cryptoutils

package

v1.8.3 Latest Latest Go to latest Published: Mar 29, 2024 License: Apache-2.0 Imports: 23 Imported by: 126

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sigstore/sigstore

Links

Open Source Insights

Documentation ¶

Overview ¶

Package cryptoutils implements support for working with encoded certificates, public keys, and private keys

Package cryptoutils contains utilities related to handling cryptographic materials.

Index ¶

Variables
func CheckExpiration(cert *x509.Certificate, epoch time.Time) error
func EqualKeys(first, second crypto.PublicKey) error
func GeneratePEMEncodedECDSAKeyPair(curve elliptic.Curve, pf PassFunc) (privPEM, pubPEM []byte, err error)
func GeneratePEMEncodedRSAKeyPair(keyLengthBits int, pf PassFunc) (privPEM, pubPEM []byte, err error)
func GenerateSerialNumber() (*big.Int, error)
func GetPasswordFromStdIn(confirm bool) ([]byte, error)
func GetSubjectAlternateNames(cert *x509.Certificate) []string
func LoadCertificatesFromPEM(pem io.Reader) ([]*x509.Certificate, error)
func MarshalCertificateToPEM(cert *x509.Certificate) ([]byte, error)
func MarshalCertificatesToPEM(certs []*x509.Certificate) ([]byte, error)
func MarshalOtherNameSAN(name string, critical bool) (*pkix.Extension, error)
func MarshalPrivateKeyToDER(priv crypto.PrivateKey) ([]byte, error)
func MarshalPrivateKeyToEncryptedDER(priv crypto.PrivateKey, pf PassFunc) ([]byte, error)
func MarshalPrivateKeyToPEM(priv crypto.PrivateKey) ([]byte, error)
func MarshalPublicKeyToDER(pub crypto.PublicKey) ([]byte, error)
func MarshalPublicKeyToPEM(pub crypto.PublicKey) ([]byte, error)
func PEMEncode(typeStr PEMType, bytes []byte) []byte
func ParseCSR(csr []byte) (*x509.CertificateRequest, error)
func SKID(pub crypto.PublicKey) ([]byte, error)
func SkipPassword(_ bool) ([]byte, error)
func UnmarshalCertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
func UnmarshalCertificatesFromPEMLimited(pemBytes []byte, iterations int) ([]*x509.Certificate, error)
func UnmarshalOtherNameSAN(exts []pkix.Extension) (string, error)
func UnmarshalPEMToPrivateKey(pemBytes []byte, pf PassFunc) (crypto.PrivateKey, error)
func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error)
func ValidatePubKey(pub crypto.PublicKey) error
type OtherName
type PEMType
type PassFunc
- func StaticPasswordFunc(pw []byte) PassFunc

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// OIDOtherName is the OID for the OtherName SAN per RFC 5280
	OIDOtherName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
	// SANOID is the OID for Subject Alternative Name per RFC 5280
	SANOID = asn1.ObjectIdentifier{2, 5, 29, 17}
)

View Source

var Read = readPasswordFn

Read is for fuzzing

Functions ¶

func CheckExpiration ¶

func CheckExpiration(cert *x509.Certificate, epoch time.Time) error

CheckExpiration verifies that epoch is during the validity period of the certificate provided.

It returns nil if issueTime < epoch < expirationTime, and error otherwise.

func EqualKeys ¶ added in v1.2.0

func EqualKeys(first, second crypto.PublicKey) error

EqualKeys compares two public keys. Supports RSA, ECDSA and ED25519. If not equal, the error message contains hex-encoded SHA1 hashes of the DER-encoded keys

func GeneratePEMEncodedECDSAKeyPair ¶

func GeneratePEMEncodedECDSAKeyPair(curve elliptic.Curve, pf PassFunc) (privPEM, pubPEM []byte, err error)

GeneratePEMEncodedECDSAKeyPair generates an ECDSA keypair, optionally password encrypted using a provided PassFunc, and PEM encoded.

func GeneratePEMEncodedRSAKeyPair ¶

func GeneratePEMEncodedRSAKeyPair(keyLengthBits int, pf PassFunc) (privPEM, pubPEM []byte, err error)

GeneratePEMEncodedRSAKeyPair generates an RSA keypair, optionally password encrypted using a provided PassFunc, and PEM encoded.

func GenerateSerialNumber ¶ added in v1.3.0

func GenerateSerialNumber() (*big.Int, error)

GenerateSerialNumber creates a compliant serial number as per RFC 5280 4.1.2.2. Serial numbers must be positive, and can be no longer than 20 bytes. The serial number is generated with 159 bits, so that the first bit will always be 0, resulting in a positive serial number.

func GetPasswordFromStdIn ¶

func GetPasswordFromStdIn(confirm bool) ([]byte, error)

GetPasswordFromStdIn gathers the password from stdin with an optional confirmation step.

func GetSubjectAlternateNames ¶ added in v1.5.0

func GetSubjectAlternateNames(cert *x509.Certificate) []string

GetSubjectAlternateNames extracts all subject alternative names from the certificate, including email addresses, DNS, IP addresses, URIs, and OtherName SANs

func LoadCertificatesFromPEM ¶

func LoadCertificatesFromPEM(pem io.Reader) ([]*x509.Certificate, error)

LoadCertificatesFromPEM extracts one or more X509 certificates from the provided io.Reader.

func MarshalCertificateToPEM ¶

func MarshalCertificateToPEM(cert *x509.Certificate) ([]byte, error)

MarshalCertificateToPEM converts the provided X509 certificate into PEM format

func MarshalCertificatesToPEM ¶

func MarshalCertificatesToPEM(certs []*x509.Certificate) ([]byte, error)

MarshalCertificatesToPEM converts the provided X509 certificates into PEM format

func MarshalOtherNameSAN ¶ added in v1.5.0

func MarshalOtherNameSAN(name string, critical bool) (*pkix.Extension, error)

MarshalOtherNameSAN creates a Subject Alternative Name extension with an OtherName sequence. RFC 5280, 4.2.1.6:

SubjectAltName ::= GeneralNames GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName GeneralName ::= CHOICE {

otherName                       [0]     OtherName,
... }

func MarshalPrivateKeyToDER ¶

func MarshalPrivateKeyToDER(priv crypto.PrivateKey) ([]byte, error)

MarshalPrivateKeyToDER converts a crypto.PrivateKey into a PKCS8 ASN.1 DER byte slice

func MarshalPrivateKeyToEncryptedDER ¶

func MarshalPrivateKeyToEncryptedDER(priv crypto.PrivateKey, pf PassFunc) ([]byte, error)

MarshalPrivateKeyToEncryptedDER marshals the private key and encrypts the DER-encoded value using the specified password function

func MarshalPrivateKeyToPEM ¶

func MarshalPrivateKeyToPEM(priv crypto.PrivateKey) ([]byte, error)

MarshalPrivateKeyToPEM converts a crypto.PrivateKey into a PKCS#8 PEM-encoded byte slice

func MarshalPublicKeyToDER ¶

func MarshalPublicKeyToDER(pub crypto.PublicKey) ([]byte, error)

MarshalPublicKeyToDER converts a crypto.PublicKey into a PKIX, ASN.1 DER byte slice

func MarshalPublicKeyToPEM ¶

func MarshalPublicKeyToPEM(pub crypto.PublicKey) ([]byte, error)

MarshalPublicKeyToPEM converts a crypto.PublicKey into a PEM-encoded byte slice

func PEMEncode ¶

func PEMEncode(typeStr PEMType, bytes []byte) []byte

PEMEncode encodes the specified byte slice in PEM format using the provided type string

func ParseCSR ¶ added in v1.3.0

func ParseCSR(csr []byte) (*x509.CertificateRequest, error)

ParseCSR parses a PKCS#10 PEM-encoded CSR.

func SKID ¶ added in v1.2.0

func SKID(pub crypto.PublicKey) ([]byte, error)

SKID generates a 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits). https://tools.ietf.org/html/rfc5280#section-4.2.1.2

func SkipPassword ¶

func SkipPassword(_ bool) ([]byte, error)

SkipPassword is a PassFunc that does not interact with a user, but simply returns nil for both the password result and error struct.

func UnmarshalCertificatesFromPEM ¶

func UnmarshalCertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error)

UnmarshalCertificatesFromPEM extracts one or more X509 certificates from the provided byte slice, which is assumed to be in PEM-encoded format.

func UnmarshalCertificatesFromPEMLimited ¶ added in v1.3.0

func UnmarshalCertificatesFromPEMLimited(pemBytes []byte, iterations int) ([]*x509.Certificate, error)

UnmarshalCertificatesFromPEMLimited extracts one or more X509 certificates from the provided byte slice, which is assumed to be in PEM-encoded format. Fails after a specified number of iterations. A reasonable limit is 10 iterations.

func UnmarshalOtherNameSAN ¶ added in v1.5.0

func UnmarshalOtherNameSAN(exts []pkix.Extension) (string, error)

UnmarshalOtherNameSAN extracts a UTF-8 string from the OtherName field in the Subject Alternative Name extension.

func UnmarshalPEMToPrivateKey ¶

func UnmarshalPEMToPrivateKey(pemBytes []byte, pf PassFunc) (crypto.PrivateKey, error)

UnmarshalPEMToPrivateKey converts a PEM-encoded byte slice into a crypto.PrivateKey

func UnmarshalPEMToPublicKey ¶

func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error)

UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey

func ValidatePubKey ¶ added in v1.3.0

func ValidatePubKey(pub crypto.PublicKey) error

ValidatePubKey validates the parameters of an RSA, ECDSA, or ED25519 public key.

Types ¶

type OtherName ¶ added in v1.5.0

type OtherName struct {
	ID    asn1.ObjectIdentifier
	Value string `asn1:"utf8,explicit,tag:0"`
}

OtherName describes a name related to a certificate which is not in one of the standard name formats. RFC 5280, 4.2.1.6:

OtherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }

OtherName for Fulcio-issued certificates only supports UTF-8 strings as values.

type PEMType ¶

type PEMType string

PEMType is a specific type for string constants used during PEM encoding and decoding

const (
	// PrivateKeyPEMType is the string "PRIVATE KEY" to be used during PEM encoding and decoding
	PrivateKeyPEMType PEMType = "PRIVATE KEY"
	// ECPrivateKeyPEMType is the string "EC PRIVATE KEY" used to parse SEC 1 EC private keys
	ECPrivateKeyPEMType PEMType = "EC PRIVATE KEY"
	// PKCS1PrivateKeyPEMType is the string "RSA PRIVATE KEY" used to parse PKCS#1-encoded private keys
	PKCS1PrivateKeyPEMType PEMType = "RSA PRIVATE KEY"

	// EncryptedSigstorePrivateKeyPEMType is the string "ENCRYPTED SIGSTORE PRIVATE KEY" to be used during PEM encoding and decoding
	EncryptedSigstorePrivateKeyPEMType PEMType = "ENCRYPTED SIGSTORE PRIVATE KEY"
)

const (
	// PublicKeyPEMType is the string "PUBLIC KEY" to be used during PEM encoding and decoding
	PublicKeyPEMType PEMType = "PUBLIC KEY"
	// PKCS1PublicKeyPEMType is the string "RSA PUBLIC KEY" used to parse PKCS#1-encoded public keys
	PKCS1PublicKeyPEMType PEMType = "RSA PUBLIC KEY"
)

const (
	// CertificatePEMType is the string "CERTIFICATE" to be used during PEM encoding and decoding
	CertificatePEMType PEMType = "CERTIFICATE"
)

type PassFunc ¶

type PassFunc func(bool) ([]byte, error)

PassFunc is a type of function that takes a boolean (representing whether confirmation is desired) and returns the password as read, along with an error if one occurred

func StaticPasswordFunc ¶

func StaticPasswordFunc(pw []byte) PassFunc

StaticPasswordFunc returns a PassFunc which returns the provided password.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL