Documentation ¶
Overview ¶
Package utils contains tuf related utility functions however this file is hard forked from https://github.com/youmark/pkcs8 package. It has been further modified based on the requirements of Notary. For converting keys into PKCS#8 format, original package expected *crypto.PrivateKey interface, which then type inferred to either *rsa.PrivateKey or *ecdsa.PrivateKey depending on the need and later converted to ASN.1 DER encoded form, this whole process was superfluous here as keys are already being kept in ASN.1 DER format wrapped in data.PrivateKey structure. With these changes, package has became tightly coupled with notary as most of the method signatures have been updated. Moreover support for ED25519 keys has been added as well. License for original package is following:
The MIT License (MIT)
Copyright (c) 2014 youmark ¶
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Index ¶
- func CanonicalKeyID(k data.PublicKey) (string, error)
- func CertBundleToKey(leafCert *x509.Certificate, intCerts []*x509.Certificate) (data.PublicKey, error)
- func CertChainToPEM(certChain []*x509.Certificate) ([]byte, error)
- func CertToKey(cert *x509.Certificate) data.PublicKey
- func CertToPEM(cert *x509.Certificate) []byte
- func CertsToKeys(leafCerts map[string]*x509.Certificate, ...) map[string]data.PublicKey
- func ConsistentName(role string, hashSHA256 []byte) string
- func ConvertPrivateKeyToPKCS8(key data.PrivateKey, role data.RoleName, gun data.GUN, passphrase string) ([]byte, error)
- func ConvertTUFKeyToPKCS8(priv data.PrivateKey, password []byte) ([]byte, error)
- func DoHash(alg string, d []byte) []byte
- func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error)
- func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error)
- func ExtractPrivateKeyAttributes(pemBytes []byte) (data.RoleName, data.GUN, error)
- func FindRoleIndex(rs []*data.Role, name data.RoleName) int
- func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error)
- func GenerateED25519Key(random io.Reader) (data.PrivateKey, error)
- func GenerateKey(algorithm string) (data.PrivateKey, error)
- func GetIntermediateCerts(certs []*x509.Certificate) []*x509.Certificate
- func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate
- func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error)
- func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
- func LoadCertFromFile(filename string) (*x509.Certificate, error)
- func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error)
- func NewCertificate(commonName string, startTime, endTime time.Time) (*x509.Certificate, error)
- func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error)
- func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error)
- func ParsePKCS8ToTufKey(der []byte, password []byte) (data.PrivateKey, error)
- func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error)
- func RemoveUnusedKeys(t *data.SignedTargets)
- func RoleNameSliceContains(ss []data.RoleName, s data.RoleName) bool
- func RoleNameSliceRemove(ss []data.RoleName, s data.RoleName) []data.RoleName
- func StrSliceContains(ss []string, s string) bool
- func UnusedDelegationKeys(t data.SignedTargets) []string
- func ValidateCertificate(c *x509.Certificate, checkExpiry bool) error
- func X509PublicKeyID(certPubKey data.PublicKey) (string, error)
- type ErrBadTypeCast
- type ErrEmptyStack
- type NoopCloser
- type RoleList
- type Stack
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CanonicalKeyID ¶
CanonicalKeyID returns the ID of the public bytes version of a TUF key. On regular RSA/ECDSA TUF keys, this is just the key ID. On X509 RSA/ECDSA TUF keys, this is the key ID of the public key part of the key in the leaf cert
func CertBundleToKey ¶ added in v0.4.0
func CertBundleToKey(leafCert *x509.Certificate, intCerts []*x509.Certificate) (data.PublicKey, error)
CertBundleToKey creates a TUF key from a leaf certs and a list of intermediates
func CertChainToPEM ¶ added in v0.4.0
func CertChainToPEM(certChain []*x509.Certificate) ([]byte, error)
CertChainToPEM is a utility function returns a PEM encoded chain of x509 Certificates, in the order they are passed
func CertToKey ¶ added in v0.4.0
func CertToKey(cert *x509.Certificate) data.PublicKey
CertToKey transforms a single input certificate into its corresponding PublicKey
func CertToPEM ¶ added in v0.4.0
func CertToPEM(cert *x509.Certificate) []byte
CertToPEM is a utility function returns a PEM encoded x509 Certificate
func CertsToKeys ¶ added in v0.4.0
func CertsToKeys(leafCerts map[string]*x509.Certificate, intCerts map[string][]*x509.Certificate) map[string]data.PublicKey
CertsToKeys transforms each of the input certificate chains into its corresponding PublicKey
func ConsistentName ¶
ConsistentName generates the appropriate HTTP URL path for the role, based on whether the repo is marked as consistent. The RemoteStore is responsible for adding file extensions.
func ConvertPrivateKeyToPKCS8 ¶ added in v0.5.1
func ConvertPrivateKeyToPKCS8(key data.PrivateKey, role data.RoleName, gun data.GUN, passphrase string) ([]byte, error)
ConvertPrivateKeyToPKCS8 converts a data.PrivateKey to PKCS#8 Format
func ConvertTUFKeyToPKCS8 ¶ added in v0.5.1
func ConvertTUFKeyToPKCS8(priv data.PrivateKey, password []byte) ([]byte, error)
ConvertTUFKeyToPKCS8 converts a private key (data.Private) to PKCS#8 and returns in DER format if password is not nil, it would convert the Private Key to Encrypted PKCS#8.
func ECDSAToPrivateKey ¶ added in v0.4.0
func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error)
ECDSAToPrivateKey converts an ecdsa.Private key to a TUF data.PrivateKey type
func ED25519ToPrivateKey ¶ added in v0.4.0
func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error)
ED25519ToPrivateKey converts a serialized ED25519 key to a TUF data.PrivateKey type
func ExtractPrivateKeyAttributes ¶ added in v0.5.1
ExtractPrivateKeyAttributes extracts role and gun values from private key bytes
func FindRoleIndex ¶
FindRoleIndex returns the index of the role named <name> or -1 if no matching role is found.
func GenerateECDSAKey ¶ added in v0.4.0
func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error)
GenerateECDSAKey generates an ECDSA Private key and returns a TUF PrivateKey
func GenerateED25519Key ¶ added in v0.4.0
func GenerateED25519Key(random io.Reader) (data.PrivateKey, error)
GenerateED25519Key generates an ED25519 private key and returns a TUF PrivateKey. The serialization format we use is just the public key bytes followed by the private key bytes
func GenerateKey ¶ added in v0.5.1
func GenerateKey(algorithm string) (data.PrivateKey, error)
GenerateKey returns a new private key using the provided algorithm or an error detailing why the key could not be generated
func GetIntermediateCerts ¶ added in v0.4.0
func GetIntermediateCerts(certs []*x509.Certificate) []*x509.Certificate
GetIntermediateCerts parses a list of x509 Certificates and returns all of the ones marked as a CA, to be used as intermediates
func GetLeafCerts ¶ added in v0.4.0
func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate
GetLeafCerts parses a list of x509 Certificates and returns all of them that aren't CA
func LoadCertBundleFromFile ¶ added in v0.4.0
func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error)
LoadCertBundleFromFile loads certificates from the []byte provided. The data is expected to be PEM Encoded and contain one of more certificates with PEM type "CERTIFICATE"
func LoadCertBundleFromPEM ¶ added in v0.4.0
func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
LoadCertBundleFromPEM loads certificates from the []byte provided. The data is expected to be PEM Encoded and contain one of more certificates with PEM type "CERTIFICATE"
func LoadCertFromFile ¶ added in v0.4.0
func LoadCertFromFile(filename string) (*x509.Certificate, error)
LoadCertFromFile loads the first certificate from the file provided. The data is expected to be PEM Encoded and contain one of more certificates with PEM type "CERTIFICATE"
func LoadCertFromPEM ¶ added in v0.4.0
func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error)
LoadCertFromPEM returns the first certificate found in a bunch of bytes or error if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85.
func NewCertificate ¶ added in v0.4.0
NewCertificate returns an X509 Certificate following a template, given a Common Name and validity interval.
func ParsePEMPrivateKey ¶ added in v0.4.0
func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error)
ParsePEMPrivateKey returns a data.PrivateKey from a PEM encoded private key. It supports PKCS#8 as well as RSA/ECDSA (PKCS#1) only in non-FIPS mode and attempts to decrypt using the passphrase, if encrypted.
func ParsePEMPublicKey ¶ added in v0.4.0
ParsePEMPublicKey returns a data.PublicKey from a PEM encoded public key or certificate.
func ParsePKCS8ToTufKey ¶ added in v0.5.1
func ParsePKCS8ToTufKey(der []byte, password []byte) (data.PrivateKey, error)
ParsePKCS8ToTufKey requires PKCS#8 key in DER format and returns data.PrivateKey Password should be provided in case of Encrypted PKCS#8 key, else it should be nil.
func RSAToPrivateKey ¶ added in v0.4.0
func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error)
RSAToPrivateKey converts an rsa.Private key to a TUF data.PrivateKey type
func RemoveUnusedKeys ¶
func RemoveUnusedKeys(t *data.SignedTargets)
RemoveUnusedKeys determines which keys in the slice of IDs are no longer used in the given targets file and removes them from the delegated keys map
func RoleNameSliceContains ¶ added in v0.5.1
RoleNameSliceContains checks if the given string appears in the slice
func RoleNameSliceRemove ¶ added in v0.5.1
RoleNameSliceRemove removes the given RoleName from the slice, returning a new slice
func StrSliceContains ¶
StrSliceContains checks if the given string appears in the slice
func UnusedDelegationKeys ¶
func UnusedDelegationKeys(t data.SignedTargets) []string
UnusedDelegationKeys prunes a list of keys, returning those that are no longer in use for a given targets file
func ValidateCertificate ¶ added in v0.4.0
func ValidateCertificate(c *x509.Certificate, checkExpiry bool) error
ValidateCertificate returns an error if the certificate is not valid for notary Currently this is only ensuring the public key has a large enough modulus if RSA, using a non SHA1 signature algorithm, and an optional time expiry check
Types ¶
type ErrBadTypeCast ¶
type ErrBadTypeCast struct{}
ErrBadTypeCast is used by PopX functions when the item cannot be typed to X
func (ErrBadTypeCast) Error ¶
func (err ErrBadTypeCast) Error() string
type ErrEmptyStack ¶
type ErrEmptyStack struct {
// contains filtered or unexported fields
}
ErrEmptyStack is used when an action that requires some content is invoked and the stack is empty
func (ErrEmptyStack) Error ¶
func (err ErrEmptyStack) Error() string
type NoopCloser ¶
NoopCloser is a simple Reader wrapper that does nothing when Close is called
type RoleList ¶
type RoleList []string
RoleList is a list of roles
type Stack ¶
type Stack struct {
// contains filtered or unexported fields
}
Stack is a simple type agnostic stack implementation
func (*Stack) Pop ¶
Pop removes and returns the top item on the stack, or returns ErrEmptyStack if the stack has no content