- Variables
- func CertToPEM(cert *x509.Certificate) []byte
- func CertsToKeys(certs []*x509.Certificate) map[string]data.PublicKey
- func CreateDirectory(dir string) error
- func CreatePrivateDirectory(dir string) error
- func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error)
- func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error)
- func EncryptPrivateKey(key data.PrivateKey, passphrase string) ([]byte, error)
- func FingerprintCert(cert *x509.Certificate) (string, error)
- func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error)
- func GenerateED25519Key(random io.Reader) (data.PrivateKey, error)
- func GenerateRSAKey(random io.Reader, bits int) (data.PrivateKey, error)
- func GetCertFromURL(urlStr string) (*x509.Certificate, error)
- func GetIntermediateCerts(certs []*x509.Certificate) (intCerts []*x509.Certificate)
- func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate
- func KeyToPEM(privKey data.PrivateKey) ([]byte, error)
- func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error)
- func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
- func LoadCertFromFile(filename string) (*x509.Certificate, error)
- func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error)
- func NewCertificate(gun string) (*x509.Certificate, error)
- func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error)
- func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error)
- func Verify(s X509Store, dnsName string, certList []*x509.Certificate) error
- type CertID
- type ErrAttemptsExceeded
- type ErrBadCertificateStore
- type ErrCertExists
- type ErrCertValidation
- type ErrKeyNotFound
- type ErrNoCertificatesFound
- type ErrPasswordInvalid
- type FileStore
- type KeyFileStore
- type KeyMemoryStore
- type KeyStore
- type LimitedFileStore
- type MemoryFileStore
- type SimpleFileStore
- func (f *SimpleFileStore) Add(name string, data []byte) error
- func (f *SimpleFileStore) BaseDir() string
- func (f *SimpleFileStore) Get(name string) ([]byte, error)
- func (f *SimpleFileStore) GetPath(name string) (string, error)
- func (f *SimpleFileStore) Link(oldname, newname string) error
- func (f *SimpleFileStore) ListDir(name string, symlinks bool) []string
- func (f *SimpleFileStore) ListFiles(symlinks bool) []string
- func (f *SimpleFileStore) Remove(name string) error
- func (f *SimpleFileStore) RemoveDir(name string) error
- type Validator
- type ValidatorFunc
- type X509FileStore
- func (s *X509FileStore) AddCert(cert *x509.Certificate) error
- func (s *X509FileStore) AddCertFromFile(filename string) error
- func (s X509FileStore) AddCertFromPEM(pemBytes []byte) error
- func (s *X509FileStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)
- func (s *X509FileStore) GetCertificatePool() *x509.CertPool
- func (s *X509FileStore) GetCertificates() []*x509.Certificate
- func (s *X509FileStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)
- func (s *X509FileStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)
- func (s *X509FileStore) RemoveAll() error
- func (s *X509FileStore) RemoveCert(cert *x509.Certificate) error
- type X509MemStore
- func (s *X509MemStore) AddCert(cert *x509.Certificate) error
- func (s *X509MemStore) AddCertFromFile(originFilname string) error
- func (s *X509MemStore) AddCertFromPEM(pemBytes []byte) error
- func (s *X509MemStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)
- func (s *X509MemStore) GetCertificatePool() *x509.CertPool
- func (s *X509MemStore) GetCertificates() []*x509.Certificate
- func (s *X509MemStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)
- func (s *X509MemStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)
- func (s *X509MemStore) RemoveAll() error
- func (s *X509MemStore) RemoveCert(cert *x509.Certificate) error
- type X509Store
Variables ¶
var ErrMemFileNotFound = errors.New("key not found in memory file store")
ErrMemFileNotFound is returned for a nonexistent "file" in the memory file store
var (
	// ErrPathOutsideStore indicates that the returned path would be
	// outside the store
	ErrPathOutsideStore = errors.New("path outside file store")
)
Functions ¶
func CertToPEM ¶
func CertToPEM(cert *x509.Certificate) []byte
CertToPEM is a utility function that returns a PEM-encoded x509 Certificate
func CertsToKeys ¶
func CertsToKeys(certs []*x509.Certificate) map[string]data.PublicKey
CertsToKeys transforms each of the input certificates into its corresponding PublicKey
func CreateDirectory ¶
CreateDirectory uses createDirectory to create a chmod 755 Directory
func CreatePrivateDirectory ¶
CreatePrivateDirectory uses createDirectory to create a chmod 700 Directory
func ECDSAToPrivateKey ¶
func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error)
ECDSAToPrivateKey converts an ecdsa.PrivateKey to a TUF data.PrivateKey type
func ED25519ToPrivateKey ¶
func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error)
ED25519ToPrivateKey converts a serialized ED25519 key to a TUF data.PrivateKey type
func EncryptPrivateKey ¶
func EncryptPrivateKey(key data.PrivateKey, passphrase string) ([]byte, error)
EncryptPrivateKey returns an encrypted PEM key given a PrivateKey and a passphrase
func FingerprintCert ¶
func FingerprintCert(cert *x509.Certificate) (string, error)
FingerprintCert returns a TUF compliant fingerprint for a X509 Certificate
func GenerateECDSAKey ¶
func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error)
GenerateECDSAKey generates an ECDSA Private key and returns a TUF PrivateKey
func GenerateED25519Key ¶
func GenerateED25519Key(random io.Reader) (data.PrivateKey, error)
GenerateED25519Key generates an ED25519 private key and returns a TUF PrivateKey. The serialization format we use is just the public key bytes followed by the private key bytes
func GenerateRSAKey ¶
GenerateRSAKey generates an RSA private key and returns a TUF PrivateKey
func GetCertFromURL ¶
func GetCertFromURL(urlStr string) (*x509.Certificate, error)
GetCertFromURL tries to get an X509 certificate given an HTTPS URL
func GetIntermediateCerts ¶
func GetIntermediateCerts(certs []*x509.Certificate) (intCerts []*x509.Certificate)
GetIntermediateCerts parses a list of x509 Certificates and returns all of the ones marked as a CA, to be used as intermediates
func GetLeafCerts ¶
func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate
GetLeafCerts parses a list of x509 Certificates and returns all of them that aren't CA
func KeyToPEM ¶
func KeyToPEM(privKey data.PrivateKey) ([]byte, error)
KeyToPEM returns a PEM encoded key from a Private Key
func LoadCertBundleFromFile ¶
func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error)
LoadCertBundleFromFile loads certificates from the file named by filename. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE"
func LoadCertBundleFromPEM ¶
func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
LoadCertBundleFromPEM loads certificates from the []byte provided. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE"
func LoadCertFromFile ¶
func LoadCertFromFile(filename string) (*x509.Certificate, error)
LoadCertFromFile loads the first certificate from the file provided. The data is expected to be PEM encoded and to contain one or more certificates with PEM type "CERTIFICATE"
func LoadCertFromPEM ¶
func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error)
LoadCertFromPEM returns the first certificate found in a bunch of bytes or error if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85.
func NewCertificate ¶
func NewCertificate(gun string) (*x509.Certificate, error)
NewCertificate returns an X509 Certificate following a template, given a GUN.
func ParsePEMPrivateKey ¶
func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error)
ParsePEMPrivateKey returns a data.PrivateKey from a PEM encoded private key. It only supports RSA (PKCS#1) and attempts to decrypt using the passphrase, if encrypted.
func RSAToPrivateKey ¶
func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error)
RSAToPrivateKey converts an rsa.PrivateKey to a TUF data.PrivateKey type
func Verify ¶
func Verify(s X509Store, dnsName string, certList []*x509.Certificate) error
Verify operates on an X509Store and validates the existence of a chain of trust between a leaf certificate and a CA present inside of the X509Store. It requires at least two certificates in certList: a leaf certificate and an intermediate CA certificate.
Types ¶
type ErrAttemptsExceeded ¶
type ErrAttemptsExceeded struct{}
ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key
func (ErrAttemptsExceeded) Error ¶
func (err ErrAttemptsExceeded) Error() string
ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key
type ErrBadCertificateStore ¶
type ErrBadCertificateStore struct { }
ErrBadCertificateStore is returned when there is an internal inconsistency in our x509 store
func (ErrBadCertificateStore) Error ¶
func (err ErrBadCertificateStore) Error() string
ErrBadCertificateStore is returned when there is an internal inconsistency in our x509 store
type ErrCertExists ¶
type ErrCertExists struct { }
ErrCertExists is returned when a Certificate already exists in the key store
func (ErrCertExists) Error ¶
func (err ErrCertExists) Error() string
ErrCertExists is returned when a Certificate already exists in the key store
type ErrCertValidation ¶
type ErrCertValidation struct { }
ErrCertValidation is returned when a certificate doesn't pass the store specific validations
func (ErrCertValidation) Error ¶
func (err ErrCertValidation) Error() string
ErrCertValidation is returned when a certificate doesn't pass the store specific validations
type ErrKeyNotFound ¶
type ErrKeyNotFound struct {
KeyID string
}
ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.
func (ErrKeyNotFound) Error ¶
func (err ErrKeyNotFound) Error() string
ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.
type ErrNoCertificatesFound ¶
type ErrNoCertificatesFound struct {
// contains filtered or unexported fields
}
ErrNoCertificatesFound is returned when no certificates are found for a GetCertificatesBy*
func (ErrNoCertificatesFound) Error ¶
func (err ErrNoCertificatesFound) Error() string
ErrNoCertificatesFound is returned when no certificates are found for a GetCertificatesBy*
type ErrPasswordInvalid ¶
type ErrPasswordInvalid struct{}
ErrPasswordInvalid is returned when signing fails. It could also mean the signing key file was corrupted, but we have no way to distinguish.
func (ErrPasswordInvalid) Error ¶
func (err ErrPasswordInvalid) Error() string
ErrPasswordInvalid is returned when signing fails. It could also mean the signing key file was corrupted, but we have no way to distinguish.
type FileStore ¶
type FileStore interface {
	LimitedFileStore
	RemoveDir(directoryName string) error
	GetPath(fileName string) (string, error)
	ListDir(directoryName string, symlinks bool) []string
	Link(src, dst string) error
	BaseDir() string
}
FileStore is the interface for full-featured FileStores
type KeyFileStore ¶
type KeyFileStore struct {
	sync.Mutex
	SimpleFileStore
	passphrase.Retriever
	// contains filtered or unexported fields
}
KeyFileStore persists and manages private keys on disk
func NewKeyFileStore ¶
func NewKeyFileStore(baseDir string, passphraseRetriever passphrase.Retriever) (*KeyFileStore, error)
NewKeyFileStore returns a new KeyFileStore creating a private directory to hold the keys.
func (*KeyFileStore) AddKey ¶
func (s *KeyFileStore) AddKey(name, alias string, privKey data.PrivateKey) error
AddKey stores the contents of a PEM-encoded private key as a PEM block
func (*KeyFileStore) GetKey ¶
func (s *KeyFileStore) GetKey(name string) (data.PrivateKey, string, error)
GetKey returns the PrivateKey given a KeyID
func (*KeyFileStore) ListKeys ¶
func (s *KeyFileStore) ListKeys() map[string]string
ListKeys returns a list of unique PublicKeys present on the KeyFileStore. There might be symlinks associating Certificate IDs to Public Keys, so this method only returns the IDs that aren't symlinks
func (*KeyFileStore) RemoveKey ¶
func (s *KeyFileStore) RemoveKey(name string) error
RemoveKey removes the key from the keyfilestore
type KeyMemoryStore ¶
type KeyMemoryStore struct {
	sync.Mutex
	MemoryFileStore
	passphrase.Retriever
	// contains filtered or unexported fields
}
KeyMemoryStore manages private keys in memory
func NewKeyMemoryStore ¶
func NewKeyMemoryStore(passphraseRetriever passphrase.Retriever) *KeyMemoryStore
NewKeyMemoryStore returns a new KeyMemoryStore which holds keys in memory
func (*KeyMemoryStore) AddKey ¶
func (s *KeyMemoryStore) AddKey(name, alias string, privKey data.PrivateKey) error
AddKey stores the contents of a PEM-encoded private key as a PEM block
func (*KeyMemoryStore) GetKey ¶
func (s *KeyMemoryStore) GetKey(name string) (data.PrivateKey, string, error)
GetKey returns the PrivateKey given a KeyID
func (*KeyMemoryStore) ListKeys ¶
func (s *KeyMemoryStore) ListKeys() map[string]string
ListKeys returns a list of unique PublicKeys present on the KeyMemoryStore. There might be symlinks associating Certificate IDs to Public Keys, so this method only returns the IDs that aren't symlinks
func (*KeyMemoryStore) RemoveKey ¶
func (s *KeyMemoryStore) RemoveKey(name string) error
RemoveKey removes the key from the keystore
type KeyStore ¶
type KeyStore interface {
	AddKey(name, alias string, privKey data.PrivateKey) error
	GetKey(name string) (data.PrivateKey, string, error)
	ListKeys() map[string]string
	RemoveKey(name string) error
}
KeyStore is a generic interface for private key storage
type LimitedFileStore ¶
type LimitedFileStore interface {
	Add(fileName string, data []byte) error
	Remove(fileName string) error
	Get(fileName string) ([]byte, error)
	ListFiles(symlinks bool) []string
}
LimitedFileStore implements the bare bones primitives (no symlinks or hierarchy)
type MemoryFileStore ¶
MemoryFileStore is an implementation of LimitedFileStore that keeps the contents in memory.
func NewMemoryFileStore ¶
func NewMemoryFileStore() *MemoryFileStore
NewMemoryFileStore creates a MemoryFileStore
func (*MemoryFileStore) Add ¶
func (f *MemoryFileStore) Add(name string, data []byte) error
Add writes data to a file with a given name
func (*MemoryFileStore) Get ¶
func (f *MemoryFileStore) Get(name string) ([]byte, error)
Get returns the data given a file name
func (*MemoryFileStore) ListFiles ¶
func (f *MemoryFileStore) ListFiles(symlinks bool) []string
ListFiles lists all the files inside of a store
func (*MemoryFileStore) Remove ¶
func (f *MemoryFileStore) Remove(name string) error
Remove removes a file identified by name
type SimpleFileStore ¶
type SimpleFileStore struct {
// contains filtered or unexported fields
}
SimpleFileStore implements FileStore
func NewPrivateSimpleFileStore ¶
func NewPrivateSimpleFileStore(baseDir string, fileExt string) (*SimpleFileStore, error)
NewPrivateSimpleFileStore creates a directory with 700 permissions
func NewSimpleFileStore ¶
func NewSimpleFileStore(baseDir string, fileExt string) (*SimpleFileStore, error)
NewSimpleFileStore creates a directory with 755 permissions
func (*SimpleFileStore) Add ¶
func (f *SimpleFileStore) Add(name string, data []byte) error
Add writes data to a file with a given name
func (*SimpleFileStore) BaseDir ¶
func (f *SimpleFileStore) BaseDir() string
BaseDir returns the base directory of the filestore
func (*SimpleFileStore) Get ¶
func (f *SimpleFileStore) Get(name string) ([]byte, error)
Get returns the data given a file name
func (*SimpleFileStore) GetPath ¶
func (f *SimpleFileStore) GetPath(name string) (string, error)
GetPath returns the full final path of a file with a given name
func (*SimpleFileStore) Link ¶
func (f *SimpleFileStore) Link(oldname, newname string) error
Link creates a symlink between the ID of the certificate used by a repository and the ID of the root key that is being used. The source is given as a full path and the destination as a local name, so that the symlink uses a relative path
func (*SimpleFileStore) ListDir ¶
func (f *SimpleFileStore) ListDir(name string, symlinks bool) []string
ListDir lists all the files inside of a directory identified by a name
func (*SimpleFileStore) ListFiles ¶
func (f *SimpleFileStore) ListFiles(symlinks bool) []string
ListFiles lists all the files inside of a store
func (*SimpleFileStore) Remove ¶
func (f *SimpleFileStore) Remove(name string) error
Remove removes a file identified by name
func (*SimpleFileStore) RemoveDir ¶
func (f *SimpleFileStore) RemoveDir(name string) error
RemoveDir removes the directory identified by name
type Validator ¶
type Validator interface {
Validate(cert *x509.Certificate) bool
}
Validator is a convenience interface for a validating function that filters the certificates that get added to the store
type ValidatorFunc ¶
type ValidatorFunc func(cert *x509.Certificate) bool
ValidatorFunc is a convenience type to create functions that implement the Validator interface
func (ValidatorFunc) Validate ¶
func (vf ValidatorFunc) Validate(cert *x509.Certificate) bool
Validate implements the Validator interface so that any func(*x509.Certificate) bool can be passed as a Validator
type X509FileStore ¶
type X509FileStore struct {
// contains filtered or unexported fields
}
X509FileStore implements X509Store that persists on disk
func NewX509FileStore ¶
func NewX509FileStore(directory string) (*X509FileStore, error)
NewX509FileStore returns a new X509FileStore.
func NewX509FilteredFileStore ¶
func NewX509FilteredFileStore(directory string, validate func(*x509.Certificate) bool) (*X509FileStore, error)
NewX509FilteredFileStore returns a new X509FileStore that validates certificates that are added.
func (*X509FileStore) AddCert ¶
func (s *X509FileStore) AddCert(cert *x509.Certificate) error
AddCert creates a filename for a given cert and adds a certificate with that name
func (*X509FileStore) AddCertFromFile ¶
func (s *X509FileStore) AddCertFromFile(filename string) error
AddCertFromFile tries to add an X509 certificate to the store given a filename
func (X509FileStore) AddCertFromPEM ¶
func (s X509FileStore) AddCertFromPEM(pemBytes []byte) error
AddCertFromPEM adds the first certificate that it finds in the []byte, returning an error if no Certificates are found
func (*X509FileStore) GetCertificateByCertID ¶
func (s *X509FileStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)
GetCertificateByCertID returns the certificate that matches a certain certID
func (*X509FileStore) GetCertificatePool ¶
func (s *X509FileStore) GetCertificatePool() *x509.CertPool
GetCertificatePool returns an x509 CertPool loaded with all the certificates in the store.
func (*X509FileStore) GetCertificates ¶
func (s *X509FileStore) GetCertificates() []*x509.Certificate
GetCertificates returns an array with all of the current X509 Certificates.
func (*X509FileStore) GetCertificatesByCN ¶
func (s *X509FileStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)
GetCertificatesByCN returns all the certificates that match a specific CommonName
func (*X509FileStore) GetVerifyOptions ¶
func (s *X509FileStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)
GetVerifyOptions returns VerifyOptions with the certificates within the KeyStore as part of the roots list. This never allows the use of system roots, returning an error if there are no root CAs.
func (*X509FileStore) RemoveAll ¶
func (s *X509FileStore) RemoveAll() error
RemoveAll removes all the certificates from the store
func (*X509FileStore) RemoveCert ¶
func (s *X509FileStore) RemoveCert(cert *x509.Certificate) error
RemoveCert removes a certificate from a X509FileStore.
type X509MemStore ¶
type X509MemStore struct {
// contains filtered or unexported fields
}
X509MemStore implements X509Store as an in-memory object with no persistence
func NewX509FilteredMemStore ¶
func NewX509FilteredMemStore(validate func(*x509.Certificate) bool) *X509MemStore
NewX509FilteredMemStore returns a new X509MemStore that validates certificates that are added.
func NewX509MemStore ¶
func NewX509MemStore() *X509MemStore
NewX509MemStore returns a new X509MemStore.
func (*X509MemStore) AddCert ¶
func (s *X509MemStore) AddCert(cert *x509.Certificate) error
AddCert adds a certificate to the store
func (*X509MemStore) AddCertFromFile ¶
func (s *X509MemStore) AddCertFromFile(originFilname string) error
AddCertFromFile tries to add an X509 certificate to the store given a filename
func (*X509MemStore) AddCertFromPEM ¶
func (s *X509MemStore) AddCertFromPEM(pemBytes []byte) error
AddCertFromPEM adds a certificate to the store from a PEM blob
func (*X509MemStore) GetCertificateByCertID ¶
func (s *X509MemStore) GetCertificateByCertID(certID string) (*x509.Certificate, error)
GetCertificateByCertID returns the certificate that matches a certain certID
func (*X509MemStore) GetCertificatePool ¶
func (s *X509MemStore) GetCertificatePool() *x509.CertPool
GetCertificatePool returns an x509 CertPool loaded with all the certificates in the store.
func (*X509MemStore) GetCertificates ¶
func (s *X509MemStore) GetCertificates() []*x509.Certificate
GetCertificates returns an array with all of the current X509 Certificates.
func (*X509MemStore) GetCertificatesByCN ¶
func (s *X509MemStore) GetCertificatesByCN(cn string) ([]*x509.Certificate, error)
GetCertificatesByCN returns all the certificates that match a specific CommonName
func (*X509MemStore) GetVerifyOptions ¶
func (s *X509MemStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)
GetVerifyOptions returns VerifyOptions with the certificates within the KeyStore as part of the roots list. This never allows the use of system roots, returning an error if there are no root CAs.
func (*X509MemStore) RemoveAll ¶
func (s *X509MemStore) RemoveAll() error
RemoveAll removes all the certificates from the store
func (*X509MemStore) RemoveCert ¶
func (s *X509MemStore) RemoveCert(cert *x509.Certificate) error
RemoveCert removes a certificate from a X509MemStore.
type X509Store ¶
type X509Store interface {
	AddCert(cert *x509.Certificate) error
	AddCertFromPEM(pemCerts []byte) error
	AddCertFromFile(filename string) error
	RemoveCert(cert *x509.Certificate) error
	RemoveAll() error
	GetCertificateByCertID(certID string) (*x509.Certificate, error)
	GetCertificatesByCN(cn string) ([]*x509.Certificate, error)
	GetCertificates() []*x509.Certificate
	GetCertificatePool() *x509.CertPool
	GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)
}
X509Store is the interface for all X509Stores