certificates

package

Variables

View Source
// Sentinel errors returned by this package. Compare with errors.Is so a
// match still succeeds if a caller wraps one of them.
var (
	// Certificate pool and DNS name checks.
	ErrFailedToAddCertToPool    = errors.New("failed to add certificate to x509.CertPool")
	ErrExcludedDNSName          = errors.New("excluded DNSName")
	// Required material (certificate, root CA, request or key) is absent
	// on the value being operated on.
	ErrNoCertificate            = errors.New("has no certificate")
	ErrNoRootCACertificate      = errors.New("has no root CA certificate")
	ErrNoCertificateRequest     = errors.New("has no certificate request")
	ErrNoPrivateKey             = errors.New("has no private key")
	// NOTE(review): both the identifier and the message spell
	// "algorithmn"; the name is exported API, so it is left unchanged.
	ErrWrongSignatureAlgorithmn = errors.New("incorrect signature algorithmn received")
	// PEM decoding failures: no block was found, the key did not parse, or
	// the block type header is not the one expected for a CA cert / key.
	ErrInvalidPemBlock          = errors.New("pem.Decode found no pem.Block data")
	ErrInvalidPrivateKey        = errors.New("private key is invalid")
	ErrInvalidCABlockType       = errors.New("pem.Block has invalid block header for ca cert")
	ErrInvalidCAKeyBlockType    = errors.New("pem.Block has invalid block header for ca key")
	// Length checks on raw byte slices.
	ErrEmptyCARawSlice          = errors.New("CA Raw slice is empty")
	ErrInvalidRawLength         = errors.New("CA Raw slice length is invalid")
	ErrInvalidRequestRawLength  = errors.New("RequestCA Raw slice length is invalid")
	ErrInvalidRootCARawLength   = errors.New("RootCA Raw slice length is invalid")
	ErrInvalidRawCertLength     = errors.New("Cert raw slice length is invalid")
	ErrInvalidRawCertKeyLength  = errors.New("Cert Key raw slice length is invalid")
	// Only RSA and ECDSA private keys are supported (see PrivateKeyType).
	ErrUnknownPrivateKeyType    = errors.New("unknown private key type, only rsa and ec supported")
	ErrInvalidRSAKey            = errors.New("type is not a *rsa.PrivateKey")
	ErrInvalidECDSAKey          = errors.New("type is not a *ecdsa.PrivateKey")
)

errors ...

Functions

func CreateCertificateFromRequest

func CreateCertificateFromRequest(caKey crypto.PrivateKey, ca *x509.Certificate, req *x509.CertificateRequest, lifeTime time.Duration, usages []x509.ExtKeyUsage) (*x509.Certificate, error)

CreateCertificateFromRequest creates an x509.Certificate template from req which will be signed by ca (using caKey) for the given lifeTime and extended key usages.

func CreateECKey

func CreateECKey(curve elliptic.Curve) (privateKey crypto.PrivateKey, publicKey crypto.PublicKey, err error)

CreateECKey returns a private and public key pair generated by the ecdsa generator on the given curve, together with any error that occurs.

func CreateRSAKey

func CreateRSAKey(strength int) (privateKey crypto.PrivateKey, publicKey crypto.PublicKey, err error)

CreateRSAKey returns an RSA private and public key pair, and any error that may occur. It uses the strength argument to size the RSA key; for an ECDSA key see CreateECKey, which takes a curve argument instead.

func DecodeCertificate

func DecodeCertificate(data []byte) (*x509.Certificate, error)

DecodeCertificate decodes a pem-encoded certificate from data, returning the *x509.Certificate and any error it encountered. The certificate is expected to be encoded as a pem.Block; any extra data found after the block is discarded.

func DecodeCertificateRequest

func DecodeCertificateRequest(d []byte) (*x509.CertificateRequest, error)

DecodeCertificateRequest decodes a pem-encoded certificate request from d, returning the *x509.CertificateRequest and any error it encountered. The request is expected to be encoded as a pem.Block; any extra data found after the block is discarded.

func EncodeCertificate

func EncodeCertificate(ca *x509.Certificate) ([]byte, error)

EncodeCertificate returns the pem-encoded form of the certificate ca and any error it encountered. The certificate is encoded into a pem.Block.

func EncodeCertificateRequest

func EncodeCertificateRequest(ca *x509.CertificateRequest) ([]byte, error)

EncodeCertificateRequest returns the pem-encoded form of the certificate request ca and any error it encountered. The request is encoded into a pem.Block.

func EncodePrivateKey

func EncodePrivateKey(privateKey crypto.PrivateKey) ([]byte, error)

EncodePrivateKey returns the pem-encoded form of privateKey and any error it encountered. The key is encoded into a pem.Block.

func GetPublicKey

func GetPublicKey(key crypto.PrivateKey) (crypto.PrivateKey, error)

GetPublicKey returns the public key of the given private key. Note that the declared return type is crypto.PrivateKey even though the value returned is the public key.

func MakeTLSCertificate

func MakeTLSCertificate(cert *x509.Certificate, privateKey crypto.PrivateKey) (tls.Certificate, error)

MakeTLSCertificate returns a tls.Certificate created from the pem-encoded versions of the provided certificate and private key.

Types

type CertificateAuthority

// CertificateAuthority is a generated CA certificate together with its key
// pair. It is produced by CreateCertificateAuthority; the Approve* methods
// sign certificate requests with this CA, and PrivateKeyRaw serializes the
// private key, so a value of this type is secret material: anyone who can
// read it can issue certificates that chain to this CA.
type CertificateAuthority struct {
	// PrivateKey is the CA's private key; presumably the key used by the
	// Approve* methods to sign requests (confirm against those methods).
	PrivateKey  crypto.PrivateKey
	// PublicKey is the public half of the key pair.
	PublicKey   crypto.PublicKey
	// Certificate is the CA certificate returned by CertificateRaw and
	// placed in the pool built by TLSCertPool.
	Certificate *x509.Certificate
}

CertificateAuthority defines a struct which contains a generated certificate template with associated private and public keys.

func CreateCertificateAuthority

func CreateCertificateAuthority(cas CertificateAuthorityProfile) (CertificateAuthority, error)

CreateCertificateAuthority returns a new CertificateAuthority, which implements the necessary interface to write the generated certificate data into memory or into a given store.

func (CertificateAuthority) ApproveClientCertificateSigningRequest

func (ca CertificateAuthority) ApproveClientCertificateSigningRequest(req *CertificateRequest, lifeTime time.Duration) error

ApproveClientCertificateSigningRequest processes the provided CertificateRequest, issuing a certificate signed by this root CA. All certificates signed by this method receive ExtKeyUsageClientAuth alone.

func (CertificateAuthority) ApproveServerCertificateSigningRequest

func (ca CertificateAuthority) ApproveServerCertificateSigningRequest(req *CertificateRequest, lifeTime time.Duration) error

ApproveServerCertificateSigningRequest processes the provided CertificateRequest, issuing a certificate signed by this root CA. All certificates signed by this method receive ExtKeyUsageServerAuth alone.

func (CertificateAuthority) ApproveServerClientCertificateSigningRequest

func (ca CertificateAuthority) ApproveServerClientCertificateSigningRequest(req *CertificateRequest, lifeTime time.Duration) error

ApproveServerClientCertificateSigningRequest processes the provided CertificateRequest, issuing a certificate signed by this root CA. All certificates signed by this method receive both ExtKeyUsageServerAuth and ExtKeyUsageClientAuth.

func (CertificateAuthority) CertificateRaw

func (ca CertificateAuthority) CertificateRaw() ([]byte, error)

CertificateRaw returns the raw version of the certificate.

func (CertificateAuthority) PrivateKeyRaw

func (ca CertificateAuthority) PrivateKeyRaw() ([]byte, error)

PrivateKeyRaw returns the raw version of the certificate's private key.

func (*CertificateAuthority) TLSCert

func (ca *CertificateAuthority) TLSCert() (tls.Certificate, error)

TLSCert returns a new tls.Certificate made from the certificate and private key of the CA.

func (*CertificateAuthority) TLSCertPool

func (ca *CertificateAuthority) TLSCertPool() (*x509.CertPool, error)

TLSCertPool returns a new CertPool containing the CA certificate. A client net.Conn or tls connection can use it to validate that a certificate presented by a server was issued by this CA for the intended usage.

func (CertificateAuthority) VerifyCA

func (ca CertificateAuthority) VerifyCA(cas *x509.Certificate, keyUsage []x509.ExtKeyUsage) error

VerifyCA validates that the provided certificate is still valid against the CertificateAuthority's CA in accordance with the given usage slice.

type CertificateAuthorityProfile

// CertificateAuthorityProfile holds the data used by
// CreateCertificateAuthority to build a CA: subject attributes, the key to
// use or generate, and the certificate's lifetime and names.
type CertificateAuthorityProfile struct {
	// Subject attributes that annotate the CA certificate. The json tags
	// allow a profile to be loaded from JSON.
	Organization string `json:"org"`
	Country      string `json:"country"`
	Province     string `json:"province"`
	Local        string `json:"local"`
	Address      string `json:"address"`
	Postal       string `json:"postal"`
	CommonName   string `json:"common_name"`

	// ParentCA sets the certificate parent to be used in the
	// creation of certificate authority, this makes the generated
	// certificate a sub CA under the parent if provided.
	ParentCA *x509.Certificate

	// ParentKey sets the private key belonging to ParentCA; presumably it
	// is the key the sub CA is signed with when ParentCA is provided —
	// confirm against CreateCertificateAuthority.
	ParentKey crypto.PrivateKey

	// PrivateKey is an optional pre-generated private key to be used
	// instead of generating one for the profile.
	// If this is present the PrivateKeyType, ECCurve and RSAKeyStrength
	// will be ignored.
	PrivateKey crypto.PrivateKey

	// PrivateKeyType defines the kind of private key to generate for the
	// CA when PrivateKey is not set. See the PrivateKeyType constants.
	PrivateKeyType PrivateKeyType

	// ECCurve defines the curve to use for a ECDSA key type.
	ECCurve elliptic.Curve

	// RSAKeyStrength defines the strength of a generated RSA key;
	// presumably passed to CreateRSAKey as its strength argument.
	RSAKeyStrength int

	// Version field of certificate request.
	// The version number is to be based on the tls version constants.
	Version int

	// LifeTime of certificate authority. The page does not say how a zero
	// or negative value is handled — confirm before relying on it.
	LifeTime time.Duration

	// KeyUsages lists the extended key usages for the CA certificate.
	KeyUsages []x509.ExtKeyUsage
	// Emails and IPs: presumably subject alternative names, with IPs
	// parsed from their string form — confirm against the constructor.
	Emails    []string
	IPs       []string

	// General list of DNSNames for certificate.
	DNSNames []string
}

CertificateAuthorityProfile holds authority profile data which are used to annotate a CA.

type CertificateRequest

// CertificateRequest is a generated certificate request together with the
// key pair it was made for. It is produced by CreateCertificateRequest;
// once a CA has signed the request, ValidateAndAccept stores the issued
// certificate and the root CA in SecondaryCA. PrivateKey is exposed via
// PrivateKeyRaw and TLSCert, so treat the value as secret material.
type CertificateRequest struct {
	// KeyType describes PrivateKey; presumably the PrivateKeyType of the
	// generated or supplied key (see GetPrivateKeyType).
	KeyType     PrivateKeyType
	// PrivateKey is the request's private key (see PrivateKeyRaw).
	PrivateKey  crypto.PrivateKey
	// PublicKey is the public half of the key pair.
	PublicKey   crypto.PublicKey
	// Request is the certificate request template (see RequestRaw).
	Request     *x509.CertificateRequest
	// SecondaryCA holds the signed certificate and its root CA once
	// ValidateAndAccept has accepted a response.
	SecondaryCA SecondaryCertificateAuthority
}

CertificateRequest defines a struct which contains a generated certificate request template with associated private and public keys.

func CreateCertificateRequest

func CreateCertificateRequest(cas CertificateRequestProfile) (CertificateRequest, error)

CreateCertificateRequest returns a new CertificateRequest, which implements the necessary interface to write the generated certificate request data into memory or into a given store.

func (*CertificateRequest) IsValid

func (ca *CertificateRequest) IsValid(keyUsage []x509.ExtKeyUsage) error

IsValid validates that the Certificate is still valid against the rootCA in accordance with the given usage.

func (CertificateRequest) PrivateKeyRaw

func (ca CertificateRequest) PrivateKeyRaw() ([]byte, error)

PrivateKeyRaw returns the raw version of the certificate's private key.

func (CertificateRequest) RequestRaw

func (ca CertificateRequest) RequestRaw() ([]byte, error)

RequestRaw returns the raw bytes that make up the request.

func (*CertificateRequest) TLSCert

func (ca *CertificateRequest) TLSCert() (tls.Certificate, error)

TLSCert returns a new tls.Certificate made from the certificate and private key of the CertificateRequest.

func (*CertificateRequest) TLSCertPool

func (ca *CertificateRequest) TLSCertPool() (*x509.CertPool, error)

TLSCertPool returns a new CertPool containing the root CA, which a client net.Conn or tls connection can use to validate that the certificate for the request is valid.

func (*CertificateRequest) TLSClientConfig

func (ca *CertificateRequest) TLSClientConfig() (*tls.Config, error)

TLSClientConfig returns a tls.Config which contains the certificate for the CertificateRequest and has its tls.Config.ClientCAs pool set to the root certificate. WARNING: Use this for client connections wishing to use tls certificates. It is a helper method. Note that tls.Config.ClientCAs is consulted only by a server verifying client certificates; a client verifies the server against tls.Config.RootCAs, so check which pool the returned config populates before relying on it for server verification.

func (*CertificateRequest) TLSConfigWithClientCA

func (ca *CertificateRequest) TLSConfigWithClientCA(clientCAPool *x509.CertPool, verifyClient bool) (*tls.Config, error)

TLSConfigWithClientCA returns a tls.Config which receives the tls.Certificate from TLSCert() and uses it for tls authentication and encryption. It uses the provided CertPool as the ClientCAs of the returned tls.Config. Use this to generate a tls.Config for the client connecting to a tls server that requires client certificates. Warning: This sets tls.Config.ClientCAs, which is consulted only on the server side when verifying client certificates; it does not affect how a client verifies the server.

func (*CertificateRequest) TLSConfigWithRootCA

func (ca *CertificateRequest) TLSConfigWithRootCA(rootCAPool *x509.CertPool, verifyClient bool) (*tls.Config, error)

TLSConfigWithRootCA returns a tls.Config which receives the tls.Certificate from TLSCert() and uses it for tls authentication and encryption. It uses the provided CertPool as the RootCAs of the returned tls.Config. Use this to generate a tls.Config for the server receiving client connections to ensure client certificates are verified. Warning: This sets tls.Config.RootCAs, which a client uses to verify the server's certificate; a server verifies client certificates against tls.Config.ClientCAs instead.

func (*CertificateRequest) TLSServerConfig

func (ca *CertificateRequest) TLSServerConfig(verifyClient bool) (*tls.Config, error)

TLSServerConfig returns a tls.Config which contains the certificate for the CertificateRequest and has its tls.Config.ClientCAs pool set to the root certificate. WARNING: Use this for server connections wishing to use tls certificates. It is a helper method.

func (*CertificateRequest) ValidateAndAccept

func (ca *CertificateRequest) ValidateAndAccept(sec SecondaryCertificateAuthority, keyUsage []x509.ExtKeyUsage) error

ValidateAndAccept takes the provided request response and rootCA, validating that the certificate comes from the rootCA before setting the certificate as the Certificate and the rootCA as its RootCA. You must take care to ensure the incoming values match the certificate request data. It uses Sha256.

type CertificateRequestProfile

// CertificateRequestProfile holds the data used by CreateCertificateRequest
// to build a certificate request and its key pair: subject attributes, the
// key to use or generate, and the names the request asks for.
type CertificateRequestProfile struct {
	// Subject attributes for the request. The json tags allow a profile
	// to be loaded from JSON.
	Organization string `json:"org"`
	Country      string `json:"country"`
	Province     string `json:"province"`
	Local        string `json:"local"`
	Address      string `json:"address"`
	Postal       string `json:"postal"`
	CommonName   string `json:"common_name"`

	// PrivateKey is an optional pre-generated private key to be used
	// instead of generating one for the request profile.
	// If this is present the PrivateKeyType, ECCurve and RSAKeyStrength
	// will be ignored.
	PrivateKey crypto.PrivateKey

	// PrivateKeyType defines the kind of private key to generate when
	// PrivateKey is not set. See the PrivateKeyType constants.
	PrivateKeyType PrivateKeyType

	// ECCurve defines the curve to use for a ECDSA key type.
	ECCurve elliptic.Curve

	// RSAKeyStrength defines the strength of a generated RSA key;
	// presumably passed to CreateRSAKey as its strength argument.
	RSAKeyStrength int

	// ExtKeyUsage lists the extended key usages requested. Note that the
	// CA's Approve* methods document which usages they actually grant.
	ExtKeyUsage []x509.ExtKeyUsage

	// Version field of certificate request.
	// The version number is to be based on the tls version constants.
	Version int

	// Emails and ip address allowed.
	Emails []string
	IPs    []string

	// General list of DNSNames for certificate.
	DNSNames []string

	// DNSNames to be excluded; presumably expressed as name constraints
	// (see ErrExcludedDNSName) — confirm against the constructor.
	ExDNSNames []string

	// DNSNames to be permitted; presumably the permitted counterpart of
	// ExDNSNames — confirm against the constructor.
	PermDNSNames []string
}

CertificateRequestProfile describes a certificate request with associated private key and public key, which can be sent over the wire or directly to a CertificateAuthority for signing.

type PrivateKeyType

// PrivateKeyType identifies the kind of private key a profile generates or
// that DecodePrivateKey found. See the constants below; String and
// ToPrivateKeyType convert to and from the textual form.
type PrivateKeyType int

PrivateKeyType defines the type of supported private key types.

// Supported private key types. UnknownType is the zero value; only RSA and
// ECDSA keys are supported (see ErrUnknownPrivateKeyType).
const (
	UnknownType PrivateKeyType = iota // zero value, not a usable key type
	RSAKeyType                        // *rsa.PrivateKey
	ECDSAKeyType                      // *ecdsa.PrivateKey
)

private key type constants.

func DecodePrivateKey

func DecodePrivateKey(d []byte) (PrivateKeyType, crypto.PrivateKey, error)

DecodePrivateKey decodes a pem-encoded private key from d, returning its PrivateKeyType, the key, and any error it encountered. The key is expected to be encoded as a pem.Block; any extra data found after the block is discarded.

func GetPrivateKeyType

func GetPrivateKeyType(privateKey crypto.PrivateKey) PrivateKeyType

GetPrivateKeyType returns the PrivateKeyType type which represents the provided crypto key.

func ToPrivateKeyType

func ToPrivateKeyType(m string) PrivateKeyType

ToPrivateKeyType returns the PrivateKeyType for the given string. See PrivateKeyType.String for the string names.

func (PrivateKeyType) String

func (pk PrivateKeyType) String() string

String returns the lower-case string representation of private key type.

type SecondaryCertificateAuthority

// SecondaryCertificateAuthority pairs a certificate that is not itself a CA
// with the root CA that signed it. CertificateRequest.ValidateAndAccept
// fills one in once a signed response has been validated.
type SecondaryCertificateAuthority struct {
	// RootCA is the issuing root CA certificate (see RootCertificateRaw).
	RootCA      *x509.Certificate
	// Certificate is the signed end certificate (see CertificateRaw).
	Certificate *x509.Certificate
}

SecondaryCertificateAuthority holds a certificate which is not itself a CA, together with the root CA that signed it.

func (SecondaryCertificateAuthority) CertificateRaw

func (sca SecondaryCertificateAuthority) CertificateRaw() ([]byte, error)

CertificateRaw returns the raw version of the certificate.

func (SecondaryCertificateAuthority) RootCertificateRaw

func (sca SecondaryCertificateAuthority) RootCertificateRaw() ([]byte, error)

RootCertificateRaw returns the raw version of the root CA certificate.
