Documentation ¶
Index ¶
- Variables
- func BasicConstraints(bcv bool, isCA bool, maxPathLen int) func(*CertTemplate) error
- func CRLSign(c bool) func(*CertTemplate) error
- func CommonName(common string) func(*PkixName) error
- func Country(countries string) func(*PkixName) error
- func ExtKeyUsage(eku []x509.ExtKeyUsage) func(*CertTemplate) error
- func Hosts(hosts string) func(*CertTemplate) error
- func Issuer(pn PkixName) func(*CertTemplate) error
- func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)
- func Locality(localities string) func(*PkixName) error
- func MergeASN1DN(n *pkix.Name, asn1dn *ASN1DN) error
- func NotBeforeAfter(from time.Time, duration time.Duration) func(*CertTemplate) error
- func Now() time.Time
- func Organization(orgs string) func(*PkixName) error
- func ReadCertPool(path string) (*realx509.CertPool, error)
- func SerialNumber(sn *string) func(*CertTemplate) error
- func Subject(pn PkixName) func(*CertTemplate) error
- func WriteCertificate(crt []byte, out string) error
- type ASN1DN
- type CertTemplate
- type CipherSuites
- type Identity
- type Intermediate
- func (b *Intermediate) CreateCertificate() ([]byte, error)
- func (b *Intermediate) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (b *Intermediate) GenerateDefaultKeyPair() error
- func (b *Intermediate) GenerateKeyPair(kty, crv string, size int) error
- func (b *Intermediate) Issuer() *x509.Certificate
- func (b *Intermediate) SetIssuer(iss *x509.Certificate)
- func (b *Intermediate) SetIssuerPrivateKey(priv interface{})
- func (b *Intermediate) SetSubject(sub *x509.Certificate)
- func (b *Intermediate) SetSubjectPrivateKey(priv interface{})
- func (b *Intermediate) SetSubjectPublicKey(pub interface{})
- func (b *Intermediate) Subject() *x509.Certificate
- func (b *Intermediate) SubjectPrivateKey() interface{}
- func (b *Intermediate) SubjectPublicKey() interface{}
- type Leaf
- func NewLeafProfile(cn string, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Leaf, error)
- func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv interface{}, ...) (*Leaf, error)
- func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv interface{}, ...) (*Leaf, error)
- func (b *Leaf) CreateCertificate() ([]byte, error)
- func (b *Leaf) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (b *Leaf) GenerateDefaultKeyPair() error
- func (b *Leaf) GenerateKeyPair(kty, crv string, size int) error
- func (b *Leaf) Issuer() *x509.Certificate
- func (b *Leaf) SetIssuer(iss *x509.Certificate)
- func (b *Leaf) SetIssuerPrivateKey(priv interface{})
- func (b *Leaf) SetSubject(sub *x509.Certificate)
- func (b *Leaf) SetSubjectPrivateKey(priv interface{})
- func (b *Leaf) SetSubjectPublicKey(pub interface{})
- func (b *Leaf) Subject() *x509.Certificate
- func (b *Leaf) SubjectPrivateKey() interface{}
- func (b *Leaf) SubjectPublicKey() interface{}
- type PkixName
- type PkixNameBuilder
- type Profile
- type Root
- func (b *Root) CreateCertificate() ([]byte, error)
- func (b *Root) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (b *Root) GenerateDefaultKeyPair() error
- func (b *Root) GenerateKeyPair(kty, crv string, size int) error
- func (b *Root) Issuer() *x509.Certificate
- func (b *Root) SetIssuer(iss *x509.Certificate)
- func (b *Root) SetIssuerPrivateKey(priv interface{})
- func (b *Root) SetSubject(sub *x509.Certificate)
- func (b *Root) SetSubjectPrivateKey(priv interface{})
- func (b *Root) SetSubjectPublicKey(pub interface{})
- func (b *Root) Subject() *x509.Certificate
- func (b *Root) SubjectPrivateKey() interface{}
- func (b *Root) SubjectPublicKey() interface{}
- type TLSVersion
- type WithOption
Constants ¶
This section is empty.
Variables ¶
var (
	// DefaultCertValidity is the minimum validity of an end-entity (not root or intermediate) certificate.
	DefaultCertValidity = 24 * time.Hour
	// DefaultRootCertValidity is the default validity of a root certificate in the step PKI.
	DefaultRootCertValidity = time.Hour * 24 * 365 * 10
	// DefaultIntermediateCertValidity is the default validity of an intermediate certificate in the step PKI.
	// NOTE(review): this is the same ten-year window as DefaultRootCertValidity; intermediates are
	// commonly given a shorter lifetime than their root — confirm this is intended.
	DefaultIntermediateCertValidity = time.Hour * 24 * 365 * 10
	// DefaultTLSMinVersion is the default minimum version of TLS.
	DefaultTLSMinVersion = TLSVersion(1.2)
	// DefaultTLSMaxVersion is the default maximum version of TLS.
	// NOTE(review): with both the minimum and maximum pinned to 1.2, TLS 1.3 is never
	// negotiated by default; revisit once the rest of the stack supports it.
	DefaultTLSMaxVersion = TLSVersion(1.2)
	// DefaultTLSRenegotiation is the default TLS connection renegotiation policy.
	DefaultTLSRenegotiation = false // Never renegotiate.
	// DefaultTLSCipherSuites specifies the default step cipher suite(s).
	// Both entries are AEAD suites (ChaCha20-Poly1305, AES-GCM) with ephemeral ECDHE key exchange.
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	}
	// ApprovedTLSCipherSuites lists the smallstep approved cipher suites.
	// NOTE(review): the *_CBC_* entries are legacy non-AEAD suites kept for compatibility;
	// prefer the GCM and CHACHA20_POLY1305 entries where the peer supports them.
	ApprovedTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	}
)
Functions ¶
func BasicConstraints ¶
func BasicConstraints(bcv bool, isCA bool, maxPathLen int) func(*CertTemplate) error
BasicConstraints generates a function that modifies the BasicConstraintsValid, IsCA, MaxPathLen, and MaxPathLenZero fields of a CertTemplate.
If BasicConstraintsValid==true then IsCA and MaxPathLen are valid. MaxPathLenZero indicates that BasicConstraintsValid==true and MaxPathLen==0 should be interpreted as an actual maximum path length of zero. Otherwise, that combination is interpreted as MaxPathLen not being set.
func CRLSign ¶
func CRLSign(c bool) func(*CertTemplate) error
CRLSign generates a function that modifies the KeyUsage bitmap value of a CertTemplate.
func CommonName ¶
CommonName generates a function that modifies the CommonName value of a certificate name struct. Takes a common name string. Returns a function that will modify, in-place, a PkixName.
func Country ¶
Country generates a function that modifies the Country value of a certificate name struct. Takes a comma separated string of countries (e.g. "ecuador,italy,brazil"). Returns a function that will modify, in-place, a PkixName.
func ExtKeyUsage ¶
func ExtKeyUsage(eku []x509.ExtKeyUsage) func(*CertTemplate) error
ExtKeyUsage overwrites the extended key usage slice of a CertTemplate.
func Hosts ¶
func Hosts(hosts string) func(*CertTemplate) error
Hosts generates a function that modifies the IPAddresses and DNSNames values of a certificate. Takes a comma separated string of hostnames and IP addresses (e.g. "127.0.0.1,smallstep.com,blog.smallstep.com"). Returns a function that will modify, in-place, a CertTemplate.
func Issuer ¶
func Issuer(pn PkixName) func(*CertTemplate) error
Issuer generates a function that modifies the Issuer value of a CertTemplate. Takes an argument that will be used to populate the Issuer pkix.Name. Returns a function that will modify, in-place, a CertTemplate.
func LoadCSRFromBytes ¶
func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)
LoadCSRFromBytes loads a CSR given the ASN.1 DER format.
func Locality ¶
Locality generates a function that modifies the Locality value of a certificate name struct. Takes a comma separated string of localities (e.g. "ecuador,italy,brazil"). Returns a function that will modify, in-place, a PkixName.
func MergeASN1DN ¶
MergeASN1DN fills empty fields of a pkix.Name with default ASN1DN settings. A field that is already set (non-empty) is left untouched; an empty field is overwritten with the default value. TODO: test
func NotBeforeAfter ¶
NotBeforeAfter generates a function that modifies the NotBefore and NotAfter values of a certificate. Takes a pair of arguments used to compute the window of time during which the certificate should be valid. Returns a function that will modify, in-place, a CertTemplate.
func Organization ¶
Organization generates a function that modifies the Organization value of a certificate name struct. Takes a comma separated string of organizations (e.g. "ecuador,italy,brazil"). Returns a function that will modify, in-place, a PkixName.
func ReadCertPool ¶
ReadCertPool loads a certificate pool from disk.
func SerialNumber ¶
func SerialNumber(sn *string) func(*CertTemplate) error
SerialNumber generates a function that modifies the SerialNumber value of a CertTemplate. Takes an argument that will be used to set the SerialNumber. Returns a function that will modify, in-place, a CertTemplate.
func Subject ¶
func Subject(pn PkixName) func(*CertTemplate) error
Subject generates a function that modifies the Subject value of a CertTemplate. Takes an argument that will be used to populate the Subject pkix.Name. Returns a function that will modify, in-place, a CertTemplate.
func WriteCertificate ¶
WriteCertificate encodes an x509 Certificate to a file on disk in PEM format.
Types ¶
type ASN1DN ¶
// ASN1DN contains the ASN.1 DN attributes used in the Subject and Issuer
// blocks of an x509 Certificate. Each field carries a `step` struct tag with
// the attribute's key (presumably the name used when decoding step
// configuration — confirm against the decoder that reads these tags).
type ASN1DN struct {
	Country            string `step:"country"`
	Organization       string `step:"organization"`
	OrganizationalUnit string `step:"organizationalUnit"`
	Locality           string `step:"locality"`
	Province           string `step:"province"`
	StreetAddress      string `step:"streetAddress"`
	CommonName         string `step:"commonName"`
}
ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.
type CertTemplate ¶
type CertTemplate x509.Certificate
CertTemplate allows us to add our own methods to x509.Certificate
func FromCSR ¶
func FromCSR(csr *x509.CertificateRequest, options ...func(*CertTemplate) error) (*CertTemplate, error)
FromCSR generates a CertTemplate from a x509 certificate signing request.
func FromCert ¶
func FromCert(cert *x509.Certificate, issuer pkix.Name) (*CertTemplate, error)
FromCert generates a CertTemplate from a x509 certificate.
func NewCertTemplate ¶
func NewCertTemplate(options ...func(*CertTemplate) error) (*CertTemplate, error)
NewCertTemplate generates and returns a new CertTemplate struct. Takes an arbitrary number of augmenting functions each of which modifies a CertTemplate. A default CertTemplate is created and then the optional augmenter functions are applied one after another in the order in which they were submitted. Returns the address of a new CertTemplate and an error object which will be nil on success and otherwise contain the reason and location of the failure.
func (CertTemplate) Compare ¶
func (ct CertTemplate) Compare(other CertTemplate) error
Compare compares the calling CertTemplate to the one provided as an argument. Returns nil if the two are equal, otherwise returns an error describing the diff. NOTE: this method avoids comparing a number of fields that are inconvenient or difficult to compare for equality. Check the `IgnoreFields` call below to check if the field you would like to check is being ignored.
type CipherSuites ¶
type CipherSuites []string
CipherSuites represents an array of string codes representing the cipher suites.
func (CipherSuites) Validate ¶
func (c CipherSuites) Validate() error
Validate implements models.Validator and checks that the cipher suites are valid.
func (CipherSuites) Value ¶
func (c CipherSuites) Value() []uint16
Value returns an []uint16 for the cipher suites.
type Identity ¶
// Identity contains a public/private x509 certificate/key pair.
type Identity struct {
	Crt    *x509.Certificate // the parsed certificate
	CrtPem *pem.Block        // PEM block for the certificate (presumably the same certificate as Crt — confirm in LoadIdentityFromDisk)
	Key    interface{}       // the private key; the concrete type depends on the key algorithm
}
Identity contains a public/private x509 certificate/key pair.
func LoadIdentityFromDisk ¶
LoadIdentityFromDisk loads a public certificate and private key (both in PEM format) from disk.
func NewIdentity ¶
func NewIdentity(c *x509.Certificate, b *pem.Block, k interface{}) *Identity
NewIdentity returns a new Identity.
type Intermediate ¶
type Intermediate struct {
// contains filtered or unexported fields
}
Intermediate implements the Profile for an intermediate certificate.
func NewIntermediateProfile ¶
func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Intermediate, error)
NewIntermediateProfile returns a new intermediate x509 Certificate profile.
func (*Intermediate) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Intermediate) CreateWriteCertificate ¶
CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.
func (*Intermediate) GenerateDefaultKeyPair ¶
func (b *Intermediate) GenerateDefaultKeyPair() error
func (*Intermediate) GenerateKeyPair ¶
func (*Intermediate) Issuer ¶
func (b *Intermediate) Issuer() *x509.Certificate
func (*Intermediate) SetIssuer ¶
func (b *Intermediate) SetIssuer(iss *x509.Certificate)
func (*Intermediate) SetIssuerPrivateKey ¶
func (b *Intermediate) SetIssuerPrivateKey(priv interface{})
func (*Intermediate) SetSubject ¶
func (b *Intermediate) SetSubject(sub *x509.Certificate)
func (*Intermediate) SetSubjectPrivateKey ¶
func (b *Intermediate) SetSubjectPrivateKey(priv interface{})
func (*Intermediate) SetSubjectPublicKey ¶
func (b *Intermediate) SetSubjectPublicKey(pub interface{})
func (*Intermediate) Subject ¶
func (b *Intermediate) Subject() *x509.Certificate
func (*Intermediate) SubjectPrivateKey ¶
func (b *Intermediate) SubjectPrivateKey() interface{}
func (*Intermediate) SubjectPublicKey ¶
func (b *Intermediate) SubjectPublicKey() interface{}
type Leaf ¶
type Leaf struct {
// contains filtered or unexported fields
}
Leaf implements the Profile for a leaf certificate.
func NewLeafProfile ¶
func NewLeafProfile(cn string, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Leaf, error)
NewLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.
func NewLeafProfileWithCSR ¶
func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Leaf, error)
NewLeafProfileWithCSR returns a new leaf x509 Certificate Profile with Subject Certificate fields populated directly from the CSR. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the CSR. Because the populated fields are supplied by the requester, callers are responsible for validating them against policy before the certificate is signed.
func NewLeafProfileWithTemplate ¶
func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Leaf, error)
NewLeafProfileWithTemplate returns a new leaf x509 Certificate Profile with Subject Certificate set to the value of the template argument. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the Subject Certificate parameter.
func (*Leaf) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Leaf) CreateWriteCertificate ¶
CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.
func (*Leaf) GenerateDefaultKeyPair ¶
func (b *Leaf) GenerateDefaultKeyPair() error
func (*Leaf) GenerateKeyPair ¶
func (*Leaf) Issuer ¶
func (b *Leaf) Issuer() *x509.Certificate
func (*Leaf) SetIssuer ¶
func (b *Leaf) SetIssuer(iss *x509.Certificate)
func (*Leaf) SetIssuerPrivateKey ¶
func (b *Leaf) SetIssuerPrivateKey(priv interface{})
func (*Leaf) SetSubject ¶
func (b *Leaf) SetSubject(sub *x509.Certificate)
func (*Leaf) SetSubjectPrivateKey ¶
func (b *Leaf) SetSubjectPrivateKey(priv interface{})
func (*Leaf) SetSubjectPublicKey ¶
func (b *Leaf) SetSubjectPublicKey(pub interface{})
func (*Leaf) Subject ¶
func (b *Leaf) Subject() *x509.Certificate
func (*Leaf) SubjectPrivateKey ¶
func (b *Leaf) SubjectPrivateKey() interface{}
func (*Leaf) SubjectPublicKey ¶
func (b *Leaf) SubjectPublicKey() interface{}
type PkixName ¶
PkixName allows us to add our own methods to pkix.Name
func NewPkixName ¶
NewPkixName generates a new PkixName struct. Takes an arbitrary number of augmenting functions each of which modifies a PkixName. A default PkixName is created and then the optional augmenter functions are applied one after another in the order in which they appear as parameters. Returns the address of a new PkixName and an error object that will be nil on success or contain error data on failure.
type PkixNameBuilder ¶
// PkixNameBuilder collects pkix.Name fields as optional values for building a
// name (presumably a nil pointer means the field is not set — confirm against
// the code that consumes it).
type PkixNameBuilder struct {
	Country, Organization, OrganizationalUnit *string
	Locality, Province, StreetAddress, PostalCode *string
	SerialNumber, CommonName *string
}
PkixNameBuilder for organizing pkix fields.
type Profile ¶
// Profile is the interface that certificate profiles (e.g. leaf, intermediate,
// root) must implement.
type Profile interface {
	// Issuer returns the issuing certificate.
	Issuer() *x509.Certificate
	// Subject returns the subject certificate.
	Subject() *x509.Certificate
	// SubjectPrivateKey returns the subject's private key; the concrete type
	// depends on the key algorithm.
	SubjectPrivateKey() interface{}
	// SubjectPublicKey returns the subject's public key.
	SubjectPublicKey() interface{}
	SetIssuer(*x509.Certificate)
	SetSubject(*x509.Certificate)
	SetSubjectPrivateKey(interface{})
	SetSubjectPublicKey(interface{})
	// SetIssuerPrivateKey sets the key used to sign the certificate.
	SetIssuerPrivateKey(interface{})
	// CreateCertificate creates an x509 Certificate using the configuration
	// stored in the profile and returns its encoded bytes (presumably DER —
	// confirm; WriteCertificate is what produces PEM).
	CreateCertificate() ([]byte, error)
	// GenerateKeyPair generates the subject key pair; the arguments are the
	// key type, curve and size (kty, crv, size in the concrete implementations).
	GenerateKeyPair(string, string, int) error
}
Profile is an interface that certificate profiles (e.g. leaf, intermediate, root) must implement.
type Root ¶
type Root struct {
// contains filtered or unexported fields
}
Root implements the Profile for a root certificate.
func NewRootProfile ¶
func NewRootProfile(name string, withOps ...WithOption) (*Root, error)
NewRootProfile returns a new root x509 Certificate profile.
func NewRootProfileWithTemplate ¶
func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (*Root, error)
NewRootProfileWithTemplate returns a new root x509 Certificate profile.
func (*Root) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Root) CreateWriteCertificate ¶
CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.
func (*Root) GenerateDefaultKeyPair ¶
func (b *Root) GenerateDefaultKeyPair() error
func (*Root) GenerateKeyPair ¶
func (*Root) Issuer ¶
func (b *Root) Issuer() *x509.Certificate
func (*Root) SetIssuer ¶
func (b *Root) SetIssuer(iss *x509.Certificate)
func (*Root) SetIssuerPrivateKey ¶
func (b *Root) SetIssuerPrivateKey(priv interface{})
func (*Root) SetSubject ¶
func (b *Root) SetSubject(sub *x509.Certificate)
func (*Root) SetSubjectPrivateKey ¶
func (b *Root) SetSubjectPrivateKey(priv interface{})
func (*Root) SetSubjectPublicKey ¶
func (b *Root) SetSubjectPublicKey(pub interface{})
func (*Root) Subject ¶
func (b *Root) Subject() *x509.Certificate
func (*Root) SubjectPrivateKey ¶
func (b *Root) SubjectPrivateKey() interface{}
func (*Root) SubjectPublicKey ¶
func (b *Root) SubjectPublicKey() interface{}
type TLSVersion ¶
type TLSVersion float64
TLSVersion represents a TLS version number.
func (TLSVersion) String ¶
func (v TLSVersion) String() string
String returns the Go constant for the TLSVersion.
func (TLSVersion) Validate ¶
func (v TLSVersion) Validate() error
Validate implements models.Validator and checks that the TLS version is valid.
func (TLSVersion) Value ¶
func (v TLSVersion) Value() uint16
Value returns the Go constant for the TLSVersion.
type WithOption ¶
WithOption is a modifier function on base.
func GenerateKeyPair ¶
func GenerateKeyPair(kty, crv string, size int) WithOption
GenerateKeyPair returns a Profile modifier that generates a public/private key pair for a profile.
func WithHosts ¶
func WithHosts(hosts string) WithOption
WithHosts returns a Profile modifier which sets the DNS Names and IP Addresses that will be bound to the subject Certificate.
`hosts` should be a comma separated string of DNS Names and IP Addresses. e.g. `127.0.0.1,internal.smallstep.com,blog.smallstep.com,1.1.1.1`.
func WithIssuer ¶
func WithIssuer(iss pkix.Name) WithOption
WithIssuer returns a Profile modifier that sets the Issuer for an x509 Certificate.
func WithNotBeforeAfter ¶
func WithNotBeforeAfter(nb, na time.Time) WithOption
WithNotBeforeAfter returns a Profile modifier that sets the `NotBefore` and `NotAfter` attributes of the subject x509 Certificate.
func WithPublicKey ¶
func WithPublicKey(pub interface{}) WithOption
WithPublicKey returns a Profile modifier that sets the public key for a profile.
func WithSubject ¶
func WithSubject(sub pkix.Name) WithOption
WithSubject returns a Profile modifier that sets the Subject for an x509 Certificate.