Overview
Copyright 2024 Google LLC. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Package x509util includes utility code for working with X.509 certificates from the x509 package.
Index
- func BuildPrecertTBS(tbsData []byte, preIssuer *x509.Certificate) ([]byte, error)
- func CertificateFromPEM(pemBytes []byte) (*x509.Certificate, error)
- func EntryFromChain(chain []*x509.Certificate, isPrecert bool, timestamp uint64) (*ctonly.Entry, error)
- func ReadPossiblePEMFile(filename, blockname string) ([][]byte, error)
- func RemoveCTPoison(tbsData []byte) ([]byte, error)
- type PEMCertPool
- func NewPEMCertPool() *PEMCertPool
- func (p *PEMCertPool) AddCert(cert *x509.Certificate)
- func (p *PEMCertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)
- func (p *PEMCertPool) AppendCertsFromPEMFile(pemFile string) error
- func (p *PEMCertPool) CertPool() *lax509.CertPool
- func (p *PEMCertPool) Included(cert *x509.Certificate) bool
- func (p *PEMCertPool) RawCertificates() []*x509.Certificate
- func (p *PEMCertPool) Subjects() (res [][]byte)
Constants
This section is empty.
Variables
This section is empty.
Functions
func BuildPrecertTBS
func BuildPrecertTBS(tbsData []byte, preIssuer *x509.Certificate) ([]byte, error)
BuildPrecertTBS builds a Certificate Transparency pre-certificate (RFC 6962 s3.1) from the given DER-encoded TBSCertificate, returning a DER-encoded TBSCertificate.
This function removes the CT poison extension (there must be exactly 1 of these), preserving the order of other extensions.
If preIssuer is provided, this should be a special intermediate certificate that was used to sign the precert (indicated by having the special CertificateTransparency extended key usage). In this case, the issuance information of the pre-cert is updated to reflect the next issuer in the chain, i.e. the issuer of this special intermediate:
- The precert's Issuer is changed to the Issuer of the intermediate.
- The precert's AuthorityKeyId is changed to the AuthorityKeyId of the intermediate.
func CertificateFromPEM
func CertificateFromPEM(pemBytes []byte) (*x509.Certificate, error)
CertificateFromPEM takes a certificate in PEM format and returns the corresponding x509.Certificate object.
func EntryFromChain
func EntryFromChain(chain []*x509.Certificate, isPrecert bool, timestamp uint64) (*ctonly.Entry, error)
EntryFromChain generates an Entry from a chain and timestamp. Copied from certificate-transparency-go/serialization.go. TODO(phboneff): add tests.
func ReadPossiblePEMFile
func ReadPossiblePEMFile(filename, blockname string) ([][]byte, error)
TODO(phboneff): inline / delete this. ReadPossiblePEMFile loads data from a file which may be in DER format or may be in PEM format (with the given blockname).
func RemoveCTPoison
func RemoveCTPoison(tbsData []byte) ([]byte, error)
RemoveCTPoison takes a DER-encoded TBSCertificate and removes the CT poison extension (preserving the order of other extensions), and returns the result still as a DER-encoded TBSCertificate. This function will fail if there is not exactly 1 CT poison extension present.
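The "exactly one poison, other extensions kept in order" rule that both BuildPrecertTBS and RemoveCTPoison describe is easy to get subtly wrong (dropping every poison, or re-sorting the extension list changes the bytes the SCT commits to). The following is an added Go example and not this package's code nor the certificate-transparency-go implementation it was copied from: the tbsCertificate mirror type, the function names, the throwaway Ed25519 key and the made-up subject and subjectKeyIdentifier value are all this example's own assumptions. The preIssuer Issuer/AuthorityKeyId rewrite described under BuildPrecertTBS is deliberately not implemented here; only the poison handling is shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CT poison extension OID (RFC 6962 s3.1); its extnValue is ASN.1 NULL (05 00).
var oidCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

// tbsCertificate is this example's own mirror of RFC 5280 TBSCertificate, detailed just
// enough to edit the extension list; untouched fields stay raw DER and re-encode byte-for-byte.
type tbsCertificate struct {
	Version            int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber       asn1.RawValue
	SignatureAlgorithm asn1.RawValue
	Issuer             asn1.RawValue
	Validity           asn1.RawValue
	Subject            asn1.RawValue
	PublicKey          asn1.RawValue
	IssuerUniqueID     asn1.BitString   `asn1:"optional,tag:1"`
	SubjectUniqueID    asn1.BitString   `asn1:"optional,tag:2"`
	Extensions         []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"`
}

// removeCTPoison strips the poison from a DER TBSCertificate, keeping the other extensions
// in their original order. It fails unless exactly one poison is present: zero means the
// input is not a precert, two or more is malformed and must not be silently repaired.
func removeCTPoison(tbsData []byte) ([]byte, error) {
	var tbs tbsCertificate
	rest, err := asn1.Unmarshal(tbsData, &tbs)
	if err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed TBSCertificate (err=%v, %d trailing bytes)", err, len(rest))
	}
	kept := make([]pkix.Extension, 0, len(tbs.Extensions))
	poisons := 0
	for _, ext := range tbs.Extensions {
		if ext.Id.Equal(oidCTPoison) {
			poisons++
			continue
		}
		kept = append(kept, ext)
	}
	if poisons != 1 {
		return nil, fmt.Errorf("expected exactly 1 CT poison extension, found %d", poisons)
	}
	tbs.Extensions = kept
	return asn1.Marshal(tbs)
}

// extensionOIDs lists the extension OIDs of a DER TBSCertificate, in order.
func extensionOIDs(tbsData []byte) ([]string, error) {
	var tbs tbsCertificate
	if _, err := asn1.Unmarshal(tbsData, &tbs); err != nil {
		return nil, err
	}
	ids := make([]string, 0, len(tbs.Extensions))
	for _, ext := range tbs.Extensions {
		ids = append(ids, ext.Id.String())
	}
	return ids, nil
}

// buildPrecertTBS is constructed test input: a throwaway self-signed Ed25519 cert whose
// extensions are keyUsage, basicConstraints, CT poison, subjectKeyIdentifier (Go appends
// ExtraExtensions last), so the poison sits in the middle. Returns the raw TBSCertificate.
func buildPrecertTBS() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "precert.example.test"},
		NotBefore:             time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		ExtraExtensions: []pkix.Extension{
			{Id: oidCTPoison, Critical: true, Value: []byte{0x05, 0x00}},
			{Id: asn1.ObjectIdentifier{2, 5, 29, 14}, Value: []byte{0x04, 0x04, 0x01, 0x02, 0x03, 0x04}}, // SKI, made-up id
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return cert.RawTBSCertificate, nil
}
```

Keeping every field other than Extensions as asn1.RawValue is the design point: the function only ever re-encodes the part it changed, so a re-serialisation quirk elsewhere in the structure cannot alter the bytes a log signs over. Running removeCTPoison a second time on its own output returns an error rather than passing the certificate through, which is the behaviour the "exactly 1" requirement is meant to give.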
Types
type PEMCertPool
type PEMCertPool struct {
// contains filtered or unexported fields
}
PEMCertPool is a wrapper / extension to x509.CertPool. It allows us to access the raw certs, which we need to serve get-roots requests, and has stricter handling when loading certs into the pool. CertPool ignores errors if at least one cert loads correctly, but PEMCertPool requires all certs to load.
func NewPEMCertPool
func NewPEMCertPool() *PEMCertPool
NewPEMCertPool creates a new, empty instance of PEMCertPool.
func (*PEMCertPool) AddCert
func (p *PEMCertPool) AddCert(cert *x509.Certificate)
AddCert adds a certificate to a pool. Uses fingerprint to weed out duplicates. cert must not be nil.
func (*PEMCertPool) AppendCertsFromPEM
func (p *PEMCertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)
AppendCertsFromPEM adds certs to the pool from a byte slice assumed to contain PEM-encoded data. Skips over non-certificate blocks in the data. Returns true if all certificates in the data were parsed and added to the pool successfully and at least one certificate was found.
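The difference between the standard library's lenient loading and the all-or-nothing rule described for PEMCertPool (and the fingerprint de-duplication described for AddCert) matters for a log's root store: a bundle with one corrupt block should fail loudly rather than quietly serve a shorter root list. The following is an added example and not the package's own PEMCertPool (whose CertPool method returns a lax509.CertPool); the strictCertPool type, its method names, the throwaway Ed25519 root and the constructed PEM bundle are this example's assumptions, and the comparison is against the standard library's x509.CertPool.AppendCertsFromPEM.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// strictCertPool is this example's stand-in for a PEMCertPool-style wrapper: it keeps the
// parsed certificates so they can be served back and loads PEM input all-or-nothing.
type strictCertPool struct {
	certs []*x509.Certificate
	seen  map[[sha256.Size]byte]bool // SHA-256 of the DER bytes, used to drop duplicates
}

func newStrictCertPool() *strictCertPool {
	return &strictCertPool{seen: make(map[[sha256.Size]byte]bool)}
}

// addCert adds cert unless a byte-identical certificate is already in the pool.
func (p *strictCertPool) addCert(cert *x509.Certificate) {
	if fp := sha256.Sum256(cert.Raw); !p.seen[fp] {
		p.seen[fp] = true
		p.certs = append(p.certs, cert)
	}
}

// appendCertsFromPEM skips blocks that are not bare CERTIFICATE blocks and returns true only
// if at least one certificate was found and every certificate block parsed. On any parse
// failure nothing is added, so a corrupt or truncated root bundle never half-populates the pool.
func (p *strictCertPool) appendCertsFromPEM(pemCerts []byte) bool {
	var parsed []*x509.Certificate
	for block, rest := pem.Decode(pemCerts); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false
		}
		parsed = append(parsed, cert)
	}
	if len(parsed) == 0 {
		return false
	}
	for _, c := range parsed {
		p.addCert(c)
	}
	return true
}

// selfSignedRootPEM is constructed test input: a throwaway Ed25519 root with the given CN.
func selfSignedRootPEM(cn string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2034, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// loadResult records how the lenient stdlib pool and the strict pool react to the same input.
type loadResult struct{ LenientOK, StrictOK, DuplicateOK bool; StrictCount, DuplicateCount int }

// compareLoading feeds [good root, non-certificate block, corrupt CERTIFICATE block] to both
// pools, then the same root twice to the strict pool to show fingerprint de-duplication.
func compareLoading() (loadResult, error) {
	var res loadResult
	good, err := selfSignedRootPEM("Example Root")
	if err != nil {
		return res, err
	}
	other := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: []byte("ignored")})
	corrupt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("not DER")})
	bundle := bytes.Join([][]byte{good, other, corrupt}, nil)
	res.LenientOK = x509.NewCertPool().AppendCertsFromPEM(bundle) // true: one cert parsed
	strict := newStrictCertPool()
	res.StrictOK = strict.appendCertsFromPEM(bundle) // false: the corrupt block rejects the bundle
	res.StrictCount = len(strict.certs)              // 0: nothing was added
	dup := newStrictCertPool()
	res.DuplicateOK = dup.appendCertsFromPEM(bytes.Join([][]byte{good, good}, nil))
	res.DuplicateCount = len(dup.certs) // 1: second copy dropped by fingerprint
	return res, nil
}
```

Parsing everything first and only then adding is what makes the operation atomic; dedicating a SHA-256 of the DER as the identity key means two roots that differ only in encoding are treated as distinct, which is the conservative choice for a list that is served back verbatim.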
func (*PEMCertPool) AppendCertsFromPEMFile
func (p *PEMCertPool) AppendCertsFromPEMFile(pemFile string) error
AppendCertsFromPEMFile adds certs from a file that contains concatenated PEM data.
func (*PEMCertPool) CertPool
func (p *PEMCertPool) CertPool() *lax509.CertPool
CertPool returns the underlying CertPool.
func (*PEMCertPool) Included
func (p *PEMCertPool) Included(cert *x509.Certificate) bool
Included indicates whether the given cert is included in the pool.
func (*PEMCertPool) RawCertificates
func (p *PEMCertPool) RawCertificates() []*x509.Certificate
RawCertificates returns a list of the raw bytes of certificates that are in this pool.
func (*PEMCertPool) Subjects
func (p *PEMCertPool) Subjects() (res [][]byte)
Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.