM(privateKey interface{}, pwd []byte) ([]byte, error)

SM2PrivateKeyToPEM converts sm2 private key to PEM format. EC private keys are converted to PKCS#8 format.

func SM2PublicKeyToEncryptedPEM 

func SM2PublicKeyToEncryptedPEM(publicKey interface{}, pwd []byte) ([]byte, error)

SM2PublicKeyToEncryptedPEM converts a public key to encrypted pem

func SM2PublicKeyToPEM 

func SM2PublicKeyToPEM(publicKey interface{}, pwd []byte) ([]byte, error)

SM2PublicKeyToPEM marshals a public key to the pem format

func SM4CBCPKCS7Decrypt 

func SM4CBCPKCS7Decrypt(key, src []byte) ([]byte, error)

SM4CBCPKCS7Decrypt combines CBC decryption and PKCS7 unpadding

func SM4CBCPKCS7Encrypt 

func SM4CBCPKCS7Encrypt(key, src []byte) ([]byte, error)

SM4CBCPKCS7Encrypt combines CBC encryption and PKCS7 padding

func SM4CBCPKCS7EncryptWithIV 

func SM4CBCPKCS7EncryptWithIV(IV []byte, key, src []byte) ([]byte, error)

SM4CBCPKCS7EncryptWithIV combines CBC encryption and PKCS7 padding, the IV used is the one passed to the function

func SM4CBCPKCS7EncryptWithRand 

func SM4CBCPKCS7EncryptWithRand(prng io.Reader, key, src []byte) ([]byte, error)

SM4CBCPKCS7EncryptWithRand combines CBC encryption and PKCS7 padding using as prng the passed to the function

func SM4DecryptPEMBlock 

func SM4DecryptPEMBlock(block *pem.Block, pwd []byte) ([]byte, error)

SM4DecryptPEMBlock decrypt PEM block via SM4. 将输入消息用SM4加密并转化为PEM格式的函数, 其中密文格式采用CBC模式,PKCS7规范填充尾部字节。

func SM4EncryptPEMBlock 

func SM4EncryptPEMBlock(blockType string, raw []byte, pwd []byte) ([]byte, error)

SM4EncryptPEMBlock encrypt raw message into PEM format via SM4. refer: x509.EncryptPEMBlock() 将输入消息用SM4加密并转化为PEM格式的函数。

func SM4toEncryptedPEM 

func SM4toEncryptedPEM(raw []byte, pwd []byte) ([]byte, error)

SM4toEncryptedPEM encapsulates a SM4 key in the encrypted PEM format

func SM4toPEM 

func SM4toPEM(raw []byte) []byte

SM4toPEM encapsulates a SM4 key in the PEM format

func Verify 

func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certificate, err error)

Verify attempts to verify c by building one or more chains from c to a certificate in opts.Roots, using certificates in opts.Intermediates if needed. If successful, it returns one or more chains where the first element of the chain is c and the last element is from opts.Roots.

If opts.Roots is nil and system roots are unavailable the returned error will be of type SystemRootsError.

Name constraints in the intermediates will be applied to all names claimed in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim example.com if an intermediate doesn't permit it, even if example.com is not the name being validated. Note that DirectoryName constraints are not supported.

Extended Key Usage values are enforced down a chain, so an intermediate or root that enumerates EKUs prevents a leaf from asserting an EKU not in that list.

WARNING: this function doesn't do any revocation checking.

func VerifyCSRSign 

func VerifyCSRSign(csr *x509.CertificateRequest, userId []byte) (bool, error)

func VerifyDERCSRSign 

func VerifyDERCSRSign(asn1Data []byte, userId []byte) (bool, error)

Types

type CertPool 

type CertPool struct {
	// contains filtered or unexported fields
}

CertPool is a set of certificates.

func NewCertPool 

func NewCertPool() *CertPool

NewCertPool returns a new, empty CertPool.

func (*CertPool) AddCert 

func (s *CertPool) AddCert(cert *x509.Certificate)

AddCert adds a certificate to a pool. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

func (*CertPool) AppendCertsFromPEM 

func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. It appends any certificates found to s and reports whether any certificates were successfully parsed.

On many Linux systems, /etc/ssl/cert.pem will contain the system wide set of root CAs in a format suitable for this function.

func (*CertPool) Subjects 

func (s *CertPool) Subjects() [][]byte

Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.

type CertificateInvalidError 

type CertificateInvalidError struct {
	Cert   *x509.Certificate
	Reason InvalidReason
	Detail string
}

CertificateInvalidError results when an odd error occurs. Users of this library probably want to handle all these errors uniformly.

func (CertificateInvalidError) Error 

func (e CertificateInvalidError) Error() string

type ConstraintViolationError 

type ConstraintViolationError struct{}

ConstraintViolationError results when a requested usage is not permitted by a certificate. For example: checking a signature when the public key isn't a certificate signing key.

func (ConstraintViolationError) Error 

func (ConstraintViolationError) Error() string

type InvalidReason 

type InvalidReason int
const (
	// NotAuthorizedToSign results when a certificate is signed by another
	// which isn't marked as a CA certificate.
	NotAuthorizedToSign InvalidReason = iota
	// Expired results when a certificate has expired, based on the time
	// given in the VerifyOptions.
	Expired // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
	// CANotAuthorizedForThisName results when an intermediate or root
	// certificate has a name constraint which doesn't permit a DNS or
	// other name (including IP address) in the leaf certificate.
	CANotAuthorizedForThisName
	// TooManyIntermediates results when a path length constraint is
	// violated.
	TooManyIntermediates
	// IncompatibleUsage results when the certificate's key usage indicates
	// that it may only be used for a different purpose.
	IncompatibleUsage
	// NameMismatch results when the subject name of a parent certificate
	// does not match the issuer name in the child.
	NameMismatch
	// NameConstraintsWithoutSANs results when a leaf certificate doesn't
	// contain a Subject Alternative Name extension, but a CA certificate
	// contains name constraints, and the Common Name can be interpreted as
	// a hostname.
	//
	// You can avoid this error by setting the experimental GODEBUG environment
	// variable to "x509ignoreCN=1", disabling Common Name matching entirely.
	// This behavior might become the default in the future.
	NameConstraintsWithoutSANs
	// UnconstrainedName results when a CA certificate contains permitted
	// name constraints, but leaf certificate contains a name of an
	// unsupported or unconstrained type.
	UnconstrainedName
	// TooManyConstraints results when the number of comparison operations
	// needed to check a certificate exceeds the limit set by
	// VerifyOptions.MaxConstraintComparisions. This limit exists to
	// prevent pathological certificates can consuming excessive amounts of
	// CPU time to verify.
	TooManyConstraints
	// CANotAuthorizedForExtKeyUsage results when an intermediate or root
	// certificate does not permit a requested extended key usage.
	CANotAuthorizedForExtKeyUsage
)

type TBSCertificate 

type TBSCertificate tbsCertificate

func CreateCertificateInfo 

func CreateCertificateInfo(template, parent *x509.Certificate, csr *x509.CertificateRequest) (*TBSCertificate, error)

为什么要将构建CertificateInfo和签发证书分开呢? 是因为实际应用中的CA密钥大多数都是放在加密卡/加密机中的,签名由加密卡/加密机来完成

type UnhandledCriticalExtension 

type UnhandledCriticalExtension struct{}

func (UnhandledCriticalExtension) Error 

func (h UnhandledCriticalExtension) Error() string

type UnknownAuthorityError 

type UnknownAuthorityError struct {
	Cert *x509.Certificate
	// contains filtered or unexported fields
}

UnknownAuthorityError results when the certificate issuer is unknown

func (UnknownAuthorityError) Error 

func (e UnknownAuthorityError) Error() string

type VerifyOptions 

type VerifyOptions struct {
	DNSName       string
	Intermediates *CertPool
	Roots         *CertPool // if nil, the system roots are used
	CurrentTime   time.Time // if zero, the current time is used
	// KeyUsage specifies which Extended Key Usage values are acceptable. A leaf
	// certificate is accepted if it contains any of the listed values. An empty
	// list means ExtKeyUsageServerAuth. To accept any key usage, include
	// ExtKeyUsageAny.
	//
	// Certificate chains are required to nest these extended key usage values.
	// (This matches the Windows CryptoAPI behavior, but not the spec.)
	KeyUsages []x509.ExtKeyUsage
	// MaxConstraintComparisions is the maximum number of comparisons to
	// perform when checking a given certificate's name constraints. If
	// zero, a sensible default is used. This limit prevents pathological
	// certificates from consuming excessive amounts of CPU time when
	// validating.
	MaxConstraintComparisions int
}

VerifyOptions contains parameters for Certificate.Verify. It's a structure because other PKIX verification APIs have ended up needing many options.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.