certlib

package

v1.19.0 Latest Latest Go to latest Published: Feb 12, 2026 License: Apache-2.0, BSD-2-Clause Imports: 24 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

git.wntrmute.dev/kyle/goutils

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func CreateTLSConfig(remoteCAs *x509.CertPool, cert *tls.Certificate) *tls.Config
func DeserializeSCTList(serializedSCTList []byte) ([]ct.SignedCertificateTimestamp, error)
func EncodeCertificatePEM(cert *x509.Certificate) []byte
func EncodeCertificatesPEM(certs []*x509.Certificate) []byte
func ExpiryTime(chain []*x509.Certificate) time.Time
func ExportCSRAsPEM(req *x509.CertificateRequest) []byte
func ExportPrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error)
func GetKeyDERFromPEM(in []byte, password []byte) ([]byte, error)
func HashAlgoString(alg x509.SignatureAlgorithm) string
func InclusiveDate(year int, month time.Month, day int) time.Time
func KeyLength(key any) int
func LoadCSR(path string) (*x509.CertificateRequest, error)
func LoadCertificate(path string) (*x509.Certificate, error)
func LoadCertificates(path string) ([]*x509.Certificate, error)
func LoadClientCertificate(certFile string, keyFile string) (*tls.Certificate, error)
func LoadFullCertPool(roots, intermediates string) (*x509.CertPool, error)
func LoadPEMCertPool(certsFile string) (*x509.CertPool, error)
func LoadPrivateKey(path string) (crypto.Signer, error)
func MarshalEd25519PrivateKey(sk crypto.PrivateKey) ([]byte, error)
func MarshalEd25519PublicKey(pk crypto.PublicKey) ([]byte, error)
func MatchKeys(cert *x509.Certificate, priv crypto.Signer) (bool, string)
func MatchKeysCSR(csr *x509.CertificateRequest, priv crypto.Signer) (bool, string)
func MonthsValid(c *x509.Certificate) int
func PEMToCertPool(pemCerts []byte) (*x509.CertPool, error)
func ParseCSR(in []byte) (*x509.CertificateRequest, []byte, error)
func ParseCSRPEM(csrPEM []byte) (*x509.CertificateRequest, error)
func ParseCertificatePEM(certPEM []byte) (*x509.Certificate, error)
func ParseCertificatesDER(certsDER []byte, password string) ([]*x509.Certificate, crypto.Signer, error)
func ParseCertificatesPEM(certsPEM []byte) ([]*x509.Certificate, error)
func ParseEd25519PrivateKey(der []byte) (crypto.PrivateKey, error)
func ParseEd25519PublicKey(der []byte) (crypto.PublicKey, error)
func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, []byte, error)
func ParsePrivateKeyDER(keyDER []byte) (crypto.Signer, error)
func ParsePrivateKeyPEM(keyPEM []byte) (crypto.Signer, error)
func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (crypto.Signer, error)
func ParseSelfSignedCertificatePEM(certPEM []byte) (*x509.Certificate, error)
func PoolFromBytes(certBytes []byte) (*x509.CertPool, error)
func ReadBytes(valFile string) ([]byte, error)
func ReadCertificate(in []byte) (*x509.Certificate, []byte, error)
func ReadCertificates(in []byte) ([]*x509.Certificate, error)
func SCTListFromOCSPResponse(response *ocsp.Response) ([]ct.SignedCertificateTimestamp, error)
func SerializeSCTList(sctList []ct.SignedCertificateTimestamp) ([]byte, error)
func SignatureString(alg x509.SignatureAlgorithm) string
func SignerAlgo(priv crypto.Signer) x509.SignatureAlgorithm
func StringTLSVersion(version string) uint16
func ValidExpiry(c *x509.Certificate) bool
type FileFormat
- func (f FileFormat) String() string
type FileType
- func FileKind(path string) (*FileType, error)
- func (ft FileType) String() string
type KeyAlgo
- func (ka KeyAlgo) String() string

Constants ¶

View Source

const OneDay = 24 * time.Hour

OneDay is a time.Duration representing a day's worth of seconds.

View Source

const OneYear = 8760 * time.Hour

OneYear is a time.Duration representing a year's worth of seconds.

Variables ¶

View Source

var Apr2015 = InclusiveDate(year2015, time.April, day1)

Apr2015 is the April 2015 CAB Forum deadline for when CAs must stop issuing certificates valid for more than 39 months.

View Source

var DelegationExtension = pkix.Extension{
	Id:       DelegationUsage,
	Critical: false,
	Value:    []byte{0x05, 0x00},
}

DelegationExtension is a non-critical extension marking delegation usage.

View Source

var DelegationUsage = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 44363, 44}

DelegationUsage is the OID for the DelegationUseage extensions.

View Source

var Jul2012 = InclusiveDate(year2012, time.July, day1)

Jul2012 is the July 2012 CAB Forum deadline for when CAs must stop issuing certificates valid for more than 5 years.

Functions ¶

func CreateTLSConfig ¶

func CreateTLSConfig(remoteCAs *x509.CertPool, cert *tls.Certificate) *tls.Config

CreateTLSConfig creates a tls.Config object from certs and roots.

func DeserializeSCTList ¶

func DeserializeSCTList(serializedSCTList []byte) ([]ct.SignedCertificateTimestamp, error)

DeserializeSCTList deserializes a list of SCTs.

func EncodeCertificatePEM ¶

func EncodeCertificatePEM(cert *x509.Certificate) []byte

EncodeCertificatePEM encodes a single x509 certificates to PEM.

func EncodeCertificatesPEM ¶

func EncodeCertificatesPEM(certs []*x509.Certificate) []byte

EncodeCertificatesPEM encodes a number of x509 certificates to PEM.

func ExpiryTime ¶

func ExpiryTime(chain []*x509.Certificate) time.Time

ExpiryTime returns the time when the certificate chain is expired.

func ExportCSRAsPEM ¶ added in v1.15.4

func ExportCSRAsPEM(req *x509.CertificateRequest) []byte

func ExportPrivateKeyPEM ¶ added in v1.15.2

func ExportPrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error)

func GetKeyDERFromPEM ¶

func GetKeyDERFromPEM(in []byte, password []byte) ([]byte, error)

GetKeyDERFromPEM parses a PEM-encoded private key and returns DER-format key bytes.

func HashAlgoString ¶

func HashAlgoString(alg x509.SignatureAlgorithm) string

HashAlgoString returns the hash algorithm name contains in the signature method.

func InclusiveDate ¶

func InclusiveDate(year int, month time.Month, day int) time.Time

InclusiveDate returns the time.Time representation of a date - 1 nanosecond. This allows time.After to be used inclusively.

func KeyLength ¶

func KeyLength(key any) int

KeyLength returns the bit size of ECDSA or RSA PublicKey.

func LoadCSR ¶ added in v1.15.3

func LoadCSR(path string) (*x509.CertificateRequest, error)

func LoadCertificate ¶

func LoadCertificate(path string) (*x509.Certificate, error)

LoadCertificate tries to read a single certificate from disk. If the file contains multiple certificates (e.g. a chain), only the first certificate is returned.

func LoadCertificates ¶

func LoadCertificates(path string) ([]*x509.Certificate, error)

LoadCertificates tries to read all the certificates in a file, returning them in the order that it found them in the file.

func LoadClientCertificate ¶

func LoadClientCertificate(certFile string, keyFile string) (*tls.Certificate, error)

LoadClientCertificate load key/certificate from pem files.

func LoadFullCertPool ¶ added in v1.13.3

func LoadFullCertPool(roots, intermediates string) (*x509.CertPool, error)

LoadFullCertPool returns a certificate pool with roots and intermediates from disk. If no roots are provided, the system root pool will be used.

func LoadPEMCertPool ¶

func LoadPEMCertPool(certsFile string) (*x509.CertPool, error)

LoadPEMCertPool loads a pool of PEM certificates from file.

func LoadPrivateKey ¶ added in v1.14.6

func LoadPrivateKey(path string) (crypto.Signer, error)

LoadPrivateKey loads a private key from disk. It accepts both PEM and DER encodings and supports RSA and ECDSA keys. If the file contains a PEM block, the block type must be one of the recognised private key types.

func MarshalEd25519PrivateKey ¶

func MarshalEd25519PrivateKey(sk crypto.PrivateKey) ([]byte, error)

MarshalEd25519PrivateKey returns a DER encoding of the input private key as specified in https://tools.ietf.org/html/draft-ietf-curdle-pkix-04.

func MarshalEd25519PublicKey ¶

func MarshalEd25519PublicKey(pk crypto.PublicKey) ([]byte, error)

MarshalEd25519PublicKey creates a DER-encoded SubjectPublicKeyInfo for an ed25519 public key, as defined in https://tools.ietf.org/html/draft-ietf-curdle-pkix-04. This is analogous to MarshalPKIXPublicKey in crypto/x509, which doesn't currently support Ed25519.

func MatchKeys ¶ added in v1.14.6

func MatchKeys(cert *x509.Certificate, priv crypto.Signer) (bool, string)

MatchKeys determines whether the certificate's public key matches the given private key. It returns true if they match; otherwise, it returns false and a human-friendly reason.

func MatchKeysCSR ¶ added in v1.19.0

func MatchKeysCSR(csr *x509.CertificateRequest, priv crypto.Signer) (bool, string)

MatchKeysCSR determines whether the CSR's public key matches the given private key. It returns true if they match; otherwise, it returns false and a human-friendly reason.

func MonthsValid ¶

func MonthsValid(c *x509.Certificate) int

MonthsValid returns the number of months for which a certificate is valid.

func PEMToCertPool ¶

func PEMToCertPool(pemCerts []byte) (*x509.CertPool, error)

PEMToCertPool concerts PEM certificates to a CertPool.

func ParseCSR ¶

func ParseCSR(in []byte) (*x509.CertificateRequest, []byte, error)

ParseCSR parses a PEM- or DER-encoded PKCS #10 certificate signing request.

func ParseCSRPEM ¶

func ParseCSRPEM(csrPEM []byte) (*x509.CertificateRequest, error)

ParseCSRPEM parses a PEM-encoded certificate signing request. It does not check the signature. This is useful for dumping data from a CSR locally.

func ParseCertificatePEM ¶

func ParseCertificatePEM(certPEM []byte) (*x509.Certificate, error)

ParseCertificatePEM parses and returns a PEM-encoded certificate, can handle PEM encoded PKCS #7 structures.

func ParseCertificatesDER ¶

func ParseCertificatesDER(certsDER []byte, password string) ([]*x509.Certificate, crypto.Signer, error)

ParseCertificatesDER parses a DER encoding of a certificate object and possibly private key, either PKCS #7, PKCS #12, or raw x509.

func ParseCertificatesPEM ¶

func ParseCertificatesPEM(certsPEM []byte) ([]*x509.Certificate, error)

ParseCertificatesPEM parses a sequence of PEM-encoded certificate and returns them, can handle PEM encoded PKCS #7 structures.

func ParseEd25519PrivateKey ¶

func ParseEd25519PrivateKey(der []byte) (crypto.PrivateKey, error)

ParseEd25519PrivateKey returns the Ed25519 private key encoded by the input.

func ParseEd25519PublicKey ¶

func ParseEd25519PublicKey(der []byte) (crypto.PublicKey, error)

ParseEd25519PublicKey returns the Ed25519 public key encoded by the input.

func ParseOneCertificateFromPEM ¶

func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, []byte, error)

ParseOneCertificateFromPEM attempts to parse one PEM encoded certificate object, either a raw x509 certificate or a PKCS #7 structure possibly containing multiple certificates, from the top of certsPEM, which itself may contain multiple PEM encoded certificate objects.

func ParsePrivateKeyDER ¶

func ParsePrivateKeyDER(keyDER []byte) (crypto.Signer, error)

ParsePrivateKeyDER parses a PKCS #1, PKCS #8, ECDSA, or Ed25519 DER-encoded private key. The key must not be in PEM format. If an error is returned, it may contain information about the private key, so care should be taken when displaying it directly.

func ParsePrivateKeyPEM ¶

func ParsePrivateKeyPEM(keyPEM []byte) (crypto.Signer, error)

ParsePrivateKeyPEM parses and returns a PEM-encoded private key. The private key may be either an unencrypted PKCS#8, PKCS#1, or elliptic private key.

func ParsePrivateKeyPEMWithPassword ¶

func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (crypto.Signer, error)

ParsePrivateKeyPEMWithPassword parses and returns a PEM-encoded private key. The private key may be a potentially encrypted PKCS#8, PKCS#1, or elliptic private key.

func ParseSelfSignedCertificatePEM ¶

func ParseSelfSignedCertificatePEM(certPEM []byte) (*x509.Certificate, error)

ParseSelfSignedCertificatePEM parses a PEM-encoded certificate and check if it is self-signed.

func PoolFromBytes ¶ added in v1.14.7

func PoolFromBytes(certBytes []byte) (*x509.CertPool, error)

func ReadBytes ¶

func ReadBytes(valFile string) ([]byte, error)

ReadBytes reads a []byte either from a file or an environment variable. If valFile has a prefix of 'env:', the []byte is read from the environment using the subsequent name. If the prefix is 'file:' the []byte is read from the subsequent file. If no prefix is provided, valFile is assumed to be a file path.

func ReadCertificate ¶

func ReadCertificate(in []byte) (*x509.Certificate, []byte, error)

ReadCertificate reads a DER or PEM-encoded certificate from the byte slice.

func ReadCertificates ¶

func ReadCertificates(in []byte) ([]*x509.Certificate, error)

ReadCertificates tries to read all the certificates in a PEM-encoded collection.

func SCTListFromOCSPResponse ¶

func SCTListFromOCSPResponse(response *ocsp.Response) ([]ct.SignedCertificateTimestamp, error)

SCTListFromOCSPResponse extracts the SCTList from an ocsp.Response, returning an empty list if the SCT extension was not found or could not be unmarshalled.

func SerializeSCTList ¶

func SerializeSCTList(sctList []ct.SignedCertificateTimestamp) ([]byte, error)

SerializeSCTList serializes a list of SCTs.

func SignatureString ¶

func SignatureString(alg x509.SignatureAlgorithm) string

SignatureString returns the TLS signature string corresponding to an X509 signature algorithm.

func SignerAlgo ¶

func SignerAlgo(priv crypto.Signer) x509.SignatureAlgorithm

SignerAlgo returns an X.509 signature algorithm from a crypto.Signer.

func StringTLSVersion ¶

func StringTLSVersion(version string) uint16

StringTLSVersion returns underlying enum values from human names for TLS versions, defaults to current golang default of TLS 1.0.

func ValidExpiry ¶

func ValidExpiry(c *x509.Certificate) bool

ValidExpiry determines if a certificate is valid for an acceptable length of time per the CA/Browser Forum baseline requirements. See https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf

Types ¶

type FileFormat ¶ added in v1.15.6

type FileFormat uint8

const (
	FormatPEM FileFormat = iota + 1
	FormatDER
)

func (FileFormat) String ¶ added in v1.15.6

func (f FileFormat) String() string

type FileType ¶ added in v1.15.6

type FileType struct {
	Format FileFormat
	Type   string
	Algo   KeyAlgo
}

func FileKind ¶ added in v1.15.6

func FileKind(path string) (*FileType, error)

FileKind returns the file type of the given file.

func (FileType) String ¶ added in v1.15.6

func (ft FileType) String() string

type KeyAlgo ¶ added in v1.15.7

type KeyAlgo struct {
	Type x509.PublicKeyAlgorithm
	Size int
	// contains filtered or unexported fields
}

func (KeyAlgo) String ¶ added in v1.15.7

func (ka KeyAlgo) String() string

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
bundler
certerr Package certerr provides typed errors and helpers for certificate-related operations across the repository.	Package certerr provides typed errors and helpers for certificate-related operations across the repository.
certgen
dump Package dump implements tooling for dumping certificate information.	Package dump implements tooling for dumping certificate information.
hosts Package hosts provides a simple way to parse hostnames and ports.	Package hosts provides a simple way to parse hostnames and ports.
pkcs7
revoke Package revoke provides functionality for checking the validity of a cert.	Package revoke provides functionality for checking the validity of a cert.
ski
verify

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL