tglib

package
Version: v1.40.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 25, 2020 License: Apache-2.0 Imports: 19 Imported by: 7

Documentation

Overview

Package tglib contains various helpers to deal with crypto. It entirely rely on standard go crypto libraries.

Index

Constants

View Source
const (
	// URIScheme is the URI scheme for Spiffe identities.
	URIScheme string = "spiffe"
)

Variables

This section is empty.

Functions

func BuildCertificatesMaps

func BuildCertificatesMaps(certs []tls.Certificate) (map[string]tls.Certificate, map[string]tls.Certificate, error)

BuildCertificatesMaps returns to maps to get what certificate to use for which DNS or IPs. This can be used in a custom tls.Config.GetCertificate function.

func BuildSANExtension

func BuildSANExtension(identites []Identity) (*pkix.Extension, error)

BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.

func BuildSubjectAltNameExtension

func BuildSubjectAltNameExtension(hosts []string) (*pkix.Extension, error)

BuildSubjectAltNameExtension builds the SAN extension for the certificate.

func CSRFromCertificate

func CSRFromCertificate(cert *x509.Certificate) *x509.CertificateRequest

CSRFromCertificate generates a new CSR from the given certificate

func CertToPEM

func CertToPEM(cert *x509.Certificate) (*pem.Block, error)

CertToPEM converts the given *x509.Certificate to *pem.Block .

func DecryptPrivateKey

func DecryptPrivateKey(keyBlock *pem.Block, password string) (*pem.Block, error)

DecryptPrivateKey decrypts the given private key

func DecryptPrivateKeyPEM

func DecryptPrivateKeyPEM(key []byte, password string) (*pem.Block, error)

DecryptPrivateKeyPEM decrypts the given private key PEM bytes

func ECPrivateKeyGenerator

func ECPrivateKeyGenerator() (crypto.PrivateKey, error)

ECPrivateKeyGenerator generates a ECDSA private key.

func EncryptPrivateKey

func EncryptPrivateKey(keyBlock *pem.Block, password string) (*pem.Block, error)

EncryptPrivateKey encrypts the given private key

func EncryptPrivateKeyPEM

func EncryptPrivateKeyPEM(key []byte, password string) (*pem.Block, error)

EncryptPrivateKeyPEM encrypts the given private key PEM bytes

func ExtractIDs

func ExtractIDs(exts []pkix.Extension) (map[string]struct{}, error)

ExtractIDs first finds the SAN extension from the given extension set, then extract identities from the SAN extension.

func ExtractSANExtension

func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension

ExtractSANExtension extracts the "Subject Alternative Name" externsion from the given PKIX extension set.

func GenerateBase64PKCS12

func GenerateBase64PKCS12(cert []byte, key []byte, ca []byte, passphrase string) (string, error)

GenerateBase64PKCS12 generates a full PKCS certificate based on the input keys.

func GenerateCSR

func GenerateCSR(csr *x509.CertificateRequest, privateKey crypto.PrivateKey) ([]byte, error)

GenerateCSR generate a CSR using the given parameters.

func GenerateCSRwithSANs

func GenerateCSRwithSANs(orgs []string, units []string, commonName string, sans []string, privateKey crypto.PrivateKey) ([]byte, error)

GenerateCSRwithSANs generates a SPIFFE certificate CSR.

func GeneratePKCS12

func GeneratePKCS12(cert []byte, key []byte, ca []byte, passphrase string) ([]byte, error)

GeneratePKCS12 generates a pkcs12

func GeneratePKCS12FromFiles

func GeneratePKCS12FromFiles(out, certPath, keyPath, caPath, passphrase string) error

GeneratePKCS12FromFiles generates a full PKCS certificate based on the input keys.

func GenerateSimpleCSR

func GenerateSimpleCSR(orgs []string, units []string, commonName string, emails []string, privateKey crypto.PrivateKey) ([]byte, error)

GenerateSimpleCSR generate a CSR using the given parameters.

func Issue

func Issue(subject pkix.Name, options ...IssueOption) (*pem.Block, *pem.Block, error)

Issue issues a new x509 certificate

func IssueCertiticate

func IssueCertiticate(
	signingCertificate *x509.Certificate,
	signingPrivateKey crypto.PrivateKey,
	keyGen PrivateKeyGenerator,

	countries []string,
	provinces []string,
	localities []string,
	streetAddresses []string,
	postalCodes []string,
	organizations []string,
	organizationalUnits []string,
	commonName string,

	dnsNames []string,
	ipAddresses []net.IP,

	beginning time.Time,
	expiration time.Time,
	keyUsage x509.KeyUsage,
	extKeyUsage []x509.ExtKeyUsage,
	signatureAlgorithm x509.SignatureAlgorithm,
	publicKeyAlgorithm x509.PublicKeyAlgorithm,
	isCA bool,

	policies []asn1.ObjectIdentifier,

) (*pem.Block, *pem.Block, error)

IssueCertiticate issues a new Certificate eventual signed using the signingCertificate and the given keyGen.

func KeyToPEM

func KeyToPEM(key interface{}) (*pem.Block, error)

KeyToPEM converts the given crypto.PrivateKey to *pem.Block .

func LoadCSRs

func LoadCSRs(csrData []byte) ([]*x509.CertificateRequest, error)

LoadCSRs loads the given bytes as an array of Certificate Signing Request.

func PEMToKey

func PEMToKey(keyBlock *pem.Block) (crypto.PrivateKey, error)

PEMToKey loads a decrypted pem block and returns a crypto.PrivateKey

func ParseCertificate

func ParseCertificate(certPemBytes []byte) (*x509.Certificate, error)

ParseCertificate parse the given PEM bytes and returns the fist *x509.Certificate.

func ParseCertificatePEM

func ParseCertificatePEM(path string) (*x509.Certificate, error)

ParseCertificatePEM reads the PEM certificate at the given path and returns the first *x509.Certificate found

func ParseCertificatePEMs

func ParseCertificatePEMs(path string) ([]*x509.Certificate, error)

ParseCertificatePEMs reads the PEM certificate at the given path and returns the a []*x509.Certificate.

func ParseCertificates

func ParseCertificates(certPemBytes []byte) ([]*x509.Certificate, error)

ParseCertificates parse the given PEM bytes and returns a []*x509.Certificate.

func RSAPrivateKeyGenerator

func RSAPrivateKeyGenerator() (crypto.PrivateKey, error)

RSAPrivateKeyGenerator generates a RSA private key.

func ReadCertificate

func ReadCertificate(certPemBytes []byte, keyPemBytes []byte, password string) (*x509.Certificate, crypto.PrivateKey, error)

ReadCertificate returns a the first *x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.

func ReadCertificatePEM

func ReadCertificatePEM(certPath, keyPath, password string) (*x509.Certificate, crypto.PrivateKey, error)

ReadCertificatePEM returns a the first *x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.

func ReadCertificatePEMs

func ReadCertificatePEMs(certPath, keyPath, password string) ([]*x509.Certificate, crypto.PrivateKey, error)

ReadCertificatePEMs returns a []*x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.

func ReadCertificates

func ReadCertificates(certPemBytes []byte, keyPemBytes []byte, password string) ([]*x509.Certificate, crypto.PrivateKey, error)

ReadCertificates returns a []*x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.

func Sign

func Sign(
	csr *x509.CertificateRequest,
	signingCertificate *x509.Certificate,
	signingPrivateKey crypto.PrivateKey,
	options ...IssueOption,
) (*pem.Block, string, error)

Sign signs the give CSR using the given signer certificate and key and given options.

func SignCSR

func SignCSR(
	csr *x509.CertificateRequest,
	signingCertificate *x509.Certificate,
	signingPrivateKey crypto.PrivateKey,

	beginning time.Time,
	expiration time.Time,
	keyUsage x509.KeyUsage,
	extKeyUsage []x509.ExtKeyUsage,
	signatureAlgorithm x509.SignatureAlgorithm,
	publicKeyAlgorithm x509.PublicKeyAlgorithm,

	isCA bool,
	policies []asn1.ObjectIdentifier,
) (*pem.Block, string, error)

SignCSR will sign the given CSR with the given signing cert

func SplitChain

func SplitChain(certData []byte) (cert *x509.Certificate, caChain []*x509.Certificate, err error)

SplitChain splits the given certificate data into the actual *x509.Certificate and a list of CA chain in a []*x509.Certificate

func SplitChainPEM

func SplitChainPEM(certData []byte) ([]byte, []byte)

SplitChainPEM splits the given cert PEM []byte as the actual certificate and []byte as the rest of the chain.

func SystemCertPool added in v1.40.0

func SystemCertPool() (*x509.CertPool, error)

SystemCertPool gets the system cert pool via Go libraries

func ToTLSCertificate

func ToTLSCertificate(cert *x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)

ToTLSCertificate converts the given cert and private key to a tls.Certificate. The private key must not be encrypted.

func ToTLSCertificates

func ToTLSCertificates(certs []*x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)

ToTLSCertificates converts the given certs and private key to a tls.Certificate. The private key must not be encrypted.

func Verify

func Verify(signingCertPEMData []byte, certPEMData []byte, keyUsages []x509.ExtKeyUsage) error

Verify verifies the given certificate is signed by the given other certificate, and that the other certificate has the correct required key usage.

Types

type Identity

type Identity struct {
	Type  IdentityType
	Value []byte
}

Identity is an object holding both the encoded identifier bytes as well as the type of the identity.

func ExtractIDsFromSAN

func ExtractIDsFromSAN(sanExt *pkix.Extension) ([]Identity, error)

ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.

type IdentityType

type IdentityType int

IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension.

const (
	// TypeDNS represents a DNS name.
	TypeDNS IdentityType = iota
	// TypeIP represents an IP address.
	TypeIP
	// TypeURI represents a universal resource identifier.
	TypeURI
)

type IssueOption

type IssueOption func(*issueCfg)

IssueOption represents an issuing option.

func OptIssueAlgorithmECDSA

func OptIssueAlgorithmECDSA() IssueOption

OptIssueAlgorithmECDSA configures the certificate to use ECDSA with SHA384 P256 curve.

func OptIssueAlgorithmRSA

func OptIssueAlgorithmRSA() IssueOption

OptIssueAlgorithmRSA configures the certificate to use 2048-bits RSA with SHA384 signature

func OptIssueDNSSANs

func OptIssueDNSSANs(dns ...string) IssueOption

OptIssueDNSSANs the IP SANs for the certificate to be issued.

func OptIssueExtendedKeyUsages

func OptIssueExtendedKeyUsages(usages ...x509.ExtKeyUsage) IssueOption

OptIssueExtendedKeyUsages manually sets the extended key usage for the certificate. It will erase any previous extended usage set by options OptIssueType*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueIPSANs

func OptIssueIPSANs(ips ...net.IP) IssueOption

OptIssueIPSANs sets the IP SANs for the certificate to be issued.

func OptIssueKeyGenerator

func OptIssueKeyGenerator(keyGen PrivateKeyGenerator) IssueOption

OptIssueKeyGenerator sets the private key generator to use. It will erase any previous extended usage set by options OptIssueAlgorithm*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueKeyUsage

func OptIssueKeyUsage(usage x509.KeyUsage) IssueOption

OptIssueKeyUsage sets the key usage for the certificate. It will erase any previous usage set by options OptIssueType*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssuePolicies

func OptIssuePolicies(policies ...asn1.ObjectIdentifier) IssueOption

OptIssuePolicies sets additional policies OIDs.

func OptIssuePublicKeyAlgorithm

func OptIssuePublicKeyAlgorithm(alg x509.PublicKeyAlgorithm) IssueOption

OptIssuePublicKeyAlgorithm sets the signature algorithm for the public key. It will erase any previous extended usage set by options OptIssueAlgorithm*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueSignatureAlgorithm

func OptIssueSignatureAlgorithm(alg x509.SignatureAlgorithm) IssueOption

OptIssueSignatureAlgorithm sets the signature algorithm for the certificate. By default, it uses x509.ECDSA.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueSigner

func OptIssueSigner(cert *x509.Certificate, key crypto.PrivateKey) IssueOption

OptIssueSigner sets the signer for the certificate to be issued. By default, Issue will issue a self-signed certificate.

func OptIssueSignerPEMBlock

func OptIssueSignerPEMBlock(cert *pem.Block, key *pem.Block, password string) IssueOption

OptIssueSignerPEMBlock sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.

func OptIssueSignerPEMBytes

func OptIssueSignerPEMBytes(cert []byte, key []byte, password string) IssueOption

OptIssueSignerPEMBytes sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.

func OptIssueTypeCA

func OptIssueTypeCA() IssueOption

OptIssueTypeCA sets the makes the certificate to be issued to be a Certificate Authority. It automatically applies the correct key usage, unless already set by another option.

func OptIssueTypeClientAuth

func OptIssueTypeClientAuth() IssueOption

OptIssueTypeClientAuth configures the certificate to be issued to be a client certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeCodeSigning

func OptIssueTypeCodeSigning() IssueOption

OptIssueTypeCodeSigning configures the certificate to be issued to be a code signing certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeEmailProtection

func OptIssueTypeEmailProtection() IssueOption

OptIssueTypeEmailProtection configures the certificate to be issued to be a email protection certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeServerAuth

func OptIssueTypeServerAuth() IssueOption

OptIssueTypeServerAuth configures the certificate to be issued to be a server certificate. This option can be combined with other OptIssueType*.

func OptIssueValidity

func OptIssueValidity(notBefore time.Time, notAfter time.Time) IssueOption

OptIssueValidity sets the validity of the certificate to be issued. By default, the certificate is valid from the time it has been created for 1 year.

type PrivateKeyGenerator

type PrivateKeyGenerator func() (crypto.PrivateKey, error)

PrivateKeyGenerator is the type of function that can generate a crypto.PrivateKey.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL