Documentation ¶
Index ¶
- Constants
- Variables
- func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm
- func Parse(csrBytes []byte) (*x509.Certificate, error)
- func ParsePEM(csrPEM []byte) (*x509.Certificate, error)
- func PopulateName(s *X509Subject, req pkix.Name) pkix.Name
- func SetSAN(template *x509.Certificate, SAN []string)
- func SigAlgo(algo string, size int) x509.SignatureAlgorithm
- type AllowedFields
- type BasicConstraints
- type CertificatePolicy
- type CertificatePolicyQualifier
- type CertificateRequest
- type Duration
- type KeyPurpose
- type KeyRequest
- type OID
- type Provider
- func (c *Provider) CreateRequestAndExportKey(req *CertificateRequest) (csrPEM, key []byte, keyID string, pub crypto.PublicKey, err error)
- func (c *Provider) GenerateKeyAndRequest(req *CertificateRequest) (csrPEM []byte, priv crypto.PrivateKey, keyID string, err error)
- func (c *Provider) NewKeyRequest(label, algo string, keySize int, purpose KeyPurpose) KeyRequest
- func (c *Provider) NewSigningCertificateRequest(keyLabel, algo string, keySize int, CN string, names []X509Name, san []string) *CertificateRequest
- type SignRequest
- type Signer
- type X509Extension
- type X509Name
- type X509Subject
Constants ¶
const (
	// CurveP256 specifies curve P-256 for ECDSA
	CurveP256 = 256
	// CurveP384 specifies curve P-384 for ECDSA
	CurveP384 = 384
	// CurveP521 specifies curve P-521 for ECDSA
	CurveP521 = 521
)
const (
	// UserNoticeQualifierType defines id-qt-unotice
	UserNoticeQualifierType = "id-qt-unotice"
	// CpsQualifierType defines id-qt-cps
	CpsQualifierType = "id-qt-cps"
	// OneYear duration
	OneYear = Duration(8760 * time.Hour)
)
Variables ¶
var BasicConstraintsOID = asn1.ObjectIdentifier{2, 5, 29, 19}
BasicConstraintsOID is the OID of the basicConstraints extension (2.5.29.19).
var ExtKeyUsage = map[string]x509.ExtKeyUsage{
	"any":              x509.ExtKeyUsageAny,
	"server auth":      x509.ExtKeyUsageServerAuth,
	"client auth":      x509.ExtKeyUsageClientAuth,
	"code signing":     x509.ExtKeyUsageCodeSigning,
	"email protection": x509.ExtKeyUsageEmailProtection,
	"s/mime":           x509.ExtKeyUsageEmailProtection,
	"ipsec end system": x509.ExtKeyUsageIPSECEndSystem,
	"ipsec tunnel":     x509.ExtKeyUsageIPSECTunnel,
	"ipsec user":       x509.ExtKeyUsageIPSECUser,
	"timestamping":     x509.ExtKeyUsageTimeStamping,
	"ocsp signing":     x509.ExtKeyUsageOCSPSigning,
	"microsoft sgc":    x509.ExtKeyUsageMicrosoftServerGatedCrypto,
	"netscape sgc":     x509.ExtKeyUsageNetscapeServerGatedCrypto,
}
ExtKeyUsage contains a mapping of string names to extended key usages.
var KeyUsage = map[string]x509.KeyUsage{
	"signing":            x509.KeyUsageDigitalSignature,
	"digital signature":  x509.KeyUsageDigitalSignature,
	"content commitment": x509.KeyUsageContentCommitment,
	"key encipherment":   x509.KeyUsageKeyEncipherment,
	"key agreement":      x509.KeyUsageKeyAgreement,
	"data encipherment":  x509.KeyUsageDataEncipherment,
	"cert sign":          x509.KeyUsageCertSign,
	"crl sign":           x509.KeyUsageCRLSign,
	"encipher only":      x509.KeyUsageEncipherOnly,
	"decipher only":      x509.KeyUsageDecipherOnly,
}
KeyUsage contains a mapping of string names to key usages.
Functions ¶
func DefaultSigAlgo ¶
func DefaultSigAlgo(priv crypto.Signer) x509.SignatureAlgorithm
DefaultSigAlgo returns an appropriate X.509 signature algorithm given the CA's private key.
func Parse ¶
func Parse(csrBytes []byte) (*x509.Certificate, error)
Parse takes an incoming DER-encoded certificate request (csrBytes) and builds a certificate template from it.
func ParsePEM ¶
func ParsePEM(csrPEM []byte) (*x509.Certificate, error)
ParsePEM takes an incoming PEM-encoded certificate request (csrPEM), decodes it, and builds a certificate template from it.
func PopulateName ¶
func PopulateName(s *X509Subject, req pkix.Name) pkix.Name
PopulateName has functionality similar to X509Subject.Name, except that it fills any field of the resulting pkix.Name from req when the subject's corresponding field is empty.
func SetSAN ¶
func SetSAN(template *x509.Certificate, SAN []string)
SetSAN fills template's IPAddresses, EmailAddresses, and DNSNames with the content of SAN, if SAN is not nil.
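The following is an added example, not code from this package, showing what Parse, ParsePEM and SetSAN have to do to turn an untrusted CSR into a certificate template: decode the PEM block, parse the PKCS#10 structure, verify the request's self-signature (proof of possession; x509.ParseCertificateRequest alone does not check it), copy only subject, public key and SANs, and classify caller-supplied SAN strings into IP, e-mail and DNS names. The function names parseCSRPEM, parseCSR, setSAN and makeTestCSR and the subject/SAN values are placeholders chosen for the example; the test CSR is constructed in code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
	"net/mail"
	"strings"
)

// parseCSRPEM decodes a PEM-encoded PKCS#10 request and builds a certificate
// template from it (hypothetical stand-in for ParsePEM).
func parseCSRPEM(csrPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("csr: input is not a PEM CERTIFICATE REQUEST")
	}
	return parseCSR(block.Bytes)
}

// parseCSR is the DER variant (stand-in for Parse). Only subject, public key
// and subjectAltName entries reach the template; every other CSR extension is
// ignored, so the signing profile, not the requester, decides key usage,
// basic constraints and validity.
func parseCSR(der []byte) (*x509.Certificate, error) {
	req, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("csr: parse: %w", err)
	}
	// ParseCertificateRequest does not verify the self-signature. Without this
	// check a requester could obtain a certificate for a key it does not hold.
	if err := req.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr: proof of possession failed: %w", err)
	}
	return &x509.Certificate{
		Subject:            req.Subject,
		PublicKey:          req.PublicKey,
		PublicKeyAlgorithm: req.PublicKeyAlgorithm,
		DNSNames:           req.DNSNames,
		IPAddresses:        req.IPAddresses,
		EmailAddresses:     req.EmailAddresses,
		URIs:               req.URIs,
	}, nil
}

// setSAN replaces the template's IP, e-mail and DNS names with the entries in
// san (stand-in for SetSAN). A nil san is a no-op, so the CSR's names survive.
func setSAN(template *x509.Certificate, san []string) {
	if san == nil {
		return
	}
	template.IPAddresses, template.EmailAddresses, template.DNSNames = nil, nil, nil
	for _, s := range san {
		s = strings.TrimSpace(s)
		if s == "" {
			continue
		}
		if ip := net.ParseIP(s); ip != nil {
			template.IPAddresses = append(template.IPAddresses, ip)
		} else if _, err := mail.ParseAddress(s); err == nil {
			template.EmailAddresses = append(template.EmailAddresses, s)
		} else {
			template.DNSNames = append(template.DNSNames, s)
		}
	}
}

// makeTestCSR builds a constructed P-256 request for the example; the names
// are placeholders, not identifiers from the package.
func makeTestCSR() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "svc.example.internal", Organization: []string{"Example Org"}},
		DNSNames: []string{"svc.example.internal"},
	}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	csrPEM, _ := makeTestCSR()
	tpl, err := parseCSRPEM(csrPEM)
	if err != nil {
		panic(err)
	}
	setSAN(tpl, []string{"10.0.0.5", "ops@example.com", "api.example.internal"})
	fmt.Println(tpl.Subject.CommonName, tpl.DNSNames, tpl.IPAddresses, tpl.EmailAddresses)
}
```

The signature check is the part most often forgotten: a CSR is just a signed public key, and without CheckSignature anyone who can obtain a target's public key could request a certificate naming it. The classification in setSAN mirrors the description above (IP first, then e-mail, then DNS), so a string like "10.0.0.5" never ends up as a DNS name.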
Types ¶
type AllowedFields ¶
type AllowedFields struct {
	Subject        bool `json:"subject" yaml:"subject"`
	DNSNames       bool `json:"dns" yaml:"dns"`
	IPAddresses    bool `json:"ip" yaml:"ip"`
	EmailAddresses bool `json:"email" yaml:"email"`
	URIs           bool `json:"uri" yaml:"uri"`
}
AllowedFields provides booleans for fields in the CSR. If an AllowedFields is not present in a CertProfile, all of these fields may be copied from the CSR into the signed certificate. If an AllowedFields *is* present in a CertProfile, only those fields with a `true` value in the AllowedFields may be copied from the CSR to the signed certificate. Note that some of these fields, like Subject, can be provided or partially provided through the API. Since API clients are expected to be trusted, but CSRs are not, fields provided through the API are not subject to validation through this mechanism.
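As an added example (not the package's own code) of the policy described above: a profile's AllowedFields decides which CSR-derived fields survive into the template, a missing AllowedFields block copies everything, and a subject supplied through the trusted API is overlaid afterwards without going through the filter. The function names copyFromCSR and applyAPISubject, the sample template and its names are placeholders constructed for the example; the returned list of dropped fields is there so the issuer can log what the requester asked for and did not get.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"net"
	"net/url"
)

// AllowedFields mirrors the documented struct.
type AllowedFields struct {
	Subject        bool `json:"subject" yaml:"subject"`
	DNSNames       bool `json:"dns" yaml:"dns"`
	IPAddresses    bool `json:"ip" yaml:"ip"`
	EmailAddresses bool `json:"email" yaml:"email"`
	URIs           bool `json:"uri" yaml:"uri"`
}

// copyFromCSR returns a fresh template holding the CSR's public key plus only
// the CSR fields the profile allows. A nil allowed means the profile has no
// AllowedFields block, so everything is copied. The second result names the
// fields that were present in the CSR but dropped, for the audit log.
func copyFromCSR(fromCSR *x509.Certificate, allowed *AllowedFields) (*x509.Certificate, []string) {
	if allowed == nil {
		allowed = &AllowedFields{Subject: true, DNSNames: true, IPAddresses: true, EmailAddresses: true, URIs: true}
	}
	out := &x509.Certificate{
		PublicKey:          fromCSR.PublicKey,
		PublicKeyAlgorithm: fromCSR.PublicKeyAlgorithm,
	}
	var dropped []string
	if allowed.Subject {
		out.Subject = fromCSR.Subject
	} else if fromCSR.Subject.String() != "" {
		dropped = append(dropped, "subject")
	}
	if allowed.DNSNames {
		out.DNSNames = append([]string(nil), fromCSR.DNSNames...)
	} else if len(fromCSR.DNSNames) > 0 {
		dropped = append(dropped, "dns")
	}
	if allowed.IPAddresses {
		out.IPAddresses = append([]net.IP(nil), fromCSR.IPAddresses...)
	} else if len(fromCSR.IPAddresses) > 0 {
		dropped = append(dropped, "ip")
	}
	if allowed.EmailAddresses {
		out.EmailAddresses = append([]string(nil), fromCSR.EmailAddresses...)
	} else if len(fromCSR.EmailAddresses) > 0 {
		dropped = append(dropped, "email")
	}
	if allowed.URIs {
		out.URIs = append([]*url.URL(nil), fromCSR.URIs...)
	} else if len(fromCSR.URIs) > 0 {
		dropped = append(dropped, "uri")
	}
	return out, dropped
}

// applyAPISubject overlays a subject supplied by the API caller. It bypasses
// AllowedFields on purpose, which is exactly why the API must be authenticated
// and authorised before a request reaches the signer.
func applyAPISubject(tpl *x509.Certificate, subject *pkix.Name) {
	if subject != nil {
		tpl.Subject = *subject
	}
}

// sampleCSRTemplate is a constructed template as parsing a CSR would return
// it; a requester asking for more names than it should get.
func sampleCSRTemplate() *x509.Certificate {
	u, _ := url.Parse("spiffe://example.internal/ns/prod/sa/api")
	return &x509.Certificate{
		Subject:        pkix.Name{CommonName: "api.example.internal", Organization: []string{"Requester Org"}},
		DNSNames:       []string{"api.example.internal", "admin.example.internal"},
		IPAddresses:    []net.IP{net.ParseIP("10.0.0.5")},
		EmailAddresses: []string{"ops@example.com"},
		URIs:           []*url.URL{u},
	}
}
```

The copies use fresh slices rather than aliasing the CSR's, so later edits to the template (SetSAN, profile defaults) cannot reach back into the parsed request. With a profile that allows only dns, the sample above yields a template with two DNS names and nothing else, and dropped reports subject, ip, email and uri.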
type BasicConstraints ¶
type BasicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}
BasicConstraints holds the basicConstraints extension fields from a CSR (RFC 5280, section 4.2.1.9).
type CertificatePolicy ¶
type CertificatePolicy struct {
	ID         OID                          `json:"oid" yaml:"oid"`
	Qualifiers []CertificatePolicyQualifier `json:"qualifiers" yaml:"qualifiers"`
}
CertificatePolicy represents the ASN.1 PolicyInformation structure from https://tools.ietf.org/html/rfc3280.html#page-106. Valid values of a qualifier's Type are "id-qt-unotice" and "id-qt-cps" (see UserNoticeQualifierType and CpsQualifierType).
type CertificatePolicyQualifier ¶
type CertificatePolicyQualifier struct {
	Type  string `json:"type" yaml:"type"`
	Value string `json:"value" yaml:"value"`
}
CertificatePolicyQualifier represents a single qualifier from an ASN.1 PolicyInformation structure.
type CertificateRequest ¶
type CertificateRequest struct {
	// CommonName of the Subject
	CommonName string `json:"common_name" yaml:"common_name"`
	// Names of the Subject
	Names []X509Name `json:"names" yaml:"names"`
	// SerialNumber of the Subject
	SerialNumber string `json:"serial_number,omitempty" yaml:"serial_number,omitempty"`
	// SAN is Subject Alt Names
	SAN []string `json:"san" yaml:"san"`
	// KeyRequest for generated key
	KeyRequest KeyRequest `json:"key,omitempty" yaml:"key,omitempty"`
}
A CertificateRequest encapsulates the API interface to the certificate request functionality.
func (*CertificateRequest) Name ¶
func (r *CertificateRequest) Name() pkix.Name
Name returns the PKIX name for the request.
func (*CertificateRequest) Validate ¶
func (r *CertificateRequest) Validate() error
Validate provides the default validation logic for a certificate request. The only requirement here is that the request has a non-empty subject.
type Duration ¶
Duration represents a period of time. It is the same as time.Duration but supports more flexible marshalling from JSON and YAML.
func (Duration) MarshalJSON ¶
MarshalJSON encodes our custom Duration value as a quoted version of its underlying value's String() output. This means you get a duration with a trailing units indicator, e.g. "10m0s".
func (Duration) String ¶
String returns a string formatted version of the duration in a valueUnits format, e.g. 5m0s for 5 minutes.
func (Duration) TimeDuration ¶
TimeDuration returns this duration as a time.Duration.
func (*Duration) UnmarshalJSON ¶
UnmarshalJSON handles decoding of our custom JSON serialization for Durations. JSON values that are numbers are treated as seconds; JSON values that are strings may use the standard time.Duration unit indicators. For example, this can decode val:100 as well as val:"10m".
func (*Duration) UnmarshalYAML ¶
UnmarshalYAML handles decoding of the same custom serialization for Durations from YAML.
type KeyPurpose ¶
type KeyPurpose int
KeyPurpose declares the intended use of a generated key.
const (
	// Undefined purpose of key
	Undefined KeyPurpose = 0
	// SigningKey specifies the purpose of key to be used in signing/verification operations
	SigningKey KeyPurpose = 1
	// EncryptionKey specifies the purpose of key to be used in encryption/decryption operations
	EncryptionKey KeyPurpose = 2
)
type KeyRequest ¶
type KeyRequest interface {
	Algo() string
	Label() string
	Size() int
	Generate() (crypto.PrivateKey, error)
	SigAlgo() x509.SignatureAlgorithm
	Purpose() int
}
KeyRequest describes a new private key: its label, algorithm, key size and purpose, and is able to generate it.
func NewKeyRequest ¶
func NewKeyRequest(prov cryptoprov.Provider, label, algo string, keySize int, purpose KeyPurpose) KeyRequest
NewKeyRequest returns a KeyRequest for the given provider, label, algorithm, key size and purpose.
type OID ¶
type OID asn1.ObjectIdentifier
OID wraps asn1.ObjectIdentifier and provides custom JSON and YAML marshalling/unmarshalling.
func (OID) MarshalJSON ¶
MarshalJSON marshals an oid into a JSON string.
func (*OID) UnmarshalJSON ¶
UnmarshalJSON unmarshals a JSON string into an OID.
func (*OID) UnmarshalYAML ¶
UnmarshalYAML unmarshals a YAML string into an OID.
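The two custom codecs described above (Duration, which accepts a bare number of seconds or a time.Duration string, and OID, which is serialised as a dotted string) are reimplemented below as an added example; this is not the package's own code. The Profile struct, the ParseProfile function and the field names expiry, backdate and policies are placeholders invented for the example, not the package's profile format. The example goes slightly beyond the text in two places a CA operator would want: ParseOID rejects malformed dotted strings at load time, and ParseProfile refuses a zero or negative expiry.

```go
package main

import (
	"encoding/asn1"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Duration is time.Duration that decodes from JSON either as a bare number of
// seconds or as a string in time.ParseDuration syntax ("10m", "8760h").
type Duration time.Duration

func (d Duration) String() string              { return time.Duration(d).String() }
func (d Duration) TimeDuration() time.Duration { return time.Duration(d) }

// MarshalJSON always emits the quoted string form, e.g. "10m0s".
func (d Duration) MarshalJSON() ([]byte, error) { return json.Marshal(d.String()) }

func (d *Duration) UnmarshalJSON(b []byte) error {
	var v interface{}
	if err := json.Unmarshal(b, &v); err != nil {
		return err
	}
	switch x := v.(type) {
	case float64: // bare JSON number: seconds (fractions are kept)
		*d = Duration(time.Duration(x * float64(time.Second)))
	case string:
		dur, err := time.ParseDuration(x)
		if err != nil {
			return fmt.Errorf("duration: %w", err)
		}
		*d = Duration(dur)
	default:
		return fmt.Errorf("duration: unsupported JSON value %s", string(b))
	}
	return nil
}

// OID is asn1.ObjectIdentifier serialised as a dotted string ("2.5.29.19").
type OID asn1.ObjectIdentifier

func (o OID) String() string                { return asn1.ObjectIdentifier(o).String() }
func (o OID) MarshalJSON() ([]byte, error) { return json.Marshal(o.String()) }

func (o *OID) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	oid, err := ParseOID(s)
	if err != nil {
		return err
	}
	*o = oid
	return nil
}

// ParseOID accepts only a well-formed dotted OID of at least two non-negative
// arcs, so a typo in a profile fails when the profile is loaded instead of
// producing an extension the issuer cannot encode.
func ParseOID(s string) (OID, error) {
	parts := strings.Split(s, ".")
	if len(parts) < 2 {
		return nil, fmt.Errorf("oid %q: need at least two arcs", s)
	}
	oid := make(OID, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("oid %q: invalid arc %q", s, p)
		}
		oid = append(oid, n)
	}
	return oid, nil
}

// Profile is a constructed minimal signing profile using both types; the
// field names are placeholders, not the package's profile format.
type Profile struct {
	Expiry   Duration `json:"expiry"`
	Backdate Duration `json:"backdate"`
	Policies []OID    `json:"policies"`
}

// ParseProfile decodes a profile and rejects a non-positive expiry, which
// would issue certificates that are already expired when they are created.
func ParseProfile(raw string) (*Profile, error) {
	var p Profile
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, err
	}
	if p.Expiry <= 0 {
		return nil, errors.New("profile: expiry must be a positive duration")
	}
	return &p, nil
}
```

Decoding `{"expiry":100,"backdate":"5m","policies":["2.5.29.32.0"]}` gives an expiry of 100 seconds and a backdate of five minutes; marshalling the result back produces `"expiry":"1m40s"`, the quoted String() form the documentation describes, so a round trip through JSON normalises numeric seconds into unit-suffixed strings.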
type Provider ¶
type Provider struct {
// contains filtered or unexported fields
}
Provider extends cryptoprov.Crypto functionality to support CSR processing and certificate signing.
func NewProvider ¶
func NewProvider(provider cryptoprov.Provider) *Provider
NewProvider returns a CSR Provider backed by the given cryptoprov.Provider.
func (*Provider) CreateRequestAndExportKey ¶
func (c *Provider) CreateRequestAndExportKey(req *CertificateRequest) (csrPEM, key []byte, keyID string, pub crypto.PublicKey, err error)
CreateRequestAndExportKey takes a certificate request, generates a key according to its KeyRequest, and returns the PEM-encoded CSR, the exported private key bytes, the key ID and the public key.
func (*Provider) GenerateKeyAndRequest ¶
func (c *Provider) GenerateKeyAndRequest(req *CertificateRequest) (csrPEM []byte, priv crypto.PrivateKey, keyID string, err error)
GenerateKeyAndRequest takes a certificate request, generates a key according to its KeyRequest, and returns the PEM-encoded CSR, the private key and the key ID.
func (*Provider) NewKeyRequest ¶
func (c *Provider) NewKeyRequest(label, algo string, keySize int, purpose KeyPurpose) KeyRequest
NewKeyRequest returns a KeyRequest, backed by the Provider's crypto provider, for the given label, algorithm, key size and purpose.
func (*Provider) NewSigningCertificateRequest ¶
func (c *Provider) NewSigningCertificateRequest(
	keyLabel, algo string,
	keySize int,
	CN string,
	names []X509Name,
	san []string,
) *CertificateRequest
NewSigningCertificateRequest creates a new CertificateRequest for a signing certificate from the given key label, algorithm, key size, CN, subject names and SANs.
type SignRequest ¶
type SignRequest struct {
	SAN          []string        `json:"san" yaml:"san"`
	Request      string          `json:"certificate_request" yaml:"certificate_request"`
	Subject      *X509Subject    `json:"subject,omitempty" yaml:"subject,omitempty"`
	Profile      string          `json:"profile" yaml:"profile"`
	SerialNumber *big.Int        `json:"serial_number,omitempty" yaml:"serial_number,omitempty"`
	Extensions   []X509Extension `json:"extensions,omitempty" yaml:"extensions,omitempty"`

	// If provided, NotBefore will be used without modification (except
	// for canonicalization) as the value of the notBefore field of the
	// certificate. In particular no backdating adjustment will be made
	// when NotBefore is provided.
	NotBefore time.Time `json:"-" yaml:"-"`
	// If provided, NotAfter will be used without modification (except
	// for canonicalization) as the value of the notAfter field of the
	// certificate.
	NotAfter time.Time `json:"-" yaml:"-"`
}
SignRequest stores a signature request, which contains the SAN, the PEM-encoded CSR, optional subject information, and the signing profile.
Extensions provided in the request are copied into the certificate, as long as they are in the allowed list for the issuer's policy. Extensions requested in the CSR itself are ignored, except for those processed when the request is parsed (mainly subjectAltName).
type Signer ¶
type Signer interface {
SignCertificate(req SignRequest) (cert []byte, err error)
}
Signer is the interface implemented by anything that can sign a SignRequest into a certificate.
type X509Extension ¶
type X509Extension struct {
	ID       OID    `json:"id" yaml:"id"`
	Critical bool   `json:"critical" yaml:"critical"`
	Value    string `json:"value" yaml:"value"`
}
X509Extension represents a raw extension to be included in the certificate. The "value" field must be the hex-encoded extension value.
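An added example (not code from this package) of what the signer has to do with the Extensions of a SignRequest before they reach the certificate, covering both the allow-list rule stated for SignRequest and the hex-encoded value of X509Extension: decode the hex, require that it is exactly one complete DER element, check the OID against the profile's allow-list, and refuse OIDs that the issuer computes itself (subjectAltName, basicConstraints, keyUsage and friends), since letting a request supply those as raw DER would bypass the profile entirely. The function buildExtraExtensions, the reserved list and the sample extension are placeholders for the example; ID is kept as asn1.ObjectIdentifier here rather than the package's OID type, and the sample OID sits under 1.3.6.1.4.1.32473, the enterprise number reserved for documentation by RFC 5612.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// X509Extension mirrors the documented struct, with ID as the raw asn1 type so
// the example does not need the package's OID codec.
type X509Extension struct {
	ID       asn1.ObjectIdentifier
	Critical bool
	Value    string // hex-encoded DER value of the extension
}

// reservedExtensions are computed by the issuer from the profile and the CSR;
// a request must never be able to replace them with arbitrary DER.
var reservedExtensions = []asn1.ObjectIdentifier{
	{2, 5, 29, 14}, // subjectKeyIdentifier
	{2, 5, 29, 15}, // keyUsage
	{2, 5, 29, 17}, // subjectAltName
	{2, 5, 29, 19}, // basicConstraints
	{2, 5, 29, 35}, // authorityKeyIdentifier
	{2, 5, 29, 37}, // extKeyUsage
}

func containsOID(list []asn1.ObjectIdentifier, id asn1.ObjectIdentifier) bool {
	for _, o := range list {
		if o.Equal(id) {
			return true
		}
	}
	return false
}

// buildExtraExtensions converts request extensions into pkix.Extension values,
// keeping only OIDs in the profile's allow-list and rejecting duplicates,
// issuer-reserved OIDs and values that are not a single well-formed DER element.
func buildExtraExtensions(reqExts []X509Extension, allowed []asn1.ObjectIdentifier) ([]pkix.Extension, error) {
	seen := map[string]bool{}
	var out []pkix.Extension
	for _, e := range reqExts {
		key := e.ID.String()
		if len(e.ID) < 2 {
			return nil, fmt.Errorf("extension %q: invalid OID", key)
		}
		if seen[key] {
			return nil, fmt.Errorf("extension %s: supplied more than once", key)
		}
		seen[key] = true
		if containsOID(reservedExtensions, e.ID) {
			return nil, fmt.Errorf("extension %s is set by the issuer and cannot be supplied", key)
		}
		if !containsOID(allowed, e.ID) {
			return nil, fmt.Errorf("extension %s is not allowed by the profile", key)
		}
		raw, err := hex.DecodeString(e.Value)
		if err != nil {
			return nil, fmt.Errorf("extension %s: value is not hex: %w", key, err)
		}
		var rv asn1.RawValue
		rest, err := asn1.Unmarshal(raw, &rv)
		if err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("extension %s: value is not a single DER element", key)
		}
		out = append(out, pkix.Extension{Id: e.ID, Critical: e.Critical, Value: raw})
	}
	return out, nil
}

// sampleRequestExtensions is a constructed request carrying one private
// extension whose value is the DER UTF8String "build-1234".
func sampleRequestExtensions() []X509Extension {
	v, _ := asn1.MarshalWithParams("build-1234", "utf8")
	return []X509Extension{{
		ID:    asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 32473, 1},
		Value: hex.EncodeToString(v),
	}}
}
```

The resulting pkix.Extension values go into the template's ExtraExtensions, where the Go x509 encoder copies them verbatim, which is why the DER check matters: a truncated or trailing-garbage value would otherwise be embedded as-is and surface as a parse failure in every client. Marking a private extension Critical is passed through here, but clients that do not understand a critical extension must reject the certificate, so a profile should normally allow only non-critical private extensions.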
type X509Name ¶
type X509Name struct {
	C            string `json:"c" yaml:"c"`   // Country
	ST           string `json:"st" yaml:"st"` // State
	L            string `json:"l" yaml:"l"`   // Locality
	O            string `json:"o" yaml:"o"`   // OrganisationName
	OU           string `json:"ou" yaml:"ou"` // OrganisationalUnitName
	SerialNumber string `json:"serial_number" yaml:"serial_number"`
}
X509Name contains the SubjectInfo fields.
type X509Subject ¶
type X509Subject struct {
	CommonName   string     `json:"common_name" yaml:"common_name"`
	Names        []X509Name `json:"names" yaml:"names"`
	SerialNumber string     `json:"serial_number" yaml:"serial_number"`
}
X509Subject contains the information that should be used to override the subject information when signing a certificate.
func (*X509Subject) Name ¶
func (s *X509Subject) Name() pkix.Name
Name returns the PKIX name for the subject.