Documentation ¶
Overview ¶
Package certlib contains the implementation of the custom certification library. The purpose of the library is to parse and generate Staex custom certificates, which will be used in different tools (e.g. bootstrapping a new node or processing CSRs). The library implements methods to create a certificate, create a certificate signing request (CSR), sign a CSR, validate a certificate signature and renew certificates. It also allows the caller to get metadata such as the expiration date of the certificate and the permissions on it. Signatures are Ed25519 signatures, i.e. EdDSA over the Curve25519 family of curves (the twisted Edwards curve edwards25519), computed with the Go implementation of the scheme in golang.org/x/crypto/ed25519, which since Go 1.13 wraps the standard library's crypto/ed25519: https://godoc.org/golang.org/x/crypto/ed25519. The permissions are contained in a single byte. Apart from the bit test in HavePermissions, the library does not validate nor interpret this field; it simply reads and stores it, and it is up to the library user to interpret and enforce it.
Index ¶
- Constants
- Variables
- func EncodeBase64PrivateKey(privateKey []byte) string
- func ExtractSignature(data []byte) ([]byte, []byte, error)
- func ParsePrivateKey(data []byte) ([]byte, error)
- func ParsePrivateKeyBase64(privKey string) ([]byte, error)
- func SodiumInit() error
- type Certificate
- type CertificateContainer
- func (c *CertificateContainer) Encode() []byte
- func (c *CertificateContainer) EncodeBase64() string
- func (c CertificateContainer) Expiry() time.Time
- func (c *CertificateContainer) HavePermissions(perm Permission) bool
- func (c *CertificateContainer) IsValid(ca Certificate) bool
- func (c *CertificateContainer) Label() string
- func (c *CertificateContainer) Permissions() Permission
- func (c *CertificateContainer) PublicKey() []byte
- func (c *CertificateContainer) SharedSecret(privateKey, pubKey []byte) (*Secret, error)
- func (c *CertificateContainer) SharedSecretCert(privateKey []byte, certificate Certificate) (*Secret, error)
- func (c *CertificateContainer) SignCertRequest(privateKey []byte, cert CertificateRequest, expiry time.Time) (Certificate, error)
- func (c *CertificateContainer) SignData(privateKey []byte, data []byte) ([]byte, error)
- func (c *CertificateContainer) Signature() []byte
- func (c *CertificateContainer) VerifyDataSignature(message []byte, signature []byte) (bool, error)
- func (c *CertificateContainer) VerifySignedData(data []byte) (bool, error)
- type CertificateData
- type CertificateRequest
- type Permission
- type Request
- type RequestData
- type Secret
Constants ¶
const (
	// LabelSize represents the size of the label of a certificate
	LabelSize = 30
	// CertificateSize represents the size of an encoded certificate:
	// the certificate request data plus the issuer's signature
	CertificateSize = certificateRequestSize + certlib_ed25519.SignatureSize
	// PrivateKeySize represents the size of the private key of a certificate
	PrivateKeySize = certlib_ed25519.PrivateKeySize
)
const (
	GetValuesPermission Permission = 1
	AddValuesPermission            = 2
	RegisterServicesPermission     = 4
	LookupServicesPermission       = 8
	OpenChannelsPermission         = 16
	RelayPermission                = 32
	AllPermissions                 = 255
)
Each permission is a single bit of the Permission byte, so several can be combined with a bitwise OR (e.g. GetValuesPermission|LookupServicesPermission) and tested together with HavePermissions. Note that only GetValuesPermission is declared with the Permission type; the remaining constants are untyped integer constants, which Go converts to Permission implicitly wherever a Permission is expected.
Variables ¶
var ErrDataTooShort = errors.New("data to process is too short")
ErrDataTooShort is the predefined error returned when the given data is equal to or shorter than the size of the signature.
var ErrExpired = errors.New("certificate has expired")
ErrExpired is the predefined error returned when the expiration date provided in the request is in the past.
var ErrInvalidData = errors.New("data has wrong length")
ErrInvalidData is the predefined error returned when provided data is of wrong length.
var ErrInvalidExpDate = errors.New("expiration date must be in future")
ErrInvalidExpDate is the predefined error returned when the expiration date provided is in the past.
var ErrInvalidLabelSize = errors.New("label has an incorrect size")
ErrInvalidLabelSize is the predefined error returned when the label has an incorrect size.
var ErrInvalidSignatureSize = errors.New("signature has an incorrect size")
ErrInvalidSignatureSize is the predefined error returned when the signature has an incorrect size.
var ErrNoData = errors.New("no data to process")
ErrNoData is the predefined error returned when provided data is empty.
var ErrNoPrivateKey = errors.New("no private key")
ErrNoPrivateKey is the predefined error returned when there is no private key included in the request.
var ErrPrivKeyInvalidLen = errors.New("private key has invalid length")
ErrPrivKeyInvalidLen is the predefined error returned when the private key has an invalid length.
Functions ¶
func EncodeBase64PrivateKey ¶
func EncodeBase64PrivateKey(privateKey []byte) string
EncodeBase64PrivateKey encodes the private key as a base64 string.
func ExtractSignature ¶
func ExtractSignature(data []byte) ([]byte, []byte, error)
ExtractSignature separates a signed data block into the message and the trailing signature and returns them in that order.
func ParsePrivateKey ¶
func ParsePrivateKey(data []byte) ([]byte, error)
func ParsePrivateKeyBase64 ¶
func ParsePrivateKeyBase64(privKey string) ([]byte, error)
ParsePrivateKeyBase64 parses the given private key encoded as a base64 string.
func SodiumInit ¶
func SodiumInit() error
Types ¶
type Certificate ¶
type Certificate interface {
	// PublicKey returns the public key of this certificate.
	PublicKey() []byte
	// Expiry returns the expiry date of this certificate.
	Expiry() time.Time
	// Permissions returns the permissions of this certificate.
	Permissions() Permission
	// Signature returns the signature of this certificate (the signature of the CA that issued this cert).
	Signature() []byte
	// SignData signs a data block and appends the signature at the end.
	SignData(privateKey []byte, data []byte) ([]byte, error)
	// VerifySignedData verifies that the signature of a data block is valid and was done by this certificate.
	VerifySignedData(data []byte) (bool, error)
	// VerifyDataSignature verifies that the signature is valid for the message and was done by this certificate.
	VerifyDataSignature(message []byte, signature []byte) (bool, error)
	// SignCertRequest signs the given request and returns a certificate with the given expiration date
	// and the public key and permissions provided in the request.
	SignCertRequest(privateKey []byte, cert CertificateRequest, expiry time.Time) (Certificate, error)
	// Encode encodes the certificate in its binary format.
	Encode() []byte
	// EncodeBase64 encodes the certificate as a base64 string.
	EncodeBase64() string
	// IsValid checks that this certificate's signature is valid and was done by the given CA.
	IsValid(ca Certificate) bool
	SharedSecretCert(privateKey []byte, certificate Certificate) (*Secret, error)
	SharedSecret(privateKey []byte, pubKey []byte) (*Secret, error)
	// HavePermissions checks if the certificate has the provided permissions. It is possible to check multiple
	// permissions by applying logical OR on Permissions.
	HavePermissions(perm Permission) bool
	// Label returns the string representation of the label of this certificate.
	Label() string
}
Certificate represents a certificate, with its public key, permissions and expiry.
func ComposeCertificate ¶
func ComposeCertificate(pubKey []byte, perms Permission, exp uint32, sig []byte, label string) (Certificate, error)
ComposeCertificate creates a certificate struct from given public key, permissions, expiration date, signature and label.
func ParseCert ¶
func ParseCert(data []byte) (Certificate, error)
ParseCert will parse the given certificate in binary format.
func ParseCertBase64 ¶
func ParseCertBase64(cert string) (Certificate, error)
ParseCertBase64 will parse the given certificate encoded in base64 string
type CertificateContainer ¶
type CertificateContainer struct {
// contains filtered or unexported fields
}
CertificateContainer is a struct to instantiate certificate fields and it implements the Certificate interface methods.
func (*CertificateContainer) Encode ¶
func (c *CertificateContainer) Encode() []byte
Encode encodes the certificate in its binary format.
func (*CertificateContainer) EncodeBase64 ¶
func (c *CertificateContainer) EncodeBase64() string
EncodeBase64 encodes the certificate as a base64 string.
func (CertificateContainer) Expiry ¶
func (c CertificateContainer) Expiry() time.Time
Expiry returns the expiry date of the Certificate.
func (*CertificateContainer) HavePermissions ¶
func (c *CertificateContainer) HavePermissions(perm Permission) bool
HavePermissions checks if the certificate has the provided permissions. It is possible to check multiple permissions at once by combining them with a logical OR.
func (*CertificateContainer) IsValid ¶
func (c *CertificateContainer) IsValid(ca Certificate) bool
IsValid checks that this certificate's signature is valid and was done by the given CA. As described, this covers the signature only; callers that need freshness or rights must also consult Expiry and HavePermissions.
func (*CertificateContainer) Label ¶
func (c *CertificateContainer) Label() string
Label returns string representation of the label of the Certificate.
func (*CertificateContainer) Permissions ¶
func (c *CertificateContainer) Permissions() Permission
Permissions returns the permissions granted in this Certificate.
func (*CertificateContainer) PublicKey ¶
func (c *CertificateContainer) PublicKey() []byte
PublicKey returns the public key of the Certificate.
func (*CertificateContainer) SharedSecret ¶
func (c *CertificateContainer) SharedSecret(privateKey, pubKey []byte) (*Secret, error)
SharedSecret converts the provided ed25519 private key and ed25519 public key to curve25519 keys and returns their product privateKey*pubKey (the X25519 shared secret), where privateKey is the private key belonging to c and pubKey is the peer's public key.
func (*CertificateContainer) SharedSecretCert ¶
func (c *CertificateContainer) SharedSecretCert(privateKey []byte, certificate Certificate) (*Secret, error)
SharedSecretCert converts the provided ed25519 private key and the ed25519 public key of certificate to curve25519 keys and returns their product privateKey*PublicKey (the X25519 shared secret), i.e. the secret shared between c and certificate.
func (*CertificateContainer) SignCertRequest ¶
func (c *CertificateContainer) SignCertRequest(privateKey []byte, cert CertificateRequest, expiry time.Time) (Certificate, error)
SignCertRequest signs the given request with privateKey (the issuing CA's private key) and returns a certificate carrying the given expiration date together with the public key and permissions provided in the request.
func (*CertificateContainer) SignData ¶
func (c *CertificateContainer) SignData(privateKey []byte, data []byte) ([]byte, error)
SignData signs a data block and appends the signature at the end.
func (*CertificateContainer) Signature ¶
func (c *CertificateContainer) Signature() []byte
Signature returns the signature of the Certificate created by signing the contained data.
func (*CertificateContainer) VerifyDataSignature ¶
func (c *CertificateContainer) VerifyDataSignature(message []byte, signature []byte) (bool, error)
VerifyDataSignature verifies that the signature is valid for the message and was done by this certificate.
func (*CertificateContainer) VerifySignedData ¶
func (c *CertificateContainer) VerifySignedData(data []byte) (bool, error)
VerifySignedData verifies that the signature of a data block is valid and was done by this certificate. It calls ExtractSignature().
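The signed-blob layout that SignData, ExtractSignature and VerifySignedData describe, as an added example that is not certlib's own code: it is written against the standard-library crypto/ed25519 package, which golang.org/x/crypto/ed25519 wraps, and assumes only what the page states, namely that the signature is appended after the message and is always ed25519.SignatureSize bytes, and that a blob not longer than one signature is rejected, in the spirit of ErrDataTooShort. The names signAndAppend, extractSignature, verifySignedData and errDataTooShort are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// errDataTooShort plays the role of certlib.ErrDataTooShort: a signed blob must be
// strictly longer than one signature, so an empty message is rejected as well.
var errDataTooShort = errors.New("data to process is too short")

// signAndAppend signs data with an Ed25519 private key and returns data || signature,
// the layout SignData is documented to produce.
func signAndAppend(priv ed25519.PrivateKey, data []byte) []byte {
	sig := ed25519.Sign(priv, data)
	out := make([]byte, 0, len(data)+len(sig))
	out = append(out, data...)
	return append(out, sig...)
}

// extractSignature splits data || signature back into its parts. The signature is
// always the trailing ed25519.SignatureSize (64) bytes, whatever the message length.
func extractSignature(blob []byte) (msg, sig []byte, err error) {
	if len(blob) <= ed25519.SignatureSize {
		return nil, nil, errDataTooShort
	}
	cut := len(blob) - ed25519.SignatureSize
	return blob[:cut], blob[cut:], nil
}

// verifySignedData checks that blob was produced by signAndAppend with the private key
// matching pub. A malformed blob surfaces as an error, a bad signature as (false, nil),
// so callers can tell the two apart.
func verifySignedData(pub ed25519.PublicKey, blob []byte) (bool, error) {
	msg, sig, err := extractSignature(blob)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, msg, sig), nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte(`{"node":"node-01","op":"register"}`) // constructed sample message
	blob := signAndAppend(priv, payload)

	ok, err := verifySignedData(pub, blob)
	fmt.Println("genuine:", ok, err)

	blob[0] ^= 0x01 // flip one bit of the message
	ok, err = verifySignedData(pub, blob)
	fmt.Println("tampered:", ok, err)

	_, err = verifySignedData(pub, blob[len(blob)-ed25519.SignatureSize:]) // signature only
	fmt.Println("too short:", err)
}
```

Because the signature length is fixed, the split needs no framing; the `len(blob) <= SignatureSize` check is what stops a 64-byte blob from being read as an empty message plus signature, and it keeps a malformed input distinct from a verification failure, which a caller should log differently.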
type CertificateData ¶
type CertificateData struct {
	Cert Certificate
	// contains filtered or unexported fields
}
CertificateData is a struct to instantiate certificate data fields. Its goal is to keep the certificate and its private key in separate storage.
func NewSelfSignedCert ¶
func NewSelfSignedCert(permissions Permission, expiry time.Time, label string) (CertificateData, error)
NewSelfSignedCert creates a new certificate, together with its public and private keys and expiry, and finally signs the certificate with its own key. This is intended to be used as a CA or a test certificate. An error can be returned when the underlying platform does not support a cryptographically secure random number generator.
func (*CertificateData) PrivateKey ¶
func (cd *CertificateData) PrivateKey() ([]byte, error)
PrivateKey returns the private key of the Certificate. If this Certificate does not include a private key, it will return an error.
type CertificateRequest ¶
type CertificateRequest interface {
	// PublicKey returns the public key of the Certificate Request.
	PublicKey() []byte
	// Permissions returns the permissions requested in this Certificate Request.
	Permissions() Permission
	// Expiration returns the expiration date requested in this Certificate Request.
	Expiration() time.Time
	// Encode encodes the Certificate Request in binary format.
	Encode() []byte
	// EncodeBase64 encodes the Certificate Request as a base64 string.
	EncodeBase64() string
	// Label returns the string representation of the label of this Certificate Request.
	Label() string
}
CertificateRequest lists the methods a request must implement in order to be signed by the CA.
func ComposeRequest ¶
func ComposeRequest(pubKey []byte, perms Permission, expDate time.Time, label string) (CertificateRequest, error)
ComposeRequest creates a request from given keys, permissions, expiration date and label.
func ParseCertRequest ¶
func ParseCertRequest(data []byte) (CertificateRequest, error)
ParseCertRequest parses a certificate request in binary format.
func ParseCertRequestBase64 ¶
func ParseCertRequestBase64(cert string) (CertificateRequest, error)
ParseCertRequestBase64 parses the given request encoded as a base64 string.
type Permission ¶
type Permission uint8
type Request ¶
type Request struct {
// contains filtered or unexported fields
}
Request is a struct to instantiate certificate request fields and it implements the methods of the CertificateRequest interface.
func (*Request) EncodeBase64 ¶
func (r *Request) EncodeBase64() string
EncodeBase64 encodes the request as a base64 string.
func (*Request) Expiration ¶
func (r *Request) Expiration() time.Time
Expiration returns the expiration date requested in this Certificate Request.
func (*Request) Label ¶
func (r *Request) Label() string
Label returns the string representation of the label of the Certificate Request.
func (*Request) Permissions ¶
func (r *Request) Permissions() Permission
Permissions returns the permissions requested in this Certificate Request.
type RequestData ¶
type RequestData struct {
	Request CertificateRequest
	// contains filtered or unexported fields
}
RequestData is a struct to instantiate certificate request data fields. The RequestData may or may not include a private key.
func NewCertRequest ¶
func NewCertRequest(perms Permission, expiry time.Time, label string) (RequestData, error)
NewCertRequest generates a new certificate request, generating its public and private key pair as well, and adds the requested permissions and expiration date to it. An error can be returned by the ed25519 library, e.g. when the platform does not support a cryptographically secure random number generator.
func (*RequestData) PrivateKey ¶
func (r *RequestData) PrivateKey() ([]byte, error)
PrivateKey returns the private key of the Certificate Request. If this Certificate Request does not include a private key, it will return an error.