certlib

package
v0.0.0-...-aa4210d Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 2, 2024 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package certlib provides functionality for generating and managing X.509 certificates and their corresponding private keys. It supports creating different types of certificates including root CAs, intermediate CAs, server certificates, and client certificates.

Package certlib provides functionality for handling TLS certificates and credentials for both client and server applications. It supports loading certificates from files or raw bytes, and configuring TLS settings with proper security defaults.

Package certlib provides functionality for handling TLS certificates and credentials for both client and server applications. It supports loading certificates from files or raw bytes, and configuring TLS settings with proper security defaults.

Index

Constants

View Source
const DefaultKeySize = 2048

DefaultKeySize defines the default RSA key size in bits used for certificate generation

View Source
const MinKeySize = 2048

MinKeySize defines the minimum allowed RSA key size in bits

Variables

This section is empty.

Functions

func CreateClientTLSConfig

func CreateClientTLSConfig(args ClientTLSConfigBytes) (*tls.Config, error)

CreateClientTLSConfig creates TLS credentials from raw certificate data. It validates the input configuration and creates a TLS configuration suitable for client connections. The certificates and key must be PEM encoded. Returns an error if any validation fails or if the certificates are invalid.

func CreateServerTLSConfig

func CreateServerTLSConfig(args ServerTLSConfigBytes) (res *tls.Config, err error)

CreateServerTLSConfig creates TLS credentials from raw certificate data. The certificates and key must be PEM encoded. This function enforces client authentication, requiring clients to present valid certificates that can be verified against the provided CA. Returns an error if the certificates are invalid or cannot be loaded.

func EncodeCertificateToPEM

func EncodeCertificateToPEM(cert *x509.Certificate) (certPEMBytes []byte, err error)

EncodeCertificateToPEM encodes an X.509 certificate to PEM format Returns the PEM-encoded certificate as a byte slice

func EncodePrivateKeyToPEM

func EncodePrivateKeyToPEM(key *rsa.PrivateKey) (keyPEMBytes []byte, err error)

EncodePrivateKeyToPEM encodes an RSA private key to PEM format using PKCS8 Returns the PEM-encoded private key as a byte slice

func EncodePublicKeyToPEM

func EncodePublicKeyToPEM(key *rsa.PublicKey) (keyPEMBytes []byte, err error)

EncodePublicKeyToPEM encodes an RSA public key to PEM format using PKIX Returns the PEM-encoded public key as a byte slice

func EncodeRSAPrivateKeyToPEM

func EncodeRSAPrivateKeyToPEM(key *rsa.PrivateKey) (keyPEMBytes []byte, err error)

EncodeRSAPrivateKeyToPEM encodes an RSA private key to PEM format using PKCS1 Returns the PEM-encoded RSA private key as a byte slice

func EncodeRSAPublicKeyToPEM

func EncodeRSAPublicKeyToPEM(key *rsa.PublicKey) (keyPEMBytes []byte, err error)

EncodeRSAPublicKeyToPEM encodes an RSA public key to PEM format using PKCS1 Returns the PEM-encoded RSA public key as a byte slice

func LoadClientTLSConfig

func LoadClientTLSConfig(args ClientTLSConfigFiles) (*tls.Config, error)

LoadClientTLSConfig creates TLS credentials by loading certificates from files. It validates the input configuration, reads the certificate files, and creates a TLS configuration suitable for client connections. The files must contain PEM encoded certificates and keys. Returns an error if any validation fails or if the files cannot be read.

func LoadServerTLSConfig

func LoadServerTLSConfig(args ServerTLSConfigFiles) (res *tls.Config, err error)

LoadServerTLSConfig creates TLS credentials by loading certificates from files. The files must contain PEM encoded certificates and keys. This function enforces client authentication, requiring clients to present valid certificates that can be verified against the provided CA certificate. Returns an error if any of the files cannot be read or contain invalid certificates.

func ParseCertificateFromFile

func ParseCertificateFromFile(path string) (cert *x509.Certificate, err error)

ParseCertificateFromFile reads and parses an X.509 certificate from a PEM file Returns the parsed certificate or an error if the file is invalid or parsing fails

func ParseCertificateFromPEM

func ParseCertificateFromPEM(certPEMBytes []byte) (cert *x509.Certificate, err error)

ParseCertificateFromPEM decodes a PEM-encoded X.509 certificate Returns the parsed certificate or an error if the PEM block is invalid or parsing fails

func ParsePrivateKeyFromFile

func ParsePrivateKeyFromFile(path string) (key *rsa.PrivateKey, err error)

ParsePrivateKeyFromFile reads and parses an RSA private key from a PEM file Returns the parsed private key or an error if the file is invalid or parsing fails

func ParsePrivateKeyFromPEM

func ParsePrivateKeyFromPEM(keyPEMBytes []byte) (key *rsa.PrivateKey, err error)

ParsePrivateKeyFromPEM decodes a PEM-encoded private key in either PKCS1 or PKCS8 format Returns the parsed RSA private key or an error if the PEM block is invalid or parsing fails

func VerifyCertificate

func VerifyCertificate(args VerifyCertificateArgs) (err error)

VerifyCertificate performs comprehensive validation of a certificate. It checks: - Certificate validity period - Certificate chain verification - Certificate type-specific requirements (e.g., DNS names for server certificates) - Certificate authority status for CA certificates

Types

type CertKey

type CertKey struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

CertKey holds a certificate and its corresponding private key

func GenerateCertificate

func GenerateCertificate(certType CertificateType, args CertificateArgs) (res CertKey, err error)

GenerateCertificate generates a certificate and its corresponding private key based on the given parameters

func (*CertKey) PublicKey

func (c *CertKey) PublicKey() *rsa.PublicKey

PublicKey returns the public key portion of the private key

func (*CertKey) TLSCertificate

func (c *CertKey) TLSCertificate() *tls.Certificate

TLSCertificate converts the certificate and key pair into a tls.Certificate

type CertificateArgs

type CertificateArgs struct {
	// Serial is the certificate's serial number
	Serial *big.Int
	// Subject contains the certificate subject information
	Subject pkix.Name
	// Extensions contains additional X.509 extensions
	Extensions []pkix.Extension
	// Issuer is the certificate and key that will sign this certificate
	Issuer CertKey
	// NotBefore is the time when the certificate becomes valid
	NotBefore time.Time
	// Duration specifies how long the certificate will be valid
	Duration time.Duration
	// EmailAddresses contains email addresses to include in the certificate
	EmailAddresses []string
	// DNSNames contains DNS names to include in the certificate
	DNSNames []string
	// IPAddresses contains IP addresses to include in the certificate
	IPAddresses []net.IP
	// KeySize specifies the size of the RSA key to generate
	KeySize int
}

CertificateArgs contains the parameters needed to generate a certificate

type CertificateType

type CertificateType int

CertificateType represents the type of certificate to be generated

const (
	// CertificateTypeRootCA represents a root Certificate Authority
	CertificateTypeRootCA CertificateType = iota
	// CertificateTypeIntermediateCA represents an intermediate Certificate Authority
	CertificateTypeIntermediateCA
	// CertificateTypeServer represents a server certificate
	CertificateTypeServer
	// CertificateTypeClient represents a client certificate
	CertificateTypeClient
)

type ClientTLSConfigBytes

type ClientTLSConfigBytes struct {
	// Cert is the client's certificate (PEM encoded)
	Cert []byte `validate:"required"`

	// Key is the client's private key (PEM encoded)
	Key []byte `validate:"required"`

	// CA is the certificate authority's certificate (PEM encoded)
	CA []byte `validate:"required"`

	// ServerName is the expected server name for verification
	ServerName string `validate:"required"`
}

ClientTLSConfigBytes holds the configuration parameters for creating client TLS credentials from raw certificate data. All fields are required and validated using the validator package.

type ClientTLSConfigFiles

type ClientTLSConfigFiles struct {
	// CertFile is the path to the client's certificate (PEM encoded)
	CertFile string `validate:"required,filepath"`

	// KeyFile is the path to the client's private key (PEM encoded)
	KeyFile string `validate:"required,filepath"`

	// CAFile is the path to the certificate authority's certificate (PEM encoded)
	CAFile string `validate:"required,filepath"`

	// ServerName is the expected server name for verification
	ServerName string `validate:"required"`
}

ClientTLSConfigFiles holds the configuration parameters for creating client TLS credentials from files. All paths must be valid and accessible, and are validated using the validator package.

type ServerTLSConfigBytes

type ServerTLSConfigBytes struct {
	// Cert is the server's certificate (PEM encoded)
	Cert []byte `validate:"required"`
	// Key is the server's private key (PEM encoded)
	Key []byte `validate:"required"`
	// CA is the client CA certificate for client authentication (PEM encoded)
	CA []byte `validate:"required"`
}

ServerTLSConfigBytes holds the configuration parameters for creating server TLS credentials from raw certificate data. All fields are required and must contain valid PEM encoded certificates.

type ServerTLSConfigFiles

type ServerTLSConfigFiles struct {
	// CertFile is the server's certificate (PEM encoded)
	CertFile string `validate:"required,filepath"`
	// KeyFile is the server's private key (PEM encoded)
	KeyFile string `validate:"required,filepath"`
	// CAFile is the client CA certificate for client authentication (PEM encoded)
	CAFile string `validate:"required,filepath"`
}

ServerTLSConfigFiles holds the configuration parameters for creating server TLS credentials from files. All paths must be valid and accessible. The files must contain valid PEM encoded certificates.

type VerifyCertificateArgs

type VerifyCertificateArgs struct {
	// Type specifies the expected certificate type (server, client, CA)
	Type CertificateType
	// Cert is the certificate to verify
	Cert *x509.Certificate
	// DNSName is the expected DNS name for server certificates
	DNSName string
	// Intermediates is the list of intermediate CA certificates
	Intermediates []*x509.Certificate
	// Roots is the list of root CA certificates
	Roots []*x509.Certificate
}

VerifyCertificateArgs holds the parameters needed to verify a certificate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL