Documentation
Overview
Package scep provides common functionality for encoding and decoding Simple Certificate Enrolment Protocol (SCEP) PKI messages as defined in https://tools.ietf.org/html/draft-gutmann-scep-02
Constants
const (
	CertRep    MessageType = "3"
	RenewalReq             = "17"
	UpdateReq              = "18"
	PKCSReq                = "19"
	CertPoll               = "20"
	GetCert                = "21"
	GetCRL                 = "22"
)
Undefined message types are treated as an error.
const (
	SUCCESS PKIStatus = "0"
	FAILURE           = "2"
	PENDING           = "3"
)
Undefined pkiStatus attributes are treated as an error.
const (
	BadAlg          FailInfo = "0"
	BadMessageCheck          = "1"
	BadRequest               = "2"
	BadTime                  = "3"
	BadCertID                = "4"
)
Variables
This section is empty.
Functions
func CACerts
func CACerts(data []byte) ([]*x509.Certificate, error)
CACerts extracts the CA certificate, or certificate chain, from PKCS#7 degenerate signed data.
func DegenerateCertificates
func DegenerateCertificates(certs []*x509.Certificate) ([]byte, error)
DegenerateCertificates encodes the given certificates as a PKCS#7 degenerate (certificates-only, unsigned) SignedData structure.
Types
type CSRReqMessage
type CSRReqMessage struct {
	// PKCS#10 Certificate request inside the envelope
	CSR *x509.CertificateRequest

	ChallengePassword string
}
CSRReqMessage is the payload of a PKCSReq, RenewalReq or UpdateReq message and carries a PKCS#10 certificate request. The content of this message is encrypted to the recipient's public key (for example, the CA's).
type CertRepMessage
type CertRepMessage struct {
	PKIStatus
	RecipientNonce
	FailInfo

	Certificate *x509.Certificate
	// contains filtered or unexported fields
}
CertRepMessage is the CertRep payload of a PKIMessage.
type FailInfo
type FailInfo string
FailInfo is a SCEP failInfo attribute.
The FailInfo attribute MUST contain one of the failure reasons listed under Constants (BadAlg through BadCertID).
type MessageType
type MessageType string
The MessageType attribute specifies the type of operation performed by the transaction. This attribute MUST be included in all PKI messages.
The defined message types are listed under Constants (CertRep through GetCRL).
type PKIMessage
type PKIMessage struct {
	TransactionID
	MessageType
	SenderNonce
	*CertRepMessage
	*CSRReqMessage

	// DER Encoded PKIMessage
	Raw []byte

	// Recipient certificates the pkcsPKIEnvelope is encrypted to
	Recipients []*x509.Certificate

	// Signer info
	SignerKey  *rsa.PrivateKey
	SignerCert *x509.Certificate
	// contains filtered or unexported fields
}
PKIMessage holds a SCEP PKI message together with its transaction attributes, signer and recipient data, and the payload (CertRepMessage or CSRReqMessage) selected by its MessageType.
func NewCSRRequest
func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage) (*PKIMessage, error)
NewCSRRequest creates a SCEP PKCSReq or UpdateReq PKIMessage wrapping csr, taking the remaining fields from tmpl.
func ParsePKIMessage
func ParsePKIMessage(data []byte) (*PKIMessage, error)
ParsePKIMessage unmarshals PKCS#7 signed data into a PKIMessage struct. The enveloped content stays encrypted until DecryptPKIEnvelope is called.
func (*PKIMessage) DecryptPKIEnvelope
func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key *rsa.PrivateKey) error
DecryptPKIEnvelope decrypts the PKCS#7 envelopedData inside the SCEP PKIMessage using the recipient's certificate and private key.
func (*PKIMessage) SignCSR
func (msg *PKIMessage) SignCSR(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey, template *x509.Certificate) (*PKIMessage, error)
SignCSR issues an x509.Certificate from template, signed with the certificate authority credentials crtAuth and keyAuth, and returns a new PKIMessage carrying the CertRep data.
type PKIStatus
type PKIStatus string
PKIStatus is a SCEP pkiStatus attribute which holds transaction status information. All SCEP responses MUST include a pkiStatus.
The defined pkiStatus values are listed under Constants (SUCCESS, FAILURE and PENDING).
type RecipientNonce
type RecipientNonce []byte
The RecipientNonce MUST be copied from the SenderNonce and included in the reply.
type SenderNonce
type SenderNonce []byte
SenderNonce is a random 16-byte value. A sender must include the senderNonce in each transaction to a recipient.
type TransactionID
type TransactionID string
The TransactionID is a text string generated by the client when starting a transaction. The client MUST generate a unique string as the transaction identifier, which MUST be used for all PKI messages exchanged for a given enrolment, encoded as a PrintableString.
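As an added example (not code from the scep package), the client-side checks that the SenderNonce, RecipientNonce, TransactionID and PKIStatus types above imply: a fresh 16-byte senderNonce, a transactionID restricted to the PrintableString character set, and a CertRep reply accepted only when its transactionID and recipientNonce match what the client sent. The certRep type, printableChars and the outcome strings are constructed stand-ins; the pkiStatus values follow the constants listed above.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"strings"
)

// ASN.1 PrintableString character set; the TransactionID must be encoded as one.
const printableChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
// certRep is a constructed stand-in for the CertRepMessage fields a client
// inspects; it is not the scep package's own type.
type certRep struct {
	TransactionID  string
	RecipientNonce []byte
	PKIStatus      string // "0" SUCCESS, "2" FAILURE, "3" PENDING
	FailInfo       string
}

// isPrintableString reports whether s is a non-empty ASN.1 PrintableString.
func isPrintableString(s string) bool {
	for _, r := range s {
		if !strings.ContainsRune(printableChars, r) {
			return false
		}
	}
	return s != ""
}

// newSenderNonce returns the random 16-byte senderNonce sent with each transaction.
func newSenderNonce() ([]byte, error) {
	nonce := make([]byte, 16)
	_, err := rand.Read(nonce)
	return nonce, err
}

// checkCertRep accepts a reply only if it is bound to the transaction the client
// started (matching transactionID, recipientNonce equal to the senderNonce).
func checkCertRep(sentTxID string, sentNonce []byte, rep certRep) (string, error) {
	if rep.TransactionID != sentTxID || len(rep.RecipientNonce) != 16 ||
		subtle.ConstantTimeCompare(rep.RecipientNonce, sentNonce) != 1 {
		return "", fmt.Errorf("reply not bound to transaction %q; discard it", sentTxID)
	}
	outcome := map[string]string{"0": "issued", "3": "pending", "2": "failed: failInfo " + rep.FailInfo}[rep.PKIStatus]
	if outcome == "" {
		return "", fmt.Errorf("undefined pkiStatus %q", rep.PKIStatus)
	}
	return outcome, nil
}
```

A reply whose recipientNonce does not echo the senderNonce is rejected before its pkiStatus is even read, which is what stops a replayed or mis-routed CertRep from being accepted as the answer to a new request.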