Documentation
Overview
Package pki abstracts creating an opinionated PKI. The certs and keys are stored in a boltDB instance. The private keys are stored in encrypted form: the CA passphrase is fed to a KDF to derive the encryption keys. User (client) certs are also encrypted, but with a user-provided passphrase.
Index
- Constants
- Variables
- func CertificateRequestText(csr *x509.CertificateRequest) (string, error)
- func CertificateText(cert *x509.Certificate) (string, error)
- type CA
- func (ca *CA) CRL(crlValidDays int) ([]byte, error)
- func (ca *CA) Chain() ([]*CA, error)
- func (ca *CA) ChainFor(c *Cert) ([]*CA, error)
- func (ca *CA) Close() error
- func (ca *CA) ExportJSON(wr io.Writer) error
- func (ca *CA) Find(cn string) (*Cert, error)
- func (ca *CA) FindCA(cn string) (*CA, error)
- func (ca *CA) FindClient(cn string) (*Cert, error)
- func (ca *CA) FindServer(cn string) (*Cert, error)
- func (ca *CA) GetAllRevoked() (*pkix.CertificateList, error)
- func (ca *CA) GetCAs() ([]*CA, error)
- func (ca *CA) GetClients() ([]*Cert, error)
- func (ca *CA) GetServers() ([]*Cert, error)
- func (ca *CA) IsRevokedCA(xca *CA) (bool, error)
- func (ca *CA) IsValid() bool
- func (ca *CA) ListRevoked() (map[string]Revoked, error)
- func (ca *CA) NewClientCert(ci *CertInfo, pw string) (*Cert, error)
- func (ca *CA) NewIntermediateCA(ci *CertInfo) (*CA, error)
- func (ca *CA) NewServerCert(ci *CertInfo, pw string) (*Cert, error)
- func (ca *CA) PEM() []byte
- func (ca *CA) Rekey(newpw string) error
- func (ca *CA) RevokeCA(cn string) error
- func (ca *CA) RevokeClient(cn string) error
- func (ca *CA) RevokeServer(cn string) error
- func (ca *CA) SignCert(csr *x509.Certificate) (*x509.Certificate, error)
- type Cert
- type CertInfo
- type Config
- type Revoked
- type Storage
Constants
const DBVersion uint32 = 1
DB Version. This must be updated whenever we change the schema.
Variables
Functions
func CertificateRequestText
func CertificateRequestText(csr *x509.CertificateRequest) (string, error)
CertificateRequestText returns a human-readable string representation of the certificate request csr. The format is similar (but not identical) to the OpenSSL way of printing certificates.
func CertificateText
func CertificateText(cert *x509.Certificate) (string, error)
CertificateText returns a human-readable string representation of the certificate cert. The format is similar (but not identical) to the OpenSSL way of printing certificates.
Types
type CA
type CA struct {
	*x509.Certificate
	Expired   bool
	CARevoked bool
	// contains filtered or unexported fields
}
CA is a special type of Credential that also has a CSR in it.
func NewFromJSON
NewFromJSON creates a new PKI CA instance with storage backed by boltDB in 'dbname', with the initial contents coming from the JSON blob.
func NewWithStorage
NewWithStorage creates a new root CA with the given storage engine.
func (*CA) ChainFor
ChainFor returns the chain of signing certs for the named cert. This function operates on the global namespace; i.e., it is NOT dependent on the specific instance of 'ca' (which may be an intermediate CA).
func (*CA) Find
Find searches _all_ entities in the system: client certs, server certs and intermediate CA certs.
func (*CA) FindCA
FindCA finds the CA with the given name. This operates on the global "namespace"; i.e., even if 'ca' is an intermediate CA, it will search in the parent namespaces until a match is found.
func (*CA) FindClient
FindClient returns the given client cert.
func (*CA) FindServer
FindServer returns the given server cert.
func (*CA) GetAllRevoked
func (ca *CA) GetAllRevoked() (*pkix.CertificateList, error)
GetAllRevoked returns the list of revoked certs.
func (*CA) IsRevokedCA
IsRevokedCA returns true if 'xca' is revoked. This looks in the global namespace and not just the CAs signed by 'ca'.
func (*CA) NewClientCert
NewClientCert issues a new client certificate.
func (*CA) NewIntermediateCA
NewIntermediateCA creates and issues a new intermediate CA cert.
func (*CA) NewServerCert
NewServerCert issues a new server certificate.
func (*CA) RevokeCA
RevokeCA revokes a given intermediate CA. We don't allow the root CA to be revoked.
func (*CA) RevokeClient
RevokeClient revokes the given client.
func (*CA) RevokeServer
RevokeServer revokes the given server.
func (*CA) SignCert
func (ca *CA) SignCert(csr *x509.Certificate) (*x509.Certificate, error)
SignCert signs the given CSR with the provided CA.
type Cert
type Cert struct {
	*x509.Certificate
	Key       *ecdsa.PrivateKey
	Rawkey    []byte
	IsServer  bool
	IsCA      bool
	Expired   bool
	CARevoked bool

	// Additional info provided when cert was created
	Additional []byte
}
Cert represents a client or server certificate.
type CertInfo
type CertInfo struct {
	Subject        pkix.Name
	Validity       time.Duration
	EmailAddresses []string
	DNSNames       []string

	// We only support exactly _one_ IP address
	IPAddresses []net.IP

	// Additional info stored in the DB against this certificate
	// This info is *NOT* in the x509 object.
	Additional []byte
}
CertInfo holds the information needed to create a certificate.
type Config
type Config struct {
	// Passphrase to encrypt the CA credentials
	Passwd string

	// Root-CA subject name; also used for all intermediate CAs
	Subject pkix.Name

	// Validity of the root-CA
	Validity time.Duration
}
Config holds the initial info needed to set up a CA.
type Storage
type Storage interface {
	Rekey(newpw string) error
	Close() error

	// Get the Root CA
	GetRootCA() (*Cert, error)

	// Store root CA
	StoreRootCA(*Cert) error

	// Return current serial#
	GetSerial() *big.Int

	// increment serial#, update db and return new serial#
	NewSerial() (*big.Int, error)

	// get intermediate CA
	GetICA(nm string) (*Cert, error)

	// Fetch client cert
	GetClientCert(nm string, pw string) (*Cert, error)

	// Fetch server cert
	GetServerCert(nm string, pw string) (*Cert, error)

	// Store intermediate CA
	StoreICA(c *Cert) error

	// Store client cert
	StoreClientCert(c *Cert, pw string) error

	// Store server cert
	StoreServerCert(c *Cert, pw string) error

	// Delete a given CA -- revocation
	DeleteICA(cn string) error

	// Delete client cert
	DeleteClientCert(cn string) error

	// delete server cert
	DeleteServerCert(cn string) error

	// Export DB in portable JSON
	ExportJSON() (string, error)

	// - Iterators -
	MapICA(func(*Cert) error) error
	MapClientCerts(func(*Cert) error) error
	MapServerCerts(func(*Cert) error) error
	MapRevoked(func(time.Time, *Cert)) error
	FindRevoked(skid []byte) (time.Time, *Cert, error)
}
Storage abstracts the underlying persistent storage provider.