cert

package
Published: Jan 12, 2021 License: GPL-3.0 Imports: 27 Imported by: 12

Documentation

Index

Constants

This section is empty.

Variables

// ErrInvalidCertificate indicates a wrong certificate format: the PEM block could not be decoded as a certificate.
var ErrInvalidCertificate = core.NewError("failed to decode PEM block containing certificate", false)

ErrInvalidCertificate indicates a wrong certificate format.

// ErrRsaPubKeyConversion indicates a public key could not be converted to an RSA public key.
var ErrRsaPubKeyConversion = core.NewError("Unable to convert public key to RSA public key", false)

ErrRsaPubKeyConversion indicates a public key could not be converted to an RSA public key

// ErrSANNotFound indicates a subject alternative name was not found.
// Note that, unlike the other errors in this package, it is a plain errors.New value rather than a core.NewError.
var ErrSANNotFound = errors.New("subject alternative name not found")
// ErrWrongPrivateKey indicates a wrong private key format: the PEM block could not be decoded as a private key.
var ErrWrongPrivateKey = core.NewError("failed to decode PEM block containing private key", false)

ErrWrongPrivateKey indicates a wrong private key format

// ErrWrongPublicKey indicates a wrong public key format: the PEM block could not be decoded as a public key,
// or the key is of the wrong type.
var ErrWrongPublicKey = core.NewError("failed to decode PEM block containing public key, key is of the wrong type", false)

ErrWrongPublicKey indicates a wrong public key format

// OIDNuts is the base object identifier (an arc under the IANA private enterprise numbers, 1.3.6.1.4.1)
// from which the Nuts-specific OIDs OIDNutsDomain and OIDNutsVendor are derived.
var OIDNuts = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 54851}
// OIDNutsDomain identifies the Nuts domain extension (sub-identifier 3 under the OIDNuts arc).
var OIDNutsDomain = asn12.OIDAppend(OIDNuts, 3)
// OIDNutsVendor identifies the Nuts vendor extension (sub-identifier 4 under the OIDNuts arc).
var OIDNutsVendor = asn12.OIDAppend(OIDNuts, 4)
// OIDSubjectAltName is the OID of the standard X.509 Subject Alternative Name extension (id-ce-subjectAltName, 2.5.29.17).
var OIDSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

Functions

func CSRFromVendorCA added in v0.16.0

func CSRFromVendorCA(ca *x509.Certificate, existingQualifier string, qualifierReplacement string, publicKey interface{}) (*x509.CertificateRequest, error)

CSRFromVendorCA generates a CSR based upon the VendorCA. It copies any extensions needed as well as the O and C. The common name is appended with the qualifier.

func CertificateToJWK added in v0.14.0

func CertificateToJWK(cert *x509.Certificate) (jwk.Key, error)

CertificateToJWK constructs a new JWK based on the given X.509 certificate.

func CertificateToPEM added in v0.15.0

func CertificateToPEM(certificate *x509.Certificate) string

func CopySANs added in v0.15.0

func CopySANs(certificate *x509.Certificate) []pkix.Extension

CopySANs copies the Subject Alternative Name extensions from the certificate and returns them as a new slice.

func DomainFromCertificate added in v0.16.0

func DomainFromCertificate(certificate *x509.Certificate) (string, error)

DomainFromCertificate finds the Nuts domain in the certificate and returns just its value, without the OID.

func GetActiveCertificates

func GetActiveCertificates(jwks []interface{}, instant time.Time) []*x509.Certificate

GetActiveCertificates converts the given JWKs to X509 certificates and returns them sorted, longest valid certificate first. Expired certificates aren't returned.

func GetCertificate

func GetCertificate(jwkAsMap interface{}) *x509.Certificate

GetCertificate converts the given JWK to a X.509 certificate chain, returning the topmost certificate. If the JWK does not contain any certificates, nil is returned.

func GetX509ChainFromHeaders added in v0.14.0

func GetX509ChainFromHeaders(headers jwkHeaderReader) ([]*x509.Certificate, error)

GetX509ChainFromHeaders tries to retrieve the X.509 certificate chain ("x5c") from the JWK/JWS and parse it. If it doesn't contain the "x5c" header, nil is returned. If the header is present but it couldn't be parsed, an error is returned.

func JwkToMap added in v0.14.0

func JwkToMap(key jwk.Key) (map[string]interface{}, error)

JwkToMap transforms a JWK key to a map. It can be used for JSON serialization.

func MapToJwk added in v0.14.0

func MapToJwk(jwkAsMap map[string]interface{}) (jwk.Key, error)

MapToJwk transforms a Jwk in map structure to a Jwk Key. The map structure is a typical result from json deserialization.

func MapToX509CertChain added in v0.14.0

func MapToX509CertChain(jwkAsMap map[string]interface{}) ([]*x509.Certificate, error)

func MapsToJwkSet added in v0.14.0

func MapsToJwkSet(maps []map[string]interface{}) (*jwk.Set, error)

MapsToJwkSet transforms JWKs in map structures to a JWK set, just like MapToJwk.

func MarshalNutsDomain

func MarshalNutsDomain(domain string) ([]byte, error)

func MarshalOtherSubjectAltName

func MarshalOtherSubjectAltName(valueType asn1.ObjectIdentifier, value string) ([]byte, error)

func MarshalX509CertChain added in v0.14.0

func MarshalX509CertChain(chain []*x509.Certificate) []string

func PemToJwk added in v0.14.0

func PemToJwk(pub []byte) (jwk.Key, error)

PemToJwk transforms a PEM encoded public key to a JWK.

func PemToPublicKey added in v0.14.0

func PemToPublicKey(pub []byte) (crypto.PublicKey, error)

PemToPublicKey converts a PEM encoded public key to a crypto.PublicKey

func PemToSigner added in v0.16.0

func PemToSigner(bytes []byte) (signer crypto.Signer, err error)

PemToSigner converts a PEM encoded private key to a Signer interface. It supports EC, RSA and PKIX PEM encoded strings.

func PemToX509 added in v0.15.0

func PemToX509(rawData []byte) (*x509.Certificate, error)

PemToX509 decodes PEM data as bytes to a *x509.Certificate

func PublicKeyToPem added in v0.14.0

func PublicKeyToPem(pub crypto.PublicKey) (string, error)

PublicKeyToPem converts a crypto.PublicKey to PEM encoding.

func SerialNumber added in v0.14.0

func SerialNumber() (*big.Int, error)

SerialNumber generates a random serial number. Taken from crypto/tls/generate_cert.go.

func UnmarshalNutsDomain

func UnmarshalNutsDomain(data []byte) (string, error)

UnmarshalNutsDomain tries to unmarshal the ASN.1 encoded Nuts Domain extension in a X.509 certificate. It returns the value as a string, or an error if one occurs.

func UnmarshalOtherSubjectAltName

func UnmarshalOtherSubjectAltName(valueType asn1.ObjectIdentifier, data []byte) (string, error)

UnmarshalOtherSubjectAltName tries to unmarshal a SubjectAlternativeName otherName entry (marshalled by MarshalOtherSubjectAltName) with the given OID type (valueType). It returns the value as a string. If an otherName with the given type wasn't found, an empty string is returned. If an error occurs during unmarshalling, it is returned.

func ValidateCertificate added in v0.15.0

func ValidateCertificate(certificate *x509.Certificate, validators ...CertificateValidator) error

func ValidateJWK added in v0.14.0

func ValidateJWK(maps ...interface{}) error

ValidateJWK tests whether each of the given maps is a parsable representation of a JWK. If not, an error is returned. If nil is returned, all supplied maps are parsable as JWK.

func VendorCertificateRequest added in v0.15.0

func VendorCertificateRequest(vendorID core.PartyID, vendorName string, qualifier string, domain string) (*x509.CertificateRequest, error)

VendorCertificateRequest creates a CertificateRequest template for issuing a vendor certificate.

vendorID:      URN-OID-encoded ID of the vendor
vendorName:    Name of the vendor
qualifier:     (optional) Qualifier for the certificate, which will be postfixed to Subject.CommonName
domain:        Domain the vendor operates in, e.g. "healthcare"

func VendorIDFromCertificate added in v0.16.0

func VendorIDFromCertificate(certificate *x509.Certificate) (core.PartyID, error)

VendorIDFromCertificate returns the Nuts Vendor ID from a certificate.

Types

type CertificateValidator added in v0.15.0

type CertificateValidator func(*x509.Certificate) error

func IsCA added in v0.15.0

func IsCA() CertificateValidator

IsCA validator tests whether a certificate is a CA certificate.

func MeantForSigning added in v0.15.0

func MeantForSigning() CertificateValidator

MeantForSigning validates whether the certificate is meant for signing (key usage includes digitalSignature and/or contentCommitment).

func ValidAt added in v0.15.0

func ValidAt(moment time.Time) CertificateValidator

ValidAt validator tests whether a certificate's validity spans the given moment in time.

func ValidBetween added in v0.15.0

func ValidBetween(startInclusive time.Time, endInclusive time.Time) CertificateValidator

ValidBetween validator tests whether a certificate's validity spans the given date/time window (bounds are inclusive).

type TrustStore added in v0.14.0

type TrustStore interface {
	Verifier
	// AddCertificate adds the given certificate to the trust store.
	// NOTE(review): certificates added here presumably become trust anchors consulted by Verify and
	// VerifiedChain, so callers should only add certificates they have validated — confirm with the implementation.
	AddCertificate(certificate *x509.Certificate) error
	// Roots returns all active root certificates, both as a slice and as a CertPool.
	Roots() ([]*x509.Certificate, *x509.CertPool)
	// Intermediates returns all active intermediate certificates, both as a slice and as a CertPool.
	Intermediates() ([]*x509.Certificate, *x509.CertPool)
	// GetCertificates returns all certificates signed by the given signer chains and active at the given time;
	// the bool selects whether only CA certificates are returned.
	// Each returned chain is in reverse order, the last element being the root. This is also the order in which
	// the certificates in the chains parameter are expected.
	GetCertificates([][]*x509.Certificate, time.Time, bool) [][]*x509.Certificate
}

func NewTrustStore added in v0.14.0

func NewTrustStore(file string) (TrustStore, error)

type Verifier added in v0.14.0

type Verifier interface {
	// Verify verifies the given certificate. The validity of the certificate is checked against the given
	// moment in time. For the ExtKeyUsage, x509.ExtKeyUsageAny can be used to match any; callers that know the
	// intended usage should pass it explicitly, since ExtKeyUsageAny accepts a certificate issued for any purpose.
	Verify(*x509.Certificate, time.Time, []x509.ExtKeyUsage) error
	// VerifiedChain verifies the certificate against the trust store and returns the chain(s) of trust as result.
	// Multiple chains can apply, but this should only happen when the VendorCA was renewed (overlapping certs).
	// For the ExtKeyUsage, x509.ExtKeyUsageAny can be used to match any.
	VerifiedChain(*x509.Certificate, time.Time, []x509.ExtKeyUsage) ([][]*x509.Certificate, error)
}
