x509util

package
Version: v0.17.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 14, 2022 License: Apache-2.0 Imports: 24 Imported by: 17

Documentation

Overview

Package x509util implements utilities to build X.509 certificates based on JSON templates.

Index

Constants

View Source
const (
	MD2WithRSA       = "MD2-RSA"
	MD5WithRSA       = "MD5-RSA"
	SHA1WithRSA      = "SHA1-RSA"
	SHA256WithRSA    = "SHA256-RSA"
	SHA384WithRSA    = "SHA384-RSA"
	SHA512WithRSA    = "SHA512-RSA"
	DSAWithSHA1      = "DSA-SHA1"
	DSAWithSHA256    = "DSA-SHA256"
	ECDSAWithSHA1    = "ECDSA-SHA1"
	ECDSAWithSHA256  = "ECDSA-SHA256"
	ECDSAWithSHA384  = "ECDSA-SHA384"
	ECDSAWithSHA512  = "ECDSA-SHA512"
	SHA256WithRSAPSS = "SHA256-RSAPSS"
	SHA384WithRSAPSS = "SHA384-RSAPSS"
	SHA512WithRSAPSS = "SHA512-RSAPSS"
	PureEd25519      = "Ed25519"
)

List of signature algorithms.

View Source
const (
	AutoType  = "auto"
	DNSType   = "dns"
	EmailType = "email"
	IPType    = "ip"
	URIType   = "uri"
)

Names used and SubjectAlternativeNames types.

View Source
const (
	SubjectKey            = "Subject"
	SANsKey               = "SANs"
	TokenKey              = "Token"
	InsecureKey           = "Insecure"
	UserKey               = "User"
	CertificateRequestKey = "CR"
	AuthorizationCrtKey   = "AuthorizationCrt"
	AuthorizationChainKey = "AuthorizationChain"
)

Variables used to hold template data.

View Source
const CertificateRequestTemplate = `{{ toJson .Insecure.CR }}`

CertificateRequestTemplate is a template that will sign the given certificate request.

View Source
const DefaultAdminLeafTemplate = `` /* 470-byte string literal not displayed */

DefaultAdminLeafTemplate is a template used by default by K8sSA and admin-OIDC provisioners. This template takes all the SANs and subject from the certificate request.

View Source
const DefaultCertificateRequestTemplate = `{
	"subject": {{ toJson .Subject }},
	"sans": {{ toJson .SANs }}
}`

DefaultCertificateRequestTemplate is the templated used by default when creating a new certificate request.

View Source
const DefaultIIDLeafTemplate = `` /* 565-byte string literal not displayed */

DefaultIIDLeafTemplate is the template used by default on instance identity provisioners like AWS, GCP or Azure. By default, those provisioners allow the SANs provided in the certificate request, but the option `DisableCustomSANs` can be provided to force only the verified domains, if the option is true `.SANs` will be set with the verified domains.

View Source
const DefaultIntermediateTemplate = `` /* 136-byte string literal not displayed */

DefaultIntermediateTemplate is a template that can be used to generate an intermediate certificate.

View Source
const DefaultLeafTemplate = `` /* 281-byte string literal not displayed */

DefaultLeafTemplate is the default template used to generate a leaf certificate.

View Source
const DefaultRootTemplate = `` /* 170-byte string literal not displayed */

DefaultRootTemplate is a template that can be used to generate a root certificate.

Variables

View Source
var (
	KeyUsageDigitalSignature  = convertName("DigitalSignature")
	KeyUsageContentCommitment = convertName("ContentCommitment")
	KeyUsageKeyEncipherment   = convertName("KeyEncipherment")
	KeyUsageDataEncipherment  = convertName("DataEncipherment")
	KeyUsageKeyAgreement      = convertName("KeyAgreement")
	KeyUsageCertSign          = convertName("CertSign")
	KeyUsageCRLSign           = convertName("CRLSign")
	KeyUsageEncipherOnly      = convertName("EncipherOnly")
	KeyUsageDecipherOnly      = convertName("DecipherOnly")
)

Names used for key usages.

View Source
var (
	ExtKeyUsageAny                            = convertName("Any")
	ExtKeyUsageServerAuth                     = convertName("ServerAuth")
	ExtKeyUsageClientAuth                     = convertName("ClientAuth")
	ExtKeyUsageCodeSigning                    = convertName("CodeSigning")
	ExtKeyUsageEmailProtection                = convertName("EmailProtection")
	ExtKeyUsageIPSECEndSystem                 = convertName("IPSECEndSystem")
	ExtKeyUsageIPSECTunnel                    = convertName("IPSECTunnel")
	ExtKeyUsageIPSECUser                      = convertName("IPSECUser")
	ExtKeyUsageTimeStamping                   = convertName("TimeStamping")
	ExtKeyUsageOCSPSigning                    = convertName("OCSPSigning")
	ExtKeyUsageMicrosoftServerGatedCrypto     = convertName("MicrosoftServerGatedCrypto")
	ExtKeyUsageNetscapeServerGatedCrypto      = convertName("NetscapeServerGatedCrypto")
	ExtKeyUsageMicrosoftCommercialCodeSigning = convertName("MicrosoftCommercialCodeSigning")
	ExtKeyUsageMicrosoftKernelCodeSigning     = convertName("MicrosoftKernelCodeSigning")
)

Names used for extended key usages.

Functions

func CreateCertificate

func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error)

CreateCertificate signs the given template using the parent private key and returns it.

func CreateCertificateRequest

func CreateCertificateRequest(commonName string, sans []string, signer crypto.Signer) (*x509.CertificateRequest, error)

CreateCertificateRequest creates a simple X.509 certificate request with the given common name and sans.

func CreateCertificateTemplate added in v0.7.0

func CreateCertificateTemplate(cr *x509.CertificateRequest) (*x509.Certificate, error)

CreateCertificateTemplate creates a X.509 certificate template from the given certificate request.

func EncodedFingerprint added in v0.1.1

func EncodedFingerprint(cert *x509.Certificate, encoding FingerprintEncoding) string

EncodedFingerprint returns an encoded the SHA-256 fingerprint of the certificate using the specified encoding. In an invalid encoding is passed, the return value will be an empty string.

func Fingerprint added in v0.1.1

func Fingerprint(cert *x509.Certificate) string

Fingerprint returns the SHA-256 fingerprint of the certificate.

func ReadCertPool added in v0.8.2

func ReadCertPool(path string) (*x509.CertPool, error)

ReadCertPool loads a certificate pool from disk. The given path can be a file, a directory, or a comma-separated list of files.

func SplitSANs

func SplitSANs(sans []string) (dnsNames []string, ips []net.IP, emails []string, uris []*url.URL)

SplitSANs splits a slice of Subject Alternative Names into slices of IP Addresses and DNS Names. If an element is not an IP address, then it is bucketed as a DNS Name.

Types

type AuthorityKeyID

type AuthorityKeyID []byte

AuthorityKeyID represents the binary value of the authority key identifier extension. It should be the subject key identifier of the parent certificate. In JSON this value should be a base64-encoded string, and in most cases it should not be set, as it will be automatically provided.

func (AuthorityKeyID) Set

func (id AuthorityKeyID) Set(c *x509.Certificate)

Set sets the authority key identifier to the given certificate.

type BasicConstraints

type BasicConstraints struct {
	IsCA       bool `json:"isCA"`
	MaxPathLen int  `json:"maxPathLen"`
}

BasicConstraints represents the X509 basic constraints extension and defines if a certificate is a CA and then maximum depth of valid certification paths that include the certificate. A MaxPathLen of zero indicates that no non- self-issued intermediate CA certificates may follow in a valid certification path. To do not impose a limit the MaxPathLen should be set to -1.

func (BasicConstraints) Set

func (b BasicConstraints) Set(c *x509.Certificate)

Set sets the basic constraints to the given certificate.

type CRLDistributionPoints

type CRLDistributionPoints MultiString

CRLDistributionPoints contains the list of CRL distribution points that will be encoded in the CRL distribution points extension.

func (CRLDistributionPoints) Set

Set sets the CRL distribution points to the given certificate.

func (*CRLDistributionPoints) UnmarshalJSON

func (u *CRLDistributionPoints) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface in CRLDistributionPoints.

type Certificate

type Certificate struct {
	Version               int                      `json:"version"`
	Subject               Subject                  `json:"subject"`
	Issuer                Issuer                   `json:"issuer"`
	SerialNumber          SerialNumber             `json:"serialNumber"`
	DNSNames              MultiString              `json:"dnsNames"`
	EmailAddresses        MultiString              `json:"emailAddresses"`
	IPAddresses           MultiIP                  `json:"ipAddresses"`
	URIs                  MultiURL                 `json:"uris"`
	SANs                  []SubjectAlternativeName `json:"sans"`
	Extensions            []Extension              `json:"extensions"`
	KeyUsage              KeyUsage                 `json:"keyUsage"`
	ExtKeyUsage           ExtKeyUsage              `json:"extKeyUsage"`
	UnknownExtKeyUsage    UnknownExtKeyUsage       `json:"unknownExtKeyUsage"`
	SubjectKeyID          SubjectKeyID             `json:"subjectKeyId"`
	AuthorityKeyID        AuthorityKeyID           `json:"authorityKeyId"`
	OCSPServer            OCSPServer               `json:"ocspServer"`
	IssuingCertificateURL IssuingCertificateURL    `json:"issuingCertificateURL"`
	CRLDistributionPoints CRLDistributionPoints    `json:"crlDistributionPoints"`
	PolicyIdentifiers     PolicyIdentifiers        `json:"policyIdentifiers"`
	BasicConstraints      *BasicConstraints        `json:"basicConstraints"`
	NameConstraints       *NameConstraints         `json:"nameConstraints"`
	SignatureAlgorithm    SignatureAlgorithm       `json:"signatureAlgorithm"`
	PublicKeyAlgorithm    x509.PublicKeyAlgorithm  `json:"-"`
	PublicKey             interface{}              `json:"-"`
}

Certificate is the JSON representation of a X.509 certificate. It is used to build a certificate from a template.

func NewCertificate

func NewCertificate(cr *x509.CertificateRequest, opts ...Option) (*Certificate, error)

NewCertificate creates a new Certificate from an x509.Certificate request and some template options.

func (*Certificate) GetCertificate

func (c *Certificate) GetCertificate() *x509.Certificate

GetCertificate returns the x509.Certificate representation of the certificate.

type CertificateRequest

type CertificateRequest struct {
	Version            int                      `json:"version"`
	Subject            Subject                  `json:"subject"`
	DNSNames           MultiString              `json:"dnsNames"`
	EmailAddresses     MultiString              `json:"emailAddresses"`
	IPAddresses        MultiIP                  `json:"ipAddresses"`
	URIs               MultiURL                 `json:"uris"`
	SANs               []SubjectAlternativeName `json:"sans"`
	Extensions         []Extension              `json:"extensions"`
	SignatureAlgorithm SignatureAlgorithm       `json:"signatureAlgorithm"`
	PublicKey          interface{}              `json:"-"`
	PublicKeyAlgorithm x509.PublicKeyAlgorithm  `json:"-"`
	Signature          []byte                   `json:"-"`
	Signer             crypto.Signer            `json:"-"`
}

CertificateRequest is the JSON representation of an X.509 certificate. It is used to build a certificate request from a template.

func NewCertificateRequest added in v0.4.0

func NewCertificateRequest(signer crypto.Signer, opts ...Option) (*CertificateRequest, error)

NewCertificateRequest creates a certificate request from a template.

func (*CertificateRequest) GetCertificate

func (c *CertificateRequest) GetCertificate() *Certificate

GetCertificate returns the Certificate representation of the CertificateRequest.

GetCertificate will not specify a SignatureAlgorithm, it's not possible to guarantee that the certificate signer can sign with the CertificateRequest SignatureAlgorithm.

func (*CertificateRequest) GetCertificateRequest added in v0.4.0

func (c *CertificateRequest) GetCertificateRequest() (*x509.CertificateRequest, error)

GetCertificateRequest returns the equivalent x509.CertificateRequest.

func (*CertificateRequest) GetLeafCertificate

func (c *CertificateRequest) GetLeafCertificate() *Certificate

GetLeafCertificate returns the Certificate representation of the CertificateRequest, including KeyUsage and ExtKeyUsage extensions.

GetLeafCertificate will not specify a SignatureAlgorithm, it's not possible to guarantee that the certificate signer can sign with the CertificateRequest SignatureAlgorithm.

type DistinguishedName added in v0.16.1

type DistinguishedName struct {
	Type  ObjectIdentifier `json:"type"`
	Value interface{}      `json:"value"`
}

DistinguishedName mirrors the ASN.1 structure AttributeTypeAndValue in RFC 5280, Section 4.1.2.4.

type ExtKeyUsage

type ExtKeyUsage []x509.ExtKeyUsage

ExtKeyUsage represents a JSON array of extended key usages.

func (ExtKeyUsage) Set

func (k ExtKeyUsage) Set(c *x509.Certificate)

Set sets the extended key usages in the given certificate.

func (*ExtKeyUsage) UnmarshalJSON

func (k *ExtKeyUsage) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface and coverts a string or a list of strings into a list of extended key usages.

type Extension

type Extension struct {
	ID       ObjectIdentifier `json:"id"`
	Critical bool             `json:"critical"`
	Value    []byte           `json:"value"`
}

Extension is the JSON representation of a raw X.509 extensions.

func (Extension) Set

func (e Extension) Set(c *x509.Certificate)

Set adds the extension to the given X509 certificate.

type FingerprintEncoding added in v0.1.1

type FingerprintEncoding int

FingerprintEncoding defines the supported encodigns in certificate fingerprints.

const (
	HexFingerprint FingerprintEncoding = iota
	Base64Fingerprint
	Base64UrlFingerprint
)

Supported fingerprint encodings.

type Issuer

type Issuer Name

Issuer is the JSON representation of the X.509 issuer field.

func (Issuer) Set

func (i Issuer) Set(c *x509.Certificate)

Set sets the issuer in the given certificate.

func (*Issuer) UnmarshalJSON

func (i *Issuer) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshal interface and unmarshals a JSON object in the Issuer struct or a string as just the subject common name.

type IssuingCertificateURL

type IssuingCertificateURL MultiString

IssuingCertificateURL contains the list of the issuing certificate url that will be encoded in the authority information access extension.

func (IssuingCertificateURL) Set

Set sets the list of issuing certificate urls to the given certificate.

func (*IssuingCertificateURL) UnmarshalJSON

func (u *IssuingCertificateURL) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface in IssuingCertificateURL.

type KeyUsage

type KeyUsage x509.KeyUsage

KeyUsage type represents the JSON array used to represent the key usages of a X509 certificate.

func (KeyUsage) Set

func (k KeyUsage) Set(c *x509.Certificate)

Set sets the key usage to the given certificate.

func (*KeyUsage) UnmarshalJSON

func (k *KeyUsage) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface and coverts a string or a list of strings into a key usage.

type MultiIP

type MultiIP []net.IP

MultiIP is a type used to unmarshal a JSON string or an array of strings into a []net.IP.

func (*MultiIP) UnmarshalJSON

func (m *MultiIP) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for MultiIP.

type MultiIPNet

type MultiIPNet []*net.IPNet

MultiIPNet is a type used to unmarshal a JSON string or an array of strings into a []*net.IPNet.

func (MultiIPNet) MarshalJSON

func (m MultiIPNet) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for MultiIPNet.

func (*MultiIPNet) UnmarshalJSON

func (m *MultiIPNet) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for MultiIPNet.

type MultiObjectIdentifier

type MultiObjectIdentifier []asn1.ObjectIdentifier

MultiObjectIdentifier is a type used to unmarshal a JSON string or an array of strings into a []asn1.ObjectIdentifier.

func (MultiObjectIdentifier) MarshalJSON

func (m MultiObjectIdentifier) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for MultiObjectIdentifier.

func (*MultiObjectIdentifier) UnmarshalJSON

func (m *MultiObjectIdentifier) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for MultiObjectIdentifier.

type MultiString

type MultiString []string

MultiString is a type used to unmarshal a JSON string or an array of strings into a []string.

func (*MultiString) UnmarshalJSON

func (m *MultiString) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for MultiString.

type MultiURL

type MultiURL []*url.URL

MultiURL is a type used to unmarshal a JSON string or an array of strings into a []*url.URL.

func (MultiURL) MarshalJSON

func (m MultiURL) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for MultiURL.

func (*MultiURL) UnmarshalJSON

func (m *MultiURL) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for MultiURL.

type Name

type Name struct {
	Country            MultiString         `json:"country,omitempty"`
	Organization       MultiString         `json:"organization,omitempty"`
	OrganizationalUnit MultiString         `json:"organizationalUnit,omitempty"`
	Locality           MultiString         `json:"locality,omitempty"`
	Province           MultiString         `json:"province,omitempty"`
	StreetAddress      MultiString         `json:"streetAddress,omitempty"`
	PostalCode         MultiString         `json:"postalCode,omitempty"`
	SerialNumber       string              `json:"serialNumber,omitempty"`
	CommonName         string              `json:"commonName,omitempty"`
	ExtraNames         []DistinguishedName `json:"extraNames,omitempty"`
}

Name is the JSON representation of X.501 type Name, used in the X.509 subject and issuer fields.

func (*Name) UnmarshalJSON

func (n *Name) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshal interface and unmarshals a JSON object in the Name struct or a string as just the subject common name.

type NameConstraints

type NameConstraints struct {
	Critical                bool        `json:"critical"`
	PermittedDNSDomains     MultiString `json:"permittedDNSDomains"`
	ExcludedDNSDomains      MultiString `json:"excludedDNSDomains"`
	PermittedIPRanges       MultiIPNet  `json:"permittedIPRanges"`
	ExcludedIPRanges        MultiIPNet  `json:"excludedIPRanges"`
	PermittedEmailAddresses MultiString `json:"permittedEmailAddresses"`
	ExcludedEmailAddresses  MultiString `json:"excludedEmailAddresses"`
	PermittedURIDomains     MultiString `json:"permittedURIDomains"`
	ExcludedURIDomains      MultiString `json:"excludedURIDomains"`
}

NameConstraints represents the X509 Name constraints extension and defines a names space within which all subject names in subsequent certificates in a certificate path must be located. The name constraints extension must be used only in a CA.

func (NameConstraints) Set

func (n NameConstraints) Set(c *x509.Certificate)

Set sets the name constraints in the given certificate.

type OCSPServer

type OCSPServer MultiString

OCSPServer contains the list of OSCP servers that will be encoded in the authority information access extension.

func (OCSPServer) Set

func (o OCSPServer) Set(c *x509.Certificate)

Set sets the list of OSCP servers to the given certificate.

func (*OCSPServer) UnmarshalJSON

func (o *OCSPServer) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface in OCSPServer.

type ObjectIdentifier

type ObjectIdentifier asn1.ObjectIdentifier

ObjectIdentifier represents a JSON strings that unmarshals into an ASN1 object identifier or OID.

func (ObjectIdentifier) MarshalJSON

func (o ObjectIdentifier) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface and returns the string version of the asn1.ObjectIdentifier.

func (*ObjectIdentifier) UnmarshalJSON

func (o *ObjectIdentifier) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface and coverts a strings like "2.5.29.17" into an ASN1 object identifier.

type Option

type Option func(cr *x509.CertificateRequest, o *Options) error

Option is the type used as a variadic argument in NewCertificate.

func WithTemplate

func WithTemplate(text string, data TemplateData) Option

WithTemplate is an options that executes the given template text with the given data.

func WithTemplateBase64

func WithTemplateBase64(s string, data TemplateData) Option

WithTemplateBase64 is an options that executes the given template base64 string with the given data.

func WithTemplateFile

func WithTemplateFile(path string, data TemplateData) Option

WithTemplateFile is an options that reads the template file and executes it with the given data.

type Options

type Options struct {
	CertBuffer *bytes.Buffer
}

Options are the options that can be passed to NewCertificate.

type PolicyIdentifiers

type PolicyIdentifiers MultiObjectIdentifier

PolicyIdentifiers represents the list of OIDs to set in the certificate policies extension.

func (PolicyIdentifiers) MarshalJSON

func (p PolicyIdentifiers) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface in PolicyIdentifiers.

func (PolicyIdentifiers) Set

Set sets the policy identifiers to the given certificate.

func (*PolicyIdentifiers) UnmarshalJSON

func (p *PolicyIdentifiers) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface in PolicyIdentifiers.

type SerialNumber

type SerialNumber struct {
	*big.Int
}

SerialNumber is the JSON representation of the X509 serial number.

func (*SerialNumber) MarshalJSON

func (s *SerialNumber) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface, and encodes a SerialNumber using the big.Int marshaler.

func (SerialNumber) Set

func (s SerialNumber) Set(c *x509.Certificate)

Set sets the serial number in the given certificate.

func (*SerialNumber) UnmarshalJSON

func (s *SerialNumber) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshal interface and unmarshals an integer or a string into a serial number. If a string is used, a prefix of “0b” or “0B” selects base 2, “0”, “0o” or “0O” selects base 8, and “0x” or “0X” selects base 16. Otherwise, the selected base is 10 and no prefix is accepted.

type SignatureAlgorithm

type SignatureAlgorithm x509.SignatureAlgorithm

SignatureAlgorithm is the JSON representation of the X509 signature algorithms

func (SignatureAlgorithm) MarshalJSON added in v0.4.0

func (s SignatureAlgorithm) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaller interface.

func (SignatureAlgorithm) Set

Set sets the signature algorithm in the given certificate.

func (*SignatureAlgorithm) UnmarshalJSON

func (s *SignatureAlgorithm) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshal interface and unmarshals and validates a string as a SignatureAlgorithm.

type Subject

type Subject Name

Subject is the JSON representation of the X.509 subject field.

func (Subject) Set

func (s Subject) Set(c *x509.Certificate)

Set sets the subject in the given certificate.

func (*Subject) UnmarshalJSON

func (s *Subject) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshal interface and unmarshals a JSON object in the Subject struct or a string as just the subject common name.

type SubjectAlternativeName

type SubjectAlternativeName struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

SubjectAlternativeName represents a X.509 subject alternative name. Types supported are "dns", "email", "ip", "uri". A special type "auto" or "" can be used to try to guess the type of the value.

func CreateSANs

func CreateSANs(sans []string) []SubjectAlternativeName

CreateSANs splits the given sans and returns a list of SubjectAlternativeName structs.

func (SubjectAlternativeName) Set

Set sets the subject alternative name in the given x509.Certificate.

type SubjectKeyID

type SubjectKeyID []byte

SubjectKeyID represents the binary value of the subject key identifier extension, this should be the SHA-1 hash of the public key. In JSON this value should be a base64-encoded string, and in most cases it should not be set because it will be automatically generated.

func (SubjectKeyID) Set

func (id SubjectKeyID) Set(c *x509.Certificate)

Set sets the subject key identifier to the given certificate.

type TemplateData

type TemplateData map[string]interface{}

TemplateData is an alias for map[string]interface{}. It represents the data passed to the templates.

func CreateTemplateData

func CreateTemplateData(commonName string, sans []string) TemplateData

CreateTemplateData creates a new TemplateData with the given common name and SANs.

func NewTemplateData

func NewTemplateData() TemplateData

NewTemplateData creates a new map for templates data.

func (TemplateData) Set

func (t TemplateData) Set(key string, v interface{})

Set sets a key-value pair in the template data.

func (TemplateData) SetAuthorizationCertificate added in v0.14.0

func (t TemplateData) SetAuthorizationCertificate(crt interface{})

SetAuthorizationCertificate sets the given certificate in the template. This certificate is generally present in a token header.

func (TemplateData) SetAuthorizationCertificateChain added in v0.14.0

func (t TemplateData) SetAuthorizationCertificateChain(chain interface{})

SetAuthorizationCertificateChain sets a the given certificate chain in the template. These certificates are generally present in a token header.

func (TemplateData) SetCertificateRequest

func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest)

SetCertificateRequest sets the given certificate request in the insecure template data.

func (TemplateData) SetCommonName

func (t TemplateData) SetCommonName(cn string)

SetCommonName sets the given common name in the subject in the template data.

func (TemplateData) SetInsecure

func (t TemplateData) SetInsecure(key string, v interface{})

SetInsecure sets a key-value pair in the insecure template data.

func (TemplateData) SetSANs

func (t TemplateData) SetSANs(sans []string)

SetSANs sets the given SANs in the template data.

func (TemplateData) SetSubject

func (t TemplateData) SetSubject(v Subject)

SetSubject sets the given subject in the template data.

func (TemplateData) SetToken

func (t TemplateData) SetToken(v interface{})

SetToken sets the given token in the template data.

func (TemplateData) SetUserData

func (t TemplateData) SetUserData(v interface{})

SetUserData sets the given user provided object in the insecure template data.

type TemplateError

type TemplateError struct {
	Message string
}

TemplateError represents an error in a template produced by the fail function.

func (*TemplateError) Error

func (e *TemplateError) Error() string

Error implements the error interface and returns the error string when a template executes the `fail "message"` function.

type UnknownExtKeyUsage added in v0.5.0

type UnknownExtKeyUsage MultiObjectIdentifier

UnknownExtKeyUsage represents the list of OIDs of extended key usages unknown to crypto/x509.

func (UnknownExtKeyUsage) MarshalJSON added in v0.5.0

func (u UnknownExtKeyUsage) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface in UnknownExtKeyUsage.

func (UnknownExtKeyUsage) Set added in v0.5.0

Set sets the policy identifiers to the given certificate.

func (*UnknownExtKeyUsage) UnmarshalJSON added in v0.5.0

func (u *UnknownExtKeyUsage) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface in UnknownExtKeyUsage.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL