cryptoutils

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 15, 2023 License: Apache-2.0 Imports: 23 Imported by: 2

Documentation

Overview

Package cryptoutils implements support for working with encoded certificates, public keys, and private keys

Package cryptoutils contains utilities related to handling cryptographic materials.

Index

Constants

This section is empty.

Variables

View Source
var (
	// OIDOtherName is the OID for the OtherName SAN per RFC 5280
	OIDOtherName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
	// SANOID is the OID for Subject Alternative Name per RFC 5280
	SANOID = asn1.ObjectIdentifier{2, 5, 29, 17}
)
View Source
var Read = readPasswordFn

Read is for fuzzing

Functions

func CheckExpiration

func CheckExpiration(cert *x509.Certificate, epoch time.Time) error

CheckExpiration verifies that epoch is during the validity period of the certificate provided.

It returns nil if issueTime < epoch < expirationTime, and error otherwise.

func EqualKeys

func EqualKeys(first, second crypto.PublicKey) error

EqualKeys compares two public keys. Supports RSA, ECDSA and ED25519. If not equal, the error message contains hex-encoded SHA1 hashes of the DER-encoded keys

func GeneratePEMEncodedECDSAKeyPair

func GeneratePEMEncodedECDSAKeyPair(curve elliptic.Curve, pf PassFunc) (privPEM, pubPEM []byte, err error)

GeneratePEMEncodedECDSAKeyPair generates an ECDSA keypair, optionally password encrypted using a provided PassFunc, and PEM encoded.

func GeneratePEMEncodedRSAKeyPair

func GeneratePEMEncodedRSAKeyPair(keyLengthBits int, pf PassFunc) (privPEM, pubPEM []byte, err error)

GeneratePEMEncodedRSAKeyPair generates an RSA keypair, optionally password encrypted using a provided PassFunc, and PEM encoded.

func GenerateSerialNumber

func GenerateSerialNumber() (*big.Int, error)

GenerateSerialNumber creates a compliant serial number as per RFC 5280 4.1.2.2. Serial numbers must be positive, and can be no longer than 20 bytes. The serial number is generated with 159 bits, so that the first bit will always be 0, resulting in a positive serial number.

func GetPasswordFromStdIn

func GetPasswordFromStdIn(confirm bool) ([]byte, error)

GetPasswordFromStdIn gathers the password from stdin with an optional confirmation step.

func GetSubjectAlternateNames

func GetSubjectAlternateNames(cert *x509.Certificate) []string

GetSubjectAlternateNames extracts all subject alternative names from the certificate, including email addresses, DNS, IP addresses, URIs, and OtherName SANs

func LoadCertificatesFromPEM

func LoadCertificatesFromPEM(pem io.Reader) ([]*x509.Certificate, error)

LoadCertificatesFromPEM extracts one or more X509 certificates from the provided io.Reader.

func MarshalCertificateToPEM

func MarshalCertificateToPEM(cert *x509.Certificate) ([]byte, error)

MarshalCertificateToPEM converts the provided X509 certificate into PEM format

func MarshalCertificatesToPEM

func MarshalCertificatesToPEM(certs []*x509.Certificate) ([]byte, error)

MarshalCertificatesToPEM converts the provided X509 certificates into PEM format

func MarshalOtherNameSAN

func MarshalOtherNameSAN(name string, critical bool) (*pkix.Extension, error)

MarshalOtherNameSAN creates a Subject Alternative Name extension with an OtherName sequence. RFC 5280, 4.2.1.6:

SubjectAltName ::= GeneralNames GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName GeneralName ::= CHOICE {

otherName                       [0]     OtherName,
... }

func MarshalPrivateKeyToDER

func MarshalPrivateKeyToDER(priv crypto.PrivateKey) ([]byte, error)

MarshalPrivateKeyToDER converts a crypto.PrivateKey into a PKCS8 ASN.1 DER byte slice

func MarshalPrivateKeyToEncryptedDER

func MarshalPrivateKeyToEncryptedDER(priv crypto.PrivateKey, pf PassFunc) ([]byte, error)

MarshalPrivateKeyToEncryptedDER marshals the private key and encrypts the DER-encoded value using the specified password function

func MarshalPrivateKeyToPEM

func MarshalPrivateKeyToPEM(priv crypto.PrivateKey) ([]byte, error)

MarshalPrivateKeyToPEM converts a crypto.PrivateKey into a PKCS#8 PEM-encoded byte slice

func MarshalPublicKeyToDER

func MarshalPublicKeyToDER(pub crypto.PublicKey) ([]byte, error)

MarshalPublicKeyToDER converts a crypto.PublicKey into a PKIX, ASN.1 DER byte slice

func MarshalPublicKeyToPEM

func MarshalPublicKeyToPEM(pub crypto.PublicKey) ([]byte, error)

MarshalPublicKeyToPEM converts a crypto.PublicKey into a PEM-encoded byte slice

func PEMEncode

func PEMEncode(typeStr PEMType, bytes []byte) []byte

PEMEncode encodes the specified byte slice in PEM format using the provided type string

func ParseCSR

func ParseCSR(csr []byte) (*x509.CertificateRequest, error)

ParseCSR parses a PKCS#10 PEM-encoded CSR.

func SKID

func SKID(pub crypto.PublicKey) ([]byte, error)

SKID generates a 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits). https://tools.ietf.org/html/rfc5280#section-4.2.1.2

func SkipPassword

func SkipPassword(_ bool) ([]byte, error)

SkipPassword is a PassFunc that does not interact with a user, but simply returns nil for both the password result and error struct.

func UnmarshalCertificatesFromPEM

func UnmarshalCertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error)

UnmarshalCertificatesFromPEM extracts one or more X509 certificates from the provided byte slice, which is assumed to be in PEM-encoded format.

func UnmarshalCertificatesFromPEMLimited

func UnmarshalCertificatesFromPEMLimited(pemBytes []byte, iterations int) ([]*x509.Certificate, error)

UnmarshalCertificatesFromPEMLimited extracts one or more X509 certificates from the provided byte slice, which is assumed to be in PEM-encoded format. Fails after a specified number of iterations. A reasonable limit is 10 iterations.

func UnmarshalOtherNameSAN

func UnmarshalOtherNameSAN(exts []pkix.Extension) (string, error)

UnmarshalOtherNameSAN extracts a UTF-8 string from the OtherName field in the Subject Alternative Name extension.

func UnmarshalPEMToPrivateKey

func UnmarshalPEMToPrivateKey(pemBytes []byte, pf PassFunc) (crypto.PrivateKey, error)

UnmarshalPEMToPrivateKey converts a PEM-encoded byte slice into a crypto.PrivateKey

func UnmarshalPEMToPublicKey

func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error)

UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey

func ValidatePubKey

func ValidatePubKey(pub crypto.PublicKey) error

ValidatePubKey validates the parameters of an RSA, ECDSA, or ED25519 public key.

Types

type OtherName

type OtherName struct {
	ID    asn1.ObjectIdentifier
	Value string `asn1:"utf8,explicit,tag:0"`
}

OtherName describes a name related to a certificate which is not in one of the standard name formats. RFC 5280, 4.2.1.6:

OtherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }

OtherName for Fulcio-issued certificates only supports UTF-8 strings as values.

type PEMType

type PEMType string

PEMType is a specific type for string constants used during PEM encoding and decoding

const (
	// PrivateKeyPEMType is the string "PRIVATE KEY" to be used during PEM encoding and decoding
	PrivateKeyPEMType PEMType = "PRIVATE KEY"
	// ECPrivateKeyPEMType is the string "EC PRIVATE KEY" used to parse SEC 1 EC private keys
	ECPrivateKeyPEMType PEMType = "EC PRIVATE KEY"
	// PKCS1PrivateKeyPEMType is the string "RSA PRIVATE KEY" used to parse PKCS#1-encoded private keys
	PKCS1PrivateKeyPEMType PEMType = "RSA PRIVATE KEY"

	// EncryptedSigstorePrivateKeyPEMType is the string "ENCRYPTED SIGSTORE PRIVATE KEY" to be used during PEM encoding and decoding
	EncryptedSigstorePrivateKeyPEMType PEMType = "ENCRYPTED SIGSTORE PRIVATE KEY"
)
const (
	// PublicKeyPEMType is the string "PUBLIC KEY" to be used during PEM encoding and decoding
	PublicKeyPEMType PEMType = "PUBLIC KEY"
	// PKCS1PublicKeyPEMType is the string "RSA PUBLIC KEY" used to parse PKCS#1-encoded public keys
	PKCS1PublicKeyPEMType PEMType = "RSA PUBLIC KEY"
)
const (
	// CertificatePEMType is the string "CERTIFICATE" to be used during PEM encoding and decoding
	CertificatePEMType PEMType = "CERTIFICATE"
)

type PassFunc

type PassFunc func(bool) ([]byte, error)

PassFunc is a type of function that takes a boolean (representing whether confirmation is desired) and returns the password as read, along with an error if one occurred

func StaticPasswordFunc

func StaticPasswordFunc(pw []byte) PassFunc

StaticPasswordFunc returns a PassFunc which returns the provided password.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL