Documentation

Overview

    Package tglib contains various helpers to deal with crypto. It entirely rely on standard go crypto libraries.

    Index

    Constants

    View Source
    const (
    	// URIScheme is the URI scheme for Spiffe identities.
    	URIScheme string = "spiffe"
    )

    Variables

    This section is empty.

    Functions

    func BuildCertificatesMaps

    func BuildCertificatesMaps(certs []tls.Certificate) (map[string]tls.Certificate, map[string]tls.Certificate, error)

      BuildCertificatesMaps returns to maps to get what certificate to use for which DNS or IPs. This can be used in a custom tls.Config.GetCertificate function.

      func BuildSANExtension

      func BuildSANExtension(identites []Identity) (*pkix.Extension, error)

        BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.

        func BuildSubjectAltNameExtension

        func BuildSubjectAltNameExtension(hosts []string) (*pkix.Extension, error)

          BuildSubjectAltNameExtension builds the SAN extension for the certificate.

          func CSRFromCertificate

          func CSRFromCertificate(cert *x509.Certificate) *x509.CertificateRequest

            CSRFromCertificate generates a new CSR from the given certificate

            func CertToPEM

            func CertToPEM(cert *x509.Certificate) (*pem.Block, error)

              CertToPEM converts the given *x509.Certificate to *pem.Block .

              func DecryptPrivateKey

              func DecryptPrivateKey(keyBlock *pem.Block, password string) (*pem.Block, error)

                DecryptPrivateKey decrypts the given private key

                func DecryptPrivateKeyPEM

                func DecryptPrivateKeyPEM(key []byte, password string) (*pem.Block, error)

                  DecryptPrivateKeyPEM decrypts the given private key PEM bytes

                  func ECPrivateKeyGenerator

                  func ECPrivateKeyGenerator() (crypto.PrivateKey, error)

                    ECPrivateKeyGenerator generates a ECDSA private key.

                    func EncryptPrivateKey

                    func EncryptPrivateKey(keyBlock *pem.Block, password string) (*pem.Block, error)

                      EncryptPrivateKey encrypts the given private key

                      func EncryptPrivateKeyPEM

                      func EncryptPrivateKeyPEM(key []byte, password string) (*pem.Block, error)

                        EncryptPrivateKeyPEM encrypts the given private key PEM bytes

                        func ExtractIDs

                        func ExtractIDs(exts []pkix.Extension) (map[string]struct{}, error)

                          ExtractIDs first finds the SAN extension from the given extension set, then extract identities from the SAN extension.

                          func ExtractSANExtension

                          func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension

                            ExtractSANExtension extracts the "Subject Alternative Name" externsion from the given PKIX extension set.

                            func GenerateBase64PKCS12

                            func GenerateBase64PKCS12(cert []byte, key []byte, ca []byte, passphrase string) (string, error)

                              GenerateBase64PKCS12 generates a full PKCS certificate based on the input keys.

                              func GenerateCSR

                              func GenerateCSR(csr *x509.CertificateRequest, privateKey crypto.PrivateKey) ([]byte, error)

                                GenerateCSR generate a CSR using the given parameters.

                                func GenerateCSRwithSANs

                                func GenerateCSRwithSANs(orgs []string, units []string, commonName string, sans []string, privateKey crypto.PrivateKey) ([]byte, error)

                                  GenerateCSRwithSANs generates a SPIFFE certificate CSR.

                                  func GeneratePKCS12

                                  func GeneratePKCS12(cert []byte, key []byte, ca []byte, passphrase string) ([]byte, error)

                                    GeneratePKCS12 generates a pkcs12

                                    func GeneratePKCS12FromFiles

                                    func GeneratePKCS12FromFiles(out, certPath, keyPath, caPath, passphrase string) error

                                      GeneratePKCS12FromFiles generates a full PKCS certificate based on the input keys.

                                      func GenerateSimpleCSR

                                      func GenerateSimpleCSR(orgs []string, units []string, commonName string, emails []string, privateKey crypto.PrivateKey) ([]byte, error)

                                        GenerateSimpleCSR generate a CSR using the given parameters.

                                        func Issue

                                        func Issue(subject pkix.Name, options ...IssueOption) (*pem.Block, *pem.Block, error)

                                          Issue issues a new x509 certificate

                                          func IssueCertiticate

                                          func IssueCertiticate(
                                          	signingCertificate *x509.Certificate,
                                          	signingPrivateKey crypto.PrivateKey,
                                          	keyGen PrivateKeyGenerator,
                                          
                                          	countries []string,
                                          	provinces []string,
                                          	localities []string,
                                          	streetAddresses []string,
                                          	postalCodes []string,
                                          	organizations []string,
                                          	organizationalUnits []string,
                                          	commonName string,
                                          
                                          	dnsNames []string,
                                          	ipAddresses []net.IP,
                                          
                                          	beginning time.Time,
                                          	expiration time.Time,
                                          	keyUsage x509.KeyUsage,
                                          	extKeyUsage []x509.ExtKeyUsage,
                                          	signatureAlgorithm x509.SignatureAlgorithm,
                                          	publicKeyAlgorithm x509.PublicKeyAlgorithm,
                                          	isCA bool,
                                          
                                          	policies []asn1.ObjectIdentifier,
                                          
                                          ) (*pem.Block, *pem.Block, error)

                                            IssueCertiticate issues a new Certificate eventual signed using the signingCertificate and the given keyGen.

                                            func KeyToPEM

                                            func KeyToPEM(key interface{}) (*pem.Block, error)

                                              KeyToPEM converts the given crypto.PrivateKey to *pem.Block .

                                              func LoadCSRs

                                              func LoadCSRs(csrData []byte) ([]*x509.CertificateRequest, error)

                                                LoadCSRs loads the given bytes as an array of Certificate Signing Request.

                                                func PEMToKey

                                                func PEMToKey(keyBlock *pem.Block) (crypto.PrivateKey, error)

                                                  PEMToKey loads a decrypted pem block and returns a crypto.PrivateKey

                                                  func ParseCertificate

                                                  func ParseCertificate(certPemBytes []byte) (*x509.Certificate, error)

                                                    ParseCertificate parse the given PEM bytes and returns the fist *x509.Certificate.

                                                    func ParseCertificatePEM

                                                    func ParseCertificatePEM(path string) (*x509.Certificate, error)

                                                      ParseCertificatePEM reads the PEM certificate at the given path and returns the first *x509.Certificate found

                                                      func ParseCertificatePEMs

                                                      func ParseCertificatePEMs(path string) ([]*x509.Certificate, error)

                                                        ParseCertificatePEMs reads the PEM certificate at the given path and returns the a []*x509.Certificate.

                                                        func ParseCertificates

                                                        func ParseCertificates(certPemBytes []byte) ([]*x509.Certificate, error)

                                                          ParseCertificates parse the given PEM bytes and returns a []*x509.Certificate.

                                                          func RSAPrivateKeyGenerator

                                                          func RSAPrivateKeyGenerator() (crypto.PrivateKey, error)

                                                            RSAPrivateKeyGenerator generates a RSA private key.

                                                            func ReadCertificate

                                                            func ReadCertificate(certPemBytes []byte, keyPemBytes []byte, password string) (*x509.Certificate, crypto.PrivateKey, error)

                                                              ReadCertificate returns a the first *x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.

                                                              func ReadCertificatePEM

                                                              func ReadCertificatePEM(certPath, keyPath, password string) (*x509.Certificate, crypto.PrivateKey, error)

                                                                ReadCertificatePEM returns a the first *x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.

                                                                func ReadCertificatePEMs

                                                                func ReadCertificatePEMs(certPath, keyPath, password string) ([]*x509.Certificate, crypto.PrivateKey, error)

                                                                  ReadCertificatePEMs returns a []*x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.

                                                                  func ReadCertificates

                                                                  func ReadCertificates(certPemBytes []byte, keyPemBytes []byte, password string) ([]*x509.Certificate, crypto.PrivateKey, error)

                                                                    ReadCertificates returns a []*x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.

                                                                    func Sign

                                                                    func Sign(
                                                                    	csr *x509.CertificateRequest,
                                                                    	signingCertificate *x509.Certificate,
                                                                    	signingPrivateKey crypto.PrivateKey,
                                                                    	options ...IssueOption,
                                                                    ) (*pem.Block, string, error)

                                                                      Sign signs the give CSR using the given signer certificate and key and given options.

                                                                      func SignCSR

                                                                      func SignCSR(
                                                                      	csr *x509.CertificateRequest,
                                                                      	signingCertificate *x509.Certificate,
                                                                      	signingPrivateKey crypto.PrivateKey,
                                                                      
                                                                      	beginning time.Time,
                                                                      	expiration time.Time,
                                                                      	keyUsage x509.KeyUsage,
                                                                      	extKeyUsage []x509.ExtKeyUsage,
                                                                      	signatureAlgorithm x509.SignatureAlgorithm,
                                                                      	publicKeyAlgorithm x509.PublicKeyAlgorithm,
                                                                      
                                                                      	isCA bool,
                                                                      	policies []asn1.ObjectIdentifier,
                                                                      ) (*pem.Block, string, error)

                                                                        SignCSR will sign the given CSR with the given signing cert

                                                                        func SplitChain

                                                                        func SplitChain(certData []byte) (cert *x509.Certificate, caChain []*x509.Certificate, err error)

                                                                          SplitChain splits the given certificate data into the actual *x509.Certificate and a list of CA chain in a []*x509.Certificate

                                                                          func SplitChainPEM

                                                                          func SplitChainPEM(certData []byte) ([]byte, []byte)

                                                                            SplitChainPEM splits the given cert PEM []byte as the actual certificate and []byte as the rest of the chain.

                                                                            func SystemCertPool

                                                                            func SystemCertPool() (*x509.CertPool, error)

                                                                              SystemCertPool gets the system cert pool via Go libraries

                                                                              func ToTLSCertificate

                                                                              func ToTLSCertificate(cert *x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)

                                                                                ToTLSCertificate converts the given cert and private key to a tls.Certificate. The private key must not be encrypted.

                                                                                func ToTLSCertificates

                                                                                func ToTLSCertificates(certs []*x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)

                                                                                  ToTLSCertificates converts the given certs and private key to a tls.Certificate. The private key must not be encrypted.

                                                                                  func Verify

                                                                                  func Verify(signingCertPEMData []byte, certPEMData []byte, keyUsages []x509.ExtKeyUsage) error

                                                                                    Verify verifies the given certificate is signed by the given other certificate, and that the other certificate has the correct required key usage.

                                                                                    Types

                                                                                    type Identity

                                                                                    type Identity struct {
                                                                                    	Type  IdentityType
                                                                                    	Value []byte
                                                                                    }

                                                                                      Identity is an object holding both the encoded identifier bytes as well as the type of the identity.

                                                                                      func ExtractIDsFromSAN

                                                                                      func ExtractIDsFromSAN(sanExt *pkix.Extension) ([]Identity, error)

                                                                                        ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.

                                                                                        type IdentityType

                                                                                        type IdentityType int

                                                                                          IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension.

                                                                                          const (
                                                                                          	// TypeDNS represents a DNS name.
                                                                                          	TypeDNS IdentityType = iota
                                                                                          	// TypeIP represents an IP address.
                                                                                          	TypeIP
                                                                                          	// TypeURI represents a universal resource identifier.
                                                                                          	TypeURI
                                                                                          )

                                                                                          type IssueOption

                                                                                          type IssueOption func(*issueCfg)

                                                                                            IssueOption represents an issuing option.

                                                                                            func OptIssueAlgorithmECDSA

                                                                                            func OptIssueAlgorithmECDSA() IssueOption

                                                                                              OptIssueAlgorithmECDSA configures the certificate to use ECDSA with SHA384 P256 curve.

                                                                                              func OptIssueAlgorithmRSA

                                                                                              func OptIssueAlgorithmRSA() IssueOption

                                                                                                OptIssueAlgorithmRSA configures the certificate to use 2048-bits RSA with SHA384 signature

                                                                                                func OptIssueDNSSANs

                                                                                                func OptIssueDNSSANs(dns ...string) IssueOption

                                                                                                  OptIssueDNSSANs the IP SANs for the certificate to be issued.

                                                                                                  func OptIssueExtendedKeyUsages

                                                                                                  func OptIssueExtendedKeyUsages(usages ...x509.ExtKeyUsage) IssueOption

                                                                                                    OptIssueExtendedKeyUsages manually sets the extended key usage for the certificate. It will erase any previous extended usage set by options OptIssueType*.

                                                                                                    It is not recommended to use this option unless you know exactly what you are doing.

                                                                                                    func OptIssueIPSANs

                                                                                                    func OptIssueIPSANs(ips ...net.IP) IssueOption

                                                                                                      OptIssueIPSANs sets the IP SANs for the certificate to be issued.

                                                                                                      func OptIssueKeyGenerator

                                                                                                      func OptIssueKeyGenerator(keyGen PrivateKeyGenerator) IssueOption

                                                                                                        OptIssueKeyGenerator sets the private key generator to use. It will erase any previous extended usage set by options OptIssueAlgorithm*.

                                                                                                        It is not recommended to use this option unless you know exactly what you are doing.

                                                                                                        func OptIssueKeyUsage

                                                                                                        func OptIssueKeyUsage(usage x509.KeyUsage) IssueOption

                                                                                                          OptIssueKeyUsage sets the key usage for the certificate. It will erase any previous usage set by options OptIssueType*.

                                                                                                          It is not recommended to use this option unless you know exactly what you are doing.

                                                                                                          func OptIssuePolicies

                                                                                                          func OptIssuePolicies(policies ...asn1.ObjectIdentifier) IssueOption

                                                                                                            OptIssuePolicies sets additional policies OIDs.

                                                                                                            func OptIssuePublicKeyAlgorithm

                                                                                                            func OptIssuePublicKeyAlgorithm(alg x509.PublicKeyAlgorithm) IssueOption

                                                                                                              OptIssuePublicKeyAlgorithm sets the signature algorithm for the public key. It will erase any previous extended usage set by options OptIssueAlgorithm*.

                                                                                                              It is not recommended to use this option unless you know exactly what you are doing.

                                                                                                              func OptIssueSignatureAlgorithm

                                                                                                              func OptIssueSignatureAlgorithm(alg x509.SignatureAlgorithm) IssueOption

                                                                                                                OptIssueSignatureAlgorithm sets the signature algorithm for the certificate. By default, it uses x509.ECDSA.

                                                                                                                It is not recommended to use this option unless you know exactly what you are doing.

                                                                                                                func OptIssueSigner

                                                                                                                func OptIssueSigner(cert *x509.Certificate, key crypto.PrivateKey) IssueOption

                                                                                                                  OptIssueSigner sets the signer for the certificate to be issued. By default, Issue will issue a self-signed certificate.

                                                                                                                  func OptIssueSignerPEMBlock

                                                                                                                  func OptIssueSignerPEMBlock(cert *pem.Block, key *pem.Block, password string) IssueOption

                                                                                                                    OptIssueSignerPEMBlock sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.

                                                                                                                    func OptIssueSignerPEMBytes

                                                                                                                    func OptIssueSignerPEMBytes(cert []byte, key []byte, password string) IssueOption

                                                                                                                      OptIssueSignerPEMBytes sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.

                                                                                                                      func OptIssueTypeCA

                                                                                                                      func OptIssueTypeCA() IssueOption

                                                                                                                        OptIssueTypeCA sets the makes the certificate to be issued to be a Certificate Authority. It automatically applies the correct key usage, unless already set by another option.

                                                                                                                        func OptIssueTypeClientAuth

                                                                                                                        func OptIssueTypeClientAuth() IssueOption

                                                                                                                          OptIssueTypeClientAuth configures the certificate to be issued to be a client certificate. This option can be combined with other OptIssueType*.

                                                                                                                          func OptIssueTypeCodeSigning

                                                                                                                          func OptIssueTypeCodeSigning() IssueOption

                                                                                                                            OptIssueTypeCodeSigning configures the certificate to be issued to be a code signing certificate. This option can be combined with other OptIssueType*.

                                                                                                                            func OptIssueTypeEmailProtection

                                                                                                                            func OptIssueTypeEmailProtection() IssueOption

                                                                                                                              OptIssueTypeEmailProtection configures the certificate to be issued to be a email protection certificate. This option can be combined with other OptIssueType*.

                                                                                                                              func OptIssueTypeServerAuth

                                                                                                                              func OptIssueTypeServerAuth() IssueOption

                                                                                                                                OptIssueTypeServerAuth configures the certificate to be issued to be a server certificate. This option can be combined with other OptIssueType*.

                                                                                                                                func OptIssueValidity

                                                                                                                                func OptIssueValidity(notBefore time.Time, notAfter time.Time) IssueOption

                                                                                                                                  OptIssueValidity sets the validity of the certificate to be issued. By default, the certificate is valid from the time it has been created for 1 year.

                                                                                                                                  type PrivateKeyGenerator

                                                                                                                                  type PrivateKeyGenerator func() (crypto.PrivateKey, error)

                                                                                                                                    PrivateKeyGenerator is the type of function that can generate a crypto.PrivateKey.

                                                                                                                                    Directories

                                                                                                                                    Path Synopsis