Documentation
Overview ¶
Package crypto contains functionality for dealing with X509 certificates and cryptography.
Logging is performed through the use of the go.imperva.dev/logger module. This module utilizes the global logger object to log messages.
Index ¶
- func DecodePEMBlockFromFile(file string) (*pem.Block, error)
- func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)
- func DecryptString(ciphertext, key string) (string, error)
- func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)
- func EncryptString(plaintext, key string) (string, error)
- func IsEncryptedPEMBlock(b *pem.Block) bool
- func NewSelfSignedCertificateKeyPair(template *x509.Certificate, keyBits int) ([]byte, []byte, error)
- func ParsePEMCertificateBytes(contents []byte) ([]*x509.Certificate, error)
- func ParsePEMCertificateFile(file string) ([]*x509.Certificate, error)
- func ParsePEMPrivateKeyBytes(contents []byte, password []byte) (*rsa.PrivateKey, error)
- func ParsePEMPrivateKeyFile(file string, password []byte) (*rsa.PrivateKey, error)
- func ParsePublicKeyFromCertificate(cert *x509.Certificate) (*rsa.PublicKey, error)
- func Sign(contents []byte, privateKey *rsa.PrivateKey) ([]byte, error)
- func ValidateCertificate(cert *x509.Certificate, roots *CertificatePool, intermediates *CertificatePool, ...) error
- func Verify(contents, signature []byte, publicKey *rsa.PublicKey) error
- type CertificatePool
- type PEMCipher
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DecodePEMBlockFromFile ¶
func DecodePEMBlockFromFile(file string) (*pem.Block, error)
DecodePEMBlockFromFile loads a file into memory and decodes the PEM data it contains into a PEM block.
func DecryptPEMBlock ¶
func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)
DecryptPEMBlock takes a PEM block encrypted according to RFC 1423 and the password used to encrypt it, and returns a slice of decrypted DER-encoded bytes.
It inspects the DEK-Info header to determine the algorithm used for decryption. If no DEK-Info header is present, an error is returned. If an incorrect password is detected an IncorrectPasswordError is returned. Because of deficiencies in the format, it's not always possible to detect an incorrect password. In these cases no error will be returned but the decrypted DER bytes will be random noise.
func DecryptString ¶
func DecryptString(ciphertext, key string) (string, error)
DecryptString decrypts the given block of ciphertext that was encrypted using the EncryptString() function.
If the string was encrypted using a random key generated by EncryptString(), leave the key empty.
func EncryptPEMBlock ¶
func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)
EncryptPEMBlock returns a PEM block of the specified type holding the given DER-encoded data, encrypted with the specified algorithm and password according to RFC 1423.
RFC 1423 encryption does not authenticate the ciphertext (Go's standard library deprecated its equivalent x509.EncryptPEMBlock and x509.DecryptPEMBlock for this reason), so use it for compatibility with legacy key files rather than as protection for keys at rest.
func EncryptString ¶
func EncryptString(plaintext, key string) (string, error)
EncryptString encrypts the given string using the given key.
If the key is empty, a random key is generated and stored with the ciphertext. Because that key travels with the ciphertext, this mode gives no confidentiality against anyone who can read the ciphertext; treat it as obfuscation only and supply a key of your own when the data needs protecting.
func IsEncryptedPEMBlock ¶
func IsEncryptedPEMBlock(b *pem.Block) bool
IsEncryptedPEMBlock returns whether the PEM block is password-encrypted according to RFC 1423.
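The following is an added example, not code from this package, showing the RFC 1423 round trip that EncryptPEMBlock, IsEncryptedPEMBlock and DecryptPEMBlock correspond to, written against Go's standard library so it runs on its own. The helper names encryptKeyPEM and decryptKeyPEM, the cipher (AES-256-CBC) and the password are assumptions for illustration. Note that the stdlib x509.EncryptPEMBlock and x509.DecryptPEMBlock are deprecated because the format is unauthenticated, and that the decrypted DER is parsed as a second check for the wrong-password case the format cannot always detect.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// encryptKeyPEM wraps a PKCS#1 DER private key in an RFC 1423 encrypted PEM
// block (AES-256-CBC, a choice assumed for this example) and returns the
// PEM-encoded bytes, complete with Proc-Type and DEK-Info headers.
func encryptKeyPEM(key *rsa.PrivateKey, password []byte) ([]byte, error) {
	der := x509.MarshalPKCS1PrivateKey(key)
	// Deprecated in the stdlib: RFC 1423 encryption is unauthenticated.
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", der, password, x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

// decryptKeyPEM decodes the first PEM block, decrypts it when a DEK-Info
// header is present, and parses the DER as a PKCS#1 RSA private key.
func decryptKeyPEM(pemBytes, password []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	der := block.Bytes
	if x509.IsEncryptedPEMBlock(block) {
		if len(password) == 0 {
			return nil, errors.New("PEM block is encrypted but no password was supplied")
		}
		var err error
		der, err = x509.DecryptPEMBlock(block, password)
		if errors.Is(err, x509.IncorrectPasswordError) {
			return nil, fmt.Errorf("decrypting %s: %w", block.Headers["DEK-Info"], err)
		}
		if err != nil {
			return nil, err
		}
	}
	// A wrong password can pass the padding check and yield random bytes, so
	// a DER parse failure is the second line of defence.
	key, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, fmt.Errorf("decrypted data is not an RSA key (wrong password?): %w", err)
	}
	return key, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	password := []byte("correct horse battery staple") // constructed for the example
	pemBytes, err := encryptKeyPEM(key, password)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted PEM is %d bytes\n", len(pemBytes))
	if _, err := decryptKeyPEM(pemBytes, []byte("wrong")); err != nil {
		fmt.Println("wrong password rejected:", err)
	}
	recovered, err := decryptKeyPEM(pemBytes, password)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", recovered.D.Cmp(key.D) == 0)
}
```

The DEK-Info header carries the cipher name and IV, so decryptKeyPEM can report which algorithm failed without leaking the password.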
func NewSelfSignedCertificateKeyPair ¶ added in v0.1.1
func NewSelfSignedCertificateKeyPair(template *x509.Certificate, keyBits int) ([]byte, []byte, error)
NewSelfSignedCertificateKeyPair creates a new self-signed certificate using the given template and returns the public certificate and private key, respectively, on success.
func ParsePEMCertificateBytes ¶
func ParsePEMCertificateBytes(contents []byte) ([]*x509.Certificate, error)
ParsePEMCertificateBytes takes a PEM-formatted byte string and converts it into one or more X509 certificates.
func ParsePEMCertificateFile ¶
func ParsePEMCertificateFile(file string) ([]*x509.Certificate, error)
ParsePEMCertificateFile takes a PEM-formatted file and converts it into one or more X509 certificates.
func ParsePEMPrivateKeyBytes ¶
func ParsePEMPrivateKeyBytes(contents []byte, password []byte) (*rsa.PrivateKey, error)
ParsePEMPrivateKeyBytes takes a PEM-formatted byte string and converts it into an RSA private key.
If the private key is encrypted, be sure to include a password or else this function will return an error. If no password is required, you can safely pass nil for the password.
func ParsePEMPrivateKeyFile ¶
func ParsePEMPrivateKeyFile(file string, password []byte) (*rsa.PrivateKey, error)
ParsePEMPrivateKeyFile takes a PEM-formatted file and converts it into an RSA private key.
If the private key is encrypted, be sure to include a password or else this function will return an error. If no password is required, you can safely pass nil for the password.
func ParsePublicKeyFromCertificate ¶
func ParsePublicKeyFromCertificate(cert *x509.Certificate) (*rsa.PublicKey, error)
ParsePublicKeyFromCertificate parses the RSA public key portion from an X509 certificate.
func Sign ¶
func Sign(contents []byte, privateKey *rsa.PrivateKey) ([]byte, error)
Sign hashes the contents and generates a signature over them using the given RSA private key.
Use ParsePEMPrivateKeyFile() or ParsePEMPrivateKeyBytes() to load a PEM-formatted private key, supplying the password if the key is encrypted. Alternatively, obtain the PEM block with DecodePEMBlockFromFile() and, if it is encrypted, decrypt it with DecryptPEMBlock() before parsing the key.
Use the Verify() function to verify the signature produced for the content.
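An added example (not the package's own code) of the load, sign and verify sequence described for Sign and Verify, using Go's standard library. The hash (SHA-256) and scheme (RSASSA-PKCS1-v1_5) are assumptions, since the page does not name the ones the package uses; the helper names parsePEMPrivateKey, sign, verify and privateKeyToPEM are also illustrative. Verify recomputes the same digest as Sign, so the example also shows the failure you get when either the contents or the key differs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// parsePEMPrivateKey converts an unencrypted PKCS#1 "RSA PRIVATE KEY" PEM
// block into a usable key; an encrypted block must be decrypted first.
func parsePEMPrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("expected an RSA PRIVATE KEY PEM block")
	}
	if block.Headers["DEK-Info"] != "" {
		return nil, errors.New("PEM block is encrypted; decrypt it before parsing")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// privateKeyToPEM is the inverse of parsePEMPrivateKey and is used only to
// construct the sample input for this example.
func privateKeyToPEM(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// sign hashes contents with SHA-256 and signs the digest with
// RSASSA-PKCS1-v1_5 (hash and scheme assumed for this example).
func sign(contents []byte, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(contents)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verify recomputes the same digest and checks the signature with the
// public key; any change to contents, signature or key makes it fail.
func verify(contents, signature []byte, pub *rsa.PublicKey) error {
	digest := sha256.Sum256(contents)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	loaded, err := parsePEMPrivateKey(privateKeyToPEM(key))
	if err != nil {
		panic(err)
	}
	msg := []byte("release-1.2.3.tar.gz built 2024-01-01") // constructed sample content
	sig, err := sign(msg, loaded)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", verify(msg, sig, &loaded.PublicKey) == nil)
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 0x01
	fmt.Println("tampered verifies:", verify(tampered, sig, &loaded.PublicKey) == nil)
}
```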
func ValidateCertificate ¶
func ValidateCertificate(cert *x509.Certificate, roots *CertificatePool, intermediates *CertificatePool, keyUsages []x509.ExtKeyUsage, cn string) error
ValidateCertificate verifies that the given certificate chains to a trusted root and passes the optional extended-key-usage and common-name checks described below.
If the certificate was signed with a key that is not trusted by the default system certificate pool, be sure to specify a root CA certificate pool and, if necessary, an intermediate pool containing the certificates required to verify the chain.
If you wish to match against specific X509 extended key usages such as verifying the signing key has the Code Signing key usage, pass those fields in the keyUsages parameter.
If you wish to verify the subject common name (CN) of the certificate, specify a non-empty string for the cn parameter. This is an exact, case-sensitive string comparison against the subject CN; it is not hostname verification against the certificate's Subject Alternative Names.
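An added example (not the package's own code) that builds the situation ValidateCertificate is written for: a private root CA, which is the template-based self-signed certificate NewSelfSignedCertificateKeyPair produces, a code-signing leaf issued under it, and a validation routine that applies the roots, intermediates, keyUsages and cn checks with Go's standard library x509.CertPool and Verify. The helper names newSelfSignedCA, issueLeaf and validateCertificate, the CA and leaf names, and the decision to treat an empty keyUsages as "any usage" are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCA generates a key and a self-signed CA certificate from a
// template, the stdlib equivalent of a self-signed certificate/key pair.
func newSelfSignedCA(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA sign an end-entity certificate carrying the given
// extended key usages; the leaf's own key is not needed for validation.
func issueLeaf(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validateCertificate applies the checks the page describes: chain building
// against roots (nil means the system pool) and intermediates, extended key
// usage, and an exact, case-sensitive subject CN comparison.
func validateCertificate(cert *x509.Certificate, roots, intermediates *x509.CertPool, keyUsages []x509.ExtKeyUsage, cn string) error {
	if cert == nil {
		return errors.New("nil certificate")
	}
	if len(keyUsages) == 0 {
		// Go treats an empty KeyUsages as ServerAuth, which would silently
		// reject a code-signing certificate; make "no filter" explicit instead.
		keyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: keyUsages}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if cn != "" && cert.Subject.CommonName != cn {
		return fmt.Errorf("subject CN %q does not match expected %q", cert.Subject.CommonName, cn)
	}
	return nil
}

func main() {
	ca, caKey, err := newSelfSignedCA("Example Root CA") // constructed names
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf(ca, caKey, "build-signer", []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("code signing, CN ok:", validateCertificate(leaf, roots, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, "build-signer"))
	fmt.Println("server auth required:", validateCertificate(leaf, roots, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ""))
	fmt.Println("untrusted root:", validateCertificate(leaf, x509.NewCertPool(), nil, nil, ""))
}
```

Passing nil for roots hands the decision to the system trust store, so a private CA such as the one above must be placed in an explicit pool or validation fails with an unknown-authority error.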
func Verify ¶
func Verify(contents, signature []byte, publicKey *rsa.PublicKey) error
Verify validates that the given contents have not been altered by checking them against the signature and public key provided.
Use the Sign() function to create the signature used by this function to ensure the same hashing algorithm is applied.
Types ¶
type CertificatePool ¶
CertificatePool stores X509 certificates.
func NewCertificatePool ¶
func NewCertificatePool(emptyPool bool) (*CertificatePool, error)
NewCertificatePool creates a new CertificatePool object.
If emptyPool is true, the returned pool is empty; otherwise it contains a copy of all of the system's trusted root certificates.
func (*CertificatePool) AddPEMCertificatesFromFile ¶
func (p *CertificatePool) AddPEMCertificatesFromFile(file string) error
AddPEMCertificatesFromFile adds one or more PEM-formatted certificates from a file to the certificate pool.