Documentation
¶
Overview ¶
Package scep provides common functionality for encoding and decoding Simple Certificate Enrolment Protocol pki messages as defined by https://tools.ietf.org/html/draft-gutmann-scep-02
Index ¶
- Constants
- func CACerts(data []byte) ([]*x509.Certificate, error)
- func DegenerateCertificates(certs []*x509.Certificate) ([]byte, error)
- type CSRReqMessage
- type CertRepMessage
- type CertsSelector
- type CertsSelectorFunc
- type FailInfo
- type MessageType
- type Option
- type PKIMessage
- func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key *rsa.PrivateKey) error
- func (msg *PKIMessage) Fail(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, info FailInfo) (*PKIMessage, error)
- func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, crt *x509.Certificate) (*PKIMessage, error)
- type PKIStatus
- type RecipientNonce
- type SenderNonce
- type TransactionID
Constants ¶
const ( CertRep MessageType = "3" RenewalReq = "17" UpdateReq = "18" PKCSReq = "19" CertPoll = "20" GetCert = "21" GetCRL = "22" )
Undefined message types are treated as an error.
const ( SUCCESS PKIStatus = "0" FAILURE = "2" PENDING = "3" )
Undefined pkiStatus attributes are treated as an error
const ( BadAlg FailInfo = "0" BadMessageCheck = "1" BadRequest = "2" BadTime = "3" BadCertID = "4" )
Variables ¶
This section is empty.
Functions ¶
func CACerts ¶
func CACerts(data []byte) ([]*x509.Certificate, error)
CACerts extract CA Certificate or chain from pkcs7 degenerate signed data
func DegenerateCertificates ¶
func DegenerateCertificates(certs []*x509.Certificate) ([]byte, error)
DegenerateCertificates creates degenerate certificates pkcs#7 type
Types ¶
type CSRReqMessage ¶
type CSRReqMessage struct {
RawDecrypted []byte
// PKCS#10 Certificate request inside the envelope
CSR *x509.CertificateRequest
ChallengePassword string
}
CSRReqMessage can be of the type PKCSReq/RenewalReq/UpdateReq and includes a PKCS#10 CSR request. The content of this message is protected by the recipient public key(example CA)
type CertRepMessage ¶
type CertRepMessage struct {
PKIStatus
RecipientNonce
FailInfo
Certificate *x509.Certificate
// contains filtered or unexported fields
}
CertRepMessage is a type of PKIMessage
type CertsSelector ¶
type CertsSelector interface {
SelectCerts([]*x509.Certificate) []*x509.Certificate
}
A CertsSelector filters certificates.
type CertsSelectorFunc ¶
type CertsSelectorFunc func([]*x509.Certificate) []*x509.Certificate
CertsSelectorFunc is a type of function that filters certificates.
func EnciphermentCertsSelector ¶
func EnciphermentCertsSelector() CertsSelectorFunc
A EnciphermentCertsSelector returns a CertsSelectorFunc that selects certificates eligible for key encipherment. This certsSelector can be used to filter PKCSReq recipients.
func FingerprintCertsSelector ¶ added in v2.1.0
func FingerprintCertsSelector(hashType crypto.Hash, hash []byte) CertsSelectorFunc
FingerprintCertsSelector selects a certificate that matches hash using hashType against the digest of the raw certificate DER bytes
func NopCertsSelector ¶
func NopCertsSelector() CertsSelectorFunc
NopCertsSelector returns a CertsSelectorFunc that does not do anything.
func (CertsSelectorFunc) SelectCerts ¶
func (f CertsSelectorFunc) SelectCerts(certs []*x509.Certificate) []*x509.Certificate
type FailInfo ¶
type FailInfo string
FailInfo is a SCEP failInfo attribute
The FailInfo attribute MUST contain one of the following failure reasons:
type MessageType ¶
type MessageType string
The MessageType attribute specifies the type of operation performed by the transaction. This attribute MUST be included in all PKI messages.
The following message types are defined:
func (MessageType) String ¶
func (msg MessageType) String() string
type Option ¶
type Option func(*config)
Option specifies custom configuration for SCEP.
func WithCACerts ¶
func WithCACerts(caCerts []*x509.Certificate) Option
WithCACerts adds option CA certificates to the SCEP operations. Note: This changes the verification behavior of PKCS #7 messages. If this option is specified, only caCerts will be used as expected signers.
func WithCertsSelector ¶
func WithCertsSelector(selector CertsSelector) Option
WithCertsSelector adds the certificates certsSelector option to the SCEP operations. This option is effective when used with NewCSRRequest function. In this case, only certificates selected with the certsSelector will be used as the PKCS #7 message recipients.
func WithLogger ¶
WithLogger adds option logging to the SCEP operations.
type PKIMessage ¶
type PKIMessage struct {
TransactionID
MessageType
SenderNonce
*CertRepMessage
*CSRReqMessage
// DER Encoded PKIMessage
Raw []byte
// Used to encrypt message
Recipients []*x509.Certificate
// Signer info
SignerKey *rsa.PrivateKey
SignerCert *x509.Certificate
// contains filtered or unexported fields
}
PKIMessage defines the possible SCEP message types
func NewCSRRequest ¶
func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage, opts ...Option) (*PKIMessage, error)
NewCSRRequest creates a scep PKI PKCSReq/UpdateReq message
func ParsePKIMessage ¶
func ParsePKIMessage(data []byte, opts ...Option) (*PKIMessage, error)
ParsePKIMessage unmarshals a PKCS#7 signed data into a PKI message struct
func (*PKIMessage) DecryptPKIEnvelope ¶
func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key *rsa.PrivateKey) error
DecryptPKIEnvelope decrypts the pkcs envelopedData inside the SCEP PKIMessage
func (*PKIMessage) Fail ¶
func (msg *PKIMessage) Fail(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, info FailInfo) (*PKIMessage, error)
func (*PKIMessage) Success ¶
func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, crt *x509.Certificate) (*PKIMessage, error)
Success returns a new PKIMessage with CertRep data using an already-issued certificate
type PKIStatus ¶
type PKIStatus string
PKIStatus is a SCEP pkiStatus attribute which holds transaction status information. All SCEP responses MUST include a pkiStatus.
The following pkiStatuses are defined:
type RecipientNonce ¶
type RecipientNonce []byte
The RecipientNonce MUST be copied from the SenderNonce and included in the reply.
type SenderNonce ¶
type SenderNonce []byte
SenderNonce is a random 16 byte number. A sender must include the senderNonce in each transaction to a recipient.
type TransactionID ¶
type TransactionID string
The TransactionID is a text string generated by the client when starting a transaction. The client MUST generate a unique string as the transaction identifier, which MUST be used for all PKI messages exchanged for a given enrolment, encoded as a PrintableString.
Source Files