x509

package
v0.0.0-...-13ea42f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 19, 2020 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Overview

Package crypto collects common cryptographic constants.

Copyright Zhigui.com. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0

Index

Constants

View Source 
const (
	SM2WithSM3 x.SignatureAlgorithm = 100 + iota
	SM2WithSHA1
	SM2WithSHA256
)
View Source 
const SM2 = "SM2"

Variables

View Source 
var SmCrypto = gm_plugins.GetSmCryptoSuite()

Functions

func CheckCRLSignature 

func CheckCRLSignature(cert *x.Certificate, crl *pkix.CertificateList, algoCap AlgoCapacity) error

func CheckCertSignature 

func CheckCertSignature(cert *x.Certificate, algo x.SignatureAlgorithm, signed, signature []byte, algoCap AlgoCapacity) error

func CheckCertSignatureFrom 

func CheckCertSignatureFrom(cert *x.Certificate, parent *x.Certificate, algoCap AlgoCapacity) error

func CheckCertificateRequestSignature 

func CheckCertificateRequestSignature(c *x.CertificateRequest, algoCap AlgoCapacity) error

func CreateCRL 

func CreateCRL(c *x.Certificate, rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate,
	now, expiry time.Time, algoCap AlgoCapacity) (crlBytes []byte, err error)

func CreateCertificate 

func CreateCertificate(rand io.Reader, template, parent *x.Certificate, pub, priv interface{}, algoCap AlgoCapacity) (cert []byte, err error)

func CreateCertificateRequest 

func CreateCertificateRequest(rand io.Reader, template *x.CertificateRequest, priv interface{}, algoCap AlgoCapacity) (csr []byte, err error)

CreateCertificateRequest creates a new certificate request based on a template. The following members of template are used:

  • SignatureAlgorithm
  • Subject
  • DNSNames
  • EmailAddresses
  • IPAddresses
  • URIs
  • ExtraExtensions
  • Attributes (deprecated)

priv is the private key to sign the CSR with, and the corresponding public key will be included in the CSR. It must implement crypto.Signer and its Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey satisfies this.)

The returned slice is the certificate request in DER encoding.

func InitX509 

func InitX509(algo string)

func MarshalPKIXPublicKey 

func MarshalPKIXPublicKey(pub interface{}, algoCap AlgoCapacity) ([]byte, error)

func ParseCertificate 

func ParseCertificate(asn1Data []byte, algoCap AlgoCapacity) (*x.Certificate, error)

func ParseCertificateRequest 

func ParseCertificateRequest(asn1Data []byte, algoCap AlgoCapacity) (*x.CertificateRequest, error)

func ParseCertificates 

func ParseCertificates(asn1Data []byte, algoCap AlgoCapacity) ([]*x.Certificate, error)

func ParseECPrivateKey 

func ParseECPrivateKey(der []byte) (key *primitive.Sm2PrivateKey, err error)

func ParsePKIXPublicKey 

func ParsePKIXPublicKey(derBytes []byte, algoCap AlgoCapacity) (pub interface{}, err error)

func RegisterHash 

func RegisterHash(h Hash, size uint8, f func() hash.Hash)

RegisterHash registers a function that returns a new instance of the given hash function. This is intended to be called from the init function in packages that implement hash functions.

func Verify 

func Verify(c *x.Certificate, opts x.VerifyOptions) (chains [][]*x.Certificate, err error)

Verify attempts to verify c by building one or more chains from c to a certificate in opts.Roots, using certificates in opts.Intermediates if needed. If successful, it returns one or more chains where the first element of the chain is c and the last element is from opts.Roots.

If opts.Roots is nil and system roots are unavailable the returned error will be of type SystemRootsError.

Name constraints in the intermediates will be applied to all names claimed in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim example.com if an intermediate doesn't permit it, even if example.com is not the name being validated. Note that DirectoryName constraints are not supported.

Extended Key Usage values are enforced down a chain, so an intermediate or root that enumerates EKUs prevents a leaf from asserting an EKU not in that list.

WARNING: this function doesn't do any revocation checking.

func VerifyHostname 

func VerifyHostname(c *x.Certificate, h string) error

VerifyHostname returns nil if c is a valid certificate for the named host. Otherwise it returns an error describing the mismatch.

Types

type AlgoCapacity 

type AlgoCapacity interface {
	// contains filtered or unexported methods
}

type CertPool 

type CertPool struct {
	// contains filtered or unexported fields
}

CertPool is a set of certificates.

func CopyFrom 

func CopyFrom(pool *x.CertPool) *CertPool

func NewCertPool 

func NewCertPool() *CertPool

NewCertPool returns a new, empty CertPool.

func (*CertPool) AddCert 

func (s *CertPool) AddCert(cert *x.Certificate)

AddCert adds a certificate to a pool.

func (*CertPool) AppendCertsFromPEM 

func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. It appends any certificates found to s and reports whether any certificates were successfully parsed.

On many Linux systems, /etc/ssl/cert.pem will contain the system wide set of root CAs in a format suitable for this function.

func (*CertPool) Subjects 

func (s *CertPool) Subjects() [][]byte

Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.

type CertificateInvalidError 

type CertificateInvalidError struct {
	Cert   *x.Certificate
	Reason InvalidReason
	Detail string
}

CertificateInvalidError results when an odd error occurs. Users of this library probably want to handle all these errors uniformly.

func (CertificateInvalidError) Error 

func (e CertificateInvalidError) Error() string

type CertificateMgr 

type CertificateMgr struct {
	Context
}

func NewCertificateMgr 

func NewCertificateMgr(ctx Context) *CertificateMgr

func (*CertificateMgr) CreateCertificateRequestToMem 

func (c *CertificateMgr) CreateCertificateRequestToMem(template *x.CertificateRequest, privKey *primitive.Sm2PrivateKey) ([]byte, error)

func (*CertificateMgr) CreateCertificateRequestToPem 

func (c *CertificateMgr) CreateCertificateRequestToPem(FileName string, template *x.CertificateRequest,
	privKey *primitive.Sm2PrivateKey) (bool, error)

func (*CertificateMgr) CreateCertificateToMem 

func (c *CertificateMgr) CreateCertificateToMem(template, parent *x.Certificate, pubKey *primitive.Sm2PublicKey, privKey *primitive.Sm2PrivateKey) ([]byte, error)

func (*CertificateMgr) CreateCertificateToPem 

func (c *CertificateMgr) CreateCertificateToPem(FileName string, template, parent *x.Certificate, pubKey *primitive.Sm2PublicKey, privKey *primitive.Sm2PrivateKey) (bool, error)

func (*CertificateMgr) ReadCertificateFromMem 

func (c *CertificateMgr) ReadCertificateFromMem(data []byte) (*x.Certificate, error)

func (*CertificateMgr) ReadCertificateFromPem 

func (c *CertificateMgr) ReadCertificateFromPem(FileName string) (*x.Certificate, error)

func (*CertificateMgr) ReadCertificateRequestFromMem 

func (c *CertificateMgr) ReadCertificateRequestFromMem(data []byte) (*x.CertificateRequest, error)

func (*CertificateMgr) ReadCertificateRequestFromPem 

func (c *CertificateMgr) ReadCertificateRequestFromPem(FileName string) (*x.CertificateRequest, error)

type Context 

type Context interface {
	// AlgorithmName return certificate asymmetric algorithm type.
	AlgorithmName() string
	// ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
	//
	// It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey,
	// ed25519.PublicKey or *sm.PublicKey. More types might be supported in the future.
	//
	// This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
	ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)

	// MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
	//
	// The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey,
	// ed25519.PublicKey and *sm2.PublicKey. Unsupported key types result in an error.
	//
	// This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
	MarshalPKIXPublicKey(pub interface{}) ([]byte, error)

	// CreateCertificateRequest creates a new certificate request based on a template.
	CreateCertificateRequest(rand io.Reader, template *x.CertificateRequest, priv interface{}) (csr []byte, err error)

	// ParseCertificateRequest parses a single certificate request from the
	// given ASN.1 DER data.
	ParseCertificateRequest(asn1Data []byte) (*x.CertificateRequest, error)

	// CheckCertificateRequestSignature reports whether the signature on c is valid.
	CheckCertificateRequestSignature(c *x.CertificateRequest) error

	// CreateCertificate creates a new X.509v3 certificate based on a template.
	CreateCertificate(rand io.Reader, template, parent *x.Certificate, pub, priv interface{}) (cert []byte, err error)

	// ParseCertificate parses a single certificate from the given ASN.1 DER data.
	ParseCertificate(asn1Data []byte) (*x.Certificate, error)

	ParseCertificates(asn1Data []byte) ([]*x.Certificate, error)
	// CheckCertSignature verifies that signature is a valid signature over signed from
	// cert's public key.
	CheckCertSignature(cert *x.Certificate, algo x.SignatureAlgorithm, signed, signature []byte) error

	// CheckCertSignatureFrom verifies that the signature on cert is a valid signature
	// from parent.
	CheckCertSignatureFrom(cert *x.Certificate, parent *x.Certificate) error

	// WARNING: this function doesn't do any revocation checking.
	Verify(c *x.Certificate, opts x.VerifyOptions) (chains [][]*x.Certificate, err error)

	CheckCRLSignature(cert *x.Certificate, crl *pkix.CertificateList) error

	// CreateCRL returns a DER encoded CRL, signed by this Certificate, that
	// contains the given list of revoked certificates.
	CreateCRL(cert *x.Certificate, rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)
}
var X509Instance Context

func GetX509 

func GetX509() Context

func GetX509SM2 

func GetX509SM2() Context

func GetX509Std 

func GetX509Std(algo string) Context

type Hash 

type Hash uint

Hash identifies a cryptographic hash function that is implemented in another package. 

const SM3 Hash = 100

func (Hash) Available 

func (h Hash) Available() bool

Available reports whether the given hash function is linked into the binary.

func (Hash) HashFunc 

func (h Hash) HashFunc() crypto.Hash

HashFunc simply returns the value of h so that Hash implements SignerOpts.

func (Hash) New 

func (h Hash) New() hash.Hash

New returns a new hash.Hash calculating the given hash function. New panics if the hash function is not linked into the binary.

func (Hash) Size 

func (h Hash) Size() int

Size returns the length, in bytes, of a digest resulting from the given hash function. It doesn't require that the hash function in question be linked into the program.

type HostnameError 

type HostnameError struct {
	Certificate *x.Certificate
	Host        string
}

HostnameError results when the set of authorized names doesn't match the requested name.

func (HostnameError) Error 

func (h HostnameError) Error() string

type InvalidReason 

type InvalidReason int
const (
	// NotAuthorizedToSign results when a certificate is signed by another
	// which isn't marked as a CA certificate.
	NotAuthorizedToSign InvalidReason = iota
	// Expired results when a certificate has expired, based on the time
	// given in the VerifyOptions.
	Expired
	// CANotAuthorizedForThisName results when an intermediate or root
	// certificate has a name constraint which doesn't permit a DNS or
	// other name (including IP address) in the leaf certificate.
	CANotAuthorizedForThisName
	// TooManyIntermediates results when a path length constraint is
	// violated.
	TooManyIntermediates
	// IncompatibleUsage results when the certificate's key usage indicates
	// that it may only be used for a different purpose.
	IncompatibleUsage
	// NameMismatch results when the subject name of a parent certificate
	// does not match the issuer name in the child.
	NameMismatch
	// NameConstraintsWithoutSANs results when a leaf certificate doesn't
	// contain a Subject Alternative Name extension, but a CA certificate
	// contains name constraints, and the Common Name can be interpreted as
	// a hostname.
	//
	// You can avoid this error by setting the experimental GODEBUG environment
	// variable to "x509ignoreCN=1", disabling Common Name matching entirely.
	// This behavior might become the default in the future.
	NameConstraintsWithoutSANs
	// UnconstrainedName results when a CA certificate contains permitted
	// name constraints, but leaf certificate contains a name of an
	// unsupported or unconstrained type.
	UnconstrainedName
	// TooManyConstraints results when the number of comparison operations
	// needed to check a certificate exceeds the limit set by
	// VerifyOptions.MaxConstraintComparisions. This limit exists to
	// prevent pathological certificates can consuming excessive amounts of
	// CPU time to verify.
	TooManyConstraints
	// CANotAuthorizedForExtKeyUsage results when an intermediate or root
	// certificate does not permit a requested extended key usage.
	CANotAuthorizedForExtKeyUsage
)

type SystemRootsError 

type SystemRootsError struct {
	Err error
}

SystemRootsError results when we fail to load the system root certificates.

func (SystemRootsError) Error 

func (se SystemRootsError) Error() string

type UnknownAuthorityError 

type UnknownAuthorityError struct {
	Cert *x.Certificate
	// contains filtered or unexported fields
}

UnknownAuthorityError results when the certificate issuer is unknown

func (UnknownAuthorityError) Error 

func (e UnknownAuthorityError) Error() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.