Namespace: go.std.crypto.x509
v1.0Contents
Summary
Provides a low-level interface to the crypto/x509 package.
Copyright 2021 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
Package x509 parses X.509-encoded keys and certificates.
Index
- *CertPool
- *Certificate
- *CertificateInvalidError
- *CertificateRequest
- *ConstraintViolationError
- *ExtKeyUsage
- *HostnameError
- *InsecureAlgorithmError
- *InvalidReason
- *KeyUsage
- *PEMCipher
- *PublicKeyAlgorithm
- *RevocationList
- *SignatureAlgorithm
- *SystemRootsError
- *UnhandledCriticalExtension
- *UnknownAuthorityError
- *VerifyOptions
- CANotAuthorizedForExtKeyUsage
- CANotAuthorizedForThisName
- CertPool
- Certificate
- CertificateInvalidError
- CertificateRequest
- ConstraintViolationError
- CreateCertificate
- CreateCertificateRequest
- CreateRevocationList
- DSA
- DSAWithSHA1
- DSAWithSHA256
- DecryptPEMBlock
- ECDSA
- ECDSAWithSHA1
- ECDSAWithSHA256
- ECDSAWithSHA384
- ECDSAWithSHA512
- Ed25519
- EncryptPEMBlock
- ErrUnsupportedAlgorithm
- Expired
- ExtKeyUsage
- ExtKeyUsageAny
- ExtKeyUsageClientAuth
- ExtKeyUsageCodeSigning
- ExtKeyUsageEmailProtection
- ExtKeyUsageIPSECEndSystem
- ExtKeyUsageIPSECTunnel
- ExtKeyUsageIPSECUser
- ExtKeyUsageMicrosoftCommercialCodeSigning
- ExtKeyUsageMicrosoftKernelCodeSigning
- ExtKeyUsageMicrosoftServerGatedCrypto
- ExtKeyUsageNetscapeServerGatedCrypto
- ExtKeyUsageOCSPSigning
- ExtKeyUsageServerAuth
- ExtKeyUsageTimeStamping
- HostnameError
- IncompatibleUsage
- IncorrectPasswordError
- InsecureAlgorithmError
- InvalidReason
- IsEncryptedPEMBlock
- KeyUsage
- KeyUsageCRLSign
- KeyUsageCertSign
- KeyUsageContentCommitment
- KeyUsageDataEncipherment
- KeyUsageDecipherOnly
- KeyUsageDigitalSignature
- KeyUsageEncipherOnly
- KeyUsageKeyAgreement
- KeyUsageKeyEncipherment
- MD2WithRSA
- MD5WithRSA
- MarshalECPrivateKey
- MarshalPKCS1PrivateKey
- MarshalPKCS1PublicKey
- MarshalPKCS8PrivateKey
- MarshalPKIXPublicKey
- NameConstraintsWithoutSANs
- NameMismatch
- NewCertPool
- NotAuthorizedToSign
- PEMCipher
- PEMCipher3DES
- PEMCipherAES128
- PEMCipherAES192
- PEMCipherAES256
- PEMCipherDES
- ParseCRL
- ParseCertificate
- ParseCertificateRequest
- ParseCertificates
- ParseDERCRL
- ParseECPrivateKey
- ParsePKCS1PrivateKey
- ParsePKCS1PublicKey
- ParsePKCS8PrivateKey
- ParsePKIXPublicKey
- ParseRevocationList
- PublicKeyAlgorithm
- PureEd25519
- RSA
- RevocationList
- SHA1WithRSA
- SHA256WithRSA
- SHA256WithRSAPSS
- SHA384WithRSA
- SHA384WithRSAPSS
- SHA512WithRSA
- SHA512WithRSAPSS
- SignatureAlgorithm
- SystemCertPool
- SystemRootsError
- TooManyConstraints
- TooManyIntermediates
- UnconstrainedName
- UnhandledCriticalExtension
- UnknownAuthorityError
- UnknownPublicKeyAlgorithm
- UnknownSignatureAlgorithm
- VerifyOptions
- arrayOfCertPool
- arrayOfCertificate
- arrayOfCertificateInvalidError
- arrayOfCertificateRequest
- arrayOfConstraintViolationError
- arrayOfExtKeyUsage
- arrayOfHostnameError
- arrayOfInsecureAlgorithmError
- arrayOfInvalidReason
- arrayOfKeyUsage
- arrayOfPEMCipher
- arrayOfPublicKeyAlgorithm
- arrayOfRevocationList
- arrayOfSignatureAlgorithm
- arrayOfSystemRootsError
- arrayOfUnhandledCriticalExtension
- arrayOfUnknownAuthorityError
- arrayOfVerifyOptions
Legend
-
Constant
Variable
Function
Macro
Special form
Type
GoVar
Receiver/Method
Constants
Constants are variables with :const true in their metadata. Joker currently does not recognize them as special; as such, it allows redefining them or their values.-
(None.)
Variables
-
CANotAuthorizedForExtKeyUsage
GoObject v1.0CANotAuthorizedForExtKeyUsage results when an intermediate or root
certificate does not permit a requested extended key usage.
-
CANotAuthorizedForThisName
GoObject v1.0CANotAuthorizedForThisName results when an intermediate or root
certificate has a name constraint which doesn't permit a DNS or
other name (including IP address) in the leaf certificate.
-
DSA
GoObject v1.0Unsupported.
-
DSAWithSHA1
GoObject v1.0Unsupported.
-
DSAWithSHA256
GoObject v1.0Unsupported.
-
ECDSA
GoObject v1.0 -
ECDSAWithSHA1
GoObject v1.0Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
-
ECDSAWithSHA256
GoObject v1.0 -
ECDSAWithSHA384
GoObject v1.0 -
ECDSAWithSHA512
GoObject v1.0 -
Ed25519
GoObject v1.0 -
ErrUnsupportedAlgorithm
Var v1.0ErrUnsupportedAlgorithm results from attempting to perform an operation that
involves algorithms that are not currently implemented.
-
Expired
GoObject v1.0Expired results when a certificate has expired, based on the time
given in the VerifyOptions.
-
ExtKeyUsageAny
GoObject v1.0 -
ExtKeyUsageClientAuth
GoObject v1.0 -
ExtKeyUsageCodeSigning
GoObject v1.0 -
ExtKeyUsageEmailProtection
GoObject v1.0 -
ExtKeyUsageIPSECEndSystem
GoObject v1.0 -
ExtKeyUsageIPSECTunnel
GoObject v1.0 -
ExtKeyUsageIPSECUser
GoObject v1.0 -
ExtKeyUsageMicrosoftCommercialCodeSigning
GoObject v1.0 -
ExtKeyUsageMicrosoftKernelCodeSigning
GoObject v1.0 -
ExtKeyUsageMicrosoftServerGatedCrypto
GoObject v1.0 -
ExtKeyUsageNetscapeServerGatedCrypto
GoObject v1.0 -
ExtKeyUsageOCSPSigning
GoObject v1.0 -
ExtKeyUsageServerAuth
GoObject v1.0 -
ExtKeyUsageTimeStamping
GoObject v1.0 -
IncompatibleUsage
GoObject v1.0IncompatibleUsage results when the certificate's key usage indicates
that it may only be used for a different purpose.
-
IncorrectPasswordError
Var v1.0IncorrectPasswordError is returned when an incorrect password is detected.
-
KeyUsageCRLSign
GoObject v1.0 -
KeyUsageCertSign
GoObject v1.0 -
KeyUsageContentCommitment
GoObject v1.0 -
KeyUsageDataEncipherment
GoObject v1.0 -
KeyUsageDecipherOnly
GoObject v1.0 -
KeyUsageDigitalSignature
GoObject v1.0 -
KeyUsageEncipherOnly
GoObject v1.0 -
KeyUsageKeyAgreement
GoObject v1.0 -
KeyUsageKeyEncipherment
GoObject v1.0 -
MD2WithRSA
GoObject v1.0Unsupported.
-
MD5WithRSA
GoObject v1.0Only supported for signing, not verification.
-
NameConstraintsWithoutSANs
GoObject v1.0NameConstraintsWithoutSANs is a legacy error and is no longer returned.
-
NameMismatch
GoObject v1.0NameMismatch results when the subject name of a parent certificate
does not match the issuer name in the child.
-
NotAuthorizedToSign
GoObject v1.0NotAuthorizedToSign results when a certificate is signed by another
which isn't marked as a CA certificate.
-
PEMCipher3DES
GoObject v1.0Possible values for the EncryptPEMBlock encryption algorithm.
-
PEMCipherAES128
GoObject v1.0Possible values for the EncryptPEMBlock encryption algorithm.
-
PEMCipherAES192
GoObject v1.0Possible values for the EncryptPEMBlock encryption algorithm.
-
PEMCipherAES256
GoObject v1.0Possible values for the EncryptPEMBlock encryption algorithm.
-
PEMCipherDES
GoObject v1.0Possible values for the EncryptPEMBlock encryption algorithm.
-
PureEd25519
GoObject v1.0 -
RSA
GoObject v1.0 -
SHA1WithRSA
GoObject v1.0Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
-
SHA256WithRSA
GoObject v1.0 -
SHA256WithRSAPSS
GoObject v1.0 -
SHA384WithRSA
GoObject v1.0 -
SHA384WithRSAPSS
GoObject v1.0 -
SHA512WithRSA
GoObject v1.0 -
SHA512WithRSAPSS
GoObject v1.0 -
TooManyConstraints
GoObject v1.0TooManyConstraints results when the number of comparison operations
needed to check a certificate exceeds the limit set by
VerifyOptions.MaxConstraintComparisions. This limit exists to
prevent pathological certificates can consuming excessive amounts of
CPU time to verify.
-
TooManyIntermediates
GoObject v1.0TooManyIntermediates results when a path length constraint is
violated.
-
UnconstrainedName
GoObject v1.0UnconstrainedName results when a CA certificate contains permitted
name constraints, but leaf certificate contains a name of an
unsupported or unconstrained type.
-
UnknownPublicKeyAlgorithm
GoObject v1.0 -
UnknownSignatureAlgorithm
GoObject v1.0
Functions, Macros, and Special Forms
-
CreateCertificate
Function v1.0(CreateCertificate rand template parent pub priv)
CreateCertificate creates a new X.509 v3 certificate based on a template.
The following members of template are currently used:
- AuthorityKeyId
- BasicConstraintsValid
- CRLDistributionPoints
- DNSNames
- EmailAddresses
- ExcludedDNSDomains
- ExcludedEmailAddresses
- ExcludedIPRanges
- ExcludedURIDomains
- ExtKeyUsage
- ExtraExtensions
- IPAddresses
- IsCA
- IssuingCertificateURL
- KeyUsage
- MaxPathLen
- MaxPathLenZero
- NotAfter
- NotBefore
- OCSPServer
- PermittedDNSDomains
- PermittedDNSDomainsCritical
- PermittedEmailAddresses
- PermittedIPRanges
- PermittedURIDomains
- PolicyIdentifiers
- SerialNumber
- SignatureAlgorithm
- Subject
- SubjectKeyId
- URIs
- UnknownExtKeyUsage
The certificate is signed by parent. If parent is equal to template then the
certificate is self-signed. The parameter pub is the public key of the
certificate to be generated and priv is the private key of the signer.
The returned slice is the certificate in DER encoding.
The currently supported key types are *rsa.PublicKey, *ecdsa.PublicKey and
ed25519.PublicKey. pub must be a supported key type, and priv must be a
crypto.Signer with a supported public key.
The AuthorityKeyId will be taken from the SubjectKeyId of parent, if any,
unless the resulting certificate is self-signed. Otherwise the value from
template will be used.
If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId
will be generated from the hash of the public key.
Go input arguments: (rand io.Reader, template *Certificate, parent *Certificate, pub any, priv any)
Go returns: ([]byte, error)
Joker input arguments: [^go.std.io/Reader rand, ^*Certificate template, ^*Certificate parent, ^GoObject pub, ^GoObject priv]
Joker returns: [^arrayOfByte, ^Error] -
CreateCertificateRequest
Function v1.0(CreateCertificateRequest rand template priv)
CreateCertificateRequest creates a new certificate request based on a
template. The following members of template are used:
- SignatureAlgorithm
- Subject
- DNSNames
- EmailAddresses
- IPAddresses
- URIs
- ExtraExtensions
- Attributes (deprecated)
priv is the private key to sign the CSR with, and the corresponding public
key will be included in the CSR. It must implement crypto.Signer and its
Public() method must return a *rsa.PublicKey or a *ecdsa.PublicKey or a
ed25519.PublicKey. (A *rsa.PrivateKey, *ecdsa.PrivateKey or
ed25519.PrivateKey satisfies this.)
The returned slice is the certificate request in DER encoding.
Go input arguments: (rand io.Reader, template *CertificateRequest, priv any)
Go returns: (csr []byte, err error)
Joker input arguments: [^go.std.io/Reader rand, ^*CertificateRequest template, ^GoObject priv]
Joker returns: [^arrayOfByte csr, ^Error err] -
CreateRevocationList
Function v1.0(CreateRevocationList rand template issuer priv)
CreateRevocationList creates a new X.509 v2 Certificate Revocation List,
according to RFC 5280, based on template.
The CRL is signed by priv which should be the private key associated with
the public key in the issuer certificate.
The issuer may not be nil, and the crlSign bit must be set in KeyUsage in
order to use it as a CRL issuer.
The issuer distinguished name CRL field and authority key identifier
extension are populated using the issuer certificate. issuer must have
SubjectKeyId set.
Go input arguments: (rand io.Reader, template *RevocationList, issuer *Certificate, priv crypto.Signer)
Go returns: ([]byte, error)
Joker input arguments: [^go.std.io/Reader rand, ^*RevocationList template, ^*Certificate issuer, ^go.std.crypto/Signer priv]
Joker returns: [^arrayOfByte, ^Error] -
DecryptPEMBlock
Function v1.0(DecryptPEMBlock b password)
DecryptPEMBlock takes a PEM block encrypted according to RFC 1423 and the
password used to encrypt it and returns a slice of decrypted DER encoded
bytes. It inspects the DEK-Info header to determine the algorithm used for
decryption. If no DEK-Info header is present, an error is returned. If an
incorrect password is detected an IncorrectPasswordError is returned. Because
of deficiencies in the format, it's not always possible to detect an
incorrect password. In these cases no error will be returned but the
decrypted DER bytes will be random noise.
Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by
design. Since it does not authenticate the ciphertext, it is vulnerable to
padding oracle attacks that can let an attacker recover the plaintext.
Go input arguments: (b *encoding/pem.Block, password []byte)
Go returns: ([]byte, error)
Joker input arguments: [^go.std.encoding.pem/*Block b, ^arrayOfByte password]
Joker returns: [^arrayOfByte, ^Error] -
EncryptPEMBlock
Function v1.0(EncryptPEMBlock rand blockType data password alg)
EncryptPEMBlock returns a PEM block of the specified type holding the
given DER encoded data encrypted with the specified algorithm and
password according to RFC 1423.
Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by
design. Since it does not authenticate the ciphertext, it is vulnerable to
padding oracle attacks that can let an attacker recover the plaintext.
Go input arguments: (rand io.Reader, blockType string, data []byte, password []byte, alg PEMCipher)
Go returns: (*encoding/pem.Block, error)
Joker input arguments: [^go.std.io/Reader rand, ^String blockType, ^arrayOfByte data, ^arrayOfByte password, ^PEMCipher alg]
Joker returns: [^go.std.encoding.pem/*Block, ^Error] -
IsEncryptedPEMBlock
Function v1.0(IsEncryptedPEMBlock b)
IsEncryptedPEMBlock returns whether the PEM block is password encrypted
according to RFC 1423.
Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by
design. Since it does not authenticate the ciphertext, it is vulnerable to
padding oracle attacks that can let an attacker recover the plaintext.
Go input arguments: (b *encoding/pem.Block)
Go returns: bool
Joker input arguments: [^go.std.encoding.pem/*Block b]
Joker returns: ^Boolean -
MarshalECPrivateKey
Function v1.0(MarshalECPrivateKey key)
MarshalECPrivateKey converts an EC private key to SEC 1, ASN.1 DER form.
This kind of key is commonly encoded in PEM blocks of type "EC PRIVATE KEY".
For a more flexible key format which is not EC specific, use
MarshalPKCS8PrivateKey.
Go input arguments: (key *crypto/ecdsa.PrivateKey)
Go returns: ([]byte, error)
Joker input arguments: [^go.std.crypto.ecdsa/*PrivateKey key]
Joker returns: [^arrayOfByte, ^Error] -
MarshalPKCS1PrivateKey
Function v1.0(MarshalPKCS1PrivateKey key)
MarshalPKCS1PrivateKey converts an RSA private key to PKCS #1, ASN.1 DER form.
This kind of key is commonly encoded in PEM blocks of type "RSA PRIVATE KEY".
For a more flexible key format which is not RSA specific, use
MarshalPKCS8PrivateKey.
Go input arguments: (key *crypto/rsa.PrivateKey)
Go returns: []byte
Joker input arguments: [^go.std.crypto.rsa/*PrivateKey key]
Joker returns: ^arrayOfByte -
MarshalPKCS1PublicKey
Function v1.0(MarshalPKCS1PublicKey key)
MarshalPKCS1PublicKey converts an RSA public key to PKCS #1, ASN.1 DER form.
This kind of key is commonly encoded in PEM blocks of type "RSA PUBLIC KEY".
Go input arguments: (key *crypto/rsa.PublicKey)
Go returns: []byte
Joker input arguments: [^go.std.crypto.rsa/*PublicKey key]
Joker returns: ^arrayOfByte -
MarshalPKCS8PrivateKey
Function v1.0(MarshalPKCS8PrivateKey key)
MarshalPKCS8PrivateKey converts a private key to PKCS #8, ASN.1 DER form.
The following key types are currently supported: *rsa.PrivateKey, *ecdsa.PrivateKey
and ed25519.PrivateKey. Unsupported key types result in an error.
This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".
Go input arguments: (key any)
Go returns: ([]byte, error)
Joker input arguments: [^GoObject key]
Joker returns: [^arrayOfByte, ^Error] -
MarshalPKIXPublicKey
Function v1.0(MarshalPKIXPublicKey pub)
MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
The encoded public key is a SubjectPublicKeyInfo structure
(see RFC 5280, Section 4.1).
The following key types are currently supported: *rsa.PublicKey, *ecdsa.PublicKey
and ed25519.PublicKey. Unsupported key types result in an error.
This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
Go input arguments: (pub any)
Go returns: ([]byte, error)
Joker input arguments: [^GoObject pub]
Joker returns: [^arrayOfByte, ^Error] -
NewCertPool
Function v1.0(NewCertPool)
NewCertPool returns a new, empty CertPool.
Go returns: *CertPool
Joker input arguments: []
Joker returns: ^*CertPool -
ParseCRL
Function v1.0(ParseCRL crlBytes)
ParseCRL parses a CRL from the given bytes. It's often the case that PEM
encoded CRLs will appear where they should be DER encoded, so this function
will transparently handle PEM encoding as long as there isn't any leading
garbage.
Deprecated: Use ParseRevocationList instead.
Go input arguments: (crlBytes []byte)
Go returns: (*crypto/x509/pkix.CertificateList, error)
Joker input arguments: [^arrayOfByte crlBytes]
Joker returns: [^go.std.crypto.x509.pkix/*CertificateList, ^Error] -
ParseCertificate
Function v1.0(ParseCertificate der)
ParseCertificate parses a single certificate from the given ASN.1 DER data.
Go input arguments: (der []byte)
Go returns: (*Certificate, error)
Joker input arguments: [^arrayOfByte der]
Joker returns: [^*Certificate, ^Error] -
ParseCertificateRequest
Function v1.0(ParseCertificateRequest asn1Data)
ParseCertificateRequest parses a single certificate request from the
given ASN.1 DER data.
Go input arguments: (asn1Data []byte)
Go returns: (*CertificateRequest, error)
Joker input arguments: [^arrayOfByte asn1Data]
Joker returns: [^*CertificateRequest, ^Error] -
ParseCertificates
Function v1.0(ParseCertificates der)
ParseCertificates parses one or more certificates from the given ASN.1 DER
data. The certificates must be concatenated with no intermediate padding.
Go input arguments: (der []byte)
Go returns: ([]*Certificate, error)
Joker input arguments: [^arrayOfByte der]
Joker returns: [^arrayOf*Certificate, ^Error] -
ParseDERCRL
Function v1.0(ParseDERCRL derBytes)
ParseDERCRL parses a DER encoded CRL from the given bytes.
Deprecated: Use ParseRevocationList instead.
Go input arguments: (derBytes []byte)
Go returns: (*crypto/x509/pkix.CertificateList, error)
Joker input arguments: [^arrayOfByte derBytes]
Joker returns: [^go.std.crypto.x509.pkix/*CertificateList, ^Error] -
ParseECPrivateKey
Function v1.0(ParseECPrivateKey der)
ParseECPrivateKey parses an EC private key in SEC 1, ASN.1 DER form.
This kind of key is commonly encoded in PEM blocks of type "EC PRIVATE KEY".
Go input arguments: (der []byte)
Go returns: (*crypto/ecdsa.PrivateKey, error)
Joker input arguments: [^arrayOfByte der]
Joker returns: [^go.std.crypto.ecdsa/*PrivateKey, ^Error] -
ParsePKCS1PrivateKey
Function v1.0(ParsePKCS1PrivateKey der)
ParsePKCS1PrivateKey parses an RSA private key in PKCS #1, ASN.1 DER form.
This kind of key is commonly encoded in PEM blocks of type "RSA PRIVATE KEY".
Go input arguments: (der []byte)
Go returns: (*crypto/rsa.PrivateKey, error)
Joker input arguments: [^arrayOfByte der]
Joker returns: [^go.std.crypto.rsa/*PrivateKey, ^Error] -
ParsePKCS1PublicKey
Function v1.0(ParsePKCS1PublicKey der)
ParsePKCS1PublicKey parses an RSA public key in PKCS #1, ASN.1 DER form.
This kind of key is commonly encoded in PEM blocks of type "RSA PUBLIC KEY".
Go input arguments: (der []byte)
Go returns: (*crypto/rsa.PublicKey, error)
Joker input arguments: [^arrayOfByte der]
Joker returns: [^go.std.crypto.rsa/*PublicKey, ^Error] -
ParsePKCS8PrivateKey
Function v1.0(ParsePKCS8PrivateKey der)
ParsePKCS8PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form.
It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey.
More types might be supported in the future.
This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".
Go input arguments: (der []byte)
Go returns: (key any, err error)
Joker input arguments: [^arrayOfByte der]
Joker returns: [^GoObject key, ^Error err] -
ParsePKIXPublicKey
Function v1.0(ParsePKIXPublicKey derBytes)
ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
The encoded public key is a SubjectPublicKeyInfo structure
(see RFC 5280, Section 4.1).
It returns a *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, or
ed25519.PublicKey. More types might be supported in the future.
This kind of key is commonly encoded in PEM blocks of type "PUBLIC KEY".
Go input arguments: (derBytes []byte)
Go returns: (pub any, err error)
Joker input arguments: [^arrayOfByte derBytes]
Joker returns: [^GoObject pub, ^Error err] -
ParseRevocationList
Function v1.0(ParseRevocationList der)
ParseRevocationList parses a X509 v2 Certificate Revocation List from the given
ASN.1 DER data.
Go input arguments: (der []byte)
Go returns: (*RevocationList, error)
Joker input arguments: [^arrayOfByte der]
Joker returns: [^*RevocationList, ^Error] -
SystemCertPool
Function v1.0(SystemCertPool)
SystemCertPool returns a copy of the system cert pool.
On Unix systems other than macOS the environment variables SSL_CERT_FILE and
SSL_CERT_DIR can be used to override the system default locations for the SSL
certificate file and SSL certificate files directory, respectively. The
latter can be a colon-separated list.
Any mutations to the returned pool are not written to disk and do not affect
any other pool returned by SystemCertPool.
New changes in the system cert pool might not be reflected in subsequent calls.
Go returns: (*CertPool, error)
Joker input arguments: []
Joker returns: [^*CertPool, ^Error]
Types
-
*CertPool
Concrete Type v1.0CertPool is a set of certificates.
-
AddCert
Receiver for *CertPool v1.0([cert])
AddCert adds a certificate to a pool.
-
AppendCertsFromPEM
Receiver for *CertPool v1.0([pemCerts])
AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.
It appends any certificates found to s and reports whether any certificates
were successfully parsed.
On many Linux systems, /etc/ssl/cert.pem will contain the system wide set
of root CAs in a format suitable for this function.
-
Clone
Receiver for *CertPool v1.0([])
Clone returns a copy of s.
-
Equal
Receiver for *CertPool v1.0([other])
Equal reports whether s and other are equal.
-
Subjects
Receiver for *CertPool v1.0([])
Subjects returns a list of the DER-encoded subjects of
all of the certificates in the pool.
Deprecated: if s was returned by SystemCertPool, Subjects
will not include the system roots.
-
*Certificate
Concrete Type v1.0A Certificate represents an X.509 certificate.
-
CheckCRLSignature
Receiver for *Certificate v1.0([crl])
CheckCRLSignature checks that the signature in crl is from c.
Deprecated: Use RevocationList.CheckSignatureFrom instead.
-
CheckSignature
Receiver for *Certificate v1.0([algo signed signature])
CheckSignature verifies that signature is a valid signature over signed from
c's public key.
-
CheckSignatureFrom
Receiver for *Certificate v1.0([parent])
CheckSignatureFrom verifies that the signature on c is a valid signature
from parent. SHA1WithRSA and ECDSAWithSHA1 signatures are not supported.
-
CreateCRL
Receiver for *Certificate v1.0([rand priv revokedCerts now expiry])
CreateCRL returns a DER encoded CRL, signed by this Certificate, that
contains the given list of revoked certificates.
Deprecated: this method does not generate an RFC 5280 conformant X.509 v2 CRL.
To generate a standards compliant CRL, use CreateRevocationList instead.
-
Equal
Receiver for *Certificate v1.0([other])
-
Verify
Receiver for *Certificate v1.0([opts])
Verify attempts to verify c by building one or more chains from c to a
certificate in opts.Roots, using certificates in opts.Intermediates if
needed. If successful, it returns one or more chains where the first
element of the chain is c and the last element is from opts.Roots.
If opts.Roots is nil, the platform verifier might be used, and
verification details might differ from what is described below. If system
roots are unavailable the returned error will be of type SystemRootsError.
Name constraints in the intermediates will be applied to all names claimed
in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim
example.com if an intermediate doesn't permit it, even if example.com is not
the name being validated. Note that DirectoryName constraints are not
supported.
Name constraint validation follows the rules from RFC 5280, with the
addition that DNS name constraints may use the leading period format
defined for emails and URIs. When a constraint has a leading period
it indicates that at least one additional label must be prepended to
the constrained name to be considered valid.
Extended Key Usage values are enforced nested down a chain, so an intermediate
or root that enumerates EKUs prevents a leaf from asserting an EKU not in that
list. (While this is not specified, it is common practice in order to limit
the types of certificates a CA can issue.)
Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported,
and will not be used to build chains.
WARNING: this function doesn't do any revocation checking.
-
VerifyHostname
Receiver for *Certificate v1.0([h])
VerifyHostname returns nil if c is a valid certificate for the named host.
Otherwise it returns an error describing the mismatch.
IP addresses can be optionally enclosed in square brackets and are checked
against the IPAddresses field. Other names are checked case insensitively
against the DNSNames field. If the names are valid hostnames, the certificate
fields can have a wildcard as the left-most label.
Note that the legacy Common Name field is ignored.
-
*CertificateInvalidError
Concrete Type v1.0CertificateInvalidError results when an odd error occurs. Users of this
library probably want to handle all these errors uniformly.
-
*CertificateRequest
Concrete Type v1.0CertificateRequest represents a PKCS #10, certificate signature request.
-
CheckSignature
Receiver for *CertificateRequest v1.0([])
CheckSignature reports whether the signature on c is valid.
-
*ConstraintViolationError
Concrete Type v1.0ConstraintViolationError results when a requested usage is not permitted by
a certificate. For example: checking a signature when the public key isn't a
certificate signing key.
-
*ExtKeyUsage
Concrete Type v1.0ExtKeyUsage represents an extended set of actions that are valid for a given key.
Each of the ExtKeyUsage* constants define a unique action.
-
*HostnameError
Concrete Type v1.0HostnameError results when the set of authorized names doesn't match the
requested name.
-
*InsecureAlgorithmError
Concrete Type v1.0An InsecureAlgorithmError indicates that the SignatureAlgorithm used to
generate the signature is not secure, and the signature has been rejected.
To temporarily restore support for SHA-1 signatures, include the value
"x509sha1=1" in the GODEBUG environment variable. Note that this option will
be removed in a future release.
-
*InvalidReason
Concrete Type v1.0 -
*KeyUsage
Concrete Type v1.0KeyUsage represents the set of actions that are valid for a given key. It's
a bitmap of the KeyUsage* constants.
-
*PEMCipher
Concrete Type v1.0 -
*PublicKeyAlgorithm
Concrete Type v1.0 -
*RevocationList
Concrete Type v1.0RevocationList contains the fields used to create an X.509 v2 Certificate
Revocation list with CreateRevocationList.
-
CheckSignatureFrom
Receiver for *RevocationList v1.0([parent])
CheckSignatureFrom verifies that the signature on rl is a valid signature
from issuer.
-
*SignatureAlgorithm
Concrete Type v1.0 -
*SystemRootsError
Concrete Type v1.0SystemRootsError results when we fail to load the system root certificates.
-
*UnhandledCriticalExtension
Concrete Type v1.0 -
*UnknownAuthorityError
Concrete Type v1.0UnknownAuthorityError results when the certificate issuer is unknown
-
*VerifyOptions
Concrete Type v1.0VerifyOptions contains parameters for Certificate.Verify.
-
CertPool
Concrete Type v1.0CertPool is a set of certificates.
-
Certificate
Concrete Type v1.0A Certificate represents an X.509 certificate.
-
CertificateInvalidError
Concrete Type v1.0CertificateInvalidError results when an odd error occurs. Users of this
library probably want to handle all these errors uniformly.
-
Error
Receiver for CertificateInvalidError v1.0([])
-
CertificateRequest
Concrete Type v1.0CertificateRequest represents a PKCS #10, certificate signature request.
-
ConstraintViolationError
Concrete Type v1.0ConstraintViolationError results when a requested usage is not permitted by
a certificate. For example: checking a signature when the public key isn't a
certificate signing key.
-
Error
Receiver for ConstraintViolationError v1.0([])
-
ExtKeyUsage
Concrete Type v1.0ExtKeyUsage represents an extended set of actions that are valid for a given key.
Each of the ExtKeyUsage* constants define a unique action.
-
HostnameError
Concrete Type v1.0HostnameError results when the set of authorized names doesn't match the
requested name.
-
Error
Receiver for HostnameError v1.0([])
-
InsecureAlgorithmError
Concrete Type v1.0An InsecureAlgorithmError indicates that the SignatureAlgorithm used to
generate the signature is not secure, and the signature has been rejected.
To temporarily restore support for SHA-1 signatures, include the value
"x509sha1=1" in the GODEBUG environment variable. Note that this option will
be removed in a future release.
-
Error
Receiver for InsecureAlgorithmError v1.0([])
-
InvalidReason
Concrete Type v1.0 -
KeyUsage
Concrete Type v1.0KeyUsage represents the set of actions that are valid for a given key. It's
a bitmap of the KeyUsage* constants.
-
PEMCipher
Concrete Type v1.0 -
PublicKeyAlgorithm
Concrete Type v1.0 -
String
Receiver for PublicKeyAlgorithm v1.0([])
-
RevocationList
Concrete Type v1.0RevocationList contains the fields used to create an X.509 v2 Certificate
Revocation list with CreateRevocationList.
-
SignatureAlgorithm
Concrete Type v1.0 -
String
Receiver for SignatureAlgorithm v1.0([])
-
SystemRootsError
Concrete Type v1.0SystemRootsError results when we fail to load the system root certificates.
-
Error
Receiver for SystemRootsError v1.0([])
-
Unwrap
Receiver for SystemRootsError v1.0([])
-
UnhandledCriticalExtension
Concrete Type v1.0 -
Error
Receiver for UnhandledCriticalExtension v1.0([])
-
UnknownAuthorityError
Concrete Type v1.0UnknownAuthorityError results when the certificate issuer is unknown
-
Error
Receiver for UnknownAuthorityError v1.0([])
-
VerifyOptions
Concrete Type v1.0VerifyOptions contains parameters for Certificate.Verify.
-
arrayOfCertPool
Concrete Type v1.0CertPool is a set of certificates.
-
arrayOfCertificate
Concrete Type v1.0A Certificate represents an X.509 certificate.
-
arrayOfCertificateInvalidError
Concrete Type v1.0CertificateInvalidError results when an odd error occurs. Users of this
library probably want to handle all these errors uniformly.
-
arrayOfCertificateRequest
Concrete Type v1.0CertificateRequest represents a PKCS #10, certificate signature request.
-
arrayOfConstraintViolationError
Concrete Type v1.0ConstraintViolationError results when a requested usage is not permitted by
a certificate. For example: checking a signature when the public key isn't a
certificate signing key.
-
arrayOfExtKeyUsage
Concrete Type v1.0ExtKeyUsage represents an extended set of actions that are valid for a given key.
Each of the ExtKeyUsage* constants define a unique action.
-
arrayOfHostnameError
Concrete Type v1.0HostnameError results when the set of authorized names doesn't match the
requested name.
-
arrayOfInsecureAlgorithmError
Concrete Type v1.0An InsecureAlgorithmError indicates that the SignatureAlgorithm used to
generate the signature is not secure, and the signature has been rejected.
To temporarily restore support for SHA-1 signatures, include the value
"x509sha1=1" in the GODEBUG environment variable. Note that this option will
be removed in a future release.
-
arrayOfInvalidReason
Concrete Type v1.0 -
arrayOfKeyUsage
Concrete Type v1.0KeyUsage represents the set of actions that are valid for a given key. It's
a bitmap of the KeyUsage* constants.
-
arrayOfPEMCipher
Concrete Type v1.0 -
arrayOfPublicKeyAlgorithm
Concrete Type v1.0 -
arrayOfRevocationList
Concrete Type v1.0RevocationList contains the fields used to create an X.509 v2 Certificate
Revocation list with CreateRevocationList.
-
arrayOfSignatureAlgorithm
Concrete Type v1.0 -
arrayOfSystemRootsError
Concrete Type v1.0SystemRootsError results when we fail to load the system root certificates.
-
arrayOfUnhandledCriticalExtension
Concrete Type v1.0 -
arrayOfUnknownAuthorityError
Concrete Type v1.0UnknownAuthorityError results when the certificate issuer is unknown
-
arrayOfVerifyOptions
Concrete Type v1.0VerifyOptions contains parameters for Certificate.Verify.