cryptic (package, v1.0.1)

Published: Mar 29, 2023 License: MIT Imports: 29 Imported by: 0

README

go-cryptic

go-cryptic is a collection of types and methods that wrap crypto/x509 (and other) PKI-related packages. go-cryptic offers many useful interrogative features, such as a fluent-style CSR builder as well as simplified signatory capabilities.

ADVISORY

This package is experimental and should absolutely not be used in production at this time.

Documentation

Overview

Package cryptic provides a plethora of simplified methods and interfaces that wrap various built-in cryptographic packages such as crypto/x509, et al.

Advisory

This package is highly experimental, and is absolutely not appropriate for production at this time. Although it will be maintained as effectively as possible, there is absolutely no warranty in effect. See the LICENSE file for details.

Benefits

One of the benefits of this package is its added "interrogative" features. For example, an *x509.Certificate stores certain values, such as Key Usages, in a manner that cannot easily be "queried" without bit-shifting the values manually, which may be tedious or unclear for some users. To address this, simple boolean methods were added, allowing KeyUsages to be tested for certain bit values in a more intuitive manner.

Other features are more down-to-earth, such as built-in PEM() and DER() methods for all eligible types.

Error Handling

All major types (Certificate, PrivateKey, CertificateRequest) enclose an instance of error internally. Users need not handle an explicit 'err' instance. Certain critical functions in this package also check for an enclosed (non-nil) error, thereby preventing reckless forward movement. Errors can be tested via the IsError and Error methods as documented.

Index

Constants

const (
	R1024  rsaBitSize  // No longer viable! Won't work if selected!
	R2048              // minimum supported RSA Private Key bit size
	R3072              // recommended bit size for use beyond 2030
	R4096              // recommended bit size for Dig. Sig, CAs or paranoia
	R8192  = R4096 * 2 // common app-leveraged max bit size
	R16384 = R8192 * 2 // equivalent to ECC521
)

RSA bitsize constants

const (
	E224 eccBitSize = 28 << 3
	E256 eccBitSize = 32 << 3
	E384 eccBitSize = 48 << 3

	// See https://tools.ietf.org/html/rfc8422#section-5.4.1
	// subtraction is for removal of left-over padding (66 octets = 528 bits)
	E521 eccBitSize = 66<<3 - 7 // equivalent to RSA 16384
)

ECC bitsize constants

const (
	PKCS1 // PKCS#1 - Legacy Public Key Cryptography Standard

	PKCS8 // PKCS#8 - Modern Public Key Cryptography Standard

)

Public Key Cryptography Standards index constants

const (
	CertificateHeader = `CERTIFICATE`
	PrivateKeyHeader  = `PRIVATE KEY`
	RequestHeader     = `CERTIFICATE REQUEST`
)

Convenient PEM block header value constants.

const (
	PEMEncoding int = iota
	DEREncoding
)

x509.Certificate and x509.CertificateRequest encoding schemes

const ED64 ed25519BitSize = ed25519.PrivateKeySize

ED25519 bitsize constants

Variables

This section is empty.

Functions

func ObjectIdentifierMap

func ObjectIdentifierMap() (x oid.ObjectIdentifierMap)

ObjectIdentifierMap returns a pre-populated oid.ObjectIdentifierMap instance (a type defined in github.com/JesseCoretta/go-oid), which can be leveraged as-is. This is merely a convenience method and is not required by the user for any functionality elsewhere in this package.

Types

type Certificate

type Certificate struct {
	// contains filtered or unexported fields
}

Certificate contains an embedded instance of *x509.Certificate, which eases interaction through use of simplified extended methods.

func NewCertificate

func NewCertificate() *Certificate

NewCertificate returns an initialized but unpopulated instance of *Certificate, which embeds an instance of *x509.Certificate.

func ParseCertificate

func ParseCertificate(cert []byte) (certificate *Certificate)

ParseCertificate returns an instance of *Certificate. The cert bytes provided must either be in raw ASN.1 DER format OR PEM-encoded, else the attempt to parse the content shall fail and the resulting error is enclosed within the returned instance (see the IsError and Error methods).

The input content should have been read from a file by some means.

func ReadCertificateFile

func ReadCertificateFile(cert string) (certificate *Certificate)

ReadCertificateFile reads the provided fully-qualified path and filename (cert) and attempts to parse its contents into an instance of *Certificate, which is returned.

func (Certificate) AuthorityKeyID

func (c Certificate) AuthorityKeyID() string

AuthorityKeyID returns the X.509 certificate's AuthorityKeyId field value, but with hexadecimal encoding and proper delimitation included.

func (Certificate) DER

func (c Certificate) DER() []byte

DER returns the raw ASN.1 DER component of the embedded *x509.Certificate instance, or an empty byte slice. Note that this method returns non-printing characters.

func (Certificate) Error

func (c Certificate) Error() error

Error returns the enclosed error instance, whether nil or not.

func (Certificate) Instance

func (c Certificate) Instance() *x509.Certificate

Instance returns the embedded *x509.Certificate instance from within the receiver.

func (Certificate) IsCA

func (c Certificate) IsCA() bool

IsCA returns the embedded *x509.Certificate instance's IsCA boolean value.

func (Certificate) IsError

func (c Certificate) IsError() bool

IsError returns a boolean value indicative of whether the receiver is in an aberrant state.

func (Certificate) IsIntermediateCA

func (c Certificate) IsIntermediateCA() bool

IsIntermediateCA makes a determination as to whether the embedded instance of *x509.Certificate in the receiver is considered a non-Root Intermediate Issuing Certificate Authority. To that end, a boolean value is returned.

func (Certificate) IsLeafNode

func (c Certificate) IsLeafNode() bool

IsLeafNode makes a determination as to whether the embedded instance of *x509.Certificate in the receiver is considered a leaf-node certificate (and not a CA of any kind). To that end, a boolean value is returned.

func (Certificate) IsRootCA

func (c Certificate) IsRootCA() bool

IsRootCA makes a determination as to whether the embedded instance of *x509.Certificate in the receiver is considered a Root Issuing Certificate Authority. To that end, a boolean value is returned.

func (Certificate) IsZero

func (c Certificate) IsZero() bool

IsZero returns a boolean value indicative of whether the embedded instance of *x509.Certificate is zero (nil).

func (Certificate) Issuer

func (c Certificate) Issuer() string

Issuer returns the string form of the pkix.Name instance assigned as the Issuer DN.

func (Certificate) KeyPurposes

func (c Certificate) KeyPurposes() KeyPurposes

KeyPurposes reads the ExtKeyUsage field from the underlying *x509.Certificate instance, associates the stored integer values with known (and supported) asn1.ObjectIdentifier values, and adds each eligible instance to the returned slice.

func (Certificate) KeyUsage

func (c Certificate) KeyUsage() KeyUsage

KeyUsage returns an instance of KeyUsage as derived from the embedded *x509.Certificate instance's KeyUsage field.

func (Certificate) Modulus

func (c Certificate) Modulus() string

Modulus returns the hex-encoded public bytes of the embedded *x509.Certificate instance.

func (Certificate) ModulusMatch

func (c Certificate) ModulusMatch(modulus string) bool

ModulusMatch returns a boolean value indicative of whether the provided string modulus matches that of the embedded *x509.Certificate instance.

func (Certificate) PEM

func (c Certificate) PEM() []byte

PEM returns the Privacy-Enhanced Mail encoding of the embedded *x509.Certificate instance, or an empty byte slice.

func (Certificate) PublicBytes

func (c Certificate) PublicBytes() (b []byte)

PublicBytes returns the bytes of the public key derived from the embedded *x509.Certificate instance.

func (*Certificate) SetSignatory

func (c *Certificate) SetSignatory(priv any) (sig *SigningCertificate)

SetSignatory creates and returns a new instance of *SigningCertificate based upon the (sane) state of the receiver. This method requires the following:

  • The appropriate signing key for the receiver is provided as the sole argument
  • The KeyUsageCRLSign and KeyUsageCertSign x509.KeyUsage bits are "enabled" in the receiver
  • The receiver (as a certificate) is in good standing (is actually a CA, is not expired, is non-nil)

This is a destructive method, but only if it is successful. In a successful "upgrade" of the receiver *Certificate instance, a valid instance of *SigningCertificate is provided, and the original *Certificate instance is obliterated.
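The checks that SetSignatory and the IsRootCA, IsIntermediateCA and IsLeafNode methods describe, written with only the Go standard library as an added example (this is not go-cryptic's own code). The root, issuing CA and leaf it classifies are constructed fixtures, and "root" is taken to mean a CA whose signature verifies under its own public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caKeyUsage is what SetSignatory requires of an issuing certificate.
const caKeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// hasKeyUsage is the "interrogative" test the page describes: are all of
// the given x509.KeyUsage bits set, without the caller bit-shifting.
func hasKeyUsage(c *x509.Certificate, ku x509.KeyUsage) bool {
	return c != nil && c.KeyUsage&ku == ku
}

// isRootCA: a CA whose signature verifies under its own public key (self-signed).
func isRootCA(c *x509.Certificate) bool {
	return c != nil && c.IsCA && c.CheckSignatureFrom(c) == nil
}

// isIntermediateCA: a CA that is not self-signed; isLeaf: not a CA at all.
func isIntermediateCA(c *x509.Certificate) bool { return c != nil && c.IsCA && !isRootCA(c) }
func isLeaf(c *x509.Certificate) bool           { return c != nil && !c.IsCA }

// canSignAt applies the SetSignatory preconditions at a given instant: non-nil,
// a CA, CertSign and CRLSign enabled, and inside its validity window.
func canSignAt(c *x509.Certificate, now time.Time) error {
	switch {
	case c == nil:
		return errors.New("nil certificate")
	case !c.IsCA:
		return errors.New("not a CA")
	case !hasKeyUsage(c, caKeyUsage):
		return errors.New("KeyUsage lacks CertSign and/or CRLSign")
	case now.Before(c.NotBefore) || now.After(c.NotAfter):
		return errors.New("outside validity period")
	}
	return nil
}

// template is a constructed fixture: a minimal v3 certificate template.
func template(cn string, serial int64, ca bool, ku x509.KeyUsage) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku,
	}
}

// issue signs tmpl under parent with parentKey, or self-signs when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed: the template is its own parent
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain constructs root -> issuing CA -> leaf (all P-256) for the demo.
func buildChain() (root, inter, leaf *x509.Certificate, err error) {
	var rootKey, interKey *ecdsa.PrivateKey
	if root, rootKey, err = issue(template("Example Root CA", 1, true, caKeyUsage), nil, nil); err != nil {
		return
	}
	if inter, interKey, err = issue(template("Example Issuing CA", 2, true, caKeyUsage), root, rootKey); err != nil {
		return
	}
	leaf, _, err = issue(template("leaf.example", 3, false, x509.KeyUsageDigitalSignature), inter, interKey)
	return
}

func main() {
	root, inter, leaf, err := buildChain()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{root, inter, leaf} {
		fmt.Println(c.Subject.CommonName, isRootCA(c), isIntermediateCA(c), isLeaf(c), canSignAt(c, time.Now()))
	}
}
```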

func (Certificate) SignatureAlgorithm

func (c Certificate) SignatureAlgorithm() string

SignatureAlgorithm returns the x509.SignatureAlgorithm instance as a string from the embedded *x509.Certificate.

func (Certificate) Subject

func (c Certificate) Subject() string

Subject returns the string form of the pkix.Name instance assigned as the Subject DN.

func (Certificate) SubjectKeyID

func (c Certificate) SubjectKeyID() string

SubjectKeyID returns the X.509 certificate's SubjectKeyId field value, but with hexadecimal encoding and proper delimitation included.

func (Certificate) Thumbprint

func (c Certificate) Thumbprint() []byte

Thumbprint returns a []byte form of the hexadecimal encoded SHA256 sum result based upon the embedded *x509.Certificate Raw struct field value.

This is a simple means of uniquely identifying a given Certificate with (virtually) no chance of "collision", even if the same public key as a previous (and identically named) incarnation were recklessly used.

This is a simplified alternative to the "official" X.509 procedure of unique certificate identification, which involves the more complex process of combining the issuer name with the serial number of the certificate in question. Such a scenario may be problematic in rare cases where the issuer name is EMPTY in lieu of SubjectAltName field usage, which IS a valid condition if a little odd.

This method will return a zero length []byte instance if the receiver has not been committed yet.

func (Certificate) TimeRemaining

func (c Certificate) TimeRemaining() time.Duration

TimeRemaining returns the time.Duration value that reflects the remaining time the receiver has until expiration.

A negative time.Duration value indicates that expiration has since passed.

func (Certificate) Write

func (c Certificate) Write(path string, enc ...int) (err error)

Write returns an error instance after attempting to write the embedded *x509.Certificate instance in the requested (or implied) encoding scheme as a file at the prescribed path. The default encoding scheme is PEM, and the os.FileMode shall always be 0444.

type CertificateRequest

type CertificateRequest struct {
	// contains filtered or unexported fields
}

CertificateRequest contains an embedded instance of *x509.CertificateRequest, which eases interaction through use of simplified extended methods.

func NewCertificateRequest

func NewCertificateRequest() (r *CertificateRequest)

NewCertificateRequest initializes and returns an instance of *CertificateRequest.

Within this returned instance are embedded values for *x509.CertificateRequest and (a template) *x509.Certificate.

All methods extended by the *CertificateRequest type that are prefixed with 'Set' allow further configuration in "fluent" style. When ready for the issuer signing process, the CommitCheck and Commit methods should be run, in that order, to ensure sanity.

func ParseCertificateRequest

func ParseCertificateRequest(req []byte) (r *CertificateRequest)

ParseCertificateRequest returns an instance of *CertificateRequest. The request provided must either be in raw ASN.1 DER format OR PEM-encoded, else the attempt to parse the content shall fail and the resulting error is enclosed within the returned instance (see the IsError and Error methods).

The input content should have been read from a file by some means.

func ReadCertificateRequestFile

func ReadCertificateRequestFile(req string) (request *CertificateRequest)

ReadCertificateRequestFile returns an instance of *CertificateRequest based on an attempt to parse the given request path/filename (req).

func (CertificateRequest) AuthorityKeyID

func (r CertificateRequest) AuthorityKeyID() string

AuthorityKeyID returns the X.509 certificate request's Authority Key Identifier value from the embedded *x509.CertificateRequest's Extensions field, but with hexadecimal encoding and proper delimitation included.

func (*CertificateRequest) Commit

func (r *CertificateRequest) Commit(priv any) (err error)

Commit returns an error following an attempt to finalize the state of the receiver, ostensibly before an attempt at signing.

Successful runs of this method shall result in the inability to make any further changes or alterations to the receiver. Therefore, Commit should only be run once all details have been confirmed to be copacetic.

Typically, one should run CommitCheck just prior to running Commit, and proceed to Commit only if CommitCheck returned no error.

func (CertificateRequest) CommitCheck

func (r CertificateRequest) CommitCheck() (err error)

CommitCheck returns an error indicative of whether the receiver is eligible for committal (finalization) via the Commit method.

A variety of procedural checks are conducted, including but not limited to:

  • PublicKey viability
  • PublicKeyAlgorithm validity
  • SignatureAlgorithm validity

func (CertificateRequest) DER

func (r CertificateRequest) DER() []byte

DER returns the raw ASN.1 DER component of the embedded *x509.CertificateRequest instance, or an empty byte slice. Note that this method returns non-printing characters.

func (CertificateRequest) Error

func (r CertificateRequest) Error() error

Error returns the enclosed error instance, whether nil or not.

func (CertificateRequest) Instance

func (r CertificateRequest) Instance() *x509.CertificateRequest

Instance returns the embedded *x509.CertificateRequest instance from within the receiver.

func (CertificateRequest) IsCommitted

func (r CertificateRequest) IsCommitted() bool

IsCommitted returns a boolean value indicative of whether the receiver has been "finalized" through use of the Commit method. Committal indicates no further changes are allowed, but that the receiver is eligible for signing.

func (CertificateRequest) IsError

func (r CertificateRequest) IsError() bool

IsError returns a boolean value indicative of whether the receiver is in an aberrant state.

func (CertificateRequest) IsZero

func (r CertificateRequest) IsZero() bool

IsZero returns a boolean value indicative of whether the embedded instance of *x509.CertificateRequest is zero (nil).

func (CertificateRequest) KeyPurposes

func (r CertificateRequest) KeyPurposes() (kps KeyPurposes)

KeyPurposes returns an instance of KeyPurposes as derived from the embedded *x509.CertificateRequest instance's ExtraExtensions field.

func (CertificateRequest) KeyUsage

func (r CertificateRequest) KeyUsage() KeyUsage

KeyUsage returns an instance of KeyUsage as derived from the embedded *x509.CertificateRequest instance's ExtraExtensions field.

func (CertificateRequest) Modulus

func (r CertificateRequest) Modulus() string

Modulus returns the hex-encoded public bytes of the embedded *x509.CertificateRequest instance, or a zero-length string if the request has not been assigned a public key yet.

func (CertificateRequest) ModulusMatch

func (r CertificateRequest) ModulusMatch(modulus string) bool

ModulusMatch returns a boolean value indicative of whether the provided string modulus matches that of the embedded *x509.CertificateRequest instance.

func (CertificateRequest) PEM

func (r CertificateRequest) PEM() []byte

PEM returns the Privacy-Enhanced Mail encoding of the embedded *x509.CertificateRequest instance, or an empty byte slice.

func (CertificateRequest) PublicBytes

func (r CertificateRequest) PublicBytes() (b []byte)

PublicBytes returns the bytes of the public key derived from the embedded *x509.CertificateRequest instance.

func (*CertificateRequest) SelfSign

func (r *CertificateRequest) SelfSign(priv any, policies ...any) (root *SigningCertificate)

SelfSign returns an instance of *SigningCertificate containing a self-signed root issuing certificate and private key. The issuer certificate will be based upon the contents of the embedded *x509.CertificateRequest and *x509.Certificate instances.

The input private key (priv) may be one of *rsa.PrivateKey, *ecdsa.PrivateKey, *ed25519.PrivateKey or, naturally, cryptic.Key. This is required.

The policies variadic expression is optional, and will assign the specified objectIdentifiers to the PolicyIdentifiers struct field of the certificate to be generated by this method. Due to the nature of self-signing, there is no verification of the OIDs input by the user, thus no guarantees can be made as to the sanity of the resultant root CA. Use wisely and at your own risk.

func (*CertificateRequest) SetAuthorityKeyID

func (r *CertificateRequest) SetAuthorityKeyID(aki []byte) *CertificateRequest

SetAuthorityKeyID assigns the provided byte slices as the AuthorityKeyId value (id-ce-authorityKeyIdentifier, OID:2.5.29.35) within both the embedded *x509.CertificateRequest and template *x509.Certificate instances. The input value would be derived from the intended issuer certificate's SubjectKeyId field (id-ce-subjectKeyIdentifier, OID:2.5.29.14), if present.

In no way does this guarantee that the actual (Issuer-stamped) authority key identifier within the signed certificate will reflect the input value. This is merely a means for issuers to attempt to ascertain the appropriate signing certificate to be used in the issuance process. Using this method requires that the user have advance knowledge of the correct value (i.e., the correct signing certificate is both available and readable by the user beforehand).

By no means is the issuer required to follow this procedure, and users of this package should not expect such.

func (*CertificateRequest) SetDNSNames

func (r *CertificateRequest) SetDNSNames(fqdns ...string) *CertificateRequest

SetDNSNames appends the provided FQDN string value(s) to the embedded *x509.CertificateRequest's DNSNames field, if unique.

func (*CertificateRequest) SetEmailAddresses

func (r *CertificateRequest) SetEmailAddresses(emails ...string) *CertificateRequest

SetEmailAddresses appends the provided email address string value(s) to the embedded *x509.CertificateRequest's EmailAddresses field, if unique.

func (*CertificateRequest) SetIPAddresses

func (r *CertificateRequest) SetIPAddresses(ips ...string) *CertificateRequest

SetIPAddresses parses the provided IP address string value(s) as net.IP and appends them to the embedded *x509.CertificateRequest's IPAddresses field, if unique.

func (*CertificateRequest) SetIsCA

func (r *CertificateRequest) SetIsCA(mpl ...int) *CertificateRequest

SetIsCA shall declare the receiver instance of *CertificateRequest as a Certificate Issuer (as opposed to a Leaf Node).

This method also provides the opportunity to set a MaxPathLen value both in the embedded template *x509.Certificate instance as well as within the *x509.CertificateRequest (as a *pkix.Extension). If no value is provided, -1 is implied (meaning no path length constraint is configured).
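How the requested extensions behind SetIsCA (basicConstraints with a MaxPathLen) and SetKeyUsage travel inside a CSR's ExtraExtensions, and how an issuer reads them back before deciding whether to honour them, which is what the KeyUsage method on a CertificateRequest does. This is an added standard-library example, not go-cryptic's own implementation; the CSR is a constructed fixture, and the encodings follow RFC 5280 (KeyUsage as a BIT STRING, basicConstraints as a SEQUENCE).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// RFC 5280 extension OIDs: id-ce-keyUsage and id-ce-basicConstraints.
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

const caKeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // constructed demo value

// basicConstraints is the SEQUENCE behind SetIsCA; MaxPathLen -1 means no constraint.
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// caRequestExtensions builds what SetIsCA and SetKeyUsage place in a CSR's ExtraExtensions.
// KeyUsage is a BIT STRING whose bit 0 (digitalSignature) is the MSB of the first octet.
func caRequestExtensions(maxPathLen int, ku x509.KeyUsage) ([]pkix.Extension, error) {
	bcVal, err := asn1.Marshal(basicConstraints{IsCA: true, MaxPathLen: maxPathLen})
	if err != nil {
		return nil, err
	}
	var b [2]byte
	n := 0
	for i := 0; i < 9; i++ {
		if ku&(1<<uint(i)) != 0 {
			b[i/8] |= 0x80 >> uint(i%8)
			n = i + 1
		}
	}
	kuVal, err := asn1.Marshal(asn1.BitString{Bytes: b[:(n+7)/8], BitLength: n})
	if err != nil {
		return nil, err
	}
	return []pkix.Extension{
		{Id: oidBasicConstraints, Critical: true, Value: bcVal},
		{Id: oidKeyUsage, Critical: true, Value: kuVal},
	}, nil
}

// requestedCAExtensions is the issuer-side reverse: it reads both back from a parsed CSR.
// Absent extensions keep the defaults (MaxPathLen -1, KeyUsage 0); malformed ones are an error.
func requestedCAExtensions(csr *x509.CertificateRequest) (bc basicConstraints, ku x509.KeyUsage, err error) {
	bc.MaxPathLen = -1
	for _, e := range csr.Extensions {
		switch {
		case e.Id.Equal(oidBasicConstraints):
			_, err = asn1.Unmarshal(e.Value, &bc)
		case e.Id.Equal(oidKeyUsage):
			var bits asn1.BitString
			if _, err = asn1.Unmarshal(e.Value, &bits); err == nil {
				for i := 0; i < 9; i++ {
					if bits.At(i) != 0 {
						ku |= 1 << uint(i)
					}
				}
			}
		}
		if err != nil {
			return bc, ku, err
		}
	}
	return bc, ku, nil
}

// buildCSR is a constructed fixture: a CA request, parsed back exactly as an issuer receives it.
func buildCSR(maxPathLen int, ku x509.KeyUsage) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	exts, err := caRequestExtensions(maxPathLen, ku)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Issuing CA"}, ExtraExtensions: exts}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	csr, err := buildCSR(0, caKeyUsage)
	if err != nil {
		panic(err)
	}
	fmt.Println(requestedCAExtensions(csr))
}
```

An issuer should treat what comes back as a request to be evaluated against its own policy, not as values to copy into the certificate unchecked.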

func (*CertificateRequest) SetKeyPurposes

func (r *CertificateRequest) SetKeyPurposes(kp KeyPurposes) *CertificateRequest

SetKeyPurposes assigns the provided KeyPurposes instance to the embedded *x509.CertificateRequest and template *x509.Certificate instances.

func (*CertificateRequest) SetKeyUsage

func (r *CertificateRequest) SetKeyUsage(ku KeyUsage) *CertificateRequest

SetKeyUsage assigns the provided KeyUsage instance to the embedded *x509.CertificateRequest and template *x509.Certificate instances.

func (*CertificateRequest) SetPublicKey

func (r *CertificateRequest) SetPublicKey(pub crypto.PublicKey) *CertificateRequest

SetPublicKey sets the appropriate (non-nil) crypto.PublicKey instance to the underlying *x509.CertificateRequest and *x509.Certificate values within the receiver.

This method performs an assertion test upon the public key to determine its true type (RSA, ECDSA or ED25519). Given a successful assertion, the PublicKeyAlgorithm field within the underlying *x509.CertificateRequest shall be set. Any attempt to set a key type not listed above will result in an error value being set within the return value.

func (*CertificateRequest) SetSignatureAlgorithm

func (r *CertificateRequest) SetSignatureAlgorithm(sig int) *CertificateRequest

SetSignatureAlgorithm casts the provided signature algorithm integer identifier as an instance of x509.SignatureAlgorithm and assigns it to the embedded template *x509.Certificate and *x509.CertificateRequest instances.

func (*CertificateRequest) SetSubject

func (r *CertificateRequest) SetSubject(sub Subject) *CertificateRequest

SetSubject shall assign the provided instance of Subject to the embedded *x509.CertificateRequest and template *x509.Certificate instances.

func (*CertificateRequest) SetURIs

func (r *CertificateRequest) SetURIs(uris ...string) *CertificateRequest

SetURIs parses the provided URI string value(s) as *url.URL and appends them to the embedded *x509.CertificateRequest's URIs field, if unique.

func (*CertificateRequest) SetValidity

func (r *CertificateRequest) SetValidity(lifespan time.Duration) *CertificateRequest

SetValidity accepts the PROPOSED period of validity (lifespan) for the requested certificate.

In no way is observance of these values guaranteed. This is merely a means to store a potentially valid user-elected validity period for the issuer to consider.

Other than checking for empty time.Time values, no parsing is done here. This would be up to the issuer, assuming they check at all.

Not setting this option should never impede successful signing on its own.

func (CertificateRequest) Subject

func (r CertificateRequest) Subject() string

Subject returns the string form of the pkix.Name instance assigned as the Subject DN.

func (CertificateRequest) SubjectKeyID

func (r CertificateRequest) SubjectKeyID() string

SubjectKeyID returns the X.509 certificate request's Subject Key Identifier value from the embedded *x509.CertificateRequest's Extensions field, but with hexadecimal encoding and proper delimitation included.

func (CertificateRequest) Thumbprint

func (r CertificateRequest) Thumbprint() []byte

Thumbprint returns a []byte form of the hexadecimal encoded SHA256 sum result based upon the embedded *x509.CertificateRequest Raw struct field value.

This is a simple means of uniquely identifying a given CertificateRequest with (virtually) no chance of "collision", even if the same public key as a previous (and identically named) incarnation were recklessly used.

This is a simplified alternative to the "official" X.509 procedure of unique certificate identification, which involves the more complex process of combining the issuer name with the serial number of the certificate in question. Such a scenario may be problematic in rare cases where the issuer name is EMPTY in lieu of SubjectAltName field usage, which IS a valid condition if a little odd.

This method will return a zero length []byte instance if the receiver has not been committed yet.

func (CertificateRequest) Validity

func (r CertificateRequest) Validity() (lifespan time.Duration)

Validity returns the remaining lifespan of the receiver as a time.Duration value.

Please note this value is returned whether it was set or not, therefore it should be sanity-checked in advance of its use. See the SetValidity method for the receiver.

func (CertificateRequest) Write

func (r CertificateRequest) Write(path string, enc ...int) (err error)

Write returns an error instance after attempting to write the embedded *x509.CertificateRequest instance in the requested (or implied) encoding scheme as a file at the prescribed path. The default encoding scheme is PEM, and the os.FileMode shall always be 0444.

type Extension

type Extension struct {
	// contains filtered or unexported fields
}

Extension circumscribes the native *pkix.Extension and, if applicable, a non-nil instance of error.

func NewExtension

func NewExtension() (ext *Extension)

NewExtension allocates and returns a new instance of *Extension.

func (*Extension) Bytes

func (ext *Extension) Bytes() (b []byte)

Bytes returns the ASN.1-encoded bytes found within the receiver's embedded instance of *pkix.Extension, if present.

func (*Extension) Equal

func (ext *Extension) Equal(id any) (eq bool)

Equal returns a boolean value indicative of whether the provided object identifier (id) is equal to the receiver's object identifier.

This is not a "deep equal" method, as neither the criticality nor the raw ASN.1 byte value are checked. Only the OID is compared.

func (*Extension) Error

func (ext *Extension) Error() error

Error returns the embedded error instance from within the receiver if it is non-nil.

func (*Extension) Instance

func (ext *Extension) Instance() *pkix.Extension

Instance returns the native *pkix.Extension, assuming it is present and valid, from within the receiver.

func (*Extension) IsCritical

func (ext *Extension) IsCritical() (is bool)

IsCritical returns the boolean value assigned to the embedded *pkix.Extension instance's Critical struct field if the receiver is valid.

func (*Extension) IsError

func (ext *Extension) IsError() (is bool)

IsError returns a boolean value indicative of whether the receiver is in an erroneous or otherwise aberrant state.

func (*Extension) IsZero

func (ext *Extension) IsZero() bool

IsZero returns a boolean value indicative of whether the receiver is considered unpopulated or otherwise uninitialized.

func (*Extension) Marshal

func (ext *Extension) Marshal(id, value any, critical ...bool)

Marshal populates the receiver's embedded *pkix.Extension with the provided id, value and critical instances.

A value of false is implied if critical is not defined as input.

func (*Extension) OID

func (ext *Extension) OID() (o asn1.ObjectIdentifier)

OID returns the asn1.ObjectIdentifier assigned to the embedded *pkix.Extension instance.

func (*Extension) Unmarshal

func (ext *Extension) Unmarshal(val any) (rest []byte, err error)

Unmarshal shall attempt an asn1.Unmarshal upon the embedded pkix.Extension's Value ([]byte) instance and store the result within the provided val instance (which must be a pointer to an initialized object).

Any bytes remaining after the process will be returned, alongside an error if one occurred.

func (*Extension) Valid

func (ext *Extension) Valid() (valid bool)

Valid returns a boolean value indicative of whether the receiver contains the required non-nil values within the embedded *pkix.Extension instance.

type Extensions

type Extensions []*Extension

Extensions contains slices of *Extension instances.

func NewExtensions

func NewExtensions() Extensions

NewExtensions allocates an instance of []*Extension and returns it.

func (*Extensions) Append

func (exts *Extensions) Append(e any)

Append shall append the provided *Extension value, if it is both valid and unique, to the receiver.

Input types accepted are []pkix.Extension, pkix.Extension, *pkix.Extension, *Extensions and *Extension. Invalid or non-unique append attempts are silently discarded.

func (Extensions) Contains

func (exts Extensions) Contains(id any) (contains bool)

Contains returns a boolean value indicative of whether an instance of *Extension resides within the receiver matching the provided object identifier value.

func (*Extensions) Delete

func (exts *Extensions) Delete(e any)

func (Extensions) Get

func (exts Extensions) Get(id any) (ext *Extension)

Get returns an instance of *Extension that matches the provided object identifier, if present, from within the receiver.

func (Extensions) IsZero

func (exts Extensions) IsZero() bool

IsZero returns a boolean value indicative of whether the receiver is empty.

func (Extensions) Len

func (exts Extensions) Len() int

Len returns the integer length of the receiver.

func (Extensions) Valid

func (exts Extensions) Valid() (valid bool)

Valid returns a boolean value indicative of whether the receiver is of non-zero length and all of its *Extension instances are valid.

type Key

type Key interface {
	// RSAPrivateKey returns the internal instance of
	// *rsa.PrivateKey if present, else nil. This is
	// considered PKCS#1.
	RSAPrivateKey() *rsa.PrivateKey

	// ECCPrivateKey returns the internal instance of
	// *ecdsa.PrivateKey if present, else nil. This is
	// considered PKCS#1.
	ECCPrivateKey() *ecdsa.PrivateKey

	// ED25519PrivateKey returns the internal instance
	// of ed25519.PrivateKey if present else nil. This
	// is considered PKCS#1.
	ED25519PrivateKey() ed25519.PrivateKey

	// PrivateBytes returns the defined private PKCS bytes
	// and an error if something went wrong. The only valid
	// (and meaningful) optional argument is with the PKCS1
	// constant. This will only work if the type of key is
	// *rsa.PrivateKey. All other types require PKCS8, which
	// is preferred over PKCS1. PKCS8 is the default and need
	// not be specified. If PKCS1 is elected, but the key type
	// is not *rsa.PrivateKey and/or the attempt to assert to
	// this type fails, PKCS8 will be used instead.
	PrivateBytes(...int) ([]byte, error)

	// PublicBytes returns the defined public PKCS bytes and
	// an error if something went wrong. The only valid (and
	// meaningful) optional argument is the PKCS1 constant.
	// This will only work with *rsa.PublicKey. All other types
	// require PKCS8, which is preferred over PKCS1. PKCS8
	// is the default and need not be specified. If PKCS1 is
	// elected, but the key type is not *rsa.PublicKey and/or
	// the attempt to assert to this type fails, PKCS8 will
	// be used instead.
	PublicBytes(...int) ([]byte, error)

	// Write will write the private key to the input path
	// using the specified encoding flag (0 for PEM, 1 for DER).
	Write(string, ...int) error

	// Modulus returns the octets of Key.PublicBytes() as a hex
	// encoded, upper-case normalized string. If any errors are
	// encountered during retrieval of the public bytes, an empty
	// string is returned.
	Modulus() string

	// Public returns the instance of crypto.PublicKey
	// derived from the core private key type.
	Public() crypto.PublicKey

	// Type returns the type-identifying integer of this
	// instance of PrivateKey (0).
	Type() KeyType

	// Sign will sign the provided msg data with the private
	// key embedded in the receiver.
	Sign([]byte, crypto.Hash) ([]byte, error)

	// Verify shall verify signature (sig) against the hashed
	// message (msghash).
	Verify([]byte, []byte, crypto.Hash) error

	// Size will return the byte size of the key in question
	// as an integer. Note that in the case of RSA, this value
	// should be multiplied by 8 to get its bit size, e.g.:
	// 2048 from 256.
	Size() int

	// Error will return an embedded error if non nil.
	Error() error

	// IsError returns a boolean value indicative of whether
	// the receiver is in an aberrant state.
	IsError() bool

	// IsZero returns a boolean value indicative of whether
	// the receiver is effectively nil.
	IsZero() bool

	// String will return the KeyType string value and the
	// appropriate bit Size() output as a string in the
	// format: NAME:BITSIZE. RSA multiplication by eight is
	// handled automatically.
	String() string

	// Interface returns the embedded instance of a supported
	// private key as an interface{} type (any).
	Interface() any

	// PEM will return the Privacy-Enhanced Mail encoding
	// of the private key as slices of bytes ([]byte).
	PEM() []byte

	// DER will return the ASN.1 distinguished encoding
	// of the private key as slices of bytes ([]byte).
	DER() []byte
	// contains filtered or unexported methods
}

Key encompasses all private key types supported by this package, and affords methods to manipulate a private key, regardless of its type, in an identical manner.

func NewKey

func NewKey(i any) Key

NewKey produces a new instance of the interface Key. If creation fails for any reason, the error is enclosed within the returned Key rather than returned separately.

Valid input arguments are: key identifiers such as cryptic.R2048, cryptic.E521, etc. Alternatively, an actual instance of a supported private key type, which must be one of *rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey.

Be sure to check the resultant key using key.IsError() and key.Error() as appropriate.

func ParsePrivateKey

func ParsePrivateKey(raw []byte) Key

ParsePrivateKey parses the raw private key bytes and attempts to unmarshal them into a Key. Any error encountered is enclosed within the returned Key and can be tested via its IsError and Error methods.

func ReadPrivateKeyFile

func ReadPrivateKeyFile(key string) Key

ReadPrivateKeyFile reads the specified path/filename into bytes and parses those bytes into a Key. Any error encountered, whether while reading or parsing, is enclosed within the returned Key and can be tested via its IsError and Error methods.

type KeyPurpose

type KeyPurpose []asn1.ObjectIdentifier

KeyPurpose is a slice of asn1.ObjectIdentifier values, each identifying one Extended Key Usage (a KeyPurposeId under the id-kp arc).

var StandardLeafNodeExtKeyUsages KeyPurpose

StandardLeafNodeExtKeyUsages is a convenient global variable that can be used to quickly assign leafnode-typical X.509 Extended Key Usages to a *Certificate or *CertificateRequest instance. This is merely an alternative to doing it manually, which is also fine.

The contents of this variable are as follows:

  • 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
  • 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)

func (KeyPurpose) IsSet

func (ek KeyPurpose) IsSet(o any) bool

IsSet returns a boolean value indicative of whether the given OID (in raw []int or asn1.ObjectIdentifier form) is present within the receiver KeyPurpose.

func (KeyPurpose) Len

func (ek KeyPurpose) Len() int

Len returns the number of OIDs held within the receiver.

func (*KeyPurpose) Marshal

func (ek *KeyPurpose) Marshal(c ...bool) (*pkix.Extension, error)

Marshal returns a pkix.Extension instance populated with the chosen Extended Key Usage OIDs, and an error. An optional Criticality flag allows the default value of true to be overridden. RFC 5280 section 4.2.1.12 permits this extension to be either critical or non-critical, but a critical EKU causes any relying party that does not recognise every listed purpose to reject the certificate outright, so check that the default suits your consumers before relying on it.

This instance of pkix.Extension shall be properly populated with the ASN.1 Id for Extended Key Usage (id-ce-extKeyUsage, 2.5.29.37), the Criticality flag and the ASN.1 value (the DER encoding of the receiver as a SEQUENCE OF asn1.ObjectIdentifier).

func (*KeyPurpose) Set

func (ek *KeyPurpose) Set(o any) *KeyPurpose

Set will assign the given OID (in raw []int or asn1.ObjectIdentifier form) to the receiver instance of *KeyPurpose. Uniqueness will be silently preserved, should a duplicate Set attempt occur.

func (KeyPurpose) String

func (ek KeyPurpose) String() string

String returns a comma-delimited sequence of the names of the OIDs present in the receiver.

func (*KeyPurpose) Unset

func (ek *KeyPurpose) Unset(o any) *KeyPurpose

Unset will trim the given OID (in raw []int or asn1.ObjectIdentifier form) from the receiver instance of *KeyPurpose. A nonexistent Unset attempt is silently ignored.

type KeyPurposes

type KeyPurposes interface {

	// Set will append the given OID (in either raw []int or
	// asn1.ObjectIdentifier form) to the receiver KeyPurpose
	// instance if not already present.
	Set(any) *KeyPurpose

	// Unset will trim the given OID (in either raw []int or
	// asn1.ObjectIdentifier form) from the receiver instance
	// of KeyPurpose if present.
	Unset(any) *KeyPurpose

	// Marshal returns a pkix.Extension instance and an error.
	// An optional Criticality boolean argument may be provided
	// to override the default Criticality of true, if needed.
	// Also see the base function UnmarshalKeyPurpose(), which
	// reverses this method.
	Marshal(...bool) (*pkix.Extension, error)

	// String returns a comma-delimited sequence of OID names
	// that are active KeyPurposes.
	String() string

	// Len returns the number of OIDs encoded within the receiver.
	Len() int

	// IsSet returns a boolean value indicative of whether the
	// specified ASN.1 Object Identifier value is present within
	// the given receiver instance of KeyPurpose.
	IsSet(any) bool
}

KeyPurposes provides unified interfaces for constructing a valid instance of KeyPurpose containing one or more OIDs subordinate to the id-kp OID branch.

Use of this interface allows, among other things, the addition of popularly used OIDs, such as id-kp-serverAuth, to an X.509 Certificate Signing Request.

func NewKeyPurposes

func NewKeyPurposes() KeyPurposes

NewKeyPurposes produces an empty KeyPurposes instance, backed by a []asn1.ObjectIdentifier with capacity for 40 entries (none pre-populated). As new key purposes are introduced to the world, this limit may need to increase.

func UnmarshalKeyPurpose

func UnmarshalKeyPurpose(ext pkix.Extension) (KeyPurposes, error)

UnmarshalKeyPurpose takes a precomposed pkix.Extension object instance and attempts to unmarshal the asn1.RawValue bytes into an instance of KeyPurposes. This object may then be used identically to its predecessor as if it were never Marshaled in the first place.
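The following added example (mine, not code from go-cryptic or this page) builds the KeyPurpose behaviour documented above on the standard library alone: an ordered, duplicate-free set of id-kp OIDs that accepts either []int or asn1.ObjectIdentifier, the SEQUENCE OF OID encoding that id-ce-extKeyUsage (2.5.29.37) carries, and the reverse mapping to x509.ExtKeyUsage constants the way crypto/x509 performs it, with unrecognised purposes kept as raw OIDs. All type and function names are this example's own, and it deliberately defaults the extension to non-critical, the opposite of the package's documented default, for the interoperability reason given in the Marshal comment.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37} // id-ce-extKeyUsage

// purposes maps the id-kp OIDs this example recognises to the crypto/x509 constants.
var purposes = map[string]x509.ExtKeyUsage{
	"1.3.6.1.5.5.7.3.1": x509.ExtKeyUsageServerAuth,
	"1.3.6.1.5.5.7.3.2": x509.ExtKeyUsageClientAuth,
	"1.3.6.1.5.5.7.3.3": x509.ExtKeyUsageCodeSigning,
}

// KeyPurpose is an illustrative ordered, duplicate-free set of EKU OIDs (not the cryptic type).
type KeyPurpose []asn1.ObjectIdentifier

// toOID accepts either a raw []int or an asn1.ObjectIdentifier, as the page's API does.
func toOID(o any) (asn1.ObjectIdentifier, bool) {
	switch v := o.(type) {
	case asn1.ObjectIdentifier:
		return v, len(v) > 0
	case []int:
		return asn1.ObjectIdentifier(v), len(v) > 0
	}
	return nil, false
}

// IsSet reports whether the OID is present.
func (ek KeyPurpose) IsSet(o any) bool {
	oid, ok := toOID(o)
	for _, cur := range ek {
		if ok && cur.Equal(oid) {
			return true
		}
	}
	return false
}

// Set appends the OID unless it is already present; duplicates are dropped silently.
func (ek *KeyPurpose) Set(o any) *KeyPurpose {
	if oid, ok := toOID(o); ok && !ek.IsSet(oid) {
		*ek = append(*ek, oid)
	}
	return ek
}

// Unset removes the OID; removing an absent OID is a silent no-op.
func (ek *KeyPurpose) Unset(o any) *KeyPurpose {
	oid, ok := toOID(o)
	for i, cur := range *ek {
		if ok && cur.Equal(oid) {
			*ek = append((*ek)[:i], (*ek)[i+1:]...)
			break // Set guarantees at most one copy
		}
	}
	return ek
}

// Marshal encodes ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId. Criticality
// defaults to false: a critical EKU is rejected by any verifier that does not know every purpose.
func (ek KeyPurpose) Marshal(critical ...bool) (pkix.Extension, error) {
	if len(ek) == 0 {
		return pkix.Extension{}, fmt.Errorf("extKeyUsage requires at least one purpose")
	}
	val, err := asn1.Marshal([]asn1.ObjectIdentifier(ek))
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidExtKeyUsage, Critical: len(critical) > 0 && critical[0], Value: val}, nil
}

// UnmarshalKeyPurpose reverses Marshal and splits purposes the way crypto/x509 does: known ones
// become x509.ExtKeyUsage values, the rest stay raw (the equivalent of UnknownExtKeyUsage).
func UnmarshalKeyPurpose(ext pkix.Extension) (ek KeyPurpose, known []x509.ExtKeyUsage, unknown []asn1.ObjectIdentifier, err error) {
	var oids []asn1.ObjectIdentifier
	rest, err := asn1.Unmarshal(ext.Value, &oids)
	if !ext.Id.Equal(oidExtKeyUsage) || err != nil || len(rest) != 0 || len(oids) == 0 {
		return nil, nil, nil, fmt.Errorf("not a well-formed id-ce-extKeyUsage extension: %v", err)
	}
	for _, oid := range oids {
		ek.Set(oid)
		if eku, ok := purposes[oid.String()]; ok {
			known = append(known, eku)
		} else {
			unknown = append(unknown, oid)
		}
	}
	return ek, known, unknown, nil
}
```

Because the ASN.1 syntax is SEQUENCE SIZE (1..MAX), Marshal refuses an empty set rather than emitting an extension that strict parsers reject, and the decoder treats an empty SEQUENCE, trailing bytes or a foreign OID as malformed instead of returning a silently empty set.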

type KeyType

type KeyType int

KeyType identifies the type of key in question.

const (
	// KeyNil indicates an invalid key, or one whose composition
	// failed. When checked, this value returns -1, indicating failure.
	KeyNil KeyType = iota + -1

	// KeyRSA instance indicates an *rsa.PrivateKey represents the key
	// in question. When checked, this value causes a return of 0.
	KeyRSA

	// KeyECC instance indicates an *ecdsa.PrivateKey represents the key
	// in question. When checked, this value causes a return of 1.
	KeyECC

	// KeyED25519 instance indicates an ed25519.PrivateKey represents the key
	// in question. When checked, this value causes a return of 2.
	KeyED25519
)

func (KeyType) String

func (k KeyType) String() string

String is a stringer method that returns the name of the key type in use.

type KeyUsage

type KeyUsage struct {
	// contains filtered or unexported fields
}

KeyUsage is a struct-based type containing a raw 16-bit unsigned integer type (uint16) meant to represent a valid x509.KeyUsage bitpacked value.

var StandardIssuerKeyUsages KeyUsage = KeyUsage{/* contains filtered or unexported fields */}

StandardIssuerKeyUsages is a convenient global variable that can be used to quickly assign the CA-typical X.509 Key Usages to a *Certificate or *CertificateRequest instance. This is merely an alternative to doing it manually, which is also fine.

The value of this variable is uint16(97), which represents the following "bit shifted" (additive) values:

  • DigitalSignature(1)
  • CertSign(32)
  • CRLSign(64)

var StandardLeafNodeKeyUsages KeyUsage = KeyUsage{/* contains filtered or unexported fields */}

StandardLeafNodeKeyUsages is a convenient global variable that can be used to quickly assign the leafnode-typical X.509 Key Usages to a *Certificate or *CertificateRequest instance. This is merely an alternative to doing it manually, which is also fine.

The value of this variable is uint16(13), which represents the following "bit shifted" (additive) values:

  • DigitalSignature(1)
  • KeyEncipherment(4)
  • DataEncipherment(8)

These defaults describe an RSA leaf. KeyEncipherment denotes RSA key transport and DataEncipherment direct encryption of user data; neither applies to an ECDSA or Ed25519 key (they are not among the usages RFC 5480 section 3 allows for id-ecPublicKey, and RFC 8410 section 5 forbids them for Ed25519). For such keys, set DigitalSignature, and KeyAgreement where applicable, manually rather than using this variable.

func (*KeyUsage) CRLSign

func (ku *KeyUsage) CRLSign(state bool) *KeyUsage

CRLSign sets (true) or clears (false) the KeyUsageCRLSign bit and returns the receiver so that calls can be chained.

func (*KeyUsage) CertSign

func (ku *KeyUsage) CertSign(state bool) *KeyUsage

CertSign sets (true) or clears (false) the KeyUsageCertSign bit and returns the receiver so that calls can be chained. Per RFC 5280 section 4.2.1.3, a certificate asserting this bit must also assert the cA flag of its basicConstraints extension.

func (*KeyUsage) ContentCommitment

func (ku *KeyUsage) ContentCommitment(state bool) *KeyUsage

ContentCommitment sets (true) or clears (false) the KeyUsageContentCommitment bit and returns the receiver so that calls can be chained.

This bit was named nonRepudiation in earlier X.509 editions; RFC 5280 renamed it contentCommitment, and the Go constant is x509.KeyUsageContentCommitment.

func (*KeyUsage) DataEncipherment

func (ku *KeyUsage) DataEncipherment(state bool) *KeyUsage

DataEncipherment sets (true) or clears (false) the KeyUsageDataEncipherment bit and returns the receiver so that calls can be chained.

func (*KeyUsage) DecipherOnly

func (ku *KeyUsage) DecipherOnly(state bool) *KeyUsage

DecipherOnly sets (true) or clears (false) the KeyUsageDecipherOnly bit and returns the receiver so that calls can be chained. This bit is only meaningful alongside KeyAgreement.

func (*KeyUsage) DigitalSignature

func (ku *KeyUsage) DigitalSignature(state bool) *KeyUsage

DigitalSignature sets (true) or clears (false) the KeyUsageDigitalSignature bit and returns the receiver so that calls can be chained.

func (*KeyUsage) EncipherOnly

func (ku *KeyUsage) EncipherOnly(state bool) *KeyUsage

EncipherOnly sets (true) or clears (false) the KeyUsageEncipherOnly bit and returns the receiver so that calls can be chained. This bit is only meaningful alongside KeyAgreement.

func (*KeyUsage) KeyAgreement

func (ku *KeyUsage) KeyAgreement(state bool) *KeyUsage

KeyAgreement sets (true) or clears (false) the KeyUsageKeyAgreement bit and returns the receiver so that calls can be chained.

func (*KeyUsage) KeyEncipherment

func (ku *KeyUsage) KeyEncipherment(state bool) *KeyUsage

KeyEncipherment sets (true) or clears (false) the KeyUsageKeyEncipherment bit and returns the receiver so that calls can be chained.

func (KeyUsage) Marshal

func (ku KeyUsage) Marshal() (*pkix.Extension, error)

Marshal returns a pkix.Extension instance populated with the chosen Key Usage bits, and an error.

This instance of pkix.Extension shall be properly populated with the ASN.1 Id for Key Usage (id-ce-keyUsage, 2.5.29.15), the Criticality flag and the Value (a DER-encoded ASN.1 BIT STRING). RFC 5280 section 4.2.1.3 states that conforming CAs SHOULD mark this extension critical when it is present.

func (KeyUsage) State

func (ku KeyUsage) State(kc x509.KeyUsage) bool

State returns a boolean value indicative of whether the specified x509.KeyUsage value is considered "enabled" due to its bit presence within the receiver.

func (KeyUsage) String

func (ku KeyUsage) String() string

String returns the names of the Key Usage bits present in the receiver as a string.

func (KeyUsage) Uint16

func (ku KeyUsage) Uint16() uint16

Uint16 returns the uint16 value of the receiver, which represents the bit shifted Key Usages state.

type KeyUsages

type KeyUsages interface {
	// Uint16 returns the uint16 value of the receiver, which
	// represents the bit-packed Key Usages state.
	Uint16() uint16

	// ContentCommitment sets (true) or clears (false) the
	// KeyUsageContentCommitment bit.
	ContentCommitment(bool) *KeyUsage

	// KeyAgreement sets (true) or clears (false) the
	// KeyUsageKeyAgreement bit.
	KeyAgreement(bool) *KeyUsage

	// DigitalSignature sets (true) or clears (false) the
	// KeyUsageDigitalSignature bit.
	DigitalSignature(bool) *KeyUsage

	// DataEncipherment sets (true) or clears (false) the
	// KeyUsageDataEncipherment bit.
	DataEncipherment(bool) *KeyUsage

	// KeyEncipherment sets (true) or clears (false) the
	// KeyUsageKeyEncipherment bit.
	KeyEncipherment(bool) *KeyUsage

	// DecipherOnly sets (true) or clears (false) the
	// KeyUsageDecipherOnly bit.
	DecipherOnly(bool) *KeyUsage

	// EncipherOnly sets (true) or clears (false) the
	// KeyUsageEncipherOnly bit.
	EncipherOnly(bool) *KeyUsage

	// CertSign sets (true) or clears (false) the
	// KeyUsageCertSign bit.
	CertSign(bool) *KeyUsage

	// CRLSign sets (true) or clears (false) the
	// KeyUsageCRLSign bit.
	CRLSign(bool) *KeyUsage

	// String returns the string form of the present KeyUsage
	// values.
	String() string

	// Marshal returns a pkix.Extension instance and an error.
	// Also see the base function UnmarshalKeyUsage(), which
	// reverses this method.
	Marshal() (*pkix.Extension, error)

	// State returns a boolean value indicative of whether the
	// specified x509.KeyUsage value is considered "enabled"
	// due to its bit presence within the receiver.
	State(x509.KeyUsage) bool
}

KeyUsages provides a unified interface for constructing a valid KeyUsage (a uint16 bit set) for eventual use in certificate and CSR templating. Each setter returns the receiver, so calls can be chained.

func NewKeyUsages

func NewKeyUsages() KeyUsages

NewKeyUsages produces an empty KeyUsages instance with no bits set, ready for configuration through its setter methods.

func UnmarshalKeyUsage

func UnmarshalKeyUsage(ext pkix.Extension) (KeyUsages, error)

UnmarshalKeyUsage takes a precomposed pkix.Extension object instance and attempts to unmarshal the ASN.1 BIT STRING within it into a KeyUsages instance backed by a uint16. This object may then be used identically to its predecessor, as if it had never been marshaled in the first place.
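As an added example (not code from go-cryptic or this page), the bit handling behind StandardIssuerKeyUsages (97), StandardLeafNodeKeyUsages (13), Marshal and UnmarshalKeyUsage can be reproduced with the standard library. The block below defines its own uint16-backed set with the same fluent set-and-query style, encodes it as the id-ce-keyUsage (2.5.29.15) BIT STRING (named bit 0 is the most significant bit of the first octet, and DER strips trailing zero bits), decodes it again, and confirms the encoding against what crypto/x509 itself writes into a throwaway self-signed Ed25519 certificate. Type and function names, and the test CA's name, are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15} // id-ce-keyUsage

// KeyUsageBits is an illustrative uint16-backed key usage set in the fluent
// set/query style the page describes; it is not the cryptic package's own type.
type KeyUsageBits struct{ V uint16 }

// Set turns one x509.KeyUsage bit on (true) or off (false); calls chain.
func (k *KeyUsageBits) Set(bit x509.KeyUsage, on bool) *KeyUsageBits {
	k.V &^= uint16(bit)
	if on {
		k.V |= uint16(bit)
	}
	return k
}

// State reports whether a bit is present, so callers never shift by hand.
func (k KeyUsageBits) State(bit x509.KeyUsage) bool { return k.V&uint16(bit) != 0 }

// Marshal encodes the receiver as a critical id-ce-keyUsage extension. Named bit 0
// (digitalSignature) is the MSB of the first octet; DER drops trailing zero bits.
func (k KeyUsageBits) Marshal() (pkix.Extension, error) {
	raw, bitLen := []byte{0, 0}, 0
	for i := 0; i < 9; i++ { // digitalSignature(0) .. decipherOnly(8)
		if k.V&(1<<uint(i)) != 0 {
			raw[i/8] |= 0x80 >> uint(i%8)
			bitLen = i + 1
		}
	}
	raw = raw[:1+bitLen/9] // a second octet only when decipherOnly(8) is set
	val, err := asn1.Marshal(asn1.BitString{Bytes: raw, BitLength: bitLen})
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidKeyUsage, Critical: true, Value: val}, nil
}

// UnmarshalKeyUsage decodes an id-ce-keyUsage extension back into bits,
// rejecting a wrong OID and any trailing bytes after the BIT STRING.
func UnmarshalKeyUsage(ext pkix.Extension) (k KeyUsageBits, err error) {
	var bs asn1.BitString
	rest, err := asn1.Unmarshal(ext.Value, &bs)
	if !ext.Id.Equal(oidKeyUsage) || err != nil || len(rest) != 0 {
		return k, fmt.Errorf("not a well-formed id-ce-keyUsage extension: %v", err)
	}
	for i := 0; i < 9; i++ {
		if bs.At(i) != 0 { // At yields 0 beyond BitLength
			k.V |= 1 << uint(i)
		}
	}
	return k, nil
}

// IssuerUsageRoundTrip builds the issuer set, self-signs a throwaway Ed25519 CA
// with it, and reports whether the extension crypto/x509 emitted is byte-for-byte
// what Marshal produces and decodes to the same bits.
func IssuerUsageRoundTrip() (KeyUsageBits, bool, error) {
	var want KeyUsageBits
	want.Set(x509.KeyUsageDigitalSignature, true).Set(x509.KeyUsageCertSign, true).Set(x509.KeyUsageCRLSign, true)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return want, false, err
	}
	tmpl := &x509.Certificate{ // constructed throwaway CA, not a real identity
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example test CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsage(want.V), BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return want, false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return want, false, err
	}
	mine, _ := want.Marshal()
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyUsage) {
			got, err := UnmarshalKeyUsage(ext)
			same := err == nil && ext.Critical && string(mine.Value) == string(ext.Value) &&
				got.V == want.V && uint16(cert.KeyUsage) == want.V
			return got, same, err
		}
	}
	return want, false, fmt.Errorf("keyUsage extension missing from certificate")
}
```

IssuerUsageRoundTrip returns the decoded bits together with a single boolean that is only true when the extension is critical, byte-identical to what crypto/x509 wrote, and decodes back to 97; the same three checks are worth keeping in any key-usage code of your own, since the bit-order reversal in the BIT STRING is where hand-written encoders usually go wrong.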

type Name

type Name pkix.Name

Name is a defined type with pkix.Name as its underlying type (not a type alias), so it carries the same fields while allowing the methods below to be attached.

func (Name) GetCommonName

func (n Name) GetCommonName() string

GetCommonName returns the Common Name (2.5.4.3) from within the *pkix.Name value embedded in the receiver.

func (Name) GetCountry

func (n Name) GetCountry() []string

GetCountry returns the Country Code (2.5.4.6) from within the *pkix.Name value embedded in the receiver.

func (Name) GetEmailAddress

func (n Name) GetEmailAddress() string

GetEmailAddress returns the emailAddress (1.2.840.113549.1.9.1) from within the *pkix.Name value embedded in the receiver, if present, else a zero-length string.

func (Name) GetExtraNames

func (n Name) GetExtraNames() []string

GetExtraNames returns slices of stringified pkix.AttributeTypeAndValue instances, detailing the value and the OID.

func (Name) GetGenerationQualifier

func (n Name) GetGenerationQualifier() string

GetGenerationQualifier returns the generationQualifier (2.5.4.44) from within the *pkix.Name value embedded in the receiver, if present, else a zero-length string.

func (Name) GetGivenName

func (n Name) GetGivenName() string

GetGivenName returns the givenName (2.5.4.42) from within the *pkix.Name value embedded in the receiver, if present, else a zero-length string.

func (Name) GetInitials

func (n Name) GetInitials() string

GetInitials returns the initials (2.5.4.43) from within the *pkix.Name value embedded in the receiver, if present, else a zero-length string.

func (Name) GetLocality

func (n Name) GetLocality() []string

GetLocality returns the Locality (2.5.4.7) from within the *pkix.Name value embedded in the receiver.

func (Name) GetOrg

func (n Name) GetOrg() []string

GetOrg returns the Organization Name (2.5.4.10) from within the *pkix.Name value embedded in the receiver.

func (Name) GetOrgUnit

func (n Name) GetOrgUnit() []string

GetOrgUnit returns the Organizational Unit Name (2.5.4.11) from within the *pkix.Name value embedded in the receiver.

func (Name) GetPostalCode

func (n Name) GetPostalCode() []string

GetPostalCode returns the Postal Code (2.5.4.17) from within the *pkix.Name value embedded in the receiver.

func (Name) GetProvince

func (n Name) GetProvince() []string

GetProvince returns the Province (2.5.4.8) from within the *pkix.Name value embedded in the receiver.

func (Name) GetPseudonym

func (n Name) GetPseudonym() string

GetPseudonym returns the pseudonym (2.5.4.65) from within the *pkix.Name value embedded in the receiver, if present, else a zero-length string.

func (Name) GetSerialNumber

func (n Name) GetSerialNumber() string

GetSerialNumber returns the Serial Number (2.5.4.5) from within the *pkix.Name value embedded in the receiver.

func (Name) GetStreetAddress

func (n Name) GetStreetAddress() []string

GetStreetAddress returns the Street Address (2.5.4.9) from within the *pkix.Name value embedded in the receiver.

func (Name) GetSurname

func (n Name) GetSurname() string

GetSurname returns the surname (2.5.4.4) from within the *pkix.Name value embedded in the receiver, if present, else a zero-length string.

func (Name) GetTitle

func (n Name) GetTitle() string

GetTitle returns the title (2.5.4.12) from within the *pkix.Name value embedded in the receiver, if present, else a zero-length string.

func (Name) Marshal

func (n Name) Marshal() (*pkix.Name, error)

Marshal returns a *pkix.Name built from the receiver, suitable for use with crypto/x509 among others (for example as the Subject of a CSR or certificate template), and an error.

Marshal is where pre-launch checks are performed. Currently it only verifies that the CommonName, Country, Organization and Locality attributes are populated. That is a local policy rather than an RFC 5280 requirement (RFC 5280 permits an empty subject when a critical subjectAltName extension is present), so it may be insufficient or excessive for your use. Be certain which fields are wanted or unwanted, and remember that for TLS server certificates the host name belongs in the subjectAltName extension: crypto/x509 has ignored the CommonName for host name verification since Go 1.15.

func (*Name) SetCommonName

func (n *Name) SetCommonName(cn string) *Name

SetCommonName sets the pkix.Name.CommonName (2.5.4.3) value within the interface receiver instance of Name.

func (*Name) SetCountry

func (n *Name) SetCountry(co ...string) *Name

SetCountry sets the pkix.Name.Country (2.5.4.6) value(s) within the interface receiver instance of Name.

func (*Name) SetEmailAddress

func (n *Name) SetEmailAddress(mail string) *Name

SetEmailAddress is a convenient wrapper for SetExtraNames with regards to assigning an emailAddress (1.2.840.113549.1.9.1) to the underlying pkix.Name instance.

func (*Name) SetExtraNames

func (n *Name) SetExtraNames(en ...pkix.AttributeTypeAndValue) *Name

SetExtraNames sets the pkix.Name.ExtraNames field ([]pkix.AttributeTypeAndValue) with the given instance(s). Multiple values may be provided via variadic assignment (val, val, ...).

Each supplied AttributeTypeAndValue must set Type to the attribute's OID (an asn1.ObjectIdentifier, i.e. a []int) and Value to the attribute's data.

When the pkix.Name is marshaled during CSR templating, these values override any attribute with the same OID that was set through the typed fields. For example, if one set the country code via SetCountry as "US", and a subsequent AttributeTypeAndValue carries the OID of the joint-iso-itu-t countryName attribute (2, 5, 4, 6) with a value of "CA", the CSR will carry "CA" as the country code. This is the documented behaviour of pkix.Name.ToRDNSequence, which skips a typed field whenever ExtraNames already holds its OID.

Duplicate append attempts are filtered by OID integer sequence, not by value. This occurs silently.
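An added example, not the package's own code, showing the two behaviours documented above for Name: a pre-launch check of the kind Marshal performs, and an ExtraNames attribute overriding the typed Country field. It builds a CSR with crypto/x509 and parses it back, because only the parsed result shows what a relying party will read (parsed extra attributes surface in Subject.Names, not Subject.ExtraNames). The subject values and host name are constructed for the example, the emailAddress is encoded as IA5String as PKCS #9 specifies, and the host name goes into the SAN rather than the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var (
	oidCountry      = asn1.ObjectIdentifier{2, 5, 4, 6}
	oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
)

// CheckSubject is the kind of pre-launch check the page's Name.Marshal performs:
// CommonName, Country, Organization and Locality must all be populated.
func CheckSubject(n pkix.Name) error {
	if n.CommonName == "" || len(n.Country) == 0 || len(n.Organization) == 0 || len(n.Locality) == 0 {
		return fmt.Errorf("subject needs CN, C, O and L: %q", n.String())
	}
	return nil
}

// WithEmail appends an emailAddress attribute via ExtraNames. The value is given as
// IA5String because PKCS #9 defines emailAddress that way; a plain Go string would
// be marshaled as PrintableString or UTF8String instead.
func WithEmail(n pkix.Name, mail string) pkix.Name {
	n.ExtraNames = append(n.ExtraNames, pkix.AttributeTypeAndValue{
		Type:  oidEmailAddress,
		Value: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(mail)},
	})
	return n
}

// ParsedSubject builds a CSR from the name and parses it back, which is the only
// reliable way to see what a relying party will read: attributes in ExtraNames win
// over the typed fields with the same OID, and parsed extra attributes land in
// Subject.Names, not Subject.ExtraNames.
func ParsedSubject(n pkix.Name, dnsNames []string) (*x509.CertificateRequest, error) {
	if err := CheckSubject(n); err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  n,
		DNSNames: dnsNames, // host names belong in the SAN, not in the CN
	}, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

// Attribute returns the first value for the given OID among the parsed Names.
func Attribute(csr *x509.CertificateRequest, oid asn1.ObjectIdentifier) (string, bool) {
	for _, atv := range csr.Subject.Names {
		if atv.Type.Equal(oid) {
			s, ok := atv.Value.(string)
			return s, ok
		}
	}
	return "", false
}

func main() {
	// Constructed example: the typed Country "US" is overridden by an ExtraNames
	// countryName attribute carrying "CA", exactly as the page's SetExtraNames warns.
	n := pkix.Name{CommonName: "svc.example.test", Country: []string{"US"},
		Organization: []string{"Example Org"}, Locality: []string{"Springfield"}}
	n.ExtraNames = append(n.ExtraNames, pkix.AttributeTypeAndValue{Type: oidCountry, Value: "CA"})
	n = WithEmail(n, "pki@example.test")
	csr, err := ParsedSubject(n, []string{"svc.example.test"})
	if err != nil {
		panic(err)
	}
	mail, _ := Attribute(csr, oidEmailAddress)
	fmt.Println(csr.Subject.Country, mail, csr.DNSNames) // [CA] pki@example.test [svc.example.test]
}
```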

func (*Name) SetGenerationQualifier

func (n *Name) SetGenerationQualifier(gen string) *Name

SetGenerationQualifier sets a printableString value for generationQualifier (2.5.4.44) within the *pkix.Name value embedded in the receiver.

func (*Name) SetGivenName

func (n *Name) SetGivenName(gn string) *Name

SetGivenName sets a printableString value for givenName (2.5.4.42) within the *pkix.Name value embedded in the receiver.

func (*Name) SetInitials

func (n *Name) SetInitials(in string) *Name

SetInitials sets a printableString value for initials (2.5.4.43) within the *pkix.Name value embedded in the receiver.

func (*Name) SetLocality

func (n *Name) SetLocality(loc ...string) *Name

SetLocality sets the pkix.Name.Locality (2.5.4.7) value(s) within the interface receiver instance of Name.

func (*Name) SetOrg

func (n *Name) SetOrg(org ...string) *Name

SetOrg sets the pkix.Name.Organization (2.5.4.10) value(s) within the interface receiver instance of Name.

func (*Name) SetOrgUnit

func (n *Name) SetOrgUnit(ou ...string) *Name

SetOrgUnit sets the pkix.Name.OrganizationalUnit (2.5.4.11) value(s) within the interface receiver instance of Name.

func (*Name) SetPostalCode

func (n *Name) SetPostalCode(z ...string) *Name

SetPostalCode sets the pkix.Name.PostalCode (2.5.4.17) value(s) within the interface receiver instance of Name.

func (*Name) SetProvince

func (n *Name) SetProvince(p ...string) *Name

SetProvince sets the pkix.Name.Province (2.5.4.8) value(s) within the interface receiver instance of Name.

func (*Name) SetPseudonym

func (n *Name) SetPseudonym(ps string) *Name

SetPseudonym sets a printableString value for pseudonym (2.5.4.65) within the *pkix.Name value embedded in the receiver.

func (*Name) SetSerialNumber

func (n *Name) SetSerialNumber(sn string) *Name

SetSerialNumber sets the pkix.Name.SerialNumber (2.5.4.5) value within the interface receiver instance of Name.

func (*Name) SetStreetAddress

func (n *Name) SetStreetAddress(sa ...string) *Name

SetStreetAddress sets the pkix.Name.StreetAddress (2.5.4.9) value(s) within the interface receiver instance of Name.

func (*Name) SetSurname

func (n *Name) SetSurname(sn string) *Name

SetSurname sets a printableString value for surname (2.5.4.4) within the *pkix.Name value embedded in the receiver.

func (*Name) SetTitle

func (n *Name) SetTitle(t string) *Name

SetTitle sets a printableString value for title (2.5.4.12) within the *pkix.Name value embedded in the receiver.

type PrivateKey

type PrivateKey struct {
	// contains filtered or unexported fields
}

PrivateKey wraps one supported private key type (*rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey), stored as an any value, together with an enclosed error.

func (PrivateKey) DER

func (x PrivateKey) DER() []byte

DER returns the ASN.1 distinguished encoding of the private key. Note that this will return non-printing characters and should never be written to a terminal.

func (PrivateKey) ECCPrivateKey

func (x PrivateKey) ECCPrivateKey() *ecdsa.PrivateKey

ECCPrivateKey returns the internal instance of *ecdsa.PrivateKey if present, else nil.

func (PrivateKey) ED25519PrivateKey

func (x PrivateKey) ED25519PrivateKey() ed25519.PrivateKey

ED25519PrivateKey returns the internal instance of ed25519.PrivateKey if present, else nil.

func (PrivateKey) Error

func (x PrivateKey) Error() error

Error returns the enclosed error instance, whether nil or not.

func (PrivateKey) Interface

func (x PrivateKey) Interface() any

Interface returns the unasserted private key as an interface type (any).

func (PrivateKey) IsError

func (x PrivateKey) IsError() bool

IsError returns a boolean value indicative of whether the receiver is in an aberrant state.

func (PrivateKey) IsZero

func (x PrivateKey) IsZero() bool

IsZero returns a boolean value indicative of whether the receiver is effectively nil.

func (PrivateKey) Modulus

func (x PrivateKey) Modulus() string

Modulus returns the PrivateKey.PublicBytes() octets as a hex-encoded, upper-case normalized string. Despite its name, the value is the complete encoded public key rather than only the RSA modulus n, and it is produced for ECDSA and Ed25519 keys as well. If an error is encountered during retrieval of the public bytes, an empty string is returned.

func (PrivateKey) PEM

func (x PrivateKey) PEM() []byte

PEM returns the Privacy-Enhanced Mail encoding of the private key.

func (PrivateKey) PrivateBytes

func (x PrivateKey) PrivateBytes(s ...int) ([]byte, error)

PrivateBytes returns the encoded private key ([]byte) and an error. By default the PKCS #8 (PrivateKeyInfo) encoding is used, which covers all three supported key types. Given the optional argument PKCS1, the legacy PKCS #1 structure (defined for RSA keys only) is returned instead; this is not recommended.

func (PrivateKey) Public

func (x PrivateKey) Public() crypto.PublicKey

Public returns the instance of crypto.PublicKey derived from the core private key type.

func (PrivateKey) PublicBytes

func (x PrivateKey) PublicBytes(s ...int) ([]byte, error)

PublicBytes returns the encoded public key ([]byte) and an error. By default, PKCS8 is used. Note that PKCS #8 itself defines a private-key structure; the standard encoding of a public key is the SubjectPublicKeyInfo structure of RFC 5280 (what x509.MarshalPKIXPublicKey produces), so read the PKCS8 flag as "the modern, key-type-independent encoding". Given the optional argument PKCS1, the legacy PKCS #1 RSAPublicKey structure is returned instead; this is not recommended and, as noted on the Key interface, only applies to *rsa.PublicKey.

func (PrivateKey) RSAPrivateKey

func (x PrivateKey) RSAPrivateKey() *rsa.PrivateKey

RSAPrivateKey returns the internal instance of *rsa.PrivateKey if present, else nil.

func (PrivateKey) Sign

func (x PrivateKey) Sign(msghash []byte, h crypto.Hash) ([]byte, error)

Sign will sign the hashed message (msghash) using crypto.Hash h and return the signature alongside an error.

func (PrivateKey) Size

func (x PrivateKey) Size() int

Size will return the byte size of the key in question as an integer. For RSA keys this is the modulus length in bytes, so multiply by 8 for the bit size (256 bytes for a 2048-bit key).

func (PrivateKey) String

func (x PrivateKey) String() string

String returns the NAME:BITSIZE string of the receiver.

func (PrivateKey) Type

func (x PrivateKey) Type() KeyType

Type returns the KeyType of the embedded key: KeyRSA (0), KeyECC (1) or KeyED25519 (2), or KeyNil (-1) if the receiver is invalid.

func (PrivateKey) Verify

func (x PrivateKey) Verify(msghash, sig []byte, h crypto.Hash) error

Verify shall verify signature (sig) against the hashed message (msghash). An error is returned if the verification process fails.

func (PrivateKey) Write

func (x PrivateKey) Write(path string, enc ...int) (err error)

Write will write the private key to the input path using the specified encoding flag (0 for PEM, 1 for DER); PEM is used when no flag is given. The file holds private key material and no file mode is documented for this method, so ensure the resulting file is readable only by its owner (for example mode 0600).

type SigningCertificate

type SigningCertificate struct {
	// contains filtered or unexported fields
}

SigningCertificate is a struct type containing an issuer certificate AND its associated private key. The sole purpose of this type is to sign and revoke certificates issued under the enclosed certificate identity.

Third-party issuers, whose private keys are not held, manifest as ordinary *Certificate instances like any other and serve only for verification; this type is wholly distinct from them.

See CertificateRequest.SelfSign and Certificate.SetSignatory for ways of producing instances of this type.

func (SigningCertificate) AuthorityKeyID

func (sig SigningCertificate) AuthorityKeyID() string

AuthorityKeyID returns the X.509 certificate's Authority Key Identifier value from the embedded *x509.Certificate's AuthorityKeyId struct field, hex-encoded with proper delimitation included. Note that this identifies the key of the issuer that signed the SigningCertificate itself, not the key it signs with; the latter is reported by SubjectKeyID.

func (SigningCertificate) DER

func (sig SigningCertificate) DER() []byte

DER returns the raw ASN.1 DER component of the embedded *x509.Certificate instance, or an empty byte slice. Note that this method returns non-printing characters.

func (SigningCertificate) Error

func (sig SigningCertificate) Error() error

Error returns the enclosed error instance, whether nil or not.

func (SigningCertificate) GetAllowedPolicies

func (sig SigningCertificate) GetAllowedPolicies() []asn1.ObjectIdentifier

GetAllowedPolicies returns slices of asn1.ObjectIdentifier values, each representing a distinct certificate policy that is allowed by the receiver during the signing process.

func (SigningCertificate) IsError

func (sig SigningCertificate) IsError() bool

IsError returns a boolean value indicative of whether the receiver is in an aberrant state.

func (SigningCertificate) IsZero

func (sig SigningCertificate) IsZero() bool

IsZero returns a boolean value indicative of whether the receiver is effectively nil.

func (SigningCertificate) KeyPurposes

func (sig SigningCertificate) KeyPurposes() KeyPurposes

KeyPurposes reads the ExtKeyUsage field from the underlying *x509.Certificate instance, maps each stored x509.ExtKeyUsage constant back to its known (and supported) asn1.ObjectIdentifier, and adds each eligible instance to the return value. Because only that field is consulted, purposes that crypto/x509 did not recognise (left in the certificate's UnknownExtKeyUsage field) are not included.

func (SigningCertificate) KeyUsage

func (sig SigningCertificate) KeyUsage() KeyUsage

KeyUsage returns an instance of KeyUsage as derived from the embedded *x509.Certificate instance's KeyUsage field.

func (SigningCertificate) PEM

func (sig SigningCertificate) PEM() []byte

PEM returns the Privacy-Enhanced Mail encoding of the embedded *x509.Certificate instance, or an empty byte slice.

func (*SigningCertificate) SetAllowedPolicies

func (sig *SigningCertificate) SetAllowedPolicies(policies ...any) *SigningCertificate

SetAllowedPolicies allows the issuer to set one or more ASN.1 object identifiers representing official certificate policies that MAY be applied to subsequent certificate signings.

func (*SigningCertificate) SetMaxLifespan

func (sig *SigningCertificate) SetMaxLifespan(life time.Duration) *SigningCertificate

SetMaxLifespan allows the issuer to set a maximum allowed lifespan for any certificate signed by the receiver. This can be changed at any time.

Users may REQUEST certain lifespans through use of the CertificateRequest.SetValidity method. The user-provided time.Duration value is compared against the maximum set by the issuer through this method; a request must not exceed it.

Negative lifespans will be silently discarded.

All lifespans commence at time.Now().UTC() (i.e.: at the moment of signing).

If an issuer does not set a maximum lifespan, a default of one (1) year is imposed.

func (*SigningCertificate) Sign

func (sig *SigningCertificate) Sign(req *CertificateRequest, policies ...any) (signed *Certificate)

Sign signs the certificate request req and returns the resulting *Certificate.

If an error is encountered, it is recorded within the returned *Certificate; callers should test the result with IsError and Error before use rather than assuming success.

This method will fail outright if the receiver is not assigned its appropriate signing private key. See the SetSignatory and SetIsCA methods for details.

Executors of this method MAY, at their discretion, impose certificate policies upon issued certificates. These are represented via object identifiers and can be provided through the variadic 'policies' argument. Note that policy OIDs must first be allowed on the receiver, either through SetAllowedPolicies or through the 'policies' variadic argument of the SetSignatory method extended by the *Certificate type.

func (SigningCertificate) SubjectKeyID

func (sig SigningCertificate) SubjectKeyID() string

SubjectKeyID returns the X.509 certificate's Subject Key Identifier value from the embedded *x509.Certificate's SubjectKeyId struct field, hex-encoded with proper delimitation included.

func (SigningCertificate) Thumbprint

func (sig SigningCertificate) Thumbprint() []byte

Thumbprint returns a []byte form of the hexadecimal encoded SHA-256 sum of the embedded *x509.Certificate's Raw (DER) struct field value.

This is a simple means of uniquely identifying a given Certificate with (virtually) no chance of collision, even if the same public key as a previous (and identically named) incarnation were recklessly reused, because any change to the DER (serial number, validity period, signature) changes the hash.

This is a simplified alternative to the X.509 procedure of unique certificate identification, which combines the issuer name with the serial number of the certificate in question. Note that RFC 5280 requires the issuer name to be non-empty; it is the subject that may be empty (when a critical subjectAltName extension is present). A thumbprint therefore sidesteps name comparison and matching altogether rather than any empty-issuer case.

This method will return a zero length []byte instance if the receiver has not been committed yet.

func (SigningCertificate) TimeRemaining

func (sig SigningCertificate) TimeRemaining() time.Duration

TimeRemaining returns the time.Duration value that reflects the remaining time the receiver has until expiration.

A negative time.Duration value indicates that expiration has since passed.
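An added example, written here rather than taken from go-cryptic, of what SigningCertificate.Sign, SetMaxLifespan, Thumbprint and TimeRemaining amount to on top of crypto/x509: an issuer type holding a CA certificate and key, a Sign method that verifies the CSR's proof of possession, enforces the lifespan cap (defaulting to one year as documented above) and refuses to issue a leaf that would outlive the issuer, a SHA-256 thumbprint of the DER, and chain verification back to the issuer (time.Until(cert.NotAfter) is all TimeRemaining needs). The CA and its name are constructed test identities; the refusal (rather than truncation) of over-long requests, the 128-bit random serial and the fixed leaf key usages are this example's choices.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Issuer pairs a CA certificate with its key, like the page's SigningCertificate.
type Issuer struct {
	Cert        *x509.Certificate
	Key         crypto.Signer
	MaxLifespan time.Duration // zero means the page's one-year default
}

// NewTestIssuer self-signs a throwaway P-256 CA (a constructed test identity).
func NewTestIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example test CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true, MaxPathLenZero: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, Key: key}, nil
}

// Sign issues a leaf for the CSR. A requested lifespan that is non-positive or
// above the issuer's maximum is refused rather than silently adjusted, and
// validity starts at signing time in UTC.
func (iss *Issuer) Sign(csr *x509.CertificateRequest, requested time.Duration) (*x509.Certificate, error) {
	if !iss.Cert.IsCA || iss.Cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return nil, fmt.Errorf("issuer certificate is not a CA with keyCertSign")
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	limit := iss.MaxLifespan
	if limit <= 0 {
		limit = 365 * 24 * time.Hour
	}
	if requested <= 0 || requested > limit {
		return nil, fmt.Errorf("requested lifespan %v outside (0, %v]", requested, limit)
	}
	now := time.Now().UTC()
	if now.Add(requested).After(iss.Cert.NotAfter) {
		return nil, fmt.Errorf("leaf would outlive the issuer certificate")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now, NotAfter: now.Add(requested),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: a leaf must never be able to issue
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, iss.Cert, csr.PublicKey, iss.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Thumbprint is the hex SHA-256 of the DER certificate, the page's simpler identifier.
func Thumbprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Verify chains the leaf to this issuer for the given host name.
func (iss *Issuer) Verify(leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(iss.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

The two checks before any key is touched (IsCA plus keyCertSign on the issuer, and the CSR signature) are the ones most often skipped in home-grown issuers; the first stops a leaf certificate from being used as a signer, the second stops an attacker from obtaining a certificate for a public key they do not control.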

func (SigningCertificate) Write

func (sig SigningCertificate) Write(path string, enc ...int) (err error)

Write returns an error instance after attempting to write the embedded *x509.Certificate instance in the requested (or implied) encoding scheme as a file at the prescribed path. The default encoding scheme is PEM, and the os.FileMode shall always be 0444.

type Subject

type Subject interface {
	SetEmailAddress(string) *Name
	GetEmailAddress() string

	SetGivenName(string) *Name
	GetGivenName() string

	SetSurname(string) *Name
	GetSurname() string

	SetTitle(string) *Name
	GetTitle() string

	SetInitials(string) *Name
	GetInitials() string

	SetPseudonym(string) *Name
	GetPseudonym() string

	SetGenerationQualifier(string) *Name
	GetGenerationQualifier() string

	SetCommonName(string) *Name
	GetCommonName() string

	SetSerialNumber(string) *Name
	GetSerialNumber() string

	SetCountry(...string) *Name
	GetCountry() []string

	SetOrg(...string) *Name
	GetOrg() []string

	SetOrgUnit(...string) *Name
	GetOrgUnit() []string

	SetLocality(...string) *Name
	GetLocality() []string

	SetProvince(...string) *Name
	GetProvince() []string

	SetStreetAddress(...string) *Name
	GetStreetAddress() []string

	SetPostalCode(...string) *Name
	GetPostalCode() []string

	SetExtraNames(...pkix.AttributeTypeAndValue) *Name
	GetExtraNames() []string
	Marshal() (*pkix.Name, error)
}

Subject provides unified interfaces for constructing a valid instance of pkix.Name suitable for the task of populating a CSR's Subject.

func NewSubject

func NewSubject() Subject

NewSubject produces an empty Subject, backed by a *Name (the package's pkix.Name-based type), ready for population via its Set methods.
