Variables ¶
// Sentinel errors returned by this package. Compare with errors.Is rather
// than by message text, so that the messages can be reworded later.
var (
	// Certificate pool and DNS name constraint errors.
	ErrFailedToAddCertToPool = errors.New("failed to add certificate to x509.CertPool")
	ErrExcludedDNSName       = errors.New("excluded DNSName")

	// Errors reported when the certificate, request or key a method needs
	// is absent from the value it was called on (judging by the messages).
	ErrNoCertificate        = errors.New("has no certificate")
	ErrNoRootCACertificate  = errors.New("has no root CA certificate")
	ErrNoCertificateRequest = errors.New("has no certificate request")
	ErrNoPrivateKey         = errors.New("has no private key")

	// Validation and PEM decoding errors.
	// NOTE: the spelling "Algorithmn" is part of the exported identifier and
	// of the message; correcting it would break callers that match on either.
	ErrWrongSignatureAlgorithmn = errors.New("incorrect signature algorithmn received")
	ErrInvalidPemBlock          = errors.New("pem.Decode found no pem.Block data")
	ErrInvalidPrivateKey        = errors.New("private key is invalid")
	ErrInvalidCABlockType       = errors.New("pem.Block has invalid block header for ca cert")
	ErrInvalidCAKeyBlockType    = errors.New("pem.Block has invalid block header for ca key")

	// Raw byte slice length errors for the *Raw() encodings.
	ErrEmptyCARawSlice         = errors.New("CA Raw slice is empty")
	ErrInvalidRawLength        = errors.New("CA Raw slice length is invalid")
	ErrInvalidRequestRawLength = errors.New("RequestCA Raw slice length is invalid")
	ErrInvalidRootCARawLength  = errors.New("RootCA Raw slice length is invalid")
	ErrInvalidRawCertLength    = errors.New("Cert raw slice length is invalid")
	ErrInvalidRawCertKeyLength = errors.New("Cert Key raw slice length is invalid")

	// Private key type errors; only RSA and ECDSA keys are supported.
	ErrUnknownPrivateKeyType = errors.New("unknown private key type, only rsa and ec supported")
	ErrInvalidRSAKey         = errors.New("type is not a *rsa.PrivateKey")
	ErrInvalidECDSAKey       = errors.New("type is not a *ecdsa.PrivateKey")
)
errors ...
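var (
	// ModernCiphers defines a list of modern TLS 1.2 cipher suites.
	//
	// Only ECDHE key exchange (forward secrecy) combined with an AEAD cipher
	// (AES-GCM or ChaCha20-Poly1305) is offered. Static-RSA key exchange and
	// CBC-mode suites are deliberately absent: they lack forward secrecy and
	// are not what a "modern" profile should negotiate. tls.TLS_FALLBACK_SCSV
	// is also absent because it is a downgrade-protection signal (RFC 7507),
	// not a negotiable cipher suite, and does not belong in a suite list.
	//
	// TLS 1.3 suites are not listed because crypto/tls does not allow them
	// to be configured through tls.Config.CipherSuites.
	ModernCiphers = []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	}
)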
Functions ¶
func CreateCertificateFromRequest ¶
func CreateCertificateFromRequest(caKey crypto.PrivateKey, ca *x509.Certificate, req *x509.CertificateRequest, lifeTime time.Duration, usages []x509.ExtKeyUsage) (*x509.Certificate, error)
CreateCertificateFromRequest creates an x509.Certificate template for req which is signed by ca using caKey.
func CreateECKey ¶
func CreateECKey(curve elliptic.Curve) (privateKey crypto.PrivateKey, publicKey crypto.PublicKey, err error)
CreateECKey returns an ECDSA private and public key pair generated on the given curve, and any error that occurred.
func CreateRSAKey ¶
func CreateRSAKey(strength int) (privateKey crypto.PrivateKey, publicKey crypto.PublicKey, err error)
CreateRSAKey returns an RSA private and public key pair, and any error that may occur. The strength argument sets the RSA key size; for ECDSA keys use CreateECKey, which takes a curve instead.
func DecodeCertificate ¶
func DecodeCertificate(data []byte) (*x509.Certificate, error)
DecodeCertificate parses the certificate from the pem.Block in data and returns it together with any error it encountered. Any extra data following the pem encoded certificate block is discarded.
func DecodeCertificateRequest ¶
func DecodeCertificateRequest(d []byte) (*x509.CertificateRequest, error)
DecodeCertificateRequest parses the certificate request from the pem.Block in d and returns it together with any error it encountered. Any extra data following the pem encoded certificate request block is discarded.
func EncodeCertificate ¶
func EncodeCertificate(ca *x509.Certificate) ([]byte, error)
EncodeCertificate returns the raw (pem-encoded) version of the certificate and any error it encountered. The certificate is encoded into a pem.Block.
func EncodeCertificateRequest ¶
func EncodeCertificateRequest(ca *x509.CertificateRequest) ([]byte, error)
EncodeCertificateRequest returns the raw (pem-encoded) version of the certificate request and any error it encountered. The certificate request is encoded into a pem.Block.
func EncodePrivateKey ¶
func EncodePrivateKey(privateKey crypto.PrivateKey) ([]byte, error)
EncodePrivateKey returns the raw (pem-encoded) version of a private key and any error it encountered. The private key is encoded into a pem.Block.
func GetPublicKey ¶
func GetPublicKey(key crypto.PrivateKey) (crypto.PrivateKey, error)
GetPublicKey returns the public key of the given private key.
func MakeTLSCertificate ¶
func MakeTLSCertificate(cert *x509.Certificate, privateKey crypto.PrivateKey) (tls.Certificate, error)
MakeTLSCertificate returns a tls.Certificate created from the pem-encoded versions of the provided certificate and private key.
Types ¶
type CertificateAuthority ¶
// CertificateAuthority defines a struct which contains a generated certificate
// template with associated private and public keys.
type CertificateAuthority struct {
	// PrivateKey is the CA key used to sign approved requests. PrivateKeyRaw
	// serializes it, so a CertificateAuthority value carries secret material
	// and should not be logged or copied casually.
	PrivateKey crypto.PrivateKey
	// PublicKey is the public key paired with PrivateKey.
	PublicKey crypto.PublicKey
	// Certificate is the CA certificate; CertificateRaw serializes it and
	// TLSCertPool places it in an x509.CertPool.
	Certificate *x509.Certificate
}
CertificateAuthority defines a struct which contains a generated certificate template with associated private and public keys.
func CreateCertificateAuthority ¶
func CreateCertificateAuthority(cas CertificateAuthorityProfile) (CertificateAuthority, error)
CreateCertificateAuthority returns a new instance of Certificate Authority which implements the necessary interface to write the given certificate data into memory or into a given store.
func (CertificateAuthority) ApproveClientCertificateSigningRequest ¶
func (ca CertificateAuthority) ApproveClientCertificateSigningRequest(req *CertificateRequest, lifeTime time.Duration) error
ApproveClientCertificateSigningRequest processes the provided CertificateRequest, producing a new certificate which has been signed by this root CA. All certificates signed by this method receive ExtKeyUsageClientAuth alone.
func (CertificateAuthority) ApproveServerCertificateSigningRequest ¶
func (ca CertificateAuthority) ApproveServerCertificateSigningRequest(req *CertificateRequest, lifeTime time.Duration) error
ApproveServerCertificateSigningRequest processes the provided CertificateRequest, producing a new certificate which has been signed by this root CA. All certificates signed by this method receive ExtKeyUsageServerAuth alone.
func (CertificateAuthority) ApproveServerClientCertificateSigningRequest ¶
func (ca CertificateAuthority) ApproveServerClientCertificateSigningRequest(req *CertificateRequest, lifeTime time.Duration) error
ApproveServerClientCertificateSigningRequest processes the provided CertificateRequest, producing a new certificate which has been signed by this root CA. All certificates signed by this method receive both ExtKeyUsageServerAuth and ExtKeyUsageClientAuth.
func (CertificateAuthority) CertificateRaw ¶
func (ca CertificateAuthority) CertificateRaw() ([]byte, error)
CertificateRaw returns the raw version of the certificate.
func (CertificateAuthority) PrivateKeyRaw ¶
func (ca CertificateAuthority) PrivateKeyRaw() ([]byte, error)
PrivateKeyRaw returns the raw version of the certificate's private key.
func (*CertificateAuthority) TLSCert ¶
func (ca *CertificateAuthority) TLSCert() (tls.Certificate, error)
TLSCert returns a new tls.Certificate made from the certificate and private key of the CA.
func (*CertificateAuthority) TLSCertPool ¶
func (ca *CertificateAuthority) TLSCertPool() (*x509.CertPool, error)
TLSCertPool returns a new CertPool which contains the CA certificate. It can be used on a client net.Conn or tls connection to validate, according to the certificate's usage, that the certificate presented by a server was issued by this CA.
func (CertificateAuthority) VerifyCA ¶
func (ca CertificateAuthority) VerifyCA(cas *x509.Certificate, keyUsage []x509.ExtKeyUsage) error
VerifyCA validates that the provided certificate is still valid under the CertificateAuthority's CA in accordance with the given key usage slice.
type CertificateAuthorityProfile ¶
// CertificateAuthorityProfile holds authority profile data which are used to
// annotate a CA.
type CertificateAuthorityProfile struct {
	// Name fields for the CA certificate; the json tags name them for
	// encoding/json (presumably these populate the certificate Subject — confirm).
	Organization string `json:"org"`
	Country      string `json:"country"`
	Province     string `json:"province"`
	Local        string `json:"local"`
	Address      string `json:"address"`
	Postal       string `json:"postal"`
	CommonName   string `json:"common_name"`

	// ParentCA sets the certificate parent to be used in the
	// creation of certificate authority, this makes the generated
	// certificate a sub CA under the parent if provided.
	ParentCA *x509.Certificate

	// ParentKey sets the parent CA certificate key which
	// (original comment ends here) presumably signs the generated sub CA
	// when ParentCA is set — TODO confirm against CreateCertificateAuthority.
	ParentKey crypto.PrivateKey

	// PrivateKey is an optional pre-generated private key to be used
	// instead of generating one for the profile. It is used as supplied,
	// so its strength is the caller's responsibility.
	// If this is present the PrivateKeyType, ECCurve and RSAKeyStrength
	// will be ignored.
	PrivateKey crypto.PrivateKey

	// PrivateKeyType defines the expected private key to
	// be used to create the ca key. See private key type
	// constants.
	PrivateKeyType PrivateKeyType

	// ECCurve defines the curve to use for a ECDSA key type.
	ECCurve elliptic.Curve

	// RSAKeyStrength defines the strength of an RSA key type (presumably the
	// key size passed to CreateRSAKey — confirm).
	RSAKeyStrength int

	// Version field of certificate request.
	// The version number is to be based on the tls version constants.
	Version int

	// LifeTime is the validity period of the certificate authority.
	LifeTime time.Duration

	// KeyUsages lists the extended key usages, presumably applied to the
	// generated CA certificate — confirm.
	KeyUsages []x509.ExtKeyUsage

	// Emails and IPs are the email and IP alternative names for the
	// certificate; IPs are given as strings and are presumably parsed — confirm.
	Emails []string
	IPs    []string

	// General list of DNSNames for certificate.
	DNSNames []string
}
CertificateAuthorityProfile holds authority profile data which are used to annotate a CA.
type CertificateRequest ¶
// CertificateRequest defines a struct which contains a generated certificate
// request template with associated private and public keys.
type CertificateRequest struct {
	// KeyType records which kind of key PrivateKey is (see PrivateKeyType).
	KeyType PrivateKeyType
	// PrivateKey is the requester's private key. PrivateKeyRaw serializes it,
	// so this value carries secret material and should not be logged.
	PrivateKey crypto.PrivateKey
	// PublicKey is the public key paired with PrivateKey.
	PublicKey crypto.PublicKey
	// Request is the x509 certificate signing request; RequestRaw serializes it.
	Request *x509.CertificateRequest
	// SecondaryCA holds the signed certificate and its root CA once the
	// request has been accepted (see ValidateAndAccept).
	SecondaryCA SecondaryCertificateAuthority
}
CertificateRequest defines a struct which contains a generated certificate request template with associated private and public keys.
func CreateCertificateRequest ¶
func CreateCertificateRequest(cas CertificateRequestProfile) (CertificateRequest, error)
CreateCertificateRequest returns a new instance of Certificate Request which implements the necessary interface to write the given certificate data into memory or into a given store.
func (*CertificateRequest) IsValid ¶
func (ca *CertificateRequest) IsValid(keyUsage []x509.ExtKeyUsage) error
IsValid validates that the certificate is still valid against the root CA in accordance with the given key usage slice.
func (CertificateRequest) PrivateKeyRaw ¶
func (ca CertificateRequest) PrivateKeyRaw() ([]byte, error)
PrivateKeyRaw returns the raw version of the certificate's private key.
func (CertificateRequest) RequestRaw ¶
func (ca CertificateRequest) RequestRaw() ([]byte, error)
RequestRaw returns the raw bytes that make up the request.
func (*CertificateRequest) TLSCert ¶
func (ca *CertificateRequest) TLSCert() (tls.Certificate, error)
TLSCert returns a new tls.Certificate made from the certificate and private key of the certificate request.
func (*CertificateRequest) TLSCertPool ¶
func (ca *CertificateRequest) TLSCertPool() (*x509.CertPool, error)
TLSCertPool returns a new CertPool which contains the root CA. It can be used on a client net.Conn or tls connection to validate, according to the certificate's usage, that the certificate for the request is valid.
func (*CertificateRequest) TLSClientConfig ¶
func (ca *CertificateRequest) TLSClientConfig() (*tls.Config, error)
TLSClientConfig returns a tls.Config which contains the certificate for the CertificateRequest and has its tls.Config.ClientCAs pool set to the root certificate. WARNING: Use this for client connections wishing to use tls certificates. It is a helper method.
func (*CertificateRequest) TLSConfigWithClientCA ¶
func (ca *CertificateRequest) TLSConfigWithClientCA(clientCAPool *x509.CertPool, verifyClient bool) (*tls.Config, error)
TLSConfigWithClientCA returns a tls.Config which receives the tls.Certificate from TLSCert() and uses it for tls authentication and encryption. It uses the provided CertPool as the ClientCAs of the returned tls.Config. Use this to generate a tls.Config for a client connecting to a tls server that requires client certificates. Warning: This sets tls.Config.ClientCAs.
func (*CertificateRequest) TLSConfigWithRootCA ¶
func (ca *CertificateRequest) TLSConfigWithRootCA(rootCAPool *x509.CertPool, verifyClient bool) (*tls.Config, error)
TLSConfigWithRootCA returns a tls.Config which receives the tls.Certificate from TLSCert() and uses it for tls authentication and encryption. It uses the provided CertPool as the RootCAs of the returned tls.Config. Use this to generate a tls.Config for a server receiving client connections, to ensure client certificates are verified. Warning: This sets tls.Config.RootCAs.
func (*CertificateRequest) TLSServerConfig ¶
func (ca *CertificateRequest) TLSServerConfig(verifyClient bool) (*tls.Config, error)
TLSServerConfig returns a tls.Config which contains the certificate for the CertificateRequest and has its tls.Config.ClientCAs pool set to the root certificate. WARNING: Use this for server connections wishing to use tls certificates. It is a helper method.
func (*CertificateRequest) ValidateAndAccept ¶
func (ca *CertificateRequest) ValidateAndAccept(sec SecondaryCertificateAuthority, keyUsage []x509.ExtKeyUsage) error
ValidateAndAccept takes the provided signed certificate and root CA, validating that the certificate was issued by the root CA before storing the certificate and setting the root CA as its RootCA. You must take care to ensure that the incoming values match the certificate request data. It uses SHA-256.
type CertificateRequestProfile ¶
// CertificateRequestProfile describes a certificate request with associated
// private key and public key, which can be sent over the wire or directly to
// a CertificateAuthority for signing.
type CertificateRequestProfile struct {
	// Name fields for the requested certificate; the json tags name them for
	// encoding/json (presumably these populate the request Subject — confirm).
	Organization string `json:"org"`
	Country      string `json:"country"`
	Province     string `json:"province"`
	Local        string `json:"local"`
	Address      string `json:"address"`
	Postal       string `json:"postal"`
	CommonName   string `json:"common_name"`

	// PrivateKey is an optional pre-generated private key to be used
	// instead of generating one for the request profile. It is used as
	// supplied, so its strength is the caller's responsibility.
	// If this is present the PrivateKeyType, ECCurve and RSAKeyStrength
	// will be ignored.
	PrivateKey crypto.PrivateKey

	// PrivateKeyType defines the expected private key to
	// be used to create the ca key. See private key type
	// constants.
	PrivateKeyType PrivateKeyType

	// ECCurve defines the curve to use for a ECDSA key type.
	ECCurve elliptic.Curve

	// RSAKeyStrength defines the strength of an RSA key type (presumably the
	// key size passed to CreateRSAKey — confirm).
	RSAKeyStrength int

	// ExtKeyUsage lists the extended key usages requested for the certificate.
	ExtKeyUsage []x509.ExtKeyUsage

	// Version field of certificate request.
	// The version number is to be based on the tls version constants.
	Version int

	// Emails and ip address allowed (as alternative names); IPs are given
	// as strings and are presumably parsed — confirm.
	Emails []string
	IPs    []string

	// General list of DNSNames for certificate.
	DNSNames []string

	// DNSNames to be excluded (name constraints; ErrExcludedDNSName
	// presumably reports a violation — confirm).
	ExDNSNames []string

	// DNSNames to be permitted.
	PermDNSNames []string
}
CertificateRequestProfile generates a certificate request with associated private key and public key, which can be sent over the wire or directly to a CeritificateAuthority for signing.
type PrivateKeyType ¶
// PrivateKeyType enumerates the supported private key types; see the
// UnknownType, RSAKeyType and ECDSAKeyType constants and String.
type PrivateKeyType int
PrivateKeyType enumerates the supported private key types.
// Private key type constants.
const (
	// UnknownType is the zero value and therefore the type of an
	// uninitialised PrivateKeyType; it is not a usable key type.
	UnknownType PrivateKeyType = iota
	// RSAKeyType selects an RSA private key.
	RSAKeyType
	// ECDSAKeyType selects an ECDSA private key.
	ECDSAKeyType
)
private key type constants.
func DecodePrivateKey ¶
func DecodePrivateKey(d []byte) (PrivateKeyType, crypto.PrivateKey, error)
DecodePrivateKey returns the type and the private key decoded from the pem.Block in d, and any error it encountered. Any extra data following the pem encoded private key block is discarded.
func GetPrivateKeyType ¶
func GetPrivateKeyType(privateKey crypto.PrivateKey) PrivateKeyType
GetPrivateKeyType returns the PrivateKeyType type which represents the provided crypto key.
func ToPrivateKeyType ¶
func ToPrivateKeyType(m string) PrivateKeyType
ToPrivateKeyType returns the PrivateKeyType for the given string. See PrivateKeyType.String for the string names.
func (PrivateKeyType) String ¶
func (pk PrivateKeyType) String() string
String returns the lower-case string representation of private key type.
type SecondaryCertificateAuthority ¶
// SecondaryCertificateAuthority defines a certificate which is not itself a
// CA and is signed by a root CA.
type SecondaryCertificateAuthority struct {
	// RootCA is the root CA certificate that signed Certificate;
	// RootCertificateRaw serializes it.
	RootCA *x509.Certificate
	// Certificate is the signed end-entity certificate; CertificateRaw
	// serializes it.
	Certificate *x509.Certificate
}
SecondaryCertificateAuthority defines a certificate which is not itself a CA and is signed by a root CA.
func (SecondaryCertificateAuthority) CertificateRaw ¶
func (sca SecondaryCertificateAuthority) CertificateRaw() ([]byte, error)
CertificateRaw returns the raw version of the certificate.
func (SecondaryCertificateAuthority) RootCertificateRaw ¶
func (sca SecondaryCertificateAuthority) RootCertificateRaw() ([]byte, error)
RootCertificateRaw returns the raw version of the root CA certificate.