CertificateToolbox

package module
v0.0.0-...-bfe33b6 Latest Latest
Published: Jan 4, 2024 License: MIT Imports: 20 Imported by: 3

README

This repository is archived, find the current repository here: https://gitlab.kit.edu/kit/kit-ca/CertificateToolbox

Documentation

Index

Constants

// Name-matching modes, each a distinct bit so they can be combined or tested
// with bitwise operations. The values are 1, 2 and 4 respectively.
// NOTE(review): presumably these are the accepted values of the `which`
// argument of ValidDNSFilter — confirm against that function's body.
const (
	OnlyCN = 1 << iota // only the Common Name is considered
	Any                // at least one name must match
	All                // every name must match
)
const CertDFNG1 = `` /* 1735-byte string literal not displayed */
const CertDFNG2 = `` /* 1817-byte string literal not displayed */
const CertKITG1 = `` /* 1995-byte string literal not displayed */
const CertKITG2 = `` /* 2008-byte string literal not displayed */
// HttpClientTimeout is the overall timeout applied to outbound HTTP requests
// (e.g. CRL and OCSP fetches); ten seconds. A bounded timeout keeps a slow or
// unreachable revocation endpoint from stalling the caller indefinitely.
const HttpClientTimeout = 10 * time.Second

Variables

// MatchSubjectPNEXT matches subject strings that start with a "PN" or "EXT"
// marker followed by optional whitespace and a ':' or '-' separator. The
// pattern is anchored at the start, so the marker must be the first thing in
// the string.
var MatchSubjectPNEXT = regexp.MustCompile(`^(?:PN|EXT)\s*(?:[:-])`)

// MatchSubjectNoMail matches subjects that contain one of the listed words,
// case-insensitively. There are no word boundaries: any subject containing one
// of these words as a substring (a surname containing "test", for instance)
// also matches, so callers using it as an exclusion list should expect some
// over-matching.
var MatchSubjectNoMail = regexp.MustCompile(`(?i)(API|Teilnehmerservice|Login|Sign|Test|Demo|Apple)`)

// DFNIntermediates is the pool of intermediate CA certificates used when
// building chains. It is created empty here; it is presumably filled elsewhere
// (the CertDFNG*/CertKITG* constants look like candidates) — confirm, because
// an unpopulated pool makes every chain build fail.
var DFNIntermediates = x509.NewCertPool()
// Selectors that recognise the DFN-PKI certificate profiles by their key-usage,
// extended-key-usage and extension content. Each profile is the logical AND of
// a KeyUsageFilter, an ExtKeyUsageFilter and an UnknownExtKeyUsageFilter (plus,
// where noted, an ExtensionPresentFilter).
//
// NOTE(review): whether KeyUsageFilter/ExtKeyUsageFilter match the exact set or
// merely a superset, and whether UnknownExtKeyUsageFilter() with no arguments
// means "no unknown EKUs allowed", is defined in those functions, not here —
// confirm before treating a profile match as an authorisation decision.
var (
	// DFN: 802.1X User + User
	FilterIsProfileUser = And(
		KeyUsageFilter(x509.KeyUsageContentCommitment, x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection),
		UnknownExtKeyUsageFilter())
	// The 802.1X User profile shares the User selector.
	FilterIsProfileX8021XUser = FilterIsProfileUser
	// DFN: Code Signing
	FilterIsProfileCodeSigning = And(
		KeyUsageFilter(x509.KeyUsageDigitalSignature),
		ExtKeyUsageFilter(x509.ExtKeyUsageCodeSigning),
		UnknownExtKeyUsageFilter())
	// DFN: RA-Operator. Same key usages as User, but the Microsoft Smartcard
	// Logon EKU is passed to UnknownExtKeyUsageFilter.
	FilterIsProfileRAOperator = And(
		KeyUsageFilter(x509.KeyUsageContentCommitment, x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection),
		UnknownExtKeyUsageFilter(ExtKeyUsageMicrosoftSmartcardLogon))
	// DFN: User Sign Only (no key encipherment, no client authentication)
	FilterIsProfileUserSign = And(
		KeyUsageFilter(x509.KeyUsageContentCommitment, x509.KeyUsageDigitalSignature),
		ExtKeyUsageFilter(x509.ExtKeyUsageEmailProtection),
		UnknownExtKeyUsageFilter())
	// DFN: User Sign and Logon (no key encipherment)
	FilterIsProfileUserSignAndLogon = And(
		KeyUsageFilter(x509.KeyUsageContentCommitment, x509.KeyUsageDigitalSignature),
		ExtKeyUsageFilter(x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection),
		UnknownExtKeyUsageFilter())
	// DFN: User Encryption Only
	FilterIsProfileUserEncryption = And(
		KeyUsageFilter(x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageEmailProtection),
		UnknownExtKeyUsageFilter())
	// DFN: 802.1X Client
	FilterIsProfileX8021XClient = And(
		KeyUsageFilter(x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageClientAuth),
		UnknownExtKeyUsageFilter())
	// DFN: LDAP Server, Mail Server, Radius Server, Shibboleth IdP SP, VoIP Server
	// (server certificates that also carry clientAuth). These five profiles are
	// indistinguishable by this selector and share one definition.
	FilterIsProfileLDAPServer = And(
		KeyUsageFilter(x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth),
		UnknownExtKeyUsageFilter())
	FilterIsProfileMailServer            = FilterIsProfileLDAPServer
	FilterIsProfileRadiusServer          = FilterIsProfileLDAPServer
	FilterIsProfileShibbolethIdPSPServer = FilterIsProfileLDAPServer
	FilterIsProfileVoIPServer            = FilterIsProfileLDAPServer
	// DFN: VPN Server, Web Server (serverAuth only).
	// The Not(ExtensionPresentFilter(...)) term rejects certificates carrying
	// the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, "OCSP must-staple",
	// RFC 7633); those are matched by FilterIsProfileWebServerMustStaple below
	// instead, so the two selectors are disjoint.
	FilterIsProfileVPNServer = And(
		KeyUsageFilter(x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageServerAuth),
		UnknownExtKeyUsageFilter(),
		Not(ExtensionPresentFilter(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24})))
	FilterIsProfileWebServer = FilterIsProfileVPNServer
	// DFN: Web Server Must Staple — as Web Server, but the TLS Feature extension
	// must be present. Only presence is checked; the extension's value is not
	// inspected (see ExtensionPresentFilter).
	FilterIsProfileWebServerMustStaple = And(
		KeyUsageFilter(x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageServerAuth),
		UnknownExtKeyUsageFilter(),
		ExtensionPresentFilter(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}))
	// Domain Controller: server profile whose unknown EKUs are Smartcard Logon
	// and KDC Authentication, and which must carry the Microsoft certificate
	// template name extension (OID 1.3.6.1.4.1.311.20.2).
	FilterIsProfileDomainController = And(
		KeyUsageFilter(x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth),
		UnknownExtKeyUsageFilter(ExtKeyUsageMicrosoftSmartcardLogon, ExtKeyUsageKDCAuth),
		ExtensionPresentFilter(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2}))
	// Exchange Server: like the LDAP/Mail server profile plus emailProtection.
	FilterIsProfileExchangeServer = And(
		KeyUsageFilter(x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment),
		ExtKeyUsageFilter(x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection),
		UnknownExtKeyUsageFilter())
)

Test for DFN profiles

Test for DFN classes

// Extended key usage OIDs that crypto/x509 has no ExtKeyUsage constant for;
// certificates carrying them expose them via Certificate.UnknownExtKeyUsage and
// are matched with UnknownExtKeyUsageFilter.

// ExtKeyUsageMicrosoftSmartcardLogon is the Microsoft Smart Card Logon EKU
// (1.3.6.1.4.1.311.20.2.2).
var ExtKeyUsageMicrosoftSmartcardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

// ExtKeyUsageKDCAuth is the PKINIT KDC authentication EKU (1.3.6.1.5.2.3.5).
var ExtKeyUsageKDCAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 5}

Functions

func AlwaysMatch

func AlwaysMatch(*x509.Certificate) bool

AlwaysMatch always returns true; its counterpart NeverMatch always returns false.

func CheckCRL

func CheckCRL(cert *x509.Certificate) (int, error)

Check a certificate's validity against its CRL

func CheckOCSP

func CheckOCSP(cert *x509.Certificate) (int, error)

func CreatePublicationFilter

func CreatePublicationFilter(whitelist, blacklist ExceptionMaps) func(cert *x509.Certificate) bool

CreatePublicationFilter creates a filter with some very opinionated views on what should be published to the Active Directory

func ExtKeyUsageStringer

func ExtKeyUsageStringer(ExtKeyUsage []x509.ExtKeyUsage) string

func Filter

func Filter(cs CertSelector, certs []*x509.Certificate) []*x509.Certificate

Filter an array of certificates using a CertSelector function

func FilterOCSPLax

func FilterOCSPLax(cert *x509.Certificate) bool

Treats the certificate as good unless the OCSP check proves otherwise.

func FilterOCSPStrict

func FilterOCSPStrict(cert *x509.Certificate) bool

Treats the certificate as bad unless the OCSP check proves otherwise.

func KeyUsageStringer

func KeyUsageStringer(KeyUsage x509.KeyUsage) string

func NeverMatch

func NeverMatch(*x509.Certificate) bool

func ParseCertificate

func ParseCertificate(input []byte) []*x509.Certificate

Parse certificate blob as PEM or DER, return all certificates. Non-certificates are silently ignored.

func ProfileStringer

func ProfileStringer(c x509.Certificate) string

func ReadCertificates

func ReadCertificates(filenames ...string) []*x509.Certificate

Parse certificates from filenames

func ReadDirectory

func ReadDirectory(path string) []*x509.Certificate

Parse certificates from all files in path

func Readrecursive

func Readrecursive(fileorpath, ignorepath []string) []*x509.Certificate

Parse certificates for files or paths, recursively descending into directories, ignoring most errors

func RetrieveChain

func RetrieveChain(cert *x509.Certificate) (chains []*x509.Certificate, err error)

This function is untested.

func Split

func Split(cs CertSelector, certs []*x509.Certificate) (match []*x509.Certificate, nonMatch []*x509.Certificate)

Divide a list of certificates into two lists: matching and non-matching

func UnknownExtKeyUsageStringer

func UnknownExtKeyUsageStringer(UnknownExtKeyUsage []asn1.ObjectIdentifier) string

Types

type CertSelector

type CertSelector func(*x509.Certificate) bool

func And

func And(cs ...CertSelector) CertSelector

combine multiple CertSelectors via logical AND

func CommonNameRegexpMatch

func CommonNameRegexpMatch(regex string) CertSelector

test if certificate's common name matches a regular expression

func ExtKeyUsageFilter

func ExtKeyUsageFilter(usage ...x509.ExtKeyUsage) CertSelector

build selector function for certain extended key usages

func ExtensionPresentFilter

func ExtensionPresentFilter(extension ...asn1.ObjectIdentifier) CertSelector

Build selector function for certain certificate extensions. This filter only checks whether the extension is present; its value and critical flag are ignored.

func KeyUsageFilter

func KeyUsageFilter(usage ...x509.KeyUsage) CertSelector

build selector function for certain KeyUsage combinations

func Not

func Not(cs CertSelector) CertSelector

invert selector (NOT)

func Or

func Or(cs ...CertSelector) CertSelector

combine multiple CertSelectors via logical OR

func SignatureAlgorithmFilter

func SignatureAlgorithmFilter(SignatureAlgorithm x509.SignatureAlgorithm) CertSelector

filter by signing algorithm

func UnknownExtKeyUsageFilter

func UnknownExtKeyUsageFilter(usage ...asn1.ObjectIdentifier) CertSelector

build selector function for extended key usages that Go does not know about

func ValidAt

func ValidAt(t time.Time) CertSelector

test if certificate is valid at time t

func ValidDNSFilter

func ValidDNSFilter(which int) CertSelector

test if certificate names are found in DNS

type ExceptionMaps

// ExceptionMaps holds lookup sets used by CreatePublicationFilter as its
// whitelist and blacklist; build one with NewExceptionMaps and query it with
// MatchExceptions.
type ExceptionMaps struct {
	// Serial is keyed by certificate serial number; the string form used as the
	// key (hex vs. decimal, case) is fixed by NewExceptionMaps — TODO confirm.
	Serial map[string]bool
	// Email is keyed by e-mail address — NOTE(review): check in NewExceptionMaps
	// whether addresses are normalised (case) before being used as keys.
	Email map[string]bool
}

func NewExceptionMaps

func NewExceptionMaps(serial, mail []string) ExceptionMaps

NewExceptionMaps creates a new ExceptionMaps from arrays of serial numbers and mail addresses.

func (*ExceptionMaps) MatchExceptions

func (lists *ExceptionMaps) MatchExceptions(cert *x509.Certificate) bool

Directories

Path Synopsis
cmd
