certlib

package

v0.0.0-...-260af11 Latest Latest Go to latest Published: Nov 24, 2024 License: MIT Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

Documentation ¶

Overview ¶

Package certlib provides functionality for generating and managing X.509 certificates and their corresponding private keys. It supports creating different types of certificates including root CAs, intermediate CAs, server certificates, and client certificates.

Package certlib provides functionality for handling TLS certificates and credentials for both client and server applications. It supports loading certificates from files or raw bytes, and configuring TLS settings with proper security defaults.

Index ¶

Constants
func CreateClientTLSConfig(args ClientTLSConfigBytes) (*tls.Config, error)
func CreateServerTLSConfig(args ServerTLSConfigBytes) (res *tls.Config, err error)
func EncodeCertificateToPEM(cert *x509.Certificate) (certPEMBytes []byte, err error)
func EncodePrivateKeyToPEM(key *rsa.PrivateKey) (keyPEMBytes []byte, err error)
func EncodePublicKeyToPEM(key *rsa.PublicKey) (keyPEMBytes []byte, err error)
func EncodeRSAPrivateKeyToPEM(key *rsa.PrivateKey) (keyPEMBytes []byte, err error)
func EncodeRSAPublicKeyToPEM(key *rsa.PublicKey) (keyPEMBytes []byte, err error)
func LoadClientTLSConfig(args ClientTLSConfigFiles) (*tls.Config, error)
func LoadServerTLSConfig(args ServerTLSConfigFiles) (res *tls.Config, err error)
func ParseCertificateFromFile(path string) (cert *x509.Certificate, err error)
func ParseCertificateFromPEM(certPEMBytes []byte) (cert *x509.Certificate, err error)
func ParsePrivateKeyFromFile(path string) (key *rsa.PrivateKey, err error)
func ParsePrivateKeyFromPEM(keyPEMBytes []byte) (key *rsa.PrivateKey, err error)
func VerifyCertificate(args VerifyCertificateArgs) (err error)
type CertKey
- func GenerateCertificate(certType CertificateType, args CertificateArgs) (res CertKey, err error)
- func (c *CertKey) PublicKey() *rsa.PublicKey
- func (c *CertKey) TLSCertificate() *tls.Certificate
type CertificateArgs
type CertificateType
type ClientTLSConfigBytes
type ClientTLSConfigFiles
type ServerTLSConfigBytes
type ServerTLSConfigFiles
type VerifyCertificateArgs

Constants ¶

View Source

const DefaultKeySize = 2048

DefaultKeySize defines the default RSA key size in bits used for certificate generation

View Source

const MinKeySize = 2048

MinKeySize defines the minimum allowed RSA key size in bits

Variables ¶

This section is empty.

Functions ¶

func CreateClientTLSConfig ¶

func CreateClientTLSConfig(args ClientTLSConfigBytes) (*tls.Config, error)

CreateClientTLSConfig creates TLS credentials from raw certificate data. It validates the input configuration and creates a TLS configuration suitable for client connections. The certificates and key must be PEM encoded. Returns an error if any validation fails or if the certificates are invalid.

func CreateServerTLSConfig ¶

func CreateServerTLSConfig(args ServerTLSConfigBytes) (res *tls.Config, err error)

CreateServerTLSConfig creates TLS credentials from raw certificate data. The certificates and key must be PEM encoded. This function enforces client authentication, requiring clients to present valid certificates that can be verified against the provided CA. Returns an error if the certificates are invalid or cannot be loaded.

func EncodeCertificateToPEM ¶

func EncodeCertificateToPEM(cert *x509.Certificate) (certPEMBytes []byte, err error)

EncodeCertificateToPEM encodes an X.509 certificate to PEM format Returns the PEM-encoded certificate as a byte slice

func EncodePrivateKeyToPEM ¶

func EncodePrivateKeyToPEM(key *rsa.PrivateKey) (keyPEMBytes []byte, err error)

EncodePrivateKeyToPEM encodes an RSA private key to PEM format using PKCS8 Returns the PEM-encoded private key as a byte slice

func EncodePublicKeyToPEM ¶

func EncodePublicKeyToPEM(key *rsa.PublicKey) (keyPEMBytes []byte, err error)

EncodePublicKeyToPEM encodes an RSA public key to PEM format using PKIX Returns the PEM-encoded public key as a byte slice

func EncodeRSAPrivateKeyToPEM ¶

func EncodeRSAPrivateKeyToPEM(key *rsa.PrivateKey) (keyPEMBytes []byte, err error)

EncodeRSAPrivateKeyToPEM encodes an RSA private key to PEM format using PKCS1 Returns the PEM-encoded RSA private key as a byte slice

func EncodeRSAPublicKeyToPEM ¶

func EncodeRSAPublicKeyToPEM(key *rsa.PublicKey) (keyPEMBytes []byte, err error)

EncodeRSAPublicKeyToPEM encodes an RSA public key to PEM format using PKCS1 Returns the PEM-encoded RSA public key as a byte slice

func LoadClientTLSConfig ¶

func LoadClientTLSConfig(args ClientTLSConfigFiles) (*tls.Config, error)

LoadClientTLSConfig creates TLS credentials by loading certificates from files. It validates the input configuration, reads the certificate files, and creates a TLS configuration suitable for client connections. The files must contain PEM encoded certificates and keys. Returns an error if any validation fails or if the files cannot be read.

func LoadServerTLSConfig ¶

func LoadServerTLSConfig(args ServerTLSConfigFiles) (res *tls.Config, err error)

LoadServerTLSConfig creates TLS credentials by loading certificates from files. The files must contain PEM encoded certificates and keys. This function enforces client authentication, requiring clients to present valid certificates that can be verified against the provided CA certificate. Returns an error if any of the files cannot be read or contain invalid certificates.

func ParseCertificateFromFile ¶

func ParseCertificateFromFile(path string) (cert *x509.Certificate, err error)

ParseCertificateFromFile reads and parses an X.509 certificate from a PEM file Returns the parsed certificate or an error if the file is invalid or parsing fails

func ParseCertificateFromPEM ¶

func ParseCertificateFromPEM(certPEMBytes []byte) (cert *x509.Certificate, err error)

ParseCertificateFromPEM decodes a PEM-encoded X.509 certificate Returns the parsed certificate or an error if the PEM block is invalid or parsing fails

func ParsePrivateKeyFromFile ¶

func ParsePrivateKeyFromFile(path string) (key *rsa.PrivateKey, err error)

ParsePrivateKeyFromFile reads and parses an RSA private key from a PEM file Returns the parsed private key or an error if the file is invalid or parsing fails

func ParsePrivateKeyFromPEM ¶

func ParsePrivateKeyFromPEM(keyPEMBytes []byte) (key *rsa.PrivateKey, err error)

ParsePrivateKeyFromPEM decodes a PEM-encoded private key in either PKCS1 or PKCS8 format Returns the parsed RSA private key or an error if the PEM block is invalid or parsing fails

func VerifyCertificate ¶

func VerifyCertificate(args VerifyCertificateArgs) (err error)

VerifyCertificate performs comprehensive validation of a certificate. It checks: - Certificate validity period - Certificate chain verification - Certificate type-specific requirements (e.g., DNS names for server certificates) - Certificate authority status for CA certificates

Types ¶

type CertKey ¶

type CertKey struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

CertKey holds a certificate and its corresponding private key

func GenerateCertificate ¶

func GenerateCertificate(certType CertificateType, args CertificateArgs) (res CertKey, err error)

GenerateCertificate generates a certificate and its corresponding private key based on the given parameters

func (*CertKey) PublicKey ¶

func (c *CertKey) PublicKey() *rsa.PublicKey

PublicKey returns the public key portion of the private key

func (*CertKey) TLSCertificate ¶

func (c *CertKey) TLSCertificate() *tls.Certificate

TLSCertificate converts the certificate and key pair into a tls.Certificate

type CertificateArgs ¶

type CertificateArgs struct {
	// Serial is the certificate's serial number
	Serial *big.Int
	// Subject contains the certificate subject information
	Subject pkix.Name
	// Extensions contains additional X.509 extensions
	Extensions []pkix.Extension
	// Issuer is the certificate and key that will sign this certificate
	Issuer CertKey
	// NotBefore is the time when the certificate becomes valid
	NotBefore time.Time
	// Duration specifies how long the certificate will be valid
	Duration time.Duration
	// EmailAddresses contains email addresses to include in the certificate
	EmailAddresses []string
	// DNSNames contains DNS names to include in the certificate
	DNSNames []string
	// IPAddresses contains IP addresses to include in the certificate
	IPAddresses []net.IP
	// KeySize specifies the size of the RSA key to generate
	KeySize int
}

CertificateArgs contains the parameters needed to generate a certificate

type CertificateType ¶

type CertificateType int

CertificateType represents the type of certificate to be generated

const (
	// CertificateTypeRootCA represents a root Certificate Authority
	CertificateTypeRootCA CertificateType = iota
	// CertificateTypeIntermediateCA represents an intermediate Certificate Authority
	CertificateTypeIntermediateCA
	// CertificateTypeServer represents a server certificate
	CertificateTypeServer
	// CertificateTypeClient represents a client certificate
	CertificateTypeClient
)

type ClientTLSConfigBytes ¶

type ClientTLSConfigBytes struct {
	// Cert is the client's certificate (PEM encoded)
	Cert []byte `validate:"required"`

	// Key is the client's private key (PEM encoded)
	Key []byte `validate:"required"`

	// CA is the certificate authority's certificate (PEM encoded)
	CA []byte `validate:"required"`

	// ServerName is the expected server name for verification
	ServerName string `validate:"required"`
}

ClientTLSConfigBytes holds the configuration parameters for creating client TLS credentials from raw certificate data. All fields are required and validated using the validator package.

type ClientTLSConfigFiles ¶

type ClientTLSConfigFiles struct {
	// CertFile is the path to the client's certificate (PEM encoded)
	CertFile string `validate:"required,filepath"`

	// KeyFile is the path to the client's private key (PEM encoded)
	KeyFile string `validate:"required,filepath"`

	// CAFile is the path to the certificate authority's certificate (PEM encoded)
	CAFile string `validate:"required,filepath"`

	// ServerName is the expected server name for verification
	ServerName string `validate:"required"`
}

ClientTLSConfigFiles holds the configuration parameters for creating client TLS credentials from files. All paths must be valid and accessible, and are validated using the validator package.

type ServerTLSConfigBytes ¶

type ServerTLSConfigBytes struct {
	// Cert is the server's certificate (PEM encoded)
	Cert []byte `validate:"required"`
	// Key is the server's private key (PEM encoded)
	Key []byte `validate:"required"`
	// CA is the client CA certificate for client authentication (PEM encoded)
	CA []byte `validate:"required"`
}

ServerTLSConfigBytes holds the configuration parameters for creating server TLS credentials from raw certificate data. All fields are required and must contain valid PEM encoded certificates.

type ServerTLSConfigFiles ¶

type ServerTLSConfigFiles struct {
	// CertFile is the server's certificate (PEM encoded)
	CertFile string `validate:"required,filepath"`
	// KeyFile is the server's private key (PEM encoded)
	KeyFile string `validate:"required,filepath"`
	// CAFile is the client CA certificate for client authentication (PEM encoded)
	CAFile string `validate:"required,filepath"`
}

ServerTLSConfigFiles holds the configuration parameters for creating server TLS credentials from files. All paths must be valid and accessible. The files must contain valid PEM encoded certificates.

type VerifyCertificateArgs ¶

type VerifyCertificateArgs struct {
	// Type specifies the expected certificate type (server, client, CA)
	Type CertificateType
	// Cert is the certificate to verify
	Cert *x509.Certificate
	// DNSName is the expected DNS name for server certificates
	DNSName string
	// Intermediates is the list of intermediate CA certificates
	Intermediates []*x509.Certificate
	// Roots is the list of root CA certificates
	Roots []*x509.Certificate
}

VerifyCertificateArgs holds the parameters needed to verify a certificate.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL