x509

package
v0.4.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 18, 2024 License: MPL-2.0 Imports: 20 Imported by: 19

Documentation

Overview

Package x509 provides wrapper around standard crypto/* packages.

Index

Constants

View Source 
const (
	PEMTypeRSAPrivate     = "RSA PRIVATE KEY"
	PEMTypeRSAPublic      = "PUBLIC KEY"
	PEMTypeECPrivate      = "EC PRIVATE KEY"
	PEMTypeECPublic       = "EC PUBLIC KEY"
	PEMTypeEd25519Private = "ED25519 PRIVATE KEY"
	PEMTypeEd25519Public  = "ED25519 PUBLIC KEY"

	PEMTypeCertificate        = "CERTIFICATE"
	PEMTypeCertificateRequest = "CERTIFICATE REQUEST"
)

PEM Block Header Types.

View Source 
const DefaultCertificateValidityDuration = 24 * time.Hour

DefaultCertificateValidityDuration is a default certificate lifetime.

View Source 
const Redacted = "******"

Redacted is a special string that is used to indicate that a private key should be YAML-marshaled without the base64 encoding.

If the value of a private key is exactly this string (in bytes), it will be marshaled as-is into YAML, without the base64 encoding.

Variables

This section is empty.

Functions

func Hash 

func Hash(crt *x509.Certificate) string

Hash calculates the SHA-256 hash of the Subject Public Key Information (SPKI) object in an x509 certificate (in DER encoding). It returns the full hash as a hex encoded string (suitable for passing to Set.Allow). See https://github.com/kubernetes/kubernetes/blob/f557e0f7e3ee9089769ed3f03187fdd4acbb9ac1/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go

func MatchSPKIFingerprints 

func MatchSPKIFingerprints(fingerprints ...Fingerprint) func(tls.ConnectionState) error

MatchSPKIFingerprints can be injected as tls.Config.VerifyConnection handler to deny connection if peer certificates don't match the fingerprints.

func NewECDSACSRAndIdentity 

func NewECDSACSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)

NewECDSACSRAndIdentity generates and PEM encoded certificate and key, along with a CSR for the generated key.

func NewEd25519CSRAndIdentity 

func NewEd25519CSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)

NewEd25519CSRAndIdentity generates and PEM encoded certificate and key, along with a CSR for the generated key.

func NewRSACSRAndIdentity 

func NewRSACSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)

NewRSACSRAndIdentity generates and PEM encoded certificate and key, along with a CSR for the generated key.

func NewSerialNumber 

func NewSerialNumber() (*big.Int, error)

NewSerialNumber generates a random serial number for an X.509 certificate.

Types

type Certificate 

type Certificate struct {
	X509Certificate    *x509.Certificate
	X509CertificatePEM []byte
}

Certificate represents an X.509 certificate.

func NewCertificateFromCSR 

func NewCertificateFromCSR(ca *x509.Certificate, key interface{}, csr *x509.CertificateRequest, setters ...Option) (*Certificate, error)

NewCertificateFromCSR creates and signs X.509 certificate using the provided CSR.

func NewCertificateFromCSRBytes 

func NewCertificateFromCSRBytes(ca, key, csr []byte, setters ...Option) (*Certificate, error)

NewCertificateFromCSRBytes creates a signed certificate using the provided certificate, key, and CSR.

type CertificateAuthority 

type CertificateAuthority struct {
	Crt    *x509.Certificate
	CrtPEM []byte
	Key    interface{}
	KeyPEM []byte
}

CertificateAuthority represents a CA.

func ECDSACertificateAuthority 

func ECDSACertificateAuthority(template *x509.Certificate) (*CertificateAuthority, error)

ECDSACertificateAuthority creates an ECDSA CA.

func Ed25519CertificateAuthority 

func Ed25519CertificateAuthority(template *x509.Certificate) (*CertificateAuthority, error)

Ed25519CertificateAuthority creates an Ed25519 CA.

func NewCertificateAuthorityFromCertificateAndKey 

func NewCertificateAuthorityFromCertificateAndKey(p *PEMEncodedCertificateAndKey) (*CertificateAuthority, error)

NewCertificateAuthorityFromCertificateAndKey builds CertificateAuthority from PEMEncodedCertificateAndKey.

func NewSelfSignedCertificateAuthority 

func NewSelfSignedCertificateAuthority(setters ...Option) (*CertificateAuthority, error)

NewSelfSignedCertificateAuthority creates a self-signed CA configured for server and client authentication.

func RSACertificateAuthority 

func RSACertificateAuthority(template *x509.Certificate, opts *Options) (*CertificateAuthority, error)

RSACertificateAuthority creates an RSA CA.

type CertificateSigningRequest 

type CertificateSigningRequest struct {
	X509CertificateRequest    *x509.CertificateRequest
	X509CertificateRequestPEM []byte
}

CertificateSigningRequest represents a CSR.

func NewCertificateSigningRequest 

func NewCertificateSigningRequest(key interface{}, setters ...Option) (*CertificateSigningRequest, error)

NewCertificateSigningRequest creates a CSR. If the IPAddresses or DNSNames options are not specified, the CSR will be generated with the default values set in NewDefaultOptions.

type ECDSAKey 

type ECDSAKey struct {
	KeyPEM       []byte
	PublicKeyPEM []byte
	// contains filtered or unexported fields
}

ECDSAKey represents an ECDSA key.

func NewECDSAKey 

func NewECDSAKey() (*ECDSAKey, error)

NewECDSAKey generates an ECDSA key pair.

func (*ECDSAKey) GetPrivateKeyPEM 

func (k *ECDSAKey) GetPrivateKeyPEM() []byte

GetPrivateKeyPEM implements Key interface.

func (*ECDSAKey) GetPublicKeyPEM 

func (k *ECDSAKey) GetPublicKeyPEM() []byte

GetPublicKeyPEM implements Key interface.

type Ed25519Key 

type Ed25519Key struct {
	PublicKey     ed25519.PublicKey
	PrivateKey    ed25519.PrivateKey
	PublicKeyPEM  []byte
	PrivateKeyPEM []byte
}

Ed25519Key represents an Ed25519 key.

func NewEd25519Key 

func NewEd25519Key() (*Ed25519Key, error)

NewEd25519Key generates an Ed25519 key pair.

func (*Ed25519Key) GetPrivateKeyPEM 

func (k *Ed25519Key) GetPrivateKeyPEM() []byte

GetPrivateKeyPEM implements Key interface.

func (*Ed25519Key) GetPublicKeyPEM 

func (k *Ed25519Key) GetPublicKeyPEM() []byte

GetPublicKeyPEM implements Key interface.

type Fingerprint 

type Fingerprint []byte

Fingerprint represents SPKI certificate fingerprint.

func ParseFingerprint 

func ParseFingerprint(s string) (Fingerprint, error)

ParseFingerprint parses string representation of the fingerprint.

func SPKIFingerprint 

func SPKIFingerprint(cert *x509.Certificate) Fingerprint

SPKIFingerprint computes SPKI certificate fingerprint.

func SPKIFingerprintFromDER 

func SPKIFingerprintFromDER(certDER []byte) (Fingerprint, error)

SPKIFingerprintFromDER computes SPKI certificate fingerprint from ASN.1 DER representation of the x509 certificate.

func SPKIFingerprintFromPEM 

func SPKIFingerprintFromPEM(certPEM []byte) (Fingerprint, error)

SPKIFingerprintFromPEM computes SPKI certificate fingerprint from PEM representation of the x509 certificate.

func (Fingerprint) Equal 

func (f Fingerprint) Equal(other Fingerprint) bool

Equal checks is Fingerprints match.

func (Fingerprint) String 

func (f Fingerprint) String() string

type Key 

type Key interface {
	GetPrivateKeyPEM() []byte
	GetPublicKeyPEM() []byte
}

Key is a common interface implemented by RSAKey, ECDSAKey and Ed25519Key.

type KeyPair 

type KeyPair struct {
	*tls.Certificate

	CrtPEM []byte
	KeyPEM []byte
}

KeyPair represents a certificate and key pair.

func NewKeyPair 

func NewKeyPair(ca *CertificateAuthority, setters ...Option) (*KeyPair, error)

NewKeyPair generates a certificate signed by the provided CA, and a private key. The certifcate and private key are then used to create a tls.X509KeyPair.

type Option 

type Option func(*Options)

Option is the functional option func.

func Bits 

func Bits(o int) Option

Bits sets the bit size of the RSA key pair.

func CommonName 

func CommonName(o string) Option

CommonName sets the common name of the certificate.

func DNSNames 

func DNSNames(o []string) Option

DNSNames sets the value for the DNS Names in Subject Alternate Name of the certificate.

func ECDSA 

func ECDSA(o bool) Option

ECDSA sets a flag for indicating that the requested operation should be performed under the context of ECDSA instead of the default Ed25519.

func ECDSASHA512 

func ECDSASHA512(o bool) Option

ECDSASHA512 sets a flag for indicating that the requested operation should be performed under the context of ECDSA with SHA512 instead of the default Ed25519.

Note: this is only used for compatibility with previous version of the library, new code should always use ECDSA(true).

func ExtKeyUsage 

func ExtKeyUsage(o []x509.ExtKeyUsage) Option

ExtKeyUsage sets the ExtKeyUsage* constants.

func IPAddresses 

func IPAddresses(o []net.IP) Option

IPAddresses sets the value for the IP addresses in Subject Alternate Name of the certificate.

func KeyUsage 

func KeyUsage(o x509.KeyUsage) Option

KeyUsage sets the bitmap of the KeyUsage* constants.

func NotAfter 

func NotAfter(o time.Time) Option

NotAfter sets the validity bound describing when a certificate expires.

func NotBefore 

func NotBefore(o time.Time) Option

NotBefore sets the validity bound describing when a certificate becomes valid.

func Organization 

func Organization(o ...string) Option

Organization sets the subject organizations of the certificate.

func OverrideSubject 

func OverrideSubject(f func(*pkix.Name)) Option

OverrideSubject sets the option to override fields in the certificate subject when signing a CSR.

func RSA 

func RSA(o bool) Option

RSA sets a flag for indicating that the requested operation should be performed under the context of RSA-SHA512 instead of the default Ed25519.

func SignatureAlgorithm 

func SignatureAlgorithm(o x509.SignatureAlgorithm) Option

SignatureAlgorithm sets the hash algorithm used to sign the SSL certificate.

type Options 

type Options struct {
	CommonName         string
	Organizations      []string
	SignatureAlgorithm x509.SignatureAlgorithm
	IPAddresses        []net.IP
	DNSNames           []string
	Bits               int
	NotAfter           time.Time
	NotBefore          time.Time
	KeyUsage           x509.KeyUsage
	ExtKeyUsage        []x509.ExtKeyUsage

	// Used with CSR signing process to override fields in the certificate subject.
	OverrideSubject func(*pkix.Name)
}

Options is the functional options struct.

func NewDefaultOptions 

func NewDefaultOptions(setters ...Option) *Options

NewDefaultOptions initializes the Options struct with default values.

type PEMEncodedCertificate added in v0.4.3 

type PEMEncodedCertificate struct {
	Crt []byte `json:"Crt"`
}

PEMEncodedCertificate represents a PEM encoded certificate.

func (*PEMEncodedCertificate) DeepCopy added in v0.4.3 

func (p *PEMEncodedCertificate) DeepCopy() *PEMEncodedCertificate

DeepCopy implements DeepCopy interface.

func (*PEMEncodedCertificate) DeepCopyInto added in v0.4.3 

func (p *PEMEncodedCertificate) DeepCopyInto(out *PEMEncodedCertificate)

DeepCopyInto implements DeepCopy interface.

func (*PEMEncodedCertificate) GetCert added in v0.4.3 

func (p *PEMEncodedCertificate) GetCert() (*x509.Certificate, error)

GetCert parses PEM-encoded certificate as x509.Certificate.

func (*PEMEncodedCertificate) MarshalYAML added in v0.4.3 

func (p *PEMEncodedCertificate) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface for PEMEncodedCertificate. It is expected that the Crt is a base64 encoded string in the YAML file. This function encodes the byte slices into strings.

func (*PEMEncodedCertificate) UnmarshalYAML added in v0.4.3 

func (p *PEMEncodedCertificate) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedCertificateAndKey. It is expected that the Crt is a base64 encoded string in the YAML file. This function decodes the strings into byte slices.

type PEMEncodedCertificateAndKey 

type PEMEncodedCertificateAndKey struct {
	Crt []byte `json:"Crt"`
	Key []byte `json:"Key"`
}

PEMEncodedCertificateAndKey represents a PEM encoded certificate and private key pair.

func NewCertficateAndKey deprecated 

func NewCertficateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (*PEMEncodedCertificateAndKey, error)

NewCertficateAndKey is the NewCertificateAndKey with a typo in the name.

Deprecated: use NewCertificateAndKey instead.

func NewCertificateAndKey 

func NewCertificateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (*PEMEncodedCertificateAndKey, error)

NewCertificateAndKey generates a new key and certificate signed by a CA.

func NewCertificateAndKeyFromCertificateAuthority 

func NewCertificateAndKeyFromCertificateAuthority(ca *CertificateAuthority) *PEMEncodedCertificateAndKey

NewCertificateAndKeyFromCertificateAuthority initializes and returns a PEMEncodedCertificateAndKey from the CertificateAuthority.

func NewCertificateAndKeyFromFiles 

func NewCertificateAndKeyFromFiles(crt, key string) (*PEMEncodedCertificateAndKey, error)

NewCertificateAndKeyFromFiles initializes and returns a PEMEncodedCertificateAndKey from the path to a crt and key.

func NewCertificateAndKeyFromKeyPair 

func NewCertificateAndKeyFromKeyPair(keyPair *KeyPair) *PEMEncodedCertificateAndKey

NewCertificateAndKeyFromKeyPair initializes and returns a PEMEncodedCertificateAndKey from the KeyPair.

func (*PEMEncodedCertificateAndKey) DeepCopy 

func (p *PEMEncodedCertificateAndKey) DeepCopy() *PEMEncodedCertificateAndKey

DeepCopy implements DeepCopy interface.

func (*PEMEncodedCertificateAndKey) DeepCopyInto 

func (p *PEMEncodedCertificateAndKey) DeepCopyInto(out *PEMEncodedCertificateAndKey)

DeepCopyInto implements DeepCopy interface.

func (*PEMEncodedCertificateAndKey) GetCert 

func (p *PEMEncodedCertificateAndKey) GetCert() (*x509.Certificate, error)

GetCert parses PEM-encoded certificate as x509.Certificate.

func (*PEMEncodedCertificateAndKey) GetECDSAKey 

func (p *PEMEncodedCertificateAndKey) GetECDSAKey() (*ecdsa.PrivateKey, error)

GetECDSAKey parses PEM-encoded ECDSA key.

func (*PEMEncodedCertificateAndKey) GetEd25519Key 

func (p *PEMEncodedCertificateAndKey) GetEd25519Key() (ed25519.PrivateKey, error)

GetEd25519Key parses PEM-encoded Ed25519 key.

func (*PEMEncodedCertificateAndKey) GetKey 

func (p *PEMEncodedCertificateAndKey) GetKey() (interface{}, error)

GetKey parses either RSA or Ed25519 PEM-encoded key.

func (*PEMEncodedCertificateAndKey) GetRSAKey 

func (p *PEMEncodedCertificateAndKey) GetRSAKey() (*rsa.PrivateKey, error)

GetRSAKey parses PEM-encoded RSA key.

func (*PEMEncodedCertificateAndKey) MarshalYAML 

func (p *PEMEncodedCertificateAndKey) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface for PEMEncodedCertificateAndKey. It is expected that the Crt and Key are a base64 encoded string in the YAML file. This function encodes the byte slices into strings.

func (*PEMEncodedCertificateAndKey) UnmarshalYAML 

func (p *PEMEncodedCertificateAndKey) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedCertificateAndKey. It is expected that the Crt and Key are a base64 encoded string in the YAML file. This function decodes the strings into byte slices.

type PEMEncodedKey 

type PEMEncodedKey struct {
	Key []byte `json:"Key"`
}

PEMEncodedKey represents a PEM encoded private key.

func NewKeyFromFile added in v0.4.1 

func NewKeyFromFile(keyPath string) (*PEMEncodedKey, error)

NewKeyFromFile loads a PEM-encoded key from a file.

func (*PEMEncodedKey) DeepCopy 

func (p *PEMEncodedKey) DeepCopy() *PEMEncodedKey

DeepCopy implements DeepCopy interface.

func (*PEMEncodedKey) DeepCopyInto 

func (p *PEMEncodedKey) DeepCopyInto(out *PEMEncodedKey)

DeepCopyInto implements DeepCopy interface.

func (*PEMEncodedKey) GetECDSAKey 

func (p *PEMEncodedKey) GetECDSAKey() (*ECDSAKey, error)

GetECDSAKey parses PEM-encoded ECDSA key.

func (*PEMEncodedKey) GetEd25519Key 

func (p *PEMEncodedKey) GetEd25519Key() (*Ed25519Key, error)

GetEd25519Key parses PEM-encoded Ed25519 key.

func (*PEMEncodedKey) GetKey 

func (p *PEMEncodedKey) GetKey() (Key, error)

GetKey parses one of RSAKey, ECDSAKey or Ed25519Key.

func (*PEMEncodedKey) GetRSAKey 

func (p *PEMEncodedKey) GetRSAKey() (*RSAKey, error)

GetRSAKey parses PEM-encoded RSA key.

func (*PEMEncodedKey) MarshalYAML 

func (p *PEMEncodedKey) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface for PEMEncodedCertificateAndKey. It is expected that the Crt and Key are a base64 encoded string in the YAML file. This function encodes the byte slices into strings.

func (*PEMEncodedKey) UnmarshalYAML 

func (p *PEMEncodedKey) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedKey. It is expected that the Key is a base64 encoded string in the YAML file. This function decodes the strings into byte slices.

type RSAKey 

type RSAKey struct {
	KeyPEM       []byte
	PublicKeyPEM []byte
	// contains filtered or unexported fields
}

RSAKey represents an RSA key.

func NewRSAKey 

func NewRSAKey() (*RSAKey, error)

NewRSAKey generates an RSA key pair.

func (*RSAKey) GetPrivateKeyPEM 

func (k *RSAKey) GetPrivateKeyPEM() []byte

GetPrivateKeyPEM implements Key interface.

func (*RSAKey) GetPublicKeyPEM 

func (k *RSAKey) GetPublicKeyPEM() []byte

GetPublicKeyPEM implements Key interface.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.