selfcert

package
v1.4.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 5, 2025 License: BSD-3-Clause Imports: 36 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var DefaultEncryptionParameters = EncryptionParameters{
	Iterations:  12,
	Memory:      256 * 1024,
	Threads:     1,
	KeyLength:   32,
	CipherSuite: "AES-GCM",
}

DefaultEncryptionParameters provides default settings for Argon2id and encryption.

Functions

func GenerateED25519Key

func GenerateED25519Key(privateKeyPath string, verbose, encrypt bool, name string) (ed25519.PrivateKey, error)

GenerateED25519Key generates an ED25519 key pair and saves the private key to a specified file.

func ListAgentKeys added in v1.0.56

func ListAgentKeys(a agent.Agent) error

ListAgentKeys lists all the keys stored in the SSH agent

func LoadEd25519PrivateKey added in v1.0.128

func LoadEd25519PrivateKey(keyPath string) (edKey ed25519.PrivateKey, keyPEM []byte, err error)

Load and parse the PEM-encoded Ed25519 private key

func LoadEncryptedEd25519PrivateKey added in v1.0.37

func LoadEncryptedEd25519PrivateKey(path string) (decryptedPrivateKey []byte, keyPEM []byte, err error)

asks for password

func LoadPrivateKey added in v1.0.56

func LoadPrivateKey(path string) (ed25519.PrivateKey, error)

also exported

func RetrieveKeyByComment added in v1.0.56

func RetrieveKeyByComment(a agent.Agent, comment string) (*agent.Key, error)

RetrieveKeyByComment retrieves a key based on its comment from the SSH agent

func SavePrivateKeyToPathUnderPassphrase added in v1.0.37

func SavePrivateKeyToPathUnderPassphrase(privateKey []byte, path string) error

privateKey should be the output of x509.MarshalPKCS8PrivateKey(priv)

func Step1_MakeCertificateAuthority added in v1.0.125

func Step1_MakeCertificateAuthority(pathCA string, verbose bool, encrypt bool, validFor time.Duration) (ed25519.PrivateKey, error)

pathCA "my-keep-private-dir" is the default. return the un-encrypted key to be used in subsequent signing steps without having to request the passphrase again.

func Step2_MakeEd25519PrivateKey added in v1.0.37

func Step2_MakeEd25519PrivateKey(name string, odirCert string, verbose, encrypt bool) (privKey ed25519.PrivateKey, err error)

name might be "client" or "node"; odirCert default might be "static/certs/client".

func Step3_MakeCertSigningRequest added in v1.0.37

func Step3_MakeCertSigningRequest(privKey ed25519.PrivateKey, name string, email string, odirCert string)

func Step4_MakeCertificate added in v1.0.37

func Step4_MakeCertificate(caPrivKey ed25519.PrivateKey, odirCA string,
	name string, odirCerts string, goodForDur time.Duration, verbose bool)

if caPrivKey is provided (to avoid asking for pw), then odirCA/ca.key is assummed to be encrypted and we will use caPrivKey instead.

func Step5_ViewCertificate

func Step5_ViewCertificate(path string) (cert *x509.Certificate, err error, wasPrivKey bool)

optional

func Step6_LoadKeyPair

func Step6_LoadKeyPair(privateKeyPath, certPath string)

typcially:

privateKeyPath = "static/certs/server/node.key"
certKeyPath = "static/certs/server/node.crt"

func Step7_VerifyCertIsSignedByCertificateAuthority added in v1.0.125

func Step7_VerifyCertIsSignedByCertificateAuthority(verifyMeCertPath, caCertPath string, verbose bool) error

func StoreEd25519PrivateKey added in v1.0.56

func StoreEd25519PrivateKey(a agent.Agent, privateKey ed25519.PrivateKey, comment string) error

StoreEd25519PrivateKey stores the private key in the SSH agent

Types

type Creds added in v1.1.3

type Creds struct {
	IsServer   bool
	CaCertPath string

	NodeCertPath       string
	NodePrivateKeyPath string

	NodePrivateKey ed25519.PrivateKey
	NodeCert       *x509.Certificate

	CACert     *x509.Certificate
	CACertPool *x509.CertPool
}

func LoadNodeTLSConfigProtected added in v1.0.128

func LoadNodeTLSConfigProtected(isServer bool, caCertPath, clientCertPath, privateKeyPath string) (*tls.Config, *Creds, error)

LoadNodeTLSConfigProtected will prompt for the pass-phrase if the key is protected.

type EncryptionParameters added in v1.0.37

type EncryptionParameters struct {
	Iterations  uint32 // Number of iterations
	Memory      uint32 // Memory usage in KB
	Threads     uint8  // Degree of parallelism
	KeyLength   uint32 // Length of the derived key in bytes
	Salt        []byte // Random salt
	Nonce       []byte // Nonce used in AES-GCM
	CipherSuite string // Cipher suite used (e.g., AES-GCM)
}

EncryptionParameters holds the Argon2id parameters used for key derivation.

type SSHAgentSigner added in v1.0.56

type SSHAgentSigner struct {
	// contains filtered or unexported fields
}

SSHAgentSigner represents a signer that uses the ssh-agent for signing operations

func NewSSHAgentSigner added in v1.0.56

func NewSSHAgentSigner(a agent.Agent, key ssh.PublicKey) *SSHAgentSigner

NewSSHAgentSigner initializes a new SSHAgentSigner

func (*SSHAgentSigner) Public added in v1.0.56

func (s *SSHAgentSigner) Public() crypto.PublicKey

Public returns the public key of the signer

func (*SSHAgentSigner) Sign added in v1.0.56

func (s *SSHAgentSigner) Sign(rand io.Reader, data []byte, opts crypto.SignerOpts) (signature []byte, err error)

Sign signs the given data using the private key stored in the ssh-agent

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL