Documentation
Overview
Package certgen is a set of utilities used to generate SSH certificates.
Index
- func ComputePublicKeyKeyID(PublicKey interface{}) ([]byte, error)
- func GenIPRestrictedX509Cert(userName string, userPub interface{}, caCert *x509.Certificate, ...) ([]byte, error)
- func GenSSHCertFileString(username string, userPubKey string, signer ssh.Signer, host_identity string, ...) (string, []byte, error)
- func GenSSHCertFileStringFromSSSDPublicKey(userName string, signer ssh.Signer, hostIdentity string, ...) (string, []byte, error)
- func GenSelfSignedCACert(commonName string, organization string, caPriv crypto.Signer) ([]byte, error)
- func GenUserX509Cert(userName string, userPub interface{}, caCert *x509.Certificate, ...) ([]byte, error)
- func GetSignerFromPEMBytes(privateKey []byte) (crypto.Signer, error)
- func GetUserPubKeyFromSSSD(username string) (string, error)
- func VerifyIPRestrictedX509CertIP(userCert *x509.Certificate, remoteAddr string) (bool, error)
- type IpAdressFamily
- type KRB5PrincipalName
- type KerberosPrincipal
- type PKInitSANAnotherName
Constants
This section is empty.
Variables
This section is empty.
Functions
func ComputePublicKeyKeyID added in v1.5.1
func ComputePublicKeyKeyID(PublicKey interface{}) ([]byte, error)
ComputePublicKeyKeyID computes the SHA-1 digest of a public key.
func GenIPRestrictedX509Cert added in v1.5.1
func GenIPRestrictedX509Cert(userName string, userPub interface{}, caCert *x509.Certificate, caPriv crypto.Signer, ipv4Netblocks []net.IPNet, duration time.Duration, crlURL []string, OCPServer []string) ([]byte, error)
GenIPRestrictedX509Cert returns an x509 cert that has the username in the common name, restricted to the specified allowed netblocks.
func GenSSHCertFileString
func GenSSHCertFileString(username string, userPubKey string, signer ssh.Signer, host_identity string, duration time.Duration) (string, []byte, error)
GenSSHCertFileString takes a username and key and returns a short-lived cert for that user.
func GenSelfSignedCACert
func GenSelfSignedCACert(commonName string, organization string, caPriv crypto.Signer) ([]byte, error)
GenSelfSignedCACert returns both an internal representation and the PEM representation of the certificate. As long as the issuer value matches, the serial number can be different every time.
func GenUserX509Cert
func GenUserX509Cert(userName string, userPub interface{}, caCert *x509.Certificate, caPriv crypto.Signer, kerberosRealm *string, duration time.Duration, groups []string, organizations []string) ([]byte, error)
GenUserX509Cert returns an x509 cert that has the username in the common name; if a Kerberos realm is present, it also adds a Kerberos SAN extension for PKINIT.
func GetUserPubKeyFromSSSD
func GetUserPubKeyFromSSSD(username string) (string, error)
GetUserPubKeyFromSSSD returns the user's authorized keys content based on the running SSSD configuration.
func VerifyIPRestrictedX509CertIP added in v1.5.1
func VerifyIPRestrictedX509CertIP(userCert *x509.Certificate, remoteAddr string) (bool, error)
VerifyIPRestrictedX509CertIP takes an x509 cert and verifies that it is valid given an incoming remote address. If the cert does not contain an IP restriction extension, the verification is considered failed.
Types
type IpAdressFamily added in v1.5.1
type KRB5PrincipalName
type KRB5PrincipalName struct {
	Realm     string            `asn1:"explicit,tag:0"`
	Principal KerberosPrincipal `asn1:"explicit,tag:1"`
}
From RFC 4556 section 3.2.2 (https://tools.ietf.org/html/rfc4556.html)
type KerberosPrincipal
type KerberosPrincipal struct {
	Len       int      `asn1:"explicit,tag:0"`
	Principal []string `asn1:"explicit,tag:1"`
}
From RFC 4120 section 5.2.2 (https://tools.ietf.org/html/rfc4120)
type PKInitSANAnotherName
type PKInitSANAnotherName struct {
	Id    asn1.ObjectIdentifier
	Value KRB5PrincipalName `asn1:"explicit,tag:0"`
}
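The three structures above are the pieces of the PKINIT SAN otherName that GenUserX509Cert adds when a Kerberos realm is given. The encoder and decoder below are an added example, not code from the certgen package, showing how they nest under encoding/asn1 and what a relying party should reject when reading the value back. The id-pkinit-san OID 1.3.6.1.5.2.2 and the NT-PRINCIPAL name-type value 1 are taken from RFC 4556 and RFC 4120 respectively and are not stated on this page.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"strings"
)

// Structs reproduced from this page (RFC 4556 section 3.2.2, RFC 4120 section 5.2.2).
type KerberosPrincipal struct {
	Len       int      `asn1:"explicit,tag:0"` // RFC 4120 name-type; NT-PRINCIPAL is 1
	Principal []string `asn1:"explicit,tag:1"` // RFC 4120 name-string components
}
type KRB5PrincipalName struct {
	Realm     string            `asn1:"explicit,tag:0"`
	Principal KerberosPrincipal `asn1:"explicit,tag:1"`
}
type PKInitSANAnotherName struct {
	Id    asn1.ObjectIdentifier
	Value KRB5PrincipalName `asn1:"explicit,tag:0"`
}

// id-pkinit-san from RFC 4556 section 3.2.2 (assumed here; not stated on this page).
var idPKInitSAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 2}

// EncodePKInitSAN DER-encodes the otherName value for components@realm, e.g.
// EncodePKInitSAN([]string{"host", "db1.example.com"}, "EXAMPLE.COM").
func EncodePKInitSAN(components []string, realm string) ([]byte, error) {
	if len(components) == 0 || realm == "" {
		return nil, fmt.Errorf("principal needs at least one component and a realm")
	}
	return asn1.Marshal(PKInitSANAnotherName{Id: idPKInitSAN, Value: KRB5PrincipalName{
		Realm: realm, Principal: KerberosPrincipal{Len: 1, Principal: components}}})
}

// DecodePKInitSAN parses a DER otherName value into "comp1/comp2@REALM". A wrong
// OID, trailing bytes or an empty name are rejected rather than silently mapped
// to a principal, which is what a relying party checking this SAN needs.
func DecodePKInitSAN(der []byte) (string, error) {
	var other PKInitSANAnotherName
	rest, err := asn1.Unmarshal(der, &other)
	if err != nil || len(rest) != 0 || !other.Id.Equal(idPKInitSAN) {
		return "", fmt.Errorf("not a PKINIT SAN otherName (err=%v, oid=%v, trailing=%d)", err, other.Id, len(rest))
	}
	if other.Value.Realm == "" || len(other.Value.Principal.Principal) == 0 {
		return "", fmt.Errorf("empty realm or principal name")
	}
	return strings.Join(other.Value.Principal.Principal, "/") + "@" + other.Value.Realm, nil
}
```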