scep

package
v1.0.2 Latest

Warning: This package is not in the latest version of its module.
Published: Aug 31, 2020 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package scep provides common functionality for encoding and decoding Simple Certificate Enrolment Protocol (SCEP) PKI messages as defined by https://tools.ietf.org/html/draft-gutmann-scep-02.

Index

Constants

const (
	// MessageType values carried in the SCEP messageType attribute.
	// Each constant is typed explicitly; with only the first one typed,
	// the rest would be untyped string constants rather than MessageType.
	CertRep    MessageType = "3"
	RenewalReq MessageType = "17"
	UpdateReq  MessageType = "18"
	PKCSReq    MessageType = "19"
	CertPoll   MessageType = "20"
	GetCert    MessageType = "21"
	GetCRL     MessageType = "22"
)

Undefined message types are treated as an error.

const (
	// PKIStatus values carried in the pkiStatus attribute of every response.
	SUCCESS PKIStatus = "0"
	FAILURE PKIStatus = "2"
	PENDING PKIStatus = "3"
)

Undefined pkiStatus attributes are treated as an error.

const (
	// FailInfo values carried in the failInfo attribute when pkiStatus is FAILURE.
	BadAlg          FailInfo = "0"
	BadMessageCheck FailInfo = "1"
	BadRequest      FailInfo = "2"
	BadTime         FailInfo = "3"
	BadCertID       FailInfo = "4"
)

Variables

This section is empty.

Functions

func CACerts

func CACerts(data []byte) ([]*x509.Certificate, error)

CACerts extracts a CA certificate or certificate chain from PKCS#7 degenerate signed data.

func DegenerateCertificates

func DegenerateCertificates(certs []*x509.Certificate) ([]byte, error)

DegenerateCertificates wraps the given certificates in a degenerate PKCS#7 SignedData structure (certificates only, no signers) and returns its DER encoding.

Types

type CSRReqMessage

type CSRReqMessage struct {
	RawDecrypted []byte

	// PKCS#10 Certificate request inside the envelope
	CSR *x509.CertificateRequest

	ChallengePassword string
}

CSRReqMessage can be of the type PKCSReq, RenewalReq or UpdateReq and carries a PKCS#10 certificate request. The content of this message is protected with the recipient's public key (for example, the CA's).

type CertRepMessage

type CertRepMessage struct {
	PKIStatus
	RecipientNonce
	FailInfo

	Certificate *x509.Certificate
	// contains filtered or unexported fields
}

CertRepMessage is the CertRep payload of a PKIMessage.

type FailInfo

type FailInfo string

FailInfo is a SCEP failInfo attribute.

The FailInfo attribute MUST contain one of the failure reasons listed under Constants above (BadAlg, BadMessageCheck, BadRequest, BadTime, BadCertID).

func (FailInfo) String added in v1.0.2

func (info FailInfo) String() string

type MessageType

type MessageType string

The MessageType attribute specifies the type of operation performed by the transaction. This attribute MUST be included in all PKI messages.

The defined message types are listed under Constants above (CertRep, RenewalReq, UpdateReq, PKCSReq, CertPoll, GetCert, GetCRL).

func (MessageType) String added in v1.0.2

func (msg MessageType) String() string

type Option added in v1.0.2

type Option func(*config)

Option specifies custom configuration for SCEP.

func WithLogger added in v1.0.2

func WithLogger(logger log.Logger) Option

WithLogger adds optional logging to SCEP operations.

type PKIMessage

type PKIMessage struct {
	TransactionID
	MessageType
	SenderNonce
	*CertRepMessage
	*CSRReqMessage

	// DER Encoded PKIMessage
	Raw []byte

	// Used to sign message
	Recipients []*x509.Certificate

	// Signer info
	SignerKey  *rsa.PrivateKey
	SignerCert *x509.Certificate

	SCEPEncryptionAlgorithm int
	// contains filtered or unexported fields
}

PKIMessage is the decoded form of a SCEP PKI message; the embedded MessageType selects which of the CertRepMessage or CSRReqMessage payloads is populated.

func NewCSRRequest

func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage, opts ...Option) (*PKIMessage, error)

NewCSRRequest creates a SCEP PKCSReq or UpdateReq PKIMessage carrying the given CSR, using tmpl for the recipient and signer fields.

func ParsePKIMessage

func ParsePKIMessage(data []byte, opts ...Option) (*PKIMessage, error)

ParsePKIMessage unmarshals DER-encoded PKCS#7 signed data into a PKIMessage struct.

func (*PKIMessage) DecryptPKIEnvelope

func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key *crypto.PrivateKey) error

DecryptPKIEnvelope decrypts the PKCS#7 envelopedData inside the SCEP PKIMessage using the given recipient certificate and private key.

func (*PKIMessage) Fail added in v1.0.2

func (msg *PKIMessage) Fail(crtAuth *x509.Certificate, keyAuth *crypto.PrivateKey, info FailInfo) (*PKIMessage, error)

func (*PKIMessage) SignCSR

func (msg *PKIMessage) SignCSR(crtAuth *x509.Certificate, keyAuth *crypto.PrivateKey, template *x509.Certificate) (*PKIMessage, error)

SignCSR issues an x509.Certificate from the template using the CA credentials and returns a new PKIMessage carrying the CertRep data.

type PKIStatus

type PKIStatus string

PKIStatus is a SCEP pkiStatus attribute which holds transaction status information. All SCEP responses MUST include a pkiStatus.

The defined pkiStatus values (SUCCESS, FAILURE, PENDING) are listed under Constants above.

type RecipientNonce

type RecipientNonce []byte

The RecipientNonce MUST be copied from the SenderNonce and included in the reply.

type SenderNonce

type SenderNonce []byte

SenderNonce is a random 16-byte value. A sender must include the senderNonce in each transaction to a recipient.

type TransactionID

type TransactionID string

The TransactionID is a text string generated by the client when starting a transaction. The client MUST generate a unique string as the transaction identifier, which MUST be used for all PKI messages exchanged for a given enrolment, encoded as a PrintableString.
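The nonce and transaction rules above, turned into the check a client should run on a CertRep before trusting it. This is an added example, not code from the scep package; the type names are local copies of the attribute types documented on this page so it builds with the standard library alone.

```go
package main

import (
	"bytes"
	"fmt"
)

// Local copies of the attribute types documented above, so this example
// builds with the standard library alone (constructed for the example).
type (
	TransactionID  string
	MessageType    string
	PKIStatus      string
	SenderNonce    []byte
	RecipientNonce []byte
)

const CertRep MessageType = "3"
const (
	SUCCESS PKIStatus = "0"
	FAILURE PKIStatus = "2"
	PENDING PKIStatus = "3"
)

// Reply is the subset of a parsed CertRep a client needs to validate it.
type Reply struct {
	TransactionID  TransactionID
	MessageType    MessageType
	RecipientNonce RecipientNonce
	PKIStatus      PKIStatus
}

// CheckCertRep binds a reply to the request it answers: same transactionID,
// recipientNonce equal to the 16-byte senderNonce we sent, defined pkiStatus.
func CheckCertRep(tid TransactionID, sent SenderNonce, rep Reply) error {
	if rep.MessageType != CertRep {
		return fmt.Errorf("expected CertRep, got messageType %q", rep.MessageType)
	}
	if rep.TransactionID != tid {
		return fmt.Errorf("transactionID mismatch: %q", rep.TransactionID)
	}
	if len(rep.RecipientNonce) != 16 || !bytes.Equal(rep.RecipientNonce, sent) {
		return fmt.Errorf("recipientNonce does not match our senderNonce")
	}
	switch rep.PKIStatus {
	case SUCCESS, FAILURE, PENDING:
		return nil
	}
	return fmt.Errorf("undefined pkiStatus %q", rep.PKIStatus)
}
```

A reply that fails any of these checks is not the answer to the outstanding request and should be discarded rather than polled further.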
