Index ¶
- Variables
- func EncodedFingerprint(cert *x509.Certificate, encoding FingerprintEncoding) string
- func Fingerprint(cert *x509.Certificate) string
- func GenerateDefaultKeyPair(p Profile) error
- func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)
- func ReadCertPool(path string) (*x509.CertPool, error)
- func SplitSANs(sans []string) (dnsNames []string, ips []net.IP, emails []string, uris []*url.URL)
- type ASN1DN
- type CipherSuites
- type FingerprintEncoding
- type Identity
- type Intermediate
- func (b *Intermediate) AddExtension(ext pkix.Extension)
- func (b *Intermediate) CreateCertificate() ([]byte, error)
- func (b *Intermediate) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (i *Intermediate) DefaultDuration() time.Duration
- func (b *Intermediate) GenerateDefaultKeyPair() error
- func (b *Intermediate) GenerateKeyPair(kty, crv string, size int) error
- func (b *Intermediate) Issuer() *x509.Certificate
- func (b *Intermediate) RemoveExtension(oid asn1.ObjectIdentifier)
- func (b *Intermediate) SetIssuer(iss *x509.Certificate)
- func (b *Intermediate) SetIssuerPrivateKey(priv interface{})
- func (b *Intermediate) SetSubject(sub *x509.Certificate)
- func (b *Intermediate) SetSubjectPrivateKey(priv interface{})
- func (b *Intermediate) SetSubjectPublicKey(pub interface{})
- func (b *Intermediate) Subject() *x509.Certificate
- func (b *Intermediate) SubjectPrivateKey() interface{}
- func (b *Intermediate) SubjectPublicKey() interface{}
- type Leaf
- func (b *Leaf) AddExtension(ext pkix.Extension)
- func (b *Leaf) CreateCertificate() ([]byte, error)
- func (b *Leaf) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (b *Leaf) DefaultDuration() time.Duration
- func (b *Leaf) GenerateDefaultKeyPair() error
- func (b *Leaf) GenerateKeyPair(kty, crv string, size int) error
- func (b *Leaf) Issuer() *x509.Certificate
- func (b *Leaf) RemoveExtension(oid asn1.ObjectIdentifier)
- func (b *Leaf) SetIssuer(iss *x509.Certificate)
- func (b *Leaf) SetIssuerPrivateKey(priv interface{})
- func (b *Leaf) SetSubject(sub *x509.Certificate)
- func (b *Leaf) SetSubjectPrivateKey(priv interface{})
- func (b *Leaf) SetSubjectPublicKey(pub interface{})
- func (b *Leaf) Subject() *x509.Certificate
- func (b *Leaf) SubjectPrivateKey() interface{}
- func (b *Leaf) SubjectPublicKey() interface{}
- type Profile
- func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv crypto.PrivateKey, ...) (Profile, error)
- func NewLeafProfile(cn string, iss *x509.Certificate, issPriv crypto.PrivateKey, ...) (Profile, error)
- func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv crypto.PrivateKey, ...) (Profile, error)
- func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv crypto.PrivateKey, ...) (Profile, error)
- func NewRootProfile(name string, withOps ...WithOption) (Profile, error)
- func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (Profile, error)
- func NewSelfSignedLeafProfile(cn string, withOps ...WithOption) (Profile, error)
- type Root
- func (b *Root) AddExtension(ext pkix.Extension)
- func (b *Root) CreateCertificate() ([]byte, error)
- func (b *Root) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (r *Root) DefaultDuration() time.Duration
- func (b *Root) GenerateDefaultKeyPair() error
- func (b *Root) GenerateKeyPair(kty, crv string, size int) error
- func (b *Root) Issuer() *x509.Certificate
- func (b *Root) RemoveExtension(oid asn1.ObjectIdentifier)
- func (b *Root) SetIssuer(iss *x509.Certificate)
- func (b *Root) SetIssuerPrivateKey(priv interface{})
- func (b *Root) SetSubject(sub *x509.Certificate)
- func (b *Root) SetSubjectPrivateKey(priv interface{})
- func (b *Root) SetSubjectPublicKey(pub interface{})
- func (b *Root) Subject() *x509.Certificate
- func (b *Root) SubjectPrivateKey() interface{}
- func (b *Root) SubjectPublicKey() interface{}
- type TLSVersion
- type WithOption
- func GenerateKeyPair(kty, crv string, size int) WithOption
- func WithCTPoison() WithOption
- func WithDNSNames(dns []string) WithOption
- func WithEmailAddresses(emails []string) WithOption
- func WithHosts(hosts string) WithOption
- func WithIPAddresses(ips []net.IP) WithOption
- func WithIssuer(iss pkix.Name) WithOption
- func WithNotBeforeAfterDuration(nb, na time.Time, d time.Duration) WithOption
- func WithPublicKey(pub interface{}) WithOption
- func WithSANs(sans []string) WithOption
- func WithSubject(sub pkix.Name) WithOption
- func WithURIs(uris []*url.URL) WithOption
Variables ¶
var (
	// DefaultCertValidity is the minimum validity of an end-entity (not root or intermediate) certificate.
	DefaultCertValidity = 24 * time.Hour

	// DefaultTLSMinVersion is the default minimum version of TLS.
	DefaultTLSMinVersion = TLSVersion(1.2)

	// DefaultTLSMaxVersion is the default maximum version of TLS.
	// NOTE(review): min and max both default to 1.2, so TLS 1.3 is only
	// offered if a caller raises the maximum — confirm this is intended.
	DefaultTLSMaxVersion = TLSVersion(1.2)

	// DefaultTLSRenegotiation is the default TLS connection renegotiation policy.
	DefaultTLSRenegotiation = false // Never renegotiate.

	// DefaultTLSCipherSuites specifies the default step ciphersuite(s).
	// Both defaults are ECDHE/ECDSA AEAD suites; no RSA or CBC suites are
	// enabled unless a caller opts in.
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	}

	// ApprovedTLSCipherSuites lists the smallstep approved ciphersuites.
	// Every entry uses an ECDHE key exchange; the list is wider than the
	// default above in that it also admits RSA-signed and CBC-mode suites.
	ApprovedTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	}
)
var DefaultIntermediateCertValidity = time.Hour * 24 * 365 * 10
DefaultIntermediateCertValidity is the default validity of an intermediate certificate in the step PKI.
var DefaultRootCertValidity = time.Hour * 24 * 365 * 10
DefaultRootCertValidity is the default validity of a root certificate in the step PKI.
Functions ¶
func EncodedFingerprint ¶ added in v0.15.0
func EncodedFingerprint(cert *x509.Certificate, encoding FingerprintEncoding) string
EncodedFingerprint returns the SHA-256 fingerprint of the certificate, encoded according to the given encoding. Defaults to hex encoding.
func Fingerprint ¶ added in v0.9.0
func Fingerprint(cert *x509.Certificate) string
Fingerprint returns the SHA-256 fingerprint of the certificate.
func GenerateDefaultKeyPair ¶ added in v0.8.3
GenerateDefaultKeyPair generates a new public/private key pair using the default values and sets them in the given profile.
func LoadCSRFromBytes ¶
func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)
LoadCSRFromBytes loads a CSR from its ASN.1 DER encoding.
func ReadCertPool ¶
ReadCertPool loads a certificate pool from disk. *path*: a file, a directory, or a comma-separated list of files.
Types ¶
type ASN1DN ¶
// ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer
// x509 Certificate blocks. Every field has a json tag (omitted from JSON
// when empty) and a step tag naming the attribute.
type ASN1DN struct {
	Country            string `json:"country,omitempty" step:"country"`
	Organization       string `json:"organization,omitempty" step:"organization"`
	OrganizationalUnit string `json:"organizationalUnit,omitempty" step:"organizationalUnit"`
	Locality           string `json:"locality,omitempty" step:"locality"`
	Province           string `json:"province,omitempty" step:"province"`
	StreetAddress      string `json:"streetAddress,omitempty" step:"streetAddress"`
	CommonName         string `json:"commonName,omitempty" step:"commonName"`
}
ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.
type CipherSuites ¶
type CipherSuites []string
CipherSuites represents an array of string codes representing the cipher suites.
func (CipherSuites) Validate ¶
func (c CipherSuites) Validate() error
Validate implements models.Validator and checks that a cipher suite is valid.
func (CipherSuites) Value ¶
func (c CipherSuites) Value() []uint16
Value returns an []uint16 for the cipher suites.
type FingerprintEncoding ¶ added in v0.15.0
type FingerprintEncoding int
FingerprintEncoding represents the fingerprint encoding type.
const (
	// HexFingerprint represents hex encoding of fingerprint.
	// It is the zero value of FingerprintEncoding and therefore the default.
	HexFingerprint FingerprintEncoding = iota
	// Base64Fingerprint represents base64 encoding of fingerprint.
	Base64Fingerprint
	// Base64URLFingerprint represents base64URL encoding of fingerprint.
	Base64URLFingerprint
)
type Identity ¶
// Identity contains a public/private x509 certificate/key pair.
type Identity struct {
	// Crt is the public certificate.
	Crt *x509.Certificate
	// Key is the private key, held as an opaque value; its concrete type
	// is not constrained here.
	Key interface{}
}
Identity contains a public/private x509 certificate/key pair.
func LoadIdentityFromDisk ¶
LoadIdentityFromDisk loads a public certificate and private key (both in PEM format) from disk.
func NewIdentity ¶
func NewIdentity(c *x509.Certificate, k interface{}) *Identity
NewIdentity returns a new Identity.
type Intermediate ¶
type Intermediate struct {
// contains filtered or unexported fields
}
Intermediate implements the Profile for an intermediate certificate.
func (*Intermediate) AddExtension ¶ added in v0.14.0
func (*Intermediate) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Intermediate) CreateWriteCertificate ¶
CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.
func (*Intermediate) DefaultDuration ¶ added in v0.8.1
func (i *Intermediate) DefaultDuration() time.Duration
DefaultDuration returns the default Intermediate Certificate duration.
func (*Intermediate) GenerateDefaultKeyPair ¶
func (b *Intermediate) GenerateDefaultKeyPair() error
func (*Intermediate) GenerateKeyPair ¶
func (*Intermediate) Issuer ¶
func (b *Intermediate) Issuer() *x509.Certificate
func (*Intermediate) RemoveExtension ¶ added in v0.14.0
func (b *Intermediate) RemoveExtension(oid asn1.ObjectIdentifier)
func (*Intermediate) SetIssuer ¶
func (b *Intermediate) SetIssuer(iss *x509.Certificate)
func (*Intermediate) SetIssuerPrivateKey ¶
func (b *Intermediate) SetIssuerPrivateKey(priv interface{})
func (*Intermediate) SetSubject ¶
func (b *Intermediate) SetSubject(sub *x509.Certificate)
func (*Intermediate) SetSubjectPrivateKey ¶
func (b *Intermediate) SetSubjectPrivateKey(priv interface{})
func (*Intermediate) SetSubjectPublicKey ¶
func (b *Intermediate) SetSubjectPublicKey(pub interface{})
func (*Intermediate) Subject ¶
func (b *Intermediate) Subject() *x509.Certificate
func (*Intermediate) SubjectPrivateKey ¶
func (b *Intermediate) SubjectPrivateKey() interface{}
func (*Intermediate) SubjectPublicKey ¶
func (b *Intermediate) SubjectPublicKey() interface{}
type Leaf ¶
type Leaf struct {
// contains filtered or unexported fields
}
Leaf implements the Profile for a leaf certificate.
func (*Leaf) AddExtension ¶ added in v0.14.0
func (*Leaf) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Leaf) CreateWriteCertificate ¶
CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.
func (*Leaf) DefaultDuration ¶ added in v0.8.1
func (*Leaf) GenerateDefaultKeyPair ¶
func (b *Leaf) GenerateDefaultKeyPair() error
func (*Leaf) GenerateKeyPair ¶
func (*Leaf) Issuer ¶
func (b *Leaf) Issuer() *x509.Certificate
func (*Leaf) RemoveExtension ¶ added in v0.14.0
func (b *Leaf) RemoveExtension(oid asn1.ObjectIdentifier)
func (*Leaf) SetIssuer ¶
func (b *Leaf) SetIssuer(iss *x509.Certificate)
func (*Leaf) SetIssuerPrivateKey ¶
func (b *Leaf) SetIssuerPrivateKey(priv interface{})
func (*Leaf) SetSubject ¶
func (b *Leaf) SetSubject(sub *x509.Certificate)
func (*Leaf) SetSubjectPrivateKey ¶
func (b *Leaf) SetSubjectPrivateKey(priv interface{})
func (*Leaf) SetSubjectPublicKey ¶
func (b *Leaf) SetSubjectPublicKey(pub interface{})
func (*Leaf) Subject ¶
func (b *Leaf) Subject() *x509.Certificate
func (*Leaf) SubjectPrivateKey ¶
func (b *Leaf) SubjectPrivateKey() interface{}
func (*Leaf) SubjectPublicKey ¶
func (b *Leaf) SubjectPublicKey() interface{}
type Profile ¶
// Profile is an interface that certificate profiles (e.g. leaf,
// intermediate, root) must implement.
type Profile interface {
	// Issuer and Subject return the issuer and subject certificates.
	Issuer() *x509.Certificate
	Subject() *x509.Certificate
	// SubjectPrivateKey and SubjectPublicKey return the subject's key
	// material as opaque values.
	SubjectPrivateKey() interface{}
	SubjectPublicKey() interface{}
	SetIssuer(*x509.Certificate)
	SetSubject(*x509.Certificate)
	SetSubjectPrivateKey(interface{})
	SetSubjectPublicKey(interface{})
	SetIssuerPrivateKey(interface{})
	// CreateCertificate creates an x509 certificate using the configuration
	// stored in the profile and returns its DER bytes.
	CreateCertificate() ([]byte, error)
	// GenerateKeyPair generates a key pair of the given type, curve and size.
	GenerateKeyPair(string, string, int) error
	// DefaultDuration returns the default certificate duration for the profile.
	DefaultDuration() time.Duration
	// CreateWriteCertificate creates the certificate and writes the
	// certificate and private key to crtOut and keyOut; pass is used for
	// the key file.
	CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
	// AddExtension and RemoveExtension manage the certificate's extensions.
	AddExtension(pkix.Extension)
	RemoveExtension(asn1.ObjectIdentifier)
}
Profile is an interface that certificate profiles (e.g. leaf, intermediate, root) must implement.
func NewIntermediateProfile ¶
func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)
NewIntermediateProfile returns a new intermediate x509 Certificate profile.
func NewLeafProfile ¶
func NewLeafProfile(cn string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)
NewLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.
func NewLeafProfileWithCSR ¶
func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)
NewLeafProfileWithCSR returns a new leaf x509 Certificate Profile with Subject Certificate fields populated directly from the CSR. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the CSR.
func NewLeafProfileWithTemplate ¶
func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)
NewLeafProfileWithTemplate returns a new leaf x509 Certificate Profile with Subject Certificate set to the value of the template argument. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the Subject Certificate parameter.
func NewRootProfile ¶
func NewRootProfile(name string, withOps ...WithOption) (Profile, error)
NewRootProfile returns a new root x509 Certificate profile.
func NewRootProfileWithTemplate ¶
func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (Profile, error)
NewRootProfileWithTemplate returns a new root x509 Certificate profile.
func NewSelfSignedLeafProfile ¶ added in v0.11.0
func NewSelfSignedLeafProfile(cn string, withOps ...WithOption) (Profile, error)
NewSelfSignedLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.
type Root ¶
type Root struct {
// contains filtered or unexported fields
}
Root implements the Profile for a root certificate.
func (*Root) AddExtension ¶ added in v0.14.0
func (*Root) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Root) CreateWriteCertificate ¶
CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.
func (*Root) DefaultDuration ¶ added in v0.8.1
DefaultDuration returns the default Root Certificate duration.
func (*Root) GenerateDefaultKeyPair ¶
func (b *Root) GenerateDefaultKeyPair() error
func (*Root) GenerateKeyPair ¶
func (*Root) Issuer ¶
func (b *Root) Issuer() *x509.Certificate
func (*Root) RemoveExtension ¶ added in v0.14.0
func (b *Root) RemoveExtension(oid asn1.ObjectIdentifier)
func (*Root) SetIssuer ¶
func (b *Root) SetIssuer(iss *x509.Certificate)
func (*Root) SetIssuerPrivateKey ¶
func (b *Root) SetIssuerPrivateKey(priv interface{})
func (*Root) SetSubject ¶
func (b *Root) SetSubject(sub *x509.Certificate)
func (*Root) SetSubjectPrivateKey ¶
func (b *Root) SetSubjectPrivateKey(priv interface{})
func (*Root) SetSubjectPublicKey ¶
func (b *Root) SetSubjectPublicKey(pub interface{})
func (*Root) Subject ¶
func (b *Root) Subject() *x509.Certificate
func (*Root) SubjectPrivateKey ¶
func (b *Root) SubjectPrivateKey() interface{}
func (*Root) SubjectPublicKey ¶
func (b *Root) SubjectPublicKey() interface{}
type TLSVersion ¶
type TLSVersion float64
TLSVersion represents a TLS version number.
func (TLSVersion) String ¶
func (v TLSVersion) String() string
String returns the Go constant for the TLSVersion.
func (TLSVersion) Validate ¶
func (v TLSVersion) Validate() error
Validate implements models.Validator and checks that the TLS version is valid.
func (TLSVersion) Value ¶
func (v TLSVersion) Value() uint16
Value returns the Go constant for the TLSVersion.
type WithOption ¶
WithOption is a modifier function applied to the base profile.
func GenerateKeyPair ¶
func GenerateKeyPair(kty, crv string, size int) WithOption
GenerateKeyPair returns a Profile modifier that generates a public/private key pair for a profile.
func WithCTPoison ¶ added in v0.14.0
func WithCTPoison() WithOption
WithCTPoison returns a Profile modifier that adds the CT poison extension defined in RFC6962.
func WithDNSNames ¶ added in v0.8.4
func WithDNSNames(dns []string) WithOption
WithDNSNames returns a Profile modifier which sets the DNS Names that will be bound to the subject alternative name extension of the Certificate.
func WithEmailAddresses ¶ added in v0.11.0
func WithEmailAddresses(emails []string) WithOption
WithEmailAddresses returns a Profile modifier which sets the Email Addresses that will be bound to the subject alternative name extension of the Certificate.
func WithHosts ¶
func WithHosts(hosts string) WithOption
WithHosts returns a Profile modifier which sets the DNS Names and IP Addresses that will be bound to the subject Certificate.
`hosts` should be a comma separated string of DNS Names and IP Addresses. e.g. `127.0.0.1,internal.smallstep.com,blog.smallstep.com,1.1.1.1`.
func WithIPAddresses ¶ added in v0.8.4
func WithIPAddresses(ips []net.IP) WithOption
WithIPAddresses returns a Profile modifier which sets the IP Addresses that will be bound to the subject alternative name extension of the Certificate.
func WithIssuer ¶
func WithIssuer(iss pkix.Name) WithOption
WithIssuer returns a Profile modifier that sets the Issuer for an x509 Certificate.
func WithNotBeforeAfterDuration ¶ added in v0.8.1
func WithNotBeforeAfterDuration(nb, na time.Time, d time.Duration) WithOption
WithNotBeforeAfterDuration returns a Profile modifier that sets the `NotBefore` and `NotAfter` attributes of the subject x509 Certificate.
func WithPublicKey ¶
func WithPublicKey(pub interface{}) WithOption
WithPublicKey returns a Profile modifier that sets the public key for a profile.
func WithSANs ¶ added in v0.14.5
func WithSANs(sans []string) WithOption
WithSANs returns a profile modifier which sets the dnsNames, emailAddresses, ipAddresses, and URIs attributes of the Certificate.
func WithSubject ¶
func WithSubject(sub pkix.Name) WithOption
WithSubject returns a Profile modifier that sets the Subject for an x509 Certificate.
func WithURIs ¶ added in v0.14.5
func WithURIs(uris []*url.URL) WithOption
WithURIs returns a Profile modifier which sets the URIs that will be bound to the subject alternative name extension of the Certificate.