type pkixPublicKey … // ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form. The encoded // public key is a SubjectPublicKeyInfo structure (see RFC 5280, Section 4.1). // // It returns a *[rsa.PublicKey], *[dsa.PublicKey], *[ecdsa.PublicKey], // [ed25519.PublicKey] (not a pointer), or *[ecdh.PublicKey] (for X25519). // More types might be supported in the future. // // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY". func ParsePKIXPublicKey(derBytes []byte) (pub any, err error) { … } func marshalPublicKey(pub any) (publicKeyBytes []byte, publicKeyAlgorithm pkix.AlgorithmIdentifier, err error) { … } // MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form. // The encoded public key is a SubjectPublicKeyInfo structure // (see RFC 5280, Section 4.1). // // The following key types are currently supported: *[rsa.PublicKey], // *[ecdsa.PublicKey], [ed25519.PublicKey] (not a pointer), and *[ecdh.PublicKey]. // Unsupported key types result in an error. // // This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY". func MarshalPKIXPublicKey(pub any) ([]byte, error) { … } type certificate … type tbsCertificate … type dsaAlgorithmParameters … type validity … type publicKeyInfo … type authKeyId … type SignatureAlgorithm … const UnknownSignatureAlgorithm … const MD2WithRSA … const MD5WithRSA … const SHA1WithRSA … const SHA256WithRSA … const SHA384WithRSA … const SHA512WithRSA … const DSAWithSHA1 … const DSAWithSHA256 … const ECDSAWithSHA1 … const ECDSAWithSHA256 … const ECDSAWithSHA384 … const ECDSAWithSHA512 … const SHA256WithRSAPSS … const SHA384WithRSAPSS … const SHA512WithRSAPSS … const PureEd25519 … func (algo SignatureAlgorithm) isRSAPSS() bool { … } func (algo SignatureAlgorithm) hashFunc() crypto.Hash { … } func (algo SignatureAlgorithm) String() string { … } type PublicKeyAlgorithm … const UnknownPublicKeyAlgorithm … const RSA … const DSA … const ECDSA … const Ed25519 … var publicKeyAlgoName … func (algo PublicKeyAlgorithm) String() string { … } var oidSignatureMD5WithRSA … var oidSignatureSHA1WithRSA … var oidSignatureSHA256WithRSA … var oidSignatureSHA384WithRSA … var oidSignatureSHA512WithRSA … var oidSignatureRSAPSS … var oidSignatureDSAWithSHA1 … var oidSignatureDSAWithSHA256 … var oidSignatureECDSAWithSHA1 … var oidSignatureECDSAWithSHA256 … var oidSignatureECDSAWithSHA384 … var oidSignatureECDSAWithSHA512 … var oidSignatureEd25519 … var oidSHA256 … var oidSHA384 … var oidSHA512 … var oidMGF1 … var oidISOSignatureSHA1WithRSA … var signatureAlgorithmDetails … var emptyRawValue … var pssParametersSHA256 … var pssParametersSHA384 … var pssParametersSHA512 … type pssParameters … func getSignatureAlgorithmFromAI(ai pkix.AlgorithmIdentifier) SignatureAlgorithm { … } var oidPublicKeyRSA … var oidPublicKeyDSA … var oidPublicKeyECDSA … var oidPublicKeyX25519 … var oidPublicKeyEd25519 … // getPublicKeyAlgorithmFromOID returns the exposed PublicKeyAlgorithm // identifier for public key types supported in certificates and CSRs. Marshal // and Parse functions may support a different set of public key types. func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm { … } var oidNamedCurveP224 … var oidNamedCurveP256 … var oidNamedCurveP384 … var oidNamedCurveP521 … func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve { … } func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) { … } func oidFromECDHCurve(curve ecdh.Curve) (asn1.ObjectIdentifier, bool) { … } type KeyUsage … const KeyUsageDigitalSignature … const KeyUsageContentCommitment … const KeyUsageKeyEncipherment … const KeyUsageDataEncipherment … const KeyUsageKeyAgreement … const KeyUsageCertSign … const KeyUsageCRLSign … const KeyUsageEncipherOnly … const KeyUsageDecipherOnly … var oidExtKeyUsageAny … var oidExtKeyUsageServerAuth … var oidExtKeyUsageClientAuth … var oidExtKeyUsageCodeSigning … var oidExtKeyUsageEmailProtection … var oidExtKeyUsageIPSECEndSystem … var oidExtKeyUsageIPSECTunnel … var oidExtKeyUsageIPSECUser … var oidExtKeyUsageTimeStamping … var oidExtKeyUsageOCSPSigning … var oidExtKeyUsageMicrosoftServerGatedCrypto … var oidExtKeyUsageNetscapeServerGatedCrypto … var oidExtKeyUsageMicrosoftCommercialCodeSigning … var oidExtKeyUsageMicrosoftKernelCodeSigning … type ExtKeyUsage … const ExtKeyUsageAny … const ExtKeyUsageServerAuth … const ExtKeyUsageClientAuth … const ExtKeyUsageCodeSigning … const ExtKeyUsageEmailProtection … const ExtKeyUsageIPSECEndSystem … const ExtKeyUsageIPSECTunnel … const ExtKeyUsageIPSECUser … const ExtKeyUsageTimeStamping … const ExtKeyUsageOCSPSigning … const ExtKeyUsageMicrosoftServerGatedCrypto … const ExtKeyUsageNetscapeServerGatedCrypto … const ExtKeyUsageMicrosoftCommercialCodeSigning … const ExtKeyUsageMicrosoftKernelCodeSigning … var extKeyUsageOIDs … func extKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku ExtKeyUsage, ok bool) { … } func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) { … } type Certificate … var ErrUnsupportedAlgorithm … type InsecureAlgorithmError … func (e InsecureAlgorithmError) Error() string { … } type ConstraintViolationError … func (ConstraintViolationError) Error() string { … } func (c *Certificate) Equal(other *Certificate) bool { … } func (c *Certificate) hasSANExtension() bool { … } // CheckSignatureFrom verifies that the signature on c is a valid signature from parent. // // This is a low-level API that performs very limited checks, and not a full // path verifier. Most users should use [Certificate.Verify] instead. func (c *Certificate) CheckSignatureFrom(parent *Certificate) error { … } // CheckSignature verifies that signature is a valid signature over signed from // c's public key. // // This is a low-level API that performs no validity checks on the certificate. // // [MD5WithRSA] signatures are rejected, while [SHA1WithRSA] and [ECDSAWithSHA1] // signatures are currently accepted. func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error { … } func (c *Certificate) hasNameConstraints() bool { … } func (c *Certificate) getSANExtension() []byte { … } func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, pubKey any) error { … } var x509sha1 … // checkSignature verifies that signature is a valid signature over signed from // a crypto.PublicKey. func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey, allowSHA1 bool) (err error) { … } // CheckCRLSignature checks that the signature in crl is from c. // // Deprecated: Use [RevocationList.CheckSignatureFrom] instead. func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error { … } type UnhandledCriticalExtension … func (h UnhandledCriticalExtension) Error() string { … } type basicConstraints … type policyInformation … const nameTypeEmail … const nameTypeDNS … const nameTypeURI … const nameTypeIP … type authorityInfoAccess … type distributionPoint … type distributionPointName … func reverseBitsInAByte(in byte) byte { … } // asn1BitLength returns the bit-length of bitString by considering the // most-significant bit in a byte to be the "first" bit. This convention // matches ASN.1, but differs from almost everything else. func asn1BitLength(bitString []byte) int { … } var oidExtensionSubjectKeyId … var oidExtensionKeyUsage … var oidExtensionExtendedKeyUsage … var oidExtensionAuthorityKeyId … var oidExtensionBasicConstraints … var oidExtensionSubjectAltName … var oidExtensionCertificatePolicies … var oidExtensionNameConstraints … var oidExtensionCRLDistributionPoints … var oidExtensionAuthorityInfoAccess … var oidExtensionCRLNumber … var oidExtensionReasonCode … var oidAuthorityInfoAccessOcsp … var oidAuthorityInfoAccessIssuers … // oidInExtensions reports whether an extension with the given oid exists in // extensions. func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool { … } // marshalSANs marshals a list of addresses into a the contents of an X.509 // SubjectAlternativeName extension. func marshalSANs(dnsNames, emailAddresses []string, ipAddresses []net.IP, uris []*url.URL) (derBytes []byte, err error) { … } func isIA5String(s string) error { … } var x509usepolicies … func buildCertExtensions(template *Certificate, subjectIsEmpty bool, authorityKeyId []byte, subjectKeyId []byte) (ret []pkix.Extension, err error) { … } func marshalKeyUsage(ku KeyUsage) (pkix.Extension, error) { … } func marshalExtKeyUsage(extUsages []ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error) { … } func marshalBasicConstraints(isCA bool, maxPathLen int, maxPathLenZero bool) (pkix.Extension, error) { … } func marshalCertificatePolicies(policies []OID, policyIdentifiers []asn1.ObjectIdentifier) (pkix.Extension, error) { … } func buildCSRExtensions(template *CertificateRequest) ([]pkix.Extension, error) { … } func subjectBytes(cert *Certificate) ([]byte, error) { … } // signingParamsForKey returns the signature algorithm and its Algorithm // Identifier to use for signing, based on the key type. If sigAlgo is not zero // then it overrides the default. func signingParamsForKey(key crypto.Signer, sigAlgo SignatureAlgorithm) (SignatureAlgorithm, pkix.AlgorithmIdentifier, error) { … } func signTBS(tbs []byte, key crypto.Signer, sigAlg SignatureAlgorithm, rand io.Reader) ([]byte, error) { … } var emptyASN1Subject … // CreateCertificate creates a new X.509 v3 certificate based on a template. // The following members of template are currently used: // // - AuthorityKeyId // - BasicConstraintsValid // - CRLDistributionPoints // - DNSNames // - EmailAddresses // - ExcludedDNSDomains // - ExcludedEmailAddresses // - ExcludedIPRanges // - ExcludedURIDomains // - ExtKeyUsage // - ExtraExtensions // - IPAddresses // - IsCA // - IssuingCertificateURL // - KeyUsage // - MaxPathLen // - MaxPathLenZero // - NotAfter // - NotBefore // - OCSPServer // - PermittedDNSDomains // - PermittedDNSDomainsCritical // - PermittedEmailAddresses // - PermittedIPRanges // - PermittedURIDomains // - PolicyIdentifiers (see note below) // - Policies (see note below) // - SerialNumber // - SignatureAlgorithm // - Subject // - SubjectKeyId // - URIs // - UnknownExtKeyUsage // // The certificate is signed by parent. If parent is equal to template then the // certificate is self-signed. The parameter pub is the public key of the // certificate to be generated and priv is the private key of the signer. // // The returned slice is the certificate in DER encoding. // // The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and // ed25519.PublicKey. pub must be a supported key type, and priv must be a // crypto.Signer with a supported public key. // // The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any, // unless the resulting certificate is self-signed. Otherwise the value from // template will be used. // // If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId // will be generated from the hash of the public key. // // The PolicyIdentifier and Policies fields are both used to marshal certificate // policy OIDs. By default, only the PolicyIdentifier is marshaled, but if the // GODEBUG setting "x509usepolicies" has the value "1", the Policies field will // be marshaled instead of the PolicyIdentifier field. The Policies field can // be used to marshal policy OIDs which have components that are larger than 31 // bits. func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv any) ([]byte, error) { … } var pemCRLPrefix … var pemType … // ParseCRL parses a CRL from the given bytes. It's often the case that PEM // encoded CRLs will appear where they should be DER encoded, so this function // will transparently handle PEM encoding as long as there isn't any leading // garbage. // // Deprecated: Use [ParseRevocationList] instead. func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error) { … } // ParseDERCRL parses a DER encoded CRL from the given bytes. // // Deprecated: Use [ParseRevocationList] instead. func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error) { … } // CreateCRL returns a DER encoded CRL, signed by this Certificate, that // contains the given list of revoked certificates. // // Deprecated: this method does not generate an RFC 5280 conformant X.509 v2 CRL. // To generate a standards compliant CRL, use [CreateRevocationList] instead. func (c *Certificate) CreateCRL(rand io.Reader, priv any, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) { … } type CertificateRequest … type tbsCertificateRequest … type certificateRequest … var oidExtensionRequest … // newRawAttributes converts AttributeTypeAndValueSETs from a template // CertificateRequest's Attributes into tbsCertificateRequest RawAttributes. func newRawAttributes(attributes []pkix.AttributeTypeAndValueSET) ([]asn1.RawValue, error) { … } // parseRawAttributes Unmarshals RawAttributes into AttributeTypeAndValueSETs. func parseRawAttributes(rawAttributes []asn1.RawValue) []pkix.AttributeTypeAndValueSET { … } // parseCSRExtensions parses the attributes from a CSR and extracts any // requested extensions. func parseCSRExtensions(rawAttributes []asn1.RawValue) ([]pkix.Extension, error) { … } // CreateCertificateRequest creates a new certificate request based on a // template. The following members of template are used: // // - SignatureAlgorithm // - Subject // - DNSNames // - EmailAddresses // - IPAddresses // - URIs // - ExtraExtensions // - Attributes (deprecated) // // priv is the private key to sign the CSR with, and the corresponding public // key will be included in the CSR. It must implement crypto.Signer and its // Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a // ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or // ed25519.PrivateKey satisfies this.) // // The returned slice is the certificate request in DER encoding. func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv any) (csr []byte, err error) { … } // ParseCertificateRequest parses a single certificate request from the // given ASN.1 DER data. func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) { … } func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error) { … } // CheckSignature reports whether the signature on c is valid. func (c *CertificateRequest) CheckSignature() error { … } type RevocationListEntry … type RevocationList … type certificateList … type tbsCertificateList … // CreateRevocationList creates a new X.509 v2 [Certificate] Revocation List, // according to RFC 5280, based on template. // // The CRL is signed by priv which should be the private key associated with // the public key in the issuer certificate. // // The issuer may not be nil, and the crlSign bit must be set in [KeyUsage] in // order to use it as a CRL issuer. // // The issuer distinguished name CRL field and authority key identifier // extension are populated using the issuer certificate. issuer must have // SubjectKeyId set. func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer) ([]byte, error) { … } // CheckSignatureFrom verifies that the signature on rl is a valid signature // from issuer. func (rl *RevocationList) CheckSignatureFrom(parent *Certificate) error { … }
Codebase Browser
go