Documentation ¶
Overview ¶
Package x509util implements utilities to build X.509 certificates based on JSON templates.
Index ¶
- Constants
- func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error)
- func CreateCertificateRequest(commonName string, sans []string, signer crypto.Signer) (*x509.CertificateRequest, error)
- func CreateCertificateTemplate(cr *x509.CertificateRequest) (*x509.Certificate, error)
- func EncodedFingerprint(cert *x509.Certificate, encoding FingerprintEncoding) string
- func Fingerprint(cert *x509.Certificate) string
- func GetFuncMap() template.FuncMap
- func ReadCertPool(path string) (*x509.CertPool, error)
- func SanitizeName(domain string) (string, error)
- func SplitSANs(sans []string) (dnsNames []string, ips []net.IP, emails []string, uris []*url.URL)
- func ValidateTemplate(text []byte) error
- func ValidateTemplateData(data []byte) error
- type AuthorityKeyID
- type BasicConstraints
- type CRLDistributionPoints
- type Certificate
- type CertificateRequest
- type DistinguishedName
- type ExtKeyUsage
- type Extension
- type FingerprintEncoding
- type HardwareModuleName
- type Issuer
- type IssuingCertificateURL
- type KeyUsage
- type MultiIP
- type MultiIPNet
- type MultiObjectIdentifier
- type MultiString
- type MultiURL
- type Name
- type NameConstraints
- type OCSPServer
- type ObjectIdentifier
- type Option
- type Options
- type PermanentIdentifier
- type PolicyIdentifiers
- type SerialNumber
- type SignatureAlgorithm
- type Subject
- type SubjectAlternativeName
- type SubjectAlternativeNames
- type SubjectKeyID
- type TPMHardwareDetails
- type TemplateData
- func (t TemplateData) Set(key string, v interface{})
- func (t TemplateData) SetAuthorizationCertificate(crt interface{})
- func (t TemplateData) SetAuthorizationCertificateChain(chain interface{})
- func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest)
- func (t TemplateData) SetCommonName(cn string)
- func (t TemplateData) SetInsecure(key string, v interface{})
- func (t TemplateData) SetSANs(sans []string)
- func (t TemplateData) SetSubject(v Subject)
- func (t TemplateData) SetSubjectAlternativeNames(sans ...SubjectAlternativeName)
- func (t TemplateData) SetToken(v interface{})
- func (t TemplateData) SetUserData(v interface{})
- func (t TemplateData) SetWebhook(webhookName string, data interface{})
- type TemplateError
- type UnknownExtKeyUsage
Constants ¶
// Names accepted for a template's signatureAlgorithm field (see
// SignatureAlgorithm.UnmarshalJSON, which validates them).
const (
	MD2WithRSA       = "MD2-RSA"
	MD5WithRSA       = "MD5-RSA"
	SHA1WithRSA      = "SHA1-RSA"
	SHA256WithRSA    = "SHA256-RSA"
	SHA384WithRSA    = "SHA384-RSA"
	SHA512WithRSA    = "SHA512-RSA"
	DSAWithSHA1      = "DSA-SHA1"
	DSAWithSHA256    = "DSA-SHA256"
	ECDSAWithSHA1    = "ECDSA-SHA1"
	ECDSAWithSHA256  = "ECDSA-SHA256"
	ECDSAWithSHA384  = "ECDSA-SHA384"
	ECDSAWithSHA512  = "ECDSA-SHA512"
	SHA256WithRSAPSS = "SHA256-RSAPSS"
	SHA384WithRSAPSS = "SHA384-RSAPSS"
	SHA512WithRSAPSS = "SHA512-RSAPSS"
	PureEd25519      = "Ed25519"
)
List of signature algorithms.
// Names used for key usages in the keyUsage template field (see KeyUsage).
const (
	KeyUsageDigitalSignature  = "digitalSignature"
	KeyUsageContentCommitment = "contentCommitment"
	KeyUsageKeyEncipherment   = "keyEncipherment"
	KeyUsageDataEncipherment  = "dataEncipherment"
	KeyUsageKeyAgreement      = "keyAgreement"
	KeyUsageCertSign          = "certSign"
	KeyUsageCRLSign           = "crlSign"
	KeyUsageEncipherOnly      = "encipherOnly"
	KeyUsageDecipherOnly      = "decipherOnly"
)
Names used for key usages.
// Names used for extended key usages in the extKeyUsage template field
// (see ExtKeyUsage).
const (
	ExtKeyUsageAny                            = "any"
	ExtKeyUsageServerAuth                     = "serverAuth"
	ExtKeyUsageClientAuth                     = "clientAuth"
	ExtKeyUsageCodeSigning                    = "codeSigning"
	ExtKeyUsageEmailProtection                = "emailProtection"
	ExtKeyUsageIPSECEndSystem                 = "ipsecEndSystem"
	ExtKeyUsageIPSECTunnel                    = "ipsecTunnel"
	ExtKeyUsageIPSECUser                      = "ipsecUser"
	ExtKeyUsageTimeStamping                   = "timeStamping"
	ExtKeyUsageOCSPSigning                    = "ocspSigning"
	ExtKeyUsageMicrosoftServerGatedCrypto     = "microsoftServerGatedCrypto"
	ExtKeyUsageNetscapeServerGatedCrypto      = "netscapeServerGatedCrypto"
	ExtKeyUsageMicrosoftCommercialCodeSigning = "microsoftCommercialCodeSigning"
	ExtKeyUsageMicrosoftKernelCodeSigning     = "microsoftKernelCodeSigning"
)
Names used for extended key usages.
// Names used as SubjectAlternativeName types (the "type" key of a SAN
// template entry).
const (
	AutoType                = "auto"
	EmailType               = "email" // also known as 'rfc822Name' in RFC 5280
	DNSType                 = "dns"
	X400AddressType         = "x400Address"
	DirectoryNameType       = "dn"
	EDIPartyNameType        = "ediPartyName"
	URIType                 = "uri"
	IPType                  = "ip"
	RegisteredIDType        = "registeredID"
	PermanentIdentifierType = "permanentIdentifier"
	HardwareModuleNameType  = "hardwareModuleName"
	UserPrincipalNameType   = "userPrincipalName"
)
Names used as SubjectAlternativeName types.
// Supported fingerprint encodings, accepted by EncodedFingerprint.
const (
	// DefaultFingerprint represents the hex encoding of the fingerprint.
	DefaultFingerprint = FingerprintEncoding(0)
	// HexFingerprint represents the hex encoding of the fingerprint.
	HexFingerprint = fingerprint.HexFingerprint
	// Base64Fingerprint represents the base64 encoding of the fingerprint.
	Base64Fingerprint = fingerprint.Base64Fingerprint
	// Base64URLFingerprint represents the base64URL encoding of the fingerprint.
	Base64URLFingerprint = fingerprint.Base64URLFingerprint
	// Base64RawFingerprint represents the base64RawStd encoding of the fingerprint.
	Base64RawFingerprint = fingerprint.Base64RawFingerprint
	// Base64RawURLFingerprint represents the base64RawURL encoding of the fingerprint.
	Base64RawURLFingerprint = fingerprint.Base64RawURLFingerprint
	// EmojiFingerprint represents the emoji encoding of the fingerprint.
	EmojiFingerprint = fingerprint.EmojiFingerprint
)
Supported fingerprint encodings.
// Keys used to hold template data in a TemplateData map. Values under
// InsecureKey are the ones set by SetInsecure, SetCertificateRequest and
// SetUserData (i.e. caller-supplied data, reachable as .Insecure.* in a
// template).
const (
	SubjectKey            = "Subject"
	SANsKey               = "SANs"
	TokenKey              = "Token"
	InsecureKey           = "Insecure"
	UserKey               = "User"
	CertificateRequestKey = "CR"
	AuthorizationCrtKey   = "AuthorizationCrt"
	AuthorizationChainKey = "AuthorizationChain"
	WebhooksKey           = "Webhooks"
)
Variables used to hold template data.
// CertificateRequestTemplate is a template that signs the given certificate
// request as-is: it emits the request stored under .Insecure.CR unchanged, so
// every field of the request ends up in the certificate.
const CertificateRequestTemplate = `{{ toJson .Insecure.CR }}`
CertificateRequestTemplate is a template that will sign the given certificate request.
// DefaultAdminLeafTemplate is the template used by default by the K8sSA and
// admin-OIDC provisioners. It takes all the SANs and the subject from the
// certificate request. (The literal value is not shown on this page.)
const DefaultAdminLeafTemplate = `` /* 470-byte string literal not displayed */
DefaultAdminLeafTemplate is a template used by default by K8sSA and admin-OIDC provisioners. This template takes all the SANs and subject from the certificate request.
// DefaultAttestedLeafTemplate is the default template used to generate a leaf
// certificate from an attestation certificate. Unlike DefaultLeafTemplate,
// the extended key usage is limited to "clientAuth". (The literal value is
// not shown on this page.)
const DefaultAttestedLeafTemplate = `` /* 267-byte string literal not displayed */
DefaultAttestedLeafTemplate is the default template used to generate a leaf certificate from an attestation certificate. The main difference with "DefaultLeafTemplate" is that the extended key usage is limited to "clientAuth".
// DefaultCertificateRequestTemplate is the template used by default when
// creating a new certificate request: it copies the subject and SANs from the
// template data.
const DefaultCertificateRequestTemplate = `{
"subject": {{ toJson .Subject }},
"sans": {{ toJson .SANs }}
}`
DefaultCertificateRequestTemplate is the template used by default when creating a new certificate request.
// DefaultIIDLeafTemplate is the template used by default on instance identity
// provisioners such as AWS, GCP or Azure. Those provisioners allow the SANs
// provided in the certificate request unless `DisableCustomSANs` is set, in
// which case `.SANs` holds only the verified domains. (The literal value is
// not shown on this page.)
const DefaultIIDLeafTemplate = `` /* 565-byte string literal not displayed */
DefaultIIDLeafTemplate is the template used by default on instance identity provisioners like AWS, GCP or Azure. By default, those provisioners allow the SANs provided in the certificate request, but the option `DisableCustomSANs` can be provided to force only the verified domains, if the option is true `.SANs` will be set with the verified domains.
// DefaultIntermediateTemplate is a template that can be used to generate an
// intermediate certificate. (The literal value is not shown on this page.)
const DefaultIntermediateTemplate = `` /* 136-byte string literal not displayed */
DefaultIntermediateTemplate is a template that can be used to generate an intermediate certificate.
// DefaultLeafTemplate is the default template used to generate a leaf
// certificate. (The literal value is not shown on this page.)
const DefaultLeafTemplate = `` /* 281-byte string literal not displayed */
DefaultLeafTemplate is the default template used to generate a leaf certificate.
// DefaultRootTemplate is a template that can be used to generate a root
// certificate. (The literal value is not shown on this page.)
const DefaultRootTemplate = `` /* 170-byte string literal not displayed */
DefaultRootTemplate is a template that can be used to generate a root certificate.
Variables ¶
This section is empty.
Functions ¶
func CreateCertificate ¶
func CreateCertificate(template, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error)
CreateCertificate signs the given template using the parent private key and returns it.
func CreateCertificateRequest ¶
func CreateCertificateRequest(commonName string, sans []string, signer crypto.Signer) (*x509.CertificateRequest, error)
CreateCertificateRequest creates a simple X.509 certificate request with the given common name and sans.
func CreateCertificateTemplate ¶ added in v0.7.0
func CreateCertificateTemplate(cr *x509.CertificateRequest) (*x509.Certificate, error)
CreateCertificateTemplate creates a X.509 certificate template from the given certificate request.
func EncodedFingerprint ¶ added in v0.1.1
func EncodedFingerprint(cert *x509.Certificate, encoding FingerprintEncoding) string
EncodedFingerprint returns the SHA-256 hash of the certificate using the specified encoding. If an invalid encoding is passed, the return value will be an empty string.
func Fingerprint ¶ added in v0.1.1
func Fingerprint(cert *x509.Certificate) string
Fingerprint returns the SHA-256 fingerprint of the certificate.
func GetFuncMap ¶ added in v0.34.0
GetFuncMap returns the map of functions available to the templates. It returns all the functions supported by "sprig.TxtFuncMap()" except "env" and "expandenv", which are removed so that a template cannot read the process environment and leak its contents. It also adds the following functions to encode data using ASN.1:
- asn1Enc: encodes the given string to ASN.1. By default it uses the PrintableString format, but this can be changed using the suffix ":<format>". Supported formats are: "printable", "utf8", "ia5", "numeric", "int", "oid", "utc", "generalized", and "raw".
- asn1Marshal: encodes the given string with the given params using Go's asn1.MarshalWithParams.
- asn1Seq: encodes a sequence of the given ASN.1 data.
- asn1Set: encodes a set of the given ASN.1 data.
func ReadCertPool ¶ added in v0.8.2
ReadCertPool loads a certificate pool from disk. The given path can be a file, a directory, or a comma-separated list of files.
func SanitizeName ¶ added in v0.17.1
SanitizeName converts the given domain to its ASCII form.
func SplitSANs ¶
SplitSANs splits a slice of Subject Alternative Names into separate slices of IP addresses and DNS names (the signature also returns email addresses and URIs). If an element is not an IP address, then it is bucketed as a DNS name.
func ValidateTemplate ¶ added in v0.18.0
ValidateTemplate validates a text template.
func ValidateTemplateData ¶ added in v0.18.0
ValidateTemplateData validates that template data is valid JSON.
Types ¶
type AuthorityKeyID ¶
// AuthorityKeyID is the binary value of the authority key identifier
// extension; it should equal the subject key identifier of the parent
// certificate. In JSON it is a base64-encoded string and is normally left
// unset, as it is provided automatically.
type AuthorityKeyID []byte
AuthorityKeyID represents the binary value of the authority key identifier extension. It should be the subject key identifier of the parent certificate. In JSON this value should be a base64-encoded string, and in most cases it should not be set, as it will be automatically provided.
func (AuthorityKeyID) Set ¶
func (id AuthorityKeyID) Set(c *x509.Certificate)
Set sets the authority key identifier to the given certificate.
type BasicConstraints ¶
BasicConstraints represents the X.509 basic constraints extension and defines whether a certificate is a CA and the maximum depth of valid certification paths that include the certificate. A MaxPathLen of zero indicates that no non-self-issued intermediate CA certificates may follow in a valid certification path. To impose no limit, MaxPathLen should be set to -1.
func (BasicConstraints) Set ¶
func (b BasicConstraints) Set(c *x509.Certificate)
Set sets the basic constraints to the given certificate.
type CRLDistributionPoints ¶
// CRLDistributionPoints is the list of CRL distribution points encoded in the
// CRL distribution points extension. Like MultiString, it accepts a JSON
// string or an array of strings.
type CRLDistributionPoints MultiString
CRLDistributionPoints contains the list of CRL distribution points that will be encoded in the CRL distribution points extension.
func (CRLDistributionPoints) Set ¶
func (u CRLDistributionPoints) Set(c *x509.Certificate)
Set sets the CRL distribution points to the given certificate.
func (*CRLDistributionPoints) UnmarshalJSON ¶
func (u *CRLDistributionPoints) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface in CRLDistributionPoints.
type Certificate ¶
// Certificate is the JSON representation of an X.509 certificate. It is used
// to build a certificate from a template; each JSON key corresponds to the
// template field of the same name.
type Certificate struct {
	Version               int                      `json:"version"`
	Subject               Subject                  `json:"subject"`
	RawSubject            []byte                   `json:"rawSubject"`
	Issuer                Issuer                   `json:"issuer"`
	SerialNumber          SerialNumber             `json:"serialNumber"`
	DNSNames              MultiString              `json:"dnsNames"`
	EmailAddresses        MultiString              `json:"emailAddresses"`
	IPAddresses           MultiIP                  `json:"ipAddresses"`
	URIs                  MultiURL                 `json:"uris"`
	SANs                  []SubjectAlternativeName `json:"sans"`
	NotBefore             time.Time                `json:"notBefore"`
	NotAfter              time.Time                `json:"notAfter"`
	Extensions            []Extension              `json:"extensions"`
	KeyUsage              KeyUsage                 `json:"keyUsage"`
	ExtKeyUsage           ExtKeyUsage              `json:"extKeyUsage"`
	UnknownExtKeyUsage    UnknownExtKeyUsage       `json:"unknownExtKeyUsage"`
	SubjectKeyID          SubjectKeyID             `json:"subjectKeyId"`
	AuthorityKeyID        AuthorityKeyID           `json:"authorityKeyId"`
	OCSPServer            OCSPServer               `json:"ocspServer"`
	IssuingCertificateURL IssuingCertificateURL    `json:"issuingCertificateURL"`
	CRLDistributionPoints CRLDistributionPoints    `json:"crlDistributionPoints"`
	PolicyIdentifiers     PolicyIdentifiers        `json:"policyIdentifiers"`
	// Pointer fields: nil when the template does not set the extension.
	BasicConstraints   *BasicConstraints  `json:"basicConstraints"`
	NameConstraints    *NameConstraints   `json:"nameConstraints"`
	SignatureAlgorithm SignatureAlgorithm `json:"signatureAlgorithm"`
	// The public key and its algorithm are not part of the JSON form.
	PublicKeyAlgorithm x509.PublicKeyAlgorithm `json:"-"`
	PublicKey          interface{}             `json:"-"`
}
Certificate is the JSON representation of a X.509 certificate. It is used to build a certificate from a template.
func NewCertificate ¶
func NewCertificate(cr *x509.CertificateRequest, opts ...Option) (*Certificate, error)
NewCertificate creates a new Certificate from an x509.CertificateRequest and will apply some template options.
func NewCertificateFromX509 ¶ added in v0.31.1
func NewCertificateFromX509(template *x509.Certificate, opts ...Option) (*Certificate, error)
NewCertificateFromX509 creates a new Certificate from an x509.Certificate and will apply template options. A new (unsigned) x509.CertificateRequest is created, with data from the x509.Certificate template. This function is primarily useful when signing a certificate for a key that can't sign a CSR or when the private key is not available.
func (*Certificate) GetCertificate ¶
func (c *Certificate) GetCertificate() *x509.Certificate
GetCertificate returns the x509.Certificate representation of the certificate.
type CertificateRequest ¶
// CertificateRequest is the JSON representation of an X.509 certificate
// request. It is used to build a certificate request from a template.
type CertificateRequest struct {
	Version            int                      `json:"version"`
	Subject            Subject                  `json:"subject"`
	RawSubject         []byte                   `json:"rawSubject"`
	DNSNames           MultiString              `json:"dnsNames"`
	EmailAddresses     MultiString              `json:"emailAddresses"`
	IPAddresses        MultiIP                  `json:"ipAddresses"`
	URIs               MultiURL                 `json:"uris"`
	SANs               []SubjectAlternativeName `json:"sans"`
	Extensions         []Extension              `json:"extensions"`
	SignatureAlgorithm SignatureAlgorithm       `json:"signatureAlgorithm"`
	// The fields below are not part of the JSON form.
	ChallengePassword  string                  `json:"-"`
	PublicKey          interface{}             `json:"-"`
	PublicKeyAlgorithm x509.PublicKeyAlgorithm `json:"-"`
	Signature          []byte                  `json:"-"`
	Signer             crypto.Signer           `json:"-"`
}
CertificateRequest is the JSON representation of an X.509 certificate request. It is used to build a certificate request from a template.
func NewCertificateRequest ¶ added in v0.4.0
func NewCertificateRequest(signer crypto.Signer, opts ...Option) (*CertificateRequest, error)
NewCertificateRequest creates a certificate request from a template.
func NewCertificateRequestFromX509 ¶ added in v0.20.0
func NewCertificateRequestFromX509(cr *x509.CertificateRequest) *CertificateRequest
NewCertificateRequestFromX509 creates a CertificateRequest from an x509.CertificateRequest.
This method is used to create the template variable .Insecure.CR or to initialize the Certificate when no templates are used. NewCertificateRequestFromX509 will always ignore the SignatureAlgorithm because we cannot guarantee that the signer will be able to sign a certificate template if Certificate.SignatureAlgorithm is set.
func (*CertificateRequest) GetCertificate ¶
func (c *CertificateRequest) GetCertificate() *Certificate
GetCertificate returns the Certificate representation of the CertificateRequest.
GetCertificate will not specify a SignatureAlgorithm, it's not possible to guarantee that the certificate signer can sign with the CertificateRequest SignatureAlgorithm.
func (*CertificateRequest) GetCertificateRequest ¶ added in v0.4.0
func (c *CertificateRequest) GetCertificateRequest() (*x509.CertificateRequest, error)
GetCertificateRequest returns the signed x509.CertificateRequest.
func (*CertificateRequest) GetLeafCertificate ¶
func (c *CertificateRequest) GetLeafCertificate() *Certificate
GetLeafCertificate returns the Certificate representation of the CertificateRequest, including KeyUsage and ExtKeyUsage extensions.
GetLeafCertificate will not specify a SignatureAlgorithm, it's not possible to guarantee that the certificate signer can sign with the CertificateRequest SignatureAlgorithm.
type DistinguishedName ¶ added in v0.16.1
// DistinguishedName mirrors the ASN.1 structure AttributeTypeAndValue in
// RFC 5280, Section 4.1.2.4: an attribute type (OID) and its value.
type DistinguishedName struct {
	Type  ObjectIdentifier `json:"type"`
	Value interface{}      `json:"value"`
}
DistinguishedName mirrors the ASN.1 structure AttributeTypeAndValue in RFC 5280, Section 4.1.2.4.
func NewExtraNames ¶ added in v0.43.0
func NewExtraNames(atvs []pkix.AttributeTypeAndValue) []DistinguishedName
NewExtraNames returns a list of DistinguishedName with the attributes not present in attributeTypeNames.
type ExtKeyUsage ¶
// ExtKeyUsage represents a JSON array of extended key usages, named with the
// ExtKeyUsage* constants.
type ExtKeyUsage []x509.ExtKeyUsage
ExtKeyUsage represents a JSON array of extended key usages.
func (ExtKeyUsage) MarshalJSON ¶ added in v0.20.0
func (k ExtKeyUsage) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface and converts a list of extended key usages to a list of strings.
func (ExtKeyUsage) Set ¶
func (k ExtKeyUsage) Set(c *x509.Certificate)
Set sets the extended key usages in the given certificate.
func (*ExtKeyUsage) UnmarshalJSON ¶
func (k *ExtKeyUsage) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface and converts a string or a list of strings into a list of extended key usages.
type Extension ¶
// Extension is the JSON representation of a raw X.509 extension: its OID,
// the critical flag and the raw DER value.
type Extension struct {
	ID       ObjectIdentifier `json:"id"`
	Critical bool             `json:"critical"`
	Value    []byte           `json:"value"`
}
Extension is the JSON representation of a raw X.509 extension.
func (Extension) Set ¶
func (e Extension) Set(c *x509.Certificate)
Set adds the extension to the given X509 certificate.
type FingerprintEncoding ¶ added in v0.1.1
// FingerprintEncoding defines the supported encodings in certificate
// fingerprints; it is an alias of fingerprint.Encoding.
type FingerprintEncoding = fingerprint.Encoding
FingerprintEncoding defines the supported encodings in certificate fingerprints.
type HardwareModuleName ¶ added in v0.17.3
// HardwareModuleName is defined in RFC 4108 (section 5) as an optional
// feature that may be used to identify a hardware module. The OID for this
// SAN is "1.3.6.1.5.5.7.8.4".
//
//	HardwareModuleName ::= SEQUENCE {
//	    hwType      OBJECT IDENTIFIER,
//	    hwSerialNum OCTET STRING }
type HardwareModuleName struct {
	Type         ObjectIdentifier `json:"type"`
	SerialNumber []byte           `json:"serialNumber"`
}
HardwareModuleName is defined in RFC 4108 as an optional feature that may be used to identify a hardware module.
The OID defined for this SAN is "1.3.6.1.5.5.7.8.4".
See https://www.rfc-editor.org/rfc/rfc4108#section-5
HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }
type Issuer ¶
// Issuer is the JSON representation of the X.509 issuer field; it has the
// same shape as Name.
type Issuer Name
Issuer is the JSON representation of the X.509 issuer field.
func (Issuer) Set ¶
func (i Issuer) Set(c *x509.Certificate)
Set sets the issuer in the given certificate.
func (*Issuer) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface and unmarshals a JSON object into the Issuer struct, or a string as just the common name.
type IssuingCertificateURL ¶
// IssuingCertificateURL is the list of issuing certificate URLs encoded in
// the authority information access extension.
type IssuingCertificateURL MultiString
IssuingCertificateURL contains the list of issuing certificate URLs that will be encoded in the authority information access extension.
func (IssuingCertificateURL) Set ¶
func (u IssuingCertificateURL) Set(c *x509.Certificate)
Set sets the list of issuing certificate urls to the given certificate.
func (*IssuingCertificateURL) UnmarshalJSON ¶
func (u *IssuingCertificateURL) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface in IssuingCertificateURL.
type KeyUsage ¶
KeyUsage type represents the JSON array used to represent the key usages of a X509 certificate.
func (KeyUsage) MarshalJSON ¶ added in v0.20.0
MarshalJSON implements the json.Marshaler interface and converts a key usage into a list of strings.
func (KeyUsage) Set ¶
func (k KeyUsage) Set(c *x509.Certificate)
Set sets the key usage to the given certificate.
func (*KeyUsage) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface and converts a string or a list of strings into a key usage.
type MultiIP ¶
MultiIP is a type used to unmarshal a JSON string or an array of strings into a []net.IP.
func (*MultiIP) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface for MultiIP.
type MultiIPNet ¶
MultiIPNet is a type used to unmarshal a JSON string or an array of strings into a []*net.IPNet.
func (MultiIPNet) MarshalJSON ¶
func (m MultiIPNet) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for MultiIPNet.
func (*MultiIPNet) UnmarshalJSON ¶
func (m *MultiIPNet) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for MultiIPNet.
type MultiObjectIdentifier ¶
// MultiObjectIdentifier unmarshals a JSON string or an array of strings into
// a []asn1.ObjectIdentifier.
type MultiObjectIdentifier []asn1.ObjectIdentifier
MultiObjectIdentifier is a type used to unmarshal a JSON string or an array of strings into a []asn1.ObjectIdentifier.
func (MultiObjectIdentifier) MarshalJSON ¶
func (m MultiObjectIdentifier) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface for MultiObjectIdentifier.
func (*MultiObjectIdentifier) UnmarshalJSON ¶
func (m *MultiObjectIdentifier) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for MultiObjectIdentifier.
type MultiString ¶
// MultiString unmarshals a JSON string or an array of strings into a
// []string.
type MultiString []string
MultiString is a type used to unmarshal a JSON string or an array of strings into a []string.
func (*MultiString) UnmarshalJSON ¶
func (m *MultiString) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface for MultiString.
type MultiURL ¶
MultiURL is a type used to unmarshal a JSON string or an array of strings into a []*url.URL.
func (MultiURL) MarshalJSON ¶
MarshalJSON implements the json.Marshaler interface for MultiURL.
func (*MultiURL) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface for MultiURL.
type Name ¶
// Name is the JSON representation of the X.501 type Name, used in the X.509
// subject and issuer fields. Attributes without a dedicated field go in
// ExtraNames (see NewExtraNames).
type Name struct {
	Country            MultiString         `json:"country,omitempty"`
	Organization       MultiString         `json:"organization,omitempty"`
	OrganizationalUnit MultiString         `json:"organizationalUnit,omitempty"`
	Locality           MultiString         `json:"locality,omitempty"`
	Province           MultiString         `json:"province,omitempty"`
	StreetAddress      MultiString         `json:"streetAddress,omitempty"`
	PostalCode         MultiString         `json:"postalCode,omitempty"`
	SerialNumber       string              `json:"serialNumber,omitempty"`
	CommonName         string              `json:"commonName,omitempty"`
	ExtraNames         []DistinguishedName `json:"extraNames,omitempty"`
}
Name is the JSON representation of X.501 type Name, used in the X.509 subject and issuer fields.
func (*Name) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface and unmarshals a JSON object into the Name struct, or a string as just the common name.
type NameConstraints ¶
// NameConstraints represents the X.509 name constraints extension, which
// defines a name space within which all subject names in subsequent
// certificates in a certification path must be located. It must only be used
// in a CA certificate.
type NameConstraints struct {
	Critical                bool        `json:"critical"`
	PermittedDNSDomains     MultiString `json:"permittedDNSDomains"`
	ExcludedDNSDomains      MultiString `json:"excludedDNSDomains"`
	PermittedIPRanges       MultiIPNet  `json:"permittedIPRanges"`
	ExcludedIPRanges        MultiIPNet  `json:"excludedIPRanges"`
	PermittedEmailAddresses MultiString `json:"permittedEmailAddresses"`
	ExcludedEmailAddresses  MultiString `json:"excludedEmailAddresses"`
	PermittedURIDomains     MultiString `json:"permittedURIDomains"`
	ExcludedURIDomains      MultiString `json:"excludedURIDomains"`
}
NameConstraints represents the X.509 name constraints extension and defines a name space within which all subject names in subsequent certificates in a certification path must be located. The name constraints extension must be used only in a CA certificate.
func (NameConstraints) Set ¶
func (n NameConstraints) Set(c *x509.Certificate)
Set sets the name constraints in the given certificate.
type OCSPServer ¶
// OCSPServer is the list of OCSP servers encoded in the authority information
// access extension.
type OCSPServer MultiString
OCSPServer contains the list of OCSP servers that will be encoded in the authority information access extension.
func (OCSPServer) Set ¶
func (o OCSPServer) Set(c *x509.Certificate)
Set sets the list of OCSP servers in the given certificate.
func (*OCSPServer) UnmarshalJSON ¶
func (o *OCSPServer) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface in OCSPServer.
type ObjectIdentifier ¶
// ObjectIdentifier represents a JSON string (e.g. "2.5.29.17") that
// unmarshals into an ASN.1 object identifier.
type ObjectIdentifier asn1.ObjectIdentifier
ObjectIdentifier represents a JSON string that unmarshals into an ASN.1 object identifier (OID).
func (ObjectIdentifier) Equal ¶ added in v0.17.1
func (o ObjectIdentifier) Equal(v ObjectIdentifier) bool
Equal reports whether o and v represent the same identifier.
func (ObjectIdentifier) MarshalJSON ¶
func (o ObjectIdentifier) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface and returns the string version of the asn1.ObjectIdentifier.
func (*ObjectIdentifier) UnmarshalJSON ¶
func (o *ObjectIdentifier) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface and converts a string like "2.5.29.17" into an ASN.1 object identifier.
type Option ¶
// Option is the type used as a variadic argument in NewCertificate and
// NewCertificateRequest. It receives the certificate request and the Options
// being built and may return an error to abort.
type Option func(cr *x509.CertificateRequest, o *Options) error
Option is the type used as a variadic argument in NewCertificate.
func WithTemplate ¶
func WithTemplate(text string, data TemplateData) Option
WithTemplate is an option that executes the given template text with the given data.
func WithTemplateBase64 ¶
func WithTemplateBase64(s string, data TemplateData) Option
WithTemplateBase64 is an option that decodes the given base64-encoded template and executes it with the given data.
func WithTemplateFile ¶
func WithTemplateFile(path string, data TemplateData) Option
WithTemplateFile is an option that reads the template file at the given path and executes it with the given data.
type PermanentIdentifier ¶ added in v0.17.1
// PermanentIdentifier is defined in RFC 4043 as an optional feature that may
// be used by a CA to indicate that two or more certificates relate to the
// same entity. In device attestation this SAN carries the UDID or serial
// number of the device.
//
//	PermanentIdentifier ::= SEQUENCE {
//	    identifierValue UTF8String OPTIONAL,
//	    assigner        OBJECT IDENTIFIER OPTIONAL }
type PermanentIdentifier struct {
	Identifier string           `json:"identifier,omitempty"`
	Assigner   ObjectIdentifier `json:"assigner,omitempty"`
}
PermanentIdentifier is defined in RFC 4043 as an optional feature that may be used by a CA to indicate that two or more certificates relate to the same entity.
In device attestation this SAN will contain the UDID (Unique Device IDentifier) or serial number of the device.
See https://tools.ietf.org/html/rfc4043
PermanentIdentifier ::= SEQUENCE { identifierValue UTF8String OPTIONAL, assigner OBJECT IDENTIFIER OPTIONAL }
type PolicyIdentifiers ¶
// PolicyIdentifiers is the list of OIDs set in the certificate policies
// extension.
type PolicyIdentifiers MultiObjectIdentifier
PolicyIdentifiers represents the list of OIDs to set in the certificate policies extension.
func (PolicyIdentifiers) MarshalJSON ¶
func (p PolicyIdentifiers) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface in PolicyIdentifiers.
func (PolicyIdentifiers) Set ¶
func (p PolicyIdentifiers) Set(c *x509.Certificate)
Set sets the policy identifiers to the given certificate.
func (*PolicyIdentifiers) UnmarshalJSON ¶
func (p *PolicyIdentifiers) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface in PolicyIdentifiers.
type SerialNumber ¶
SerialNumber is the JSON representation of the X509 serial number.
func (*SerialNumber) MarshalJSON ¶
func (s *SerialNumber) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface, and encodes a SerialNumber using the big.Int marshaler.
func (SerialNumber) Set ¶
func (s SerialNumber) Set(c *x509.Certificate)
Set sets the serial number in the given certificate.
func (*SerialNumber) UnmarshalJSON ¶
func (s *SerialNumber) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface and unmarshals an integer or a string into a serial number. If a string is used, a prefix of “0b” or “0B” selects base 2, “0”, “0o” or “0O” selects base 8, and “0x” or “0X” selects base 16. Otherwise, the selected base is 10 and no prefix is accepted.
type SignatureAlgorithm ¶
// SignatureAlgorithm is the JSON representation of the X.509 signature
// algorithms; its string form is one of the *WithRSA/*WithSHA* constants.
type SignatureAlgorithm x509.SignatureAlgorithm
SignatureAlgorithm is the JSON representation of the X.509 signature algorithms.
func (SignatureAlgorithm) MarshalJSON ¶ added in v0.4.0
func (s SignatureAlgorithm) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface and returns the algorithm's name as a JSON string.
func (SignatureAlgorithm) Set ¶
func (s SignatureAlgorithm) Set(c *x509.Certificate)
Set sets the signature algorithm in the given certificate.
func (*SignatureAlgorithm) UnmarshalJSON ¶
func (s *SignatureAlgorithm) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface and unmarshals and validates a string as a SignatureAlgorithm.
type Subject ¶
// Subject is the JSON representation of the X.509 subject field; it has the
// same shape as Name.
type Subject Name
Subject is the JSON representation of the X.509 subject field.
func (Subject) IsEmpty ¶ added in v0.17.1
IsEmpty reports whether the subject is empty. Certificates with an empty subject must have the subjectAltName extension marked as critical.
func (Subject) Set ¶
func (s Subject) Set(c *x509.Certificate)
Set sets the subject in the given certificate.
func (*Subject) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface and unmarshals a JSON object into the Subject struct, or a string as just the subject common name.
type SubjectAlternativeName ¶
// SubjectAlternativeName represents an X.509 subject alternative name. Type
// is one of the *Type constants; "auto" or "" asks the package to guess the
// type from Value. ASN1Value is only for types whose string value cannot
// carry enough information to encode the name.
type SubjectAlternativeName struct {
	Type      string          `json:"type"`
	Value     string          `json:"value"`
	ASN1Value json.RawMessage `json:"asn1Value,omitempty"`
}
SubjectAlternativeName represents a X.509 subject alternative name. Types supported are "dns", "email", "ip", "uri". A special type "auto" or "" can be used to try to guess the type of the value.
ASN1Value can only be used for those types where the string value cannot contain enough information to encode the value.
func CreateSANs ¶
func CreateSANs(sans []string) []SubjectAlternativeName
CreateSANs splits the given sans and returns a list of SubjectAlternativeName structs.
func (SubjectAlternativeName) RawValue ¶ added in v0.17.1
func (s SubjectAlternativeName) RawValue() (asn1.RawValue, error)
RawValue returns the undecoded ASN.1 object for the SAN.
func (SubjectAlternativeName) Set ¶
func (s SubjectAlternativeName) Set(c *x509.Certificate)
Set sets the subject alternative name in the given x509.Certificate.
type SubjectAlternativeNames ¶ added in v0.29.0
// SubjectAlternativeNames is a container for names extracted from the X.509
// Subject Alternative Names extension (see ParseSubjectAlternativeNames).
type SubjectAlternativeNames struct {
	DNSNames             []string
	EmailAddresses       []string
	IPAddresses          []net.IP
	URIs                 []*url.URL
	PermanentIdentifiers []PermanentIdentifier
	HardwareModuleNames  []HardwareModuleName
	TPMHardwareDetails   TPMHardwareDetails
}
SubjectAlternativeNames is a container for names extracted from the X.509 Subject Alternative Names extension.
func ParseSubjectAlternativeNames ¶ added in v0.29.0
func ParseSubjectAlternativeNames(c *x509.Certificate) (sans SubjectAlternativeNames, err error)
ParseSubjectAlternativeNames parses the Subject Alternative Names from the X.509 certificate `c`. SAN types supported by the Go stdlib, including DNS names, IP addresses, email addresses and URLs, are copied to the result first. After that, the raw extension bytes are parsed to extract PermanentIdentifiers and HardwareModuleNames SANs.
type SubjectKeyID ¶
// SubjectKeyID is the binary value of the subject key identifier extension,
// which should be the SHA-1 hash of the public key. In JSON it is a
// base64-encoded string and is normally left unset, as it is generated
// automatically.
type SubjectKeyID []byte
SubjectKeyID represents the binary value of the subject key identifier extension, this should be the SHA-1 hash of the public key. In JSON this value should be a base64-encoded string, and in most cases it should not be set because it will be automatically generated.
func (SubjectKeyID) Set ¶
func (id SubjectKeyID) Set(c *x509.Certificate)
Set sets the subject key identifier to the given certificate.
type TPMHardwareDetails ¶ added in v0.29.0
// TPMHardwareDetails is a container for some details about TPM hardware.
type TPMHardwareDetails struct {
	Manufacturer string // TODO(hs): use Manufacturer from TPM package? Need to fix import cycle, though
	Model        string
	Version      string
}
TPMHardwareDetails is a container for some details for TPM hardware.
type TemplateData ¶
// TemplateData is the map of data passed to the templates, keyed by the
// *Key constants (SubjectKey, SANsKey, InsecureKey, ...).
type TemplateData map[string]interface{}
TemplateData is a map[string]interface{} type. It represents the data passed to the templates.
func CreateTemplateData ¶
func CreateTemplateData(commonName string, sans []string) TemplateData
CreateTemplateData creates a new TemplateData with the given common name and SANs.
func NewTemplateData ¶
func NewTemplateData() TemplateData
NewTemplateData creates a new map for templates data.
func (TemplateData) Set ¶
func (t TemplateData) Set(key string, v interface{})
Set sets a key-value pair in the template data.
func (TemplateData) SetAuthorizationCertificate ¶ added in v0.14.0
func (t TemplateData) SetAuthorizationCertificate(crt interface{})
SetAuthorizationCertificate sets the given certificate in the template. This certificate is generally present in a token header.
func (TemplateData) SetAuthorizationCertificateChain ¶ added in v0.14.0
func (t TemplateData) SetAuthorizationCertificateChain(chain interface{})
SetAuthorizationCertificateChain sets the given certificate chain in the template. These certificates are generally present in a token header.
func (TemplateData) SetCertificateRequest ¶
func (t TemplateData) SetCertificateRequest(cr *x509.CertificateRequest)
SetCertificateRequest sets the given certificate request in the insecure template data.
func (TemplateData) SetCommonName ¶
func (t TemplateData) SetCommonName(cn string)
SetCommonName sets the given common name in the subject in the template data.
func (TemplateData) SetInsecure ¶
func (t TemplateData) SetInsecure(key string, v interface{})
SetInsecure sets a key-value pair in the insecure template data.
func (TemplateData) SetSANs ¶
func (t TemplateData) SetSANs(sans []string)
SetSANs sets the given SANs in the template data.
func (TemplateData) SetSubject ¶
func (t TemplateData) SetSubject(v Subject)
SetSubject sets the given subject in the template data.
func (TemplateData) SetSubjectAlternativeNames ¶ added in v0.19.0
func (t TemplateData) SetSubjectAlternativeNames(sans ...SubjectAlternativeName)
SetSubjectAlternativeNames sets the given sans in the template data.
func (TemplateData) SetToken ¶
func (t TemplateData) SetToken(v interface{})
SetToken sets the given token in the template data.
func (TemplateData) SetUserData ¶
func (t TemplateData) SetUserData(v interface{})
SetUserData sets the given user provided object in the insecure template data.
func (TemplateData) SetWebhook ¶ added in v0.20.0
func (t TemplateData) SetWebhook(webhookName string, data interface{})
SetWebhook sets the given webhook response in the webhooks template data.
type TemplateError ¶
// TemplateError represents an error in a template produced by the template
// `fail` function.
type TemplateError struct {
	// Message is the string passed to `fail "message"`.
	Message string
}
TemplateError represents an error in a template produced by the fail function.
func (*TemplateError) Error ¶
func (e *TemplateError) Error() string
Error implements the error interface and returns the error string when a template executes the `fail "message"` function.
type UnknownExtKeyUsage ¶ added in v0.5.0
// UnknownExtKeyUsage is the list of OIDs of extended key usages unknown to
// crypto/x509.
type UnknownExtKeyUsage MultiObjectIdentifier
UnknownExtKeyUsage represents the list of OIDs of extended key usages unknown to crypto/x509.
func (UnknownExtKeyUsage) MarshalJSON ¶ added in v0.5.0
func (u UnknownExtKeyUsage) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface in UnknownExtKeyUsage.
func (UnknownExtKeyUsage) Set ¶ added in v0.5.0
func (u UnknownExtKeyUsage) Set(c *x509.Certificate)
Set sets the unknown extended key usages in the given certificate.
func (*UnknownExtKeyUsage) UnmarshalJSON ¶ added in v0.5.0
func (u *UnknownExtKeyUsage) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface in UnknownExtKeyUsage.