x509

package
v0.5.1
Published: Dec 4, 2024 License: MPL-2.0 Imports: 20 Imported by: 20

Documentation

Overview

Package x509 provides wrappers around the standard library crypto/* packages for generating keys, certificate authorities, CSRs and signed certificates, and for handling their PEM and YAML encodings.

Index

Constants

const (
	PEMTypeRSAPrivate     = "RSA PRIVATE KEY"
	PEMTypeRSAPublic      = "PUBLIC KEY"
	PEMTypeECPrivate      = "EC PRIVATE KEY"
	PEMTypeECPublic       = "EC PUBLIC KEY"
	PEMTypeEd25519Private = "ED25519 PRIVATE KEY"
	PEMTypeEd25519Public  = "ED25519 PUBLIC KEY"

	PEMTypeCertificate        = "CERTIFICATE"
	PEMTypeCertificateRequest = "CERTIFICATE REQUEST"
)

PEM Block Header Types.

const DefaultCertificateValidityDuration = 24 * time.Hour

DefaultCertificateValidityDuration is a default certificate lifetime.

const Redacted = "******"

Redacted is a sentinel string indicating that a private key has been redacted from a document. If the value of a private key is exactly this string (as bytes), it is YAML-marshaled as-is instead of being base64 encoded, so a redacted configuration stays visibly redacted rather than carrying a base64 blob that looks like key material.

Variables

This section is empty.

Functions

func Hash

func Hash(crt *x509.Certificate) string

Hash calculates the SHA-256 hash of the Subject Public Key Information (SPKI) object of an x509 certificate (in DER encoding). It returns the full hash as a hex encoded string, suitable for passing to kubeadm's pubkeypin Set.Allow. See https://github.com/kubernetes/kubernetes/blob/f557e0f7e3ee9089769ed3f03187fdd4acbb9ac1/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go

func MatchSPKIFingerprints

func MatchSPKIFingerprints(fingerprints ...Fingerprint) func(tls.ConnectionState) error

MatchSPKIFingerprints can be installed as the tls.Config.VerifyConnection handler to reject a connection whose peer certificates do not match any of the given fingerprints.

func NewECDSACSRAndIdentity

func NewECDSACSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)

NewECDSACSRAndIdentity generates a PEM encoded identity (PEMEncodedCertificateAndKey) along with a CSR for the generated ECDSA key.

func NewEd25519CSRAndIdentity

func NewEd25519CSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)

NewEd25519CSRAndIdentity generates a PEM encoded identity (PEMEncodedCertificateAndKey) along with a CSR for the generated Ed25519 key.

func NewRSACSRAndIdentity

func NewRSACSRAndIdentity(setters ...Option) (*CertificateSigningRequest, *PEMEncodedCertificateAndKey, error)

NewRSACSRAndIdentity generates a PEM encoded identity (PEMEncodedCertificateAndKey) along with a CSR for the generated RSA key.

func NewSerialNumber

func NewSerialNumber() (*big.Int, error)

NewSerialNumber generates a random serial number for an X.509 certificate.

Types

type Certificate

type Certificate struct {
	X509Certificate    *x509.Certificate
	X509CertificatePEM []byte
}

Certificate represents an X.509 certificate.

func NewCertificateFromCSR

func NewCertificateFromCSR(ca *x509.Certificate, key interface{}, csr *x509.CertificateRequest, setters ...Option) (*Certificate, error)

NewCertificateFromCSR creates and signs X.509 certificate using the provided CSR.

func NewCertificateFromCSRBytes

func NewCertificateFromCSRBytes(ca, key, csr []byte, setters ...Option) (*Certificate, error)

NewCertificateFromCSRBytes is the byte-slice form of NewCertificateFromCSR: it parses the CA certificate, CA key and CSR from the given bytes and returns the signed certificate.

type CertificateAuthority

type CertificateAuthority struct {
	Crt    *x509.Certificate
	CrtPEM []byte
	Key    interface{}
	KeyPEM []byte
}

CertificateAuthority represents a CA.

func ECDSACertificateAuthority

func ECDSACertificateAuthority(template *x509.Certificate) (*CertificateAuthority, error)

ECDSACertificateAuthority creates an ECDSA CA.

func Ed25519CertificateAuthority

func Ed25519CertificateAuthority(template *x509.Certificate) (*CertificateAuthority, error)

Ed25519CertificateAuthority creates an Ed25519 CA.

func NewCertificateAuthorityFromCertificateAndKey

func NewCertificateAuthorityFromCertificateAndKey(p *PEMEncodedCertificateAndKey) (*CertificateAuthority, error)

NewCertificateAuthorityFromCertificateAndKey builds CertificateAuthority from PEMEncodedCertificateAndKey.

func NewSelfSignedCertificateAuthority

func NewSelfSignedCertificateAuthority(setters ...Option) (*CertificateAuthority, error)

NewSelfSignedCertificateAuthority creates a self-signed CA configured for server and client authentication.

func RSACertificateAuthority

func RSACertificateAuthority(template *x509.Certificate, opts *Options) (*CertificateAuthority, error)

RSACertificateAuthority creates an RSA CA.

type CertificateSigningRequest

type CertificateSigningRequest struct {
	X509CertificateRequest    *x509.CertificateRequest
	X509CertificateRequestPEM []byte
}

CertificateSigningRequest represents a CSR.

func NewCertificateSigningRequest

func NewCertificateSigningRequest(key interface{}, setters ...Option) (*CertificateSigningRequest, error)

NewCertificateSigningRequest creates a CSR. If the IPAddresses or DNSNames options are not specified, the CSR will be generated with the default values set in NewDefaultOptions.

type ECDSAKey

type ECDSAKey struct {
	KeyPEM       []byte
	PublicKeyPEM []byte
	// contains filtered or unexported fields
}

ECDSAKey represents an ECDSA key.

func NewECDSAKey

func NewECDSAKey() (*ECDSAKey, error)

NewECDSAKey generates an ECDSA key pair.

func (*ECDSAKey) GetPrivateKeyPEM

func (k *ECDSAKey) GetPrivateKeyPEM() []byte

GetPrivateKeyPEM implements Key interface.

func (*ECDSAKey) GetPublicKeyPEM

func (k *ECDSAKey) GetPublicKeyPEM() []byte

GetPublicKeyPEM implements Key interface.

type Ed25519Key

type Ed25519Key struct {
	PublicKey     ed25519.PublicKey
	PrivateKey    ed25519.PrivateKey
	PublicKeyPEM  []byte
	PrivateKeyPEM []byte
}

Ed25519Key represents an Ed25519 key.

func NewEd25519Key

func NewEd25519Key() (*Ed25519Key, error)

NewEd25519Key generates an Ed25519 key pair.

func (*Ed25519Key) GetPrivateKeyPEM

func (k *Ed25519Key) GetPrivateKeyPEM() []byte

GetPrivateKeyPEM implements Key interface.

func (*Ed25519Key) GetPublicKeyPEM

func (k *Ed25519Key) GetPublicKeyPEM() []byte

GetPublicKeyPEM implements Key interface.

type Fingerprint

type Fingerprint []byte

Fingerprint represents SPKI certificate fingerprint.

func ParseFingerprint

func ParseFingerprint(s string) (Fingerprint, error)

ParseFingerprint parses string representation of the fingerprint.

func SPKIFingerprint

func SPKIFingerprint(cert *x509.Certificate) Fingerprint

SPKIFingerprint computes SPKI certificate fingerprint.

func SPKIFingerprintFromDER

func SPKIFingerprintFromDER(certDER []byte) (Fingerprint, error)

SPKIFingerprintFromDER computes the SPKI certificate fingerprint from the ASN.1 DER representation of the x509 certificate.

func SPKIFingerprintFromPEM

func SPKIFingerprintFromPEM(certPEM []byte) (Fingerprint, error)

SPKIFingerprintFromPEM computes the SPKI certificate fingerprint from the PEM representation of the x509 certificate.

func (Fingerprint) Equal

func (f Fingerprint) Equal(other Fingerprint) bool

Equal checks whether two Fingerprints match.

func (Fingerprint) String

func (f Fingerprint) String() string
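The Hash, SPKIFingerprint, ParseFingerprint and MatchSPKIFingerprints entries above describe SPKI pinning: hash the DER-encoded SubjectPublicKeyInfo, store the digest, and refuse any TLS peer whose certificate does not carry a pinned key. As an added example, not code from this package, the following standard-library-only program re-implements that flow end to end. The hex encoding, the constant-time comparison, the function and variable names, and the throw-away self-signed Ed25519 certificates are this example's assumptions, not statements about the package's internals.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 digest of a certificate's DER SubjectPublicKeyInfo.
type Fingerprint []byte

// SPKIFingerprint hashes only the SPKI, so the pin survives renewals that keep the key pair.
func SPKIFingerprint(cert *x509.Certificate) Fingerprint {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return sum[:]
}

// String renders the fingerprint as lowercase hex (assumed storage form for this example).
func (f Fingerprint) String() string { return hex.EncodeToString(f) }

// Equal compares in constant time so the comparison leaks nothing about which bytes matched.
func (f Fingerprint) Equal(other Fingerprint) bool { return subtle.ConstantTimeCompare(f, other) == 1 }

// ParseFingerprint accepts the hex form produced by String and enforces the digest length.
func ParseFingerprint(s string) (Fingerprint, error) {
	b, err := hex.DecodeString(s)
	if err != nil {
		return nil, err
	}
	if len(b) != sha256.Size {
		return nil, fmt.Errorf("fingerprint must be %d bytes, got %d", sha256.Size, len(b))
	}
	return Fingerprint(b), nil
}

// MatchSPKIFingerprints builds a tls.Config.VerifyConnection callback that fails the
// handshake unless some peer certificate's SPKI hash is in the pinned set.
func MatchSPKIFingerprints(fingerprints ...Fingerprint) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return errors.New("peer presented no certificates")
		}
		for _, cert := range cs.PeerCertificates {
			got := SPKIFingerprint(cert)
			for _, want := range fingerprints {
				if got.Equal(want) {
					return nil
				}
			}
		}
		return errors.New("no peer certificate matches a pinned SPKI fingerprint")
	}
}

// newSelfSigned builds a throw-away self-signed Ed25519 certificate (constructed demo input).
func newSelfSigned(cn string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PinningDemo pins one certificate's SPKI (round-tripped through its hex form) and reports
// whether the pinned peer is accepted and an unrelated peer is rejected.
func PinningDemo() (bool, bool, error) {
	pinned, err := newSelfSigned("pinned-peer")
	if err != nil {
		return false, false, err
	}
	impostor, err := newSelfSigned("impostor")
	if err != nil {
		return false, false, err
	}
	pin, err := ParseFingerprint(SPKIFingerprint(pinned).String())
	if err != nil {
		return false, false, err
	}
	verify := MatchSPKIFingerprints(pin)
	okErr := verify(tls.ConnectionState{PeerCertificates: []*x509.Certificate{pinned}})
	badErr := verify(tls.ConnectionState{PeerCertificates: []*x509.Certificate{impostor}})
	return okErr == nil, badErr != nil, nil
}
```

PinningDemo is the entry point. When the pin is meant to replace CA validation (for example, bootstrapping against a node whose CA is not yet trusted), set InsecureSkipVerify: true in the tls.Config alongside VerifyConnection: crypto/tls still populates PeerCertificates and still calls the callback on every handshake, so the pin becomes the sole check. Without InsecureSkipVerify the pin is enforced in addition to normal chain verification.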

type Key

type Key interface {
	GetPrivateKeyPEM() []byte
	GetPublicKeyPEM() []byte
}

Key is a common interface implemented by RSAKey, ECDSAKey and Ed25519Key.

type KeyPair

type KeyPair struct {
	*tls.Certificate

	CrtPEM []byte
	KeyPEM []byte
}

KeyPair represents a certificate and key pair.

func NewKeyPair

func NewKeyPair(ca *CertificateAuthority, setters ...Option) (*KeyPair, error)

NewKeyPair generates a certificate signed by the provided CA, and a private key. The certificate and private key are then used to create a tls.X509KeyPair.

type Option

type Option func(*Options)

Option is the functional option func.

func Bits

func Bits(o int) Option

Bits sets the bit size of the RSA key pair.

func CommonName

func CommonName(o string) Option

CommonName sets the common name of the certificate.

func DNSNames

func DNSNames(o []string) Option

DNSNames sets the DNS names in the Subject Alternative Name extension of the certificate.

func ECDSA

func ECDSA(o bool) Option

ECDSA sets a flag indicating that the requested operation should use ECDSA instead of the default Ed25519.

func ECDSASHA512

func ECDSASHA512(o bool) Option

ECDSASHA512 sets a flag indicating that the requested operation should use ECDSA with SHA-512 instead of the default Ed25519.

Note: this is only used for compatibility with previous version of the library, new code should always use ECDSA(true).

func ExtKeyUsage

func ExtKeyUsage(o []x509.ExtKeyUsage) Option

ExtKeyUsage sets the extended key usages of the certificate (x509.ExtKeyUsage* constants).

func IPAddresses

func IPAddresses(o []net.IP) Option

IPAddresses sets the IP addresses in the Subject Alternative Name extension of the certificate.

func KeyUsage

func KeyUsage(o x509.KeyUsage) Option

KeyUsage sets the key usage bitmap of the certificate (x509.KeyUsage* constants).

func NotAfter

func NotAfter(o time.Time) Option

NotAfter sets the validity bound describing when a certificate expires.

func NotBefore

func NotBefore(o time.Time) Option

NotBefore sets the validity bound describing when a certificate becomes valid.

func Organization

func Organization(o ...string) Option

Organization sets the subject organizations of the certificate.

func OverrideSubject

func OverrideSubject(f func(*pkix.Name)) Option

OverrideSubject sets the option to override fields in the certificate subject when signing a CSR.
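The CA, CSR and signing functions on this page (NewSelfSignedCertificateAuthority, NewCertificateSigningRequest, NewCertificateFromCSR, NewSerialNumber) together with the OverrideSubject, KeyUsage, ExtKeyUsage and DNSNames options describe one procedure: a requester proves possession of a key with a CSR, and the CA decides the subject, validity, usages and SANs. As an added example, not this package's code, the following standard-library program carries that procedure through and verifies the result. The function names (NewSelfSignedCA, SignCSR, issue, IssueDemo), the 128-bit serial width, the one-hour lifetime, the hard-coded SAN and the "os:admin"/"os:reader" organizations are constructed for the example; the page does not state which values the package itself uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewSerialNumber draws a random positive 128-bit serial: unpredictable, no counter to persist, within RFC 5280's 20-octet cap.
func NewSerialNumber() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// issue assigns a fresh serial, signs tmpl with the CA key and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub any, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	serial, err := NewSerialNumber()
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSelfSignedCA creates an Ed25519 CA constrained to signing (IsCA, BasicConstraintsValid, KeyUsageCertSign).
func NewSelfSignedCA(cn string, lifetime time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	crt, err := issue(tmpl, tmpl, pub, priv)
	return crt, priv, err
}

// SignCSR issues a client certificate from a DER CSR: it verifies the CSR's self-signature (proof of
// key possession), rewrites the requested subject via overrideSubject, and sets validity, usages and
// SANs from CA policy rather than copying them from the request.
func SignCSR(caCrt *x509.Certificate, caKey ed25519.PrivateKey, csrDER []byte, overrideSubject func(*pkix.Name), lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	subject := csr.Subject
	overrideSubject(&subject)
	return issue(&x509.Certificate{
		Subject:     subject,
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		DNSNames:    []string{"worker-1.example.internal"}, // CA policy, deliberately not csr.DNSNames
	}, caCrt, csr.PublicKey, caKey)
}

// IssueDemo: the requester asks for O=os:admin, the CA forces O=os:reader, and the issued
// certificate is chain-verified against the CA for client authentication.
func IssueDemo() (*x509.Certificate, error) {
	caCrt, caKey, err := NewSelfSignedCA("demo-ca", 24*time.Hour)
	if err != nil {
		return nil, err
	}
	reqKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // requester key type differs from the CA's
	if err != nil {
		return nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "worker-1", Organization: []string{"os:admin"}},
	}, reqKey)
	if err != nil {
		return nil, err
	}
	crt, err := SignCSR(caCrt, caKey, csrDER, func(n *pkix.Name) { n.Organization = []string{"os:reader"} }, time.Hour)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCrt)
	_, err = crt.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return crt, err
}
```

IssueDemo is the entry point; a main that prints crt.Subject and crt.SerialNumber is all that is needed to run it. The two checks worth keeping from this example are csr.CheckSignature before signing (a CSR whose signature does not verify proves nothing about who holds the key) and the subject override: when subject fields map to authorization, as with Organization used for role membership, the CA must decide them, not the requester.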

func RSA

func RSA(o bool) Option

RSA sets a flag indicating that the requested operation should use RSA with SHA-512 instead of the default Ed25519.

func SignatureAlgorithm

func SignatureAlgorithm(o x509.SignatureAlgorithm) Option

SignatureAlgorithm sets the signature algorithm (key type and hash) used to sign the X.509 certificate.

type Options

type Options struct {
	CommonName         string
	Organizations      []string
	SignatureAlgorithm x509.SignatureAlgorithm
	IPAddresses        []net.IP
	DNSNames           []string
	Bits               int
	NotAfter           time.Time
	NotBefore          time.Time
	KeyUsage           x509.KeyUsage
	ExtKeyUsage        []x509.ExtKeyUsage

	// Used with CSR signing process to override fields in the certificate subject.
	OverrideSubject func(*pkix.Name)
}

Options is the functional options struct.

func NewDefaultOptions

func NewDefaultOptions(setters ...Option) *Options

NewDefaultOptions initializes the Options struct with default values.

type PEMEncodedCertificate added in v0.4.3

type PEMEncodedCertificate struct {
	Crt []byte `json:"Crt"`
}

PEMEncodedCertificate represents a PEM encoded certificate.

func (*PEMEncodedCertificate) DeepCopy added in v0.4.3

func (p *PEMEncodedCertificate) DeepCopy() *PEMEncodedCertificate

DeepCopy implements DeepCopy interface.

func (*PEMEncodedCertificate) DeepCopyInto added in v0.4.3

func (p *PEMEncodedCertificate) DeepCopyInto(out *PEMEncodedCertificate)

DeepCopyInto implements DeepCopy interface.

func (*PEMEncodedCertificate) GetCert added in v0.4.3

func (p *PEMEncodedCertificate) GetCert() (*x509.Certificate, error)

GetCert parses PEM-encoded certificate as x509.Certificate.

func (*PEMEncodedCertificate) MarshalYAML added in v0.4.3

func (p *PEMEncodedCertificate) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface for PEMEncodedCertificate. It is expected that the Crt is a base64 encoded string in the YAML file. This function encodes the byte slices into strings.

func (*PEMEncodedCertificate) UnmarshalYAML added in v0.4.3

func (p *PEMEncodedCertificate) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedCertificate. It is expected that the Crt is a base64 encoded string in the YAML file. This function decodes the string into a byte slice.

type PEMEncodedCertificateAndKey

type PEMEncodedCertificateAndKey struct {
	Crt []byte `json:"Crt"`
	Key []byte `json:"Key"`
}

PEMEncodedCertificateAndKey represents a PEM encoded certificate and private key pair.

func NewCertficateAndKey deprecated

func NewCertficateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (*PEMEncodedCertificateAndKey, error)

NewCertficateAndKey is NewCertificateAndKey with a typo in the name.

Deprecated: use NewCertificateAndKey instead.

func NewCertificateAndKey

func NewCertificateAndKey(crt *x509.Certificate, key interface{}, setters ...Option) (*PEMEncodedCertificateAndKey, error)

NewCertificateAndKey generates a new key and certificate signed by a CA.

func NewCertificateAndKeyFromCertificateAuthority

func NewCertificateAndKeyFromCertificateAuthority(ca *CertificateAuthority) *PEMEncodedCertificateAndKey

NewCertificateAndKeyFromCertificateAuthority initializes and returns a PEMEncodedCertificateAndKey from the CertificateAuthority.

func NewCertificateAndKeyFromFiles

func NewCertificateAndKeyFromFiles(crt, key string) (*PEMEncodedCertificateAndKey, error)

NewCertificateAndKeyFromFiles initializes and returns a PEMEncodedCertificateAndKey from the path to a crt and key.

func NewCertificateAndKeyFromKeyPair

func NewCertificateAndKeyFromKeyPair(keyPair *KeyPair) *PEMEncodedCertificateAndKey

NewCertificateAndKeyFromKeyPair initializes and returns a PEMEncodedCertificateAndKey from the KeyPair.

func (*PEMEncodedCertificateAndKey) DeepCopy

func (p *PEMEncodedCertificateAndKey) DeepCopy() *PEMEncodedCertificateAndKey

DeepCopy implements DeepCopy interface.

func (*PEMEncodedCertificateAndKey) DeepCopyInto

func (p *PEMEncodedCertificateAndKey) DeepCopyInto(out *PEMEncodedCertificateAndKey)

DeepCopyInto implements DeepCopy interface.

func (*PEMEncodedCertificateAndKey) GetCert

func (p *PEMEncodedCertificateAndKey) GetCert() (*x509.Certificate, error)

GetCert parses PEM-encoded certificate as x509.Certificate.

func (*PEMEncodedCertificateAndKey) GetECDSAKey

func (p *PEMEncodedCertificateAndKey) GetECDSAKey() (*ecdsa.PrivateKey, error)

GetECDSAKey parses PEM-encoded ECDSA key.

func (*PEMEncodedCertificateAndKey) GetEd25519Key

func (p *PEMEncodedCertificateAndKey) GetEd25519Key() (ed25519.PrivateKey, error)

GetEd25519Key parses PEM-encoded Ed25519 key.

func (*PEMEncodedCertificateAndKey) GetKey

func (p *PEMEncodedCertificateAndKey) GetKey() (interface{}, error)

GetKey parses either RSA or Ed25519 PEM-encoded key.

func (*PEMEncodedCertificateAndKey) GetRSAKey

func (p *PEMEncodedCertificateAndKey) GetRSAKey() (*rsa.PrivateKey, error)

GetRSAKey parses PEM-encoded RSA key.

func (*PEMEncodedCertificateAndKey) MarshalYAML

func (p *PEMEncodedCertificateAndKey) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface for PEMEncodedCertificateAndKey. It is expected that the Crt and Key are base64 encoded strings in the YAML file. This function encodes the byte slices into strings.

func (*PEMEncodedCertificateAndKey) UnmarshalYAML

func (p *PEMEncodedCertificateAndKey) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedCertificateAndKey. It is expected that the Crt and Key are base64 encoded strings in the YAML file. This function decodes the strings into byte slices.

type PEMEncodedKey

type PEMEncodedKey struct {
	Key []byte `json:"Key"`
}

PEMEncodedKey represents a PEM encoded private key.

func NewKeyFromFile added in v0.4.1

func NewKeyFromFile(keyPath string) (*PEMEncodedKey, error)

NewKeyFromFile loads a PEM-encoded key from a file.

func (*PEMEncodedKey) DeepCopy

func (p *PEMEncodedKey) DeepCopy() *PEMEncodedKey

DeepCopy implements DeepCopy interface.

func (*PEMEncodedKey) DeepCopyInto

func (p *PEMEncodedKey) DeepCopyInto(out *PEMEncodedKey)

DeepCopyInto implements DeepCopy interface.

func (*PEMEncodedKey) GetECDSAKey

func (p *PEMEncodedKey) GetECDSAKey() (*ECDSAKey, error)

GetECDSAKey parses PEM-encoded ECDSA key.

func (*PEMEncodedKey) GetEd25519Key

func (p *PEMEncodedKey) GetEd25519Key() (*Ed25519Key, error)

GetEd25519Key parses PEM-encoded Ed25519 key.

func (*PEMEncodedKey) GetKey

func (p *PEMEncodedKey) GetKey() (Key, error)

GetKey parses one of RSAKey, ECDSAKey or Ed25519Key.

func (*PEMEncodedKey) GetRSAKey

func (p *PEMEncodedKey) GetRSAKey() (*RSAKey, error)

GetRSAKey parses PEM-encoded RSA key.
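The PEM Block Header Types constants at the top of the page, together with GetKey, GetRSAKey, GetECDSAKey and GetEd25519Key, describe parsing a private key by its PEM label. As an added example, not this package's code, the following standard-library program shows that dispatch with the checks a practitioner wants around it: rejecting encrypted legacy PEM, rejecting unknown labels, and rejecting a label whose payload decodes as a different key type. The choice of DER encodings (PKCS#1 for RSA, SEC 1 for EC, PKCS#8 for Ed25519) and the names ParsePrivateKeyPEM, EncodePrivateKeyPEM and RoundTripDemo are this example's assumptions; the page does not state which encodings the package uses.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// PEM block types for private keys, as listed on this page. The DER encodings are assumed here.
const (
	PEMTypeRSAPrivate     = "RSA PRIVATE KEY"     // PKCS#1
	PEMTypeECPrivate      = "EC PRIVATE KEY"      // SEC 1
	PEMTypeEd25519Private = "ED25519 PRIVATE KEY" // PKCS#8
)

// ParsePrivateKeyPEM dispatches on the PEM label instead of trying every parser, and rejects
// encrypted legacy PEM and a label that does not match the payload.
func ParsePrivateKeyPEM(data []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if _, encrypted := block.Headers["DEK-Info"]; encrypted {
		return nil, errors.New("encrypted PEM private keys are not supported")
	}
	switch block.Type {
	case PEMTypeRSAPrivate:
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case PEMTypeECPrivate:
		return x509.ParseECPrivateKey(block.Bytes)
	case PEMTypeEd25519Private:
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		ed, ok := k.(ed25519.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("block labelled %q holds a %T", block.Type, k)
		}
		return ed, nil
	default:
		return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
}

// EncodePrivateKeyPEM writes a key with the label ParsePrivateKeyPEM expects for its type.
func EncodePrivateKeyPEM(key crypto.Signer) ([]byte, error) {
	switch k := key.(type) {
	case *rsa.PrivateKey:
		return pem.EncodeToMemory(&pem.Block{Type: PEMTypeRSAPrivate, Bytes: x509.MarshalPKCS1PrivateKey(k)}), nil
	case *ecdsa.PrivateKey:
		der, err := x509.MarshalECPrivateKey(k)
		if err != nil {
			return nil, err
		}
		return pem.EncodeToMemory(&pem.Block{Type: PEMTypeECPrivate, Bytes: der}), nil
	case ed25519.PrivateKey:
		der, err := x509.MarshalPKCS8PrivateKey(k)
		if err != nil {
			return nil, err
		}
		return pem.EncodeToMemory(&pem.Block{Type: PEMTypeEd25519Private, Bytes: der}), nil
	default:
		return nil, fmt.Errorf("unsupported key type %T", key)
	}
}

// RoundTripDemo generates one key of each kind, encodes and re-parses it, and returns the Go
// types recovered (RSA, ECDSA, Ed25519 in that order).
func RoundTripDemo() ([]string, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	var types []string
	for _, k := range []crypto.Signer{rsaKey, ecKey, edKey} {
		pemBytes, err := EncodePrivateKeyPEM(k)
		if err != nil {
			return nil, err
		}
		parsed, err := ParsePrivateKeyPEM(pemBytes)
		if err != nil {
			return nil, err
		}
		types = append(types, fmt.Sprintf("%T", parsed))
	}
	return types, nil
}
```

Dispatching on the label keeps the error messages honest: an RSA block handed to the EC parser fails with an ASN.1 error that says nothing about the real problem, whereas "unsupported PEM type" or "block labelled ... holds a ..." points straight at a mislabelled or tampered file.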

func (*PEMEncodedKey) MarshalYAML

func (p *PEMEncodedKey) MarshalYAML() (interface{}, error)

MarshalYAML implements the yaml.Marshaler interface for PEMEncodedKey. It is expected that the Key is a base64 encoded string in the YAML file. This function encodes the byte slice into a string.

func (*PEMEncodedKey) UnmarshalYAML

func (p *PEMEncodedKey) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements the yaml.Unmarshaler interface for PEMEncodedKey. It is expected that the Key is a base64 encoded string in the YAML file. This function decodes the strings into byte slices.
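The Redacted constant near the top of the page and the MarshalYAML/UnmarshalYAML methods of PEMEncodedKey and PEMEncodedCertificateAndKey together describe one encoding rule: a private key is written to YAML as base64, except that a key whose bytes are exactly the Redacted sentinel is written literally. As an added example, not this package's code, the following standard-library program implements that rule for a PEMEncodedKey-shaped type and shows both directions. The yaml library is not imported; scalarUnmarshal is a stand-in for the decoder's unmarshal callback, and the sample PEM bytes in the test are constructed. How the real package treats a near-miss such as "***" is not stated on the page; the behaviour below (reject it as invalid base64) is this example's choice.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// Redacted marks a private key that has been stripped from a config.
const Redacted = "******"

// PEMEncodedKey holds a PEM private key as raw bytes.
type PEMEncodedKey struct {
	Key []byte
}

// MarshalYAML returns the YAML scalar: base64 of the PEM bytes, or the literal Redacted
// sentinel, so a redacted config stays visibly redacted instead of carrying a base64 blob.
func (p *PEMEncodedKey) MarshalYAML() (interface{}, error) {
	if string(p.Key) == Redacted {
		return Redacted, nil
	}
	return base64.StdEncoding.EncodeToString(p.Key), nil
}

// UnmarshalYAML accepts the same two forms. A redacted value is kept as the sentinel bytes
// (base64-decoding "******" would fail), so a later PEM parse fails loudly rather than with garbage.
func (p *PEMEncodedKey) UnmarshalYAML(unmarshal func(interface{}) error) error {
	var s string
	if err := unmarshal(&s); err != nil {
		return err
	}
	if s == Redacted {
		p.Key = []byte(Redacted)
		return nil
	}
	decoded, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return fmt.Errorf("key is neither base64 nor %q: %w", Redacted, err)
	}
	p.Key = decoded
	return nil
}

// scalarUnmarshal stands in for the yaml decoder (assumed shape for this example): it hands
// the scalar v to whatever *string target UnmarshalYAML asks for.
func scalarUnmarshal(v string) func(interface{}) error {
	return func(out interface{}) error {
		s, ok := out.(*string)
		if !ok {
			return errors.New("expected a *string target")
		}
		*s = v
		return nil
	}
}

// RoundTrip marshals key, feeds the scalar back through UnmarshalYAML and returns
// (marshaled scalar, recovered bytes).
func RoundTrip(key []byte) (string, []byte, error) {
	in := &PEMEncodedKey{Key: key}
	v, err := in.MarshalYAML()
	if err != nil {
		return "", nil, err
	}
	scalar := v.(string)
	var out PEMEncodedKey
	if err := out.UnmarshalYAML(scalarUnmarshal(scalar)); err != nil {
		return "", nil, err
	}
	return scalar, out.Key, nil
}
```

The exact-match rule matters operationally: a tool that prints a config with the key replaced by Redacted can have that output fed back in without the decoder either failing on the sentinel or silently turning it into a bogus key.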

type RSAKey

type RSAKey struct {
	KeyPEM       []byte
	PublicKeyPEM []byte
	// contains filtered or unexported fields
}

RSAKey represents an RSA key.

func NewRSAKey

func NewRSAKey() (*RSAKey, error)

NewRSAKey generates an RSA key pair.

func (*RSAKey) GetPrivateKeyPEM

func (k *RSAKey) GetPrivateKeyPEM() []byte

GetPrivateKeyPEM implements Key interface.

func (*RSAKey) GetPublicKeyPEM

func (k *RSAKey) GetPublicKeyPEM() []byte

GetPublicKeyPEM implements Key interface.
