x509util

package
v0.13.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 30, 2019 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// DefaultCertValidity is the minimum validity of an end-entity (not root or intermediate) certificate.
	DefaultCertValidity = 24 * time.Hour

	// DefaultTLSMinVersion default minimum version of TLS.
	DefaultTLSMinVersion = TLSVersion(1.2)
	// DefaultTLSMaxVersion default maximum version of TLS.
	DefaultTLSMaxVersion = TLSVersion(1.2)
	// DefaultTLSRenegotiation default TLS connection renegotiation policy.
	DefaultTLSRenegotiation = false // Never regnegotiate.
	// DefaultTLSCipherSuites specifies default step ciphersuite(s).
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	}
	// ApprovedTLSCipherSuites smallstep approved ciphersuites.
	ApprovedTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	}
)
View Source 
var DefaultIntermediateCertValidity = time.Hour * 24 * 365 * 10

DefaultIntermediateCertValidity is the default validity of a intermediate certificate in the step PKI.

View Source 
var DefaultRootCertValidity = time.Hour * 24 * 365 * 10

DefaultRootCertValidity is the default validity of a root certificate in the step PKI.

Functions

func CheckCertificateRequestSignature added in v0.9.0 

func CheckCertificateRequestSignature(csr *x509.CertificateRequest) error

CheckCertificateRequestSignature verifies that signature is a valid signature over signed from csr's public key.

CheckCertificateRequestSignature reports whether the signature on csr is valid.

func Fingerprint added in v0.9.0 

func Fingerprint(cert *x509.Certificate) string

Fingerprint returns the SHA-256 fingerprint of the certificate.

func GenerateDefaultKeyPair added in v0.8.4 

func GenerateDefaultKeyPair(p Profile) error

GenerateDefaultKeyPair generates a new public/private key pair using the default values and sets them in the given profile.

func LoadCSRFromBytes 

func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)

LoadCSRFromBytes loads a CSR given the ASN.1 DER format.

func ParseCertificate added in v0.9.0 

func ParseCertificate(asn1Data []byte) (*x509.Certificate, error)

ParseCertificate parses a single certificate from the given ASN.1 DER data.

func ParseCertificateRequest added in v0.9.0 

func ParseCertificateRequest(asn1Data []byte) (*x509.CertificateRequest, error)

ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.

func ReadCertPool 

func ReadCertPool(path string) (*x509.CertPool, error)

ReadCertPool loads a certificate pool from disk. *path*: a file, a directory, or a comma-separated list of files.

func SplitSANs added in v0.8.4 

func SplitSANs(sans []string) (dnsNames []string, ips []net.IP, emails []string)

SplitSANs splits a slice of Subject Alternative Names into slices of IP Addresses and DNS Names. If an element is not an IP address, then it is bucketed as a DNS Name.

func ToStepX509Certificate added in v0.9.0 

func ToStepX509Certificate(cert *x509.Certificate) *stepx509.Certificate

ToStepX509Certificate converts a x509.Certificate from the standard library to the step version of the x509.Certificate.

func ToStepX509CertificateRequest added in v0.9.0 

func ToStepX509CertificateRequest(csr *x509.CertificateRequest) *stepx509.CertificateRequest

ToStepX509CertificateRequest converts a x509.CertificateRequest from the standard library to the step version of the x509.CertificateRequest.

func ToX509Certificate added in v0.9.0 

func ToX509Certificate(cert *stepx509.Certificate) *x509.Certificate

ToX509Certificate converts a x509.Certificate from the internal package to the standard version of the x509.Certificate.

func ToX509CertificateRequest added in v0.9.0 

func ToX509CertificateRequest(csr *stepx509.CertificateRequest) *x509.CertificateRequest

ToX509CertificateRequest converts a x509.CertificateRequest from the internal package to the standard version of the x509.CertificateRequest.

Types

type ASN1DN 

type ASN1DN struct {
	Country            string `json:"country,omitempty" step:"country"`
	Organization       string `json:"organization,omitempty" step:"organization"`
	OrganizationalUnit string `json:"organizationalUnit,omitempty" step:"organizationalUnit"`
	Locality           string `json:"locality,omitempty" step:"locality"`
	Province           string `json:"province,omitempty" step:"province"`
	StreetAddress      string `json:"streetAddress,omitempty" step:"streetAddress"`
	CommonName         string `json:"commonName,omitempty" step:"commonName"`
}

ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.

type CipherSuites 

type CipherSuites []string

CipherSuites represents an array of string codes representing the cipher suites.

func (CipherSuites) Validate 

func (c CipherSuites) Validate() error

Validate implements models.Validator and checks that a cipher suite is valid.

func (CipherSuites) Value 

func (c CipherSuites) Value() []uint16

Value returns an []uint16 for the cipher suites.

type Identity 

type Identity struct {
	Crt *x509.Certificate
	Key interface{}
}

Identity contains a public/private x509 certificate/key pair.

func LoadIdentityFromDisk 

func LoadIdentityFromDisk(crtPath, keyPath string, pemOpts ...pemutil.Options) (*Identity, error)

LoadIdentityFromDisk load a public certificate and private key (both in PEM format) from disk.

func NewIdentity 

func NewIdentity(c *x509.Certificate, k interface{}) *Identity

NewIdentity returns a new Identity.

type Intermediate 

type Intermediate struct {
	// contains filtered or unexported fields
}

Intermediate implements the Profile for a intermediate certificate.

func (*Intermediate) CreateCertificate 

func (b *Intermediate) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Intermediate) CreateWriteCertificate 

func (b *Intermediate) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

Create Certificate from profile and write the certificate and private key to disk.

func (*Intermediate) DefaultDuration added in v0.8.4 

func (i *Intermediate) DefaultDuration() time.Duration

DefaultDuration returns the default Intermediate Certificate duration.

func (*Intermediate) GenerateDefaultKeyPair 

func (b *Intermediate) GenerateDefaultKeyPair() error

func (*Intermediate) GenerateKeyPair 

func (b *Intermediate) GenerateKeyPair(kty, crv string, size int) error

func (*Intermediate) Issuer 

func (b *Intermediate) Issuer() *x509.Certificate

func (*Intermediate) SetIssuer 

func (b *Intermediate) SetIssuer(iss *x509.Certificate)

func (*Intermediate) SetIssuerPrivateKey 

func (b *Intermediate) SetIssuerPrivateKey(priv interface{})

func (*Intermediate) SetSubject 

func (b *Intermediate) SetSubject(sub *x509.Certificate)

func (*Intermediate) SetSubjectPrivateKey 

func (b *Intermediate) SetSubjectPrivateKey(priv interface{})

func (*Intermediate) SetSubjectPublicKey 

func (b *Intermediate) SetSubjectPublicKey(pub interface{})

func (*Intermediate) Subject 

func (b *Intermediate) Subject() *x509.Certificate

func (*Intermediate) SubjectPrivateKey 

func (b *Intermediate) SubjectPrivateKey() interface{}

func (*Intermediate) SubjectPublicKey 

func (b *Intermediate) SubjectPublicKey() interface{}

type Leaf 

type Leaf struct {
	// contains filtered or unexported fields
}

Leaf implements the Profile for a leaf certificate.

func (*Leaf) CreateCertificate 

func (b *Leaf) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Leaf) CreateWriteCertificate 

func (b *Leaf) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

Create Certificate from profile and write the certificate and private key to disk.

func (*Leaf) DefaultDuration added in v0.8.4 

func (b *Leaf) DefaultDuration() time.Duration

func (*Leaf) GenerateDefaultKeyPair 

func (b *Leaf) GenerateDefaultKeyPair() error

func (*Leaf) GenerateKeyPair 

func (b *Leaf) GenerateKeyPair(kty, crv string, size int) error

func (*Leaf) Issuer 

func (b *Leaf) Issuer() *x509.Certificate

func (*Leaf) SetIssuer 

func (b *Leaf) SetIssuer(iss *x509.Certificate)

func (*Leaf) SetIssuerPrivateKey 

func (b *Leaf) SetIssuerPrivateKey(priv interface{})

func (*Leaf) SetSubject 

func (b *Leaf) SetSubject(sub *x509.Certificate)

func (*Leaf) SetSubjectPrivateKey 

func (b *Leaf) SetSubjectPrivateKey(priv interface{})

func (*Leaf) SetSubjectPublicKey 

func (b *Leaf) SetSubjectPublicKey(pub interface{})

func (*Leaf) Subject 

func (b *Leaf) Subject() *x509.Certificate

func (*Leaf) SubjectPrivateKey 

func (b *Leaf) SubjectPrivateKey() interface{}

func (*Leaf) SubjectPublicKey 

func (b *Leaf) SubjectPublicKey() interface{}

type Profile 

type Profile interface {
	Issuer() *x509.Certificate
	Subject() *x509.Certificate
	SubjectPrivateKey() interface{}
	SubjectPublicKey() interface{}
	SetIssuer(*x509.Certificate)
	SetSubject(*x509.Certificate)
	SetSubjectPrivateKey(interface{})
	SetSubjectPublicKey(interface{})
	SetIssuerPrivateKey(interface{})
	CreateCertificate() ([]byte, error)
	GenerateKeyPair(string, string, int) error
	DefaultDuration() time.Duration
	CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
}

Profile is an interface that certificate profiles (e.g. leaf, intermediate, root) must implement.

func NewIntermediateProfile 

func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

NewIntermediateProfile returns a new intermediate x509 Certificate profile.

func NewLeafProfile 

func NewLeafProfile(cn string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

NewLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.

func NewLeafProfileWithCSR 

func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

NewLeafProfileWithCSR returns a new leaf x509 Certificate Profile with Subject Certificate fields populated directly from the CSR. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the CSR.

func NewLeafProfileWithTemplate 

func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

NewLeafProfileWithTemplate returns a new leaf x509 Certificate Profile with Subject Certificate set to the value of the template argument. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the Subject Certificate parameter.

func NewRootProfile 

func NewRootProfile(name string, withOps ...WithOption) (Profile, error)

NewRootProfile returns a new root x509 Certificate profile.

func NewRootProfileWithTemplate 

func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (Profile, error)

NewRootProfileWithTemplate returns a new root x509 Certificate profile.

func NewSelfSignedLeafProfile added in v0.11.0 

func NewSelfSignedLeafProfile(cn string, withOps ...WithOption) (Profile, error)

NewSelfSignedLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.

type Root 

type Root struct {
	// contains filtered or unexported fields
}

Root implements the Profile for a root certificate.

func (*Root) CreateCertificate 

func (b *Root) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Root) CreateWriteCertificate 

func (b *Root) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

Create Certificate from profile and write the certificate and private key to disk.

func (*Root) DefaultDuration added in v0.8.4 

func (r *Root) DefaultDuration() time.Duration

DefaultDuration returns the default Root Certificate duration.

func (*Root) GenerateDefaultKeyPair 

func (b *Root) GenerateDefaultKeyPair() error

func (*Root) GenerateKeyPair 

func (b *Root) GenerateKeyPair(kty, crv string, size int) error

func (*Root) Issuer 

func (b *Root) Issuer() *x509.Certificate

func (*Root) SetIssuer 

func (b *Root) SetIssuer(iss *x509.Certificate)

func (*Root) SetIssuerPrivateKey 

func (b *Root) SetIssuerPrivateKey(priv interface{})

func (*Root) SetSubject 

func (b *Root) SetSubject(sub *x509.Certificate)

func (*Root) SetSubjectPrivateKey 

func (b *Root) SetSubjectPrivateKey(priv interface{})

func (*Root) SetSubjectPublicKey 

func (b *Root) SetSubjectPublicKey(pub interface{})

func (*Root) Subject 

func (b *Root) Subject() *x509.Certificate

func (*Root) SubjectPrivateKey 

func (b *Root) SubjectPrivateKey() interface{}

func (*Root) SubjectPublicKey 

func (b *Root) SubjectPublicKey() interface{}

type TLSVersion 

type TLSVersion float64

TLSVersion represents a TLS version number.

func (TLSVersion) String 

func (v TLSVersion) String() string

String returns the Go constant for the TLSVersion.

func (TLSVersion) Validate 

func (v TLSVersion) Validate() error

Validate implements models.Validator and checks that a cipher suite is valid.

func (TLSVersion) Value 

func (v TLSVersion) Value() uint16

Value returns the Go constant for the TLSVersion.

type WithOption 

type WithOption func(Profile) error

WithOption is a modifier function on base.

func GenerateKeyPair 

func GenerateKeyPair(kty, crv string, size int) WithOption

GenerateKeyPair returns a Profile modifier that generates a public/private key pair for a profile.

func WithDNSNames added in v0.8.4 

func WithDNSNames(dns []string) WithOption

WithDNSNames returns a Profile modifier which sets the DNS Names that will be bound to the subject alternative name extension of the Certificate.

func WithEmailAddresses added in v0.11.0 

func WithEmailAddresses(emails []string) WithOption

WithEmailAddresses returns a Profile modifier which sets the Email Addresses that will be bound to the subject alternative name extension of the Certificate.

func WithHosts 

func WithHosts(hosts string) WithOption

WithHosts returns a Profile modifier which sets the DNS Names and IP Addresses that will be bound to the subject Certificate.

`hosts` should be a comma separated string of DNS Names and IP Addresses. e.g. `127.0.0.1,internal.smallstep.com,blog.smallstep.com,1.1.1.1`.

func WithIPAddresses added in v0.8.4 

func WithIPAddresses(ips []net.IP) WithOption

WithIPAddresses returns a Profile modifier which sets the IP Addresses that will be bound to the subject alternative name extension of the Certificate.

func WithIssuer 

func WithIssuer(iss pkix.Name) WithOption

WithIssuer returns a Profile modifier that sets the Subject for a x509 Certificate.

func WithNotBeforeAfterDuration added in v0.8.4 

func WithNotBeforeAfterDuration(nb, na time.Time, d time.Duration) WithOption

WithNotBeforeAfterDuration returns a Profile modifier that sets the `NotBefore` and `NotAfter` attributes of the subject x509 Certificate.

func WithPublicKey 

func WithPublicKey(pub interface{}) WithOption

WithPublicKey returns a Profile modifier that sets the public key for a profile.

func WithSubject 

func WithSubject(sub pkix.Name) WithOption

WithSubject returns a Profile modifier that sets the Subject for a x509 Certificate.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.