Documentation ¶
Index ¶
- Constants
- Variables
- func JoinPEMs(pems ...string) string
- func ResolveCertOptions(createOptions *CertOptions, options ...CertOption) error
- type CertBundle
- func CreateCertificateAuthority(options ...CertOption) (*CertBundle, error)
- func CreateClient(commonName string, ca *CertBundle, options ...CertOption) (*CertBundle, error)
- func CreateServer(commonName string, ca *CertBundle, options ...CertOption) (*CertBundle, error)
- func NewCertBundle(keyPair KeyPair) (*CertBundle, error)
- func (cb CertBundle) CertPEM() ([]byte, error)
- func (cb CertBundle) CertPool() (*x509.CertPool, error)
- func (cb CertBundle) CommonNames() ([]string, error)
- func (cb *CertBundle) GenerateKeyPair() (output KeyPair, err error)
- func (cb CertBundle) KeyPEM() ([]byte, error)
- func (cb *CertBundle) MustGenerateKeyPair() KeyPair
- func (cb CertBundle) TLSConfig() (*tls.Config, error)
- func (cb *CertBundle) WithParent(parent *CertBundle)
- func (cb CertBundle) WriteCertChainPem(w io.Writer) error
- func (cb CertBundle) WriteCertPartialPem(w io.Writer) error
- func (cb CertBundle) WriteCertPem(w io.Writer) error
- func (cb CertBundle) WriteCertPemPath(path string) error
- func (cb CertBundle) WriteKeyPem(w io.Writer) error
- func (cb CertBundle) WriteKeyPemPath(path string) error
- type CertOption
- func OptAddDNSNames(dnsNames ...string) CertOption
- func OptDNSNames(dnsNames ...string) CertOption
- func OptIPSANs(ipAddresses ...string) CertOption
- func OptIsCA(isCA bool) CertOption
- func OptIssuerCommonName(commonName string) CertOption
- func OptIssuerCountry(country ...string) CertOption
- func OptIssuerLocality(locality ...string) CertOption
- func OptIssuerOrganization(organization ...string) CertOption
- func OptIssuerOrganizationalUnit(organizationalUnits ...string) CertOption
- func OptIssuerProvince(province ...string) CertOption
- func OptKeyUsage(keyUsage x509.KeyUsage) CertOption
- func OptNotAfter(notAfter time.Time) CertOption
- func OptNotBefore(notBefore time.Time) CertOption
- func OptPrivateKey(privateKey *rsa.PrivateKey) CertOption
- func OptPrivateKeyFromPath(path string) CertOption
- func OptSerialNumber(serialNumber *big.Int) CertOption
- func OptSubjectCommonName(commonName string) CertOption
- func OptSubjectCountry(country ...string) CertOption
- func OptSubjectKeyID(keyID []byte) CertOption
- func OptSubjectLocality(locality ...string) CertOption
- func OptSubjectOrganization(organization ...string) CertOption
- func OptSubjectOrganizationalUnit(organizationalUnits ...string) CertOption
- func OptSubjectProvince(province ...string) CertOption
- type CertOptions
- type KeyPair
- func (kp KeyPair) CertBytes() ([]byte, error)
- func (kp KeyPair) IsCertPath() bool
- func (kp KeyPair) IsKeyPath() bool
- func (kp KeyPair) IsZero() bool
- func (kp KeyPair) KeyBytes() ([]byte, error)
- func (kp KeyPair) String() (output string)
- func (kp KeyPair) TLSCertificate() (cert tls.Certificate, err error)
- func (kp KeyPair) TLSCertificateWithLeaf() (cert tls.Certificate, err error)
- func (kp KeyPair) TLSConfig() (*tls.Config, error)
Constants ¶
// PEM block type labels (the <type> in "-----BEGIN <type>-----") used for
// the certificate and private key halves of a key pair. "RSA PRIVATE KEY"
// is the PKCS #1 label, i.e. the key is stored in the clear inside the PEM.
// NOTE(review): because the key is unencrypted, anything written with this
// block type needs restrictive file permissions — confirm how
// WriteKeyPemPath creates the file.
const (
	BlockTypeCertificate   = "CERTIFICATE"
	BlockTypeRSAPrivateKey = "RSA PRIVATE KEY"
)
BlockTypes
// NotAfter defaults, in years from creation time. They are consumed by the
// NotAfterProvider funcs of the DefaultOptions* variables: a CA lives
// longest, a server cert a medium term, and a client cert only one year.
const (
	DefaultCANotAfterYears     = 10
	DefaultClientNotAfterYears = 1
	DefaultServerNotAfterYears = 5
)
NotAfter defaults, expressed in years.
Variables ¶
// DefaultOptionsCertificateAuthority are the default options for certificate
// authorities. The template marks the cert as a CA that may sign other
// certificates (IsCA plus KeyUsageCertSign); BasicConstraintsValid is
// required for the basic-constraints extension to be emitted at all.
// No MaxPathLen is set, so the CA is not constrained from signing
// intermediates that are themselves CAs.
var DefaultOptionsCertificateAuthority = CertOptions{
	Certificate: x509.Certificate{
		IsCA: true,
		KeyUsage: x509.KeyUsageKeyEncipherment |
			x509.KeyUsageDigitalSignature |
			x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	},
	// A func rather than a fixed time so the expiry is computed relative to
	// when the provider is called, not when the package is initialised.
	NotAfterProvider: func() time.Time {
		return time.Now().UTC().AddDate(DefaultCANotAfterYears, 0, 0)
	},
}
DefaultOptionsCertificateAuthority are the default options for certificate authorities.
// DefaultOptionsClient are the default create cert options for client
// certificates: extended key usage restricted to client authentication and
// key usage limited to digital signature, with the shortest default
// lifetime of the three templates (DefaultClientNotAfterYears).
var DefaultOptionsClient = CertOptions{
	Certificate: x509.Certificate{
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage:    x509.KeyUsageDigitalSignature,
	},
	// Computed when called so the expiry is relative to creation time.
	NotAfterProvider: func() time.Time {
		return time.Now().UTC().AddDate(DefaultClientNotAfterYears, 0, 0)
	},
}
DefaultOptionsClient are the default create cert options for client certificates.
// DefaultOptionsServer are the default create cert options for server
// certificates: extended key usage restricted to server authentication and
// key usage limited to digital signature. DigitalSignature alone suits
// (EC)DHE key exchange; RSA key transport would additionally need
// KeyUsageKeyEncipherment, which this template deliberately omits.
var DefaultOptionsServer = CertOptions{
	Certificate: x509.Certificate{
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		KeyUsage:    x509.KeyUsageDigitalSignature,
	},
	// Computed when called so the expiry is relative to creation time.
	NotAfterProvider: func() time.Time {
		return time.Now().UTC().AddDate(DefaultServerNotAfterYears, 0, 0)
	},
}
DefaultOptionsServer are the default create cert options for server certificates.
Functions ¶
func JoinPEMs ¶
JoinPEMs appends pem blocks together with newlines.
Each pem block will have `strings.TrimSpace()` called on it.
Usage note: you should add pems in the following order: leaf, then intermediate, then root. It's a little baffling; it is basically the other way around from what you'd probably think.
func ResolveCertOptions ¶
func ResolveCertOptions(createOptions *CertOptions, options ...CertOption) error
ResolveCertOptions resolves the common create cert options.
Types ¶
type CertBundle ¶
// CertBundle is the packet of information for a certificate: the RSA key
// pair together with the parsed certificates and their DER encodings.
// NOTE(review): Certificates and CertificateDERs are presumably parallel
// slices (index i of one corresponds to index i of the other) — confirm
// against NewCertBundle and WithParent.
type CertBundle struct {
	PrivateKey      *rsa.PrivateKey
	PublicKey       *rsa.PublicKey
	Certificates    []x509.Certificate
	CertificateDERs [][]byte
}
CertBundle is the packet of information for a certificate.
func CreateCertificateAuthority ¶
func CreateCertificateAuthority(options ...CertOption) (*CertBundle, error)
CreateCertificateAuthority creates a CA cert bundle from a given set of options. The resulting cert bundle can then be used to generate client and server certificates.
func CreateClient ¶
func CreateClient(commonName string, ca *CertBundle, options ...CertOption) (*CertBundle, error)
CreateClient creates a client cert bundle associated with a given common name.
The CA must be passed in as a CertBundle.
Example:
ca, err := certutil.NewCertBundle(certutil.KeyPairFromPaths("ca.crt", "ca.key"))
if err != nil {
	return err
}
client, err := CreateClient("foo.bar.com", ca)
func CreateServer ¶
func CreateServer(commonName string, ca *CertBundle, options ...CertOption) (*CertBundle, error)
CreateServer creates a server cert bundle associated with a given common name. The CA must be passed in as a CertBundle.
func NewCertBundle ¶
func NewCertBundle(keyPair KeyPair) (*CertBundle, error)
NewCertBundle returns a new cert bundle from a given key pair. The key pair can hold either the raw PEM-encoded contents of the public and private key portions of the cert, or paths to files containing them. The resulting CertBundle holds the parsed public key, private key, and the individual certificates of the pair.
func (CertBundle) CertPEM ¶
func (cb CertBundle) CertPEM() ([]byte, error)
CertPEM returns the certificate DERs of the bundle, PEM-encoded, as a byte slice.
func (CertBundle) CertPool ¶
func (cb CertBundle) CertPool() (*x509.CertPool, error)
CertPool returns the bundle as a cert pool.
func (CertBundle) CommonNames ¶
func (cb CertBundle) CommonNames() ([]string, error)
CommonNames returns the cert bundle common name(s).
func (*CertBundle) GenerateKeyPair ¶
func (cb *CertBundle) GenerateKeyPair() (output KeyPair, err error)
GenerateKeyPair returns a serialized key pair for the cert bundle.
func (CertBundle) KeyPEM ¶
func (cb CertBundle) KeyPEM() ([]byte, error)
KeyPEM returns the private key of the bundle, PEM-encoded, as a byte slice.
func (*CertBundle) MustGenerateKeyPair ¶
func (cb *CertBundle) MustGenerateKeyPair() KeyPair
MustGenerateKeyPair returns a serialized version of the bundle as a key pair and panics if there is an error.
func (CertBundle) TLSConfig ¶
func (cb CertBundle) TLSConfig() (*tls.Config, error)
TLSConfig returns a tls.Config for this bundle as a server certificate.
func (*CertBundle) WithParent ¶
func (cb *CertBundle) WithParent(parent *CertBundle)
WithParent adds a parent certificate to the certificate chain. It is typically used to add the certificate authority.
func (CertBundle) WriteCertChainPem ¶
func (cb CertBundle) WriteCertChainPem(w io.Writer) error
WriteCertChainPem writes the public key portion of the cert to a given writer.
func (CertBundle) WriteCertPartialPem ¶
func (cb CertBundle) WriteCertPartialPem(w io.Writer) error
WriteCertPartialPem writes the public key portion of the cert to a given writer.
func (CertBundle) WriteCertPem ¶
func (cb CertBundle) WriteCertPem(w io.Writer) error
WriteCertPem writes the public key portion of the cert to a given writer.
func (CertBundle) WriteCertPemPath ¶
func (cb CertBundle) WriteCertPemPath(path string) error
WriteCertPemPath writes the public key portion of the cert to a given path.
func (CertBundle) WriteKeyPem ¶
func (cb CertBundle) WriteKeyPem(w io.Writer) error
WriteKeyPem writes the certificate's private key as PEM to a given writer.
func (CertBundle) WriteKeyPemPath ¶
func (cb CertBundle) WriteKeyPemPath(path string) error
WriteKeyPemPath writes the certificate's private key as PEM to a given path.
type CertOption ¶
// CertOption is an option for creating certs. Each option mutates the
// CertOptions being resolved and returns an error if it cannot be applied
// (for example when a key file cannot be read); ResolveCertOptions applies
// options in order and surfaces that error.
type CertOption func(*CertOptions) error
CertOption is an option for creating certs.
func OptAddDNSNames ¶
func OptAddDNSNames(dnsNames ...string) CertOption
OptAddDNSNames adds valid DNS names (subject alternative names) for the cert.
func OptDNSNames ¶
func OptDNSNames(dnsNames ...string) CertOption
OptDNSNames sets the valid DNS names (subject alternative names) for the cert.
func OptIPSANs ¶
func OptIPSANs(ipAddresses ...string) CertOption
OptIPSANs sets the valid IP subject alternative names (SANs) for the cert.
func OptIssuerCommonName ¶
func OptIssuerCommonName(commonName string) CertOption
OptIssuerCommonName sets the issuer common name.
func OptIssuerCountry ¶
func OptIssuerCountry(country ...string) CertOption
OptIssuerCountry sets the issuer country names.
func OptIssuerLocality ¶
func OptIssuerLocality(locality ...string) CertOption
OptIssuerLocality sets the issuer locality names.
func OptIssuerOrganization ¶
func OptIssuerOrganization(organization ...string) CertOption
OptIssuerOrganization sets the issuer organization names.
func OptIssuerOrganizationalUnit ¶
func OptIssuerOrganizationalUnit(organizationalUnits ...string) CertOption
OptIssuerOrganizationalUnit sets the issuer organizational unit names.
func OptIssuerProvince ¶
func OptIssuerProvince(province ...string) CertOption
OptIssuerProvince sets the issuer province names.
func OptKeyUsage ¶
func OptKeyUsage(keyUsage x509.KeyUsage) CertOption
OptKeyUsage sets the key usage flags.
func OptNotAfter ¶
func OptNotAfter(notAfter time.Time) CertOption
OptNotAfter sets the not after time.
func OptNotBefore ¶
func OptNotBefore(notBefore time.Time) CertOption
OptNotBefore sets the not before time.
func OptPrivateKey ¶
func OptPrivateKey(privateKey *rsa.PrivateKey) CertOption
OptPrivateKey sets the private key to use when generating the certificate. If this option isn't provided, a new one is generated.
func OptPrivateKeyFromPath ¶
func OptPrivateKeyFromPath(path string) CertOption
OptPrivateKeyFromPath reads a private key from a given path and parses it as a PKCS #1 RSA private key.
func OptSerialNumber ¶
func OptSerialNumber(serialNumber *big.Int) CertOption
OptSerialNumber sets the serial number for the certificate. If this option isn't provided, a random one is generated.
func OptSubjectCommonName ¶
func OptSubjectCommonName(commonName string) CertOption
OptSubjectCommonName sets the subject common name.
func OptSubjectCountry ¶
func OptSubjectCountry(country ...string) CertOption
OptSubjectCountry sets the subject country names.
func OptSubjectKeyID ¶
func OptSubjectKeyID(keyID []byte) CertOption
OptSubjectKeyID sets the subject key id.
func OptSubjectLocality ¶
func OptSubjectLocality(locality ...string) CertOption
OptSubjectLocality sets the subject locality names.
func OptSubjectOrganization ¶
func OptSubjectOrganization(organization ...string) CertOption
OptSubjectOrganization sets the subject organization names.
func OptSubjectOrganizationalUnit ¶
func OptSubjectOrganizationalUnit(organizationalUnits ...string) CertOption
OptSubjectOrganizationalUnit sets the subject organizational unit names.
func OptSubjectProvince ¶
func OptSubjectProvince(province ...string) CertOption
OptSubjectProvince sets the subject province names.
type CertOptions ¶
// CertOptions are required arguments when creating certificates.
// The embedded x509.Certificate holds the fields the Opt* helpers set
// (subject, issuer, SANs, key usage, validity, serial number, ...).
// PrivateKey, when non-nil, is used instead of generating a fresh key
// (see OptPrivateKey). NotBeforeProvider and NotAfterProvider supply the
// validity window as funcs; the DefaultOptions* variables use this to
// compute expiry relative to time.Now() — presumably at creation time.
type CertOptions struct {
	x509.Certificate
	PrivateKey        *rsa.PrivateKey
	NotBeforeProvider func() time.Time
	NotAfterProvider  func() time.Time
}
CertOptions are required arguments when creating certificates.
type KeyPair ¶
// KeyPair is an x509 PEM key pair as strings. Each half can be supplied
// inline (Cert/Key), presumably as base64 of the PEM (CertBase64/KeyBase64),
// or as a file path (CertPath/KeyPath); IsCertPath and IsKeyPath report
// which form is in use.
// NOTE(review): Key and KeyBase64 carry private key material in the clear
// and are serialised by the json/yaml tags below, so a KeyPair must be kept
// out of logs and config dumps — confirm that String() redacts them.
type KeyPair struct {
	Cert       string `json:"cert,omitempty" yaml:"cert,omitempty"`
	CertBase64 string `json:"certBase64,omitempty" yaml:"certBase64,omitempty"`
	CertPath   string `json:"certPath,omitempty" yaml:"certPath,omitempty"`
	Key        string `json:"key,omitempty" yaml:"key,omitempty"`
	KeyBase64  string `json:"keyBase64,omitempty" yaml:"keyBase64,omitempty"`
	KeyPath    string `json:"keyPath,omitempty" yaml:"keyPath,omitempty"`
}
KeyPair is an x509 PEM key pair held as strings.
func NewKeyPairFromPaths ¶
NewKeyPairFromPaths returns a key pair from the given cert and key file paths.
func (KeyPair) IsCertPath ¶
IsCertPath reports whether the key pair's cert is given as a file path.
func (KeyPair) TLSCertificate ¶
func (kp KeyPair) TLSCertificate() (cert tls.Certificate, err error)
TLSCertificate returns the KeyPair as a tls.Certificate.
func (KeyPair) TLSCertificateWithLeaf ¶
func (kp KeyPair) TLSCertificateWithLeaf() (cert tls.Certificate, err error)
TLSCertificateWithLeaf returns the KeyPair as a tls.Certificate.