x509pop

package


Constants

const (

	// PluginName is the name under which the X.509 Proof of Possession
	// plugin is registered; it is also the first path element of
	// DefaultAgentPathTemplate.
	PluginName = "x509pop"
)

Variables

// DefaultAgentPathTemplate is the default agent path template. It builds the
// agent path from the plugin name and the certificate fingerprint, so each
// attested certificate maps to a distinct agent ID. MustParse panics on a
// malformed template, which is acceptable here because the template is a
// package-level constant evaluated at init.
var DefaultAgentPathTemplate = agentpathtemplate.MustParse("/{{ .PluginName }}/{{ .Fingerprint }}")

DefaultAgentPathTemplate is the default agent path template, built from the plugin name and the certificate fingerprint.

Functions

func Fingerprint

func Fingerprint(cert *x509.Certificate) string

func MakeAgentID added in v1.2.0

func MakeAgentID(td spiffeid.TrustDomain, agentPathTemplate *agentpathtemplate.Template, cert *x509.Certificate) (spiffeid.ID, error)

MakeAgentID creates an agent ID from X.509 certificate data.

func SerialNumberHex added in v1.7.1

func SerialNumberHex(serialNumber *big.Int) string

SerialNumberHex returns a certificate serial number represented as lowercase hexadecimal with an even number of characters.

func VerifyChallengeResponse

func VerifyChallengeResponse(publicKey any, challenge *Challenge, response *Response) error

func VerifyECDSASignatureResponse

func VerifyECDSASignatureResponse(publicKey *ecdsa.PublicKey, challenge *ECDSASignatureChallenge, response *ECDSASignatureResponse) error

func VerifyRSASignatureResponse

func VerifyRSASignatureResponse(publicKey *rsa.PublicKey, challenge *RSASignatureChallenge, response *RSASignatureResponse) error

Types

type AttestationData

// AttestationData is the data the attesting node presents: the DER-encoded
// certificate chain whose leaf holds the key that must later prove possession
// via the challenge/response exchange.
type AttestationData struct {
	// DER encoded x509 certificate chain leading back to the trusted root. The
	// leaf certificate comes first.
	//
	// NOTE(review): this chain is supplied by the untrusted attester; it is
	// presumably validated against the configured trust bundle before any
	// challenge is issued — confirm in the server-side plugin.
	Certificates [][]byte `json:"certificates"`
}

type Challenge

// Challenge is the proof-of-possession challenge sent to the attesting node.
// It carries one variant per supported key algorithm; presumably only the
// variant matching the leaf certificate's public key is populated by
// GenerateChallenge — confirm against its implementation.
type Challenge struct {
	// RSASignature is set when the certificate carries an RSA public key.
	RSASignature   *RSASignatureChallenge   `json:"rsa_signature"`
	// ECDSASignature is set when the certificate carries an ECDSA public key.
	ECDSASignature *ECDSASignatureChallenge `json:"ecdsa_signature"`
}

func GenerateChallenge

func GenerateChallenge(cert *x509.Certificate) (*Challenge, error)

type ECDSASignatureChallenge

// ECDSASignatureChallenge is the challenge issued to a node whose certificate
// carries an ECDSA public key. The challenger's nonce is what binds the
// response to this particular exchange.
type ECDSASignatureChallenge struct {
	// Nonce is the nonce generated by the challenger.
	Nonce []byte `json:"nonce"`
}

func GenerateECDSASignatureChallenge

func GenerateECDSASignatureChallenge() (*ECDSASignatureChallenge, error)

type ECDSASignatureResponse

// ECDSASignatureResponse is the node's answer to an ECDSASignatureChallenge.
// The signature covers the challenger's and responder's nonces combined, so
// the verifier must re-derive the signed message from the nonce it issued,
// not from data in this struct alone.
type ECDSASignatureResponse struct {
	// Nonce is the nonce generated by the responder.
	//
	// NOTE(review): this value is attacker-controlled; the verifier should
	// reconstruct the signed message using its own stored challenge nonce
	// plus this one — confirm in VerifyECDSASignatureResponse.
	Nonce []byte `json:"nonce"`

	// R value of the ECDSA signature of the combined challenger and responder
	// nonces.
	R []byte `json:"r"`

	// S value of the ECDSA signature of the combined challenger and responder
	// nonces.
	S []byte `json:"s"`
}

func CalculateECDSASignatureResponse

func CalculateECDSASignatureResponse(privateKey *ecdsa.PrivateKey, challenge *ECDSASignatureChallenge) (*ECDSASignatureResponse, error)

type RSASignatureChallenge

// RSASignatureChallenge is the challenge issued to a node whose certificate
// carries an RSA public key. The challenger's nonce binds the response to
// this particular exchange.
type RSASignatureChallenge struct {
	// Nonce is the nonce generated by the challenger.
	Nonce []byte `json:"nonce"`
}

func GenerateRSASignatureChallenge

func GenerateRSASignatureChallenge() (*RSASignatureChallenge, error)

type RSASignatureResponse

// RSASignatureResponse is the node's answer to an RSASignatureChallenge. The
// signature covers the challenger's and responder's nonces combined, so the
// verifier must re-derive the signed message from the nonce it issued rather
// than trusting this struct alone.
type RSASignatureResponse struct {
	// Nonce is the nonce generated by the responder.
	//
	// NOTE(review): attacker-controlled; the verifier should combine its own
	// stored challenge nonce with this one before checking the signature —
	// confirm in VerifyRSASignatureResponse.
	Nonce []byte `json:"nonce"`

	// Signature is the RSA signature of the combined challenger and responder
	// nonces.
	Signature []byte `json:"signature"`
}

func CalculateRSASignatureResponse

func CalculateRSASignatureResponse(privateKey *rsa.PrivateKey, challenge *RSASignatureChallenge) (*RSASignatureResponse, error)

type Response

// Response is the node's answer to a Challenge. It mirrors Challenge with one
// variant per supported key algorithm; presumably only the variant matching
// the challenge that was issued is populated — confirm against
// CalculateResponse and VerifyChallengeResponse.
type Response struct {
	// RSASignature answers an RSASignatureChallenge.
	RSASignature   *RSASignatureResponse   `json:"rsa_signature"`
	// ECDSASignature answers an ECDSASignatureChallenge.
	ECDSASignature *ECDSASignatureResponse `json:"ecdsa_signature"`
}

func CalculateResponse

func CalculateResponse(privateKey any, challenge *Challenge) (*Response, error)
