certgen

package
v1.8.2
Published: Mar 12, 2021 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package certgen is a set of utilities used to generate SSH and X.509 certificates.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputePublicKeyKeyID added in v1.5.1

func ComputePublicKeyKeyID(PublicKey interface{}) ([]byte, error)

ComputePublicKeyKeyID computes the SHA-1 digest of a public key. SHA-1 is the conventional choice for key identifiers (as in the X.509 SubjectKeyIdentifier, RFC 5280 section 4.2.1.2); it serves here to identify a key, not as a collision-resistant hash.

func GenIPRestrictedX509Cert added in v1.5.1

func GenIPRestrictedX509Cert(userName string, userPub interface{},
	caCert *x509.Certificate, caPriv crypto.Signer,
	ipv4Netblocks []net.IPNet, duration time.Duration,
	crlURL []string, OCPServer []string) ([]byte, error)

GenIPRestrictedX509Cert returns an X.509 cert that has the username in the common name and is restricted to the specified IPv4 netblocks.

func GenSSHCertFileString

func GenSSHCertFileString(username string, userPubKey string, signer ssh.Signer, host_identity string, duration time.Duration) (certString string, cert ssh.Certificate, err error)

GenSSHCertFileString takes a username and public key and returns a short-lived SSH certificate for that user, both as the serialized certificate string and as the parsed ssh.Certificate.

func GenSSHCertFileStringFromSSSDPublicKey

func GenSSHCertFileStringFromSSSDPublicKey(userName string, signer ssh.Signer, hostIdentity string, duration time.Duration) (certString string, cert ssh.Certificate, err error)

func GenSelfSignedCACert

func GenSelfSignedCACert(commonName string, organization string, caPriv crypto.Signer) ([]byte, error)

GenSelfSignedCACert returns the encoded self-signed CA certificate for the given common name and organization, signed with caPriv. As long as the issuer value matches, the serial number can be different every time.

func GenUserX509Cert

func GenUserX509Cert(userName string, userPub interface{},
	caCert *x509.Certificate, caPriv crypto.Signer,
	kerberosRealm *string, duration time.Duration,
	groups []string, organizations []string) ([]byte, error)

GenUserX509Cert returns an X.509 cert that has the username in the common name; if a Kerberos realm is given, it also adds a Kerberos principal name SAN extension for PKINIT (RFC 4556).

func GetSignerFromPEMBytes

func GetSignerFromPEMBytes(privateKey []byte) (crypto.Signer, error)

func GetUserPubKeyFromSSSD

func GetUserPubKeyFromSSSD(username string) (string, error)

GetUserPubKeyFromSSSD returns the user's authorized keys content based on the running sssd configuration.

func ValidatePublicKeyStrength added in v1.8.0

func ValidatePublicKeyStrength(pub interface{}) (bool, error)

ValidatePublicKeyStrength checks whether the "strength" of the key is good enough to be considered secure. At the moment it checks the sizes of parameters only. For RSA this means bits >= 2041 and exponent >= 65537; for EC curves it means bit size >= 256. Ed25519 keys are considered secure. All other public key types are not considered secure.
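The following is an added example written for this page, not certgen's own implementation: a standalone re-implementation of the rules the paragraph above states, using only the standard library. The thresholds are the values the documentation gives (2041, not 2048, for the RSA modulus). The function name and the (ok, reason) return shape are this example's own; the real function returns (bool, error). Like the documented behaviour it fails closed: unknown key types, and malformed keys of a known type, are rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// Thresholds as documented for certgen.ValidatePublicKeyStrength (re-implemented here for illustration).
const (
	minRSAModulusBits = 2041
	minRSAExponent    = 65537
	minECBits         = 256
)

// validatePublicKeyStrength accepts *rsa.PublicKey, *ecdsa.PublicKey and ed25519.PublicKey and
// reports whether the key's parameters meet the thresholds. Any other type, and any malformed
// key of a known type, is rejected, so the check fails closed.
func validatePublicKeyStrength(pub interface{}) (ok bool, reason string) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if k == nil || k.N == nil {
			return false, "rsa: missing modulus"
		}
		if bits := k.N.BitLen(); bits < minRSAModulusBits {
			return false, fmt.Sprintf("rsa: modulus is %d bits, need at least %d", bits, minRSAModulusBits)
		}
		// A small public exponent (e.g. 3) is rejected even on a large modulus.
		if k.E < minRSAExponent {
			return false, fmt.Sprintf("rsa: public exponent %d is below %d", k.E, minRSAExponent)
		}
		return true, ""
	case *ecdsa.PublicKey:
		if k == nil || k.Curve == nil {
			return false, "ecdsa: missing curve"
		}
		if bits := k.Curve.Params().BitSize; bits < minECBits {
			return false, fmt.Sprintf("ecdsa: curve %s is %d bits, need at least %d", k.Curve.Params().Name, bits, minECBits)
		}
		return true, ""
	case ed25519.PublicKey:
		if len(k) != ed25519.PublicKeySize {
			return false, "ed25519: wrong key length"
		}
		return true, ""
	default:
		return false, fmt.Sprintf("unsupported public key type %T", pub)
	}
}

func main() {
	// Freshly generated test keys on both sides of each threshold.
	rsaWeak, _ := rsa.GenerateKey(rand.Reader, 1024)
	rsaOK, _ := rsa.GenerateKey(rand.Reader, 2048)
	p224, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	lowExponent := &rsa.PublicKey{N: rsaOK.N, E: 3} // large modulus, weak exponent
	for _, pub := range []interface{}{&rsaWeak.PublicKey, &rsaOK.PublicKey, lowExponent, &p224.PublicKey, &p256.PublicKey, edPub, "not a key"} {
		ok, reason := validatePublicKeyStrength(pub)
		fmt.Printf("%-20T ok=%-5v %s\n", pub, ok, reason)
	}
}
```

Keys read from authorized_keys or SSSD arrive as golang.org/x/crypto/ssh public keys; convert them with that package's ssh.CryptoPublicKey interface before running a check like this, since the type switch only understands the crypto/* types.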

func VerifyIPRestrictedX509CertIP added in v1.5.1

func VerifyIPRestrictedX509CertIP(userCert *x509.Certificate, remoteAddr string) (bool, error)

VerifyIPRestrictedX509CertIP takes an X.509 cert and verifies that it is valid given an incoming remote address. If the cert does not contain an IP restriction extension the verification is considered failed.
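An added, self-contained example of the netblock restriction pattern that GenIPRestrictedX509Cert, VerifyIPRestrictedX509CertIP and the IpAdressFamily type (under Types) describe, written for this page and not taken from certgen: it encodes IPv4 prefixes as an RFC 3779 id-pe-ipAddrBlocks extension (OID 1.3.6.1.5.5.7.1.7), issues a self-signed test certificate carrying it, and checks a remote address against the certificate, failing closed when the extension is absent. The extension layout assumed here mirrors the shape of IpAdressFamily (an address family plus a list of prefix BIT STRINGs, no ranges); the exact encoding and OID certgen uses are not stated on this page, and the function names are illustrative.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"net"
	"time"
)

// id-pe-ipAddrBlocks (RFC 3779) and the IANA address family number for IPv4.
var (
	oidIPAddrBlocks = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 7}
	afiIPv4         = []byte{0, 1}
)

// ipAddressFamily mirrors the shape of certgen.IpAdressFamily: an address family plus prefixes
// encoded RFC 3779 style as BIT STRINGs whose bit length is the prefix length (assumed layout).
type ipAddressFamily struct {
	AddressFamily []byte
	Addresses     []asn1.BitString
}
// issueIPRestrictedCert creates a short-lived, self-signed test certificate for userName carrying
// blocks in a critical ipAddrBlocks extension; blocks == nil yields a certificate with no restriction.
func issueIPRestrictedCert(userName string, blocks []net.IPNet) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // test key; a real CA signs with its own key
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: userName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if blocks != nil {
		fam := ipAddressFamily{AddressFamily: afiIPv4}
		for _, b := range blocks {
			ones, bits := b.Mask.Size()
			ip4 := b.IP.To4()
			if bits != 32 || ip4 == nil {
				return nil, errors.New("only IPv4 netblocks are supported")
			}
			// RFC 3779 IPAddress: only the prefix bits are encoded, so host bits must be zero.
			fam.Addresses = append(fam.Addresses, asn1.BitString{Bytes: ip4.Mask(b.Mask)[:(ones+7)/8], BitLength: ones})
		}
		der, err := asn1.Marshal([]ipAddressFamily{fam})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidIPAddrBlocks, Critical: true, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyRemoteAddr reports whether cert may be used from remoteAddr ("host:port" or a bare IP).
// A certificate without the extension fails closed, as VerifyIPRestrictedX509CertIP documents.
func verifyRemoteAddr(cert *x509.Certificate, remoteAddr string) (bool, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip4 := net.ParseIP(host).To4()
	if ip4 == nil {
		return false, errors.New("remote address is not an IPv4 address")
	}
	var fams []ipAddressFamily
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIPAddrBlocks) {
			if rest, err := asn1.Unmarshal(ext.Value, &fams); err != nil || len(rest) != 0 {
				return false, errors.New("malformed IP restriction extension")
			}
		}
	}
	if fams == nil {
		return false, errors.New("certificate carries no IP restriction extension")
	}
	for _, fam := range fams {
		if !bytes.Equal(fam.AddressFamily, afiIPv4) {
			continue
		}
		for _, bs := range fam.Addresses {
			// The ASN.1 parser guarantees zero padding bits, so the masked address is in the block iff it starts with the prefix bytes.
			if bs.BitLength <= 32 && bytes.HasPrefix(ip4.Mask(net.CIDRMask(bs.BitLength, 32)), bs.Bytes) {
				return true, nil
			}
		}
	}
	return false, nil
}
```

Marking the extension critical follows RFC 3779, so a relying party that does not understand the restriction refuses the certificate. The flip side is that Go's x509.Certificate.Verify rejects any chain whose leaf still has an entry in UnhandledCriticalExtensions: a server using this pattern has to check the extension itself (as verifyRemoteAddr does) and remove that entry before calling Verify.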

Types

type IpAdressFamily added in v1.5.1

type IpAdressFamily struct {
	AddressFamily []byte
	Addresses     []asn1.BitString
}

type KRB5PrincipalName

type KRB5PrincipalName struct {
	Realm     string            `asn1:"explicit,tag:0"`
	Principal KerberosPrincipal `asn1:"explicit,tag:1"`
}

From RFC 4556 section 3.2.2 (https://tools.ietf.org/html/rfc4556.html)

type KerberosPrincipal

type KerberosPrincipal struct {
	Len       int      `asn1:"explicit,tag:0"`
	Principal []string `asn1:"explicit,tag:1"`
}

From RFC 4120 section 5.2.2 (https://tools.ietf.org/html/rfc4120)

type PKInitSANAnotherName

type PKInitSANAnotherName struct {
	Id    asn1.ObjectIdentifier
	Value KRB5PrincipalName `asn1:"explicit,tag:0"`
}
