Documentation ¶
Overview ¶
Package certutil contains helper functions that are mostly used with the PKI backend but can be generally useful. Functionality includes helpers for converting a certificate/private key bundle between DER and PEM, printing certificate serial numbers, and more.
Functionality specific to the PKI backend includes some types and helper methods to make requesting certificates from the backend easy.
Index ¶
- func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error)
- func GeneratePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyContainer) error
- func GenerateSerialNumber() (*big.Int, error)
- func GetHexFormatted(buf []byte, sep string) string
- func GetSubjKeyID(privateKey crypto.Signer) ([]byte, error)
- func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error)
- func ParseHexFormatted(in, sep string) []byte
- type BlockType
- type CSRBundle
- type CertBlock
- type CertBundle
- type IssueData
- type ParsedCSRBundle
- type ParsedCertBundle
- func (p *ParsedCertBundle) GetCertificatePath() []*CertBlock
- func (p *ParsedCertBundle) GetTLSConfig(usage TLSUsage) (*tls.Config, error)
- func (p *ParsedCertBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType PrivateKeyType, ...)
- func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error)
- func (p *ParsedCertBundle) Verify() error
- type ParsedPrivateKeyContainer
- type PrivateKeyType
- type Secret
- type TLSUsage
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ComparePublicKeys ¶ added in v0.4.0
func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error)
ComparePublicKeys compares two public keys and returns true if they match.
func GeneratePrivateKey ¶ added in v0.4.0
func GeneratePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyContainer) error
GeneratePrivateKey generates a private key with the specified type and key bits
func GenerateSerialNumber ¶ added in v0.4.0
func GenerateSerialNumber() (*big.Int, error)
GenerateSerialNumber generates a random serial number suitable for use in a certificate.
func GetHexFormatted ¶ added in v0.6.2
func GetHexFormatted(buf []byte, sep string) string
GetHexFormatted returns the byte buffer formatted in hex with the specified separator between bytes.
func GetSubjKeyID ¶
func GetSubjKeyID(privateKey crypto.Signer) ([]byte, error)
GetSubjKeyID returns the subject key ID, i.e. the SHA-1 sum of the marshaled public key.
func MarshalPKCS8PrivateKey ¶ added in v0.9.0
func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error)
MarshalPKCS8PrivateKey converts a private key to PKCS#8 encoded form. The following key types are supported: *rsa.PrivateKey, *ecdsa.PrivateKey. Unsupported key types result in an error.
See RFC 5208.
func ParseHexFormatted ¶ added in v0.4.0
func ParseHexFormatted(in, sep string) []byte
ParseHexFormatted returns the raw bytes from a hex string formatted with the given separator between bytes, i.e. the inverse of GetHexFormatted.
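The helpers in this section are easiest to understand by re-implementing them against the standard library. The following is an added example written for this page, not code from the certutil package: it computes an RFC 5280 section 4.2.1.2 method (1) subject key identifier, draws a random serial number, and round-trips the colon-separated hex form used for displaying serials. The names subjKeyID, randomSerial, hexFormatted, parseHexFormatted and skidMatchesGo are this example's own, and the 127-bit serial width is this example's choice (the page does not state the package's). One caveat a reviewer should keep in mind: the doc above describes GetSubjKeyID as the SHA-1 of the marshaled public key, and whether that hash covers the whole SubjectPublicKeyInfo encoding or only the subjectPublicKey BIT STRING is not stated here; the two give different values. This example uses the BIT STRING form, which is what RFC 5280 specifies and what crypto/x509 itself generates for CA templates, and cross-checks against it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// spki mirrors SubjectPublicKeyInfo (RFC 5280 section 4.1.2.7) so the
// subjectPublicKey BIT STRING can be pulled out of a PKIX-marshalled key.
type spki struct {
	Algorithm        pkix.AlgorithmIdentifier
	SubjectPublicKey asn1.BitString
}

// subjKeyID computes the RFC 5280 method (1) identifier: SHA-1 over the
// subjectPublicKey bits only (no tag, length or unused-bits byte). SHA-1 is
// acceptable here because the value is an identifier, not a security boundary.
func subjKeyID(pub interface{}) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var info spki
	if rest, err := asn1.Unmarshal(der, &info); err != nil {
		return nil, err
	} else if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after SubjectPublicKeyInfo", len(rest))
	}
	sum := sha1.Sum(info.SubjectPublicKey.Bytes)
	return sum[:], nil
}

// randomSerial draws a serial from a CSPRNG. 127 bits (an assumption of this
// example) keeps the DER INTEGER positive and inside RFC 5280's 20-octet limit
// while giving far more than the 64 bits of entropy publicly trusted CAs need.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
}

// hexFormatted renders buf as lowercase hex with sep between bytes, e.g. "0a:1b:ff".
func hexFormatted(buf []byte, sep string) string {
	parts := make([]string, len(buf))
	for i, b := range buf {
		parts[i] = fmt.Sprintf("%02x", b)
	}
	return strings.Join(parts, sep)
}

// parseHexFormatted reverses hexFormatted and, unlike a nil-returning variant,
// reports malformed input so a mistyped serial cannot silently become "no bytes".
func parseHexFormatted(in, sep string) ([]byte, error) {
	return hex.DecodeString(strings.ReplaceAll(in, sep, ""))
}

// skidMatchesGo cross-checks subjKeyID against crypto/x509: since Go 1.15,
// CreateCertificate fills an empty SubjectKeyId on a CA template with the same
// method (1) hash, so the two must agree for a freshly generated P-256 key.
func skidMatchesGo() (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	serial, err := randomSerial()
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: "skid-check"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	want, err := subjKeyID(&key.PublicKey)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cert.SubjectKeyId, want), nil
}

func main() {
	serial, _ := randomSerial()
	ok, err := skidMatchesGo()
	fmt.Println("serial:", hexFormatted(serial.Bytes(), ":"))
	fmt.Println("SKID agrees with crypto/x509:", ok, err)
}
```

If you need to interoperate with a CA that hashes the full SubjectPublicKeyInfo instead, the difference only matters when another party compares your SubjectKeyId with an AuthorityKeyId it computed itself; path building in crypto/x509 matches by name and signature first, so a mismatched identifier degrades lookup hints rather than breaking validation.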
Types ¶
type BlockType ¶ added in v0.5.0
type BlockType string
BlockType indicates the serialization format of the key
type CSRBundle ¶ added in v0.4.0
type CSRBundle struct {
	PrivateKeyType PrivateKeyType `json:"private_key_type" structs:"private_key_type" mapstructure:"private_key_type"`
	CSR            string         `json:"csr" structs:"csr" mapstructure:"csr"`
	PrivateKey     string         `json:"private_key" structs:"private_key" mapstructure:"private_key"`
}
CSRBundle contains a key type, a PEM-encoded private key, and a PEM-encoded CSR
func (*CSRBundle) ToParsedCSRBundle ¶ added in v0.4.0
func (c *CSRBundle) ToParsedCSRBundle() (*ParsedCSRBundle, error)
ToParsedCSRBundle converts a string-based CSR bundle to a byte-based raw CSR bundle
type CertBlock ¶ added in v0.6.2
type CertBlock struct {
	Certificate *x509.Certificate
	Bytes       []byte
}
CertBlock contains a parsed certificate together with the raw DER bytes taken from its PEM block
type CertBundle ¶
type CertBundle struct {
	PrivateKeyType PrivateKeyType `json:"private_key_type" structs:"private_key_type" mapstructure:"private_key_type"`
	Certificate    string         `json:"certificate" structs:"certificate" mapstructure:"certificate"`
	IssuingCA      string         `json:"issuing_ca" structs:"issuing_ca" mapstructure:"issuing_ca"`
	CAChain        []string       `json:"ca_chain" structs:"ca_chain" mapstructure:"ca_chain"`
	PrivateKey     string         `json:"private_key" structs:"private_key" mapstructure:"private_key"`
	SerialNumber   string         `json:"serial_number" structs:"serial_number" mapstructure:"serial_number"`
}
CertBundle contains a key type, a PEM-encoded private key, a PEM-encoded certificate, the PEM-encoded issuing CA and CA chain, and a string-encoded serial number, as returned from a successful Issue request
func (*CertBundle) ToPEMBundle ¶ added in v0.6.2
func (c *CertBundle) ToPEMBundle() string
ToPEMBundle converts a string-based certificate bundle to a PEM-based string certificate bundle in trust path order, leaf certificate first
func (*CertBundle) ToParsedCertBundle ¶
func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error)
ToParsedCertBundle converts a string-based certificate bundle to a byte-based raw certificate bundle
type IssueData ¶
type IssueData struct {
	TTL        string `json:"ttl" structs:"ttl" mapstructure:"ttl"`
	CommonName string `json:"common_name" structs:"common_name" mapstructure:"common_name"`
	OU         string `json:"ou" structs:"ou" mapstructure:"ou"`
	AltNames   string `json:"alt_names" structs:"alt_names" mapstructure:"alt_names"`
	IPSANs     string `json:"ip_sans" structs:"ip_sans" mapstructure:"ip_sans"`
	CSR        string `json:"csr" structs:"csr" mapstructure:"csr"`
}
IssueData is a structure that is suitable for marshaling into a request; either via JSON, or into a map[string]interface{} via the structs package
type ParsedCSRBundle ¶ added in v0.4.0
type ParsedCSRBundle struct {
	PrivateKeyType  PrivateKeyType
	PrivateKeyBytes []byte
	PrivateKey      crypto.Signer
	CSRBytes        []byte
	CSR             *x509.CertificateRequest
}
ParsedCSRBundle contains a key type, a DER-encoded private key, and a DER-encoded certificate request
func (*ParsedCSRBundle) SetParsedPrivateKey ¶ added in v0.4.0
func (p *ParsedCSRBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType PrivateKeyType, privateKeyBytes []byte)
SetParsedPrivateKey sets the private key parameters on the bundle
func (*ParsedCSRBundle) ToCSRBundle ¶ added in v0.4.0
func (p *ParsedCSRBundle) ToCSRBundle() (*CSRBundle, error)
ToCSRBundle converts a byte-based raw DER CSR bundle to a PEM-based string CSR bundle
type ParsedCertBundle ¶
type ParsedCertBundle struct {
	PrivateKeyType   PrivateKeyType
	PrivateKeyFormat BlockType
	PrivateKeyBytes  []byte
	PrivateKey       crypto.Signer
	CertificateBytes []byte
	Certificate      *x509.Certificate
	CAChain          []*CertBlock
	SerialNumber     *big.Int
}
ParsedCertBundle contains a key type, a DER-encoded private key, a DER-encoded certificate, the parsed CA chain, and the certificate's serial number
func ParsePEMBundle ¶
func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error)
ParsePEMBundle takes a string of concatenated PEM-format certificate and private key values and decodes/parses them, checking validity along the way. The first certificate must be the subject certificate and issuing certificates may follow. There must be at most one private key.
func ParsePKIJSON ¶
func ParsePKIJSON(input []byte) (*ParsedCertBundle, error)
ParsePKIJSON takes JSON-encoded input and returns a ParsedCertBundle.
The input can be the full response of an issue call to the PKI backend, just its data member, or JSON carrying the same fields that did not come from the PKI backend at all.
func ParsePKIMap ¶
func ParsePKIMap(data map[string]interface{}) (*ParsedCertBundle, error)
ParsePKIMap takes a map (for instance, the Secret.Data returned from the PKI backend) and returns a ParsedCertBundle.
func (*ParsedCertBundle) GetCertificatePath ¶ added in v0.6.2
func (p *ParsedCertBundle) GetCertificatePath() []*CertBlock
GetCertificatePath returns a slice of certificates making up a path, pulled from the parsed cert bundle
func (*ParsedCertBundle) GetTLSConfig ¶
func (p *ParsedCertBundle) GetTLSConfig(usage TLSUsage) (*tls.Config, error)
GetTLSConfig returns a TLS config generally suitable for client authentication. The returned TLS config can be modified slightly to be made suitable for a server requiring client authentication; specifically, you should set the value of ClientAuth in the returned config to match your needs.
func (*ParsedCertBundle) SetParsedPrivateKey ¶ added in v0.4.0
func (p *ParsedCertBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType PrivateKeyType, privateKeyBytes []byte)
SetParsedPrivateKey sets the private key parameters on the bundle
func (*ParsedCertBundle) ToCertBundle ¶
func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error)
ToCertBundle converts a byte-based raw DER certificate bundle to a PEM-based string certificate bundle
func (*ParsedCertBundle) Verify ¶ added in v0.6.2
func (p *ParsedCertBundle) Verify() error
Verify checks that the parsed bundle is valid: it confirms that the certificate's public key matches the private key and checks the certificate trust chain for path issues.
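To make the parsing and verification rules above concrete, here is an added, self-contained example written for this page; it is not the package's own ParsePEMBundle or Verify. It parses a concatenated PEM bundle under the stated rules (the first certificate is the subject, later ones are issuers in order, at most one private key, nothing else), checks that the private key matches the leaf's public key, and walks the chain checking that each certificate is signed by the next. It handles EC keys only and builds its own throwaway CA and leaf as fixture data; the names bundle, parsePEMBundle, verify and makeTestBundle are this example's own, and the mismatch flag exercises the key/certificate mismatch that Verify is documented to catch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// bundle is what a parsed PEM bundle carries: the subject certificate, the issuers
// that followed it, and the single private key (nil if none). EC keys only, for brevity.
type bundle struct {
	leaf  *x509.Certificate
	chain []*x509.Certificate
	key   *ecdsa.PrivateKey
}

// parsePEMBundle follows the rules the ParsePEMBundle doc states: the first CERTIFICATE
// block is the subject, later ones are issuers in order, and at most one private key
// may appear. Unknown block types are rejected rather than skipped.
func parsePEMBundle(pemBundle string) (*bundle, error) {
	b := &bundle{}
	for block, rest := pem.Decode([]byte(pemBundle)); block != nil; block, rest = pem.Decode(rest) {
		switch block.Type {
		case "CERTIFICATE":
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, err
			}
			if b.leaf == nil {
				b.leaf = cert
			} else {
				b.chain = append(b.chain, cert)
			}
		case "EC PRIVATE KEY":
			if b.key != nil {
				return nil, errors.New("bundle contains more than one private key")
			}
			key, err := x509.ParseECPrivateKey(block.Bytes)
			if err != nil {
				return nil, err
			}
			b.key = key
		default:
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
	}
	if b.leaf == nil {
		return nil, errors.New("bundle contains no certificate")
	}
	return b, nil
}

// verify performs the two checks the Verify doc describes: the key's public half must
// equal the leaf's public key, and each certificate must be signed by the next one in
// the chain. Expiry, hostnames and revocation are deliberately left to the TLS layer.
func (b *bundle) verify() error {
	if b.key != nil && !b.key.PublicKey.Equal(b.leaf.PublicKey) {
		return errors.New("private key does not match the leaf certificate")
	}
	certs := append([]*x509.Certificate{b.leaf}, b.chain...)
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("certificate %d is not signed by certificate %d: %w", i, i+1, err)
		}
	}
	return nil
}

// makeTestBundle constructs a throwaway CA and client leaf (fixture data, not real
// credentials) as a PEM bundle in the documented order: leaf, key, issuer. With mismatch
// set, the key written out belongs to an unrelated key pair, which verify must reject.
func makeTestBundle(mismatch bool) string {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER) // sign the leaf with the parsed CA so issuer fields are exact
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if mismatch {
		leafKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	keyDER, _ := x509.MarshalECPrivateKey(leafKey)
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})...)
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})...)
	return string(out)
}

func main() {
	b, err := parsePEMBundle(makeTestBundle(false))
	if err == nil {
		err = b.verify()
	}
	fmt.Println("bundle verifies:", err == nil)
}
```

Note what this check does not cover: validity period, hostnames and revocation are left to x509.Certificate.Verify or the TLS handshake, so a bundle that passes here can still be unusable in practice. The parsed leaf, chain and key are exactly the pieces that GetTLSConfig wraps into a tls.Certificate.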
type ParsedPrivateKeyContainer ¶ added in v0.4.0
type ParsedPrivateKeyContainer interface {
SetParsedPrivateKey(crypto.Signer, PrivateKeyType, []byte)
}
ParsedPrivateKeyContainer allows common key setting for certs and CSRs
type PrivateKeyType ¶ added in v0.4.0
type PrivateKeyType string
PrivateKeyType holds a string representation of the type of private key (ec or rsa) referenced in CertBundle and ParsedCertBundle. This uses colloquial names rather than official names, to eliminate confusion
const (
	UnknownPrivateKey PrivateKeyType = ""
	RSAPrivateKey     PrivateKeyType = "rsa"
	ECPrivateKey      PrivateKeyType = "ec"
)
Well-known PrivateKeyTypes
type Secret ¶
type Secret struct {
Data map[string]interface{} `json:"data"`
}
Secret is used to attempt to unmarshal a Vault secret JSON response, as a convenience