# package x509
`import "crypto/x509"`
Package x509 parses X.509-encoded certificates and keys.
## Index
* [Constants](#pkg-constants)
* [Variables](#pkg-variables)
* [type PEMCipher](#PEMCipher)
* [type PublicKeyAlgorithm](#PublicKeyAlgorithm)
* [type SignatureAlgorithm](#SignatureAlgorithm)
* [type SystemRootsError](#SystemRootsError)
* [func (e SystemRootsError) Error() string](#SystemRootsError.Error)
* [type HostnameError](#HostnameError)
* [func (h HostnameError) Error() string](#HostnameError.Error)
* [type UnknownAuthorityError](#UnknownAuthorityError)
* [func (e UnknownAuthorityError) Error() string](#UnknownAuthorityError.Error)
* [type ConstraintViolationError](#ConstraintViolationError)
* [func (ConstraintViolationError) Error() string](#ConstraintViolationError.Error)
* [type UnhandledCriticalExtension](#UnhandledCriticalExtension)
* [func (h UnhandledCriticalExtension) Error() string](#UnhandledCriticalExtension.Error)
* [type CertificateInvalidError](#CertificateInvalidError)
* [func (e CertificateInvalidError) Error() string](#CertificateInvalidError.Error)
* [type KeyUsage](#KeyUsage)
* [type ExtKeyUsage](#ExtKeyUsage)
* [type VerifyOptions](#VerifyOptions)
* [type InvalidReason](#InvalidReason)
* [type Certificate](#Certificate)
* [func (c \*Certificate) CheckSignatureFrom(parent \*Certificate) (err error)](#Certificate.CheckSignatureFrom)
* [func (c \*Certificate) CheckCRLSignature(crl \*pkix.CertificateList) (err error)](#Certificate.CheckCRLSignature)
* [func (c \*Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) (err error)](#Certificate.CheckSignature)
* [func (c \*Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)](#Certificate.CreateCRL)
* [func (c \*Certificate) Equal(other \*Certificate) bool](#Certificate.Equal)
* [func (c \*Certificate) Verify(opts VerifyOptions) (chains [][]\*Certificate, err error)](#Certificate.Verify)
* [func (c \*Certificate) VerifyHostname(h string) error](#Certificate.VerifyHostname)
* [type CertPool](#CertPool)
* [func NewCertPool() \*CertPool](#NewCertPool)
* [func (s \*CertPool) AddCert(cert \*Certificate)](#CertPool.AddCert)
* [func (s \*CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)](#CertPool.AppendCertsFromPEM)
* [func (s \*CertPool) Subjects() (res [][]byte)](#CertPool.Subjects)
* [type CertificateRequest](#CertificateRequest)
* [func MarshalECPrivateKey(key \*ecdsa.PrivateKey) ([]byte, error)](#MarshalECPrivateKey)
* [func MarshalPKCS1PrivateKey(key \*rsa.PrivateKey) []byte](#MarshalPKCS1PrivateKey)
* [func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)](#MarshalPKIXPublicKey)
* [func ParseECPrivateKey(der []byte) (key \*ecdsa.PrivateKey, err error)](#ParseECPrivateKey)
* [func ParsePKCS1PrivateKey(der []byte) (key \*rsa.PrivateKey, err error)](#ParsePKCS1PrivateKey)
* [func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)](#ParsePKCS8PrivateKey)
* [func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)](#ParsePKIXPublicKey)
* [func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (\*pem.Block, error)](#EncryptPEMBlock)
* [func IsEncryptedPEMBlock(b \*pem.Block) bool](#IsEncryptedPEMBlock)
* [func DecryptPEMBlock(b \*pem.Block, password []byte) ([]byte, error)](#DecryptPEMBlock)
* [func ParseCRL(crlBytes []byte) (certList \*pkix.CertificateList, err error)](#ParseCRL)
* [func ParseDERCRL(derBytes []byte) (certList \*pkix.CertificateList, err error)](#ParseDERCRL)
* [func ParseCertificate(asn1Data []byte) (\*Certificate, error)](#ParseCertificate)
* [func ParseCertificateRequest(asn1Data []byte) (\*CertificateRequest, error)](#ParseCertificateRequest)
* [func ParseCertificates(asn1Data []byte) ([]\*Certificate, error)](#ParseCertificates)
* [func CreateCertificate(rand io.Reader, template, parent \*Certificate, pub interface{}, priv interface{}) (cert []byte, err error)](#CreateCertificate)
* [func CreateCertificateRequest(rand io.Reader, template \*CertificateRequest, priv interface{}) (csr []byte, err error)](#CreateCertificateRequest)
### Examples
* [Certificate.Verify](#example-Certificate-Verify)
## Constants
```
const (
	PEMCipherDES
	PEMCipher3DES
	PEMCipherAES128
	PEMCipherAES192
	PEMCipherAES256
)
```
Possible values for the encryption algorithm used by EncryptPEMBlock.
## Variables
```
var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
```
ErrUnsupportedAlgorithm is returned when an operation is attempted that involves an algorithm that is not currently implemented.
```
var IncorrectPasswordError = errors.New("x509: decryption password incorrect")
```
IncorrectPasswordError is returned when an incorrect password is detected.
## type [PEMCipher](https://github.com/golang/go/blob/master/src/crypto/x509/pem_decrypt.go#L23 "View Source")
```
type PEMCipher int
```
## type [PublicKeyAlgorithm](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L172 "View Source")
```
type PublicKeyAlgorithm int
```
```
const (
	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
	RSA
	DSA
	ECDSA
)
```
## type [SignatureAlgorithm](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L154 "View Source")
```
type SignatureAlgorithm int
```
```
const (
	UnknownSignatureAlgorithm SignatureAlgorithm = iota
	MD2WithRSA
	MD5WithRSA
	SHA1WithRSA
	SHA256WithRSA
	SHA384WithRSA
	SHA512WithRSA
	DSAWithSHA1
	DSAWithSHA256
	ECDSAWithSHA1
	ECDSAWithSHA256
	ECDSAWithSHA384
	ECDSAWithSHA512
)
```
## type [SystemRootsError](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L119 "View Source")
```
type SystemRootsError struct {
}
```
SystemRootsError is returned when loading the system root certificates fails.
### func (SystemRootsError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L122 "View Source")
```
func (e SystemRootsError) Error() string
```
## type [HostnameError](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L62 "View Source")
```
type HostnameError struct {
	Certificate *Certificate
	Host        string
}
```
HostnameError is returned when the set of names the certificate is valid for does not match the requested name.
### func (HostnameError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L67 "View Source")
```
func (h HostnameError) Error() string
```
## type [UnknownAuthorityError](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L93 "View Source")
```
type UnknownAuthorityError struct {
	// contains filtered or unexported fields
}
```
UnknownAuthorityError is returned when the certificate issuer is unknown.
### func (UnknownAuthorityError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L103 "View Source")
```
func (e UnknownAuthorityError) Error() string
```
## type [ConstraintViolationError](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L527 "View Source")
```
type ConstraintViolationError struct{}
```
ConstraintViolationError is returned when a requested usage is not permitted by a certificate, for example when checking a signature with a public key that is not a certificate signing key.
### func (ConstraintViolationError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L529 "View Source")
```
func (ConstraintViolationError) Error() string
```
## type [UnhandledCriticalExtension](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L677 "View Source")
```
type UnhandledCriticalExtension struct{}
```
### func (UnhandledCriticalExtension) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L679 "View Source")
```
func (h UnhandledCriticalExtension) Error() string
```
## type [CertificateInvalidError](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L39 "View Source")
```
type CertificateInvalidError struct {
	Cert   *Certificate
	Reason InvalidReason
}
```
CertificateInvalidError is returned for the remaining kinds of error. Users of this package will probably want to handle all of these errors uniformly.
### func (CertificateInvalidError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L44 "View Source")
```
func (e CertificateInvalidError) Error() string
```
## type [KeyUsage](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L361 "View Source")
```
type KeyUsage int
```
KeyUsage represents the set of actions that are valid for a given key. It is a bitmap of the KeyUsage constants, each bit indicating whether a usage is present.
```
const (
	KeyUsageDigitalSignature KeyUsage = 1 << iota
	KeyUsageContentCommitment
	KeyUsageKeyEncipherment
	KeyUsageDataEncipherment
	KeyUsageKeyAgreement
	KeyUsageCertSign
	KeyUsageCRLSign
	KeyUsageEncipherOnly
	KeyUsageDecipherOnly
)
```
## type [ExtKeyUsage](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L404 "View Source")
```
type ExtKeyUsage int
```
ExtKeyUsage represents the extended set of actions that are valid for a given key. Each of the ExtKeyUsage constants defines a unique action.
```
const (
	ExtKeyUsageAny ExtKeyUsage = iota
	ExtKeyUsageServerAuth
	ExtKeyUsageClientAuth
	ExtKeyUsageCodeSigning
	ExtKeyUsageEmailProtection
	ExtKeyUsageIPSECEndSystem
	ExtKeyUsageIPSECTunnel
	ExtKeyUsageIPSECUser
	ExtKeyUsageTimeStamping
	ExtKeyUsageOCSPSigning
	ExtKeyUsageMicrosoftServerGatedCrypto
	ExtKeyUsageNetscapeServerGatedCrypto
)
```
## type [VerifyOptions](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L128 "View Source")
```
type VerifyOptions struct {
	DNSName       string
	Intermediates *CertPool
	Roots         *CertPool // if nil, the system root certificate pool is used
	CurrentTime   time.Time // if zero, the current time is used
	// KeyUsages specifies which extended key usages are acceptable; an empty
	// list means ExtKeyUsageServerAuth. Key usage is treated as a constraint
	// when building the chain (similar to, but not identical with, the
	// behaviour of the Windows CryptoAPI). To accept any key usage, include
	// ExtKeyUsageAny in this field.
	KeyUsages []ExtKeyUsage
}
```
VerifyOptions contains the parameters passed to Certificate.Verify. It is a struct because other PKIX verification APIs have ended up needing many arguments.
## type [InvalidReason](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L16 "View Source")
```
type InvalidReason int
```
```
const (
	// NotAuthorizedToSign results when the certificate that signed this
	// certificate is not a CA certificate.
	NotAuthorizedToSign InvalidReason = iota
	// Expired results when the certificate has expired, judged against
	// VerifyOptions.CurrentTime.
	Expired
	// CANotAuthorizedForThisName results when an intermediate or root
	// certificate has a name constraint that does not include the name
	// being checked.
	CANotAuthorizedForThisName
	// TooManyIntermediates results when a path length constraint is violated.
	TooManyIntermediates
	// IncompatibleUsage results when the certificate's key usage indicates
	// that it may only be used for a different purpose.
	IncompatibleUsage
)
```
## type [Certificate](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L459 "View Source")
```
type Certificate struct {
	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
	RawTBSCertificate       []byte // Certificate part of the raw ASN.1 DER content.
	RawSubjectPublicKeyInfo []byte // DER-encoded SubjectPublicKeyInfo.
	RawSubject              []byte // DER-encoded Subject.
	RawIssuer               []byte // DER-encoded Issuer.

	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{}

	Version             int
	SerialNumber        *big.Int
	Issuer              pkix.Name
	Subject             pkix.Name
	NotBefore, NotAfter time.Time // Validity bounds; the certificate is invalid outside this period.
	KeyUsage            KeyUsage

	// Extensions contains the raw X.509 extensions. When parsing certificates,
	// this can be used to extract non-critical extensions that are not parsed
	// by this package. When marshaling certificates, the Extensions field is
	// ignored; see ExtraExtensions.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any marshaled
	// certificate. Values here override any extensions that would otherwise be
	// produced from the other fields. The ExtraExtensions field is not
	// populated when parsing certificates; see Extensions.
	ExtraExtensions []pkix.Extension

	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
	UnknownExtKeyUsage []asn1.ObjectIdentifier // Extended key usages encountered that this package does not recognise.

	BasicConstraintsValid bool // If true, the next two fields are valid.
	IsCA                  bool
	MaxPathLen            int

	SubjectKeyId   []byte
	AuthorityKeyId []byte

	// RFC 5280, 4.2.2.1 (Authority Information Access)
	OCSPServer            []string
	IssuingCertificateURL []string

	// Subject Alternative Name values
	DNSNames       []string
	EmailAddresses []string
	IPAddresses    []net.IP

	// Name constraints
	PermittedDNSDomainsCritical bool // If true, the name constraints are marked critical.
	PermittedDNSDomains         []string

	// CRL Distribution Points
	CRLDistributionPoints []string

	PolicyIdentifiers []asn1.ObjectIdentifier
}
```
Certificate represents an X.509 certificate.
### func (\*Certificate) [CheckSignatureFrom](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L588 "View Source")
```
func (c *Certificate) CheckSignatureFrom(parent *Certificate) (err error)
```
CheckSignatureFrom verifies that the signature on c is a valid signature from parent.
### func (\*Certificate) [CheckCRLSignature](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L672 "View Source")
```
func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) (err error)
```
CheckCRLSignature checks that the signature in crl is from c.
### func (\*Certificate) [CheckSignature](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L616 "View Source")
```
func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) (err error)
```
CheckSignature verifies that signature is a valid signature over signed, made by c's public key.
### func (\*Certificate) [CreateCRL](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1556 "View Source")
```
func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)
```
CreateCRL returns a DER-encoded CRL (certificate revocation list), signed by c, that contains the given list of revoked certificates.
Only RSA keys are supported (the priv argument must be a *rsa.PrivateKey).
### func (\*Certificate) [Equal](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L533 "View Source")
```
func (c *Certificate) Equal(other *Certificate) bool
```
### func (\*Certificate) [Verify](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L210 "View Source")
```
func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error)
```
Verify attempts to verify c by building one or more chains from c to a certificate in opts.Roots, using certificates in opts.Intermediates if needed. If successful, it returns one or more chains, each starting with c and ending with a certificate from opts.Roots.
WARNING: this does not do any revocation checking.
Example
```
// Verifying with a custom list of root certificates.
const rootPEM = `
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`
const certPEM = `
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----`
// First, create the set of root certificates. For this example we only
// have one. It's also possible to omit this in order to use the
// default root set of the current operating system.
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM([]byte(rootPEM))
if !ok {
	panic("failed to parse root certificate")
}
block, _ := pem.Decode([]byte(certPEM))
if block == nil {
	panic("failed to parse certificate PEM")
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
	panic("failed to parse certificate: " + err.Error())
}
opts := x509.VerifyOptions{
	DNSName: "mail.google.com",
	Roots:   roots,
}
if _, err := cert.Verify(opts); err != nil {
	panic("failed to verify certificate: " + err.Error())
}
```
### func (\*Certificate) [VerifyHostname](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L381 "View Source")
```
func (c *Certificate) VerifyHostname(h string) error
```
VerifyHostname returns nil if c is a valid certificate for the host named h; otherwise it returns an error describing the mismatch.
## type [CertPool](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L12 "View Source")
```
type CertPool struct {
	// contains filtered or unexported fields
}
```
CertPool represents a set of certificates (a certificate pool).
### func [NewCertPool](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L19 "View Source")
```
func NewCertPool() *CertPool
```
NewCertPool returns a new, empty CertPool.
### func (\*CertPool) [AddCert](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L56 "View Source")
```
func (s *CertPool) AddCert(cert *Certificate)
```
AddCert adds a certificate to the pool s.
### func (\*CertPool) [AppendCertsFromPEM](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L85 "View Source")
```
func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)
```
AppendCertsFromPEM attempts to parse a series of PEM-encoded certificates. It appends any certificates found to s and returns true if any certificates were successfully parsed.
On many Linux systems, /etc/ssl/cert.pem contains the system-wide set of root certificates in a form suitable for this function.
### func (\*CertPool) [Subjects](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L110 "View Source")
```
func (s *CertPool) Subjects() (res [][]byte)
```
Subjects returns a list of the DER-encoded subjects of all the certificates in the pool.
## type [CertificateRequest](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1596 "View Source")
```
type CertificateRequest struct {
	Raw                      []byte // Complete ASN.1 DER content (CSR, signature algorithm and signature).
	RawTBSCertificateRequest []byte // Certificate request info part of the raw ASN.1 DER content.
	RawSubjectPublicKeyInfo  []byte // DER-encoded SubjectPublicKeyInfo.
	RawSubject               []byte // DER-encoded Subject.

	Version            int
	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{}

	Subject pkix.Name

	// Attributes provides additional information about the subject of the
	// certificate; see RFC 2986 section 4.1.
	Attributes []pkix.AttributeTypeAndValueSET

	// Extensions contains the raw X.509 extensions. When parsing CSRs, this can
	// be used to extract non-critical extensions that are not parsed by this
	// package.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any marshaled
	// CSR. Values here override any extensions that would otherwise be produced
	// from the other fields, but are themselves overridden by any extensions
	// specified in Attributes. The ExtraExtensions field is not populated when
	// parsing CSRs; see Extensions.
	ExtraExtensions []pkix.Extension

	// Subject Alternative Name values.
	DNSNames       []string
	EmailAddresses []string
	IPAddresses    []net.IP
}
```
CertificateRequest represents a PKCS #10 certificate signing request.
## func [MarshalECPrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/sec1.go#L37 "View Source")
```
func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)
```
MarshalECPrivateKey marshals an ECDSA private key into ASN.1 DER encoding.
## func [MarshalPKCS1PrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/pkcs1.go#L87 "View Source")
```
func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte
```
MarshalPKCS1PrivateKey marshals an RSA private key into ASN.1 PKCS#1 DER encoding.
## func [MarshalPKIXPublicKey](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L85 "View Source")
```
func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)
```
MarshalPKIXPublicKey marshals a public key into DER-encoded PKIX format.
## func [ParseECPrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/sec1.go#L32 "View Source")
```
func ParseECPrivateKey(der []byte) (key *ecdsa.PrivateKey, err error)
```
ParseECPrivateKey parses an ASN.1 DER-encoded ECDSA private key.
## func [ParsePKCS1PrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/pkcs1.go#L39 "View Source")
```
func ParsePKCS1PrivateKey(der []byte) (key *rsa.PrivateKey, err error)
```
ParsePKCS1PrivateKey parses an ASN.1 PKCS#1 DER-encoded RSA private key.
## func [ParsePKCS8PrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/pkcs8.go#L26 "View Source")
```
func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)
```
ParsePKCS8PrivateKey parses an unencrypted PKCS#8 private key; see [http://www.rsa.com/rsalabs/node.asp?id=2130](http://www.rsa.com/rsalabs/node.asp?id=2130) and RFC 5208.
## func [ParsePKIXPublicKey](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L38 "View Source")
```
func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)
```
ParsePKIXPublicKey parses a DER-encoded public key. These keys typically appear in PEM blocks that begin with "BEGIN PUBLIC KEY".
## func [EncryptPEMBlock](https://github.com/golang/go/blob/master/src/crypto/x509/pem_decrypt.go#L176 "View Source")
```
func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)
```
EncryptPEMBlock encrypts data using the specified password and cipher algorithm, and returns a PEM block of the given block type that holds the encrypted data.
## func [IsEncryptedPEMBlock](https://github.com/golang/go/blob/master/src/crypto/x509/pem_decrypt.go#L99 "View Source")
```
func IsEncryptedPEMBlock(b *pem.Block) bool
```
IsEncryptedPEMBlock reports whether the PEM block b is password-encrypted.
## func [DecryptPEMBlock](https://github.com/golang/go/blob/master/src/crypto/x509/pem_decrypt.go#L112 "View Source")
```
func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)
```
DecryptPEMBlock takes a password-encrypted PEM block and the password used to encrypt it, and returns a slice of decrypted DER-encoded bytes. It inspects the DEK-Info header to determine the algorithm used for decryption. If no DEK-Info header is present in b, an error is returned. If the function detects that the password is incorrect, it returns IncorrectPasswordError.
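The following program is an added example (it is not part of the original documentation or of the Go project's own code) tying together the key marshaling functions above with the PEM encryption functions of this section: an ECDSA key is marshaled with MarshalECPrivateKey, sealed with EncryptPEMBlock, and then recovered with IsEncryptedPEMBlock, DecryptPEMBlock and ParseECPrivateKey; the public half goes through MarshalPKIXPublicKey and ParsePKIXPublicKey. The function names, the passwords and the block type string are assumptions for the example. The example also handles one edge case that the documentation's wording leaves implicit: DecryptPEMBlock can only detect a wrong password through the cipher padding, so a wrong password occasionally yields garbage bytes instead of IncorrectPasswordError, and the caller must treat a subsequent parse failure the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// sealKey marshals an ECDSA private key to SEC 1 DER and wraps it in a
// password-encrypted "EC PRIVATE KEY" PEM block (AES-256-CBC; EncryptPEMBlock
// adds the DEK-Info header that DecryptPEMBlock later reads).
func sealKey(key *ecdsa.PrivateKey, password []byte) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", der, password, x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

// openKey decodes the PEM, refuses blocks that carry no DEK-Info header
// (a private key stored in the clear), decrypts, and parses the DER back.
func openKey(pemBytes, password []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if !x509.IsEncryptedPEMBlock(block) {
		return nil, errors.New("refusing unencrypted private key")
	}
	der, err := x509.DecryptPEMBlock(block, password)
	if err != nil {
		return nil, err // normally x509.IncorrectPasswordError
	}
	key, err := x509.ParseECPrivateKey(der)
	if err != nil {
		// A wrong password is only detected through the CBC padding, which
		// random output passes by chance roughly once in 256 attempts; the
		// resulting garbage DER fails here instead, so report it the same way.
		return nil, x509.IncorrectPasswordError
	}
	return key, nil
}

// publicRoundTrip shows the PKIX path for the public half: the output of
// MarshalPKIXPublicKey is what a "PUBLIC KEY" PEM block contains.
func publicRoundTrip(key *ecdsa.PrivateKey) (bool, error) {
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return false, err
	}
	pub, err := x509.ParsePKIXPublicKey(spki) // returns interface{}; assert the concrete type
	if err != nil {
		return false, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	return ok && ecPub.Equal(&key.PublicKey), nil
}

// demo seals a fresh key, checks that a wrong password is rejected and that
// the right one recovers the same key, then checks the public-key path.
func demo() (wrongRejected, keyMatches, pubMatches bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	sealed, err := sealKey(key, []byte("correct horse battery")) // constructed password
	if err != nil {
		return
	}
	_, err = openKey(sealed, []byte("wrong password"))
	wrongRejected = errors.Is(err, x509.IncorrectPasswordError)
	got, err := openKey(sealed, []byte("correct horse battery"))
	if err != nil {
		return
	}
	keyMatches = got.Equal(key)
	pubMatches, err = publicRoundTrip(key)
	return
}

func main() {
	fmt.Println(demo()) // true true true <nil>
}
```

Note that IsEncryptedPEMBlock only checks for the DEK-Info header; treating its absence as a hard error, as openKey does, is what prevents a key accidentally written unencrypted from being accepted silently.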
## func [ParseCRL](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1532 "View Source")
```
func ParseCRL(crlBytes []byte) (certList *pkix.CertificateList, err error)
```
ParseCRL parses a CRL (certificate revocation list) from crlBytes. Because PEM-encoded CRLs often appear where they should be DER-encoded, this function handles PEM encoding transparently, as long as there is no leading garbage.
## func [ParseDERCRL](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1543 "View Source")
```
func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error)
```
ParseDERCRL parses a DER-encoded CRL from derBytes.
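Since Verify does no revocation checking (see its warning above), a caller who needs it must consult a CRL itself. The program below is an added example, not part of the original documentation or of the Go project's code, showing the full loop: an RSA CA issues a CRL with CreateCRL, and a relying party parses it with ParseCRL, refuses it unless CheckCRLSignature confirms the expected issuer signed it and it is still within its NextUpdate window, and only then looks up a serial number. The CA name, serial numbers, reference time and the seven-day CRL lifetime are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// refTime is a fixed instant (constructed) so the validity windows are repeatable.
var refTime = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

// newRSACA creates a self-signed RSA CA carrying the CRLSign key usage.
// RSA is used because the CreateCRL documentation lists only RSA signers.
func newRSACA(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             refTime,
		NotAfter:              refTime.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		SubjectKeyId:          []byte{9, 9, 9, 9},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueCRL signs a CRL that lists the given serial numbers as revoked and is
// valid for seven days from now.
func issueCRL(ca *x509.Certificate, key *rsa.PrivateKey, serials []int64, now time.Time) ([]byte, error) {
	revoked := make([]pkix.RevokedCertificate, 0, len(serials))
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return ca.CreateCRL(rand.Reader, key, revoked, now, now.AddDate(0, 0, 7))
}

// isRevoked is the check Verify does not perform: parse the CRL, insist that
// the trusted issuer signed it and that it is still fresh, then look up serial.
func isRevoked(issuer *x509.Certificate, crlBytes []byte, serial int64, now time.Time) (bool, error) {
	crl, err := x509.ParseCRL(crlBytes) // accepts DER or PEM
	if err != nil {
		return false, err
	}
	if err := issuer.CheckCRLSignature(crl); err != nil {
		return false, fmt.Errorf("CRL not signed by the expected issuer: %w", err)
	}
	if crl.HasExpired(now) {
		return false, fmt.Errorf("CRL is stale, NextUpdate was %s", crl.TBSCertList.NextUpdate)
	}
	want := big.NewInt(serial)
	for _, rc := range crl.TBSCertList.RevokedCertificates {
		if rc.SerialNumber.Cmp(want) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, key, err := newRSACA("Example CRL Issuer")
	if err != nil {
		panic(err)
	}
	now := refTime.Add(24 * time.Hour)
	crl, err := issueCRL(ca, key, []int64{42, 77}, now)
	if err != nil {
		panic(err)
	}
	fmt.Println(isRevoked(ca, crl, 42, now))                  // true <nil>
	fmt.Println(isRevoked(ca, crl, 43, now))                  // false <nil>
	fmt.Println(isRevoked(ca, crl, 42, now.AddDate(0, 0, 8))) // false, stale-CRL error
}
```

The order of the checks matters: an unsigned or foreign CRL that happened to omit a serial would otherwise read as "not revoked", which is the failure mode an attacker substituting a CRL would aim for.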
## func [ParseCertificate](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1085 "View Source")
```
func ParseCertificate(asn1Data []byte) (*Certificate, error)
```
ParseCertificate parses a single certificate from the given ASN.1 DER data.
## func [ParseCertificateRequest](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1824 "View Source")
```
func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)
```
ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.
## func [ParseCertificates](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1100 "View Source")
```
func ParseCertificates(asn1Data []byte) ([]*Certificate, error)
```
ParseCertificates parses one or more certificates from the ASN.1 DER-encoded asn1Data. The certificates must be concatenated with no intermediate padding.
## func [CreateCertificate](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1437 "View Source")
```
func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interface{}, priv interface{}) (cert []byte, err error)
```
CreateCertificate creates a new certificate based on a template. The following fields of the template are used:
SerialNumber, Subject, NotBefore, NotAfter, KeyUsage, ExtKeyUsage, UnknownExtKeyUsage,
BasicConstraintsValid, IsCA, MaxPathLen, SubjectKeyId, DNSNames, PermittedDNSDomainsCritical,
PermittedDNSDomains, SignatureAlgorithm.
The certificate is signed by parent. If parent is equal to template, the certificate is self-signed. The pub parameter is the public key of the signee and priv is the private key of the signer.
The returned slice is the certificate in DER encoding.
Only RSA and ECDSA keys are supported (pub may be a *rsa.PublicKey or *ecdsa.PublicKey; priv may be a *rsa.PrivateKey or *ecdsa.PrivateKey).
## func [CreateCertificateRequest](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1667 "View Source")
```
func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error)
```
CreateCertificateRequest creates a new certificate request based on a template. The following fields of the template are used:
Subject, Attributes, Extension, SignatureAlgorithm, DNSNames, EmailAddresses, IPAddresses.
priv is the private key of the signer. The returned slice is the certificate request in DER encoding.
Only RSA (*rsa.PrivateKey) and ECDSA (*ecdsa.PrivateKey) keys are supported.