csr

package
v0.19.155 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 29, 2024 License: Apache-2.0 Imports: 26 Imported by: 2

Documentation

Index

Constants

View Source 
const (
	// CurveP256 specifies curve P-256 for ESDCA
	CurveP256 = 256

	// CurveP384 specifies curve P-384 for ESDCA
	CurveP384 = 384

	// CurveP521 specifies curve P-521 for ESDCA
	CurveP521 = 521
)
View Source 
const (
	// UserNoticeQualifierType defines id-qt-unotice
	UserNoticeQualifierType = "id-qt-unotice"
	// CpsQualifierType defines id-qt-cps
	CpsQualifierType = "id-qt-cps"

	// OneYear duration
	OneYear = Duration(8760 * time.Hour)
)

Variables

This section is empty.

Functions

func DecodeCDP added in v0.5.0 

func DecodeCDP(val []byte) ([]string, error)

DecodeCDP returns list of CDP

func DefaultSigAlgo 

func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm

DefaultSigAlgo returns an appropriate X.509 signature algorithm given the CA's private key.

func EncodeCDP added in v0.5.0 

func EncodeCDP(cdp []string) (*pkix.Extension, error)

EncodeCDP returns CRLDP

func EncodeCDPFull added in v0.13.0 

func EncodeCDPFull(cdp []string, issuer asn1.RawValue) (*pkix.Extension, error)

EncodeCDP returns CRLDP

func FindAttr added in v0.3.0 

func FindAttr(attrs []pkix.AttributeTypeAndValue, id asn1.ObjectIdentifier) *pkix.AttributeTypeAndValue

FindAttr returns attribute

func Parse 

func Parse(csrBytes []byte) (*x509.Certificate, error)

Parse takes an incoming certificate request and builds a certificate template from it.

func ParseObjectIdentifier 

func ParseObjectIdentifier(oidString string) (oid asn1.ObjectIdentifier, err error)

ParseObjectIdentifier returns OID

func ParsePEM 

func ParsePEM(csrPEM []byte) (*x509.Certificate, error)

ParsePEM takes an incoming certificate request and builds a certificate template from it.

func PopulateName 

func PopulateName(raSubject *X509Subject, csrSubject pkix.Name) pkix.Name

PopulateName has functionality similar to Name, except it fills the fields of the resulting pkix.Name with req's if the subject's corresponding fields are empty

func SetSAN 

func SetSAN(template *x509.Certificate, SAN []string)

SetSAN fills template's IPAddresses, EmailAddresses, and DNSNames with the content of SAN, if it is not nil.

func SigAlgo 

func SigAlgo(algo string, size int) x509.SignatureAlgorithm

SigAlgo returns signature algorithm for the given algorithm name and key size TODO: use oid pkg

Types

type AllowedFields 

type AllowedFields struct {
	Subject        bool `json:"subject" yaml:"subject"`
	DNSNames       bool `json:"dns" yaml:"dns"`
	IPAddresses    bool `json:"ip" yaml:"ip"`
	EmailAddresses bool `json:"email" yaml:"email"`
	URIs           bool `json:"uri" yaml:"uri"`
}

AllowedFields provides booleans for fields in the CSR. If a AllowedFields is not present in a CertProfile, all of these fields may be copied from the CSR into the signed certificate. If a AllowedFields *is* present in a CertProfile, only those fields with a `true` value in the AllowedFields may be copied from the CSR to the signed certificate. Note that some of these fields, like Subject, can be provided or partially provided through the API. Since API clients are expected to be trusted, but CSRs are not, fields provided through the API are not subject to validation through this mechanism.

type BasicConstraints 

type BasicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

BasicConstraints CSR information RFC 5280, 4.2.1.9

type CertificatePolicy 

type CertificatePolicy struct {
	ID         OID                          `json:"oid" yaml:"oid"`
	Qualifiers []CertificatePolicyQualifier `json:"qualifiers" yaml:"qualifiers"`
}

CertificatePolicy represents the ASN.1 PolicyInformation structure from https://tools.ietf.org/html/rfc3280.html#page-106. Valid values of Type are "id-qt-unotice" and "id-qt-cps"

type CertificatePolicyQualifier 

type CertificatePolicyQualifier struct {
	Type  string `json:"type" yaml:"type"`
	Value string `json:"value" yaml:"value"`
}

CertificatePolicyQualifier represents a single qualifier from an ASN.1 PolicyInformation structure.

type CertificateRequest 

type CertificateRequest struct {
	// CommonName of the Subject
	CommonName string `json:"common_name" yaml:"common_name"`
	// Names of the Subject
	Names []X509Name `json:"names" yaml:"names"`
	// SerialNumber of the Subject
	SerialNumber string `json:"serial_number,omitempty" yaml:"serial_number,omitempty"`
	// SAN is Subject Alt Names
	SAN []string `json:"san" yaml:"san"`
	// KeyRequest for generated key
	KeyRequest *KeyRequest `json:"key,omitempty" yaml:"key,omitempty"`
	// Extensions for the cert
	Extensions []X509Extension `json:"extensions,omitempty" yaml:"extensions,omitempty"`
}

A CertificateRequest encapsulates the API interface to the certificate request functionality.

func (*CertificateRequest) AddSAN added in v0.3.0 

func (r *CertificateRequest) AddSAN(s string)

AddSAN adds a SAN value to the request

func (*CertificateRequest) Name 

func (r *CertificateRequest) Name() pkix.Name

Name returns the PKIX name for the request.

func (*CertificateRequest) Validate 

func (r *CertificateRequest) Validate() error

Validate provides the default validation logic for certificate authority certificates. The only requirement here is that the certificate have a non-empty subject field.

type DistributionPoint added in v0.5.0 

type DistributionPoint struct {
	DistributionPoint DistributionPointName `asn1:"optional,tag:0"`
	Reason            asn1.BitString        `asn1:"optional,tag:1"`
	CRLIssuer         asn1.RawValue         `asn1:"optional,tag:2"`
}

DistributionPoint defines CDP as per RFC 5280, 4.2.1.14

type DistributionPointName added in v0.5.0 

type DistributionPointName struct {
	FullName     []asn1.RawValue  `asn1:"optional,tag:0"`
	RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
}

DistributionPointName is a part of DistributionPoint

type Duration 

type Duration time.Duration

Duration represents a period of time, its the same as time.Duration but supports better marshalling from json

func (Duration) MarshalJSON 

func (d Duration) MarshalJSON() ([]byte, error)

MarshalJSON encodes our custom Duration value as a quoted version of its underlying value's String() output this means you get a duration with a trailing units indicator, e.g. "10m0s"

func (Duration) String 

func (d Duration) String() string

String returns a string formatted version of the duration in a valueUnits format, e.g. 5m0s for 5 minutes

func (Duration) TimeDuration 

func (d Duration) TimeDuration() time.Duration

TimeDuration returns this duration in a time.Duration type

func (*Duration) UnmarshalJSON 

func (d *Duration) UnmarshalJSON(b []byte) error

UnmarshalJSON handles decoding our custom json serialization for Durations json values that are numbers are treated as seconds json values that are strings, can use the standard time.Duration units indicators e.g. this can decode val:100 as well as val:"10m"

func (*Duration) UnmarshalYAML 

func (d *Duration) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML handles decoding our custom json serialization for Durations

type GeneralName added in v0.13.0 

type GeneralName struct {
	Raw           asn1.RawValue
	DNSName       string
	DirectoryName pkix.RDNSequence
	EmailAddres   string
	IPAddres      net.IP
	URI           *url.URL
}

GeneralNames represents a General Names sequence as defined in RFC 5820 section 4.2.1.6.

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName 

GeneralName ::= CHOICE {
     otherName                       [0]     OtherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
     directoryName                   [4]     Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER }

OtherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }

EDIPartyName ::= SEQUENCE {
     nameAssigner            [0]     DirectoryString OPTIONAL,
     partyName               [1]     DirectoryString }

func DecodeCDPFull added in v0.13.0 

func DecodeCDPFull(val []byte) ([]string, []GeneralName, error)

DecodeCDP returns list of CDP

func (*GeneralName) Parse added in v0.13.0 

func (e *GeneralName) Parse(raw asn1.RawValue) error

Unmarshal parses an DER-encoded ASN.1 data structure and stores the result in the object.

type KeyPurpose 

type KeyPurpose int

KeyPurpose declares the purpose for keys 

const (
	// Undefined purpose of key
	Undefined KeyPurpose = 0
	// SigningKey specifies the purpose of key to be used in signing/verification operations
	SigningKey KeyPurpose = 1
	// EncryptionKey specifies the purpose of key to be used in encryption/decryption operations
	EncryptionKey KeyPurpose = 2
)

type KeyRequest 

type KeyRequest struct {
	L string     `json:"label" yaml:"label"`
	A string     `json:"algo"  yaml:"algo"`
	S int        `json:"size"  yaml:"size"`
	P KeyPurpose `json:"purpose"  yaml:"purpose"`
	// contains filtered or unexported fields
}

KeyRequest contains the algorithm and key size for a new private key.

func NewKeyRequest 

func NewKeyRequest(prov cryptoprov.Provider, label, algo string, keySize int, purpose KeyPurpose) *KeyRequest

NewKeyRequest returns KeyRequest from given parameters

func (*KeyRequest) Algo 

func (kr *KeyRequest) Algo() string

Algo returns the requested key algorithm represented as a string.

func (*KeyRequest) Generate 

func (kr *KeyRequest) Generate() (crypto.PrivateKey, error)

Generate generates a key as specified in the request. Currently, only ECDSA and RSA are supported.

func (*KeyRequest) Label 

func (kr *KeyRequest) Label() string

Label returns the requested key label.

func (*KeyRequest) Purpose 

func (kr *KeyRequest) Purpose() int

Purpose returns the purpose of the key .

func (*KeyRequest) SigAlgo 

func (kr *KeyRequest) SigAlgo() x509.SignatureAlgorithm

SigAlgo returns an appropriate X.509 signature algorithm given the key request's type and size.

func (*KeyRequest) Size 

func (kr *KeyRequest) Size() int

Size returns the requested key size.

type KeyRequestGen 

type KeyRequestGen interface {
	Algo() string
	Label() string
	Size() int
	Generate() (crypto.PrivateKey, error)
	SigAlgo() x509.SignatureAlgorithm
	Purpose() int
}

KeyRequestGen contains the algorithm and key size for a new private key.

type OID 

type OID asn1.ObjectIdentifier

OID is the asn1's ObjectIdentifier, provide a custom JSON marshal / unmarshal.

func (OID) Equal 

func (oid OID) Equal(other OID) bool

Equal reports whether oi and other represent the same identifier.

func (OID) MarshalJSON 

func (oid OID) MarshalJSON() ([]byte, error)

MarshalJSON marshals an oid into a JSON string.

func (OID) String 

func (oid OID) String() string

func (*OID) UnmarshalJSON 

func (oid *OID) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON unmarshals a JSON string into an OID.

func (*OID) UnmarshalYAML 

func (oid *OID) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML unmarshals a YAML string into an OID.

type Provider 

type Provider struct {
	// contains filtered or unexported fields
}

Provider extends cryptoprov.Crypto functionality to support CSP procesing and certificate signing

func NewProvider 

func NewProvider(provider cryptoprov.Provider) *Provider

NewProvider returns an instance of CSR provider

func (*Provider) CreateRequestAndExportKey 

func (c *Provider) CreateRequestAndExportKey(req *CertificateRequest) (csrPEM, key []byte, keyID string, pub crypto.PublicKey, err error)

CreateRequestAndExportKey takes a certificate request and generates a key and CSR from it.

func (*Provider) GenerateKeyAndRequest 

func (c *Provider) GenerateKeyAndRequest(req *CertificateRequest) (csrPEM []byte, priv crypto.PrivateKey, keyID string, err error)

GenerateKeyAndRequest takes a certificate request and generates a key and CSR from it.

func (*Provider) NewKeyRequest 

func (c *Provider) NewKeyRequest(label, algo string, keySize int, purpose KeyPurpose) *KeyRequest

NewKeyRequest returns KeyRequest from given parameters

func (*Provider) NewSigningCertificateRequest 

func (c *Provider) NewSigningCertificateRequest(
	keyLabel, algo string, keySize int,
	CN string,
	names []X509Name,
	san []string,
) *CertificateRequest

NewSigningCertificateRequest creates new request for signing certificate

func (*Provider) SignRequest added in v0.7.0 

func (c *Provider) SignRequest(priv crypto.PrivateKey, req *CertificateRequest) (csrPEM []byte, err error)

SignRequest signs a certificate request

type SignRequest 

type SignRequest struct {
	SAN          []string        `json:"san" yaml:"san"`
	Request      string          `json:"certificate_request" yaml:"certificate_request"`
	Subject      *X509Subject    `json:"subject,omitempty" yaml:"subject,omitempty"`
	Profile      string          `json:"profile" yaml:"profile"`
	SerialNumber *big.Int        `json:"serial_number,omitempty" yaml:"serial_number,omitempty"`
	Extensions   []X509Extension `json:"extensions,omitempty" yaml:"extensions,omitempty"`

	// If provided, NotBefore will be used without modification (except
	// for canonicalization) as the value of the notBefore field of the
	// certificate. In particular no backdating adjustment will be made
	// when NotBefore is provided.
	NotBefore time.Time `json:"-" yaml:"-"`
	// If provided, NotAfter will be used without modification (except
	// for canonicalization) as the value of the notAfter field of the
	// certificate.
	NotAfter time.Time `json:"-" yaml:"-"`
}

SignRequest stores a signature request, which contains the SAN, the pen-encoded CSR, optional subject information, and the signature profile.

Extensions provided in the request are copied into the certificate, as long as they are in the allowed list for the issuer's policy. Extensions requested in the CSR are ignored, except for those processed by CreateCSR (mainly subjectAltName).

func (*SignRequest) ExtensionsIDs added in v0.3.0 

func (r *SignRequest) ExtensionsIDs() []string

ExtensionsIDs returns list of extension IDs in the request

func (*SignRequest) SubjectCommonName added in v0.3.0 

func (r *SignRequest) SubjectCommonName() string

SubjectCommonName returns CN in the request

type Signer 

type Signer interface {
	SignCertificate(req SignRequest) (cert []byte, err error)
}

Signer interface to sign CSR

type X509Extension 

type X509Extension struct {
	ID       OID    `json:"id" yaml:"id"`
	Critical bool   `json:"critical" yaml:"critical"`
	Value    string `json:"value" yaml:"value"`
}

X509Extension represents a raw extension to be included in the certificate. The "value" field must be hex encoded.

func (X509Extension) GetValue added in v0.2.0 

func (ext X509Extension) GetValue() ([]byte, error)

GetValue returns raw value. if prefix is hex or base64, then it's decoded, otherwise hex decoding is tried first then base64

type X509Name 

type X509Name struct {
	Country            string `json:"c" yaml:"c"`
	Province           string `json:"st" yaml:"st"`
	Locality           string `json:"l" yaml:"l"`
	Organization       string `json:"o" yaml:"o"`
	OrganizationalUnit string `json:"ou" yaml:"ou"`
	EmailAddress       string `json:"email" yaml:"email"` // 1.2.840.113549.1.9.1
	SerialNumber       string `json:"serial_number" yaml:"serial_number"`
}

X509Name contains the SubjectInfo fields.

type X509Subject 

type X509Subject struct {
	CommonName   string     `json:"common_name" yaml:"common_name"`
	Names        []X509Name `json:"names" yaml:"names"`
	SerialNumber string     `json:"serial_number" yaml:"serial_number"`
}

X509Subject contains the information that should be used to override the subject information when signing a certificate.

func (*X509Subject) Name 

func (s *X509Subject) Name() pkix.Name

Name returns the PKIX name for the subject.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.