certs

package v0.7.0 Latest
Published: Apr 27, 2022 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

Package certs provides common/shared utility code to support applications in this module which process certificates.

Index

Constants

const CertCheckOneLineSummaryExpiredTmpl string = "%s: %s cert %q expired %s (on %s) %s"

CertCheckOneLineSummaryExpiredTmpl is a shared template string used for emitting one-line service check status output for certificate chains with expired certificates.

const CertCheckOneLineSummaryTmpl string = "%s: %s cert %q expires next with %s (until %s) %s"

CertCheckOneLineSummaryTmpl is a shared template string used for emitting one-line service check status output for certificate chains whose certificates have not expired yet.

const CertValidityDateLayout string = "2006-01-02 15:04:05 -0700 MST"

CertValidityDateLayout is the chosen date layout for displaying certificate validity date/time values across our application.

const X509CertReliesOnCommonName string = "x509: certificate relies on legacy Common Name field, use SANs instead"

X509CertReliesOnCommonName mirrors the unexported error string emitted by the HostnameError.Error() method from the x509 package.

This error string is emitted when a certificate is missing Subject Alternate Names (SANs) AND a specified hostname matches the Common Name field.

Variables

This section is empty.

Functions

func ChainPosition

func ChainPosition(cert *x509.Certificate, certChain []*x509.Certificate) string

ChainPosition receives a cert and the cert chain that it belongs to and returns a string indicating what position or "role" it occupies in the certificate chain.

https://en.wikipedia.org/wiki/X.509 https://tools.ietf.org/html/rfc5280

func CheckSANsEntries

func CheckSANsEntries(cert *x509.Certificate, certChain []*x509.Certificate, expectedEntries []string) (int, error)

CheckSANsEntries receives an x509 certificate, the x509 certificate chain it is a part of and a list of expected SANs entries that should be present for the certificate. The number of unmatched SANs entries is returned along with an error if validation failed.

func ExpirationStatus

func ExpirationStatus(cert *x509.Certificate, ageCritical time.Time, ageWarning time.Time) string

ExpirationStatus receives a certificate and the expiration threshold values for CRITICAL and WARNING states and returns a human-readable string indicating the overall status at a glance.

func FormatCertSerialNumber

func FormatCertSerialNumber(sn *big.Int) string

FormatCertSerialNumber receives a certificate serial number in its native type and formats it in the text format used by OpenSSL (and many other tools).

Example: DE:FD:50:2B:C5:7F:79:F4

func FormattedExpiration

func FormattedExpiration(expireTime time.Time) string

FormattedExpiration receives a Time value and converts it to a string representing the largest useful whole units of time in days and hours. For example, if a certificate has 1 year, 2 days and 3 hours remaining until expiration, this function will return the string '367d 3h remaining', but if only 3 hours remain then '3h remaining' will be returned. If a certificate has expired, the 'ago' suffix will be used instead. For example, if a certificate has expired 3 hours ago, '3h ago' will be returned.
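The two display helpers documented above (FormatCertSerialNumber and FormattedExpiration) are easy to get subtly wrong: a serial with an odd number of hex digits must be zero-padded so the colon-separated groups stay byte-aligned, and an expiration distance must truncate to whole hours rather than round. The following is an added example, not the certs package's own code; formatSerial and formattedExpiration are standalone reimplementations of the behaviour the doc comments describe, with "now" passed in explicitly so the result is reproducible, and the sample values are constructed (the serial is the one shown in the FormatCertSerialNumber docs).

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
	"time"
)

// formatSerial renders a certificate serial number in the colon-separated
// upper-case hex form that OpenSSL prints (e.g. DE:FD:50:2B:C5:7F:79:F4).
// A serial with an odd number of hex digits is left-padded with a zero so
// every colon-separated group is exactly one byte; zero prints as "00".
// A negative serial (not RFC 5280 compliant, but seen in the wild) keeps a
// leading minus sign so the oddity stays visible in reports.
func formatSerial(sn *big.Int) string {
	sign := ""
	if sn.Sign() < 0 {
		sign = "-"
	}
	hexDigits := strings.ToUpper(new(big.Int).Abs(sn).Text(16))
	if len(hexDigits)%2 == 1 {
		hexDigits = "0" + hexDigits
	}
	groups := make([]string, 0, len(hexDigits)/2)
	for i := 0; i < len(hexDigits); i += 2 {
		groups = append(groups, hexDigits[i:i+2])
	}
	return sign + strings.Join(groups, ":")
}

// formattedExpiration reports the distance between now and expireTime in
// whole days and hours: "367d 3h remaining" or "3h remaining" for a future
// expiry, and the same shape with "ago" once the certificate has expired.
// Minutes and seconds are truncated, not rounded, so "2h 59m" reads as "2h".
func formattedExpiration(now, expireTime time.Time) string {
	suffix := "remaining"
	delta := expireTime.Sub(now)
	if delta < 0 {
		delta, suffix = -delta, "ago"
	}
	wholeHours := int(delta / time.Hour)
	days, hours := wholeHours/24, wholeHours%24
	if days > 0 {
		return fmt.Sprintf("%dd %dh %s", days, hours, suffix)
	}
	return fmt.Sprintf("%dh %s", hours, suffix)
}

func main() {
	// Constructed sample values; the serial is the one shown in the package docs.
	sn, _ := new(big.Int).SetString("DEFD502BC57F79F4", 16)
	now := time.Date(2022, 4, 27, 0, 0, 0, 0, time.UTC)
	fmt.Println(formatSerial(sn))                  // DE:FD:50:2B:C5:7F:79:F4
	fmt.Println(formatSerial(big.NewInt(0xABC)))    // 0A:BC (padded to a whole byte)
	fmt.Println(formattedExpiration(now, now.Add(367*24*time.Hour+3*time.Hour))) // 367d 3h remaining
	fmt.Println(formattedExpiration(now, now.Add(-3*time.Hour)))                 // 3h ago
}
```

Passing now as a parameter rather than calling time.Now() inside the helper is what makes the formatting testable; a monitoring plugin can still call it with time.Now() at the call site.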

func GenerateCertsReport

func GenerateCertsReport(chainStatus ChainStatus, verboseDetails bool) string

GenerateCertsReport receives the current certificate chain status and generates a formatted report suitable for display on the console or (potentially) via Microsoft Teams, provided suitable conversion is performed on the output. If specified, additional details are provided such as certificate fingerprint and key IDs.

func GetCertsFromFile

func GetCertsFromFile(filename string) ([]*x509.Certificate, []byte, error)

GetCertsFromFile is a helper function for retrieving a certificate chain from a specified PEM formatted certificate file. An error is returned if the file cannot be decoded and parsed (e.g., empty file, not PEM formatted). Any leading non-PEM formatted data is skipped while any trailing non-PEM formatted data is returned for potential further evaluation.

func HasExpiredCert

func HasExpiredCert(certChain []*x509.Certificate) bool

HasExpiredCert receives a slice of x509 certificates and indicates whether any of the certificates in the chain have expired.

func HasExpiringCert

func HasExpiringCert(certChain []*x509.Certificate, ageCritical time.Time, ageWarning time.Time) bool

HasExpiringCert receives a slice of x509 certificates along with CRITICAL and WARNING age threshold values. Ignoring any certificates that have already expired, it uses the provided thresholds to determine whether any certificates are about to expire. A boolean value is returned to indicate the result of this check.

func IsExpiredCert

func IsExpiredCert(cert *x509.Certificate) bool

IsExpiredCert receives an x509 certificate and returns a boolean value indicating whether the cert has expired.

func IsExpiringCert

func IsExpiringCert(cert *x509.Certificate, ageCritical time.Time, ageWarning time.Time) bool

IsExpiringCert receives an x509 certificate along with CRITICAL and WARNING age threshold values and uses the provided thresholds to determine whether the certificate is about to expire. A boolean value is returned to indicate the result of this check.

func NextToExpire

func NextToExpire(certChain []*x509.Certificate, excludeExpired bool) *x509.Certificate

NextToExpire receives a slice of x509 certificates and a boolean flag indicating whether already expired certificates should be excluded. If not excluded, the first expired certificate is returned, otherwise the first certificate out of the pool set to expire next is returned.

func NumExpiredCerts

func NumExpiredCerts(certChain []*x509.Certificate) int

NumExpiredCerts receives a slice of x509 certificates and returns a count of how many certificates have expired.

func NumExpiringCerts

func NumExpiringCerts(certChain []*x509.Certificate, ageCritical time.Time, ageWarning time.Time) int

NumExpiringCerts receives a slice of x509 certificates along with CRITICAL and WARNING age threshold values. Ignoring any certificates that have already expired, it uses the provided thresholds to determine whether any certificates are about to expire. A count of expiring certificates is returned.

func OneLineCheckSummary

func OneLineCheckSummary(certsStatus ChainStatus, includeSummary bool) string

OneLineCheckSummary receives the current certificate chain status and a flag indicating whether a summary of the certs which have expired, are expiring or will soon expire should be included, then generates a one-line summary of the check results for display and notification purposes.

Types

type ChainStatus

type ChainStatus struct {

	// HasExpiredCerts indicates whether the certificate chain has any
	// expired certificates.
	HasExpiredCerts bool

	// HasExpiringCerts indicates whether the certificate chain has any
	// certificates set to expire before the WARNING or CRITICAL age
	// thresholds.
	HasExpiringCerts bool

	// ExpiredCertsCount is the number of expired certificates in the chain.
	ExpiredCertsCount int

	// ExpiringCertsCount is the number of certificates expiring before one of
	// the WARNING or CRITICAL age thresholds.
	ExpiringCertsCount int

	// ValidCertsCount is the number of certificates not yet expired or
	// expiring.
	ValidCertsCount int

	// TotalCertsCount is the total number of certificates in a chain.
	TotalCertsCount int

	// Summary is a high-level overview of the number of expired, expiring and
	// certificates not yet crossing over a WARNING or CRITICAL age threshold.
	// This is commonly used as the lead-out text for a one-line summary.
	Summary string

	// AgeWarningThreshold is the specified age threshold for when
	// certificates in the chain with an expiration less than this value are
	// considered to be in a WARNING state.
	AgeWarningThreshold time.Time

	// AgeCriticalThreshold is the specified age threshold for when
	// certificates in the chain with an expiration less than this value are
	// considered to be in a CRITICAL state.
	AgeCriticalThreshold time.Time

	// CertChain is the collection of certificates under evaluation.
	CertChain []*x509.Certificate
}

ChainStatus provides a quick status overview of the certificates in a provided certificate chain.

func ChainSummary

func ChainSummary(
	certChain []*x509.Certificate,
	certsExpireAgeCritical time.Time,
	certsExpireAgeWarning time.Time,
) ChainStatus

ChainSummary receives a certificate chain, the critical age threshold and the warning age threshold and generates a summary of certificate details.

func (ChainStatus) IsCriticalState added in v0.4.3

func (cs ChainStatus) IsCriticalState() bool

IsCriticalState indicates whether a ChainStatus has been determined to be in a CRITICAL state. This returns false if the ChainStatus is in an OK or WARNING state, true otherwise.

func (ChainStatus) IsOKState added in v0.4.3

func (cs ChainStatus) IsOKState() bool

IsOKState indicates whether a ChainStatus has been determined to be in an OK state, without expired or expiring certificates.

func (ChainStatus) IsWarningState added in v0.4.3

func (cs ChainStatus) IsWarningState() bool

IsWarningState indicates whether a ChainStatus has been determined to be in a WARNING state. This returns false if the ChainStatus is in an OK or CRITICAL state, true otherwise.

func (ChainStatus) ServiceState added in v0.4.3

func (cs ChainStatus) ServiceState() nagios.ServiceState

ServiceState returns the appropriate Service Check Status label and exit code for the evaluated certificate chain.
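The per-certificate checks (IsExpiredCert, IsExpiringCert, NumExpiredCerts, NumExpiringCerts), the ChainSummary counts and the IsOKState/IsWarningState/IsCriticalState/ServiceState methods above all hinge on one classification rule: expired takes precedence over CRITICAL, which takes precedence over WARNING, and one bad certificate anywhere in the chain drives the result for the whole chain. The following is an added example, not code from the certs package or its module: chainSummary and serviceState are a reduced reimplementation of the logic the doc comments describe (the Nagios exit-code mapping OK=0, WARNING=1, CRITICAL=2 is assumed, since the page does not spell it out), and buildChain constructs throwaway self-signed certificates with crypto/x509 purely so the example runs offline against a chain with one healthy, one expiring and one expired certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serviceState pairs a check label with its plugin exit code
// (assumed Nagios convention: OK=0, WARNING=1, CRITICAL=2).
type serviceState struct {
	Label    string
	ExitCode int
}

// chainStatus carries the counts needed to decide the service state.
type chainStatus struct {
	ExpiredCertsCount  int
	ExpiringCertsCount int // past WARNING or CRITICAL threshold, not yet expired
	CriticalCertsCount int // subset of expiring certs already past the CRITICAL threshold
	ValidCertsCount    int
	TotalCertsCount    int
}

// chainSummary classifies every certificate exactly once. The thresholds are
// absolute times: ageCritical lies nearer to now than ageWarning, so a
// certificate whose NotAfter falls before ageCritical is tested first.
func chainSummary(chain []*x509.Certificate, now, ageCritical, ageWarning time.Time) chainStatus {
	cs := chainStatus{TotalCertsCount: len(chain)}
	for _, cert := range chain {
		switch {
		case !cert.NotAfter.After(now): // expired (NotAfter == now counts as expired)
			cs.ExpiredCertsCount++
		case cert.NotAfter.Before(ageCritical):
			cs.ExpiringCertsCount++
			cs.CriticalCertsCount++
		case cert.NotAfter.Before(ageWarning):
			cs.ExpiringCertsCount++
		default:
			cs.ValidCertsCount++
		}
	}
	return cs
}

// serviceState applies the precedence expired/critical > warning > ok.
func (cs chainStatus) serviceState() serviceState {
	switch {
	case cs.ExpiredCertsCount > 0 || cs.CriticalCertsCount > 0:
		return serviceState{"CRITICAL", 2}
	case cs.ExpiringCertsCount > 0:
		return serviceState{"WARNING", 1}
	default:
		return serviceState{"OK", 0}
	}
}

// buildChain creates throwaway self-signed test certificates, one per expiry
// offset from now (a negative offset yields an already-expired certificate).
func buildChain(now time.Time, offsets ...time.Duration) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for i, off := range offsets {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)),
			Subject:      pkix.Name{CommonName: fmt.Sprintf("test-%d.example", i)}, // constructed name
			NotBefore:    now.Add(off - 365*24*time.Hour),
			NotAfter:     now.Add(off),
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		chain = append(chain, cert)
	}
	return chain, nil
}

func main() {
	now := time.Now()
	// Constructed sample chain: healthy, inside the 30-day WARNING window, expired.
	chain, err := buildChain(now, 365*24*time.Hour, 20*24*time.Hour, -3*time.Hour)
	if err != nil {
		panic(err)
	}
	cs := chainSummary(chain, now, now.Add(15*24*time.Hour), now.Add(30*24*time.Hour))
	st := cs.serviceState()
	fmt.Printf("%s: %d expired, %d expiring, %d valid of %d (exit %d)\n",
		st.Label, cs.ExpiredCertsCount, cs.ExpiringCertsCount, cs.ValidCertsCount, cs.TotalCertsCount, st.ExitCode)
}
```

Taking now as a parameter keeps the classification deterministic; the real package's threshold values are likewise absolute time.Time values computed by the caller, so the comparison against NotAfter is a plain Before/After check with no clock arithmetic inside the loop.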

type DiscoveredCertChain

type DiscoveredCertChain struct {
	// Name is the hostname or FQDN of a system where a certificate chain was
	// retrieved. Depending on how scan targets were specified, this value may
	// not be populated.
	Name string

	// IPAddress is the IP Address where a certificate chain was discovered.
	// This value should always be populated.
	IPAddress string

	// Port is the TCP port where a certificate chain was retrieved.
	Port int

	// Certs is the certificate chain associated with a host.
	Certs []*x509.Certificate
}

DiscoveredCertChain represents the certificate chain found on a specific host along with that host's IP/Name and port.

type DiscoveredCertChains

type DiscoveredCertChains []DiscoveredCertChain

DiscoveredCertChains is a collection of discovered certificate chains for specified hosts and ports.

func (DiscoveredCertChains) HasProblems

func (dcc DiscoveredCertChains) HasProblems(
	certsExpireAgeCritical time.Time,
	certsExpireAgeWarning time.Time) bool

HasProblems asserts that no evaluated certificates are expired or expiring soon.

func (DiscoveredCertChains) NumProblems

func (dcc DiscoveredCertChains) NumProblems(
	certsExpireAgeCritical time.Time,
	certsExpireAgeWarning time.Time) int

NumProblems indicates how many evaluated certificates are expired or expiring soon.
