Documentation ¶
Index ¶
- Constants
- Variables
- func AllAlternateNameWithTagAreIA5(ext *pkix.Extension, tag int) (bool, error)
- func AppendToStringSemicolonDelim(this *string, s string)
- func AuthIsFQDNOrIP(auth string) bool
- func BeforeOrOn(left, right time.Time) bool
- func CertificateSubjInTLD(c *x509.Certificate, label string) bool
- func CheckAlgorithmIDParamNotNULL(algorithmIdentifier []byte, requiredAlgoID asn1.ObjectIdentifier) error
- func CheckRDNSequenceWhiteSpace(raw []byte) (leading, trailing bool, err error)
- func CommonNameIsIP(cert *x509.Certificate) bool
- func DNSNamesExist(cert *x509.Certificate) bool
- func FindTimeType(firstDate, secondDate asn1.RawValue) (int, int)
- func GetAuthority(uri string) string
- func GetEKUString(eku x509.ExtKeyUsage) string
- func GetEKUStrings(eku []x509.ExtKeyUsage) []string
- func GetExtFromCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension
- func GetHost(auth string) string
- func GetKeyUsageStrings(keyUsages x509.KeyUsage) []string
- func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error)
- func GetPublicKeyAidEncoded(c *x509.Certificate) ([]byte, error)
- func GetPublicKeyOID(c *x509.Certificate) (asn1.ObjectIdentifier, error)
- func GetSignatureAlgorithmInTBSEncoded(c *x509.Certificate) ([]byte, error)
- func GetTimes(cert *x509.Certificate) (asn1.RawValue, asn1.RawValue)
- func GetTypesInName(name *pkix.Name) []asn1.ObjectIdentifier
- func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool
- func HasEmailSAN(c *x509.Certificate) bool
- func HasKeyUsage(c *x509.Certificate, usage x509.KeyUsage) bool
- func HasKeyUsageOID(c *x509.Certificate) bool
- func HasReservedLabelPrefix(s string) bool
- func HasValidTLD(domain string, when time.Time) bool
- func HasXNLabelPrefix(s string) bool
- func IdnaToUnicode(s string) (string, error)
- func IntersectsIANAReserved(net net.IPNet) bool
- func IsAnyEtsiQcStatementPresent(extVal []byte) bool
- func IsCACert(c *x509.Certificate) bool
- func IsCodeSigning(policies []asn1.ObjectIdentifier) bool
- func IsDelegatedOCSPResponderCert(cert *x509.Certificate) bool
- func IsEV(in []asn1.ObjectIdentifier) bool
- func IsEmailProtectionCert(cert *x509.Certificate) bool
- func IsEmptyASN1Sequence(input []byte) bool
- func IsExtInCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool
- func IsFQDN(domain string) bool
- func IsFQDNOrIP(host string) bool
- func IsIA5String(raw []byte) bool
- func IsIANAReserved(ip net.IP) bool
- func IsISOCountryCode(in string) bool
- func IsInPrefSyn(name string) bool
- func IsInTLDMap(label string) bool
- func IsIndividualValidatedCertificate(c *x509.Certificate) bool
- func IsLDHLabel(label string) bool
- func IsLegacySMIMECertificate(c *x509.Certificate) bool
- func IsMailboxAddress(address string) bool
- func IsMailboxValidatedCertificate(c *x509.Certificate) bool
- func IsMultipurposeSMIMECertificate(c *x509.Certificate) bool
- func IsNameAttribute(oid asn1.ObjectIdentifier) bool
- func IsOnionV2Address(dnsName string) bool
- func IsOnionV2Cert(c *x509.Certificate) bool
- func IsOnionV3Address(dnsName string) bool
- func IsOnionV3Cert(c *x509.Certificate) bool
- func IsOrganizationValidatedCertificate(c *x509.Certificate) bool
- func IsRootCA(c *x509.Certificate) bool
- func IsSMIMEBRCertificate(c *x509.Certificate) bool
- func IsSelfSigned(c *x509.Certificate) bool
- func IsServerAuthCert(cert *x509.Certificate) bool
- func IsSponsorValidatedCertificate(c *x509.Certificate) bool
- func IsStrictSMIMECertificate(c *x509.Certificate) bool
- func IsSubCA(c *x509.Certificate) bool
- func IsSubscriberCert(c *x509.Certificate) bool
- func KeyUsageIsPresent(keyUsages x509.KeyUsage, usage x509.KeyUsage) bool
- func NotAllNameFieldsAreEmpty(name *pkix.Name) bool
- func OnOrAfter(left, right time.Time) bool
- func ParseBMPString(bmpString []byte) (string, error)
- func PrimeNoSmallerThan752(dividend *big.Int) bool
- func RemovePrependedQuestionMarks(domain string) string
- func RemovePrependedWildcard(domain string) string
- func SliceContainsOID(list []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier) bool
- func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool
- type AttributeTypeAndRawValue
- type AttributeTypeAndRawValueSET
- type Etsi421QualEuCert
- type Etsi423QcType
- type EtsiMonetaryValueAlph
- type EtsiMonetaryValueNum
- type EtsiQcLimitValue
- type EtsiQcPds
- type EtsiQcRetentionPeriod
- type EtsiQcSscd
- type EtsiQcStmtIf
- type GTLDPeriod
- type PdsLocation
- type RawRDNSequence
Constants ¶
const (
	// Tags
	// DNSNameTag is the context-specific tag number of the dNSName choice
	// of GeneralName ([2]); presumably the value passed as the tag argument
	// to AllAlternateNameWithTagAreIA5 — confirm against callers.
	DNSNameTag = 2
)
const (
	// DurationDay is one day expressed as a time.Duration (24h).
	DurationDay = 24 * time.Hour
)
const (
	// GTLDPeriodDateFormat is a Go reference-time layout (YYYY-MM-DD);
	// presumably the layout of GTLDPeriod's DelegationDate/RemovalDate
	// strings — confirm against the parsing code.
	GTLDPeriodDateFormat = "2006-01-02"
)

// OnionTLD is the Tor onion-service top-level domain, including the leading dot.
const OnionTLD = ".onion"
Variables ¶
// Object identifiers used by the lints: X.509 extension OIDs, an EKU, CA/B
// Forum reserved policy identifiers, X.500 attribute types, a SAN otherName
// type, hash and signature algorithm OIDs, and ETSI QC statement OIDs.
var (
	// extension OIDs
	AdobeTimeStampOID             = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension
	AdobeArchiveRevInfoOID        = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension
	AiaOID                        = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}     // Authority Information Access
	AuthkeyOID                    = asn1.ObjectIdentifier{2, 5, 29, 35}                  // Authority Key Identifier
	BasicConstOID                 = asn1.ObjectIdentifier{2, 5, 29, 19}                  // Basic Constraints
	CertPolicyOID                 = asn1.ObjectIdentifier{2, 5, 29, 32}                  // Certificate Policies
	CrlDistOID                    = asn1.ObjectIdentifier{2, 5, 29, 31}                  // CRL Distribution Points
	CtPoisonOID                   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison (precertificate marker)
	DeltaCRLIndicatorOID          = asn1.ObjectIdentifier{2, 5, 29, 27}                  // Delta CRL Indicator
	EkuSynOid                     = asn1.ObjectIdentifier{2, 5, 29, 37}                  // Extended Key Usage Syntax
	FreshCRLOID                   = asn1.ObjectIdentifier{2, 5, 29, 46}                  // Freshest CRL
	InhibitAnyPolicyOID           = asn1.ObjectIdentifier{2, 5, 29, 54}                  // Inhibit Any Policy
	IssuerAlternateNameOID        = asn1.ObjectIdentifier{2, 5, 29, 18}                  // Issuer Alt Name
	KeyUsageOID                   = asn1.ObjectIdentifier{2, 5, 29, 15}                  // Key Usage (the OID HasKeyUsageOID looks for)
	LegalEntityIdentifierOID      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 1}    // Legal Entity Identifier
	LegalEntityIdentifierRoleOID  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 2}    // Legal Entity Identifier Role
	LogoTypeOID                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12}    // Logo Type Ext
	NameConstOID                  = asn1.ObjectIdentifier{2, 5, 29, 30}                  // Name Constraints
	OscpNoCheckOID                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OCSP No Check (identifier name keeps the historical "Oscp" spelling)
	PolicyConstOID                = asn1.ObjectIdentifier{2, 5, 29, 36}                  // Policy Constraints
	PolicyMapOID                  = asn1.ObjectIdentifier{2, 5, 29, 33}                  // Policy Mappings
	PrivKeyUsageOID               = asn1.ObjectIdentifier{2, 5, 29, 16}                  // Private Key Usage Period
	QcStateOid                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}     // QC Statements
	TimestampOID                  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List
	SmimeOID                      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15}   // Smime Capabilities
	SubjectAlternateNameOID       = asn1.ObjectIdentifier{2, 5, 29, 17}                  // Subject Alt Name
	SubjectDirAttrOID             = asn1.ObjectIdentifier{2, 5, 29, 9}                   // Subject Directory Attributes
	SubjectInfoAccessOID          = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11}    // Subject Info Access Syntax
	SubjectKeyIdentityOID         = asn1.ObjectIdentifier{2, 5, 29, 14}                  // Subject Key Identifier
	ReasonCodeOID                 = asn1.ObjectIdentifier{2, 5, 29, 21}                  // CRL Reason Code
	CRLNumberOID                  = asn1.ObjectIdentifier{2, 5, 29, 20}                  // CRL Number

	// Extended Key Usage OIDs
	PreCertificateSigningCertificateEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}

	// CA/B Reserved Certificate Policy Identifiers
	BRExtendedValidatedOID              = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // CA/B BR Reserved Certificate Policy Identifiers - Extended Validation
	BRDomainValidatedOID                = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Reserved Certificate Policy Identifiers - Domain-Validated
	BROrganizationValidatedOID          = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Reserved Certificate Policy Identifiers - Organization-Validated
	BRIndividualValidatedOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Reserved Certificate Policy Identifiers - Individual-Validated
	BRTorServiceDescriptor              = asn1.ObjectIdentifier{2, 23, 140, 1, 31}   // CA/B BR Tor Service Descriptor
	CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1}    // CA/B EV 9.8.2 cabfOrganizationIdentifier

	// CA/B S/MIME BR policy identifiers: 2.23.140.1.5.<validation type>.<generation>
	SMIMEBRMailboxValidatedLegacyOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 1} // CA/B SMIME BR Mailbox Validated, Legacy
	SMIMEBRMailboxValidatedMultipurposeOID      = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 2} // CA/B SMIME BR Mailbox Validated, Multipurpose
	SMIMEBRMailboxValidatedStrictOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 3} // CA/B SMIME BR Mailbox Validated, Strict
	SMIMEBROrganizationValidatedLegacyOID       = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 1} // CA/B SMIME BR Organization Validated, Legacy
	SMIMEBROrganizationValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 2} // CA/B SMIME BR Organization Validated, Multipurpose
	SMIMEBROrganizationValidatedStrictOID       = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 3} // CA/B SMIME BR Organization Validated, Strict
	SMIMEBRSponsorValidatedLegacyOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 1} // CA/B SMIME BR Sponsor Validated, Legacy
	SMIMEBRSponsorValidatedMultipurposeOID      = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 2} // CA/B SMIME BR Sponsor Validated, Multipurpose
	SMIMEBRSponsorValidatedStrictOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 3} // CA/B SMIME BR Sponsor Validated, Strict
	SMIMEBRIndividualValidatedLegacyOID         = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 1} // CA/B SMIME BR Individual Validated, Legacy
	SMIMEBRIndividualValidatedMultipurposeOID   = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 2} // CA/B SMIME BR Individual Validated, Multipurpose
	SMIMEBRIndividualValidatedStrictOID         = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 3} // CA/B SMIME BR Individual Validated, Strict

	// X.500 attribute types
	CommonNameOID             = asn1.ObjectIdentifier{2, 5, 4, 3}
	SurnameOID                = asn1.ObjectIdentifier{2, 5, 4, 4}
	SerialOID                 = asn1.ObjectIdentifier{2, 5, 4, 5}
	CountryNameOID            = asn1.ObjectIdentifier{2, 5, 4, 6}
	LocalityNameOID           = asn1.ObjectIdentifier{2, 5, 4, 7}
	StateOrProvinceNameOID    = asn1.ObjectIdentifier{2, 5, 4, 8}
	StreetAddressOID          = asn1.ObjectIdentifier{2, 5, 4, 9}
	OrganizationNameOID       = asn1.ObjectIdentifier{2, 5, 4, 10}
	OrganizationalUnitNameOID = asn1.ObjectIdentifier{2, 5, 4, 11}
	BusinessOID               = asn1.ObjectIdentifier{2, 5, 4, 15}
	PostalCodeOID             = asn1.ObjectIdentifier{2, 5, 4, 17}
	GivenNameOID              = asn1.ObjectIdentifier{2, 5, 4, 42}

	// SAN otherNames
	OidIdOnSmtpUtf8Mailbox = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 9}

	// Hash algorithms - see https://golang.org/src/crypto/x509/x509.go
	SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
	SHA512OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}

	// other OIDs
	// RSA algorithm identifiers; the dotted form of each except OidRSASSAPSS
	// is a key of RSAAlgorithmIDToDER.
	OidRSAEncryption           = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
	OidRSASSAPSS               = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
	OidMD2WithRSAEncryption    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
	OidMD5WithRSAEncryption    = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
	OidSHA1WithRSAEncryption   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
	OidSHA224WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14}
	OidSHA256WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
	OidSHA384WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
	OidSHA512WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
	// Certificate policy related OIDs (anyPolicy and the qualifier types).
	AnyPolicyOID  = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
	UserNoticeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2}
	CpsOID        = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
	// ETSI QC statement identifiers (id-etsi-qcs arc 0.4.0.1862.1).
	IdEtsiQcsQcCompliance      = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}
	IdEtsiQcsQcLimitValue      = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 2}
	IdEtsiQcsQcRetentionPeriod = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 3}
	IdEtsiQcsQcSSCD            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4}
	IdEtsiQcsQcEuPDS           = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 5}
	IdEtsiQcsQcType            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}
	IdEtsiQcsQctEsign          = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1}
	IdEtsiQcsQctEseal          = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2}
	IdEtsiQcsQctWeb            = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3}
)
// Effective dates of the RFCs, CA/B Forum ballots and browser root-program
// policies referenced by the lints; presumably compared against a
// certificate's NotBefore to decide whether a requirement applies — confirm
// against the lint code. All values are midnight UTC.
var (
	ZeroDate    = time.Date(0000, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC1035Date = time.Date(1987, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC2459Date = time.Date(1999, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC3279Date = time.Date(2002, time.April, 1, 0, 0, 0, 0, time.UTC)
	RFC3280Date = time.Date(2002, time.April, 1, 0, 0, 0, 0, time.UTC)
	RFC3490Date = time.Date(2003, time.March, 1, 0, 0, 0, 0, time.UTC)
	RFC8399Date = time.Date(2018, time.May, 1, 0, 0, 0, 0, time.UTC)
	RFC4325Date = time.Date(2005, time.December, 1, 0, 0, 0, 0, time.UTC)
	RFC4630Date = time.Date(2006, time.August, 1, 0, 0, 0, 0, time.UTC)
	RFC5280Date = time.Date(2008, time.May, 1, 0, 0, 0, 0, time.UTC)
	RFC6818Date = time.Date(2013, time.January, 1, 0, 0, 0, 0, time.UTC)
	RFC6962Date = time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC)
	RFC8813Date = time.Date(2020, time.August, 1, 0, 0, 0, 0, time.UTC)

	CABEffectiveDate           = time.Date(2012, time.July, 1, 0, 0, 0, 0, time.UTC)
	CABReservedIPDate          = time.Date(2016, time.October, 1, 0, 0, 0, 0, time.UTC)
	CABGivenNameDate           = time.Date(2016, time.September, 7, 0, 0, 0, 0, time.UTC)
	CABSerialNumberEntropyDate = time.Date(2016, time.September, 30, 0, 0, 0, 0, time.UTC)
	CABV102Date                = time.Date(2012, time.June, 8, 0, 0, 0, 0, time.UTC)
	CABV113Date                = time.Date(2013, time.February, 21, 0, 0, 0, 0, time.UTC)
	CABV114Date                = time.Date(2013, time.May, 3, 0, 0, 0, 0, time.UTC)
	CABV116Date                = time.Date(2013, time.July, 29, 0, 0, 0, 0, time.UTC)
	CABV130Date                = time.Date(2015, time.April, 16, 0, 0, 0, 0, time.UTC)
	CABV131Date                = time.Date(2015, time.September, 28, 0, 0, 0, 0, time.UTC)
	// https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.0.pdf
	CABV170Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC)

	NO_SHA1           = time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoRSA1024RootDate = time.Date(2011, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoRSA1024Date     = time.Date(2014, time.January, 1, 0, 0, 0, 0, time.UTC)
	// GeneralizedDate is the boundary after which validity times are encoded as
	// GeneralizedTime rather than UTCTime (years >= 2050).
	GeneralizedDate = time.Date(2050, time.January, 1, 0, 0, 0, 0, time.UTC)
	NoReservedIP    = time.Date(2015, time.November, 1, 0, 0, 0, 0, time.UTC)
	SubCert39Month  = time.Date(2016, time.July, 2, 0, 0, 0, 0, time.UTC)
	SubCert825Days  = time.Date(2018, time.March, 2, 0, 0, 0, 0, time.UTC)
	CABV148Date     = time.Date(2017, time.June, 8, 0, 0, 0, 0, time.UTC)

	EtsiEn319_412_5_V2_2_1_Date = time.Date(2017, time.November, 1, 0, 0, 0, 0, time.UTC)
	OnionOnlyEVDate             = time.Date(2015, time.May, 1, 0, 0, 0, 0, time.UTC)
	CABV201Date                 = time.Date(2017, time.July, 28, 0, 0, 0, 0, time.UTC)
	AppleCTPolicyDate           = time.Date(2018, time.October, 15, 0, 0, 0, 0, time.UTC)
	MozillaPolicy22Date         = time.Date(2013, time.July, 26, 0, 0, 0, 0, time.UTC)
	MozillaPolicy24Date         = time.Date(2017, time.February, 28, 0, 0, 0, 0, time.UTC)
	MozillaPolicy241Date        = time.Date(2017, time.March, 31, 0, 0, 0, 0, time.UTC)
	MozillaPolicy27Date         = time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC)

	CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate = time.Date(2019, time.April, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_6_2_Date                               = time.Date(2018, time.December, 10, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_2_1_Date                               = time.Date(2015, time.January, 16, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_6_9_Date                               = time.Date(2020, time.March, 27, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_7_1_Date                               = time.Date(2020, time.August, 20, 0, 0, 0, 0, time.UTC)
	AppleReducedLifetimeDate                         = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_7_9_Date                               = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC)
	CABFBRs_1_8_0_Date                               = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
	CABFBRs_2_0_0_Date                               = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
	// NOTE(review): 2.0.1 is dated after 2.0.2 and 2.0.3 here; the BR versions
	// were published in ascending date order, so confirm these two values
	// against the CA/B Forum BR changelog before relying on them.
	CABFBRs_2_0_1_Date = time.Date(2024, time.March, 15, 0, 0, 0, 0, time.UTC)
	CABFBRs_2_0_2_Date = time.Date(2024, time.January, 8, 0, 0, 0, 0, time.UTC)
	CABFBRs_2_0_3_Date = time.Date(2024, time.April, 15, 0, 0, 0, 0, time.UTC)
	CABFBRs_2_0_4_Date = time.Date(2024, time.May, 15, 0, 0, 0, 0, time.UTC)
	CABFBRs_2_0_5_Date = time.Date(2024, time.July, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_2_0_6_Date = time.Date(2024, time.August, 6, 0, 0, 0, 0, time.UTC)
	CABFBRs_2_0_7_Date = time.Date(2024, time.September, 6, 0, 0, 0, 0, time.UTC)
	CABFBRs_2_0_8_Date = time.Date(2024, time.October, 2, 0, 0, 0, 0, time.UTC)

	NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
	CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
	SC16EffectiveDate          = time.Date(2019, time.April, 16, 0, 0, 0, 0, time.UTC)
	SC17EffectiveDate          = time.Date(2019, time.June, 21, 0, 0, 0, 0, time.UTC)
	CABF_SMIME_BRs_1_0_0_Date  = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
	// Enforcement date of CRL reason codes from Ballot SC 061
	CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC)
	// Updates to the CABF BRs and EVGLs from Ballot SC 062
	// https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/
	SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
	// Date when section 9.2.8 of CABF EVG became effective
	CABFEV_Sec9_2_8_Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC)
	CABF_CS_BRs_1_2_Date = time.Date(2019, time.August, 13, 0, 0, 0, 0, time.UTC)
)
var (
	// CABFEV_9_8_2 is the effective date of EV Guidelines section 9.8.2
	// (cabfOrganizationIdentifier); it is an alias of CABV170Date.
	CABFEV_9_8_2 = CABV170Date
)
var (
	// KeyUsageToString maps an x509.KeyUsage bitmask to its name.
	// Each key is a single bit; a combined bitmask must be decomposed
	// (see GetKeyUsageStrings) before it is looked up here.
	KeyUsageToString = map[x509.KeyUsage]string{
		x509.KeyUsageDigitalSignature:  "KeyUsageDigitalSignature",
		x509.KeyUsageContentCommitment: "KeyUsageContentCommitment",
		x509.KeyUsageKeyEncipherment:   "KeyUsageKeyEncipherment",
		x509.KeyUsageDataEncipherment:  "KeyUsageDataEncipherment",
		x509.KeyUsageKeyAgreement:      "KeyUsageKeyAgreement",
		x509.KeyUsageCertSign:          "KeyUsageCertSign",
		x509.KeyUsageCRLSign:           "KeyUsageCRLSign",
		x509.KeyUsageEncipherOnly:      "KeyUsageEncipherOnly",
		x509.KeyUsageDecipherOnly:      "KeyUsageDecipherOnly",
	}
)
// Additional OIDs not provided by the x509 package.
var (
	// 1.2.840.10045.4.3.1 is SHA224withECDSA
	OidSignatureSHA224withECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 1}
)
Additional OIDs not provided by the x509 package.
// RSAAlgorithmIDToDER maps the dotted string form of an RSA algorithm OID
// (rsaEncryption and the *WithRSAEncryption signature OIDs) to the DER
// encoding of the corresponding pkix.AlgorithmIdentifier with an explicit
// NULL parameters field: SEQUENCE(0x30, len 13) { OID(0x06, len 9) ..., NULL(0x05 0x00) }.
// RFC 4055 requires NULL parameters for these algorithms, so an
// AlgorithmIdentifier that omits the parameters field will not byte-match
// any entry here; callers comparing encodings should treat that as a
// mis-encoding rather than a missing OID.
var RSAAlgorithmIDToDER = map[string][]byte{
	"1.2.840.113549.1.1.1":  {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x1, 0x5, 0x0},
	"1.2.840.113549.1.1.2":  {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x2, 0x5, 0x0},
	"1.2.840.113549.1.1.4":  {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x4, 0x5, 0x0},
	"1.2.840.113549.1.1.5":  {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x5, 0x5, 0x0},
	"1.2.840.113549.1.1.14": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xe, 0x5, 0x0},
	"1.2.840.113549.1.1.11": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 0x5, 0x0},
	"1.2.840.113549.1.1.12": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xc, 0x5, 0x0},
	"1.2.840.113549.1.1.13": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xd, 0x5, 0x0},
}
RSAAlgorithmIDToDER contains DER representations of pkix.AlgorithmIdentifier for different RSA OIDs with Parameters as asn1.NULL.
Functions ¶
func AllAlternateNameWithTagAreIA5 ¶
AllAlternateNameWithTagAreIA5 returns true if all sequence members with the given tag are encoded as IA5 strings, and false otherwise. If it encounters errors parsing asn1, err will be non-nil.
func AuthIsFQDNOrIP ¶
func BeforeOrOn ¶ added in v3.3.1
BeforeOrOn returns whether left is before or strictly equal to right.
func CertificateSubjInTLD ¶
func CertificateSubjInTLD(c *x509.Certificate, label string) bool
CertificateSubjInTLD checks whether the provided Certificate has a Subject Common Name or DNS Subject Alternate Name that ends in the provided TLD label. If IsInTLDMap(label) returns false then CertificateSubjInTLD will return false.
func CheckAlgorithmIDParamNotNULL ¶
func CheckAlgorithmIDParamNotNULL(algorithmIdentifier []byte, requiredAlgoID asn1.ObjectIdentifier) error
CheckAlgorithmIDParamNotNULL parses an AlgorithmIdentifier with algorithm OID rsaEncryption to check that the Param field is asn1.NULL. It expects a DER-encoded AlgorithmIdentifier, including tag and length.
func CheckRDNSequenceWhiteSpace ¶
CheckRDNSequenceWhiteSpace reports, via its leading and trailing results respectively, whether any name attribute in the sequence has leading or trailing whitespace.
func CommonNameIsIP ¶
func CommonNameIsIP(cert *x509.Certificate) bool
func DNSNamesExist ¶
func DNSNamesExist(cert *x509.Certificate) bool
func GetAuthority ¶
func GetEKUString ¶ added in v3.6.0
func GetEKUString(eku x509.ExtKeyUsage) string
GetEKUString returns a human friendly Extended Key Usage (EKU) string.
func GetEKUStrings ¶ added in v3.6.0
func GetEKUStrings(eku []x509.ExtKeyUsage) []string
GetEKUStrings returns a list of human friendly Extended Key Usage (EKU) strings.
func GetExtFromCert ¶
func GetExtFromCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension
GetExtFromCert returns the extension with the matching OID, if present. If the extension is not present, it returns nil.
func GetKeyUsageStrings ¶ added in v3.6.0
GetKeyUsageStrings returns a list of the key usages included in the given bitmask.
func GetMappedPolicies ¶
func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error)
GetMappedPolicies is a helper that parses a policyMappings extension and returns the CertPolicyId pairs it contains, one pair per domain mapping.
func GetPublicKeyAidEncoded ¶
func GetPublicKeyAidEncoded(c *x509.Certificate) ([]byte, error)
GetPublicKeyAidEncoded returns the algorithm field of the certificate's SubjectPublicKeyInfo in its encoded form (including tag and length), or an error if the algorithm field could not be extracted.
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm        AlgorithmIdentifier,
    subjectPublicKey BIT STRING
}
func GetPublicKeyOID ¶
func GetPublicKeyOID(c *x509.Certificate) (asn1.ObjectIdentifier, error)
GetPublicKeyOID returns the algorithm field of the certificate's SubjectPublicKeyInfo, or an error if the algorithm field could not be extracted.
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm        AlgorithmIdentifier,
    subjectPublicKey BIT STRING
}
func GetSignatureAlgorithmInTBSEncoded ¶
func GetSignatureAlgorithmInTBSEncoded(c *x509.Certificate) ([]byte, error)
GetSignatureAlgorithmInTBSEncoded returns the signature field of this certificate's tbsCertificate in DER-encoded form, or an error if the signature field could not be extracted. The encoded form includes the tag and the length.
TBSCertificate ::= SEQUENCE {
    version              [0] EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID       [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3
    subjectUniqueID      [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3
    extensions           [3] EXPLICIT Extensions OPTIONAL       -- If present, version MUST be v3
}
func GetTimes ¶
TODO(@cpu): This function is a little bit rough around the edges (especially after my quick fixes for the ineffassigns) and would be a good candidate for clean-up/refactoring.
func GetTypesInName ¶ added in v3.6.2
func GetTypesInName(name *pkix.Name) []asn1.ObjectIdentifier
func HasEKU ¶
func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool
HasEKU tests whether an Extended Key Usage (EKU) is present in a certificate.
func HasEmailSAN ¶ added in v3.6.0
func HasEmailSAN(c *x509.Certificate) bool
func HasKeyUsage ¶ added in v3.4.0
func HasKeyUsage(c *x509.Certificate, usage x509.KeyUsage) bool
HasKeyUsage returns whether-or-not the given x509.KeyUsage is present within the given certificate's KeyUsage bitmap. The certificate, however, is NOT checked for whether-or-not it actually has a key usage OID. If you wish to check for the presence of the key usage OID, please use HasKeyUsageOID.
func HasKeyUsageOID ¶ added in v3.4.0
func HasKeyUsageOID(c *x509.Certificate) bool
HasKeyUsageOID returns whether-or-not the OID 2.5.29.15 is present in the given certificate's extensions.
func HasReservedLabelPrefix ¶ added in v3.3.1
HasReservedLabelPrefix checks whether the given string (presumably a domain label) has hyphens ("-") as the third and fourth characters. Domain labels with hyphens in these positions are considered to be "Reserved Labels" per RFC 5890, section 2.3.1. (https://datatracker.ietf.org/doc/html/rfc5890#section-2.3.1)
func HasValidTLD ¶
HasValidTLD checks that a domain ends in a valid TLD that was delegated in the root DNS at the time specified.
func HasXNLabelPrefix ¶ added in v3.3.1
HasXNLabelPrefix checks whether the given string (presumably a domain label) is prefixed with the case-insensitive string "xn--" (the IDNA ACE prefix).
This check is useful given the following bug report for IDNA, wherein the ACE prefix was incorrectly taken to be case-sensitive.
func IdnaToUnicode ¶ added in v3.3.1
IdnaToUnicode is a wrapper around idna.ToUnicode.
If the provided string starts with the IDNA ACE prefix ("xn--", case insensitive), then that ACE prefix is coerced to a lowercase "xn--" before processing by the idna package.
This is only necessary due to the bug at https://github.com/golang/go/issues/48778
func IntersectsIANAReserved ¶
IntersectsIANAReserved checks whether a CIDR intersects any IANA-reserved CIDR.
func IsCodeSigning ¶ added in v3.6.4
func IsCodeSigning(policies []asn1.ObjectIdentifier) bool
func IsDelegatedOCSPResponderCert ¶ added in v3.1.0
func IsDelegatedOCSPResponderCert(cert *x509.Certificate) bool
IsDelegatedOCSPResponderCert returns true if the id-kp-OCSPSigning EKU is set. According to https://tools.ietf.org/html/rfc6960#section-4.2.2.2, it is not sufficient to have only id-kp-anyExtendedKeyUsage included.
func IsEV ¶
func IsEV(in []asn1.ObjectIdentifier) bool
IsEV returns true if the input is a known Extended Validation OID.
func IsEmailProtectionCert ¶ added in v3.6.0
func IsEmailProtectionCert(cert *x509.Certificate) bool
IsEmailProtectionCert returns true if the certificate presented is for use protecting emails. The S/MIME BRs say the certificate can be identified by an EKU for id-kp-emailProtection and the inclusion of a rfc822Name SAN or an otherName of type id-on-SmtpUTF8Mailbox. As a way of being overly cautious and choosing to prefer false positives over false negatives, also include certificates that have no EKUs, the any purpose EKU, or one of the policy OIDs.
func IsEmptyASN1Sequence ¶
func IsExtInCert ¶
func IsExtInCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool
IsExtInCert is equivalent to GetExtFromCert() != nil.
func IsFQDNOrIP ¶
func IsIA5String ¶
IsIA5String returns true if raw is an IA5String, and returns false otherwise.
func IsIANAReserved ¶
IsIANAReserved checks whether an IP address falls within an IANA-reserved range, per the following registries:
IPv4:
  https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
  https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
IPv6:
  https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
  https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml
func IsISOCountryCode ¶
IsISOCountryCode returns true if the input is a known two-letter country code.
TODO: Document where the list of known countries came from.
func IsInPrefSyn ¶
func IsInTLDMap ¶
IsInTLDMap checks that a label is present in the TLD map. It does not consider the TLD's validity period and whether the TLD may have been removed, only whether it was ever a TLD that was delegated.
func IsIndividualValidatedCertificate ¶ added in v3.6.2
func IsIndividualValidatedCertificate(c *x509.Certificate) bool
func IsLDHLabel ¶ added in v3.6.0
func IsLegacySMIMECertificate ¶ added in v3.6.0
func IsLegacySMIMECertificate(c *x509.Certificate) bool
func IsMailboxAddress ¶ added in v3.6.2
IsMailboxAddress returns true if the passed in string resembles an RFC 5322 mailbox address.
func IsMailboxValidatedCertificate ¶ added in v3.6.0
func IsMailboxValidatedCertificate(c *x509.Certificate) bool
func IsMultipurposeSMIMECertificate ¶ added in v3.6.0
func IsMultipurposeSMIMECertificate(c *x509.Certificate) bool
func IsNameAttribute ¶
func IsNameAttribute(oid asn1.ObjectIdentifier) bool
IsNameAttribute returns true if the given ObjectIdentifier corresponds with the type of any name attribute for PKIX.
func IsOnionV2Address ¶ added in v3.4.0
IsOnionV2Address returns whether-or-not the given address appears to be an Onion V2 address.
In order to be an Onion V2 encoded address, the DNS name must satisfy the following:
- The address has at least two labels.
- The right most label is the .onion TLD.
- The second-to-rightmost label is 16 characters long and base32 encoded.
func IsOnionV2Cert ¶ added in v3.4.0
func IsOnionV2Cert(c *x509.Certificate) bool
IsOnionV2Cert returns whether-or-not the provided certificate's subject common name, or any of its DNS names, is a version 2 Onion address.
func IsOnionV3Address ¶ added in v3.4.0
IsOnionV3Address returns whether or not the provided DNS name is an Onion V3 encoded address.
In order to be an Onion V3 encoded address, the DNS name must satisfy the following:
- Contain at least two labels.
- The right most label MUST be "onion".
- The second to the right most label MUST be exactly 56 characters long.
- The second to the right most label MUST be base32 encoded against the lowercase standard encoding.
- The final byte of the decoded result from the previous step MUST be equal to 0x03.
func IsOnionV3Cert ¶ added in v3.3.1
func IsOnionV3Cert(c *x509.Certificate) bool
IsOnionV3Cert returns whether-or-not the provided certificate's subject common name, or any of its DNS names, is a version 3 Onion address.
func IsOrganizationValidatedCertificate ¶ added in v3.6.0
func IsOrganizationValidatedCertificate(c *x509.Certificate) bool
func IsRootCA ¶
func IsRootCA(c *x509.Certificate) bool
IsRootCA returns true if c has IsCA set and is also self-signed.
func IsSMIMEBRCertificate ¶ added in v3.6.0
func IsSMIMEBRCertificate(c *x509.Certificate) bool
func IsSelfSigned ¶
func IsSelfSigned(c *x509.Certificate) bool
IsSelfSigned returns true if SelfSigned is set.
func IsServerAuthCert ¶
func IsServerAuthCert(cert *x509.Certificate) bool
func IsSponsorValidatedCertificate ¶ added in v3.6.0
func IsSponsorValidatedCertificate(c *x509.Certificate) bool
func IsStrictSMIMECertificate ¶ added in v3.6.0
func IsStrictSMIMECertificate(c *x509.Certificate) bool
func IsSubCA ¶
func IsSubCA(c *x509.Certificate) bool
IsSubCA returns true if c has IsCA set, but is not self-signed.
func IsSubscriberCert ¶
func IsSubscriberCert(c *x509.Certificate) bool
IsSubscriberCert returns true if a certificate is not a CA and not self-signed.
func KeyUsageIsPresent ¶ added in v3.4.0
KeyUsageIsPresent checks the provided bitmap (keyUsages) for presence of the provided x509.KeyUsage.
func OnOrAfter ¶ added in v3.3.1
OnOrAfter returns whether left is after or strictly equal to right.
func ParseBMPString ¶
ParseBMPString parses a uint16-encoded string (a BMPString) from the given bytes, following the specification for the BMPString type.
func PrimeNoSmallerThan752 ¶
func RemovePrependedWildcard ¶
func SliceContainsOID ¶
func SliceContainsOID(list []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier) bool
SliceContainsOID is a helper that reports whether an []asn1.ObjectIdentifier slice contains the given asn1.ObjectIdentifier.
func TypeInName ¶
func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool
TypeInName is a helper that reports whether the given name type (OID) is present in a pkix.Name.
Types ¶
type AttributeTypeAndRawValue ¶
// AttributeTypeAndRawValue pairs an attribute type OID with its value left
// as undecoded ASN.1, so the original encoding (string type, whitespace)
// can be inspected rather than the normalised Go string.
type AttributeTypeAndRawValue struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue
}
type AttributeTypeAndRawValueSET ¶
// AttributeTypeAndRawValueSET is one RelativeDistinguishedName: the set of
// attributes at a single level of a Name, each kept with its raw value.
type AttributeTypeAndRawValueSET []AttributeTypeAndRawValue
type Etsi421QualEuCert ¶
// Etsi421QualEuCert represents a parsed ETSI QcStatement; presumably the
// QcCompliance statement (IdEtsiQcsQcCompliance), given the name — confirm
// against ParseQcStatem. It carries no exported data; GetErrorInfo reports
// any parse problem.
type Etsi421QualEuCert struct {
	// contains filtered or unexported fields
}
func (Etsi421QualEuCert) GetErrorInfo ¶
func (this Etsi421QualEuCert) GetErrorInfo() string
type Etsi423QcType ¶
// Etsi423QcType holds the QcType OIDs found in a parsed ETSI QcStatement
// (compare IdEtsiQcsQcType and the IdEtsiQcsQct* identifiers). Any parse
// problem is reported by GetErrorInfo rather than returned as an error.
type Etsi423QcType struct {
	TypeOids []asn1.ObjectIdentifier
	// contains filtered or unexported fields
}
func (Etsi423QcType) GetErrorInfo ¶
func (this Etsi423QcType) GetErrorInfo() string
type EtsiMonetaryValueAlph ¶
type EtsiMonetaryValueNum ¶
type EtsiQcLimitValue ¶
// EtsiQcLimitValue holds a parsed QcLimitValue statement (IdEtsiQcsQcLimitValue),
// i.e. a monetary transaction limit. Any parse problem is reported by GetErrorInfo.
type EtsiQcLimitValue struct {
	Amount   int
	Exponent int
	// IsNum presumably selects whether the currency is given numerically
	// (CurrencyNum) or alphabetically (CurrencyAlph); compare the
	// EtsiMonetaryValueNum / EtsiMonetaryValueAlph types — confirm against the parser.
	IsNum        bool
	CurrencyAlph string
	CurrencyNum  int
	// contains filtered or unexported fields
}
func (EtsiQcLimitValue) GetErrorInfo ¶
func (this EtsiQcLimitValue) GetErrorInfo() string
type EtsiQcPds ¶
// EtsiQcPds holds the PKI Disclosure Statement locations from a parsed
// QcEuPDS statement (IdEtsiQcsQcEuPDS). Any parse problem is reported by GetErrorInfo.
type EtsiQcPds struct {
	PdsLocations []PdsLocation
	// contains filtered or unexported fields
}
func (EtsiQcPds) GetErrorInfo ¶
func (this EtsiQcPds) GetErrorInfo() string
type EtsiQcRetentionPeriod ¶
// EtsiQcRetentionPeriod holds a parsed QcRetentionPeriod statement
// (IdEtsiQcsQcRetentionPeriod). Any parse problem is reported by GetErrorInfo.
type EtsiQcRetentionPeriod struct {
	// Period's unit is not visible here (ETSI EN 319 412-5 defines the
	// retention period in years) — confirm against the parser.
	Period int
	// contains filtered or unexported fields
}
func (EtsiQcRetentionPeriod) GetErrorInfo ¶
func (this EtsiQcRetentionPeriod) GetErrorInfo() string
type EtsiQcSscd ¶
// EtsiQcSscd represents a parsed QcSSCD statement (IdEtsiQcsQcSSCD). It
// carries no exported data; GetErrorInfo reports any parse problem.
type EtsiQcSscd struct {
	// contains filtered or unexported fields
}
func (EtsiQcSscd) GetErrorInfo ¶
func (this EtsiQcSscd) GetErrorInfo() string
type EtsiQcStmtIf ¶
func ParseQcStatem ¶
func ParseQcStatem(extVal []byte, sought asn1.ObjectIdentifier) EtsiQcStmtIf
type GTLDPeriod ¶
// GTLDPeriod is a struct representing a gTLD's validity period. The date
// fields are strings rather than time.Time; presumably they are parsed with
// GTLDPeriodDateFormat — confirm against `Valid`.
type GTLDPeriod struct {
	// GTLD is the GTLD the period corresponds to. It is used only for friendly
	// error messages from `Valid`
	GTLD string
	// DelegationDate is the date at which ICANN delegated the gTLD into existence
	// from the root DNS, or is empty if the gTLD was never delegated.
	DelegationDate string
	// RemovalDate is the date at which ICANN removed the gTLD delegation from the
	// root DNS, or is empty if the gTLD is still delegated and has not been
	// removed.
	RemovalDate string
}
GTLDPeriod is a struct representing a gTLD's validity period. The field names are chosen to match the data returned by the ICANN gTLD v2 JSON registry[0]. See the `zlint-gtld-update` command for more information. [0] - https://www.icann.org/resources/registries/gtlds/v2/gtlds.json
type PdsLocation ¶
type RawRDNSequence ¶
// RawRDNSequence is an X.500 Name as an ordered sequence of RDN sets whose
// attribute values are kept as raw ASN.1; presumably the decode target used
// by CheckRDNSequenceWhiteSpace — confirm against that function.
type RawRDNSequence []AttributeTypeAndRawValueSET