Copy disabled (too large)
Download .txt
Showing preview only (36,768K chars total). Download the full file to get everything.
Repository: cloudflare/cfssl
Branch: master
Commit: ed8df4971265
Files: 2240
Total size: 34.6 MB
Directory structure:
gitextract__9id0mvi/
├── .dockerignore
├── .github/
│ ├── dependabot.yml
│ └── workflows/
│ ├── docker-builds.yml
│ ├── go.yml
│ ├── semgrep.yml
│ └── snapshot.yml
├── .gitignore
├── .golangci.yaml
├── .goreleaser.yml
├── CHANGELOG
├── Dockerfile
├── Dockerfile.alpine
├── LICENSE
├── Makefile
├── README.md
├── api/
│ ├── api.go
│ ├── api_test.go
│ ├── bundle/
│ │ ├── bundle.go
│ │ └── bundle_test.go
│ ├── certadd/
│ │ ├── insert.go
│ │ └── insert_test.go
│ ├── certinfo/
│ │ └── certinfo.go
│ ├── client/
│ │ ├── api.go
│ │ ├── client.go
│ │ ├── client_test.go
│ │ └── group.go
│ ├── crl/
│ │ ├── crl.go
│ │ └── crl_test.go
│ ├── gencrl/
│ │ ├── gencrl.go
│ │ └── gencrl_test.go
│ ├── generator/
│ │ ├── generator.go
│ │ ├── generator_test.go
│ │ └── testdata/
│ │ ├── ca.pem
│ │ └── ca_key.pem
│ ├── health/
│ │ └── health.go
│ ├── info/
│ │ ├── info.go
│ │ └── info_test.go
│ ├── initca/
│ │ ├── initca.go
│ │ └── initca_test.go
│ ├── ocsp/
│ │ ├── ocspsign.go
│ │ └── ocspsign_test.go
│ ├── revoke/
│ │ ├── revoke.go
│ │ └── revoke_test.go
│ ├── scan/
│ │ ├── scan.go
│ │ └── scan_test.go
│ ├── sign/
│ │ ├── sign.go
│ │ └── sign_test.go
│ ├── signhandler/
│ │ ├── signhandler.go
│ │ └── signhandler_test.go
│ └── testdata/
│ ├── broken.pem
│ ├── broken_csr.pem
│ ├── ca-bundle.pem
│ ├── ca.pem
│ ├── ca2-key.pem
│ ├── ca2.pem
│ ├── ca_key.pem
│ ├── cert.pem
│ ├── csr.pem
│ ├── int-bundle.pem
│ ├── leaf.badkey
│ ├── leaf.key
│ └── leaf.pem
├── auth/
│ ├── auth.go
│ ├── auth_test.go
│ └── testdata/
│ ├── authrequest.json
│ └── request.json
├── bundler/
│ ├── bundle.go
│ ├── bundle_from_file_test.go
│ ├── bundle_from_pem_test.go
│ ├── bundle_from_remote_test.go
│ ├── bundler.go
│ ├── bundler_sha1_deprecation_test.go
│ ├── bundler_test.go
│ ├── doc.go
│ └── testdata/
│ ├── bad-bundle.pem
│ ├── ca-bundle.crt.metadata
│ ├── ca-bundle.pem
│ ├── ca.key
│ ├── ca.pem
│ ├── cfssl-leaf-ecdsa256.csr
│ ├── cfssl-leaf-ecdsa256.key
│ ├── cfssl-leaf-ecdsa256.pem
│ ├── cfssl-leaf-ecdsa384.csr
│ ├── cfssl-leaf-ecdsa384.key
│ ├── cfssl-leaf-ecdsa384.pem
│ ├── cfssl-leaf-ecdsa521.csr
│ ├── cfssl-leaf-ecdsa521.key
│ ├── cfssl-leaf-ecdsa521.pem
│ ├── cfssl-leaf-rsa2048.csr
│ ├── cfssl-leaf-rsa2048.key
│ ├── cfssl-leaf-rsa2048.pem
│ ├── cfssl-leaf-rsa3072.csr
│ ├── cfssl-leaf-rsa3072.key
│ ├── cfssl-leaf-rsa3072.pem
│ ├── cfssl-leaf-rsa4096.csr
│ ├── cfssl-leaf-rsa4096.key
│ ├── cfssl-leaf-rsa4096.pem
│ ├── cfssl-leaflet-rsa4096.pem
│ ├── client-auth/
│ │ ├── build_certs.sh
│ │ ├── int-config.json
│ │ ├── int-csr.json
│ │ ├── int.pem
│ │ ├── leaf-client-csr.json
│ │ ├── leaf-client.pem
│ │ ├── leaf-server-csr.json
│ │ ├── leaf-server.pem
│ │ ├── root-config.json
│ │ ├── root-csr.json
│ │ └── root.pem
│ ├── dsa2048.key
│ ├── dsa2048.pem
│ ├── empty.pem
│ ├── forcebundle.pem
│ ├── froyo.pem
│ ├── int-bundle.pem
│ ├── inter-L1-expired.pem
│ ├── inter-L1-sha1.pem
│ ├── inter-L1.csr
│ ├── inter-L1.key
│ ├── inter-L1.pem
│ ├── inter-L2-direct.pem
│ ├── inter-L2.csr
│ ├── inter-L2.key
│ ├── inter-L2.pem
│ ├── intermediates.crt
│ ├── nss.pem
│ ├── osx.pem
│ ├── partial-bundle.pem
│ └── reverse-partial-bundle.pem
├── certdb/
│ ├── README.md
│ ├── certdb.go
│ ├── dbconf/
│ │ ├── db_config.go
│ │ ├── db_config_test.go
│ │ └── testdata/
│ │ ├── bad-db-config.json
│ │ ├── db-config.json
│ │ └── memory_db.json
│ ├── mysql/
│ │ ├── dbconf.yml
│ │ └── migrations/
│ │ ├── 001_CreateCertificates.sql
│ │ └── 002_AddMetadataToCertificates.sql
│ ├── ocspstapling/
│ │ ├── ocspstapling.go
│ │ └── ocspstapling_test.go
│ ├── pg/
│ │ ├── dbconf.yml
│ │ └── migrations/
│ │ ├── 001_CreateCertificates.sql
│ │ └── 002_AddMetadataToCertificates.sql
│ ├── sql/
│ │ ├── database_accessor.go
│ │ ├── sql_mysql_test.go
│ │ ├── sql_pq_test.go
│ │ └── sql_test.go
│ ├── sqlite/
│ │ ├── dbconf.yml
│ │ └── migrations/
│ │ ├── 001_CreateCertificates.sql
│ │ └── 002_AddMetadataToCertificates.sql
│ └── testdb/
│ └── testdb.go
├── certinfo/
│ ├── certinfo.go
│ └── certinfo_test.go
├── cli/
│ ├── bundle/
│ │ ├── bundle.go
│ │ └── bundle_test.go
│ ├── certinfo/
│ │ └── certinfo.go
│ ├── cli.go
│ ├── cli_test.go
│ ├── config.go
│ ├── crl/
│ │ ├── crl.go
│ │ └── crl_test.go
│ ├── gencert/
│ │ ├── gencert.go
│ │ └── gencert_test.go
│ ├── gencrl/
│ │ ├── gencrl.go
│ │ ├── gencrl_test.go
│ │ └── testdata/
│ │ ├── ca-keyTwo.pem
│ │ ├── caTwo.pem
│ │ └── serialList
│ ├── gencsr/
│ │ ├── gencsr.go
│ │ ├── gencsr_test.go
│ │ └── testdata/
│ │ ├── csr.json
│ │ └── test-key.pem
│ ├── genkey/
│ │ ├── genkey.go
│ │ ├── genkey_test.go
│ │ └── testdata/
│ │ └── csr.json
│ ├── info/
│ │ └── info.go
│ ├── ocspdump/
│ │ └── ocspdump.go
│ ├── ocsprefresh/
│ │ ├── ocsprefresh.go
│ │ └── ocsprefresh_test.go
│ ├── ocspserve/
│ │ └── ocspserve.go
│ ├── ocspsign/
│ │ └── ocspsign.go
│ ├── printdefault/
│ │ ├── defaults.go
│ │ └── printdefault.go
│ ├── revoke/
│ │ ├── revoke.go
│ │ └── revoke_test.go
│ ├── scan/
│ │ ├── scan.go
│ │ └── scan_test.go
│ ├── selfsign/
│ │ ├── selfsign.go
│ │ └── selfsign_test.go
│ ├── serve/
│ │ ├── README.md
│ │ ├── serve.go
│ │ ├── serve_test.go
│ │ └── static/
│ │ ├── assets/
│ │ │ └── cfssl.js
│ │ └── index.html
│ ├── sign/
│ │ ├── sign.go
│ │ └── sign_test.go
│ ├── testdata/
│ │ ├── bad_csr.json
│ │ ├── bad_oid_csr.json
│ │ ├── ca-key.pem
│ │ ├── ca.csr
│ │ ├── ca.pem
│ │ ├── csr.json
│ │ ├── db-config.json
│ │ └── test.txt
│ └── version/
│ ├── version.go
│ └── version_test.go
├── cmd/
│ ├── cfssl/
│ │ ├── cfssl.go
│ │ └── cfssl_test.go
│ ├── cfssl-bundle/
│ │ └── cfssl-bundle.go
│ ├── cfssl-certinfo/
│ │ └── cfssl-certinfo.go
│ ├── cfssl-newkey/
│ │ └── cfssl-newkey.go
│ ├── cfssl-scan/
│ │ └── cfssl-scan.go
│ ├── cfssljson/
│ │ ├── cfssljson.go
│ │ ├── cfssljson_test.go
│ │ └── testdata/
│ │ └── test.txt
│ ├── mkbundle/
│ │ ├── cert-bundle.crt
│ │ ├── mkbundle.go
│ │ └── mkbundle_test.go
│ └── multirootca/
│ ├── api.go
│ └── ca.go
├── config/
│ ├── config.go
│ ├── config_test.go
│ └── testdata/
│ ├── invalid_auth.json
│ ├── invalid_auth_bad_key.json
│ ├── invalid_config.json
│ ├── invalid_default.json
│ ├── invalid_no_auth_keys.json
│ ├── invalid_no_remotes.json
│ ├── invalid_profile.json
│ ├── invalid_remotes.json
│ ├── invalid_usage.json
│ ├── valid_config.json
│ ├── valid_config_auth.json
│ ├── valid_config_auth_no_default.json
│ └── valid_config_no_default.json
├── crl/
│ ├── crl.go
│ ├── crl_test.go
│ └── testdata/
│ ├── ca-key.pem
│ ├── ca-keyTwo.pem
│ ├── ca.pem
│ ├── caTwo.pem
│ ├── cert.pem
│ ├── serialList
│ ├── server.crt
│ └── server.key
├── crypto/
│ ├── doc.go
│ └── pkcs7/
│ └── pkcs7.go
├── csr/
│ ├── csr.go
│ ├── csr_test.go
│ └── testdata/
│ └── test-ecdsa-ca.pem
├── doc/
│ ├── README.txt
│ ├── api/
│ │ ├── endpoint_authsign.txt
│ │ ├── endpoint_bundle.txt
│ │ ├── endpoint_certinfo.txt
│ │ ├── endpoint_crl.txt
│ │ ├── endpoint_health.txt
│ │ ├── endpoint_info.txt
│ │ ├── endpoint_init_ca.txt
│ │ ├── endpoint_newcert.txt
│ │ ├── endpoint_newkey.txt
│ │ ├── endpoint_revoke.txt
│ │ ├── endpoint_scan.txt
│ │ ├── endpoint_scaninfo.txt
│ │ ├── endpoint_sign.txt
│ │ └── intro.txt
│ ├── authentication.txt
│ ├── ca-bundle.crt.metadata.sample
│ ├── cmd/
│ │ ├── cfssl.txt
│ │ └── multiroot.txt
│ ├── errorcode.txt
│ └── transport.txt
├── errors/
│ ├── doc.go
│ ├── error.go
│ ├── error_test.go
│ └── http.go
├── go.mod
├── go.sum
├── helpers/
│ ├── derhelpers/
│ │ ├── derhelpers.go
│ │ ├── ed25519.go
│ │ └── ed25519_test.go
│ ├── helpers.go
│ ├── helpers_test.go
│ ├── testdata/
│ │ ├── bundle.pem
│ │ ├── bundle_pkcs7.pem
│ │ ├── bundle_with_whitespace.pem
│ │ ├── ca.pem
│ │ ├── ca_key.pem
│ │ ├── cert.der
│ │ ├── cert.pem
│ │ ├── cert_pkcs7.pem
│ │ ├── cert_with_whitespace.pem
│ │ ├── ecdsa256.csr
│ │ ├── empty.pem
│ │ ├── empty_pkcs7.der
│ │ ├── empty_pkcs7.pem
│ │ ├── emptycert.pem
│ │ ├── emptypasswordpkcs12.p12
│ │ ├── enc_priv_key.pem
│ │ ├── messed_up_bundle.pem
│ │ ├── messed_up_priv_key.pem
│ │ ├── messedupcert.pem
│ │ ├── multiplecerts.p12
│ │ ├── noheadercert.pem
│ │ ├── openssl_secp384.pem
│ │ ├── passwordpkcs12.p12
│ │ ├── priv_rsa_key.pem
│ │ ├── private_ecdsa_key.pem
│ │ ├── private_ed25519_key.pem
│ │ ├── rsa-old.csr
│ │ ├── secp256k1-key.pem
│ │ ├── test.bad.csr.pem
│ │ └── test.csr.pem
│ └── testsuite/
│ ├── testdata/
│ │ ├── cert_csr.json
│ │ └── initCA/
│ │ ├── ca_csr.json
│ │ └── cfssl_output.pem
│ ├── testing_helpers.go
│ └── testing_helpers_test.go
├── info/
│ └── info.go
├── initca/
│ ├── initca.go
│ ├── initca_test.go
│ └── testdata/
│ ├── 5min-ecdsa-key.pem
│ ├── 5min-ecdsa.pem
│ ├── 5min-ed25519-key.pem
│ ├── 5min-ed25519.pem
│ ├── 5min-rsa-key.pem
│ ├── 5min-rsa.pem
│ ├── README.md
│ ├── ca_csr_ecdsa.json
│ ├── ca_csr_ed25519.json
│ ├── ca_csr_rsa.json
│ ├── ecdsa256.csr
│ ├── ecdsa384.csr
│ ├── ecdsa521.csr
│ ├── ed25519.csr
│ ├── rsa2048.csr
│ ├── rsa3072.csr
│ └── rsa4096.csr
├── log/
│ ├── log.go
│ └── log_test.go
├── multiroot/
│ └── config/
│ ├── config.go
│ ├── config_test.go
│ └── testdata/
│ ├── bad-db-config.json
│ ├── bad.conf
│ ├── badconfig.json
│ ├── config.json
│ ├── db-config.json
│ ├── roots.conf
│ ├── roots_bad_certificate.conf
│ ├── roots_bad_db.conf
│ ├── roots_bad_private_key.conf
│ ├── roots_bad_whitelist.conf
│ ├── roots_bad_whitelist2.conf
│ ├── roots_badconfig.conf
│ ├── roots_badspec.conf
│ ├── roots_badspec2.conf
│ ├── roots_badspec3.conf
│ ├── roots_db.conf
│ ├── roots_der.conf
│ ├── roots_ksm.conf
│ ├── roots_missing_certificate.conf
│ ├── roots_missing_certificate_entry.conf
│ ├── roots_missing_private.conf
│ ├── roots_missing_private_key_entry.conf
│ ├── roots_no_kdl_private_key.conf
│ ├── roots_whitelist.conf
│ ├── roots_whitelist_ipv6.conf
│ ├── server.crt
│ ├── server.der
│ ├── server.key
│ ├── test.conf
│ └── test2.conf
├── ocsp/
│ ├── config/
│ │ └── config.go
│ ├── ocsp.go
│ ├── ocsp_test.go
│ ├── responder.go
│ ├── responder_test.go
│ ├── testdata/
│ │ ├── ca-key.pem
│ │ ├── ca.pem
│ │ ├── cert.pem
│ │ ├── db-config.json
│ │ ├── resp64.pem
│ │ ├── response.der
│ │ ├── response_broken.pem
│ │ ├── response_mix.pem
│ │ ├── server.crt
│ │ ├── server.key
│ │ ├── server_broken.crt
│ │ ├── server_broken.key
│ │ └── sqlite_ca.pem
│ └── universal/
│ └── universal.go
├── revoke/
│ ├── revoke.go
│ └── revoke_test.go
├── scan/
│ ├── broad.go
│ ├── connectivity.go
│ ├── crypto/
│ │ ├── crypto.go
│ │ ├── md5/
│ │ │ ├── example_test.go
│ │ │ ├── gen.go
│ │ │ ├── md5.go
│ │ │ ├── md5_test.go
│ │ │ ├── md5block.go
│ │ │ ├── md5block_386.s
│ │ │ ├── md5block_amd64.s
│ │ │ ├── md5block_amd64p32.s
│ │ │ ├── md5block_arm.s
│ │ │ ├── md5block_decl.go
│ │ │ └── md5block_generic.go
│ │ ├── rsa/
│ │ │ ├── example_test.go
│ │ │ ├── pkcs1v15.go
│ │ │ ├── pkcs1v15_test.go
│ │ │ ├── pss.go
│ │ │ ├── pss_test.go
│ │ │ ├── rsa.go
│ │ │ ├── rsa_test.go
│ │ │ └── testdata/
│ │ │ └── pss-vect.txt.bz2
│ │ ├── sha1/
│ │ │ ├── example_test.go
│ │ │ ├── sha1.go
│ │ │ ├── sha1_test.go
│ │ │ ├── sha1block.go
│ │ │ ├── sha1block_386.s
│ │ │ ├── sha1block_amd64.s
│ │ │ ├── sha1block_amd64p32.s
│ │ │ ├── sha1block_arm.s
│ │ │ ├── sha1block_decl.go
│ │ │ └── sha1block_generic.go
│ │ ├── sha256/
│ │ │ ├── sha256.go
│ │ │ ├── sha256_test.go
│ │ │ ├── sha256block.go
│ │ │ ├── sha256block_386.s
│ │ │ ├── sha256block_amd64.s
│ │ │ └── sha256block_decl.go
│ │ ├── sha512/
│ │ │ ├── sha512.go
│ │ │ ├── sha512_test.go
│ │ │ ├── sha512block.go
│ │ │ ├── sha512block_amd64.s
│ │ │ └── sha512block_decl.go
│ │ └── tls/
│ │ ├── alert.go
│ │ ├── cfsslscan_common.go
│ │ ├── cfsslscan_handshake.go
│ │ ├── cipher_suites.go
│ │ ├── common.go
│ │ ├── conn.go
│ │ ├── conn_test.go
│ │ ├── example_test.go
│ │ ├── generate_cert.go
│ │ ├── handshake_client.go
│ │ ├── handshake_client_test.go
│ │ ├── handshake_messages.go
│ │ ├── handshake_messages_test.go
│ │ ├── handshake_server.go
│ │ ├── handshake_server_test.go
│ │ ├── handshake_test.go
│ │ ├── key_agreement.go
│ │ ├── prf.go
│ │ ├── prf_test.go
│ │ ├── testdata/
│ │ │ ├── Client-TLSv10-ClientCert-ECDSA-ECDSA
│ │ │ ├── Client-TLSv10-ClientCert-ECDSA-RSA
│ │ │ ├── Client-TLSv10-ClientCert-RSA-ECDSA
│ │ │ ├── Client-TLSv10-ClientCert-RSA-RSA
│ │ │ ├── Client-TLSv10-ECDHE-ECDSA-AES
│ │ │ ├── Client-TLSv10-ECDHE-RSA-AES
│ │ │ ├── Client-TLSv10-RSA-RC4
│ │ │ ├── Client-TLSv11-ECDHE-ECDSA-AES
│ │ │ ├── Client-TLSv11-ECDHE-RSA-AES
│ │ │ ├── Client-TLSv11-RSA-RC4
│ │ │ ├── Client-TLSv12-AES128-GCM-SHA256
│ │ │ ├── Client-TLSv12-AES256-GCM-SHA384
│ │ │ ├── Client-TLSv12-ALPN
│ │ │ ├── Client-TLSv12-ALPN-NoMatch
│ │ │ ├── Client-TLSv12-ClientCert-ECDSA-ECDSA
│ │ │ ├── Client-TLSv12-ClientCert-ECDSA-RSA
│ │ │ ├── Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384
│ │ │ ├── Client-TLSv12-ClientCert-RSA-ECDSA
│ │ │ ├── Client-TLSv12-ClientCert-RSA-RSA
│ │ │ ├── Client-TLSv12-ECDHE-ECDSA-AES
│ │ │ ├── Client-TLSv12-ECDHE-ECDSA-AES-GCM
│ │ │ ├── Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384
│ │ │ ├── Client-TLSv12-ECDHE-RSA-AES
│ │ │ ├── Client-TLSv12-RSA-RC4
│ │ │ ├── Client-TLSv12-SCT
│ │ │ ├── Server-SSLv3-RSA-3DES
│ │ │ ├── Server-SSLv3-RSA-AES
│ │ │ ├── Server-SSLv3-RSA-RC4
│ │ │ ├── Server-TLSv10-ECDHE-ECDSA-AES
│ │ │ ├── Server-TLSv10-RSA-3DES
│ │ │ ├── Server-TLSv10-RSA-AES
│ │ │ ├── Server-TLSv10-RSA-RC4
│ │ │ ├── Server-TLSv11-FallbackSCSV
│ │ │ ├── Server-TLSv11-RSA-RC4
│ │ │ ├── Server-TLSv12-ALPN
│ │ │ ├── Server-TLSv12-ALPN-NoMatch
│ │ │ ├── Server-TLSv12-CipherSuiteCertPreferenceECDSA
│ │ │ ├── Server-TLSv12-CipherSuiteCertPreferenceRSA
│ │ │ ├── Server-TLSv12-ClientAuthRequestedAndECDSAGiven
│ │ │ ├── Server-TLSv12-ClientAuthRequestedAndGiven
│ │ │ ├── Server-TLSv12-ClientAuthRequestedNotGiven
│ │ │ ├── Server-TLSv12-ECDHE-ECDSA-AES
│ │ │ ├── Server-TLSv12-IssueTicket
│ │ │ ├── Server-TLSv12-IssueTicketPreDisable
│ │ │ ├── Server-TLSv12-RSA-3DES
│ │ │ ├── Server-TLSv12-RSA-AES
│ │ │ ├── Server-TLSv12-RSA-AES-GCM
│ │ │ ├── Server-TLSv12-RSA-AES256-GCM-SHA384
│ │ │ ├── Server-TLSv12-RSA-RC4
│ │ │ ├── Server-TLSv12-Resume
│ │ │ ├── Server-TLSv12-ResumeDisabled
│ │ │ ├── Server-TLSv12-SNI
│ │ │ ├── Server-TLSv12-SNI-GetCertificate
│ │ │ └── Server-TLSv12-SNI-GetCertificateNotFound
│ │ ├── ticket.go
│ │ ├── tls.go
│ │ └── tls_test.go
│ ├── pki.go
│ ├── scan_common.go
│ ├── scan_common_test.go
│ ├── tls_handshake.go
│ └── tls_session.go
├── selfsign/
│ ├── selfsign.go
│ ├── selfsign_test.go
│ └── testdata/
│ ├── extension.csr
│ ├── localhost.csr
│ ├── localhost.key
│ └── sans.csr
├── signer/
│ ├── local/
│ │ ├── local.go
│ │ ├── local_test.go
│ │ └── testdata/
│ │ ├── build_inter_pathlen_csrs.sh
│ │ ├── ca.pem
│ │ ├── ca_key.pem
│ │ ├── ecdsa256-inter.csr
│ │ ├── ecdsa256-inter.key
│ │ ├── ecdsa256.csr
│ │ ├── ecdsa256_ca.pem
│ │ ├── ecdsa256_ca_key.pem
│ │ ├── ecdsa384.csr
│ │ ├── ecdsa521.csr
│ │ ├── ed25519.csr
│ │ ├── ex.csr
│ │ ├── inter_pathlen_0.csr
│ │ ├── inter_pathlen_1.csr
│ │ ├── inter_pathlen_unspecified.csr
│ │ ├── ip.csr
│ │ ├── key.pem
│ │ ├── rsa-old.csr
│ │ ├── rsa2048-inter.csr
│ │ ├── rsa2048-inter.key
│ │ ├── rsa2048.csr
│ │ ├── rsa3072.csr
│ │ ├── rsa4096.csr
│ │ ├── san_domain.csr
│ │ └── test.csr
│ ├── remote/
│ │ ├── remote.go
│ │ ├── remote_test.go
│ │ └── testdata/
│ │ ├── README.md
│ │ ├── ca.pem
│ │ ├── ca_key.pem
│ │ ├── client-key.pem
│ │ ├── client.json
│ │ ├── client.pem
│ │ ├── config.json
│ │ ├── server-key.pem
│ │ ├── server.json
│ │ └── server.pem
│ ├── signer.go
│ ├── signer_test.go
│ └── universal/
│ ├── universal.go
│ └── universal_test.go
├── test.sh
├── testdata/
│ ├── csr.json
│ ├── garbage.crt
│ ├── garbage.key
│ ├── gd_bundle.crt
│ ├── good_config.json
│ ├── roots/
│ │ └── httplib2_cacerts.txt
│ ├── server.crt
│ ├── server.csr
│ ├── server.key
│ ├── ssl-verifier.sh
│ ├── temp.crt
│ └── test.py
├── tools.go
├── transport/
│ ├── ca/
│ │ ├── cert_provider.go
│ │ ├── cfssl_provider.go
│ │ └── localca/
│ │ ├── signer.go
│ │ └── signer_test.go
│ ├── client.go
│ ├── core/
│ │ ├── defs.go
│ │ └── rand.go
│ ├── doc.go
│ ├── example/
│ │ ├── README.md
│ │ ├── ca.json
│ │ ├── config.json
│ │ ├── config_auth.json
│ │ ├── exlib/
│ │ │ └── exlib.go
│ │ ├── genca.sh
│ │ ├── maclient/
│ │ │ ├── client.go
│ │ │ ├── client.json
│ │ │ └── client_auth.json
│ │ └── maserver/
│ │ ├── server.go
│ │ ├── server.json
│ │ └── server_auth.json
│ ├── kp/
│ │ ├── key_provider.go
│ │ └── key_provider_test.go
│ ├── listener.go
│ ├── roots/
│ │ ├── cfssl.go
│ │ ├── doc.go
│ │ ├── provider.go
│ │ └── system/
│ │ ├── nilref_nil_darwin.go
│ │ ├── nilref_zero_darwin.go
│ │ ├── root.go
│ │ ├── root_bsd.go
│ │ ├── root_cgo_darwin.go
│ │ ├── root_darwin.go
│ │ ├── root_darwin_armx.go
│ │ ├── root_darwin_test.go
│ │ ├── root_linux.go
│ │ ├── root_nacl.go
│ │ ├── root_nocgo_darwin.go
│ │ ├── root_plan9.go
│ │ ├── root_solaris.go
│ │ ├── root_unix.go
│ │ └── root_windows.go
│ └── transport_test.go
├── ubiquity/
│ ├── filter.go
│ ├── performance.go
│ ├── sha1.go
│ ├── testdata/
│ │ ├── ca.pem.metadata
│ │ ├── ecdsa256sha2.pem
│ │ ├── ecdsa384sha2.pem
│ │ ├── ecdsa521sha2.pem
│ │ ├── godzilla.pem
│ │ ├── macrosoft.pem
│ │ ├── pineapple.pem
│ │ ├── rsa1024sha1.pem
│ │ ├── rsa2048sha2.pem
│ │ ├── rsa3072sha2.pem
│ │ └── rsa4096sha2.pem
│ ├── ubiquity_crypto.go
│ ├── ubiquity_platform.go
│ └── ubiquity_test.go
├── vendor/
│ ├── bitbucket.org/
│ │ └── liamstask/
│ │ └── goose/
│ │ ├── cmd/
│ │ │ └── goose/
│ │ │ ├── cmd.go
│ │ │ ├── cmd_create.go
│ │ │ ├── cmd_dbversion.go
│ │ │ ├── cmd_down.go
│ │ │ ├── cmd_redo.go
│ │ │ ├── cmd_status.go
│ │ │ ├── cmd_up.go
│ │ │ └── main.go
│ │ └── lib/
│ │ └── goose/
│ │ ├── dbconf.go
│ │ ├── dialect.go
│ │ ├── migrate.go
│ │ ├── migration_go.go
│ │ ├── migration_sql.go
│ │ └── util.go
│ ├── filippo.io/
│ │ └── edwards25519/
│ │ ├── LICENSE
│ │ ├── README.md
│ │ ├── doc.go
│ │ ├── edwards25519.go
│ │ ├── extra.go
│ │ ├── field/
│ │ │ ├── fe.go
│ │ │ ├── fe_amd64.go
│ │ │ ├── fe_amd64.s
│ │ │ ├── fe_amd64_noasm.go
│ │ │ ├── fe_arm64.go
│ │ │ ├── fe_arm64.s
│ │ │ ├── fe_arm64_noasm.go
│ │ │ ├── fe_extra.go
│ │ │ └── fe_generic.go
│ │ ├── scalar.go
│ │ ├── scalar_fiat.go
│ │ ├── scalarmult.go
│ │ └── tables.go
│ ├── github.com/
│ │ ├── beorn7/
│ │ │ └── perks/
│ │ │ ├── LICENSE
│ │ │ └── quantile/
│ │ │ ├── exampledata.txt
│ │ │ └── stream.go
│ │ ├── cespare/
│ │ │ └── xxhash/
│ │ │ └── v2/
│ │ │ ├── LICENSE.txt
│ │ │ ├── README.md
│ │ │ ├── testall.sh
│ │ │ ├── xxhash.go
│ │ │ ├── xxhash_amd64.s
│ │ │ ├── xxhash_arm64.s
│ │ │ ├── xxhash_asm.go
│ │ │ ├── xxhash_other.go
│ │ │ ├── xxhash_safe.go
│ │ │ └── xxhash_unsafe.go
│ │ ├── cloudflare/
│ │ │ ├── backoff/
│ │ │ │ ├── .travis.yml
│ │ │ │ ├── LICENSE
│ │ │ │ ├── README.md
│ │ │ │ └── backoff.go
│ │ │ └── redoctober/
│ │ │ ├── LICENSE.md
│ │ │ ├── client/
│ │ │ │ └── client.go
│ │ │ ├── config/
│ │ │ │ └── config.go
│ │ │ ├── core/
│ │ │ │ └── core.go
│ │ │ ├── cryptor/
│ │ │ │ └── cryptor.go
│ │ │ ├── ecdh/
│ │ │ │ └── ecdh.go
│ │ │ ├── hipchat/
│ │ │ │ └── hipchat.go
│ │ │ ├── keycache/
│ │ │ │ └── keycache.go
│ │ │ ├── msp/
│ │ │ │ ├── README.md
│ │ │ │ ├── formatted.go
│ │ │ │ ├── matrix.go
│ │ │ │ ├── msp.go
│ │ │ │ ├── number.go
│ │ │ │ └── raw.go
│ │ │ ├── order/
│ │ │ │ └── order.go
│ │ │ ├── padding/
│ │ │ │ └── padding.go
│ │ │ ├── passvault/
│ │ │ │ └── passvault.go
│ │ │ ├── persist/
│ │ │ │ ├── file.go
│ │ │ │ ├── null.go
│ │ │ │ └── persist.go
│ │ │ ├── report/
│ │ │ │ └── report.go
│ │ │ └── symcrypt/
│ │ │ └── symcrypt.go
│ │ ├── getsentry/
│ │ │ └── sentry-go/
│ │ │ ├── .craft.yml
│ │ │ ├── .gitattributes
│ │ │ ├── .gitignore
│ │ │ ├── .golangci.yml
│ │ │ ├── CHANGELOG.md
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── LICENSE
│ │ │ ├── MIGRATION.md
│ │ │ ├── README.md
│ │ │ ├── client.go
│ │ │ ├── doc.go
│ │ │ ├── dsn.go
│ │ │ ├── hub.go
│ │ │ ├── integrations.go
│ │ │ ├── interfaces.go
│ │ │ ├── internal/
│ │ │ │ ├── crypto/
│ │ │ │ │ └── randutil/
│ │ │ │ │ └── randutil.go
│ │ │ │ ├── debug/
│ │ │ │ │ └── transport.go
│ │ │ │ └── ratelimit/
│ │ │ │ ├── category.go
│ │ │ │ ├── deadline.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── map.go
│ │ │ │ ├── rate_limits.go
│ │ │ │ └── retry_after.go
│ │ │ ├── scope.go
│ │ │ ├── sentry.go
│ │ │ ├── sourcereader.go
│ │ │ ├── span_recorder.go
│ │ │ ├── stacktrace.go
│ │ │ ├── traces_sampler.go
│ │ │ ├── tracing.go
│ │ │ ├── transport.go
│ │ │ └── util.go
│ │ ├── go-logr/
│ │ │ └── logr/
│ │ │ ├── .golangci.yaml
│ │ │ ├── CHANGELOG.md
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── SECURITY.md
│ │ │ ├── context.go
│ │ │ ├── context_noslog.go
│ │ │ ├── context_slog.go
│ │ │ ├── discard.go
│ │ │ ├── logr.go
│ │ │ ├── sloghandler.go
│ │ │ ├── slogr.go
│ │ │ └── slogsink.go
│ │ ├── go-sql-driver/
│ │ │ └── mysql/
│ │ │ ├── .gitignore
│ │ │ ├── AUTHORS
│ │ │ ├── CHANGELOG.md
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── atomic_bool.go
│ │ │ ├── atomic_bool_go118.go
│ │ │ ├── auth.go
│ │ │ ├── buffer.go
│ │ │ ├── collations.go
│ │ │ ├── conncheck.go
│ │ │ ├── conncheck_dummy.go
│ │ │ ├── connection.go
│ │ │ ├── connector.go
│ │ │ ├── const.go
│ │ │ ├── driver.go
│ │ │ ├── dsn.go
│ │ │ ├── errors.go
│ │ │ ├── fields.go
│ │ │ ├── infile.go
│ │ │ ├── nulltime.go
│ │ │ ├── packets.go
│ │ │ ├── result.go
│ │ │ ├── rows.go
│ │ │ ├── statement.go
│ │ │ ├── transaction.go
│ │ │ └── utils.go
│ │ ├── google/
│ │ │ └── certificate-transparency-go/
│ │ │ ├── .gitignore
│ │ │ ├── .golangci.yaml
│ │ │ ├── AUTHORS
│ │ │ ├── CHANGELOG.md
│ │ │ ├── CODEOWNERS
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── CONTRIBUTORS
│ │ │ ├── LICENSE
│ │ │ ├── PULL_REQUEST_TEMPLATE.md
│ │ │ ├── README.md
│ │ │ ├── asn1/
│ │ │ │ ├── README.md
│ │ │ │ ├── asn1.go
│ │ │ │ ├── common.go
│ │ │ │ └── marshal.go
│ │ │ ├── client/
│ │ │ │ ├── configpb/
│ │ │ │ │ ├── multilog.pb.go
│ │ │ │ │ └── multilog.proto
│ │ │ │ ├── getentries.go
│ │ │ │ ├── logclient.go
│ │ │ │ └── multilog.go
│ │ │ ├── cloudbuild.yaml
│ │ │ ├── cloudbuild_master.yaml
│ │ │ ├── cloudbuild_tag.yaml
│ │ │ ├── codecov.yml
│ │ │ ├── jsonclient/
│ │ │ │ ├── backoff.go
│ │ │ │ └── client.go
│ │ │ ├── proto_gen.go
│ │ │ ├── serialization.go
│ │ │ ├── signatures.go
│ │ │ ├── tls/
│ │ │ │ ├── signature.go
│ │ │ │ ├── tls.go
│ │ │ │ └── types.go
│ │ │ ├── types.go
│ │ │ └── x509/
│ │ │ ├── README.md
│ │ │ ├── cert_pool.go
│ │ │ ├── curves.go
│ │ │ ├── error.go
│ │ │ ├── errors.go
│ │ │ ├── names.go
│ │ │ ├── pem_decrypt.go
│ │ │ ├── pkcs1.go
│ │ │ ├── pkcs8.go
│ │ │ ├── pkix/
│ │ │ │ └── pkix.go
│ │ │ ├── ptr_sysptr_windows.go
│ │ │ ├── ptr_uint_windows.go
│ │ │ ├── revoked.go
│ │ │ ├── root.go
│ │ │ ├── root_aix.go
│ │ │ ├── root_bsd.go
│ │ │ ├── root_cgo_darwin.go
│ │ │ ├── root_darwin.go
│ │ │ ├── root_darwin_armx.go
│ │ │ ├── root_js.go
│ │ │ ├── root_linux.go
│ │ │ ├── root_nocgo_darwin.go
│ │ │ ├── root_plan9.go
│ │ │ ├── root_solaris.go
│ │ │ ├── root_unix.go
│ │ │ ├── root_wasip1.go
│ │ │ ├── root_windows.go
│ │ │ ├── root_zos.go
│ │ │ ├── rpki.go
│ │ │ ├── sec1.go
│ │ │ ├── test-dir.crt
│ │ │ ├── test-file.crt
│ │ │ ├── verify.go
│ │ │ └── x509.go
│ │ ├── jmhodges/
│ │ │ └── clock/
│ │ │ ├── .travis.yml
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── clock.go
│ │ │ └── timer.go
│ │ ├── jmoiron/
│ │ │ └── sqlx/
│ │ │ ├── .gitignore
│ │ │ ├── .travis.yml
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── bind.go
│ │ │ ├── doc.go
│ │ │ ├── named.go
│ │ │ ├── named_context.go
│ │ │ ├── reflectx/
│ │ │ │ ├── README.md
│ │ │ │ └── reflect.go
│ │ │ ├── sqlx.go
│ │ │ ├── sqlx_context.go
│ │ │ └── types/
│ │ │ ├── README.md
│ │ │ └── types.go
│ │ ├── kisielk/
│ │ │ └── sqlstruct/
│ │ │ ├── .gitignore
│ │ │ ├── .travis.yml
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ └── sqlstruct.go
│ │ ├── kylelemons/
│ │ │ └── go-gypsy/
│ │ │ ├── LICENSE
│ │ │ └── yaml/
│ │ │ ├── config.go
│ │ │ ├── doc.go
│ │ │ ├── parser.go
│ │ │ └── types.go
│ │ ├── lib/
│ │ │ └── pq/
│ │ │ ├── .gitignore
│ │ │ ├── LICENSE.md
│ │ │ ├── README.md
│ │ │ ├── TESTS.md
│ │ │ ├── array.go
│ │ │ ├── buf.go
│ │ │ ├── conn.go
│ │ │ ├── conn_go115.go
│ │ │ ├── conn_go18.go
│ │ │ ├── connector.go
│ │ │ ├── copy.go
│ │ │ ├── doc.go
│ │ │ ├── encode.go
│ │ │ ├── error.go
│ │ │ ├── krb.go
│ │ │ ├── notice.go
│ │ │ ├── notify.go
│ │ │ ├── oid/
│ │ │ │ ├── doc.go
│ │ │ │ └── types.go
│ │ │ ├── rows.go
│ │ │ ├── scram/
│ │ │ │ └── scram.go
│ │ │ ├── ssl.go
│ │ │ ├── ssl_permissions.go
│ │ │ ├── ssl_windows.go
│ │ │ ├── url.go
│ │ │ ├── user_other.go
│ │ │ ├── user_posix.go
│ │ │ ├── user_windows.go
│ │ │ └── uuid.go
│ │ ├── mattn/
│ │ │ └── go-sqlite3/
│ │ │ ├── .codecov.yml
│ │ │ ├── .gitignore
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── backup.go
│ │ │ ├── callback.go
│ │ │ ├── convert.go
│ │ │ ├── doc.go
│ │ │ ├── error.go
│ │ │ ├── sqlite3-binding.c
│ │ │ ├── sqlite3-binding.h
│ │ │ ├── sqlite3.go
│ │ │ ├── sqlite3_context.go
│ │ │ ├── sqlite3_func_crypt.go
│ │ │ ├── sqlite3_go18.go
│ │ │ ├── sqlite3_libsqlite3.go
│ │ │ ├── sqlite3_load_extension.go
│ │ │ ├── sqlite3_load_extension_omit.go
│ │ │ ├── sqlite3_opt_allow_uri_authority.go
│ │ │ ├── sqlite3_opt_app_armor.go
│ │ │ ├── sqlite3_opt_column_metadata.go
│ │ │ ├── sqlite3_opt_foreign_keys.go
│ │ │ ├── sqlite3_opt_fts5.go
│ │ │ ├── sqlite3_opt_icu.go
│ │ │ ├── sqlite3_opt_introspect.go
│ │ │ ├── sqlite3_opt_math_functions.go
│ │ │ ├── sqlite3_opt_os_trace.go
│ │ │ ├── sqlite3_opt_preupdate.go
│ │ │ ├── sqlite3_opt_preupdate_hook.go
│ │ │ ├── sqlite3_opt_preupdate_omit.go
│ │ │ ├── sqlite3_opt_secure_delete.go
│ │ │ ├── sqlite3_opt_secure_delete_fast.go
│ │ │ ├── sqlite3_opt_serialize.go
│ │ │ ├── sqlite3_opt_serialize_omit.go
│ │ │ ├── sqlite3_opt_stat4.go
│ │ │ ├── sqlite3_opt_unlock_notify.c
│ │ │ ├── sqlite3_opt_unlock_notify.go
│ │ │ ├── sqlite3_opt_userauth.go
│ │ │ ├── sqlite3_opt_userauth_omit.go
│ │ │ ├── sqlite3_opt_vacuum_full.go
│ │ │ ├── sqlite3_opt_vacuum_incr.go
│ │ │ ├── sqlite3_opt_vtable.go
│ │ │ ├── sqlite3_other.go
│ │ │ ├── sqlite3_solaris.go
│ │ │ ├── sqlite3_trace.go
│ │ │ ├── sqlite3_type.go
│ │ │ ├── sqlite3_usleep_windows.go
│ │ │ ├── sqlite3_windows.go
│ │ │ ├── sqlite3ext.h
│ │ │ └── static_mock.go
│ │ ├── pelletier/
│ │ │ └── go-toml/
│ │ │ ├── .dockerignore
│ │ │ ├── .gitignore
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── Dockerfile
│ │ │ ├── LICENSE
│ │ │ ├── Makefile
│ │ │ ├── PULL_REQUEST_TEMPLATE.md
│ │ │ ├── README.md
│ │ │ ├── azure-pipelines.yml
│ │ │ ├── benchmark.sh
│ │ │ ├── doc.go
│ │ │ ├── example-crlf.toml
│ │ │ ├── example.toml
│ │ │ ├── fuzz.go
│ │ │ ├── fuzz.sh
│ │ │ ├── keysparsing.go
│ │ │ ├── lexer.go
│ │ │ ├── localtime.go
│ │ │ ├── marshal.go
│ │ │ ├── marshal_OrderPreserve_test.toml
│ │ │ ├── marshal_test.toml
│ │ │ ├── parser.go
│ │ │ ├── position.go
│ │ │ ├── token.go
│ │ │ ├── toml.go
│ │ │ ├── tomlpub.go
│ │ │ ├── tomltree_create.go
│ │ │ ├── tomltree_write.go
│ │ │ └── tomltree_writepub.go
│ │ ├── prometheus/
│ │ │ ├── client_golang/
│ │ │ │ ├── LICENSE
│ │ │ │ ├── NOTICE
│ │ │ │ └── prometheus/
│ │ │ │ ├── .gitignore
│ │ │ │ ├── README.md
│ │ │ │ ├── build_info_collector.go
│ │ │ │ ├── collector.go
│ │ │ │ ├── counter.go
│ │ │ │ ├── desc.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── expvar_collector.go
│ │ │ │ ├── fnv.go
│ │ │ │ ├── gauge.go
│ │ │ │ ├── get_pid.go
│ │ │ │ ├── get_pid_gopherjs.go
│ │ │ │ ├── go_collector.go
│ │ │ │ ├── go_collector_go116.go
│ │ │ │ ├── go_collector_latest.go
│ │ │ │ ├── histogram.go
│ │ │ │ ├── internal/
│ │ │ │ │ ├── almost_equal.go
│ │ │ │ │ ├── difflib.go
│ │ │ │ │ ├── go_collector_options.go
│ │ │ │ │ ├── go_runtime_metrics.go
│ │ │ │ │ └── metric.go
│ │ │ │ ├── labels.go
│ │ │ │ ├── metric.go
│ │ │ │ ├── num_threads.go
│ │ │ │ ├── num_threads_gopherjs.go
│ │ │ │ ├── observer.go
│ │ │ │ ├── process_collector.go
│ │ │ │ ├── process_collector_js.go
│ │ │ │ ├── process_collector_other.go
│ │ │ │ ├── process_collector_wasip1.go
│ │ │ │ ├── process_collector_windows.go
│ │ │ │ ├── promauto/
│ │ │ │ │ └── auto.go
│ │ │ │ ├── promhttp/
│ │ │ │ │ ├── delegator.go
│ │ │ │ │ ├── http.go
│ │ │ │ │ ├── instrument_client.go
│ │ │ │ │ ├── instrument_server.go
│ │ │ │ │ └── option.go
│ │ │ │ ├── registry.go
│ │ │ │ ├── summary.go
│ │ │ │ ├── timer.go
│ │ │ │ ├── untyped.go
│ │ │ │ ├── value.go
│ │ │ │ ├── vec.go
│ │ │ │ ├── vnext.go
│ │ │ │ └── wrap.go
│ │ │ ├── client_model/
│ │ │ │ ├── LICENSE
│ │ │ │ ├── NOTICE
│ │ │ │ └── go/
│ │ │ │ └── metrics.pb.go
│ │ │ ├── common/
│ │ │ │ ├── LICENSE
│ │ │ │ ├── NOTICE
│ │ │ │ ├── expfmt/
│ │ │ │ │ ├── decode.go
│ │ │ │ │ ├── encode.go
│ │ │ │ │ ├── expfmt.go
│ │ │ │ │ ├── fuzz.go
│ │ │ │ │ ├── openmetrics_create.go
│ │ │ │ │ ├── text_create.go
│ │ │ │ │ └── text_parse.go
│ │ │ │ ├── internal/
│ │ │ │ │ └── bitbucket.org/
│ │ │ │ │ └── ww/
│ │ │ │ │ └── goautoneg/
│ │ │ │ │ ├── README.txt
│ │ │ │ │ └── autoneg.go
│ │ │ │ └── model/
│ │ │ │ ├── alert.go
│ │ │ │ ├── fingerprinting.go
│ │ │ │ ├── fnv.go
│ │ │ │ ├── labels.go
│ │ │ │ ├── labelset.go
│ │ │ │ ├── metadata.go
│ │ │ │ ├── metric.go
│ │ │ │ ├── model.go
│ │ │ │ ├── signature.go
│ │ │ │ ├── silence.go
│ │ │ │ ├── time.go
│ │ │ │ ├── value.go
│ │ │ │ ├── value_float.go
│ │ │ │ ├── value_histogram.go
│ │ │ │ └── value_type.go
│ │ │ └── procfs/
│ │ │ ├── .gitignore
│ │ │ ├── .golangci.yml
│ │ │ ├── CODE_OF_CONDUCT.md
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── LICENSE
│ │ │ ├── MAINTAINERS.md
│ │ │ ├── Makefile
│ │ │ ├── Makefile.common
│ │ │ ├── NOTICE
│ │ │ ├── README.md
│ │ │ ├── SECURITY.md
│ │ │ ├── arp.go
│ │ │ ├── buddyinfo.go
│ │ │ ├── cmdline.go
│ │ │ ├── cpuinfo.go
│ │ │ ├── cpuinfo_armx.go
│ │ │ ├── cpuinfo_loong64.go
│ │ │ ├── cpuinfo_mipsx.go
│ │ │ ├── cpuinfo_others.go
│ │ │ ├── cpuinfo_ppcx.go
│ │ │ ├── cpuinfo_riscvx.go
│ │ │ ├── cpuinfo_s390x.go
│ │ │ ├── cpuinfo_x86.go
│ │ │ ├── crypto.go
│ │ │ ├── doc.go
│ │ │ ├── fs.go
│ │ │ ├── fs_statfs_notype.go
│ │ │ ├── fs_statfs_type.go
│ │ │ ├── fscache.go
│ │ │ ├── internal/
│ │ │ │ ├── fs/
│ │ │ │ │ └── fs.go
│ │ │ │ └── util/
│ │ │ │ ├── parse.go
│ │ │ │ ├── readfile.go
│ │ │ │ ├── sysreadfile.go
│ │ │ │ ├── sysreadfile_compat.go
│ │ │ │ └── valueparser.go
│ │ │ ├── ipvs.go
│ │ │ ├── kernel_random.go
│ │ │ ├── loadavg.go
│ │ │ ├── mdstat.go
│ │ │ ├── meminfo.go
│ │ │ ├── mountinfo.go
│ │ │ ├── mountstats.go
│ │ │ ├── net_conntrackstat.go
│ │ │ ├── net_dev.go
│ │ │ ├── net_ip_socket.go
│ │ │ ├── net_protocols.go
│ │ │ ├── net_route.go
│ │ │ ├── net_sockstat.go
│ │ │ ├── net_softnet.go
│ │ │ ├── net_tcp.go
│ │ │ ├── net_udp.go
│ │ │ ├── net_unix.go
│ │ │ ├── net_wireless.go
│ │ │ ├── net_xfrm.go
│ │ │ ├── netstat.go
│ │ │ ├── proc.go
│ │ │ ├── proc_cgroup.go
│ │ │ ├── proc_cgroups.go
│ │ │ ├── proc_environ.go
│ │ │ ├── proc_fdinfo.go
│ │ │ ├── proc_interrupts.go
│ │ │ ├── proc_io.go
│ │ │ ├── proc_limits.go
│ │ │ ├── proc_maps.go
│ │ │ ├── proc_netstat.go
│ │ │ ├── proc_ns.go
│ │ │ ├── proc_psi.go
│ │ │ ├── proc_smaps.go
│ │ │ ├── proc_snmp.go
│ │ │ ├── proc_snmp6.go
│ │ │ ├── proc_stat.go
│ │ │ ├── proc_status.go
│ │ │ ├── proc_sys.go
│ │ │ ├── schedstat.go
│ │ │ ├── slab.go
│ │ │ ├── softirqs.go
│ │ │ ├── stat.go
│ │ │ ├── swaps.go
│ │ │ ├── thread.go
│ │ │ ├── ttar
│ │ │ ├── vm.go
│ │ │ └── zoneinfo.go
│ │ ├── weppos/
│ │ │ └── publicsuffix-go/
│ │ │ ├── LICENSE.txt
│ │ │ └── publicsuffix/
│ │ │ ├── publicsuffix.go
│ │ │ └── rules.go
│ │ ├── ziutek/
│ │ │ └── mymysql/
│ │ │ ├── LICENSE
│ │ │ ├── godrv/
│ │ │ │ ├── appengine.go
│ │ │ │ └── driver.go
│ │ │ ├── mysql/
│ │ │ │ ├── errors.go
│ │ │ │ ├── field.go
│ │ │ │ ├── interface.go
│ │ │ │ ├── row.go
│ │ │ │ ├── types.go
│ │ │ │ └── utils.go
│ │ │ └── native/
│ │ │ ├── LICENSE
│ │ │ ├── addons.go
│ │ │ ├── binding.go
│ │ │ ├── codecs.go
│ │ │ ├── command.go
│ │ │ ├── common.go
│ │ │ ├── consts.go
│ │ │ ├── init.go
│ │ │ ├── mysql.go
│ │ │ ├── packet.go
│ │ │ ├── paramvalue.go
│ │ │ ├── passwd.go
│ │ │ ├── prepared.go
│ │ │ ├── result.go
│ │ │ └── unsafe.go-disabled
│ │ └── zmap/
│ │ ├── zcrypto/
│ │ │ ├── LICENSE
│ │ │ ├── cryptobyte/
│ │ │ │ ├── NOTICE.md
│ │ │ │ ├── asn1/
│ │ │ │ │ └── asn1.go
│ │ │ │ ├── asn1.go
│ │ │ │ ├── builder.go
│ │ │ │ └── string.go
│ │ │ ├── dsa/
│ │ │ │ └── dsa.go
│ │ │ ├── encoding/
│ │ │ │ └── asn1/
│ │ │ │ ├── README.md
│ │ │ │ ├── asn1.go
│ │ │ │ ├── common.go
│ │ │ │ └── marshal.go
│ │ │ ├── internal/
│ │ │ │ └── randutil/
│ │ │ │ └── randutil.go
│ │ │ ├── json/
│ │ │ │ ├── dhe.go
│ │ │ │ ├── ecdhe.go
│ │ │ │ ├── names.go
│ │ │ │ └── rsa.go
│ │ │ ├── util/
│ │ │ │ └── isURL.go
│ │ │ └── x509/
│ │ │ ├── README.md
│ │ │ ├── cert_pool.go
│ │ │ ├── certificate_type.go
│ │ │ ├── chain.go
│ │ │ ├── crl_parser.go
│ │ │ ├── ct/
│ │ │ │ ├── serialization.go
│ │ │ │ └── types.go
│ │ │ ├── example.json
│ │ │ ├── extended_key_usage.go
│ │ │ ├── extended_key_usage_schema.sh
│ │ │ ├── extensions.go
│ │ │ ├── fingerprint.go
│ │ │ ├── generated_certvalidationlevel_string.go
│ │ │ ├── json.go
│ │ │ ├── names.go
│ │ │ ├── pem_decrypt.go
│ │ │ ├── pkcs1.go
│ │ │ ├── pkcs8.go
│ │ │ ├── pkix/
│ │ │ │ ├── json.go
│ │ │ │ ├── oid.go
│ │ │ │ ├── oid_names.go
│ │ │ │ └── pkix.go
│ │ │ ├── qc_statements.go
│ │ │ ├── sec1.go
│ │ │ ├── tor_service_descriptor.go
│ │ │ ├── validation.go
│ │ │ ├── verify.go
│ │ │ └── x509.go
│ │ └── zlint/
│ │ └── v3/
│ │ ├── .goreleaser.yml
│ │ ├── LICENSE
│ │ ├── lint/
│ │ │ ├── base.go
│ │ │ ├── configuration.go
│ │ │ ├── global_configurations.go
│ │ │ ├── lint_lookup.go
│ │ │ ├── profile.go
│ │ │ ├── registration.go
│ │ │ ├── result.go
│ │ │ └── source.go
│ │ ├── lints/
│ │ │ ├── apple/
│ │ │ │ ├── lint_ct_sct_policy_count_unsatisfied.go
│ │ │ │ ├── lint_e_server_cert_valid_time_longer_than_398_days.go
│ │ │ │ ├── lint_w_server_cert_valid_time_longer_than_397_days.go
│ │ │ │ └── time.go
│ │ │ ├── cabf_br/
│ │ │ │ ├── lint_ca_common_name_missing.go
│ │ │ │ ├── lint_ca_country_name_invalid.go
│ │ │ │ ├── lint_ca_country_name_missing.go
│ │ │ │ ├── lint_ca_crl_sign_not_set.go
│ │ │ │ ├── lint_ca_digital_signature_not_set.go
│ │ │ │ ├── lint_ca_is_ca.go
│ │ │ │ ├── lint_ca_key_cert_sign_not_set.go
│ │ │ │ ├── lint_ca_key_usage_missing.go
│ │ │ │ ├── lint_ca_key_usage_not_critical.go
│ │ │ │ ├── lint_ca_organization_name_missing.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_locality.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_org.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_postal.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_province.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_street.go
│ │ │ │ ├── lint_cab_iv_requires_personal_name.go
│ │ │ │ ├── lint_cab_ov_requires_org.go
│ │ │ │ ├── lint_cert_policy_iv_requires_country.go
│ │ │ │ ├── lint_cert_policy_iv_requires_province_or_locality.go
│ │ │ │ ├── lint_cert_policy_ov_requires_country.go
│ │ │ │ ├── lint_cert_policy_ov_requires_province_or_locality.go
│ │ │ │ ├── lint_dh_params_missing.go
│ │ │ │ ├── lint_dnsname_bad_character_in_label.go
│ │ │ │ ├── lint_dnsname_check_left_label_wildcard.go
│ │ │ │ ├── lint_dnsname_contains_bare_iana_suffix.go
│ │ │ │ ├── lint_dnsname_contains_empty_label.go
│ │ │ │ ├── lint_dnsname_contains_prohibited_reserved_label.go
│ │ │ │ ├── lint_dnsname_hyphen_in_sld.go
│ │ │ │ ├── lint_dnsname_label_too_long.go
│ │ │ │ ├── lint_dnsname_right_label_valid_tld.go
│ │ │ │ ├── lint_dnsname_underscore_in_sld.go
│ │ │ │ ├── lint_dnsname_underscore_in_trd.go
│ │ │ │ ├── lint_dnsname_wildcard_left_of_public_suffix.go
│ │ │ │ ├── lint_dnsname_wildcard_only_in_left_label.go
│ │ │ │ ├── lint_dsa_correct_order_in_subgroup.go
│ │ │ │ ├── lint_dsa_improper_modulus_or_divisor_size.go
│ │ │ │ ├── lint_dsa_shorter_than_2048_bits.go
│ │ │ │ ├── lint_dsa_unique_correct_representation.go
│ │ │ │ ├── lint_e_sub_ca_aia_missing.go
│ │ │ │ ├── lint_ec_improper_curves.go
│ │ │ │ ├── lint_ext_nc_intersects_reserved_ip.go
│ │ │ │ ├── lint_ext_san_contains_reserved_ip.go
│ │ │ │ ├── lint_ext_san_critical_with_subject_dn.go
│ │ │ │ ├── lint_ext_san_directory_name_present.go
│ │ │ │ ├── lint_ext_san_edi_party_name_present.go
│ │ │ │ ├── lint_ext_san_missing.go
│ │ │ │ ├── lint_ext_san_other_name_present.go
│ │ │ │ ├── lint_ext_san_registered_id_present.go
│ │ │ │ ├── lint_ext_san_rfc822_name_present.go
│ │ │ │ ├── lint_ext_san_uniform_resource_identifier_present.go
│ │ │ │ ├── lint_ext_tor_service_descriptor_hash_invalid.go
│ │ │ │ ├── lint_extra_subject_common_names.go
│ │ │ │ ├── lint_invalid_certificate_version.go
│ │ │ │ ├── lint_no_underscores_before_1_6_2.go
│ │ │ │ ├── lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
│ │ │ │ ├── lint_old_root_ca_rsa_mod_less_than_2048_bits.go
│ │ │ │ ├── lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
│ │ │ │ ├── lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
│ │ │ │ ├── lint_organizational_unit_name_prohibited.go
│ │ │ │ ├── lint_prohibit_dsa_usage.go
│ │ │ │ ├── lint_public_key_type_not_allowed.go
│ │ │ │ ├── lint_root_ca_basic_constraints_path_len_constraint_field_present.go
│ │ │ │ ├── lint_root_ca_contains_cert_policy.go
│ │ │ │ ├── lint_root_ca_extended_key_usage_present.go
│ │ │ │ ├── lint_root_ca_key_usage_must_be_critical.go
│ │ │ │ ├── lint_root_ca_key_usage_present.go
│ │ │ │ ├── lint_rsa_mod_factors_smaller_than_752_bits.go
│ │ │ │ ├── lint_rsa_mod_less_than_2048_bits.go
│ │ │ │ ├── lint_rsa_mod_not_odd.go
│ │ │ │ ├── lint_rsa_public_exponent_not_in_range.go
│ │ │ │ ├── lint_rsa_public_exponent_not_odd.go
│ │ │ │ ├── lint_rsa_public_exponent_too_small.go
│ │ │ │ ├── lint_san_dns_name_onion_invalid.go
│ │ │ │ ├── lint_san_dns_name_onion_not_ev_cert.go
│ │ │ │ ├── lint_signature_algorithm_not_supported.go
│ │ │ │ ├── lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
│ │ │ │ ├── lint_sub_ca_aia_marked_critical.go
│ │ │ │ ├── lint_sub_ca_certificate_policies_marked_critical.go
│ │ │ │ ├── lint_sub_ca_certificate_policies_missing.go
│ │ │ │ ├── lint_sub_ca_crl_distribution_points_does_not_contain_url.go
│ │ │ │ ├── lint_sub_ca_crl_distribution_points_marked_critical.go
│ │ │ │ ├── lint_sub_ca_crl_distribution_points_missing.go
│ │ │ │ ├── lint_sub_ca_eku_critical.go
│ │ │ │ ├── lint_sub_ca_eku_missing.go
│ │ │ │ ├── lint_sub_ca_eku_valid_fields.go
│ │ │ │ ├── lint_sub_ca_name_constraints_not_critical.go
│ │ │ │ ├── lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
│ │ │ │ ├── lint_sub_cert_aia_does_not_contain_ocsp_url.go
│ │ │ │ ├── lint_sub_cert_aia_marked_critical.go
│ │ │ │ ├── lint_sub_cert_aia_missing.go
│ │ │ │ ├── lint_sub_cert_cert_policy_empty.go
│ │ │ │ ├── lint_sub_cert_certificate_policies_marked_critical.go
│ │ │ │ ├── lint_sub_cert_certificate_policies_missing.go
│ │ │ │ ├── lint_sub_cert_country_name_must_appear.go
│ │ │ │ ├── lint_sub_cert_crl_distribution_points_does_not_contain_url.go
│ │ │ │ ├── lint_sub_cert_crl_distribution_points_marked_critical.go
│ │ │ │ ├── lint_sub_cert_eku_extra_values.go
│ │ │ │ ├── lint_sub_cert_eku_missing.go
│ │ │ │ ├── lint_sub_cert_eku_server_auth_client_auth_missing.go
│ │ │ │ ├── lint_sub_cert_gn_sn_contains_policy.go
│ │ │ │ ├── lint_sub_cert_is_ca.go
│ │ │ │ ├── lint_sub_cert_key_usage_cert_sign_bit_set.go
│ │ │ │ ├── lint_sub_cert_key_usage_crl_sign_bit_set.go
│ │ │ │ ├── lint_sub_cert_locality_name_must_appear.go
│ │ │ │ ├── lint_sub_cert_locality_name_must_not_appear.go
│ │ │ │ ├── lint_sub_cert_or_sub_ca_using_sha1.go
│ │ │ │ ├── lint_sub_cert_postal_code_prohibited.go
│ │ │ │ ├── lint_sub_cert_province_must_appear.go
│ │ │ │ ├── lint_sub_cert_province_must_not_appear.go
│ │ │ │ ├── lint_sub_cert_sha1_expiration_too_long.go
│ │ │ │ ├── lint_sub_cert_street_address_should_not_exist.go
│ │ │ │ ├── lint_sub_cert_valid_time_longer_than_39_months.go
│ │ │ │ ├── lint_sub_cert_valid_time_longer_than_825_days.go
│ │ │ │ ├── lint_subject_common_name_included.go
│ │ │ │ ├── lint_subject_common_name_not_exactly_from_san.go
│ │ │ │ ├── lint_subject_common_name_not_from_san.go
│ │ │ │ ├── lint_subject_contains_malformed_arpa_ip.go
│ │ │ │ ├── lint_subject_contains_noninformational_value.go
│ │ │ │ ├── lint_subject_contains_organizational_unit_name_and_no_organization_name.go
│ │ │ │ ├── lint_subject_contains_reserved_arpa_ip.go
│ │ │ │ ├── lint_subject_contains_reserved_ip.go
│ │ │ │ ├── lint_subject_country_not_iso.go
│ │ │ │ ├── lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go
│ │ │ │ ├── lint_underscore_not_permissible_in_dnsname.go
│ │ │ │ └── lint_w_sub_ca_aia_missing.go
│ │ │ ├── cabf_ev/
│ │ │ │ ├── lint_ev_business_category_missing.go
│ │ │ │ ├── lint_ev_country_name_missing.go
│ │ │ │ ├── lint_ev_not_wildcard.go
│ │ │ │ ├── lint_ev_organization_id_missing.go
│ │ │ │ ├── lint_ev_organization_name_missing.go
│ │ │ │ ├── lint_ev_san_ip_address_present.go
│ │ │ │ ├── lint_ev_serial_number_missing.go
│ │ │ │ ├── lint_ev_valid_time_too_long.go
│ │ │ │ └── lint_onion_subject_validity_time_too_large.go
│ │ │ ├── community/
│ │ │ │ ├── lint_ian_bare_wildcard.go
│ │ │ │ ├── lint_ian_dns_name_includes_null_char.go
│ │ │ │ ├── lint_ian_dns_name_starts_with_period.go
│ │ │ │ ├── lint_ian_iana_pub_suffix_empty.go
│ │ │ │ ├── lint_ian_wildcard_not_first.go
│ │ │ │ ├── lint_is_redacted_cert.go
│ │ │ │ ├── lint_issuer_dn_leading_whitespace.go
│ │ │ │ ├── lint_issuer_dn_trailing_whitespace.go
│ │ │ │ ├── lint_issuer_multiple_rdn.go
│ │ │ │ ├── lint_rsa_exp_negative.go
│ │ │ │ ├── lint_rsa_fermat_factorization.go
│ │ │ │ ├── lint_rsa_no_public_key.go
│ │ │ │ ├── lint_san_bare_wildcard.go
│ │ │ │ ├── lint_san_dns_name_duplicate.go
│ │ │ │ ├── lint_san_dns_name_includes_null_char.go
│ │ │ │ ├── lint_san_dns_name_starts_with_period.go
│ │ │ │ ├── lint_san_iana_pub_suffix_empty.go
│ │ │ │ ├── lint_san_wildcard_not_first.go
│ │ │ │ ├── lint_subject_dn_leading_whitespace.go
│ │ │ │ ├── lint_subject_dn_trailing_whitespace.go
│ │ │ │ ├── lint_subject_multiple_rdn.go
│ │ │ │ └── lint_validity_time_not_positive.go
│ │ │ ├── etsi/
│ │ │ │ ├── lint_qcstatem_etsi_present_qcs_critical.go
│ │ │ │ ├── lint_qcstatem_etsi_type_as_statem.go
│ │ │ │ ├── lint_qcstatem_mandatory_etsi_statems.go
│ │ │ │ ├── lint_qcstatem_qccompliance_valid.go
│ │ │ │ ├── lint_qcstatem_qclimitvalue_valid.go
│ │ │ │ ├── lint_qcstatem_qcpds_lang_case.go
│ │ │ │ ├── lint_qcstatem_qcpds_valid.go
│ │ │ │ ├── lint_qcstatem_qcretentionperiod_valid.go
│ │ │ │ ├── lint_qcstatem_qcsscd_valid.go
│ │ │ │ ├── lint_qcstatem_qctype_valid.go
│ │ │ │ └── lint_qcstatem_qctype_web.go
│ │ │ ├── mozilla/
│ │ │ │ ├── lint_e_prohibit_dsa_usage.go
│ │ │ │ ├── lint_mp_allowed_eku.go
│ │ │ │ ├── lint_mp_authority_key_identifier_correct.go
│ │ │ │ ├── lint_mp_ecdsa_pub_key_encoding_correct.go
│ │ │ │ ├── lint_mp_ecdsa_signature_encoding_correct.go
│ │ │ │ ├── lint_mp_exponent_cannot_be_one.go
│ │ │ │ ├── lint_mp_modulus_must_be_2048_bits_or_more.go
│ │ │ │ ├── lint_mp_modulus_must_be_divisible_by_8.go
│ │ │ │ ├── lint_mp_pss_parameters_encoding_correct.go
│ │ │ │ └── lint_mp_rsassa-pss_in_spki.go
│ │ │ └── rfc/
│ │ │ ├── lint_basic_constraints_not_critical.go
│ │ │ ├── lint_ca_subject_field_empty.go
│ │ │ ├── lint_cert_contains_unique_identifier.go
│ │ │ ├── lint_cert_extensions_version_not_3.go
│ │ │ ├── lint_cert_unique_identifier_version_not_2_or_3.go
│ │ │ ├── lint_crl_has_next_update.go
│ │ │ ├── lint_distribution_point_incomplete.go
│ │ │ ├── lint_distribution_point_missing_ldap_or_uri.go
│ │ │ ├── lint_dnsname_contains_empty_label.go
│ │ │ ├── lint_dnsname_hyphen_in_sld.go
│ │ │ ├── lint_dnsname_label_too_long.go
│ │ │ ├── lint_dnsname_underscore_in_sld.go
│ │ │ ├── lint_dnsname_underscore_in_trd.go
│ │ │ ├── lint_ecdsa_allowed_ku.go
│ │ │ ├── lint_ecdsa_ee_invalid_ku.go
│ │ │ ├── lint_eku_critical_improperly.go
│ │ │ ├── lint_ext_aia_access_location_missing.go
│ │ │ ├── lint_ext_aia_marked_critical.go
│ │ │ ├── lint_ext_authority_key_identifier_critical.go
│ │ │ ├── lint_ext_authority_key_identifier_missing.go
│ │ │ ├── lint_ext_authority_key_identifier_no_key_identifier.go
│ │ │ ├── lint_ext_cert_policy_contains_noticeref.go
│ │ │ ├── lint_ext_cert_policy_disallowed_any_policy_qualifier.go
│ │ │ ├── lint_ext_cert_policy_duplicate.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_ia5_string.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_includes_control.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_not_nfc.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_not_utf8.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_too_long.go
│ │ │ ├── lint_ext_crl_distribution_marked_critical.go
│ │ │ ├── lint_ext_duplicate_extension.go
│ │ │ ├── lint_ext_freshest_crl_marked_critical.go
│ │ │ ├── lint_ext_ian_critical.go
│ │ │ ├── lint_ext_ian_dns_not_ia5_string.go
│ │ │ ├── lint_ext_ian_empty_name.go
│ │ │ ├── lint_ext_ian_no_entries.go
│ │ │ ├── lint_ext_ian_rfc822_format_invalid.go
│ │ │ ├── lint_ext_ian_space_dns_name.go
│ │ │ ├── lint_ext_ian_uri_format_invalid.go
│ │ │ ├── lint_ext_ian_uri_host_not_fqdn_or_ip.go
│ │ │ ├── lint_ext_ian_uri_not_ia5.go
│ │ │ ├── lint_ext_ian_uri_relative.go
│ │ │ ├── lint_ext_key_usage_cert_sign_without_ca.go
│ │ │ ├── lint_ext_key_usage_not_critical.go
│ │ │ ├── lint_ext_key_usage_without_bits.go
│ │ │ ├── lint_ext_name_constraints_not_critical.go
│ │ │ ├── lint_ext_name_constraints_not_in_ca.go
│ │ │ ├── lint_ext_policy_constraints_empty.go
│ │ │ ├── lint_ext_policy_constraints_not_critical.go
│ │ │ ├── lint_ext_policy_map_any_policy.go
│ │ │ ├── lint_ext_policy_map_not_critical.go
│ │ │ ├── lint_ext_policy_map_not_in_cert_policy.go
│ │ │ ├── lint_ext_san_dns_name_too_long.go
│ │ │ ├── lint_ext_san_dns_not_ia5_string.go
│ │ │ ├── lint_ext_san_empty_name.go
│ │ │ ├── lint_ext_san_no_entries.go
│ │ │ ├── lint_ext_san_not_critical_without_subject.go
│ │ │ ├── lint_ext_san_rfc822_format_invalid.go
│ │ │ ├── lint_ext_san_space_dns_name.go
│ │ │ ├── lint_ext_san_uri_format_invalid.go
│ │ │ ├── lint_ext_san_uri_host_not_fqdn_or_ip.go
│ │ │ ├── lint_ext_san_uri_not_ia5.go
│ │ │ ├── lint_ext_san_uri_relative.go
│ │ │ ├── lint_ext_subject_directory_attr_critical.go
│ │ │ ├── lint_ext_subject_key_identifier_critical.go
│ │ │ ├── lint_ext_subject_key_identifier_missing_ca.go
│ │ │ ├── lint_ext_subject_key_identifier_missing_sub_cert.go
│ │ │ ├── lint_generalized_time_does_not_include_seconds.go
│ │ │ ├── lint_generalized_time_includes_fraction_seconds.go
│ │ │ ├── lint_generalized_time_not_in_zulu.go
│ │ │ ├── lint_idn_dnsname_malformed_unicode.go
│ │ │ ├── lint_idn_dnsname_must_be_nfc.go
│ │ │ ├── lint_incorrect_ku_encoding.go
│ │ │ ├── lint_inhibit_any_policy_not_critical.go
│ │ │ ├── lint_issuer_dn_country_not_printable_string.go
│ │ │ ├── lint_issuer_field_empty.go
│ │ │ ├── lint_key_usage_incorrect_length.go
│ │ │ ├── lint_name_constraint_empty.go
│ │ │ ├── lint_name_constraint_maximum_not_absent.go
│ │ │ ├── lint_name_constraint_minimum_non_zero.go
│ │ │ ├── lint_name_constraint_not_fqdn.go
│ │ │ ├── lint_name_constraint_on_edi_party_name.go
│ │ │ ├── lint_name_constraint_on_registered_id.go
│ │ │ ├── lint_name_constraint_on_x400.go
│ │ │ ├── lint_path_len_constraint_improperly_included.go
│ │ │ ├── lint_path_len_constraint_zero_or_less.go
│ │ │ ├── lint_rsa_allowed_ku_ca.go
│ │ │ ├── lint_rsa_allowed_ku_ee.go
│ │ │ ├── lint_rsa_allowed_ku_no_encipherment_ca.go
│ │ │ ├── lint_serial_number_longer_than_20_octets.go
│ │ │ ├── lint_serial_number_not_positive.go
│ │ │ ├── lint_spki_rsa_encryption_parameter_not_null.go
│ │ │ ├── lint_subject_common_name_max_length.go
│ │ │ ├── lint_subject_dn_country_not_printable_string.go
│ │ │ ├── lint_subject_dn_not_printable_characters.go
│ │ │ ├── lint_subject_dn_serial_number_max_length.go
│ │ │ ├── lint_subject_dn_serial_number_not_printable_string.go
│ │ │ ├── lint_subject_email_max_length.go
│ │ │ ├── lint_subject_empty_without_san.go
│ │ │ ├── lint_subject_given_name_max_length.go
│ │ │ ├── lint_subject_given_name_recommended_max_length.go
│ │ │ ├── lint_subject_info_access_marked_critical.go
│ │ │ ├── lint_subject_locality_name_max_length.go
│ │ │ ├── lint_subject_not_dn.go
│ │ │ ├── lint_subject_organization_name_max_length.go
│ │ │ ├── lint_subject_organizational_unit_name_max_length.go
│ │ │ ├── lint_subject_postal_code_max_length.go
│ │ │ ├── lint_subject_printable_string_badalpha.go
│ │ │ ├── lint_subject_state_name_max_length.go
│ │ │ ├── lint_subject_street_address_max_length.go
│ │ │ ├── lint_subject_surname_max_length.go
│ │ │ ├── lint_subject_surname_recommended_max_length.go
│ │ │ ├── lint_superfluous_ku_encoding.go
│ │ │ ├── lint_tbs_signature_alg_matches_cert_signature_alg.go
│ │ │ ├── lint_tbs_signature_rsa_encryption_parameter_not_null.go
│ │ │ ├── lint_utc_time_does_not_include_seconds.go
│ │ │ ├── lint_utc_time_not_in_zulu.go
│ │ │ └── lint_wrong_time_format_pre2050.go
│ │ ├── makefile
│ │ ├── newLint.sh
│ │ ├── newProfile.sh
│ │ ├── profileTemplate
│ │ ├── resultset.go
│ │ ├── template
│ │ ├── util/
│ │ │ ├── algorithm_identifier.go
│ │ │ ├── ca.go
│ │ │ ├── countries.go
│ │ │ ├── eku.go
│ │ │ ├── encodings.go
│ │ │ ├── ev.go
│ │ │ ├── fqdn.go
│ │ │ ├── gtld.go
│ │ │ ├── gtld_map.go
│ │ │ ├── idna.go
│ │ │ ├── ip.go
│ │ │ ├── ku.go
│ │ │ ├── names.go
│ │ │ ├── oid.go
│ │ │ ├── onion.go
│ │ │ ├── primes.go
│ │ │ ├── qc_stmt.go
│ │ │ ├── rdn.go
│ │ │ └── time.go
│ │ └── zlint.go
│ ├── golang.org/
│ │ └── x/
│ │ ├── crypto/
│ │ │ ├── LICENSE
│ │ │ ├── PATENTS
│ │ │ ├── blowfish/
│ │ │ │ ├── block.go
│ │ │ │ ├── cipher.go
│ │ │ │ └── const.go
│ │ │ ├── chacha20/
│ │ │ │ ├── chacha_arm64.go
│ │ │ │ ├── chacha_arm64.s
│ │ │ │ ├── chacha_generic.go
│ │ │ │ ├── chacha_noasm.go
│ │ │ │ ├── chacha_ppc64le.go
│ │ │ │ ├── chacha_ppc64le.s
│ │ │ │ ├── chacha_s390x.go
│ │ │ │ ├── chacha_s390x.s
│ │ │ │ └── xor.go
│ │ │ ├── cryptobyte/
│ │ │ │ ├── asn1/
│ │ │ │ │ └── asn1.go
│ │ │ │ ├── asn1.go
│ │ │ │ ├── builder.go
│ │ │ │ └── string.go
│ │ │ ├── curve25519/
│ │ │ │ ├── curve25519.go
│ │ │ │ ├── curve25519_compat.go
│ │ │ │ ├── curve25519_go120.go
│ │ │ │ └── internal/
│ │ │ │ └── field/
│ │ │ │ ├── README
│ │ │ │ ├── fe.go
│ │ │ │ ├── fe_amd64.go
│ │ │ │ ├── fe_amd64.s
│ │ │ │ ├── fe_amd64_noasm.go
│ │ │ │ ├── fe_arm64.go
│ │ │ │ ├── fe_arm64.s
│ │ │ │ ├── fe_arm64_noasm.go
│ │ │ │ ├── fe_generic.go
│ │ │ │ ├── sync.checkpoint
│ │ │ │ └── sync.sh
│ │ │ ├── ed25519/
│ │ │ │ └── ed25519.go
│ │ │ ├── internal/
│ │ │ │ ├── alias/
│ │ │ │ │ ├── alias.go
│ │ │ │ │ └── alias_purego.go
│ │ │ │ └── poly1305/
│ │ │ │ ├── mac_noasm.go
│ │ │ │ ├── poly1305.go
│ │ │ │ ├── sum_amd64.go
│ │ │ │ ├── sum_amd64.s
│ │ │ │ ├── sum_generic.go
│ │ │ │ ├── sum_ppc64le.go
│ │ │ │ ├── sum_ppc64le.s
│ │ │ │ ├── sum_s390x.go
│ │ │ │ └── sum_s390x.s
│ │ │ ├── ocsp/
│ │ │ │ └── ocsp.go
│ │ │ ├── pbkdf2/
│ │ │ │ └── pbkdf2.go
│ │ │ ├── pkcs12/
│ │ │ │ ├── bmp-string.go
│ │ │ │ ├── crypto.go
│ │ │ │ ├── errors.go
│ │ │ │ ├── internal/
│ │ │ │ │ └── rc2/
│ │ │ │ │ └── rc2.go
│ │ │ │ ├── mac.go
│ │ │ │ ├── pbkdf.go
│ │ │ │ ├── pkcs12.go
│ │ │ │ └── safebags.go
│ │ │ ├── scrypt/
│ │ │ │ └── scrypt.go
│ │ │ └── ssh/
│ │ │ ├── buffer.go
│ │ │ ├── certs.go
│ │ │ ├── channel.go
│ │ │ ├── cipher.go
│ │ │ ├── client.go
│ │ │ ├── client_auth.go
│ │ │ ├── common.go
│ │ │ ├── connection.go
│ │ │ ├── doc.go
│ │ │ ├── handshake.go
│ │ │ ├── internal/
│ │ │ │ └── bcrypt_pbkdf/
│ │ │ │ └── bcrypt_pbkdf.go
│ │ │ ├── kex.go
│ │ │ ├── keys.go
│ │ │ ├── mac.go
│ │ │ ├── messages.go
│ │ │ ├── mux.go
│ │ │ ├── server.go
│ │ │ ├── session.go
│ │ │ ├── ssh_gss.go
│ │ │ ├── streamlocal.go
│ │ │ ├── tcpip.go
│ │ │ └── transport.go
│ │ ├── net/
│ │ │ ├── LICENSE
│ │ │ ├── PATENTS
│ │ │ ├── context/
│ │ │ │ └── ctxhttp/
│ │ │ │ └── ctxhttp.go
│ │ │ └── idna/
│ │ │ ├── go118.go
│ │ │ ├── idna10.0.0.go
│ │ │ ├── idna9.0.0.go
│ │ │ ├── pre_go118.go
│ │ │ ├── punycode.go
│ │ │ ├── tables10.0.0.go
│ │ │ ├── tables11.0.0.go
│ │ │ ├── tables12.0.0.go
│ │ │ ├── tables13.0.0.go
│ │ │ ├── tables15.0.0.go
│ │ │ ├── tables9.0.0.go
│ │ │ ├── trie.go
│ │ │ ├── trie12.0.0.go
│ │ │ ├── trie13.0.0.go
│ │ │ └── trieval.go
│ │ ├── sys/
│ │ │ ├── LICENSE
│ │ │ ├── PATENTS
│ │ │ ├── cpu/
│ │ │ │ ├── asm_aix_ppc64.s
│ │ │ │ ├── byteorder.go
│ │ │ │ ├── cpu.go
│ │ │ │ ├── cpu_aix.go
│ │ │ │ ├── cpu_arm.go
│ │ │ │ ├── cpu_arm64.go
│ │ │ │ ├── cpu_arm64.s
│ │ │ │ ├── cpu_gc_arm64.go
│ │ │ │ ├── cpu_gc_s390x.go
│ │ │ │ ├── cpu_gc_x86.go
│ │ │ │ ├── cpu_gccgo_arm64.go
│ │ │ │ ├── cpu_gccgo_s390x.go
│ │ │ │ ├── cpu_gccgo_x86.c
│ │ │ │ ├── cpu_gccgo_x86.go
│ │ │ │ ├── cpu_linux.go
│ │ │ │ ├── cpu_linux_arm.go
│ │ │ │ ├── cpu_linux_arm64.go
│ │ │ │ ├── cpu_linux_mips64x.go
│ │ │ │ ├── cpu_linux_noinit.go
│ │ │ │ ├── cpu_linux_ppc64x.go
│ │ │ │ ├── cpu_linux_s390x.go
│ │ │ │ ├── cpu_loong64.go
│ │ │ │ ├── cpu_mips64x.go
│ │ │ │ ├── cpu_mipsx.go
│ │ │ │ ├── cpu_netbsd_arm64.go
│ │ │ │ ├── cpu_openbsd_arm64.go
│ │ │ │ ├── cpu_openbsd_arm64.s
│ │ │ │ ├── cpu_other_arm.go
│ │ │ │ ├── cpu_other_arm64.go
│ │ │ │ ├── cpu_other_mips64x.go
│ │ │ │ ├── cpu_other_ppc64x.go
│ │ │ │ ├── cpu_other_riscv64.go
│ │ │ │ ├── cpu_ppc64x.go
│ │ │ │ ├── cpu_riscv64.go
│ │ │ │ ├── cpu_s390x.go
│ │ │ │ ├── cpu_s390x.s
│ │ │ │ ├── cpu_wasm.go
│ │ │ │ ├── cpu_x86.go
│ │ │ │ ├── cpu_x86.s
│ │ │ │ ├── cpu_zos.go
│ │ │ │ ├── cpu_zos_s390x.go
│ │ │ │ ├── endian_big.go
│ │ │ │ ├── endian_little.go
│ │ │ │ ├── hwcap_linux.go
│ │ │ │ ├── parse.go
│ │ │ │ ├── proc_cpuinfo_linux.go
│ │ │ │ ├── runtime_auxv.go
│ │ │ │ ├── runtime_auxv_go121.go
│ │ │ │ ├── syscall_aix_gccgo.go
│ │ │ │ └── syscall_aix_ppc64_gc.go
│ │ │ ├── unix/
│ │ │ │ ├── .gitignore
│ │ │ │ ├── README.md
│ │ │ │ ├── affinity_linux.go
│ │ │ │ ├── aliases.go
│ │ │ │ ├── asm_aix_ppc64.s
│ │ │ │ ├── asm_bsd_386.s
│ │ │ │ ├── asm_bsd_amd64.s
│ │ │ │ ├── asm_bsd_arm.s
│ │ │ │ ├── asm_bsd_arm64.s
│ │ │ │ ├── asm_bsd_ppc64.s
│ │ │ │ ├── asm_bsd_riscv64.s
│ │ │ │ ├── asm_linux_386.s
│ │ │ │ ├── asm_linux_amd64.s
│ │ │ │ ├── asm_linux_arm.s
│ │ │ │ ├── asm_linux_arm64.s
│ │ │ │ ├── asm_linux_loong64.s
│ │ │ │ ├── asm_linux_mips64x.s
│ │ │ │ ├── asm_linux_mipsx.s
│ │ │ │ ├── asm_linux_ppc64x.s
│ │ │ │ ├── asm_linux_riscv64.s
│ │ │ │ ├── asm_linux_s390x.s
│ │ │ │ ├── asm_openbsd_mips64.s
│ │ │ │ ├── asm_solaris_amd64.s
│ │ │ │ ├── asm_zos_s390x.s
│ │ │ │ ├── bluetooth_linux.go
│ │ │ │ ├── cap_freebsd.go
│ │ │ │ ├── constants.go
│ │ │ │ ├── dev_aix_ppc.go
│ │ │ │ ├── dev_aix_ppc64.go
│ │ │ │ ├── dev_darwin.go
│ │ │ │ ├── dev_dragonfly.go
│ │ │ │ ├── dev_freebsd.go
│ │ │ │ ├── dev_linux.go
│ │ │ │ ├── dev_netbsd.go
│ │ │ │ ├── dev_openbsd.go
│ │ │ │ ├── dev_zos.go
│ │ │ │ ├── dirent.go
│ │ │ │ ├── endian_big.go
│ │ │ │ ├── endian_little.go
│ │ │ │ ├── env_unix.go
│ │ │ │ ├── epoll_zos.go
│ │ │ │ ├── fcntl.go
│ │ │ │ ├── fcntl_darwin.go
│ │ │ │ ├── fcntl_linux_32bit.go
│ │ │ │ ├── fdset.go
│ │ │ │ ├── fstatfs_zos.go
│ │ │ │ ├── gccgo.go
│ │ │ │ ├── gccgo_c.c
│ │ │ │ ├── gccgo_linux_amd64.go
│ │ │ │ ├── ifreq_linux.go
│ │ │ │ ├── ioctl_linux.go
│ │ │ │ ├── ioctl_signed.go
│ │ │ │ ├── ioctl_unsigned.go
│ │ │ │ ├── ioctl_zos.go
│ │ │ │ ├── mkall.sh
│ │ │ │ ├── mkerrors.sh
│ │ │ │ ├── mmap_nomremap.go
│ │ │ │ ├── mremap.go
│ │ │ │ ├── pagesize_unix.go
│ │ │ │ ├── pledge_openbsd.go
│ │ │ │ ├── ptrace_darwin.go
│ │ │ │ ├── ptrace_ios.go
│ │ │ │ ├── race.go
│ │ │ │ ├── race0.go
│ │ │ │ ├── readdirent_getdents.go
│ │ │ │ ├── readdirent_getdirentries.go
│ │ │ │ ├── sockcmsg_dragonfly.go
│ │ │ │ ├── sockcmsg_linux.go
│ │ │ │ ├── sockcmsg_unix.go
│ │ │ │ ├── sockcmsg_unix_other.go
│ │ │ │ ├── syscall.go
│ │ │ │ ├── syscall_aix.go
│ │ │ │ ├── syscall_aix_ppc.go
│ │ │ │ ├── syscall_aix_ppc64.go
│ │ │ │ ├── syscall_bsd.go
│ │ │ │ ├── syscall_darwin.go
│ │ │ │ ├── syscall_darwin_amd64.go
│ │ │ │ ├── syscall_darwin_arm64.go
│ │ │ │ ├── syscall_darwin_libSystem.go
│ │ │ │ ├── syscall_dragonfly.go
│ │ │ │ ├── syscall_dragonfly_amd64.go
│ │ │ │ ├── syscall_freebsd.go
│ │ │ │ ├── syscall_freebsd_386.go
│ │ │ │ ├── syscall_freebsd_amd64.go
│ │ │ │ ├── syscall_freebsd_arm.go
│ │ │ │ ├── syscall_freebsd_arm64.go
│ │ │ │ ├── syscall_freebsd_riscv64.go
│ │ │ │ ├── syscall_hurd.go
│ │ │ │ ├── syscall_hurd_386.go
│ │ │ │ ├── syscall_illumos.go
│ │ │ │ ├── syscall_linux.go
│ │ │ │ ├── syscall_linux_386.go
│ │ │ │ ├── syscall_linux_alarm.go
│ │ │ │ ├── syscall_linux_amd64.go
│ │ │ │ ├── syscall_linux_amd64_gc.go
│ │ │ │ ├── syscall_linux_arm.go
│ │ │ │ ├── syscall_linux_arm64.go
│ │ │ │ ├── syscall_linux_gc.go
│ │ │ │ ├── syscall_linux_gc_386.go
│ │ │ │ ├── syscall_linux_gc_arm.go
│ │ │ │ ├── syscall_linux_gccgo_386.go
│ │ │ │ ├── syscall_linux_gccgo_arm.go
│ │ │ │ ├── syscall_linux_loong64.go
│ │ │ │ ├── syscall_linux_mips64x.go
│ │ │ │ ├── syscall_linux_mipsx.go
│ │ │ │ ├── syscall_linux_ppc.go
│ │ │ │ ├── syscall_linux_ppc64x.go
│ │ │ │ ├── syscall_linux_riscv64.go
│ │ │ │ ├── syscall_linux_s390x.go
│ │ │ │ ├── syscall_linux_sparc64.go
│ │ │ │ ├── syscall_netbsd.go
│ │ │ │ ├── syscall_netbsd_386.go
│ │ │ │ ├── syscall_netbsd_amd64.go
│ │ │ │ ├── syscall_netbsd_arm.go
│ │ │ │ ├── syscall_netbsd_arm64.go
│ │ │ │ ├── syscall_openbsd.go
│ │ │ │ ├── syscall_openbsd_386.go
│ │ │ │ ├── syscall_openbsd_amd64.go
│ │ │ │ ├── syscall_openbsd_arm.go
│ │ │ │ ├── syscall_openbsd_arm64.go
│ │ │ │ ├── syscall_openbsd_libc.go
│ │ │ │ ├── syscall_openbsd_mips64.go
│ │ │ │ ├── syscall_openbsd_ppc64.go
│ │ │ │ ├── syscall_openbsd_riscv64.go
│ │ │ │ ├── syscall_solaris.go
│ │ │ │ ├── syscall_solaris_amd64.go
│ │ │ │ ├── syscall_unix.go
│ │ │ │ ├── syscall_unix_gc.go
│ │ │ │ ├── syscall_unix_gc_ppc64x.go
│ │ │ │ ├── syscall_zos_s390x.go
│ │ │ │ ├── sysvshm_linux.go
│ │ │ │ ├── sysvshm_unix.go
│ │ │ │ ├── sysvshm_unix_other.go
│ │ │ │ ├── timestruct.go
│ │ │ │ ├── unveil_openbsd.go
│ │ │ │ ├── xattr_bsd.go
│ │ │ │ ├── zerrors_aix_ppc.go
│ │ │ │ ├── zerrors_aix_ppc64.go
│ │ │ │ ├── zerrors_darwin_amd64.go
│ │ │ │ ├── zerrors_darwin_arm64.go
│ │ │ │ ├── zerrors_dragonfly_amd64.go
│ │ │ │ ├── zerrors_freebsd_386.go
│ │ │ │ ├── zerrors_freebsd_amd64.go
│ │ │ │ ├── zerrors_freebsd_arm.go
│ │ │ │ ├── zerrors_freebsd_arm64.go
│ │ │ │ ├── zerrors_freebsd_riscv64.go
│ │ │ │ ├── zerrors_linux.go
│ │ │ │ ├── zerrors_linux_386.go
│ │ │ │ ├── zerrors_linux_amd64.go
│ │ │ │ ├── zerrors_linux_arm.go
│ │ │ │ ├── zerrors_linux_arm64.go
│ │ │ │ ├── zerrors_linux_loong64.go
│ │ │ │ ├── zerrors_linux_mips.go
│ │ │ │ ├── zerrors_linux_mips64.go
│ │ │ │ ├── zerrors_linux_mips64le.go
│ │ │ │ ├── zerrors_linux_mipsle.go
│ │ │ │ ├── zerrors_linux_ppc.go
│ │ │ │ ├── zerrors_linux_ppc64.go
│ │ │ │ ├── zerrors_linux_ppc64le.go
│ │ │ │ ├── zerrors_linux_riscv64.go
│ │ │ │ ├── zerrors_linux_s390x.go
│ │ │ │ ├── zerrors_linux_sparc64.go
│ │ │ │ ├── zerrors_netbsd_386.go
│ │ │ │ ├── zerrors_netbsd_amd64.go
│ │ │ │ ├── zerrors_netbsd_arm.go
│ │ │ │ ├── zerrors_netbsd_arm64.go
│ │ │ │ ├── zerrors_openbsd_386.go
│ │ │ │ ├── zerrors_openbsd_amd64.go
│ │ │ │ ├── zerrors_openbsd_arm.go
│ │ │ │ ├── zerrors_openbsd_arm64.go
│ │ │ │ ├── zerrors_openbsd_mips64.go
│ │ │ │ ├── zerrors_openbsd_ppc64.go
│ │ │ │ ├── zerrors_openbsd_riscv64.go
│ │ │ │ ├── zerrors_solaris_amd64.go
│ │ │ │ ├── zerrors_zos_s390x.go
│ │ │ │ ├── zptrace_armnn_linux.go
│ │ │ │ ├── zptrace_linux_arm64.go
│ │ │ │ ├── zptrace_mipsnn_linux.go
│ │ │ │ ├── zptrace_mipsnnle_linux.go
│ │ │ │ ├── zptrace_x86_linux.go
│ │ │ │ ├── zsyscall_aix_ppc.go
│ │ │ │ ├── zsyscall_aix_ppc64.go
│ │ │ │ ├── zsyscall_aix_ppc64_gc.go
│ │ │ │ ├── zsyscall_aix_ppc64_gccgo.go
│ │ │ │ ├── zsyscall_darwin_amd64.go
│ │ │ │ ├── zsyscall_darwin_amd64.s
│ │ │ │ ├── zsyscall_darwin_arm64.go
│ │ │ │ ├── zsyscall_darwin_arm64.s
│ │ │ │ ├── zsyscall_dragonfly_amd64.go
│ │ │ │ ├── zsyscall_freebsd_386.go
│ │ │ │ ├── zsyscall_freebsd_amd64.go
│ │ │ │ ├── zsyscall_freebsd_arm.go
│ │ │ │ ├── zsyscall_freebsd_arm64.go
│ │ │ │ ├── zsyscall_freebsd_riscv64.go
│ │ │ │ ├── zsyscall_illumos_amd64.go
│ │ │ │ ├── zsyscall_linux.go
│ │ │ │ ├── zsyscall_linux_386.go
│ │ │ │ ├── zsyscall_linux_amd64.go
│ │ │ │ ├── zsyscall_linux_arm.go
│ │ │ │ ├── zsyscall_linux_arm64.go
│ │ │ │ ├── zsyscall_linux_loong64.go
│ │ │ │ ├── zsyscall_linux_mips.go
│ │ │ │ ├── zsyscall_linux_mips64.go
│ │ │ │ ├── zsyscall_linux_mips64le.go
│ │ │ │ ├── zsyscall_linux_mipsle.go
│ │ │ │ ├── zsyscall_linux_ppc.go
│ │ │ │ ├── zsyscall_linux_ppc64.go
│ │ │ │ ├── zsyscall_linux_ppc64le.go
│ │ │ │ ├── zsyscall_linux_riscv64.go
│ │ │ │ ├── zsyscall_linux_s390x.go
│ │ │ │ ├── zsyscall_linux_sparc64.go
│ │ │ │ ├── zsyscall_netbsd_386.go
│ │ │ │ ├── zsyscall_netbsd_amd64.go
│ │ │ │ ├── zsyscall_netbsd_arm.go
│ │ │ │ ├── zsyscall_netbsd_arm64.go
│ │ │ │ ├── zsyscall_openbsd_386.go
│ │ │ │ ├── zsyscall_openbsd_386.s
│ │ │ │ ├── zsyscall_openbsd_amd64.go
│ │ │ │ ├── zsyscall_openbsd_amd64.s
│ │ │ │ ├── zsyscall_openbsd_arm.go
│ │ │ │ ├── zsyscall_openbsd_arm.s
│ │ │ │ ├── zsyscall_openbsd_arm64.go
│ │ │ │ ├── zsyscall_openbsd_arm64.s
│ │ │ │ ├── zsyscall_openbsd_mips64.go
│ │ │ │ ├── zsyscall_openbsd_mips64.s
│ │ │ │ ├── zsyscall_openbsd_ppc64.go
│ │ │ │ ├── zsyscall_openbsd_ppc64.s
│ │ │ │ ├── zsyscall_openbsd_riscv64.go
│ │ │ │ ├── zsyscall_openbsd_riscv64.s
│ │ │ │ ├── zsyscall_solaris_amd64.go
│ │ │ │ ├── zsyscall_zos_s390x.go
│ │ │ │ ├── zsysctl_openbsd_386.go
│ │ │ │ ├── zsysctl_openbsd_amd64.go
│ │ │ │ ├── zsysctl_openbsd_arm.go
│ │ │ │ ├── zsysctl_openbsd_arm64.go
│ │ │ │ ├── zsysctl_openbsd_mips64.go
│ │ │ │ ├── zsysctl_openbsd_ppc64.go
│ │ │ │ ├── zsysctl_openbsd_riscv64.go
│ │ │ │ ├── zsysnum_darwin_amd64.go
│ │ │ │ ├── zsysnum_darwin_arm64.go
│ │ │ │ ├── zsysnum_dragonfly_amd64.go
│ │ │ │ ├── zsysnum_freebsd_386.go
│ │ │ │ ├── zsysnum_freebsd_amd64.go
│ │ │ │ ├── zsysnum_freebsd_arm.go
│ │ │ │ ├── zsysnum_freebsd_arm64.go
│ │ │ │ ├── zsysnum_freebsd_riscv64.go
│ │ │ │ ├── zsysnum_linux_386.go
│ │ │ │ ├── zsysnum_linux_amd64.go
│ │ │ │ ├── zsysnum_linux_arm.go
│ │ │ │ ├── zsysnum_linux_arm64.go
│ │ │ │ ├── zsysnum_linux_loong64.go
│ │ │ │ ├── zsysnum_linux_mips.go
│ │ │ │ ├── zsysnum_linux_mips64.go
│ │ │ │ ├── zsysnum_linux_mips64le.go
│ │ │ │ ├── zsysnum_linux_mipsle.go
│ │ │ │ ├── zsysnum_linux_ppc.go
│ │ │ │ ├── zsysnum_linux_ppc64.go
│ │ │ │ ├── zsysnum_linux_ppc64le.go
│ │ │ │ ├── zsysnum_linux_riscv64.go
│ │ │ │ ├── zsysnum_linux_s390x.go
│ │ │ │ ├── zsysnum_linux_sparc64.go
│ │ │ │ ├── zsysnum_netbsd_386.go
│ │ │ │ ├── zsysnum_netbsd_amd64.go
│ │ │ │ ├── zsysnum_netbsd_arm.go
│ │ │ │ ├── zsysnum_netbsd_arm64.go
│ │ │ │ ├── zsysnum_openbsd_386.go
│ │ │ │ ├── zsysnum_openbsd_amd64.go
│ │ │ │ ├── zsysnum_openbsd_arm.go
│ │ │ │ ├── zsysnum_openbsd_arm64.go
│ │ │ │ ├── zsysnum_openbsd_mips64.go
│ │ │ │ ├── zsysnum_openbsd_ppc64.go
│ │ │ │ ├── zsysnum_openbsd_riscv64.go
│ │ │ │ ├── zsysnum_zos_s390x.go
│ │ │ │ ├── ztypes_aix_ppc.go
│ │ │ │ ├── ztypes_aix_ppc64.go
│ │ │ │ ├── ztypes_darwin_amd64.go
│ │ │ │ ├── ztypes_darwin_arm64.go
│ │ │ │ ├── ztypes_dragonfly_amd64.go
│ │ │ │ ├── ztypes_freebsd_386.go
│ │ │ │ ├── ztypes_freebsd_amd64.go
│ │ │ │ ├── ztypes_freebsd_arm.go
│ │ │ │ ├── ztypes_freebsd_arm64.go
│ │ │ │ ├── ztypes_freebsd_riscv64.go
│ │ │ │ ├── ztypes_linux.go
│ │ │ │ ├── ztypes_linux_386.go
│ │ │ │ ├── ztypes_linux_amd64.go
│ │ │ │ ├── ztypes_linux_arm.go
│ │ │ │ ├── ztypes_linux_arm64.go
│ │ │ │ ├── ztypes_linux_loong64.go
│ │ │ │ ├── ztypes_linux_mips.go
│ │ │ │ ├── ztypes_linux_mips64.go
│ │ │ │ ├── ztypes_linux_mips64le.go
│ │ │ │ ├── ztypes_linux_mipsle.go
│ │ │ │ ├── ztypes_linux_ppc.go
│ │ │ │ ├── ztypes_linux_ppc64.go
│ │ │ │ ├── ztypes_linux_ppc64le.go
│ │ │ │ ├── ztypes_linux_riscv64.go
│ │ │ │ ├── ztypes_linux_s390x.go
│ │ │ │ ├── ztypes_linux_sparc64.go
│ │ │ │ ├── ztypes_netbsd_386.go
│ │ │ │ ├── ztypes_netbsd_amd64.go
│ │ │ │ ├── ztypes_netbsd_arm.go
│ │ │ │ ├── ztypes_netbsd_arm64.go
│ │ │ │ ├── ztypes_openbsd_386.go
│ │ │ │ ├── ztypes_openbsd_amd64.go
│ │ │ │ ├── ztypes_openbsd_arm.go
│ │ │ │ ├── ztypes_openbsd_arm64.go
│ │ │ │ ├── ztypes_openbsd_mips64.go
│ │ │ │ ├── ztypes_openbsd_ppc64.go
│ │ │ │ ├── ztypes_openbsd_riscv64.go
│ │ │ │ ├── ztypes_solaris_amd64.go
│ │ │ │ └── ztypes_zos_s390x.go
│ │ │ └── windows/
│ │ │ ├── aliases.go
│ │ │ ├── dll_windows.go
│ │ │ ├── empty.s
│ │ │ ├── env_windows.go
│ │ │ ├── eventlog.go
│ │ │ ├── exec_windows.go
│ │ │ ├── memory_windows.go
│ │ │ ├── mkerrors.bash
│ │ │ ├── mkknownfolderids.bash
│ │ │ ├── mksyscall.go
│ │ │ ├── race.go
│ │ │ ├── race0.go
│ │ │ ├── security_windows.go
│ │ │ ├── service.go
│ │ │ ├── setupapi_windows.go
│ │ │ ├── str.go
│ │ │ ├── syscall.go
│ │ │ ├── syscall_windows.go
│ │ │ ├── types_windows.go
│ │ │ ├── types_windows_386.go
│ │ │ ├── types_windows_amd64.go
│ │ │ ├── types_windows_arm.go
│ │ │ ├── types_windows_arm64.go
│ │ │ ├── zerrors_windows.go
│ │ │ ├── zknownfolderids_windows.go
│ │ │ └── zsyscall_windows.go
│ │ └── text/
│ │ ├── LICENSE
│ │ ├── PATENTS
│ │ ├── secure/
│ │ │ └── bidirule/
│ │ │ ├── bidirule.go
│ │ │ ├── bidirule10.0.0.go
│ │ │ └── bidirule9.0.0.go
│ │ ├── transform/
│ │ │ └── transform.go
│ │ └── unicode/
│ │ ├── bidi/
│ │ │ ├── bidi.go
│ │ │ ├── bracket.go
│ │ │ ├── core.go
│ │ │ ├── prop.go
│ │ │ ├── tables10.0.0.go
│ │ │ ├── tables11.0.0.go
│ │ │ ├── tables12.0.0.go
│ │ │ ├── tables13.0.0.go
│ │ │ ├── tables15.0.0.go
│ │ │ ├── tables9.0.0.go
│ │ │ └── trieval.go
│ │ └── norm/
│ │ ├── composition.go
│ │ ├── forminfo.go
│ │ ├── input.go
│ │ ├── iter.go
│ │ ├── normalize.go
│ │ ├── readwriter.go
│ │ ├── tables10.0.0.go
│ │ ├── tables11.0.0.go
│ │ ├── tables12.0.0.go
│ │ ├── tables13.0.0.go
│ │ ├── tables15.0.0.go
│ │ ├── tables9.0.0.go
│ │ ├── transform.go
│ │ └── trie.go
│ ├── google.golang.org/
│ │ └── protobuf/
│ │ ├── LICENSE
│ │ ├── PATENTS
│ │ ├── encoding/
│ │ │ ├── protodelim/
│ │ │ │ └── protodelim.go
│ │ │ ├── prototext/
│ │ │ │ ├── decode.go
│ │ │ │ ├── doc.go
│ │ │ │ └── encode.go
│ │ │ └── protowire/
│ │ │ └── wire.go
│ │ ├── internal/
│ │ │ ├── descfmt/
│ │ │ │ └── stringer.go
│ │ │ ├── descopts/
│ │ │ │ └── options.go
│ │ │ ├── detrand/
│ │ │ │ └── rand.go
│ │ │ ├── editiondefaults/
│ │ │ │ ├── defaults.go
│ │ │ │ └── editions_defaults.binpb
│ │ │ ├── encoding/
│ │ │ │ ├── defval/
│ │ │ │ │ └── default.go
│ │ │ │ ├── messageset/
│ │ │ │ │ └── messageset.go
│ │ │ │ ├── tag/
│ │ │ │ │ └── tag.go
│ │ │ │ └── text/
│ │ │ │ ├── decode.go
│ │ │ │ ├── decode_number.go
│ │ │ │ ├── decode_string.go
│ │ │ │ ├── decode_token.go
│ │ │ │ ├── doc.go
│ │ │ │ └── encode.go
│ │ │ ├── errors/
│ │ │ │ ├── errors.go
│ │ │ │ ├── is_go112.go
│ │ │ │ └── is_go113.go
│ │ │ ├── filedesc/
│ │ │ │ ├── build.go
│ │ │ │ ├── desc.go
│ │ │ │ ├── desc_init.go
│ │ │ │ ├── desc_lazy.go
│ │ │ │ ├── desc_list.go
│ │ │ │ ├── desc_list_gen.go
│ │ │ │ ├── editions.go
│ │ │ │ └── placeholder.go
│ │ │ ├── filetype/
│ │ │ │ └── build.go
│ │ │ ├── flags/
│ │ │ │ ├── flags.go
│ │ │ │ ├── proto_legacy_disable.go
│ │ │ │ └── proto_legacy_enable.go
│ │ │ ├── genid/
│ │ │ │ ├── any_gen.go
│ │ │ │ ├── api_gen.go
│ │ │ │ ├── descriptor_gen.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── duration_gen.go
│ │ │ │ ├── empty_gen.go
│ │ │ │ ├── field_mask_gen.go
│ │ │ │ ├── go_features_gen.go
│ │ │ │ ├── goname.go
│ │ │ │ ├── map_entry.go
│ │ │ │ ├── source_context_gen.go
│ │ │ │ ├── struct_gen.go
│ │ │ │ ├── timestamp_gen.go
│ │ │ │ ├── type_gen.go
│ │ │ │ ├── wrappers.go
│ │ │ │ └── wrappers_gen.go
│ │ │ ├── impl/
│ │ │ │ ├── api_export.go
│ │ │ │ ├── checkinit.go
│ │ │ │ ├── codec_extension.go
│ │ │ │ ├── codec_field.go
│ │ │ │ ├── codec_gen.go
│ │ │ │ ├── codec_map.go
│ │ │ │ ├── codec_map_go111.go
│ │ │ │ ├── codec_map_go112.go
│ │ │ │ ├── codec_message.go
│ │ │ │ ├── codec_messageset.go
│ │ │ │ ├── codec_reflect.go
│ │ │ │ ├── codec_tables.go
│ │ │ │ ├── codec_unsafe.go
│ │ │ │ ├── convert.go
│ │ │ │ ├── convert_list.go
│ │ │ │ ├── convert_map.go
│ │ │ │ ├── decode.go
│ │ │ │ ├── encode.go
│ │ │ │ ├── enum.go
│ │ │ │ ├── extension.go
│ │ │ │ ├── legacy_enum.go
│ │ │ │ ├── legacy_export.go
│ │ │ │ ├── legacy_extension.go
│ │ │ │ ├── legacy_file.go
│ │ │ │ ├── legacy_message.go
│ │ │ │ ├── merge.go
│ │ │ │ ├── merge_gen.go
│ │ │ │ ├── message.go
│ │ │ │ ├── message_reflect.go
│ │ │ │ ├── message_reflect_field.go
│ │ │ │ ├── message_reflect_gen.go
│ │ │ │ ├── pointer_reflect.go
│ │ │ │ ├── pointer_unsafe.go
│ │ │ │ ├── validate.go
│ │ │ │ └── weak.go
│ │ │ ├── order/
│ │ │ │ ├── order.go
│ │ │ │ └── range.go
│ │ │ ├── pragma/
│ │ │ │ └── pragma.go
│ │ │ ├── set/
│ │ │ │ └── ints.go
│ │ │ ├── strs/
│ │ │ │ ├── strings.go
│ │ │ │ ├── strings_pure.go
│ │ │ │ ├── strings_unsafe_go120.go
│ │ │ │ └── strings_unsafe_go121.go
│ │ │ └── version/
│ │ │ └── version.go
│ │ ├── proto/
│ │ │ ├── checkinit.go
│ │ │ ├── decode.go
│ │ │ ├── decode_gen.go
│ │ │ ├── doc.go
│ │ │ ├── encode.go
│ │ │ ├── encode_gen.go
│ │ │ ├── equal.go
│ │ │ ├── extension.go
│ │ │ ├── merge.go
│ │ │ ├── messageset.go
│ │ │ ├── proto.go
│ │ │ ├── proto_methods.go
│ │ │ ├── proto_reflect.go
│ │ │ ├── reset.go
│ │ │ ├── size.go
│ │ │ ├── size_gen.go
│ │ │ └── wrappers.go
│ │ ├── reflect/
│ │ │ ├── protoreflect/
│ │ │ │ ├── methods.go
│ │ │ │ ├── proto.go
│ │ │ │ ├── source.go
│ │ │ │ ├── source_gen.go
│ │ │ │ ├── type.go
│ │ │ │ ├── value.go
│ │ │ │ ├── value_equal.go
│ │ │ │ ├── value_pure.go
│ │ │ │ ├── value_union.go
│ │ │ │ ├── value_unsafe_go120.go
│ │ │ │ └── value_unsafe_go121.go
│ │ │ └── protoregistry/
│ │ │ └── registry.go
│ │ ├── runtime/
│ │ │ ├── protoiface/
│ │ │ │ ├── legacy.go
│ │ │ │ └── methods.go
│ │ │ └── protoimpl/
│ │ │ ├── impl.go
│ │ │ └── version.go
│ │ └── types/
│ │ └── known/
│ │ └── timestamppb/
│ │ └── timestamp.pb.go
│ ├── k8s.io/
│ │ └── klog/
│ │ └── v2/
│ │ ├── .gitignore
│ │ ├── .golangci.yaml
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── OWNERS
│ │ ├── README.md
│ │ ├── RELEASE.md
│ │ ├── SECURITY.md
│ │ ├── SECURITY_CONTACTS
│ │ ├── code-of-conduct.md
│ │ ├── contextual.go
│ │ ├── contextual_slog.go
│ │ ├── exit.go
│ │ ├── format.go
│ │ ├── imports.go
│ │ ├── internal/
│ │ │ ├── buffer/
│ │ │ │ └── buffer.go
│ │ │ ├── clock/
│ │ │ │ ├── README.md
│ │ │ │ └── clock.go
│ │ │ ├── dbg/
│ │ │ │ └── dbg.go
│ │ │ ├── serialize/
│ │ │ │ ├── keyvalues.go
│ │ │ │ ├── keyvalues_no_slog.go
│ │ │ │ └── keyvalues_slog.go
│ │ │ ├── severity/
│ │ │ │ └── severity.go
│ │ │ └── sloghandler/
│ │ │ └── sloghandler_slog.go
│ │ ├── k8s_references.go
│ │ ├── k8s_references_slog.go
│ │ ├── klog.go
│ │ ├── klog_file.go
│ │ ├── klog_file_others.go
│ │ ├── klog_file_windows.go
│ │ ├── klogr.go
│ │ ├── klogr_slog.go
│ │ └── safeptr.go
│ └── modules.txt
└── whitelist/
├── LICENSE
├── README.md
├── example/
│ └── example_whitelist.go
├── http_test.go
├── lookup.go
├── whitelist.go
├── whitelist_net.go
├── whitelist_net_test.go
└── whitelist_test.go
================================================
FILE CONTENTS
================================================
================================================
FILE: .dockerignore
================================================
cfssl_*
*-amd64
*-386
dist/*
.git
================================================
FILE: .github/dependabot.yml
================================================
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
- package-ecosystem: gomod
directory: /
schedule:
interval: weekly
================================================
FILE: .github/workflows/docker-builds.yml
================================================
name: cfssl docker
on:
workflow_dispatch:
push:
branches:
- "master"
tags:
- "v*"
jobs:
build-and-push-image:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
strategy:
matrix:
include:
# github container registry
- registry: "ghcr.io"
username: ${{ github.actor }}
password_secret: GITHUB_TOKEN
image: ghcr.io/cloudflare/cfssl
# docker test publish, todo: switch to service account
- registry: ""
username: nicky
password_secret: DOCKER_REGISTRY_TOKEN_NICKY
image: cfssl/cfssl
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Docker hub
uses: docker/login-action@v3
with:
registry: ${{ matrix.registry }}
username: ${{ matrix.username }}
password: ${{ secrets[matrix.password_secret] }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ matrix.image }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64,linux/s390x
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
================================================
FILE: .github/workflows/go.yml
================================================
name: Go
on:
push:
pull_request:
branches: [master]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
# starting with go 1.24 the GODEBUG=x509sha1=1 flag has been removed.
# many tests rely on sha1 certificates. After resolving #1413 we can
# run these on stable and oldstable again. Min version (1.20) can
# always be run.
go: ['1.23', '1.22', '1.20']
services:
# Label used to access the service container
postgres:
# Docker Hub image
image: postgres
# Provide the password for postgres
env:
POSTGRES_DB: postgres_db
POSTGRES_PASSWORD: ""
POSTGRES_HOST_AUTH_METHOD: trust # allow no password
POSTGRES_PORT: 5432
POSTGRES_USER: postgres
# Set health checks to wait until postgres has started
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
mysql:
image: mysql
env:
MYSQL_ALLOW_EMPTY_PASSWORD: yes
MYSQL_ROOT_PASSWORD: ""
ports:
- 3306:3306
options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
env:
GOFLAGS: "-mod=vendor"
GODEBUG: "x509sha1=1"
BUILD_TAGS: "postgresql"
PGHOST: localhost
MYSQL_HOST: 127.0.0.1
steps:
- run: psql -c 'create database certdb_development;' -U postgres;
- run: mysql -e 'create database certdb_development;' -u root;
- run: mysql -e 'SET global sql_mode = 0;' -u root;
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go }}
- name: Build
run: go build -v ./...
- run: make bin/goose;
- run: ./bin/goose -path certdb/pg up;
- run: ./bin/goose -path certdb/mysql up;
- name: Test
run: ./test.sh
- uses: codecov/codecov-action@v4
golangci:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: "1.20"
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
# There is a breaking change in 1.58 that causes the linter not to recognize
# internal imports or standard library imports and results in linting errors
# that cannot be ignored.
# e.g certdb/certdb.go:5:2: could not import encoding/json (Config.Importer.Import(encoding/json) returned nil but no error) (typecheck)
version: v1.57
================================================
FILE: .github/workflows/semgrep.yml
================================================
on:
pull_request: {}
workflow_dispatch: {}
push:
branches:
- main
- master
schedule:
- cron: '0 0 * * *'
name: Semgrep config
jobs:
semgrep:
name: semgrep/ci
runs-on: ubuntu-latest
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
SEMGREP_URL: https://cloudflare.semgrep.dev
SEMGREP_APP_URL: https://cloudflare.semgrep.dev
SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
container:
image: semgrep/semgrep
steps:
- uses: actions/checkout@v4
- run: semgrep ci
================================================
FILE: .github/workflows/snapshot.yml
================================================
name: Image snapshots
on:
push:
pull_request:
branches: [master]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: make snapshot
- name: Archive snapshot artifacts
uses: actions/upload-artifact@v4
with:
name: binaries
path: dist/
================================================
FILE: .gitignore
================================================
dist/*
coverage.txt
profile.out
bin
*.deb
*.rpm
test
.DS_Store
================================================
FILE: .golangci.yaml
================================================
linters:
disable:
- staticcheck
- govet
- gosimple
- ineffassign
- unused
- errcheck
================================================
FILE: .goreleaser.yml
================================================
env:
- GO111MODULE=on
- CGO_ENABLED=0
- GOFLAGS=-mod=vendor
- GOPROXY=off
builds:
- id: cfssl-darwin
binary: cfssl
env:
- CC=o64-clang
- CXX=o64-clang++
- CGO_ENABLED=1
goos:
- darwin
goarch:
- amd64
- arm64
main: ./cmd/cfssl
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-linux
binary: cfssl
goos:
- linux
goarch:
- amd64
- arm
- arm64
- s390x
main: ./cmd/cfssl
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-windows
binary: cfssl
env:
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
main: ./cmd/cfssl
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-bundle-darwin
binary: cfssl-bundle
env:
- CC=o64-clang
- CXX=o64-clang++
- CGO_ENABLED=1
goos:
- darwin
goarch:
- amd64
main: ./cmd/cfssl-bundle
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-bundle-linux
binary: cfssl-bundle
goos:
- linux
goarch:
- amd64
- arm
- arm64
- s390x
main: ./cmd/cfssl-bundle
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-bundle-windows
binary: cfssl-bundle
env:
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
main: ./cmd/cfssl-bundle
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-certinfo-darwin
binary: cfssl-certinfo
env:
- CC=o64-clang
- CXX=o64-clang++
- CGO_ENABLED=1
goos:
- darwin
goarch:
- amd64
main: ./cmd/cfssl-certinfo
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-certinfo-linux
binary: cfssl-certinfo
goos:
- linux
goarch:
- amd64
- arm
- arm64
- s390x
main: ./cmd/cfssl-certinfo
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-certinfo-windows
binary: cfssl-certinfo
env:
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
main: ./cmd/cfssl-certinfo
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-newkey-darwin
binary: cfssl-newkey
env:
- CC=o64-clang
- CXX=o64-clang++
- CGO_ENABLED=1
goos:
- darwin
goarch:
- amd64
main: ./cmd/cfssl-newkey
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-newkey-linux
binary: cfssl-newkey
goos:
- linux
goarch:
- amd64
- arm
- arm64
- s390x
main: ./cmd/cfssl-newkey
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-newkey-windows
binary: cfssl-newkey
env:
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
main: ./cmd/cfssl-newkey
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-scan-darwin
binary: cfssl-scan
env:
- CC=o64-clang
- CXX=o64-clang++
- CGO_ENABLED=1
goos:
- darwin
goarch:
- amd64
main: ./cmd/cfssl-scan
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-scan-linux
binary: cfssl-scan
goos:
- linux
goarch:
- amd64
- arm
- arm64
- s390x
main: ./cmd/cfssl-scan
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssl-scan-windows
binary: cfssl-scan
env:
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
main: ./cmd/cfssl-scan
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssljson-darwin
binary: cfssljson
env:
- CC=o64-clang
- CXX=o64-clang++
- CGO_ENABLED=1
goos:
- darwin
goarch:
- amd64
main: ./cmd/cfssljson
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssljson-linux
binary: cfssljson
goos:
- linux
goarch:
- amd64
- arm
- arm64
- s390x
main: ./cmd/cfssljson
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: cfssljson-windows
binary: cfssljson
env:
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
main: ./cmd/cfssljson
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: mkbundle-darwin
binary: mkbundle
env:
- CC=o64-clang
- CXX=o64-clang++
- CGO_ENABLED=1
goos:
- darwin
goarch:
- amd64
main: ./cmd/mkbundle
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: mkbundle-linux
binary: mkbundle
goos:
- linux
goarch:
- amd64
- arm
- arm64
- s390x
main: ./cmd/mkbundle
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: mkbundle-windows
binary: mkbundle
env:
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
main: ./cmd/mkbundle
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: multirootca-darwin
binary: multirootca
env:
- CC=o64-clang
- CXX=o64-clang++
- CGO_ENABLED=1
goos:
- darwin
goarch:
- amd64
main: ./cmd/multirootca
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: multirootca-linux
binary: multirootca
goos:
- linux
goarch:
- amd64
- arm
- arm64
- s390x
main: ./cmd/multirootca
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
- id: multirootca-windows
binary: multirootca
env:
- CC=x86_64-w64-mingw32-gcc
- CXX=x86_64-w64-mingw32-g++
goos:
- windows
goarch:
- amd64
main: ./cmd/multirootca
ldflags:
- -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
archives:
- format: binary
allow_different_binary_count: true # https://github.com/goreleaser/goreleaser/pull/1841
release:
github:
owner: cloudflare
name: cfssl
prerelease: auto
changelog:
sort: asc
================================================
FILE: CHANGELOG
================================================
1.1.0 - 2015-08-04
ADDED:
- Revocation now checks OCSP status.
- Authenticated endpoints are now supported using HMAC tags.
- Bundle can verify certificates against a domain or IP.
- OCSP subcommand has been added.
- PKCS #11 keys are now supported; this support is now the default.
- OCSP serving is now implemented.
- The multirootca tool is now available for multiple signing
keys via an authenticated API.
- A scan utility for checking the quality of a server's TLS
configuration.
- The certificate bundler now supports PKCS #7 and PKCS #12.
- An info endpoint has been added to retrieve the signers'
certificates.
- Signers can now use a serial sequence number for certificate
serial numbers; the default remains randomised serial numbers.
- CSR whitelisting allows the signer to explicitly distrust
certain fields in a CSR.
- Signing profiles can include certificate policies and their
qualifiers.
- The multirootca can use Red October-secured private keys.
- The multirootca can whitelist CSRs per-signer based on an
IP network whitelist.
- The signer can whitelist SANs and common names via a regular-
expression whitelist.
- Multiple fallback remote signers are now supported in the
cfssl server.
- A Docker build script has been provided to facilitate building
CFSSL for all supported platforms.
- The log package includes a new logging level, fatal, that
immediately exits with error after printing the log message.
CHANGED:
- CLI tool can read from standard input.
- The -f flag has been renamed to -config.
- Signers have been refactored into local and remote signers
under a single universal signer abstraction.
- The CLI subcommands have been refactored into separate
packages.
- Signing can now extract subject information from a CSR.
- Various improvements to the certificate ubiquity scoring,
such as accounting for SHA1 deprecation.
- The bundle CLI tool can set the intermediates directory that
newly found intermediates can be stored in.
- The CLI tools return exit code 1 on failure.
CONTRIBUTORS:
Alice Xia
Dan Rohr
Didier Smith
Dominic Luechinger
Erik Kristensen
Fabian Ruff
George Tankersley
Harald Wagener
Harry Harpham
Jacob H. Haven
Jacob Hoffman-Andrews
Joshua Kroll
Kyle Isom
Nick Sullivan
Peter Eckersley
Richard Barnes
Sophie Huang
Steve Rude
Tara Vancil
Terin Stock
Thomaz Leite
Travis Truman
Zi Lin
================================================
FILE: Dockerfile
================================================
FROM --platform=${TARGETPLATFORM} golang:1.20
ARG TARGETPLATFORM
ARG BUILDPLATFORM
RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
LABEL org.opencontainers.image.source https://github.com/cloudflare/cfssl
LABEL org.opencontainers.image.description "Cloudflare's PKI toolkit"
ARG TARGETOS
ARG TARGETARCH
WORKDIR /workdir
COPY . /workdir
RUN git clone https://github.com/cloudflare/cfssl_trust.git /etc/cfssl && \
make clean && \
GOOS=${TARGETOS} GOARCH=${TARGETARCH} make all && cp bin/* /usr/bin/
EXPOSE 8888
ENTRYPOINT ["cfssl"]
CMD ["--help"]
================================================
FILE: Dockerfile.alpine
================================================
FROM golang:1.20-alpine AS builder
WORKDIR /workdir
COPY . /workdir
RUN set -x && \
apk --no-cache add git gcc libc-dev make
RUN git clone https://github.com/cloudflare/cfssl_trust.git /etc/cfssl && \
make clean && \
make all
FROM alpine:3.11
COPY --from=builder /etc/cfssl /etc/cfssl
COPY --from=builder /workdir/bin/ /usr/bin
EXPOSE 8888
ENTRYPOINT ["cfssl"]
CMD ["--help"]
================================================
FILE: LICENSE
================================================
Copyright (c) 2014 CloudFlare Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: Makefile
================================================
VERSION := $(shell git describe --tags --abbrev=0 | tr -d '[:alpha:]')
LDFLAGS := "-s -w -X github.com/cloudflare/cfssl/cli/version.version=$(VERSION)"
export GOFLAGS := -mod=vendor
export GOPROXY := off
.PHONY: all
all: bin/cfssl bin/cfssl-bundle bin/cfssl-certinfo bin/cfssl-newkey bin/cfssl-scan bin/cfssljson bin/mkbundle bin/multirootca
bin/%: $(shell find . -type f -name '*.go')
@mkdir -p $(dir $@)
ifneq ($(and $(TARGETOS),$(TARGETARCH)),)
GOOS=$(TARGETOS) GOARCH=$(TARGETARCH) go build -ldflags $(LDFLAGS) -o $@ ./cmd/$(@F)
else
go build -ldflags $(LDFLAGS) -o $@ ./cmd/$(@F)
endif
.PHONY: install
install: install-cfssl install-cfssl-bundle install-cfssl-certinfo install-cfssl-newkey install-cfssl-scan install-cfssljson install-mkbundle install-multirootca
.PHONY: install-%
install-%:
go install ./cmd/$(@F:install-%=%)
.PHONY: serve
serve: bin/cfssl
serve:
./bin/cfssl serve
bin/goose: $(shell find vendor -type f -name '*.go')
@mkdir -p $(dir $@)
ifneq ($(and $(TARGETOS),$(TARGETARCH)),)
GOOS=$(TARGETOS) GOARCH=$(TARGETARCH) go build -o $@ ./vendor/bitbucket.org/liamstask/goose/cmd/goose
else
go build -o $@ ./vendor/bitbucket.org/liamstask/goose/cmd/goose
endif
.PHONY: clean
clean:
rm -rf bin *.deb *.rpm
# Check that given variables are set and all have non-empty values,
# die with an error otherwise.
#
# Params:
# 1. Variable name(s) to test.
# 2. (optional) Error message to print.
#
# cf: https://stackoverflow.com/questions/10858261/abort-makefile-if-variable-not-set
check_defined = \
$(strip $(foreach 1,$1, \
$(call __check_defined,$1,$(strip $(value 2)))))
__check_defined = \
$(if $(value $1),, \
$(error Undefined $1$(if $2, ($2))))
.PHONY: snapshot
snapshot:
docker run \
--rm \
-v $(PWD):/cross \
-w /cross \
ghcr.io/goreleaser/goreleaser-cross:latest --clean --snapshot --skip=publish
.PHONY: github-release
github-release:
@:$(call check_defined, GITHUB_TOKEN)
docker run \
--rm \
-e GITHUB_TOKEN=$(GITHUB_TOKEN) \
-v $(PWD):/cross \
-w /cross \
ghcr.io/goreleaser/goreleaser-cross:latest --clean
.PHONY: release
release: github-release
BUILD_PATH := $(CURDIR)/build
INSTALL_PATH := $(BUILD_PATH)/usr/local/bin
FPM = fakeroot fpm -C $(BUILD_PATH) \
-a $(shell uname -m) \
-s dir \
-v $(VERSION) \
--url 'https://github.com/cloudflare/cfssl' \
--vendor Cloudflare \
-n cfssl
.PHONY: package
package: package-deb package-rpm
.PHONY: package-deb
package-deb: all
$(RM) -r build
mkdir -p $(INSTALL_PATH)
cp bin/* $(INSTALL_PATH)
$(FPM) -t deb .
.PHONY: package-rpm
package-rpm: all
$(RM) -r build
mkdir -p $(INSTALL_PATH)
cp bin/* $(INSTALL_PATH)
$(FPM) -t rpm .
================================================
FILE: README.md
================================================
# CFSSL
[](https://travis-ci.org/cloudflare/cfssl)
[](http://codecov.io/github/cloudflare/cfssl?branch=master)
[](https://godoc.org/github.com/cloudflare/cfssl)
## CloudFlare's PKI/TLS toolkit
CFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command line
tool and an HTTP API server for signing, verifying, and bundling TLS
certificates. It requires Go 1.20+ to build.
Note that certain linux distributions have certain algorithms removed
(RHEL-based distributions in particular), so the golang from the
official repositories will not work. Users of these distributions should
[install go manually](//golang.org/dl) to install CFSSL.
CFSSL consists of:
* a set of packages useful for building custom TLS PKI tools
* the `cfssl` program, which is the canonical command line utility
using the CFSSL packages.
* the `multirootca` program, which is a certificate authority server
that can use multiple signing keys.
* the `mkbundle` program is used to build certificate pool bundles.
* the `cfssljson` program, which takes the JSON output from the
`cfssl` and `multirootca` programs and writes certificates, keys,
CSRs, and bundles to disk.
### Building
Building cfssl requires a
[working Go 1.20+ installation](http://golang.org/doc/install).
```
$ git clone git@github.com:cloudflare/cfssl.git
$ cd cfssl
$ make
$ make install
```
The resulting binaries will be in the bin folder:
```
$ tree bin
bin
├── cfssl
├── cfssl-bundle
├── cfssl-certinfo
├── cfssl-newkey
├── cfssl-scan
├── cfssljson
├── mkbundle
└── multirootca
0 directories, 8 files
```
#### Cross Compilation
You can set the `GOOS` and `GOARCH` environment variables to have Go cross compile for alternative platforms; however, cfssl requires cgo, and cgo requires a working compiler toolchain for the target platform.
### Installation
Installation requires a [working Go 1.20+ installation](http://golang.org/doc/install).
Alternatively, [prebuilt binaries are available](https://github.com/cloudflare/cfssl/releases)
```
$ go install github.com/cloudflare/cfssl/cmd/...@latest
```
This will download, build, and install all of the utility programs
(including `cfssl`, `cfssljson`, and `mkbundle` among others).
### Using the Command Line Tool
The `cfssl` command line tool takes a command to specify what
operation it should carry out:
sign signs a certificate
bundle build a certificate bundle
genkey generate a private key and a certificate request
gencert generate a private key and a certificate
serve start the API server
version prints out the current version
selfsign generates a self-signed certificate
print-defaults print default configurations
Use `cfssl [command] -help` to find out more about a command.
The `version` command takes no arguments.
#### Signing
```
cfssl sign [-ca cert] [-ca-key key] [-hostname comma,separated,hostnames] csr [subject]
```
The `csr` is the client's certificate request. The `-ca` and `-ca-key`
flags are the CA's certificate and private key, respectively. By
default, they are `ca.pem` and `ca_key.pem`. The `-hostname` is
a comma separated hostname list that overrides the DNS names and
IP address in the certificate SAN extension.
For example, assuming the CA's private key is in
`/etc/ssl/private/cfssl_key.pem` and the CA's certificate is in
`/etc/ssl/certs/cfssl.pem`, to sign the `cloudflare.pem` certificate
for cloudflare.com:
```
cfssl sign -ca /etc/ssl/certs/cfssl.pem \
-ca-key /etc/ssl/private/cfssl_key.pem \
-hostname cloudflare.com \
./cloudflare.pem
```
It is also possible to specify CSR with the `-csr` flag. By doing so,
flag values take precedence and will overwrite the argument.
The subject is an optional file that contains subject information that
should be used in place of the information from the CSR. It should be
a JSON file as follows:
```json
{
"CN": "example.com",
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "Internet Widgets, Inc.",
"OU": "WWW",
"ST": "California"
}
]
}
```
**N.B.** As of Go 1.7, self-signed certificates will not include
[the AKI](https://go.googlesource.com/go/+/b623b71509b2d24df915d5bc68602e1c6edf38ca).
#### Bundling
```
cfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \
[-metadata metadata_file] [-flavor bundle_flavor] \
-cert certificate_file [-key key_file]
```
The bundles are used for the root and intermediate certificate
pools. In addition, platform metadata is specified through `-metadata`.
The bundle files, metadata file (and auxiliary files) can be
found at:
https://github.com/cloudflare/cfssl_trust
Specify PEM-encoded client certificate and key through `-cert` and
`-key` respectively. If key is specified, the bundle will be built
and verified with the key. Otherwise the bundle will be built
without a private key. Instead of file path, use `-` for reading
certificate PEM from stdin. It is also acceptable that the certificate
file should contain a (partial) certificate bundle.
Specify bundling flavor through `-flavor`. There are three flavors:
`optimal` to generate a bundle of shortest chain and most advanced
cryptographic algorithms, `ubiquitous` to generate a bundle of most
widely acceptance across different browsers and OS platforms, and
`force` to find an acceptable bundle which is identical to the
content of the input certificate file.
Alternatively, the client certificate can be pulled directly from
a domain. It is also possible to connect to the remote address
through `-ip`.
```
cfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \
[-metadata metadata_file] [-flavor bundle_flavor] \
-domain domain_name [-ip ip_address]
```
The bundle output form should follow the example:
```json
{
"bundle": "CERT_BUNDLE_IN_PEM",
"crt": "LEAF_CERT_IN_PEM",
"crl_support": true,
"expires": "2015-12-31T23:59:59Z",
"hostnames": ["example.com"],
"issuer": "ISSUER CERT SUBJECT",
"key": "KEY_IN_PEM",
"key_size": 2048,
"key_type": "2048-bit RSA",
"ocsp": ["http://ocsp.example-ca.com"],
"ocsp_support": true,
"root": "ROOT_CA_CERT_IN_PEM",
"signature": "SHA1WithRSA",
"subject": "LEAF CERT SUBJECT",
"status": {
"rebundled": false,
"expiring_SKIs": [],
"untrusted_root_stores": [],
"messages": [],
"code": 0
}
}
```
#### Generating certificate signing request and private key
```
cfssl genkey csr.json
```
To generate a private key and corresponding certificate request, specify
the key request as a JSON file. This file should follow the form:
```json
{
"hosts": [
"example.com",
"www.example.com",
"https://www.example.com",
"jdoe@example.com",
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "Internet Widgets, Inc.",
"OU": "WWW",
"ST": "California"
}
]
}
```
#### Generating self-signed root CA certificate and private key
```
cfssl genkey -initca csr.json | cfssljson -bare ca
```
To generate a self-signed root CA certificate, specify the key request as
a JSON file in the same format as in 'genkey'. Three PEM-encoded entities
will appear in the output: the private key, the csr, and the self-signed
certificate.
#### Generating a remote-issued certificate and private key.
```
cfssl gencert -remote=remote_server [-hostname=comma,separated,hostnames] csr.json
```
This calls `genkey` but has a remote CFSSL server sign and issue
the certificate. You may use `-hostname` to override certificate SANs.
#### Generating a local-issued certificate and private key.
```
cfssl gencert -ca cert -ca-key key [-hostname=comma,separated,hostnames] csr.json
```
This generates and issues a certificate and private key from a local CA
via a JSON request. You may use `-hostname` to override certificate SANs.
#### Updating an OCSP responses file with a newly issued certificate
```
cfssl ocspsign -ca cert -responder key -responder-key key -cert cert \
| cfssljson -bare -stdout >> responses
```
This will generate an OCSP response for the `cert` and add it to the
`responses` file. You can then pass `responses` to `ocspserve` to start an
OCSP server.
### Starting the API Server
CFSSL comes with an HTTP-based API server; the endpoints are
documented in [`doc/api/intro.txt`](doc/api/intro.txt). The server is started with the `serve`
command:
```
cfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \
[-ca-key key] [-int-bundle bundle] [-int-dir dir] [-port port] \
[-metadata file] [-remote remote_host] [-config config] \
[-responder cert] [-responder-key key] [-db-config db-config]
```
Address and port default to "127.0.0.1:8888". The `-ca` and `-ca-key`
arguments should be the PEM-encoded certificate and private key to use
for signing; by default, they are `ca.pem` and `ca_key.pem`. The
`-ca-bundle` and `-int-bundle` should be the certificate bundles used
for the root and intermediate certificate pools, respectively. These
default to `ca-bundle.crt` and `int-bundle.crt` respectively. If the
`-remote` option is specified, all signature operations will be forwarded
to the remote CFSSL.
`-int-dir` specifies an intermediates directory. `-metadata` is a file for
root certificate presence. The content of the file is a json dictionary
(k,v) such that each key k is an SHA-1 digest of a root certificate while value v
is a list of key store filenames. `-config` specifies a path to a configuration
file. `-responder` and `-responder-key` are the certificate and the
private key for the OCSP responder, respectively.
The amount of logging can be controlled with the `-loglevel` option. This
comes *after* the serve command:
```
cfssl serve -loglevel 2
```
The levels are:
* 0 - DEBUG
* 1 - INFO (this is the default level)
* 2 - WARNING
* 3 - ERROR
* 4 - CRITICAL
### The multirootca
The `cfssl` program can act as an online certificate authority, but it
only uses a single key. If multiple signing keys are needed, the
`multirootca` program can be used. It only provides the `sign`,
`authsign` and `info` endpoints. The documentation contains instructions
for configuring and running the CA.
### The mkbundle Utility
`mkbundle` is used to build the root and intermediate bundles used in
verifying certificates. It can be installed with
```
go get github.com/cloudflare/cfssl/cmd/mkbundle
```
It takes a collection of certificates, checks for CRL revocation (OCSP
support is planned for the next release) and expired certificates, and
bundles them into one file. It takes directories of certificates and
certificate files (which may contain multiple certificates). For example,
if the directory `intermediates` contains a number of intermediate
certificates:
```
mkbundle -f int-bundle.crt intermediates
```
will check those certificates and combine valid certificates into a single
`int-bundle.crt` file.
The `-f` flag specifies an output name; `-loglevel` specifies the verbosity
of the logging (using the same loglevels as above), and `-nw` controls the
number of revocation-checking workers.
### The cfssljson Utility
Most of the output from `cfssl` is in JSON. The `cfssljson` utility can take
this output and split it out into separate `key`, `certificate`, `CSR`, and
`bundle` files as appropriate. The tool takes a single flag, `-f`, that
specifies the input file, and an argument that specifies the base name for
the files produced. If the input filename is `-` (which is the default),
cfssljson reads from standard input. It maps keys in the JSON file to
filenames in the following way:
* if __cert__ or __certificate__ is specified, __basename.pem__ will be produced.
* if __key__ or __private_key__ is specified, __basename-key.pem__ will be produced.
* if __csr__ or __certificate_request__ is specified, __basename.csr__ will be produced.
* if __bundle__ is specified, __basename-bundle.pem__ will be produced.
* if __ocspResponse__ is specified, __basename-response.der__ will be produced.
Instead of saving to a file, you can pass `-stdout` to output the encoded
contents to standard output.
### Static Builds
By default, the web assets are accessed from disk, based on their
relative locations. If you wish to distribute a single,
statically-linked, `cfssl` binary, you’ll want to embed these resources
before building. This can by done with the
[go.rice](https://github.com/GeertJohan/go.rice) tool.
```
pushd cli/serve && rice embed-go && popd
```
Then building with `go build` will use the embedded resources.
### Additional Documentation
Additional documentation can be found in the "doc" directory:
* [doc/api/intro.txt](doc/api/intro.txt): documents the API endpoints
================================================
FILE: api/api.go
================================================
// Package api implements an HTTP-based API and server for CFSSL.
package api
import (
"encoding/json"
"io"
"net/http"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/log"
)
// Handler is an interface providing a generic mechanism for handling HTTP requests.
type Handler interface {
Handle(w http.ResponseWriter, r *http.Request) error
}
// HTTPHandler is a wrapper that encapsulates Handler interface as http.Handler.
// HTTPHandler also enforces that the Handler only responds to requests with registered HTTP methods.
type HTTPHandler struct {
Handler // CFSSL handler
Methods []string // The associated HTTP methods
}
// HandlerFunc is similar to the http.HandlerFunc type; it serves as
// an adapter allowing the use of ordinary functions as Handlers. If
// f is a function with the appropriate signature, HandlerFunc(f) is a
// Handler object that calls f.
type HandlerFunc func(http.ResponseWriter, *http.Request) error
// Handle calls f(w, r)
func (f HandlerFunc) Handle(w http.ResponseWriter, r *http.Request) error {
w.Header().Set("Content-Type", "application/json")
return f(w, r)
}
// HandleError is the centralised error handling and reporting.
func HandleError(w http.ResponseWriter, err error) (code int) {
if err == nil {
return http.StatusOK
}
msg := err.Error()
httpCode := http.StatusInternalServerError
// If it is recognized as HttpError emitted from cfssl,
// we rewrite the status code accordingly. If it is a
// cfssl error, set the http status to StatusBadRequest
switch err := err.(type) {
case *errors.HTTPError:
httpCode = err.StatusCode
code = err.StatusCode
case *errors.Error:
httpCode = http.StatusBadRequest
code = err.ErrorCode
msg = err.Message
}
response := NewErrorResponse(msg, code)
jsonMessage, err := json.Marshal(response)
if err != nil {
log.Errorf("Failed to marshal JSON: %v", err)
} else {
msg = string(jsonMessage)
}
http.Error(w, msg, httpCode)
return code
}
// ServeHTTP encapsulates the call to underlying Handler to handle the request
// and return the response with proper HTTP status code
func (h HTTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
var err error
var match bool
// Throw 405 when requested with an unsupported verb.
for _, m := range h.Methods {
if m == r.Method {
match = true
}
}
if match {
err = h.Handle(w, r)
} else {
err = errors.NewMethodNotAllowed(r.Method)
}
status := HandleError(w, err)
log.Infof("%s - \"%s %s\" %d", r.RemoteAddr, r.Method, r.URL, status)
}
// readRequestBlob takes a JSON-blob-encoded response body in the form
// map[string]string and returns it, the list of keywords presented,
// and any error that occurred.
func readRequestBlob(r *http.Request) (map[string]string, error) {
var blob map[string]string
body, err := io.ReadAll(r.Body)
if err != nil {
return nil, err
}
r.Body.Close()
err = json.Unmarshal(body, &blob)
if err != nil {
return nil, err
}
return blob, nil
}
// ProcessRequestOneOf reads a JSON blob for the request and makes
// sure it contains one of a set of keywords. For example, a request
// might have the ('foo' && 'bar') keys, OR it might have the 'baz'
// key. In either case, we want to accept the request; however, if
// none of these sets shows up, the request is a bad request, and it
// should be returned.
func ProcessRequestOneOf(r *http.Request, keywordSets [][]string) (map[string]string, []string, error) {
blob, err := readRequestBlob(r)
if err != nil {
return nil, nil, err
}
var matched []string
for _, set := range keywordSets {
if matchKeywords(blob, set) {
if matched != nil {
return nil, nil, errors.NewBadRequestString("mismatched parameters")
}
matched = set
}
}
if matched == nil {
return nil, nil, errors.NewBadRequestString("no valid parameter sets found")
}
return blob, matched, nil
}
// ProcessRequestFirstMatchOf reads a JSON blob for the request and returns
// the first match of a set of keywords. For example, a request
// might have one of the following combinations: (foo=1, bar=2), (foo=1), and (bar=2)
// By giving a specific ordering of those combinations, we could decide how to accept
// the request.
func ProcessRequestFirstMatchOf(r *http.Request, keywordSets [][]string) (map[string]string, []string, error) {
blob, err := readRequestBlob(r)
if err != nil {
return nil, nil, err
}
for _, set := range keywordSets {
if matchKeywords(blob, set) {
return blob, set, nil
}
}
return nil, nil, errors.NewBadRequestString("no valid parameter sets found")
}
func matchKeywords(blob map[string]string, keywords []string) bool {
for _, keyword := range keywords {
if _, ok := blob[keyword]; !ok {
return false
}
}
return true
}
// ResponseMessage implements the standard for response errors and
// messages. A message has a code and a string message.
type ResponseMessage struct {
Code int `json:"code"`
Message string `json:"message"`
}
// Response implements the CloudFlare standard for API
// responses.
type Response struct {
Success bool `json:"success"`
Result interface{} `json:"result"`
Errors []ResponseMessage `json:"errors"`
Messages []ResponseMessage `json:"messages"`
}
// NewSuccessResponse is a shortcut for creating new successful API
// responses.
func NewSuccessResponse(result interface{}) Response {
return Response{
Success: true,
Result: result,
Errors: []ResponseMessage{},
Messages: []ResponseMessage{},
}
}
// NewSuccessResponseWithMessage is a shortcut for creating new successul API
// responses that includes a message.
func NewSuccessResponseWithMessage(result interface{}, message string, code int) Response {
return Response{
Success: true,
Result: result,
Errors: []ResponseMessage{},
Messages: []ResponseMessage{{code, message}},
}
}
// NewErrorResponse is a shortcut for creating an error response for a
// single error.
func NewErrorResponse(message string, code int) Response {
return Response{
Success: false,
Result: nil,
Errors: []ResponseMessage{{code, message}},
Messages: []ResponseMessage{},
}
}
// SendResponse builds a response from the result, sets the JSON
// header, and writes to the http.ResponseWriter.
func SendResponse(w http.ResponseWriter, result interface{}) error {
response := NewSuccessResponse(result)
w.Header().Set("Content-Type", "application/json")
enc := json.NewEncoder(w)
err := enc.Encode(response)
return err
}
// SendResponseWithMessage builds a response from the result and the
// provided message, sets the JSON header, and writes to the
// http.ResponseWriter.
func SendResponseWithMessage(w http.ResponseWriter, result interface{}, message string, code int) error {
response := NewSuccessResponseWithMessage(result, message, code)
w.Header().Set("Content-Type", "application/json")
enc := json.NewEncoder(w)
err := enc.Encode(response)
return err
}
================================================
FILE: api/api_test.go
================================================
package api
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"testing"
)
const (
ty = "Thank you!"
deny = "That's not true!"
)
func simpleHandle(w http.ResponseWriter, r *http.Request) error {
_, _, err := ProcessRequestOneOf(r, [][]string{
{"compliment"},
{"critique"},
})
if err != nil {
return err
}
return SendResponse(w, ty)
}
func cleverHandle(w http.ResponseWriter, r *http.Request) error {
_, matched, err := ProcessRequestFirstMatchOf(r, [][]string{
{"compliment"},
{"critique"},
})
if err != nil {
return err
}
if matched[0] == "critique" {
return SendResponse(w, deny)
}
return SendResponse(w, ty)
}
func post(t *testing.T, obj map[string]interface{}, ts *httptest.Server) (resp *http.Response, body []byte) {
blob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func get(t *testing.T, ts *httptest.Server) (resp *http.Response, body []byte) {
resp, err := http.Get(ts.URL)
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func TestRigidHandle(t *testing.T) {
ts := httptest.NewServer(HTTPHandler{Handler: HandlerFunc(simpleHandle), Methods: []string{"POST"}})
defer ts.Close()
// Response to compliment
obj := map[string]interface{}{}
obj["compliment"] = "it's good"
resp, body := post(t, obj, ts)
if resp.StatusCode != http.StatusOK {
t.Errorf("Test expected 200, have %d", resp.StatusCode)
}
message := new(Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Errorf("failed to read response body: %v", err)
t.Fatal("returned:", message)
}
if message.Result != ty {
t.Fatal("Wrong response")
}
// Response to critique
obj = map[string]interface{}{}
obj["critique"] = "it's bad"
resp, body = post(t, obj, ts)
if resp.StatusCode != http.StatusOK {
t.Errorf("Test expected 200, have %d", resp.StatusCode)
}
message = new(Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Errorf("failed to read response body: %v", err)
t.Fatal("returned:", message)
}
if message.Result != ty {
t.Fatal("Wrong response")
}
// reject mixed review
obj = map[string]interface{}{}
obj["critique"] = "it's OK"
obj["compliment"] = "it's not bad"
resp, _ = post(t, obj, ts)
if resp.StatusCode != http.StatusBadRequest {
t.Errorf("Test expected 400, have %d", resp.StatusCode)
}
// reject empty review
obj = map[string]interface{}{}
resp, _ = post(t, obj, ts)
if resp.StatusCode != http.StatusBadRequest {
t.Errorf("Test expected 400, have %d", resp.StatusCode)
}
// reject GET
resp, _ = get(t, ts)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Errorf("Test expected 405, have %d", resp.StatusCode)
}
}
func TestCleverHandle(t *testing.T) {
ts := httptest.NewServer(HTTPHandler{Handler: HandlerFunc(cleverHandle), Methods: []string{"POST"}})
defer ts.Close()
// Response ty to compliment
obj := map[string]interface{}{}
obj["compliment"] = "it's good"
resp, body := post(t, obj, ts)
if resp.StatusCode != http.StatusOK {
t.Errorf("Test expected 200, have %d", resp.StatusCode)
}
message := new(Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Errorf("failed to read response body: %v", err)
t.Fatal("returned:", message)
}
if message.Result != ty {
t.Fatal("Wrong response")
}
// Response deny to critique
obj = map[string]interface{}{}
obj["critique"] = "it's bad"
resp, body = post(t, obj, ts)
if resp.StatusCode != http.StatusOK {
t.Errorf("Test expected 200, have %d", resp.StatusCode)
}
message = new(Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Errorf("failed to read response body: %v", err)
t.Fatal("returned:", message)
}
if message.Result != deny {
t.Fatal("Wrong response")
}
// Be polite to mixed review
obj = map[string]interface{}{}
obj["critique"] = "it's OK"
obj["compliment"] = "it's not bad"
_, body = post(t, obj, ts)
message = new(Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Errorf("failed to read response body: %v", err)
t.Fatal("returned:", message)
}
if message.Result != ty {
t.Fatal("Wrong response")
}
// reject empty review
obj = map[string]interface{}{}
resp, _ = post(t, obj, ts)
if resp.StatusCode != http.StatusBadRequest {
t.Errorf("Test expected 400, have %d", resp.StatusCode)
}
// reject GET
resp, _ = get(t, ts)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Errorf("Test expected 405, have %d", resp.StatusCode)
}
}
================================================
FILE: api/bundle/bundle.go
================================================
// Package bundle implements the HTTP handler for the bundle command.
package bundle
import (
"net/http"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/bundler"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/log"
)
// Handler accepts requests for either remote or uploaded
// certificates to be bundled, and returns a certificate bundle (or
// error).
type Handler struct {
bundler *bundler.Bundler
}
// NewHandler creates a new bundler that uses the root bundle and
// intermediate bundle in the trust chain.
func NewHandler(caBundleFile, intBundleFile string) (http.Handler, error) {
var err error
b := new(Handler)
if b.bundler, err = bundler.NewBundler(caBundleFile, intBundleFile); err != nil {
return nil, err
}
log.Info("bundler API ready")
return api.HTTPHandler{Handler: b, Methods: []string{"POST"}}, nil
}
// Handle implements an http.Handler interface for the bundle handler.
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
blob, matched, err := api.ProcessRequestFirstMatchOf(r,
[][]string{
{"certificate"},
{"domain"},
})
if err != nil {
log.Warningf("invalid request: %v", err)
return err
}
flavor := blob["flavor"]
bf := bundler.Ubiquitous
if flavor != "" {
bf = bundler.BundleFlavor(flavor)
}
log.Infof("request for flavor %v", bf)
var result *bundler.Bundle
switch matched[0] {
case "domain":
bundle, err := h.bundler.BundleFromRemote(blob["domain"], blob["ip"], bf)
if err != nil {
log.Warningf("couldn't bundle from remote: %v", err)
return err
}
result = bundle
case "certificate":
bundle, err := h.bundler.BundleFromPEMorDER([]byte(blob["certificate"]), []byte(blob["private_key"]), bf, "")
if err != nil {
log.Warning("bad PEM certificate or private key")
return err
}
serverName := blob["domain"]
ip := blob["ip"]
if serverName != "" {
err := bundle.Cert.VerifyHostname(serverName)
if err != nil {
return errors.Wrap(errors.CertificateError, errors.VerifyFailed, err)
}
}
if ip != "" {
err := bundle.Cert.VerifyHostname(ip)
if err != nil {
return errors.Wrap(errors.CertificateError, errors.VerifyFailed, err)
}
}
result = bundle
}
log.Info("wrote response")
return api.SendResponse(w, result)
}
================================================
FILE: api/bundle/bundle_test.go
================================================
package bundle
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"os"
"testing"
"github.com/cloudflare/cfssl/api"
)
const (
testCaBundleFile = "../testdata/ca-bundle.pem"
testIntBundleFile = "../testdata/int-bundle.pem"
testLeafCertFile = "../testdata/leaf.pem"
testLeafKeyFile = "../testdata/leaf.key"
testLeafWrongKeyFile = "../testdata/leaf.badkey"
testBrokenCertFile = "../testdata/broken.pem"
)
func newTestHandler(t *testing.T) (h http.Handler) {
h, err := NewHandler(testCaBundleFile, testIntBundleFile)
if err != nil {
t.Fatal(err)
}
return
}
func newBundleServer(t *testing.T) *httptest.Server {
ts := httptest.NewServer(newTestHandler(t))
return ts
}
func testBundleFile(t *testing.T, domain, ip, certFile, keyFile, flavor string) (resp *http.Response, body []byte) {
ts := newBundleServer(t)
defer ts.Close()
var certPEM, keyPEM []byte
if certFile != "" {
var err error
certPEM, err = os.ReadFile(certFile)
if err != nil {
t.Fatal(err)
}
}
if keyFile != "" {
var err error
keyPEM, err = os.ReadFile(keyFile)
if err != nil {
t.Fatal(err)
}
}
obj := map[string]string{"flavor": flavor}
if len(domain) > 0 {
obj["domain"] = domain
}
if len(ip) > 0 {
obj["ip"] = ip
}
if len(certPEM) > 0 {
obj["certificate"] = string(certPEM)
}
if len(keyPEM) > 0 {
obj["private_key"] = string(keyPEM)
}
blob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func TestNewHandler(t *testing.T) {
newTestHandler(t)
}
type bundleTest struct {
Domain string
IP string
CertFile string
KeyFile string
Flavor string
ExpectedHTTPStatus int
ExpectedSuccess bool
ExpectedErrorCode int
}
var bundleTests = []bundleTest{
// Test bundling with certificate
{
CertFile: testLeafCertFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertFile: testLeafCertFile,
Flavor: "ubiquitous",
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertFile: testLeafCertFile,
Flavor: "optimal",
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertFile: testLeafCertFile,
KeyFile: testLeafKeyFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertFile: testLeafCertFile,
Domain: "cfssl-leaf.com",
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
// Test bundling with remote domain
{
Domain: "google.com",
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
},
// Error testing.
{
CertFile: testLeafCertFile,
KeyFile: testLeafWrongKeyFile,
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: 2300,
},
{
// no input parameter is specified
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: http.StatusBadRequest,
},
{
CertFile: testBrokenCertFile,
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: 1003,
},
{
CertFile: testLeafKeyFile,
KeyFile: testLeafKeyFile,
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: 1003,
},
{
CertFile: testLeafCertFile,
KeyFile: testLeafCertFile,
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: 2003,
},
{
CertFile: testLeafCertFile,
Domain: "cloudflare-leaf.com",
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: 1200,
},
}
func TestBundle(t *testing.T) {
for i, test := range bundleTests {
resp, body := testBundleFile(t, test.Domain, test.IP, test.CertFile, test.KeyFile, test.Flavor)
if resp.StatusCode != test.ExpectedHTTPStatus {
t.Errorf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Errorf("failed to read response body: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess != message.Success {
t.Errorf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess == true {
continue
}
if test.ExpectedErrorCode != 0 && test.ExpectedErrorCode != message.Errors[0].Code {
t.Errorf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
}
}
================================================
FILE: api/certadd/insert.go
================================================
package certadd
import (
"bytes"
"database/sql"
"encoding/base64"
"encoding/hex"
"encoding/json"
"io"
"math/big"
"net/http"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/ocsp"
"github.com/jmoiron/sqlx/types"
stdocsp "golang.org/x/crypto/ocsp"
)
// This is patterned on
// https://github.com/cloudflare/cfssl/blob/master/api/revoke/revoke.go. This
// file defines an HTTP endpoint handler that accepts certificates and
// inserts them into a certdb, optionally also creating an OCSP
// response for them. If so, it will also return the OCSP response as
// a base64 encoded string.
// A Handler accepts new SSL certificates and inserts them into the
// certdb, creating an appropriate OCSP response for them.
type Handler struct {
dbAccessor certdb.Accessor
signer ocsp.Signer
}
// NewHandler creates a new Handler from a certdb.Accessor and ocsp.Signer
func NewHandler(dbAccessor certdb.Accessor, signer ocsp.Signer) http.Handler {
return &api.HTTPHandler{
Handler: &Handler{
dbAccessor: dbAccessor,
signer: signer,
},
Methods: []string{"POST"},
}
}
// AddRequest describes a request from a client to insert a
// certificate into the database.
type AddRequest struct {
Serial string `json:"serial_number"`
AKI string `json:"authority_key_identifier"`
CALabel string `json:"ca_label"`
Status string `json:"status"`
Reason int `json:"reason"`
Expiry time.Time `json:"expiry"`
RevokedAt time.Time `json:"revoked_at"`
PEM string `json:"pem"`
IssuedAt *time.Time `json:"issued_at"`
NotBefore *time.Time `json:"not_before"`
MetadataJSON types.JSONText `json:"metadata"`
SansJSON types.JSONText `json:"sans"`
CommonName string `json:"common_name"`
}
// Map of valid reason codes
var validReasons = map[int]bool{
stdocsp.Unspecified: true,
stdocsp.KeyCompromise: true,
stdocsp.CACompromise: true,
stdocsp.AffiliationChanged: true,
stdocsp.Superseded: true,
stdocsp.CessationOfOperation: true,
stdocsp.CertificateHold: true,
stdocsp.RemoveFromCRL: true,
stdocsp.PrivilegeWithdrawn: true,
stdocsp.AACompromise: true,
}
// Handle handles HTTP requests to add certificates
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
body, err := io.ReadAll(r.Body)
if err != nil {
return err
}
r.Body.Close()
var req AddRequest
err = json.Unmarshal(body, &req)
if err != nil {
return errors.NewBadRequestString("Unable to parse certificate addition request")
}
if len(req.Serial) == 0 {
return errors.NewBadRequestString("Serial number is required but not provided")
}
if len(req.AKI) == 0 {
return errors.NewBadRequestString("Authority key identifier is required but not provided")
}
if _, present := ocsp.StatusCode[req.Status]; !present {
return errors.NewBadRequestString("Invalid certificate status")
}
if ocsp.StatusCode[req.Status] == stdocsp.Revoked {
if req.RevokedAt == (time.Time{}) {
return errors.NewBadRequestString("Revoked certificate should specify when it was revoked")
}
if _, present := validReasons[req.Reason]; !present {
return errors.NewBadRequestString("Invalid certificate status reason code")
}
}
if len(req.PEM) == 0 {
return errors.NewBadRequestString("The provided certificate is empty")
}
if req.Expiry.IsZero() {
return errors.NewBadRequestString("Expiry is required but not provided")
}
// Parse the certificate and validate that it matches
cert, err := helpers.ParseCertificatePEM([]byte(req.PEM))
if err != nil {
return errors.NewBadRequestString("Unable to parse PEM encoded certificates")
}
serialBigInt := new(big.Int)
if _, success := serialBigInt.SetString(req.Serial, 10); !success {
return errors.NewBadRequestString("Unable to parse serial key of request")
}
if serialBigInt.Cmp(cert.SerialNumber) != 0 {
return errors.NewBadRequestString("Serial key of request and certificate do not match")
}
aki, err := hex.DecodeString(req.AKI)
if err != nil {
return errors.NewBadRequestString("Unable to decode authority key identifier")
}
if !bytes.Equal(aki, cert.AuthorityKeyId) {
return errors.NewBadRequestString("Authority key identifier of request and certificate do not match")
}
if req.Expiry != cert.NotAfter {
return errors.NewBadRequestString("Expiry of request and certificate do not match")
}
cr := certdb.CertificateRecord{
Serial: req.Serial,
AKI: req.AKI,
CALabel: req.CALabel,
Status: req.Status,
Reason: req.Reason,
Expiry: req.Expiry,
RevokedAt: req.RevokedAt,
PEM: req.PEM,
IssuedAt: req.IssuedAt,
NotBefore: req.NotBefore,
MetadataJSON: req.MetadataJSON,
SANsJSON: req.SansJSON,
CommonName: sql.NullString{String: req.CommonName, Valid: req.CommonName != ""},
}
err = h.dbAccessor.InsertCertificate(cr)
if err != nil {
return err
}
result := map[string]string{}
if h.signer != nil {
// Now create an appropriate OCSP response
sr := ocsp.SignRequest{
Certificate: cert,
Status: req.Status,
Reason: req.Reason,
RevokedAt: req.RevokedAt,
}
ocspResponse, err := h.signer.Sign(sr)
if err != nil {
return err
}
// We parse the OCSP response in order to get the next
// update time/expiry time
ocspParsed, err := stdocsp.ParseResponse(ocspResponse, nil)
if err != nil {
return err
}
result["ocsp_response"] = base64.StdEncoding.EncodeToString(ocspResponse)
ocspRecord := certdb.OCSPRecord{
Serial: req.Serial,
AKI: req.AKI,
Body: string(ocspResponse),
Expiry: ocspParsed.NextUpdate,
}
if err = h.dbAccessor.InsertOCSP(ocspRecord); err != nil {
return err
}
}
return api.SendResponse(w, result)
}
================================================
FILE: api/certadd/insert_test.go
================================================
package certadd
import (
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/hex"
"encoding/json"
"encoding/pem"
"io"
"math/big"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/certdb/sql"
"github.com/cloudflare/cfssl/certdb/testdb"
"github.com/cloudflare/cfssl/ocsp"
stdocsp "golang.org/x/crypto/ocsp"
)
func prepDB() (certdb.Accessor, error) {
db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db")
dbAccessor := sql.NewAccessor(db)
return dbAccessor, nil
}
func makeRequest(t *testing.T, dbAccessor certdb.Accessor, signer ocsp.Signer, req map[string]interface{}) (resp *http.Response, body []byte) {
ts := httptest.NewServer(NewHandler(dbAccessor, signer))
defer ts.Close()
blob, err := json.Marshal(req)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func makeCertificate() (serialNumber *big.Int, cert *x509.Certificate, pemBytes []byte, signer ocsp.Signer, err error) {
privKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return
}
serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err = rand.Int(rand.Reader, serialNumberRange)
if err != nil {
return
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Cornell CS 5152"},
},
AuthorityKeyId: []byte{42, 42, 42, 42},
NotAfter: time.Now(),
}
cert = &template
issuerSerial, err := rand.Int(rand.Reader, serialNumberRange)
if err != nil {
return
}
responderSerial, err := rand.Int(rand.Reader, serialNumberRange)
if err != nil {
return
}
// Generate a CA certificate
issuerTemplate := x509.Certificate{
SerialNumber: issuerSerial,
Subject: pkix.Name{
Organization: []string{"Cornell CS 5152"},
},
AuthorityKeyId: []byte{42, 42, 42, 42},
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
IsCA: true,
BasicConstraintsValid: true,
}
issuerBytes, err := x509.CreateCertificate(rand.Reader, &issuerTemplate, &issuerTemplate, &privKey.PublicKey, privKey)
if err != nil {
return
}
issuer, err := x509.ParseCertificate(issuerBytes)
if err != nil {
return
}
responderTemplate := x509.Certificate{
SerialNumber: responderSerial,
Subject: pkix.Name{
Organization: []string{"Cornell CS 5152 Responder"},
},
AuthorityKeyId: []byte{42, 42, 42, 43},
}
responderBytes, err := x509.CreateCertificate(rand.Reader, &responderTemplate, &responderTemplate, &privKey.PublicKey, privKey)
if err != nil {
return
}
responder, err := x509.ParseCertificate(responderBytes)
if err != nil {
return
}
signer, err = ocsp.NewSigner(issuer, responder, privKey, time.Hour)
if err != nil {
return
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, issuer, &privKey.PublicKey, privKey)
if err != nil {
return
}
pemBytes = pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: derBytes,
})
return
}
func TestInsertValidCertificate(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "good",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusOK {
t.Fatal("Expected HTTP OK, got", resp.StatusCode, string(body))
}
var response map[string]interface{}
if err = json.Unmarshal(body, &response); err != nil {
t.Fatal("Could not parse response: ", err)
}
responseResult := response["result"].(map[string]interface{})
encodedOcsp := responseResult["ocsp_response"].(string)
rawOcsp, err := base64.StdEncoding.DecodeString(encodedOcsp)
if err != nil {
t.Fatal("Could not base64 decode response: ", err)
}
returnedOcsp, err := stdocsp.ParseResponse(rawOcsp, nil)
if err != nil {
t.Fatal("Could not parse returned OCSP response", err)
}
ocsps, err := dbAccessor.GetOCSP(serialNumber.Text(10), hex.EncodeToString(cert.AuthorityKeyId))
if err != nil {
t.Fatal(err)
}
if len(ocsps) != 1 {
t.Fatal("Expected 1 OCSP record to be inserted, but found ", len(ocsps))
}
parsedOcsp, err := stdocsp.ParseResponse([]byte(ocsps[0].Body), nil)
if err != nil {
t.Fatal(err)
}
if parsedOcsp.SerialNumber.Cmp(returnedOcsp.SerialNumber) != 0 {
t.Fatal("The returned and inserted OCSP response have different serial numbers: got ", returnedOcsp.SerialNumber, " but decoded ", parsedOcsp.SerialNumber)
}
if parsedOcsp.SerialNumber.Cmp(serialNumber) != 0 {
t.Fatal("Got the wrong serial number: expected", serialNumber, "but got", parsedOcsp.SerialNumber)
}
if parsedOcsp.Status != stdocsp.Good {
t.Fatal("Expected OCSP response status to be ", stdocsp.Good,
" but found ", parsedOcsp.Status)
}
}
func TestInsertMissingSerial(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
_, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "good",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertMissingAKI(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"status": "good",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertMissingExpiry(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "good",
"pem": string(pemBytes),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertMissingPEM(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, _, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "good",
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertInvalidSerial(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
_, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": "this is not a serial number",
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "good",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertInvalidAKI(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": "this is not an AKI",
"status": "good",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request, got", resp.StatusCode, string(body))
}
}
func TestInsertInvalidStatus(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "invalid",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertInvalidPEM(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, _, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "good",
"pem": "this is not a PEM certificate",
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request, got", resp.StatusCode, string(body))
}
}
func TestInsertInvalidExpiry(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "good",
"pem": string(pemBytes),
"expiry": "this is not an expiry",
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request, got", resp.StatusCode, string(body))
}
}
func TestInsertWrongSerial(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
_, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": big.NewInt(1).Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "good",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertWrongAKI(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString([]byte{7, 7}),
"status": "good",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertWrongExpiry(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, _, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString([]byte{7, 7}),
"status": "good",
"pem": string(pemBytes),
"expiry": time.Now().UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
func TestInsertRevokedCertificate(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "revoked",
"pem": string(pemBytes),
"revoked_at": time.Now(),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
})
if resp.StatusCode != http.StatusOK {
t.Fatal("Expected HTTP OK", resp.StatusCode, string(body))
}
ocsps, err := dbAccessor.GetOCSP(serialNumber.Text(10), hex.EncodeToString(cert.AuthorityKeyId))
if err != nil {
t.Fatal(err)
}
if len(ocsps) != 1 {
t.Fatal("Expected 1 OCSP record to be inserted, but found ", len(ocsps))
}
response, err := stdocsp.ParseResponse([]byte(ocsps[0].Body), nil)
if err != nil {
t.Fatal(err)
}
if response.Status != stdocsp.Revoked {
t.Fatal("Expected OCSP response status to be ", stdocsp.Revoked,
" but found ", response.Status)
}
}
func TestInsertRevokedCertificateWithoutTime(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
serialNumber, cert, pemBytes, signer, err := makeCertificate()
if err != nil {
t.Fatal(err)
}
resp, body := makeRequest(t, dbAccessor, signer, map[string]interface{}{
"serial_number": serialNumber.Text(10),
"authority_key_identifier": hex.EncodeToString(cert.AuthorityKeyId),
"status": "revoked",
"pem": string(pemBytes),
"expiry": cert.NotAfter.UTC().Format(time.RFC3339),
// Omit RevokedAt
})
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("Expected HTTP Bad Request", resp.StatusCode, string(body))
}
}
================================================
FILE: api/certinfo/certinfo.go
================================================
// Package certinfo implements the HTTP handler for the certinfo command.
package certinfo
import (
"errors"
"net/http"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/certinfo"
"github.com/cloudflare/cfssl/log"
)
// Handler accepts requests for either remote or uploaded
// certificates to be bundled, and returns a certificate bundle (or
// error).
type Handler struct {
dbAccessor certdb.Accessor
}
// NewHandler creates a new bundler that uses the root bundle and
// intermediate bundle in the trust chain.
func NewHandler() http.Handler {
return api.HTTPHandler{Handler: new(Handler), Methods: []string{"POST"}}
}
// NewAccessorHandler creates a new bundler with database access via the
// certdb.Accessor interface. If this handler is constructed it will be possible
// to lookup certificates issued earlier by the CA.
func NewAccessorHandler(dbAccessor certdb.Accessor) http.Handler {
return api.HTTPHandler{
Handler: &Handler{
dbAccessor: dbAccessor,
},
Methods: []string{"POST"},
}
}
// Handle implements an http.Handler interface for the bundle handler.
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) (err error) {
blob, matched, err := api.ProcessRequestFirstMatchOf(r,
[][]string{
{"certificate"},
{"domain"},
{"serial", "authority_key_id"},
})
if err != nil {
log.Warningf("invalid request: %v", err)
return err
}
var cert *certinfo.Certificate
switch matched[0] {
case "domain":
if cert, err = certinfo.ParseCertificateDomain(blob["domain"]); err != nil {
log.Warningf("couldn't parse remote certificate: %v", err)
return err
}
case "certificate":
if cert, err = certinfo.ParseCertificatePEM([]byte(blob["certificate"])); err != nil {
log.Warningf("bad PEM certificate: %v", err)
return err
}
case "serial", "authority_key_id":
if h.dbAccessor == nil {
log.Warning("could not find certificates with db access")
return errors.New("cannot lookup certificate from serial without db access")
}
if cert, err = certinfo.ParseSerialNumber(blob["serial"], blob["authority_key_id"], h.dbAccessor); err != nil {
log.Warningf("couldn't find certificate: %v", err)
return err
}
}
return api.SendResponse(w, cert)
}
================================================
FILE: api/client/api.go
================================================
package client
// SignResult is the result of signing a CSR.
type SignResult struct {
Certificate []byte `json:"certificate"`
}
================================================
FILE: api/client/client.go
================================================
// Package client implements a Go client for CFSSL API commands.
package client
import (
"bytes"
"crypto/tls"
"encoding/json"
stderr "errors"
"fmt"
"io"
"net"
"net/http"
"net/url"
"strconv"
"strings"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/auth"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/info"
"github.com/cloudflare/cfssl/log"
)
// A server points to a single remote CFSSL instance.
type server struct {
URL string
TLSConfig *tls.Config
reqModifier func(*http.Request, []byte)
RequestTimeout time.Duration
proxy func(*http.Request) (*url.URL, error)
}
// A Remote points to at least one (but possibly multiple) remote
// CFSSL instances. It must be able to perform a authenticated and
// unauthenticated certificate signing requests, return information
// about the CA on the other end, and return a list of the hosts that
// are used by the remote.
type Remote interface {
AuthSign(req, id []byte, provider auth.Provider) ([]byte, error)
Sign(jsonData []byte) ([]byte, error)
Info(jsonData []byte) (*info.Resp, error)
Hosts() []string
SetReqModifier(func(*http.Request, []byte))
SetRequestTimeout(d time.Duration)
SetProxy(func(*http.Request) (*url.URL, error))
}
// NewServer sets up a new server target. The address should be of
// The format [protocol:]name[:port] of the remote CFSSL instance.
// If no protocol is given http is default. If no port
// is specified, the CFSSL default port (8888) is used. If the name is
// a comma-separated list of hosts, an ordered group will be returned.
func NewServer(addr string) Remote {
return NewServerTLS(addr, nil)
}
// NewServerTLS is the TLS version of NewServer
func NewServerTLS(addr string, tlsConfig *tls.Config) Remote {
addrs := strings.Split(addr, ",")
var remote Remote
if len(addrs) > 1 {
remote, _ = NewGroup(addrs, tlsConfig, StrategyOrderedList)
} else {
u, err := normalizeURL(addrs[0])
if err != nil {
log.Errorf("bad url: %v", err)
return nil
}
srv := newServer(u, tlsConfig)
if srv != nil {
remote = srv
}
}
return remote
}
func (srv *server) Hosts() []string {
return []string{srv.URL}
}
func (srv *server) SetReqModifier(mod func(*http.Request, []byte)) {
srv.reqModifier = mod
}
func (srv *server) SetRequestTimeout(timeout time.Duration) {
srv.RequestTimeout = timeout
}
func (srv *server) SetProxy(proxy func(*http.Request) (*url.URL, error)) {
srv.proxy = proxy
}
func newServer(u *url.URL, tlsConfig *tls.Config) *server {
URL := u.String()
return &server{
URL: URL,
TLSConfig: tlsConfig,
}
}
func (srv *server) getURL(endpoint string) string {
return fmt.Sprintf("%s/api/v1/cfssl/%s", srv.URL, endpoint)
}
func (srv *server) createTransport() *http.Transport {
// Start with defaults from http.DefaultTransport
transport := &http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
DualStack: true,
}).DialContext,
MaxIdleConns: 100,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
}
// Setup HTTPS client
tlsConfig := srv.TLSConfig
tlsConfig.BuildNameToCertificate()
transport.TLSClientConfig = tlsConfig
// Setup Proxy
if srv.proxy != nil {
transport.Proxy = srv.proxy
}
return transport
}
// post connects to the remote server and returns a Response struct
func (srv *server) post(url string, jsonData []byte) (*api.Response, error) {
var resp *http.Response
var err error
client := &http.Client{}
if srv.TLSConfig != nil {
client.Transport = srv.createTransport()
}
if srv.RequestTimeout != 0 {
client.Timeout = srv.RequestTimeout
}
req, err := http.NewRequest("POST", url, bytes.NewReader(jsonData))
if err != nil {
err = fmt.Errorf("failed POST to %s: %v", url, err)
return nil, errors.Wrap(errors.APIClientError, errors.ClientHTTPError, err)
}
req.Close = true
req.Header.Set("content-type", "application/json")
if srv.reqModifier != nil {
srv.reqModifier(req, jsonData)
}
resp, err = client.Do(req)
if err != nil {
err = fmt.Errorf("failed POST to %s: %v", url, err)
return nil, errors.Wrap(errors.APIClientError, errors.ClientHTTPError, err)
}
defer req.Body.Close()
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, errors.Wrap(errors.APIClientError, errors.IOError, err)
}
if resp.StatusCode != http.StatusOK {
log.Errorf("http error with %s", url)
return nil, errors.Wrap(errors.APIClientError, errors.ClientHTTPError, stderr.New(string(body)))
}
var response api.Response
err = json.Unmarshal(body, &response)
if err != nil {
log.Debug("Unable to parse response body:", string(body))
return nil, errors.Wrap(errors.APIClientError, errors.JSONError, err)
}
if !response.Success || response.Result == nil {
if len(response.Errors) > 0 {
return nil, errors.Wrap(errors.APIClientError, errors.ServerRequestFailed, stderr.New(response.Errors[0].Message))
}
return nil, errors.New(errors.APIClientError, errors.ServerRequestFailed)
}
return &response, nil
}
// AuthSign fills out an authenticated signing request to the server,
// receiving a certificate or error in response.
// It takes the serialized JSON request to send, remote address and
// authentication provider.
func (srv *server) AuthSign(req, id []byte, provider auth.Provider) ([]byte, error) {
return srv.authReq(req, id, provider, "sign")
}
// AuthInfo fills out an authenticated info request to the server,
// receiving a certificate or error in response.
// It takes the serialized JSON request to send, remote address and
// authentication provider.
func (srv *server) AuthInfo(req, id []byte, provider auth.Provider) ([]byte, error) {
return srv.authReq(req, id, provider, "info")
}
// authReq is the common logic for AuthSign and AuthInfo -- perform the given
// request, and return the resultant certificate.
// The target is either 'sign' or 'info'.
func (srv *server) authReq(req, ID []byte, provider auth.Provider, target string) ([]byte, error) {
url := srv.getURL("auth" + target)
token, err := provider.Token(req)
if err != nil {
return nil, errors.Wrap(errors.APIClientError, errors.AuthenticationFailure, err)
}
aReq := &auth.AuthenticatedRequest{
Timestamp: time.Now().Unix(),
RemoteAddress: ID,
Token: token,
Request: req,
}
jsonData, err := json.Marshal(aReq)
if err != nil {
return nil, errors.Wrap(errors.APIClientError, errors.JSONError, err)
}
response, err := srv.post(url, jsonData)
if err != nil {
return nil, err
}
result, ok := response.Result.(map[string]interface{})
if !ok {
return nil, errors.New(errors.APIClientError, errors.JSONError)
}
cert, ok := result["certificate"].(string)
if !ok {
return nil, errors.New(errors.APIClientError, errors.JSONError)
}
return []byte(cert), nil
}
// Sign sends a signature request to the remote CFSSL server,
// receiving a signed certificate or an error in response.
// It takes the serialized JSON request to send.
func (srv *server) Sign(jsonData []byte) ([]byte, error) {
return srv.request(jsonData, "sign")
}
// Info sends an info request to the remote CFSSL server, receiving a
// response or an error in response.
// It takes the serialized JSON request to send.
func (srv *server) Info(jsonData []byte) (*info.Resp, error) {
res, err := srv.getResultMap(jsonData, "info")
if err != nil {
return nil, err
}
info := new(info.Resp)
if val, ok := res["certificate"]; ok {
info.Certificate = val.(string)
}
var usages []interface{}
if val, ok := res["usages"]; ok && val != nil {
usages = val.([]interface{})
}
if val, ok := res["expiry"]; ok && val != nil {
info.ExpiryString = val.(string)
}
info.Usage = make([]string, len(usages))
for i, s := range usages {
info.Usage[i] = s.(string)
}
return info, nil
}
func (srv *server) getResultMap(jsonData []byte, target string) (result map[string]interface{}, err error) {
url := srv.getURL(target)
response, err := srv.post(url, jsonData)
if err != nil {
return
}
result, ok := response.Result.(map[string]interface{})
if !ok {
err = errors.Wrap(errors.APIClientError, errors.ClientHTTPError, stderr.New("response is formatted improperly"))
return
}
return
}
// request performs the common logic for Sign and Info, performing the actual
// request and returning the resultant certificate.
func (srv *server) request(jsonData []byte, target string) ([]byte, error) {
result, err := srv.getResultMap(jsonData, target)
if err != nil {
return nil, err
}
cert := result["certificate"].(string)
if cert != "" {
return []byte(cert), nil
}
return nil, errors.Wrap(errors.APIClientError, errors.ClientHTTPError, stderr.New("response doesn't contain certificate."))
}
// AuthRemote acts as a Remote with a default Provider for AuthSign.
type AuthRemote struct {
Remote
provider auth.Provider
}
// NewAuthServer sets up a new auth server target with an addr
// in the same format at NewServer and a default authentication provider to
// use for Sign requests.
func NewAuthServer(addr string, tlsConfig *tls.Config, provider auth.Provider) *AuthRemote {
return &AuthRemote{
Remote: NewServerTLS(addr, tlsConfig),
provider: provider,
}
}
// Sign is overloaded to perform an AuthSign request using the default auth provider.
func (ar *AuthRemote) Sign(req []byte) ([]byte, error) {
return ar.AuthSign(req, nil, ar.provider)
}
// normalizeURL checks for http/https protocol, appends "http" as default protocol if not defined in url
func normalizeURL(addr string) (*url.URL, error) {
addr = strings.TrimSpace(addr)
u, err := url.Parse(addr)
if err != nil {
return nil, err
}
if u.Opaque != "" {
u.Host = net.JoinHostPort(u.Scheme, u.Opaque)
u.Opaque = ""
} else if u.Path != "" && !strings.Contains(u.Path, ":") {
u.Host = net.JoinHostPort(u.Path, "8888")
u.Path = ""
} else if u.Scheme == "" {
u.Host = u.Path
u.Path = ""
}
if u.Scheme != "https" {
u.Scheme = "http"
}
_, port, err := net.SplitHostPort(u.Host)
if err != nil {
_, port, err = net.SplitHostPort(u.Host + ":8888")
if err != nil {
return nil, err
}
}
if port != "" {
_, err = strconv.Atoi(port)
if err != nil {
return nil, err
}
}
return u, nil
}
================================================
FILE: api/client/client_test.go
================================================
package client
import (
"crypto/tls"
"github.com/cloudflare/cfssl/auth"
"github.com/cloudflare/cfssl/helpers"
"net"
"strings"
"testing"
)
var (
testProvider auth.Provider
testKey = "0123456789ABCDEF0123456789ABCDEF"
testAD = []byte{1, 2, 3, 4} // IP address 1.2.3.4
)
func TestNewServer(t *testing.T) {
s := NewServer("1.1.1.1:::123456789")
if s != nil {
t.Fatalf("fatal error, server created with too many colons %v", s)
}
s2 := NewServer("1.1.1.1:[]")
if s != nil {
t.Fatalf("%v", s2)
}
_, port, _ := net.SplitHostPort("")
if port != "" {
t.Fatalf("%v", port)
}
s = NewServer("http://127.0.0.1:8888")
hosts := s.Hosts()
if len(hosts) != 1 || hosts[0] != "http://127.0.0.1:8888" {
t.Fatalf("expected [http://127.0.0.1:8888], but have %v", hosts)
}
s = NewServer("http://1.1.1.1:9999")
hosts = s.Hosts()
if len(hosts) != 1 || hosts[0] != "http://1.1.1.1:9999" {
t.Fatalf("expected [http://1.1.1.1:9999], but have %v", hosts)
}
s = NewServer("https://1.1.1.1:8080")
hosts = s.Hosts()
if len(hosts) != 1 || hosts[0] != "https://1.1.1.1:8080" {
t.Fatalf("expected [https://1.1.1.1:8080], but have %v", hosts)
}
}
func TestInvalidPort(t *testing.T) {
s := NewServer("1.1.1.1:99999999999999999999999999999")
if s != nil {
t.Fatalf("%v", s)
}
}
func TestAuthSign(t *testing.T) {
s := NewServer(".X")
testProvider, _ = auth.New(testKey, nil)
testRequest := []byte(`testing 1 2 3`)
as, err := s.AuthSign(testRequest, testAD, testProvider)
if as != nil || err == nil {
t.Fatal("expected error with auth sign function")
}
}
func TestDefaultAuthSign(t *testing.T) {
testProvider, _ = auth.New(testKey, nil)
s := NewAuthServer(".X", nil, testProvider)
testRequest := []byte(`testing 1 2 3`)
as, err := s.Sign(testRequest)
if as != nil || err == nil {
t.Fatal("expected error with auth sign function")
}
}
func TestSign(t *testing.T) {
s := NewServer(".X")
sign, err := s.Sign([]byte{5, 5, 5, 5})
if sign != nil || err == nil {
t.Fatalf("expected error with sign function")
}
}
func TestNewMutualTLSServer(t *testing.T) {
cert, _ := helpers.LoadClientCertificate("../../helpers/testdata/ca.pem", "../../helpers/testdata/ca_key.pem")
s := NewServerTLS("https://nohost:8888", helpers.CreateTLSConfig(nil, cert))
if s == nil {
t.Fatalf("fatal error, empty server")
}
_, err := s.Sign([]byte{5, 5, 5, 5})
if err == nil {
t.Fatalf("expected error with sign function")
}
if !(strings.Contains(err.Error(), "Post")) && !(strings.Contains(err.Error(), "https://nohost:8888/api/v1/cfssl/sign")) && !(strings.Contains(err.Error(), "dial tcp: lookup nohost: no such host")) {
t.Fatalf("no error message %v", err)
}
}
func TestNewServerGroup(t *testing.T) {
s := NewServer("cfssl1.local:8888, cfssl2.local:8888, http://cfssl3.local:8888, http://cfssl4.local:8888")
ogl, ok := s.(*orderedListGroup)
if !ok {
t.Fatalf("expected NewServer to return an ordered group list with a list of servers, instead got a %T = %+v", ogl, ogl)
}
if len(ogl.remotes) != 4 {
t.Fatalf("expected the remote to have four servers, but it has %d", len(ogl.remotes))
}
hosts := ogl.Hosts()
if len(hosts) != 4 {
t.Fatalf("expected 2 hosts in the group, but have %d", len(hosts))
}
if hosts[0] != "http://cfssl1.local:8888" {
t.Fatalf("expected to see http://cfssl1.local:8888, but saw %s",
hosts[0])
}
if hosts[1] != "http://cfssl2.local:8888" {
t.Fatalf("expected to see http://cfssl2.local:8888, but saw %s",
hosts[1])
}
if hosts[2] != "http://cfssl3.local:8888" {
t.Fatalf("expected to see http://cfssl1.local:8888, but saw %s",
hosts[2])
}
if hosts[3] != "http://cfssl4.local:8888" {
t.Fatalf("expected to see http://cfssl2.local:8888, but saw %s",
hosts[3])
}
}
func TestNewTLSServerGroup(t *testing.T) {
NewTLSServerGroup(t, nil)
}
func TestNewMutualTLSServerGroup(t *testing.T) {
cert, _ := helpers.LoadClientCertificate("../../helpers/testdata/ca.pem", "../../helpers/testdata/ca_key.pem")
NewTLSServerGroup(t, cert)
}
func NewTLSServerGroup(t *testing.T, cert *tls.Certificate) {
s := NewServerTLS("https://cfssl1.local:8888, https://cfssl2.local:8888", helpers.CreateTLSConfig(nil, cert))
ogl, ok := s.(*orderedListGroup)
if !ok {
t.Fatalf("expected NewServer to return an ordered group list with a list of servers, instead got a %T = %+v", ogl, ogl)
}
if len(ogl.remotes) != 2 {
t.Fatalf("expected the remote to have two servers, but it has %d", len(ogl.remotes))
}
hosts := ogl.Hosts()
if len(hosts) != 2 {
t.Fatalf("expected 2 hosts in the group, but have %d", len(hosts))
}
if hosts[0] != "https://cfssl1.local:8888" {
t.Fatalf("expected to see https://cfssl1.local:8888, but saw %s",
hosts[0])
}
if hosts[1] != "https://cfssl2.local:8888" {
t.Fatalf("expected to see https://cfssl2.local:8888, but saw %s",
hosts[1])
}
}
func TestNewOGLGroup(t *testing.T) {
strategy := StrategyFromString("ordered_list")
if strategy == StrategyInvalid {
t.Fatal("expected StrategyOrderedList as selected strategy but have StrategyInvalid")
}
if strategy != StrategyOrderedList {
t.Fatalf("expected StrategyOrderedList (%d) but have %d", StrategyOrderedList, strategy)
}
rem, err := NewGroup([]string{"ca1.local,", "ca2.local"}, nil, strategy)
if err != nil {
t.Fatalf("%v", err)
}
ogl, ok := rem.(*orderedListGroup)
if !ok {
t.Fatalf("expected to get an orderedListGroup but got %T", rem)
}
if len(ogl.remotes) != 2 {
t.Fatalf("expected two remotes in the ordered group list but have %d", len(ogl.remotes))
}
}
================================================
FILE: api/client/group.go
================================================
package client
import (
"crypto/tls"
"errors"
"net/http"
"net/url"
"strings"
"time"
"github.com/cloudflare/cfssl/auth"
"github.com/cloudflare/cfssl/info"
)
// Strategy is the means by which the server to use as a remote should
// be selected.
type Strategy int
const (
// StrategyInvalid indicates any strategy that is unsupported
// or returned when no strategy is applicable.
StrategyInvalid = iota
// StrategyOrderedList is a sequential list of servers: if the
// first server cannot be reached, the next is used. The
// client will proceed in this manner until the list of
// servers is exhausted, and then an error is returned.
StrategyOrderedList
)
var strategyStrings = map[string]Strategy{
"ordered_list": StrategyOrderedList,
}
// StrategyFromString takes a string describing a
func StrategyFromString(s string) Strategy {
s = strings.TrimSpace(strings.ToLower(s))
strategy, ok := strategyStrings[s]
if !ok {
return StrategyInvalid
}
return strategy
}
// NewGroup will use the collection of remotes specified with the
// given strategy.
func NewGroup(remotes []string, tlsConfig *tls.Config, strategy Strategy) (Remote, error) {
var servers = make([]*server, len(remotes))
for i := range remotes {
u, err := normalizeURL(remotes[i])
if err != nil {
return nil, err
}
servers[i] = newServer(u, tlsConfig)
}
switch strategy {
case StrategyOrderedList:
return newOrdererdListGroup(servers)
default:
return nil, errors.New("unrecognised strategy")
}
}
type orderedListGroup struct {
remotes []*server
}
func (g *orderedListGroup) Hosts() []string {
var hosts = make([]string, 0, len(g.remotes))
for _, srv := range g.remotes {
srvHosts := srv.Hosts()
hosts = append(hosts, srvHosts[0])
}
return hosts
}
func (g *orderedListGroup) SetRequestTimeout(timeout time.Duration) {
for _, srv := range g.remotes {
srv.SetRequestTimeout(timeout)
}
}
func (g *orderedListGroup) SetProxy(proxy func(*http.Request) (*url.URL, error)) {
for _, srv := range g.remotes {
srv.SetProxy(proxy)
}
}
func newOrdererdListGroup(remotes []*server) (Remote, error) {
return &orderedListGroup{
remotes: remotes,
}, nil
}
func (g *orderedListGroup) AuthSign(req, id []byte, provider auth.Provider) (resp []byte, err error) {
for i := range g.remotes {
resp, err = g.remotes[i].AuthSign(req, id, provider)
if err == nil {
return resp, nil
}
}
return nil, err
}
func (g *orderedListGroup) Sign(jsonData []byte) (resp []byte, err error) {
for i := range g.remotes {
resp, err = g.remotes[i].Sign(jsonData)
if err == nil {
return resp, nil
}
}
return nil, err
}
func (g *orderedListGroup) Info(jsonData []byte) (resp *info.Resp, err error) {
for i := range g.remotes {
resp, err = g.remotes[i].Info(jsonData)
if err == nil {
return resp, nil
}
}
return nil, err
}
// SetReqModifier does nothing because there is no request modifier for group
func (g *orderedListGroup) SetReqModifier(mod func(*http.Request, []byte)) {
// noop
}
================================================
FILE: api/crl/crl.go
================================================
// Package crl implements the HTTP handler for the crl command.
package crl
import (
"crypto"
"crypto/x509"
"net/http"
"os"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/crl"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/log"
)
// A Handler accepts requests with a serial number parameter
// and revokes
type Handler struct {
dbAccessor certdb.Accessor
ca *x509.Certificate
key crypto.Signer
}
// NewHandler returns a new http.Handler that handles a revoke request.
func NewHandler(dbAccessor certdb.Accessor, caPath string, caKeyPath string) (http.Handler, error) {
ca, err := helpers.ReadBytes(caPath)
if err != nil {
return nil, err
}
caKey, err := helpers.ReadBytes(caKeyPath)
if err != nil {
return nil, errors.Wrap(errors.PrivateKeyError, errors.ReadFailed, err)
}
// Parse the PEM encoded certificate
issuerCert, err := helpers.ParseCertificatePEM(ca)
if err != nil {
return nil, err
}
strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")
password := []byte(strPassword)
if strPassword == "" {
password = nil
}
// Parse the key given
key, err := helpers.ParsePrivateKeyPEMWithPassword(caKey, password)
if err != nil {
log.Debugf("malformed private key %v", err)
return nil, err
}
return &api.HTTPHandler{
Handler: &Handler{
dbAccessor: dbAccessor,
ca: issuerCert,
key: key,
},
Methods: []string{"GET"},
}, nil
}
// Handle responds to revocation requests. It attempts to revoke
// a certificate with a given serial number
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
var newExpiryTime = 7 * helpers.OneDay
certs, err := h.dbAccessor.GetRevokedAndUnexpiredCertificates()
if err != nil {
return err
}
queryExpiryTime := r.URL.Query().Get("expiry")
if queryExpiryTime != "" {
log.Infof("requested expiry time of %s", queryExpiryTime)
newExpiryTime, err = time.ParseDuration(queryExpiryTime)
if err != nil {
return err
}
}
result, err := crl.NewCRLFromDB(certs, h.ca, h.key, newExpiryTime)
if err != nil {
return err
}
return api.SendResponse(w, result)
}
================================================
FILE: api/crl/crl_test.go
================================================
package crl
import (
"crypto/x509"
"encoding/base64"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/certdb/sql"
"github.com/cloudflare/cfssl/certdb/testdb"
"github.com/cloudflare/cfssl/helpers"
)
const (
fakeAKI = "fake aki"
testCaFile = "../testdata/ca.pem"
testCaKeyFile = "../testdata/ca_key.pem"
)
func prepDB() (certdb.Accessor, error) {
db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db")
expirationTime := time.Now().AddDate(1, 0, 0)
var cert = certdb.CertificateRecord{
Serial: "1",
AKI: fakeAKI,
Expiry: expirationTime,
PEM: "revoked cert",
Status: "revoked",
RevokedAt: time.Now(),
Reason: 4,
}
dbAccessor := sql.NewAccessor(db)
err := dbAccessor.InsertCertificate(cert)
if err != nil {
return nil, err
}
return dbAccessor, nil
}
func testGetCRL(t *testing.T, dbAccessor certdb.Accessor, expiry string) (resp *http.Response, body []byte) {
handler, err := NewHandler(dbAccessor, testCaFile, testCaKeyFile)
if err != nil {
t.Fatal(err)
}
ts := httptest.NewServer(handler)
defer ts.Close()
if expiry != "" {
resp, err = http.Get(ts.URL + "?expiry=" + expiry)
} else {
resp, err = http.Get(ts.URL)
}
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func TestCRLGeneration(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
resp, body := testGetCRL(t, dbAccessor, "")
if resp.StatusCode != http.StatusOK {
t.Fatal("unexpected HTTP status code; expected OK", string(body))
}
message := new(api.Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
crlBytes := message.Result.(string)
crlBytesDER, err := base64.StdEncoding.DecodeString(crlBytes)
if err != nil {
t.Fatal("failed to decode certificate ", err)
}
parsedCrl, err := x509.ParseCRL(crlBytesDER)
if err != nil {
t.Fatal("failed to get certificate ", err)
}
if parsedCrl.HasExpired(time.Now().Add(5 * helpers.OneDay)) {
t.Fatal("the request will expire after 5 days, this shouldn't happen")
}
certs := parsedCrl.TBSCertList.RevokedCertificates
if len(certs) != 1 {
t.Fatal("failed to get one certificate")
}
cert := certs[0]
if cert.SerialNumber.String() != "1" {
t.Fatal("cert was not correctly inserted in CRL, serial was ", cert.SerialNumber)
}
}
func TestCRLGenerationWithExpiry(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
resp, body := testGetCRL(t, dbAccessor, "119h")
if resp.StatusCode != http.StatusOK {
t.Fatal("unexpected HTTP status code; expected OK", string(body))
}
message := new(api.Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
crlBytes := message.Result.(string)
crlBytesDER, err := base64.StdEncoding.DecodeString(crlBytes)
if err != nil {
t.Fatal("failed to decode certificate ", err)
}
parsedCrl, err := x509.ParseCRL(crlBytesDER)
if err != nil {
t.Fatal("failed to get certificate ", err)
}
if !parsedCrl.HasExpired(time.Now().Add(5 * helpers.OneDay)) {
t.Fatal("the request should have expired")
}
certs := parsedCrl.TBSCertList.RevokedCertificates
if len(certs) != 1 {
t.Fatal("failed to get one certificate")
}
cert := certs[0]
if cert.SerialNumber.String() != "1" {
t.Fatal("cert was not correctly inserted in CRL, serial was ", cert.SerialNumber)
}
}
================================================
FILE: api/gencrl/gencrl.go
================================================
// Package gencrl implements the HTTP handler for the gencrl commands.
package gencrl
import (
"crypto/rand"
"crypto/x509/pkix"
"encoding/json"
"io"
"math/big"
"net/http"
"strconv"
"strings"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/log"
)
// This type is meant to be unmarshalled from JSON
type jsonCRLRequest struct {
Certificate string `json:"certificate"`
SerialNumber []string `json:"serialNumber"`
PrivateKey string `json:"issuingKey"`
ExpiryTime string `json:"expireTime"`
}
// Handle responds to requests for crl generation. It creates this crl
// based off of the given certificate, serial numbers, and private key
func gencrlHandler(w http.ResponseWriter, r *http.Request) error {
var revokedCerts []pkix.RevokedCertificate
var oneWeek = time.Duration(604800) * time.Second
var newExpiryTime = time.Now()
body, err := io.ReadAll(r.Body)
if err != nil {
return err
}
r.Body.Close()
req := &jsonCRLRequest{}
err = json.Unmarshal(body, req)
if err != nil {
log.Error(err)
}
if req.ExpiryTime != "" {
expiryTime := strings.TrimSpace(req.ExpiryTime)
expiryInt, err := strconv.ParseInt(expiryTime, 0, 32)
if err != nil {
return err
}
newExpiryTime = time.Now().Add((time.Duration(expiryInt) * time.Second))
}
if req.ExpiryTime == "" {
newExpiryTime = time.Now().Add(oneWeek)
}
if err != nil {
return err
}
cert, err := helpers.ParseCertificatePEM([]byte(req.Certificate))
if err != nil {
log.Error("error from ParseCertificatePEM", err)
return errors.NewBadRequestString("malformed certificate")
}
for _, value := range req.SerialNumber {
tempBigInt := new(big.Int)
tempBigInt.SetString(value, 10)
tempCert := pkix.RevokedCertificate{
SerialNumber: tempBigInt,
RevocationTime: time.Now(),
}
revokedCerts = append(revokedCerts, tempCert)
}
key, err := helpers.ParsePrivateKeyPEM([]byte(req.PrivateKey))
if err != nil {
log.Debugf("malformed private key %v", err)
return errors.NewBadRequestString("malformed Private Key")
}
result, err := cert.CreateCRL(rand.Reader, key, revokedCerts, time.Now(), newExpiryTime)
if err != nil {
log.Debugf("unable to create CRL: %v", err)
return err
}
return api.SendResponse(w, result)
}
// NewHandler returns a new http.Handler that handles a crl generation request.
func NewHandler() http.Handler {
return api.HTTPHandler{
Handler: api.HandlerFunc(gencrlHandler),
Methods: []string{"POST"},
}
}
================================================
FILE: api/gencrl/gencrl_test.go
================================================
package gencrl
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"os"
"testing"
"github.com/cloudflare/cfssl/api"
)
const (
cert = "../../crl/testdata/caTwo.pem"
key = "../../crl/testdata/ca-keyTwo.pem"
serialList = "../../crl/testdata/serialList"
expiryTime = "2000"
)
type testJSON struct {
Certificate string
SerialNumber []string
PrivateKey string
ExpiryTime string
ExpectedHTTPStatus int
ExpectedSuccess bool
}
var tester = testJSON{
Certificate: cert,
SerialNumber: []string{"1", "2", "3"},
PrivateKey: key,
ExpiryTime: "2000",
ExpectedHTTPStatus: 200,
ExpectedSuccess: true,
}
func newTestHandler(t *testing.T) http.Handler {
return NewHandler()
}
func TestNewHandler(t *testing.T) {
newTestHandler(t)
}
func newCRLServer(t *testing.T) *httptest.Server {
ts := httptest.NewServer(newTestHandler(t))
return ts
}
func testCRLCreation(t *testing.T, issuingKey, certFile string, expiry string, serialList []string) (resp *http.Response, body []byte) {
ts := newCRLServer(t)
defer ts.Close()
obj := map[string]interface{}{}
if certFile != "" {
c, err := os.ReadFile(certFile)
if err != nil {
t.Fatal(err)
}
obj["certificate"] = string(c)
}
obj["serialNumber"] = serialList
if issuingKey != "" {
c, err := os.ReadFile(issuingKey)
if err != nil {
t.Fatal(err)
}
obj["issuingKey"] = string(c)
}
obj["expireTime"] = expiry
blob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func TestCRL(t *testing.T) {
resp, body := testCRLCreation(t, tester.PrivateKey, tester.Certificate, tester.ExpiryTime, tester.SerialNumber)
if resp.StatusCode != tester.ExpectedHTTPStatus {
t.Logf("expected: %d, have %d", tester.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, tester.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Logf("failed to read response body: %v", err)
t.Fatal(resp.Status, tester.ExpectedHTTPStatus, message)
}
}
================================================
FILE: api/generator/generator.go
================================================
// Package generator implements the HTTP handlers for certificate generation.
package generator
import (
"crypto/md5"
"crypto/sha1"
"crypto/sha256"
"crypto/x509"
"encoding/json"
"encoding/pem"
"fmt"
"io"
"net/http"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/bundler"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/csr"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/log"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/universal"
)
const (
// CSRNoHostMessage is used to alert the user to a certificate lacking a hosts field.
CSRNoHostMessage = `This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").`
// NoBundlerMessage is used to alert the user that the server does not have a bundler initialized.
NoBundlerMessage = `This request requires a bundler, but one is not initialized for the API server.`
)
// Sum contains digests for a certificate or certificate request.
type Sum struct {
MD5 string `json:"md5"`
SHA1 string `json:"sha-1"`
SHA256 string `json:"sha-256"`
}
// Validator is a type of function that contains the logic for validating
// a certificate request.
type Validator func(*csr.CertificateRequest) error
// A CertRequest stores a PEM-encoded private key and corresponding
// CSR; this is returned from the CSR generation endpoint.
type CertRequest struct {
Key string `json:"private_key"`
CSR string `json:"certificate_request"`
Sums map[string]Sum `json:"sums"`
}
// A Handler accepts JSON-encoded certificate requests and
// returns a new private key and certificate request.
type Handler struct {
generator *csr.Generator
}
// NewHandler builds a new Handler from the
// validation function provided.
func NewHandler(validator Validator) (http.Handler, error) {
log.Info("setting up key / CSR generator")
return &api.HTTPHandler{
Handler: &Handler{
generator: &csr.Generator{Validator: validator},
},
Methods: []string{"POST"},
}, nil
}
func computeSum(in []byte) (sum Sum, err error) {
var data []byte
p, _ := pem.Decode(in)
if p == nil {
err = errors.NewBadRequestString("not a CSR or certificate")
return
}
switch p.Type {
case "CERTIFICATE REQUEST":
var req *x509.CertificateRequest
req, err = x509.ParseCertificateRequest(p.Bytes)
if err != nil {
return
}
data = req.Raw
case "CERTIFICATE":
var cert *x509.Certificate
cert, err = x509.ParseCertificate(p.Bytes)
if err != nil {
return
}
data = cert.Raw
default:
err = errors.NewBadRequestString("not a CSR or certificate")
return
}
md5Sum := md5.Sum(data)
sha1Sum := sha1.Sum(data)
sha256Sum := sha256.Sum256(data)
sum.MD5 = fmt.Sprintf("%X", md5Sum[:])
sum.SHA1 = fmt.Sprintf("%X", sha1Sum[:])
sum.SHA256 = fmt.Sprintf("%X", sha256Sum[:])
return
}
// Handle responds to requests for the CA to generate a new private
// key and certificate request on behalf of the client. The format for
// these requests is documented in the API documentation.
func (g *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
log.Info("request for CSR")
body, err := io.ReadAll(r.Body)
if err != nil {
log.Warningf("failed to read request body: %v", err)
return errors.NewBadRequest(err)
}
r.Body.Close()
req := new(csr.CertificateRequest)
req.KeyRequest = csr.NewKeyRequest()
err = json.Unmarshal(body, req)
if err != nil {
log.Warningf("failed to unmarshal request: %v", err)
return errors.NewBadRequest(err)
}
if req.CA != nil {
log.Warningf("request received with CA section")
return errors.NewBadRequestString("ca section only permitted in initca")
}
csr, key, err := g.generator.ProcessRequest(req)
if err != nil {
log.Warningf("failed to process CSR: %v", err)
// The validator returns a *cfssl/errors.HttpError
return err
}
sum, err := computeSum(csr)
if err != nil {
return errors.NewBadRequest(err)
}
// Both key and csr are returned PEM-encoded.
response := api.NewSuccessResponse(&CertRequest{
Key: string(key),
CSR: string(csr),
Sums: map[string]Sum{"certificate_request": sum},
})
w.Header().Set("Content-Type", "application/json")
enc := json.NewEncoder(w)
err = enc.Encode(response)
return err
}
// A CertGeneratorHandler accepts JSON-encoded certificate requests
// and returns a new private key and signed certificate; it handles
// sending the CSR to the server.
type CertGeneratorHandler struct {
generator *csr.Generator
bundler *bundler.Bundler
signer signer.Signer
}
// NewCertGeneratorHandler builds a new handler for generating
// certificates directly from certificate requests; the validator covers
// the certificate request and the CA's key and certificate are used to
// sign the generated request. If remote is not an empty string, the
// handler will send signature requests to the CFSSL instance contained
// in remote.
func NewCertGeneratorHandler(validator Validator, caFile, caKeyFile string, policy *config.Signing) (http.Handler, error) {
var err error
log.Info("setting up new generator / signer")
cg := new(CertGeneratorHandler)
if policy == nil {
policy = &config.Signing{
Default: config.DefaultConfig(),
Profiles: nil,
}
}
root := universal.Root{
Config: map[string]string{
"ca-file": caFile,
"ca-key-file": caKeyFile,
},
}
if cg.signer, err = universal.NewSigner(root, policy); err != nil {
log.Errorf("setting up signer failed: %v", err)
return nil, err
}
cg.generator = &csr.Generator{Validator: validator}
return api.HTTPHandler{Handler: cg, Methods: []string{"POST"}}, nil
}
// NewCertGeneratorHandlerFromSigner returns a handler directly from
// the signer and validation function.
func NewCertGeneratorHandlerFromSigner(validator Validator, signer signer.Signer) http.Handler {
return api.HTTPHandler{
Handler: &CertGeneratorHandler{
generator: &csr.Generator{Validator: validator},
signer: signer,
},
Methods: []string{"POST"},
}
}
// SetBundler allows injecting an optional Bundler into the CertGeneratorHandler.
func (cg *CertGeneratorHandler) SetBundler(caBundleFile, intBundleFile string) (err error) {
cg.bundler, err = bundler.NewBundler(caBundleFile, intBundleFile)
return err
}
type genSignRequest struct {
Request *csr.CertificateRequest `json:"request"`
Profile string `json:"profile"`
Label string `json:"label"`
Bundle bool `json:"bundle"`
}
// Handle responds to requests for the CA to generate a new private
// key and certificate on behalf of the client. The format for these
// requests is documented in the API documentation.
func (cg *CertGeneratorHandler) Handle(w http.ResponseWriter, r *http.Request) error {
log.Info("request for CSR")
req := new(genSignRequest)
req.Request = csr.New()
body, err := io.ReadAll(r.Body)
if err != nil {
log.Warningf("failed to read request body: %v", err)
return errors.NewBadRequest(err)
}
r.Body.Close()
err = json.Unmarshal(body, req)
if err != nil {
log.Warningf("failed to unmarshal request: %v", err)
return errors.NewBadRequest(err)
}
if req.Request == nil {
log.Warning("empty request received")
return errors.NewBadRequestString("missing request section")
}
if req.Request.CA != nil {
log.Warningf("request received with CA section")
return errors.NewBadRequestString("ca section only permitted in initca")
}
csr, key, err := cg.generator.ProcessRequest(req.Request)
if err != nil {
log.Warningf("failed to process CSR: %v", err)
// The validator returns a *cfssl/errors.HttpError
return err
}
signReq := signer.SignRequest{
Request: string(csr),
Profile: req.Profile,
Label: req.Label,
}
certBytes, err := cg.signer.Sign(signReq)
if err != nil {
log.Warningf("failed to sign request: %v", err)
return err
}
reqSum, err := computeSum(csr)
if err != nil {
return errors.NewBadRequest(err)
}
certSum, err := computeSum(certBytes)
if err != nil {
return errors.NewBadRequest(err)
}
result := map[string]interface{}{
"private_key": string(key),
"certificate_request": string(csr),
"certificate": string(certBytes),
"sums": map[string]Sum{
"certificate_request": reqSum,
"certificate": certSum,
},
}
if req.Bundle {
if cg.bundler == nil {
return api.SendResponseWithMessage(w, result, NoBundlerMessage,
errors.New(errors.PolicyError, errors.InvalidRequest).ErrorCode)
}
bundle, err := cg.bundler.BundleFromPEMorDER(certBytes, nil, bundler.Optimal, "")
if err != nil {
return err
}
result["bundle"] = bundle
}
if len(req.Request.Hosts) == 0 {
return api.SendResponseWithMessage(w, result, CSRNoHostMessage,
errors.New(errors.PolicyError, errors.InvalidRequest).ErrorCode)
}
return api.SendResponse(w, result)
}
// CSRValidate does nothing and will never return an error. It exists because NewHandler
// requires a Validator as a parameter.
func CSRValidate(req *csr.CertificateRequest) error {
return nil
}
================================================
FILE: api/generator/generator_test.go
================================================
package generator
import (
"bytes"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/csr"
"github.com/cloudflare/cfssl/signer/local"
)
const (
testCaFile = "testdata/ca.pem"
testCaKeyFile = "testdata/ca_key.pem"
testCABundle = "../../bundler/testdata/ca-bundle.pem"
testIntBundle = "../../bundler/testdata/int-bundle.pem"
)
func csrData(t *testing.T) *bytes.Reader {
req := &csr.CertificateRequest{
Names: []csr.Name{
{
C: "US",
ST: "California",
L: "San Francisco",
O: "CloudFlare",
OU: "Systems Engineering",
},
},
CN: "cloudflare.com",
Hosts: []string{"cloudflare.com"},
KeyRequest: csr.NewKeyRequest(),
}
csrBytes, err := json.Marshal(req)
if err != nil {
t.Fatal(err)
}
return bytes.NewReader(csrBytes)
}
func TestGeneratorRESTfulVerbs(t *testing.T) {
handler, _ := NewHandler(CSRValidate)
ts := httptest.NewServer(handler)
data := csrData(t)
// POST should work.
req, _ := http.NewRequest("POST", ts.URL, data)
resp, _ := http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusOK {
t.Fatal(resp.Status)
}
// Test GET, PUT, DELETE and whatever, expect 400 errors.
req, _ = http.NewRequest("GET", ts.URL, data)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("PUT", ts.URL, data)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("DELETE", ts.URL, data)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("WHATEVER", ts.URL, data)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
}
func TestCSRValidate(t *testing.T) {
req := &csr.CertificateRequest{
Names: []csr.Name{
{
C: "US",
ST: "California",
L: "San Francisco",
O: "CloudFlare",
OU: "Systems Engineering",
},
},
CN: "cloudflare.com",
Hosts: []string{},
KeyRequest: csr.NewKeyRequest(),
}
err := CSRValidate(req)
if err != nil {
t.Fatal("There should be not an error for missing Hosts parameter")
}
}
func TestNewCertGeneratorHandlerFromSigner(t *testing.T) {
var expiry = 1 * time.Minute
var CAConfig = &config.Config{
Signing: &config.Signing{
Profiles: map[string]*config.SigningProfile{
"signature": {
Usage: []string{"digital signature"},
Expiry: expiry,
},
},
Default: &config.SigningProfile{
Usage: []string{"cert sign", "crl sign"},
ExpiryString: "43800h",
Expiry: expiry,
CAConstraint: config.CAConstraint{IsCA: true},
ClientProvidesSerialNumbers: true,
},
},
}
s, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, CAConfig.Signing)
if err != nil {
t.Fatal(err)
}
h := NewCertGeneratorHandlerFromSigner(CSRValidate, s)
_, ok := h.(http.Handler)
if !ok {
t.Fatal("A HTTP handler has not been returned")
}
apiH, ok := h.(api.HTTPHandler)
if !ok {
t.Fatal("An api.HTTPHandler has not been returned")
}
cg, ok := apiH.Handler.(*CertGeneratorHandler)
if !ok {
t.Fatal("A CertGeneratorHandler has not been set")
}
if err := cg.SetBundler(testCABundle, testIntBundle); err != nil {
t.Fatal(err)
}
}
================================================
FILE: api/generator/testdata/ca.pem
================================================
-----BEGIN CERTIFICATE-----
MIIEmzCCA4OgAwIBAgIMAMSvNBgypwaaSQ5iMA0GCSqGSIb3DQEBBQUAMIGMMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzETMBEGA1UEChMKQ0ZTU0wgVEVTVDEbMBkGA1UEAxMSQ0ZTU0wgVEVT
VCBSb290IENBMR4wHAYJKoZIhvcNAQkBFg90ZXN0QHRlc3QubG9jYWwwHhcNMTIx
MjEyMDIxMDMxWhcNMjIxMDIxMDIxMDMxWjCBjDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAoT
CkNGU1NMIFRFU1QxGzAZBgNVBAMTEkNGU1NMIFRFU1QgUm9vdCBDQTEeMBwGCSqG
SIb3DQEJARYPdGVzdEB0ZXN0LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAsRp1xSfIDoD/40Bo4Hls3sFn4dav5NgxbZGpVyGF7dJI9u0eEnL4
BUGssPaUFLWC83CZxujUEiEfE0oKX+uOhhGv3+j5xSTNM764m2eSiN53cdZtK05d
hwq9uS8LtjKOQeN1mQ5qmiqxBMdjkKgMsVw5lMCgoYKo57kaKFyXzdpNVDzqw+pt
HWmuNtDQjK3qT5Ma06mYPmIGYhIZYLY7oJGg9ZEaNR0GIw4zIT5JRsNiaSb5wTLw
aa0n/4vLJyVjLJcYmJBvZWj8g+taK+C4INu/jGux+bmsC9hq14tbOaTNAn/NE0qN
8oHwcRBEqfOdEYdZkxI5NWPiKNW/Q+AeXQIDAQABo4H6MIH3MB0GA1UdDgQWBBS3
0veEuqg51fusEM4p/YuWpBPsvTCBxAYDVR0jBIG8MIG5gBS30veEuqg51fusEM4p
/YuWpBPsvaGBkqSBjzCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAoTCkNGU1NMIFRFU1Qx
GzAZBgNVBAMTEkNGU1NMIFRFU1QgUm9vdCBDQTEeMBwGCSqGSIb3DQEJARYPdGVz
dEB0ZXN0LmxvY2FsggwAxK80GDKnBppJDmIwDwYDVR0TBAgwBgEB/wIBADANBgkq
hkiG9w0BAQUFAAOCAQEAJ7r1EZYDwed6rS0+YKHdkRGRQ5Rz6A9DIVBPXrSMAGj3
F5EF2m/GJbhpVbnNJTVlgP9DDyabOZNxzdrCr4cHMkYYnocDdgAodnkw6GZ/GJTc
depbVTR4TpihFNzeDEGJePrEwM1DouGswpu97jyuCYZ3z1a60+a+3C1GwWaJ7Aet
Uqm+yLTUrMISsfnDPqJdM1NeqW3jiZ4IgcqJkieCCSpag9Xuzrp9q6rjmePvlQkv
qz020JGg6VijJ+c6Tf5y0XqbAhkBTqYtVamu9gEth9utn12EhdNjTZMPKMjjgFUd
H0N6yOEuQMl4ky7RxZBM0iPyeob6i4z2LEQilgv9MQ==
-----END CERTIFICATE-----
================================================
FILE: api/generator/testdata/ca_key.pem
================================================
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxGnXFJ8gOgP/j
QGjgeWzewWfh1q/k2DFtkalXIYXt0kj27R4ScvgFQayw9pQUtYLzcJnG6NQSIR8T
Sgpf646GEa/f6PnFJM0zvribZ5KI3ndx1m0rTl2HCr25Lwu2Mo5B43WZDmqaKrEE
x2OQqAyxXDmUwKChgqjnuRooXJfN2k1UPOrD6m0daa420NCMrepPkxrTqZg+YgZi
EhlgtjugkaD1kRo1HQYjDjMhPklGw2JpJvnBMvBprSf/i8snJWMslxiYkG9laPyD
61or4Lgg27+Ma7H5uawL2GrXi1s5pM0Cf80TSo3ygfBxEESp850Rh1mTEjk1Y+Io
1b9D4B5dAgMBAAECggEAKHhjcSomDSptTwDo9mLI/h40HudwSlsc8GzYxZBjinUD
N2n39T9QbeMUE1xFenX/9qFEgq+xxnLLJx1EQacSapCgIAqdCO/f9HMgvGJumdg8
c0cMq1i9Bp7tu+OESZ5D48qWlOM2eQRIb08g8W11eRIaFmPuUPoKnuktkQuXpPJc
YbS/+JuA8SDwe6sV0cMCQuS+iHFfeGwWCKrDUkhLwcL3waW3od2XFyOeFFWFhl0h
HmM/mWKRuRdqR7hrmArTwFZVkB+o/1ywVYXIv+JQm0eNZ5PKLNJGL2f5oxbMR/JI
AoK0bAlJmYaFp96h1KpbPwLEL/0hHSWA7sAyJIgQAQKBgQDaEAZor/w4ZUTekT1+
cbId0yA+ikDXQOfXaNCSh9Pex+Psjd5zVVOqyVFJ29daRju3d7rmpN4Cm5V4h0l1
/2ad207rjCAnpCHtaddJWNyJzF2IL2IaoCZQRp0k7zOjBGQpoWDTwBaEin5CCv3P
kkdQkKz6FDP1xskHSLZr21/QCQKBgQDP6jXutEgGjf3yKpMFk/69EamJdon8clbt
hl7cOyWtobnZhdOWVZPe00Oo3Jag2aWgFFsm3EtwnUCnR4d4+fXRKS2LkhfIUZcz
cKy17Ileggdd8UGhL4RDrF/En9tJL86WcVkcoOrqLcGB2FLWrVhVpHFK74eLMCH/
uc/+ioPItQKBgHYoDsD08s7AGMQcoNx90MyWVLduhFnegoFW+wUa8jOZzieka6/E
wVQeR5yksZjpy3vLNYu6M83n7eLkM2rrm/fXGHlLcTTpm7SgEBZfPwivotKjEh5p
PrlqucWEk082lutz1RqHz+u7e1Rfzk2F7nx6GDBdeBYpw03eGXJx6QW5AoGBAIJq
4puyAEAET1fZNtHX7IGCk7sDXTi6LCbgE57HhzHr8V0t4fQ6CABMuvMwM1gATjEk
s6yjoLqqGUUUzDipanViBAy5fiuManC868lN7zkWDTLzQ3ytBqVAee4na/DziP27
ae9YTSLJwskE/alloLRP6zTbHUXE0n7LelmrX1DFAoGBAMFLl+Lu+WFgCHxBjn43
rHpJbQZQmsFhAMhkN4hsj6dJfAGn2gRLRiVRAika+8QF65xMZiVQWUVSUZADWERi
0SXGjzN1wYxO3Qzy3LYwws6fxFAq5lo79eb38yFT2lHdqK3x/QgiDSRVl+R6cExV
xQB518/lp2eIeMpglWByDwJX
-----END PRIVATE KEY-----
================================================
FILE: api/health/health.go
================================================
package health
import (
"encoding/json"
"net/http"
"github.com/cloudflare/cfssl/api"
)
// Response contains the response to the /health API
type Response struct {
Healthy bool `json:"healthy"`
}
func healthHandler(w http.ResponseWriter, r *http.Request) error {
response := api.NewSuccessResponse(&Response{Healthy: true})
return json.NewEncoder(w).Encode(response)
}
// NewHealthCheck creates a new handler to serve health checks.
func NewHealthCheck() http.Handler {
return api.HTTPHandler{
Handler: api.HandlerFunc(healthHandler),
Methods: []string{"GET"},
}
}
================================================
FILE: api/info/info.go
================================================
// Package info implements the HTTP handler for the info command.
package info
import (
"encoding/json"
"io"
"net/http"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/info"
"github.com/cloudflare/cfssl/log"
"github.com/cloudflare/cfssl/signer"
)
// Handler is a type that contains the root certificates for the CA,
// and serves information on them for clients that need the certificates.
type Handler struct {
sign signer.Signer
}
// NewHandler creates a new handler to serve information on the CA's
// certificates, taking a signer to use.
func NewHandler(s signer.Signer) (http.Handler, error) {
return &api.HTTPHandler{
Handler: &Handler{
sign: s,
},
Methods: []string{"POST"},
}, nil
}
// Handle listens for incoming requests for CA information, and returns
// a list containing information on each root certificate.
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
req := new(info.Req)
body, err := io.ReadAll(r.Body)
if err != nil {
log.Warningf("failed to read request body: %v", err)
return errors.NewBadRequest(err)
}
r.Body.Close()
err = json.Unmarshal(body, req)
if err != nil {
log.Warningf("failed to unmarshal request: %v", err)
return errors.NewBadRequest(err)
}
resp, err := h.sign.Info(*req)
if err != nil {
return err
}
response := api.NewSuccessResponse(resp)
w.Header().Set("Content-Type", "application/json")
enc := json.NewEncoder(w)
return enc.Encode(response)
}
// MultiHandler is a handler for providing the public certificates for
// a multi-root certificate authority. It takes a mapping of label to
// signer and a default label, and handles the standard information
// request as defined in the client package.
type MultiHandler struct {
signers map[string]signer.Signer
defaultLabel string
}
// NewMultiHandler constructs a MultiHandler from a mapping of labels
// to signers and the default label.
func NewMultiHandler(signers map[string]signer.Signer, defaultLabel string) (http.Handler, error) {
return &api.HTTPHandler{
Handler: &MultiHandler{
signers: signers,
defaultLabel: defaultLabel,
},
Methods: []string{"POST"},
}, nil
}
// Handle accepts client information requests, and uses the label to
// look up the signer whose public certificate should be retrieved. If
// the label is empty, the default label is used.
func (h *MultiHandler) Handle(w http.ResponseWriter, r *http.Request) error {
req := new(info.Req)
body, err := io.ReadAll(r.Body)
if err != nil {
log.Warningf("failed to read request body: %v", err)
return errors.NewBadRequest(err)
}
r.Body.Close()
err = json.Unmarshal(body, req)
if err != nil {
log.Warningf("failed to unmarshal request: %v", err)
return errors.NewBadRequest(err)
}
log.Debug("checking label")
if req.Label == "" {
req.Label = h.defaultLabel
}
if _, ok := h.signers[req.Label]; !ok {
log.Warningf("request for invalid endpoint")
return errors.NewBadRequestString("bad label")
}
log.Debug("getting info")
resp, err := h.signers[req.Label].Info(*req)
if err != nil {
log.Infof("error getting certificate: %v", err)
return err
}
response := api.NewSuccessResponse(resp)
w.Header().Set("Content-Type", "application/json")
enc := json.NewEncoder(w)
return enc.Encode(response)
}
================================================
FILE: api/info/info_test.go
================================================
package info
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"testing"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/local"
)
const (
testCaFile = "../testdata/ca.pem"
testCaKeyFile = "../testdata/ca_key.pem"
// second test CA for multiroot
testCaFile2 = "../testdata/ca2.pem"
testCaKeyFile2 = "../testdata/ca2-key.pem"
)
// Generally, the single root function and its multiroot analogue will
// be presented together.
func newTestHandler(t *testing.T) (h http.Handler) {
signer, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, nil)
if err != nil {
t.Fatal(err)
}
h, err = NewHandler(signer)
if err != nil {
t.Fatal(err)
}
return
}
func newTestMultiHandler(t *testing.T) (h http.Handler) {
signer1, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, nil)
if err != nil {
t.Fatal(err)
}
signer2, err := local.NewSignerFromFile(testCaFile2, testCaKeyFile2, nil)
if err != nil {
t.Fatal(err)
}
signers := map[string]signer.Signer{
"test1": signer1,
"test2": signer2,
}
h, err = NewMultiHandler(signers, "test1")
if err != nil {
t.Fatalf("%v", err)
}
return
}
func TestNewHandler(t *testing.T) {
newTestHandler(t)
}
func TestNewMultiHandler(t *testing.T) {
newTestMultiHandler(t)
}
func newInfoServer(t *testing.T) *httptest.Server {
ts := httptest.NewServer(newTestHandler(t))
return ts
}
func newMultiInfoServer(t *testing.T) *httptest.Server {
return httptest.NewServer(newTestMultiHandler(t))
}
func testInfoFile(t *testing.T, req map[string]interface{}) (resp *http.Response, body []byte) {
ts := newInfoServer(t)
defer ts.Close()
blob, err := json.Marshal(req)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func testMultiInfoFile(t *testing.T, req map[string]interface{}) (resp *http.Response, body []byte) {
ts := newMultiInfoServer(t)
defer ts.Close()
blob, err := json.Marshal(req)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
type infoTest struct {
RequestObject map[string]interface{}
ExpectedHTTPStatus int
ExpectedSuccess bool
ExpectedErrorCode int
}
var infoTests = []infoTest{
{
map[string]interface{}{
"label": "",
"profile": "",
},
http.StatusOK,
true,
0,
},
{
map[string]interface{}{
"label": 123,
},
http.StatusBadRequest,
false,
http.StatusBadRequest,
},
}
var multiInfoTests = []infoTest{
{
map[string]interface{}{
"label": "",
"profile": "",
},
http.StatusOK,
true,
0,
},
{
map[string]interface{}{
"label": "test1",
"profile": "",
},
http.StatusOK,
true,
0,
},
{
map[string]interface{}{
"label": "test2",
"profile": "",
},
http.StatusOK,
true,
0,
},
{
map[string]interface{}{
"label": "badlabel",
"profile": "",
},
http.StatusBadRequest,
false,
http.StatusBadRequest,
},
{
map[string]interface{}{
"label": 123,
},
http.StatusBadRequest,
false,
http.StatusBadRequest,
},
}
func TestInfo(t *testing.T) {
for i, test := range infoTests {
resp, body := testInfoFile(t, test.RequestObject)
if resp.StatusCode != test.ExpectedHTTPStatus {
t.Fatalf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess != message.Success {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess == true {
continue
}
if test.ExpectedErrorCode != message.Errors[0].Code {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
}
}
func TestMultiInfo(t *testing.T) {
for i, test := range multiInfoTests {
resp, body := testMultiInfoFile(t, test.RequestObject)
if resp.StatusCode != test.ExpectedHTTPStatus {
t.Fatalf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess != message.Success {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess == true {
continue
}
if test.ExpectedErrorCode != message.Errors[0].Code {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
}
}
================================================
FILE: api/initca/initca.go
================================================
// Package initca implements the HTTP handler for the CA initialization command
package initca
import (
"encoding/json"
"io"
"net/http"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/csr"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/initca"
"github.com/cloudflare/cfssl/log"
)
// A NewCA contains a private key and certificate suitable for serving
// as the root key for a new certificate authority.
type NewCA struct {
Key string `json:"private_key"`
Cert string `json:"certificate"`
}
// initialCAHandler is an HTTP handler that accepts a JSON blob in the
// same format as the CSR endpoint; this blob should contain the
// identity information for the CA's root key. This endpoint is not
// suitable for creating intermediate certificates.
func initialCAHandler(w http.ResponseWriter, r *http.Request) error {
log.Info("setting up initial CA handler")
body, err := io.ReadAll(r.Body)
if err != nil {
log.Warningf("failed to read request body: %v", err)
return errors.NewBadRequest(err)
}
r.Body.Close()
req := new(csr.CertificateRequest)
req.KeyRequest = csr.NewKeyRequest()
err = json.Unmarshal(body, req)
if err != nil {
log.Warningf("failed to unmarshal request: %v", err)
return errors.NewBadRequest(err)
}
cert, _, key, err := initca.New(req)
if err != nil {
log.Warningf("failed to initialise new CA: %v", err)
return err
}
response := api.NewSuccessResponse(&NewCA{string(key), string(cert)})
enc := json.NewEncoder(w)
err = enc.Encode(response)
return err
}
// NewHandler returns a new http.Handler that handles request to
// initialize a CA.
func NewHandler() http.Handler {
return api.HTTPHandler{Handler: api.HandlerFunc(initialCAHandler), Methods: []string{"POST"}}
}
================================================
FILE: api/initca/initca_test.go
================================================
package initca
import (
"bytes"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"github.com/cloudflare/cfssl/csr"
)
func csrData(t *testing.T) *bytes.Reader {
req := &csr.CertificateRequest{
Names: []csr.Name{
{
C: "US",
ST: "California",
L: "San Francisco",
O: "CloudFlare",
OU: "Systems Engineering",
},
},
CN: "cloudflare.com",
Hosts: []string{"cloudflare.com"},
KeyRequest: csr.NewKeyRequest(),
}
csrBytes, err := json.Marshal(req)
if err != nil {
t.Fatal(err)
}
return bytes.NewReader(csrBytes)
}
func TestInitCARESTfulVerbs(t *testing.T) {
ts := httptest.NewServer(NewHandler())
data := csrData(t)
// POST should work.
req, _ := http.NewRequest("POST", ts.URL, data)
resp, _ := http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusOK {
t.Fatal(resp.Status)
}
// Test GET, PUT, DELETE and whatever, expect 400 errors.
req, _ = http.NewRequest("GET", ts.URL, data)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("PUT", ts.URL, data)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("DELETE", ts.URL, data)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("WHATEVER", ts.URL, data)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
}
func TestBadRequestBody(t *testing.T) {
ts := httptest.NewServer(NewHandler())
req, _ := http.NewRequest("POST", ts.URL, nil)
resp, _ := http.DefaultClient.Do(req)
if resp.StatusCode == http.StatusOK {
t.Fatal(resp.Status)
}
}
func TestBadRequestBody_2(t *testing.T) {
ts := httptest.NewServer(NewHandler())
r := &csr.CertificateRequest{}
csrBytes, err := json.Marshal(r)
if err != nil {
t.Fatal(err)
}
data := bytes.NewReader(csrBytes)
req, _ := http.NewRequest("POST", ts.URL, data)
resp, _ := http.DefaultClient.Do(req)
if resp.StatusCode == http.StatusOK {
t.Fatal(resp.Status)
}
}
================================================
FILE: api/ocsp/ocspsign.go
================================================
// Package ocsp implements the HTTP handler for the ocsp commands.
package ocsp
import (
"crypto"
"encoding/base64"
"encoding/json"
"io"
"net/http"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/log"
"github.com/cloudflare/cfssl/ocsp"
)
// A Handler accepts requests with a certficate parameter
// (which should be PEM-encoded) and returns a signed ocsp
// response.
type Handler struct {
signer ocsp.Signer
}
// NewHandler returns a new http.Handler that handles a ocspsign request.
func NewHandler(s ocsp.Signer) http.Handler {
return &api.HTTPHandler{
Handler: &Handler{
signer: s,
},
Methods: []string{"POST"},
}
}
// This type is meant to be unmarshalled from JSON
type jsonSignRequest struct {
Certificate string `json:"certificate"`
Status string `json:"status"`
Reason int `json:"reason,omitempty"`
RevokedAt string `json:"revoked_at,omitempty"`
IssuerHash string `json:"issuer_hash,omitempty"`
}
var nameToHash = map[string]crypto.Hash{
"MD5": crypto.MD5,
"SHA1": crypto.SHA1,
"SHA256": crypto.SHA256,
"SHA384": crypto.SHA384,
"SHA512": crypto.SHA512,
}
// Handle responds to requests for a ocsp signature. It creates and signs
// a ocsp response for the provided certificate and status. If the status
// is revoked then it also adds reason and revoked_at. The response is
// base64 encoded.
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
body, err := io.ReadAll(r.Body)
if err != nil {
return err
}
r.Body.Close()
// Default the status to good so it matches the cli
req := &jsonSignRequest{
Status: "good",
}
err = json.Unmarshal(body, req)
if err != nil {
return errors.NewBadRequestString("Unable to parse sign request")
}
cert, err := helpers.ParseCertificatePEM([]byte(req.Certificate))
if err != nil {
log.Error("Error from ParseCertificatePEM", err)
return errors.NewBadRequestString("Malformed certificate")
}
signReq := ocsp.SignRequest{
Certificate: cert,
Status: req.Status,
}
// We need to convert the time from being a string to a time.Time
if req.Status == "revoked" {
signReq.Reason = req.Reason
// "now" is accepted and the default on the cli so default that here
if req.RevokedAt == "" || req.RevokedAt == "now" {
signReq.RevokedAt = time.Now()
} else {
signReq.RevokedAt, err = time.Parse("2006-01-02", req.RevokedAt)
if err != nil {
return errors.NewBadRequestString("Malformed revocation time")
}
}
}
if req.IssuerHash != "" {
issuerHash, ok := nameToHash[req.IssuerHash]
if !ok {
return errors.NewBadRequestString("Unsupported hash algorithm in request")
}
signReq.IssuerHash = issuerHash
}
resp, err := h.signer.Sign(signReq)
if err != nil {
return err
}
b64Resp := base64.StdEncoding.EncodeToString(resp)
result := map[string]string{"ocspResponse": b64Resp}
return api.SendResponse(w, result)
}
================================================
FILE: api/ocsp/ocspsign_test.go
================================================
package ocsp
import (
"bytes"
"encoding/base64"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"os"
"testing"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/ocsp"
goocsp "golang.org/x/crypto/ocsp"
)
const (
testCaFile = "../../ocsp/testdata/ca.pem"
testRespCertFile = "../../ocsp/testdata/server.crt"
testKeyFile = "../../ocsp/testdata/server.key"
testCertFile = "../../ocsp/testdata/cert.pem"
)
func newTestHandler(t *testing.T) http.Handler {
// arbitrary duration
dur, _ := time.ParseDuration("1ms")
s, err := ocsp.NewSignerFromFile(testCaFile, testRespCertFile, testKeyFile, dur)
if err != nil {
t.Fatalf("Signer creation failed %v", err)
}
return NewHandler(s)
}
func TestNewHandler(t *testing.T) {
newTestHandler(t)
}
func newSignServer(t *testing.T) *httptest.Server {
ts := httptest.NewServer(newTestHandler(t))
return ts
}
func testSignFile(t *testing.T, certFile, status string, reason int, revokedAt string, hash string) (resp *http.Response, body []byte) {
ts := newSignServer(t)
defer ts.Close()
obj := map[string]interface{}{}
if certFile != "" {
c, err := os.ReadFile(certFile)
if err != nil {
t.Fatal(err)
}
obj["certificate"] = string(c)
}
if status != "" {
obj["status"] = status
}
obj["reason"] = reason
if revokedAt != "" {
obj["revoked_at"] = revokedAt
}
obj["issuer_hash"] = hash
blob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
type signTest struct {
CertificateFile string
Status string
Reason int
RevokedAt string
ExpectedHTTPStatus int
ExpectedSuccess bool
ExpectedErrorCode int
IssuerHash string
}
var signTests = []signTest{
{
CertificateFile: testCertFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertificateFile: testCertFile,
Status: "revoked",
Reason: 1,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertificateFile: testCertFile,
Status: "revoked",
RevokedAt: "now",
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertificateFile: testCertFile,
Status: "revoked",
RevokedAt: "2015-08-15",
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertificateFile: testCertFile,
Status: "revoked",
RevokedAt: "a",
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: http.StatusBadRequest,
},
{
CertificateFile: "",
Status: "",
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: http.StatusBadRequest,
},
{
CertificateFile: testCertFile,
Status: "_",
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: 8200,
},
{
CertificateFile: testCertFile,
IssuerHash: "SHA256",
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
CertificateFile: testCertFile,
IssuerHash: "MD4",
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: http.StatusBadRequest,
},
}
func TestSign(t *testing.T) {
for i, test := range signTests {
resp, body := testSignFile(t, test.CertificateFile, test.Status, test.Reason, test.RevokedAt, test.IssuerHash)
if resp.StatusCode != test.ExpectedHTTPStatus {
t.Logf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Logf("failed to read response body: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess != message.Success {
t.Logf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if !test.ExpectedSuccess {
if test.ExpectedErrorCode != message.Errors[0].Code {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
continue
}
result, ok := message.Result.(map[string]interface{})
if !ok {
t.Logf("failed to read result")
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
b64Resp, ok := result["ocspResponse"].(string)
if !ok {
t.Logf("failed to find ocspResponse")
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
der, err := base64.StdEncoding.DecodeString(b64Resp)
if err != nil {
t.Logf("failed to decode base64")
t.Fatal(resp.Status, test.ExpectedHTTPStatus, b64Resp)
}
ocspResp, err := goocsp.ParseResponse(der, nil)
if err != nil {
t.Logf("failed to parse ocsp response: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, b64Resp)
}
// should default to good
if test.Status == "" {
test.Status = "good"
}
intStatus := ocsp.StatusCode[test.Status]
if ocspResp.Status != intStatus {
t.Fatalf("Test %d incorrect status: expected: %v, have %v", i, intStatus, ocspResp.Status)
t.Fatal(ocspResp.Status, intStatus, ocspResp)
}
if test.Status == "revoked" {
if ocspResp.RevocationReason != test.Reason {
t.Fatalf("Test %d incorrect reason: expected: %v, have %v", i, test.Reason, ocspResp.RevocationReason)
t.Fatal(ocspResp.RevocationReason, test.Reason, ocspResp)
}
var r time.Time
if test.RevokedAt == "" || test.RevokedAt == "now" {
r = time.Now().UTC().Truncate(helpers.OneDay)
} else {
r, _ = time.Parse("2006-01-02", test.RevokedAt)
}
if !ocspResp.RevokedAt.Truncate(helpers.OneDay).Equal(r) {
t.Fatalf("Test %d incorrect revokedAt: expected: %v, have %v", i, r, ocspResp.RevokedAt)
t.Fatal(ocspResp.RevokedAt, test.RevokedAt, ocspResp)
}
}
}
}
================================================
FILE: api/revoke/revoke.go
================================================
// Package revoke implements the HTTP handler for the revoke command
package revoke
import (
"encoding/json"
"io"
"net/http"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/ocsp"
stdocsp "golang.org/x/crypto/ocsp"
)
// A Handler accepts requests with a serial number parameter
// and revokes
type Handler struct {
dbAccessor certdb.Accessor
Signer ocsp.Signer
}
// NewHandler returns a new http.Handler that handles a revoke request.
func NewHandler(dbAccessor certdb.Accessor) http.Handler {
return &api.HTTPHandler{
Handler: &Handler{
dbAccessor: dbAccessor,
},
Methods: []string{"POST"},
}
}
// NewOCSPHandler returns a new http.Handler that handles a revoke
// request and also generates an OCSP response
func NewOCSPHandler(dbAccessor certdb.Accessor, signer ocsp.Signer) http.Handler {
return &api.HTTPHandler{
Handler: &Handler{
dbAccessor: dbAccessor,
Signer: signer,
},
Methods: []string{"POST"},
}
}
// This type is meant to be unmarshalled from JSON
type jsonRevokeRequest struct {
Serial string `json:"serial"`
AKI string `json:"authority_key_id"`
Reason string `json:"reason"`
}
// Handle responds to revocation requests. It attempts to revoke
// a certificate with a given serial number
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
body, err := io.ReadAll(r.Body)
if err != nil {
return err
}
r.Body.Close()
// Default the status to good so it matches the cli
var req jsonRevokeRequest
err = json.Unmarshal(body, &req)
if err != nil {
return errors.NewBadRequestString("Unable to parse revocation request")
}
if len(req.Serial) == 0 {
return errors.NewBadRequestString("serial number is required but not provided")
}
var reasonCode int
reasonCode, err = ocsp.ReasonStringToCode(req.Reason)
if err != nil {
return errors.NewBadRequestString("Invalid reason code")
}
err = h.dbAccessor.RevokeCertificate(req.Serial, req.AKI, reasonCode)
if err != nil {
return err
}
// If we were given a signer, try and generate an OCSP
// response indicating revocation
if h.Signer != nil {
// TODO: should these errors be errors?
// Grab the certificate from the database
cr, err := h.dbAccessor.GetCertificate(req.Serial, req.AKI)
if err != nil {
return err
}
if len(cr) != 1 {
return errors.NewBadRequestString("No unique certificate found")
}
cert, err := helpers.ParseCertificatePEM([]byte(cr[0].PEM))
if err != nil {
return errors.NewBadRequestString("Unable to parse certificates from PEM data")
}
sr := ocsp.SignRequest{
Certificate: cert,
Status: "revoked",
Reason: reasonCode,
RevokedAt: time.Now().UTC(),
}
ocspResponse, err := h.Signer.Sign(sr)
if err != nil {
return err
}
// We parse the OCSP response in order to get the next
// update time/expiry time
ocspParsed, err := stdocsp.ParseResponse(ocspResponse, nil)
if err != nil {
return err
}
ocspRecord := certdb.OCSPRecord{
Serial: req.Serial,
AKI: req.AKI,
Body: string(ocspResponse),
Expiry: ocspParsed.NextUpdate,
}
if err = h.dbAccessor.InsertOCSP(ocspRecord); err != nil {
return err
}
}
result := map[string]string{}
return api.SendResponse(w, result)
}
================================================
FILE: api/revoke/revoke_test.go
================================================
package revoke
import (
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/hex"
"encoding/json"
"encoding/pem"
"io"
"math/big"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/certdb/sql"
"github.com/cloudflare/cfssl/certdb/testdb"
"github.com/cloudflare/cfssl/ocsp"
stdocsp "golang.org/x/crypto/ocsp"
)
const (
fakeAKI = "fake aki"
)
func prepDB() (certdb.Accessor, error) {
db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db")
expirationTime := time.Now().AddDate(1, 0, 0)
var cert = certdb.CertificateRecord{
Serial: "1",
AKI: fakeAKI,
Expiry: expirationTime,
PEM: "unexpired cert",
}
dbAccessor := sql.NewAccessor(db)
err := dbAccessor.InsertCertificate(cert)
if err != nil {
return nil, err
}
return dbAccessor, nil
}
func testRevokeCert(t *testing.T, dbAccessor certdb.Accessor, serial, aki, reason string) (resp *http.Response, body []byte) {
ts := httptest.NewServer(NewHandler(dbAccessor))
defer ts.Close()
obj := map[string]interface{}{}
obj["serial"] = serial
obj["authority_key_id"] = aki
if reason != "" {
obj["reason"] = reason
}
blob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func TestInvalidRevocation(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
resp, _ := testRevokeCert(t, dbAccessor, "", "", "")
if resp.StatusCode != http.StatusBadRequest {
t.Fatal("expected bad request response")
}
}
func TestRevocation(t *testing.T) {
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
resp, body := testRevokeCert(t, dbAccessor, "1", fakeAKI, "5")
if resp.StatusCode != http.StatusOK {
t.Fatal("unexpected HTTP status code; expected OK", string(body))
}
message := new(api.Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
certs, err := dbAccessor.GetCertificate("1", fakeAKI)
if err != nil {
t.Fatal("failed to get certificate ", err)
}
if len(certs) != 1 {
t.Fatal("failed to get one certificate")
}
cert := certs[0]
if cert.Status != "revoked" || cert.Reason != 5 {
t.Fatal("cert was not correctly revoked")
}
}
// TestOCSPGeneration tests that revoking a certificate (when the
// request handler has an OCSP response signer) generates an
// appropriate OCSP response in the certdb.
func TestOCSPGeneration(t *testing.T) {
privKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatal(err)
}
serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
// 1. Generate a CA certificate to serve as the signing certificate.
issuerSerial, err := rand.Int(rand.Reader, serialNumberRange)
if err != nil {
t.Fatal(err)
}
issuerTemplate := x509.Certificate{
SerialNumber: issuerSerial,
Subject: pkix.Name{
Organization: []string{"cfssl unit test"},
},
AuthorityKeyId: []byte{42, 42, 42, 42},
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
IsCA: true,
BasicConstraintsValid: true,
}
issuerBytes, err := x509.CreateCertificate(rand.Reader, &issuerTemplate, &issuerTemplate, &privKey.PublicKey, privKey)
if err != nil {
t.Fatal(err)
}
issuer, err := x509.ParseCertificate(issuerBytes)
if err != nil {
t.Fatal(err)
}
// 2. Generate a certificate signed by the CA certificate to revoke.
revokedSerial, err := rand.Int(rand.Reader, serialNumberRange)
if err != nil {
t.Fatal(err)
}
revokedTemplate := x509.Certificate{
SerialNumber: revokedSerial,
Subject: pkix.Name{
Organization: []string{"Cornell CS 5152"},
},
AuthorityKeyId: []byte{42, 42, 42, 42},
}
revokedBytes, err := x509.CreateCertificate(rand.Reader, &revokedTemplate, issuer, &privKey.PublicKey, privKey)
if err != nil {
t.Fatal(err)
}
revoked := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: revokedBytes,
})
revokedAKI := hex.EncodeToString(revokedTemplate.AuthorityKeyId)
revokedSerialStr := revokedSerial.Text(16)
// 3. Generate a certificate to use as the responder certificate.
responderSerial, err := rand.Int(rand.Reader, serialNumberRange)
if err != nil {
t.Fatal(err)
}
responderTemplate := x509.Certificate{
SerialNumber: responderSerial,
Subject: pkix.Name{
Organization: []string{"Cornell CS 5152 Responder"},
},
AuthorityKeyId: []byte{42, 42, 42, 43},
}
responderBytes, err := x509.CreateCertificate(rand.Reader, &responderTemplate, &responderTemplate, &privKey.PublicKey, privKey)
if err != nil {
t.Fatal(err)
}
responder, err := x509.ParseCertificate(responderBytes)
if err != nil {
t.Fatal(err)
}
// 4. Create the OCSP signer
signer, err := ocsp.NewSigner(issuer, responder, privKey, time.Hour)
if err != nil {
t.Fatal(err)
}
// 5. Spin up the test server
// 5a. Prepare the DB
dbAccessor, err := prepDB()
if err != nil {
t.Fatal(err)
}
expirationTime := time.Now().AddDate(1, 0, 0)
cr := certdb.CertificateRecord{
Serial: revokedSerialStr,
AKI: revokedAKI,
Expiry: expirationTime,
PEM: string(revoked),
}
if err := dbAccessor.InsertCertificate(cr); err != nil {
t.Fatal(err)
}
// 5b. Start the test server
ts := httptest.NewServer(NewOCSPHandler(dbAccessor, signer))
defer ts.Close()
// 6. Prepare the revocation request
obj := map[string]interface{}{}
obj["serial"] = revokedSerialStr
obj["authority_key_id"] = revokedAKI
obj["reason"] = "unspecified"
blob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
// Get the original number of OCSP responses
ocspsBefore, _ := dbAccessor.GetOCSP(revokedSerialStr, revokedAKI)
ocspCountBefore := len(ocspsBefore)
// 7. Send the revocation request
resp, err := http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err := io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
if resp.StatusCode != http.StatusOK {
t.Fatal("unexpected HTTP status code; expected OK", string(body))
}
message := new(api.Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
// 8. Make sure the certificate record was updated
certs, err := dbAccessor.GetCertificate(revokedSerialStr, revokedAKI)
if err != nil {
t.Fatal("failed to get certificate ", err)
}
if len(certs) != 1 {
t.Fatal("failed to get one certificate")
}
cert := certs[0]
if cert.Status != "revoked" || cert.Reason != stdocsp.Unspecified {
t.Fatal("cert was not correctly revoked")
}
// 9. Make sure there is an OCSP record
ocsps, err := dbAccessor.GetOCSP(revokedSerialStr, revokedAKI)
if err != nil {
t.Fatal("failed to get OCSP responses ", err)
}
if len(ocsps) == 0 {
t.Fatal("No OCSP response generated")
}
if len(ocsps) <= ocspCountBefore {
t.Fatal("No new OCSP response found")
}
}
================================================
FILE: api/scan/scan.go
================================================
package scan
import (
"encoding/json"
"net/http"
"time"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/log"
"github.com/cloudflare/cfssl/scan"
)
// scanHandler is an HTTP handler that accepts GET parameters for host (required)
// family and scanner, and uses these to perform scans, returning a JSON blob result.
func scanHandler(w http.ResponseWriter, r *http.Request) error {
if err := r.ParseForm(); err != nil {
log.Warningf("failed to parse body: %v", err)
return errors.NewBadRequest(err)
}
family := r.Form.Get("family")
scanner := r.Form.Get("scanner")
ip := r.Form.Get("ip")
timeoutStr := r.Form.Get("timeout")
var timeout time.Duration
var err error
if timeoutStr != "" {
if timeout, err = time.ParseDuration(timeoutStr); err != nil {
return errors.NewBadRequest(err)
}
if timeout < time.Second || timeout > 5*time.Minute {
return errors.NewBadRequestString("invalid timeout given")
}
} else {
timeout = time.Minute
}
host := r.Form.Get("host")
if host == "" {
log.Warningf("no host given")
return errors.NewBadRequestString("no host given")
}
results, err := scan.Default.RunScans(host, ip, family, scanner, timeout)
if err != nil {
return errors.NewBadRequest(err)
}
return json.NewEncoder(w).Encode(api.NewSuccessResponse(results))
}
// NewHandler returns a new http.Handler that handles a scan request.
func NewHandler(caBundleFile string) (http.Handler, error) {
return api.HTTPHandler{
Handler: api.HandlerFunc(scanHandler),
Methods: []string{"GET"},
}, scan.LoadRootCAs(caBundleFile)
}
// scanInfoHandler is an HTTP handler that returns a JSON blob result describing
// the possible families and scans to be run.
func scanInfoHandler(w http.ResponseWriter, r *http.Request) error {
log.Info("setting up scaninfo handler")
response := api.NewSuccessResponse(scan.Default)
enc := json.NewEncoder(w)
return enc.Encode(response)
}
// NewInfoHandler returns a new http.Handler that handles a request for scan info.
func NewInfoHandler() http.Handler {
return api.HTTPHandler{
Handler: api.HandlerFunc(scanInfoHandler),
Methods: []string{"GET"},
}
}
================================================
FILE: api/scan/scan_test.go
================================================
package scan
import (
"net/http"
"net/http/httptest"
"testing"
)
var (
handler, _ = NewHandler("")
ts = httptest.NewServer(handler)
)
func TestBadRequest(t *testing.T) {
// Test request with no host
req, _ := http.NewRequest("GET", ts.URL, nil)
resp, _ := http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusBadRequest {
t.Fatal(resp.Status)
}
}
func TestScanRESTfulVerbs(t *testing.T) {
// GET should work
req, _ := http.NewRequest("GET", ts.URL, nil)
data := req.URL.Query()
data.Add("host", "cloudflare.com")
req.URL.RawQuery = data.Encode()
resp, _ := http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusOK {
t.Fatal(resp.Status)
}
// POST, PUT, DELETE, WHATEVER should return 400 errors
req, _ = http.NewRequest("POST", ts.URL, nil)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("DELETE", ts.URL, nil)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("PUT", ts.URL, nil)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
req, _ = http.NewRequest("WHATEVER", ts.URL, nil)
resp, _ = http.DefaultClient.Do(req)
if resp.StatusCode != http.StatusMethodNotAllowed {
t.Fatal(resp.Status)
}
}
func TestNewInfoHandler(t *testing.T) {
handler := NewInfoHandler()
if handler == nil {
t.Fatal("Handler error")
}
}
================================================
FILE: api/sign/sign.go
================================================
// Package sign implements the HTTP handler for the certificate signing command.
package sign
import (
"net/http"
"github.com/cloudflare/cfssl/api/signhandler"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/log"
"github.com/cloudflare/cfssl/signer/universal"
)
// NewHandler generates a new Handler using the certificate
// authority private key and certficate to sign certificates. If remote
// is not an empty string, the handler will send signature requests to
// the CFSSL instance contained in remote by default.
func NewHandler(caFile, caKeyFile string, policy *config.Signing) (http.Handler, error) {
root := universal.Root{
Config: map[string]string{
"cert-file": caFile,
"key-file": caKeyFile,
},
}
s, err := universal.NewSigner(root, policy)
if err != nil {
log.Errorf("setting up signer failed: %v", err)
return nil, err
}
return signhandler.NewHandlerFromSigner(s)
}
// NewAuthHandler generates a new AuthHandler using the certificate
// authority private key and certficate to sign certificates. If remote
// is not an empty string, the handler will send signature requests to
// the CFSSL instance contained in remote by default.
func NewAuthHandler(caFile, caKeyFile string, policy *config.Signing) (http.Handler, error) {
root := universal.Root{
Config: map[string]string{
"cert-file": caFile,
"key-file": caKeyFile,
},
}
s, err := universal.NewSigner(root, policy)
if err != nil {
log.Errorf("setting up signer failed: %v", err)
return nil, err
}
return signhandler.NewAuthHandlerFromSigner(s)
}
================================================
FILE: api/sign/sign_test.go
================================================
package sign
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"os"
"strings"
"testing"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/auth"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/signer"
)
const (
testCaFile = "../testdata/ca.pem"
testCaKeyFile = "../testdata/ca_key.pem"
testCSRFile = "../testdata/csr.pem"
testBrokenCertFile = "../testdata/broken.pem"
testBrokenCSRFile = "../testdata/broken_csr.pem"
)
var validLocalConfig = `
{
"signing": {
"default": {
"usages": ["digital signature", "email protection"],
"expiry": "1m"
}
}
}`
var validAuthLocalConfig = `
{
"signing": {
"default": {
"usages": ["digital signature", "email protection"],
"expiry": "1m",
"auth_key": "sample"
}
},
"auth_keys": {
"sample": {
"type":"standard",
"key":"0123456789ABCDEF0123456789ABCDEF"
}
}
}`
var validMixedLocalConfig = `
{
"signing": {
"default": {
"usages": ["digital signature", "email protection"],
"expiry": "1m"
},
"profiles": {
"auth": {
"usages": ["digital signature", "email protection"],
"expiry": "1m",
"auth_key": "sample"
}
}
},
"auth_keys": {
"sample": {
"type":"standard",
"key":"0123456789ABCDEF0123456789ABCDEF"
}
}
}`
var alsoValidMixedLocalConfig = `
{
"signing": {
"default": {
"usages": ["digital signature", "email protection"],
"expiry": "1m",
"auth_key": "sample"
},
"profiles": {
"no-auth": {
"usages": ["digital signature", "email protection"],
"expiry": "1m"
}
}
},
"auth_keys": {
"sample": {
"type":"standard",
"key":"0123456789ABCDEF0123456789ABCDEF"
}
}
}`
func newTestHandler(t *testing.T) (h http.Handler) {
h, err := NewHandler(testCaFile, testCaKeyFile, nil)
if err != nil {
t.Fatal(err)
}
return
}
func TestNewHandler(t *testing.T) {
newTestHandler(t)
}
func TestNewHandlerWithProfile(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal(err)
}
}
func TestNewHandlerWithAuthProfile(t *testing.T) {
conf, err := config.LoadConfig([]byte(validAuthLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewHandler(testCaFile, testCaKeyFile, conf.Signing)
if err == nil {
t.Fatal("All profiles have auth keys. Should have failed to create non-auth sign handler.")
}
}
func TestNewHandlerError(t *testing.T) {
// using testBrokenCSRFile as badly formed key
_, err := NewHandler(testCaFile, testBrokenCSRFile, nil)
if err == nil {
t.Fatal("Expect error when create a signer with broken file.")
}
}
func TestNewAuthHandlerWithNonAuthProfile(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err == nil {
t.Fatal("No profile have auth keys. Should have failed to create auth sign handler.")
}
}
func TestNewHandlersWithMixedProfile(t *testing.T) {
conf, err := config.LoadConfig([]byte(validMixedLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal("Should be able to create non-auth sign handler.")
}
_, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal("Should be able to create auth sign handler.")
}
}
func TestNewHandlersWithAnotherMixedProfile(t *testing.T) {
conf, err := config.LoadConfig([]byte(alsoValidMixedLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal("Should be able to create non-auth sign handler.")
}
_, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal("Should be able to create auth sign handler.")
}
}
func newSignServer(t *testing.T) *httptest.Server {
ts := httptest.NewServer(newTestHandler(t))
return ts
}
func testSignFileOldInterface(t *testing.T, hostname, csrFile string) (resp *http.Response, body []byte) {
ts := newSignServer(t)
defer ts.Close()
var csrPEM []byte
if csrFile != "" {
var err error
csrPEM, err = os.ReadFile(csrFile)
if err != nil {
t.Fatal(err)
}
}
obj := map[string]string{}
if len(hostname) > 0 {
obj["hostname"] = hostname
}
if len(csrPEM) > 0 {
obj["certificate_request"] = string(csrPEM)
}
blob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func testSignFile(t *testing.T, hosts []string, subject *signer.Subject, csrFile string) (resp *http.Response, body []byte) {
ts := newSignServer(t)
defer ts.Close()
var csrPEM []byte
if csrFile != "" {
var err error
csrPEM, err = os.ReadFile(csrFile)
if err != nil {
t.Fatal(err)
}
}
obj := map[string]interface{}{}
if hosts != nil {
obj["hosts"] = hosts
}
if len(csrPEM) > 0 {
obj["certificate_request"] = string(csrPEM)
}
if subject != nil {
obj["subject"] = subject
}
blob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
const (
testHostName = "localhost"
testDomainName = "cloudflare.com"
)
type signTest struct {
Hosts []string
Subject *signer.Subject
CSRFile string
ExpectedHTTPStatus int
ExpectedSuccess bool
ExpectedErrorCode int
}
var signTests = []signTest{
{
Hosts: []string{testHostName},
CSRFile: testCSRFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
Hosts: []string{testDomainName},
CSRFile: testCSRFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
Hosts: []string{testDomainName, testHostName},
CSRFile: testCSRFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
Hosts: []string{testDomainName},
Subject: &signer.Subject{CN: "example.com"},
CSRFile: testCSRFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
Hosts: []string{},
Subject: &signer.Subject{CN: "example.com"},
CSRFile: testCSRFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
Hosts: nil,
CSRFile: testCSRFile,
ExpectedHTTPStatus: http.StatusOK,
ExpectedSuccess: true,
ExpectedErrorCode: 0,
},
{
Hosts: []string{testDomainName},
CSRFile: "",
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: http.StatusBadRequest,
},
{
Hosts: []string{testDomainName},
CSRFile: testBrokenCSRFile,
ExpectedHTTPStatus: http.StatusBadRequest,
ExpectedSuccess: false,
ExpectedErrorCode: 9002,
},
}
func TestSign(t *testing.T) {
for i, test := range signTests {
resp, body := testSignFile(t, test.Hosts, test.Subject, test.CSRFile)
if resp.StatusCode != test.ExpectedHTTPStatus {
t.Logf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Logf("failed to read response body: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess != message.Success {
t.Logf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess == true {
continue
}
if test.ExpectedErrorCode != message.Errors[0].Code {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
}
// Test for backward compatibility
// TODO remove after API transition is complete.
for i, test := range signTests {
// an empty hostname is not accepted by the old interface but an empty hosts array should be accepted
// so skip the case of empty hosts array for the old interface.
if test.Hosts != nil && len(test.Hosts) == 0 {
continue
}
hostname := strings.Join(test.Hosts, ",")
resp, body := testSignFileOldInterface(t, hostname, test.CSRFile)
if resp.StatusCode != test.ExpectedHTTPStatus {
t.Logf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Logf("failed to read response body: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess != message.Success {
t.Logf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess == true {
continue
}
if test.ExpectedErrorCode != message.Errors[0].Code {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
}
}
func newTestAuthHandler(t *testing.T) http.Handler {
conf, err := config.LoadConfig([]byte(validAuthLocalConfig))
if err != nil {
t.Fatal(err)
}
h, err := NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal(err)
}
return h
}
func TestNewAuthHandler(t *testing.T) {
newTestAuthHandler(t)
}
func TestNewAuthHandlerWithNoAuthConfig(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfig))
if err != nil {
t.Fatal(err)
}
_, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing)
if err == nil {
t.Fatal("Config doesn't have auth keys. Should have failed.")
}
return
}
func testAuthSignFile(t *testing.T, hosts []string, subject *signer.Subject, csrFile string, profile *config.SigningProfile) (resp *http.Response, body []byte) {
ts := newAuthSignServer(t)
defer ts.Close()
var csrPEM []byte
if csrFile != "" {
var err error
csrPEM, err = os.ReadFile(csrFile)
if err != nil {
t.Fatal(err)
}
}
obj := map[string]interface{}{}
if hosts != nil {
obj["hosts"] = hosts
}
if subject != nil {
obj["subject"] = subject
}
if len(csrPEM) > 0 {
obj["certificate_request"] = string(csrPEM)
}
reqBlob, err := json.Marshal(obj)
if err != nil {
t.Fatal(err)
}
var aReq auth.AuthenticatedRequest
aReq.Request = reqBlob
aReq.Token, err = profile.Provider.Token(aReq.Request)
if err != nil {
t.Fatal(err)
}
blob, err := json.Marshal(aReq)
if err != nil {
t.Fatal(err)
}
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
return
}
func newAuthSignServer(t *testing.T) *httptest.Server {
ts := httptest.NewServer(newTestAuthHandler(t))
return ts
}
func TestAuthSign(t *testing.T) {
conf, err := config.LoadConfig([]byte(validAuthLocalConfig))
if err != nil {
t.Fatal(err)
}
for i, test := range signTests {
resp, body := testAuthSignFile(t, test.Hosts, test.Subject, test.CSRFile, conf.Signing.Default)
if resp.StatusCode != test.ExpectedHTTPStatus {
t.Logf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body))
}
message := new(api.Response)
err := json.Unmarshal(body, message)
if err != nil {
t.Logf("failed to read response body: %v", err)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess != message.Success {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
if test.ExpectedSuccess == true {
continue
}
if test.ExpectedErrorCode != message.Errors[0].Code {
t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code)
t.Fatal(resp.Status, test.ExpectedHTTPStatus, message)
}
}
}
================================================
FILE: api/signhandler/signhandler.go
================================================
// Package signhandler provides the handlers for signers.
package signhandler
import (
"encoding/json"
"io"
"math/big"
"net/http"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/auth"
"github.com/cloudflare/cfssl/bundler"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/log"
"github.com/cloudflare/cfssl/signer"
)
// NoBundlerMessage is used to alert the user that the server does not have a bundler initialized.
const NoBundlerMessage = `This request requires a bundler, but one is not initialized for the API server.`
// A Handler accepts requests with a hostname and certficate
// parameter (which should be PEM-encoded) and returns a new signed
// certificate. It includes upstream servers indexed by their
// profile name.
type Handler struct {
signer signer.Signer
bundler *bundler.Bundler
}
// NewHandlerFromSigner generates a new Handler directly from
// an existing signer.
func NewHandlerFromSigner(signer signer.Signer) (h *api.HTTPHandler, err error) {
policy := signer.Policy()
if policy == nil {
err = errors.New(errors.PolicyError, errors.InvalidPolicy)
return
}
// Sign will only respond for profiles that have no auth provider.
// So if all of the profiles require authentication, we return an error.
haveUnauth := (policy.Default.Provider == nil)
for _, profile := range policy.Profiles {
haveUnauth = haveUnauth || (profile.Provider == nil)
}
if !haveUnauth {
err = errors.New(errors.PolicyError, errors.InvalidPolicy)
return
}
return &api.HTTPHandler{
Handler: &Handler{
signer: signer,
},
Methods: []string{"POST"},
}, nil
}
// SetBundler allows injecting an optional Bundler into the Handler.
func (h *Handler) SetBundler(caBundleFile, intBundleFile string) (err error) {
h.bundler, err = bundler.NewBundler(caBundleFile, intBundleFile)
return err
}
// This type is meant to be unmarshalled from JSON so that there can be a
// hostname field in the API
// TODO: Change the API such that the normal struct can be used.
type jsonSignRequest struct {
Hostname string `json:"hostname"`
Hosts []string `json:"hosts"`
Request string `json:"certificate_request"`
Subject *signer.Subject `json:"subject,omitempty"`
Profile string `json:"profile"`
Label string `json:"label"`
Serial *big.Int `json:"serial,omitempty"`
Bundle bool `json:"bundle"`
}
func jsonReqToTrue(js jsonSignRequest) signer.SignRequest {
sub := new(signer.Subject)
if js.Subject == nil {
sub = nil
} else {
// make a copy
*sub = *js.Subject
}
if js.Hostname != "" {
return signer.SignRequest{
Hosts: signer.SplitHosts(js.Hostname),
Subject: sub,
Request: js.Request,
Profile: js.Profile,
Label: js.Label,
Serial: js.Serial,
}
}
return signer.SignRequest{
Hosts: js.Hosts,
Subject: sub,
Request: js.Request,
Profile: js.Profile,
Label: js.Label,
Serial: js.Serial,
}
}
// Handle responds to requests for the CA to sign the certificate request
// present in the "certificate_request" parameter for the host named
// in the "hostname" parameter. The certificate should be PEM-encoded. If
// provided, subject information from the "subject" parameter will be used
// in place of the subject information from the CSR.
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
log.Info("signature request received")
body, err := io.ReadAll(r.Body)
if err != nil {
return err
}
r.Body.Close()
var req jsonSignRequest
err = json.Unmarshal(body, &req)
if err != nil {
return errors.NewBadRequestString("Unable to parse sign request")
}
signReq := jsonReqToTrue(req)
if req.Request == "" {
return errors.NewBadRequestString("missing parameter 'certificate_request'")
}
var cert []byte
profile, err := signer.Profile(h.signer, req.Profile)
if err != nil {
return err
}
if profile.Provider != nil {
log.Error("profile requires authentication")
return errors.NewBadRequestString("authentication required")
}
cert, err = h.signer.Sign(signReq)
if err != nil {
log.Warningf("failed to sign request: %v", err)
return err
}
result := map[string]interface{}{"certificate": string(cert)}
if req.Bundle {
if h.bundler == nil {
return api.SendResponseWithMessage(w, result, NoBundlerMessage,
errors.New(errors.PolicyError, errors.InvalidRequest).ErrorCode)
}
bundle, err := h.bundler.BundleFromPEMorDER(cert, nil, bundler.Optimal, "")
if err != nil {
return err
}
result["bundle"] = bundle
}
log.Info("wrote response")
return api.SendResponse(w, result)
}
// An AuthHandler verifies and signs incoming signature requests.
type AuthHandler struct {
signer signer.Signer
bundler *bundler.Bundler
}
// NewAuthHandlerFromSigner creates a new AuthHandler from the signer
// that is passed in.
func NewAuthHandlerFromSigner(signer signer.Signer) (http.Handler, error) {
policy := signer.Policy()
if policy == nil {
return nil, errors.New(errors.PolicyError, errors.InvalidPolicy)
}
if policy.Default == nil && policy.Profiles == nil {
return nil, errors.New(errors.PolicyError, errors.InvalidPolicy)
}
// AuthSign will not respond for profiles that have no auth provider.
// So if there are no profiles with auth providers in this policy,
// we return an error.
haveAuth := (policy.Default.Provider != nil)
for _, profile := range policy.Profiles {
if haveAuth {
break
}
haveAuth = (profile.Provider != nil)
}
if !haveAuth {
return nil, errors.New(errors.PolicyError, errors.InvalidPolicy)
}
return &api.HTTPHandler{
Handler: &AuthHandler{
signer: signer,
},
Methods: []string{"POST"},
}, nil
}
// SetBundler allows injecting an optional Bundler into the Handler.
func (h *AuthHandler) SetBundler(caBundleFile, intBundleFile string) (err error) {
h.bundler, err = bundler.NewBundler(caBundleFile, intBundleFile)
return err
}
// Handle receives the incoming request, validates it, and processes it.
func (h *AuthHandler) Handle(w http.ResponseWriter, r *http.Request) error {
log.Info("signature request received")
body, err := io.ReadAll(r.Body)
if err != nil {
log.Errorf("failed to read response body: %v", err)
return err
}
r.Body.Close()
var aReq auth.AuthenticatedRequest
err = json.Unmarshal(body, &aReq)
if err != nil {
log.Errorf("failed to unmarshal authenticated request: %v", err)
return errors.NewBadRequest(err)
}
var req jsonSignRequest
err = json.Unmarshal(aReq.Request, &req)
if err != nil {
log.Errorf("failed to unmarshal request from authenticated request: %v", err)
return errors.NewBadRequestString("Unable to parse authenticated sign request")
}
// Sanity checks to ensure that we have a valid policy. This
// should have been checked in NewAuthHandler.
policy := h.signer.Policy()
if policy == nil {
log.Critical("signer was initialised without a signing policy")
return errors.NewBadRequestString("invalid policy")
}
profile, err := signer.Profile(h.signer, req.Profile)
if err != nil {
return err
}
if profile.Provider == nil {
log.Error("profile has no authentication provider")
return errors.NewBadRequestString("no authentication provider")
}
validAuth := false
if profile.Provider.Verify(&aReq) {
validAuth = true
} else if profile.PrevProvider != nil && profile.PrevProvider.Verify(&aReq) {
validAuth = true
}
if !validAuth {
log.Warning("received authenticated request with invalid token")
return errors.NewBadRequestString("invalid token")
}
signReq := jsonReqToTrue(req)
if signReq.Request == "" {
return errors.NewBadRequestString("missing parameter 'certificate_request'")
}
cert, err := h.signer.Sign(signReq)
if err != nil {
log.Errorf("signature failed: %v", err)
return err
}
result := map[string]interface{}{"certificate": string(cert)}
if req.Bundle {
if h.bundler == nil {
return api.SendResponseWithMessage(w, result, NoBundlerMessage,
errors.New(errors.PolicyError, errors.InvalidRequest).ErrorCode)
}
bundle, err := h.bundler.BundleFromPEMorDER(cert, nil, bundler.Optimal, "")
if err != nil {
return err
}
result["bundle"] = bundle
}
log.Info("wrote response")
return api.SendResponse(w, result)
}
================================================
FILE: api/signhandler/signhandler_test.go
================================================
package signhandler
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"os"
"testing"
"github.com/cloudflare/cfssl/api"
"github.com/cloudflare/cfssl/certdb"
"github.com/cloudflare/cfssl/certdb/sql"
"github.com/cloudflare/cfssl/certdb/testdb"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/local"
)
const (
testCaFile = "../testdata/ca.pem"
testCaKeyFile = "../testdata/ca_key.pem"
testCSRFile = "../testdata/csr.pem"
)
// GetUnexpiredCertificates sometimes doesn't return a certificate with an
// expiry of 1m as above
var validLocalConfigLongerExpiry = `
{
"signing": {
"default": {
"usages": ["digital signature", "email protection"],
"expiry": "10m"
}
}
}`
var dbAccessor certdb.Accessor
func TestSignerDBPersistence(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfigLongerExpiry))
if err != nil {
t.Fatal(err)
}
var s *local.Signer
s, err = local.NewSignerFromFile(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal(err)
}
db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db")
if err != nil {
t.Fatal(err)
}
dbAccessor = sql.NewAccessor(db)
s.SetDBAccessor(dbAccessor)
var handler *api.HTTPHandler
handler, err = NewHandlerFromSigner(signer.Signer(s))
if err != nil {
t.Fatal(err)
}
ts := httptest.NewServer(handler)
defer ts.Close()
var csrPEM, body []byte
csrPEM, err = os.ReadFile(testCSRFile)
if err != nil {
t.Fatal(err)
}
blob, err := json.Marshal(&map[string]string{"certificate_request": string(csrPEM)})
if err != nil {
t.Fatal(err)
}
var resp *http.Response
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = io.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
if resp.StatusCode != http.StatusOK {
t.Fatal(resp.Status, string(body))
}
message := new(api.Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
if !message.Success {
t.Fatal("API operation failed")
}
crs, err := dbAccessor.GetUnexpiredCertificates()
if err != nil {
t.Fatal("Failed to get unexpired certificates")
}
if len(crs) != 1 {
t.Fatal("Expected 1 unexpired certificate in the database after signing 1: len(crs)=", len(crs))
}
}
================================================
FILE: api/testdata/broken.pem
================================================
-----BEGIN CERTIFICATE-----
MIICATCCAWoCCQDidF+uNJR6czANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
cyBQdHkgTHRkMB4XDTEyMDUwMTIyNTUxN1oXDTEzMDUwMTIyNTUxN1owRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
nodhz31kLEJoeLSkRmrv8l7exkGtO0REtIbirj9BBy64ZXVBE7khKGO2cnM8U7yj
w7Ntfh+IvCjZVA3d2XqHS3Pjrt4HmU/cGCONE8+NEXoqdzLUDPOix1qDDRBvXs81
IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtpjl
KAV2qh6CYHZbdqixhDerjvJcD4Nsd7kExEZfHuECAwEAATANBgkqhkiG9w0BAQUF
AAOBgQCyOqs7+qpMrYCgL6OamDeCVojLoEp036PsnaYWf2NPmsVXdpYW40Foyyjp
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
iv5otkxO5rxtGPv7o2J1eMBpCuSkydvoz3Ey/QwGqbBwEXQ4xYCgra336gqW2KQt
+LnDCkE8f5oBhCIisExc2i8PDvsRsY70g/2gs983ImJjVR8sDw==
-----END CERTIFICATE-----
================================================
FILE: api/testdata/broken_csr.pem
================================================
-----BEGIN CERTIFICATE REQUEST-----
MIIFGzCCAwUCAQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl
MRwwGgYDVQQLExNTeXN0ZW1zIEVuZ2luZWVyaW5nMRYwFAYDVQQHEw1TYW4gRnJh
bmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMR0wGwYDVQQDExRjbG91ZGZsYXJl
LWludGVyLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOUKdX6+
PSxU/LxKocsCUj7HCc+FaDOPZV68Po3PVm7UF5DmbnLgJYJ/4aZEZM/v5r8LnXQX
DqumYicHQ2DHHBDasLTx8m0KeKOUYf9WMQ8gdjmVFoCiZwzxGDHok66/0Glkkqmv
2nJQxXncl5ZFta4sfmcQx3KT02l61LaBbG3j8PbRCWEr+0eRE6twuYRR13AgZ3AT
wnMjzxzvsW67qmAy0cq+XgYYfTK9vhPs+8J0fxXa0Iftu3yuhd30xLIVXLu45GR+
i6KnsSxVERSaVxjkS+lHXjUpdtmqI5CK6wn67vqYRRA2TzAJHX8Jb+KL2/UEo5WN
fAJ8S0heODQA8nHVU1JIfpegOlQRMv55DgnQUv1c1uwO5hqvv7MPQ3X/m9Kjccs1
FBH1/SVuzKyxYEQ34LErX3HI+6avbVnRtTR/UHkfnZVIXSrcjUm73BGj33hrtiKl
0ZyZnaUKGZPuvebOUFNiXemhTbqrfi/zAb1Tsm/h+xkn5EZ5sMj5NHdAbpih3TqX
2gRhnFZcFjtJM6zzC5O7eG5Kdqf8iladXTXtWxzrUPkb5CupzFl1dyS3dqdkoIXv
kmlScnu+6jBOaYeVvwogxr2Y69y4Zfg/qbPyBOLZquX9ovbuSP1DQmC//LV5t7YH
HY/1MXr5U0MMvcn+9JWUV6ou3at4AgEqfK0vAgMBAAGgSzBJBgkqhkiG9w0BCQ4x
PDA6MDgGA1UdEQQxMC+CFGNsb3VkZmxhcmUtaW50ZXIuY29tghd3d3djbG91ZGZs
YXJlLWludGVyLmNvbTALBgkqhkiG9w0BAQ0DggIBAHtSt/v+IHQmSK5UiQWwjRWA
ZezIWVlJuselW8DEPNHzDtnraVhjPSFP995Cqh9fc89kx2Bt9hDhjNteTB+pJW6B
aCRRZygJ6/m3Ii1XqTFgfEJBWwuIX1Req0PCW/ayegdLzzYbSZ31wRICCveBQyGw
vRtzIBUeMvz9MgLJ8zx7eN7fDhrvy+Y1SkC4g0sAQTYYfM9P/He4k5hx79hmd2YC
mUDAlNZV0g0dY0qR4cITmhniIFW5iZBplY7DmqooUXrj5yEga2QMj/RA16lPzHbz
7ceUlcH2L6/V6zMR/rfCiGRoWInxWSuuJhLIVLmoEo0590w6KVEZifHxsRpl4l09
imvzwTSQGIrY8jF9AxOD0rRA9wXCT9h8XtBWyJZ1/DmzJG8+7oZ/HdE9XhzwNujD
Q6lBOj+dznju7k/snYCZVq501JLPeql8vQrq0O/xSqSK4yN1IG4NisZeDK2BZEOy
QhnKXodIKf+zXnFw86lZ/ZwHQFr6jOSxmbrZ2OiY34m7Yd9oeIaMPviysRih2x4Q
O6DFz72f97+xFZuXIbmn8DPQV8U9bk/gbrfUCPnx/icS8UoPsBKc9Gio0FZO4+8A
4/ac3oeN0zy/WjsBP+J50CRUXMrRI9KO+/bI4pcT14B31YbuSo6ygIkIkj7YDh36
+4ZG6HnUPQI8HteF9hzp=BROKEN==
-----END CERTIFICATE REQUEST-----
================================================
FILE: api/testdata/ca-bundle.pem
================================================
-----BEGIN CERTIFICATE-----
MIIC1jCCAj+gAwIBAgIUJhxh1ENJRZoFuCN+XB0xlP1zgeYwDQYJKoZIhvcNAQEL
BQAwfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
DVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCkNsb3VkRmxhcmUxFDASBgNVBAsMC0RF
Vl9URVNUSU5HMRYwFAYDVQQDDA1DRlNTTF9URVNUX0NBMB4XDTI1MDIwODIwMTYy
N1oXDTM1MDIwNjIwMTYyN1owfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
b3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCkNsb3VkRmxh
cmUxFDASBgNVBAsMC0RFVl9URVNUSU5HMRYwFAYDVQQDDA1DRlNTTF9URVNUX0NB
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbp/6OQ/a3mr+8zRgBRlmSGr8Q
BgP4vUIxLn2Mk4uiZ8OcpRY4YqL+TtREGDUc0ve+bv8RINrNlYXL2X+eJtbE2RJQ
+RAiu+saw2K+RFTNeTCA1fwg3ws5gBDcFbECqK1dOkuN/gV4JMHobn2/15iUBfeS
JxdF1j5yqES8sVu7cwIDAQABo1MwUTAdBgNVHQ4EFgQUuF7vrmdQt9bzB+VqvlWz
ZzoNkj4wHwYDVR0jBBgwFoAUuF7vrmdQt9bzB+VqvlWzZzoNkj4wDwYDVR0TAQH/
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQALmrNPUPlCyhabvgC8RsMZPhJjtxr9
TotLuoa49zsHH18djRZLrm8mNzBwUVVNJ1hgwSpRnyrc7T4HQTTvjpCnyXEVRil/
9HQbpVPBSw5W6oK3koLG0rFnZXHocqK+Qri4FkbwsTK5qlea35OJWkODiUY/ykVM
E4sm6QDE79e0Iw==
-----END CERTIFICATE-----
================================================
FILE: api/testdata/ca.pem
================================================
-----BEGIN CERTIFICATE-----
MIIEmzCCA4OgAwIBAgIMAMSvNBgypwaaSQ5iMA0GCSqGSIb3DQEBBQUAMIGMMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzETMBEGA1UEChMKQ0ZTU0wgVEVTVDEbMBkGA1UEAxMSQ0ZTU0wgVEVT
VCBSb290IENBMR4wHAYJKoZIhvcNAQkBFg90ZXN0QHRlc3QubG9jYWwwHhcNMTIx
MjEyMDIxMDMxWhcNMjIxMDIxMDIxMDMxWjCBjDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAoT
CkNGU1NMIFRFU1QxGzAZBgNVBAMTEkNGU1NMIFRFU1QgUm9vdCBDQTEeMBwGCSqG
SIb3DQEJARYPdGVzdEB0ZXN0LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAsRp1xSfIDoD/40Bo4Hls3sFn4dav5NgxbZGpVyGF7dJI9u0eEnL4
BUGssPaUFLWC83CZxujUEiEfE0oKX+uOhhGv3+j5xSTNM764m2eSiN53cdZtK05d
hwq9uS8LtjKOQeN1mQ5qmiqxBMdjkKgMsVw5lMCgoYKo57kaKFyXzdpNVDzqw+pt
HWmuNtDQjK3qT5Ma06mYPmIGYhIZYLY7oJGg9ZEaNR0GIw4zIT5JRsNiaSb5wTLw
aa0n/4vLJyVjLJcYmJBvZWj8g+taK+C4INu/jGux+bmsC9hq14tbOaTNAn/NE0qN
8oHwcRBEqfOdEYdZkxI5NWPiKNW/Q+AeXQIDAQABo4H6MIH3MB0GA1UdDgQWBBS3
0veEuqg51fusEM4p/YuWpBPsvTCBxAYDVR0jBIG8MIG5gBS30veEuqg51fusEM4p
/YuWpBPsvaGBkqSBjzCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAoTCkNGU1NMIFRFU1Qx
GzAZBgNVBAMTEkNGU1NMIFRFU1QgUm9vdCBDQTEeMBwGCSqGSIb3DQEJARYPdGVz
dEB0ZXN0LmxvY2FsggwAxK80GDKnBppJDmIwDwYDVR0TBAgwBgEB/wIBADANBgkq
hkiG9w0BAQUFAAOCAQEAJ7r1EZYDwed6rS0+YKHdkRGRQ5Rz6A9DIVBPXrSMAGj3
F5EF2m/GJbhpVbnNJTVlgP9DDyabOZNxzdrCr4cHMkYYnocDdgAodnkw6GZ/GJTc
depbVTR4TpihFNzeDEGJePrEwM1DouGswpu97jyuCYZ3z1a60+a+3C1GwWaJ7Aet
Uqm+yLTUrMISsfnDPqJdM1NeqW3jiZ4IgcqJkieCCSpag9Xuzrp9q6rjmePvlQkv
qz020JGg6VijJ+c6Tf5y0XqbAhkBTqYtVamu9gEth9utn12EhdNjTZMPKMjjgFUd
H0N6yOEuQMl4ky7RxZBM0iPyeob6i4z2LEQilgv9MQ==
-----END CERTIFICATE-----
================================================
FILE: api/testdata/ca2-key.pem
================================================
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILOI+Ox7VUA+HaiOuAbBtf1IOXffEsOoI/443rTOPzD5oAoGCCqGSM49
AwEHoUQDQgAEoY1dLpXLl1bN5p8GFqOKrYu8C7QF0OLCMlfoiJInE6XI+PKlxXx+
KlwasHd9zxV1HA4YtHifkrAL9u0CvrbdOg==
-----END EC PRIVATE KEY-----
================================================
FILE: api/testdata/ca2.pem
================================================
-----BEGIN CERTIFICATE-----
MIICYjCCAgigAwIBAgIIB/ijVOdMMDMwCgYIKoZIzj0EAwIwgYIxCzAJBgNVBAYT
AlVTMRUwEwYDVQQKEwxDRlNTTCBURVNUIDIxGzAZBgNVBAsTEkNGU1NMIFRlc3Qg
Um9vdCBDQTETMBEGA1UEBxMKQ2FsaWZvcm5pYTETMBEGA1UECBMKQ2FsaWZvcm5p
YTEVMBMGA1UEAxMMQ0ZTU0wgVEVTVCAyMB4XDTE1MDQwNjIzNTkwMFoXDTIwMDQw
NDIzNTkwMFowgYIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxDRlNTTCBURVNUIDIx
GzAZBgNVBAsTEkNGU1NMIFRlc3QgUm9vdCBDQTETMBEGA1UEBxMKQ2FsaWZvcm5p
YTETMBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEAxMMQ0ZTU0wgVEVTVCAyMFkw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoY1dLpXLl1bN5p8GFqOKrYu8C7QF0OLC
MlfoiJInE6XI+PKlxXx+KlwasHd9zxV1HA4YtHifkrAL9u0CvrbdOqNmMGQwDgYD
VR0PAQH/BAQDAgAGMBIGA1UdEwEB/wQIMAYBAf8CAQIwHQYDVR0OBBYEFGNz0lWe
3YnOP5PykkQ+ZVcHCZp2MB8GA1UdIwQYMBaAFGNz0lWe3YnOP5PykkQ+ZVcHCZp2
MAoGCCqGSM49BAMCA0gAMEUCIQCuxcZqp9vyJ8mH9eFS9cvMAbTildshZJYn7QB6
8WDscAIga1np4tMDrsIynHrmYI1GnD/TgmUi4ElBNoyUnob+B+U=
-----END CERTIFICATE-----
================================================
FILE: api/testdata/ca_key.pem
================================================
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxGnXFJ8gOgP/j
QGjgeWzewWfh1q/k2DFtkalXIYXt0kj27R4ScvgFQayw9pQUtYLzcJnG6NQSIR8T
Sgpf646GEa/f6PnFJM0zvribZ5KI3ndx1m0rTl2HCr25Lwu2Mo5B43WZDmqaKrEE
x2OQqAyxXDmUwKChgqjnuRooXJfN2k1UPOrD6m0daa420NCMrepPkxrTqZg+YgZi
EhlgtjugkaD1kRo1HQYjDjMhPklGw2JpJvnBMvBprSf/i8snJWMslxiYkG9laPyD
61or4Lgg27+Ma7H5uawL2GrXi1s5pM0Cf80TSo3ygfBxEESp850Rh1mTEjk1Y+Io
1b9D4B5dAgMBAAECggEAKHhjcSomDSptTwDo9mLI/h40HudwSlsc8GzYxZBjinUD
N2n39T9QbeMUE1xFenX/9qFEgq+xxnLLJx1EQacSapCgIAqdCO/f9HMgvGJumdg8
c0cMq1i9Bp7tu+OESZ5D48qWlOM2eQRIb08g8W11eRIaFmPuUPoKnuktkQuXpPJc
YbS/+JuA8SDwe6sV0cMCQuS+iHFfeGwWCKrDUkhLwcL3waW3od2XFyOeFFWFhl0h
HmM/mWKRuRdqR7hrmArTwFZVkB+o/1ywVYXIv+JQm0eNZ5PKLNJGL2f5oxbMR/JI
AoK0bAlJmYaFp96h1KpbPwLEL/0hHSWA7sAyJIgQAQKBgQDaEAZor/w4ZUTekT1+
cbId0yA+ikDXQOfXaNCSh9Pex+Psjd5zVVOqyVFJ29daRju3d7rmpN4Cm5V4h0l1
/2ad207rjCAnpCHtaddJWNyJzF2IL2IaoCZQRp0k7zOjBGQpoWDTwBaEin5CCv3P
kkdQkKz6FDP1xskHSLZr21/QCQKBgQDP6jXutEgGjf3yKpMFk/69EamJdon8clbt
hl7cOyWtobnZhdOWVZPe00Oo3Jag2aWgFFsm3EtwnUCnR4d4+fXRKS2LkhfIUZcz
cKy17Ileggdd8UGhL4RDrF/En9tJL86WcVkcoOrqLcGB2FLWrVhVpHFK74eLMCH/
uc/+ioPItQKBgHYoDsD08s7AGMQcoNx90MyWVLduhFnegoFW+wUa8jOZzieka6/E
wVQeR5yksZjpy3vLNYu6M83n7eLkM2rrm/fXGHlLcTTpm7SgEBZfPwivotKjEh5p
PrlqucWEk082lutz1RqHz+u7e1Rfzk2F7nx6GDBdeBYpw03eGXJx6QW5AoGBAIJq
4puyAEAET1fZNtHX7IGCk7sDXTi6LCbgE57HhzHr8V0t4fQ6CABMuvMwM1gATjEk
s6yjoLqqGUUUzDipanViBAy5fiuManC868lN7zkWDTLzQ3ytBqVAee4na/DziP27
ae9YTSLJwskE/alloLRP6zTbHUXE0n7LelmrX1DFAoGBAMFLl+Lu+WFgCHxBjn43
rHpJbQZQmsFhAMhkN4hsj6dJfAGn2gRLRiVRAika+8QF65xMZiVQWUVSUZADWERi
0SXGjzN1wYxO3Qzy3LYwws6fxFAq5lo79eb38yFT2lHdqK3x/QgiDSRVl+R6cExV
xQB518/lp2eIeMpglWByDwJX
-----END PRIVATE KEY-----
==========================
gitextract__9id0mvi/
├── .dockerignore
├── .github/
│ ├── dependabot.yml
│ └── workflows/
│ ├── docker-builds.yml
│ ├── go.yml
│ ├── semgrep.yml
│ └── snapshot.yml
├── .gitignore
├── .golangci.yaml
├── .goreleaser.yml
├── CHANGELOG
├── Dockerfile
├── Dockerfile.alpine
├── LICENSE
├── Makefile
├── README.md
├── api/
│ ├── api.go
│ ├── api_test.go
│ ├── bundle/
│ │ ├── bundle.go
│ │ └── bundle_test.go
│ ├── certadd/
│ │ ├── insert.go
│ │ └── insert_test.go
│ ├── certinfo/
│ │ └── certinfo.go
│ ├── client/
│ │ ├── api.go
│ │ ├── client.go
│ │ ├── client_test.go
│ │ └── group.go
│ ├── crl/
│ │ ├── crl.go
│ │ └── crl_test.go
│ ├── gencrl/
│ │ ├── gencrl.go
│ │ └── gencrl_test.go
│ ├── generator/
│ │ ├── generator.go
│ │ ├── generator_test.go
│ │ └── testdata/
│ │ ├── ca.pem
│ │ └── ca_key.pem
│ ├── health/
│ │ └── health.go
│ ├── info/
│ │ ├── info.go
│ │ └── info_test.go
│ ├── initca/
│ │ ├── initca.go
│ │ └── initca_test.go
│ ├── ocsp/
│ │ ├── ocspsign.go
│ │ └── ocspsign_test.go
│ ├── revoke/
│ │ ├── revoke.go
│ │ └── revoke_test.go
│ ├── scan/
│ │ ├── scan.go
│ │ └── scan_test.go
│ ├── sign/
│ │ ├── sign.go
│ │ └── sign_test.go
│ ├── signhandler/
│ │ ├── signhandler.go
│ │ └── signhandler_test.go
│ └── testdata/
│ ├── broken.pem
│ ├── broken_csr.pem
│ ├── ca-bundle.pem
│ ├── ca.pem
│ ├── ca2-key.pem
│ ├── ca2.pem
│ ├── ca_key.pem
│ ├── cert.pem
│ ├── csr.pem
│ ├── int-bundle.pem
│ ├── leaf.badkey
│ ├── leaf.key
│ └── leaf.pem
├── auth/
│ ├── auth.go
│ ├── auth_test.go
│ └── testdata/
│ ├── authrequest.json
│ └── request.json
├── bundler/
│ ├── bundle.go
│ ├── bundle_from_file_test.go
│ ├── bundle_from_pem_test.go
│ ├── bundle_from_remote_test.go
│ ├── bundler.go
│ ├── bundler_sha1_deprecation_test.go
│ ├── bundler_test.go
│ ├── doc.go
│ └── testdata/
│ ├── bad-bundle.pem
│ ├── ca-bundle.crt.metadata
│ ├── ca-bundle.pem
│ ├── ca.key
│ ├── ca.pem
│ ├── cfssl-leaf-ecdsa256.csr
│ ├── cfssl-leaf-ecdsa256.key
│ ├── cfssl-leaf-ecdsa256.pem
│ ├── cfssl-leaf-ecdsa384.csr
│ ├── cfssl-leaf-ecdsa384.key
│ ├── cfssl-leaf-ecdsa384.pem
│ ├── cfssl-leaf-ecdsa521.csr
│ ├── cfssl-leaf-ecdsa521.key
│ ├── cfssl-leaf-ecdsa521.pem
│ ├── cfssl-leaf-rsa2048.csr
│ ├── cfssl-leaf-rsa2048.key
│ ├── cfssl-leaf-rsa2048.pem
│ ├── cfssl-leaf-rsa3072.csr
│ ├── cfssl-leaf-rsa3072.key
│ ├── cfssl-leaf-rsa3072.pem
│ ├── cfssl-leaf-rsa4096.csr
│ ├── cfssl-leaf-rsa4096.key
│ ├── cfssl-leaf-rsa4096.pem
│ ├── cfssl-leaflet-rsa4096.pem
│ ├── client-auth/
│ │ ├── build_certs.sh
│ │ ├── int-config.json
│ │ ├── int-csr.json
│ │ ├── int.pem
│ │ ├── leaf-client-csr.json
│ │ ├── leaf-client.pem
│ │ ├── leaf-server-csr.json
│ │ ├── leaf-server.pem
│ │ ├── root-config.json
│ │ ├── root-csr.json
│ │ └── root.pem
│ ├── dsa2048.key
│ ├── dsa2048.pem
│ ├── empty.pem
│ ├── forcebundle.pem
│ ├── froyo.pem
│ ├── int-bundle.pem
│ ├── inter-L1-expired.pem
│ ├── inter-L1-sha1.pem
│ ├── inter-L1.csr
│ ├── inter-L1.key
│ ├── inter-L1.pem
│ ├── inter-L2-direct.pem
│ ├── inter-L2.csr
│ ├── inter-L2.key
│ ├── inter-L2.pem
│ ├── intermediates.crt
│ ├── nss.pem
│ ├── osx.pem
│ ├── partial-bundle.pem
│ └── reverse-partial-bundle.pem
├── certdb/
│ ├── README.md
│ ├── certdb.go
│ ├── dbconf/
│ │ ├── db_config.go
│ │ ├── db_config_test.go
│ │ └── testdata/
│ │ ├── bad-db-config.json
│ │ ├── db-config.json
│ │ └── memory_db.json
│ ├── mysql/
│ │ ├── dbconf.yml
│ │ └── migrations/
│ │ ├── 001_CreateCertificates.sql
│ │ └── 002_AddMetadataToCertificates.sql
│ ├── ocspstapling/
│ │ ├── ocspstapling.go
│ │ └── ocspstapling_test.go
│ ├── pg/
│ │ ├── dbconf.yml
│ │ └── migrations/
│ │ ├── 001_CreateCertificates.sql
│ │ └── 002_AddMetadataToCertificates.sql
│ ├── sql/
│ │ ├── database_accessor.go
│ │ ├── sql_mysql_test.go
│ │ ├── sql_pq_test.go
│ │ └── sql_test.go
│ ├── sqlite/
│ │ ├── dbconf.yml
│ │ └── migrations/
│ │ ├── 001_CreateCertificates.sql
│ │ └── 002_AddMetadataToCertificates.sql
│ └── testdb/
│ └── testdb.go
├── certinfo/
│ ├── certinfo.go
│ └── certinfo_test.go
├── cli/
│ ├── bundle/
│ │ ├── bundle.go
│ │ └── bundle_test.go
│ ├── certinfo/
│ │ └── certinfo.go
│ ├── cli.go
│ ├── cli_test.go
│ ├── config.go
│ ├── crl/
│ │ ├── crl.go
│ │ └── crl_test.go
│ ├── gencert/
│ │ ├── gencert.go
│ │ └── gencert_test.go
│ ├── gencrl/
│ │ ├── gencrl.go
│ │ ├── gencrl_test.go
│ │ └── testdata/
│ │ ├── ca-keyTwo.pem
│ │ ├── caTwo.pem
│ │ └── serialList
│ ├── gencsr/
│ │ ├── gencsr.go
│ │ ├── gencsr_test.go
│ │ └── testdata/
│ │ ├── csr.json
│ │ └── test-key.pem
│ ├── genkey/
│ │ ├── genkey.go
│ │ ├── genkey_test.go
│ │ └── testdata/
│ │ └── csr.json
│ ├── info/
│ │ └── info.go
│ ├── ocspdump/
│ │ └── ocspdump.go
│ ├── ocsprefresh/
│ │ ├── ocsprefresh.go
│ │ └── ocsprefresh_test.go
│ ├── ocspserve/
│ │ └── ocspserve.go
│ ├── ocspsign/
│ │ └── ocspsign.go
│ ├── printdefault/
│ │ ├── defaults.go
│ │ └── printdefault.go
│ ├── revoke/
│ │ ├── revoke.go
│ │ └── revoke_test.go
│ ├── scan/
│ │ ├── scan.go
│ │ └── scan_test.go
│ ├── selfsign/
│ │ ├── selfsign.go
│ │ └── selfsign_test.go
│ ├── serve/
│ │ ├── README.md
│ │ ├── serve.go
│ │ ├── serve_test.go
│ │ └── static/
│ │ ├── assets/
│ │ │ └── cfssl.js
│ │ └── index.html
│ ├── sign/
│ │ ├── sign.go
│ │ └── sign_test.go
│ ├── testdata/
│ │ ├── bad_csr.json
│ │ ├── bad_oid_csr.json
│ │ ├── ca-key.pem
│ │ ├── ca.csr
│ │ ├── ca.pem
│ │ ├── csr.json
│ │ ├── db-config.json
│ │ └── test.txt
│ └── version/
│ ├── version.go
│ └── version_test.go
├── cmd/
│ ├── cfssl/
│ │ ├── cfssl.go
│ │ └── cfssl_test.go
│ ├── cfssl-bundle/
│ │ └── cfssl-bundle.go
│ ├── cfssl-certinfo/
│ │ └── cfssl-certinfo.go
│ ├── cfssl-newkey/
│ │ └── cfssl-newkey.go
│ ├── cfssl-scan/
│ │ └── cfssl-scan.go
│ ├── cfssljson/
│ │ ├── cfssljson.go
│ │ ├── cfssljson_test.go
│ │ └── testdata/
│ │ └── test.txt
│ ├── mkbundle/
│ │ ├── cert-bundle.crt
│ │ ├── mkbundle.go
│ │ └── mkbundle_test.go
│ └── multirootca/
│ ├── api.go
│ └── ca.go
├── config/
│ ├── config.go
│ ├── config_test.go
│ └── testdata/
│ ├── invalid_auth.json
│ ├── invalid_auth_bad_key.json
│ ├── invalid_config.json
│ ├── invalid_default.json
│ ├── invalid_no_auth_keys.json
│ ├── invalid_no_remotes.json
│ ├── invalid_profile.json
│ ├── invalid_remotes.json
│ ├── invalid_usage.json
│ ├── valid_config.json
│ ├── valid_config_auth.json
│ ├── valid_config_auth_no_default.json
│ └── valid_config_no_default.json
├── crl/
│ ├── crl.go
│ ├── crl_test.go
│ └── testdata/
│ ├── ca-key.pem
│ ├── ca-keyTwo.pem
│ ├── ca.pem
│ ├── caTwo.pem
│ ├── cert.pem
│ ├── serialList
│ ├── server.crt
│ └── server.key
├── crypto/
│ ├── doc.go
│ └── pkcs7/
│ └── pkcs7.go
├── csr/
│ ├── csr.go
│ ├── csr_test.go
│ └── testdata/
│ └── test-ecdsa-ca.pem
├── doc/
│ ├── README.txt
│ ├── api/
│ │ ├── endpoint_authsign.txt
│ │ ├── endpoint_bundle.txt
│ │ ├── endpoint_certinfo.txt
│ │ ├── endpoint_crl.txt
│ │ ├── endpoint_health.txt
│ │ ├── endpoint_info.txt
│ │ ├── endpoint_init_ca.txt
│ │ ├── endpoint_newcert.txt
│ │ ├── endpoint_newkey.txt
│ │ ├── endpoint_revoke.txt
│ │ ├── endpoint_scan.txt
│ │ ├── endpoint_scaninfo.txt
│ │ ├── endpoint_sign.txt
│ │ └── intro.txt
│ ├── authentication.txt
│ ├── ca-bundle.crt.metadata.sample
│ ├── cmd/
│ │ ├── cfssl.txt
│ │ └── multiroot.txt
│ ├── errorcode.txt
│ └── transport.txt
├── errors/
│ ├── doc.go
│ ├── error.go
│ ├── error_test.go
│ └── http.go
├── go.mod
├── go.sum
├── helpers/
│ ├── derhelpers/
│ │ ├── derhelpers.go
│ │ ├── ed25519.go
│ │ └── ed25519_test.go
│ ├── helpers.go
│ ├── helpers_test.go
│ ├── testdata/
│ │ ├── bundle.pem
│ │ ├── bundle_pkcs7.pem
│ │ ├── bundle_with_whitespace.pem
│ │ ├── ca.pem
│ │ ├── ca_key.pem
│ │ ├── cert.der
│ │ ├── cert.pem
│ │ ├── cert_pkcs7.pem
│ │ ├── cert_with_whitespace.pem
│ │ ├── ecdsa256.csr
│ │ ├── empty.pem
│ │ ├── empty_pkcs7.der
│ │ ├── empty_pkcs7.pem
│ │ ├── emptycert.pem
│ │ ├── emptypasswordpkcs12.p12
│ │ ├── enc_priv_key.pem
│ │ ├── messed_up_bundle.pem
│ │ ├── messed_up_priv_key.pem
│ │ ├── messedupcert.pem
│ │ ├── multiplecerts.p12
│ │ ├── noheadercert.pem
│ │ ├── openssl_secp384.pem
│ │ ├── passwordpkcs12.p12
│ │ ├── priv_rsa_key.pem
│ │ ├── private_ecdsa_key.pem
│ │ ├── private_ed25519_key.pem
│ │ ├── rsa-old.csr
│ │ ├── secp256k1-key.pem
│ │ ├── test.bad.csr.pem
│ │ └── test.csr.pem
│ └── testsuite/
│ ├── testdata/
│ │ ├── cert_csr.json
│ │ └── initCA/
│ │ ├── ca_csr.json
│ │ └── cfssl_output.pem
│ ├── testing_helpers.go
│ └── testing_helpers_test.go
├── info/
│ └── info.go
├── initca/
│ ├── initca.go
│ ├── initca_test.go
│ └── testdata/
│ ├── 5min-ecdsa-key.pem
│ ├── 5min-ecdsa.pem
│ ├── 5min-ed25519-key.pem
│ ├── 5min-ed25519.pem
│ ├── 5min-rsa-key.pem
│ ├── 5min-rsa.pem
│ ├── README.md
│ ├── ca_csr_ecdsa.json
│ ├── ca_csr_ed25519.json
│ ├── ca_csr_rsa.json
│ ├── ecdsa256.csr
│ ├── ecdsa384.csr
│ ├── ecdsa521.csr
│ ├── ed25519.csr
│ ├── rsa2048.csr
│ ├── rsa3072.csr
│ └── rsa4096.csr
├── log/
│ ├── log.go
│ └── log_test.go
├── multiroot/
│ └── config/
│ ├── config.go
│ ├── config_test.go
│ └── testdata/
│ ├── bad-db-config.json
│ ├── bad.conf
│ ├── badconfig.json
│ ├── config.json
│ ├── db-config.json
│ ├── roots.conf
│ ├── roots_bad_certificate.conf
│ ├── roots_bad_db.conf
│ ├── roots_bad_private_key.conf
│ ├── roots_bad_whitelist.conf
│ ├── roots_bad_whitelist2.conf
│ ├── roots_badconfig.conf
│ ├── roots_badspec.conf
│ ├── roots_badspec2.conf
│ ├── roots_badspec3.conf
│ ├── roots_db.conf
│ ├── roots_der.conf
│ ├── roots_ksm.conf
│ ├── roots_missing_certificate.conf
│ ├── roots_missing_certificate_entry.conf
│ ├── roots_missing_private.conf
│ ├── roots_missing_private_key_entry.conf
│ ├── roots_no_kdl_private_key.conf
│ ├── roots_whitelist.conf
│ ├── roots_whitelist_ipv6.conf
│ ├── server.crt
│ ├── server.der
│ ├── server.key
│ ├── test.conf
│ └── test2.conf
├── ocsp/
│ ├── config/
│ │ └── config.go
│ ├── ocsp.go
│ ├── ocsp_test.go
│ ├── responder.go
│ ├── responder_test.go
│ ├── testdata/
│ │ ├── ca-key.pem
│ │ ├── ca.pem
│ │ ├── cert.pem
│ │ ├── db-config.json
│ │ ├── resp64.pem
│ │ ├── response.der
│ │ ├── response_broken.pem
│ │ ├── response_mix.pem
│ │ ├── server.crt
│ │ ├── server.key
│ │ ├── server_broken.crt
│ │ ├── server_broken.key
│ │ └── sqlite_ca.pem
│ └── universal/
│ └── universal.go
├── revoke/
│ ├── revoke.go
│ └── revoke_test.go
├── scan/
│ ├── broad.go
│ ├── connectivity.go
│ ├── crypto/
│ │ ├── crypto.go
│ │ ├── md5/
│ │ │ ├── example_test.go
│ │ │ ├── gen.go
│ │ │ ├── md5.go
│ │ │ ├── md5_test.go
│ │ │ ├── md5block.go
│ │ │ ├── md5block_386.s
│ │ │ ├── md5block_amd64.s
│ │ │ ├── md5block_amd64p32.s
│ │ │ ├── md5block_arm.s
│ │ │ ├── md5block_decl.go
│ │ │ └── md5block_generic.go
│ │ ├── rsa/
│ │ │ ├── example_test.go
│ │ │ ├── pkcs1v15.go
│ │ │ ├── pkcs1v15_test.go
│ │ │ ├── pss.go
│ │ │ ├── pss_test.go
│ │ │ ├── rsa.go
│ │ │ ├── rsa_test.go
│ │ │ └── testdata/
│ │ │ └── pss-vect.txt.bz2
│ │ ├── sha1/
│ │ │ ├── example_test.go
│ │ │ ├── sha1.go
│ │ │ ├── sha1_test.go
│ │ │ ├── sha1block.go
│ │ │ ├── sha1block_386.s
│ │ │ ├── sha1block_amd64.s
│ │ │ ├── sha1block_amd64p32.s
│ │ │ ├── sha1block_arm.s
│ │ │ ├── sha1block_decl.go
│ │ │ └── sha1block_generic.go
│ │ ├── sha256/
│ │ │ ├── sha256.go
│ │ │ ├── sha256_test.go
│ │ │ ├── sha256block.go
│ │ │ ├── sha256block_386.s
│ │ │ ├── sha256block_amd64.s
│ │ │ └── sha256block_decl.go
│ │ ├── sha512/
│ │ │ ├── sha512.go
│ │ │ ├── sha512_test.go
│ │ │ ├── sha512block.go
│ │ │ ├── sha512block_amd64.s
│ │ │ └── sha512block_decl.go
│ │ └── tls/
│ │ ├── alert.go
│ │ ├── cfsslscan_common.go
│ │ ├── cfsslscan_handshake.go
│ │ ├── cipher_suites.go
│ │ ├── common.go
│ │ ├── conn.go
│ │ ├── conn_test.go
│ │ ├── example_test.go
│ │ ├── generate_cert.go
│ │ ├── handshake_client.go
│ │ ├── handshake_client_test.go
│ │ ├── handshake_messages.go
│ │ ├── handshake_messages_test.go
│ │ ├── handshake_server.go
│ │ ├── handshake_server_test.go
│ │ ├── handshake_test.go
│ │ ├── key_agreement.go
│ │ ├── prf.go
│ │ ├── prf_test.go
│ │ ├── testdata/
│ │ │ ├── Client-TLSv10-ClientCert-ECDSA-ECDSA
│ │ │ ├── Client-TLSv10-ClientCert-ECDSA-RSA
│ │ │ ├── Client-TLSv10-ClientCert-RSA-ECDSA
│ │ │ ├── Client-TLSv10-ClientCert-RSA-RSA
│ │ │ ├── Client-TLSv10-ECDHE-ECDSA-AES
│ │ │ ├── Client-TLSv10-ECDHE-RSA-AES
│ │ │ ├── Client-TLSv10-RSA-RC4
│ │ │ ├── Client-TLSv11-ECDHE-ECDSA-AES
│ │ │ ├── Client-TLSv11-ECDHE-RSA-AES
│ │ │ ├── Client-TLSv11-RSA-RC4
│ │ │ ├── Client-TLSv12-AES128-GCM-SHA256
│ │ │ ├── Client-TLSv12-AES256-GCM-SHA384
│ │ │ ├── Client-TLSv12-ALPN
│ │ │ ├── Client-TLSv12-ALPN-NoMatch
│ │ │ ├── Client-TLSv12-ClientCert-ECDSA-ECDSA
│ │ │ ├── Client-TLSv12-ClientCert-ECDSA-RSA
│ │ │ ├── Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384
│ │ │ ├── Client-TLSv12-ClientCert-RSA-ECDSA
│ │ │ ├── Client-TLSv12-ClientCert-RSA-RSA
│ │ │ ├── Client-TLSv12-ECDHE-ECDSA-AES
│ │ │ ├── Client-TLSv12-ECDHE-ECDSA-AES-GCM
│ │ │ ├── Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384
│ │ │ ├── Client-TLSv12-ECDHE-RSA-AES
│ │ │ ├── Client-TLSv12-RSA-RC4
│ │ │ ├── Client-TLSv12-SCT
│ │ │ ├── Server-SSLv3-RSA-3DES
│ │ │ ├── Server-SSLv3-RSA-AES
│ │ │ ├── Server-SSLv3-RSA-RC4
│ │ │ ├── Server-TLSv10-ECDHE-ECDSA-AES
│ │ │ ├── Server-TLSv10-RSA-3DES
│ │ │ ├── Server-TLSv10-RSA-AES
│ │ │ ├── Server-TLSv10-RSA-RC4
│ │ │ ├── Server-TLSv11-FallbackSCSV
│ │ │ ├── Server-TLSv11-RSA-RC4
│ │ │ ├── Server-TLSv12-ALPN
│ │ │ ├── Server-TLSv12-ALPN-NoMatch
│ │ │ ├── Server-TLSv12-CipherSuiteCertPreferenceECDSA
│ │ │ ├── Server-TLSv12-CipherSuiteCertPreferenceRSA
│ │ │ ├── Server-TLSv12-ClientAuthRequestedAndECDSAGiven
│ │ │ ├── Server-TLSv12-ClientAuthRequestedAndGiven
│ │ │ ├── Server-TLSv12-ClientAuthRequestedNotGiven
│ │ │ ├── Server-TLSv12-ECDHE-ECDSA-AES
│ │ │ ├── Server-TLSv12-IssueTicket
│ │ │ ├── Server-TLSv12-IssueTicketPreDisable
│ │ │ ├── Server-TLSv12-RSA-3DES
│ │ │ ├── Server-TLSv12-RSA-AES
│ │ │ ├── Server-TLSv12-RSA-AES-GCM
│ │ │ ├── Server-TLSv12-RSA-AES256-GCM-SHA384
│ │ │ ├── Server-TLSv12-RSA-RC4
│ │ │ ├── Server-TLSv12-Resume
│ │ │ ├── Server-TLSv12-ResumeDisabled
│ │ │ ├── Server-TLSv12-SNI
│ │ │ ├── Server-TLSv12-SNI-GetCertificate
│ │ │ └── Server-TLSv12-SNI-GetCertificateNotFound
│ │ ├── ticket.go
│ │ ├── tls.go
│ │ └── tls_test.go
│ ├── pki.go
│ ├── scan_common.go
│ ├── scan_common_test.go
│ ├── tls_handshake.go
│ └── tls_session.go
├── selfsign/
│ ├── selfsign.go
│ ├── selfsign_test.go
│ └── testdata/
│ ├── extension.csr
│ ├── localhost.csr
│ ├── localhost.key
│ └── sans.csr
├── signer/
│ ├── local/
│ │ ├── local.go
│ │ ├── local_test.go
│ │ └── testdata/
│ │ ├── build_inter_pathlen_csrs.sh
│ │ ├── ca.pem
│ │ ├── ca_key.pem
│ │ ├── ecdsa256-inter.csr
│ │ ├── ecdsa256-inter.key
│ │ ├── ecdsa256.csr
│ │ ├── ecdsa256_ca.pem
│ │ ├── ecdsa256_ca_key.pem
│ │ ├── ecdsa384.csr
│ │ ├── ecdsa521.csr
│ │ ├── ed25519.csr
│ │ ├── ex.csr
│ │ ├── inter_pathlen_0.csr
│ │ ├── inter_pathlen_1.csr
│ │ ├── inter_pathlen_unspecified.csr
│ │ ├── ip.csr
│ │ ├── key.pem
│ │ ├── rsa-old.csr
│ │ ├── rsa2048-inter.csr
│ │ ├── rsa2048-inter.key
│ │ ├── rsa2048.csr
│ │ ├── rsa3072.csr
│ │ ├── rsa4096.csr
│ │ ├── san_domain.csr
│ │ └── test.csr
│ ├── remote/
│ │ ├── remote.go
│ │ ├── remote_test.go
│ │ └── testdata/
│ │ ├── README.md
│ │ ├── ca.pem
│ │ ├── ca_key.pem
│ │ ├── client-key.pem
│ │ ├── client.json
│ │ ├── client.pem
│ │ ├── config.json
│ │ ├── server-key.pem
│ │ ├── server.json
│ │ └── server.pem
│ ├── signer.go
│ ├── signer_test.go
│ └── universal/
│ ├── universal.go
│ └── universal_test.go
├── test.sh
├── testdata/
│ ├── csr.json
│ ├── garbage.crt
│ ├── garbage.key
│ ├── gd_bundle.crt
│ ├── good_config.json
│ ├── roots/
│ │ └── httplib2_cacerts.txt
│ ├── server.crt
│ ├── server.csr
│ ├── server.key
│ ├── ssl-verifier.sh
│ ├── temp.crt
│ └── test.py
├── tools.go
├── transport/
│ ├── ca/
│ │ ├── cert_provider.go
│ │ ├── cfssl_provider.go
│ │ └── localca/
│ │ ├── signer.go
│ │ └── signer_test.go
│ ├── client.go
│ ├── core/
│ │ ├── defs.go
│ │ └── rand.go
│ ├── doc.go
│ ├── example/
│ │ ├── README.md
│ │ ├── ca.json
│ │ ├── config.json
│ │ ├── config_auth.json
│ │ ├── exlib/
│ │ │ └── exlib.go
│ │ ├── genca.sh
│ │ ├── maclient/
│ │ │ ├── client.go
│ │ │ ├── client.json
│ │ │ └── client_auth.json
│ │ └── maserver/
│ │ ├── server.go
│ │ ├── server.json
│ │ └── server_auth.json
│ ├── kp/
│ │ ├── key_provider.go
│ │ └── key_provider_test.go
│ ├── listener.go
│ ├── roots/
│ │ ├── cfssl.go
│ │ ├── doc.go
│ │ ├── provider.go
│ │ └── system/
│ │ ├── nilref_nil_darwin.go
│ │ ├── nilref_zero_darwin.go
│ │ ├── root.go
│ │ ├── root_bsd.go
│ │ ├── root_cgo_darwin.go
│ │ ├── root_darwin.go
│ │ ├── root_darwin_armx.go
│ │ ├── root_darwin_test.go
│ │ ├── root_linux.go
│ │ ├── root_nacl.go
│ │ ├── root_nocgo_darwin.go
│ │ ├── root_plan9.go
│ │ ├── root_solaris.go
│ │ ├── root_unix.go
│ │ └── root_windows.go
│ └── transport_test.go
├── ubiquity/
│ ├── filter.go
│ ├── performance.go
│ ├── sha1.go
│ ├── testdata/
│ │ ├── ca.pem.metadata
│ │ ├── ecdsa256sha2.pem
│ │ ├── ecdsa384sha2.pem
│ │ ├── ecdsa521sha2.pem
│ │ ├── godzilla.pem
│ │ ├── macrosoft.pem
│ │ ├── pineapple.pem
│ │ ├── rsa1024sha1.pem
│ │ ├── rsa2048sha2.pem
│ │ ├── rsa3072sha2.pem
│ │ └── rsa4096sha2.pem
│ ├── ubiquity_crypto.go
│ ├── ubiquity_platform.go
│ └── ubiquity_test.go
├── vendor/
│ ├── bitbucket.org/
│ │ └── liamstask/
│ │ └── goose/
│ │ ├── cmd/
│ │ │ └── goose/
│ │ │ ├── cmd.go
│ │ │ ├── cmd_create.go
│ │ │ ├── cmd_dbversion.go
│ │ │ ├── cmd_down.go
│ │ │ ├── cmd_redo.go
│ │ │ ├── cmd_status.go
│ │ │ ├── cmd_up.go
│ │ │ └── main.go
│ │ └── lib/
│ │ └── goose/
│ │ ├── dbconf.go
│ │ ├── dialect.go
│ │ ├── migrate.go
│ │ ├── migration_go.go
│ │ ├── migration_sql.go
│ │ └── util.go
│ ├── filippo.io/
│ │ └── edwards25519/
│ │ ├── LICENSE
│ │ ├── README.md
│ │ ├── doc.go
│ │ ├── edwards25519.go
│ │ ├── extra.go
│ │ ├── field/
│ │ │ ├── fe.go
│ │ │ ├── fe_amd64.go
│ │ │ ├── fe_amd64.s
│ │ │ ├── fe_amd64_noasm.go
│ │ │ ├── fe_arm64.go
│ │ │ ├── fe_arm64.s
│ │ │ ├── fe_arm64_noasm.go
│ │ │ ├── fe_extra.go
│ │ │ └── fe_generic.go
│ │ ├── scalar.go
│ │ ├── scalar_fiat.go
│ │ ├── scalarmult.go
│ │ └── tables.go
│ ├── github.com/
│ │ ├── beorn7/
│ │ │ └── perks/
│ │ │ ├── LICENSE
│ │ │ └── quantile/
│ │ │ ├── exampledata.txt
│ │ │ └── stream.go
│ │ ├── cespare/
│ │ │ └── xxhash/
│ │ │ └── v2/
│ │ │ ├── LICENSE.txt
│ │ │ ├── README.md
│ │ │ ├── testall.sh
│ │ │ ├── xxhash.go
│ │ │ ├── xxhash_amd64.s
│ │ │ ├── xxhash_arm64.s
│ │ │ ├── xxhash_asm.go
│ │ │ ├── xxhash_other.go
│ │ │ ├── xxhash_safe.go
│ │ │ └── xxhash_unsafe.go
│ │ ├── cloudflare/
│ │ │ ├── backoff/
│ │ │ │ ├── .travis.yml
│ │ │ │ ├── LICENSE
│ │ │ │ ├── README.md
│ │ │ │ └── backoff.go
│ │ │ └── redoctober/
│ │ │ ├── LICENSE.md
│ │ │ ├── client/
│ │ │ │ └── client.go
│ │ │ ├── config/
│ │ │ │ └── config.go
│ │ │ ├── core/
│ │ │ │ └── core.go
│ │ │ ├── cryptor/
│ │ │ │ └── cryptor.go
│ │ │ ├── ecdh/
│ │ │ │ └── ecdh.go
│ │ │ ├── hipchat/
│ │ │ │ └── hipchat.go
│ │ │ ├── keycache/
│ │ │ │ └── keycache.go
│ │ │ ├── msp/
│ │ │ │ ├── README.md
│ │ │ │ ├── formatted.go
│ │ │ │ ├── matrix.go
│ │ │ │ ├── msp.go
│ │ │ │ ├── number.go
│ │ │ │ └── raw.go
│ │ │ ├── order/
│ │ │ │ └── order.go
│ │ │ ├── padding/
│ │ │ │ └── padding.go
│ │ │ ├── passvault/
│ │ │ │ └── passvault.go
│ │ │ ├── persist/
│ │ │ │ ├── file.go
│ │ │ │ ├── null.go
│ │ │ │ └── persist.go
│ │ │ ├── report/
│ │ │ │ └── report.go
│ │ │ └── symcrypt/
│ │ │ └── symcrypt.go
│ │ ├── getsentry/
│ │ │ └── sentry-go/
│ │ │ ├── .craft.yml
│ │ │ ├── .gitattributes
│ │ │ ├── .gitignore
│ │ │ ├── .golangci.yml
│ │ │ ├── CHANGELOG.md
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── LICENSE
│ │ │ ├── MIGRATION.md
│ │ │ ├── README.md
│ │ │ ├── client.go
│ │ │ ├── doc.go
│ │ │ ├── dsn.go
│ │ │ ├── hub.go
│ │ │ ├── integrations.go
│ │ │ ├── interfaces.go
│ │ │ ├── internal/
│ │ │ │ ├── crypto/
│ │ │ │ │ └── randutil/
│ │ │ │ │ └── randutil.go
│ │ │ │ ├── debug/
│ │ │ │ │ └── transport.go
│ │ │ │ └── ratelimit/
│ │ │ │ ├── category.go
│ │ │ │ ├── deadline.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── map.go
│ │ │ │ ├── rate_limits.go
│ │ │ │ └── retry_after.go
│ │ │ ├── scope.go
│ │ │ ├── sentry.go
│ │ │ ├── sourcereader.go
│ │ │ ├── span_recorder.go
│ │ │ ├── stacktrace.go
│ │ │ ├── traces_sampler.go
│ │ │ ├── tracing.go
│ │ │ ├── transport.go
│ │ │ └── util.go
│ │ ├── go-logr/
│ │ │ └── logr/
│ │ │ ├── .golangci.yaml
│ │ │ ├── CHANGELOG.md
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── SECURITY.md
│ │ │ ├── context.go
│ │ │ ├── context_noslog.go
│ │ │ ├── context_slog.go
│ │ │ ├── discard.go
│ │ │ ├── logr.go
│ │ │ ├── sloghandler.go
│ │ │ ├── slogr.go
│ │ │ └── slogsink.go
│ │ ├── go-sql-driver/
│ │ │ └── mysql/
│ │ │ ├── .gitignore
│ │ │ ├── AUTHORS
│ │ │ ├── CHANGELOG.md
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── atomic_bool.go
│ │ │ ├── atomic_bool_go118.go
│ │ │ ├── auth.go
│ │ │ ├── buffer.go
│ │ │ ├── collations.go
│ │ │ ├── conncheck.go
│ │ │ ├── conncheck_dummy.go
│ │ │ ├── connection.go
│ │ │ ├── connector.go
│ │ │ ├── const.go
│ │ │ ├── driver.go
│ │ │ ├── dsn.go
│ │ │ ├── errors.go
│ │ │ ├── fields.go
│ │ │ ├── infile.go
│ │ │ ├── nulltime.go
│ │ │ ├── packets.go
│ │ │ ├── result.go
│ │ │ ├── rows.go
│ │ │ ├── statement.go
│ │ │ ├── transaction.go
│ │ │ └── utils.go
│ │ ├── google/
│ │ │ └── certificate-transparency-go/
│ │ │ ├── .gitignore
│ │ │ ├── .golangci.yaml
│ │ │ ├── AUTHORS
│ │ │ ├── CHANGELOG.md
│ │ │ ├── CODEOWNERS
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── CONTRIBUTORS
│ │ │ ├── LICENSE
│ │ │ ├── PULL_REQUEST_TEMPLATE.md
│ │ │ ├── README.md
│ │ │ ├── asn1/
│ │ │ │ ├── README.md
│ │ │ │ ├── asn1.go
│ │ │ │ ├── common.go
│ │ │ │ └── marshal.go
│ │ │ ├── client/
│ │ │ │ ├── configpb/
│ │ │ │ │ ├── multilog.pb.go
│ │ │ │ │ └── multilog.proto
│ │ │ │ ├── getentries.go
│ │ │ │ ├── logclient.go
│ │ │ │ └── multilog.go
│ │ │ ├── cloudbuild.yaml
│ │ │ ├── cloudbuild_master.yaml
│ │ │ ├── cloudbuild_tag.yaml
│ │ │ ├── codecov.yml
│ │ │ ├── jsonclient/
│ │ │ │ ├── backoff.go
│ │ │ │ └── client.go
│ │ │ ├── proto_gen.go
│ │ │ ├── serialization.go
│ │ │ ├── signatures.go
│ │ │ ├── tls/
│ │ │ │ ├── signature.go
│ │ │ │ ├── tls.go
│ │ │ │ └── types.go
│ │ │ ├── types.go
│ │ │ └── x509/
│ │ │ ├── README.md
│ │ │ ├── cert_pool.go
│ │ │ ├── curves.go
│ │ │ ├── error.go
│ │ │ ├── errors.go
│ │ │ ├── names.go
│ │ │ ├── pem_decrypt.go
│ │ │ ├── pkcs1.go
│ │ │ ├── pkcs8.go
│ │ │ ├── pkix/
│ │ │ │ └── pkix.go
│ │ │ ├── ptr_sysptr_windows.go
│ │ │ ├── ptr_uint_windows.go
│ │ │ ├── revoked.go
│ │ │ ├── root.go
│ │ │ ├── root_aix.go
│ │ │ ├── root_bsd.go
│ │ │ ├── root_cgo_darwin.go
│ │ │ ├── root_darwin.go
│ │ │ ├── root_darwin_armx.go
│ │ │ ├── root_js.go
│ │ │ ├── root_linux.go
│ │ │ ├── root_nocgo_darwin.go
│ │ │ ├── root_plan9.go
│ │ │ ├── root_solaris.go
│ │ │ ├── root_unix.go
│ │ │ ├── root_wasip1.go
│ │ │ ├── root_windows.go
│ │ │ ├── root_zos.go
│ │ │ ├── rpki.go
│ │ │ ├── sec1.go
│ │ │ ├── test-dir.crt
│ │ │ ├── test-file.crt
│ │ │ ├── verify.go
│ │ │ └── x509.go
│ │ ├── jmhodges/
│ │ │ └── clock/
│ │ │ ├── .travis.yml
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── clock.go
│ │ │ └── timer.go
│ │ ├── jmoiron/
│ │ │ └── sqlx/
│ │ │ ├── .gitignore
│ │ │ ├── .travis.yml
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── bind.go
│ │ │ ├── doc.go
│ │ │ ├── named.go
│ │ │ ├── named_context.go
│ │ │ ├── reflectx/
│ │ │ │ ├── README.md
│ │ │ │ └── reflect.go
│ │ │ ├── sqlx.go
│ │ │ ├── sqlx_context.go
│ │ │ └── types/
│ │ │ ├── README.md
│ │ │ └── types.go
│ │ ├── kisielk/
│ │ │ └── sqlstruct/
│ │ │ ├── .gitignore
│ │ │ ├── .travis.yml
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ └── sqlstruct.go
│ │ ├── kylelemons/
│ │ │ └── go-gypsy/
│ │ │ ├── LICENSE
│ │ │ └── yaml/
│ │ │ ├── config.go
│ │ │ ├── doc.go
│ │ │ ├── parser.go
│ │ │ └── types.go
│ │ ├── lib/
│ │ │ └── pq/
│ │ │ ├── .gitignore
│ │ │ ├── LICENSE.md
│ │ │ ├── README.md
│ │ │ ├── TESTS.md
│ │ │ ├── array.go
│ │ │ ├── buf.go
│ │ │ ├── conn.go
│ │ │ ├── conn_go115.go
│ │ │ ├── conn_go18.go
│ │ │ ├── connector.go
│ │ │ ├── copy.go
│ │ │ ├── doc.go
│ │ │ ├── encode.go
│ │ │ ├── error.go
│ │ │ ├── krb.go
│ │ │ ├── notice.go
│ │ │ ├── notify.go
│ │ │ ├── oid/
│ │ │ │ ├── doc.go
│ │ │ │ └── types.go
│ │ │ ├── rows.go
│ │ │ ├── scram/
│ │ │ │ └── scram.go
│ │ │ ├── ssl.go
│ │ │ ├── ssl_permissions.go
│ │ │ ├── ssl_windows.go
│ │ │ ├── url.go
│ │ │ ├── user_other.go
│ │ │ ├── user_posix.go
│ │ │ ├── user_windows.go
│ │ │ └── uuid.go
│ │ ├── mattn/
│ │ │ └── go-sqlite3/
│ │ │ ├── .codecov.yml
│ │ │ ├── .gitignore
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── backup.go
│ │ │ ├── callback.go
│ │ │ ├── convert.go
│ │ │ ├── doc.go
│ │ │ ├── error.go
│ │ │ ├── sqlite3-binding.c
│ │ │ ├── sqlite3-binding.h
│ │ │ ├── sqlite3.go
│ │ │ ├── sqlite3_context.go
│ │ │ ├── sqlite3_func_crypt.go
│ │ │ ├── sqlite3_go18.go
│ │ │ ├── sqlite3_libsqlite3.go
│ │ │ ├── sqlite3_load_extension.go
│ │ │ ├── sqlite3_load_extension_omit.go
│ │ │ ├── sqlite3_opt_allow_uri_authority.go
│ │ │ ├── sqlite3_opt_app_armor.go
│ │ │ ├── sqlite3_opt_column_metadata.go
│ │ │ ├── sqlite3_opt_foreign_keys.go
│ │ │ ├── sqlite3_opt_fts5.go
│ │ │ ├── sqlite3_opt_icu.go
│ │ │ ├── sqlite3_opt_introspect.go
│ │ │ ├── sqlite3_opt_math_functions.go
│ │ │ ├── sqlite3_opt_os_trace.go
│ │ │ ├── sqlite3_opt_preupdate.go
│ │ │ ├── sqlite3_opt_preupdate_hook.go
│ │ │ ├── sqlite3_opt_preupdate_omit.go
│ │ │ ├── sqlite3_opt_secure_delete.go
│ │ │ ├── sqlite3_opt_secure_delete_fast.go
│ │ │ ├── sqlite3_opt_serialize.go
│ │ │ ├── sqlite3_opt_serialize_omit.go
│ │ │ ├── sqlite3_opt_stat4.go
│ │ │ ├── sqlite3_opt_unlock_notify.c
│ │ │ ├── sqlite3_opt_unlock_notify.go
│ │ │ ├── sqlite3_opt_userauth.go
│ │ │ ├── sqlite3_opt_userauth_omit.go
│ │ │ ├── sqlite3_opt_vacuum_full.go
│ │ │ ├── sqlite3_opt_vacuum_incr.go
│ │ │ ├── sqlite3_opt_vtable.go
│ │ │ ├── sqlite3_other.go
│ │ │ ├── sqlite3_solaris.go
│ │ │ ├── sqlite3_trace.go
│ │ │ ├── sqlite3_type.go
│ │ │ ├── sqlite3_usleep_windows.go
│ │ │ ├── sqlite3_windows.go
│ │ │ ├── sqlite3ext.h
│ │ │ └── static_mock.go
│ │ ├── pelletier/
│ │ │ └── go-toml/
│ │ │ ├── .dockerignore
│ │ │ ├── .gitignore
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── Dockerfile
│ │ │ ├── LICENSE
│ │ │ ├── Makefile
│ │ │ ├── PULL_REQUEST_TEMPLATE.md
│ │ │ ├── README.md
│ │ │ ├── azure-pipelines.yml
│ │ │ ├── benchmark.sh
│ │ │ ├── doc.go
│ │ │ ├── example-crlf.toml
│ │ │ ├── example.toml
│ │ │ ├── fuzz.go
│ │ │ ├── fuzz.sh
│ │ │ ├── keysparsing.go
│ │ │ ├── lexer.go
│ │ │ ├── localtime.go
│ │ │ ├── marshal.go
│ │ │ ├── marshal_OrderPreserve_test.toml
│ │ │ ├── marshal_test.toml
│ │ │ ├── parser.go
│ │ │ ├── position.go
│ │ │ ├── token.go
│ │ │ ├── toml.go
│ │ │ ├── tomlpub.go
│ │ │ ├── tomltree_create.go
│ │ │ ├── tomltree_write.go
│ │ │ └── tomltree_writepub.go
│ │ ├── prometheus/
│ │ │ ├── client_golang/
│ │ │ │ ├── LICENSE
│ │ │ │ ├── NOTICE
│ │ │ │ └── prometheus/
│ │ │ │ ├── .gitignore
│ │ │ │ ├── README.md
│ │ │ │ ├── build_info_collector.go
│ │ │ │ ├── collector.go
│ │ │ │ ├── counter.go
│ │ │ │ ├── desc.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── expvar_collector.go
│ │ │ │ ├── fnv.go
│ │ │ │ ├── gauge.go
│ │ │ │ ├── get_pid.go
│ │ │ │ ├── get_pid_gopherjs.go
│ │ │ │ ├── go_collector.go
│ │ │ │ ├── go_collector_go116.go
│ │ │ │ ├── go_collector_latest.go
│ │ │ │ ├── histogram.go
│ │ │ │ ├── internal/
│ │ │ │ │ ├── almost_equal.go
│ │ │ │ │ ├── difflib.go
│ │ │ │ │ ├── go_collector_options.go
│ │ │ │ │ ├── go_runtime_metrics.go
│ │ │ │ │ └── metric.go
│ │ │ │ ├── labels.go
│ │ │ │ ├── metric.go
│ │ │ │ ├── num_threads.go
│ │ │ │ ├── num_threads_gopherjs.go
│ │ │ │ ├── observer.go
│ │ │ │ ├── process_collector.go
│ │ │ │ ├── process_collector_js.go
│ │ │ │ ├── process_collector_other.go
│ │ │ │ ├── process_collector_wasip1.go
│ │ │ │ ├── process_collector_windows.go
│ │ │ │ ├── promauto/
│ │ │ │ │ └── auto.go
│ │ │ │ ├── promhttp/
│ │ │ │ │ ├── delegator.go
│ │ │ │ │ ├── http.go
│ │ │ │ │ ├── instrument_client.go
│ │ │ │ │ ├── instrument_server.go
│ │ │ │ │ └── option.go
│ │ │ │ ├── registry.go
│ │ │ │ ├── summary.go
│ │ │ │ ├── timer.go
│ │ │ │ ├── untyped.go
│ │ │ │ ├── value.go
│ │ │ │ ├── vec.go
│ │ │ │ ├── vnext.go
│ │ │ │ └── wrap.go
│ │ │ ├── client_model/
│ │ │ │ ├── LICENSE
│ │ │ │ ├── NOTICE
│ │ │ │ └── go/
│ │ │ │ └── metrics.pb.go
│ │ │ ├── common/
│ │ │ │ ├── LICENSE
│ │ │ │ ├── NOTICE
│ │ │ │ ├── expfmt/
│ │ │ │ │ ├── decode.go
│ │ │ │ │ ├── encode.go
│ │ │ │ │ ├── expfmt.go
│ │ │ │ │ ├── fuzz.go
│ │ │ │ │ ├── openmetrics_create.go
│ │ │ │ │ ├── text_create.go
│ │ │ │ │ └── text_parse.go
│ │ │ │ ├── internal/
│ │ │ │ │ └── bitbucket.org/
│ │ │ │ │ └── ww/
│ │ │ │ │ └── goautoneg/
│ │ │ │ │ ├── README.txt
│ │ │ │ │ └── autoneg.go
│ │ │ │ └── model/
│ │ │ │ ├── alert.go
│ │ │ │ ├── fingerprinting.go
│ │ │ │ ├── fnv.go
│ │ │ │ ├── labels.go
│ │ │ │ ├── labelset.go
│ │ │ │ ├── metadata.go
│ │ │ │ ├── metric.go
│ │ │ │ ├── model.go
│ │ │ │ ├── signature.go
│ │ │ │ ├── silence.go
│ │ │ │ ├── time.go
│ │ │ │ ├── value.go
│ │ │ │ ├── value_float.go
│ │ │ │ ├── value_histogram.go
│ │ │ │ └── value_type.go
│ │ │ └── procfs/
│ │ │ ├── .gitignore
│ │ │ ├── .golangci.yml
│ │ │ ├── CODE_OF_CONDUCT.md
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── LICENSE
│ │ │ ├── MAINTAINERS.md
│ │ │ ├── Makefile
│ │ │ ├── Makefile.common
│ │ │ ├── NOTICE
│ │ │ ├── README.md
│ │ │ ├── SECURITY.md
│ │ │ ├── arp.go
│ │ │ ├── buddyinfo.go
│ │ │ ├── cmdline.go
│ │ │ ├── cpuinfo.go
│ │ │ ├── cpuinfo_armx.go
│ │ │ ├── cpuinfo_loong64.go
│ │ │ ├── cpuinfo_mipsx.go
│ │ │ ├── cpuinfo_others.go
│ │ │ ├── cpuinfo_ppcx.go
│ │ │ ├── cpuinfo_riscvx.go
│ │ │ ├── cpuinfo_s390x.go
│ │ │ ├── cpuinfo_x86.go
│ │ │ ├── crypto.go
│ │ │ ├── doc.go
│ │ │ ├── fs.go
│ │ │ ├── fs_statfs_notype.go
│ │ │ ├── fs_statfs_type.go
│ │ │ ├── fscache.go
│ │ │ ├── internal/
│ │ │ │ ├── fs/
│ │ │ │ │ └── fs.go
│ │ │ │ └── util/
│ │ │ │ ├── parse.go
│ │ │ │ ├── readfile.go
│ │ │ │ ├── sysreadfile.go
│ │ │ │ ├── sysreadfile_compat.go
│ │ │ │ └── valueparser.go
│ │ │ ├── ipvs.go
│ │ │ ├── kernel_random.go
│ │ │ ├── loadavg.go
│ │ │ ├── mdstat.go
│ │ │ ├── meminfo.go
│ │ │ ├── mountinfo.go
│ │ │ ├── mountstats.go
│ │ │ ├── net_conntrackstat.go
│ │ │ ├── net_dev.go
│ │ │ ├── net_ip_socket.go
│ │ │ ├── net_protocols.go
│ │ │ ├── net_route.go
│ │ │ ├── net_sockstat.go
│ │ │ ├── net_softnet.go
│ │ │ ├── net_tcp.go
│ │ │ ├── net_udp.go
│ │ │ ├── net_unix.go
│ │ │ ├── net_wireless.go
│ │ │ ├── net_xfrm.go
│ │ │ ├── netstat.go
│ │ │ ├── proc.go
│ │ │ ├── proc_cgroup.go
│ │ │ ├── proc_cgroups.go
│ │ │ ├── proc_environ.go
│ │ │ ├── proc_fdinfo.go
│ │ │ ├── proc_interrupts.go
│ │ │ ├── proc_io.go
│ │ │ ├── proc_limits.go
│ │ │ ├── proc_maps.go
│ │ │ ├── proc_netstat.go
│ │ │ ├── proc_ns.go
│ │ │ ├── proc_psi.go
│ │ │ ├── proc_smaps.go
│ │ │ ├── proc_snmp.go
│ │ │ ├── proc_snmp6.go
│ │ │ ├── proc_stat.go
│ │ │ ├── proc_status.go
│ │ │ ├── proc_sys.go
│ │ │ ├── schedstat.go
│ │ │ ├── slab.go
│ │ │ ├── softirqs.go
│ │ │ ├── stat.go
│ │ │ ├── swaps.go
│ │ │ ├── thread.go
│ │ │ ├── ttar
│ │ │ ├── vm.go
│ │ │ └── zoneinfo.go
│ │ ├── weppos/
│ │ │ └── publicsuffix-go/
│ │ │ ├── LICENSE.txt
│ │ │ └── publicsuffix/
│ │ │ ├── publicsuffix.go
│ │ │ └── rules.go
│ │ ├── ziutek/
│ │ │ └── mymysql/
│ │ │ ├── LICENSE
│ │ │ ├── godrv/
│ │ │ │ ├── appengine.go
│ │ │ │ └── driver.go
│ │ │ ├── mysql/
│ │ │ │ ├── errors.go
│ │ │ │ ├── field.go
│ │ │ │ ├── interface.go
│ │ │ │ ├── row.go
│ │ │ │ ├── types.go
│ │ │ │ └── utils.go
│ │ │ └── native/
│ │ │ ├── LICENSE
│ │ │ ├── addons.go
│ │ │ ├── binding.go
│ │ │ ├── codecs.go
│ │ │ ├── command.go
│ │ │ ├── common.go
│ │ │ ├── consts.go
│ │ │ ├── init.go
│ │ │ ├── mysql.go
│ │ │ ├── packet.go
│ │ │ ├── paramvalue.go
│ │ │ ├── passwd.go
│ │ │ ├── prepared.go
│ │ │ ├── result.go
│ │ │ └── unsafe.go-disabled
│ │ └── zmap/
│ │ ├── zcrypto/
│ │ │ ├── LICENSE
│ │ │ ├── cryptobyte/
│ │ │ │ ├── NOTICE.md
│ │ │ │ ├── asn1/
│ │ │ │ │ └── asn1.go
│ │ │ │ ├── asn1.go
│ │ │ │ ├── builder.go
│ │ │ │ └── string.go
│ │ │ ├── dsa/
│ │ │ │ └── dsa.go
│ │ │ ├── encoding/
│ │ │ │ └── asn1/
│ │ │ │ ├── README.md
│ │ │ │ ├── asn1.go
│ │ │ │ ├── common.go
│ │ │ │ └── marshal.go
│ │ │ ├── internal/
│ │ │ │ └── randutil/
│ │ │ │ └── randutil.go
│ │ │ ├── json/
│ │ │ │ ├── dhe.go
│ │ │ │ ├── ecdhe.go
│ │ │ │ ├── names.go
│ │ │ │ └── rsa.go
│ │ │ ├── util/
│ │ │ │ └── isURL.go
│ │ │ └── x509/
│ │ │ ├── README.md
│ │ │ ├── cert_pool.go
│ │ │ ├── certificate_type.go
│ │ │ ├── chain.go
│ │ │ ├── crl_parser.go
│ │ │ ├── ct/
│ │ │ │ ├── serialization.go
│ │ │ │ └── types.go
│ │ │ ├── example.json
│ │ │ ├── extended_key_usage.go
│ │ │ ├── extended_key_usage_schema.sh
│ │ │ ├── extensions.go
│ │ │ ├── fingerprint.go
│ │ │ ├── generated_certvalidationlevel_string.go
│ │ │ ├── json.go
│ │ │ ├── names.go
│ │ │ ├── pem_decrypt.go
│ │ │ ├── pkcs1.go
│ │ │ ├── pkcs8.go
│ │ │ ├── pkix/
│ │ │ │ ├── json.go
│ │ │ │ ├── oid.go
│ │ │ │ ├── oid_names.go
│ │ │ │ └── pkix.go
│ │ │ ├── qc_statements.go
│ │ │ ├── sec1.go
│ │ │ ├── tor_service_descriptor.go
│ │ │ ├── validation.go
│ │ │ ├── verify.go
│ │ │ └── x509.go
│ │ └── zlint/
│ │ └── v3/
│ │ ├── .goreleaser.yml
│ │ ├── LICENSE
│ │ ├── lint/
│ │ │ ├── base.go
│ │ │ ├── configuration.go
│ │ │ ├── global_configurations.go
│ │ │ ├── lint_lookup.go
│ │ │ ├── profile.go
│ │ │ ├── registration.go
│ │ │ ├── result.go
│ │ │ └── source.go
│ │ ├── lints/
│ │ │ ├── apple/
│ │ │ │ ├── lint_ct_sct_policy_count_unsatisfied.go
│ │ │ │ ├── lint_e_server_cert_valid_time_longer_than_398_days.go
│ │ │ │ ├── lint_w_server_cert_valid_time_longer_than_397_days.go
│ │ │ │ └── time.go
│ │ │ ├── cabf_br/
│ │ │ │ ├── lint_ca_common_name_missing.go
│ │ │ │ ├── lint_ca_country_name_invalid.go
│ │ │ │ ├── lint_ca_country_name_missing.go
│ │ │ │ ├── lint_ca_crl_sign_not_set.go
│ │ │ │ ├── lint_ca_digital_signature_not_set.go
│ │ │ │ ├── lint_ca_is_ca.go
│ │ │ │ ├── lint_ca_key_cert_sign_not_set.go
│ │ │ │ ├── lint_ca_key_usage_missing.go
│ │ │ │ ├── lint_ca_key_usage_not_critical.go
│ │ │ │ ├── lint_ca_organization_name_missing.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_locality.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_org.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_postal.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_province.go
│ │ │ │ ├── lint_cab_dv_conflicts_with_street.go
│ │ │ │ ├── lint_cab_iv_requires_personal_name.go
│ │ │ │ ├── lint_cab_ov_requires_org.go
│ │ │ │ ├── lint_cert_policy_iv_requires_country.go
│ │ │ │ ├── lint_cert_policy_iv_requires_province_or_locality.go
│ │ │ │ ├── lint_cert_policy_ov_requires_country.go
│ │ │ │ ├── lint_cert_policy_ov_requires_province_or_locality.go
│ │ │ │ ├── lint_dh_params_missing.go
│ │ │ │ ├── lint_dnsname_bad_character_in_label.go
│ │ │ │ ├── lint_dnsname_check_left_label_wildcard.go
│ │ │ │ ├── lint_dnsname_contains_bare_iana_suffix.go
│ │ │ │ ├── lint_dnsname_contains_empty_label.go
│ │ │ │ ├── lint_dnsname_contains_prohibited_reserved_label.go
│ │ │ │ ├── lint_dnsname_hyphen_in_sld.go
│ │ │ │ ├── lint_dnsname_label_too_long.go
│ │ │ │ ├── lint_dnsname_right_label_valid_tld.go
│ │ │ │ ├── lint_dnsname_underscore_in_sld.go
│ │ │ │ ├── lint_dnsname_underscore_in_trd.go
│ │ │ │ ├── lint_dnsname_wildcard_left_of_public_suffix.go
│ │ │ │ ├── lint_dnsname_wildcard_only_in_left_label.go
│ │ │ │ ├── lint_dsa_correct_order_in_subgroup.go
│ │ │ │ ├── lint_dsa_improper_modulus_or_divisor_size.go
│ │ │ │ ├── lint_dsa_shorter_than_2048_bits.go
│ │ │ │ ├── lint_dsa_unique_correct_representation.go
│ │ │ │ ├── lint_e_sub_ca_aia_missing.go
│ │ │ │ ├── lint_ec_improper_curves.go
│ │ │ │ ├── lint_ext_nc_intersects_reserved_ip.go
│ │ │ │ ├── lint_ext_san_contains_reserved_ip.go
│ │ │ │ ├── lint_ext_san_critical_with_subject_dn.go
│ │ │ │ ├── lint_ext_san_directory_name_present.go
│ │ │ │ ├── lint_ext_san_edi_party_name_present.go
│ │ │ │ ├── lint_ext_san_missing.go
│ │ │ │ ├── lint_ext_san_other_name_present.go
│ │ │ │ ├── lint_ext_san_registered_id_present.go
│ │ │ │ ├── lint_ext_san_rfc822_name_present.go
│ │ │ │ ├── lint_ext_san_uniform_resource_identifier_present.go
│ │ │ │ ├── lint_ext_tor_service_descriptor_hash_invalid.go
│ │ │ │ ├── lint_extra_subject_common_names.go
│ │ │ │ ├── lint_invalid_certificate_version.go
│ │ │ │ ├── lint_no_underscores_before_1_6_2.go
│ │ │ │ ├── lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
│ │ │ │ ├── lint_old_root_ca_rsa_mod_less_than_2048_bits.go
│ │ │ │ ├── lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
│ │ │ │ ├── lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
│ │ │ │ ├── lint_organizational_unit_name_prohibited.go
│ │ │ │ ├── lint_prohibit_dsa_usage.go
│ │ │ │ ├── lint_public_key_type_not_allowed.go
│ │ │ │ ├── lint_root_ca_basic_constraints_path_len_constraint_field_present.go
│ │ │ │ ├── lint_root_ca_contains_cert_policy.go
│ │ │ │ ├── lint_root_ca_extended_key_usage_present.go
│ │ │ │ ├── lint_root_ca_key_usage_must_be_critical.go
│ │ │ │ ├── lint_root_ca_key_usage_present.go
│ │ │ │ ├── lint_rsa_mod_factors_smaller_than_752_bits.go
│ │ │ │ ├── lint_rsa_mod_less_than_2048_bits.go
│ │ │ │ ├── lint_rsa_mod_not_odd.go
│ │ │ │ ├── lint_rsa_public_exponent_not_in_range.go
│ │ │ │ ├── lint_rsa_public_exponent_not_odd.go
│ │ │ │ ├── lint_rsa_public_exponent_too_small.go
│ │ │ │ ├── lint_san_dns_name_onion_invalid.go
│ │ │ │ ├── lint_san_dns_name_onion_not_ev_cert.go
│ │ │ │ ├── lint_signature_algorithm_not_supported.go
│ │ │ │ ├── lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
│ │ │ │ ├── lint_sub_ca_aia_marked_critical.go
│ │ │ │ ├── lint_sub_ca_certificate_policies_marked_critical.go
│ │ │ │ ├── lint_sub_ca_certificate_policies_missing.go
│ │ │ │ ├── lint_sub_ca_crl_distribution_points_does_not_contain_url.go
│ │ │ │ ├── lint_sub_ca_crl_distribution_points_marked_critical.go
│ │ │ │ ├── lint_sub_ca_crl_distribution_points_missing.go
│ │ │ │ ├── lint_sub_ca_eku_critical.go
│ │ │ │ ├── lint_sub_ca_eku_missing.go
│ │ │ │ ├── lint_sub_ca_eku_valid_fields.go
│ │ │ │ ├── lint_sub_ca_name_constraints_not_critical.go
│ │ │ │ ├── lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
│ │ │ │ ├── lint_sub_cert_aia_does_not_contain_ocsp_url.go
│ │ │ │ ├── lint_sub_cert_aia_marked_critical.go
│ │ │ │ ├── lint_sub_cert_aia_missing.go
│ │ │ │ ├── lint_sub_cert_cert_policy_empty.go
│ │ │ │ ├── lint_sub_cert_certificate_policies_marked_critical.go
│ │ │ │ ├── lint_sub_cert_certificate_policies_missing.go
│ │ │ │ ├── lint_sub_cert_country_name_must_appear.go
│ │ │ │ ├── lint_sub_cert_crl_distribution_points_does_not_contain_url.go
│ │ │ │ ├── lint_sub_cert_crl_distribution_points_marked_critical.go
│ │ │ │ ├── lint_sub_cert_eku_extra_values.go
│ │ │ │ ├── lint_sub_cert_eku_missing.go
│ │ │ │ ├── lint_sub_cert_eku_server_auth_client_auth_missing.go
│ │ │ │ ├── lint_sub_cert_gn_sn_contains_policy.go
│ │ │ │ ├── lint_sub_cert_is_ca.go
│ │ │ │ ├── lint_sub_cert_key_usage_cert_sign_bit_set.go
│ │ │ │ ├── lint_sub_cert_key_usage_crl_sign_bit_set.go
│ │ │ │ ├── lint_sub_cert_locality_name_must_appear.go
│ │ │ │ ├── lint_sub_cert_locality_name_must_not_appear.go
│ │ │ │ ├── lint_sub_cert_or_sub_ca_using_sha1.go
│ │ │ │ ├── lint_sub_cert_postal_code_prohibited.go
│ │ │ │ ├── lint_sub_cert_province_must_appear.go
│ │ │ │ ├── lint_sub_cert_province_must_not_appear.go
│ │ │ │ ├── lint_sub_cert_sha1_expiration_too_long.go
│ │ │ │ ├── lint_sub_cert_street_address_should_not_exist.go
│ │ │ │ ├── lint_sub_cert_valid_time_longer_than_39_months.go
│ │ │ │ ├── lint_sub_cert_valid_time_longer_than_825_days.go
│ │ │ │ ├── lint_subject_common_name_included.go
│ │ │ │ ├── lint_subject_common_name_not_exactly_from_san.go
│ │ │ │ ├── lint_subject_common_name_not_from_san.go
│ │ │ │ ├── lint_subject_contains_malformed_arpa_ip.go
│ │ │ │ ├── lint_subject_contains_noninformational_value.go
│ │ │ │ ├── lint_subject_contains_organizational_unit_name_and_no_organization_name.go
│ │ │ │ ├── lint_subject_contains_reserved_arpa_ip.go
│ │ │ │ ├── lint_subject_contains_reserved_ip.go
│ │ │ │ ├── lint_subject_country_not_iso.go
│ │ │ │ ├── lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go
│ │ │ │ ├── lint_underscore_not_permissible_in_dnsname.go
│ │ │ │ └── lint_w_sub_ca_aia_missing.go
│ │ │ ├── cabf_ev/
│ │ │ │ ├── lint_ev_business_category_missing.go
│ │ │ │ ├── lint_ev_country_name_missing.go
│ │ │ │ ├── lint_ev_not_wildcard.go
│ │ │ │ ├── lint_ev_organization_id_missing.go
│ │ │ │ ├── lint_ev_organization_name_missing.go
│ │ │ │ ├── lint_ev_san_ip_address_present.go
│ │ │ │ ├── lint_ev_serial_number_missing.go
│ │ │ │ ├── lint_ev_valid_time_too_long.go
│ │ │ │ └── lint_onion_subject_validity_time_too_large.go
│ │ │ ├── community/
│ │ │ │ ├── lint_ian_bare_wildcard.go
│ │ │ │ ├── lint_ian_dns_name_includes_null_char.go
│ │ │ │ ├── lint_ian_dns_name_starts_with_period.go
│ │ │ │ ├── lint_ian_iana_pub_suffix_empty.go
│ │ │ │ ├── lint_ian_wildcard_not_first.go
│ │ │ │ ├── lint_is_redacted_cert.go
│ │ │ │ ├── lint_issuer_dn_leading_whitespace.go
│ │ │ │ ├── lint_issuer_dn_trailing_whitespace.go
│ │ │ │ ├── lint_issuer_multiple_rdn.go
│ │ │ │ ├── lint_rsa_exp_negative.go
│ │ │ │ ├── lint_rsa_fermat_factorization.go
│ │ │ │ ├── lint_rsa_no_public_key.go
│ │ │ │ ├── lint_san_bare_wildcard.go
│ │ │ │ ├── lint_san_dns_name_duplicate.go
│ │ │ │ ├── lint_san_dns_name_includes_null_char.go
│ │ │ │ ├── lint_san_dns_name_starts_with_period.go
│ │ │ │ ├── lint_san_iana_pub_suffix_empty.go
│ │ │ │ ├── lint_san_wildcard_not_first.go
│ │ │ │ ├── lint_subject_dn_leading_whitespace.go
│ │ │ │ ├── lint_subject_dn_trailing_whitespace.go
│ │ │ │ ├── lint_subject_multiple_rdn.go
│ │ │ │ └── lint_validity_time_not_positive.go
│ │ │ ├── etsi/
│ │ │ │ ├── lint_qcstatem_etsi_present_qcs_critical.go
│ │ │ │ ├── lint_qcstatem_etsi_type_as_statem.go
│ │ │ │ ├── lint_qcstatem_mandatory_etsi_statems.go
│ │ │ │ ├── lint_qcstatem_qccompliance_valid.go
│ │ │ │ ├── lint_qcstatem_qclimitvalue_valid.go
│ │ │ │ ├── lint_qcstatem_qcpds_lang_case.go
│ │ │ │ ├── lint_qcstatem_qcpds_valid.go
│ │ │ │ ├── lint_qcstatem_qcretentionperiod_valid.go
│ │ │ │ ├── lint_qcstatem_qcsscd_valid.go
│ │ │ │ ├── lint_qcstatem_qctype_valid.go
│ │ │ │ └── lint_qcstatem_qctype_web.go
│ │ │ ├── mozilla/
│ │ │ │ ├── lint_e_prohibit_dsa_usage.go
│ │ │ │ ├── lint_mp_allowed_eku.go
│ │ │ │ ├── lint_mp_authority_key_identifier_correct.go
│ │ │ │ ├── lint_mp_ecdsa_pub_key_encoding_correct.go
│ │ │ │ ├── lint_mp_ecdsa_signature_encoding_correct.go
│ │ │ │ ├── lint_mp_exponent_cannot_be_one.go
│ │ │ │ ├── lint_mp_modulus_must_be_2048_bits_or_more.go
│ │ │ │ ├── lint_mp_modulus_must_be_divisible_by_8.go
│ │ │ │ ├── lint_mp_pss_parameters_encoding_correct.go
│ │ │ │ └── lint_mp_rsassa-pss_in_spki.go
│ │ │ └── rfc/
│ │ │ ├── lint_basic_constraints_not_critical.go
│ │ │ ├── lint_ca_subject_field_empty.go
│ │ │ ├── lint_cert_contains_unique_identifier.go
│ │ │ ├── lint_cert_extensions_version_not_3.go
│ │ │ ├── lint_cert_unique_identifier_version_not_2_or_3.go
│ │ │ ├── lint_crl_has_next_update.go
│ │ │ ├── lint_distribution_point_incomplete.go
│ │ │ ├── lint_distribution_point_missing_ldap_or_uri.go
│ │ │ ├── lint_dnsname_contains_empty_label.go
│ │ │ ├── lint_dnsname_hyphen_in_sld.go
│ │ │ ├── lint_dnsname_label_too_long.go
│ │ │ ├── lint_dnsname_underscore_in_sld.go
│ │ │ ├── lint_dnsname_underscore_in_trd.go
│ │ │ ├── lint_ecdsa_allowed_ku.go
│ │ │ ├── lint_ecdsa_ee_invalid_ku.go
│ │ │ ├── lint_eku_critical_improperly.go
│ │ │ ├── lint_ext_aia_access_location_missing.go
│ │ │ ├── lint_ext_aia_marked_critical.go
│ │ │ ├── lint_ext_authority_key_identifier_critical.go
│ │ │ ├── lint_ext_authority_key_identifier_missing.go
│ │ │ ├── lint_ext_authority_key_identifier_no_key_identifier.go
│ │ │ ├── lint_ext_cert_policy_contains_noticeref.go
│ │ │ ├── lint_ext_cert_policy_disallowed_any_policy_qualifier.go
│ │ │ ├── lint_ext_cert_policy_duplicate.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_ia5_string.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_includes_control.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_not_nfc.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_not_utf8.go
│ │ │ ├── lint_ext_cert_policy_explicit_text_too_long.go
│ │ │ ├── lint_ext_crl_distribution_marked_critical.go
│ │ │ ├── lint_ext_duplicate_extension.go
│ │ │ ├── lint_ext_freshest_crl_marked_critical.go
│ │ │ ├── lint_ext_ian_critical.go
│ │ │ ├── lint_ext_ian_dns_not_ia5_string.go
│ │ │ ├── lint_ext_ian_empty_name.go
│ │ │ ├── lint_ext_ian_no_entries.go
│ │ │ ├── lint_ext_ian_rfc822_format_invalid.go
│ │ │ ├── lint_ext_ian_space_dns_name.go
│ │ │ ├── lint_ext_ian_uri_format_invalid.go
│ │ │ ├── lint_ext_ian_uri_host_not_fqdn_or_ip.go
│ │ │ ├── lint_ext_ian_uri_not_ia5.go
│ │ │ ├── lint_ext_ian_uri_relative.go
│ │ │ ├── lint_ext_key_usage_cert_sign_without_ca.go
│ │ │ ├── lint_ext_key_usage_not_critical.go
│ │ │ ├── lint_ext_key_usage_without_bits.go
│ │ │ ├── lint_ext_name_constraints_not_critical.go
│ │ │ ├── lint_ext_name_constraints_not_in_ca.go
│ │ │ ├── lint_ext_policy_constraints_empty.go
│ │ │ ├── lint_ext_policy_constraints_not_critical.go
│ │ │ ├── lint_ext_policy_map_any_policy.go
│ │ │ ├── lint_ext_policy_map_not_critical.go
│ │ │ ├── lint_ext_policy_map_not_in_cert_policy.go
│ │ │ ├── lint_ext_san_dns_name_too_long.go
│ │ │ ├── lint_ext_san_dns_not_ia5_string.go
│ │ │ ├── lint_ext_san_empty_name.go
│ │ │ ├── lint_ext_san_no_entries.go
│ │ │ ├── lint_ext_san_not_critical_without_subject.go
│ │ │ ├── lint_ext_san_rfc822_format_invalid.go
│ │ │ ├── lint_ext_san_space_dns_name.go
│ │ │ ├── lint_ext_san_uri_format_invalid.go
│ │ │ ├── lint_ext_san_uri_host_not_fqdn_or_ip.go
│ │ │ ├── lint_ext_san_uri_not_ia5.go
│ │ │ ├── lint_ext_san_uri_relative.go
│ │ │ ├── lint_ext_subject_directory_attr_critical.go
│ │ │ ├── lint_ext_subject_key_identifier_critical.go
│ │ │ ├── lint_ext_subject_key_identifier_missing_ca.go
│ │ │ ├── lint_ext_subject_key_identifier_missing_sub_cert.go
│ │ │ ├── lint_generalized_time_does_not_include_seconds.go
│ │ │ ├── lint_generalized_time_includes_fraction_seconds.go
│ │ │ ├── lint_generalized_time_not_in_zulu.go
│ │ │ ├── lint_idn_dnsname_malformed_unicode.go
│ │ │ ├── lint_idn_dnsname_must_be_nfc.go
│ │ │ ├── lint_incorrect_ku_encoding.go
│ │ │ ├── lint_inhibit_any_policy_not_critical.go
│ │ │ ├── lint_issuer_dn_country_not_printable_string.go
│ │ │ ├── lint_issuer_field_empty.go
│ │ │ ├── lint_key_usage_incorrect_length.go
│ │ │ ├── lint_name_constraint_empty.go
│ │ │ ├── lint_name_constraint_maximum_not_absent.go
│ │ │ ├── lint_name_constraint_minimum_non_zero.go
│ │ │ ├── lint_name_constraint_not_fqdn.go
│ │ │ ├── lint_name_constraint_on_edi_party_name.go
│ │ │ ├── lint_name_constraint_on_registered_id.go
│ │ │ ├── lint_name_constraint_on_x400.go
│ │ │ ├── lint_path_len_constraint_improperly_included.go
│ │ │ ├── lint_path_len_constraint_zero_or_less.go
│ │ │ ├── lint_rsa_allowed_ku_ca.go
│ │ │ ├── lint_rsa_allowed_ku_ee.go
│ │ │ ├── lint_rsa_allowed_ku_no_encipherment_ca.go
│ │ │ ├── lint_serial_number_longer_than_20_octets.go
│ │ │ ├── lint_serial_number_not_positive.go
│ │ │ ├── lint_spki_rsa_encryption_parameter_not_null.go
│ │ │ ├── lint_subject_common_name_max_length.go
│ │ │ ├── lint_subject_dn_country_not_printable_string.go
│ │ │ ├── lint_subject_dn_not_printable_characters.go
│ │ │ ├── lint_subject_dn_serial_number_max_length.go
│ │ │ ├── lint_subject_dn_serial_number_not_printable_string.go
│ │ │ ├── lint_subject_email_max_length.go
│ │ │ ├── lint_subject_empty_without_san.go
│ │ │ ├── lint_subject_given_name_max_length.go
│ │ │ ├── lint_subject_given_name_recommended_max_length.go
│ │ │ ├── lint_subject_info_access_marked_critical.go
│ │ │ ├── lint_subject_locality_name_max_length.go
│ │ │ ├── lint_subject_not_dn.go
│ │ │ ├── lint_subject_organization_name_max_length.go
│ │ │ ├── lint_subject_organizational_unit_name_max_length.go
│ │ │ ├── lint_subject_postal_code_max_length.go
│ │ │ ├── lint_subject_printable_string_badalpha.go
│ │ │ ├── lint_subject_state_name_max_length.go
│ │ │ ├── lint_subject_street_address_max_length.go
│ │ │ ├── lint_subject_surname_max_length.go
│ │ │ ├── lint_subject_surname_recommended_max_length.go
│ │ │ ├── lint_superfluous_ku_encoding.go
│ │ │ ├── lint_tbs_signature_alg_matches_cert_signature_alg.go
│ │ │ ├── lint_tbs_signature_rsa_encryption_parameter_not_null.go
│ │ │ ├── lint_utc_time_does_not_include_seconds.go
│ │ │ ├── lint_utc_time_not_in_zulu.go
│ │ │ └── lint_wrong_time_format_pre2050.go
│ │ ├── makefile
│ │ ├── newLint.sh
│ │ ├── newProfile.sh
│ │ ├── profileTemplate
│ │ ├── resultset.go
│ │ ├── template
│ │ ├── util/
│ │ │ ├── algorithm_identifier.go
│ │ │ ├── ca.go
│ │ │ ├── countries.go
│ │ │ ├── eku.go
│ │ │ ├── encodings.go
│ │ │ ├── ev.go
│ │ │ ├── fqdn.go
│ │ │ ├── gtld.go
│ │ │ ├── gtld_map.go
│ │ │ ├── idna.go
│ │ │ ├── ip.go
│ │ │ ├── ku.go
│ │ │ ├── names.go
│ │ │ ├── oid.go
│ │ │ ├── onion.go
│ │ │ ├── primes.go
│ │ │ ├── qc_stmt.go
│ │ │ ├── rdn.go
│ │ │ └── time.go
│ │ └── zlint.go
│ ├── golang.org/
│ │ └── x/
│ │ ├── crypto/
│ │ │ ├── LICENSE
│ │ │ ├── PATENTS
│ │ │ ├── blowfish/
│ │ │ │ ├── block.go
│ │ │ │ ├── cipher.go
│ │ │ │ └── const.go
│ │ │ ├── chacha20/
│ │ │ │ ├── chacha_arm64.go
│ │ │ │ ├── chacha_arm64.s
│ │ │ │ ├── chacha_generic.go
│ │ │ │ ├── chacha_noasm.go
│ │ │ │ ├── chacha_ppc64le.go
│ │ │ │ ├── chacha_ppc64le.s
│ │ │ │ ├── chacha_s390x.go
│ │ │ │ ├── chacha_s390x.s
│ │ │ │ └── xor.go
│ │ │ ├── cryptobyte/
│ │ │ │ ├── asn1/
│ │ │ │ │ └── asn1.go
│ │ │ │ ├── asn1.go
│ │ │ │ ├── builder.go
│ │ │ │ └── string.go
│ │ │ ├── curve25519/
│ │ │ │ ├── curve25519.go
│ │ │ │ ├── curve25519_compat.go
│ │ │ │ ├── curve25519_go120.go
│ │ │ │ └── internal/
│ │ │ │ └── field/
│ │ │ │ ├── README
│ │ │ │ ├── fe.go
│ │ │ │ ├── fe_amd64.go
│ │ │ │ ├── fe_amd64.s
│ │ │ │ ├── fe_amd64_noasm.go
│ │ │ │ ├── fe_arm64.go
│ │ │ │ ├── fe_arm64.s
│ │ │ │ ├── fe_arm64_noasm.go
│ │ │ │ ├── fe_generic.go
│ │ │ │ ├── sync.checkpoint
│ │ │ │ └── sync.sh
│ │ │ ├── ed25519/
│ │ │ │ └── ed25519.go
│ │ │ ├── internal/
│ │ │ │ ├── alias/
│ │ │ │ │ ├── alias.go
│ │ │ │ │ └── alias_purego.go
│ │ │ │ └── poly1305/
│ │ │ │ ├── mac_noasm.go
│ │ │ │ ├── poly1305.go
│ │ │ │ ├── sum_amd64.go
│ │ │ │ ├── sum_amd64.s
│ │ │ │ ├── sum_generic.go
│ │ │ │ ├── sum_ppc64le.go
│ │ │ │ ├── sum_ppc64le.s
│ │ │ │ ├── sum_s390x.go
│ │ │ │ └── sum_s390x.s
│ │ │ ├── ocsp/
│ │ │ │ └── ocsp.go
│ │ │ ├── pbkdf2/
│ │ │ │ └── pbkdf2.go
│ │ │ ├── pkcs12/
│ │ │ │ ├── bmp-string.go
│ │ │ │ ├── crypto.go
│ │ │ │ ├── errors.go
│ │ │ │ ├── internal/
│ │ │ │ │ └── rc2/
│ │ │ │ │ └── rc2.go
│ │ │ │ ├── mac.go
│ │ │ │ ├── pbkdf.go
│ │ │ │ ├── pkcs12.go
│ │ │ │ └── safebags.go
│ │ │ ├── scrypt/
│ │ │ │ └── scrypt.go
│ │ │ └── ssh/
│ │ │ ├── buffer.go
│ │ │ ├── certs.go
│ │ │ ├── channel.go
│ │ │ ├── cipher.go
│ │ │ ├── client.go
│ │ │ ├── client_auth.go
│ │ │ ├── common.go
│ │ │ ├── connection.go
│ │ │ ├── doc.go
│ │ │ ├── handshake.go
│ │ │ ├── internal/
│ │ │ │ └── bcrypt_pbkdf/
│ │ │ │ └── bcrypt_pbkdf.go
│ │ │ ├── kex.go
│ │ │ ├── keys.go
│ │ │ ├── mac.go
│ │ │ ├── messages.go
│ │ │ ├── mux.go
│ │ │ ├── server.go
│ │ │ ├── session.go
│ │ │ ├── ssh_gss.go
│ │ │ ├── streamlocal.go
│ │ │ ├── tcpip.go
│ │ │ └── transport.go
│ │ ├── net/
│ │ │ ├── LICENSE
│ │ │ ├── PATENTS
│ │ │ ├── context/
│ │ │ │ └── ctxhttp/
│ │ │ │ └── ctxhttp.go
│ │ │ └── idna/
│ │ │ ├── go118.go
│ │ │ ├── idna10.0.0.go
│ │ │ ├── idna9.0.0.go
│ │ │ ├── pre_go118.go
│ │ │ ├── punycode.go
│ │ │ ├── tables10.0.0.go
│ │ │ ├── tables11.0.0.go
│ │ │ ├── tables12.0.0.go
│ │ │ ├── tables13.0.0.go
│ │ │ ├── tables15.0.0.go
│ │ │ ├── tables9.0.0.go
│ │ │ ├── trie.go
│ │ │ ├── trie12.0.0.go
│ │ │ ├── trie13.0.0.go
│ │ │ └── trieval.go
│ │ ├── sys/
│ │ │ ├── LICENSE
│ │ │ ├── PATENTS
│ │ │ ├── cpu/
│ │ │ │ ├── asm_aix_ppc64.s
│ │ │ │ ├── byteorder.go
│ │ │ │ ├── cpu.go
│ │ │ │ ├── cpu_aix.go
│ │ │ │ ├── cpu_arm.go
│ │ │ │ ├── cpu_arm64.go
│ │ │ │ ├── cpu_arm64.s
│ │ │ │ ├── cpu_gc_arm64.go
│ │ │ │ ├── cpu_gc_s390x.go
│ │ │ │ ├── cpu_gc_x86.go
│ │ │ │ ├── cpu_gccgo_arm64.go
│ │ │ │ ├── cpu_gccgo_s390x.go
│ │ │ │ ├── cpu_gccgo_x86.c
│ │ │ │ ├── cpu_gccgo_x86.go
│ │ │ │ ├── cpu_linux.go
│ │ │ │ ├── cpu_linux_arm.go
│ │ │ │ ├── cpu_linux_arm64.go
│ │ │ │ ├── cpu_linux_mips64x.go
│ │ │ │ ├── cpu_linux_noinit.go
│ │ │ │ ├── cpu_linux_ppc64x.go
│ │ │ │ ├── cpu_linux_s390x.go
│ │ │ │ ├── cpu_loong64.go
│ │ │ │ ├── cpu_mips64x.go
│ │ │ │ ├── cpu_mipsx.go
│ │ │ │ ├── cpu_netbsd_arm64.go
│ │ │ │ ├── cpu_openbsd_arm64.go
│ │ │ │ ├── cpu_openbsd_arm64.s
│ │ │ │ ├── cpu_other_arm.go
│ │ │ │ ├── cpu_other_arm64.go
│ │ │ │ ├── cpu_other_mips64x.go
│ │ │ │ ├── cpu_other_ppc64x.go
│ │ │ │ ├── cpu_other_riscv64.go
│ │ │ │ ├── cpu_ppc64x.go
│ │ │ │ ├── cpu_riscv64.go
│ │ │ │ ├── cpu_s390x.go
│ │ │ │ ├── cpu_s390x.s
│ │ │ │ ├── cpu_wasm.go
│ │ │ │ ├── cpu_x86.go
│ │ │ │ ├── cpu_x86.s
│ │ │ │ ├── cpu_zos.go
│ │ │ │ ├── cpu_zos_s390x.go
│ │ │ │ ├── endian_big.go
│ │ │ │ ├── endian_little.go
│ │ │ │ ├── hwcap_linux.go
│ │ │ │ ├── parse.go
│ │ │ │ ├── proc_cpuinfo_linux.go
│ │ │ │ ├── runtime_auxv.go
│ │ │ │ ├── runtime_auxv_go121.go
│ │ │ │ ├── syscall_aix_gccgo.go
│ │ │ │ └── syscall_aix_ppc64_gc.go
│ │ │ ├── unix/
│ │ │ │ ├── .gitignore
│ │ │ │ ├── README.md
│ │ │ │ ├── affinity_linux.go
│ │ │ │ ├── aliases.go
│ │ │ │ ├── asm_aix_ppc64.s
│ │ │ │ ├── asm_bsd_386.s
│ │ │ │ ├── asm_bsd_amd64.s
│ │ │ │ ├── asm_bsd_arm.s
│ │ │ │ ├── asm_bsd_arm64.s
│ │ │ │ ├── asm_bsd_ppc64.s
│ │ │ │ ├── asm_bsd_riscv64.s
│ │ │ │ ├── asm_linux_386.s
│ │ │ │ ├── asm_linux_amd64.s
│ │ │ │ ├── asm_linux_arm.s
│ │ │ │ ├── asm_linux_arm64.s
│ │ │ │ ├── asm_linux_loong64.s
│ │ │ │ ├── asm_linux_mips64x.s
│ │ │ │ ├── asm_linux_mipsx.s
│ │ │ │ ├── asm_linux_ppc64x.s
│ │ │ │ ├── asm_linux_riscv64.s
│ │ │ │ ├── asm_linux_s390x.s
│ │ │ │ ├── asm_openbsd_mips64.s
│ │ │ │ ├── asm_solaris_amd64.s
│ │ │ │ ├── asm_zos_s390x.s
│ │ │ │ ├── bluetooth_linux.go
│ │ │ │ ├── cap_freebsd.go
│ │ │ │ ├── constants.go
│ │ │ │ ├── dev_aix_ppc.go
│ │ │ │ ├── dev_aix_ppc64.go
│ │ │ │ ├── dev_darwin.go
│ │ │ │ ├── dev_dragonfly.go
│ │ │ │ ├── dev_freebsd.go
│ │ │ │ ├── dev_linux.go
│ │ │ │ ├── dev_netbsd.go
│ │ │ │ ├── dev_openbsd.go
│ │ │ │ ├── dev_zos.go
│ │ │ │ ├── dirent.go
│ │ │ │ ├── endian_big.go
│ │ │ │ ├── endian_little.go
│ │ │ │ ├── env_unix.go
│ │ │ │ ├── epoll_zos.go
│ │ │ │ ├── fcntl.go
│ │ │ │ ├── fcntl_darwin.go
│ │ │ │ ├── fcntl_linux_32bit.go
│ │ │ │ ├── fdset.go
│ │ │ │ ├── fstatfs_zos.go
│ │ │ │ ├── gccgo.go
│ │ │ │ ├── gccgo_c.c
│ │ │ │ ├── gccgo_linux_amd64.go
│ │ │ │ ├── ifreq_linux.go
│ │ │ │ ├── ioctl_linux.go
│ │ │ │ ├── ioctl_signed.go
│ │ │ │ ├── ioctl_unsigned.go
│ │ │ │ ├── ioctl_zos.go
│ │ │ │ ├── mkall.sh
│ │ │ │ ├── mkerrors.sh
│ │ │ │ ├── mmap_nomremap.go
│ │ │ │ ├── mremap.go
│ │ │ │ ├── pagesize_unix.go
│ │ │ │ ├── pledge_openbsd.go
│ │ │ │ ├── ptrace_darwin.go
│ │ │ │ ├── ptrace_ios.go
│ │ │ │ ├── race.go
│ │ │ │ ├── race0.go
│ │ │ │ ├── readdirent_getdents.go
│ │ │ │ ├── readdirent_getdirentries.go
│ │ │ │ ├── sockcmsg_dragonfly.go
│ │ │ │ ├── sockcmsg_linux.go
│ │ │ │ ├── sockcmsg_unix.go
│ │ │ │ ├── sockcmsg_unix_other.go
│ │ │ │ ├── syscall.go
│ │ │ │ ├── syscall_aix.go
│ │ │ │ ├── syscall_aix_ppc.go
│ │ │ │ ├── syscall_aix_ppc64.go
│ │ │ │ ├── syscall_bsd.go
│ │ │ │ ├── syscall_darwin.go
│ │ │ │ ├── syscall_darwin_amd64.go
│ │ │ │ ├── syscall_darwin_arm64.go
│ │ │ │ ├── syscall_darwin_libSystem.go
│ │ │ │ ├── syscall_dragonfly.go
│ │ │ │ ├── syscall_dragonfly_amd64.go
│ │ │ │ ├── syscall_freebsd.go
│ │ │ │ ├── syscall_freebsd_386.go
│ │ │ │ ├── syscall_freebsd_amd64.go
│ │ │ │ ├── syscall_freebsd_arm.go
│ │ │ │ ├── syscall_freebsd_arm64.go
│ │ │ │ ├── syscall_freebsd_riscv64.go
│ │ │ │ ├── syscall_hurd.go
│ │ │ │ ├── syscall_hurd_386.go
│ │ │ │ ├── syscall_illumos.go
│ │ │ │ ├── syscall_linux.go
│ │ │ │ ├── syscall_linux_386.go
│ │ │ │ ├── syscall_linux_alarm.go
│ │ │ │ ├── syscall_linux_amd64.go
│ │ │ │ ├── syscall_linux_amd64_gc.go
│ │ │ │ ├── syscall_linux_arm.go
│ │ │ │ ├── syscall_linux_arm64.go
│ │ │ │ ├── syscall_linux_gc.go
│ │ │ │ ├── syscall_linux_gc_386.go
│ │ │ │ ├── syscall_linux_gc_arm.go
│ │ │ │ ├── syscall_linux_gccgo_386.go
│ │ │ │ ├── syscall_linux_gccgo_arm.go
│ │ │ │ ├── syscall_linux_loong64.go
│ │ │ │ ├── syscall_linux_mips64x.go
│ │ │ │ ├── syscall_linux_mipsx.go
│ │ │ │ ├── syscall_linux_ppc.go
│ │ │ │ ├── syscall_linux_ppc64x.go
│ │ │ │ ├── syscall_linux_riscv64.go
│ │ │ │ ├── syscall_linux_s390x.go
│ │ │ │ ├── syscall_linux_sparc64.go
│ │ │ │ ├── syscall_netbsd.go
│ │ │ │ ├── syscall_netbsd_386.go
│ │ │ │ ├── syscall_netbsd_amd64.go
│ │ │ │ ├── syscall_netbsd_arm.go
│ │ │ │ ├── syscall_netbsd_arm64.go
│ │ │ │ ├── syscall_openbsd.go
│ │ │ │ ├── syscall_openbsd_386.go
│ │ │ │ ├── syscall_openbsd_amd64.go
│ │ │ │ ├── syscall_openbsd_arm.go
│ │ │ │ ├── syscall_openbsd_arm64.go
│ │ │ │ ├── syscall_openbsd_libc.go
│ │ │ │ ├── syscall_openbsd_mips64.go
│ │ │ │ ├── syscall_openbsd_ppc64.go
│ │ │ │ ├── syscall_openbsd_riscv64.go
│ │ │ │ ├── syscall_solaris.go
│ │ │ │ ├── syscall_solaris_amd64.go
│ │ │ │ ├── syscall_unix.go
│ │ │ │ ├── syscall_unix_gc.go
│ │ │ │ ├── syscall_unix_gc_ppc64x.go
│ │ │ │ ├── syscall_zos_s390x.go
│ │ │ │ ├── sysvshm_linux.go
│ │ │ │ ├── sysvshm_unix.go
│ │ │ │ ├── sysvshm_unix_other.go
│ │ │ │ ├── timestruct.go
│ │ │ │ ├── unveil_openbsd.go
│ │ │ │ ├── xattr_bsd.go
│ │ │ │ ├── zerrors_aix_ppc.go
│ │ │ │ ├── zerrors_aix_ppc64.go
│ │ │ │ ├── zerrors_darwin_amd64.go
│ │ │ │ ├── zerrors_darwin_arm64.go
│ │ │ │ ├── zerrors_dragonfly_amd64.go
│ │ │ │ ├── zerrors_freebsd_386.go
│ │ │ │ ├── zerrors_freebsd_amd64.go
│ │ │ │ ├── zerrors_freebsd_arm.go
│ │ │ │ ├── zerrors_freebsd_arm64.go
│ │ │ │ ├── zerrors_freebsd_riscv64.go
│ │ │ │ ├── zerrors_linux.go
│ │ │ │ ├── zerrors_linux_386.go
│ │ │ │ ├── zerrors_linux_amd64.go
│ │ │ │ ├── zerrors_linux_arm.go
│ │ │ │ ├── zerrors_linux_arm64.go
│ │ │ │ ├── zerrors_linux_loong64.go
│ │ │ │ ├── zerrors_linux_mips.go
│ │ │ │ ├── zerrors_linux_mips64.go
│ │ │ │ ├── zerrors_linux_mips64le.go
│ │ │ │ ├── zerrors_linux_mipsle.go
│ │ │ │ ├── zerrors_linux_ppc.go
│ │ │ │ ├── zerrors_linux_ppc64.go
│ │ │ │ ├── zerrors_linux_ppc64le.go
│ │ │ │ ├── zerrors_linux_riscv64.go
│ │ │ │ ├── zerrors_linux_s390x.go
│ │ │ │ ├── zerrors_linux_sparc64.go
│ │ │ │ ├── zerrors_netbsd_386.go
│ │ │ │ ├── zerrors_netbsd_amd64.go
│ │ │ │ ├── zerrors_netbsd_arm.go
│ │ │ │ ├── zerrors_netbsd_arm64.go
│ │ │ │ ├── zerrors_openbsd_386.go
│ │ │ │ ├── zerrors_openbsd_amd64.go
│ │ │ │ ├── zerrors_openbsd_arm.go
│ │ │ │ ├── zerrors_openbsd_arm64.go
│ │ │ │ ├── zerrors_openbsd_mips64.go
│ │ │ │ ├── zerrors_openbsd_ppc64.go
│ │ │ │ ├── zerrors_openbsd_riscv64.go
│ │ │ │ ├── zerrors_solaris_amd64.go
│ │ │ │ ├── zerrors_zos_s390x.go
│ │ │ │ ├── zptrace_armnn_linux.go
│ │ │ │ ├── zptrace_linux_arm64.go
│ │ │ │ ├── zptrace_mipsnn_linux.go
│ │ │ │ ├── zptrace_mipsnnle_linux.go
│ │ │ │ ├── zptrace_x86_linux.go
│ │ │ │ ├── zsyscall_aix_ppc.go
│ │ │ │ ├── zsyscall_aix_ppc64.go
│ │ │ │ ├── zsyscall_aix_ppc64_gc.go
│ │ │ │ ├── zsyscall_aix_ppc64_gccgo.go
│ │ │ │ ├── zsyscall_darwin_amd64.go
│ │ │ │ ├── zsyscall_darwin_amd64.s
│ │ │ │ ├── zsyscall_darwin_arm64.go
│ │ │ │ ├── zsyscall_darwin_arm64.s
│ │ │ │ ├── zsyscall_dragonfly_amd64.go
│ │ │ │ ├── zsyscall_freebsd_386.go
│ │ │ │ ├── zsyscall_freebsd_amd64.go
│ │ │ │ ├── zsyscall_freebsd_arm.go
│ │ │ │ ├── zsyscall_freebsd_arm64.go
│ │ │ │ ├── zsyscall_freebsd_riscv64.go
│ │ │ │ ├── zsyscall_illumos_amd64.go
│ │ │ │ ├── zsyscall_linux.go
│ │ │ │ ├── zsyscall_linux_386.go
│ │ │ │ ├── zsyscall_linux_amd64.go
│ │ │ │ ├── zsyscall_linux_arm.go
│ │ │ │ ├── zsyscall_linux_arm64.go
│ │ │ │ ├── zsyscall_linux_loong64.go
│ │ │ │ ├── zsyscall_linux_mips.go
│ │ │ │ ├── zsyscall_linux_mips64.go
│ │ │ │ ├── zsyscall_linux_mips64le.go
│ │ │ │ ├── zsyscall_linux_mipsle.go
│ │ │ │ ├── zsyscall_linux_ppc.go
│ │ │ │ ├── zsyscall_linux_ppc64.go
│ │ │ │ ├── zsyscall_linux_ppc64le.go
│ │ │ │ ├── zsyscall_linux_riscv64.go
│ │ │ │ ├── zsyscall_linux_s390x.go
│ │ │ │ ├── zsyscall_linux_sparc64.go
│ │ │ │ ├── zsyscall_netbsd_386.go
│ │ │ │ ├── zsyscall_netbsd_amd64.go
│ │ │ │ ├── zsyscall_netbsd_arm.go
│ │ │ │ ├── zsyscall_netbsd_arm64.go
│ │ │ │ ├── zsyscall_openbsd_386.go
│ │ │ │ ├── zsyscall_openbsd_386.s
│ │ │ │ ├── zsyscall_openbsd_amd64.go
│ │ │ │ ├── zsyscall_openbsd_amd64.s
│ │ │ │ ├── zsyscall_openbsd_arm.go
│ │ │ │ ├── zsyscall_openbsd_arm.s
│ │ │ │ ├── zsyscall_openbsd_arm64.go
│ │ │ │ ├── zsyscall_openbsd_arm64.s
│ │ │ │ ├── zsyscall_openbsd_mips64.go
│ │ │ │ ├── zsyscall_openbsd_mips64.s
│ │ │ │ ├── zsyscall_openbsd_ppc64.go
│ │ │ │ ├── zsyscall_openbsd_ppc64.s
│ │ │ │ ├── zsyscall_openbsd_riscv64.go
│ │ │ │ ├── zsyscall_openbsd_riscv64.s
│ │ │ │ ├── zsyscall_solaris_amd64.go
│ │ │ │ ├── zsyscall_zos_s390x.go
│ │ │ │ ├── zsysctl_openbsd_386.go
│ │ │ │ ├── zsysctl_openbsd_amd64.go
│ │ │ │ ├── zsysctl_openbsd_arm.go
│ │ │ │ ├── zsysctl_openbsd_arm64.go
│ │ │ │ ├── zsysctl_openbsd_mips64.go
│ │ │ │ ├── zsysctl_openbsd_ppc64.go
│ │ │ │ ├── zsysctl_openbsd_riscv64.go
│ │ │ │ ├── zsysnum_darwin_amd64.go
│ │ │ │ ├── zsysnum_darwin_arm64.go
│ │ │ │ ├── zsysnum_dragonfly_amd64.go
│ │ │ │ ├── zsysnum_freebsd_386.go
│ │ │ │ ├── zsysnum_freebsd_amd64.go
│ │ │ │ ├── zsysnum_freebsd_arm.go
│ │ │ │ ├── zsysnum_freebsd_arm64.go
│ │ │ │ ├── zsysnum_freebsd_riscv64.go
│ │ │ │ ├── zsysnum_linux_386.go
│ │ │ │ ├── zsysnum_linux_amd64.go
│ │ │ │ ├── zsysnum_linux_arm.go
│ │ │ │ ├── zsysnum_linux_arm64.go
│ │ │ │ ├── zsysnum_linux_loong64.go
│ │ │ │ ├── zsysnum_linux_mips.go
│ │ │ │ ├── zsysnum_linux_mips64.go
│ │ │ │ ├── zsysnum_linux_mips64le.go
│ │ │ │ ├── zsysnum_linux_mipsle.go
│ │ │ │ ├── zsysnum_linux_ppc.go
│ │ │ │ ├── zsysnum_linux_ppc64.go
│ │ │ │ ├── zsysnum_linux_ppc64le.go
│ │ │ │ ├── zsysnum_linux_riscv64.go
│ │ │ │ ├── zsysnum_linux_s390x.go
│ │ │ │ ├── zsysnum_linux_sparc64.go
│ │ │ │ ├── zsysnum_netbsd_386.go
│ │ │ │ ├── zsysnum_netbsd_amd64.go
│ │ │ │ ├── zsysnum_netbsd_arm.go
│ │ │ │ ├── zsysnum_netbsd_arm64.go
│ │ │ │ ├── zsysnum_openbsd_386.go
│ │ │ │ ├── zsysnum_openbsd_amd64.go
│ │ │ │ ├── zsysnum_openbsd_arm.go
│ │ │ │ ├── zsysnum_openbsd_arm64.go
│ │ │ │ ├── zsysnum_openbsd_mips64.go
│ │ │ │ ├── zsysnum_openbsd_ppc64.go
│ │ │ │ ├── zsysnum_openbsd_riscv64.go
│ │ │ │ ├── zsysnum_zos_s390x.go
│ │ │ │ ├── ztypes_aix_ppc.go
│ │ │ │ ├── ztypes_aix_ppc64.go
│ │ │ │ ├── ztypes_darwin_amd64.go
│ │ │ │ ├── ztypes_darwin_arm64.go
│ │ │ │ ├── ztypes_dragonfly_amd64.go
│ │ │ │ ├── ztypes_freebsd_386.go
│ │ │ │ ├── ztypes_freebsd_amd64.go
│ │ │ │ ├── ztypes_freebsd_arm.go
│ │ │ │ ├── ztypes_freebsd_arm64.go
│ │ │ │ ├── ztypes_freebsd_riscv64.go
│ │ │ │ ├── ztypes_linux.go
│ │ │ │ ├── ztypes_linux_386.go
│ │ │ │ ├── ztypes_linux_amd64.go
│ │ │ │ ├── ztypes_linux_arm.go
│ │ │ │ ├── ztypes_linux_arm64.go
│ │ │ │ ├── ztypes_linux_loong64.go
│ │ │ │ ├── ztypes_linux_mips.go
│ │ │ │ ├── ztypes_linux_mips64.go
│ │ │ │ ├── ztypes_linux_mips64le.go
│ │ │ │ ├── ztypes_linux_mipsle.go
│ │ │ │ ├── ztypes_linux_ppc.go
│ │ │ │ ├── ztypes_linux_ppc64.go
│ │ │ │ ├── ztypes_linux_ppc64le.go
│ │ │ │ ├── ztypes_linux_riscv64.go
│ │ │ │ ├── ztypes_linux_s390x.go
│ │ │ │ ├── ztypes_linux_sparc64.go
│ │ │ │ ├── ztypes_netbsd_386.go
│ │ │ │ ├── ztypes_netbsd_amd64.go
│ │ │ │ ├── ztypes_netbsd_arm.go
│ │ │ │ ├── ztypes_netbsd_arm64.go
│ │ │ │ ├── ztypes_openbsd_386.go
│ │ │ │ ├── ztypes_openbsd_amd64.go
│ │ │ │ ├── ztypes_openbsd_arm.go
│ │ │ │ ├── ztypes_openbsd_arm64.go
│ │ │ │ ├── ztypes_openbsd_mips64.go
│ │ │ │ ├── ztypes_openbsd_ppc64.go
│ │ │ │ ├── ztypes_openbsd_riscv64.go
│ │ │ │ ├── ztypes_solaris_amd64.go
│ │ │ │ └── ztypes_zos_s390x.go
│ │ │ └── windows/
│ │ │ ├── aliases.go
│ │ │ ├── dll_windows.go
│ │ │ ├── empty.s
│ │ │ ├── env_windows.go
│ │ │ ├── eventlog.go
│ │ │ ├── exec_windows.go
│ │ │ ├── memory_windows.go
│ │ │ ├── mkerrors.bash
│ │ │ ├── mkknownfolderids.bash
│ │ │ ├── mksyscall.go
│ │ │ ├── race.go
│ │ │ ├── race0.go
│ │ │ ├── security_windows.go
│ │ │ ├── service.go
│ │ │ ├── setupapi_windows.go
│ │ │ ├── str.go
│ │ │ ├── syscall.go
│ │ │ ├── syscall_windows.go
│ │ │ ├── types_windows.go
│ │ │ ├── types_windows_386.go
│ │ │ ├── types_windows_amd64.go
│ │ │ ├── types_windows_arm.go
│ │ │ ├── types_windows_arm64.go
│ │ │ ├── zerrors_windows.go
│ │ │ ├── zknownfolderids_windows.go
│ │ │ └── zsyscall_windows.go
│ │ └── text/
│ │ ├── LICENSE
│ │ ├── PATENTS
│ │ ├── secure/
│ │ │ └── bidirule/
│ │ │ ├── bidirule.go
│ │ │ ├── bidirule10.0.0.go
│ │ │ └── bidirule9.0.0.go
│ │ ├── transform/
│ │ │ └── transform.go
│ │ └── unicode/
│ │ ├── bidi/
│ │ │ ├── bidi.go
│ │ │ ├── bracket.go
│ │ │ ├── core.go
│ │ │ ├── prop.go
│ │ │ ├── tables10.0.0.go
│ │ │ ├── tables11.0.0.go
│ │ │ ├── tables12.0.0.go
│ │ │ ├── tables13.0.0.go
│ │ │ ├── tables15.0.0.go
│ │ │ ├── tables9.0.0.go
│ │ │ └── trieval.go
│ │ └── norm/
│ │ ├── composition.go
│ │ ├── forminfo.go
│ │ ├── input.go
│ │ ├── iter.go
│ │ ├── normalize.go
│ │ ├── readwriter.go
│ │ ├── tables10.0.0.go
│ │ ├── tables11.0.0.go
│ │ ├── tables12.0.0.go
│ │ ├── tables13.0.0.go
│ │ ├── tables15.0.0.go
│ │ ├── tables9.0.0.go
│ │ ├── transform.go
│ │ └── trie.go
│ ├── google.golang.org/
│ │ └── protobuf/
│ │ ├── LICENSE
│ │ ├── PATENTS
│ │ ├── encoding/
│ │ │ ├── protodelim/
│ │ │ │ └── protodelim.go
│ │ │ ├── prototext/
│ │ │ │ ├── decode.go
│ │ │ │ ├── doc.go
│ │ │ │ └── encode.go
│ │ │ └── protowire/
│ │ │ └── wire.go
│ │ ├── internal/
│ │ │ ├── descfmt/
│ │ │ │ └── stringer.go
│ │ │ ├── descopts/
│ │ │ │ └── options.go
│ │ │ ├── detrand/
│ │ │ │ └── rand.go
│ │ │ ├── editiondefaults/
│ │ │ │ ├── defaults.go
│ │ │ │ └── editions_defaults.binpb
│ │ │ ├── encoding/
│ │ │ │ ├── defval/
│ │ │ │ │ └── default.go
│ │ │ │ ├── messageset/
│ │ │ │ │ └── messageset.go
│ │ │ │ ├── tag/
│ │ │ │ │ └── tag.go
│ │ │ │ └── text/
│ │ │ │ ├── decode.go
│ │ │ │ ├── decode_number.go
│ │ │ │ ├── decode_string.go
│ │ │ │ ├── decode_token.go
│ │ │ │ ├── doc.go
│ │ │ │ └── encode.go
│ │ │ ├── errors/
│ │ │ │ ├── errors.go
│ │ │ │ ├── is_go112.go
│ │ │ │ └── is_go113.go
│ │ │ ├── filedesc/
│ │ │ │ ├── build.go
│ │ │ │ ├── desc.go
│ │ │ │ ├── desc_init.go
│ │ │ │ ├── desc_lazy.go
│ │ │ │ ├── desc_list.go
│ │ │ │ ├── desc_list_gen.go
│ │ │ │ ├── editions.go
│ │ │ │ └── placeholder.go
│ │ │ ├── filetype/
│ │ │ │ └── build.go
│ │ │ ├── flags/
│ │ │ │ ├── flags.go
│ │ │ │ ├── proto_legacy_disable.go
│ │ │ │ └── proto_legacy_enable.go
│ │ │ ├── genid/
│ │ │ │ ├── any_gen.go
│ │ │ │ ├── api_gen.go
│ │ │ │ ├── descriptor_gen.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── duration_gen.go
│ │ │ │ ├── empty_gen.go
│ │ │ │ ├── field_mask_gen.go
│ │ │ │ ├── go_features_gen.go
│ │ │ │ ├── goname.go
│ │ │ │ ├── map_entry.go
│ │ │ │ ├── source_context_gen.go
│ │ │ │ ├── struct_gen.go
│ │ │ │ ├── timestamp_gen.go
│ │ │ │ ├── type_gen.go
│ │ │ │ ├── wrappers.go
│ │ │ │ └── wrappers_gen.go
│ │ │ ├── impl/
│ │ │ │ ├── api_export.go
│ │ │ │ ├── checkinit.go
│ │ │ │ ├── codec_extension.go
│ │ │ │ ├── codec_field.go
│ │ │ │ ├── codec_gen.go
│ │ │ │ ├── codec_map.go
│ │ │ │ ├── codec_map_go111.go
│ │ │ │ ├── codec_map_go112.go
│ │ │ │ ├── codec_message.go
│ │ │ │ ├── codec_messageset.go
│ │ │ │ ├── codec_reflect.go
│ │ │ │ ├── codec_tables.go
│ │ │ │ ├── codec_unsafe.go
│ │ │ │ ├── convert.go
│ │ │ │ ├── convert_list.go
│ │ │ │ ├── convert_map.go
│ │ │ │ ├── decode.go
│ │ │ │ ├── encode.go
│ │ │ │ ├── enum.go
│ │ │ │ ├── extension.go
│ │ │ │ ├── legacy_enum.go
│ │ │ │ ├── legacy_export.go
│ │ │ │ ├── legacy_extension.go
│ │ │ │ ├── legacy_file.go
│ │ │ │ ├── legacy_message.go
│ │ │ │ ├── merge.go
│ │ │ │ ├── merge_gen.go
│ │ │ │ ├── message.go
│ │ │ │ ├── message_reflect.go
│ │ │ │ ├── message_reflect_field.go
│ │ │ │ ├── message_reflect_gen.go
│ │ │ │ ├── pointer_reflect.go
│ │ │ │ ├── pointer_unsafe.go
│ │ │ │ ├── validate.go
│ │ │ │ └── weak.go
│ │ │ ├── order/
│ │ │ │ ├── order.go
│ │ │ │ └── range.go
│ │ │ ├── pragma/
│ │ │ │ └── pragma.go
│ │ │ ├── set/
│ │ │ │ └── ints.go
│ │ │ ├── strs/
│ │ │ │ ├── strings.go
│ │ │ │ ├── strings_pure.go
│ │ │ │ ├── strings_unsafe_go120.go
│ │ │ │ └── strings_unsafe_go121.go
│ │ │ └── version/
│ │ │ └── version.go
│ │ ├── proto/
│ │ │ ├── checkinit.go
│ │ │ ├── decode.go
│ │ │ ├── decode_gen.go
│ │ │ ├── doc.go
│ │ │ ├── encode.go
│ │ │ ├── encode_gen.go
│ │ │ ├── equal.go
│ │ │ ├── extension.go
│ │ │ ├── merge.go
│ │ │ ├── messageset.go
│ │ │ ├── proto.go
│ │ │ ├── proto_methods.go
│ │ │ ├── proto_reflect.go
│ │ │ ├── reset.go
│ │ │ ├── size.go
│ │ │ ├── size_gen.go
│ │ │ └── wrappers.go
│ │ ├── reflect/
│ │ │ ├── protoreflect/
│ │ │ │ ├── methods.go
│ │ │ │ ├── proto.go
│ │ │ │ ├── source.go
│ │ │ │ ├── source_gen.go
│ │ │ │ ├── type.go
│ │ │ │ ├── value.go
│ │ │ │ ├── value_equal.go
│ │ │ │ ├── value_pure.go
│ │ │ │ ├── value_union.go
│ │ │ │ ├── value_unsafe_go120.go
│ │ │ │ └── value_unsafe_go121.go
│ │ │ └── protoregistry/
│ │ │ └── registry.go
│ │ ├── runtime/
│ │ │ ├── protoiface/
│ │ │ │ ├── legacy.go
│ │ │ │ └── methods.go
│ │ │ └── protoimpl/
│ │ │ ├── impl.go
│ │ │ └── version.go
│ │ └── types/
│ │ └── known/
│ │ └── timestamppb/
│ │ └── timestamp.pb.go
│ ├── k8s.io/
│ │ └── klog/
│ │ └── v2/
│ │ ├── .gitignore
│ │ ├── .golangci.yaml
│ │ ├── CONTRIBUTING.md
│ │ ├── LICENSE
│ │ ├── OWNERS
│ │ ├── README.md
│ │ ├── RELEASE.md
│ │ ├── SECURITY.md
│ │ ├── SECURITY_CONTACTS
│ │ ├── code-of-conduct.md
│ │ ├── contextual.go
│ │ ├── contextual_slog.go
│ │ ├── exit.go
│ │ ├── format.go
│ │ ├── imports.go
│ │ ├── internal/
│ │ │ ├── buffer/
│ │ │ │ └── buffer.go
│ │ │ ├── clock/
│ │ │ │ ├── README.md
│ │ │ │ └── clock.go
│ │ │ ├── dbg/
│ │ │ │ └── dbg.go
│ │ │ ├── serialize/
│ │ │ │ ├── keyvalues.go
│ │ │ │ ├── keyvalues_no_slog.go
│ │ │ │ └── keyvalues_slog.go
│ │ │ ├── severity/
│ │ │ │ └── severity.go
│ │ │ └── sloghandler/
│ │ │ └── sloghandler_slog.go
│ │ ├── k8s_references.go
│ │ ├── k8s_references_slog.go
│ │ ├── klog.go
│ │ ├── klog_file.go
│ │ ├── klog_file_others.go
│ │ ├── klog_file_windows.go
│ │ ├── klogr.go
│ │ ├── klogr_slog.go
│ │ └── safeptr.go
│ └── modules.txt
└── whitelist/
├── LICENSE
├── README.md
├── example/
│ └── example_whitelist.go
├── http_test.go
├── lookup.go
├── whitelist.go
├── whitelist_net.go
├── whitelist_net_test.go
└── whitelist_test.go
Showing preview only (9,832K chars total). Download the full file or copy to clipboard to get everything.
SYMBOL INDEX (115198 symbols across 1564 files)
FILE: api/api.go
type Handler (line 14) | type Handler interface
type HTTPHandler (line 20) | type HTTPHandler struct
method ServeHTTP (line 71) | func (h HTTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
type HandlerFunc (line 29) | type HandlerFunc
method Handle (line 32) | func (f HandlerFunc) Handle(w http.ResponseWriter, r *http.Request) er...
function HandleError (line 38) | func HandleError(w http.ResponseWriter, err error) (code int) {
function readRequestBlob (line 92) | func readRequestBlob(r *http.Request) (map[string]string, error) {
function ProcessRequestOneOf (line 114) | func ProcessRequestOneOf(r *http.Request, keywordSets [][]string) (map[s...
function ProcessRequestFirstMatchOf (line 140) | func ProcessRequestFirstMatchOf(r *http.Request, keywordSets [][]string)...
function matchKeywords (line 154) | func matchKeywords(blob map[string]string, keywords []string) bool {
type ResponseMessage (line 165) | type ResponseMessage struct
type Response (line 172) | type Response struct
function NewSuccessResponse (line 181) | func NewSuccessResponse(result interface{}) Response {
function NewSuccessResponseWithMessage (line 192) | func NewSuccessResponseWithMessage(result interface{}, message string, c...
function NewErrorResponse (line 203) | func NewErrorResponse(message string, code int) Response {
function SendResponse (line 214) | func SendResponse(w http.ResponseWriter, result interface{}) error {
function SendResponseWithMessage (line 225) | func SendResponseWithMessage(w http.ResponseWriter, result interface{}, ...
FILE: api/api_test.go
constant ty (line 13) | ty = "Thank you!"
constant deny (line 14) | deny = "That's not true!"
function simpleHandle (line 17) | func simpleHandle(w http.ResponseWriter, r *http.Request) error {
function cleverHandle (line 30) | func cleverHandle(w http.ResponseWriter, r *http.Request) error {
function post (line 45) | func post(t *testing.T, obj map[string]interface{}, ts *httptest.Server)...
function get (line 62) | func get(t *testing.T, ts *httptest.Server) (resp *http.Response, body [...
function TestRigidHandle (line 75) | func TestRigidHandle(t *testing.T) {
function TestCleverHandle (line 145) | func TestCleverHandle(t *testing.T) {
FILE: api/bundle/bundle.go
type Handler (line 16) | type Handler struct
method Handle (line 35) | func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 22) | func NewHandler(caBundleFile, intBundleFile string) (http.Handler, error) {
FILE: api/bundle/bundle_test.go
constant testCaBundleFile (line 16) | testCaBundleFile = "../testdata/ca-bundle.pem"
constant testIntBundleFile (line 17) | testIntBundleFile = "../testdata/int-bundle.pem"
constant testLeafCertFile (line 18) | testLeafCertFile = "../testdata/leaf.pem"
constant testLeafKeyFile (line 19) | testLeafKeyFile = "../testdata/leaf.key"
constant testLeafWrongKeyFile (line 20) | testLeafWrongKeyFile = "../testdata/leaf.badkey"
constant testBrokenCertFile (line 21) | testBrokenCertFile = "../testdata/broken.pem"
function newTestHandler (line 24) | func newTestHandler(t *testing.T) (h http.Handler) {
function newBundleServer (line 32) | func newBundleServer(t *testing.T) *httptest.Server {
function testBundleFile (line 37) | func testBundleFile(t *testing.T, domain, ip, certFile, keyFile, flavor ...
function TestNewHandler (line 86) | func TestNewHandler(t *testing.T) {
type bundleTest (line 90) | type bundleTest struct
function TestBundle (line 186) | func TestBundle(t *testing.T) {
FILE: api/certadd/insert.go
type Handler (line 33) | type Handler struct
method Handle (line 82) | func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 39) | func NewHandler(dbAccessor certdb.Accessor, signer ocsp.Signer) http.Han...
type AddRequest (line 51) | type AddRequest struct
FILE: api/certadd/insert_test.go
function prepDB (line 28) | func prepDB() (certdb.Accessor, error) {
function makeRequest (line 35) | func makeRequest(t *testing.T, dbAccessor certdb.Accessor, signer ocsp.S...
function makeCertificate (line 57) | func makeCertificate() (serialNumber *big.Int, cert *x509.Certificate, p...
function TestInsertValidCertificate (line 143) | func TestInsertValidCertificate(t *testing.T) {
function TestInsertMissingSerial (line 211) | func TestInsertMissingSerial(t *testing.T) {
function TestInsertMissingAKI (line 235) | func TestInsertMissingAKI(t *testing.T) {
function TestInsertMissingExpiry (line 259) | func TestInsertMissingExpiry(t *testing.T) {
function TestInsertMissingPEM (line 283) | func TestInsertMissingPEM(t *testing.T) {
function TestInsertInvalidSerial (line 307) | func TestInsertInvalidSerial(t *testing.T) {
function TestInsertInvalidAKI (line 332) | func TestInsertInvalidAKI(t *testing.T) {
function TestInsertInvalidStatus (line 357) | func TestInsertInvalidStatus(t *testing.T) {
function TestInsertInvalidPEM (line 382) | func TestInsertInvalidPEM(t *testing.T) {
function TestInsertInvalidExpiry (line 407) | func TestInsertInvalidExpiry(t *testing.T) {
function TestInsertWrongSerial (line 432) | func TestInsertWrongSerial(t *testing.T) {
function TestInsertWrongAKI (line 457) | func TestInsertWrongAKI(t *testing.T) {
function TestInsertWrongExpiry (line 482) | func TestInsertWrongExpiry(t *testing.T) {
function TestInsertRevokedCertificate (line 507) | func TestInsertRevokedCertificate(t *testing.T) {
function TestInsertRevokedCertificateWithoutTime (line 552) | func TestInsertRevokedCertificateWithoutTime(t *testing.T) {
FILE: api/certinfo/certinfo.go
type Handler (line 17) | type Handler struct
method Handle (line 40) | func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) (err ...
function NewHandler (line 23) | func NewHandler() http.Handler {
function NewAccessorHandler (line 30) | func NewAccessorHandler(dbAccessor certdb.Accessor) http.Handler {
FILE: api/client/api.go
type SignResult (line 4) | type SignResult struct
FILE: api/client/client.go
type server (line 26) | type server struct
method Hosts (line 80) | func (srv *server) Hosts() []string {
method SetReqModifier (line 84) | func (srv *server) SetReqModifier(mod func(*http.Request, []byte)) {
method SetRequestTimeout (line 88) | func (srv *server) SetRequestTimeout(timeout time.Duration) {
method SetProxy (line 92) | func (srv *server) SetProxy(proxy func(*http.Request) (*url.URL, error...
method getURL (line 104) | func (srv *server) getURL(endpoint string) string {
method createTransport (line 108) | func (srv *server) createTransport() *http.Transport {
method post (line 134) | func (srv *server) post(url string, jsonData []byte) (*api.Response, e...
method AuthSign (line 192) | func (srv *server) AuthSign(req, id []byte, provider auth.Provider) ([...
method AuthInfo (line 200) | func (srv *server) AuthInfo(req, id []byte, provider auth.Provider) ([...
method authReq (line 207) | func (srv *server) authReq(req, ID []byte, provider auth.Provider, tar...
method Sign (line 248) | func (srv *server) Sign(jsonData []byte) ([]byte, error) {
method Info (line 255) | func (srv *server) Info(jsonData []byte) (*info.Resp, error) {
method getResultMap (line 282) | func (srv *server) getResultMap(jsonData []byte, target string) (resul...
method request (line 298) | func (srv *server) request(jsonData []byte, target string) ([]byte, er...
type Remote (line 39) | type Remote interface
function NewServer (line 54) | func NewServer(addr string) Remote {
function NewServerTLS (line 59) | func NewServerTLS(addr string, tlsConfig *tls.Config) Remote {
function newServer (line 96) | func newServer(u *url.URL, tlsConfig *tls.Config) *server {
type AuthRemote (line 312) | type AuthRemote struct
method Sign (line 328) | func (ar *AuthRemote) Sign(req []byte) ([]byte, error) {
function NewAuthServer (line 320) | func NewAuthServer(addr string, tlsConfig *tls.Config, provider auth.Pro...
function normalizeURL (line 333) | func normalizeURL(addr string) (*url.URL, error) {
FILE: api/client/client_test.go
function TestNewServer (line 18) | func TestNewServer(t *testing.T) {
function TestInvalidPort (line 55) | func TestInvalidPort(t *testing.T) {
function TestAuthSign (line 62) | func TestAuthSign(t *testing.T) {
function TestDefaultAuthSign (line 72) | func TestDefaultAuthSign(t *testing.T) {
function TestSign (line 82) | func TestSign(t *testing.T) {
function TestNewMutualTLSServer (line 90) | func TestNewMutualTLSServer(t *testing.T) {
function TestNewServerGroup (line 105) | func TestNewServerGroup(t *testing.T) {
function TestNewTLSServerGroup (line 143) | func TestNewTLSServerGroup(t *testing.T) {
function TestNewMutualTLSServerGroup (line 147) | func TestNewMutualTLSServerGroup(t *testing.T) {
function NewTLSServerGroup (line 152) | func NewTLSServerGroup(t *testing.T, cert *tls.Certificate) {
function TestNewOGLGroup (line 180) | func TestNewOGLGroup(t *testing.T) {
FILE: api/client/group.go
type Strategy (line 17) | type Strategy
constant StrategyInvalid (line 22) | StrategyInvalid = iota
constant StrategyOrderedList (line 28) | StrategyOrderedList
function StrategyFromString (line 36) | func StrategyFromString(s string) Strategy {
function NewGroup (line 47) | func NewGroup(remotes []string, tlsConfig *tls.Config, strategy Strategy...
type orderedListGroup (line 65) | type orderedListGroup struct
method Hosts (line 69) | func (g *orderedListGroup) Hosts() []string {
method SetRequestTimeout (line 78) | func (g *orderedListGroup) SetRequestTimeout(timeout time.Duration) {
method SetProxy (line 84) | func (g *orderedListGroup) SetProxy(proxy func(*http.Request) (*url.UR...
method AuthSign (line 96) | func (g *orderedListGroup) AuthSign(req, id []byte, provider auth.Prov...
method Sign (line 107) | func (g *orderedListGroup) Sign(jsonData []byte) (resp []byte, err err...
method Info (line 118) | func (g *orderedListGroup) Info(jsonData []byte) (resp *info.Resp, err...
method SetReqModifier (line 130) | func (g *orderedListGroup) SetReqModifier(mod func(*http.Request, []by...
function newOrdererdListGroup (line 90) | func newOrdererdListGroup(remotes []*server) (Remote, error) {
FILE: api/crl/crl.go
type Handler (line 21) | type Handler struct
method Handle (line 70) | func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 28) | func NewHandler(dbAccessor certdb.Accessor, caPath string, caKeyPath str...
FILE: api/crl/crl_test.go
constant fakeAKI (line 21) | fakeAKI = "fake aki"
constant testCaFile (line 22) | testCaFile = "../testdata/ca.pem"
constant testCaKeyFile (line 23) | testCaKeyFile = "../testdata/ca_key.pem"
function prepDB (line 26) | func prepDB() (certdb.Accessor, error) {
function testGetCRL (line 48) | func testGetCRL(t *testing.T, dbAccessor certdb.Accessor, expiry string)...
function TestCRLGeneration (line 71) | func TestCRLGeneration(t *testing.T) {
function TestCRLGenerationWithExpiry (line 111) | func TestCRLGenerationWithExpiry(t *testing.T) {
FILE: api/gencrl/gencrl.go
type jsonCRLRequest (line 22) | type jsonCRLRequest struct
function gencrlHandler (line 31) | func gencrlHandler(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 98) | func NewHandler() http.Handler {
FILE: api/gencrl/gencrl_test.go
constant cert (line 16) | cert = "../../crl/testdata/caTwo.pem"
constant key (line 17) | key = "../../crl/testdata/ca-keyTwo.pem"
constant serialList (line 18) | serialList = "../../crl/testdata/serialList"
constant expiryTime (line 19) | expiryTime = "2000"
type testJSON (line 22) | type testJSON struct
function newTestHandler (line 40) | func newTestHandler(t *testing.T) http.Handler {
function TestNewHandler (line 44) | func TestNewHandler(t *testing.T) {
function newCRLServer (line 48) | func newCRLServer(t *testing.T) *httptest.Server {
function testCRLCreation (line 53) | func testCRLCreation(t *testing.T, issuingKey, certFile string, expiry s...
function TestCRL (line 95) | func TestCRL(t *testing.T) {
FILE: api/generator/generator.go
constant CSRNoHostMessage (line 27) | CSRNoHostMessage = `This certificate lacks a "hosts" field. This makes i...
constant NoBundlerMessage (line 32) | NoBundlerMessage = `This request requires a bundler, but one is not init...
type Sum (line 36) | type Sum struct
type Validator (line 44) | type Validator
type CertRequest (line 48) | type CertRequest struct
type Handler (line 56) | type Handler struct
method Handle (line 112) | func (g *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 62) | func NewHandler(validator Validator) (http.Handler, error) {
function computeSum (line 72) | func computeSum(in []byte) (sum Sum, err error) {
type CertGeneratorHandler (line 161) | type CertGeneratorHandler struct
method SetBundler (line 214) | func (cg *CertGeneratorHandler) SetBundler(caBundleFile, intBundleFile...
method Handle (line 229) | func (cg *CertGeneratorHandler) Handle(w http.ResponseWriter, r *http....
function NewCertGeneratorHandler (line 173) | func NewCertGeneratorHandler(validator Validator, caFile, caKeyFile stri...
function NewCertGeneratorHandlerFromSigner (line 203) | func NewCertGeneratorHandlerFromSigner(validator Validator, signer signe...
type genSignRequest (line 219) | type genSignRequest struct
function CSRValidate (line 321) | func CSRValidate(req *csr.CertificateRequest) error {
FILE: api/generator/generator_test.go
constant testCaFile (line 18) | testCaFile = "testdata/ca.pem"
constant testCaKeyFile (line 19) | testCaKeyFile = "testdata/ca_key.pem"
constant testCABundle (line 20) | testCABundle = "../../bundler/testdata/ca-bundle.pem"
constant testIntBundle (line 21) | testIntBundle = "../../bundler/testdata/int-bundle.pem"
function csrData (line 24) | func csrData(t *testing.T) *bytes.Reader {
function TestGeneratorRESTfulVerbs (line 46) | func TestGeneratorRESTfulVerbs(t *testing.T) {
function TestCSRValidate (line 80) | func TestCSRValidate(t *testing.T) {
function TestNewCertGeneratorHandlerFromSigner (line 101) | func TestNewCertGeneratorHandlerFromSigner(t *testing.T) {
FILE: api/health/health.go
type Response (line 11) | type Response struct
function healthHandler (line 15) | func healthHandler(w http.ResponseWriter, r *http.Request) error {
function NewHealthCheck (line 21) | func NewHealthCheck() http.Handler {
FILE: api/info/info.go
type Handler (line 18) | type Handler struct
method Handle (line 35) | func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 24) | func NewHandler(s signer.Signer) (http.Handler, error) {
type MultiHandler (line 65) | type MultiHandler struct
method Handle (line 85) | func (h *MultiHandler) Handle(w http.ResponseWriter, r *http.Request) ...
function NewMultiHandler (line 72) | func NewMultiHandler(signers map[string]signer.Signer, defaultLabel stri...
FILE: api/info/info_test.go
constant testCaFile (line 17) | testCaFile = "../testdata/ca.pem"
constant testCaKeyFile (line 18) | testCaKeyFile = "../testdata/ca_key.pem"
constant testCaFile2 (line 21) | testCaFile2 = "../testdata/ca2.pem"
constant testCaKeyFile2 (line 22) | testCaKeyFile2 = "../testdata/ca2-key.pem"
function newTestHandler (line 28) | func newTestHandler(t *testing.T) (h http.Handler) {
function newTestMultiHandler (line 41) | func newTestMultiHandler(t *testing.T) (h http.Handler) {
function TestNewHandler (line 65) | func TestNewHandler(t *testing.T) {
function TestNewMultiHandler (line 69) | func TestNewMultiHandler(t *testing.T) {
function newInfoServer (line 73) | func newInfoServer(t *testing.T) *httptest.Server {
function newMultiInfoServer (line 78) | func newMultiInfoServer(t *testing.T) *httptest.Server {
function testInfoFile (line 82) | func testInfoFile(t *testing.T, req map[string]interface{}) (resp *http....
function testMultiInfoFile (line 102) | func testMultiInfoFile(t *testing.T, req map[string]interface{}) (resp *...
type infoTest (line 122) | type infoTest struct
function TestInfo (line 196) | func TestInfo(t *testing.T) {
function TestMultiInfo (line 227) | func TestMultiInfo(t *testing.T) {
FILE: api/initca/initca.go
type NewCA (line 18) | type NewCA struct
function initialCAHandler (line 27) | func initialCAHandler(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 59) | func NewHandler() http.Handler {
FILE: api/initca/initca_test.go
function csrData (line 13) | func csrData(t *testing.T) *bytes.Reader {
function TestInitCARESTfulVerbs (line 35) | func TestInitCARESTfulVerbs(t *testing.T) {
function TestBadRequestBody (line 68) | func TestBadRequestBody(t *testing.T) {
function TestBadRequestBody_2 (line 77) | func TestBadRequestBody_2(t *testing.T) {
FILE: api/ocsp/ocspsign.go
type Handler (line 22) | type Handler struct
method Handle (line 57) | func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 27) | func NewHandler(s ocsp.Signer) http.Handler {
type jsonSignRequest (line 37) | type jsonSignRequest struct
FILE: api/ocsp/ocspsign_test.go
constant testCaFile (line 22) | testCaFile = "../../ocsp/testdata/ca.pem"
constant testRespCertFile (line 23) | testRespCertFile = "../../ocsp/testdata/server.crt"
constant testKeyFile (line 24) | testKeyFile = "../../ocsp/testdata/server.key"
constant testCertFile (line 25) | testCertFile = "../../ocsp/testdata/cert.pem"
function newTestHandler (line 28) | func newTestHandler(t *testing.T) http.Handler {
function TestNewHandler (line 38) | func TestNewHandler(t *testing.T) {
function newSignServer (line 42) | func newSignServer(t *testing.T) *httptest.Server {
function testSignFile (line 47) | func testSignFile(t *testing.T, certFile, status string, reason int, rev...
type signTest (line 84) | type signTest struct
function TestSign (line 164) | func TestSign(t *testing.T) {
FILE: api/revoke/revoke.go
type Handler (line 21) | type Handler struct
method Handle (line 57) | func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 27) | func NewHandler(dbAccessor certdb.Accessor) http.Handler {
function NewOCSPHandler (line 38) | func NewOCSPHandler(dbAccessor certdb.Accessor, signer ocsp.Signer) http...
type jsonRevokeRequest (line 49) | type jsonRevokeRequest struct
FILE: api/revoke/revoke_test.go
constant fakeAKI (line 29) | fakeAKI = "fake aki"
function prepDB (line 32) | func prepDB() (certdb.Accessor, error) {
function testRevokeCert (line 51) | func testRevokeCert(t *testing.T, dbAccessor certdb.Accessor, serial, ak...
function TestInvalidRevocation (line 80) | func TestInvalidRevocation(t *testing.T) {
function TestRevocation (line 93) | func TestRevocation(t *testing.T) {
function TestOCSPGeneration (line 128) | func TestOCSPGeneration(t *testing.T) {
FILE: api/scan/scan.go
function scanHandler (line 16) | func scanHandler(w http.ResponseWriter, r *http.Request) error {
function NewHandler (line 54) | func NewHandler(caBundleFile string) (http.Handler, error) {
function scanInfoHandler (line 63) | func scanInfoHandler(w http.ResponseWriter, r *http.Request) error {
function NewInfoHandler (line 71) | func NewInfoHandler() http.Handler {
FILE: api/scan/scan_test.go
function TestBadRequest (line 14) | func TestBadRequest(t *testing.T) {
function TestScanRESTfulVerbs (line 24) | func TestScanRESTfulVerbs(t *testing.T) {
function TestNewInfoHandler (line 58) | func TestNewInfoHandler(t *testing.T) {
FILE: api/sign/sign.go
function NewHandler (line 17) | func NewHandler(caFile, caKeyFile string, policy *config.Signing) (http....
function NewAuthHandler (line 37) | func NewAuthHandler(caFile, caKeyFile string, policy *config.Signing) (h...
FILE: api/sign/sign_test.go
constant testCaFile (line 20) | testCaFile = "../testdata/ca.pem"
constant testCaKeyFile (line 21) | testCaKeyFile = "../testdata/ca_key.pem"
constant testCSRFile (line 22) | testCSRFile = "../testdata/csr.pem"
constant testBrokenCertFile (line 23) | testBrokenCertFile = "../testdata/broken.pem"
constant testBrokenCSRFile (line 24) | testBrokenCSRFile = "../testdata/broken_csr.pem"
function newTestHandler (line 100) | func newTestHandler(t *testing.T) (h http.Handler) {
function TestNewHandler (line 108) | func TestNewHandler(t *testing.T) {
function TestNewHandlerWithProfile (line 112) | func TestNewHandlerWithProfile(t *testing.T) {
function TestNewHandlerWithAuthProfile (line 124) | func TestNewHandlerWithAuthProfile(t *testing.T) {
function TestNewHandlerError (line 136) | func TestNewHandlerError(t *testing.T) {
function TestNewAuthHandlerWithNonAuthProfile (line 144) | func TestNewAuthHandlerWithNonAuthProfile(t *testing.T) {
function TestNewHandlersWithMixedProfile (line 156) | func TestNewHandlersWithMixedProfile(t *testing.T) {
function TestNewHandlersWithAnotherMixedProfile (line 173) | func TestNewHandlersWithAnotherMixedProfile(t *testing.T) {
function newSignServer (line 190) | func newSignServer(t *testing.T) *httptest.Server {
function testSignFileOldInterface (line 195) | func testSignFileOldInterface(t *testing.T, hostname, csrFile string) (r...
function testSignFile (line 230) | func testSignFile(t *testing.T, hosts []string, subject *signer.Subject,...
constant testHostName (line 269) | testHostName = "localhost"
constant testDomainName (line 270) | testDomainName = "cloudflare.com"
type signTest (line 273) | type signTest struct
function TestSign (line 343) | func TestSign(t *testing.T) {
function newTestAuthHandler (line 413) | func newTestAuthHandler(t *testing.T) http.Handler {
function TestNewAuthHandler (line 426) | func TestNewAuthHandler(t *testing.T) {
function TestNewAuthHandlerWithNoAuthConfig (line 430) | func TestNewAuthHandlerWithNoAuthConfig(t *testing.T) {
function testAuthSignFile (line 443) | func testAuthSignFile(t *testing.T, hosts []string, subject *signer.Subj...
function newAuthSignServer (line 494) | func newAuthSignServer(t *testing.T) *httptest.Server {
function TestAuthSign (line 499) | func TestAuthSign(t *testing.T) {
FILE: api/signhandler/signhandler.go
constant NoBundlerMessage (line 19) | NoBundlerMessage = `This request requires a bundler, but one is not init...
type Handler (line 25) | type Handler struct
method SetBundler (line 60) | func (h *Handler) SetBundler(caBundleFile, intBundleFile string) (err ...
method Handle (line 114) | func (h *Handler) Handle(w http.ResponseWriter, r *http.Request) error {
function NewHandlerFromSigner (line 32) | func NewHandlerFromSigner(signer signer.Signer) (h *api.HTTPHandler, err...
type jsonSignRequest (line 68) | type jsonSignRequest struct
function jsonReqToTrue (line 79) | func jsonReqToTrue(js jsonSignRequest) signer.SignRequest {
type AuthHandler (line 172) | type AuthHandler struct
method SetBundler (line 213) | func (h *AuthHandler) SetBundler(caBundleFile, intBundleFile string) (...
method Handle (line 219) | func (h *AuthHandler) Handle(w http.ResponseWriter, r *http.Request) e...
function NewAuthHandlerFromSigner (line 179) | func NewAuthHandlerFromSigner(signer signer.Signer) (http.Handler, error) {
FILE: api/signhandler/signhandler_test.go
constant testCaFile (line 22) | testCaFile = "../testdata/ca.pem"
constant testCaKeyFile (line 23) | testCaKeyFile = "../testdata/ca_key.pem"
constant testCSRFile (line 24) | testCSRFile = "../testdata/csr.pem"
function TestSignerDBPersistence (line 41) | func TestSignerDBPersistence(t *testing.T) {
FILE: auth/auth.go
type AuthenticatedRequest (line 20) | type AuthenticatedRequest struct
type Provider (line 32) | type Provider interface
type Standard (line 40) | type Standard struct
method Token (line 73) | func (p Standard) Token(req []byte) (token []byte, err error) {
method Verify (line 81) | func (p Standard) Verify(ad *AuthenticatedRequest) bool {
function New (line 48) | func New(key string, ad []byte) (*Standard, error) {
FILE: auth/auth_test.go
function TestNew (line 16) | func TestNew(t *testing.T) {
function TestVerifyTrue (line 47) | func TestVerifyTrue(t *testing.T) {
function TestVerifyAD (line 71) | func TestVerifyAD(t *testing.T) {
function TestTokenLength (line 82) | func TestTokenLength(t *testing.T) {
function TestBadRequest (line 94) | func TestBadRequest(t *testing.T) {
function TestNullRequest (line 102) | func TestNullRequest(t *testing.T) {
function TestPreGenerated (line 109) | func TestPreGenerated(t *testing.T) {
function TestLoadBenchmarkRequest (line 128) | func TestLoadBenchmarkRequest(t *testing.T) {
function BenchmarkToken (line 137) | func BenchmarkToken(b *testing.B) {
function BenchmarkVerify (line 146) | func BenchmarkVerify(b *testing.B) {
FILE: bundler/bundle.go
type Bundle (line 23) | type Bundle struct
method MarshalJSON (line 98) | func (b *Bundle) MarshalJSON() ([]byte, error) {
method buildHostnames (line 171) | func (b *Bundle) buildHostnames() {
type BundleStatus (line 37) | type BundleStatus struct
type chain (line 50) | type chain
method MarshalJSON (line 52) | func (c chain) MarshalJSON() ([]byte, error) {
function PemBlockToString (line 63) | func PemBlockToString(block *pem.Block) string {
type names (line 82) | type names
method MarshalJSON (line 84) | func (n names) MarshalJSON() ([]byte, error) {
FILE: bundler/bundle_from_file_test.go
type fileTest (line 11) | type fileTest struct
constant leafECDSA256 (line 57) | leafECDSA256 = "testdata/cfssl-leaf-ecdsa256.pem"
constant leafECDSA384 (line 58) | leafECDSA384 = "testdata/cfssl-leaf-ecdsa384.pem"
constant leafECDSA521 (line 59) | leafECDSA521 = "testdata/cfssl-leaf-ecdsa521.pem"
constant leafRSA2048 (line 60) | leafRSA2048 = "testdata/cfssl-leaf-rsa2048.pem"
constant leafRSA3072 (line 61) | leafRSA3072 = "testdata/cfssl-leaf-rsa3072.pem"
constant leafRSA4096 (line 62) | leafRSA4096 = "testdata/cfssl-leaf-rsa4096.pem"
constant leafKeyECDSA256 (line 63) | leafKeyECDSA256 = "testdata/cfssl-leaf-ecdsa256.key"
constant leafKeyECDSA384 (line 64) | leafKeyECDSA384 = "testdata/cfssl-leaf-ecdsa384.key"
constant leafKeyECDSA521 (line 65) | leafKeyECDSA521 = "testdata/cfssl-leaf-ecdsa521.key"
constant leafKeyRSA2048 (line 66) | leafKeyRSA2048 = "testdata/cfssl-leaf-rsa2048.key"
constant leafKeyRSA3072 (line 67) | leafKeyRSA3072 = "testdata/cfssl-leaf-rsa3072.key"
constant leafKeyRSA4096 (line 68) | leafKeyRSA4096 = "testdata/cfssl-leaf-rsa4096.key"
constant leafletRSA4096 (line 69) | leafletRSA4096 = "testdata/cfssl-leaflet-rsa4096.pem"
constant interL1 (line 70) | interL1 = "testdata/inter-L1.pem"
constant interL1Expired (line 71) | interL1Expired = "testdata/inter-L1-expired.pem"
constant interL1CSR (line 72) | interL1CSR = "testdata/inter-L1.csr"
constant interL2 (line 73) | interL2 = "testdata/inter-L2.pem"
constant interL2Direct (line 75) | interL2Direct = "testdata/inter-L2-direct.pem"
constant partialBundle (line 76) | partialBundle = "testdata/partial-bundle.pem"
constant rpBundle (line 77) | rpBundle = "testdata/reverse-partial-bundle.pem"
constant badBundle (line 78) | badBundle = "testdata/bad-bundle.pem"
constant interL2CSR (line 79) | interL2CSR = "testdata/inter-L2.csr"
constant certDSA2048 (line 80) | certDSA2048 = "testdata/dsa2048.pem"
constant keyDSA2048 (line 81) | keyDSA2048 = "testdata/dsa2048.key"
function TestBundleFromFile (line 348) | func TestBundleFromFile(t *testing.T) {
FILE: bundler/bundle_from_pem_test.go
type pemTest (line 9) | type pemTest struct
function TestBundleFromPEM (line 69) | func TestBundleFromPEM(t *testing.T) {
FILE: bundler/bundle_from_remote_test.go
type remoteTest (line 14) | type remoteTest struct
constant RSACertSite (line 23) | RSACertSite = "rsa2048.badssl.com"
constant SelfSignedSSLSite (line 24) | SelfSignedSSLSite = "self-signed.badssl.com"
constant MismatchedHostnameSite (line 25) | MismatchedHostnameSite = "wrong.host.badssl.com"
constant ECCCertSite (line 26) | ECCCertSite = "ecc256.badssl.com"
constant InvalidSite (line 27) | InvalidSite = "cloudflare1337.com"
constant ValidSNI (line 28) | ValidSNI = "badssl.com"
constant ValidSNIWildcard (line 29) | ValidSNIWildcard = "badssl.com"
constant SNISANWildcard (line 30) | SNISANWildcard = "*.badssl.com"
constant InvalidIP (line 31) | InvalidIP = "300.300.300.300"
function getBundleHostnameChecker (line 34) | func getBundleHostnameChecker(hostname string) func(*testing.T, *remoteT...
function expectErrorMessages (line 51) | func expectErrorMessages(expectedContents []string) func(*testing.T, *re...
function TestBundleFromRemote (line 105) | func TestBundleFromRemote(t *testing.T) {
function resolveHostIP (line 124) | func resolveHostIP(host string) string {
function TestBundleFromRemoteSNI (line 165) | func TestBundleFromRemoteSNI(t *testing.T) {
function TestBundleFromRemoteFlavor (line 184) | func TestBundleFromRemoteFlavor(t *testing.T) {
FILE: bundler/bundler.go
type BundleFlavor (line 40) | type BundleFlavor
constant Optimal (line 45) | Optimal BundleFlavor = "optimal"
constant Ubiquitous (line 49) | Ubiquitous BundleFlavor = "ubiquitous"
constant Force (line 52) | Force BundleFlavor = "force"
constant sha2Warning (line 56) | sha2Warning = "The bundle contains certificates signed with adv...
constant ecdsaWarning (line 57) | ecdsaWarning = "The bundle contains ECDSA signatures, which are ...
constant expiringWarningStub (line 58) | expiringWarningStub = "The bundle is expiring within 30 days."
constant untrustedWarningStub (line 59) | untrustedWarningStub = "The bundle may not be trusted by the following p...
constant ubiquityWarning (line 60) | ubiquityWarning = "Unable to measure bundle ubiquity: No platform m...
type Bundler (line 66) | type Bundler struct
method VerifyOptions (line 190) | func (b *Bundler) VerifyOptions() x509.VerifyOptions {
method BundleFromFile (line 201) | func (b *Bundler) BundleFromFile(bundleFile, keyFile string, flavor Bu...
method BundleFromPEMorDER (line 228) | func (b *Bundler) BundleFromPEMorDER(certsRaw, keyPEM []byte, flavor B...
method BundleFromRemote (line 271) | func (b *Bundler) BundleFromRemote(serverName, ip string, flavor Bundl...
method verifyChain (line 405) | func (b *Bundler) verifyChain(chain []*fetchedIntermediate) bool {
method fetchIntermediates (line 476) | func (b *Bundler) fetchIntermediates(certs []*x509.Certificate) (err e...
method Bundle (line 558) | func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer,...
type options (line 73) | type options struct
type Option (line 84) | type Option
function WithKeyUsages (line 88) | func WithKeyUsages(usages ...x509.ExtKeyUsage) Option {
function NewBundler (line 97) | func NewBundler(caBundleFile, intBundleFile string, opt ...Option) (*Bun...
function NewBundlerFromPEM (line 139) | func NewBundlerFromPEM(caBundlePEM, intBundlePEM []byte, opt ...Option) ...
type fetchedIntermediate (line 329) | type fetchedIntermediate struct
function fetchRemoteCertificate (line 337) | func fetchRemoteCertificate(certURL string) (fi *fetchedIntermediate, er...
function reverse (line 370) | func reverse(certs []*x509.Certificate) []*x509.Certificate {
function partialVerify (line 384) | func partialVerify(certs []*x509.Certificate) bool {
function isSelfSigned (line 397) | func isSelfSigned(cert *x509.Certificate) bool {
function isChainRootNode (line 401) | func isChainRootNode(cert *x509.Certificate) bool {
function constructCertFileName (line 455) | func constructCertFileName(cert *x509.Certificate) string {
function checkExpiringCerts (line 745) | func checkExpiringCerts(chain []*x509.Certificate) (expiringIntermediate...
function getSKIs (line 756) | func getSKIs(chain []*x509.Certificate, indices []int) (skis []string) {
function expirationWarning (line 765) | func expirationWarning(expiringIntermediates []int) (ret string) {
function untrustedPlatformsWarning (line 784) | func untrustedPlatformsWarning(platforms []string) string {
function optimalChains (line 805) | func optimalChains(chains [][]*x509.Certificate) [][]*x509.Certificate {
function ubiquitousChains (line 817) | func ubiquitousChains(chains [][]*x509.Certificate) [][]*x509.Certificate {
function diff (line 835) | func diff(chain1, chain2 []*x509.Certificate) bool {
FILE: bundler/bundler_sha1_deprecation_test.go
constant sha1CA (line 19) | sha1CA = "testdata/ca.pem"
constant sha1CAKey (line 20) | sha1CAKey = "testdata/ca.key"
constant sha1Intermediate (line 21) | sha1Intermediate = "testdata/inter-L1-sha1.pem"
constant sha2Intermediate (line 22) | sha2Intermediate = "testdata/inter-L1.pem"
constant intermediateKey (line 23) | intermediateKey = "testdata/inter-L1.key"
constant intermediateCSR (line 24) | intermediateCSR = "testdata/inter-L1.csr"
constant leafCSR (line 25) | leafCSR = "testdata/cfssl-leaf-ecdsa256.csr"
function TestChromeWarning (line 28) | func TestChromeWarning(t *testing.T) {
function TestSHA2Preferences (line 85) | func TestSHA2Preferences(t *testing.T) {
function makeCASignerFromFile (line 126) | func makeCASignerFromFile(certFile, keyFile string, sigAlgo x509.Signatu...
function makeCASigner (line 141) | func makeCASigner(certBytes, keyBytes []byte, sigAlgo x509.SignatureAlgo...
function signCSRFile (line 170) | func signCSRFile(s signer.Signer, csrFile string, t *testing.T) []byte {
FILE: bundler/bundler_test.go
constant testCaBundle (line 19) | testCaBundle = "testdata/ca-bundle.pem"
constant testIntCaBundle (line 21) | testIntCaBundle = "testdata/int-bundle.pem"
constant testNSSRootBundle (line 22) | testNSSRootBundle = "testdata/nss.pem"
constant testMetadata (line 23) | testMetadata = "testdata/ca-bundle.crt.metadata"
constant testCFSSLRootBundle (line 24) | testCFSSLRootBundle = "testdata/ca.pem"
constant testCAFile (line 25) | testCAFile = "testdata/ca.pem"
constant testCAKeyFile (line 26) | testCAKeyFile = "testdata/ca.key"
constant testCFSSLIntBundle (line 27) | testCFSSLIntBundle = "testdata/intermediates.crt"
constant emptyPEM (line 28) | emptyPEM = "testdata/empty.pem"
constant interL1SHA1 (line 29) | interL1SHA1 = "testdata/inter-L1-sha1.pem"
constant interL1Key (line 30) | interL1Key = "testdata/inter-L1.key"
constant interL2SHA2 (line 31) | interL2SHA2 = "testdata/inter-L2.pem"
constant interL2Key (line 32) | interL2Key = "testdata/inter-L2.key"
function TestNewBundler (line 36) | func TestNewBundler(t *testing.T) {
function TestNewBundlerMissingCA (line 40) | func TestNewBundlerMissingCA(t *testing.T) {
function TestNewBundlerMissingIntermediate (line 52) | func TestNewBundlerMissingIntermediate(t *testing.T) {
type bundleObject (line 65) | type bundleObject struct
function TestBundleMarshalJSON (line 88) | func TestBundleMarshalJSON(t *testing.T) {
function TestBundleWithECDSAKeyMarshalJSON (line 163) | func TestBundleWithECDSAKeyMarshalJSON(t *testing.T) {
function TestBundleWithRSAKeyMarshalJSON (line 199) | func TestBundleWithRSAKeyMarshalJSON(t *testing.T) {
function TestBundleHostnamesMarshalJSON (line 238) | func TestBundleHostnamesMarshalJSON(t *testing.T) {
function TestRebundleFromPEM (line 251) | func TestRebundleFromPEM(t *testing.T) {
function TestUbiquitousBundle (line 285) | func TestUbiquitousBundle(t *testing.T) {
function TestUbiquityBundleWithoutMetadata (line 328) | func TestUbiquityBundleWithoutMetadata(t *testing.T) {
function checkUbiquityWarningAndCode (line 350) | func checkUbiquityWarningAndCode(t *testing.T, bundle *Bundle, expected ...
function TestForceBundle (line 370) | func TestForceBundle(t *testing.T) {
function TestUpdateIntermediate (line 474) | func TestUpdateIntermediate(t *testing.T) {
function TestForceBundleNoFallback (line 520) | func TestForceBundleNoFallback(t *testing.T) {
function TestSHA2HomogeneityAgainstUbiquity (line 563) | func TestSHA2HomogeneityAgainstUbiquity(t *testing.T) {
function checkSHA2WarningAndCode (line 669) | func checkSHA2WarningAndCode(t *testing.T, bundle *Bundle, expected bool) {
function checkECDSAWarningAndCode (line 685) | func checkECDSAWarningAndCode(t *testing.T, bundle *Bundle, expected boo...
function TestSHA2Warning (line 705) | func TestSHA2Warning(t *testing.T) {
function TestECDSAWarning (line 739) | func TestECDSAWarning(t *testing.T) {
function readCert (line 754) | func readCert(filename string) *x509.Certificate {
function newBundler (line 762) | func newBundler(t *testing.T) (b *Bundler) {
function newBundlerFromPEM (line 771) | func newBundlerFromPEM(t *testing.T, caBundlePEM, intBundlePEM []byte) (...
function newCustomizedBundlerFromFile (line 781) | func newCustomizedBundlerFromFile(t *testing.T, caBundle, intBundle, adh...
function newBundlerWithoutInters (line 808) | func newBundlerWithoutInters(t *testing.T) (b *Bundler) {
function newBundlerWithoutRoots (line 818) | func newBundlerWithoutRoots(t *testing.T) (b *Bundler) {
function newBundlerWithoutRootsAndInters (line 825) | func newBundlerWithoutRootsAndInters(t *testing.T) *Bundler {
function ExpectErrorMessage (line 835) | func ExpectErrorMessage(expectedErrorContent string) func(*testing.T, er...
function ExpectErrorMessages (line 847) | func ExpectErrorMessages(expectedContents []string) func(*testing.T, err...
function ExpectBundleLength (line 862) | func ExpectBundleLength(expectedLen int) func(*testing.T, *Bundle) {
function TestBundlerWithEmptyRootInfo (line 874) | func TestBundlerWithEmptyRootInfo(t *testing.T) {
function TestBundlerClientAuth (line 918) | func TestBundlerClientAuth(t *testing.T) {
FILE: certdb/certdb.go
type CertificateRecord (line 13) | type CertificateRecord struct
method SetMetadata (line 31) | func (c *CertificateRecord) SetMetadata(meta map[string]interface{}) e...
method GetMetadata (line 41) | func (c *CertificateRecord) GetMetadata() (map[string]interface{}, err...
method SetSANs (line 48) | func (c *CertificateRecord) SetSANs(meta []string) error {
method GetSANs (line 58) | func (c *CertificateRecord) GetSANs() ([]string, error) {
type OCSPRecord (line 66) | type OCSPRecord struct
type Accessor (line 74) | type Accessor interface
FILE: certdb/dbconf/db_config.go
type DBConfig (line 15) | type DBConfig struct
function LoadFile (line 22) | func LoadFile(path string) (cfg *DBConfig, err error) {
function DBFromConfig (line 49) | func DBFromConfig(path string) (db *sqlx.DB, err error) {
FILE: certdb/dbconf/db_config_test.go
function TestLoadFile (line 9) | func TestLoadFile(t *testing.T) {
function TestDBFromConfig (line 21) | func TestDBFromConfig(t *testing.T) {
FILE: certdb/mysql/migrations/001_CreateCertificates.sql
type certificates (line 4) | CREATE TABLE certificates (
type ocsp_responses (line 16) | CREATE TABLE ocsp_responses (
FILE: certdb/ocspstapling/ocspstapling.go
function StapleSCTList (line 28) | func StapleSCTList(acc certdb.Accessor, serial, aki string, scts []ct.Si...
FILE: certdb/ocspstapling/ocspstapling_test.go
function TestStapleSCTList (line 23) | func TestStapleSCTList(t *testing.T) {
function nextSN (line 124) | func nextSN() *big.Int {
function makeCert (line 132) | func makeCert(issuer *x509.Certificate) (*x509.Certificate, crypto.Signe...
FILE: certdb/pg/migrations/001_CreateCertificates.sql
type certificates (line 4) | CREATE TABLE certificates (
type ocsp_responses (line 16) | CREATE TABLE ocsp_responses (
FILE: certdb/sql/database_accessor.go
function init (line 16) | func init() {
constant insertSQL (line 21) | insertSQL = `
constant selectSQL (line 27) | selectSQL = `
constant selectAllUnexpiredSQL (line 31) | selectAllUnexpiredSQL = `
constant selectAllRevokedAndUnexpiredWithLabelSQL (line 35) | selectAllRevokedAndUnexpiredWithLabelSQL = `
constant selectRevokedAndUnexpiredWithLabelSQL (line 39) | selectRevokedAndUnexpiredWithLabelSQL = `
constant selectAllRevokedAndUnexpiredSQL (line 43) | selectAllRevokedAndUnexpiredSQL = `
constant updateRevokeSQL (line 47) | updateRevokeSQL = `
constant insertOCSPSQL (line 52) | insertOCSPSQL = `
constant updateOCSPSQL (line 56) | updateOCSPSQL = `
constant selectAllUnexpiredOCSPSQL (line 61) | selectAllUnexpiredOCSPSQL = `
constant selectOCSPSQL (line 65) | selectOCSPSQL = `
type Accessor (line 71) | type Accessor struct
method checkDB (line 84) | func (d *Accessor) checkDB() error {
method SetDB (line 98) | func (d *Accessor) SetDB(db *sqlx.DB) {
method InsertCertificate (line 104) | func (d *Accessor) InsertCertificate(cr certdb.CertificateRecord) error {
method GetCertificate (line 152) | func (d *Accessor) GetCertificate(serial, aki string) (crs []certdb.Ce...
method GetUnexpiredCertificates (line 167) | func (d *Accessor) GetUnexpiredCertificates() (crs []certdb.Certificat...
method GetUnexpiredCertificatesByLabel (line 182) | func (d *Accessor) GetUnexpiredCertificatesByLabel(labels []string) (c...
method GetRevokedAndUnexpiredCertificates (line 205) | func (d *Accessor) GetRevokedAndUnexpiredCertificates() (crs []certdb....
method GetRevokedAndUnexpiredCertificatesByLabel (line 220) | func (d *Accessor) GetRevokedAndUnexpiredCertificatesByLabel(label str...
method GetRevokedAndUnexpiredCertificatesByLabelSelectColumns (line 235) | func (d *Accessor) GetRevokedAndUnexpiredCertificatesByLabelSelectColu...
method RevokeCertificate (line 250) | func (d *Accessor) RevokeCertificate(serial, aki string, reasonCode in...
method InsertOCSP (line 279) | func (d *Accessor) InsertOCSP(rr certdb.OCSPRecord) error {
method GetOCSP (line 309) | func (d *Accessor) GetOCSP(serial, aki string) (ors []certdb.OCSPRecor...
method GetUnexpiredOCSPs (line 324) | func (d *Accessor) GetUnexpiredOCSPs() (ors []certdb.OCSPRecord, err e...
method UpdateOCSP (line 339) | func (d *Accessor) UpdateOCSP(serial, aki, body string, expiry time.Ti...
method UpsertOCSP (line 384) | func (d *Accessor) UpsertOCSP(serial, aki, body string, expiry time.Ti...
function wrapSQLError (line 77) | func wrapSQLError(err error) error {
function NewAccessor (line 93) | func NewAccessor(db *sqlx.DB) *Accessor {
FILE: certdb/sql/sql_mysql_test.go
function TestMySQL (line 12) | func TestMySQL(t *testing.T) {
FILE: certdb/sql/sql_pq_test.go
function TestPostgreSQL (line 12) | func TestPostgreSQL(t *testing.T) {
FILE: certdb/sql/sql_test.go
constant sqliteDBFile (line 16) | sqliteDBFile = "../testdb/certstore_development.db"
constant fakeAKI (line 17) | fakeAKI = "fake_aki"
function TestNoDB (line 20) | func TestNoDB(t *testing.T) {
type TestAccessor (line 28) | type TestAccessor struct
method Truncate (line 33) | func (ta *TestAccessor) Truncate() {
function TestSQLite (line 37) | func TestSQLite(t *testing.T) {
function roughlySameTime (line 47) | func roughlySameTime(t1, t2 time.Time) bool {
function testEverything (line 52) | func testEverything(ta TestAccessor, t *testing.T) {
function testInsertCertificateAndGetCertificate (line 63) | func testInsertCertificateAndGetCertificate(ta TestAccessor, t *testing....
function testInsertCertificateAndGetUnexpiredCertificate (line 117) | func testInsertCertificateAndGetUnexpiredCertificate(ta TestAccessor, t ...
function testInsertCertificateAndGetUnexpiredCertificateNullCommonName (line 178) | func testInsertCertificateAndGetUnexpiredCertificateNullCommonName(ta Te...
function testUpdateCertificateAndGetCertificate (line 232) | func testUpdateCertificateAndGetCertificate(ta TestAccessor, t *testing....
function testInsertOCSPAndGetOCSP (line 317) | func testInsertOCSPAndGetOCSP(ta TestAccessor, t *testing.T) {
function testInsertOCSPAndGetUnexpiredOCSP (line 359) | func testInsertOCSPAndGetUnexpiredOCSP(ta TestAccessor, t *testing.T) {
function testUpdateOCSPAndGetOCSP (line 400) | func testUpdateOCSPAndGetOCSP(ta TestAccessor, t *testing.T) {
function testUpsertOCSPAndGetOCSP (line 443) | func testUpsertOCSPAndGetOCSP(ta TestAccessor, t *testing.T) {
function setupGoodCert (line 495) | func setupGoodCert(ta TestAccessor, t *testing.T, r certdb.OCSPRecord) {
FILE: certdb/sqlite/migrations/001_CreateCertificates.sql
type certificates (line 4) | CREATE TABLE certificates (
type ocsp_responses (line 16) | CREATE TABLE ocsp_responses (
FILE: certdb/testdb/testdb.go
constant mysqlTruncateTables (line 14) | mysqlTruncateTables = `
constant pgTruncateTables (line 19) | pgTruncateTables = `
constant sqliteTruncateTables (line 37) | sqliteTruncateTables = `
function MySQLDB (line 44) | func MySQLDB() *sqlx.DB {
function PostgreSQLDB (line 62) | func PostgreSQLDB() *sqlx.DB {
function SQLiteDB (line 80) | func SQLiteDB(dbpath string) *sqlx.DB {
function Truncate (line 92) | func Truncate(db *sqlx.DB) {
FILE: certinfo/certinfo.go
type Certificate (line 19) | type Certificate struct
type Name (line 33) | type Name struct
function ParseName (line 48) | func ParseName(name pkix.Name) Name {
function formatKeyID (line 73) | func formatKeyID(id []byte) string {
function ParseCertificate (line 87) | func ParseCertificate(cert *x509.Certificate) *Certificate {
function ParseCertificateFile (line 107) | func ParseCertificateFile(certFile string) (*Certificate, error) {
function ParseCertificatePEM (line 117) | func ParseCertificatePEM(certPEM []byte) (*Certificate, error) {
function ParseCSRPEM (line 127) | func ParseCSRPEM(csrPEM []byte) (*x509.CertificateRequest, error) {
function ParseCSRFile (line 137) | func ParseCSRFile(csrFile string) (*x509.CertificateRequest, error) {
function ParseCertificateDomain (line 147) | func ParseCertificateDomain(domain string) (cert *Certificate, err error) {
function ParseSerialNumber (line 172) | func ParseSerialNumber(serial, aki string, dbAccessor certdb.Accessor) (...
FILE: certinfo/certinfo_test.go
constant sqliteDBFile (line 21) | sqliteDBFile = "../certdb/testdb/certstore_development.db"
constant fakeAKI (line 22) | fakeAKI = "fake_aki"
constant testSerial (line 23) | testSerial = 1337
function TestParseSerialNumber (line 26) | func TestParseSerialNumber(t *testing.T) {
function createCertificate (line 109) | func createCertificate() (string, error) {
function certificateToPEMBlock (line 136) | func certificateToPEMBlock(cert []byte) (string, error) {
FILE: cli/bundle/bundle.go
function bundlerMain (line 29) | func bundlerMain(args []string, c cli.Config) (err error) {
FILE: cli/certinfo/certinfo.go
function certinfoMain (line 37) | func certinfoMain(args []string, c cli.Config) (err error) {
FILE: cli/cli.go
type Command (line 40) | type Command struct
constant usage (line 53) | usage = `Usage:
function printDefaultValue (line 63) | func printDefaultValue(f *flag.Flag) {
function PopFirstArgument (line 74) | func PopFirstArgument(args []string) (string, []string, error) {
function Start (line 82) | func Start(cmds map[string]*Command) error {
function ReadStdin (line 152) | func ReadStdin(filename string) ([]byte, error) {
function PrintCert (line 160) | func PrintCert(key, csrBytes, cert []byte) {
function PrintOCSPResponse (line 183) | func PrintOCSPResponse(resp []byte) {
function PrintCRL (line 195) | func PrintCRL(certList []byte) {
FILE: cli/cli_test.go
function TestHelp (line 17) | func TestHelp(t *testing.T) {
function TestUnknownFlag (line 29) | func TestUnknownFlag(t *testing.T) {
function TestBadCommand (line 41) | func TestBadCommand(t *testing.T) {
function TestCommandHelp (line 51) | func TestCommandHelp(t *testing.T) {
function TestCommandBadFlag (line 61) | func TestCommandBadFlag(t *testing.T) {
function ResetForTesting (line 76) | func ResetForTesting(usage func()) {
function ResetCFSSLFlagSetForTesting (line 83) | func ResetCFSSLFlagSetForTesting(usage func()) {
function TestReadStdin (line 90) | func TestReadStdin(t *testing.T) {
function TestPopFirstArg (line 106) | func TestPopFirstArg(t *testing.T) {
FILE: cli/config.go
type Config (line 14) | type Config struct
function registerFlags (line 76) | func registerFlags(c *Config, f *flag.FlagSet) {
function RootFromConfig (line 139) | func RootFromConfig(c *Config) universal.Root {
FILE: cli/crl/crl.go
function generateCRL (line 27) | func generateCRL(c cli.Config) (crlBytes []byte, err error) {
function crlMain (line 94) | func crlMain(args []string, c cli.Config) (err error) {
FILE: cli/crl/crl_test.go
constant fakeAKI (line 18) | fakeAKI = "fake aki"
constant testCaFile (line 19) | testCaFile = "../testdata/ca.pem"
constant testCaKeyFile (line 20) | testCaKeyFile = "../testdata/ca-key.pem"
function prepDB (line 23) | func prepDB() (err error) {
function verifyCRL (line 45) | func verifyCRL(t *testing.T, crlBytesDER []byte, serial string, expireAf...
function TestRevokeMain (line 65) | func TestRevokeMain(t *testing.T) {
function TestRevokeExpiry (line 79) | func TestRevokeExpiry(t *testing.T) {
FILE: cli/gencert/gencert.go
function gencertMain (line 40) | func gencertMain(args []string, c cli.Config) error {
FILE: cli/gencert/gencert_test.go
function TestGencertMain (line 11) | func TestGencertMain(t *testing.T) {
function TestGencertFile (line 54) | func TestGencertFile(t *testing.T) {
function TestGencertEnv (line 87) | func TestGencertEnv(t *testing.T) {
function TestBadGencertEnv (line 125) | func TestBadGencertEnv(t *testing.T) {
function TestBadGencertMain (line 176) | func TestBadGencertMain(t *testing.T) {
function TestOidMain (line 219) | func TestOidMain(t *testing.T) {
FILE: cli/gencrl/gencrl.go
function gencrlMain (line 25) | func gencrlMain(args []string, c cli.Config) (err error) {
FILE: cli/gencrl/gencrl_test.go
function TestGencrl (line 9) | func TestGencrl(t *testing.T) {
function TestGencrlTime (line 20) | func TestGencrlTime(t *testing.T) {
FILE: cli/gencsr/gencsr.go
function gencsrMain (line 28) | func gencsrMain(args []string, c cli.Config) (err error) {
FILE: cli/gencsr/gencsr_test.go
constant testKeyFile (line 14) | testKeyFile = "testdata/test-key.pem"
constant testCAKeyFile (line 15) | testCAKeyFile = "../testdata/ca-key.pem"
constant testCACertFile (line 16) | testCACertFile = "../testdata/ca.pem"
type stdoutRedirect (line 19) | type stdoutRedirect struct
method readAll (line 36) | func (pipe *stdoutRedirect) readAll() ([]byte, error) {
function newStdoutRedirect (line 25) | func newStdoutRedirect() (*stdoutRedirect, error) {
function checkResponse (line 42) | func checkResponse(out []byte) error {
function TestGencsr (line 59) | func TestGencsr(t *testing.T) {
function TestGencsrFromCert (line 78) | func TestGencsrFromCert(t *testing.T) {
function TestGencsrError (line 97) | func TestGencsrError(t *testing.T) {
FILE: cli/genkey/genkey.go
function genkeyMain (line 26) | func genkeyMain(args []string, c cli.Config) (err error) {
function Validator (line 77) | func Validator(req *csr.CertificateRequest) error {
FILE: cli/genkey/genkey_test.go
type stdoutRedirect (line 13) | type stdoutRedirect struct
method readAll (line 30) | func (pipe *stdoutRedirect) readAll() ([]byte, error) {
function newStdoutRedirect (line 19) | func newStdoutRedirect() (*stdoutRedirect, error) {
function checkResponse (line 36) | func checkResponse(out []byte) error {
function TestGenkey (line 53) | func TestGenkey(t *testing.T) {
FILE: cli/info/info.go
function getInfoFromRemote (line 30) | func getInfoFromRemote(c cli.Config) (resp *info.Resp, err error) {
function getInfoFromConfig (line 58) | func getInfoFromConfig(c cli.Config) (resp *info.Resp, err error) {
function infoMain (line 76) | func infoMain(args []string, c cli.Config) (err error) {
FILE: cli/ocspdump/ocspdump.go
function ocspdumpMain (line 28) | func ocspdumpMain(args []string, c cli.Config) error {
FILE: cli/ocsprefresh/ocsprefresh.go
function ocsprefreshMain (line 31) | func ocsprefreshMain(args []string, c cli.Config) error {
function SignerFromConfig (line 101) | func SignerFromConfig(c cli.Config) (ocsp.Signer, error) {
FILE: cli/ocsprefresh/ocsprefresh_test.go
function TestOCSPRefreshMain (line 19) | func TestOCSPRefreshMain(t *testing.T) {
FILE: cli/ocspserve/ocspserve.go
function ocspServerMain (line 29) | func ocspServerMain(args []string, c cli.Config) error {
FILE: cli/ocspsign/ocspsign.go
function ocspSignerMain (line 28) | func ocspSignerMain(args []string, c cli.Config) (err error) {
function SignerFromConfig (line 82) | func SignerFromConfig(c cli.Config) (ocsp.Signer, error) {
FILE: cli/printdefault/printdefault.go
function printAvailable (line 17) | func printAvailable() {
function printDefaults (line 24) | func printDefaults(args []string, c cli.Config) (err error) {
FILE: cli/revoke/revoke.go
function revokeMain (line 28) | func revokeMain(args []string, c cli.Config) error {
FILE: cli/revoke/revoke_test.go
constant fakeAKI (line 17) | fakeAKI = "fake aki"
function prepDB (line 20) | func prepDB() (err error) {
function TestRevokeMain (line 39) | func TestRevokeMain(t *testing.T) {
FILE: cli/scan/scan.go
function printJSON (line 27) | func printJSON(v interface{}) {
type context (line 35) | type context struct
method runWorker (line 53) | func (ctx *context) runWorker() {
function newContext (line 41) | func newContext(c cli.Config, numWorkers int) *context {
function parseCSV (line 67) | func parseCSV(hosts []string, csvFile string, maxHosts int) ([]string, e...
function scanMain (line 87) | func scanMain(args []string, c cli.Config) (err error) {
FILE: cli/scan/scan_test.go
function TestScanMain (line 11) | func TestScanMain(t *testing.T) {
FILE: cli/selfsign/selfsign.go
function selfSignMain (line 40) | func selfSignMain(args []string, c cli.Config) (err error) {
FILE: cli/selfsign/selfsign_test.go
function TestSelfSignMain (line 9) | func TestSelfSignMain(t *testing.T) {
function TestBadSelfSignMain (line 16) | func TestBadSelfSignMain(t *testing.T) {
FILE: cli/serve/serve.go
function v1APIPath (line 78) | func v1APIPath(path string) string {
type staticFS (line 94) | type staticFS struct
method Open (line 99) | func (s *staticFS) Open(name string) (fs.File, error) {
function registerHandlers (line 250) | func registerHandlers() {
function serverMain (line 279) | func serverMain(args []string, c cli.Config) error {
function defaultWrapHandler (line 373) | func defaultWrapHandler(path string, handler http.Handler, err error) (s...
function SetWrapHandler (line 380) | func SetWrapHandler(wh func(path string, handler http.Handler, err error...
function SetEndpoint (line 385) | func SetEndpoint(path string, getHandler func() (http.Handler, error)) {
FILE: cli/serve/serve_test.go
function TestServe (line 11) | func TestServe(t *testing.T) {
FILE: cli/serve/static/assets/cfssl.js
function getProp (line 19) | function getProp(obj, prop) {
function Tformat (line 93) | function Tformat(key) {
function appWrapper (line 99) | function appWrapper(module) {
function gradeToGlyphicon (line 151) | function gradeToGlyphicon(grade) {
function gradeToPanel (line 164) | function gradeToPanel(grade) {
function broad (line 309) | function broad() {
function connectivity (line 330) | function connectivity() {
function tlssession (line 369) | function tlssession() {
function pki (line 406) | function pki() {
function tlshandshake (line 459) | function tlshandshake() {
FILE: cli/sign/sign.go
function SignerFromConfigAndDB (line 43) | func SignerFromConfigAndDB(c cli.Config, db *sqlx.DB) (signer.Signer, er...
function SignerFromConfig (line 97) | func SignerFromConfig(c cli.Config) (s signer.Signer, err error) {
function signerMain (line 110) | func signerMain(args []string, c cli.Config) (err error) {
FILE: cli/sign/sign_test.go
function TestSignFromConfig (line 11) | func TestSignFromConfig(t *testing.T) {
function TestSignerMain (line 19) | func TestSignerMain(t *testing.T) {
function TestBadSigner (line 27) | func TestBadSigner(t *testing.T) {
function TestSignerWithDB (line 39) | func TestSignerWithDB(t *testing.T) {
FILE: cli/version/version.go
function FormatVersion (line 23) | func FormatVersion() string {
function versionMain (line 28) | func versionMain(args []string, c cli.Config) (err error) {
FILE: cli/version/version_test.go
function TestVersionMain (line 9) | func TestVersionMain(t *testing.T) {
FILE: cmd/cfssl-bundle/cfssl-bundle.go
function main (line 14) | func main() {
function printDefaultValue (line 60) | func printDefaultValue(f *flag.Flag) {
function registerFlags (line 69) | func registerFlags(c *cli.Config, f *flag.FlagSet) {
FILE: cmd/cfssl-certinfo/cfssl-certinfo.go
function main (line 18) | func main() {
function printDefaultValue (line 65) | func printDefaultValue(f *flag.Flag) {
function registerFlags (line 74) | func registerFlags(c *cli.Config, f *flag.FlagSet) {
FILE: cmd/cfssl-newkey/cfssl-newkey.go
function main (line 14) | func main() {
function printDefaultValue (line 61) | func printDefaultValue(f *flag.Flag) {
function registerFlags (line 70) | func registerFlags(c *cli.Config, f *flag.FlagSet) {
FILE: cmd/cfssl-scan/cfssl-scan.go
function main (line 15) | func main() {
function printDefaultValue (line 59) | func printDefaultValue(f *flag.Flag) {
function registerFlags (line 68) | func registerFlags(c *cli.Config, f *flag.FlagSet) {
FILE: cmd/cfssl/cfssl.go
function main (line 56) | func main() {
FILE: cmd/cfssljson/cfssljson.go
function readFile (line 16) | func readFile(filespec string) ([]byte, error) {
function writeFile (line 23) | func writeFile(filespec, contents string, perms os.FileMode) {
type ResponseMessage (line 32) | type ResponseMessage struct
type Response (line 38) | type Response struct
type outputFile (line 45) | type outputFile struct
function main (line 52) | func main() {
FILE: cmd/cfssljson/cfssljson_test.go
function TestReadFile (line 7) | func TestReadFile(t *testing.T) {
FILE: cmd/mkbundle/mkbundle.go
function worker (line 25) | func worker(paths chan string, bundler chan *x509.Certificate, pool *syn...
function supervisor (line 76) | func supervisor(paths chan string, bundler chan *x509.Certificate, numWo...
function makeBundle (line 88) | func makeBundle(filename string, bundler chan *x509.Certificate) {
function scanFiles (line 118) | func scanFiles(paths chan string) {
function main (line 140) | func main() {
FILE: cmd/multirootca/api.go
type SignatureResponse (line 22) | type SignatureResponse struct
type filter (line 26) | type filter
constant signOperation (line 54) | signOperation = "sign"
function fail (line 57) | func fail(w http.ResponseWriter, req *http.Request, status, code int, ms...
function dispatchRequest (line 78) | func dispatchRequest(w http.ResponseWriter, req *http.Request) {
function metricsDisallowed (line 196) | func metricsDisallowed(w http.ResponseWriter, req *http.Request) {
FILE: cmd/multirootca/ca.go
function parseSigner (line 26) | func parseSigner(root *config.Root) (signer.Signer, error) {
function main (line 51) | func main() {
FILE: config/config.go
type CSRWhitelist (line 37) | type CSRWhitelist struct
type OID (line 44) | type OID
method UnmarshalJSON (line 134) | func (oid *OID) UnmarshalJSON(data []byte) (err error) {
method MarshalJSON (line 148) | func (oid OID) MarshalJSON() ([]byte, error) {
type CertificatePolicy (line 49) | type CertificatePolicy struct
type CertificatePolicyQualifier (line 56) | type CertificatePolicyQualifier struct
type AuthRemote (line 62) | type AuthRemote struct
type CAConstraint (line 70) | type CAConstraint struct
type SigningProfile (line 78) | type SigningProfile struct
method populate (line 187) | func (p *SigningProfile) populate(cfg *Config) error {
method updateRemote (line 373) | func (p *SigningProfile) updateRemote(remote string) error {
method Usages (line 462) | func (p *SigningProfile) Usages() (ku x509.KeyUsage, eku []x509.ExtKey...
method validProfile (line 482) | func (p *SigningProfile) validProfile(isDefault bool) bool {
method hasLocalConfig (line 549) | func (p *SigningProfile) hasLocalConfig() bool {
function parseObjectIdentifier (line 152) | func parseObjectIdentifier(oidString string) (oid asn1.ObjectIdentifier,...
constant timeFormat (line 173) | timeFormat = "2006-01-02T15:04:05"
type Signing (line 585) | type Signing struct
method OverrideRemotes (line 382) | func (p *Signing) OverrideRemotes(remote string) error {
method SetClientCertKeyPairFromFile (line 401) | func (p *Signing) SetClientCertKeyPairFromFile(certFile string, keyFil...
method SetRemoteCAsFromFile (line 417) | func (p *Signing) SetRemoteCAsFromFile(caFile string) error {
method SetRemoteCAs (line 430) | func (p *Signing) SetRemoteCAs(remoteCAs *x509.CertPool) {
method NeedsRemoteSigner (line 438) | func (p *Signing) NeedsRemoteSigner() bool {
method NeedsLocalSigner (line 449) | func (p *Signing) NeedsLocalSigner() bool {
method warnSkippedSettings (line 567) | func (p *Signing) warnSkippedSettings() {
method Valid (line 608) | func (p *Signing) Valid() bool {
type Config (line 591) | type Config struct
method Valid (line 600) | func (c *Config) Valid() bool {
type AuthKey (line 664) | type AuthKey struct
function DefaultConfig (line 678) | func DefaultConfig() *SigningProfile {
function LoadFile (line 689) | func LoadFile(path string) (*Config, error) {
function LoadConfig (line 705) | func LoadConfig(config []byte) (*Config, error) {
FILE: config/config_test.go
function TestInvalidProfile (line 279) | func TestInvalidProfile(t *testing.T) {
function TestRemoteProfiles (line 301) | func TestRemoteProfiles(t *testing.T) {
function TestInvalidDefault (line 333) | func TestInvalidDefault(t *testing.T) {
function TestValidConfig (line 347) | func TestValidConfig(t *testing.T) {
function TestDefaultConfig (line 355) | func TestDefaultConfig(t *testing.T) {
function TestParse (line 365) | func TestParse(t *testing.T) {
function TestPopulateLintRegistry (line 412) | func TestPopulateLintRegistry(t *testing.T) {
function TestLoadFile (line 441) | func TestLoadFile(t *testing.T) {
function TestLoadInvalidConfigFile (line 457) | func TestLoadInvalidConfigFile(t *testing.T) {
function TestNeedLocalSigner (line 477) | func TestNeedLocalSigner(t *testing.T) {
function TestOverrideRemotes (line 520) | func TestOverrideRemotes(t *testing.T) {
function TestAuthRemoteConfig (line 541) | func TestAuthRemoteConfig(t *testing.T) {
function TestDuplicateRemoteConfig (line 565) | func TestDuplicateRemoteConfig(t *testing.T) {
function TestBadAuthRemoteConfig (line 572) | func TestBadAuthRemoteConfig(t *testing.T) {
function TestValidCAConstraint (line 594) | func TestValidCAConstraint(t *testing.T) {
function TestWantCopyExtension (line 603) | func TestWantCopyExtension(t *testing.T) {
function TestDontWantCopyExtension (line 614) | func TestDontWantCopyExtension(t *testing.T) {
FILE: crl/crl.go
function NewCRLFromFile (line 22) | func NewCRLFromFile(serialList, issuerFile, keyFile []byte, expiryTime s...
function NewCRLFromDB (line 79) | func NewCRLFromDB(certs []certdb.CertificateRecord, issuerCert *x509.Cer...
function CreateGenericCRL (line 100) | func CreateGenericCRL(certList []pkix.RevokedCertificate, key crypto.Sig...
FILE: crl/crl_test.go
constant serverCertFile (line 10) | serverCertFile = "testdata/ca.pem"
constant serverKeyFile (line 11) | serverKeyFile = "testdata/ca-key.pem"
constant tryTwoCert (line 12) | tryTwoCert = "testdata/caTwo.pem"
constant tryTwoKey (line 13) | tryTwoKey = "testdata/ca-keyTwo.pem"
constant serialList (line 14) | serialList = "testdata/serialList"
function TestNewCRLFromFile (line 17) | func TestNewCRLFromFile(t *testing.T) {
function TestNewCRLFromFileWithoutRevocations (line 51) | func TestNewCRLFromFileWithoutRevocations(t *testing.T) {
FILE: crypto/pkcs7/pkcs7.go
type signedData (line 59) | type signedData struct
type initPKCS7 (line 68) | type initPKCS7 struct
constant ObjIDData (line 76) | ObjIDData = "1.2.840.113549.1.7.1"
constant ObjIDSignedData (line 77) | ObjIDSignedData = "1.2.840.113549.1.7.2"
constant ObjIDEncryptedData (line 78) | ObjIDEncryptedData = "1.2.840.113549.1.7.6"
type PKCS7 (line 87) | type PKCS7 struct
type Content (line 94) | type Content struct
type SignedData (line 101) | type SignedData struct
type Data (line 109) | type Data struct
type EncryptedData (line 114) | type EncryptedData struct
type EncryptedContentInfo (line 121) | type EncryptedContentInfo struct
function ParsePKCS7 (line 130) | func ParsePKCS7(raw []byte) (msg *PKCS7, err error) {
FILE: csr/csr.go
constant curveP256 (line 31) | curveP256 = 256
constant curveP384 (line 32) | curveP384 = 384
constant curveP521 (line 33) | curveP521 = 521
type Name (line 37) | type Name struct
type KeyRequest (line 49) | type KeyRequest struct
method Algo (line 60) | func (kr *KeyRequest) Algo() string {
method Size (line 65) | func (kr *KeyRequest) Size() int {
method Generate (line 71) | func (kr *KeyRequest) Generate() (crypto.PrivateKey, error) {
method SigAlgo (line 108) | func (kr *KeyRequest) SigAlgo() x509.SignatureAlgorithm {
function NewKeyRequest (line 55) | func NewKeyRequest() *KeyRequest {
type CAConfig (line 140) | type CAConfig struct
type CertificateRequest (line 149) | type CertificateRequest struct
method Name (line 194) | func (cr *CertificateRequest) Name() (pkix.Name, error) {
function New (line 163) | func New() *CertificateRequest {
function appendIf (line 170) | func appendIf(s string, a *[]string) {
function OIDFromString (line 177) | func OIDFromString(s string) (asn1.ObjectIdentifier, error) {
type BasicConstraints (line 220) | type BasicConstraints struct
function ParseRequest (line 231) | func ParseRequest(req *CertificateRequest) (csr, key []byte, err error) {
function ExtractCertificateRequest (line 290) | func ExtractCertificateRequest(cert *x509.Certificate) *CertificateReque...
function getHosts (line 309) | func getHosts(cert *x509.Certificate) []string {
function getNames (line 324) | func getNames(sub pkix.Name) []Name {
type Generator (line 366) | type Generator struct
method ProcessRequest (line 372) | func (g *Generator) ProcessRequest(req *CertificateRequest) (csr, key ...
function IsNameEmpty (line 389) | func IsNameEmpty(n Name) bool {
function Regenerate (line 400) | func Regenerate(priv crypto.Signer, csr []byte) ([]byte, error) {
function GenerateDER (line 413) | func GenerateDER(priv crypto.Signer, req *CertificateRequest) (csr []byt...
function Generate (line 474) | func Generate(priv crypto.Signer, req *CertificateRequest) (csr []byte, ...
function appendCAInfoToCSR (line 491) | func appendCAInfoToCSR(reqConf *CAConfig, csr *x509.CertificateRequest) ...
function appendExtensionsToCSR (line 512) | func appendExtensionsToCSR(extensions []pkix.Extension, csr *x509.Certif...
FILE: csr/csr_test.go
function TestNew (line 22) | func TestNew(t *testing.T) {
function TestKeyRequest (line 30) | func TestKeyRequest(t *testing.T) {
function TestPKIXName (line 55) | func TestPKIXName(t *testing.T) {
function TestParseRequest (line 99) | func TestParseRequest(t *testing.T) {
function TestParseRequestCA (line 162) | func TestParseRequestCA(t *testing.T) {
function TestParseRequestCANoPathlen (line 223) | func TestParseRequestCANoPathlen(t *testing.T) {
function whichCurve (line 285) | func whichCurve(sz int) elliptic.Curve {
function TestECGeneration (line 300) | func TestECGeneration(t *testing.T) {
function TestED25519Generation (line 319) | func TestED25519Generation(t *testing.T) {
function TestRSAKeyGeneration (line 334) | func TestRSAKeyGeneration(t *testing.T) {
function TestBadKeyRequest (line 357) | func TestBadKeyRequest(t *testing.T) {
function TestDefaultKeyRequest (line 392) | func TestDefaultKeyRequest(t *testing.T) {
function TestRSACertRequest (line 436) | func TestRSACertRequest(t *testing.T) {
function TestED25519CertRequest (line 459) | func TestED25519CertRequest(t *testing.T) {
function TestBadCertRequest (line 481) | func TestBadCertRequest(t *testing.T) {
function testValidator (line 505) | func testValidator(req *CertificateRequest) error {
function TestGenerator (line 515) | func TestGenerator(t *testing.T) {
function TestBadGenerator (line 571) | func TestBadGenerator(t *testing.T) {
function TestWeakCSR (line 594) | func TestWeakCSR(t *testing.T) {
function TestIsNameEmpty (line 647) | func TestIsNameEmpty(t *testing.T) {
function TestGenerate (line 655) | func TestGenerate(t *testing.T) {
function TestGenerateASN1 (line 708) | func TestGenerateASN1(t *testing.T) {
function TestReGenerate (line 763) | func TestReGenerate(t *testing.T) {
function TestBadReGenerate (line 806) | func TestBadReGenerate(t *testing.T) {
function TestExtractCertificateRequest (line 855) | func TestExtractCertificateRequest(t *testing.T) {
function TestDelegationCSR (line 889) | func TestDelegationCSR(t *testing.T) {
FILE: errors/error.go
type Error (line 13) | type Error struct
method Error (line 216) | func (e *Error) Error() string {
type Category (line 19) | type Category
type Reason (line 22) | type Reason
constant Success (line 26) | Success Category = 1000 * iota
constant CertificateError (line 29) | CertificateError
constant PrivateKeyError (line 32) | PrivateKeyError
constant IntermediatesError (line 35) | IntermediatesError
constant RootError (line 38) | RootError
constant PolicyError (line 42) | PolicyError
constant DialError (line 45) | DialError
constant APIClientError (line 48) | APIClientError
constant OCSPError (line 51) | OCSPError
constant CSRError (line 54) | CSRError
constant CTError (line 57) | CTError
constant CertStoreError (line 60) | CertStoreError
constant None (line 65) | None Reason = iota
constant BundleExpiringBit (line 70) | BundleExpiringBit int = 1 << iota
constant BundleNotUbiquitousBit (line 71) | BundleNotUbiquitousBit
constant Unknown (line 76) | Unknown Reason = iota
constant ReadFailed (line 77) | ReadFailed
constant DecodeFailed (line 78) | DecodeFailed
constant ParseFailed (line 79) | ParseFailed
constant SelfSigned (line 87) | SelfSigned Reason = 100 * (iota + 1)
constant VerifyFailed (line 92) | VerifyFailed
constant BadRequest (line 95) | BadRequest
constant MissingSerial (line 100) | MissingSerial
constant certificateInvalid (line 104) | certificateInvalid = 10 * (iota + 1)
constant unknownAuthority (line 105) | unknownAuthority
constant Encrypted (line 114) | Encrypted Reason = 100 * (iota + 1)
constant NotRSAOrECCOrEd25519 (line 119) | NotRSAOrECCOrEd25519
constant KeyMismatch (line 123) | KeyMismatch
constant GenerationFailed (line 127) | GenerationFailed
constant Unavailable (line 132) | Unavailable
constant NoKeyUsages (line 140) | NoKeyUsages Reason = 100 * (iota + 1)
constant InvalidPolicy (line 144) | InvalidPolicy
constant InvalidRequest (line 148) | InvalidRequest
constant UnknownProfile (line 151) | UnknownProfile
constant UnmatchedWhitelist (line 153) | UnmatchedWhitelist
constant AuthenticationFailure (line 161) | AuthenticationFailure Reason = 100 * (iota + 1)
constant JSONError (line 164) | JSONError
constant IOError (line 167) | IOError
constant ClientHTTPError (line 170) | ClientHTTPError
constant ServerRequestFailed (line 174) | ServerRequestFailed
constant IssuerMismatch (line 182) | IssuerMismatch Reason = 100 * (iota + 1)
constant InvalidStatus (line 186) | InvalidStatus
constant PrecertSubmissionFailed (line 193) | PrecertSubmissionFailed = 100 * (iota + 1)
constant CTClientConstructionFailed (line 196) | CTClientConstructionFailed
constant PrecertMissingPoison (line 199) | PrecertMissingPoison
constant PrecertInvalidPoison (line 203) | PrecertInvalidPoison
constant InsertionFailed (line 209) | InsertionFailed = 100 * (iota + 1)
constant RecordNotFound (line 212) | RecordNotFound
function New (line 228) | func New(category Category, reason Reason) *Error {
function Wrap (line 404) | func Wrap(category Category, reason Reason, err error) *Error {
FILE: errors/error_test.go
function TestNew (line 10) | func TestNew(t *testing.T) {
function TestWrap (line 223) | func TestWrap(t *testing.T) {
function TestMarshal (line 265) | func TestMarshal(t *testing.T) {
function TestErrorString (line 279) | func TestErrorString(t *testing.T) {
function TestHTTP (line 288) | func TestHTTP(t *testing.T) {
function TestHTTPErrorString (line 332) | func TestHTTPErrorString(t *testing.T) {
FILE: errors/http.go
type HTTPError (line 9) | type HTTPError struct
method Error (line 15) | func (e *HTTPError) Error() string {
function NewMethodNotAllowed (line 22) | func NewMethodNotAllowed(method string) *HTTPError {
function NewBadRequest (line 27) | func NewBadRequest(err error) *HTTPError {
function NewBadRequestString (line 33) | func NewBadRequestString(s string) *HTTPError {
function NewBadRequestMissingParameter (line 39) | func NewBadRequestMissingParameter(s string) *HTTPError {
function NewBadRequestUnwantedParameter (line 45) | func NewBadRequestUnwantedParameter(s string) *HTTPError {
FILE: helpers/derhelpers/derhelpers.go
function ParsePrivateKeyDER (line 17) | func ParsePrivateKeyDER(keyDER []byte) (key crypto.Signer, err error) {
FILE: helpers/derhelpers/ed25519.go
type subjectPublicKeyInfo (line 21) | type subjectPublicKeyInfo struct
function MarshalEd25519PublicKey (line 30) | func MarshalEd25519PublicKey(pk crypto.PublicKey) ([]byte, error) {
function ParseEd25519PublicKey (line 50) | func ParseEd25519PublicKey(der []byte) (crypto.PublicKey, error) {
type oneAsymmetricKey (line 74) | type oneAsymmetricKey struct
type curvePrivateKey (line 82) | type curvePrivateKey
function MarshalEd25519PrivateKey (line 86) | func MarshalEd25519PrivateKey(sk crypto.PrivateKey) ([]byte, error) {
function ParseEd25519PrivateKey (line 110) | func ParseEd25519PrivateKey(der []byte) (crypto.PrivateKey, error) {
FILE: helpers/derhelpers/ed25519_test.go
function TestParseMarshalEd25519PublicKey (line 19) | func TestParseMarshalEd25519PublicKey(t *testing.T) {
function TestParseMarshalEd25519PrivateKey (line 45) | func TestParseMarshalEd25519PrivateKey(t *testing.T) {
function TestKeyPair (line 71) | func TestKeyPair(t *testing.T) {
FILE: helpers/helpers.go
constant OneYear (line 36) | OneYear = 8760 * time.Hour
constant OneDay (line 39) | OneDay = 24 * time.Hour
function InclusiveDate (line 53) | func InclusiveDate(year int, month time.Month, day int) time.Time {
function KeyLength (line 66) | func KeyLength(key interface{}) int {
function ExpiryTime (line 82) | func ExpiryTime(chain []*x509.Certificate) (notAfter time.Time) {
function MonthsValid (line 97) | func MonthsValid(c *x509.Certificate) int {
function ValidExpiry (line 113) | func ValidExpiry(c *x509.Certificate) bool {
function SignatureString (line 131) | func SignatureString(alg x509.SignatureAlgorithm) string {
function HashAlgoString (line 166) | func HashAlgoString(alg x509.SignatureAlgorithm) string {
function StringTLSVersion (line 201) | func StringTLSVersion(version string) uint16 {
function EncodeCertificatesPEM (line 213) | func EncodeCertificatesPEM(certs []*x509.Certificate) []byte {
function EncodeCertificatePEM (line 226) | func EncodeCertificatePEM(cert *x509.Certificate) []byte {
function ParseCertificatesPEM (line 232) | func ParseCertificatesPEM(certsPEM []byte) ([]*x509.Certificate, error) {
function ParseCertificatesDER (line 256) | func ParseCertificatesDER(certsDER []byte, password string) (certs []*x5...
function ParseSelfSignedCertificatePEM (line 284) | func ParseSelfSignedCertificatePEM(certPEM []byte) (*x509.Certificate, e...
function ParseCertificatePEM (line 298) | func ParseCertificatePEM(certPEM []byte) (*x509.Certificate, error) {
function ParseOneCertificateFromPEM (line 319) | func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, [...
function LoadPEMCertPool (line 346) | func LoadPEMCertPool(certsFile string) (*x509.CertPool, error) {
function PEMToCertPool (line 359) | func PEMToCertPool(pemCerts []byte) (*x509.CertPool, error) {
function ParsePrivateKeyPEM (line 375) | func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.Signer, err error) {
function ParsePrivateKeyPEMWithPassword (line 382) | func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key...
function GetKeyDERFromPEM (line 392) | func GetKeyDERFromPEM(in []byte, password []byte) ([]byte, error) {
function ParseCSR (line 418) | func ParseCSR(in []byte) (csr *x509.CertificateRequest, rest []byte, err...
function ParseCSRPEM (line 446) | func ParseCSRPEM(csrPEM []byte) (*x509.CertificateRequest, error) {
function ParseCSRDER (line 463) | func ParseCSRDER(csrDER []byte) (*x509.CertificateRequest, error) {
function SignerAlgo (line 478) | func SignerAlgo(priv crypto.Signer) x509.SignatureAlgorithm {
function LoadClientCertificate (line 511) | func LoadClientCertificate(certFile string, keyFile string) (*tls.Certif...
function CreateTLSConfig (line 525) | func CreateTLSConfig(remoteCAs *x509.CertPool, cert *tls.Certificate) *t...
function SerializeSCTList (line 537) | func SerializeSCTList(sctList []ct.SignedCertificateTimestamp) ([]byte, ...
function DeserializeSCTList (line 550) | func DeserializeSCTList(serializedSCTList []byte) ([]ct.SignedCertificat...
function SCTListFromOCSPResponse (line 577) | func SCTListFromOCSPResponse(response *ocsp.Response) ([]ct.SignedCertif...
function ReadBytes (line 612) | func ReadBytes(valFile string) ([]byte, error) {
FILE: helpers/helpers_test.go
constant testCertFile (line 24) | testCertFile = "testdata/cert.pem"
constant testCertDERFile (line 25) | testCertDERFile = "testdata/cert.der"
constant testBundleFile (line 26) | testBundleFile = "testdata/bundle.pem"
constant testExtraWSCertFile (line 27) | testExtraWSCertFile = "testdata/cert_with_whitespace.pem"
constant testExtraWSBundleFile (line 28) | testExtraWSBundleFile = "testdata/bundle_with_whitespace.pem"
constant testMessedUpBundleFile (line 29) | testMessedUpBundleFile = "testdata/messed_up_bundle.pem"
constant testMessedUpCertFile (line 30) | testMessedUpCertFile = "testdata/messedupcert.pem"
constant testEmptyCertFile (line 31) | testEmptyCertFile = "testdata/emptycert.pem"
constant testPrivateRSAKey (line 32) | testPrivateRSAKey = "testdata/priv_rsa_key.pem"
constant testPrivateECDSAKey (line 33) | testPrivateECDSAKey = "testdata/private_ecdsa_key.pem"
constant testPrivateEd25519Key (line 34) | testPrivateEd25519Key = "testdata/private_ed25519_key.pem"
constant testPrivateOpenSSLECKey (line 35) | testPrivateOpenSSLECKey = "testdata/openssl_secp384.pem"
constant testUnsupportedECDSAKey (line 36) | testUnsupportedECDSAKey = "testdata/secp256k1-key.pem"
constant testMessedUpPrivateKey (line 37) | testMessedUpPrivateKey = "testdata/messed_up_priv_key.pem"
constant testEncryptedPrivateKey (line 38) | testEncryptedPrivateKey = "testdata/enc_priv_key.pem"
constant testEmptyPem (line 39) | testEmptyPem = "testdata/empty.pem"
constant testNoHeaderCert (line 40) | testNoHeaderCert = "testdata/noheadercert.pem"
constant testSinglePKCS7 (line 41) | testSinglePKCS7 = "testdata/cert_pkcs7.pem"
constant testEmptyPKCS7DER (line 42) | testEmptyPKCS7DER = "testdata/empty_pkcs7.der"
constant testEmptyPKCS7PEM (line 43) | testEmptyPKCS7PEM = "testdata/empty_pkcs7.pem"
constant testMultiplePKCS7 (line 44) | testMultiplePKCS7 = "testdata/bundle_pkcs7.pem"
constant testPKCS12EmptyPswd (line 45) | testPKCS12EmptyPswd = "testdata/emptypasswordpkcs12.p12"
constant testPKCS12Passwordispassword (line 46) | testPKCS12Passwordispassword = "testdata/passwordpkcs12.p12"
constant testPKCS12MultipleCerts (line 47) | testPKCS12MultipleCerts = "testdata/multiplecerts.p12"
constant testCSRPEM (line 48) | testCSRPEM = "testdata/test.csr.pem"
constant testCSRPEMBad (line 49) | testCSRPEMBad = "testdata/test.bad.csr.pem"
function TestParseCertificatesDER (line 52) | func TestParseCertificatesDER(t *testing.T) {
function TestKeyLength (line 78) | func TestKeyLength(t *testing.T) {
function TestExpiryTime (line 122) | func TestExpiryTime(t *testing.T) {
function TestMonthsValid (line 144) | func TestMonthsValid(t *testing.T) {
function TestHasValidExpiry (line 166) | func TestHasValidExpiry(t *testing.T) {
function TestHashAlgoString (line 196) | func TestHashAlgoString(t *testing.T) {
function TestSignatureString (line 241) | func TestSignatureString(t *testing.T) {
function TestParseCertificatePEM (line 286) | func TestParseCertificatePEM(t *testing.T) {
function TestParseCertificatesPEM (line 310) | func TestParseCertificatesPEM(t *testing.T) {
function TestSelfSignedCertificatePEM (line 338) | func TestSelfSignedCertificatePEM(t *testing.T) {
function TestParsePrivateKeyPEM (line 369) | func TestParsePrivateKeyPEM(t *testing.T) {
constant ecdsaTestCSR (line 429) | ecdsaTestCSR = "testdata/ecdsa256.csr"
function TestParseCSRPEM (line 431) | func TestParseCSRPEM(t *testing.T) {
function TestParseCSRPEMMore (line 450) | func TestParseCSRPEMMore(t *testing.T) {
constant rsaOldTestCSR (line 475) | rsaOldTestCSR = "testdata/rsa-old.csr"
function TestParseOldCSR (line 477) | func TestParseOldCSR(t *testing.T) {
constant clientCertFile (line 490) | clientCertFile = "testdata/ca.pem"
constant clientKeyFile (line 491) | clientKeyFile = "testdata/ca_key.pem"
function TestClientCertParams (line 493) | func TestClientCertParams(t *testing.T) {
function TestLoadPEMCertPool (line 521) | func TestLoadPEMCertPool(t *testing.T) {
function sctEquals (line 562) | func sctEquals(sctA, sctB ct.SignedCertificateTimestamp) bool {
function TestDeserializeSCTList (line 576) | func TestDeserializeSCTList(t *testing.T) {
function TestSCTListFromOCSPResponse (line 646) | func TestSCTListFromOCSPResponse(t *testing.T) {
FILE: helpers/testsuite/testing_helpers.go
type CFSSLServerData (line 25) | type CFSSLServerData struct
type CFSSLServer (line 34) | type CFSSLServer struct
method Kill (line 132) | func (server *CFSSLServer) Kill() error {
function StartCFSSLServer (line 41) | func StartCFSSLServer(address string, portNumber int, serverData CFSSLSe...
function CreateCertificateChain (line 142) | func CreateCertificateChain(requests []csr.CertificateRequest) (certChai...
function CreateSelfSignedCert (line 171) | func CreateSelfSignedCert(request csr.CertificateRequest) (encodedCert, ...
function SignCertificate (line 214) | func SignCertificate(request csr.CertificateRequest, signerCert, signerK...
function createTempFile (line 310) | func createTempFile(data []byte) (fileName string, err error) {
function checkCLIOutput (line 335) | func checkCLIOutput(CLIOutput []byte) error {
function cleanCLIOutput (line 347) | func cleanCLIOutput(CLIOutput []byte, item string) (cleanedOutput []byte...
function NewConfig (line 369) | func NewConfig(t *testing.T, configBytes []byte) *config.Config {
type CSRTest (line 381) | type CSRTest struct
FILE: helpers/testsuite/testing_helpers_test.go
constant testDataDirectory (line 21) | testDataDirectory = "testdata"
constant initCADirectory (line 22) | initCADirectory = testDataDirectory + string(os.PathSeparator) + "initCA"
constant preMadeOutput (line 23) | preMadeOutput = initCADirectory + string(os.PathSeparator) + "cfssl_...
constant csrFile (line 24) | csrFile = testDataDirectory + string(os.PathSeparator) + "cert...
function TestStartCFSSLServer (line 67) | func TestStartCFSSLServer(t *testing.T) {
function TestCreateCertificateChain (line 140) | func TestCreateCertificateChain(t *testing.T) {
function TestCreateSelfSignedCert (line 278) | func TestCreateSelfSignedCert(t *testing.T) {
function chainsEqual (line 330) | func chainsEqual(chain1, chain2 []*x509.Certificate) bool {
function nullifyTimeDependency (line 348) | func nullifyTimeDependency(cert *x509.Certificate) *x509.Certificate {
function checkFields (line 373) | func checkFields(struct1, struct2 interface{}, typeOfStructs reflect.Typ...
function checkFieldsOfChains (line 390) | func checkFieldsOfChains(chain1, chain2 []*x509.Certificate) [][]string {
function certEqualsRequest (line 407) | func certEqualsRequest(cert *x509.Certificate, request csr.CertificateRe...
function randomElement (line 476) | func randomElement(set []string) string {
FILE: info/info.go
type Req (line 5) | type Req struct
type Resp (line 11) | type Resp struct
FILE: initca/initca.go
function validator (line 29) | func validator(req *csr.CertificateRequest) error {
function New (line 48) | func New(req *csr.CertificateRequest) (cert, csrPEM, key []byte, err err...
function NewFromPEM (line 105) | func NewFromPEM(req *csr.CertificateRequest, keyFile string) (cert, csrP...
function RenewFromPEM (line 124) | func RenewFromPEM(caFile, keyFile string) ([]byte, error) {
function NewFromSigner (line 149) | func NewFromSigner(req *csr.CertificateRequest, priv crypto.Signer) (cer...
function RenewFromSigner (line 189) | func RenewFromSigner(ca *x509.Certificate, priv crypto.Signer) ([]byte, ...
function Update (line 247) | func Update(ca *x509.Certificate, priv crypto.Signer) (cert []byte, err ...
FILE: initca/initca_test.go
function TestInitCA (line 68) | func TestInitCA(t *testing.T) {
function TestInvalidCAConfig (line 196) | func TestInvalidCAConfig(t *testing.T) {
function TestInvalidCryptoParams (line 219) | func TestInvalidCryptoParams(t *testing.T) {
type validation (line 248) | type validation struct
function TestValidations (line 268) | func TestValidations(t *testing.T) {
function TestRenewRSA (line 281) | func TestRenewRSA(t *testing.T) {
function TestRenewED25519 (line 318) | func TestRenewED25519(t *testing.T) {
function TestRenewECDSA (line 355) | func TestRenewECDSA(t *testing.T) {
function TestRenewMismatch (line 392) | func TestRenewMismatch(t *testing.T) {
function TestRenew (line 399) | func TestRenew(t *testing.T) {
FILE: log/log.go
constant LevelDebug (line 17) | LevelDebug = iota
constant LevelInfo (line 19) | LevelInfo
constant LevelWarning (line 21) | LevelWarning
constant LevelError (line 23) | LevelError
constant LevelCritical (line 25) | LevelCritical
constant LevelFatal (line 27) | LevelFatal
type SyslogWriter (line 46) | type SyslogWriter interface
function SetLogger (line 61) | func SetLogger(logger SyslogWriter) {
function print (line 65) | func print(l int, msg string) {
function outputf (line 88) | func outputf(l int, format string, v []interface{}) {
function output (line 92) | func output(l int, v []interface{}) {
function Fatalf (line 98) | func Fatalf(format string, v ...interface{}) {
function Fatal (line 104) | func Fatal(v ...interface{}) {
function Criticalf (line 111) | func Criticalf(format string, v ...interface{}) {
function Critical (line 116) | func Critical(v ...interface{}) {
function Errorf (line 122) | func Errorf(format string, v ...interface{}) {
function Error (line 127) | func Error(v ...interface{}) {
function Warningf (line 133) | func Warningf(format string, v ...interface{}) {
function Warning (line 138) | func Warning(v ...interface{}) {
function Infof (line 144) | func Infof(format string, v ...interface{}) {
function Info (line 149) | func Info(v ...interface{}) {
function Debugf (line 155) | func Debugf(format string, v ...interface{}) {
function Debug (line 160) | func Debug(v ...interface{}) {
FILE: log/log_test.go
constant teststring (line 10) | teststring = "asdf123"
function TestOutputf (line 12) | func TestOutputf(t *testing.T) {
function TestOutput (line 25) | func TestOutput(t *testing.T) {
function TestCriticalf (line 38) | func TestCriticalf(t *testing.T) {
function TestCritical (line 51) | func TestCritical(t *testing.T) {
function TestWarningf (line 63) | func TestWarningf(t *testing.T) {
function TestWarning (line 76) | func TestWarning(t *testing.T) {
function TestInfof (line 88) | func TestInfof(t *testing.T) {
function TestInfo (line 101) | func TestInfo(t *testing.T) {
function TestDebugf (line 113) | func TestDebugf(t *testing.T) {
function TestDebug (line 127) | func TestDebug(t *testing.T) {
type testSyslogger (line 140) | type testSyslogger struct
method Debug (line 144) | func (l testSyslogger) Debug(s string) {
method Info (line 149) | func (l testSyslogger) Info(s string) {
method Warning (line 154) | func (l testSyslogger) Warning(s string) {
method Err (line 159) | func (l testSyslogger) Err(s string) {
method Crit (line 164) | func (l testSyslogger) Crit(s string) {
method Emerg (line 169) | func (l testSyslogger) Emerg(s string) {
function TestSetLogger (line 174) | func TestSetLogger(t *testing.T) {
FILE: multiroot/config/config.go
type RawMap (line 30) | type RawMap
method SectionInConfig (line 91) | func (c *RawMap) SectionInConfig(section string) bool {
function ParseToRawMap (line 43) | func ParseToRawMap(fileName string) (cfg RawMap, err error) {
type Root (line 101) | type Root struct
function LoadRoot (line 110) | func LoadRoot(cfg map[string]string) (*Root, error) {
function parsePrivateKeySpec (line 169) | func parsePrivateKeySpec(spec string, cfg map[string]string) (crypto.Sig...
function parseACL (line 263) | func parseACL(nets string) (whitelist.NetACL, error) {
type RootList (line 281) | type RootList
function Parse (line 304) | func Parse(filename string) (RootList, error) {
FILE: multiroot/config/config_test.go
function UnlinkIfExists (line 14) | func UnlinkIfExists(file string) {
function stringSlicesEqual (line 24) | func stringSlicesEqual(slice1, slice2 []string) bool {
function TestGoodConfig (line 43) | func TestGoodConfig(t *testing.T) {
function TestGoodConfig2 (line 53) | func TestGoodConfig2(t *testing.T) {
function TestBadConfig (line 65) | func TestBadConfig(t *testing.T) {
function TestQuotedValue (line 73) | func TestQuotedValue(t *testing.T) {
function TestENoEnt (line 91) | func TestENoEnt(t *testing.T) {
function TestLoadRoots (line 98) | func TestLoadRoots(t *testing.T) {
function TestLoadDERRoots (line 115) | func TestLoadDERRoots(t *testing.T) {
function TestLoadKSMRoot (line 132) | func TestLoadKSMRoot(t *testing.T) {
function TestLoadBadRootConfs (line 139) | func TestLoadBadRootConfs(t *testing.T) {
constant confWhitelist (line 165) | confWhitelist = "testdata/roots_whitelist.conf"
function TestLoadWhitelist (line 167) | func TestLoadWhitelist(t *testing.T) {
constant confWhitelistIPv6 (line 210) | confWhitelistIPv6 = "testdata/roots_whitelist_ipv6.conf"
function TestLoadIPv6Whitelist (line 212) | func TestLoadIPv6Whitelist(t *testing.T) {
constant confDBConfig (line 259) | confDBConfig = "testdata/roots_db.conf"
function TestLoadDBConfig (line 261) | func TestLoadDBConfig(t *testing.T) {
FILE: ocsp/config/config.go
type Config (line 8) | type Config struct
FILE: ocsp/ocsp.go
type SignRequest (line 49) | type SignRequest struct
type Signer (line 68) | type Signer interface
type StandardSigner (line 77) | type StandardSigner struct
method Sign (line 156) | func (s StandardSigner) Sign(req SignRequest) ([]byte, error) {
function ReasonStringToCode (line 85) | func ReasonStringToCode(reason string) (reasonCode int, err error) {
function NewSignerFromFile (line 107) | func NewSignerFromFile(issuerFile, responderFile, keyFile string, interv...
function NewSigner (line 145) | func NewSigner(issuer, responder *x509.Certificate, key crypto.Signer, i...
FILE: ocsp/ocsp_test.go
constant serverCertFile (line 14) | serverCertFile = "testdata/ca.pem"
constant serverKeyFile (line 15) | serverKeyFile = "testdata/ca-key.pem"
constant otherCertFile (line 16) | otherCertFile = "testdata/cert.pem"
constant brokenServerCert (line 17) | brokenServerCert = "testdata/server_broken.crt"
constant brokenServerKey (line 18) | brokenServerKey = "testdata/server_broken.key"
constant wrongServerCertFile (line 19) | wrongServerCertFile = "testdata/server.crt"
constant wrongServerKeyFile (line 20) | wrongServerKeyFile = "testdata/server.key"
function TestNewSignerFromFile (line 23) | func TestNewSignerFromFile(t *testing.T) {
function setup (line 66) | func setup(t *testing.T) (SignRequest, time.Duration) {
function TestSignNoResponder (line 85) | func TestSignNoResponder(t *testing.T) {
function TestSign (line 105) | func TestSign(t *testing.T) {
function TestSignCustomInterval (line 149) | func TestSignCustomInterval(t *testing.T) {
FILE: ocsp/responder.go
type Source (line 56) | type Source interface
type InMemorySource (line 61) | type InMemorySource
method Response (line 66) | func (src InMemorySource) Response(request *ocsp.Request) ([]byte, htt...
type DBSource (line 75) | type DBSource struct
method Response (line 89) | func (src DBSource) Response(req *ocsp.Request) ([]byte, http.Header, ...
function NewDBSource (line 80) | func NewDBSource(dbAccessor certdb.Accessor) Source {
function NewSourceFromFile (line 134) | func NewSourceFromFile(responseFile string) (Source, error) {
function NewSourceFromDB (line 168) | func NewSourceFromDB(DBConfigFile string) (Source, error) {
type Stats (line 184) | type Stats interface
type Responder (line 190) | type Responder struct
method ServeHTTP (line 253) | func (rs Responder) ServeHTTP(response http.ResponseWriter, request *h...
function NewResponder (line 197) | func NewResponder(source Source, stats Stats) *Responder {
function overrideHeaders (line 205) | func overrideHeaders(response http.ResponseWriter, headers http.Header) {
type logEvent (line 218) | type logEvent struct
FILE: ocsp/responder_test.go
constant responseFile (line 23) | responseFile = "testdata/resp64.pem"
constant binResponseFile (line 24) | binResponseFile = "testdata/response.der"
constant brokenResponseFile (line 25) | brokenResponseFile = "testdata/response_broken.pem"
constant mixResponseFile (line 26) | mixResponseFile = "testdata/response_mix.pem"
type testSource (line 29) | type testSource struct
method Response (line 31) | func (ts testSource) Response(r *goocsp.Request) ([]byte, http.Header,...
type testCase (line 35) | type testCase struct
function TestOCSP (line 40) | func TestOCSP(t *testing.T) {
type testHeaderSource (line 80) | type testHeaderSource struct
method Response (line 84) | func (ts testHeaderSource) Response(r *goocsp.Request) ([]byte, http.H...
function TestOverrideHeaders (line 89) | func TestOverrideHeaders(t *testing.T) {
function TestCacheHeaders (line 114) | func TestCacheHeaders(t *testing.T) {
function TestNewSourceFromFile (line 177) | func TestNewSourceFromFile(t *testing.T) {
function TestSqliteTrivial (line 208) | func TestSqliteTrivial(t *testing.T) {
function TestSqliteRealResponse (line 270) | func TestSqliteRealResponse(t *testing.T) {
function TestNewSqliteSource (line 357) | func TestNewSqliteSource(t *testing.T) {
FILE: ocsp/universal/universal.go
function NewSignerFromConfig (line 9) | func NewSignerFromConfig(cfg ocspConfig.Config) (ocsp.Signer, error) {
FILE: revoke/revoke.go
function ldapURL (line 42) | func ldapURL(url string) bool {
function revCheck (line 63) | func revCheck(cert *x509.Certificate) (revoked, ok bool, err error) {
function fetchCRL (line 97) | func fetchCRL(url string) (*pkix.CertificateList, error) {
function getIssuer (line 115) | func getIssuer(cert *x509.Certificate) *x509.Certificate {
function certIsRevokedCRL (line 132) | func certIsRevokedCRL(cert *x509.Certificate, url string) (revoked, ok b...
function VerifyCertificate (line 184) | func VerifyCertificate(cert *x509.Certificate) (revoked, ok bool) {
function VerifyCertificateError (line 191) | func VerifyCertificateError(cert *x509.Certificate) (revoked, ok bool, e...
function fetchRemote (line 204) | func fetchRemote(url string) (*x509.Certificate, error) {
function certIsRevokedOCSP (line 228) | func certIsRevokedOCSP(leaf *x509.Certificate, strict bool) (revoked, ok...
function sendOCSPRequest (line 273) | func sendOCSPRequest(server string, req []byte, leaf, issuer *x509.Certi...
function SetCRLFetcher (line 317) | func SetCRLFetcher(fn func(io.Reader) ([]byte, error)) {
function SetRemoteFetcher (line 324) | func SetRemoteFetcher(fn func(io.Reader) ([]byte, error)) {
function SetOCSPFetcher (line 331) | func SetOCSPFetcher(fn func(io.Reader) ([]byte, error)) {
FILE: revoke/revoke_test.go
function mustParse (line 117) | func mustParse(pemData string) *x509.Certificate {
function TestRevoked (line 132) | func TestRevoked(t *testing.T) {
function TestExpired (line 140) | func TestExpired(t *testing.T) {
function TestGood (line 148) | func TestGood(t *testing.T) {
function TestLdap (line 157) | func TestLdap(t *testing.T) {
function TestLdapURLErr (line 165) | func TestLdapURLErr(t *testing.T) {
function TestCertNotYetValid (line 171) | func TestCertNotYetValid(t *testing.T) {
function TestCRLFetchError (line 180) | func TestCRLFetchError(t *testing.T) {
function TestBadCRLSet (line 193) | func TestBadCRLSet(t *testing.T) {
function TestCachedCRLSet (line 205) | func TestCachedCRLSet(t *testing.T) {
function TestRemoteFetchError (line 212) | func TestRemoteFetchError(t *testing.T) {
function TestNoOCSPServers (line 222) | func TestNoOCSPServers(t *testing.T) {
FILE: scan/broad.go
function incrementBytes (line 24) | func incrementBytes(bytes []byte) {
function intermediateCAScan (line 40) | func intermediateCAScan(addr, hostname string) (grade Grade, output Outp...
FILE: scan/connectivity.go
function dnsLookupScan (line 37) | func dnsLookupScan(addr, hostname string) (grade Grade, output Output, e...
function initOnCloudFlareScan (line 56) | func initOnCloudFlareScan() ([]*net.IPNet, error) {
function onCloudFlareScan (line 99) | func onCloudFlareScan(addr, hostname string) (grade Grade, output Output...
function tcpDialScan (line 132) | func tcpDialScan(addr, hostname string) (grade Grade, output Output, err...
function tlsDialScan (line 144) | func tlsDialScan(addr, hostname string) (grade Grade, output Output, err...
FILE: scan/crypto/crypto.go
type Hash (line 16) | type Hash
method HashFunc (line 19) | func (h Hash) HashFunc() Hash {
method Size (line 63) | func (h Hash) Size() int {
method New (line 74) | func (h Hash) New() hash.Hash {
method Available (line 85) | func (h Hash) Available() bool {
constant MD4 (line 24) | MD4 Hash = 1 + iota
constant MD5 (line 25) | MD5
constant SHA1 (line 26) | SHA1
constant SHA224 (line 27) | SHA224
constant SHA256 (line 28) | SHA256
constant SHA384 (line 29) | SHA384
constant SHA512 (line 30) | SHA512
constant MD5SHA1 (line 31) | MD5SHA1
constant RIPEMD160 (line 32) | RIPEMD160
constant SHA3_224 (line 33) | SHA3_224
constant SHA3_256 (line 34) | SHA3_256
constant SHA3_384 (line 35) | SHA3_384
constant SHA3_512 (line 36) | SHA3_512
constant SHA512_224 (line 37) | SHA512_224
constant SHA512_256 (line 38) | SHA512_256
constant maxHash (line 39) | maxHash
function RegisterHash (line 92) | func RegisterHash(h Hash, f func() hash.Hash) {
type PublicKey (line 100) | type PublicKey interface
type PrivateKey (line 103) | type PrivateKey interface
type Signer (line 107) | type Signer interface
type SignerOpts (line 129) | type SignerOpts interface
type Decrypter (line 139) | type Decrypter interface
type DecrypterOpts (line 150) | type DecrypterOpts interface
FILE: scan/crypto/md5/example_test.go
function ExampleNew (line 13) | func ExampleNew() {
function ExampleSum (line 21) | func ExampleSum() {
FILE: scan/crypto/md5/gen.go
function main (line 29) | func main() {
type Data (line 49) | type Data struct
function dup (line 68) | func dup(count int, x []int) []int {
function relabel (line 76) | func relabel(s string) string {
function rotate (line 80) | func rotate() string {
function init (line 85) | func init() {
FILE: scan/crypto/md5/md5.go
function init (line 15) | func init() {
constant Size (line 20) | Size = 16
constant BlockSize (line 23) | BlockSize = 64
constant chunk (line 26) | chunk = 64
constant init0 (line 27) | init0 = 0x67452301
constant init1 (line 28) | init1 = 0xEFCDAB89
constant init2 (line 29) | init2 = 0x98BADCFE
constant init3 (line 30) | init3 = 0x10325476
type digest (line 34) | type digest struct
method Reset (line 41) | func (d *digest) Reset() {
method Size (line 57) | func (d *digest) Size() int { return Size }
method BlockSize (line 59) | func (d *digest) BlockSize() int { return BlockSize }
method Write (line 61) | func (d *digest) Write(p []byte) (nn int, err error) {
method Sum (line 84) | func (d0 *digest) Sum(in []byte) []byte {
method checkSum (line 91) | func (d *digest) checkSum() [Size]byte {
function New (line 51) | func New() hash.Hash {
function Sum (line 125) | func Sum(data []byte) [Size]byte {
FILE: scan/crypto/md5/md5_test.go
type md5Test (line 15) | type md5Test struct
function TestGolden (line 54) | func TestGolden(t *testing.T) {
function TestLarge (line 85) | func TestLarge(t *testing.T) {
function TestBlockGeneric (line 110) | func TestBlockGeneric(t *testing.T) {
function benchmarkSize (line 125) | func benchmarkSize(b *testing.B, size int, unaligned bool) {
function BenchmarkHash8Bytes (line 141) | func BenchmarkHash8Bytes(b *testing.B) {
function BenchmarkHash1K (line 145) | func BenchmarkHash1K(b *testing.B) {
function BenchmarkHash8K (line 149) | func BenchmarkHash8K(b *testing.B) {
function BenchmarkHash8BytesUnaligned (line 153) | func BenchmarkHash8BytesUnaligned(b *testing.B) {
function BenchmarkHash1KUnaligned (line 157) | func BenchmarkHash1KUnaligned(b *testing.B) {
function BenchmarkHash8KUnaligned (line 161) | func BenchmarkHash8KUnaligned(b *testing.B) {
FILE: scan/crypto/md5/md5block.go
constant x86 (line 15) | x86 = runtime.GOARCH == "amd64" || runtime.GOARCH == "386"
function init (line 19) | func init() {
function blockGeneric (line 25) | func blockGeneric(dig *digest, p []byte) {
FILE: scan/crypto/md5/md5block_decl.go
function block (line 12) | func block(dig *digest, p []byte)
FILE: scan/crypto/rsa/example_test.go
function ExampleDecryptPKCS1v15SessionKey (line 38) | func ExampleDecryptPKCS1v15SessionKey() {
function ExampleSignPKCS1v15 (line 88) | func ExampleSignPKCS1v15() {
function ExampleVerifyPKCS1v15 (line 111) | func ExampleVerifyPKCS1v15() {
function ExampleEncryptOAEP (line 131) | func ExampleEncryptOAEP() {
function ExampleDecryptOAEP (line 150) | func ExampleDecryptOAEP() {
FILE: scan/crypto/rsa/pkcs1v15.go
type PKCS1v15DecryptOptions (line 19) | type PKCS1v15DecryptOptions struct
function EncryptPKCS1v15 (line 35) | func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) (out []...
function DecryptPKCS1v15 (line 72) | func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte...
function DecryptPKCS1v15SessionKey (line 106) | func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphert...
function decryptPKCS1v15 (line 137) | func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte...
function nonZeroRandomBytes (line 176) | func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) {
function SignPKCS1v15 (line 229) | func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, ha...
function VerifyPKCS1v15 (line 266) | func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig...
function pkcs1v15HashInfo (line 301) | func pkcs1v15HashInfo(hash crypto.Hash, inLen int) (hashLen int, prefix ...
function copyWithLeftPad (line 321) | func copyWithLeftPad(dest, src []byte) {
FILE: scan/crypto/rsa/pkcs1v15_test.go
function decodeBase64 (line 20) | func decodeBase64(in string) []byte {
type DecryptPKCS1v15Test (line 29) | type DecryptPKCS1v15Test struct
function TestDecryptPKCS1v15 (line 53) | func TestDecryptPKCS1v15(t *testing.T) {
function TestEncryptPKCS1v15 (line 77) | func TestEncryptPKCS1v15(t *testing.T) {
function TestEncryptPKCS1v15SessionKey (line 138) | func TestEncryptPKCS1v15SessionKey(t *testing.T) {
function TestEncryptPKCS1v15DecrypterSessionKey (line 152) | func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
function TestNonZeroRandomBytes (line 168) | func TestNonZeroRandomBytes(t *testing.T) {
type signPKCS1v15Test (line 184) | type signPKCS1v15Test struct
function TestSignPKCS1v15 (line 195) | func TestSignPKCS1v15(t *testing.T) {
function TestVerifyPKCS1v15 (line 213) | func TestVerifyPKCS1v15(t *testing.T) {
function TestOverlongMessagePKCS1v15 (line 228) | func TestOverlongMessagePKCS1v15(t *testing.T) {
function TestUnpaddedSignature (line 236) | func TestUnpaddedSignature(t *testing.T) {
function TestShortSessionKey (line 258) | func TestShortSessionKey(t *testing.T) {
FILE: scan/crypto/rsa/pss.go
function emsaPSSEncode (line 20) | func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash...
function emsaPSSVerify (line 93) | func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) e...
function signPSSWithSalt (line 194) | func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash,...
constant PSSSaltLengthAuto (line 213) | PSSSaltLengthAuto = 0
constant PSSSaltLengthEqualsHash (line 216) | PSSSaltLengthEqualsHash = -1
type PSSOptions (line 220) | type PSSOptions struct
method HashFunc (line 234) | func (pssOpts *PSSOptions) HashFunc() crypto.Hash {
method saltLength (line 238) | func (opts *PSSOptions) saltLength() int {
function SignPSS (line 249) | func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed ...
function VerifyPSS (line 274) | func VerifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []by...
function verifyPSS (line 279) | func verifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []by...
FILE: scan/crypto/rsa/pss_test.go
function TestEMSAPSS (line 24) | func TestEMSAPSS(t *testing.T) {
function TestPSSGolden (line 79) | func TestPSSGolden(t *testing.T) {
function TestPSSOpenSSL (line 170) | func TestPSSOpenSSL(t *testing.T) {
function TestPSSNilOpts (line 192) | func TestPSSNilOpts(t *testing.T) {
function TestPSSSigning (line 201) | func TestPSSSigning(t *testing.T) {
function bigFromHex (line 236) | func bigFromHex(hex string) *big.Int {
function intFromHex (line 244) | func intFromHex(hex string) int {
function fromHex (line 252) | func fromHex(hexStr string) []byte {
FILE: scan/crypto/rsa/rsa.go
type PublicKey (line 37) | type PublicKey struct
type OAEPOptions (line 44) | type OAEPOptions struct
function checkPub (line 63) | func checkPub(pub *PublicKey) error {
type PrivateKey (line 77) | type PrivateKey struct
method Public (line 88) | func (priv *PrivateKey) Public() crypto.PublicKey {
method Sign (line 97) | func (priv *PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.S...
method Decrypt (line 108) | func (priv *PrivateKey) Decrypt(rand io.Reader, ciphertext []byte, opt...
method Validate (line 156) | func (priv *PrivateKey) Validate() error {
method Precompute (line 431) | func (priv *PrivateKey) Precompute() {
type PrecomputedValues (line 136) | type PrecomputedValues struct
type CRTValue (line 148) | type CRTValue struct
function GenerateKey (line 194) | func GenerateKey(random io.Reader, bits int) (priv *PrivateKey, err erro...
function GenerateMultiPrimeKey (line 209) | func GenerateMultiPrimeKey(random io.Reader, nprimes int, bits int) (pri...
function incCounter (line 290) | func incCounter(c *[4]byte) {
function mgf1XOR (line 305) | func mgf1XOR(out []byte, hash hash.Hash, seed []byte) {
function encrypt (line 328) | func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int {
function EncryptOAEP (line 351) | func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg [...
function modInverse (line 407) | func modInverse(a, n *big.Int) (ia *big.Int, ok bool) {
function decrypt (line 462) | func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int...
function decryptAndCheck (line 538) | func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m ...
function DecryptOAEP (line 565) | func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, cip...
function leftPad (line 638) | func leftPad(input []byte, size int) (out []byte) {
FILE: scan/crypto/rsa/rsa_test.go
function TestKeyGeneration (line 17) | func TestKeyGeneration(t *testing.T) {
function Test3PrimeKeyGeneration (line 32) | func Test3PrimeKeyGeneration(t *testing.T) {
function Test4PrimeKeyGeneration (line 45) | func Test4PrimeKeyGeneration(t *testing.T) {
function TestNPrimeKeyGeneration (line 58) | func TestNPrimeKeyGeneration(t *testing.T) {
function TestGnuTLSKey (line 76) | func TestGnuTLSKey(t *testing.T) {
function testKeyBasics (line 94) | func testKeyBasics(t *testing.T, priv *PrivateKey) {
function fromBase10 (line 124) | func fromBase10(base10 string) *big.Int {
function init (line 134) | func init() {
function BenchmarkRSA2048Decrypt (line 149) | func BenchmarkRSA2048Decrypt(b *testing.B) {
function BenchmarkRSA2048Sign (line 161) | func BenchmarkRSA2048Sign(b *testing.B) {
function Benchmark3PrimeRSA2048Decrypt (line 171) | func Benchmark3PrimeRSA2048Decrypt(b *testing.B) {
type testEncryptOAEPMessage (line 196) | type testEncryptOAEPMessage struct
type testEncryptOAEPStruct (line 202) | type testEncryptOAEPStruct struct
function TestEncryptOAEP (line 209) | func TestEncryptOAEP(t *testing.T) {
function TestDecryptOAEP (line 229) | func TestDecryptOAEP(t *testing.T) {
FILE: scan/crypto/sha1/example_test.go
function ExampleNew (line 13) | func ExampleNew() {
function ExampleSum (line 21) | func ExampleSum() {
FILE: scan/crypto/sha1/sha1.go
function init (line 13) | func init() {
constant Size (line 18) | Size = 20
constant BlockSize (line 21) | BlockSize = 64
constant chunk (line 24) | chunk = 64
constant init0 (line 25) | init0 = 0x67452301
constant init1 (line 26) | init1 = 0xEFCDAB89
constant init2 (line 27) | init2 = 0x98BADCFE
constant init3 (line 28) | init3 = 0x10325476
constant init4 (line 29) | init4 = 0xC3D2E1F0
type digest (line 33) | type digest struct
method Reset (line 40) | func (d *digest) Reset() {
method Size (line 57) | func (d *digest) Size() int { return Size }
method BlockSize (line 59) | func (d *digest) BlockSize() int { return BlockSize }
method Write (line 61) | func (d *digest) Write(p []byte) (nn int, err error) {
method Sum (line 84) | func (d0 *digest) Sum(in []byte) []byte {
method checkSum (line 91) | func (d *digest) checkSum() [Size]byte {
function New (line 51) | func New() hash.Hash {
function Sum (line 125) | func Sum(data []byte) [Size]byte {
FILE: scan/crypto/sha1/sha1_test.go
type sha1Test (line 16) | type sha1Test struct
function TestGolden (line 55) | func TestGolden(t *testing.T) {
function TestSize (line 80) | func TestSize(t *testing.T) {
function TestBlockSize (line 87) | func TestBlockSize(t *testing.T) {
function TestBlockGeneric (line 95) | func TestBlockGeneric(t *testing.T) {
function benchmarkSize (line 109) | func benchmarkSize(b *testing.B, size int) {
function BenchmarkHash8Bytes (line 119) | func BenchmarkHash8Bytes(b *testing.B) {
function BenchmarkHash1K (line 123) | func BenchmarkHash1K(b *testing.B) {
function BenchmarkHash8K (line 127) | func BenchmarkHash8K(b *testing.B) {
FILE: scan/crypto/sha1/sha1block.go
constant _K0 (line 8) | _K0 = 0x5A827999
constant _K1 (line 9) | _K1 = 0x6ED9EBA1
constant _K2 (line 10) | _K2 = 0x8F1BBCDC
constant _K3 (line 11) | _K3 = 0xCA62C1D6
function blockGeneric (line 16) | func blockGeneric(dig *digest, p []byte) {
FILE: scan/crypto/sha1/sha1block_decl.go
function block (line 12) | func block(dig *digest, p []byte)
FILE: scan/crypto/sha256/sha256.go
function init (line 14) | func init() {
constant Size (line 20) | Size = 32
constant Size224 (line 23) | Size224 = 28
constant BlockSize (line 26) | BlockSize = 64
constant chunk (line 29) | chunk = 64
constant init0 (line 30) | init0 = 0x6A09E667
constant init1 (line 31) | init1 = 0xBB67AE85
constant init2 (line 32) | init2 = 0x3C6EF372
constant init3 (line 33) | init3 = 0xA54FF53A
constant init4 (line 34) | init4 = 0x510E527F
constant init5 (line 35) | init5 = 0x9B05688C
constant init6 (line 36) | init6 = 0x1F83D9AB
constant init7 (line 37) | init7 = 0x5BE0CD19
constant init0_224 (line 38) | init0_224 = 0xC1059ED8
constant init1_224 (line 39) | init1_224 = 0x367CD507
constant init2_224 (line 40) | init2_224 = 0x3070DD17
constant init3_224 (line 41) | init3_224 = 0xF70E5939
constant init4_224 (line 42) | init4_224 = 0xFFC00B31
constant init5_224 (line 43) | init5_224 = 0x68581511
constant init6_224 (line 44) | init6_224 = 0x64F98FA7
constant init7_224 (line 45) | init7_224 = 0xBEFA4FA4
type digest (line 49) | type digest struct
method Reset (line 57) | func (d *digest) Reset() {
method Size (line 96) | func (d *digest) Size() int {
method BlockSize (line 103) | func (d *digest) BlockSize() int { return BlockSize }
method Write (line 105) | func (d *digest) Write(p []byte) (nn int, err error) {
method Sum (line 128) | func (d0 *digest) Sum(in []byte) []byte {
method checkSum (line 138) | func (d *digest) checkSum() [Size]byte {
function New (line 82) | func New() hash.Hash {
function New224 (line 89) | func New224() hash.Hash {
function Sum256 (line 177) | func Sum256(data []byte) [Size]byte {
function Sum224 (line 185) | func Sum224(data []byte) (sum224 [Size224]byte) {
FILE: scan/crypto/sha256/sha256_test.go
type sha256Test (line 15) | type sha256Test struct
function TestGolden (line 88) | func TestGolden(t *testing.T) {
function TestSize (line 135) | func TestSize(t *testing.T) {
function TestBlockSize (line 146) | func TestBlockSize(t *testing.T) {
function benchmarkSize (line 156) | func benchmarkSize(b *testing.B, size int) {
function BenchmarkHash8Bytes (line 166) | func BenchmarkHash8Bytes(b *testing.B) {
function BenchmarkHash1K (line 170) | func BenchmarkHash1K(b *testing.B) {
function BenchmarkHash8K (line 174) | func BenchmarkHash8K(b *testing.B) {
FILE: scan/crypto/sha256/sha256block.go
function block (line 81) | func block(dig *digest, p []byte) {
FILE: scan/crypto/sha256/sha256block_decl.go
function block (line 12) | func block(dig *digest, p []byte)
FILE: scan/crypto/sha512/sha512.go
function init (line 14) | func init() {
constant Size (line 23) | Size = 64
constant Size224 (line 26) | Size224 = 28
constant Size256 (line 29) | Size256 = 32
constant Size384 (line 32) | Size384 = 48
constant BlockSize (line 36) | BlockSize = 128
constant chunk (line 40) | chunk = 128
constant init0 (line 41) | init0 = 0x6a09e667f3bcc908
constant init1 (line 42) | init1 = 0xbb67ae8584caa73b
constant init2 (line 43) | init2 = 0x3c6ef372fe94f82b
constant init3 (line 44) | init3 = 0xa54ff53a5f1d36f1
constant init4 (line 45) | init4 = 0x510e527fade682d1
constant init5 (line 46) | init5 = 0x9b05688c2b3e6c1f
constant init6 (line 47) | init6 = 0x1f83d9abfb41bd6b
constant init7 (line 48) | init7 = 0x5be0cd19137e2179
constant init0_224 (line 49) | init0_224 = 0x8c3d37c819544da2
constant init1_224 (line 50) | init1_224 = 0x73e1996689dcd4d6
constant init2_224 (line 51) | init2_224 = 0x1dfab7ae32ff9c82
constant init3_224 (line 52) | init3_224 = 0x679dd514582f9fcf
constant init4_224 (line 53) | init4_224 = 0x0f6d2b697bd44da8
constant init5_224 (line 54) | init5_224 = 0x77e36f7304c48942
constant init6_224 (line 55) | init6_224 = 0x3f9d85a86a1d36c8
constant init7_224 (line 56) | init7_224 = 0x1112e6ad91d692a1
constant init0_256 (line 57) | init0_256 = 0x22312194fc2bf72c
constant init1_256 (line 58) | init1_256 = 0x9f555fa3c84c64c2
constant init2_256 (line 59) | init2_256 = 0x2393b86b6f53b151
constant init3_256 (line 60) | init3_256 = 0x963877195940eabd
constant init4_256 (line 61) | init4_256 = 0x96283ee2a88effe3
constant init5_256 (line 62) | init5_256 = 0xbe5e1e2553863992
constant init6_256 (line 63) | init6_256 = 0x2b0199fc2c85b8aa
constant init7_256 (line 64) | init7_256 = 0x0eb72ddc81c52ca2
constant init0_384 (line 65) | init0_384 = 0xcbbb9d5dc1059ed8
constant init1_384 (line 66) | init1_384 = 0x629a292a367cd507
constant init2_384 (line 67) | init2_384 = 0x9159015a3070dd17
constant init3_384 (line 68) | init3_384 = 0x152fecd8f70e5939
constant init4_384 (line 69) | init4_384 = 0x67332667ffc00b31
constant init5_384 (line 70) | init5_384 = 0x8eb44a8768581511
constant init6_384 (line 71) | init6_384 = 0xdb0c2e0d64f98fa7
constant init7_384 (line 72) | init7_384 = 0x47b5481dbefa4fa4
type digest (line 76) | type digest struct
method Reset (line 84) | func (d *digest) Reset() {
method Size (line 155) | func (d *digest) Size() int {
method BlockSize (line 168) | func (d *digest) BlockSize() int { return BlockSize }
method Write (line 170) | func (d *digest) Write(p []byte) (nn int, err error) {
method Sum (line 193) | func (d0 *digest) Sum(in []byte) []byte {
method checkSum (line 210) | func (d *digest) checkSum() [Size]byte {
function New (line 128) | func New() hash.Hash {
function New512_224 (line 135) | func New512_224() hash.Hash {
function New512_256 (line 142) | func New512_256() hash.Hash {
function New384 (line 149) | func New384() hash.Hash {
function Sum512 (line 253) | func Sum512(data []byte) [Size]byte {
function Sum384 (line 261) | func Sum384(data []byte) (sum384 [Size384]byte) {
function Sum512_224 (line 271) | func Sum512_224(data []byte) (sum224 [Size224]byte) {
function Sum512_256 (line 281) | func Sum512_256(data []byte) (sum256 [Size256]byte) {
FILE: scan/crypto/sha512/sha512_test.go
type sha512Test (line 16) | type sha512Test struct
function testHash (line 244) | func testHash(t *testing.T, name, in, outHex string, oneShotResult []byt...
function TestGolden (line 266) | func TestGolden(t *testing.T) {
function TestSize (line 281) | func TestSize(t *testing.T) {
function TestBlockSize (line 300) | func TestBlockSize(t *testing.T) {
function benchmarkSize (line 310) | func benchmarkSize(b *testing.B, size int) {
function BenchmarkHash8Bytes (line 320) | func BenchmarkHash8Bytes(b *testing.B) {
function BenchmarkHash1K (line 324) | func BenchmarkHash1K(b *testing.B) {
function BenchmarkHash8K (line 328) | func BenchmarkHash8K(b *testing.B) {
FILE: scan/crypto/sha512/sha512block.go
function block (line 97) | func block(dig *digest, p []byte) {
FILE: scan/crypto/sha512/sha512block_decl.go
function block (line 12) | func block(dig *digest, p []byte)
FILE: scan/crypto/tls/alert.go
type alert (line 9) | type alert
method String (line 69) | func (e alert) String() string {
method Error (line 77) | func (e alert) Error() string {
constant alertLevelWarning (line 13) | alertLevelWarning = 1
constant alertLevelError (line 14) | alertLevelError = 2
constant alertCloseNotify (line 18) | alertCloseNotify alert = 0
constant alertUnexpectedMessage (line 19) | alertUnexpectedMessage alert = 10
constant alertBadRecordMAC (line 20) | alertBadRecordMAC alert = 20
constant alertDecryptionFailed (line 21) | alertDecryptionFailed alert = 21
constant alertRecordOverflow (line 22) | alertRecordOverflow alert = 22
constant alertDecompressionFailure (line 23) | alertDecompressionFailure alert = 30
constant alertHandshakeFailure (line 24) | alertHandshakeFailure alert = 40
constant alertBadCertificate (line 25) | alertBadCertificate alert = 42
constant alertUnsupportedCertificate (line 26) | alertUnsupportedCertificate alert = 43
constant alertCertificateRevoked (line 27) | alertCertificateRevoked alert = 44
constant alertCertificateExpired (line 28) | alertCertificateExpired alert = 45
constant alertCertificateUnknown (line 29) | alertCertificateUnknown alert = 46
constant alertIllegalParameter (line 30) | alertIllegalParameter alert = 47
constant alertUnknownCA (line 31) | alertUnknownCA alert = 48
constant alertAccessDenied (line 32) | alertAccessDenied alert = 49
constant alertDecodeError (line 33) | alertDecodeError alert = 50
constant alertDecryptError (line 34) | alertDecryptError alert = 51
constant alertProtocolVersion (line 35) | alertProtocolVersion alert = 70
constant alertInsufficientSecurity (line 36) | alertInsufficientSecurity alert = 71
constant alertInternalError (line 37) | alertInternalError alert = 80
constant alertInappropriateFallback (line 38) | alertInappropriateFallback alert = 86
constant alertUserCanceled (line 39) | alertUserCanceled alert = 90
constant alertNoRenegotiation (line 40) | alertNoRenegotiation alert = 100
FILE: scan/crypto/tls/cfsslscan_common.go
type hashAlgID (line 7) | type hashAlgID
method String (line 19) | func (h hashAlgID) String() string {
constant HashNone (line 10) | HashNone hashAlgID = iota
constant HashMD5 (line 11) | HashMD5
constant HashSHA1 (line 12) | HashSHA1
constant HashSHA224 (line 13) | HashSHA224
constant HashSHA256 (line 14) | HashSHA256
constant HashSHA384 (line 15) | HashSHA384
constant HashSHA512 (line 16) | HashSHA512
type sigAlgID (line 40) | type sigAlgID
method String (line 50) | func (sig sigAlgID) String() string {
constant SigAnon (line 44) | SigAnon sigAlgID = iota
constant SigRSA (line 45) | SigRSA
constant SigDSA (line 46) | SigDSA
constant SigECDSA (line 47) | SigECDSA
type SignatureAndHash (line 67) | type SignatureAndHash struct
method String (line 72) | func (sigAlg SignatureAndHash) String() string {
method MarshalJSON (line 76) | func (sigAlg SignatureAndHash) MarshalJSON() ([]byte, error) {
method internal (line 80) | func (sigAlg SignatureAndHash) internal() signatureAndHash {
function init (line 92) | func init() {
type CipherSuite (line 110) | type CipherSuite struct
method String (line 118) | func (c CipherSuite) String() string {
FILE: scan/crypto/tls/cfsslscan_handshake.go
method SayHello (line 5) | func (c *Conn) SayHello(newSigAls []SignatureAndHash) (cipherID, curveTy...
method sayHello (line 84) | func (c *Conn) sayHello(hello *clientHelloMsg) (serverHello *serverHello...
method exchangeKeys (line 99) | func (c *Conn) exchangeKeys() (serverKeyExchange *serverKeyExchangeMsg, ...
FILE: scan/crypto/tls/cipher_suites.go
type keyAgreement (line 20) | type keyAgreement interface
constant suiteECDHE (line 42) | suiteECDHE = 1 << iota
constant suiteECDSA (line 47) | suiteECDSA
constant suiteTLS12 (line 50) | suiteTLS12
constant suiteSHA384 (line 53) | suiteSHA384
constant suiteDefaultOff (line 56) | suiteDefaultOff
type cipherSuite (line 61) | type cipherSuite struct
function cipherRC4 (line 97) | func cipherRC4(key, iv []byte, isRead bool) interface{} {
function cipher3DES (line 102) | func cipher3DES(key, iv []byte, isRead bool) interface{} {
function cipherAES (line 110) | func cipherAES(key, iv []byte, isRead bool) interface{} {
function macSHA1 (line 119) | func macSHA1(version uint16, key []byte) macFunction {
type macFunction (line 131) | type macFunction interface
type fixedNonceAEAD (line 138) | type fixedNonceAEAD struct
method NonceSize (line 146) | func (f *fixedNonceAEAD) NonceSize() int { return 8 }
method Overhead (line 147) | func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() }
method Seal (line 149) | func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []...
method Open (line 154) | func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []...
function aeadAESGCM (line 159) | func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
type ssl30MAC (line 178) | type ssl30MAC struct
method Size (line 183) | func (s ssl30MAC) Size() int {
method MAC (line 191) | func (s ssl30MAC) MAC(digestBuf, seq, header, data []byte) []byte {
type tls10MAC (line 214) | type tls10MAC struct
method Size (line 218) | func (s tls10MAC) Size() int {
method MAC (line 222) | func (s tls10MAC) MAC(digestBuf, seq, header, data []byte) []byte {
function rsaKA (line 230) | func rsaKA(version uint16) keyAgreement {
function ecdheECDSAKA (line 234) | func ecdheECDSAKA(version uint16) keyAgreement {
function ecdheRSAKA (line 241) | func ecdheRSAKA(version uint16) keyAgreement {
function mutualCipherSuite (line 250) | func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
constant TLS_RSA_WITH_RC4_128_SHA (line 267) | TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
constant TLS_RSA_WITH_3DES_EDE_CBC_SHA (line 268) | TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
constant TLS_RSA_WITH_AES_128_CBC_SHA (line 269) | TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
constant TLS_RSA_WITH_AES_256_CBC_SHA (line 270) | TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
constant TLS_RSA_WITH_AES_128_GCM_SHA256 (line 271) | TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
constant TLS_RSA_WITH_AES_256_GCM_SHA384 (line 272) | TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
constant TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (line 273) | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
constant TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (line 274) | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
constant TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (line 275) | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
constant TLS_ECDHE_RSA_WITH_RC4_128_SHA (line 276) | TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
constant TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (line 277) | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
constant TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (line 278) | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
constant TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (line 279) | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
constant TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (line 280) | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
constant TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (line 281) | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
constant TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (line 282) | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
constant TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (line 283) | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
constant TLS_FALLBACK_SCSV (line 288) | TLS_FALLBACK_SCSV uint16 = 0x5600
FILE: scan/crypto/tls/common.go
constant VersionSSL30 (line 23) | VersionSSL30 = 0x0300
constant VersionTLS10 (line 24) | VersionTLS10 = 0x0301
constant VersionTLS11 (line 25) | VersionTLS11 = 0x0302
constant VersionTLS12 (line 26) | VersionTLS12 = 0x0303
constant maxPlaintext (line 30) | maxPlaintext = 16384
constant maxCiphertext (line 31) | maxCiphertext = 16384 + 2048
constant recordHeaderLen (line 32) | recordHeaderLen = 5
constant maxHandshake (line 33) | maxHandshake = 65536
constant minVersion (line 35) | minVersion = VersionTLS10
constant maxVersion (line 36) | maxVersion = VersionTLS12
type recordType (line 40) | type recordType
constant recordTypeChangeCipherSpec (line 43) | recordTypeChangeCipherSpec recordType = 20
constant recordTypeAlert (line 44) | recordTypeAlert recordType = 21
constant recordTypeHandshake (line 45) | recordTypeHandshake recordType = 22
constant recordTypeApplicationData (line 46) | recordTypeApplicationData recordType = 23
constant typeClientHello (line 51) | typeClientHello uint8 = 1
constant typeServerHello (line 52) | typeServerHello uint8 = 2
constant typeNewSessionTicket (line 53) | typeNewSessionTicket uint8 = 4
constant typeCertificate (line 54) | typeCertificate uint8 = 11
constant typeServerKeyExchange (line 55) | typeServerKeyExchange uint8 = 12
constant typeCertificateRequest (line 56) | typeCertificateRequest uint8 = 13
constant typeServerHelloDone (line 57) | typeServerHelloDone uint8 = 14
constant typeCertificateVerify (line 58) | typeCertificateVerify uint8 = 15
constant typeClientKeyExchange (line 59) | typeClientKeyExchange uint8 = 16
constant typeFinished (line 60) | typeFinished uint8 = 20
constant typeCertificateStatus (line 61) | typeCertificateStatus uint8 = 22
constant typeNextProtocol (line 62) | typeNextProtocol uint8 = 67
constant compressionNone (line 67) | compressionNone uint8 = 0
constant extensionServerName (line 72) | extensionServerName uint16 = 0
constant extensionStatusRequest (line 73) | extensionStatusRequest uint16 = 5
constant extensionSupportedCurves (line 74) | extensionSupportedCurves uint16 = 10
constant extensionSupportedPoints (line 75) | extensionSupportedPoints uint16 = 11
constant extensionSignatureAlgorithms (line 76) | extensionSignatureAlgorithms uint16 = 13
constant extensionALPN (line 77) | extensionALPN uint16 = 16
constant extensionSCT (line 78) | extensionSCT uint16 = 18
constant extensionSessionTicket (line 79) | extensionSessionTicket uint16 = 35
constant extensionNextProtoNeg (line 80) | extensionNextProtoNeg uint16 = 13172
constant extensionRenegotiationInfo (line 81) | extensionRenegotiationInfo uint16 = 0xff01
constant scsvRenegotiation (line 86) | scsvRenegotiation uint16 = 0x00ff
type CurveID (line 91) | type CurveID
constant CurveP256 (line 94) | CurveP256 CurveID = 23
constant CurveP384 (line 95) | CurveP384 CurveID = 24
constant CurveP521 (line 96) | CurveP521 CurveID = 25
constant pointFormatUncompressed (line 102) | pointFormatUncompressed uint8 = 0
constant statusTypeOCSP (line 107) | statusTypeOCSP uint8 = 1
constant certTypeRSASign (line 112) | certTypeRSASign = 1
constant certTypeDSSSign (line 113) | certTypeDSSSign = 2
constant certTypeRSAFixedDH (line 114) | certTypeRSAFixedDH = 3
constant certTypeDSSFixedDH (line 115) | certTypeDSSFixedDH = 4
constant certTypeECDSASign (line 118) | certTypeECDSASign = 64
constant certTypeRSAFixedECDH (line 119) | certTypeRSAFixedECDH = 65
constant certTypeECDSAFixedECDH (line 120) | certTypeECDSAFixedECDH = 66
constant hashSHA1 (line 127) | hashSHA1 uint8 = 2
constant hashSHA256 (line 128) | hashSHA256 uint8 = 4
constant hashSHA384 (line 129) | hashSHA384 uint8 = 5
constant signatureRSA (line 134) | signatureRSA uint8 = 1
constant signatureECDSA (line 135) | signatureECDSA uint8 = 3
type signatureAndHash (line 140) | type signatureAndHash struct
type ConnectionState (line 157) | type ConnectionState struct
type ClientAuthType (line 181) | type ClientAuthType
constant NoClientCert (line 184) | NoClientCert ClientAuthType = iota
constant RequestClientCert (line 185) | RequestClientCert
constant RequireAnyClientCert (line 186) | RequireAnyClientCert
constant VerifyClientCertIfGiven (line 187) | VerifyClientCertIfGiven
constant RequireAndVerifyClientCert (line 188) | RequireAndVerifyClientCert
type ClientSessionState (line 193) | type ClientSessionState struct
type ClientSessionCache (line 206) | type ClientSessionCache interface
type ClientHelloInfo (line 217) | type ClientHelloInfo struct
type Config (line 245) | type Config struct
method serverInit (line 387) | func (c *Config) serverInit() {
method ticketKeys (line 410) | func (c *Config) ticketKeys() []ticketKey {
method SetSessionTicketKeys (line 424) | func (c *Config) SetSessionTicketKeys(keys [][32]byte) {
method rand (line 439) | func (c *Config) rand() io.Reader {
method time (line 447) | func (c *Config) time() time.Time {
method cipherSuites (line 455) | func (c *Config) cipherSuites() []uint16 {
method minVersion (line 463) | func (c *Config) minVersion() uint16 {
method maxVersion (line 470) | func (c *Config) maxVersion() uint16 {
method curvePreferences (line 479) | func (c *Config) curvePreferences() []CurveID {
method mutualVersion (line 488) | func (c *Config) mutualVersion(vers uint16) (uint16, bool) {
method getCertificate (line 503) | func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certif...
method BuildNameToCertificate (line 548) | func (c *Config) BuildNameToCertificate() {
constant ticketKeyNameLen (line 365) | ticketKeyNameLen = 16
type ticketKey (line 368) | type ticketKey struct
function ticketKeyFromBytes (line 379) | func ticketKeyFromBytes(b [32]byte) (key ticketKey) {
type Certificate (line 566) | type Certificate struct
type record (line 588) | type record struct
type handshakeMessage (line 594) | type handshakeMessage interface
type lruSessionCache (line 601) | type lruSessionCache struct
method Put (line 631) | func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionStat...
method Get (line 659) | func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState,...
type lruSessionCacheEntry (line 609) | type lruSessionCacheEntry struct
function NewLRUClientSessionCache (line 617) | func NewLRUClientSessionCache(capacity int) ClientSessionCache {
type dsaSignature (line 671) | type dsaSignature struct
type ecdsaSignature (line 675) | type ecdsaSignature
function defaultConfig (line 679) | func defaultConfig() *Config {
function defaultCipherSuites (line 688) | func defaultCipherSuites() []uint16 {
function initDefaultCipherSuites (line 693) | func initDefaultCipherSuites() {
function unexpectedMessageError (line 703) | func unexpectedMessageError(wanted, got interface{}) error {
function isSupportedSignatureAndHash (line 707) | func isSupportedSignatureAndHash(sigHash signatureAndHash, sigHashes []s...
FILE: scan/crypto/tls/conn.go
type Conn (line 25) | type Conn struct
method LocalAddr (line 73) | func (c *Conn) LocalAddr() net.Addr {
method RemoteAddr (line 78) | func (c *Conn) RemoteAddr() net.Addr {
method SetDeadline (line 85) | func (c *Conn) SetDeadline(t time.Time) error {
method SetReadDeadline (line 91) | func (c *Conn) SetReadDeadline(t time.Time) error {
method SetWriteDeadline (line 98) | func (c *Conn) SetWriteDeadline(t time.Time) error {
method newRecordHeaderError (line 526) | func (c *Conn) newRecordHeaderError(msg string) (err RecordHeaderError) {
method readRecord (line 535) | func (c *Conn) readRecord(want recordType) error {
method sendAlertLocked (line 689) | func (c *Conn) sendAlertLocked(err alert) error {
method sendAlert (line 707) | func (c *Conn) sendAlert(err alert) error {
method writeRecord (line 716) | func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err er...
method readHandshake (line 795) | func (c *Conn) readHandshake() (interface{}, error) {
method Write (line 867) | func (c *Conn) Write(b []byte) (int, error) {
method Read (line 921) | func (c *Conn) Read(b []byte) (n int, err error) {
method Close (line 982) | func (c *Conn) Close() error {
method Handshake (line 1022) | func (c *Conn) Handshake() error {
method ConnectionState (line 1041) | func (c *Conn) ConnectionState() ConnectionState {
method OCSPResponse (line 1068) | func (c *Conn) OCSPResponse() []byte {
method VerifyHostname (line 1078) | func (c *Conn) VerifyHostname(host string) error {
type halfConn (line 104) | type halfConn struct
method setErrorLocked (line 122) | func (hc *halfConn) setErrorLocked(err error) error {
method error (line 127) | func (hc *halfConn) error() error {
method prepareCipherSpec (line 136) | func (hc *halfConn) prepareCipherSpec(version uint16, cipher interface...
method changeCipherSpec (line 144) | func (hc *halfConn) changeCipherSpec() error {
method incSeq (line 159) | func (hc *halfConn) incSeq() {
method resetSeq (line 174) | func (hc *halfConn) resetSeq() {
method decrypt (line 247) | func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertVa...
method encrypt (line 362) | func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
method newBlock (line 481) | func (hc *halfConn) newBlock() *block {
method freeBlock (line 496) | func (hc *halfConn) freeBlock(b *block) {
method splitBlock (line 504) | func (hc *halfConn) splitBlock(b *block, n int) (*block, *block) {
function removePadding (line 183) | func removePadding(payload []byte) ([]byte, byte) {
function removePaddingSSL30 (line 221) | func removePaddingSSL30(payload []byte) ([]byte, byte) {
function roundUp (line 234) | func roundUp(a, b int) int {
type cbcMode (line 239) | type cbcMode interface
function padToBlockSize (line 349) | func padToBlockSize(payload []byte, blockSize int) (prefix, finalBlock [...
type block (line 418) | type block struct
method resize (line 425) | func (b *block) resize(n int) {
method reserve (line 433) | func (b *block) reserve(n int) {
method readFromUntil (line 451) | func (b *block) readFromUntil(r io.Reader, n int) error {
method Read (line 474) | func (b *block) Read(p []byte) (n int, err error) {
type RecordHeaderError (line 516) | type RecordHeaderError struct
method Error (line 524) | func (e RecordHeaderError) Error() string { return "tls: " + e.Msg }
FILE: scan/crypto/tls/conn_test.go
function TestRoundUp (line 11) | func TestRoundUp(t *testing.T) {
function TestRemovePadding (line 38) | func TestRemovePadding(t *testing.T) {
function TestCertificateSelection (line 62) | func TestCertificateSelection(t *testing.T) {
FILE: scan/crypto/tls/example_test.go
function ExampleDial (line 12) | func ExampleDial() {
FILE: scan/crypto/tls/generate_cert.go
function publicKey (line 43) | func publicKey(priv interface{}) interface{} {
function pemBlockForKey (line 56) | func pemBlockForKey(priv interface{}) *pem.Block {
function main (line 79) | func main() {
FILE: scan/crypto/tls/handshake_client.go
type clientHandshakeState (line 21) | type clientHandshakeState struct
method doFullHandshake (line 240) | func (hs *clientHandshakeState) doFullHandshake() error {
method establishKeys (line 490) | func (hs *clientHandshakeState) establishKeys() error {
method serverResumedSession (line 512) | func (hs *clientHandshakeState) serverResumedSession() bool {
method processServerHello (line 519) | func (hs *clientHandshakeState) processServerHello() (bool, error) {
method readFinished (line 563) | func (hs *clientHandshakeState) readFinished(out []byte) error {
method readSessionTicket (line 592) | func (hs *clientHandshakeState) readSessionTicket() error {
method sendFinished (line 621) | func (hs *clientHandshakeState) sendFinished(out []byte) error {
method clientHandshake (line 31) | func (c *Conn) clientHandshake() error {
function clientSessionCacheKey (line 646) | func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
function mutualProtocol (line 657) | func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
FILE: scan/crypto/tls/handshake_client_test.go
type blockingSource (line 31) | type blockingSource
method Read (line 33) | func (b blockingSource) Read([]byte) (n int, err error) {
type clientTest (line 40) | type clientTest struct
method connFromCommand (line 71) | func (test *clientTest) connFromCommand() (conn *recordingConn, child ...
method dataPath (line 173) | func (test *clientTest) dataPath() string {
method loadData (line 177) | func (test *clientTest) loadData() (flows [][]byte, err error) {
method run (line 186) | func (test *clientTest) run(t *testing.T, write bool) {
function runClientTestForVersion (line 268) | func runClientTestForVersion(t *testing.T, template *clientTest, prefix,...
function runClientTestTLS10 (line 279) | func runClientTestTLS10(t *testing.T, template *clientTest) {
function runClientTestTLS11 (line 283) | func runClientTestTLS11(t *testing.T, template *clientTest) {
function runClientTestTLS12 (line 287) | func runClientTestTLS12(t *testing.T, template *clientTest) {
function TestHandshakeClientRSARC4 (line 291) | func TestHandshakeClientRSARC4(t *testing.T) {
function TestHandshakeClientRSAAES128GCM (line 301) | func TestHandshakeClientRSAAES128GCM(t *testing.T) {
function TestHandshakeClientRSAAES256GCM (line 309) | func TestHandshakeClientRSAAES256GCM(t *testing.T) {
function TestHandshakeClientECDHERSAAES (line 317) | func TestHandshakeClientECDHERSAAES(t *testing.T) {
function TestHandshakeClientECDHEECDSAAES (line 327) | func TestHandshakeClientECDHEECDSAAES(t *testing.T) {
function TestHandshakeClientECDHEECDSAAESGCM (line 339) | func TestHandshakeClientECDHEECDSAAESGCM(t *testing.T) {
function TestHandshakeClientAES256GCMSHA384 (line 349) | func TestHandshakeClientAES256GCMSHA384(t *testing.T) {
function TestHandshakeClientCertRSA (line 359) | func TestHandshakeClientCertRSA(t *testing.T) {
function TestHandshakeClientCertECDSA (line 395) | func TestHandshakeClientCertECDSA(t *testing.T) {
function TestClientResumption (line 421) | func TestClientResumption(t *testing.T) {
function TestLRUClientSessionCache (line 495) | func TestLRUClientSessionCache(t *testing.T) {
function TestHandshakeClientALPNMatch (line 541) | func TestHandshakeClientALPNMatch(t *testing.T) {
function TestHandshakeClientALPNNoMatch (line 562) | func TestHandshakeClientALPNNoMatch(t *testing.T) {
constant sctsBase64 (line 584) | sctsBase64 = "ABIBaQFnAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAA...
function TestHandshakClientSCTs (line 586) | func TestHandshakClientSCTs(t *testing.T) {
function TestNoIPAddressesInSNI (line 621) | func TestNoIPAddressesInSNI(t *testing.T) {
function TestServerSelectingUnconfiguredCipherSuite (line 648) | func TestServerSelectingUnconfiguredCipherSuite(t *testing.T) {
FILE: scan/crypto/tls/handshake_messages.go
type clientHelloMsg (line 9) | type clientHelloMsg struct
method equal (line 29) | func (m *clientHelloMsg) equal(i interface{}) bool {
method marshal (line 54) | func (m *clientHelloMsg) marshal() []byte {
method unmarshal (line 292) | func (m *clientHelloMsg) unmarshal(data []byte) bool {
type serverHelloMsg (line 485) | type serverHelloMsg struct
method equal (line 501) | func (m *serverHelloMsg) equal(i interface{}) bool {
method marshal (line 530) | func (m *serverHelloMsg) marshal() []byte {
method unmarshal (line 671) | func (m *serverHelloMsg) unmarshal(data []byte) bool {
type certificateMsg (line 806) | type certificateMsg struct
method equal (line 811) | func (m *certificateMsg) equal(i interface{}) bool {
method marshal (line 821) | func (m *certificateMsg) marshal() (x []byte) {
method unmarshal (line 856) | func (m *certificateMsg) unmarshal(data []byte) bool {
type serverKeyExchangeMsg (line 893) | type serverKeyExchangeMsg struct
method equal (line 898) | func (m *serverKeyExchangeMsg) equal(i interface{}) bool {
method marshal (line 908) | func (m *serverKeyExchangeMsg) marshal() []byte {
method unmarshal (line 924) | func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
type certificateStatusMsg (line 933) | type certificateStatusMsg struct
method equal (line 939) | func (m *certificateStatusMsg) equal(i interface{}) bool {
method marshal (line 950) | func (m *certificateStatusMsg) marshal() []byte {
method unmarshal (line 978) | func (m *certificateStatusMsg) unmarshal(data []byte) bool {
type serverHelloDoneMsg (line 999) | type serverHelloDoneMsg struct
method equal (line 1001) | func (m *serverHelloDoneMsg) equal(i interface{}) bool {
method marshal (line 1006) | func (m *serverHelloDoneMsg) marshal() []byte {
method unmarshal (line 1012) | func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
type clientKeyExchangeMsg (line 1016) | type clientKeyExchangeMsg struct
method equal (line 1021) | func (m *clientKeyExchangeMsg) equal(i interface{}) bool {
method marshal (line 1031) | func (m *clientKeyExchangeMsg) marshal() []byte {
method unmarshal (line 1047) | func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
type finishedMsg (line 1060) | type finishedMsg struct
method equal (line 1065) | func (m *finishedMsg) equal(i interface{}) bool {
method marshal (line 1075) | func (m *finishedMsg) marshal() (x []byte) {
method unmarshal (line 1088) | func (m *finishedMsg) unmarshal(data []byte) bool {
type nextProtoMsg (line 1097) | type nextProtoMsg struct
method equal (line 1102) | func (m *nextProtoMsg) equal(i interface{}) bool {
method marshal (line 1112) | func (m *nextProtoMsg) marshal() []byte {
method unmarshal (line 1140) | func (m *nextProtoMsg) unmarshal(data []byte) bool {
type certificateRequestMsg (line 1167) | type certificateRequestMsg struct
method equal (line 1179) | func (m *certificateRequestMsg) equal(i interface{}) bool {
method marshal (line 1191) | func (m *certificateRequestMsg) marshal() (x []byte) {
method unmarshal (line 1246) | func (m *certificateRequestMsg) unmarshal(data []byte) bool {
type certificateVerifyMsg (line 1326) | type certificateVerifyMsg struct
method equal (line 1333) | func (m *certificateVerifyMsg) equal(i interface{}) bool {
method marshal (line 1346) | func (m *certificateVerifyMsg) marshal() (x []byte) {
method unmarshal (line 1377) | func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
type newSessionTicketMsg (line 1410) | type newSessionTicketMsg struct
method equal (line 1415) | func (m *newSessionTicketMsg) equal(i interface{}) bool {
method marshal (line 1425) | func (m *newSessionTicketMsg) marshal() (x []byte) {
method unmarshal (line 1447) | func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
function eqUint16s (line 1469) | func eqUint16s(x, y []uint16) bool {
function eqCurveIDs (line 1481) | func eqCurveIDs(x, y []CurveID) bool {
function eqStrings (line 1493) | func eqStrings(x, y []string) bool {
function eqByteSlices (line 1505) | func eqByteSlices(x, y [][]byte) bool {
function eqSignatureAndHashes (line 1517) | func eqSignatureAndHashes(x, y []signatureAndHash) bool {
FILE: scan/crypto/tls/handshake_messages_test.go
type testMessage (line 29) | type testMessage interface
function TestMarshalUnmarshal (line 35) | func TestMarshalUnmarshal(t *testing.T) {
function TestFuzz (line 83) | func TestFuzz(t *testing.T) {
function randomBytes (line 97) | func randomBytes(n int, rand *rand.Rand) []byte {
function randomString (line 105) | func randomString(n int, rand *rand.Rand) string {
method Generate (line 110) | func (*clientHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
method Generate (line 152) | func (*serverHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
method Generate (line 189) | func (*certificateMsg) Generate(rand *rand.Rand, size int) reflect.Value {
method Generate (line 199) | func (*certificateRequestMsg) Generate(rand *rand.Rand, size int) reflec...
method Generate (line 210) | func (*certificateVerifyMsg) Generate(rand *rand.Rand, size int) reflect...
method Generate (line 216) | func (*certificateStatusMsg) Generate(rand *rand.Rand, size int) reflect...
method Generate (line 227) | func (*clientKeyExchangeMsg) Generate(rand *rand.Rand, size int) reflect...
method Generate (line 233) | func (*finishedMsg) Generate(rand *rand.Rand, size int) reflect.Value {
method Generate (line 239) | func (*nextProtoMsg) Generate(rand *rand.Rand, size int) reflect.Value {
method Generate (line 245) | func (*newSessionTicketMsg) Generate(rand *rand.Rand, size int) reflect....
method Generate (line 251) | func (*sessionState) Generate(rand *rand.Rand, size int) reflect.Value {
FILE: scan/crypto/tls/handshake_server.go
type serverHandshakeState (line 21) | type serverHandshakeState struct
method readClientHello (line 103) | func (hs *serverHandshakeState) readClientHello() (isResume bool, err ...
method checkForResumption (line 264) | func (hs *serverHandshakeState) checkForResumption() bool {
method doResumeHandshake (line 313) | func (hs *serverHandshakeState) doResumeHandshake() error {
method doFullHandshake (line 338) | func (hs *serverHandshakeState) doFullHandshake() error {
method establishKeys (line 545) | func (hs *serverHandshakeState) establishKeys() error {
method readFinished (line 570) | func (hs *serverHandshakeState) readFinished(out []byte) error {
method sendSessionTicket (line 614) | func (hs *serverHandshakeState) sendSessionTicket() error {
method sendFinished (line 640) | func (hs *serverHandshakeState) sendFinished(out []byte) error {
method processCertsFromClient (line 659) | func (hs *serverHandshakeState) processCertsFromClient(certificates []...
method setCipherSuite (line 712) | func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCip...
method serverHandshake (line 38) | func (c *Conn) serverHandshake() error {
FILE: scan/crypto/tls/handshake_server_test.go
type zeroSource (line 28) | type zeroSource struct
method Read (line 30) | func (zeroSource) Read(b []byte) (n int, err error) {
function allCipherSuites (line 40) | func allCipherSuites() []uint16 {
function init (line 49) | func init() {
function testClientHello (line 66) | func testClientHello(t *testing.T, serverConfig *Config, m handshakeMess...
function testClientHelloFailure (line 70) | func testClientHelloFailure(t *testing.T, serverConfig *Config, m handsh...
function TestSimpleError (line 94) | func TestSimpleError(t *testing.T) {
function TestRejectBadProtocolVersion (line 100) | func TestRejectBadProtocolVersion(t *testing.T) {
function TestNoSuiteOverlap (line 106) | func TestNoSuiteOverlap(t *testing.T) {
function TestNoCompressionOverlap (line 115) | func TestNoCompressionOverlap(t *testing.T) {
function TestNoRC4ByDefault (line 124) | func TestNoRC4ByDefault(t *testing.T) {
function TestDontSelectECDSAWithRSAKey (line 137) | func TestDontSelectECDSAWithRSAKey(t *testing.T) {
function TestDontSelectRSAWithECDSAKey (line 162) | func TestDontSelectRSAWithECDSAKey(t *testing.T) {
function TestRenegotiationExtension (line 186) | func TestRenegotiationExtension(t *testing.T) {
function TestTLS12OnlyCipherSuites (line 234) | func TestTLS12OnlyCipherSuites(t *testing.T) {
function TestAlertForwarding (line 281) | func TestAlertForwarding(t *testing.T) {
function TestClose (line 295) | func TestClose(t *testing.T) {
function testHandshake (line 306) | func testHandshake(clientConfig, serverConfig *Config) (serverState, cli...
function TestVersion (line 326) | func TestVersion(t *testing.T) {
function TestCipherSuitePreference (line 343) | func TestCipherSuitePreference(t *testing.T) {
function TestSCTHandshake (line 372) | func TestSCTHandshake(t *testing.T) {
type serverTest (line 404) | type serverTest struct
method connFromCommand (line 430) | func (test *serverTest) connFromCommand() (conn *recordingConn, child ...
method dataPath (line 486) | func (test *serverTest) dataPath() string {
method loadData (line 490) | func (test *serverTest) loadData() (flows [][]byte, err error) {
method run (line 499) | func (test *serverTest) run(t *testing.T, write bool) {
function runServerTestForVersion (line 598) | func runServerTestForVersion(t *testing.T, template *serverTest, prefix,...
function runServerTestSSLv3 (line 609) | func runServerTestSSLv3(t *testing.T, template *serverTest) {
function runServerTestTLS10 (line 613) | func runServerTestTLS10(t *testing.T, template *serverTest) {
function runServerTestTLS11 (line 617) | func runServerTestTLS11(t *testing.T, template *serverTest) {
function runServerTestTLS12 (line 621) | func runServerTestTLS12(t *testing.T, template *serverTest) {
function TestHandshakeServerRSARC4 (line 625) | func TestHandshakeServerRSARC4(t *testing.T) {
function TestHandshakeServerRSA3DES (line 636) | func TestHandshakeServerRSA3DES(t *testing.T) {
function TestHandshakeServerRSAAES (line 646) | func TestHandshakeServerRSAAES(t *testing.T) {
function TestHandshakeServerAESGCM (line 656) | func TestHandshakeServerAESGCM(t *testing.T) {
function TestHandshakeServerAES256GCMSHA384 (line 664) | func TestHandshakeServerAES256GCMSHA384(t *testing.T) {
function TestHandshakeServerECDHEECDSAAES (line 672) | func TestHandshakeServerECDHEECDSAAES(t *testing.T) {
function TestHandshakeServerALPN (line 688) | func TestHandshakeServerALPN(t *testing.T) {
function TestHandshakeServerALPNNoMatch (line 709) | func TestHandshakeServerALPNNoMatch(t *testing.T) {
function TestHandshakeServerSNI (line 734) | func TestHandshakeServerSNI(t *testing.T) {
function TestHandshakeServerSNIGetCertificate (line 744) | func TestHandshakeServerSNIGetCertificate(t *testing.T) {
function TestHandshakeServerSNIGetCertificateNotFound (line 766) | func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) {
function TestHandshakeServerSNIGetCertificateError (line 782) | func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
function TestHandshakeServerEmptyCertificates (line 801) | func TestHandshakeServerEmptyCertificates(t *testing.T) {
function TestCipherSuiteCertPreferenceECDSA (line 831) | func TestCipherSuiteCertPreferenceECDSA(t *testing.T) {
function TestResumption (line 860) | func TestResumption(t *testing.T) {
function TestResumptionDisabled (line 877) | func TestResumptionDisabled(t *testing.T) {
function TestFallbackSCSV (line 903) | func TestFallbackSCSV(t *testing.T) {
constant clientCertificatePEM (line 921) | clientCertificatePEM = `
constant clientKeyPEM (line 936) | clientKeyPEM = `
constant clientECDSACertificatePEM (line 953) | clientECDSACertificatePEM = `
constant clientECDSAKeyPEM (line 968) | clientECDSAKeyPEM = `
function TestClientAuth (line 980) | func TestClientAuth(t *testing.T) {
function bigFromString (line 1021) | func bigFromString(s string) *big.Int {
function fromHex (line 1027) | func fromHex(s string) []byte {
FILE: scan/crypto/tls/handshake_test.go
type recordingConn (line 43) | type recordingConn struct
method Read (line 50) | func (r *recordingConn) Read(b []byte) (n int, err error) {
method Write (line 70) | func (r *recordingConn) Write(b []byte) (n int, err error) {
method WriteTo (line 91) | func (r *recordingConn) WriteTo(w io.Writer) {
function parseTestData (line 108) | func parseTestData(r io.Reader) (flows [][]byte, err error) {
function tempFile (line 158) | func tempFile(contents string) string {
FILE: scan/crypto/tls/key_agreement.go
type rsaKeyAgreement (line 26) | type rsaKeyAgreement struct
method generateServerKeyExchange (line 28) | func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, ce...
method processClientKeyExchange (line 32) | func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cer...
method processServerKeyExchange (line 63) | func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, cli...
method generateClientKeyExchange (line 67) | func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, cl...
function sha1Hash (line 89) | func sha1Hash(slices [][]byte) []byte {
function md5SHA1Hash (line 99) | func md5SHA1Hash(slices [][]byte) []byte {
function hashForServerKeyExchange (line 113) | func hashForServerKeyExchange(sigAndHash signatureAndHash, version uint1...
function pickTLS12HashForSignature (line 138) | func pickTLS12HashForSignature(sigType uint8, clientList []signatureAndH...
function curveForCurveID (line 158) | func curveForCurveID(id CurveID) (elliptic.Curve, bool) {
type ecdheKeyAgreement (line 176) | type ecdheKeyAgreement struct
method generateServerKeyExchange (line 184) | func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config,...
method processClientKeyExchange (line 280) | func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, ...
method processServerKeyExchange (line 299) | func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, ...
method generateClientKeyExchange (line 384) | func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config,...
FILE: scan/crypto/tls/prf.go
function splitPreMasterSecret (line 19) | func splitPreMasterSecret(secret []byte) (s1, s2 []byte) {
function pHash (line 26) | func pHash(result, secret, seed []byte, hash func() hash.Hash) {
function prf10 (line 51) | func prf10(result, secret, label, seed []byte) {
function prf12 (line 70) | func prf12(hashFunc func() hash.Hash) func(result, secret, label, seed [...
function prf30 (line 82) | func prf30(result, secret, label, seed []byte) {
constant tlsRandomLength (line 114) | tlsRandomLength = 32
constant masterSecretLength (line 115) | masterSecretLength = 48
constant finishedVerifyLength (line 116) | finishedVerifyLength = 12
function prfAndHashForVersion (line 124) | func prfAndHashForVersion(version uint16, suite *cipherSuite) (func(resu...
function prfForVersion (line 140) | func prfForVersion(version uint16, suite *cipherSuite) func(result, secr...
function masterFromPreMasterSecret (line 147) | func masterFromPreMasterSecret(version uint16, suite *cipherSuite, preMa...
function keysFromMasterSecret (line 160) | func keysFromMasterSecret(version uint16, suite *cipherSuite, masterSecr...
function lookupTLSHash (line 184) | func lookupTLSHash(hash uint8) (crypto.Hash, error) {
function newFinishedHash (line 197) | func newFinishedHash(version uint16, cipherSuite *cipherSuite) finishedH...
type finishedHash (line 213) | type finishedHash struct
method Write (line 228) | func (h *finishedHash) Write(msg []byte) (n int, err error) {
method Sum (line 244) | func (h finishedHash) Sum() []byte {
method clientSum (line 291) | func (h finishedHash) clientSum(masterSecret []byte) []byte {
method serverSum (line 303) | func (h finishedHash) serverSum(masterSecret []byte) []byte {
method selectClientCertSignatureAlgorithm (line 315) | func (h finishedHash) selectClientCertSignatureAlgorithm(serverList []...
method hashForClientCertificate (line 331) | func (h finishedHash) hashForClientCertificate(signatureAndHash signat...
method discardHandshakeBuffer (line 366) | func (h *finishedHash) discardHandshakeBuffer() {
function finishedSum30 (line 257) | func finishedSum30(md5, sha1 hash.Hash, masterSecret []byte, magic []byt...
FILE: scan/crypto/tls/prf_test.go
type testSplitPreMasterSecretTest (line 12) | type testSplitPreMasterSecretTest struct
function TestSplitPreMasterSecret (line 24) | func TestSplitPreMasterSecret(t *testing.T) {
type testKeysFromTest (line 36) | type testKeysFromTest struct
function TestKeysFromPreMasterSecret (line 47) | func TestKeysFromPreMasterSecret(t *testing.T) {
function cipherSuiteById (line 73) | func cipherSuiteById(id uint16) *cipherSuite {
FILE: scan/crypto/tls/ticket.go
type sessionState (line 20) | type sessionState struct
method equal (line 30) | func (s *sessionState) equal(i interface{}) bool {
method marshal (line 55) | func (s *sessionState) marshal() []byte {
method unmarshal (line 89) | func (s *sessionState) unmarshal(data []byte) bool {
method encryptTicket (line 136) | func (c *Conn) encryptTicket(state *sessionState) ([]byte, error) {
method decryptTicket (line 161) | func (c *Conn) decryptTicket(encrypted []byte) (*sessionState, bool) {
FILE: scan/crypto/tls/tls.go
function Server (line 31) | func Server(conn net.Conn, config *Config) *Conn {
function Client (line 39) | func Client(conn net.Conn, config *Config) *Conn {
type listener (line 44) | type listener struct
method Accept (line 51) | func (l *listener) Accept() (c net.Conn, err error) {
function NewListener (line 64) | func NewListener(inner net.Listener, config *Config) net.Listener {
function Listen (line 75) | func Listen(network, laddr string, config *Config) (net.Listener, error) {
type timeoutError (line 86) | type timeoutError struct
method Error (line 88) | func (timeoutError) Error() string { return "tls: DialWithDialer tim...
method Timeout (line 89) | func (timeoutError) Timeout() bool { return true }
method Temporary (line 90) | func (timeoutError) Temporary() bool { return true }
function DialWithDialer (line 99) | func DialWithDialer(dialer *net.Dialer, network, addr string, config *Co...
function Dial (line 170) | func Dial(network, addr string, config *Config) (*Conn, error) {
function LoadX509KeyPair (line 178) | func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
function X509KeyPair (line 193) | func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
function parsePrivateKey (line 281) | func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
FILE: scan/crypto/tls/tls_test.go
function TestX509KeyPair (line 93) | func TestX509KeyPair(t *testing.T) {
function TestX509KeyPairErrors (line 107) | func TestX509KeyPairErrors(t *testing.T) {
function TestX509MixedKeyPair (line 139) | func TestX509MixedKeyPair(t *testing.T) {
function newLocalListener (line 148) | func newLocalListener(t *testing.T) net.Listener {
function TestDialTimeout (line 159) | func TestDialTimeout(t *testing.T) {
function TestConnReadNonzeroAndEOF (line 198) | func TestConnReadNonzeroAndEOF(t *testing.T) {
function testConnReadNonzeroAndEOF (line 217) | func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error {
function TestTLSUniqueMatches (line 273) | func TestTLSUniqueMatches(t *testing.T) {
function TestVerifyHostname (line 317) | func TestVerifyHostname(t *testing.T) {
function TestVerifyHostnameResumed (line 341) | func TestVerifyHostnameResumed(t *testing.T) {
function TestConnCloseBreakingWrite (line 364) | func TestConnCloseBreakingWrite(t *testing.T) {
type changeImplConn (line 445) | type changeImplConn struct
method Write (line 451) | func (w *changeImplConn) Write(p []byte) (n int, err error) {
method Close (line 458) | func (w *changeImplConn) Close() error {
FILE: scan/pki.go
function getChain (line 34) | func getChain(addr string, config *tls.Config) (chain []*x509.Certificat...
type expiration (line 53) | type expiration
method String (line 55) | func (e expiration) String() string {
function chainExpiration (line 59) | func chainExpiration(addr, hostname string) (grade Grade, output Output,...
function chainValidation (line 82) | func chainValidation(addr, hostname string) (grade Grade, output Output,...
function multipleCerts (line 138) | func multipleCerts(addr, hostname string) (grade Grade, output Output, e...
FILE: scan/scan_common.go
type Grade (line 28) | type Grade
method String (line 42) | func (g Grade) String() string {
constant Bad (line 32) | Bad Grade = iota
constant Warning (line 34) | Warning
constant Good (line 36) | Good
constant Skipped (line 38) | Skipped
type Output (line 58) | type Output interface
function multiscan (line 62) | func multiscan(host string, scan func(string) (Grade, Output, error)) (g...
type Scanner (line 94) | type Scanner struct
method Scan (line 102) | func (s *Scanner) Scan(addr, hostname string) (Grade, Output, error) {
type Family (line 112) | type Family struct
type FamilySet (line 120) | type FamilySet
method RunScans (line 231) | func (fs FamilySet) RunScans(host, ip, family, scanner string, timeout...
type ScannerResult (line 132) | type ScannerResult struct
type FamilyResult (line 139) | type FamilyResult
type Result (line 142) | type Result struct
type context (line 147) | type context struct
method newfamilyContext (line 177) | func (ctx *context) newfamilyContext(numScanners int) *familyContext {
method copyResults (line 189) | func (ctx *context) copyResults(timeout time.Duration) map[string]Fami...
function newContext (line 154) | func newContext(addr, hostname string, familyRegexp, scannerRegexp *rege...
type familyContext (line 172) | type familyContext struct
method runScanner (line 210) | func (familyCtx *familyContext) runScanner(familyName, scannerName str...
function LoadRootCAs (line 267) | func LoadRootCAs(caBundleFile string) (err error) {
function defaultTLSConfig (line 275) | func defaultTLSConfig(hostname string) *tls.Config {
FILE: scan/scan_common_test.go
function TestCommon (line 33) | func TestCommon(t *testing.T) {
FILE: scan/tls_handshake.go
function getCipherIndex (line 44) | func getCipherIndex(ciphers []uint16, serverCipher uint16) (cipherIndex ...
function getCurveIndex (line 57) | func getCurveIndex(curves []tls.CurveID, serverCurve tls.CurveID) (curve...
function sayHello (line 68) | func sayHello(addr, hostname string, ciphers []uint16, curves []tls.Curv...
function allCiphersIDs (line 120) | func allCiphersIDs() []uint16 {
function allECDHECiphersIDs (line 128) | func allECDHECiphersIDs() []uint16 {
function allCurvesIDs (line 182) | func allCurvesIDs() []tls.CurveID {
type cipherDatum (line 195) | type cipherDatum struct
type cipherVersions (line 202) | type cipherVersions struct
type cipherVersionList (line 207) | type cipherVersionList
method String (line 209) | func (cvList cipherVersionList) String() string {
method MarshalJSON (line 225) | func (cvList cipherVersionList) MarshalJSON() ([]byte, error) {
function doCurveScan (line 247) | func doCurveScan(addr, hostname string, vers, cipherID uint16, ciphers [...
function cipherSuiteScan (line 271) | func cipherSuiteScan(addr, hostname string) (grade Grade, output Output,...
function sigAlgsScan (line 328) | func sigAlgsScan(addr, hostname string) (grade Grade, output Output, err...
function certSigAlgsScan (line 347) | func certSigAlgsScan(addr, hostname string) (grade Grade, output Output,...
function certSigAlgsScanByCipher (line 376) | func certSigAlgsScanByCipher(addr, hostname string) (grade Grade, output...
function ecCurveScan (line 404) | func ecCurveScan(addr, hostname string) (grade Grade, output Output, err...
FILE: scan/tls_session.go
function sessionResumeScan (line 18) | func sessionResumeScan(addr, hostname string) (grade Grade, output Outpu...
FILE: selfsign/selfsign.go
constant threeMonths (line 23) | threeMonths = 2190 * time.Hour
function parseCertificateRequest (line 27) | func parseCertificateRequest(priv crypto.Signer, csrBytes []byte) (templ...
type subjectPublicKeyInfo (line 55) | type subjectPublicKeyInfo struct
function Sign (line 61) | func Sign(priv crypto.Signer, csrPEM []byte, profile *config.SigningProf...
FILE: selfsign/selfsign_test.go
constant keyFile (line 19) | keyFile = "testdata/localhost.key"
constant csrFile (line 20) | csrFile = "testdata/localhost.csr"
constant csr2File (line 22) | csr2File = "testdata/sans.csr"
constant extCsrFile (line 24) | extCsrFile = "testdata/extension.csr"
function TestDefaultSign (line 27) | func TestDefaultSign(t *testing.T) {
function TestSANs (line 51) | func TestSANs(t *testing.T) {
function TestExtensions (line 108) | func TestExtensions(t *testing.T){
FILE: signer/local/local.go
type Signer (line 46) | type Signer struct
method lint (line 148) | func (s *Signer) lint(template x509.Certificate, errLevel lint.LintSta...
method sign (line 192) | func (s *Signer) sign(template *x509.Certificate, lintErrLevel lint.Li...
method Sign (line 287) | func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
method SignFromPrecert (line 550) | func (s *Signer) SignFromPrecert(precert *x509.Certificate, scts []ct....
method Info (line 625) | func (s *Signer) Info(req info.Req) (resp *info.Resp, err error) {
method SigAlgo (line 647) | func (s *Signer) SigAlgo() x509.SignatureAlgorithm {
method Certificate (line 652) | func (s *Signer) Certificate(label, profile string) (*x509.Certificate...
method SetPolicy (line 658) | func (s *Signer) SetPolicy(policy *config.Signing) {
method SetDBAccessor (line 663) | func (s *Signer) SetDBAccessor(dba certdb.Accessor) {
method GetDBAccessor (line 668) | func (s *Signer) GetDBAccessor() certdb.Accessor {
method SetReqModifier (line 673) | func (s *Signer) SetReqModifier(func(*http.Request, []byte)) {
method Policy (line 678) | func (s *Signer) Policy() *config.Signing {
function NewSigner (line 59) | func NewSigner(priv crypto.Signer, cert *x509.Certificate, sigAlgo x509....
function NewSignerFromFile (line 99) | func NewSignerFromFile(caFile, caKeyFile string, policy *config.Signing)...
type LintError (line 135) | type LintError struct
method Error (line 139) | func (e *LintError) Error() string {
function replaceSliceIfEmpty (line 228) | func replaceSliceIfEmpty(replaced, newContents *[]string) {
function PopulateSubjectFromCSR (line 237) | func PopulateSubjectFromCSR(s *signer.Subject, req pkix.Name) pkix.Name {
function OverrideHosts (line 262) | func OverrideHosts(template *x509.Certificate, hosts []string) {
FILE: signer/local/local_test.go
constant fullSubjectCSR (line 39) | fullSubjectCSR = "testdata/test.csr"
constant testCSR (line 40) | testCSR = "testdata/ecdsa256.csr"
constant testSANCSR (line 41) | testSANCSR = "testdata/san_domain.csr"
constant testCaFile (line 42) | testCaFile = "testdata/ca.pem"
constant testCaKeyFile (line 43) | testCaKeyFile = "testdata/ca_key.pem"
constant testECDSACaFile (line 44) | testECDSACaFile = "testdata/ecdsa256_ca.pem"
constant testECDSACaKeyFile (line 45) | testECDSACaKeyFile = "testdata/ecdsa256_ca_key.pem"
function newTestSigner (line 51) | func newTestSigner(t *testing.T) (s *Signer) {
function TestNewSignerFromFilePolicy (line 59) | func TestNewSignerFromFilePolicy(t *testing.T) {
function TestNewSignerFromFileInvalidPolicy (line 85) | func TestNewSignerFromFileInvalidPolicy(t *testing.T) {
function TestNewSignerFromFileNoUsageInPolicy (line 111) | func TestNewSignerFromFileNoUsageInPolicy(t *testing.T) {
function TestNewSignerFromFileEdgeCases (line 137) | func TestNewSignerFromFileEdgeCases(t *testing.T) {
function TestNewSignerFromFilePolicyLinting (line 160) | func TestNewSignerFromFilePolicyLinting(t *testing.T) {
function TestSign (line 205) | func TestSign(t *testing.T) {
function TestCertificate (line 253) | func TestCertificate(t *testing.T) {
function TestPolicy (line 265) | func TestPolicy(t *testing.T) {
function newCustomSigner (line 279) | func newCustomSigner(t *testing.T, testCaFile, testCaKeyFile string) (s ...
function TestNewSignerFromFile (line 287) | func TestNewSignerFromFile(t *testing.T) {
constant testHostName (line 292) | testHostName = "localhost"
function testSignFile (line 295) | func testSignFile(t *testing.T, certFile string) ([]byte, error) {
type csrTest (line 306) | type csrTest struct
function ExpectError (line 315) | func ExpectError() func(*testing.T, error) {
function TestSignCSRs (line 374) | func TestSignCSRs(t *testing.T) {
function TestECDSASigner (line 402) | func TestECDSASigner(t *testing.T) {
constant ecdsaInterCSR (line 431) | ecdsaInterCSR = "testdata/ecdsa256-inter.csr"
constant ecdsaInterKey (line 432) | ecdsaInterKey = "testdata/ecdsa256-inter.key"
constant rsaInterCSR (line 433) | rsaInterCSR = "testdata/rsa2048-inter.csr"
constant rsaInterKey (line 434) | rsaInterKey = "testdata/rsa2048-inter.key"
function TestCAIssuing (line 437) | func TestCAIssuing(t *testing.T) {
function TestPopulateSubjectFromCSR (line 504) | func TestPopulateSubjectFromCSR(t *testing.T) {
function TestOverrideSubject (line 572) | func TestOverrideSubject(t *testing.T) {
function TestOverwriteHosts (line 631) | func TestOverwriteHosts(t *testing.T) {
function TestOverrideValidity (line 710) | func TestOverrideValidity(t *testing.T) {
function expectOneValueOf (line 802) | func expectOneValueOf(t *testing.T, s []string, e, n string) {
function expectEmpty (line 812) | func expectEmpty(t *testing.T, s []string, n string) {
function TestCASignPathlen (line 818) | func TestCASignPathlen(t *testing.T) {
function TestNoWhitelistSign (line 972) | func TestNoWhitelistSign(t *testing.T) {
function TestWhitelistSign (line 1027) | func TestWhitelistSign(t *testing.T) {
function TestNameWhitelistSign (line 1096) | func TestNameWhitelistSign(t *testing.T) {
function TestExtensionSign (line 1168) | func TestExtensionSign(t *testing.T) {
function TestCTFailure (line 1258) | func TestCTFailure(t *testing.T) {
function TestCTSuccess (line 1294) | func TestCTSuccess(t *testing.T) {
function TestReturnPrecert (line 1331) | func TestReturnPrecert(t *testing.T) {
function TestSignFromPrecert (line 1377) | func TestSignFromPrecert(t *testing.T) {
function TestLint (line 1492) | func TestLint(t *testing.T) {
FILE: signer/remote/remote.go
type Signer (line 20) | type Signer struct
method Sign (line 44) | func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
method Info (line 57) | func (s *Signer) Info(req info.Req) (resp *info.Resp, err error) {
method remoteOp (line 69) | func (s *Signer) remoteOp(req interface{}, profile, target string) (re...
method SigAlgo (line 105) | func (s *Signer) SigAlgo() x509.SignatureAlgorithm {
method SetPolicy (line 111) | func (s *Signer) SetPolicy(policy *config.Signing) {
method SetDBAccessor (line 116) | func (s *Signer) SetDBAccessor(dba certdb.Accessor) {
method GetDBAccessor (line 121) | func (s *Signer) GetDBAccessor() certdb.Accessor {
method SetReqModifier (line 126) | func (s *Signer) SetReqModifier(mod func(*http.Request, []byte)) {
method Policy (line 131) | func (s *Signer) Policy() *config.Signing {
function NewSigner (line 27) | func NewSigner(policy *config.Signing) (*Signer, error) {
FILE: signer/remote/remote_test.go
constant testCaFile (line 26) | testCaFile = "testdata/ca.pem"
constant testCaKeyFile (line 27) | testCaKeyFile = "testdata/ca_key.pem"
constant testServerFile (line 28) | testServerFile = "testdata/server.pem"
constant testServerKeyFile (line 29) | testServerKeyFile = "testdata/server-key.pem"
constant testClientFile (line 30) | testClientFile = "testdata/client.pem"
constant testClientKeyFile (line 31) | testClientKeyFile = "testdata/client-key.pem"
function TestNewSigner (line 65) | func TestNewSigner(t *testing.T) {
function TestNewAuthSigner (line 74) | func TestNewAuthSigner(t *testing.T) {
function TestRemoteInfo (line 83) | func TestRemoteInfo(t *testing.T) {
function TestRemoteTLSInfo (line 93) | func TestRemoteTLSInfo(t *testing.T) {
function TestRemoteMutualTLSInfo (line 97) | func TestRemoteMutualTLSInfo(t *testing.T) {
function remoteTLSInfo (line 101) | func remoteTLSInfo(t *testing.T, isMutual bool) {
function verifyRemoteInfo (line 124) | func verifyRemoteInfo(t *testing.T, remoteConfig *config.Config) {
function TestRemoteSign (line 143) | func TestRemoteSign(t *testing.T) {
function TestRemoteTLSSign (line 153) | func TestRemoteTLSSign(t *testing.T) {
function TestRemoteMutualTLSSign (line 157) | func TestRemoteMutualTLSSign(t *testing.T) {
function remoteTLSSign (line 161) | func remoteTLSSign(t *testing.T, isMutual bool) {
function verifyRemoteSign (line 183) | func verifyRemoteSign(t *testing.T, remoteConfig *config.Config) {
function TestRemoteSignBadServerAndOverride (line 216) | func TestRemoteSignBadServerAndOverride(t *testing.T) {
function newRemoteSigner (line 253) | func newRemoteSigner(t *testing.T, policy *config.Signing) *Signer {
function newTestSignHandler (line 262) | func newTestSignHandler(t *testing.T) (h http.Handler) {
function newTestInfoHandler (line 270) | func newTestInfoHandler(t *testing.T) (h http.Handler) {
function newTestServer (line 278) | func newTestServer(t *testing.T, path string, handler http.Handler, isTL...
function newTestSignServer (line 304) | func newTestSignServer(t *testing.T, isTLS bool, certPool *x509.CertPool...
function newTestInfoServer (line 310) | func newTestInfoServer(t *testing.T, isTLS bool, certPool *x509.CertPool...
function closeTestServer (line 316) | func closeTestServer(t *testing.T, ts *httptest.Server) {
function newHandler (line 323) | func newHandler(t *testing.T, caFile, caKeyFile, op string) (http.Handle...
FILE: signer/signer.go
type Subject (line 30) | type Subject struct
method Name (line 88) | func (s *Subject) Name() pkix.Name {
type Extension (line 38) | type Extension struct
type SignRequest (line 51) | type SignRequest struct
function appendIf (line 81) | func appendIf(s string, a *[]string) {
function SplitHosts (line 105) | func SplitHosts(hostList string) []string {
type Signer (line 115) | type Signer interface
function Profile (line 127) | func Profile(s Signer, profile string) (*config.SigningProfile, error) {
function DefaultSigAlgo (line 146) | func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm {
function isCommonAttr (line 179) | func isCommonAttr(t []int) bool {
function ParseCertificateRequest (line 185) | func ParseCertificateRequest(s Signer, p *config.SigningProfile, csrByte...
type subjectPublicKeyInfo (line 260) | type subjectPublicKeyInfo struct
function ComputeSKI (line 268) | func ComputeSKI(template *x509.Certificate) ([]byte, error) {
function FillTemplate (line 289) | func FillTemplate(template *x509.Certificate, defaultProfile, profile *c...
type policyInformation (line 395) | type policyInformation struct
type cpsPolicyQualifier (line 400) | type cpsPolicyQualifier struct
type userNotice (line 405) | type userNotice struct
type userNoticePolicyQualifier (line 408) | type userNoticePolicyQualifier struct
function addPolicies (line 435) | func addPolicies(template *x509.Certificate, policies []config.Certifica...
FILE: signer/signer_test.go
function TestAppendIf (line 16) | func TestAppendIf(t *testing.T) {
function TestSplitHosts (line 30) | func TestSplitHosts(t *testing.T) {
function TestAddPolicies (line 50) | func TestAddPolicies(t *testing.T) {
function TestAddPoliciesWithQualifiers (line 75) | func TestAddPoliciesWithQualifiers(t *testing.T) {
function TestName (line 110) | func TestName(t *testing.T) {
FILE: signer/universal/universal.go
type Signer (line 19) | type Signer struct
method getMatchingProfile (line 143) | func (s *Signer) getMatchingProfile(profile string) (*config.SigningPr...
method Sign (line 159) | func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
method Info (line 174) | func (s *Signer) Info(req info.Req) (resp *info.Resp, err error) {
method SetDBAccessor (line 188) | func (s *Signer) SetDBAccessor(dba certdb.Accessor) {
method GetDBAccessor (line 193) | func (s *Signer) GetDBAccessor() certdb.Accessor {
method SetReqModifier (line 198) | func (s *Signer) SetReqModifier(mod func(*http.Request, []byte)) {
method SigAlgo (line 204) | func (s *Signer) SigAlgo() x509.SignatureAlgorithm {
method SetPolicy (line 215) | func (s *Signer) SetPolicy(policy *config.Signing) {
method Policy (line 220) | func (s *Signer) Policy() *config.Signing {
type Root (line 27) | type Root struct
type localSignerCheck (line 34) | type localSignerCheck
function fileBackedSigner (line 37) | func fileBackedSigner(root *Root, policy *config.Signing) (signer.Signer...
function PrependLocalSignerToList (line 54) | func PrependLocalSignerToList(signer localSignerCheck) {
function newLocalSigner (line 58) | func newLocalSigner(root Root, policy *config.Signing) (s signer.Signer,...
function newUniversalSigner (line 84) | func newUniversalSigner(root Root, policy *config.Signing) (*Signer, err...
function NewSigner (line 109) | func NewSigner(root Root, policy *config.Signing) (signer.Signer, error) {
FILE: signer/universal/universal_test.go
constant testCaFile (line 23) | testCaFile = "../local/testdata/ca.pem"
constant testCaKeyFile (line 24) | testCaKeyFile = "../local/testdata/ca_key.pem"
function TestNewSigner (line 273) | func TestNewSigner(t *testing.T) {
function checkInfo (line 290) | func checkInfo(t *testing.T, s signer.Signer, name string, profile *conf...
function TestUniversalRemoteAndLocalInfo (line 314) | func TestUniversalRemoteAndLocalInfo(t *testing.T) {
function TestUniversalMultipleRemoteAndLocalInfo (line 337) | func TestUniversalMultipleRemoteAndLocalInfo(t *testing.T) {
function TestUniversalRemoteAndLocalSign (line 360) | func TestUniversalRemoteAndLocalSign(t *testing.T) {
function newTestUniversalSigner (line 416) | func newTestUniversalSigner(t *testing.T, policy *config.Signing) signer...
function newTestSignHandler (line 435) | func newTestSignHandler(t *testing.T, s signer.Signer) (h http.Handler) {
function newTestInfoHandler (line 443) | func newTestInfoHandler(t *testing.T, s signer.Signer) (h http.Handler) {
function newTestSignServer (line 451) | func newTestSignServer(t *testing.T, s signer.Signer) *httptest.Server {
function newTestInfoServer (line 460) | func newTestInfoServer(t *testing.T, s signer.Signer) *httptest.Server {
function closeTestServer (line 469) | func closeTestServer(t *testing.T, ts *httptest.Server) {
FILE: transport/ca/cert_provider.go
type CertificateAuthority (line 8) | type CertificateAuthority interface
FILE: transport/ca/cfssl_provider.go
type authError (line 21) | type authError struct
method Error (line 25) | func (err *authError) Error() string {
function newStandardProvider (line 36) | func newStandardProvider(ak config.AuthKey, ad []byte) (auth.Provider, e...
function newProvider (line 42) | func newProvider(ak config.AuthKey, ad []byte) (auth.Provider, error) {
function ipIsLocal (line 67) | func ipIsLocal(ip net.IP) bool {
function findLabel (line 110) | func findLabel(label string) *config.Config {
function getProfile (line 122) | func getProfile(cfg *config.Config, profileName string) (*config.Signing...
function getRemote (line 151) | func getRemote(cfg *config.Config, profile *config.SigningProfile) (stri...
type CFSSL (line 188) | type CFSSL struct
method validateAuth (line 77) | func (cap *CFSSL) validateAuth() error {
method loadAuth (line 145) | func (cap *CFSSL) loadAuth() error {
method setRemoteAndAuth (line 161) | func (cap *CFSSL) setRemoteAndAuth() error {
method SignCSR (line 198) | func (cap *CFSSL) SignCSR(csrPEM []byte) (cert []byte, err error) {
method CACertificate (line 240) | func (cap *CFSSL) CACertificate() ([]byte, error) {
function NewCFSSLProvider (line 262) | func NewCFSSLProvider(id *core.Identity, defaultRemote client.Remote) (*...
FILE: transport/ca/localca/signer.go
type CA (line 23) | type CA struct
method Toggle (line 41) | func (lca *CA) Toggle() {
method CACertificate (line 48) | func (lca *CA) CACertificate() ([]byte, error) {
method SignCSR (line 69) | func (lca *CA) SignCSR(csrPEM []byte) ([]byte, error) {
function ExampleRequest (line 107) | func ExampleRequest() *csr.CertificateRequest {
function ExampleSigningConfig (line 124) | func ExampleSigningConfig() *config.Signing {
function New (line 137) | func New(req *csr.CertificateRequest, profiles *config.Signing) (*CA, er...
function NewFromSigner (line 167) | func NewFromSigner(s *local.Signer) *CA {
function Load (line 173) | func Load(lca *CA, profiles *config.Signing) (err error) {
FILE: transport/ca/localca/signer_test.go
function TestEncodePEM (line 15) | func TestEncodePEM(t *testing.T) {
function TestLoadSigner (line 23) | func TestLoadSigner(t *testing.T) {
function TestNewSigner (line 69) | func TestNewSigner(t *testing.T) {
FILE: transport/client.go
function envOrDefault (line 20) | func envOrDefault(key, def string) string {
type Transport (line 44) | type Transport struct
method TLSClientAuthClientConfig (line 85) | func (tr *Transport) TLSClientAuthClientConfig(host string) (*tls.Conf...
method TLSClientAuthServerConfig (line 105) | func (tr *Transport) TLSClientAuthServerConfig() (*tls.Config, error) {
method TLSServerConfig (line 123) | func (tr *Transport) TLSServerConfig() (*tls.Config, error) {
method Lifespan (line 178) | func (tr *Transport) Lifespan() time.Duration {
method RefreshKeys (line 202) | func (tr *Transport) RefreshKeys() (err error) {
method getCertificate (line 269) | func (tr *Transport) getCertificate() (cert tls.Certificate, err error) {
method AutoUpdate (line 329) | func (tr *Transport) AutoUpdate(certUpdates chan<- time.Time, errChan ...
function New (line 141) | func New(before time.Duration, identity *core.Identity) (*Transport, err...
function Dial (line 289) | func Dial(address string, tr *Transport) (*tls.Conn, error) {
FILE: transport/core/defs.go
type Root (line 19) | type Root struct
type Identity (line 29) | type Identity struct
FILE: transport/core/rand.go
function seed (line 14) | func seed() error {
function init (line 31) | func init() {
FILE: transport/example/exlib/exlib.go
function Err (line 23) | func Err(exit int, err error, format string, a ...interface{}) {
function Errx (line 33) | func Errx(exit int, format string, a ...interface{}) {
function Warn (line 42) | func Warn(err error, format string, a ...interface{}) (int, error) {
function Unpack (line 50) | func Unpack(r io.Reader) ([]byte, error) {
constant messageMax (line 64) | messageMax = 1 << 16
function Pack (line 67) | func Pack(w io.Writer, buf []byte) error {
FILE: transport/example/maclient/client.go
function main (line 21) | func main() {
FILE: transport/example/maserver/server.go
function main (line 19) | func main() {
function connHandler (line 65) | func connHandler(conn net.Conn) {
function serve (line 90) | func serve(l net.Listener) error {
FILE: transport/kp/key_provider.go
constant curveP256 (line 37) | curveP256 = 256
constant curveP384 (line 38) | curveP384 = 384
constant curveP521 (line 39) | curveP521 = 521
type KeyProvider (line 44) | type KeyProvider interface
type StandardPaths (line 98) | type StandardPaths struct
type StandardProvider (line 106) | type StandardProvider struct
method resetCert (line 148) | func (sp *StandardProvider) resetCert() {
method resetKey (line 153) | func (sp *StandardProvider) resetKey() {
method Check (line 169) | func (sp *StandardProvider) Check() error {
method Persistent (line 187) | func (sp *StandardProvider) Persistent() bool {
method Generate (line 192) | func (sp *StandardProvider) Generate(algo string, size int) (err error) {
method Certificate (line 274) | func (sp *StandardProvider) Certificate() *x509.Certificate {
method CertificateRequest (line 281) | func (sp *StandardProvider) CertificateRequest(req *csr.CertificateReq...
method Load (line 296) | func (sp *StandardProvider) Load() (err error) {
method Ready (line 367) | func (sp *StandardProvider) Ready() bool {
method SetCertificatePEM (line 384) | func (sp *StandardProvider) SetCertificatePEM(certPEM []byte) error {
method SignalFailure (line 397) | func (sp *StandardProvider) SignalFailure(err error) bool {
method SignCSR (line 402) | func (sp *StandardProvider) SignCSR(tpl *x509.CertificateRequest) ([]b...
method Store (line 407) | func (sp *StandardProvider) Store() error {
method X509KeyPair (line 421) | func (sp *StandardProvider) X509KeyPair() (tls.Certificate, error) {
function NewStandardProvider (line 123) | func NewStandardProvider(id *core.Identity) (*StandardProvider, error) {
FILE: transport/kp/key_provider_test.go
constant testKey (line 12) | testKey = "testdata/test.key"
constant testCert (line 13) | testCert = "testdata/test.pem"
function removeIfPresent (line 28) | func removeIfPresent(path string) error {
function TestMain (line 35) | func TestMain(m *testing.M) {
function TestNewStandardProvider (line 51) | func TestNewStandardProvider(t *testing.T) {
function TestGenerate (line 79) | func TestGenerate(t *testing.T) {
FILE: transport/listener.go
type Listener (line 12) | type Listener struct
method AutoUpdate (line 57) | func (l *Listener) AutoUpdate(certUpdates chan<- time.Time, errChan ch...
function Listen (line 19) | func Listen(address string, tr *Transport) (*Listener, error) {
method getConfig (line 31) | func (tr *Transport) getConfig() (*tls.Config, error) {
function pollWait (line 44) | func pollWait(target time.Time) {
FILE: transport/roots/cfssl.go
function NewCFSSL (line 16) | func NewCFSSL(metadata map[string]string) ([]*x509.Certificate, error) {
FILE: transport/roots/provider.go
type TrustStore (line 24) | type TrustStore struct
method Pool (line 30) | func (ts *TrustStore) Pool() *x509.CertPool {
method Certificates (line 39) | func (ts *TrustStore) Certificates() []*x509.Certificate {
method addCerts (line 47) | func (ts *TrustStore) addCerts(certs []*x509.Certificate) {
type Trusted (line 59) | type Trusted interface
function New (line 74) | func New(rootDefs []*core.Root) (*TrustStore, error) {
function TrustPEM (line 111) | func TrustPEM(metadata map[string]string) ([]*x509.Certificate, error) {
FILE: transport/roots/system/nilref_nil_darwin.go
function setNilCFRef (line 19) | func setNilCFRef(v *C.CFDataRef) {
function isNilCFRef (line 23) | func isNilCFRef(v C.CFDataRef) bool {
FILE: transport/roots/system/nilref_zero_darwin.go
function setNilCFRef (line 19) | func setNilCFRef(v *C.CFDataRef) {
function isNilCFRef (line 23) | func isNilCFRef(v C.CFDataRef) bool {
FILE: transport/roots/system/root.go
function appendPEM (line 13) | func appendPEM(roots []*x509.Certificate, pemCerts []byte) ([]*x509.Cert...
function New (line 41) | func New(metadata map[string]string) ([]*x509.Certificate, error) {
FILE: transport/roots/system/root_cgo_darwin.go
function initSystemRoots (line 70) | func initSystemRoots() []*x509.Certificate {
FILE: transport/roots/system/root_darwin.go
function execSecurityRoots (line 15) | func execSecurityRoots() ([]*x509.Certificate, error) {
FILE: transport/roots/system/root_darwin_armx.go
function initSystemRoots (line 14) | func initSystemRoots() {
constant systemRootsPEM (line 19) | systemRootsPEM = `
FILE: transport/roots/system/root_darwin_test.go
function TestSystemRoots (line 13) | func TestSystemRoots(t *testing.T) {
FILE: transport/roots/system/root_nocgo_darwin.go
function initSystemRoots (line 12) | func initSystemRoots() []*x509.Certificate {
FILE: transport/roots/system/root_plan9.go
function initSystemRoots (line 19) | func initSystemRoots() (roots []*x509.Certificate) {
FILE: transport/roots/system/root_unix.go
function initSystemRoots (line 21) | func initSystemRoots() []*x509.Certificate {
FILE: transport/roots/system/root_windows.go
function createStoreContext (line 21) | func createStoreContext(leaf *Certificate, opts *VerifyOptions) (*syscal...
function extractSimpleChain (line 60) | func extractSimpleChain(simpleChain **syscall.CertSimpleChain, count int...
function checkChainTrustStatus (line 86) | func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainCo...
function checkChainSSLServerPolicy (line 101) | func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertCha...
function initSystemRoots (line 143) | func initSystemRoots() []*x509.Certificate {
FILE: transport/transport_test.go
function cfsslIsAvailable (line 23) | func cfsslIsAvailable() bool {
function removeIfPresent (line 45) | func removeIfPresent(path string) error {
function TestMain (line 52) | func TestMain(m *testing.M) {
function TestTransportSetup (line 123) | func TestTransportSetup(t *testing.T) {
function TestRefreshKeys (line 133) | func TestRefreshKeys(t *testing.T) {
function TestAutoUpdate (line 140) | func TestAutoUpdate(t *testing.T) {
function testListen (line 209) | func testListen(t *testing.T) {
function TestListener (line 222) | func TestListener(t *testing.T) {
FILE: ubiquity/filter.go
type RankingFunc (line 16) | type RankingFunc
function Filter (line 19) | func Filter(chains [][]*x509.Certificate, f RankingFunc) [][]*x509.Certi...
FILE: ubiquity/performance.go
function hashPriority (line 16) | func hashPriority(cert *x509.Certificate) int {
function keyAlgoPriority (line 31) | func keyAlgoPriority(cert *x509.Certificate) int {
function HashPriority (line 65) | func HashPriority(certs []*x509.Certificate) int {
function KeyAlgoPriority (line 76) | func KeyAlgoPriority(certs []*x509.Certificate) int {
function CompareChainHashPriority (line 87) | func CompareChainHashPriority(chain1, chain2 []*x509.Certificate) int {
function CompareChainKeyAlgoPriority (line 94) | func CompareChainKeyAlgoPriority(chain1, chain2 []*x509.Certificate) int {
function CompareChainCryptoSuite (line 101) | func CompareChainCryptoSuite(chain1, chain2 []*x509.Certificate) int {
function CompareChainLength (line 108) | func CompareChainLength(chain1, chain2 []*x509.Certificate) int {
function compareTime (line 112) | func compareTime(t1, t2 time.Time) int {
function CompareChainExpiry (line 122) | func CompareChainExpiry(chain1, chain2 []*x509.Certificate) int {
FILE: ubiquity/sha1.go
type DeprecationSeverity (line 12) | type DeprecationSeverity
constant None (line 16) | None DeprecationSeverity = iota
constant Low (line 18) | Low
constant Medium (line 21) | Medium
constant High (line 23) | High
type SHA1DeprecationPolicy (line 27) | type SHA1DeprecationPolicy struct
method Flag (line 104) | func (p SHA1DeprecationPolicy) Flag(chain []*x509.Certificate) bool {
function SHA1DeprecationMessages (line 134) | func SHA1DeprecationMessages(chain []*x509.Certificate) []string {
FILE: ubiquity/ubiquity_crypto.go
type HashUbiquity (line 17) | type HashUbiquity
type KeyAlgoUbiquity (line 22) | type KeyAlgoUbiquity
constant UnknownHashUbiquity (line 27) | UnknownHashUbiquity HashUbiquity = 0
constant SHA2Ubiquity (line 28) | SHA2Ubiquity HashUbiquity = 70
constant SHA1Ubiquity (line 29) | SHA1Ubiquity HashUbiquity = 100
constant MD5Ubiquity (line 30) | MD5Ubiquity HashUbiquity = 0
constant MD2Ubiquity (line 31) | MD2Ubiquity HashUbiquity = 0
constant RSAUbiquity (line 39) | RSAUbiquity KeyAlgoUbiquity = 100
constant DSAUbiquity (line 40) | DSAUbiquity KeyAlgoUbiquity = 100
constant ECDSA256Ubiquity (line 41) | ECDSA256Ubiquity KeyAlgoUbiquity = 70
constant ECDSA384Ubiquity (line 42) | ECDSA384Ubiquity KeyAlgoUbiquity = 70
constant ECDSA521Ubiquity (line 43) | ECDSA521Ubiquity KeyAlgoUbiquity = 30
constant UnknownAlgoUbiquity (line 44) | UnknownAlgoUbiquity KeyAlgoUbiquity = 0
function hashUbiquity (line 50) | func hashUbiquity(cert *x509.Certificate) HashUbiquity {
function keyAlgoUbiquity (line 67) | func keyAlgoUbiquity(cert *x509.Certificate) KeyAlgoUbiquity {
function ChainHashUbiquity (line 94) | func ChainHashUbiquity(chain []*x509.Certificate) HashUbiquity {
function ChainKeyAlgoUbiquity (line 107) | func ChainKeyAlgoUbiquity(chain []*x509.Certificate) KeyAlgoUbiquity {
function CompareChainHashUbiquity (line 121) | func CompareChainHashUbiquity(chain1, chain2 []*x509.Certificate) int {
function CompareChainKeyAlgoUbiquity (line 130) | func CompareChainKeyAlgoUbiquity(chain1, chain2 []*x509.Certificate) int {
function CompareExpiryUbiquity (line 139) | func CompareExpiryUbiquity(chain1, chain2 []*x509.Certificate) int {
FILE: ubiquity/ubiquity_platform.go
function SHA1RawPublicKey (line 21) | func SHA1RawPublicKey(cert *x509.Certificate) string {
type CertSet (line 26) | type CertSet
method Lookup (line 29) | func (s CertSet) Lookup(cert *x509.Certificate) bool {
method Add (line 34) | func (s CertSet) Add(cert *x509.Certificate) {
type Platform (line 39) | type Platform struct
method Trust (line 51) | func (p Platform) Trust(root *x509.Certificate) bool {
method hashUbiquity (line 63) | func (p Platform) hashUbiquity() HashUbiquity {
method keyAlgoUbiquity (line 74) | func (p Platform) keyAlgoUbiquity() KeyAlgoUbiquity {
method ParseAndLoad (line 91) | func (p *Platform) ParseAndLoad() (ok bool) {
function LoadPlatforms (line 134) | func LoadPlatforms(filename string) error {
function UntrustedPlatforms (line 174) | func UntrustedPlatforms(root *x509.Certificate) []string {
function CrossPlatformUbiq
Copy disabled (too large)
Download .json
Condensed preview — 2240 files, each showing path, character count, and a content snippet. Download the .json file for the full structured content (38,233K chars).
[
{
"path": ".dockerignore",
"chars": 34,
"preview": "cfssl_*\n*-amd64\n*-386\ndist/*\n.git\n"
},
{
"path": ".github/dependabot.yml",
"chars": 197,
"preview": "version: 2\nupdates:\n - package-ecosystem: github-actions\n directory: /\n schedule:\n interval: weekly\n\n - pac"
},
{
"path": ".github/workflows/docker-builds.yml",
"chars": 1624,
"preview": "name: cfssl docker\n\non:\n workflow_dispatch:\n push:\n branches:\n - \"master\"\n tags:\n - \"v*\"\njobs:\n build"
},
{
"path": ".github/workflows/go.yml",
"chars": 2731,
"preview": "name: Go\n\non:\n push:\n pull_request:\n branches: [master]\n\njobs:\n build:\n runs-on: ubuntu-latest\n strategy:\n "
},
{
"path": ".github/workflows/semgrep.yml",
"chars": 586,
"preview": "on:\n pull_request: {}\n workflow_dispatch: {}\n push: \n branches:\n - main\n - master\n schedule:\n - cron"
},
{
"path": ".github/workflows/snapshot.yml",
"chars": 332,
"preview": "name: Image snapshots\n\non:\n push:\n pull_request:\n branches: [master]\n\njobs:\n build:\n runs-on: ubuntu-latest\n "
},
{
"path": ".gitignore",
"chars": 63,
"preview": "dist/*\ncoverage.txt\nprofile.out\nbin\n*.deb\n*.rpm\ntest\n.DS_Store\n"
},
{
"path": ".golangci.yaml",
"chars": 111,
"preview": "linters:\n disable:\n - staticcheck\n - govet\n - gosimple\n - ineffassign\n - unused\n - errcheck\n"
},
{
"path": ".goreleaser.yml",
"chars": 7117,
"preview": "env:\n - GO111MODULE=on\n - CGO_ENABLED=0\n - GOFLAGS=-mod=vendor\n - GOPROXY=off\nbuilds:\n - id: cfssl-darwin\n binar"
},
{
"path": "CHANGELOG",
"chars": 2821,
"preview": "1.1.0 - 2015-08-04\n\nADDED:\n - Revocation now checks OCSP status.\n - Authenticated endpoints are now supporte"
},
{
"path": "Dockerfile",
"chars": 585,
"preview": "FROM --platform=${TARGETPLATFORM} golang:1.20\n\nARG TARGETPLATFORM\nARG BUILDPLATFORM\nRUN echo \"I am running on $BUILDPLAT"
},
{
"path": "Dockerfile.alpine",
"chars": 391,
"preview": "FROM golang:1.20-alpine AS builder\n\nWORKDIR /workdir\nCOPY . /workdir\n\nRUN set -x && \\\n\tapk --no-cache add git gcc libc-d"
},
{
"path": "LICENSE",
"chars": 1266,
"preview": "Copyright (c) 2014 CloudFlare Inc.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are"
},
{
"path": "Makefile",
"chars": 2679,
"preview": "VERSION := $(shell git describe --tags --abbrev=0 | tr -d '[:alpha:]')\nLDFLAGS := \"-s -w -X github.com/cloudflare/cfssl/"
},
{
"path": "README.md",
"chars": 13425,
"preview": "# CFSSL\n\n[](https://travis-ci.org/cloudflare/cf"
},
{
"path": "api/api.go",
"chars": 6968,
"preview": "// Package api implements an HTTP-based API and server for CFSSL.\npackage api\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/htt"
},
{
"path": "api/api_test.go",
"chars": 4739,
"preview": "package api\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n)\n\nconst (\n\tty = \"Th"
},
{
"path": "api/bundle/bundle.go",
"chars": 2305,
"preview": "// Package bundle implements the HTTP handler for the bundle command.\npackage bundle\n\nimport (\n\t\"net/http\"\n\n\t\"github.com"
},
{
"path": "api/bundle/bundle_test.go",
"chars": 5193,
"preview": "package bundle\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com"
},
{
"path": "api/certadd/insert.go",
"chars": 6032,
"preview": "package certadd\n\nimport (\n\t\"bytes\"\n\t\"database/sql\"\n\t\"encoding/base64\"\n\t\"encoding/hex\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"math/big\""
},
{
"path": "api/certadd/insert_test.go",
"chars": 15279,
"preview": "package certadd\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"encoding/base64\"\n\t\""
},
{
"path": "api/certinfo/certinfo.go",
"chars": 2284,
"preview": "// Package certinfo implements the HTTP handler for the certinfo command.\npackage certinfo\n\nimport (\n\t\"errors\"\n\t\"net/htt"
},
{
"path": "api/client/api.go",
"chars": 130,
"preview": "package client\n\n// SignResult is the result of signing a CSR.\ntype SignResult struct {\n\tCertificate []byte `json:\"certif"
},
{
"path": "api/client/client.go",
"chars": 10437,
"preview": "// Package client implements a Go client for CFSSL API commands.\npackage client\n\nimport (\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"encod"
},
{
"path": "api/client/client_test.go",
"chars": 5588,
"preview": "package client\n\nimport (\n\t\"crypto/tls\"\n\t\"github.com/cloudflare/cfssl/auth\"\n\t\"github.com/cloudflare/cfssl/helpers\"\n\t\"net\""
},
{
"path": "api/client/group.go",
"chars": 3028,
"preview": "package client\n\nimport (\n\t\"crypto/tls\"\n\t\"errors\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cfss"
},
{
"path": "api/crl/crl.go",
"chars": 2232,
"preview": "// Package crl implements the HTTP handler for the crl command.\npackage crl\n\nimport (\n\t\"crypto\"\n\t\"crypto/x509\"\n\t\"net/htt"
},
{
"path": "api/crl/crl_test.go",
"chars": 3619,
"preview": "package crl\n\nimport (\n\t\"crypto/x509\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testin"
},
{
"path": "api/gencrl/gencrl.go",
"chars": 2568,
"preview": "// Package gencrl implements the HTTP handler for the gencrl commands.\npackage gencrl\n\nimport (\n\t\"crypto/rand\"\n\t\"crypto/"
},
{
"path": "api/gencrl/gencrl_test.go",
"chars": 2287,
"preview": "package gencrl\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com"
},
{
"path": "api/generator/generator.go",
"chars": 9300,
"preview": "// Package generator implements the HTTP handlers for certificate generation.\npackage generator\n\nimport (\n\t\"crypto/md5\"\n"
},
{
"path": "api/generator/generator_test.go",
"chars": 3494,
"preview": "package generator\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/"
},
{
"path": "api/generator/testdata/ca.pem",
"chars": 1659,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEmzCCA4OgAwIBAgIMAMSvNBgypwaaSQ5iMA0GCSqGSIb3DQEBBQUAMIGMMQsw\nCQYDVQQGEwJVUzETMBEGA1UECBM"
},
{
"path": "api/generator/testdata/ca_key.pem",
"chars": 1704,
"preview": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxGnXFJ8gOgP/j\nQGjgeWzewWfh1q/k2DFtkalXIYX"
},
{
"path": "api/health/health.go",
"chars": 581,
"preview": "package health\n\nimport (\n\t\"encoding/json\"\n\t\"net/http\"\n\n\t\"github.com/cloudflare/cfssl/api\"\n)\n\n// Response contains the re"
},
{
"path": "api/info/info.go",
"chars": 3351,
"preview": "// Package info implements the HTTP handler for the info command.\npackage info\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/ht"
},
{
"path": "api/info/info_test.go",
"chars": 5395,
"preview": "package info\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/cloudfl"
},
{
"path": "api/initca/initca.go",
"chars": 1770,
"preview": "// Package initca implements the HTTP handler for the CA initialization command\npackage initca\n\nimport (\n\t\"encoding/json"
},
{
"path": "api/initca/initca_test.go",
"chars": 2195,
"preview": "package initca\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/cloudflare/"
},
{
"path": "api/ocsp/ocspsign.go",
"chars": 3001,
"preview": "// Package ocsp implements the HTTP handler for the ocsp commands.\npackage ocsp\n\nimport (\n\t\"crypto\"\n\t\"encoding/base64\"\n\t"
},
{
"path": "api/ocsp/ocspsign_test.go",
"chars": 6343,
"preview": "package ocsp\n\nimport (\n\t\"bytes\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"testi"
},
{
"path": "api/revoke/revoke.go",
"chars": 3397,
"preview": "// Package revoke implements the HTTP handler for the revoke command\npackage revoke\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\t\"n"
},
{
"path": "api/revoke/revoke_test.go",
"chars": 7171,
"preview": "package revoke\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"encoding/hex\"\n\t\"enco"
},
{
"path": "api/scan/scan.go",
"chars": 2191,
"preview": "package scan\n\nimport (\n\t\"encoding/json\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cfssl/api\"\n\t\"github.com/cloudflare/"
},
{
"path": "api/scan/scan_test.go",
"chars": 1531,
"preview": "package scan\n\nimport (\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n)\n\nvar (\n\thandler, _ = NewHandler(\"\")\n\tts = h"
},
{
"path": "api/sign/sign.go",
"chars": 1585,
"preview": "// Package sign implements the HTTP handler for the certificate signing command.\npackage sign\n\nimport (\n\t\"net/http\"\n\n\t\"g"
},
{
"path": "api/sign/sign_test.go",
"chars": 12679,
"preview": "package sign\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"g"
},
{
"path": "api/signhandler/signhandler.go",
"chars": 8285,
"preview": "// Package signhandler provides the handlers for signers.\npackage signhandler\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\t\"math/bi"
},
{
"path": "api/signhandler/signhandler_test.go",
"chars": 2400,
"preview": "package signhandler\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"testing\"\n\n\t\"githu"
},
{
"path": "api/testdata/broken.pem",
"chars": 757,
"preview": "-----BEGIN CERTIFICATE-----\nMIICATCCAWoCCQDidF+uNJR6czANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB\ncyBQdHkgTHRkMB4XDTEyMDUwMTI"
},
{
"path": "api/testdata/broken_csr.pem",
"chars": 1855,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIFGzCCAwUCAQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "api/testdata/ca-bundle.pem",
"chars": 1046,
"preview": "-----BEGIN CERTIFICATE-----\nMIIC1jCCAj+gAwIBAgIUJhxh1ENJRZoFuCN+XB0xlP1zgeYwDQYJKoZIhvcNAQEL\nBQAwfTELMAkGA1UEBhMCVVMxEzA"
},
{
"path": "api/testdata/ca.pem",
"chars": 1659,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEmzCCA4OgAwIBAgIMAMSvNBgypwaaSQ5iMA0GCSqGSIb3DQEBBQUAMIGMMQsw\nCQYDVQQGEwJVUzETMBEGA1UECBM"
},
{
"path": "api/testdata/ca2-key.pem",
"chars": 227,
"preview": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEILOI+Ox7VUA+HaiOuAbBtf1IOXffEsOoI/443rTOPzD5oAoGCCqGSM49\nAwEHoUQDQgAEoY1dLpXLl1bN"
},
{
"path": "api/testdata/ca2.pem",
"chars": 887,
"preview": "-----BEGIN CERTIFICATE-----\nMIICYjCCAgigAwIBAgIIB/ijVOdMMDMwCgYIKoZIzj0EAwIwgYIxCzAJBgNVBAYT\nAlVTMRUwEwYDVQQKEwxDRlNTTCB"
},
{
"path": "api/testdata/ca_key.pem",
"chars": 1704,
"preview": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxGnXFJ8gOgP/j\nQGjgeWzewWfh1q/k2DFtkalXIYX"
},
{
"path": "api/testdata/cert.pem",
"chars": 729,
"preview": "-----BEGIN CERTIFICATE-----\nMIIB7jCCAVmgAwIBAgIBADALBgkqhkiG9w0BAQUwJjEQMA4GA1UEChMHQWNtZSBD\nbzESMBAGA1UEAxMJMTI3LjAuMC4"
},
{
"path": "api/testdata/csr.pem",
"chars": 708,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIB0jCCAVcCAQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "api/testdata/int-bundle.pem",
"chars": 3196,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEfzCCA+igAwIBAgIUEvxiFE387bDlHt8NSYEYLPYpJwIwDQYJKoZIhvcNAQEF\nBQAwfTELMAkGA1UEBhMCVVMxEzA"
},
{
"path": "api/testdata/leaf.badkey",
"chars": 2459,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIG5AIBAAKCAYEA9xYBDoV2tPx8lqZ/bH/wLvoPsg1/CXeknvRcNuxw1gu6c3IJ\nBrKZlkFtiU6Y8FADiUBOVab"
},
{
"path": "api/testdata/leaf.key",
"chars": 1679,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0C6SSsXfuse2IV8+6hSYqSPQdoQwZ5BYQnSxuKylArCrMXx8\nJGHrJP6Pj7GxRmH40v9u9Vw"
},
{
"path": "api/testdata/leaf.pem",
"chars": 1276,
"preview": "-----BEGIN CERTIFICATE-----\nMIIDgTCCAwegAwIBAgIUIyiQolnMtXFv0JQk2OTdP28gJ+wwCgYIKoZIzj0EAwMw\ngYwxCzAJBgNVBAYTAlVTMRMwEQY"
},
{
"path": "auth/auth.go",
"chars": 2651,
"preview": "// Package auth implements an interface for providing CFSSL\n// authentication. This is meant to authenticate a client CF"
},
{
"path": "auth/auth_test.go",
"chars": 3365,
"preview": "package auth\n\nimport (\n\t\"encoding/json\"\n\t\"os\"\n\t\"testing\"\n)\n\nvar (\n\ttestProvider Provider\n\ttestProviderAD Provider\n\ttes"
},
{
"path": "auth/testdata/authrequest.json",
"chars": 2220,
"preview": "{\"token\": \"tSU1WTE/322iXrOBfJSQ9/u1dleqpwUmCj1LXYHw07Y=\", \"request\": \"ewoJImhvc3RuYW1lIjogImt5bGVpc29tLm5ldCIsCgkicmVxdW"
},
{
"path": "auth/testdata/request.json",
"chars": 1609,
"preview": "{\n\t\"hostname\": \"kyleisom.net\",\n\t\"request\": \"-----BEGIN CERTIFICATE REQUEST-----\n\t MIID0TCCAjsCAQAwYDELMAkGA1UEBhMCVVM"
},
{
"path": "bundler/bundle.go",
"chars": 5355,
"preview": "package bundler\n\nimport (\n\t\"bytes\"\n\t\"crypto/ecdsa\"\n\t\"crypto/ed25519\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\""
},
{
"path": "bundler/bundle_from_file_test.go",
"chars": 12175,
"preview": "package bundler\n\n// This test file contains tests on checking the correctness of BundleFromFile and Bundle.\n// We simula"
},
{
"path": "bundler/bundle_from_pem_test.go",
"chars": 17719,
"preview": "package bundler\n\n// This test file contains tests on checking the correctness of BundleFromPEM\nimport (\n\t\"testing\"\n)\n\n//"
},
{
"path": "bundler/bundle_from_remote_test.go",
"chars": 6576,
"preview": "package bundler\n\n// This test file contains tests on checking the correctness of BundleFromRemote\nimport (\n\t\"net\"\n\t\"stri"
},
{
"path": "bundler/bundler.go",
"chars": 27313,
"preview": "// Package bundler implements certificate bundling functionality for\n// CFSSL.\npackage bundler\n\nimport (\n\t\"bytes\"\n\t\"cryp"
},
{
"path": "bundler/bundler_sha1_deprecation_test.go",
"chars": 5105,
"preview": "package bundler\n\n// This test file contains tests on checking Bundle.Status with SHA-1 deprecation warning.\nimport (\n\t\"c"
},
{
"path": "bundler/bundler_test.go",
"chars": 28570,
"preview": "package bundler\n\n// This test file contains mostly tests on checking Bundle.Status when bundling under different circums"
},
{
"path": "bundler/doc.go",
"chars": 869,
"preview": "// Package bundler provides an API for creating certificate bundles,\n// which contain a trust chain of certificates. Gen"
},
{
"path": "bundler/testdata/bad-bundle.pem",
"chars": 2054,
"preview": "-----BEGIN CERTIFICATE-----\nMIICoDCCAiagAwIBAgITCWxPP1OUyLXZWxBBaLbwZxa0sTAKBggqhkjOPQQDAzCB\njDELMAkGA1UEBhMCVVMxEzARBgN"
},
{
"path": "bundler/testdata/ca-bundle.crt.metadata",
"chars": 1068,
"preview": "[\n{\n\t\"name\":\"Chrome Browser M39\",\n\t\"weight\": 0,\n\t\"hash_algo\": \"SHA2\",\n\t\"key_algo\": \"ECDSA256\",\n\t\"hash_algo_expiry\":\t{\n\t\t"
},
{
"path": "bundler/testdata/ca-bundle.pem",
"chars": 586202,
"preview": "-----BEGIN CERTIFICATE-----\nMIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG\nA1UEBhMCVVMxFzAVBgNVBAoTDlZ"
},
{
"path": "bundler/testdata/ca.key",
"chars": 887,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCbp/6OQ/a3mr+8zRgBRlmSGr8QBgP4vUIxLn2Mk4uiZ8OcpRY4\nYqL+TtREGDUc0ve+bv8RINr"
},
{
"path": "bundler/testdata/ca.pem",
"chars": 1046,
"preview": "-----BEGIN CERTIFICATE-----\nMIIC1jCCAj+gAwIBAgIUJhxh1ENJRZoFuCN+XB0xlP1zgeYwDQYJKoZIhvcNAQEL\nBQAwfTELMAkGA1UEBhMCVVMxEzA"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa256.csr",
"chars": 619,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBkTCCATcCAQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa256.key",
"chars": 227,
"preview": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIC2qaVydr67HuwWMrPQ3ljCVSsnbV7HbN78KqEX6a0GuoAoGCCqGSM49\nAwEHoUQDQgAEjEb98b3L+COU"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa256.pem",
"chars": 972,
"preview": "-----BEGIN CERTIFICATE-----\nMIICoDCCAiagAwIBAgITCWxPP1OUyLXZWxBBaLbwZxa0sTAKBggqhkjOPQQDAzCB\njDELMAkGA1UEBhMCVVMxEzARBgN"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa384.csr",
"chars": 704,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBzjCCAVQCAQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa384.key",
"chars": 288,
"preview": "-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDAEwBewBsRvgqvyy/aJ0NsoTqkbwFeu3bL6rLxLGcxCfKzlOYz5te8j\nBR4cPZbv5WOgBwYFK4EEACKh"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa384.pem",
"chars": 1012,
"preview": "-----BEGIN CERTIFICATE-----\nMIICvzCCAkSgAwIBAgIUEOTb+fwacUOxBc1ryZ3YHHR7hYIwCgYIKoZIzj0EAwMw\ngYwxCzAJBgNVBAYTAlVTMRMwEQY"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa521.csr",
"chars": 802,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIICGDCCAXoCAQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa521.key",
"chars": 365,
"preview": "-----BEGIN EC PRIVATE KEY-----\nMIHcAgEBBEIBnn+dzn3tVUMj9s3nRs8I7waob9iLi/QhsIj5leFRj44hbWGwfymm\nOHLJR1jIG8VzyYaNssSPo7io"
},
{
"path": "bundler/testdata/cfssl-leaf-ecdsa521.pem",
"chars": 1061,
"preview": "-----BEGIN CERTIFICATE-----\nMIIC4zCCAmqgAwIBAgIUIvQg58qwdfu6CKACtoMSUpXFw54wCgYIKoZIzj0EAwMw\ngYwxCzAJBgNVBAYTAlVTMRMwEQY"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa2048.csr",
"chars": 1151,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDGDCCAgICAQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa2048.key",
"chars": 1679,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0C6SSsXfuse2IV8+6hSYqSPQdoQwZ5BYQnSxuKylArCrMXx8\nJGHrJP6Pj7GxRmH40v9u9Vw"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa2048.pem",
"chars": 1276,
"preview": "-----BEGIN CERTIFICATE-----\nMIIDgTCCAwegAwIBAgIUIyiQolnMtXFv0JQk2OTdP28gJ+wwCgYIKoZIzj0EAwMw\ngYwxCzAJBgNVBAYTAlVTMRMwEQY"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa3072.csr",
"chars": 1496,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIEGDCCAoICAQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa3072.key",
"chars": 2459,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIG5AIBAAKCAYEA9xYBDoV2tPx8lqZ/bH/wLvoPsg1/CXeknvRcNuxw1gu6c3IJ\nBrKZlkFtiU6Y8FADiUBOVab"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa3072.pem",
"chars": 1496,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEIzCCA6igAwIBAgIUL217UgdH/bkOgktlJzArh5mBF/EwCgYIKoZIzj0EAwMw\ngYwxCzAJBgNVBAYTAlVTMRMwEQY"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa4096.csr",
"chars": 1842,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIFGDCCAwICAQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa4096.key",
"chars": 3243,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIJJwIBAAKCAgEAtY3sRFA2cmwm4bEttx1TVRENJnd1re3fiR8YccUPcnmZ3uNY\n1sfnaEiHfTsxk10hbLOo24d"
},
{
"path": "bundler/testdata/cfssl-leaf-rsa4096.pem",
"chars": 1593,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEazCCA/KgAwIBAgIUcR0LLDGZDk/UiPGCOW6zwtLHwzIwCgYIKoZIzj0EAwMw\ngYwxCzAJBgNVBAYTAlVTMRMwEQY"
},
{
"path": "bundler/testdata/cfssl-leaflet-rsa4096.pem",
"chars": 2113,
"preview": "-----BEGIN CERTIFICATE-----\nMIIF7TCCA9WgAwIBAgIUWYLzdjKYWwotahY/fUcJs/Lx8TYwDQYJKoZIhvcNAQEN\nBQAwgYsxCzAJBgNVBAYTAlVTMRM"
},
{
"path": "bundler/testdata/client-auth/build_certs.sh",
"chars": 483,
"preview": "#!/bin/sh\nrm *.pem *.csr\ncfssl genkey -initca root-csr.json | cfssljson -bare root\ncfssl gencert -ca root.pem -ca-key ro"
},
{
"path": "bundler/testdata/client-auth/int-config.json",
"chars": 262,
"preview": "{\n\t\"signing\": {\n\t\t\"profiles\": {\n\t\t\t\"server\": {\n\t\t\t\t\"usages\": [\"server auth\"],\n\t\t\t\t\"expiry\": \"43830h\"\n\t\t\t},\n\t\t\t\"client\": "
},
{
"path": "bundler/testdata/client-auth/int-csr.json",
"chars": 156,
"preview": "{\n\t\"request\":{\n\t\t\"names\":[\n\t\t\t{\n\t\t\t\t\"C\":\"US\",\n\t\t\t\t\"ST\":\"California\",\n\t\t\t\t\"L\":\"San Francisco\",\n\t\t\t\t\"O\":\"example.com\"\n\t\t\t}"
},
{
"path": "bundler/testdata/client-auth/int.pem",
"chars": 648,
"preview": "-----BEGIN CERTIFICATE-----\nMIIBsDCCAVegAwIBAgIUQ+SzyUX7rjP3Na9pqW9WjfZ++mgwCgYIKoZIzj0EAwIw\nTDELMAkGA1UEBhMCVVMxEzARBgN"
},
{
"path": "bundler/testdata/client-auth/leaf-client-csr.json",
"chars": 171,
"preview": "{\n\t\"label\":\"client\",\n\t\"request\":{\n\t\t\"names\":[\n\t\t\t{\n\t\t\t\t\"C\":\"US\",\n\t\t\t\t\"ST\":\"California\",\n\t\t\t\t\"L\":\"San Francisco\",\n\t\t\t\t\"O\""
},
{
"path": "bundler/testdata/client-auth/leaf-client.pem",
"chars": 501,
"preview": "-----BEGIN CERTIFICATE-----\nMIIBRTCB7KADAgECAhQkohme3ew65nA12dLsCP0HbB10dTAKBggqhkjOPQQDAjAA\nMB4XDTI1MDIwODIxNTEwMFoXDTM"
},
{
"path": "bundler/testdata/client-auth/leaf-server-csr.json",
"chars": 171,
"preview": "{\n\t\"label\":\"server\",\n\t\"request\":{\n\t\t\"names\":[\n\t\t\t{\n\t\t\t\t\"C\":\"US\",\n\t\t\t\t\"ST\":\"California\",\n\t\t\t\t\"L\":\"San Francisco\",\n\t\t\t\t\"O\""
},
{
"path": "bundler/testdata/client-auth/leaf-server.pem",
"chars": 501,
"preview": "-----BEGIN CERTIFICATE-----\nMIIBRDCB7KADAgECAhQodna3/WiA0mgCI09unScTMUF5sDAKBggqhkjOPQQDAjAA\nMB4XDTI1MDIwODIxNTEwMFoXDTM"
},
{
"path": "bundler/testdata/client-auth/root-config.json",
"chars": 144,
"preview": "{\n\t\"signing\": {\n\t\t\"default\": {\n\t\t\t\"ca_constraint\": {\n\t\t\t\t\"is_ca\": true\n },\n\t\t\t\"usages\": [\"cert sign\"],\n\t\t\t\"ex"
},
{
"path": "bundler/testdata/client-auth/root-csr.json",
"chars": 226,
"preview": "{\n \"key\": {\n \"algo\": \"ecdsa\",\n \"size\": 256\n },\n \"names\": [\n {\n \"C\": \"US\",\n "
},
{
"path": "bundler/testdata/client-auth/root.pem",
"chars": 704,
"preview": "-----BEGIN CERTIFICATE-----\nMIIB3DCCAYKgAwIBAgIUe9lCrcENqlcuEIfCjz5sYf6G55swCgYIKoZIzj0EAwIw\nTDELMAkGA1UEBhMCVVMxEzARBgN"
},
{
"path": "bundler/testdata/dsa2048.key",
"chars": 1192,
"preview": "-----BEGIN DSA PRIVATE KEY-----\nMIIDPQIBAAKCAQEA27xa+d5kAGDnxWkmZON9rNHw73/M4cwKpKGMpxGEdMt+u7wB\nNt6tCH0v6dHo6726L6YUopx"
},
{
"path": "bundler/testdata/dsa2048.pem",
"chars": 1952,
"preview": "-----BEGIN CERTIFICATE-----\nMIIFdTCCBTWgAwIBAgIJAJfyK94Nz1yPMAkGByqGSM44BAMwcDELMAkGA1UEBhMC\nVVMxCzAJBgNVBAgTAkNBMRYwFAY"
},
{
"path": "bundler/testdata/empty.pem",
"chars": 0,
"preview": ""
},
{
"path": "bundler/testdata/forcebundle.pem",
"chars": 3400,
"preview": "-----BEGIN CERTIFICATE-----\r\nMIIFBDCCA+ygAwIBAgISESFHHMk7S+UhnJWGZxPSC9ovMA0GCSqGSIb3DQEBBQUA\r\nMFcxCzAJBgNVBAYTAkJFMRkwF"
},
{
"path": "bundler/testdata/froyo.pem",
"chars": 83876,
"preview": "-----BEGIN CERTIFICATE-----\nMIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMx\nFzAVBgNVBAoTDlZ"
},
{
"path": "bundler/testdata/int-bundle.pem",
"chars": 2681110,
"preview": "-----BEGIN CERTIFICATE-----\nMIIHaDCCBlCgAwIBAgIQIL094GkEPSU+HAucglL0IjANBgkqhkiG9w0BAQUFADCB\n8zELMAkGA1UEBhMCRVMxOzA5BgN"
},
{
"path": "bundler/testdata/inter-L1-expired.pem",
"chars": 1635,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEizCCA/agAwIBAgIISfg49he9h+AwCwYJKoZIhvcNAQELMH0xCzAJBgNVBAYT\nAlVTMRMwEQYDVQQIDApDYWxpZm9"
},
{
"path": "bundler/testdata/inter-L1-sha1.pem",
"chars": 1627,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEhDCCA++gAwIBAgIIQsTa4VjjFPswCwYJKoZIhvcNAQEFMH0xCzAJBgNVBAYT\nAlVTMRMwEQYDVQQIDApDYWxpZm9"
},
{
"path": "bundler/testdata/inter-L1.csr",
"chars": 1846,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIFGzCCAwUCAQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "bundler/testdata/inter-L1.key",
"chars": 3243,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKAIBAAKCAgEA5Qp1fr49LFT8vEqhywJSPscJz4VoM49lXrw+jc9WbtQXkOZu\ncuAlgn/hpkRkz+/mvwuddBc"
},
{
"path": "bundler/testdata/inter-L1.pem",
"chars": 1619,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEfzCCA+igAwIBAgIUEvxiFE387bDlHt8NSYEYLPYpJwIwDQYJKoZIhvcNAQEF\nBQAwfTELMAkGA1UEBhMCVVMxEzA"
},
{
"path": "bundler/testdata/inter-L2-direct.pem",
"chars": 1033,
"preview": "-----BEGIN CERTIFICATE-----\nMIICzzCCAjigAwIBAgIUfJGxbzjhmIdNEUxPBZWFlCGJ8XAwDQYJKoZIhvcNAQEF\nBQAwfTELMAkGA1UEBhMCVVMxEzA"
},
{
"path": "bundler/testdata/inter-L2.csr",
"chars": 708,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIB0jCCAVcCAQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpDbG91ZEZsYXJl\nMRwwGgYDVQQLExNTeXN"
},
{
"path": "bundler/testdata/inter-L2.key",
"chars": 288,
"preview": "-----BEGIN EC PRIVATE KEY-----\nMIGkAgEBBDAVVKPnV+KoCmQRq1zGg6n5PjjBFZdVPcKi9fNe78ZqMAMfLSfycPcS\ne6HJVt8ylCegBwYFK4EEACKh"
},
{
"path": "bundler/testdata/inter-L2.pem",
"chars": 1577,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEYDCCAkigAwIBAgIUGkS6ZR3pGG1whBdM98/+hASRNpEwDQYJKoZIhvcNAQEN\nBQAwgYwxCzAJBgNVBAYTAlVTMRM"
},
{
"path": "bundler/testdata/intermediates.crt",
"chars": 3196,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEfzCCA+igAwIBAgIUEvxiFE387bDlHt8NSYEYLPYpJwIwDQYJKoZIhvcNAQEF\nBQAwfTELMAkGA1UEBhMCVVMxEzA"
},
{
"path": "bundler/testdata/nss.pem",
"chars": 289573,
"preview": "# This Source Code Form is subject to the terms of the Mozilla Public\n# License, v. 2.0. If a copy of the MPL was not di"
},
{
"path": "bundler/testdata/osx.pem",
"chars": 343376,
"preview": "-----BEGIN CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIDAOJCMA0GCSqGSIb3DQEBBQUAMFUxCzAJBgNVBAYTAkFU\nMRAwDgYDVQQKEwdBLVRydXN0MRk"
},
{
"path": "bundler/testdata/partial-bundle.pem",
"chars": 2590,
"preview": "-----BEGIN CERTIFICATE-----\nMIICvzCCAkSgAwIBAgIUEOTb+fwacUOxBc1ryZ3YHHR7hYIwCgYIKoZIzj0EAwMw\ngYwxCzAJBgNVBAYTAlVTMRMwEQY"
},
{
"path": "bundler/testdata/reverse-partial-bundle.pem",
"chars": 2590,
"preview": "-----BEGIN CERTIFICATE-----\nMIIEYDCCAkigAwIBAgIUGkS6ZR3pGG1whBdM98/+hASRNpEwDQYJKoZIhvcNAQEN\nBQAwgYwxCzAJBgNVBAYTAlVTMRM"
},
{
"path": "certdb/README.md",
"chars": 2047,
"preview": "# certdb usage\n\nUsing a database enables additional functionality for existing commands when a\ndb config is provided:\n\n "
},
{
"path": "certdb/certdb.go",
"chars": 2891,
"preview": "package certdb\n\nimport (\n\t\"database/sql\"\n\t\"encoding/json\"\n\t\"time\"\n\n\t\"github.com/jmoiron/sqlx/types\"\n)\n\n// CertificateRec"
},
{
"path": "certdb/dbconf/db_config.go",
"chars": 1561,
"preview": "package dbconf\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"os\"\n\n\tcferr \"github.com/cloudflare/cfssl/errors\"\n\t\"github.com/clou"
},
{
"path": "certdb/dbconf/db_config_test.go",
"chars": 912,
"preview": "package dbconf\n\nimport (\n\t\"testing\"\n\n\t_ \"github.com/mattn/go-sqlite3\" // import just to initialize SQLite testing\n)\n\nfun"
},
{
"path": "certdb/dbconf/testdata/bad-db-config.json",
"chars": 45,
"preview": "{\"driver\":\"invalid\",\"data_source\":\"invalid\"}\n"
},
{
"path": "certdb/dbconf/testdata/db-config.json",
"chars": 46,
"preview": "{\"driver\":\"sqlite3\",\"data_source\":\"certs.db\"}\n"
},
{
"path": "certdb/dbconf/testdata/memory_db.json",
"chars": 46,
"preview": "{\"driver\":\"sqlite3\",\"data_source\":\":memory:\"}\n"
},
{
"path": "certdb/mysql/dbconf.yml",
"chars": 363,
"preview": "development:\n driver: mysql\n open: root@tcp(localhost:3306)/certdb_development?parseTime=true\n\ntest:\n driver: mysql\n "
},
{
"path": "certdb/mysql/migrations/001_CreateCertificates.sql",
"chars": 1038,
"preview": "-- +goose Up\n-- SQL in section 'Up' is executed when this migration is applied\n\nCREATE TABLE certificates (\n serial_num"
},
{
"path": "certdb/mysql/migrations/002_AddMetadataToCertificates.sql",
"chars": 558,
"preview": "-- +goose Up\n-- SQL in section 'Up' is executed when this migration is applied\nALTER TABLE certificates\nADD COLUMN issue"
},
{
"path": "certdb/ocspstapling/ocspstapling.go",
"chars": 3634,
"preview": "// Package ocspstapling implements OCSP stapling of Signed Certificate\n// Timestamps (SCTs) into OCSP responses in a dat"
},
{
"path": "certdb/ocspstapling/ocspstapling_test.go",
"chars": 4140,
"preview": "package ocspstapling\n\nimport (\n\t\"bytes\"\n\t\"crypto\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"enco"
},
{
"path": "certdb/pg/dbconf.yml",
"chars": 321,
"preview": "development:\n driver: postgres\n open: dbname=certdb_development sslmode=disable user=postgres\n\ntest:\n driver: postgre"
},
{
"path": "certdb/pg/migrations/001_CreateCertificates.sql",
"chars": 1000,
"preview": "-- +goose Up\n-- SQL in section 'Up' is executed when this migration is applied\n\nCREATE TABLE certificates (\n serial_num"
},
{
"path": "certdb/pg/migrations/002_AddMetadataToCertificates.sql",
"chars": 504,
"preview": "-- +goose Up\n-- SQL in section 'Up' is executed when this migration is applied\nALTER TABLE certificates\nADD COLUMN issue"
},
{
"path": "certdb/sql/database_accessor.go",
"chars": 11502,
"preview": "package sql\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cfssl/certdb\"\n\tcferr \"github.com/cloudflare/cfss"
},
{
"path": "certdb/sql/sql_mysql_test.go",
"chars": 265,
"preview": "//go:build mysql\n// +build mysql\n\npackage sql\n\nimport (\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/certdb/testdb\"\n)\n\nfunc"
},
{
"path": "certdb/sql/sql_pq_test.go",
"chars": 285,
"preview": "//go:build postgresql\n// +build postgresql\n\npackage sql\n\nimport (\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/certdb/testd"
},
{
"path": "certdb/sql/sql_test.go",
"chars": 12296,
"preview": "package sql\n\nimport (\n\t\"math\"\n\t\"reflect\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cfssl/certdb\"\n\t\"github.com/cloudfla"
},
{
"path": "certdb/sqlite/dbconf.yml",
"chars": 243,
"preview": "development:\n driver: sqlite3\n open: ./certstore_development.db\n\ntest:\n driver: sqlite3\n open: ./certstore_test.db\n\n"
},
{
"path": "certdb/sqlite/migrations/001_CreateCertificates.sql",
"chars": 988,
"preview": "-- +goose Up\n-- SQL in section 'Up' is executed when this migration is applied\n\nCREATE TABLE certificates (\n serial_num"
},
{
"path": "certdb/sqlite/migrations/002_AddMetadataToCertificates.sql",
"chars": 475,
"preview": "-- +goose Up\n-- SQL in section 'Up' is executed when this migration is applied\n\nALTER TABLE certificates ADD COLUMN \"iss"
},
{
"path": "certdb/testdb/testdb.go",
"chars": 2260,
"preview": "package testdb\n\nimport (\n\t\"os\"\n\t\"strings\"\n\n\t_ \"github.com/go-sql-driver/mysql\" // register mysql driver\n\t\"github.com/jmo"
},
{
"path": "certinfo/certinfo.go",
"chars": 5744,
"preview": "package certinfo\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"strings\"\n\t\"t"
},
{
"path": "certinfo/certinfo_test.go",
"chars": 3271,
"preview": "package certinfo\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"encoding/pem\"\n\t\"ma"
},
{
"path": "cli/bundle/bundle.go",
"chars": 2503,
"preview": "// Package bundle implements the bundle command.\npackage bundle\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\n\t\"github.com/cloudflare/cfss"
},
{
"path": "cli/bundle/bundle_test.go",
"chars": 15,
"preview": "package bundle\n"
},
{
"path": "cli/certinfo/certinfo.go",
"chars": 2716,
"preview": "// Package certinfo implements the certinfo command\npackage certinfo\n\nimport (\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\t\"errors\""
},
{
"path": "cli/cli.go",
"chars": 5423,
"preview": "// Package cli provides the template for adding new cfssl commands\npackage cli\n\n/*\ncfssl is the command line tool to iss"
},
{
"path": "cli/cli_test.go",
"chars": 2981,
"preview": "package cli\n\nimport (\n\t\"flag\"\n\t\"os\"\n\t\"testing\"\n)\n\nvar cfsslFlagSet = flag.NewFlagSet(\"cfssl\", flag.ExitOnError)\n\n// The "
},
{
"path": "cli/config.go",
"chars": 7367,
"preview": "package cli\n\nimport (\n\t\"flag\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cfssl/config\"\n\t\"github.com/cloudflare/cfssl/helpers\"\n\t\"gi"
},
{
"path": "cli/crl/crl.go",
"chars": 2320,
"preview": "// Package crl implements the crl command\npackage crl\n\nimport (\n\t\"os\"\n\n\t\"github.com/cloudflare/cfssl/certdb/dbconf\"\n\tcer"
},
{
"path": "cli/crl/crl_test.go",
"chars": 2136,
"preview": "package crl\n\nimport (\n\t\"crypto/x509\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cfssl/certdb\"\n\t\"github.com/cloudflare/c"
},
{
"path": "cli/gencert/gencert.go",
"chars": 4323,
"preview": "// Package gencert implements the gencert command.\npackage gencert\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\n\t\"github.com/cl"
},
{
"path": "cli/gencert/gencert_test.go",
"chars": 4690,
"preview": "package gencert\n\nimport (\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n)\n\nfunc TestGencertMain(t *tes"
},
{
"path": "cli/gencrl/gencrl.go",
"chars": 1915,
"preview": "// Package gencrl implements the gencrl command\npackage gencrl\n\nimport (\n\t\"github.com/cloudflare/cfssl/cli\"\n\t\"github.com"
},
{
"path": "cli/gencrl/gencrl_test.go",
"chars": 470,
"preview": "package gencrl\n\nimport (\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n)\n\nfunc TestGencrl(t *testing.T) {\n\n\tvar err err"
},
{
"path": "cli/gencrl/testdata/ca-keyTwo.pem",
"chars": 1679,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEA3VWwbwHztFoVqQOZfyRtHs97tUfrdaurLs9p4KeD8VqsJ95h\npQohNpiKgKQf1Sm3XeQPlQq"
},
{
"path": "cli/gencrl/testdata/caTwo.pem",
"chars": 1407,
"preview": "-----BEGIN CERTIFICATE-----\nMIID4jCCAsqgAwIBAgIIMijYd8KfFrswDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE\nBhMCVVMxFTATBgNVBAoTDFRlc3Q"
},
{
"path": "cli/gencrl/testdata/serialList",
"chars": 7,
"preview": "1\n2\n3\n4"
},
{
"path": "cli/gencsr/gencsr.go",
"chars": 2247,
"preview": "// Package gencsr implements the gencsr command.\npackage gencsr\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\n\t\"github.com/cloud"
},
{
"path": "cli/gencsr/gencsr_test.go",
"chars": 1949,
"preview": "package gencsr\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"io\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n)\n\nconst "
},
{
"path": "cli/gencsr/testdata/csr.json",
"chars": 346,
"preview": "{\n \"hosts\": [\n \"cloudflare.com\",\n \"www.cloudflare.com\"\n ],\n \"key\": {\n \"algo\": \"rsa\",\n "
},
{
"path": "cli/gencsr/testdata/test-key.pem",
"chars": 1679,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA1ZdFFYhVAGNGQqnT1TEynFboX1tzqHOXU80ctSHFpCduuwzV\nZESuh4qQJXfUS2BwAT+2sw2"
},
{
"path": "cli/genkey/genkey.go",
"chars": 1758,
"preview": "// Package genkey implements the genkey command.\npackage genkey\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\n\t\"github.com/cloud"
},
{
"path": "cli/genkey/genkey_test.go",
"chars": 1519,
"preview": "package genkey\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"io\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n)\n\ntype s"
},
{
"path": "cli/genkey/testdata/csr.json",
"chars": 346,
"preview": "{\n \"hosts\": [\n \"cloudflare.com\",\n \"www.cloudflare.com\"\n ],\n \"key\": {\n \"algo\": \"rsa\",\n "
},
{
"path": "cli/info/info.go",
"chars": 2281,
"preview": "// Package info implements the info command.\npackage info\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/cloudflare/cfs"
},
{
"path": "cli/ocspdump/ocspdump.go",
"chars": 1285,
"preview": "// Package ocspdump implements the ocspdump command.\npackage ocspdump\n\nimport (\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"fmt\"\n\n\t\"g"
},
{
"path": "cli/ocsprefresh/ocsprefresh.go",
"chars": 3124,
"preview": "// Package ocsprefresh implements the ocsprefresh command.\npackage ocsprefresh\n\nimport (\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"tim"
},
{
"path": "cli/ocsprefresh/ocsprefresh_test.go",
"chars": 2609,
"preview": "package ocsprefresh\n\nimport (\n\t\"encoding/hex\"\n\t\"os\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cfssl/certdb\"\n\t\"github.c"
},
{
"path": "cli/ocspserve/ocspserve.go",
"chars": 1929,
"preview": "// Package ocspserve implements the ocspserve function.\npackage ocspserve\n\nimport (\n\t\"errors\"\n\t\"net\"\n\t\"net/http\"\n\t\"strco"
},
{
"path": "cli/ocspsign/ocspsign.go",
"chars": 2534,
"preview": "// Package ocspsign implements the ocspsign command.\npackage ocspsign\n\nimport (\n\t\"os\"\n\t\"time\"\n\n\t\"github.com/cloudflare/c"
},
{
"path": "cli/printdefault/defaults.go",
"chars": 938,
"preview": "package printdefaults\n\nvar defaults = map[string]string{\n\t\"config\": `{\n \"signing\": {\n \"default\": {\n "
},
{
"path": "cli/printdefault/printdefault.go",
"chars": 947,
"preview": "package printdefaults\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n)\n\nvar printDefaultsUsage = `cfssl print-defa"
},
{
"path": "cli/revoke/revoke.go",
"chars": 1564,
"preview": "// Package revoke implements the revoke command.\npackage revoke\n\nimport (\n\t\"errors\"\n\n\t\"github.com/cloudflare/cfssl/certd"
},
{
"path": "cli/revoke/revoke_test.go",
"chars": 3218,
"preview": "package revoke\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/cloudflare/cfssl/certdb\"\n\t\"github.com/cloudflare/cfssl/certdb/"
},
{
"path": "cli/scan/scan.go",
"chars": 2655,
"preview": "package scan\n\nimport (\n\t\"encoding/csv\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"sync\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n\t"
},
{
"path": "cli/scan/scan_test.go",
"chars": 365,
"preview": "package scan\n\nimport (\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n)\n\nvar hosts = []string{\"www.cloudflare.com\", \"goo"
},
{
"path": "cli/selfsign/selfsign.go",
"chars": 2717,
"preview": "// Package selfsign implements the selfsign command.\npackage selfsign\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n"
},
{
"path": "cli/selfsign/selfsign_test.go",
"chars": 731,
"preview": "package selfsign\n\nimport (\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n)\n\nfunc TestSelfSignMain(t *testing.T) {\n\terr "
},
{
"path": "cli/serve/README.md",
"chars": 268,
"preview": "## Compiling and serving static files using esc\n\n```\ngo install github.com/mjibson/esc\n\n# Compile changes to static file"
},
{
"path": "cli/serve/serve.go",
"chars": 11144,
"preview": "// Package serve implements the serve command for CFSSL's API.\npackage serve\n\nimport (\n\t\"crypto/tls\"\n\t\"embed\"\n\t\"errors\"\n"
},
{
"path": "cli/serve/serve_test.go",
"chars": 1936,
"preview": "package serve\n\nimport (\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/cli\"\n)\n\nfunc TestServ"
},
{
"path": "cli/serve/static/assets/cfssl.js",
"chars": 22995,
"preview": "(function() {\n 'use strict';\n /* globals m */\n\n // > framework extensions\n m.deferred.resolve = function (value) {\n "
},
{
"path": "cli/serve/static/index.html",
"chars": 639,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <title>CFSSL</title>\n <link href=\"https://cdnjs.cloudf"
},
{
"path": "cli/sign/sign.go",
"chars": 5090,
"preview": "// Package sign implements the sign command.\npackage sign\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"os\"\n\n\t\"github.com/cloud"
},
{
"path": "cli/sign/sign_test.go",
"chars": 1654,
"preview": "package sign\n\nimport (\n\t\"testing\"\n\n\t\"github.com/cloudflare/cfssl/certdb/sql\"\n\t\"github.com/cloudflare/cfssl/certdb/testdb"
},
{
"path": "cli/testdata/bad_csr.json",
"chars": 23,
"preview": "this is a bad csr json\n"
},
{
"path": "cli/testdata/bad_oid_csr.json",
"chars": 410,
"preview": "{\n \"hosts\": [\n \"cloudflare.com\",\n \"www.cloudflare.com\"\n ],\n \"key\": {\n \"algo\": \"rsa\",\n "
},
{
"path": "cli/testdata/ca-key.pem",
"chars": 1679,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0IxFva4iCa87V2fxJas5h7oBXM8lHnUci9K8Lw5GSw6J+qUe\nxyNVWCjCgTaAVUBztCQhMOR"
}
]
// ... and 2040 more files (download for full content)
About this extraction
This page contains the full source code of the cloudflare/cfssl GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 2240 files (34.6 MB), approximately 9.2M tokens, and a symbol index with 115198 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.