# Functions
AEADDecrypt decrypt bytes by AES GCM
Sugar wrapper of AEADDecryptWithIV, will extract IV from ciphertext automatically.
AEADDecryptBasic decrypt bytes by AES GCM
# Args:
- key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
- ciphertext: encrypted content
- iv: Initialization Vector, should be 12 bytes
- tag: authentication tag, should be 16 bytes
- additionalData: additional data to encrypt
# Returns:
- plaintext: decrypted content.
AEADEncrypt encrypt bytes by AES GCM
Sugar wrapper of AEADEncryptWithIV, will generate a random IV and prepend it to the ciphertext as a prefix. You can use AEADDecrypt to decrypt it.
AEADEncryptBasic encrypt bytes by AES GCM and return IV and ciphertext
# Args:
- key: AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
- plaintext: content to encrypt
- iv: Initialization Vector, should be 12 bytes
- additionalData: additional data to encrypt
# Returns:
- ciphertext: encrypted content without IV and tag, the length of ciphertext is same as plaintext.
AesDecrypt decrypt bytes by AES GCM
inspired by https://tutorialedge.net/golang/go-encrypt-decrypt-aes-tutorial/
The key argument should be 16, 24, or 32 bytes.
Deprecated: use AEADDecrypt instead.
AesEncrypt encrypt bytes by AES GCM
inspired by https://tutorialedge.net/golang/go-encrypt-decrypt-aes-tutorial/
The key argument should be the AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
AESEncryptFilesInDir encrypt files in dir
will generate new encrypted files with <suffix> after ext
xxx.toml -> xxx.toml.enc.
Base32Secret generate base32 encoded secret.
Cert2Der marshal private key by x509.8.
Cert2Pem marshal x509 certificate to pem, trailing with line break.
CertDer2Pem convert certificate in der to pem, trailing with line break.
CRL2Der marshal crl to der.
CRL2Pem marshal crl to pem.
CRLDer2Pem marshal crl to pem.
CRLPem2Der parse crl pem.
CSR2Der marshal csr to der.
CSRDer2Pem convert CSR in der to pem, trailing with line break.
DecodeES256SignByBase64 parse ecdsa signature string to two *big.Int.
DecodeES256SignByHex parse ecdsa signature string to two *big.Int.
Der2Cert parse single certificate in der.
Der2Cert parse multiple certificates in der.
Der2CRL parse crl der.
Der2CSR parse csr der.
Der2Prikey parse private key from der in x509 v8/v1.
Der2Pubkey parse public key from der in x509 pkcs1/pkix.
DeriveKeyByHKDF derive key by hkdf.
DeriveKeyBySMHF derive key by Stronger Key Derivation via Sequential Memory-Hard Functions
https://pkg.go.dev/golang.org/x/crypto/scrypt.
EncodeES256SignByBase64 format ecdsa signature to string.
EncodeES256SignByHex format ecdsa sign to string.
FormatBig2Base64 format big to base64 string.
FormatBig2Hex format big to hex string.
GeneratePasswordHash generate hashed password by origin password
Deprecated: use PasswordHash instead.
HKDFWithSHA256 derivative keys by HKDF with sha256.
HMACSha256 calculate HMAC by sha256
The main difference between HMAC and SHA is that HMAC uses a secret key to calculate the hash, while SHA does not.
MatchPrefix treat prefix inclusion as a match as well
`1.2.3` contains `1.2.3.4`.
NewAesReaderWrapper wrap reader by aes.
NewDefaultX509CertSerialNumGenerator new DefaultX509CertSerialNumGenerator.
NewDHKX create a new DHKX instance
each DHKX instance has its own unique group and private key
Known vulnerabilities: DHKX is not secure against active attacks; a MITM attacker could replace the public keys with his own and decrypt the messages.
NewEcdh create a new ECDH instance
Known vulnerabilities: DHKX is not secure against active attacks; a MITM attacker could replace the public keys with his own and decrypt the messages.
NewECDSAPrikey new ecdsa private key.
NewECDSAPrikeyAndCert convenience function to new ecdsa private key and cert.
NewEd25519Prikey new ed25519 private key.
NewEd25519PrikeyAndCert convenience function to new ed25519 private key and cert.
NewRSAPrikey new rsa private key.
NewRSAPrikeyAndCert convenience function to new rsa private key and cert.
NewTongsuo new tongsuo wrapper
Notice, only support:
- github.com/tongsuo-project/tongsuo-go-sdk v0.0.0-20231225081335-82a881b9b3d3
- https://github.com/Tongsuo-Project/Tongsuo 8.4.0-pre3
# Args
- exePath: path of tongsuo executable binary.
NewTOTP new TOTP.
NewX509Cert new cert.
NewX509CertByCSR sign CSR to certificate
According to RFC-5280 4.2.1.12, an empty ext key usage is the same as any key usage.
NewX509CRL create and sign CRL
# Args
- ca: CA to sign CRL.
NewX509CSR new CSR
# Arguments
if prikey is not RSA private key, you must set SignatureAlgorithm by WithX509CertSignatureAlgorithm.
OidAsn2X509 convert asn1 object identifier to x509 object identifier.
OIDContains is oid in oids.
OidFromString convert string to x509 object identifier.
ParseBase642Big parse base64 string to big.
ParseHex2Big parse hex string to big.
ParseOTPUri parse otp uri to otp arguments
# Args
- uri: like `otpauth://totp/issuerName:demoAccountName?secret=4S62BZNFXXSZLCRO&issuer=issuerName`.
PasswordHash generate salted hash of password, can verify by VerifyHashedPassword.
Pem2Cert parse single certificate in pem.
Pem2Certs parse multiple certificate in pem.
Pem2CRL parse crl pem.
Pem2CSR parse csr from pem.
Pem2Der convert pem to der
support one or more certs.
Pem2Ders convert pem to ders
support one or more certs.
Pem2Prikey parse private key from x509 v8(general) pem.
Pem2Pubkey parse public key from pem.
Prikey2Der marshal private key by x509.8.
Prikey2Pem marshal private key to pem, trailing with line break.
Prikey2Pubkey get public key from private key.
PrikeyDer2Pem convert private key in der to pem.
Privkey2Signer convert privkey to signer.
Pubkey2Der marshal public key by pkix.
Pubkey2Pem marshal public key to pem, trailing with line break.
PubkeyDer2Pem convert public key in der to pem.
ReadableX509ExtKeyUsage convert objectids to readable strings.
ReadablePkixName convert pkix.Name to readable map with strings.
ReadableX509Cert convert x509 certificate to readable jsonable map.
ReadableX509CSR convert x509 certificate request to readable jsonable map.
ReadableX509Extention convert x509 certificate extension to readable jsonable map.
ReadableX509ExtKeyUsage convert x509 certificate ext key usages to readable strings.
ReadableX509KeyUsage convert x509 certificate key usages to readable strings.
RSADecryptByOAEP decrypt by OAEP with SHA256.
RSADecryptByPKCS1v15 decrypt by rsa PKCS1v15
only accept cipher encrypted by RSAEncrypt.
RSADer2Prikey parse private key from x509 v1(rsa) der.
RSAEncryptByOAEP encrypts by OAEP with SHA256
This is not a deterministic encryption scheme: it returns a different ciphertext each time, even if the same plaintext is encrypted multiple times.
RSAEncryptByPKCS1v15 encrypt by PKCS1v15
This is not a deterministic encryption scheme: it returns a different ciphertext each time, even if the same plaintext is encrypted multiple times.
RSAPem2Prikey parse private key from x509 v1(rsa) pem.
Salt generate random salt with specific length.
SecureCipherSuites get golang built-in cipher suites without known insecure suites.
SignByECDSAWithSHA256 generate signature by ecdsa private key use sha256.
SignByECDSAWithSHA256AndBase64 generate signature by ecdsa private key use sha256.
SignByEd25519WithSHA512 generate signature by ed25519 private key.
SignByRSAPKCS1v15WithSHA256 generate signature by rsa private key use sha256.
SignByRSAPSSWithSHA256 generate signature by rsa private key use sha256
RSASSA-PSS is not deterministic, so it will return different signature every time.
SignBySchnorrSha256 sign content by schnorr.
SignReaderByECDSAWithSHA256 generate signature by ecdsa private key use sha256.
SignReaderByEd25519WithSHA256 generate signature by ecdsa private key use sha256.
SignReaderByRSAWithSHA256 generate signature by rsa private key use sha256.
SplitCertsPemChain split pem chain to multiple pem.
ValidatePasswordHash validate password is match with hashedPassword
Deprecated: use VerifyHashedPassword instead.
VerifyByECDSAWithSHA256 verify signature by ecdsa public key use sha256.
VerifyByEd25519WithSHA512 verify signature by ed25519 public key.
VerifyByRSAPKCS1v15WithSHA256 verify signature by rsa public key use sha256.
VerifyByRSAPSSWithSHA256 verify signature by rsa public key use sha256.
VerifyBySchnorrSha256 verify signature by schnorr.
VerifyCertByPrikey verify cert by prikey.
VerifyCRL verify crl by ca.
VerifyHashedPassword verify HashedPassword.
VerifyReaderByECDSAWithSHA256 verify signature by ecdsa public key use sha256.
VerifyReaderByEd25519WithSHA256 verify signature by ecdsa public key use sha256.
VerifyReaderByRSAWithSHA256 verify signature by rsa public key use sha256.
WithAESFilesInDirFileExt only encrypt files with specific ext.
WithAESFilesInDirFileSuffix will append to encrypted's filename as suffix
xxx.toml -> xxx.toml.enc.
WithX509CaMaxPathLen set max path length
only CAs are allowed to specify MaxPathLen.
WithX509CertCaMaxPathLen set max path length.
WithX509CertCommonName set common name.
WithX509CertCountry set subject countries.
WithX509CertCRLs add crl endpoints.
WithX509CertDNSNames set dns sans.
WithX509CertEmailAddrs set email sans.
WithX509CertExtentions set extensions
Deprecated: this field is ignored in x509 v3 certificate, use WithX509CertExtraExtensions instead if you want to set extensions.
WithX509CertExtKeyUsage add ext key usage.
WithX509CertExtraExtensions set extra extensions.
WithX509CertIPAddrs set ip sans.
WithX509CertIsCA set is ca.
WithX509CertIsCRLCA set is ca to sign CRL.
WithX509CertKeyUsage add key usage.
WithX509CertLocality set subject localities.
WithX509CertNotAfter set not after
default to 30 days later.
WithX509CertNotBefore set not before.
WithX509CertOCSPServers set ocsp servers.
WithX509CertOrganization set organization.
WithX509CertOrganizationUnit set organization unit.
WithX509CertParent set issuer.
WithX509CertPolicies set certificate policies.
WithX509CertPostalCode set subject postal codes.
WithX509CertProvince set subject provinces.
WithX509CertPubkey set new certs' pubkey.
WithX509CertPublicKeyAlgorithm set signature algorithm
Deprecated: this field is ignored in x509 v3 certificate.
WithX509CertSANS set certificate SANs
refer to RFC-5280 4.2.1.6
auto parse to ip/email/url/dns.
WithX509CertSerialNumGenerator set serial number generator.
WithX509CertSeriaNumber set certificate/CRL's serial number
refer to RFC-5280 5.2.3 &
# Args
seriaNumber:
- (optional): generate certificate
- (required): generate CRL.
WithX509CertSignatureAlgorithm set signature algorithm.
WithX509CertStreetAddrs set subject street addresses.
WithX509CertURIs set uri sans.
WithX509CertValidFor set valid for duration
Deprecated: use WithX509CertNotAfter instead.
WithX509CertValidFrom set valid from
Deprecated: use WithX509CertNotBefore instead.
WithX509CRLNextUpdate set next update
default to 30 days later.
WithX509CRLSignatureAlgorithm set signature algorithm
default to auto choose algorithm depends on certificate's algorithm.
WithX509CRLThisUpdate set this update
default to now.
WithX509CSRAttribute set attribute
Deprecated: Use Extensions and ExtraExtensions instead for parsing and generating the requestedExtensions attribute.
WithX509CSRCommonName set common name.
WithX509CSRCountry set subject countries.
WithX509CSRDNSNames set dns sans.
WithX509CSREmailAddrs set email sans.
WithX509CSRExtension set extension
Extensions contains raw X.509 extensions.
WithX509CSRExtraExtension set extra extension
ExtraExtensions contains extensions to be copied, raw, into any marshaled certificates.
WithX509CSRIPAddrs set ip sans.
WithX509CSRLocality set subject localities.
WithX509CsrOptions set csr options.
WithX509CSROrganization set organization.
WithX509CSROrganizationUnit set organization units.
WithX509CSRPostalCode set subject postal codes.
WithX509CSRProvince set subject provinces.
WithX509CSRPublicKeyAlgorithm set signature algorithm
Deprecated: this field is ignored by golang's built-in x509 library.
WithX509CSRSANS set certificate SANs
refer to RFC-5280 4.2.1.6
auto parse to ip/email/url/dns.
WithX509CSRSignatureAlgorithm set signature algorithm.
WithX509CSRStreetAddrs set subject street addresses.
WithX509CSRSubject set subject name.
WithX509CSRURIs set uri sans.
WithX509SerialNumGenerator set serial number generator.
WithX509SignCSRCRLs add crl endpoints.
WithX509SignCSRExtenstions set certificate extensions
Extensions contains all requested extensions, in raw form.
WithX509SignCSRExtKeyUsage add ext key usage.
WithX509SignCSRExtraExtenstions set certificate extra extensions
ExtraExtensions contains extensions to be copied, raw, into any CSR marshaled by CreateCertificateRequest.
WithX509SignCSRIsCA set is ca.
WithX509SignCSRIsCRLCA set is ca to sign CRL.
WithX509SignCSRKeyUsage add key usage.
WithX509SignCSRNotAfter set valid for duration.
WithX509SignCSRNotBefore set valid from.
WithX509SignCSROCSPServers set ocsp servers.
WithX509SignCSRPolicies set certificate policies.
WithX509SignCSRSeriaNumber set certificate/CRL's serial number
refer to RFC-5280 5.2.3 &
# Args
seriaNumber:
- (optional): generate certificate
- (required): generate CRL.
WithX509SignCSRValidFor set valid for duration
Deprecated: use WithX509SignCSRNotAfter instead.
WithX509SignCSRValidFrom set valid from
Deprecated: use WithX509SignCSRNotBefore instead.
WithX509SignPublicKeyAlgorithm set public key algorithm
Deprecated: this field is ignored by golang built-in x509 library.
WithX509SignSignatureAlgorithm set signature algorithm that parent certificate used to sign csr.
WithX509Subject set subject name.
X509Cert2OpensslConf marshal x509.
X509CertSubjectKeyID generate subject key id for pubkey
if the x509 certificate template is a CA, the subject key id will be generated by golang automatically
- https://cs.opensource.google/go/go/+/refs/tags/go1.19.5:src/crypto/x509/x509.go;l=1476.
X509CrlOptions2Tpl marshal x509 crl options to x509.RevocationList.
X509Csr2OpensslConf marshal x509 csr to openssl conf
# Returns
    [ req ]
    distinguished_name = req_distinguished_name
    prompt = no
    string_mask = utf8only
    req_extensions = req_ext

    [ req_ext ]
    subjectAltName = @alt_names

    [ req_distinguished_name ]
    commonName = Intermedia CA
    countryName = CN
    stateOrProvinceName = Shanghai
    localityName = Shanghai
    organizationName = BBT
    organizationalUnitName = XSS

    [ alt_names ]
    DNS.1 = localhost
    DNS.2 = example.com
X509CsrOption2Template convert X509CSROption to x509.CertificateRequest.
# Constants
AesGcmIvLen is the length of IV for AES GCM.
AesGcmTagLen is the length of tag for AES GCM.
ECDSACurveP256 ecdsa with P256.
ECDSACurveP384 ecdsa with P384.
ECDSACurveP521 ecdsa with P521.
OTPAlgorithmSHA1 sha1.
OTPTypeHOTP hash-based otp.
OTPTypeTOTP time-based otp.
RSAPrikeyBits2048 rsa private key with 2048 bits.
RSAPrikeyBits3072 rsa private key with 3072 bits.
RSAPrikeyBits4096 rsa private key with 4096 bits.
# Variables
RSADecrypt decrypt by RSADecryptByPKCS1v15, for compatibility
Deprecated: use RSADecryptByPKCS1v15 or RSADecryptByOAEP instead.
RSAEncrypt encrypt by RSAEncryptByPKCS1v15, for compatibility
Deprecated: use RSAEncryptByPKCS1v15 or RSAEncryptByOAEP instead.
SignByRSAWithSHA256 sign content by rsa with sha256
Deprecated: use SignByRSAPKCS1v15WithSHA256 instead.
VerifyByRSAWithSHA256 verify signature by rsa with sha256
Deprecated: use VerifyByRSAPKCS1v15WithSHA256 instead.
# Structs
AesReaderWrapper used to decrypt encrypted reader.
DefaultX509CertSerialNumGenerator default cert serial number generator base on epoch time and random int.
Diffie Hellman Key-exchange algorithm
https://pkg.go.dev/github.com/monnand/dhkx
# Example
    alice, _ := NewDHKX()
    bob, _ := NewDHKX()

    alicePub := alice.PublicKey()
    bobPub := bob.PublicKey()

    aliceKey, _ := alice.GenerateKey(bobPub)
    bobKey, _ := bob.GenerateKey(alicePub)

    aliceKey == bobKey

Note: it is recommended to use ECDH instead of DHKX.
ECDH Elliptic Curve Diffie-Hellman.
HashedPassword salt hashed password
generate by PasswordHash, verify by VerifyHashedPassword.
OpensslCertificateOutput output of `openssl x509 -inform DER -text`.
OTPArgs arguments for OTP.
Tongsuo is a wrapper of tongsuo executable binary
https://github.com/Tongsuo-Project/Tongsuo.
TongsuoPriKey tongsuo private key.
TongsuoPubkey tongsuo public key.
TOTP time-based OTP.
# Interfaces
KeyExchange key agreement interface.
TOTPInterface interface for TOTP.
X509CertSerialNumberGenerator x509 certificate serial number generator.
# Type aliases
AESEncryptFilesInDirOption options to encrypt files in dir.
DHKXOptionFunc optional func to set dhkx option.
ECDSACurve algorithms.
OTPAlgorithm hash algorithm for otp.
OTPType otp type.
RSAPrikeyBits width of rsa private key.
SignCSROption options for creating a certificate from a CSR.
X509CertOption option to generate tls certificate.
X509CRLOption options for create x509 CRL.
X509CSROption option to generate tls certificate.