# README

Important Notice

This is a fork of the crypto/x509 Go package. The original source can be found on GitHub.

Be careful about making local modifications to this code as it will make maintenance harder in future.

# Packages

Package pkix contains shared, low-level structures used for ASN.1 parsing and serialization of X.509 certificates, CRLs and OCSP.

# Functions

BuildPrecertTBS builds a Certificate Transparency pre-certificate (RFC 6962 s3.1) from the given DER-encoded TBSCertificate, returning a DER-encoded TBSCertificate.
CreateCertificate creates a new X.509v3 certificate based on a template.
CreateCertificateRequest creates a new certificate request based on a template.
DecryptPEMBlock takes a password-encrypted PEM block and the password used to encrypt it and returns a slice of decrypted DER-encoded bytes.
EncryptPEMBlock returns a PEM block of the specified type holding the given DER-encoded data encrypted with the specified algorithm and password.
ErrorFilter builds a list of error IDs (suitable for use with Errors.Filter) from a comma-separated string.
IsEncryptedPEMBlock reports whether the PEM block is password-encrypted.
IsFatal indicates whether an error is fatal.
MarshalECPrivateKey converts an EC private key to SEC 1, ASN.1 DER form.
MarshalPKCS1PrivateKey converts an RSA private key to PKCS#1, ASN.1 DER form.
MarshalPKCS1PublicKey converts an RSA public key to PKCS#1, ASN.1 DER form.
MarshalPKCS8PrivateKey converts a private key to PKCS#8, ASN.1 DER form.
MarshalPKIXPublicKey converts a public key to PKIX, ASN.1 DER form.
NewCertPool returns a new, empty CertPool.
NewError builds a new x509.Error based on the template for the given id.
OIDFromNamedCurve returns the OID used to specify the use of the given elliptic curve.
ParseCertificate parses a single certificate from the given ASN.1 DER data.
ParseCertificateList parses a CertificateList (e.g.
ParseCertificateListDER parses a DER-encoded CertificateList from the given bytes.
ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.
ParseCertificates parses one or more certificates from the given ASN.1 DER data.
ParseCRL parses a CRL from the given bytes.
ParseDERCRL parses a DER-encoded CRL from the given bytes.
ParseECPrivateKey parses an EC private key in SEC 1, ASN.1 DER form.
ParsePKCS1PrivateKey parses an RSA private key in PKCS#1, ASN.1 DER form.
ParsePKCS1PublicKey parses an RSA public key in PKCS#1, ASN.1 DER form.
ParsePKCS8PrivateKey parses an unencrypted private key in PKCS#8, ASN.1 DER form.
ParsePKIXPublicKey parses a public key in PKIX, ASN.1 DER form.
ParseTBSCertificate parses a single TBSCertificate from the given ASN.1 DER data.
RemoveCTPoison takes a DER-encoded TBSCertificate and removes the CT poison extension (preserving the order of other extensions), and returns the result still as a DER-encoded TBSCertificate.
RemoveSCTList takes a DER-encoded TBSCertificate and removes the CT SCT extension that contains the SCT list (preserving the order of other extensions), and returns the result still as a DER-encoded TBSCertificate.
SignatureAlgorithmFromAI converts a PKIX algorithm identifier to the equivalent local constant.
SystemCertPool returns a copy of the system cert pool.

# Constants

ReasonFlag values.
Errors relative to CA/Browser Forum guidelines.
CANotAuthorizedForExtKeyUsage results when an intermediate or root certificate does not permit a requested extended key usage.
CANotAuthorizedForThisName results when an intermediate or root certificate has a name constraint which doesn't permit a DNS or other name (including IP address) in the leaf certificate.
PublicKeyAlgorithm values.
SignatureAlgorithm values.
To preserve error IDs, only append to this list, never insert.
ErrCategory values.
Expired results when a certificate has expired, based on the time given in the VerifyOptions.
ExtKeyUsage values.
IncompatibleUsage results when the certificate's key usage indicates that it may only be used for a different purpose.
Other errors.
Errors in ASN.1 encoding.
Errors in ASN.1 relative to schema.
Most relevant values for AFI from: http://www.iana.org/assignments/address-family-numbers.
KeyUsage values.
Fails a MUST clause.
NameConstraintsWithoutSANs results when a leaf certificate doesn't contain a Subject Alternative Name extension, but a CA certificate contains name constraints, and the Common Name can be interpreted as a hostname.
NameMismatch results when the subject name of a parent certificate does not match the issuer name in the child.
NotAuthorizedToSign results when a certificate is signed by another which isn't marked as a CA certificate.
Possible values for the EncryptPEMBlock encryption algorithm.
Fails a SHOULD clause.
TooManyConstraints results when the number of comparison operations needed to check a certificate exceeds the limit set by VerifyOptions.MaxConstraintComparisions.
TooManyIntermediates results when a path length constraint is violated.
UnconstrainedName results when a CA certificate contains permitted name constraints, but leaf certificate contains a name of an unsupported or unconstrained type.

# Variables

RevocationReasonCode values.
ErrUnsupportedAlgorithm results from attempting to perform an operation that involves algorithms that are not currently implemented.
IncorrectPasswordError is returned when an incorrect password is detected.
id-ce, RFC 5280 s4.2.1.
OIDExtensionASList is defined in RFC 3779 s3.
OID values for standard extensions from RFC 5280.
OID values for CRL entry extensions (RevokedCertificate.Extensions), RFC 5280 s5.3.
OID values for CRL extensions (TBSCertList.Extensions), RFC 5280 s5.2.
OIDExtensionCTPoison is defined in RFC 6962 s3.1.
OIDExtensionCTSCT is defined in RFC 6962 s3.3.
OIDExtensionIPPrefixList is defined in RFC 3779 s2.
RFC 5480, 2.1.1.1.
Public key algorithm OIDs, from RFC 3279 s2.3 (Public Key Algorithms) and RFC 5480 s2.1.1 (Unrestricted Algorithm Identifier and Parameters):

```
pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 }
id-ecPublicKey OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
```

# Structs

ASIdentifiers describes a collection of AS Identifiers (AS numbers or routing domain identifiers).
ASIDRange describes an inclusive range of AS Identifiers (AS numbers or routing domain identifiers).
A Certificate represents an X.509 certificate.
CertificateInvalidError results when an odd error occurs.
CertificateList represents the ASN.1 structure of the same name from RFC 5280, s5.1.
CertificateRequest represents a PKCS #10 certificate signature request.
CertPool is a set of certificates.
ConstraintViolationError results when a requested usage is not permitted by a certificate.
Error implements the error interface and describes a single error in an X.509 certificate or CRL.
Errors implements the error interface and holds a collection of errors found in a certificate or CRL.
GeneralNames holds a collection of names related to a certificate.
HostnameError results when the set of authorized names doesn't match the requested name.
IPAddressFamilyBlocks describes a set of ranges of IP addresses.
IPAddressRange describes an (inclusive) IP address range.
IssuingDistributionPoint represents the ASN.1 structure of the same name.
NonFatalErrors is an error type which can hold a number of other errors.
OtherName describes a name related to a certificate which is not in one of the standard name formats.
RevokedCertificate represents the unnamed ASN.1 structure that makes up the revokedCertificates member of the TBSCertList structure from RFC 5280, s5.1.
SerializedSCT represents a single TLS-encoded signed certificate timestamp, from RFC 6962 s3.3.
SignedCertificateTimestampList is a list of signed certificate timestamps, from RFC 6962 s3.3.
SystemRootsError results when we fail to load the system root certificates.
TBSCertList represents the ASN.1 structure of the same name from RFC 5280, section 5.1.
UnhandledCriticalExtension results when the certificate contains an extension that is marked as critical but which is not handled by this library.
UnknownAuthorityError results when the certificate issuer is unknown.
VerifyOptions contains parameters for Certificate.Verify.

# Type aliases

ErrCategory indicates the category of an x509.Error.
ErrorID is an identifier for an x509.Error, to allow filtering.
ExtKeyUsage represents an extended set of actions that are valid for a given key.
InsecureAlgorithmError results when the signature algorithm for a certificate is known to be insecure.
IPAddressPrefix describes an IP address prefix as an ASN.1 bit string, where the BitLength field holds the prefix length.
KeyUsage represents the set of actions that are valid for a given key.
PublicKeyAlgorithm indicates the algorithm used for a certificate's public key.
ReasonFlag holds a bitmask of applicable revocation reasons, from RFC 5280 s4.2.1.13.
RevocationReasonCode represents the reason for a certificate revocation; see RFC 5280 s5.3.1.
SignatureAlgorithm indicates the algorithm used to sign a certificate.