Supplementary cryptographic packages for Go that provide modern cryptographic primitives including ACME certificate management, password hashing algorithms, symmetric and asymmetric encryption, SSH protocol implementation, OpenPGP support, and various cryptographic utilities. This package extends Go's standard crypto library with additional algorithms and protocols.
go get golang.org/x/crypto@v0.45.0
import (
"golang.org/x/crypto/acme"
"golang.org/x/crypto/acme/autocert"
"golang.org/x/crypto/argon2"
"golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/blake2b"
"golang.org/x/crypto/blake2s"
"golang.org/x/crypto/chacha20"
"golang.org/x/crypto/chacha20poly1305"
"golang.org/x/crypto/curve25519"
"golang.org/x/crypto/ed25519"
"golang.org/x/crypto/nacl/box"
"golang.org/x/crypto/nacl/secretbox"
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/agent"
)
package main
import (
	"crypto/rand"
	"fmt"
	"log"

	"golang.org/x/crypto/bcrypt"
	"golang.org/x/crypto/chacha20poly1305"
	"golang.org/x/crypto/ssh"
)
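// main is a quick-start tour of three packages: bcrypt password hashing,
// ChaCha20-Poly1305 authenticated encryption, and an SSH client connection.
// Every error is checked, because an ignored error from any of these calls
// leaves a nil or unusable value that the next line would dereference.
func main() {
	// Password hashing with bcrypt. The literal is sample data only; real code
	// takes the password from the user. bcrypt generates and embeds its own
	// salt, and GenerateFromPassword rejects passwords longer than 72 bytes.
	password := []byte("my-secure-password")
	hash, err := bcrypt.GenerateFromPassword(password, bcrypt.DefaultCost)
	if err != nil {
		log.Fatalf("hashing password: %v", err)
	}
	err = bcrypt.CompareHashAndPassword(hash, password)
	fmt.Println("Password valid:", err == nil)

	// Authenticated encryption with ChaCha20-Poly1305. The key must come from
	// a CSPRNG (or a KDF); a freshly made slice is all zeros and gives no
	// confidentiality at all.
	key := make([]byte, chacha20poly1305.KeySize)
	if _, err := rand.Read(key); err != nil {
		log.Fatalf("generating key: %v", err)
	}
	aead, err := chacha20poly1305.New(key)
	if err != nil {
		log.Fatalf("creating AEAD: %v", err)
	}

	// A nonce must never repeat under the same key: reuse exposes the XOR of
	// the plaintexts and allows forgeries. The nonce is not secret and is sent
	// alongside the ciphertext. For many messages under one long-lived key,
	// chacha20poly1305.NewX (24-byte nonce) makes random nonces safer.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		log.Fatalf("generating nonce: %v", err)
	}
	plaintext := []byte("secret message")
	ciphertext := aead.Seal(nil, nonce, plaintext, nil)
	fmt.Printf("Encrypted: %x\n", ciphertext)

	// SSH client connection. The server's host key is pinned instead of using
	// ssh.InsecureIgnoreHostKey(), which accepts any key and lets an on-path
	// host impersonate the server and capture the password. The key string
	// below is a placeholder: substitute the server's real public key line.
	hostKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte("ssh-ed25519 <PLACEHOLDER_SERVER_PUBLIC_KEY>"))
	if err != nil {
		log.Fatalf("parsing pinned host key: %v", err)
	}
	config := &ssh.ClientConfig{
		User: "username",
		Auth: []ssh.AuthMethod{
			ssh.Password("password"),
		},
		HostKeyCallback: ssh.FixedHostKey(hostKey),
	}
	client, err := ssh.Dial("tcp", "example.com:22", config)
	if err != nil {
		// Without this check a failed dial leaves client nil and the
		// deferred Close panics.
		log.Fatalf("connecting over SSH: %v", err)
	}
	defer client.Close()
}
Automated certificate acquisition and management for Let's Encrypt and other ACME-compliant Certificate Authorities.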
import "golang.org/x/crypto/acme"
type Client struct {
Key crypto.Signer
HTTPClient *http.Client
DirectoryURL string
}
func (c *Client) AuthorizeOrder(ctx context.Context, id []AuthzID, opt ...OrderOption) (*Order, error)
func (c *Client) CreateOrderCert(ctx context.Context, url string, csr []byte, bundle bool) (der [][]byte, certURL string, err error)
func (c *Client) WaitOrder(ctx context.Context, url string) (*Order, error)
Modern and legacy password hashing algorithms including Argon2, bcrypt, scrypt, and PBKDF2, plus general-purpose key derivation functions.
import "golang.org/x/crypto/argon2"
// IDKey derives keyLen bytes from password and salt using Argon2id.
// time is the number of passes over memory and memory is the size in KiB;
// threads sets the degree of parallelism. The return value is the raw key
// only: the caller must generate a unique random salt per password and store
// the salt and cost parameters next to the result, and should compare derived
// keys in constant time (for example crypto/subtle.ConstantTimeCompare).
func IDKey(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte
import "golang.org/x/crypto/bcrypt"
// GenerateFromPassword returns the bcrypt hash of password at the given cost.
// The salt is generated internally and encoded in the returned hash, so no
// separate salt storage is needed. Passwords longer than 72 bytes are
// rejected with an error rather than silently truncated, so the error must
// be checked.
func GenerateFromPassword(password []byte, cost int) ([]byte, error)
// CompareHashAndPassword checks password against a hash produced by
// GenerateFromPassword. It returns nil on a match and a non-nil error
// otherwise; treat every non-nil error as an authentication failure.
func CompareHashAndPassword(hashedPassword, password []byte) error
import "golang.org/x/crypto/scrypt"
func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error)
Password Hashing & Key Derivation Documentation
BLAKE2b, BLAKE2s, SHA-3, and SHAKE extendable output functions for high-performance hashing.
import "golang.org/x/crypto/blake2b"
func Sum256(data []byte) [32]byte
func Sum512(data []byte) [64]byte
func New512(key []byte) (hash.Hash, error)
import "golang.org/x/crypto/sha3"
func Sum256(data []byte) [32]byte
func Sum512(data []byte) [64]byte
func NewShake256() ShakeHash
Cryptographic Hash Functions Documentation
Modern stream ciphers including ChaCha20, ChaCha20-Poly1305, Salsa20, and legacy block ciphers for compatibility.
import "golang.org/x/crypto/chacha20poly1305"
// New returns a ChaCha20-Poly1305 AEAD for a 32-byte key (KeySize). It uses a
// 12-byte nonce, which must never repeat under the same key; a repeated nonce
// breaks both confidentiality and authenticity of the affected messages.
func New(key []byte) (cipher.AEAD, error)
// NewX returns the XChaCha20-Poly1305 variant, which takes a 24-byte nonce.
// The larger nonce makes randomly generated nonces practical for long-lived
// keys; the uniqueness requirement itself is unchanged.
func NewX(key []byte) (cipher.AEAD, error)
import "golang.org/x/crypto/chacha20"
// Cipher is the raw ChaCha20 stream cipher state.
type Cipher struct { }
// NewUnauthenticatedCipher creates a bare stream cipher. As the name says,
// the output carries no integrity protection: an attacker can flip
// ciphertext bits undetected. Most applications should use the
// chacha20poly1305 AEAD instead and reserve this for building higher-level
// constructions.
func NewUnauthenticatedCipher(key, nonce []byte) (*Cipher, error)
func (s *Cipher) XORKeyStream(dst, src []byte)
Symmetric Encryption Documentation
Modern elliptic curve implementations including Curve25519, Ed25519, and Poly1305.
import "golang.org/x/crypto/curve25519"
// X25519 performs the X25519 scalar multiplication of point by scalar and
// returns the 32-byte result. It returns an error for invalid input lengths
// and when the output is all zeros (a low-order point), so the error must be
// checked before the result is used as a shared secret. The raw output is
// normally passed through a KDF rather than used directly as a key.
func X25519(scalar, point []byte) ([]byte, error)
// ScalarBaseMult writes scalar times the base point into dst. The package
// documentation recommends X25519 with Basepoint instead, because copying
// into fixed-size arrays is error-prone and this form cannot report errors.
func ScalarBaseMult(dst, scalar *[32]byte)
import "golang.org/x/crypto/ed25519"
// Since Go 1.13 this package is a compatibility wrapper around the standard
// library's crypto/ed25519; new code can import that directly.
//
// GenerateKey creates a key pair using entropy from rand; pass a
// cryptographically secure source such as crypto/rand.Reader.
func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error)
// Sign returns the signature of message under privateKey. It has no error
// return; NOTE(review): it is expected to panic on a wrong-length private
// key, so confirm key length at the trust boundary.
func Sign(privateKey PrivateKey, message []byte) []byte
func Verify(publicKey PublicKey, message, sig []byte) bool
Public Key Cryptography Documentation
High-level, easy-to-use cryptographic operations based on Daniel J. Bernstein's NaCl library.
import "golang.org/x/crypto/nacl/box"
// GenerateKey creates a Curve25519 key pair for use with Seal and Open;
// rand should be a cryptographically secure source such as crypto/rand.Reader.
func GenerateKey(rand io.Reader) (publicKey, privateKey *[32]byte, err error)
// Seal appends an encrypted and authenticated copy of message to out.
// The 24-byte nonce must be unique for each message sent between a given
// pair of keys; it is not secret and is transmitted with the box.
func Seal(out, message []byte, nonce *[24]byte, peersPublicKey, privateKey *[32]byte) []byte
// Open authenticates and decrypts box, appending the plaintext to out.
// The bool result reports whether authentication succeeded; when it is
// false the returned bytes must not be used.
func Open(out, box []byte, nonce *[24]byte, peersPublicKey, privateKey *[32]byte) ([]byte, bool)
import "golang.org/x/crypto/nacl/secretbox"
// Seal is the shared-key counterpart of box.Seal: it encrypts and
// authenticates message under a 32-byte secret key. The same rule applies:
// never reuse a nonce with the same key.
func Seal(out, message []byte, nonce *[24]byte, key *[32]byte) []byte
func Open(out, box []byte, nonce *[24]byte, key *[32]byte) ([]byte, bool)
NaCl Cryptographic Library Documentation
Complete SSH protocol implementation supporting both client and server operations, agent protocol, and terminal management.
import "golang.org/x/crypto/ssh"
// ClientConfig holds the settings for an outgoing SSH connection.
// Only a subset of the fields is listed here.
type ClientConfig struct {
// User is the login name sent to the server.
User string
// Auth lists the authentication methods to try.
Auth []AuthMethod
// HostKeyCallback validates the server's host key during the handshake and
// must be set for the connection to succeed. This is the only defence
// against server impersonation: use a pinned key (FixedHostKey) or a
// known-hosts based callback. InsecureIgnoreHostKey accepts any key and
// is suitable only for throwaway tests.
HostKeyCallback HostKeyCallback
}
// Dial connects to addr and performs the SSH handshake using config.
// On error the returned *Client is nil, so check err before calling methods
// on it or deferring Close.
func Dial(network, addr string, config *ClientConfig) (*Client, error)
// NewServerConn runs the server side of the handshake on c. Per the package
// documentation, the returned NewChannel and Request channels must be
// serviced or the connection will hang.
func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error)
// Session represents a single remote command or shell on a Client.
type Session struct { }
// NewSession opens a new Session on the client connection.
func (c *Client) NewSession() (*Session, error)
func (s *Session) Run(cmd string) error
OpenPGP implementation for encryption, signing, and key management. Note: All OpenPGP packages are deprecated and unmaintained except for security fixes.
import "golang.org/x/crypto/openpgp"
type Entity struct {
PrimaryKey *packet.PublicKey
PrivateKey *packet.PrivateKey
Identities map[string]*Identity
}
func ReadKeyRing(r io.Reader) (EntityList, error)
func ReadArmoredKeyRing(r io.Reader) (EntityList, error)
func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error)
func ReadMessage(r io.Reader, keyring KeyRing, prompt PromptFunction, config *packet.Config) (md *MessageDetails, err error)
Low-level utilities for ASN.1 encoding/decoding, OCSP certificate validation, PKCS#12 certificate handling, and more.
import "golang.org/x/crypto/cryptobyte"
type Builder struct { }
func NewBuilder(buffer []byte) *Builder
func (b *Builder) AddASN1(tag asn1.Tag, f BuilderContinuation)
func (b *Builder) Bytes() []byte
import "golang.org/x/crypto/ocsp"
func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte, error)
func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error)
Cryptographic Utilities Documentation
The golang.org/x/crypto package is organized into functional groups:
Many packages include both modern recommended algorithms and legacy algorithms marked as deprecated, maintained for compatibility with existing systems.