Documentation
Overview
Package cryptoutils implements support for working with encoded certificates, public keys, and private keys. It contains utilities related to handling cryptographic materials.
Index
- Variables
- func CheckExpiration(cert *x509.Certificate, epoch time.Time) error
- func EqualKeys(first, second crypto.PublicKey) error
- func GeneratePEMEncodedECDSAKeyPair(curve elliptic.Curve, pf PassFunc) (privPEM, pubPEM []byte, err error)
- func GeneratePEMEncodedRSAKeyPair(keyLengthBits int, pf PassFunc) (privPEM, pubPEM []byte, err error)
- func GenerateSerialNumber() (*big.Int, error)
- func GetPasswordFromStdIn(confirm bool) ([]byte, error)
- func GetSubjectAlternateNames(cert *x509.Certificate) []string
- func LoadCertificatesFromPEM(pem io.Reader) ([]*x509.Certificate, error)
- func MarshalCertificateToPEM(cert *x509.Certificate) ([]byte, error)
- func MarshalCertificatesToPEM(certs []*x509.Certificate) ([]byte, error)
- func MarshalOtherNameSAN(name string, critical bool) (*pkix.Extension, error)
- func MarshalPrivateKeyToDER(priv crypto.PrivateKey) ([]byte, error)
- func MarshalPrivateKeyToEncryptedDER(priv crypto.PrivateKey, pf PassFunc) ([]byte, error)
- func MarshalPrivateKeyToPEM(priv crypto.PrivateKey) ([]byte, error)
- func MarshalPublicKeyToDER(pub crypto.PublicKey) ([]byte, error)
- func MarshalPublicKeyToPEM(pub crypto.PublicKey) ([]byte, error)
- func PEMEncode(typeStr PEMType, bytes []byte) []byte
- func ParseCSR(csr []byte) (*x509.CertificateRequest, error)
- func SKID(pub crypto.PublicKey) ([]byte, error)
- func SkipPassword(_ bool) ([]byte, error)
- func UnmarshalCertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
- func UnmarshalCertificatesFromPEMLimited(pemBytes []byte, iterations int) ([]*x509.Certificate, error)
- func UnmarshalOtherNameSAN(exts []pkix.Extension) (string, error)
- func UnmarshalPEMToPrivateKey(pemBytes []byte, pf PassFunc) (crypto.PrivateKey, error)
- func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error)
- func ValidatePubKey(pub crypto.PublicKey) error
- type OtherName
- type PEMType
- type PassFunc
Constants
This section is empty.
Variables
var (
	// OIDOtherName is the OID for the OtherName SAN per RFC 5280
	OIDOtherName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
	// SANOID is the OID for Subject Alternative Name per RFC 5280
	SANOID = asn1.ObjectIdentifier{2, 5, 29, 17}
)
var Read = readPasswordFn
Read is for fuzzing.
Functions
func CheckExpiration
func CheckExpiration(cert *x509.Certificate, epoch time.Time) error
CheckExpiration verifies that epoch falls within the validity period of the provided certificate.
It returns nil if issueTime < epoch < expirationTime, and an error otherwise.
func EqualKeys
func EqualKeys(first, second crypto.PublicKey) error
EqualKeys compares two public keys. It supports RSA, ECDSA and ED25519. If the keys are not equal, the error message contains hex-encoded SHA1 hashes of the DER-encoded keys.
func GeneratePEMEncodedECDSAKeyPair
func GeneratePEMEncodedECDSAKeyPair(curve elliptic.Curve, pf PassFunc) (privPEM, pubPEM []byte, err error)
GeneratePEMEncodedECDSAKeyPair generates an ECDSA keypair, optionally password encrypted using a provided PassFunc, and PEM encoded.
func GeneratePEMEncodedRSAKeyPair
func GeneratePEMEncodedRSAKeyPair(keyLengthBits int, pf PassFunc) (privPEM, pubPEM []byte, err error)
GeneratePEMEncodedRSAKeyPair generates an RSA keypair, optionally password encrypted using a provided PassFunc, and PEM encoded.
func GenerateSerialNumber
func GenerateSerialNumber() (*big.Int, error)
GenerateSerialNumber creates a compliant serial number as per RFC 5280 4.1.2.2. Serial numbers must be positive and can be no longer than 20 bytes. The serial number is generated with 159 bits, so that the first bit is always 0, resulting in a positive serial number.
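An added example, not the package's own implementation, that draws a 159-bit serial as described above and then checks the encoded form against the RFC 5280 limit; generateSerialNumber, checkSerialNumber and serialBits are names chosen here. It also shows why the width matters: a value whose top bit is set picks up a DER padding octet, so 160 random bits could exceed 20 octets.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// serialBits follows this page: 159 random bits leave the top bit of a 20-byte
// field clear, so the value is always positive and never needs a DER pad octet.
const serialBits = 159

// generateSerialNumber returns a uniformly random positive value below 2^159.
func generateSerialNumber() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), serialBits)
	for {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil || n.Sign() > 0 { // retry only on the (negligible) zero draw
			return n, err
		}
	}
}

// checkSerialNumber enforces RFC 5280 4.1.2.2 on the encoded form: a positive DER
// INTEGER of at most 20 content octets. DER prepends 0x00 when the top bit of the
// magnitude is set, so a full 160-bit value costs 21 octets and is rejected.
func checkSerialNumber(serial *big.Int) error {
	if serial.Sign() <= 0 {
		return fmt.Errorf("serial number must be positive, got %s", serial)
	}
	der, err := asn1.Marshal(serial)
	if err != nil {
		return err
	}
	// Short-form length here: 0x02 tag, one length octet, then the content octets.
	if n := len(der) - 2; n > 20 {
		return fmt.Errorf("serial number encodes to %d octets, RFC 5280 allows at most 20", n)
	}
	return nil
}

func main() {
	serial, err := generateSerialNumber()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%x: %v\n", serial, checkSerialNumber(serial))
	fmt.Println(checkSerialNumber(new(big.Int).Lsh(big.NewInt(1), 159))) // 160 bits wide: rejected
}
```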
func GetPasswordFromStdIn
func GetPasswordFromStdIn(confirm bool) ([]byte, error)
GetPasswordFromStdIn gathers the password from stdin with an optional confirmation step.
func GetSubjectAlternateNames
func GetSubjectAlternateNames(cert *x509.Certificate) []string
GetSubjectAlternateNames extracts all subject alternative names from the certificate, including email addresses, DNS names, IP addresses, URIs, and OtherName SANs.
func LoadCertificatesFromPEM
func LoadCertificatesFromPEM(pem io.Reader) ([]*x509.Certificate, error)
LoadCertificatesFromPEM extracts one or more X509 certificates from the provided io.Reader.
func MarshalCertificateToPEM
func MarshalCertificateToPEM(cert *x509.Certificate) ([]byte, error)
MarshalCertificateToPEM converts the provided X509 certificate into PEM format.
func MarshalCertificatesToPEM
func MarshalCertificatesToPEM(certs []*x509.Certificate) ([]byte, error)
MarshalCertificatesToPEM converts the provided X509 certificates into PEM format.
func MarshalOtherNameSAN
func MarshalOtherNameSAN(name string, critical bool) (*pkix.Extension, error)
MarshalOtherNameSAN creates a Subject Alternative Name extension with an OtherName sequence. RFC 5280, 4.2.1.6:
SubjectAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
GeneralName ::= CHOICE {
    otherName [0] OtherName,
    ... }
func MarshalPrivateKeyToDER
func MarshalPrivateKeyToDER(priv crypto.PrivateKey) ([]byte, error)
MarshalPrivateKeyToDER converts a crypto.PrivateKey into a PKCS#8 ASN.1 DER byte slice.
func MarshalPrivateKeyToEncryptedDER
func MarshalPrivateKeyToEncryptedDER(priv crypto.PrivateKey, pf PassFunc) ([]byte, error)
MarshalPrivateKeyToEncryptedDER marshals the private key and encrypts the DER-encoded value using the specified password function.
func MarshalPrivateKeyToPEM
func MarshalPrivateKeyToPEM(priv crypto.PrivateKey) ([]byte, error)
MarshalPrivateKeyToPEM converts a crypto.PrivateKey into a PKCS#8 PEM-encoded byte slice.
func MarshalPublicKeyToDER
func MarshalPublicKeyToDER(pub crypto.PublicKey) ([]byte, error)
MarshalPublicKeyToDER converts a crypto.PublicKey into a PKIX ASN.1 DER byte slice.
func MarshalPublicKeyToPEM
func MarshalPublicKeyToPEM(pub crypto.PublicKey) ([]byte, error)
MarshalPublicKeyToPEM converts a crypto.PublicKey into a PEM-encoded byte slice.
func PEMEncode
func PEMEncode(typeStr PEMType, bytes []byte) []byte
PEMEncode encodes the specified byte slice in PEM format using the provided type string.
func ParseCSR
func ParseCSR(csr []byte) (*x509.CertificateRequest, error)
ParseCSR parses a PKCS#10 PEM-encoded CSR.
func SKID
func SKID(pub crypto.PublicKey) ([]byte, error)
SKID generates a 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits). See https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
func SkipPassword
func SkipPassword(_ bool) ([]byte, error)
SkipPassword is a PassFunc that does not interact with a user; it simply returns nil for both the password and the error.
func UnmarshalCertificatesFromPEM
func UnmarshalCertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
UnmarshalCertificatesFromPEM extracts one or more X509 certificates from the provided byte slice, which is assumed to be in PEM-encoded format.
func UnmarshalCertificatesFromPEMLimited
func UnmarshalCertificatesFromPEMLimited(pemBytes []byte, iterations int) ([]*x509.Certificate, error)
UnmarshalCertificatesFromPEMLimited extracts one or more X509 certificates from the provided byte slice, which is assumed to be in PEM-encoded format. It fails after the specified number of iterations. A reasonable limit is 10 iterations.
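An added example of the bounded PEM walk described above; this is not the package's own code. It stops with an error once more blocks than the limit are present and, as this example's own choice (the page does not say what the package does), rejects any block whose type is not CERTIFICATE. constructedBundle builds a throwaway self-signed input so the block runs offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// unmarshalCertificatesFromPEMLimited decodes at most limit CERTIFICATE blocks and rejects
// input that still has blocks left, bounding the parsing work an untrusted bundle can cause.
func unmarshalCertificatesFromPEMLimited(pemBytes []byte, limit int) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for i := 0; ; i++ {
		var block *pem.Block
		if block, pemBytes = pem.Decode(pemBytes); block == nil {
			return certs, nil // no further PEM blocks; trailing non-PEM bytes are ignored
		}
		if i >= limit {
			return nil, fmt.Errorf("too many PEM blocks: more than %d", limit)
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("block %d has type %q, want CERTIFICATE", i, block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
		certs = append(certs, cert)
	}
}

// constructedBundle self-signs one throwaway certificate and repeats it n times (constructed input).
func constructedBundle(n int) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return bytes.Repeat(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), n), nil
}
```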
func UnmarshalOtherNameSAN
func UnmarshalOtherNameSAN(exts []pkix.Extension) (string, error)
UnmarshalOtherNameSAN extracts a UTF-8 string from the OtherName field in the Subject Alternative Name extension.
func UnmarshalPEMToPrivateKey
func UnmarshalPEMToPrivateKey(pemBytes []byte, pf PassFunc) (crypto.PrivateKey, error)
UnmarshalPEMToPrivateKey converts a PEM-encoded byte slice into a crypto.PrivateKey.
func UnmarshalPEMToPublicKey
func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error)
UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey.
func ValidatePubKey
func ValidatePubKey(pub crypto.PublicKey) error
ValidatePubKey validates the parameters of an RSA, ECDSA, or ED25519 public key.
Types
type OtherName
type OtherName struct {
	ID    asn1.ObjectIdentifier
	Value string `asn1:"utf8,explicit,tag:0"`
}
OtherName describes a name related to a certificate which is not in one of the standard name formats. RFC 5280, 4.2.1.6:
OtherName ::= SEQUENCE {
    type-id    OBJECT IDENTIFIER,
    value      [0] EXPLICIT ANY DEFINED BY type-id }
OtherName for Fulcio-issued certificates only supports UTF-8 strings as values.
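For both MarshalOtherNameSAN above and the OtherName type here, an added example (not the package's own code) that builds a SAN extension carrying one otherName GeneralName and reads it back, using the OIDs and the struct tag documented on this page. marshalOtherNameSAN and unmarshalOtherNameSAN are local names; this unmarshal variant takes a single extension rather than a slice, and the identity string is constructed.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var oidOtherName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7} // OtherName type-id from this page
var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}                          // id-ce-subjectAltName
// otherName mirrors RFC 5280 OtherName: type-id plus a [0] EXPLICIT value, UTF8String only.
type otherName struct {
	ID    asn1.ObjectIdentifier
	Value string `asn1:"utf8,explicit,tag:0"`
}

// marshalOtherNameSAN emits GeneralNames with one otherName choice: the OtherName SEQUENCE
// re-tagged as [0] IMPLICIT (context-specific, constructed), wrapped in the SEQUENCE OF.
func marshalOtherNameSAN(name string, critical bool) (*pkix.Extension, error) {
	gn, err := asn1.MarshalWithParams(otherName{ID: oidOtherName, Value: name}, "tag:0")
	if err != nil {
		return nil, err
	}
	val, err := asn1.Marshal([]asn1.RawValue{{FullBytes: gn}})
	if err != nil {
		return nil, err
	}
	return &pkix.Extension{Id: oidSAN, Critical: critical, Value: val}, nil
}

// unmarshalOtherNameSAN returns the UTF-8 value of the first otherName whose type-id is
// oidOtherName; other GeneralName choices (dNSName, rfc822Name, ...) are skipped.
func unmarshalOtherNameSAN(ext pkix.Extension) (string, error) {
	var names []asn1.RawValue
	if rest, err := asn1.Unmarshal(ext.Value, &names); !ext.Id.Equal(oidSAN) || err != nil || len(rest) != 0 {
		return "", fmt.Errorf("not a well-formed SAN extension: %v", err)
	}
	for _, rv := range names {
		var on otherName // choices other than [0] fail the implicit tag check below and are skipped
		if _, err := asn1.UnmarshalWithParams(rv.FullBytes, &on, "tag:0"); err == nil && on.ID.Equal(oidOtherName) {
			return on.Value, nil
		}
	}
	return "", fmt.Errorf("no OtherName SAN with type-id %v", oidOtherName)
}

func main() {
	ext, err := marshalOtherNameSAN("svc-account@constructed.example", true) // constructed identity
	if err != nil {
		panic(err)
	}
	fmt.Println(unmarshalOtherNameSAN(*ext))
}
```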
type PEMType
type PEMType string
PEMType is a specific type for string constants used during PEM encoding and decoding.
const (
	// PrivateKeyPEMType is the string "PRIVATE KEY" to be used during PEM encoding and decoding
	PrivateKeyPEMType PEMType = "PRIVATE KEY"
	// ECPrivateKeyPEMType is the string "EC PRIVATE KEY" used to parse SEC 1 EC private keys
	ECPrivateKeyPEMType PEMType = "EC PRIVATE KEY"
	// PKCS1PrivateKeyPEMType is the string "RSA PRIVATE KEY" used to parse PKCS#1-encoded private keys
	PKCS1PrivateKeyPEMType PEMType = "RSA PRIVATE KEY"
	// EncryptedSigstorePrivateKeyPEMType is the string "ENCRYPTED SIGSTORE PRIVATE KEY" to be used during PEM encoding and decoding
	EncryptedSigstorePrivateKeyPEMType PEMType = "ENCRYPTED SIGSTORE PRIVATE KEY"
)
const (
	// CertificatePEMType is the string "CERTIFICATE" to be used during PEM encoding and decoding
	CertificatePEMType PEMType = "CERTIFICATE"
)
type PassFunc
type PassFunc func(bool) ([]byte, error)
PassFunc is a type of function that takes a boolean (representing whether confirmation is desired) and returns the password as read, along with an error if one occurred.
func StaticPasswordFunc
StaticPasswordFunc returns a PassFunc which returns the provided password.