Namespace: go.std.crypto.x509

v1.0

Contents

• Summary
• Index
• Constants
• Variables
• Functions, Macros, and Special Forms
• Types

Summary

Provides a low-level interface to the crypto/x509 package.

Copyright 2021 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.

Package x509 parses X.509-encoded keys and certificates.

Index

• *CertPool
• *Certificate
• *CertificateInvalidError
• *CertificateRequest
• *ConstraintViolationError
• *ExtKeyUsage
• *HostnameError
• *InsecureAlgorithmError
• *InvalidReason
• *KeyUsage
• *PEMCipher
• *PublicKeyAlgorithm
• *RevocationList
• *SignatureAlgorithm
• *SystemRootsError
• *UnhandledCriticalExtension
• *UnknownAuthorityError
• *VerifyOptions
• CANotAuthorizedForExtKeyUsage
• CANotAuthorizedForThisName
• CertPool
• Certificate
• CertificateInvalidError
• CertificateRequest
• ConstraintViolationError
• CreateCertificate
• CreateCertificateRequest
• CreateRevocationList
• DSA
• DSAWithSHA1
• DSAWithSHA256
• DecryptPEMBlock
• ECDSA
• ECDSAWithSHA1
• ECDSAWithSHA256
• ECDSAWithSHA384
• ECDSAWithSHA512
• Ed25519
• EncryptPEMBlock
• ErrUnsupportedAlgorithm
• Expired
• ExtKeyUsage
• ExtKeyUsageAny
• ExtKeyUsageClientAuth
• ExtKeyUsageCodeSigning
• ExtKeyUsageEmailProtection
• ExtKeyUsageIPSECEndSystem
• ExtKeyUsageIPSECTunnel
• ExtKeyUsageIPSECUser
• ExtKeyUsageMicrosoftCommercialCodeSigning
• ExtKeyUsageMicrosoftKernelCodeSigning
• ExtKeyUsageMicrosoftServerGatedCrypto
• ExtKeyUsageNetscapeServerGatedCrypto
• ExtKeyUsageOCSPSigning
• ExtKeyUsageServerAuth
• ExtKeyUsageTimeStamping
• HostnameError
• IncompatibleUsage
• IncorrectPasswordError
• InsecureAlgorithmError
• InvalidReason
• IsEncryptedPEMBlock
• KeyUsage
• KeyUsageCRLSign
• KeyUsageCertSign
• KeyUsageContentCommitment
• KeyUsageDataEncipherment
• KeyUsageDecipherOnly
• KeyUsageDigitalSignature
• KeyUsageEncipherOnly
• KeyUsageKeyAgreement
• KeyUsageKeyEncipherment
• MD2WithRSA
• MD5WithRSA
• MarshalECPrivateKey
• MarshalPKCS1PrivateKey
• MarshalPKCS1PublicKey
• MarshalPKCS8PrivateKey
• MarshalPKIXPublicKey
• NameConstraintsWithoutSANs
• NameMismatch
• NewCertPool
• NotAuthorizedToSign
• PEMCipher
• PEMCipher3DES
• PEMCipherAES128
• PEMCipherAES192
• PEMCipherAES256
• PEMCipherDES
• ParseCRL
• ParseCertificate
• ParseCertificateRequest
• ParseCertificates
• ParseDERCRL
• ParseECPrivateKey
• ParsePKCS1PrivateKey
• ParsePKCS1PublicKey
• ParsePKCS8PrivateKey
• ParsePKIXPublicKey
• PublicKeyAlgorithm
• PureEd25519
• RSA
• RevocationList
• SHA1WithRSA
• SHA256WithRSA
• SHA256WithRSAPSS
• SHA384WithRSA
• SHA384WithRSAPSS
• SHA512WithRSA
• SHA512WithRSAPSS
• SignatureAlgorithm
• SystemCertPool
• SystemRootsError
• TooManyConstraints
• TooManyIntermediates
• UnconstrainedName
• UnhandledCriticalExtension
• UnknownAuthorityError
• UnknownPublicKeyAlgorithm
• UnknownSignatureAlgorithm
• VerifyOptions
• arrayOfCertPool
• arrayOfCertificate
• arrayOfCertificateInvalidError
• arrayOfCertificateRequest
• arrayOfConstraintViolationError
• arrayOfExtKeyUsage
• arrayOfHostnameError
• arrayOfInsecureAlgorithmError
• arrayOfInvalidReason
• arrayOfKeyUsage
• arrayOfPEMCipher
• arrayOfPublicKeyAlgorithm
• arrayOfRevocationList
• arrayOfSignatureAlgorithm
• arrayOfSystemRootsError
• arrayOfUnhandledCriticalExtension
• arrayOfUnknownAuthorityError
• arrayOfVerifyOptions

Legend

Constant Variable Function Macro Special form Type GoVar Receiver/Method

Constants

Constants are variables with :const true in their metadata. Joker currently does not recognize them as special; as such, it allows redefining them or their values.

(None.)

Variables

• CANotAuthorizedForExtKeyUsage

  GoObject v1.0

  CANotAuthorizedForExtKeyUsage results when an intermediate or root
  certificate does not permit a requested extended key usage.
  

• CANotAuthorizedForThisName

  GoObject v1.0

  CANotAuthorizedForThisName results when an intermediate or root
  certificate has a name constraint which doesn't permit a DNS or
  other name (including IP address) in the leaf certificate.
  

• DSA

  GoObject v1.0

  Unsupported.
  

• DSAWithSHA1

  GoObject v1.0

  Unsupported.
  

• DSAWithSHA256

  GoObject v1.0

  Unsupported.
  

• ECDSA

  GoObject v1.0

• ECDSAWithSHA1

  GoObject v1.0

  Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
  

• ECDSAWithSHA256

  GoObject v1.0

• ECDSAWithSHA384

  GoObject v1.0

• ECDSAWithSHA512

  GoObject v1.0

• Ed25519

  GoObject v1.0

• ErrUnsupportedAlgorithm

  Var v1.0

  ErrUnsupportedAlgorithm results from attempting to perform an operation that
  involves algorithms that are not currently implemented.
  

• Expired

  GoObject v1.0

  Expired results when a certificate has expired, based on the time
  given in the VerifyOptions.
  

• ExtKeyUsageAny

  GoObject v1.0

• ExtKeyUsageClientAuth

  GoObject v1.0

• ExtKeyUsageCodeSigning

  GoObject v1.0

• ExtKeyUsageEmailProtection

  GoObject v1.0

• ExtKeyUsageIPSECEndSystem

  GoObject v1.0

• ExtKeyUsageIPSECTunnel

  GoObject v1.0

• ExtKeyUsageIPSECUser

  GoObject v1.0

• ExtKeyUsageMicrosoftCommercialCodeSigning

  GoObject v1.0

• ExtKeyUsageMicrosoftKernelCodeSigning

  GoObject v1.0

• ExtKeyUsageMicrosoftServerGatedCrypto

  GoObject v1.0

• ExtKeyUsageNetscapeServerGatedCrypto

  GoObject v1.0

• ExtKeyUsageOCSPSigning

  GoObject v1.0

• ExtKeyUsageServerAuth

  GoObject v1.0

• ExtKeyUsageTimeStamping

  GoObject v1.0

• IncompatibleUsage

  GoObject v1.0

  IncompatibleUsage results when the certificate's key usage indicates
  that it may only be used for a different purpose.
  

• IncorrectPasswordError

  Var v1.0

  IncorrectPasswordError is returned when an incorrect password is detected.
  

• KeyUsageCRLSign

  GoObject v1.0

• KeyUsageCertSign

  GoObject v1.0

• KeyUsageContentCommitment

  GoObject v1.0

• KeyUsageDataEncipherment

  GoObject v1.0

• KeyUsageDecipherOnly

  GoObject v1.0

• KeyUsageDigitalSignature

  GoObject v1.0

• KeyUsageEncipherOnly

  GoObject v1.0

• KeyUsageKeyAgreement

  GoObject v1.0

• KeyUsageKeyEncipherment

  GoObject v1.0

• MD2WithRSA

  GoObject v1.0

  Unsupported.
  

• MD5WithRSA

  GoObject v1.0

  Only supported for signing, not verification.
  

• NameConstraintsWithoutSANs

  GoObject v1.0

  NameConstraintsWithoutSANs is a legacy error and is no longer returned.
  

• NameMismatch

  GoObject v1.0

  NameMismatch results when the subject name of a parent certificate
  does not match the issuer name in the child.
  

• NotAuthorizedToSign

  GoObject v1.0

  NotAuthorizedToSign results when a certificate is signed by another
  which isn't marked as a CA certificate.
  

• PEMCipher3DES

  GoObject v1.0

  Possible values for the EncryptPEMBlock encryption algorithm.
  

• PEMCipherAES128

  GoObject v1.0

  Possible values for the EncryptPEMBlock encryption algorithm.
  

• PEMCipherAES192

  GoObject v1.0

  Possible values for the EncryptPEMBlock encryption algorithm.
  

• PEMCipherAES256

  GoObject v1.0

  Possible values for the EncryptPEMBlock encryption algorithm.
  

• PEMCipherDES

  GoObject v1.0

  Possible values for the EncryptPEMBlock encryption algorithm.
  

• PureEd25519

  GoObject v1.0

• RSA

  GoObject v1.0

• SHA1WithRSA

  GoObject v1.0

  Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
  

• SHA256WithRSA

  GoObject v1.0

• SHA256WithRSAPSS

  GoObject v1.0

• SHA384WithRSA

  GoObject v1.0

• SHA384WithRSAPSS

  GoObject v1.0

• SHA512WithRSA

  GoObject v1.0

• SHA512WithRSAPSS

  GoObject v1.0

• TooManyConstraints

  GoObject v1.0

  TooManyConstraints results when the number of comparison operations
  needed to check a certificate exceeds the limit set by
  VerifyOptions.MaxConstraintComparisions. This limit exists to
  prevent pathological certificates can consuming excessive amounts of
  CPU time to verify.
  

• TooManyIntermediates

  GoObject v1.0

  TooManyIntermediates results when a path length constraint is
  violated.
  

• UnconstrainedName

  GoObject v1.0

  UnconstrainedName results when a CA certificate contains permitted
  name constraints, but leaf certificate contains a name of an
  unsupported or unconstrained type.
  

• UnknownPublicKeyAlgorithm

  GoObject v1.0

• UnknownSignatureAlgorithm

  GoObject v1.0

Functions, Macros, and Special Forms

• CreateCertificate

  Function v1.0

  (CreateCertificate rand template parent pub priv)
  

  CreateCertificate creates a new X.509 v3 certificate based on a template.
  The following members of template are currently used:
  
  - AuthorityKeyId
  - BasicConstraintsValid
  - CRLDistributionPoints
  - DNSNames
  - EmailAddresses
  - ExcludedDNSDomains
  - ExcludedEmailAddresses
  - ExcludedIPRanges
  - ExcludedURIDomains
  - ExtKeyUsage
  - ExtraExtensions
  - IPAddresses
  - IsCA
  - IssuingCertificateURL
  - KeyUsage
  - MaxPathLen
  - MaxPathLenZero
  - NotAfter
  - NotBefore
  - OCSPServer
  - PermittedDNSDomains
  - PermittedDNSDomainsCritical
  - PermittedEmailAddresses
  - PermittedIPRanges
  - PermittedURIDomains
  - PolicyIdentifiers
  - SerialNumber
  - SignatureAlgorithm
  - Subject
  - SubjectKeyId
  - URIs
  - UnknownExtKeyUsage
  
  The certificate is signed by parent. If parent is equal to template then the
  certificate is self-signed. The parameter pub is the public key of the
  certificate to be generated and priv is the private key of the signer.
  
  The returned slice is the certificate in DER encoding.
  
  The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and
  ed25519.PublicKey. pub must be a supported key type, and priv must be a
  crypto.Signer with a supported public key.
  
  The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
  unless the resulting certificate is self-signed. Otherwise the value from
  template will be used.
  
  If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId
  will be generated from the hash of the public key.
  
  Go input arguments: (rand io.Reader, template *Certificate, parent *Certificate, pub any, priv any)
  
  Go returns: ([]byte, error)
  
  Joker input arguments: [^go.std.io/Reader rand, ^*Certificate template, ^*Certificate parent, ^GoObject pub, ^GoObject priv]
  
  Joker returns: [^arrayOfByte, ^Error]

• CreateCertificateRequest

  Function v1.0

  (CreateCertificateRequest rand template priv)
  

  CreateCertificateRequest creates a new certificate request based on a
  template. The following members of template are used:
  
  - SignatureAlgorithm
  - Subject
  - DNSNames
  - EmailAddresses
  - IPAddresses
  - URIs
  - ExtraExtensions
  - Attributes (deprecated)
  
  priv is the private key to sign the CSR with, and the corresponding public
  key will be included in the CSR. It must implement crypto.Signer and its
  Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a
  ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or
  ed25519.PrivateKey satisfies this.)
  
  The returned slice is the certificate request in DER encoding.
  
  Go input arguments: (rand io.Reader, template *CertificateRequest, priv any)
  
  Go returns: (csr []byte, err error)
  
  Joker input arguments: [^go.std.io/Reader rand, ^*CertificateRequest template, ^GoObject priv]
  
  Joker returns: [^arrayOfByte csr, ^Error err]

• CreateRevocationList

  Function v1.0

  (CreateRevocationList rand template issuer priv)
  

  CreateRevocationList creates a new X.509 v2 Certificate Revocation List,
  according to RFC 5280, based on template.
  
  The CRL is signed by priv which should be the private key associated with
  the public key in the issuer certificate.
  
  The issuer may not be nil, and the crlSign bit must be set in KeyUsage in
  order to use it as a CRL issuer.
  
  The issuer distinguished name CRL field and authority key identifier
  extension are populated using the issuer certificate. issuer must have
  SubjectKeyId set.
  
  Go input arguments: (rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer)
  
  Go returns: ([]byte, error)
  
  Joker input arguments: [^go.std.io/Reader rand, ^*RevocationList template, ^*Certificate issuer, ^go.std.crypto/Signer priv]
  
  Joker returns: [^arrayOfByte, ^Error]

• DecryptPEMBlock

  Function v1.0

  (DecryptPEMBlock b password)
  

  DecryptPEMBlock takes a PEM block encrypted according to RFC 1423 and the
  password used to encrypt it and returns a slice of decrypted DER encoded
  bytes. It inspects the DEK-Info header to determine the algorithm used for
  decryption. If no DEK-Info header is present, an error is returned. If an
  incorrect password is detected an IncorrectPasswordError is returned. Because
  of deficiencies in the format, it's not always possible to detect an
  incorrect password. In these cases no error will be returned but the
  decrypted DER bytes will be random noise.
  
  Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by
  design. Since it does not authenticate the ciphertext, it is vulnerable to
  padding oracle attacks that can let an attacker recover the plaintext.
  
  Go input arguments: (b *encoding/pem.Block, password []byte)
  
  Go returns: ([]byte, error)
  
  Joker input arguments: [^go.std.encoding.pem/*Block b, ^arrayOfByte password]
  
  Joker returns: [^arrayOfByte, ^Error]

• EncryptPEMBlock

  Function v1.0

  (EncryptPEMBlock rand blockType data password alg)
  

  EncryptPEMBlock returns a PEM block of the specified type holding the
  given DER encoded data encrypted with the specified algorithm and
  password according to RFC 1423.
  
  Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by
  design. Since it does not authenticate the ciphertext, it is vulnerable to
  padding oracle attacks that can let an attacker recover the plaintext.
  
  Go input arguments: (rand io.Reader, blockType string, data []byte, password []byte, alg PEMCipher)
  
  Go returns: (*encoding/pem.Block, error)
  
  Joker input arguments: [^go.std.io/Reader rand, ^String blockType, ^arrayOfByte data, ^arrayOfByte password, ^PEMCipher alg]
  
  Joker returns: [^go.std.encoding.pem/*Block, ^Error]

• IsEncryptedPEMBlock

  Function v1.0

  (IsEncryptedPEMBlock b)
  

  IsEncryptedPEMBlock returns whether the PEM block is password encrypted
  according to RFC 1423.
  
  Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by
  design. Since it does not authenticate the ciphertext, it is vulnerable to
  padding oracle attacks that can let an attacker recover the plaintext.
  
  Go input arguments: (b *encoding/pem.Block)
  
  Go returns: bool
  
  Joker input arguments: [^go.std.encoding.pem/*Block b]
  
  Joker returns: ^Boolean

• MarshalECPrivateKey

  Function v1.0

  (MarshalECPrivateKey key)
  

  MarshalECPrivateKey converts an EC private key to SEC 1, ASN.1 DER form.
  
  This kind of key is commonly encoded in PEM blocks of type "EC PRIVATE KEY".
  For a more flexible key format which is not EC specific, use
  MarshalPKCS8PrivateKey.
  
  Go input arguments: (key *crypto/ecdsa.PrivateKey)
  
  Go returns: ([]byte, error)
  
  Joker input arguments: [^go.std.crypto.ecdsa/*PrivateKey key]
  
  Joker returns: [^arrayOfByte, ^Error]

• MarshalPKCS1PrivateKey

  Function v1.0

  (MarshalPKCS1PrivateKey key)
  

  MarshalPKCS1PrivateKey converts an RSA private key to PKCS #1, ASN.1 DER form.
  
  This kind of key is commonly encoded in PEM blocks of type "RSA PRIVATE KEY".
  For a more flexible key format which is not RSA specific, use
  MarshalPKCS8PrivateKey.
  
  Go input arguments: (key *crypto/rsa.PrivateKey)
  
  Go returns: []byte
  
  Joker input arguments: [^go.std.crypto.rsa/*PrivateKey key]
  
  Joker returns: ^arrayOfByte

• MarshalPKCS1PublicKey

  Function v1.0

  (MarshalPKCS1PublicKey key)
  

  MarshalPKCS1PublicKey converts an RSA public key to PKCS #1, ASN.1 DER form.
  
  This kind of key is commonly encoded in PEM blocks of type "RSA PUBLIC KEY".
  
  Go input arguments: (key *crypto/rsa.PublicKey)
  
  Go returns: []byte
  
  Joker input arguments: [^go.std.crypto.rsa/*PublicKey key]
  
  Joker returns: ^arrayOfByte

• MarshalPKCS8PrivateKey

  Function v1.0

  (MarshalPKCS8PrivateKey key)
  

  MarshalPKCS8PrivateKey converts a private key to PKCS #8, ASN.1 DER form.
  
  The following key types are currently supported: *rsa.PrivateKey, *ecdsa.PrivateKey
  and ed25519.PrivateKey. Unsupported key types result in an error.
  
  This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".
  
  Go input arguments: (key any)
  
  Go returns: ([]byte, error)
  
  Joker input arguments: [^GoObject key]
  
  Joker returns: [^arrayOfByte, ^Error]

• MarshalPKIXPublicKey

  Function v1.0

  (MarshalPKIXPublicKey pub)
  

  MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
  The encoded public key is a SubjectPublicKeyInfo structure
  (see RFC 5280, Section 4.1).
  
  The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
  and ed25519.PublicKey. Unsupported key types result in an error.
  
  This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
  
  Go input arguments: (pub any)
  
  Go returns: ([]byte, error)
  
  Joker input arguments: [^GoObject pub]
  
  Joker returns: [^arrayOfByte, ^Error]

• NewCertPool

  Function v1.0

  (NewCertPool)
  

  NewCertPool returns a new, empty CertPool.
  
  Go returns: *CertPool
  
  Joker input arguments: []
  
  Joker returns: ^*CertPool

• ParseCRL

  Function v1.0

  (ParseCRL crlBytes)
  

  ParseCRL parses a CRL from the given bytes. It's often the case that PEM
  encoded CRLs will appear where they should be DER encoded, so this function
  will transparently handle PEM encoding as long as there isn't any leading
  garbage.
  
  Go input arguments: (crlBytes []byte)
  
  Go returns: (*crypto/x509/pkix.CertificateList, error)
  
  Joker input arguments: [^arrayOfByte crlBytes]
  
  Joker returns: [^go.std.crypto.x509.pkix/*CertificateList, ^Error]

• ParseCertificate

  Function v1.0

  (ParseCertificate der)
  

  ParseCertificate parses a single certificate from the given ASN.1 DER data.
  
  Go input arguments: (der []byte)
  
  Go returns: (*Certificate, error)
  
  Joker input arguments: [^arrayOfByte der]
  
  Joker returns: [^*Certificate, ^Error]

• ParseCertificateRequest

  Function v1.0

  (ParseCertificateRequest asn1Data)
  

  ParseCertificateRequest parses a single certificate request from the
  given ASN.1 DER data.
  
  Go input arguments: (asn1Data []byte)
  
  Go returns: (*CertificateRequest, error)
  
  Joker input arguments: [^arrayOfByte asn1Data]
  
  Joker returns: [^*CertificateRequest, ^Error]

• ParseCertificates

  Function v1.0

  (ParseCertificates der)
  

  ParseCertificates parses one or more certificates from the given ASN.1 DER
  data. The certificates must be concatenated with no intermediate padding.
  
  Go input arguments: (der []byte)
  
  Go returns: ([]*Certificate, error)
  
  Joker input arguments: [^arrayOfByte der]
  
  Joker returns: [^arrayOf*Certificate, ^Error]

• ParseDERCRL

  Function v1.0

  (ParseDERCRL derBytes)
  

  ParseDERCRL parses a DER encoded CRL from the given bytes.
  
  Go input arguments: (derBytes []byte)
  
  Go returns: (*crypto/x509/pkix.CertificateList, error)
  
  Joker input arguments: [^arrayOfByte derBytes]
  
  Joker returns: [^go.std.crypto.x509.pkix/*CertificateList, ^Error]

• ParseECPrivateKey

  Function v1.0

  (ParseECPrivateKey der)
  

  ParseECPrivateKey parses an EC private key in SEC 1, ASN.1 DER form.
  
  This kind of key is commonly encoded in PEM blocks of type "EC PRIVATE KEY".
  
  Go input arguments: (der []byte)
  
  Go returns: (*crypto/ecdsa.PrivateKey, error)
  
  Joker input arguments: [^arrayOfByte der]
  
  Joker returns: [^go.std.crypto.ecdsa/*PrivateKey, ^Error]

• ParsePKCS1PrivateKey

  Function v1.0

  (ParsePKCS1PrivateKey der)
  

  ParsePKCS1PrivateKey parses an RSA private key in PKCS #1, ASN.1 DER form.
  
  This kind of key is commonly encoded in PEM blocks of type "RSA PRIVATE KEY".
  
  Go input arguments: (der []byte)
  
  Go returns: (*crypto/rsa.PrivateKey, error)
  
  Joker input arguments: [^arrayOfByte der]
  
  Joker returns: [^go.std.crypto.rsa/*PrivateKey, ^Error]

• ParsePKCS1PublicKey

  Function v1.0

  (ParsePKCS1PublicKey der)
  

  ParsePKCS1PublicKey parses an RSA public key in PKCS #1, ASN.1 DER form.
  
  This kind of key is commonly encoded in PEM blocks of type "RSA PUBLIC KEY".
  
  Go input arguments: (der []byte)
  
  Go returns: (*crypto/rsa.PublicKey, error)
  
  Joker input arguments: [^arrayOfByte der]
  
  Joker returns: [^go.std.crypto.rsa/*PublicKey, ^Error]

• ParsePKCS8PrivateKey

  Function v1.0

  (ParsePKCS8PrivateKey der)
  

  ParsePKCS8PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form.
  
  It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey.
  More types might be supported in the future.
  
  This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".
  
  Go input arguments: (der []byte)
  
  Go returns: (key any, err error)
  
  Joker input arguments: [^arrayOfByte der]
  
  Joker returns: [^GoObject key, ^Error err]

• ParsePKIXPublicKey

  Function v1.0

  (ParsePKIXPublicKey derBytes)
  

  ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
  The encoded public key is a SubjectPublicKeyInfo structure
  (see RFC 5280, Section 4.1).
  
  It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
  ed25519.PublicKey. More types might be supported in the future.
  
  This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
  
  Go input arguments: (derBytes []byte)
  
  Go returns: (pub any, err error)
  
  Joker input arguments: [^arrayOfByte derBytes]
  
  Joker returns: [^GoObject pub, ^Error err]

• SystemCertPool

  Function v1.0

  (SystemCertPool)
  

  SystemCertPool returns a copy of the system cert pool.
  
  On Unix systems other than macOS the environment variables SSL_CERT_FILE and
  SSL_CERT_DIR can be used to override the system default locations for the SSL
  certificate file and SSL certificate files directory, respectively. The
  latter can be a colon-separated list.
  
  Any mutations to the returned pool are not written to disk and do not affect
  any other pool returned by SystemCertPool.
  
  New changes in the system cert pool might not be reflected in subsequent calls.
  
  Go returns: (*CertPool, error)
  
  Joker input arguments: []
  
  Joker returns: [^*CertPool, ^Error]

Types

• *CertPool

  Concrete Type v1.0

  CertPool is a set of certificates.
  

• AddCert

  Receiver for *CertPool v1.0

  ([cert])
  

  AddCert adds a certificate to a pool.
  

• AppendCertsFromPEM

  Receiver for *CertPool v1.0

  ([pemCerts])
  

  AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.
  It appends any certificates found to s and reports whether any certificates
  were successfully parsed.
  
  On many Linux systems, /etc/ssl/cert.pem will contain the system wide set
  of root CAs in a format suitable for this function.
  

• Subjects

  Receiver for *CertPool v1.0

  ([])
  

  Subjects returns a list of the DER-encoded subjects of
  all of the certificates in the pool.
  
  Deprecated: if s was returned by SystemCertPool, Subjects
  will not include the system roots.
  

• *Certificate

  Concrete Type v1.0

  A Certificate represents an X.509 certificate.
  

• CheckCRLSignature

  Receiver for *Certificate v1.0

  ([crl])
  

  CheckCRLSignature checks that the signature in crl is from c.
  

• CheckSignature

  Receiver for *Certificate v1.0

  ([algo signed signature])
  

  CheckSignature verifies that signature is a valid signature over signed from
  c's public key.
  

• CheckSignatureFrom

  Receiver for *Certificate v1.0

  ([parent])
  

  CheckSignatureFrom verifies that the signature on c is a valid signature
  from parent. SHA1WithRSA and ECDSAWithSHA1 signatures are not supported.
  

• CreateCRL

  Receiver for *Certificate v1.0

  ([rand priv revokedCerts now expiry])
  

  CreateCRL returns a DER encoded CRL, signed by this Certificate, that
  contains the given list of revoked certificates.
  
  Note: this method does not generate an RFC 5280 conformant X.509 v2 CRL.
  To generate a standards compliant CRL, use CreateRevocationList instead.
  

• Equal

  Receiver for *Certificate v1.0

  ([other])
  

• Verify

  Receiver for *Certificate v1.0

  ([opts])
  

  Verify attempts to verify c by building one or more chains from c to a
  certificate in opts.Roots, using certificates in opts.Intermediates if
  needed. If successful, it returns one or more chains where the first
  element of the chain is c and the last element is from opts.Roots.
  
  If opts.Roots is nil, the platform verifier might be used, and
  verification details might differ from what is described below. If system
  roots are unavailable the returned error will be of type SystemRootsError.
  
  Name constraints in the intermediates will be applied to all names claimed
  in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim
  example.com if an intermediate doesn't permit it, even if example.com is not
  the name being validated. Note that DirectoryName constraints are not
  supported.
  
  Name constraint validation follows the rules from RFC 5280, with the
  addition that DNS name constraints may use the leading period format
  defined for emails and URIs. When a constraint has a leading period
  it indicates that at least one additional label must be prepended to
  the constrained name to be considered valid.
  
  Extended Key Usage values are enforced nested down a chain, so an intermediate
  or root that enumerates EKUs prevents a leaf from asserting an EKU not in that
  list. (While this is not specified, it is common practice in order to limit
  the types of certificates a CA can issue.)
  
  Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported,
  and will not be used to build chains.
  
  WARNING: this function doesn't do any revocation checking.
  

• VerifyHostname

  Receiver for *Certificate v1.0

  ([h])
  

  VerifyHostname returns nil if c is a valid certificate for the named host.
  Otherwise it returns an error describing the mismatch.
  
  IP addresses can be optionally enclosed in square brackets and are checked
  against the IPAddresses field. Other names are checked case insensitively
  against the DNSNames field. If the names are valid hostnames, the certificate
  fields can have a wildcard as the left-most label.
  
  Note that the legacy Common Name field is ignored.
  

• *CertificateInvalidError

  Concrete Type v1.0

  CertificateInvalidError results when an odd error occurs. Users of this
  library probably want to handle all these errors uniformly.
  

• *CertificateRequest

  Concrete Type v1.0

  CertificateRequest represents a PKCS #10, certificate signature request.
  

• CheckSignature

  Receiver for *CertificateRequest v1.0

  ([])
  

  CheckSignature reports whether the signature on c is valid.
  

• *ConstraintViolationError

  Concrete Type v1.0

  ConstraintViolationError results when a requested usage is not permitted by
  a certificate. For example: checking a signature when the public key isn't a
  certificate signing key.
  

• *ExtKeyUsage

  Concrete Type v1.0

  ExtKeyUsage represents an extended set of actions that are valid for a given key.
  Each of the ExtKeyUsage* constants define a unique action.
  

• *HostnameError

  Concrete Type v1.0

  HostnameError results when the set of authorized names doesn't match the
  requested name.
  

• *InsecureAlgorithmError

  Concrete Type v1.0

  An InsecureAlgorithmError indicates that the SignatureAlgorithm used to
  generate the signature is not secure, and the signature has been rejected.
  
  To temporarily restore support for SHA-1 signatures, include the value
  "x509sha1=1" in the GODEBUG environment variable. Note that this option will
  be removed in Go 1.19.
  

• *InvalidReason

  Concrete Type v1.0

• *KeyUsage

  Concrete Type v1.0

  KeyUsage represents the set of actions that are valid for a given key. It's
  a bitmap of the KeyUsage* constants.
  

• *PEMCipher

  Concrete Type v1.0

• *PublicKeyAlgorithm

  Concrete Type v1.0

• *RevocationList

  Concrete Type v1.0

  RevocationList contains the fields used to create an X.509 v2 Certificate
  Revocation list with CreateRevocationList.
  

• *SignatureAlgorithm

  Concrete Type v1.0

• *SystemRootsError

  Concrete Type v1.0

  SystemRootsError results when we fail to load the system root certificates.
  

• *UnhandledCriticalExtension

  Concrete Type v1.0

• *UnknownAuthorityError

  Concrete Type v1.0

  UnknownAuthorityError results when the certificate issuer is unknown
  

• *VerifyOptions

  Concrete Type v1.0

  VerifyOptions contains parameters for Certificate.Verify.
  

• CertPool

  Concrete Type v1.0

  CertPool is a set of certificates.
  

• Certificate

  Concrete Type v1.0

  A Certificate represents an X.509 certificate.
  

• CertificateInvalidError

  Concrete Type v1.0

  CertificateInvalidError results when an odd error occurs. Users of this
  library probably want to handle all these errors uniformly.
  

• Error

  Receiver for CertificateInvalidError v1.0

  ([])
  

• CertificateRequest

  Concrete Type v1.0

  CertificateRequest represents a PKCS #10, certificate signature request.
  

• ConstraintViolationError

  Concrete Type v1.0

  ConstraintViolationError results when a requested usage is not permitted by
  a certificate. For example: checking a signature when the public key isn't a
  certificate signing key.
  

• Error

  Receiver for ConstraintViolationError v1.0

  ([])
  

• ExtKeyUsage

  Concrete Type v1.0

  ExtKeyUsage represents an extended set of actions that are valid for a given key.
  Each of the ExtKeyUsage* constants define a unique action.
  

• HostnameError

  Concrete Type v1.0

  HostnameError results when the set of authorized names doesn't match the
  requested name.
  

• Error

  Receiver for HostnameError v1.0

  ([])
  

• InsecureAlgorithmError

  Concrete Type v1.0

  An InsecureAlgorithmError indicates that the SignatureAlgorithm used to
  generate the signature is not secure, and the signature has been rejected.
  
  To temporarily restore support for SHA-1 signatures, include the value
  "x509sha1=1" in the GODEBUG environment variable. Note that this option will
  be removed in Go 1.19.
  

• Error

  Receiver for InsecureAlgorithmError v1.0

  ([])
  

• InvalidReason

  Concrete Type v1.0

• KeyUsage

  Concrete Type v1.0

  KeyUsage represents the set of actions that are valid for a given key. It's
  a bitmap of the KeyUsage* constants.
  

• PEMCipher

  Concrete Type v1.0

• PublicKeyAlgorithm

  Concrete Type v1.0

• String

  Receiver for PublicKeyAlgorithm v1.0

  ([])
  

• RevocationList

  Concrete Type v1.0

  RevocationList contains the fields used to create an X.509 v2 Certificate
  Revocation list with CreateRevocationList.
  

• SignatureAlgorithm

  Concrete Type v1.0

• String

  Receiver for SignatureAlgorithm v1.0

  ([])
  

• SystemRootsError

  Concrete Type v1.0

  SystemRootsError results when we fail to load the system root certificates.
  

• Error

  Receiver for SystemRootsError v1.0

  ([])
  

• Unwrap

  Receiver for SystemRootsError v1.0

  ([])
  

• UnhandledCriticalExtension

  Concrete Type v1.0

• Error

  Receiver for UnhandledCriticalExtension v1.0

  ([])
  

• UnknownAuthorityError

  Concrete Type v1.0

  UnknownAuthorityError results when the certificate issuer is unknown
  

• Error

  Receiver for UnknownAuthorityError v1.0

  ([])
  

• VerifyOptions

  Concrete Type v1.0

  VerifyOptions contains parameters for Certificate.Verify.
  

• arrayOfCertPool

  Concrete Type v1.0

  CertPool is a set of certificates.
  

• arrayOfCertificate

  Concrete Type v1.0

  A Certificate represents an X.509 certificate.
  

• arrayOfCertificateInvalidError

  Concrete Type v1.0

  CertificateInvalidError results when an odd error occurs. Users of this
  library probably want to handle all these errors uniformly.
  

• arrayOfCertificateRequest

  Concrete Type v1.0

  CertificateRequest represents a PKCS #10, certificate signature request.
  

• arrayOfConstraintViolationError

  Concrete Type v1.0

  ConstraintViolationError results when a requested usage is not permitted by
  a certificate. For example: checking a signature when the public key isn't a
  certificate signing key.
  

• arrayOfExtKeyUsage

  Concrete Type v1.0

  ExtKeyUsage represents an extended set of actions that are valid for a given key.
  Each of the ExtKeyUsage* constants define a unique action.
  

• arrayOfHostnameError

  Concrete Type v1.0

  HostnameError results when the set of authorized names doesn't match the
  requested name.
  

• arrayOfInsecureAlgorithmError

  Concrete Type v1.0

  An InsecureAlgorithmError indicates that the SignatureAlgorithm used to
  generate the signature is not secure, and the signature has been rejected.
  
  To temporarily restore support for SHA-1 signatures, include the value
  "x509sha1=1" in the GODEBUG environment variable. Note that this option will
  be removed in Go 1.19.
  

• arrayOfInvalidReason

  Concrete Type v1.0

• arrayOfKeyUsage

  Concrete Type v1.0

  KeyUsage represents the set of actions that are valid for a given key. It's
  a bitmap of the KeyUsage* constants.
  

• arrayOfPEMCipher

  Concrete Type v1.0

• arrayOfPublicKeyAlgorithm

  Concrete Type v1.0

• arrayOfRevocationList

  Concrete Type v1.0

  RevocationList contains the fields used to create an X.509 v2 Certificate
  Revocation list with CreateRevocationList.
  

• arrayOfSignatureAlgorithm

  Concrete Type v1.0

• arrayOfSystemRootsError

  Concrete Type v1.0

  SystemRootsError results when we fail to load the system root certificates.
  

• arrayOfUnhandledCriticalExtension

  Concrete Type v1.0

• arrayOfUnknownAuthorityError

  Concrete Type v1.0

  UnknownAuthorityError results when the certificate issuer is unknown
  

• arrayOfVerifyOptions

  Concrete Type v1.0

  VerifyOptions contains parameters for Certificate.Verify.