💎一站式轻松地调用各大LLM模型接口,支持GPT4、智谱、星火、月之暗面及文生图 广告
# package x509 `import "crypto/x509"` x509包解析X.509编码的证书和密钥。 ## Index * [Constants](#pkg-constants) * [Variables](#pkg-variables) * [type PEMCipher](#PEMCipher) * [type PublicKeyAlgorithm](#PublicKeyAlgorithm) * [type SignatureAlgorithm](#SignatureAlgorithm) * [type SystemRootsError](#SystemRootsError) * [func (e SystemRootsError) Error() string](#SystemRootsError.Error) * [type HostnameError](#HostnameError) * [func (h HostnameError) Error() string](#HostnameError.Error) * [type UnknownAuthorityError](#UnknownAuthorityError) * [func (e UnknownAuthorityError) Error() string](#UnknownAuthorityError.Error) * [type ConstraintViolationError](#ConstraintViolationError) * [func (ConstraintViolationError) Error() string](#ConstraintViolationError.Error) * [type UnhandledCriticalExtension](#UnhandledCriticalExtension) * [func (h UnhandledCriticalExtension) Error() string](#UnhandledCriticalExtension.Error) * [type CertificateInvalidError](#CertificateInvalidError) * [func (e CertificateInvalidError) Error() string](#CertificateInvalidError.Error) * [type KeyUsage](#KeyUsage) * [type ExtKeyUsage](#ExtKeyUsage) * [type VerifyOptions](#VerifyOptions) * [type InvalidReason](#InvalidReason) * [type Certificate](#Certificate) * [func (c \*Certificate) CheckSignatureFrom(parent \*Certificate) (err error)](#Certificate.CheckSignatureFrom) * [func (c \*Certificate) CheckCRLSignature(crl \*pkix.CertificateList) (err error)](#Certificate.CheckCRLSignature) * [func (c \*Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) (err error)](#Certificate.CheckSignature) * [func (c \*Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)](#Certificate.CreateCRL) * [func (c \*Certificate) Equal(other \*Certificate) bool](#Certificate.Equal) * [func (c \*Certificate) Verify(opts VerifyOptions) (chains [][]\*Certificate, err error)](#Certificate.Verify) * [func (c \*Certificate) VerifyHostname(h string) error](#Certificate.VerifyHostname) * [type CertPool](#CertPool) * [func NewCertPool() \*CertPool](#NewCertPool) * [func (s \*CertPool) AddCert(cert \*Certificate)](#CertPool.AddCert) * [func (s \*CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)](#CertPool.AppendCertsFromPEM) * [func (s \*CertPool) Subjects() (res [][]byte)](#CertPool.Subjects) * [type CertificateRequest](#CertificateRequest) * [func MarshalECPrivateKey(key \*ecdsa.PrivateKey) ([]byte, error)](#MarshalECPrivateKey) * [func MarshalPKCS1PrivateKey(key \*rsa.PrivateKey) []byte](#MarshalPKCS1PrivateKey) * [func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)](#MarshalPKIXPublicKey) * [func ParseECPrivateKey(der []byte) (key \*ecdsa.PrivateKey, err error)](#ParseECPrivateKey) * [func ParsePKCS1PrivateKey(der []byte) (key \*rsa.PrivateKey, err error)](#ParsePKCS1PrivateKey) * [func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)](#ParsePKCS8PrivateKey) * [func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)](#ParsePKIXPublicKey) * [func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (\*pem.Block, error)](#EncryptPEMBlock) * [func IsEncryptedPEMBlock(b \*pem.Block) bool](#IsEncryptedPEMBlock) * [func DecryptPEMBlock(b \*pem.Block, password []byte) ([]byte, error)](#DecryptPEMBlock) * [func ParseCRL(crlBytes []byte) (certList \*pkix.CertificateList, err error)](#ParseCRL) * [func ParseDERCRL(derBytes []byte) (certList \*pkix.CertificateList, err error)](#ParseDERCRL) * [func ParseCertificate(asn1Data []byte) (\*Certificate, error)](#ParseCertificate) * [func ParseCertificateRequest(asn1Data []byte) (\*CertificateRequest, error)](#ParseCertificateRequest) * [func ParseCertificates(asn1Data []byte) ([]\*Certificate, error)](#ParseCertificates) * [func CreateCertificate(rand io.Reader, template, parent \*Certificate, pub interface{}, priv interface{}) (cert []byte, err error)](#CreateCertificate) * [func CreateCertificateRequest(rand io.Reader, template \*CertificateRequest, priv interface{}) (csr []byte, err error)](#CreateCertificateRequest) ### Examples * [Certificate.Verify](#example-Certificate-Verify) ## Constants ``` const ( PEMCipherDES PEMCipher3DES PEMCipherAES128 PEMCipherAES192 PEMCipherAES256 ) ``` 可能会被EncryptPEMBlock加密算法使用的值。 ## Variables ``` var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented") ``` 当试图执行包含目前未实现的算法的操作时,会返回ErrUnsupportedAlgorithm。 ``` var IncorrectPasswordError = errors.New("x509: decryption password incorrect") ``` 当检测到不正确的密码时,会返回IncorrectPasswordError。 ## type [PEMCipher](https://github.com/golang/go/blob/master/src/crypto/x509/pem_decrypt.go#L23 "View Source") ``` type PEMCipher int ``` ## type [PublicKeyAlgorithm](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L172 "View Source") ``` type PublicKeyAlgorithm int ``` ``` const ( UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota RSA DSA ECDSA ) ``` ## type [SignatureAlgorithm](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L154 "View Source") ``` type SignatureAlgorithm int ``` ``` const ( UnknownSignatureAlgorithm SignatureAlgorithm = iota MD2WithRSA MD5WithRSA SHA1WithRSA SHA256WithRSA SHA384WithRSA SHA512WithRSA DSAWithSHA1 DSAWithSHA256 ECDSAWithSHA1 ECDSAWithSHA256 ECDSAWithSHA384 ECDSAWithSHA512 ) ``` ## type [SystemRootsError](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L119 "View Source") ``` type SystemRootsError struct { } ``` 当从系统装载根证书失败时,会返回SystemRootsError。 ### func (SystemRootsError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L122 "View Source") ``` func (e SystemRootsError) Error() string ``` ## type [HostnameError](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L62 "View Source") ``` type HostnameError struct { Certificate *Certificate Host string } ``` 当认证的名字和请求的名字不匹配时,会返回HostnameError。 ### func (HostnameError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L67 "View Source") ``` func (h HostnameError) Error() string ``` ## type [UnknownAuthorityError](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L93 "View Source") ``` type UnknownAuthorityError struct { // 内含隐藏或非导出字段 } ``` 当证书的发布者未知时,会返回UnknownAuthorityError。 ### func (UnknownAuthorityError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L103 "View Source") ``` func (e UnknownAuthorityError) Error() string ``` ## type [ConstraintViolationError](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L527 "View Source") ``` type ConstraintViolationError struct{} ``` 当请求的用途不被证书许可时,会返回ConstraintViolationError。如:当公钥不是证书的签名密钥时用它检查签名。 ### func (ConstraintViolationError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L529 "View Source") ``` func (ConstraintViolationError) Error() string ``` ## type [UnhandledCriticalExtension](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L677 "View Source") ``` type UnhandledCriticalExtension struct{} ``` ### func (UnhandledCriticalExtension) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L679 "View Source") ``` func (h UnhandledCriticalExtension) Error() string ``` ## type [CertificateInvalidError](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L39 "View Source") ``` type CertificateInvalidError struct { Cert *Certificate Reason InvalidReason } ``` 当发生其余的错误时,会返回CertificateInvalidError。本包的使用者可能会想统一处理所有这类错误。 ### func (CertificateInvalidError) [Error](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L44 "View Source") ``` func (e CertificateInvalidError) Error() string ``` ## type [KeyUsage](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L361 "View Source") ``` type KeyUsage int ``` KeyUsage代表给定密钥的合法操作集。用KeyUsage类型常数的位图表示。(字位表示有无) ``` const ( KeyUsageDigitalSignature KeyUsage = 1 << iota KeyUsageContentCommitment KeyUsageKeyEncipherment KeyUsageDataEncipherment KeyUsageKeyAgreement KeyUsageCertSign KeyUsageCRLSign KeyUsageEncipherOnly KeyUsageDecipherOnly ) ``` ## type [ExtKeyUsage](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L404 "View Source") ``` type ExtKeyUsage int ``` ExtKeyUsage代表给定密钥的合法操作扩展集。每一个ExtKeyUsage类型常数定义一个特定的操作。 ``` const ( ExtKeyUsageAny ExtKeyUsage = iota ExtKeyUsageServerAuth ExtKeyUsageClientAuth ExtKeyUsageCodeSigning ExtKeyUsageEmailProtection ExtKeyUsageIPSECEndSystem ExtKeyUsageIPSECTunnel ExtKeyUsageIPSECUser ExtKeyUsageTimeStamping ExtKeyUsageOCSPSigning ExtKeyUsageMicrosoftServerGatedCrypto ExtKeyUsageNetscapeServerGatedCrypto ) ``` ## type [VerifyOptions](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L128 "View Source") ``` type VerifyOptions struct { DNSName string Intermediates *CertPool Roots *CertPool // 如为nil,将使用系统根证书池 CurrentTime time.Time // 如为零值,将使用当前时间 // KeyUsage指定了可以接受哪些密钥扩展用途,空列表代表ExtKeyUsageServerAuth。 // 密钥用途被作为生成证书链的限制条件(类似Windows加密应用程序接口的行为,但不完全一样) // 要接受任何密钥用途,可以使本字段包含ExtKeyUsageAny。 KeyUsages []ExtKeyUsage } ``` VerifyOptions包含提供给Certificate.Verify方法的参数。它是结构体类型,因为其他PKIX认证API需要很长参数。 ## type [InvalidReason](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L16 "View Source") ``` type InvalidReason int ``` ``` const ( // NotAuthorizedToSign表示给本证书签名的证书不是CA证书 NotAuthorizedToSign InvalidReason = iota // Expired表示证书已过期,根据VerifyOptions.CurrentTime判断 Expired // CANotAuthorizedForThisName表示中间证书或根证书具有名字限制,且不包含被检查的名字 CANotAuthorizedForThisName // TooManyIntermediates表示违反了路径长度限制 TooManyIntermediates // IncompatibleUsage表示证书的密钥用途显示它只能用于其它目的 IncompatibleUsage ) ``` ## type [Certificate](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L459 "View Source") ``` type Certificate struct { Raw []byte // 原始、完整的ASN.1 DER内容(证书、签名算法、签名) RawTBSCertificate []byte // ASN.1 DER 内容的证书部分 RawSubjectPublicKeyInfo []byte // 原始DER编码的SubjectPublicKeyInfo RawSubject []byte // 原始DER编码的Subject RawIssuer []byte // 原始DER编码的Issuer Signature []byte SignatureAlgorithm SignatureAlgorithm PublicKeyAlgorithm PublicKeyAlgorithm PublicKey interface{} Version int SerialNumber *big.Int Issuer pkix.Name Subject pkix.Name NotBefore, NotAfter time.Time // 有效期前后界,本时间段之外无效 KeyUsage KeyUsage // Extensions保管原始的X.509扩展。当解析证书时,本字段用于摘录本包未解析的不关键扩展。 // 序列化证书时,Extensions字段会被忽略,参见ExtraExtensions。 Extensions []pkix.Extension // ExtraExtensions包含应被直接拷贝到任何序列化的证书中的扩展。 // 本字段保管的值会覆盖任何其它字段生成的扩展。 // ExtraExtensions字段在解析证书时不会被填写,参见Extensions。 ExtraExtensions []pkix.Extension ExtKeyUsage []ExtKeyUsage // 密钥扩展用途的序列 UnknownExtKeyUsage []asn1.ObjectIdentifier // 遇到的本包不能识别的密钥扩展用途 BasicConstraintsValid bool // 如果下两个字段合法,将为真 IsCA bool MaxPathLen int SubjectKeyId []byte AuthorityKeyId []byte // RFC 5280, 4.2.2.1(认证信息存取) OCSPServer []string IssuingCertificateURL []string // 证书持有者的替用名称 DNSNames []string EmailAddresses []string IPAddresses []net.IP // 名称的约束 PermittedDNSDomainsCritical bool // 如为真则名称约束被标记为关键的 PermittedDNSDomains []string // CRL配销点 CRLDistributionPoints []string PolicyIdentifiers []asn1.ObjectIdentifier } ``` Certificate代表一个X.509证书。 ### func (\*Certificate) [CheckSignatureFrom](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L588 "View Source") ``` func (c *Certificate) CheckSignatureFrom(parent *Certificate) (err error) ``` CheckSignatureFrom检查c中的签名是否是来自parent的合法签名。 ### func (\*Certificate) [CheckCRLSignature](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L672 "View Source") ``` func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) (err error) ``` CheckCRLSignature检查crl中的签名是否来自c。 ### func (\*Certificate) [CheckSignature](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L616 "View Source") ``` func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) (err error) ``` CheckSignature检查signature是否是c的公钥生成的signed的合法签名。 ### func (\*Certificate) [CreateCRL](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1556 "View Source") ``` func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error) ``` CreateCRL返回一个DER编码的CRL(证书注销列表),使用c签名,并包含给出的已取消签名列表。 只支持RSA类型的密钥(priv参数必须是*rsa.PrivateKey类型)。 ### func (\*Certificate) [Equal](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L533 "View Source") ``` func (c *Certificate) Equal(other *Certificate) bool ``` ### func (\*Certificate) [Verify](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L210 "View Source") ``` func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) ``` Verify通过创建一到多个从c到opts.Roots中的证书的链条来认证c,如有必要会使用opts.Intermediates中的证书。如果成功,它会返回一到多个证书链条,每一条都以c开始,以opts.Roots中的证书结束。 警告:它不会做任何取消检查。 Example ``` // Verifying with a custom list of root certificates. const rootPEM = ` -----BEGIN CERTIFICATE----- MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY /iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/ zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6 yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx -----END CERTIFICATE-----` const certPEM = ` -----BEGIN CERTIFICATE----- MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q 5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC 7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAa BgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUF BwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy LmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2Nz cDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAf BgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisG AQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29t L0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+ gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283 TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq 0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoW RvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOh yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA== -----END CERTIFICATE-----` // First, create the set of root certificates. For this example we only // have one. It's also possible to omit this in order to use the // default root set of the current operating system. roots := x509.NewCertPool() ok := roots.AppendCertsFromPEM([]byte(rootPEM)) if !ok { panic("failed to parse root certificate") } block, _ := pem.Decode([]byte(certPEM)) if block == nil { panic("failed to parse certificate PEM") } cert, err := x509.ParseCertificate(block.Bytes) if err != nil { panic("failed to parse certificate: " + err.Error()) } opts := x509.VerifyOptions{ DNSName: "mail.google.com", Roots: roots, } if _, err := cert.Verify(opts); err != nil { panic("failed to verify certificate: " + err.Error()) } ``` ### func (\*Certificate) [VerifyHostname](https://github.com/golang/go/blob/master/src/crypto/x509/verify.go#L381 "View Source") ``` func (c *Certificate) VerifyHostname(h string) error ``` 如果c是名为h的主机的合法证书,VerifyHostname会返回真;否则它返回一个描述该不匹配情况的错误。 ## type [CertPool](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L12 "View Source") ``` type CertPool struct { // 内含隐藏或非导出字段 } ``` CertPool代表一个证书集合/证书池。 ### func [NewCertPool](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L19 "View Source") ``` func NewCertPool() *CertPool ``` NewCertPool创建一个新的、空的CertPool。 ### func (\*CertPool) [AddCert](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L56 "View Source") ``` func (s *CertPool) AddCert(cert *Certificate) ``` AddCert向s中添加一个证书。 ### func (\*CertPool) [AppendCertsFromPEM](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L85 "View Source") ``` func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) ``` AppendCertsFromPEM试图解析一系列PEM编码的证书。它将找到的任何证书都加入s中,如果所有证书都成功被解析,会返回真。 在许多Linux系统中,/etc/ssl/cert.pem会包含适合本函数的大量系统级根证书。 ### func (\*CertPool) [Subjects](https://github.com/golang/go/blob/master/src/crypto/x509/cert_pool.go#L110 "View Source") ``` func (s *CertPool) Subjects() (res [][]byte) ``` Subjects返回池中所有证书的DER编码的持有者的列表。 ## type [CertificateRequest](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1596 "View Source") ``` type CertificateRequest struct { Raw []byte // 原始、完整的ASN.1 DER内容(CSR、签名算法、签名) RawTBSCertificateRequest []byte // ASN.1 DER 内容的证书请求信息 RawSubjectPublicKeyInfo []byte // 原始DER编码的SubjectPublicKeyInfo RawSubject []byte // 原始DER编码的Subject Version int Signature []byte SignatureAlgorithm SignatureAlgorithm PublicKeyAlgorithm PublicKeyAlgorithm PublicKey interface{} Subject pkix.Name // Attributes提供关于证书持有者的额外信息,参见RFC 2986 section 4.1。 Attributes []pkix.AttributeTypeAndValueSET // Extensions保管原始的X.509扩展。当解析CSR时,本字段用于摘录本包未解析的不关键扩展。 Extensions []pkix.Extension // ExtraExtensions包含应被直接拷贝到任何序列化的CSR中的扩展。 // 本字段保管的值会覆盖任何其它字段生成的扩展,但会被Attributes字段指定的扩展覆盖。 // ExtraExtensions字段在解析CSR时不会增加,参见Extensions。 ExtraExtensions []pkix.Extension // 证书持有者的替用名称。 DNSNames []string EmailAddresses []string IPAddresses []net.IP } ``` CertificateRequest代表一个PKCS #10证书签名请求。 ## func [MarshalECPrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/sec1.go#L37 "View Source") ``` func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) ``` MarshalECPrivateKey将ecdsa私钥序列化为ASN.1 DER编码。 ## func [MarshalPKCS1PrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/pkcs1.go#L87 "View Source") ``` func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte ``` MarshalPKCS1PrivateKey将rsa私钥序列化为ASN.1 PKCS#1 DER编码。 ## func [MarshalPKIXPublicKey](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L85 "View Source") ``` func MarshalPKIXPublicKey(pub interface{}) ([]byte, error) ``` MarshalPKIXPublicKey将公钥序列化为PKIX格式DER编码。 ## func [ParseECPrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/sec1.go#L32 "View Source") ``` func ParseECPrivateKey(der []byte) (key *ecdsa.PrivateKey, err error) ``` ParseECPrivateKey解析ASN.1 DER编码的ecdsa私钥。 ## func [ParsePKCS1PrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/pkcs1.go#L39 "View Source") ``` func ParsePKCS1PrivateKey(der []byte) (key *rsa.PrivateKey, err error) ``` ParsePKCS1PrivateKey解析ASN.1 PKCS#1 DER编码的rsa私钥。 ## func [ParsePKCS8PrivateKey](https://github.com/golang/go/blob/master/src/crypto/x509/pkcs8.go#L26 "View Source") ``` func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error) ``` ParsePKCS8PrivateKey解析一个未加密的PKCS#8私钥,参见[http://www.rsa.com/rsalabs/node.asp?id=2130](http://www.rsa.com/rsalabs/node.asp?id=2130)和RFC5208。 ## func [ParsePKIXPublicKey](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L38 "View Source") ``` func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) ``` ParsePKIXPublicKey解析一个DER编码的公钥。这些公钥一般在以"BEGIN PUBLIC KEY"出现的PEM块中。 ## func [EncryptPEMBlock](https://github.com/golang/go/blob/master/src/crypto/x509/pem_decrypt.go#L176 "View Source") ``` func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error) ``` EncryptPEMBlock使用指定的密码、加密算法加密data,返回一个具有指定块类型,保管加密后数据的PEM块。 ## func [IsEncryptedPEMBlock](https://github.com/golang/go/blob/master/src/crypto/x509/pem_decrypt.go#L99 "View Source") ``` func IsEncryptedPEMBlock(b *pem.Block) bool ``` IsEncryptedPEMBlock返回PEM块b是否是用密码加密了的。 ## func [DecryptPEMBlock](https://github.com/golang/go/blob/master/src/crypto/x509/pem_decrypt.go#L112 "View Source") ``` func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error) ``` DecryptPEMBlock接受一个加密后的PEM块和加密该块的密码password,返回解密后的DER编码字节切片。它会检查DEK信息头域,以确定用于解密的算法。如果b中没有DEK信息头域,会返回错误。如果函数发现密码不正确,会返回IncorrectPasswordError。 ## func [ParseCRL](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1532 "View Source") ``` func ParseCRL(crlBytes []byte) (certList *pkix.CertificateList, err error) ``` ParseCRL从crlBytes中解析CRL(证书注销列表)。因为经常有PEM编码的CRL出现在应该是DER编码的地方,因此本函数可以透明的处理PEM编码,只要没有前导的垃圾数据。 ## func [ParseDERCRL](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1543 "View Source") ``` func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error) ``` ParseDERCRL从derBytes中解析DER编码的CRL。 ## func [ParseCertificate](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1085 "View Source") ``` func ParseCertificate(asn1Data []byte) (*Certificate, error) ``` ParseCertificate从ASN.1 DER数据解析单个证书。 ## func [ParseCertificateRequest](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1824 "View Source") ``` func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error) ``` ParseCertificateRequest解析一个ASN.1 DER数据获取单个证书请求。 ## func [ParseCertificates](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1100 "View Source") ``` func ParseCertificates(asn1Data []byte) ([]*Certificate, error) ``` ParseCertificates从ASN.1 DER编码的asn1Data中解析一到多个证书。这些证书必须是串联的,且中间没有填充。 ## func [CreateCertificate](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1437 "View Source") ``` func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interface{}, priv interface{}) (cert []byte, err error) ``` CreateCertificate基于模板创建一个新的证书。会用到模板的如下字段: SerialNumber、Subject、NotBefore、NotAfter、KeyUsage、ExtKeyUsage、UnknownExtKeyUsage、 BasicConstraintsValid、IsCA、MaxPathLen、SubjectKeyId、DNSNames、PermittedDNSDomainsCritical、 PermittedDNSDomains、SignatureAlgorithm。 该证书会使用parent签名。如果parent和template相同,则证书是自签名的。Pub参数是被签名者的公钥,而priv是签名者的私钥。 返回的切片是DER编码的证书。 只支持RSA和ECDSA类型的密钥。(pub可以是*rsa.PublicKey或*ecdsa.PublicKey,priv可以是*rsa.PrivateKey或*ecdsa.PrivateKey) ## func [CreateCertificateRequest](https://github.com/golang/go/blob/master/src/crypto/x509/x509.go#L1667 "View Source") ``` func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error) ``` CreateCertificateRequest基于模板创建一个新的证书请求。会用到模板的如下字段: Subject、Attributes、Extension、SignatureAlgorithm、DNSNames、EmailAddresses、IPAddresses。 priv是签名者的私钥。返回的切片是DER编码的证书请求。 只支持RSA(*rsa.PrivateKey)和ECDSA(*ecdsa.PrivateKey)类型的密钥。