x509

Imports

Imports #

macOS "crypto/x509/internal/macos"
"errors"
"fmt"
"io/fs"
"os"
"path/filepath"
"strings"
"bytes"
"crypto"
"crypto/x509/pkix"
"errors"
"fmt"
"iter"
"maps"
"net"
"net/netip"
"net/url"
"reflect"
"runtime"
"strings"
"time"
"unicode/utf8"
"crypto/ecdh"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"crypto/x509/pkix"
"encoding/asn1"
"errors"
"fmt"
"bytes"
"errors"
"strings"
"syscall"
"unsafe"
"crypto/aes"
"crypto/cipher"
"crypto/des"
"crypto/md5"
"encoding/hex"
"encoding/pem"
"errors"
"io"
"strings"
"internal/goos"
"bytes"
"crypto/sha256"
"encoding/pem"
"sync"
"bytes"
"crypto/dsa"
"crypto/ecdh"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rsa"
"crypto/x509/pkix"
"encoding/asn1"
"errors"
"fmt"
"internal/godebug"
"math/big"
"net"
"net/url"
"strconv"
"strings"
"time"
"unicode/utf16"
"unicode/utf8"
"golang.org/x/crypto/cryptobyte"
cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
"crypto/rsa"
"encoding/asn1"
"errors"
"internal/godebug"
"math/big"
"os"
"crypto/ecdh"
"crypto/ecdsa"
"crypto/elliptic"
"encoding/asn1"
"errors"
"fmt"
"math/big"
"bytes"
"crypto"
"crypto/ecdh"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
cryptorand "crypto/rand"
"crypto/rsa"
"crypto/sha1"
"crypto/x509/pkix"
"encoding/asn1"
"encoding/pem"
"errors"
"fmt"
"internal/godebug"
"io"
"math/big"
"net"
"net/url"
"strconv"
"time"
"unicode"
_ "crypto/sha1"
_ "crypto/sha256"
_ "crypto/sha512"
"golang.org/x/crypto/cryptobyte"
cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
"bytes"
"encoding/asn1"
"errors"
"math"
"math/big"
"math/bits"
"strconv"
"strings"
"internal/godebug"
"sync"
_ "unsafe"

Constants & Variables

CANotAuthorizedForExtKeyUsage const #

CANotAuthorizedForExtKeyUsage results when an intermediate or root certificate does not permit a requested extended key usage.

const CANotAuthorizedForExtKeyUsage

CANotAuthorizedForThisName const #

CANotAuthorizedForThisName results when an intermediate or root certificate has a name constraint which doesn't permit a DNS or other name (including IP address) in the leaf certificate.

const CANotAuthorizedForThisName

DSA const #

const DSA

DSAWithSHA1 const #

const DSAWithSHA1

DSAWithSHA256 const #

const DSAWithSHA256

ECDSA const #

const ECDSA

ECDSAWithSHA1 const #

const ECDSAWithSHA1

ECDSAWithSHA256 const #

const ECDSAWithSHA256

ECDSAWithSHA384 const #

const ECDSAWithSHA384

ECDSAWithSHA512 const #

const ECDSAWithSHA512

Ed25519 const #

const Ed25519

ErrUnsupportedAlgorithm var #

ErrUnsupportedAlgorithm results from attempting to perform an operation that involves algorithms that are not currently implemented.

var ErrUnsupportedAlgorithm = *ast.CallExpr

Expired const #

Expired results when a certificate has expired, based on the time given in the VerifyOptions.

const Expired

ExtKeyUsageAny const #

const ExtKeyUsageAny ExtKeyUsage = iota

ExtKeyUsageClientAuth const #

const ExtKeyUsageClientAuth

ExtKeyUsageCodeSigning const #

const ExtKeyUsageCodeSigning

ExtKeyUsageEmailProtection const #

const ExtKeyUsageEmailProtection

ExtKeyUsageIPSECEndSystem const #

const ExtKeyUsageIPSECEndSystem

ExtKeyUsageIPSECTunnel const #

const ExtKeyUsageIPSECTunnel

ExtKeyUsageIPSECUser const #

const ExtKeyUsageIPSECUser

ExtKeyUsageMicrosoftCommercialCodeSigning const #

const ExtKeyUsageMicrosoftCommercialCodeSigning

ExtKeyUsageMicrosoftKernelCodeSigning const #

const ExtKeyUsageMicrosoftKernelCodeSigning

ExtKeyUsageMicrosoftServerGatedCrypto const #

const ExtKeyUsageMicrosoftServerGatedCrypto

ExtKeyUsageNetscapeServerGatedCrypto const #

const ExtKeyUsageNetscapeServerGatedCrypto

ExtKeyUsageOCSPSigning const #

const ExtKeyUsageOCSPSigning

ExtKeyUsageServerAuth const #

const ExtKeyUsageServerAuth

ExtKeyUsageTimeStamping const #

const ExtKeyUsageTimeStamping

IncompatibleUsage const #

IncompatibleUsage results when the certificate's key usage indicates that it may only be used for a different purpose.

const IncompatibleUsage

IncorrectPasswordError var #

IncorrectPasswordError is returned when an incorrect password is detected.

var IncorrectPasswordError = *ast.CallExpr

KeyUsageCRLSign const #

const KeyUsageCRLSign

KeyUsageCertSign const #

const KeyUsageCertSign

KeyUsageContentCommitment const #

const KeyUsageContentCommitment

KeyUsageDataEncipherment const #

const KeyUsageDataEncipherment

KeyUsageDecipherOnly const #

const KeyUsageDecipherOnly

KeyUsageDigitalSignature const #

const KeyUsageDigitalSignature KeyUsage = *ast.BinaryExpr

KeyUsageEncipherOnly const #

const KeyUsageEncipherOnly

KeyUsageKeyAgreement const #

const KeyUsageKeyAgreement

KeyUsageKeyEncipherment const #

const KeyUsageKeyEncipherment

MD2WithRSA const #

const MD2WithRSA

MD5WithRSA const #

const MD5WithRSA

NameConstraintsWithoutSANs const #

NameConstraintsWithoutSANs is a legacy error and is no longer returned.

const NameConstraintsWithoutSANs

NameMismatch const #

NameMismatch results when the subject name of a parent certificate does not match the issuer name in the child.

const NameMismatch

NoValidChains const #

NoValidChains results when there are no valid chains to return.

const NoValidChains

NotAuthorizedToSign const #

NotAuthorizedToSign results when a certificate is signed by another which isn't marked as a CA certificate.

const NotAuthorizedToSign InvalidReason = iota

PEMCipher3DES const #

Possible values for the EncryptPEMBlock encryption algorithm.

const PEMCipher3DES

PEMCipherAES128 const #

Possible values for the EncryptPEMBlock encryption algorithm.

const PEMCipherAES128

PEMCipherAES192 const #

Possible values for the EncryptPEMBlock encryption algorithm.

const PEMCipherAES192

PEMCipherAES256 const #

Possible values for the EncryptPEMBlock encryption algorithm.

const PEMCipherAES256

PEMCipherDES const #

Possible values for the EncryptPEMBlock encryption algorithm.

const PEMCipherDES

PureEd25519 const #

const PureEd25519

RSA const #

const RSA

SHA1WithRSA const #

const SHA1WithRSA

SHA256WithRSA const #

const SHA256WithRSA

SHA256WithRSAPSS const #

const SHA256WithRSAPSS

SHA384WithRSA const #

const SHA384WithRSA

SHA384WithRSAPSS const #

const SHA384WithRSAPSS

SHA512WithRSA const #

const SHA512WithRSA

SHA512WithRSAPSS const #

const SHA512WithRSAPSS

TooManyConstraints const #

TooManyConstraints results when the number of comparison operations needed to check a certificate exceeds the limit set by VerifyOptions.MaxConstraintComparisions. This limit exists to prevent pathological certificates can consuming excessive amounts of CPU time to verify.

const TooManyConstraints

TooManyIntermediates const #

TooManyIntermediates results when a path length constraint is violated.

const TooManyIntermediates

UnconstrainedName const #

UnconstrainedName results when a CA certificate contains permitted name constraints, but leaf certificate contains a name of an unsupported or unconstrained type.

const UnconstrainedName

UnknownPublicKeyAlgorithm const #

const UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota

UnknownSignatureAlgorithm const #

const UnknownSignatureAlgorithm SignatureAlgorithm = iota

_ const #

Possible values for the EncryptPEMBlock encryption algorithm.

const _ PEMCipher = iota

anyPolicyOID var #

var anyPolicyOID = *ast.CallExpr

certDirEnv const #

certDirEnv is the environment variable which identifies which directory to check for SSL certificate files. If set this overrides the system default. It is a colon separated list of directories. See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html.

const certDirEnv = "SSL_CERT_DIR"

certDirectories var #

Possible directories with certificate files; all will be read.

var certDirectories = []string{...}

certDirectories var #

Possible directories with certificate files; all will be read.

var certDirectories = []string{...}

certDirectories var #

Possible directories with certificate files; all will be read.

var certDirectories = []string{...}

certDirectories var #

Possible directories with certificate files; all will be read.

var certDirectories = []string{...}

certDirectories var #

Possible directories with certificate files; all will be read.

var certDirectories = []string{...}

certFileEnv const #

certFileEnv is the environment variable which identifies where to locate the SSL certificate file. If set this overrides the system default.

const certFileEnv = "SSL_CERT_FILE"

certFiles var #

Possible certificate files; stop after finding one.

var certFiles = []string{...}

certFiles var #

Possible certificate files; stop after finding one.

var certFiles = []string{...}

certFiles var #

Possible certificate files; stop after finding one.

var certFiles = []string{...}

certFiles var #

Possible certificate files; stop after finding one.

var certFiles = []string{...}

certFiles var #

Possible certificate files; stop after finding one.

var certFiles = []string{...}

certFiles var #

Possible certificate files; stop after finding one.

var certFiles = []string{...}

ecPrivKeyVersion const #

const ecPrivKeyVersion = 1

emptyASN1Subject var #

emptyASN1Subject is the ASN.1 DER encoding of an empty Subject, which is just an empty SEQUENCE.

var emptyASN1Subject = []byte{...}

emptyRawValue var #

var emptyRawValue = asn1.RawValue{...}

errInvalidOID var #

var errInvalidOID = *ast.CallExpr

errNotParsed var #

errNotParsed is returned when a certificate without ASN.1 contents is verified. Platform-specific verification needs the ASN.1 contents.

var errNotParsed = *ast.CallExpr

extKeyUsageOIDs var #

extKeyUsageOIDs contains the mapping between an ExtKeyUsage and its OID.

var extKeyUsageOIDs = []struct{...}{...}

fallbacksSet var #

systemRoots should be an internal detail, but widely used packages access it using linkname. Notable members of the hall of shame include: - github.com/breml/rootcerts Do not remove or change the type signature. See go.dev/issue/67401. go:linkname systemRoots

var fallbacksSet bool

intermediateCertificate const #

const intermediateCertificate

leafCertificate const #

const leafCertificate = iota

maxChainSignatureChecks const #

maxChainSignatureChecks is the maximum number of CheckSignatureFrom calls that an invocation of buildChains will (transitively) make. Most chains are less than 15 certificates long, so this leaves space for multiple chains and for failed checks due to different intermediates having the same Subject.

const maxChainSignatureChecks = 100

nameTypeDNS const #

const nameTypeDNS = 2

nameTypeEmail const #

const nameTypeEmail = 1

nameTypeIP const #

const nameTypeIP = 7

nameTypeURI const #

const nameTypeURI = 6

oidAuthorityInfoAccessIssuers var #

var oidAuthorityInfoAccessIssuers = asn1.ObjectIdentifier{...}

oidAuthorityInfoAccessOcsp var #

var oidAuthorityInfoAccessOcsp = asn1.ObjectIdentifier{...}

oidExtKeyUsageAny var #

RFC 5280, 4.2.1.12 Extended Key Usage anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }

var oidExtKeyUsageAny = asn1.ObjectIdentifier{...}

oidExtKeyUsageClientAuth var #

var oidExtKeyUsageClientAuth = asn1.ObjectIdentifier{...}

oidExtKeyUsageCodeSigning var #

var oidExtKeyUsageCodeSigning = asn1.ObjectIdentifier{...}

oidExtKeyUsageEmailProtection var #

var oidExtKeyUsageEmailProtection = asn1.ObjectIdentifier{...}

oidExtKeyUsageIPSECEndSystem var #

var oidExtKeyUsageIPSECEndSystem = asn1.ObjectIdentifier{...}

oidExtKeyUsageIPSECTunnel var #

var oidExtKeyUsageIPSECTunnel = asn1.ObjectIdentifier{...}

oidExtKeyUsageIPSECUser var #

var oidExtKeyUsageIPSECUser = asn1.ObjectIdentifier{...}

oidExtKeyUsageMicrosoftCommercialCodeSigning var #

var oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{...}

oidExtKeyUsageMicrosoftKernelCodeSigning var #

var oidExtKeyUsageMicrosoftKernelCodeSigning = asn1.ObjectIdentifier{...}

oidExtKeyUsageMicrosoftServerGatedCrypto var #

var oidExtKeyUsageMicrosoftServerGatedCrypto = asn1.ObjectIdentifier{...}

oidExtKeyUsageNetscapeServerGatedCrypto var #

var oidExtKeyUsageNetscapeServerGatedCrypto = asn1.ObjectIdentifier{...}

oidExtKeyUsageOCSPSigning var #

var oidExtKeyUsageOCSPSigning = asn1.ObjectIdentifier{...}

oidExtKeyUsageServerAuth var #

var oidExtKeyUsageServerAuth = asn1.ObjectIdentifier{...}

oidExtKeyUsageTimeStamping var #

var oidExtKeyUsageTimeStamping = asn1.ObjectIdentifier{...}

oidExtensionAuthorityInfoAccess var #

var oidExtensionAuthorityInfoAccess = []int{...}

oidExtensionAuthorityKeyId var #

var oidExtensionAuthorityKeyId = []int{...}

oidExtensionBasicConstraints var #

var oidExtensionBasicConstraints = []int{...}

oidExtensionCRLDistributionPoints var #

var oidExtensionCRLDistributionPoints = []int{...}

oidExtensionCRLNumber var #

var oidExtensionCRLNumber = []int{...}

oidExtensionCertificatePolicies var #

var oidExtensionCertificatePolicies = []int{...}

oidExtensionExtendedKeyUsage var #

var oidExtensionExtendedKeyUsage = []int{...}

oidExtensionKeyUsage var #

var oidExtensionKeyUsage = []int{...}

oidExtensionNameConstraints var #

var oidExtensionNameConstraints = []int{...}

oidExtensionReasonCode var #

var oidExtensionReasonCode = []int{...}

oidExtensionRequest var #

oidExtensionRequest is a PKCS #9 OBJECT IDENTIFIER that indicates requested extensions in a CSR.

var oidExtensionRequest = asn1.ObjectIdentifier{...}

oidExtensionSubjectAltName var #

var oidExtensionSubjectAltName = []int{...}

oidExtensionSubjectKeyId var #

var oidExtensionSubjectKeyId = []int{...}

oidISOSignatureSHA1WithRSA var #

oidISOSignatureSHA1WithRSA means the same as oidSignatureSHA1WithRSA but it's specified by ISO. Microsoft's makecert.exe has been known to produce certificates with this OID.

var oidISOSignatureSHA1WithRSA = asn1.ObjectIdentifier{...}

oidMGF1 var #

OIDs for signature algorithms pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } RFC 3279 2.2.1 RSA Signature Algorithms md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } dsaWithSha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 3 } RFC 3279 2.2.3 ECDSA Signature Algorithm ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-x962(10045) signatures(4) ecdsa-with-SHA1(1)} RFC 4055 5 PKCS #1 Version 1.5 sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } RFC 5758 3.1 DSA Signature Algorithms dsaWithSha256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) algorithms(4) id-dsa-with-sha2(3) 2} RFC 5758 3.2 ECDSA Signature Algorithm ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 } RFC 8410 3 Curve25519 and Curve448 Algorithm Identifiers id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 }

var oidMGF1 = asn1.ObjectIdentifier{...}

oidNamedCurveP224 var #

RFC 5480, 2.1.1.1. Named Curve secp224r1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) curve(0) 33 } secp256r1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 7 } secp384r1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) curve(0) 34 } secp521r1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) curve(0) 35 } NB: secp256r1 is equivalent to prime256v1

var oidNamedCurveP224 = asn1.ObjectIdentifier{...}

oidNamedCurveP256 var #

var oidNamedCurveP256 = asn1.ObjectIdentifier{...}

oidNamedCurveP384 var #

var oidNamedCurveP384 = asn1.ObjectIdentifier{...}

oidNamedCurveP521 var #

var oidNamedCurveP521 = asn1.ObjectIdentifier{...}

oidPublicKeyDSA var #

var oidPublicKeyDSA = asn1.ObjectIdentifier{...}

oidPublicKeyECDSA var #

RFC 5480, 2.1.1 Unrestricted Algorithm Identifier and Parameters id-ecPublicKey OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

var oidPublicKeyECDSA = asn1.ObjectIdentifier{...}

oidPublicKeyEd25519 var #

var oidPublicKeyEd25519 = asn1.ObjectIdentifier{...}

oidPublicKeyRSA var #

RFC 3279, 2.3 Public Key Algorithms pkcs-1 OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } rsaEncryption OBJECT IDENTIFIER ::== { pkcs1-1 1 } id-dsa OBJECT IDENTIFIER ::== { iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 }

var oidPublicKeyRSA = asn1.ObjectIdentifier{...}

oidPublicKeyX25519 var #

RFC 8410, Section 3 id-X25519 OBJECT IDENTIFIER ::= { 1 3 101 110 } id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 }

var oidPublicKeyX25519 = asn1.ObjectIdentifier{...}

oidSHA256 var #

var oidSHA256 = asn1.ObjectIdentifier{...}

oidSHA384 var #

var oidSHA384 = asn1.ObjectIdentifier{...}

oidSHA512 var #

var oidSHA512 = asn1.ObjectIdentifier{...}

oidSignatureDSAWithSHA1 var #

var oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{...}

oidSignatureDSAWithSHA256 var #

var oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{...}

oidSignatureECDSAWithSHA1 var #

var oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{...}

oidSignatureECDSAWithSHA256 var #

var oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{...}

oidSignatureECDSAWithSHA384 var #

var oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{...}

oidSignatureECDSAWithSHA512 var #

var oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{...}

oidSignatureEd25519 var #

var oidSignatureEd25519 = asn1.ObjectIdentifier{...}

oidSignatureMD5WithRSA var #

var oidSignatureMD5WithRSA = asn1.ObjectIdentifier{...}

oidSignatureRSAPSS var #

var oidSignatureRSAPSS = asn1.ObjectIdentifier{...}

oidSignatureSHA1WithRSA var #

var oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{...}

oidSignatureSHA256WithRSA var #

var oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{...}

oidSignatureSHA384WithRSA var #

var oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{...}

oidSignatureSHA512WithRSA var #

var oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{...}

once var #

var once sync.Once

pemCRLPrefix var #

pemCRLPrefix is the magic string that indicates that we have a PEM encoded CRL.

var pemCRLPrefix = *ast.CallExpr

pemType var #

pemType is the type of a PEM encoded CRL.

var pemType = "X509 CRL"

pssParametersSHA256 var #

DER encoded RSA PSS parameters for the SHA256, SHA384, and SHA512 hashes as defined in RFC 3447, Appendix A.2.3. The parameters contain the following values: - hashAlgorithm contains the associated hash identifier with NULL parameters - maskGenAlgorithm always contains the default mgf1SHA1 identifier - saltLength contains the length of the associated hash - trailerField always contains the default trailerFieldBC value

var pssParametersSHA256 = asn1.RawValue{...}

pssParametersSHA384 var #

var pssParametersSHA384 = asn1.RawValue{...}

pssParametersSHA512 var #

var pssParametersSHA512 = asn1.RawValue{...}

publicKeyAlgoName var #

var publicKeyAlgoName = [...]string{...}

rfc1423Algos var #

rfc1423Algos holds a slice of the possible ways to encrypt a PEM block. The ivSize numbers were taken from the OpenSSL source.

var rfc1423Algos = []rfc1423Algo{...}

rootCertificate const #

const rootCertificate

signatureAlgorithmDetails var #

var signatureAlgorithmDetails = []struct{...}{...}

systemRoots var #

var systemRoots *CertPool

systemRootsErr var #

var systemRootsErr error

systemRootsMu var #

var systemRootsMu sync.RWMutex

windowsExtKeyUsageOIDs var #

windowsExtKeyUsageOIDs are the C NUL-terminated string representations of the OIDs for use with the Windows API.

var windowsExtKeyUsageOIDs = *ast.CallExpr

x509negativeserial var #

var x509negativeserial = *ast.CallExpr

x509rsacrt var #

x509rsacrt, if zero, makes ParsePKCS1PrivateKey ignore and recompute invalid CRT values in the RSA private key.

var x509rsacrt = *ast.CallExpr

x509usefallbackroots var #

var x509usefallbackroots = *ast.CallExpr

x509usepolicies var #

var x509usepolicies = *ast.CallExpr

x509v2Version const #

The X.509 standards confusingly 1-indexed the version names, but 0-indexed the actual encoded version, so the version for X.509v2 is 1.

const x509v2Version = 1

Type Aliases

ExtKeyUsage type #

ExtKeyUsage represents an extended set of actions that are valid for a given key. Each of the ExtKeyUsage* constants define a unique action.

type ExtKeyUsage int

InsecureAlgorithmError type #

An InsecureAlgorithmError indicates that the [SignatureAlgorithm] used to generate the signature is not secure, and the signature has been rejected.

type InsecureAlgorithmError SignatureAlgorithm

InvalidReason type #

type InvalidReason int

KeyUsage type #

KeyUsage represents the set of actions that are valid for a given key. It's a bitmap of the KeyUsage* constants.

type KeyUsage int

PEMCipher type #

type PEMCipher int

PublicKeyAlgorithm type #

type PublicKeyAlgorithm int

SignatureAlgorithm type #

type SignatureAlgorithm int

sum224 type #

type sum224 [sha256.Size224]byte

Structs

CertPool struct #

CertPool is a set of certificates.

type CertPool struct {
byName map[string][]int
lazyCerts []lazyCert
haveSum map[sum224]bool
systemPool bool
}

Certificate struct #

A Certificate represents an X.509 certificate.

type Certificate struct {
Raw []byte
RawTBSCertificate []byte
RawSubjectPublicKeyInfo []byte
RawSubject []byte
RawIssuer []byte
Signature []byte
SignatureAlgorithm SignatureAlgorithm
PublicKeyAlgorithm PublicKeyAlgorithm
PublicKey any
Version int
SerialNumber *big.Int
Issuer pkix.Name
Subject pkix.Name
NotBefore time.Time
NotAfter time.Time
KeyUsage KeyUsage
Extensions []pkix.Extension
ExtraExtensions []pkix.Extension
UnhandledCriticalExtensions []asn1.ObjectIdentifier
ExtKeyUsage []ExtKeyUsage
UnknownExtKeyUsage []asn1.ObjectIdentifier
BasicConstraintsValid bool
IsCA bool
MaxPathLen int
MaxPathLenZero bool
SubjectKeyId []byte
AuthorityKeyId []byte
OCSPServer []string
IssuingCertificateURL []string
DNSNames []string
EmailAddresses []string
IPAddresses []net.IP
URIs []*url.URL
PermittedDNSDomainsCritical bool
PermittedDNSDomains []string
ExcludedDNSDomains []string
PermittedIPRanges []*net.IPNet
ExcludedIPRanges []*net.IPNet
PermittedEmailAddresses []string
ExcludedEmailAddresses []string
PermittedURIDomains []string
ExcludedURIDomains []string
CRLDistributionPoints []string
PolicyIdentifiers []asn1.ObjectIdentifier
Policies []OID
InhibitAnyPolicy int
InhibitAnyPolicyZero bool
InhibitPolicyMapping int
InhibitPolicyMappingZero bool
RequireExplicitPolicy int
RequireExplicitPolicyZero bool
PolicyMappings []PolicyMapping
}

CertificateInvalidError struct #

CertificateInvalidError results when an odd error occurs. Users of this library probably want to handle all these errors uniformly.

type CertificateInvalidError struct {
Cert *Certificate
Reason InvalidReason
Detail string
}

CertificateRequest struct #

CertificateRequest represents a PKCS #10, certificate signature request.

type CertificateRequest struct {
Raw []byte
RawTBSCertificateRequest []byte
RawSubjectPublicKeyInfo []byte
RawSubject []byte
Version int
Signature []byte
SignatureAlgorithm SignatureAlgorithm
PublicKeyAlgorithm PublicKeyAlgorithm
PublicKey any
Subject pkix.Name
Attributes []pkix.AttributeTypeAndValueSET
Extensions []pkix.Extension
ExtraExtensions []pkix.Extension
DNSNames []string
EmailAddresses []string
IPAddresses []net.IP
URIs []*url.URL
}

ConstraintViolationError struct #

ConstraintViolationError results when a requested usage is not permitted by a certificate. For example: checking a signature when the public key isn't a certificate signing key.

type ConstraintViolationError struct {

}

HostnameError struct #

HostnameError results when the set of authorized names doesn't match the requested name.

type HostnameError struct {
Certificate *Certificate
Host string
}

OID struct #

An OID represents an ASN.1 OBJECT IDENTIFIER.

type OID struct {
der []byte
}

PolicyMapping struct #

PolicyMapping represents a policy mapping entry in the policyMappings extension.

type PolicyMapping struct {
IssuerDomainPolicy OID
SubjectDomainPolicy OID
}

RevocationList struct #

RevocationList represents a [Certificate] Revocation List (CRL) as specified by RFC 5280.

type RevocationList struct {
Raw []byte
RawTBSRevocationList []byte
RawIssuer []byte
Issuer pkix.Name
AuthorityKeyId []byte
Signature []byte
SignatureAlgorithm SignatureAlgorithm
RevokedCertificateEntries []RevocationListEntry
RevokedCertificates []pkix.RevokedCertificate
Number *big.Int
ThisUpdate time.Time
NextUpdate time.Time
Extensions []pkix.Extension
ExtraExtensions []pkix.Extension
}

RevocationListEntry struct #

RevocationListEntry represents an entry in the revokedCertificates sequence of a CRL.

type RevocationListEntry struct {
Raw []byte
SerialNumber *big.Int
RevocationTime time.Time
ReasonCode int
Extensions []pkix.Extension
ExtraExtensions []pkix.Extension
}

SystemRootsError struct #

SystemRootsError results when we fail to load the system root certificates.

type SystemRootsError struct {
Err error
}

UnhandledCriticalExtension struct #

type UnhandledCriticalExtension struct {

}

UnknownAuthorityError struct #

UnknownAuthorityError results when the certificate issuer is unknown

type UnknownAuthorityError struct {
Cert *Certificate
hintErr error
hintCert *Certificate
}

VerifyOptions struct #

VerifyOptions contains parameters for Certificate.Verify.

type VerifyOptions struct {
DNSName string
Intermediates *CertPool
Roots *CertPool
CurrentTime time.Time
KeyUsages []ExtKeyUsage
MaxConstraintComparisions int
CertificatePolicies []OID
inhibitPolicyMapping bool
requireExplicitPolicy bool
inhibitAnyPolicy bool
}

authKeyId struct #

RFC 5280, 4.2.1.1

type authKeyId struct {
Id []byte `asn1:"optional,tag:0"`
}

authorityInfoAccess struct #

RFC 5280, 4.2.2.1

type authorityInfoAccess struct {
Method asn1.ObjectIdentifier
Location asn1.RawValue
}

basicConstraints struct #

type basicConstraints struct {
IsCA bool `asn1:"optional"`
MaxPathLen int `asn1:"optional,default:-1"`
}

certificate struct #

type certificate struct {
TBSCertificate tbsCertificate
SignatureAlgorithm pkix.AlgorithmIdentifier
SignatureValue asn1.BitString
}

certificateList struct #

These structures reflect the ASN.1 structure of X.509 CRLs better than the existing crypto/x509/pkix variants do. These mirror the existing certificate structs in this file. Notably, we include issuer as an asn1.RawValue, mirroring the behavior of tbsCertificate and allowing raw (unparsed) subjects to be passed cleanly.

type certificateList struct {
TBSCertList tbsCertificateList
SignatureAlgorithm pkix.AlgorithmIdentifier
SignatureValue asn1.BitString
}

certificateRequest struct #

type certificateRequest struct {
Raw asn1.RawContent
TBSCSR tbsCertificateRequest
SignatureAlgorithm pkix.AlgorithmIdentifier
SignatureValue asn1.BitString
}

distributionPoint struct #

RFC 5280, 4.2.1.14

type distributionPoint struct {
DistributionPoint distributionPointName `asn1:"optional,tag:0"`
Reason asn1.BitString `asn1:"optional,tag:1"`
CRLIssuer asn1.RawValue `asn1:"optional,tag:2"`
}

distributionPointName struct #

type distributionPointName struct {
FullName []asn1.RawValue `asn1:"optional,tag:0"`
RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
}

dsaAlgorithmParameters struct #

type dsaAlgorithmParameters struct {
P *big.Int
Q *big.Int
G *big.Int
}

ecPrivateKey struct #

ecPrivateKey reflects an ASN.1 Elliptic Curve Private Key Structure. References: RFC 5915 SEC1 - http://www.secg.org/sec1-v2.pdf Per RFC 5915 the NamedCurveOID is marked as ASN.1 OPTIONAL, however in most cases it is not.

type ecPrivateKey struct {
Version int
PrivateKey []byte
NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`
PublicKey asn1.BitString `asn1:"optional,explicit,tag:1"`
}

lazyCert struct #

lazyCert is minimal metadata about a Cert and a func to retrieve it in its normal expanded *Certificate form.

type lazyCert struct {
rawSubject []byte
constraint func([]*Certificate) error
getCert func() (*Certificate, error)
}

pkcs1AdditionalRSAPrime struct #

type pkcs1AdditionalRSAPrime struct {
Prime *big.Int
Exp *big.Int
Coeff *big.Int
}

pkcs1PrivateKey struct #

pkcs1PrivateKey is a structure which mirrors the PKCS #1 ASN.1 for an RSA private key.

type pkcs1PrivateKey struct {
Version int
N *big.Int
E int
D *big.Int
P *big.Int
Q *big.Int
Dp *big.Int `asn1:"optional"`
Dq *big.Int `asn1:"optional"`
Qinv *big.Int `asn1:"optional"`
AdditionalPrimes []pkcs1AdditionalRSAPrime `asn1:"optional,omitempty"`
}

pkcs1PublicKey struct #

pkcs1PublicKey reflects the ASN.1 structure of a PKCS #1 public key.

type pkcs1PublicKey struct {
N *big.Int
E int
}

pkcs8 struct #

pkcs8 reflects an ASN.1, PKCS #8 PrivateKey. See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-8/pkcs-8v1_2.asn and RFC 5208.

type pkcs8 struct {
Version int
Algo pkix.AlgorithmIdentifier
PrivateKey []byte
}

pkixPublicKey struct #

pkixPublicKey reflects a PKIX public key structure. See SubjectPublicKeyInfo in RFC 3280.

type pkixPublicKey struct {
Algo pkix.AlgorithmIdentifier
BitString asn1.BitString
}

policyGraph struct #

type policyGraph struct {
strata []map[string]*policyGraphNode
parentIndex map[string][]*policyGraphNode
depth int
}

policyGraphNode struct #

type policyGraphNode struct {
validPolicy OID
expectedPolicySet []OID
parents map[*policyGraphNode]bool
children map[*policyGraphNode]bool
}

policyInformation struct #

RFC 5280 4.2.1.4

type policyInformation struct {
Policy asn1.ObjectIdentifier
}

potentialParent struct #

type potentialParent struct {
cert *Certificate
constraint func([]*Certificate) error
}

pssParameters struct #

pssParameters reflects the parameters in an AlgorithmIdentifier that specifies RSA PSS. See RFC 3447, Appendix A.2.3.

type pssParameters struct {
Hash pkix.AlgorithmIdentifier `asn1:"explicit,tag:0"`
MGF pkix.AlgorithmIdentifier `asn1:"explicit,tag:1"`
SaltLength int `asn1:"explicit,tag:2"`
TrailerField int `asn1:"optional,explicit,tag:3,default:1"`
}

publicKeyInfo struct #

type publicKeyInfo struct {
Raw asn1.RawContent
Algorithm pkix.AlgorithmIdentifier
PublicKey asn1.BitString
}

rfc1423Algo struct #

rfc1423Algo holds a method for enciphering a PEM block.

type rfc1423Algo struct {
cipher PEMCipher
name string
cipherFunc func(key []byte) (cipher.Block, error)
keySize int
blockSize int
}

rfc2821Mailbox struct #

rfc2821Mailbox represents a “mailbox” (which is an email address to most people) by breaking it into the “local” (i.e. before the '@') and “domain” parts.

type rfc2821Mailbox struct {
local string
domain string
}

tbsCertificate struct #

type tbsCertificate struct {
Raw asn1.RawContent
Version int `asn1:"optional,explicit,default:0,tag:0"`
SerialNumber *big.Int
SignatureAlgorithm pkix.AlgorithmIdentifier
Issuer asn1.RawValue
Validity validity
Subject asn1.RawValue
PublicKey publicKeyInfo
UniqueId asn1.BitString `asn1:"optional,tag:1"`
SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
Extensions []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"`
}

tbsCertificateList struct #

type tbsCertificateList struct {
Raw asn1.RawContent
Version int `asn1:"optional,default:0"`
Signature pkix.AlgorithmIdentifier
Issuer asn1.RawValue
ThisUpdate time.Time
NextUpdate time.Time `asn1:"optional"`
RevokedCertificates []pkix.RevokedCertificate `asn1:"optional"`
Extensions []pkix.Extension `asn1:"tag:0,optional,explicit"`
}

tbsCertificateRequest struct #

type tbsCertificateRequest struct {
Raw asn1.RawContent
Version int
Subject asn1.RawValue
PublicKey publicKeyInfo
RawAttributes []asn1.RawValue `asn1:"tag:0"`
}

validity struct #

type validity struct {
NotBefore time.Time
NotAfter time.Time
}

Functions

AddCert method #

AddCert adds a certificate to a pool.

func (s *CertPool) AddCert(cert *Certificate)

AddCertWithConstraint method #

AddCertWithConstraint adds a certificate to the pool with the additional constraint. When Certificate.Verify builds a chain which is rooted by cert, it will additionally pass the whole chain to constraint to determine its validity. If constraint returns a non-nil error, the chain will be discarded. constraint may be called concurrently from multiple goroutines.

func (s *CertPool) AddCertWithConstraint(cert *Certificate, constraint func([]*Certificate) error)

AppendBinary method #

AppendBinary implements [encoding.BinaryAppender]

func (o OID) AppendBinary(b []byte) ([]byte, error)

AppendCertsFromPEM method #

AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. It appends any certificates found to s and reports whether any certificates were successfully parsed. On many Linux systems, /etc/ssl/cert.pem will contain the system wide set of root CAs in a format suitable for this function.

func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

AppendText method #

AppendText implements [encoding.TextAppender]

func (o OID) AppendText(b []byte) ([]byte, error)

CheckCRLSignature method #

CheckCRLSignature checks that the signature in crl is from c. Deprecated: Use [RevocationList.CheckSignatureFrom] instead.

func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error

CheckSignature method #

CheckSignature verifies that signature is a valid signature over signed from c's public key. This is a low-level API that performs no validity checks on the certificate. [MD5WithRSA] signatures are rejected, while [SHA1WithRSA] and [ECDSAWithSHA1] signatures are currently accepted.

func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed []byte, signature []byte) error

CheckSignature method #

CheckSignature reports whether the signature on c is valid.

func (c *CertificateRequest) CheckSignature() error

CheckSignatureFrom method #

CheckSignatureFrom verifies that the signature on c is a valid signature from parent. This is a low-level API that performs very limited checks, and not a full path verifier. Most users should use [Certificate.Verify] instead.

func (c *Certificate) CheckSignatureFrom(parent *Certificate) error

CheckSignatureFrom method #

CheckSignatureFrom verifies that the signature on rl is a valid signature from issuer.

func (rl *RevocationList) CheckSignatureFrom(parent *Certificate) error

Clone method #

Clone returns a copy of s.

func (s *CertPool) Clone() *CertPool

CreateCRL method #

CreateCRL returns a DER encoded CRL, signed by this Certificate, that contains the given list of revoked certificates. Deprecated: this method does not generate an RFC 5280 conformant X.509 v2 CRL. To generate a standards compliant CRL, use [CreateRevocationList] instead.

func (c *Certificate) CreateCRL(rand io.Reader, priv any, revokedCerts []pkix.RevokedCertificate, now time.Time, expiry time.Time) (crlBytes []byte, err error)

CreateCertificate function #

CreateCertificate creates a new X.509 v3 certificate based on a template. The following members of template are currently used: - AuthorityKeyId - BasicConstraintsValid - CRLDistributionPoints - DNSNames - EmailAddresses - ExcludedDNSDomains - ExcludedEmailAddresses - ExcludedIPRanges - ExcludedURIDomains - ExtKeyUsage - ExtraExtensions - IPAddresses - IsCA - IssuingCertificateURL - KeyUsage - MaxPathLen - MaxPathLenZero - NotAfter - NotBefore - OCSPServer - PermittedDNSDomains - PermittedDNSDomainsCritical - PermittedEmailAddresses - PermittedIPRanges - PermittedURIDomains - PolicyIdentifiers (see note below) - Policies (see note below) - SerialNumber - SignatureAlgorithm - Subject - SubjectKeyId - URIs - UnknownExtKeyUsage The certificate is signed by parent. If parent is equal to template then the certificate is self-signed. The parameter pub is the public key of the certificate to be generated and priv is the private key of the signer. The returned slice is the certificate in DER encoding. The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and ed25519.PublicKey. pub must be a supported key type, and priv must be a crypto.Signer with a supported public key. The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any, unless the resulting certificate is self-signed. Otherwise the value from template will be used. If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId will be generated from the hash of the public key. If template.SerialNumber is nil, a serial number will be generated which conforms to RFC 5280, Section 4.1.2.2 using entropy from rand. The PolicyIdentifier and Policies fields can both be used to marshal certificate policy OIDs. By default, only the Policies is marshaled, but if the GODEBUG setting "x509usepolicies" has the value "0", the PolicyIdentifiers field will be marshaled instead of the Policies field. This changed in Go 1.24. The Policies field can be used to marshal policy OIDs which have components that are larger than 31 bits.

func CreateCertificate(rand io.Reader, template *Certificate, parent *Certificate, pub any, priv any) ([]byte, error)

CreateCertificateRequest function #

CreateCertificateRequest creates a new certificate request based on a template. The following members of template are used: - SignatureAlgorithm - Subject - DNSNames - EmailAddresses - IPAddresses - URIs - ExtraExtensions - Attributes (deprecated) priv is the private key to sign the CSR with, and the corresponding public key will be included in the CSR. It must implement crypto.Signer and its Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey satisfies this.) The returned slice is the certificate request in DER encoding.

func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv any) (csr []byte, err error)

CreateRevocationList function #

CreateRevocationList creates a new X.509 v2 [Certificate] Revocation List, according to RFC 5280, based on template. The CRL is signed by priv which should be the private key associated with the public key in the issuer certificate. The issuer may not be nil, and the crlSign bit must be set in [KeyUsage] in order to use it as a CRL issuer. The issuer distinguished name CRL field and authority key identifier extension are populated using the issuer certificate. issuer must have SubjectKeyId set.

func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error)

DecryptPEMBlock function #

DecryptPEMBlock takes a PEM block encrypted according to RFC 1423 and the password used to encrypt it and returns a slice of decrypted DER encoded bytes. It inspects the DEK-Info header to determine the algorithm used for decryption. If no DEK-Info header is present, an error is returned. If an incorrect password is detected an [IncorrectPasswordError] is returned. Because of deficiencies in the format, it's not always possible to detect an incorrect password. In these cases no error will be returned but the decrypted DER bytes will be random noise. Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)

EncryptPEMBlock function #

EncryptPEMBlock returns a PEM block of the specified type holding the given DER encoded data encrypted with the specified algorithm and password according to RFC 1423. Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

func EncryptPEMBlock(rand io.Reader, blockType string, data []byte, password []byte, alg PEMCipher) (*pem.Block, error)

Equal method #

Equal returns true when oid and other represents the same Object Identifier.

func (oid OID) Equal(other OID) bool

Equal method #

Equal reports whether s and other are equal.

func (s *CertPool) Equal(other *CertPool) bool

Equal method #

func (c *Certificate) Equal(other *Certificate) bool

EqualASN1OID method #

EqualASN1OID returns whether an OID equals an asn1.ObjectIdentifier. If asn1.ObjectIdentifier cannot represent the OID specified by oid, because a component of OID requires more than 31 bits, it returns false.

func (oid OID) EqualASN1OID(other asn1.ObjectIdentifier) bool

Error method #

func (h UnhandledCriticalExtension) Error() string

Error method #

func (se SystemRootsError) Error() string

Error method #

func (e UnknownAuthorityError) Error() string

Error method #

func (h HostnameError) Error() string

Error method #

func (e CertificateInvalidError) Error() string

Error method #

func (ConstraintViolationError) Error() string

Error method #

func (e InsecureAlgorithmError) Error() string

IsEncryptedPEMBlock function #

IsEncryptedPEMBlock returns whether the PEM block is password encrypted according to RFC 1423. Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

func IsEncryptedPEMBlock(b *pem.Block) bool

MarshalBinary method #

MarshalBinary implements [encoding.BinaryMarshaler]

func (o OID) MarshalBinary() ([]byte, error)

MarshalECPrivateKey function #

MarshalECPrivateKey converts an EC private key to SEC 1, ASN.1 DER form. This kind of key is commonly encoded in PEM blocks of type "EC PRIVATE KEY". For a more flexible key format which is not EC specific, use [MarshalPKCS8PrivateKey].

func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)

MarshalPKCS1PrivateKey function #

MarshalPKCS1PrivateKey converts an [RSA] private key to PKCS #1, ASN.1 DER form. This kind of key is commonly encoded in PEM blocks of type "RSA PRIVATE KEY". For a more flexible key format which is not [RSA] specific, use [MarshalPKCS8PrivateKey]. The key must have passed validation by calling [rsa.PrivateKey.Validate] first. MarshalPKCS1PrivateKey calls [rsa.PrivateKey.Precompute], which may modify the key if not already precomputed.

func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte

MarshalPKCS1PublicKey function #

MarshalPKCS1PublicKey converts an [RSA] public key to PKCS #1, ASN.1 DER form. This kind of key is commonly encoded in PEM blocks of type "RSA PUBLIC KEY".

func MarshalPKCS1PublicKey(key *rsa.PublicKey) []byte

MarshalPKCS8PrivateKey function #

MarshalPKCS8PrivateKey converts a private key to PKCS #8, ASN.1 DER form. The following key types are currently supported: *[rsa.PrivateKey], *[ecdsa.PrivateKey], [ed25519.PrivateKey] (not a pointer), and *[ecdh.PrivateKey]. Unsupported key types result in an error. This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". MarshalPKCS8PrivateKey runs [rsa.PrivateKey.Precompute] on RSA keys.

func MarshalPKCS8PrivateKey(key any) ([]byte, error)

MarshalPKIXPublicKey function #

MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form. The encoded public key is a SubjectPublicKeyInfo structure (see RFC 5280, Section 4.1). The following key types are currently supported: *[rsa.PublicKey], *[ecdsa.PublicKey], [ed25519.PublicKey] (not a pointer), and *[ecdh.PublicKey]. Unsupported key types result in an error. This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".

func MarshalPKIXPublicKey(pub any) ([]byte, error)

MarshalText method #

MarshalText implements [encoding.TextMarshaler]

func (o OID) MarshalText() ([]byte, error)

NewCertPool function #

NewCertPool returns a new, empty CertPool.

func NewCertPool() *CertPool

OIDFromInts function #

OIDFromInts creates a new OID using ints, each integer is a separate component.

func OIDFromInts(oid []uint64) (OID, error)

ParseCRL function #

ParseCRL parses a CRL from the given bytes. It's often the case that PEM encoded CRLs will appear where they should be DER encoded, so this function will transparently handle PEM encoding as long as there isn't any leading garbage. Deprecated: Use [ParseRevocationList] instead.

func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error)

ParseCertificate function #

ParseCertificate parses a single certificate from the given ASN.1 DER data. Before Go 1.23, ParseCertificate accepted certificates with negative serial numbers. This behavior can be restored by including "x509negativeserial=1" in the GODEBUG environment variable.

func ParseCertificate(der []byte) (*Certificate, error)

ParseCertificateRequest function #

ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.

func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)

ParseCertificates function #

ParseCertificates parses one or more certificates from the given ASN.1 DER data. The certificates must be concatenated with no intermediate padding.

func ParseCertificates(der []byte) ([]*Certificate, error)

ParseDERCRL function #

ParseDERCRL parses a DER encoded CRL from the given bytes. Deprecated: Use [ParseRevocationList] instead.

func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error)

ParseECPrivateKey function #

ParseECPrivateKey parses an EC private key in SEC 1, ASN.1 DER form. This kind of key is commonly encoded in PEM blocks of type "EC PRIVATE KEY".

func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error)

ParseOID function #

ParseOID parses a Object Identifier string, represented by ASCII numbers separated by dots.

func ParseOID(oid string) (OID, error)

ParsePKCS1PrivateKey function #

ParsePKCS1PrivateKey parses an [RSA] private key in PKCS #1, ASN.1 DER form. This kind of key is commonly encoded in PEM blocks of type "RSA PRIVATE KEY". Before Go 1.24, the CRT parameters were ignored and recomputed. To restore the old behavior, use the GODEBUG=x509rsacrt=0 environment variable.

func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error)

ParsePKCS1PublicKey function #

ParsePKCS1PublicKey parses an [RSA] public key in PKCS #1, ASN.1 DER form. This kind of key is commonly encoded in PEM blocks of type "RSA PUBLIC KEY".

func ParsePKCS1PublicKey(der []byte) (*rsa.PublicKey, error)

ParsePKCS8PrivateKey function #

ParsePKCS8PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form. It returns a *[rsa.PrivateKey], an *[ecdsa.PrivateKey], an [ed25519.PrivateKey] (not a pointer), or an *[ecdh.PrivateKey] (for X25519). More types might be supported in the future. This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". Before Go 1.24, the CRT parameters of RSA keys were ignored and recomputed. To restore the old behavior, use the GODEBUG=x509rsacrt=0 environment variable.

func ParsePKCS8PrivateKey(der []byte) (key any, err error)

ParsePKIXPublicKey function #

ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form. The encoded public key is a SubjectPublicKeyInfo structure (see RFC 5280, Section 4.1). It returns a *[rsa.PublicKey], *[dsa.PublicKey], *[ecdsa.PublicKey], [ed25519.PublicKey] (not a pointer), or *[ecdh.PublicKey] (for X25519). More types might be supported in the future. This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".

func ParsePKIXPublicKey(derBytes []byte) (pub any, err error)

ParseRevocationList function #

ParseRevocationList parses a X509 v2 [Certificate] Revocation List from the given ASN.1 DER data.

func ParseRevocationList(der []byte) (*RevocationList, error)

SetFallbackRoots function #

SetFallbackRoots sets the roots to use during certificate verification, if no custom roots are specified and a platform verifier or a system certificate pool is not available (for instance in a container which does not have a root certificate bundle). SetFallbackRoots will panic if roots is nil. SetFallbackRoots may only be called once, if called multiple times it will panic. The fallback behavior can be forced on all platforms, even when there is a system certificate pool, by setting GODEBUG=x509usefallbackroots=1 (note that on Windows and macOS this will disable usage of the platform verification APIs and cause the pure Go verifier to be used). Setting x509usefallbackroots=1 without calling SetFallbackRoots has no effect.

func SetFallbackRoots(roots *CertPool)

String method #

func (algo PublicKeyAlgorithm) String() string

String method #

func (algo SignatureAlgorithm) String() string

String method #

Strings returns the string representation of the Object Identifier.

func (oid OID) String() string

Subjects method #

Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool. Deprecated: if s was returned by [SystemCertPool], Subjects will not include the system roots.

func (s *CertPool) Subjects() [][]byte

SystemCertPool function #

SystemCertPool returns a copy of the system cert pool. On Unix systems other than macOS the environment variables SSL_CERT_FILE and SSL_CERT_DIR can be used to override the system default locations for the SSL certificate file and SSL certificate files directory, respectively. The latter can be a colon-separated list. Any mutations to the returned pool are not written to disk and do not affect any other pool returned by SystemCertPool. New changes in the system cert pool might not be reflected in subsequent calls.

func SystemCertPool() (*CertPool, error)

UnmarshalBinary method #

UnmarshalBinary implements [encoding.BinaryUnmarshaler]

func (o *OID) UnmarshalBinary(b []byte) error

UnmarshalText method #

UnmarshalText implements [encoding.TextUnmarshaler]

func (o *OID) UnmarshalText(text []byte) error

Unwrap method #

func (se SystemRootsError) Unwrap() error

Verify method #

Verify attempts to verify c by building one or more chains from c to a certificate in opts.Roots, using certificates in opts.Intermediates if needed. If successful, it returns one or more chains where the first element of the chain is c and the last element is from opts.Roots. If opts.Roots is nil, the platform verifier might be used, and verification details might differ from what is described below. If system roots are unavailable the returned error will be of type SystemRootsError. Name constraints in the intermediates will be applied to all names claimed in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim example.com if an intermediate doesn't permit it, even if example.com is not the name being validated. Note that DirectoryName constraints are not supported. Name constraint validation follows the rules from RFC 5280, with the addition that DNS name constraints may use the leading period format defined for emails and URIs. When a constraint has a leading period it indicates that at least one additional label must be prepended to the constrained name to be considered valid. Extended Key Usage values are enforced nested down a chain, so an intermediate or root that enumerates EKUs prevents a leaf from asserting an EKU not in that list. (While this is not specified, it is common practice in order to limit the types of certificates a CA can issue.) Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported, and will not be used to build chains. Certificates other than c in the returned chains should not be modified. WARNING: this function doesn't do any revocation checking.

func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error)

VerifyHostname method #

VerifyHostname returns nil if c is a valid certificate for the named host. Otherwise it returns an error describing the mismatch. IP addresses can be optionally enclosed in square brackets and are checked against the IPAddresses field. Other names are checked case insensitively against the DNSNames field. If the names are valid hostnames, the certificate fields can have a wildcard as the complete left-most label (e.g. *.example.com). Note that the legacy Common Name field is ignored.

func (c *Certificate) VerifyHostname(h string) error

addCertFunc method #

addCertFunc adds metadata about a certificate to a pool, along with a func to fetch that certificate later when needed. The rawSubject is Certificate.RawSubject and must be non-empty. The getCert func may be called 0 or more times.

func (s *CertPool) addCertFunc(rawSum224 sum224, rawSubject string, getCert func() (*Certificate, error), constraint func([]*Certificate) error)

alreadyInChain function #

alreadyInChain checks whether a candidate certificate is present in a chain. Rather than doing a direct byte for byte equivalency check, we check if the subject, public key, and SAN, if present, are equal. This prevents loops that are created by mutual cross-signatures, or other cross-signature bridge oddities.

func alreadyInChain(candidate *Certificate, chain []*Certificate) bool

appendBase128BigInt function #

func appendBase128BigInt(dst []byte, n *big.Int) []byte

appendBase128Int function #

func appendBase128Int(dst []byte, n uint64) []byte

appendToFreshChain function #

func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate

asn1BitLength function #

asn1BitLength returns the bit-length of bitString by considering the most-significant bit in a byte to be the "first" bit. This convention matches ASN.1, but differs from almost everything else.

func asn1BitLength(bitString []byte) int

base128BigIntLength function #

func base128BigIntLength(n *big.Int) int

base128IntLength function #

func base128IntLength(n uint64) int

buildCSRExtensions function #

func buildCSRExtensions(template *CertificateRequest) ([]pkix.Extension, error)

buildCertExtensions function #

func buildCertExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte, subjectKeyId []byte) (ret []pkix.Extension, err error)

buildChains method #

func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*Certificate, err error)

cert method #

cert returns cert index n in s.

func (s *CertPool) cert(n int) (*Certificate, func([]*Certificate) error, error)

checkChainForKeyUsage function #

func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool

checkChainSSLServerPolicy function #

checkChainSSLServerPolicy checks that the certificate chain in chainCtx is valid for use as a certificate chain for a SSL/TLS server.

func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) error

checkChainTrustStatus function #

checkChainTrustStatus checks the trust status of the certificate chain, translating any errors it finds into Go errors in the process.

func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) error

checkNameConstraints method #

checkNameConstraints checks that c permits a child certificate to claim the given name, of type nameType. The argument parsedName contains the parsed form of name, suitable for passing to the match function. The total number of comparisons is tracked in the given count and should not exceed the given limit.

func (c *Certificate) checkNameConstraints(count *int, maxConstraintComparisons int, nameType string, name string, parsedName any, match func(parsedName any, constraint any) (match bool, err error), permitted any, excluded any) error

checkSignature function #

checkSignature verifies that signature is a valid signature over signed from a crypto.PublicKey.

func checkSignature(algo SignatureAlgorithm, signed []byte, signature []byte, publicKey crypto.PublicKey, allowSHA1 bool) (err error)

cipherByKey function #

func cipherByKey(key PEMCipher) *rfc1423Algo

cipherByName function #

func cipherByName(name string) *rfc1423Algo

contains method #

func (s *CertPool) contains(cert *Certificate) bool

createStoreContext function #

Creates a new *syscall.CertContext representing the leaf certificate in an in-memory certificate store containing itself and all of the intermediate certificates specified in the opts.Intermediates CertPool. A pointer to the in-memory store is available in the returned CertContext's Store field. The store is automatically freed when the CertContext is freed using syscall.CertFreeCertificateContext.

func createStoreContext(leaf *Certificate, opts *VerifyOptions) (*syscall.CertContext, error)

deleteLeaf method #

func (pg *policyGraph) deleteLeaf(policy OID)

deriveKey method #

deriveKey uses a key derivation function to stretch the password into a key with the number of bits our cipher requires. This algorithm was derived from the OpenSSL source.

func (c rfc1423Algo) deriveKey(password []byte, salt []byte) []byte

domainToReverseLabels function #

domainToReverseLabels converts a textual domain name like foo.example.com to the list of labels in reverse order, e.g. ["com", "example", "foo"].

func domainToReverseLabels(domain string) (reverseLabels []string, ok bool)

exportCertificate function #

exportCertificate returns a *Certificate for a SecCertificateRef.

func exportCertificate(cert macOS.CFRef) (*Certificate, error)

extKeyUsageFromOID function #

func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool)

extractSimpleChain function #

extractSimpleChain extracts the final certificate chain from a CertSimpleChain.

func extractSimpleChain(simpleChain **syscall.CertSimpleChain, count int) (chain []*Certificate, err error)

findPotentialParents method #

findPotentialParents returns the certificates in s which might have signed cert.

func (s *CertPool) findPotentialParents(cert *Certificate) []potentialParent

forEachSAN function #

func forEachSAN(der cryptobyte.String, callback func(tag int, data []byte) error) error

getPublicKeyAlgorithmFromOID function #

getPublicKeyAlgorithmFromOID returns the exposed PublicKeyAlgorithm identifier for public key types supported in certificates and CSRs. Marshal and Parse functions may support a different set of public key types.

func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm

getSANExtension method #

func (c *Certificate) getSANExtension() []byte

getSignatureAlgorithmFromAI function #

func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm

hasNameConstraints method #

func (c *Certificate) hasNameConstraints() bool

hasSANExtension method #

func (c *Certificate) hasSANExtension() bool

hashFunc method #

func (algo SignatureAlgorithm) hashFunc() crypto.Hash

incrDepth method #

func (pg *policyGraph) incrDepth()

init function #

func init()

init function #

func init()

initSystemRoots function #

func initSystemRoots()

insert method #

func (pg *policyGraph) insert(n *policyGraphNode)

isIA5String function #

func isIA5String(s string) error

isPrintable function #

isPrintable reports whether the given b is in the ASN.1 PrintableString set. This is a simplified version of encoding/asn1.isPrintable.

func isPrintable(b byte) bool

isRSAPSS method #

func (algo SignatureAlgorithm) isRSAPSS() bool

isSameDirSymlink function #

isSameDirSymlink reports whether fi in dir is a symlink with a target not containing a slash.

func isSameDirSymlink(f fs.DirEntry, dir string) bool

isValid method #

isValid performs validity checks on c given that it is a candidate to append to the chain in currentChain.

func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *VerifyOptions) error

isValidIPMask function #

isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.

func isValidIPMask(mask []byte) bool

leafWithPolicy method #

func (pg *policyGraph) leafWithPolicy(policy OID) *policyGraphNode

leaves method #

func (pg *policyGraph) leaves() map[string]*policyGraphNode

len method #

len returns the number of certs in the set. A nil set is a valid empty set.

func (s *CertPool) len() int

loadSystemRoots function #

func loadSystemRoots() (*CertPool, error)

loadSystemRoots function #

func loadSystemRoots() (*CertPool, error)

loadSystemRoots function #

func loadSystemRoots() (*CertPool, error)

loadSystemRoots function #

func loadSystemRoots() (*CertPool, error)

marshalBasicConstraints function #

func marshalBasicConstraints(isCA bool, maxPathLen int, maxPathLenZero bool) (pkix.Extension, error)

marshalCertificatePolicies function #

func marshalCertificatePolicies(policies []OID, policyIdentifiers []asn1.ObjectIdentifier) (pkix.Extension, error)

marshalECDHPrivateKey function #

marshalECDHPrivateKey marshals an EC private key into ASN.1, DER format suitable for NIST curves.

func marshalECDHPrivateKey(key *ecdh.PrivateKey) ([]byte, error)

marshalECPrivateKeyWithOID function #

marshalECPrivateKeyWithOID marshals an EC private key into ASN.1, DER format and sets the curve ID to the given OID, or omits it if OID is nil.

func marshalECPrivateKeyWithOID(key *ecdsa.PrivateKey, oid asn1.ObjectIdentifier) ([]byte, error)

marshalExtKeyUsage function #

func marshalExtKeyUsage(extUsages []ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error)

marshalKeyUsage function #

func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error)

marshalPublicKey function #

func marshalPublicKey(pub any) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error)

marshalSANs function #

marshalSANs marshals a list of addresses into a the contents of an X.509 SubjectAlternativeName extension.

func marshalSANs(dnsNames []string, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error)

matchDomainConstraint function #

func matchDomainConstraint(domain string, constraint string) (bool, error)

matchEmailConstraint function #

func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error)

matchExactly function #

func matchExactly(hostA string, hostB string) bool

matchHostnames function #

func matchHostnames(pattern string, host string) bool

matchIPConstraint function #

func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error)

matchURIConstraint function #

func matchURIConstraint(uri *url.URL, constraint string) (bool, error)

mustNewOIDFromInts function #

func mustNewOIDFromInts(ints []uint64) OID

namedCurveFromOID function #

func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve

newOIDFromDER function #

func newOIDFromDER(der []byte) (OID, bool)

newPolicyGraph function #

func newPolicyGraph() *policyGraph

newPolicyGraphNode function #

func newPolicyGraphNode(valid OID, parents []*policyGraphNode) *policyGraphNode

newRawAttributes function #

newRawAttributes converts AttributeTypeAndValueSETs from a template CertificateRequest's Attributes into tbsCertificateRequest RawAttributes.

func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error)

oidFromECDHCurve function #

func oidFromECDHCurve(curve ecdh.Curve) (asn1.ObjectIdentifier, bool)

oidFromExtKeyUsage function #

func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool)

oidFromNamedCurve function #

func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool)

oidInExtensions function #

oidInExtensions reports whether an extension with the given oid exists in extensions.

func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool

parentWithAnyPolicy method #

func (pg *policyGraph) parentWithAnyPolicy() *policyGraphNode

parents method #

func (pg *policyGraph) parents() *ast.IndexExpr

parentsWithExpected method #

func (pg *policyGraph) parentsWithExpected(expected OID) []*policyGraphNode

parseAI function #

func parseAI(der cryptobyte.String) (pkix.AlgorithmIdentifier, error)

parseASN1String function #

parseASN1String parses the ASN.1 string types T61String, PrintableString, UTF8String, BMPString, IA5String, and NumericString. This is mostly copied from the respective encoding/asn1.parse... methods, rather than just increasing the API surface of that package.

func parseASN1String(tag cryptobyte_asn1.Tag, value []byte) (string, error)

parseAuthorityKeyIdentifier function #

func parseAuthorityKeyIdentifier(e pkix.Extension) ([]byte, error)

parseBase128Int function #

func parseBase128Int(bytes []byte, initOffset int) (ret int, offset int, failed bool)

parseBasicConstraintsExtension function #

func parseBasicConstraintsExtension(der cryptobyte.String) (bool, int, error)

parseCSRExtensions function #

parseCSRExtensions parses the attributes from a CSR and extracts any requested extensions.

func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error)

parseCertificate function #

func parseCertificate(der []byte) (*Certificate, error)

parseCertificatePoliciesExtension function #

func parseCertificatePoliciesExtension(der cryptobyte.String) ([]OID, error)

parseCertificateRequest function #

func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error)

parseECPrivateKey function #

parseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure. The OID for the named curve may be provided from another source (such as the PKCS8 container) - if it is provided then use this instead of the OID that may exist in the EC private key structure.

func parseECPrivateKey(namedCurveOID *asn1.ObjectIdentifier, der []byte) (key *ecdsa.PrivateKey, err error)

parseExtKeyUsageExtension function #

func parseExtKeyUsageExtension(der cryptobyte.String) ([]ExtKeyUsage, []asn1.ObjectIdentifier, error)

parseExtension function #

func parseExtension(der cryptobyte.String) (pkix.Extension, error)

parseKeyUsageExtension function #

func parseKeyUsageExtension(der cryptobyte.String) (KeyUsage, error)

parseName function #

parseName parses a DER encoded Name as defined in RFC 5280. We may want to export this function in the future for use in crypto/tls.

func parseName(raw cryptobyte.String) (*pkix.RDNSequence, error)

parseNameConstraintsExtension function #

func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandled bool, err error)

parsePublicKey function #

func parsePublicKey(keyData *publicKeyInfo) (any, error)

parseRFC2821Mailbox function #

parseRFC2821Mailbox parses an email address into local and domain parts, based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280, Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”.

func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool)

parseRawAttributes function #

parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs.

func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET

parseSANExtension function #

func parseSANExtension(der cryptobyte.String) (dnsNames []string, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL, err error)

parseTime function #

func parseTime(der *cryptobyte.String) (time.Time, error)

parseValidity function #

func parseValidity(der cryptobyte.String) (time.Time, time.Time, error)

policiesValid function #

func policiesValid(chain []*Certificate, opts VerifyOptions) bool

processExtensions function #

func processExtensions(out *Certificate) error

prune method #

func (pg *policyGraph) prune()

readUniqueDirectoryEntries function #

readUniqueDirectoryEntries is like os.ReadDir but omits symlinks that point within the directory.

func readUniqueDirectoryEntries(dir string) ([]fs.DirEntry, error)

reverseBitsInAByte function #

func reverseBitsInAByte(in byte) byte

signTBS function #

func signTBS(tbs []byte, key crypto.Signer, sigAlg SignatureAlgorithm, rand io.Reader) ([]byte, error)

signaturePublicKeyAlgoMismatchError function #

func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey any) error

signingParamsForKey function #

signingParamsForKey returns the signature algorithm and its Algorithm Identifier to use for signing, based on the key type. If sigAlgo is not zero then it overrides the default.

func signingParamsForKey(key crypto.Signer, sigAlgo SignatureAlgorithm) (SignatureAlgorithm, pkix.AlgorithmIdentifier, error)

subjectBytes function #

func subjectBytes(cert *Certificate) ([]byte, error)

systemRootsPool function #

func systemRootsPool() *CertPool

systemVerify method #

systemVerify is like Verify, except that it uses CryptoAPI calls to build certificate chains and verify them.

func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error)

systemVerify method #

func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error)

systemVerify method #

func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error)

systemVerify method #

func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error)

toASN1OID method #

func (oid OID) toASN1OID() (asn1.ObjectIdentifier, bool)

toLowerCaseASCII function #

toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use an explicitly ASCII function to avoid any sharp corners resulting from performing Unicode operations on DNS labels.

func toLowerCaseASCII(in string) string

unmarshalOIDText method #

func (o *OID) unmarshalOIDText(oid string) error

validHostname function #

validHostname reports whether host is a valid hostname that can be matched or matched against according to RFC 6125 2.2, with some leniency to accommodate legacy values.

func validHostname(host string, isPattern bool) bool

validHostnameInput function #

func validHostnameInput(host string) bool

validHostnamePattern function #

func validHostnamePattern(host string) bool

validPolicyNodes method #

func (pg *policyGraph) validPolicyNodes() []*policyGraphNode

verifyChain function #

func verifyChain(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) (chain []*Certificate, err error)

Generated with Arrow