certgen

package

v1.8.2 Latest Latest Go to latest Published: Mar 12, 2021 License: Apache-2.0 Imports: 20 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/sidgod/keymaster

Links

Open Source Insights

Documentation ¶

Overview ¶

Package certgen id set of utilities used to generate ssh certificates

Index ¶

func ComputePublicKeyKeyID(PublicKey interface{}) ([]byte, error)
func GenIPRestrictedX509Cert(userName string, userPub interface{}, caCert *x509.Certificate, ...) ([]byte, error)
func GenSSHCertFileString(username string, userPubKey string, signer ssh.Signer, host_identity string, ...) (certString string, cert ssh.Certificate, err error)
func GenSSHCertFileStringFromSSSDPublicKey(userName string, signer ssh.Signer, hostIdentity string, ...) (certString string, cert ssh.Certificate, err error)
func GenSelfSignedCACert(commonName string, organization string, caPriv crypto.Signer) ([]byte, error)
func GenUserX509Cert(userName string, userPub interface{}, caCert *x509.Certificate, ...) ([]byte, error)
func GetSignerFromPEMBytes(privateKey []byte) (crypto.Signer, error)
func GetUserPubKeyFromSSSD(username string) (string, error)
func ValidatePublicKeyStrength(pub interface{}) (bool, error)
func VerifyIPRestrictedX509CertIP(userCert *x509.Certificate, remoteAddr string) (bool, error)
type IpAdressFamily
type KRB5PrincipalName
type KerberosPrincipal
type PKInitSANAnotherName

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ComputePublicKeyKeyID ¶ added in v1.5.1

func ComputePublicKeyKeyID(PublicKey interface{}) ([]byte, error)

ComputePublicKeyKeyID computes the SHA-1 digest of a public Key

func GenIPRestrictedX509Cert ¶ added in v1.5.1

func GenIPRestrictedX509Cert(userName string, userPub interface{},
	caCert *x509.Certificate, caPriv crypto.Signer,
	ipv4Netblocks []net.IPNet, duration time.Duration,
	crlURL []string, OCPServer []string) ([]byte, error)

GenIPRestrictedX509Cert returns an x509 cert that has the username in the common name, with the allowed netyblocks specified

func GenSSHCertFileString ¶

func GenSSHCertFileString(username string, userPubKey string, signer ssh.Signer, host_identity string, duration time.Duration) (certString string, cert ssh.Certificate, err error)

gen_user_cert a username and key, returns a short lived cert for that user

func GenSSHCertFileStringFromSSSDPublicKey ¶

func GenSSHCertFileStringFromSSSDPublicKey(userName string, signer ssh.Signer, hostIdentity string, duration time.Duration) (certString string, cert ssh.Certificate, err error)

func GenSelfSignedCACert ¶

func GenSelfSignedCACert(commonName string, organization string, caPriv crypto.Signer) ([]byte, error)

return both an internal representation an the pem representation of the string As long as the issuer value matches THEN the serial number can be different every time

func GenUserX509Cert ¶

func GenUserX509Cert(userName string, userPub interface{},
	caCert *x509.Certificate, caPriv crypto.Signer,
	kerberosRealm *string, duration time.Duration,
	groups []string, organizations []string) ([]byte, error)

returns an x509 cert that has the username in the common name, optionally if a kerberos Realm is present it will also add a kerberos SAN exention for pkinit

func GetSignerFromPEMBytes ¶

func GetSignerFromPEMBytes(privateKey []byte) (crypto.Signer, error)

func GetUserPubKeyFromSSSD ¶

func GetUserPubKeyFromSSSD(username string) (string, error)

GetUserPubKeyFromSSSD user authorized keys content based on the running sssd configuration

func ValidatePublicKeyStrength ¶ added in v1.8.0

func ValidatePublicKeyStrength(pub interface{}) (bool, error)

ValidatePublicKeyStrenght checks if the "strength" of the key is good enough to be considered secure At this moment it checks for sizes of parameters only. For RSA it means bits>=2041 && exponent>=65537, For EC curves it means bitsize>=256. ec25519 is considered secure. All other public keys are not considered secure.

func VerifyIPRestrictedX509CertIP ¶ added in v1.5.1

func VerifyIPRestrictedX509CertIP(userCert *x509.Certificate, remoteAddr string) (bool, error)

VerifyIPRestrictedX509CertIP takes a x509 cert and verifies that it is valid given an incoming remote address. If the cert does not contain an IP restriction extension the verification is considered failed.

Types ¶

type IpAdressFamily ¶ added in v1.5.1

type IpAdressFamily struct {
	AddressFamily []byte
	Addresses     []asn1.BitString
}

type KRB5PrincipalName ¶

type KRB5PrincipalName struct {
	Realm     string            `asn1:"explicit,tag:0"`
	Principal KerberosPrincipal `asn1:"explicit,tag:1"`
}

From RFC 4556 section 3.2.2 (https://tools.ietf.org/html/rfc4556.html)

type KerberosPrincipal ¶

type KerberosPrincipal struct {
	Len       int      `asn1:"explicit,tag:0"`
	Principal []string `asn1:"explicit,tag:1"`
}

From RFC 4120 section 5.2.2 (https://tools.ietf.org/html/rfc4120)

type PKInitSANAnotherName ¶

type PKInitSANAnotherName struct {
	Id    asn1.ObjectIdentifier
	Value KRB5PrincipalName `asn1:"explicit,tag:0"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL