Package x509

import "crypto/x509"
Overview
Index
Examples
Subdirectories

Overview ▾

包x509解析X.509编码的密钥和证书.

在UNIX系统上,可以使用环境变量SSL_CERT_FILE和SSL_CERT_DIR分别覆盖SSL证书文件和SSL证书文件目录的系统默认位置.

Index ▾

Variables
func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error)
func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error)
func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)
func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)
func IsEncryptedPEMBlock(b *pem.Block) bool
func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)
func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte
func MarshalPKCS1PublicKey(key *rsa.PublicKey) []byte
func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error)
func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)
func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error)
func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error)
func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error)
func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error)
func ParsePKCS1PublicKey(der []byte) (*rsa.PublicKey, error)
func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)
func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)
type CertPool
    func NewCertPool() *CertPool
    func SystemCertPool() (*CertPool, error)
    func (s *CertPool) AddCert(cert *Certificate)
    func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)
    func (s *CertPool) Subjects() [][]byte
type Certificate
    func ParseCertificate(asn1Data []byte) (*Certificate, error)
    func ParseCertificates(asn1Data []byte) ([]*Certificate, error)
    func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error
    func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error
    func (c *Certificate) CheckSignatureFrom(parent *Certificate) error
    func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)
    func (c *Certificate) Equal(other *Certificate) bool
    func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error)
    func (c *Certificate) VerifyHostname(h string) error
type CertificateInvalidError
    func (e CertificateInvalidError) Error() string
type CertificateRequest
    func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)
    func (c *CertificateRequest) CheckSignature() error
type ConstraintViolationError
    func (ConstraintViolationError) Error() string
type ExtKeyUsage
type HostnameError
    func (h HostnameError) Error() string
type InsecureAlgorithmError
    func (e InsecureAlgorithmError) Error() string
type InvalidReason
type KeyUsage
type PEMCipher
type PublicKeyAlgorithm
    func (algo PublicKeyAlgorithm) String() string
type SignatureAlgorithm
    func (algo SignatureAlgorithm) String() string
type SystemRootsError
    func (se SystemRootsError) Error() string
type UnhandledCriticalExtension
    func (h UnhandledCriticalExtension) Error() string
type UnknownAuthorityError
    func (e UnknownAuthorityError) Error() string
type VerifyOptions

Examples

Certificate.Verify
ParsePKIXPublicKey

Package files

cert_pool.go pem_decrypt.go pkcs1.go pkcs8.go root.go root_linux.go root_unix.go sec1.go verify.go x509.go

Variables

ErrUnsupportedAlgorithm是尝试执行涉及当前未实现算法的操作的结果.

var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")

当检测到错误的密码时,返回IncorrectPasswordError.

var IncorrectPasswordError = errors.New("x509: decryption password incorrect")

func CreateCertificate

func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error)

CreateCertificate基于模板创建一个新的X.509v3证书. 使用以下模板成员:

- AuthorityKeyId
- BasicConstraintsValid
- CRLDistributionPoints
- DNSNames
- EmailAddresses
- ExcludedDNSDomains
- ExcludedEmailAddresses
- ExcludedIPRanges
- ExcludedURIDomains
- ExtKeyUsage
- ExtraExtensions
- IsCA
- IssuingCertificateURL
- KeyUsage
- MaxPathLen
- MaxPathLenZero
- NotAfter
- NotBefore
- OCSPServer
- PermittedDNSDomains
- PermittedDNSDomainsCritical
- PermittedEmailAddresses
- PermittedIPRanges
- PermittedURIDomains
- PolicyIdentifiers
- SerialNumber
- SignatureAlgorithm
- Subject
- SubjectKeyId
- URIs
- UnknownExtKeyUsage

该证书由父母签署. 如果父代等于模板,则证书是自签名的. 参数pub是签署人的公钥,而priv是签署人的私钥.

返回的切片是DER编码的证书.

当前支持的密钥类型为* rsa.PublicKey,* ecdsa.PublicKey和ed25519.PublicKey. pub必须是受支持的密钥类型,而priv必须是crypto.Signal具有受支持的公共密钥.

除非生成的证书是自签名的,否则将从父级的SubjectKeyId中获取AuthorityKeyId. 否则,将使用模板中的值.

func CreateCertificateRequest 1.3

func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error)

CreateCertificateRequest基于模板创建一个新的证书请求. 使用以下模板成员:

- SignatureAlgorithm
- Subject
- DNSNames
- EmailAddresses
- IPAddresses
- URIs
- ExtraExtensions
- Attributes (deprecated)

priv是用于签署CSR的私钥,并且相应的公钥将包含在CSR中. 它必须实现crypto.Signer,并且其Public()方法必须返回* rsa.PublicKey或* ecdsa.PublicKey或ed25519.PublicKey. (一个* rsa.PrivateKey,* ecdsa.PrivateKey或ed25519.PrivateKey满足此要求.)

返回的切片是DER编码的证书请求.

func DecryptPEMBlock 1.1

func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)

DecryptPEMBlock接收密码加密的PEM块和用于对其加密的密码,并返回解密的DER编码字节的切片. 它检查DEK-Info标头,以确定用于解密的算法. 如果不存在DEK-Info标头,则返回错误. 如果检测到错误的密码,则返回IncorrectPasswordError. 由于加密的PEM格式存在缺陷,因此并非总是能够检测到错误的密码. 在这些情况下,不会返回任何错误,但解密的DER字节将是随机噪声.

func EncryptPEMBlock 1.1

func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)

EncryptPEMBlock返回指定类型的PEM块,其中包含使用指定算法和密码加密的给定DER编码数据.

func IsEncryptedPEMBlock 1.1

func IsEncryptedPEMBlock(b *pem.Block) bool

如果PEM块已用密码加密,则IsEncryptedPEMBlock返回.

func MarshalECPrivateKey 1.2

func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)

MarshalECPrivateKey将EC私钥转换为SEC 1,ASN.1 DER形式.

这种密钥通常在类型为" EC PRIVATE KEY"的PEM块中编码. 对于不是EC特定的更灵活的密钥格式,请使用MarshalPKCS8PrivateKey.

func MarshalPKCS1PrivateKey

func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte

MarshalPKCS1PrivateKey将RSA私钥转换为PKCS#1,ASN.1 DER形式.

通常将这种密钥编码在" RSA PRIVATE KEY"类型的PEM块中. 对于不是RSA特定的更灵活的密钥格式,请使用MarshalPKCS8PrivateKey.

func MarshalPKCS1PublicKey 1.10

func MarshalPKCS1PublicKey(key *rsa.PublicKey) []byte

MarshalPKCS1PublicKey将RSA公钥转换为PKCS#1,ASN.1 DER形式.

这种密钥通常在" RSA PUBLIC KEY"类型的PEM块中编码.

func MarshalPKCS8PrivateKey 1.10

func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error)

MarshalPKCS8PrivateKey将RSA私钥转换为PKCS#8,ASN.1 DER形式.

当前支持以下密钥类型:* rsa.PrivateKey,* ecdsa.PrivateKey和ed25519.PrivateKey. 不支持的密钥类型会导致错误.

通常将这种密钥编码为" PRIVATE KEY"类型的PEM块.

func MarshalPKIXPublicKey

func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)

MarshalPKIXPublicKey将公用密钥转换为AIX.1 DER形式的PKIX.

当前支持以下密钥类型:* rsa.PublicKey,* ecdsa.PublicKey和ed25519.PublicKey. 不支持的密钥类型会导致错误.

这种密钥通常在" PUBLIC KEY"类型的PEM块中编码.

func ParseCRL

func ParseCRL(crlBytes []byte) (*pkix.CertificateList, error)

ParseCRL从给定的字节解析CRL. 通常,PEM编码的CRL会出现在应该对其进行DER编码的位置,因此只要没有任何前导垃圾,此功能将透明地处理PEM编码.

func ParseDERCRL

func ParseDERCRL(derBytes []byte) (*pkix.CertificateList, error)

ParseDERCRL从给定的字节解析DER编码的CRL.

func ParseECPrivateKey 1.1

func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error)

ParseECPrivateKey解析SEC 1,ASN.1 DER格式的EC公钥.

这种密钥通常在" EC PUBLIC KEY"类型的PEM块中编码.

func ParsePKCS1PrivateKey

func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error)

ParsePKCS1PrivateKey解析PKCS#1,ASN.1 DER形式的RSA私钥.

通常将这种密钥编码在" RSA PRIVATE KEY"类型的PEM块中.

func ParsePKCS1PublicKey 1.10

func ParsePKCS1PublicKey(der []byte) (*rsa.PublicKey, error)

ParsePKCS1PublicKey解析PKCS#1,ASN.1 DER形式的RSA公钥.

这种密钥通常在" RSA PUBLIC KEY"类型的PEM块中编码.

func ParsePKCS8PrivateKey

func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)

ParsePKCS8PrivateKey解析PKCS#8,ASN.1 DER格式的未加密私钥.

它返回* rsa.PrivateKey,* ecdsa.PrivateKey或ed25519.PrivateKey. 将来可能会支持更多类型.

通常将这种密钥编码为" PRIVATE KEY"类型的PEM块.

func ParsePKIXPublicKey

func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)

ParsePKIXPublicKey解析PKIX,ASN.1 DER形式的公钥.

它返回* rsa.PublicKey,* dsa.PublicKey,* ecdsa.PublicKey或ed25519.PublicKey. 将来可能会支持更多类型.

这种密钥通常在" PUBLIC KEY"类型的PEM块中编码.

Example

type CertPool

CertPool是一组证书.

type CertPool struct {
    // contains filtered or unexported fields
}

func NewCertPool

func NewCertPool() *CertPool

NewCertPool返回一个新的空CertPool.

func SystemCertPool 1.7

func SystemCertPool() (*CertPool, error)

SystemCertPool返回系统证书池的副本.

返回池的任何突变都不会写入磁盘,并且不会影响SystemCertPool返回的任何其他池.

系统证书池中的新更改可能不会反映在后续调用中.

func (*CertPool) AddCert

func (s *CertPool) AddCert(cert *Certificate)

AddCert将证书添加到池中.

func (*CertPool) AppendCertsFromPEM

func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)

AppendCertsFromPEM尝试解析一系列PEM编码的证书. 它将找到的所有证书附加到,并报告是否成功解析了任何证书.

在许多Linux系统上,/ etc / ssl / cert.pem将包含适用于此功能的格式的系统范围的根CA集合.

func (*CertPool) Subjects

func (s *CertPool) Subjects() [][]byte

主题返回池中所有证书的DER编码主题列表.

type Certificate

证书代表X.509证书.

type Certificate struct {
    Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
    RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
    RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
    RawSubject              []byte // DER encoded Subject
    RawIssuer               []byte // DER encoded Issuer

    Signature          []byte
    SignatureAlgorithm SignatureAlgorithm

    PublicKeyAlgorithm PublicKeyAlgorithm
    PublicKey          interface{}

    Version             int
    SerialNumber        *big.Int
    Issuer              pkix.Name
    Subject             pkix.Name
    NotBefore, NotAfter time.Time // Validity bounds.
    KeyUsage            KeyUsage

    // Extensions contains raw X.509 extensions. When parsing certificates,
    // this can be used to extract non-critical extensions that are not
    // parsed by this package. When marshaling certificates, the Extensions
    // field is ignored, see ExtraExtensions.
    Extensions []pkix.Extension // Go 1.2

    // ExtraExtensions contains extensions to be copied, raw, into any
    // marshaled certificates. Values override any extensions that would
    // otherwise be produced based on the other fields. The ExtraExtensions
    // field is not populated when parsing certificates, see Extensions.
    ExtraExtensions []pkix.Extension // Go 1.2

    // UnhandledCriticalExtensions contains a list of extension IDs that
    // were not (fully) processed when parsing. Verify will fail if this
    // slice is non-empty, unless verification is delegated to an OS
    // library which understands all the critical extensions.
    //
    // Users can access these extensions using Extensions and can remove
    // elements from this slice if they believe that they have been
    // handled.
    UnhandledCriticalExtensions []asn1.ObjectIdentifier // Go 1.5

    ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
    UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.

    // BasicConstraintsValid indicates whether IsCA, MaxPathLen,
    // and MaxPathLenZero are valid.
    BasicConstraintsValid bool
    IsCA                  bool

    // MaxPathLen and MaxPathLenZero indicate the presence and
    // value of the BasicConstraints' "pathLenConstraint".
    //
    // When parsing a certificate, a positive non-zero MaxPathLen
    // means that the field was specified, -1 means it was unset,
    // and MaxPathLenZero being true mean that the field was
    // explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
    // should be treated equivalent to -1 (unset).
    //
    // When generating a certificate, an unset pathLenConstraint
    // can be requested with either MaxPathLen == -1 or using the
    // zero value for both MaxPathLen and MaxPathLenZero.
    MaxPathLen int
    // MaxPathLenZero indicates that BasicConstraintsValid==true
    // and MaxPathLen==0 should be interpreted as an actual
    // maximum path length of zero. Otherwise, that combination is
    // interpreted as MaxPathLen not being set.
    MaxPathLenZero bool // Go 1.4

    SubjectKeyId   []byte
    AuthorityKeyId []byte

    // RFC 5280, 4.2.2.1 (Authority Information Access)
    OCSPServer            []string // Go 1.2
    IssuingCertificateURL []string // Go 1.2

    // Subject Alternate Name values. (Note that these values may not be valid
    // if invalid values were contained within a parsed certificate. For
    // example, an element of DNSNames may not be a valid DNS domain name.)
    DNSNames       []string
    EmailAddresses []string
    IPAddresses    []net.IP // Go 1.1
    URIs           []*url.URL // Go 1.10

    // Name constraints
    PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
    PermittedDNSDomains         []string
    ExcludedDNSDomains          []string // Go 1.9
    PermittedIPRanges           []*net.IPNet // Go 1.10
    ExcludedIPRanges            []*net.IPNet // Go 1.10
    PermittedEmailAddresses     []string // Go 1.10
    ExcludedEmailAddresses      []string // Go 1.10
    PermittedURIDomains         []string // Go 1.10
    ExcludedURIDomains          []string // Go 1.10

    // CRL Distribution Points
    CRLDistributionPoints []string // Go 1.2

    PolicyIdentifiers []asn1.ObjectIdentifier
}

func ParseCertificate

func ParseCertificate(asn1Data []byte) (*Certificate, error)

ParseCertificate parses a single certificate from the given ASN.1 DER data.

func ParseCertificates

func ParseCertificates(asn1Data []byte) ([]*Certificate, error)

ParseCertificates从给定的ASN.1 DER数据中解析一个或多个证书. 证书必须串联在一起,且没有中间填充.

func (*Certificate) CheckCRLSignature

func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) error

CheckCRLSignature检查crl中的签名是否来自c.

func (*Certificate) CheckSignature

func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error

CheckSignature会验证签名是有效的签名,该签名是从c的公钥签名的.

func (*Certificate) CheckSignatureFrom

func (c *Certificate) CheckSignatureFrom(parent *Certificate) error

CheckSignatureFrom验证c上的签名是否是来自父级的有效签名.

func (*Certificate) CreateCRL

func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)

CreateCRL返回由此证书签名的DER编码的CRL,其中包含给定的吊销证书列表.

func (*Certificate) Equal

func (c *Certificate) Equal(other *Certificate) bool

func (*Certificate) Verify

func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error)

通过在opts.Roots中建立从c到证书的一个或多个链来验证尝试验证c的尝试,并根据需要使用opts.Intermediates中的证书. 如果成功,它将返回一个或多个链,其中链的第一个元素为c,最后一个元素来自opts.Roots.

如果opts.Roots为nil且系统根目录不可用,则返回的错误将为SystemRootsError类型.

中间件中的名称约束将应用于链中声明的所有名称,而不仅仅是opts.DNSName. 因此,如果中间节点不允许example.com,则叶子即使声明example.com的名称无效,也无法主张它. 请注意,不支持DirectoryName约束.

扩展密钥用法值是在链上强制执行的,因此枚举EKU的中间节点或根节点可防止叶子声明不在该列表中的EKU.

警告:此函数不执行任何吊销检查.

Example

func (*Certificate) VerifyHostname

func (c *Certificate) VerifyHostname(h string) error

如果c是指定主机的有效证书,VerifyHostname返回nil. 否则,它将返回描述不匹配的错误.

type CertificateInvalidError

当发生奇数错误时,将生成CertificateInvalidError. 该库的用户可能希望统一处理所有这些错误.

type CertificateInvalidError struct {
    Cert   *Certificate
    Reason InvalidReason
    Detail string // Go 1.10
}

func (CertificateInvalidError) Error

func (e CertificateInvalidError) Error() string

type CertificateRequest 1.3

CertificateRequest表示PKCS#10证书签名请求.

type CertificateRequest struct {
    Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
    RawTBSCertificateRequest []byte // Certificate request info part of raw ASN.1 DER content.
    RawSubjectPublicKeyInfo  []byte // DER encoded SubjectPublicKeyInfo.
    RawSubject               []byte // DER encoded Subject.

    Version            int
    Signature          []byte
    SignatureAlgorithm SignatureAlgorithm

    PublicKeyAlgorithm PublicKeyAlgorithm
    PublicKey          interface{}

    Subject pkix.Name

    // Attributes contains the CSR attributes that can parse as
    // pkix.AttributeTypeAndValueSET.
    //
    // Deprecated: Use Extensions and ExtraExtensions instead for parsing and
    // generating the requestedExtensions attribute.
    Attributes []pkix.AttributeTypeAndValueSET

    // Extensions contains all requested extensions, in raw form. When parsing
    // CSRs, this can be used to extract extensions that are not parsed by this
    // package.
    Extensions []pkix.Extension

    // ExtraExtensions contains extensions to be copied, raw, into any CSR
    // marshaled by CreateCertificateRequest. Values override any extensions
    // that would otherwise be produced based on the other fields but are
    // overridden by any extensions specified in Attributes.
    //
    // The ExtraExtensions field is not populated by ParseCertificateRequest,
    // see Extensions instead.
    ExtraExtensions []pkix.Extension

    // Subject Alternate Name values.
    DNSNames       []string
    EmailAddresses []string
    IPAddresses    []net.IP
    URIs           []*url.URL // Go 1.10
}

func ParseCertificateRequest 1.3

func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)

ParseCertificateRequest从给定的ASN.1 DER数据中解析单个证书请求.

func (*CertificateRequest) CheckSignature 1.5

func (c *CertificateRequest) CheckSignature() error

CheckSignature报告c上的签名是否有效.

type ConstraintViolationError

如果证书不允许所请求的用法,则会导致ConstraintViolationError. 例如:当公钥不是证书签名密钥时检查签名.

type ConstraintViolationError struct{}

func (ConstraintViolationError) Error

func (ConstraintViolationError) Error() string

type ExtKeyUsage

ExtKeyUsage represents an extended set of actions that are valid for a given key. Each of the ExtKeyUsage* constants define a unique action.

type ExtKeyUsage int
const (
    ExtKeyUsageAny ExtKeyUsage = iota
    ExtKeyUsageServerAuth
    ExtKeyUsageClientAuth
    ExtKeyUsageCodeSigning
    ExtKeyUsageEmailProtection
    ExtKeyUsageIPSECEndSystem
    ExtKeyUsageIPSECTunnel
    ExtKeyUsageIPSECUser
    ExtKeyUsageTimeStamping
    ExtKeyUsageOCSPSigning
    ExtKeyUsageMicrosoftServerGatedCrypto
    ExtKeyUsageNetscapeServerGatedCrypto
    ExtKeyUsageMicrosoftCommercialCodeSigning
    ExtKeyUsageMicrosoftKernelCodeSigning
)

type HostnameError

当授权名称集与请求的名称不匹配时,将导致HostnameError.

type HostnameError struct {
    Certificate *Certificate
    Host        string
}

func (HostnameError) Error

func (h HostnameError) Error() string

type InsecureAlgorithmError 1.6

InsecureAlgorithmError

type InsecureAlgorithmError SignatureAlgorithm

func (InsecureAlgorithmError) Error 1.6

func (e InsecureAlgorithmError) Error() string

type InvalidReason

type InvalidReason int
const (
    // NotAuthorizedToSign results when a certificate is signed by another
    // which isn't marked as a CA certificate.
    NotAuthorizedToSign InvalidReason = iota
    // Expired results when a certificate has expired, based on the time
    // given in the VerifyOptions.
    Expired
    // CANotAuthorizedForThisName results when an intermediate or root
    // certificate has a name constraint which doesn't permit a DNS or
    // other name (including IP address) in the leaf certificate.
    CANotAuthorizedForThisName
    // TooManyIntermediates results when a path length constraint is
    // violated.
    TooManyIntermediates
    // IncompatibleUsage results when the certificate's key usage indicates
    // that it may only be used for a different purpose.
    IncompatibleUsage
    // NameMismatch results when the subject name of a parent certificate
    // does not match the issuer name in the child.
    NameMismatch
    // NameConstraintsWithoutSANs results when a leaf certificate doesn't
    // contain a Subject Alternative Name extension, but a CA certificate
    // contains name constraints, and the Common Name can be interpreted as
    // a hostname.
    //
    // You can avoid this error by setting the experimental GODEBUG environment
    // variable to "x509ignoreCN=1", disabling Common Name matching entirely.
    // This behavior might become the default in the future.
    NameConstraintsWithoutSANs
    // UnconstrainedName results when a CA certificate contains permitted
    // name constraints, but leaf certificate contains a name of an
    // unsupported or unconstrained type.
    UnconstrainedName
    // TooManyConstraints results when the number of comparison operations
    // needed to check a certificate exceeds the limit set by
    // VerifyOptions.MaxConstraintComparisions. This limit exists to
    // prevent pathological certificates can consuming excessive amounts of
    // CPU time to verify.
    TooManyConstraints
    // CANotAuthorizedForExtKeyUsage results when an intermediate or root
    // certificate does not permit a requested extended key usage.
    CANotAuthorizedForExtKeyUsage
)

type KeyUsage

KeyUsage表示对给定键有效的一组操作. 这是KeyUsage *常数的位图.

type KeyUsage int
const (
    KeyUsageDigitalSignature KeyUsage = 1 << iota
    KeyUsageContentCommitment
    KeyUsageKeyEncipherment
    KeyUsageDataEncipherment
    KeyUsageKeyAgreement
    KeyUsageCertSign
    KeyUsageCRLSign
    KeyUsageEncipherOnly
    KeyUsageDecipherOnly
)

type PEMCipher 1.1

type PEMCipher int

EncryptPEMBlock加密算法的可能值.

const (
    PEMCipherDES PEMCipher
    PEMCipher3DES
    PEMCipherAES128
    PEMCipherAES192
    PEMCipherAES256
)

type PublicKeyAlgorithm

type PublicKeyAlgorithm int
const (
    UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
    RSA
    DSA
    ECDSA
    Ed25519
)

func (PublicKeyAlgorithm) String 1.10

func (algo PublicKeyAlgorithm) String() string

type SignatureAlgorithm

type SignatureAlgorithm int
const (
    UnknownSignatureAlgorithm SignatureAlgorithm = iota
    MD2WithRSA
    MD5WithRSA
    SHA1WithRSA
    SHA256WithRSA
    SHA384WithRSA
    SHA512WithRSA
    DSAWithSHA1
    DSAWithSHA256
    ECDSAWithSHA1
    ECDSAWithSHA256
    ECDSAWithSHA384
    ECDSAWithSHA512
    SHA256WithRSAPSS
    SHA384WithRSAPSS
    SHA512WithRSAPSS
    PureEd25519
)

func (SignatureAlgorithm) String 1.6

func (algo SignatureAlgorithm) String() string

type SystemRootsError 1.1

当我们无法加载系统根证书时,将导致SystemRootsError.

type SystemRootsError struct {
    Err error // Go 1.7
}

func (SystemRootsError) Error 1.1

func (se SystemRootsError) Error() string

type UnhandledCriticalExtension

type UnhandledCriticalExtension struct{}

func (UnhandledCriticalExtension) Error

func (h UnhandledCriticalExtension) Error() string

type UnknownAuthorityError

证书颁发者未知时,出现UnknownAuthorityError错误

type UnknownAuthorityError struct {
    Cert *Certificate // Go 1.8
    // contains filtered or unexported fields
}

func (UnknownAuthorityError) Error

func (e UnknownAuthorityError) Error() string

type VerifyOptions

VerifyOptions包含用于Certificate.Verify的参数. 这是一种结构,因为其他PKIX验证API最终需要许多选项.

type VerifyOptions struct {
    DNSName       string
    Intermediates *CertPool
    Roots         *CertPool // if nil, the system roots are used
    CurrentTime   time.Time // if zero, the current time is used
    // KeyUsage specifies which Extended Key Usage values are acceptable. A leaf
    // certificate is accepted if it contains any of the listed values. An empty
    // list means ExtKeyUsageServerAuth. To accept any key usage, include
    // ExtKeyUsageAny.
    //
    // Certificate chains are required to nest these extended key usage values.
    // (This matches the Windows CryptoAPI behavior, but not the spec.)
    KeyUsages []ExtKeyUsage // Go 1.1
    // MaxConstraintComparisions is the maximum number of comparisons to
    // perform when checking a given certificate's name constraints. If
    // zero, a sensible default is used. This limit prevents pathological
    // certificates from consuming excessive amounts of CPU time when
    // validating.
    MaxConstraintComparisions int // Go 1.10
}

Subdirectories

Name Synopsis
..
pkix 软件包pkix包含用于X.509证书,CRL和OCSP的ASN.1解析和序列化的共享低级结构.

by  ICOPY.SITE