Documentation


Constants

This section is empty.

Variables

var (
	// DefaultCertValidity is the minimum validity of an end-entity (not root or intermediate) certificate.
	// NOTE(review): the name says "Default" while this comment says "minimum"; which of the two
	// callers rely on cannot be told from the declaration alone — confirm against the callers.
	DefaultCertValidity = 24 * time.Hour

	// DefaultTLSMinVersion is the default minimum version of TLS.
	DefaultTLSMinVersion = TLSVersion(1.2)
	// DefaultTLSMaxVersion is the default maximum version of TLS.
	// NOTE(review): with the maximum pinned at 1.2, a TLS config built from these defaults
	// presumably never negotiates TLS 1.3 even when the peer and runtime support it — confirm
	// against the code that consumes these values.
	DefaultTLSMaxVersion = TLSVersion(1.2)
	// DefaultTLSRenegotiation is the default TLS connection renegotiation policy.
	DefaultTLSRenegotiation = false // Never renegotiate.
	// DefaultTLSCipherSuites specifies the default step cipher suite(s).
	// Both entries are ECDHE + AEAD suites (forward secrecy, no CBC mode).
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	}
	// ApprovedTLSCipherSuites lists the smallstep approved cipher suites.
	// This list is wider than DefaultTLSCipherSuites: besides the AEAD suites it also admits
	// RSA-authenticated ECDHE suites and CBC-mode suites (the *_CBC_SHA / *_CBC_SHA256 entries),
	// which are generally treated as legacy. Prefer the GCM / CHACHA20_POLY1305 entries when
	// configuring a new deployment.
	ApprovedTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	}
)
// DefaultIntermediateCertValidity is the default validity of an intermediate certificate in the
// step PKI: 3650 days (roughly ten years, leap days not accounted for).
var DefaultIntermediateCertValidity = time.Hour * 24 * 365 * 10

    DefaultIntermediateCertValidity is the default validity of an intermediate certificate in the step PKI.

    // DefaultRootCertValidity is the default validity of a root certificate in the step PKI:
    // 3650 days (roughly ten years, leap days not accounted for).
    var DefaultRootCertValidity = time.Hour * 24 * 365 * 10

      DefaultRootCertValidity is the default validity of a root certificate in the step PKI.

      Functions

      func Fingerprint

      func Fingerprint(cert *x509.Certificate) string

        Fingerprint returns the SHA-256 fingerprint of the certificate.

        func GenerateDefaultKeyPair

        func GenerateDefaultKeyPair(p Profile) error

          GenerateDefaultKeyPair generates a new public/private key pair using the default values and sets them in the given profile.

          func LoadCSRFromBytes

          func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)

            LoadCSRFromBytes loads a CSR given the ASN.1 DER format.

            func ReadCertPool

            func ReadCertPool(path string) (*x509.CertPool, error)

              ReadCertPool loads a certificate pool from disk. *path*: a file, a directory, or a comma-separated list of files.

              func SplitSANs

              func SplitSANs(sans []string) (dnsNames []string, ips []net.IP, emails []string)

                SplitSANs splits a slice of Subject Alternative Names into separate slices of DNS Names, IP Addresses and email addresses (see the three return values). An element that is not an IP address is bucketed as a DNS Name.

                Types

                type ASN1DN

                // ASN1DN contains the ASN.1 DN attributes used in the Subject and Issuer fields of an
                // x509 certificate. Every field is JSON-serialisable (omitted when empty) and also carries
                // a `step` struct tag; the consumer of the `step` tag is not visible in this file.
                type ASN1DN struct {
                	Country            string `json:"country,omitempty" step:"country"`
                	Organization       string `json:"organization,omitempty" step:"organization"`
                	OrganizationalUnit string `json:"organizationalUnit,omitempty" step:"organizationalUnit"`
                	Locality           string `json:"locality,omitempty" step:"locality"`
                	Province           string `json:"province,omitempty" step:"province"`
                	StreetAddress      string `json:"streetAddress,omitempty" step:"streetAddress"`
                	CommonName         string `json:"commonName,omitempty" step:"commonName"`
                }

                  ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.

                  type CipherSuites

                  // CipherSuites is a list of string codes naming TLS cipher suites
                  // (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"). See Validate and Value.
                  type CipherSuites []string

                    CipherSuites is a list of string codes identifying TLS cipher suites.

                    func (CipherSuites) Validate

                    func (c CipherSuites) Validate() error

                      Validate implements models.Validator and checks that the cipher suites are valid.

                      func (CipherSuites) Value

                      func (c CipherSuites) Value() []uint16

                        Value returns an []uint16 for the cipher suites.

                        type Identity

                        // Identity holds a public x509 certificate together with its private key.
                        type Identity struct {
                        	Crt *x509.Certificate
                        	// Key is the private half of the pair (see LoadIdentityFromDisk and NewIdentity).
                        	// It is secret material and must not be logged or serialised alongside the certificate.
                        	Key interface{}
                        }

                          Identity contains a public/private x509 certificate/key pair.

                          func LoadIdentityFromDisk

                          func LoadIdentityFromDisk(crtPath, keyPath string, pemOpts ...pemutil.Options) (*Identity, error)

                            LoadIdentityFromDisk loads a public certificate and private key (both in PEM format) from disk.

                            func NewIdentity

                            func NewIdentity(c *x509.Certificate, k interface{}) *Identity

                              NewIdentity returns a new Identity.

                              type Intermediate

                              // Intermediate implements the Profile for an intermediate certificate.
                              // Its fields are unexported; construct it via NewIntermediateProfile.
                              type Intermediate struct {
                              	// contains filtered or unexported fields
                              }

                                Intermediate implements the Profile for an intermediate certificate.

                                func (*Intermediate) AddExtension

                                func (b *Intermediate) AddExtension(ext pkix.Extension)

                                func (*Intermediate) CreateCertificate

                                func (b *Intermediate) CreateCertificate() ([]byte, error)

                                  CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

                                  func (*Intermediate) CreateWriteCertificate

                                  func (b *Intermediate) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

                                    CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.

                                    func (*Intermediate) DefaultDuration

                                    func (i *Intermediate) DefaultDuration() time.Duration

                                      DefaultDuration returns the default Intermediate Certificate duration.

                                      func (*Intermediate) GenerateDefaultKeyPair

                                      func (b *Intermediate) GenerateDefaultKeyPair() error

                                      func (*Intermediate) GenerateKeyPair

                                      func (b *Intermediate) GenerateKeyPair(kty, crv string, size int) error

                                      func (*Intermediate) Issuer

                                      func (b *Intermediate) Issuer() *x509.Certificate

                                      func (*Intermediate) RemoveExtension

                                      func (b *Intermediate) RemoveExtension(oid asn1.ObjectIdentifier)

                                      func (*Intermediate) SetIssuer

                                      func (b *Intermediate) SetIssuer(iss *x509.Certificate)

                                      func (*Intermediate) SetIssuerPrivateKey

                                      func (b *Intermediate) SetIssuerPrivateKey(priv interface{})

                                      func (*Intermediate) SetSubject

                                      func (b *Intermediate) SetSubject(sub *x509.Certificate)

                                      func (*Intermediate) SetSubjectPrivateKey

                                      func (b *Intermediate) SetSubjectPrivateKey(priv interface{})

                                      func (*Intermediate) SetSubjectPublicKey

                                      func (b *Intermediate) SetSubjectPublicKey(pub interface{})

                                      func (*Intermediate) Subject

                                      func (b *Intermediate) Subject() *x509.Certificate

                                      func (*Intermediate) SubjectPrivateKey

                                      func (b *Intermediate) SubjectPrivateKey() interface{}

                                      func (*Intermediate) SubjectPublicKey

                                      func (b *Intermediate) SubjectPublicKey() interface{}

                                      type Leaf

                                      // Leaf implements the Profile for a leaf (end-entity) certificate.
                                      // Its fields are unexported; construct it via one of the NewLeafProfile* functions.
                                      type Leaf struct {
                                      	// contains filtered or unexported fields
                                      }

                                        Leaf implements the Profile for a leaf certificate.

                                        func (*Leaf) AddExtension

                                        func (b *Leaf) AddExtension(ext pkix.Extension)

                                        func (*Leaf) CreateCertificate

                                        func (b *Leaf) CreateCertificate() ([]byte, error)

                                          CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

                                          func (*Leaf) CreateWriteCertificate

                                          func (b *Leaf) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

                                            CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.

                                            func (*Leaf) DefaultDuration

                                            func (b *Leaf) DefaultDuration() time.Duration

                                            func (*Leaf) GenerateDefaultKeyPair

                                            func (b *Leaf) GenerateDefaultKeyPair() error

                                            func (*Leaf) GenerateKeyPair

                                            func (b *Leaf) GenerateKeyPair(kty, crv string, size int) error

                                            func (*Leaf) Issuer

                                            func (b *Leaf) Issuer() *x509.Certificate

                                            func (*Leaf) RemoveExtension

                                            func (b *Leaf) RemoveExtension(oid asn1.ObjectIdentifier)

                                            func (*Leaf) SetIssuer

                                            func (b *Leaf) SetIssuer(iss *x509.Certificate)

                                            func (*Leaf) SetIssuerPrivateKey

                                            func (b *Leaf) SetIssuerPrivateKey(priv interface{})

                                            func (*Leaf) SetSubject

                                            func (b *Leaf) SetSubject(sub *x509.Certificate)

                                            func (*Leaf) SetSubjectPrivateKey

                                            func (b *Leaf) SetSubjectPrivateKey(priv interface{})

                                            func (*Leaf) SetSubjectPublicKey

                                            func (b *Leaf) SetSubjectPublicKey(pub interface{})

                                            func (*Leaf) Subject

                                            func (b *Leaf) Subject() *x509.Certificate

                                            func (*Leaf) SubjectPrivateKey

                                            func (b *Leaf) SubjectPrivateKey() interface{}

                                            func (*Leaf) SubjectPublicKey

                                            func (b *Leaf) SubjectPublicKey() interface{}

                                            type Profile

                                            // Profile is the interface that certificate profiles (leaf, intermediate, root) implement.
                                            type Profile interface {
                                            	// Issuer and Subject return the issuing and subject certificate templates.
                                            	Issuer() *x509.Certificate
                                            	Subject() *x509.Certificate
                                            	// SubjectPrivateKey returns the subject's private key; treat the value as secret material.
                                            	SubjectPrivateKey() interface{}
                                            	SubjectPublicKey() interface{}
                                            	SetIssuer(*x509.Certificate)
                                            	SetSubject(*x509.Certificate)
                                            	SetSubjectPrivateKey(interface{})
                                            	SetSubjectPublicKey(interface{})
                                            	SetIssuerPrivateKey(interface{})
                                            	// CreateCertificate builds the DER-encoded x509 certificate from the profile's configuration.
                                            	CreateCertificate() ([]byte, error)
                                            	// GenerateKeyPair takes (kty, crv, size), matching the concrete types' methods.
                                            	GenerateKeyPair(string, string, int) error
                                            	// DefaultDuration is the default validity period for this kind of certificate.
                                            	DefaultDuration() time.Duration
                                            	// CreateWriteCertificate creates the certificate and writes it and the private key to
                                            	// crtOut and keyOut. NOTE(review): `pass` is presumably a passphrase protecting the written
                                            	// key, and the file permissions used are not visible here — confirm in the implementations.
                                            	CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
                                            	// AddExtension and RemoveExtension edit the subject certificate's extension list.
                                            	AddExtension(pkix.Extension)
                                            	RemoveExtension(asn1.ObjectIdentifier)
                                            }

                                              Profile is an interface that certificate profiles (e.g. leaf, intermediate, root) must implement.

                                              func NewIntermediateProfile

                                              func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

                                                NewIntermediateProfile returns a new intermediate x509 Certificate profile.

                                                func NewLeafProfile

                                                func NewLeafProfile(cn string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

                                                  NewLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.

                                                  func NewLeafProfileWithCSR

                                                  func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

                                                    NewLeafProfileWithCSR returns a new leaf x509 Certificate Profile with Subject Certificate fields populated directly from the CSR. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the CSR.

                                                    func NewLeafProfileWithTemplate

                                                    func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

                                                      NewLeafProfileWithTemplate returns a new leaf x509 Certificate Profile with Subject Certificate set to the value of the template argument. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the Subject Certificate parameter.

                                                      func NewRootProfile

                                                      func NewRootProfile(name string, withOps ...WithOption) (Profile, error)

                                                        NewRootProfile returns a new root x509 Certificate profile.

                                                        func NewRootProfileWithTemplate

                                                        func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (Profile, error)

                                                          NewRootProfileWithTemplate returns a new root x509 Certificate profile.

                                                          func NewSelfSignedLeafProfile

                                                          func NewSelfSignedLeafProfile(cn string, withOps ...WithOption) (Profile, error)

                                                            NewSelfSignedLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.

                                                            type Root

                                                            // Root implements the Profile for a root certificate.
                                                            // Its fields are unexported; construct it via NewRootProfile or NewRootProfileWithTemplate.
                                                            type Root struct {
                                                            	// contains filtered or unexported fields
                                                            }

                                                              Root implements the Profile for a root certificate.

                                                              func (*Root) AddExtension

                                                              func (b *Root) AddExtension(ext pkix.Extension)

                                                              func (*Root) CreateCertificate

                                                              func (b *Root) CreateCertificate() ([]byte, error)

                                                                CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

                                                                func (*Root) CreateWriteCertificate

                                                                func (b *Root) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

                                                                  CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.

                                                                  func (*Root) DefaultDuration

                                                                  func (r *Root) DefaultDuration() time.Duration

                                                                    DefaultDuration returns the default Root Certificate duration.

                                                                    func (*Root) GenerateDefaultKeyPair

                                                                    func (b *Root) GenerateDefaultKeyPair() error

                                                                    func (*Root) GenerateKeyPair

                                                                    func (b *Root) GenerateKeyPair(kty, crv string, size int) error

                                                                    func (*Root) Issuer

                                                                    func (b *Root) Issuer() *x509.Certificate

                                                                    func (*Root) RemoveExtension

                                                                    func (b *Root) RemoveExtension(oid asn1.ObjectIdentifier)

                                                                    func (*Root) SetIssuer

                                                                    func (b *Root) SetIssuer(iss *x509.Certificate)

                                                                    func (*Root) SetIssuerPrivateKey

                                                                    func (b *Root) SetIssuerPrivateKey(priv interface{})

                                                                    func (*Root) SetSubject

                                                                    func (b *Root) SetSubject(sub *x509.Certificate)

                                                                    func (*Root) SetSubjectPrivateKey

                                                                    func (b *Root) SetSubjectPrivateKey(priv interface{})

                                                                    func (*Root) SetSubjectPublicKey

                                                                    func (b *Root) SetSubjectPublicKey(pub interface{})

                                                                    func (*Root) Subject

                                                                    func (b *Root) Subject() *x509.Certificate

                                                                    func (*Root) SubjectPrivateKey

                                                                    func (b *Root) SubjectPrivateKey() interface{}

                                                                    func (*Root) SubjectPublicKey

                                                                    func (b *Root) SubjectPublicKey() interface{}

                                                                    type TLSVersion

                                                                    // TLSVersion represents a TLS version number, e.g. TLSVersion(1.2).
                                                                    // NOTE(review): the underlying type is float64; compare versions through Value()
                                                                    // (uint16) rather than by raw floating-point equality — confirm how callers compare them.
                                                                    type TLSVersion float64

                                                                      TLSVersion represents a TLS version number.

                                                                      func (TLSVersion) String

                                                                      func (v TLSVersion) String() string

                                                                        String returns the Go constant for the TLSVersion.

                                                                        func (TLSVersion) Validate

                                                                        func (v TLSVersion) Validate() error

                                                                          Validate implements models.Validator and checks that the TLS version is valid.

                                                                          func (TLSVersion) Value

                                                                          func (v TLSVersion) Value() uint16

                                                                            Value returns the Go constant for the TLSVersion.

                                                                            type WithOption

                                                                            // WithOption is a modifier applied to a Profile at construction time; it returns a
                                                                            // non-nil error when the option cannot be applied.
                                                                            type WithOption func(Profile) error

                                                                              WithOption is a modifier function applied to a Profile.

                                                                              func GenerateKeyPair

                                                                              func GenerateKeyPair(kty, crv string, size int) WithOption

                                                                                GenerateKeyPair returns a Profile modifier that generates a public/private key pair for a profile.

                                                                                func WithCTPoison

                                                                                func WithCTPoison() WithOption

                                                                                  WithCTPoison returns a Profile modifier that adds the CT poison extension defined in RFC6962.

                                                                                  func WithDNSNames

                                                                                  func WithDNSNames(dns []string) WithOption

                                                                                    WithDNSNames returns a Profile modifier which sets the DNS Names that will be bound to the subject alternative name extension of the Certificate.

                                                                                    func WithEmailAddresses

                                                                                    func WithEmailAddresses(emails []string) WithOption

                                                                                      WithEmailAddresses returns a Profile modifier which sets the Email Addresses that will be bound to the subject alternative name extension of the Certificate.

                                                                                      func WithHosts

                                                                                      func WithHosts(hosts string) WithOption

                                                                                        WithHosts returns a Profile modifier which sets the DNS Names and IP Addresses that will be bound to the subject Certificate.

                                                                                        `hosts` should be a comma separated string of DNS Names and IP Addresses. e.g. `127.0.0.1,internal.smallstep.com,blog.smallstep.com,1.1.1.1`.

                                                                                        func WithIPAddresses

                                                                                        func WithIPAddresses(ips []net.IP) WithOption

                                                                                          WithIPAddresses returns a Profile modifier which sets the IP Addresses that will be bound to the subject alternative name extension of the Certificate.

                                                                                          func WithIssuer

                                                                                          func WithIssuer(iss pkix.Name) WithOption

                                                                                            WithIssuer returns a Profile modifier that sets the Issuer for a x509 Certificate.

                                                                                            func WithNotBeforeAfterDuration

                                                                                            func WithNotBeforeAfterDuration(nb, na time.Time, d time.Duration) WithOption

                                                                                              WithNotBeforeAfterDuration returns a Profile modifier that sets the `NotBefore` and `NotAfter` attributes of the subject x509 Certificate from `nb`, `na` and the duration `d`.

                                                                                              func WithPublicKey

                                                                                              func WithPublicKey(pub interface{}) WithOption

                                                                                                WithPublicKey returns a Profile modifier that sets the public key for a profile.

                                                                                                func WithSubject

                                                                                                func WithSubject(sub pkix.Name) WithOption

                                                                                                  WithSubject returns a Profile modifier that sets the Subject for a x509 Certificate.