returned by the Format* functions in case there's something cripplingly wrong with it
const InvalidName = "<invalid>"
var (
// RFC 3279
OidDigestMD5 = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 5}
OidDigestSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
// RFC 5758
OidDigestSHA224 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 4}
OidDigestSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
OidDigestSHA384 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
OidDigestSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
)
var (
// RFC 3279
OidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
OidPublicKeyDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1}
OidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
// RFC 4055
OidMGF1 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 8}
OidSignatureRSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
Asn1TagBMPString = 30
)
var (
ArgCountry string
ArgOrganization string
ArgOrganizationalUnit string
ArgLocality string
ArgProvince string
ArgCommonName string
ArgDNSNames string
ArgEmailNames string
ArgKeyUsage string
ArgExpireDays uint
ArgCertAuthority bool
ArgSerial string
ArgInteractive bool
ArgRSAPSS bool
)
var DefinedCurves = []CurveDefinition{ {256, elliptic.P256(), asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}}, {384, elliptic.P384(), asn1.ObjectIdentifier{1, 3, 132, 0, 34}}, {521, elliptic.P521(), asn1.ObjectIdentifier{1, 3, 132, 0, 35}}, }
var HashNames = map[crypto.Hash]string{ crypto.MD5: "MD5", crypto.SHA1: "SHA1", crypto.SHA224: "SHA-224", crypto.SHA256: "SHA-256", crypto.SHA384: "SHA-384", crypto.SHA512: "SHA-512", }
var HashOids = map[crypto.Hash]asn1.ObjectIdentifier{ crypto.MD5: OidDigestMD5, crypto.SHA1: OidDigestSHA1, crypto.SHA224: OidDigestSHA224, crypto.SHA256: OidDigestSHA256, crypto.SHA384: OidDigestSHA384, crypto.SHA512: OidDigestSHA512, }
func AddCertFlags(cmd *cobra.Command)
Add flags associated with X509 certificate creation to the given command
func AddRequestFlags(cmd *cobra.Command)
Add flags associated with X509 requests to the given command
func CrossSign(certBytes []byte, rand io.Reader, key crypto.Signer, cacert *x509.Certificate) (string, error)
CrossSign takes a certificate as input and re-signs it using the given key. Any command-line flags set will override the CSR contents.
func DerToPoint(curve elliptic.Curve, der []byte) (*big.Int, *big.Int)
Decode an ECDSA public key from its DER encoding. Both octet and bitstring encodings are supported.
func FormatIssuer(cert *x509.Certificate) string
Format the certificate issuer name in LDAP style
func FormatPkixName(der []byte, style NameStyle) string
Format the name (RDN sequence) from its raw DER to a readable style.
func FormatSubject(cert *x509.Certificate) string
Format the certificate subject name in LDAP style
func FprintCertificate(w io.Writer, cert *x509.Certificate)
FprintCertificate formats a certificate for display
func GetPublicKeyAlgorithm(key interface{}) x509.PublicKeyAlgorithm
Determine the type of a public or private key
func HashByName(name string) crypto.Hash
func HashShortName(hash crypto.Hash) string
func LoadCertPool(path string, tconf *tls.Config) error
Load a certificate pool from a file and set it as the root CA for a TLS config. If path is empty then the system pool will be used. If the filename starts with + then both the system pool and the contents of the file will be used.
func MakeCertificate(rand io.Reader, key crypto.Signer) (string, error)
Make a self-signed X509 certificate using command-line arguments and return the PEM string
func MakeRequest(rand io.Reader, key crypto.Signer) (string, error)
Make a X509 certificate request using command-line arguments and return the PEM string
func MakeSerial() *big.Int
Make a random 12 byte big.Int
func MarshalDigest(hash crypto.Hash, digest []byte) (der []byte, ok bool)
Pack a digest along with an algorithm identifier. Mainly useful for PKCS#1v1.5 padding (RSA).
func MarshalRSAPSSParameters(pub *rsa.PublicKey, opts *rsa.PSSOptions) (asn1.RawValue, error)
func ParseBMPString(raw asn1.RawValue) string
func PkixAlgorithms(pub crypto.PublicKey, opts crypto.SignerOpts) (digestAlg, sigAlg pkix.AlgorithmIdentifier, err error)
Given a public key and signer options, return the appropriate X.509 digest and signature algorithms
func PkixDigestAlgorithm(hash crypto.Hash) (alg pkix.AlgorithmIdentifier, ok bool)
Convert a crypto.Hash to a X.509 AlgorithmIdentifier
func PkixDigestToHash(alg pkix.AlgorithmIdentifier) (hash crypto.Hash, ok bool)
Convert a X.509 AlgorithmIdentifier to a crypto.Hash
func PkixDigestToHashE(alg pkix.AlgorithmIdentifier) (hash crypto.Hash, err error)
Convert a X.509 AlgorithmIdentifier to a crypto.Hash
func PkixPublicKeyAlgorithm(pub crypto.PublicKey) (alg pkix.AlgorithmIdentifier, ok bool)
Convert a crypto.PublicKey to a X.509 AlgorithmIdentifier
func PkixVerify(pub crypto.PublicKey, digestAlg, sigAlg pkix.AlgorithmIdentifier, digest, sig []byte) error
Verify a signature using the algorithm specified by the given X.509 AlgorithmIdentifier
func PointToDer(pub *ecdsa.PublicKey) []byte
func SameKey(pub1, pub2 interface{}) bool
Test whether two public or private keys have the same public key
func SetKeyLogFile(tconf *tls.Config)
If the SSLKEYLOGFILE environment variable is set, then open it for appending and write TLS master secrets there in the "NSS Key Log Format". Use this for debugging TLS and HTTP problems with Wireshark.
func SignCSR(csrBytes []byte, rand io.Reader, key crypto.Signer, cacert *x509.Certificate, copyExtensions bool) (string, error)
SignCSR takes a PKCS#10 signing request in PEM or DER format as input and produces a signed certificate in PEM format. Any command-line flags set will override the CSR contents.
func SubjectKeyID(pub crypto.PublicKey) ([]byte, error)
Calculcate subject key identifier from a public key per RFC 3280
func SupportedCurves() string
Return the names of all supported ECDSA curves
func ToBMPString(value string) asn1.RawValue
func UnmarshalRSAPSSParameters(hash crypto.Hash, raw asn1.RawValue) (*rsa.PSSOptions, error)
func Verify(pub interface{}, hash crypto.Hash, hashed []byte, sig []byte) error
Verify an RSA or ECDSA signature
func X509SignatureAlgorithm(pub crypto.PublicKey) x509.SignatureAlgorithm
Choose a X509 signature algorithm suitable for the specified public key
Predefined named ECDSA curve
type CurveDefinition struct {
Bits uint
Curve elliptic.Curve
Oid asn1.ObjectIdentifier
}
func CurveByBits(bits uint) (*CurveDefinition, error)
Get a curve by a number of bits
func CurveByCurve(curve elliptic.Curve) (*CurveDefinition, error)
Get a curve by an elliptic.Curve value
func CurveByDer(der []byte) (*CurveDefinition, error)
Get a curve by the DER encoding of its OID
func CurveByOid(oid asn1.ObjectIdentifier) (*CurveDefinition, error)
Get a curve by its ASN.1 object identifier
func CurveByOidString(oidstr string) (*CurveDefinition, error)
Get a curve by a dotted decimal OID string
func (def *CurveDefinition) ToDer() []byte
Return the DER encoding of the ASN.1 OID of this named curve
ASN.1 structure used to encode an ECDSA signature
type EcdsaSignature struct {
R, S *big.Int
}
func UnmarshalEcdsaSignature(der []byte) (sig EcdsaSignature, err error)
Unpack an ECDSA signature from an ASN.1 DER sequence
func UnpackEcdsaSignature(packed []byte) (sig EcdsaSignature, err error)
Unpack an ECDSA signature consisting of two numbers concatenated per IEEE 1363
func (sig EcdsaSignature) Marshal() []byte
Marshal an ECDSA signature as an ASN.1 structure
func (sig EcdsaSignature) Pack() []byte
Pack an ECDSA signature by concatenating the two numbers per IEEE 1363
type NameStyle int
const (
NameStyleOpenSsl NameStyle = iota
NameStyleLdap
NameStyleMsOsco
)
type UnknownDigestError struct {
Algorithm asn1.ObjectIdentifier
}
func (e UnknownDigestError) Error() string