Documentation ¶
Index ¶
- Variables
- func GenerateED25519Key(privateKeyPath string, verbose, encrypt bool, name string) (ed25519.PrivateKey, error)
- func ListAgentKeys(a agent.Agent) error
- func LoadEd25519PrivateKey(keyPath string) (edKey ed25519.PrivateKey, keyPEM []byte, err error)
- func LoadEncryptedEd25519PrivateKey(path string) (decryptedPrivateKey []byte, keyPEM []byte, err error)
- func LoadPrivateKey(path string) (ed25519.PrivateKey, error)
- func RetrieveCAKeysFromAgent(a agent.Agent) ([]ssh.PublicKey, error)
- func RetrieveKeyByComment(a agent.Agent, comment string) (*agent.Key, error)
- func SavePrivateKeyToPathUnderPassphrase(privateKey []byte, path string) error
- func Step1_MakeCertificateAuthority(pathCA string, verbose bool, encrypt bool, validFor time.Duration) (ed25519.PrivateKey, error)
- func Step2_MakeEd25519PrivateKey(name string, odirCert string, verbose, encrypt bool) (privKey ed25519.PrivateKey, err error)
- func Step3_MakeCertSigningRequest(privKey ed25519.PrivateKey, name string, email string, odirCert string)
- func Step4_MakeCertificate(caPrivKey ed25519.PrivateKey, odirCA string, name string, odirCerts string, ...)
- func Step5_ViewCertificate(path string) (cert *x509.Certificate, err error, wasPrivKey bool)
- func Step6_LoadKeyPair(privateKeyPath, certPath string)
- func Step7_VerifyCertIsSignedByCertificateAuthority(verifyMeCertPath, caCertPath string, verbose bool) error
- func StoreEd25519PrivateKey(a agent.Agent, privateKey ed25519.PrivateKey, comment string) error
- func VerifyClientCertificate(caKeys []ssh.PublicKey) func([][]byte, [][]*x509.Certificate) error
- type Creds
- type EncryptionParameters
- type SSHAgentSigner
Constants ¶
This section is empty.
Variables ¶
// DefaultEncryptionParameters provides default settings for Argon2id and
// AES-GCM. Salt and Nonce are deliberately left nil in this value: they must be
// generated fresh for every encryption, never copied from these defaults.
var DefaultEncryptionParameters = EncryptionParameters{
	Iterations:  12,         // Argon2id time cost (number of passes)
	Memory:      256 * 1024, // Argon2id memory cost in KiB, i.e. 256 MiB
	Threads:     1,          // Argon2id degree of parallelism
	KeyLength:   32,         // 32-byte derived key; with AES-GCM this selects AES-256
	CipherSuite: "AES-GCM",
}
DefaultEncryptionParameters provides default settings for Argon2id and encryption.
Functions ¶
func GenerateED25519Key ¶
func GenerateED25519Key(privateKeyPath string, verbose, encrypt bool, name string) (ed25519.PrivateKey, error)
GenerateED25519Key generates an ED25519 key pair and saves the private key to a specified file.
func ListAgentKeys ¶ added in v1.0.56
ListAgentKeys lists all the keys stored in the SSH agent
func LoadEd25519PrivateKey ¶ added in v1.0.128
func LoadEd25519PrivateKey(keyPath string) (edKey ed25519.PrivateKey, keyPEM []byte, err error)
LoadEd25519PrivateKey loads and parses the PEM-encoded Ed25519 private key at keyPath, returning both the parsed key and the raw PEM bytes.
func LoadEncryptedEd25519PrivateKey ¶ added in v1.0.37
func LoadEncryptedEd25519PrivateKey(path string) (decryptedPrivateKey []byte, keyPEM []byte, err error)
LoadEncryptedEd25519PrivateKey prompts for the password and returns the decrypted private key bytes together with the PEM bytes read from path.
func LoadPrivateKey ¶ added in v1.0.56
func LoadPrivateKey(path string) (ed25519.PrivateKey, error)
LoadPrivateKey reads the Ed25519 private key at path. It is also exported for use outside this package.
func RetrieveCAKeysFromAgent ¶ added in v1.0.56
RetrieveCAKeysFromAgent retrieves all keys from the ssh-agent that can be used as Certificate Authorities (CAs)
func RetrieveKeyByComment ¶ added in v1.0.56
RetrieveKeyByComment retrieves a key based on its comment from the SSH agent
func SavePrivateKeyToPathUnderPassphrase ¶ added in v1.0.37
SavePrivateKeyToPathUnderPassphrase writes privateKey to path encrypted under a passphrase. privateKey should be the PKCS#8 DER output of x509.MarshalPKCS8PrivateKey(priv).
func Step1_MakeCertificateAuthority ¶ added in v1.0.125
func Step1_MakeCertificateAuthority(pathCA string, verbose bool, encrypt bool, validFor time.Duration) (ed25519.PrivateKey, error)
pathCA defaults to "my-keep-private-dir". Step1_MakeCertificateAuthority returns the unencrypted key so that subsequent signing steps can use it without requesting the passphrase again.
func Step2_MakeEd25519PrivateKey ¶ added in v1.0.37
func Step2_MakeEd25519PrivateKey(name string, odirCert string, verbose, encrypt bool) (privKey ed25519.PrivateKey, err error)
name might be "client" or "node"; odirCert default might be "static/certs/client".
func Step3_MakeCertSigningRequest ¶ added in v1.0.37
func Step3_MakeCertSigningRequest(privKey ed25519.PrivateKey, name string, email string, odirCert string)
func Step4_MakeCertificate ¶ added in v1.0.37
func Step4_MakeCertificate(caPrivKey ed25519.PrivateKey, odirCA string, name string, odirCerts string, goodForDur time.Duration, verbose bool)
If caPrivKey is provided (to avoid asking for the password), then odirCA/ca.key is assumed to be encrypted and caPrivKey is used instead.
func Step5_ViewCertificate ¶
func Step5_ViewCertificate(path string) (cert *x509.Certificate, err error, wasPrivKey bool)
Step5_ViewCertificate is optional. Note the result order (cert, err, wasPrivKey): err is not in the conventional last position, so check it before using cert.
func Step6_LoadKeyPair ¶
func Step6_LoadKeyPair(privateKeyPath, certPath string)
Typically:
privateKeyPath = "static/certs/server/node.key" and certPath = "static/certs/server/node.crt".
func Step7_VerifyCertIsSignedByCertificateAuthority ¶ added in v1.0.125
func StoreEd25519PrivateKey ¶ added in v1.0.56
StoreEd25519PrivateKey stores the private key in the SSH agent
func VerifyClientCertificate ¶ added in v1.0.56
VerifyClientCertificate returns a callback (shaped like tls.Config.VerifyPeerCertificate) that uses the supplied CA keys from the ssh-agent to verify incoming QUIC client certificates.
Types ¶
type Creds ¶ added in v1.1.3
// Creds bundles the certificate and key material for one endpoint: the paths
// the material lives at and the parsed objects derived from them.
type Creds struct {
	IsServer bool // presumably selects server-side vs client-side use of these credentials — confirm against callers

	// Locations of the PEM material (by field name; loading behaviour is defined elsewhere).
	CaCertPath         string
	NodeCertPath       string
	NodePrivateKeyPath string

	// Parsed material.
	NodePrivateKey ed25519.PrivateKey
	NodeCert       *x509.Certificate
	CACert         *x509.Certificate
	CACertPool     *x509.CertPool // verification pool; presumably populated from CACert — confirm
}
type EncryptionParameters ¶ added in v1.0.37
// EncryptionParameters holds the Argon2id parameters used for key derivation
// together with the AES-GCM nonce and the name of the cipher suite in use.
type EncryptionParameters struct {
	Iterations  uint32 // Number of iterations (Argon2id time cost)
	Memory      uint32 // Memory usage in KiB (Argon2id memory cost)
	Threads     uint8  // Degree of parallelism
	KeyLength   uint32 // Length of the derived key in bytes
	Salt        []byte // Random salt for the KDF; generate a fresh one for every encryption
	Nonce       []byte // Nonce used in AES-GCM; must never repeat under the same derived key
	CipherSuite string // Cipher suite used (e.g., AES-GCM)
}
EncryptionParameters holds the Argon2id parameters used for key derivation.
type SSHAgentSigner ¶ added in v1.0.56
// SSHAgentSigner implements crypto.Signer: its Public and Sign methods
// delegate to an ssh-agent rather than operating on key bytes in-process.
type SSHAgentSigner struct {
	// contains filtered or unexported fields
}
SSHAgentSigner represents a signer that uses the ssh-agent for signing operations
func NewSSHAgentSigner ¶ added in v1.0.56
func NewSSHAgentSigner(a agent.Agent, key ssh.PublicKey) *SSHAgentSigner
NewSSHAgentSigner initializes a new SSHAgentSigner
func (*SSHAgentSigner) Public ¶ added in v1.0.56
func (s *SSHAgentSigner) Public() crypto.PublicKey
Public returns the public key of the signer
func (*SSHAgentSigner) Sign ¶ added in v1.0.56
func (s *SSHAgentSigner) Sign(rand io.Reader, data []byte, opts crypto.SignerOpts) (signature []byte, err error)
Sign signs the given data using the private key stored in the ssh-agent