cki

package
v0.0.0-...-c94e5b3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 16, 2023 License: MIT Imports: 27 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	//PEMCertHeader PEM block header for certificates
	PEMCertHeader = "OCS CERTIFICATE"
	//PEMPrivKeyHeader PEM block header for private keys
	PEMPrivKeyHeader = "OCS PRIVATE KEY"
	//PEMEncPrivKeyHeader PEM block header for encrypted private keys
	PEMEncPrivKeyHeader = "OCS ENCRYPTED PRIVATE KEY"
)
View Source 
const (
	//UnknownTrust represents an unknown or incomplete state of trust
	UnknownTrust = iota
	//NotTrusted represents a explicitly untrusted certificate
	NotTrusted
	//IndirectlyTrusted represents a certificate which is not immediate trusted, but is trusted by another certificate the system trusts (WOT)
	IndirectlyTrusted
	//Trusted represents a certificate the system trusts, but not a certificate the immediate system created
	Trusted
	//UltimatelyTrusted represents a certificate the system that the local system has created
	UltimatelyTrusted
)

Variables

View Source 
var (
	//ErrAlreadySigned already signed by this key
	ErrAlreadySigned = errors.New("already signed by this key")
	//ErrNoMatchingSignatures no matching signatures
	ErrNoMatchingSignatures = errors.New("no matching signatures")
	//ErrTooManySignatures too many signatures
	ErrTooManySignatures = errors.New("too many signatures")
	//ErrUnknownPEMType unknown PEM block header type
	ErrUnknownPEMType = errors.New("unknown PEM block header type")
)
View Source 
var (
	//ErrUntrustedCertificate when a certificate is untrusted explicitly
	ErrUntrustedCertificate = errors.New("certificate is not trusted")
	//ErrRevoked when a certificate either immediately or in the chain is revoked
	ErrRevoked = errors.New("certificate has been marked as revoked")
)
View Source 
var (
	//ErrUnknownKeyAlgorithm unknown key algorithm
	ErrUnknownKeyAlgorithm = errors.New("unknown key algorithm")
)

Functions

func GenerateCRYSTALSDilithiumKey 

func GenerateCRYSTALSDilithiumKey(level int) (*CRYSTALSDilithiumPublic, *CRYSTALSDilithiumPrivate, error)

GenerateCRYSTALSDilithiumKey generates a CRYSTALS Dilithium key pair at the given security of 2, 3 or 5

func GenerateECKey 

func GenerateECKey(a Algorithm) (*SecpPublicKey, *SecpPrivateKey, error)

GenerateECKey generates a new private/public key from a given accepted OCS curve based algorithm

func GenerateEd25519Key 

func GenerateEd25519Key() (Ed25519Public, *Ed25519Private, error)

GenerateEd25519Key generates a new Ed25519 based public/private key

func GenerateRSAKey 

func GenerateRSAKey(bits int) (*RSAPublicKey, *RSAPrivateKey, error)

GenerateRSAKey generates a new RSA public/private key

func MarshalEncryptedPrivateKey 

func MarshalEncryptedPrivateKey(pk PrivateKey, key []byte) ([]byte, error)

MarshalEncryptedPrivateKey encodes and encryps a private key with AES-256-GCM

func MarshalPEMPrivateKey 

func MarshalPEMPrivateKey(d []byte) []byte

MarshalPEMPrivateKey encodes a private key to PEM format

func MarshalPEMRawPrivateKey 

func MarshalPEMRawPrivateKey(d []byte, w io.Writer, encrypted bool) error

MarshalPEMRawPrivateKey encodes a marshalled private key to PEM format

func MarshalPrivateKey 

func MarshalPrivateKey(pk PrivateKey) ([]byte, error)

MarshalPrivateKey encodes a private key into msgpack encoding

func MatchesSubject 

func MatchesSubject(c *Certificate, s string) error

func ParsePEMPrivateKey 

func ParsePEMPrivateKey(d []byte) ([]byte, error)

ParsePEMPrivateKey parses a non-encrypted PEM encoded file

Types

type Algorithm 

type Algorithm uint16

Algorithm available cryptographic algorithms 

const (
	//UnknownAlgo unknown or not set
	UnknownAlgo Algorithm = iota
	//ED25519 Ed25519/curve25519
	ED25519
	//ECDSAsecp256r1 secp256k1 or NIST P-256
	ECDSAsecp256r1
	//ECDSAsecp384r1 secp384r1 or NIST P-384
	ECDSAsecp384r1
	//RSA2048 RSA 2048 bits
	RSA2048
	//RSA4096 RSA 4096 bits
	RSA4096
	//CRYSTALS-DILITHIUM-2
	CRYSTALSDilithium2
	//CRYSTALS-DILITHIUM-3
	CRYSTALSDilithium3
	//CRYSTALS-DILITHIUM-5
	CRYSTALSDilithium5
)

func (Algorithm) String 

func (a Algorithm) String() string

type CRYSTALSDilithiumPrivate 

type CRYSTALSDilithiumPrivate struct {
	dilithium.PrivateKey
	// contains filtered or unexported fields
}

CRYSTALSDilithiumPrivate CRYSTALS Dilithium Private Key

func (*CRYSTALSDilithiumPrivate) Bytes 

func (sk *CRYSTALSDilithiumPrivate) Bytes() ([]byte, error)

Bytes return the packed CRYSTALS Dilithium private key

func (*CRYSTALSDilithiumPrivate) Public 

func (sk *CRYSTALSDilithiumPrivate) Public() PublicKey

func (*CRYSTALSDilithiumPrivate) Sign 

func (sk *CRYSTALSDilithiumPrivate) Sign(_ io.Reader, msg []byte, _ crypto.SignerOpts) ([]byte, error)

Sign signs then give message with the private key

type CRYSTALSDilithiumPublic 

type CRYSTALSDilithiumPublic struct {
	dilithium.PublicKey
	// contains filtered or unexported fields
}

CRYSTALSDilithiumPublic CRYSTALS Dilithium Public Key

func (*CRYSTALSDilithiumPublic) Bytes 

func (pk *CRYSTALSDilithiumPublic) Bytes() ([]byte, error)

Bytes return the packed publick key bytes

func (*CRYSTALSDilithiumPublic) Verify 

func (pk *CRYSTALSDilithiumPublic) Verify(msg []byte, sig []byte) bool

Verify verifies the given CRYSTALS Dilithium Signature using the public key and original message

type CertFinder 

type CertFinder interface {
	FindCertificate(id, ref []byte) (*Certificate, error)
}

CertFinder finds certificates from IDs

type CertPool 

type CertPool interface {
	CertFinder
	CertTrustStore
	CertRevokeChecker
}

CertPool provides a means of validating certificates

func SystemRootsPool 

func SystemRootsPool() CertPool

type CertRevokeChecker 

type CertRevokeChecker interface {
	IsRevoked(id []byte) error
}

CertRevokeChecker checks if a certificate is revoked by ID

type CertTrustStore 

type CertTrustStore interface {
	TrustLevel(id []byte) (TrustLevel, error)
}

CertTrustStore provides system trust levels on a given certificate by ID

type Certificate 

type Certificate struct {
	Raw        []byte          `msgpack:"-"`
	Version    uint8           `msgpack:"v"`
	CertType   CertificateType `msgpack:"t"`
	Algo       Algorithm       `msgpack:"a"`
	ID         []byte          `msgpack:"c"`
	IsCA       bool            `msgpack:"ca,omitempty"`
	PublicKey  []byte          `msgpack:"pk"`
	NotBefore  time.Time       `msgpack:"nb"`
	NotAfter   time.Time       `msgpack:"na"`
	Revoke     bool            `msgpack:"r,omitempty"`
	Subject    string          `msgpack:"sb"`
	Entity     *Entity         `msgpack:"e,omitempty"`
	Signatures []Signature     `msgpack:"s"`
	Extensions []Extension     `msgpack:"x,omitempty"`
	// contains filtered or unexported fields
}

Certificate an OCS certificate representation

func NewCertificate 

func NewCertificate(template Certificate, pub PublicKey, issuer *Certificate, priv PrivateKey) (*Certificate, error)

NewCertificate generates a new OCS certificate based on a template, a public certificate and a signing private certificate

The following template fields are preserved:

  • Subject
  • Entity and all child values
  • Revoked
  • NotAfter if is not zero and is not over 365 days in the future from the current time

func ParseCertificate 

func ParseCertificate(d []byte) (*Certificate, error)

ParseCertificate decodes a msgpack encoded certificate

func ParsePEMCertificate 

func ParsePEMCertificate(d []byte) (*Certificate, []byte, error)

ParsePEMCertificate parses a certificate from a PEM block format also returning the next PEM block if available

func (*Certificate) AddSignature 

func (cert *Certificate) AddSignature(issuer *Certificate, privk PrivateKey, pubRef []byte) error

AddSignature adds a new signature to the certificate

func (*Certificate) Bytes 

func (cert *Certificate) Bytes() ([]byte, error)

Bytes provides a raw msgpack encoded certificate

func (*Certificate) GetPublicKey 

func (cert *Certificate) GetPublicKey() (PublicKey, error)

GetPublicKey provides a parsed version of the certificates public key

func (*Certificate) Marshal 

func (cert *Certificate) Marshal() ([]byte, error)

Marshal returns the certificate in msgpack encoding

func (*Certificate) PEM 

func (cert *Certificate) PEM() ([]byte, error)

PEM encodes the certificate and the returned slice in a PEM block encoding

func (*Certificate) Verify 

func (c *Certificate) Verify(p CertPool) error

Verify verifies the certificates signators over a given cert pool

func (*Certificate) VerifySignatureOnly 

func (cert *Certificate) VerifySignatureOnly(pkID []byte, pubk PublicKey) error

VerifySignatureOnly verifies the only 1 signature exists and that that signature matches the given public key

type CertificateType 

type CertificateType uint8

CertificateType the type of certificate chain verifying/signing infrastructure 

const (
	//UnknownCertType unknown or not set
	UnknownCertType CertificateType = iota
	//PKI general single CA
	PKI
	//WOT Web of trust
	WOT
	//MultiPKI multiple CAs
	MultiPKI
)

func (CertificateType) String 

func (ct CertificateType) String() string

type ECDSASignature 

type ECDSASignature struct {
	Algo Algorithm `msgpack:"a"`
	R    []byte    `msgpack:"r"`
	S    []byte    `msgpack:"s"`
}

ECDSASignature representation of a unpacked ECDSA signature

func (*ECDSASignature) Marshal 

func (sig *ECDSASignature) Marshal() ([]byte, error)

Marshal encode the signature into msgpack encoding

func (*ECDSASignature) Unmarshal 

func (sig *ECDSASignature) Unmarshal(d []byte) error

Unmarshal deecode the signature from msgpack encoding

type Ed25519Private 

type Ed25519Private struct {
	// contains filtered or unexported fields
}

Ed25519Private wrapper of a Ed25519 pub/priv key

func (*Ed25519Private) Bytes 

func (ed *Ed25519Private) Bytes() ([]byte, error)

Bytes raw private key bytes

func (*Ed25519Private) Public 

func (ed *Ed25519Private) Public() PublicKey

Public provides the Ed25519 public key

func (*Ed25519Private) Sign 

func (ed *Ed25519Private) Sign(_ io.Reader, d []byte, _ crypto.SignerOpts) ([]byte, error)

Sign a msg using the Ed25519 private key

type Ed25519Public 

type Ed25519Public []byte

Ed25519Public wrapper of Ed25519 public key

func ParseED25519PublicKey 

func ParseED25519PublicKey(a Algorithm, d []byte) (Ed25519Public, error)

ParseED25519PublicKey decodes an ED25519 public key

func (Ed25519Public) Bytes 

func (ed Ed25519Public) Bytes() ([]byte, error)

Bytes raw public key bytes

func (Ed25519Public) Verify 

func (ed Ed25519Public) Verify(msg, sig []byte) bool

Verify a signature using Ed25519 given the message and signature

type Entity 

type Entity struct {
	Name     string `msgpack:"o,omitempty"`
	Unit     string `msgpack:"ou,omitempty"`
	Locality string `msgpack:"l,omitempty"`
	State    string `msgpack:"st,omitempty"`
	Country  string `msgpack:"c,omitempty"`
	Email    string `msgpack:"e,omitempty"`
}

Entity provides personal or businses information in the certificate

type Extension 

type Extension struct {
	Type ExtensionType `msgpack:"t"`
	Data []byte        `msgpack:"d"`
}

Extension certificate extensions

type ExtensionType 

type ExtensionType uint16

ExtensionType extension type reference 

const (
	UnknownExtensionType ExtensionType = iota
	AdditionalSubject
	Serial
)

func (ExtensionType) String 

func (et ExtensionType) String() string

type InMemCertPool 

type InMemCertPool struct {
	// contains filtered or unexported fields
}

InMemCertPool an in-memory certificate pool useful for tests

func NewInMemCertPool 

func NewInMemCertPool() *InMemCertPool

NewInMemCertPool inits a new in-memory cert pool

func (*InMemCertPool) AddCert 

func (incp *InMemCertPool) AddCert(c *Certificate, t TrustLevel)

AddCert adds a certificate to the pool with an associated trust level

func (*InMemCertPool) FindCertificate 

func (incp *InMemCertPool) FindCertificate(id, _ []byte) (*Certificate, error)

FindCertificate provides the certificate for an ID in the pool

func (*InMemCertPool) IsRevoked 

func (incp *InMemCertPool) IsRevoked(id []byte) error

IsRevoked checks if a certificate has been revoked

func (*InMemCertPool) Reset 

func (incp *InMemCertPool) Reset()

Reset clears all stored certificates, revokes and trust levels

func (*InMemCertPool) Revoke 

func (incp *InMemCertPool) Revoke(c *Certificate)

Revoke adds a certificate to the revoked list

func (*InMemCertPool) TrustLevel 

func (incp *InMemCertPool) TrustLevel(id []byte) (TrustLevel, error)

TrustLevel provides the trust level of a stored certificate. If the certificate is not in the pool, it will have an unknown trust level

type IntermCertPool 

type IntermCertPool struct {
	// contains filtered or unexported fields
}

func NewIntermCertPool 

func NewIntermCertPool(parent CertPool, certs map[string]*Certificate) *IntermCertPool

func (*IntermCertPool) AddCert 

func (escp *IntermCertPool) AddCert(c *Certificate)

func (*IntermCertPool) FindCertificate 

func (escp *IntermCertPool) FindCertificate(id, ref []byte) (*Certificate, error)

func (*IntermCertPool) IsRevoked 

func (escp *IntermCertPool) IsRevoked(id []byte) error

func (*IntermCertPool) TrustLevel 

func (escp *IntermCertPool) TrustLevel(id []byte) (TrustLevel, error)

type PrivateKey 

type PrivateKey interface {
	crypto.PrivateKey

	Sign(io.Reader, []byte, crypto.SignerOpts) ([]byte, error)
	Bytes() ([]byte, error)
	Public() PublicKey
}

PrivateKey to create signatures

func ParseEncryptedPrivateKey 

func ParseEncryptedPrivateKey(d []byte, key []byte) (PrivateKey, error)

ParseEncryptedPrivateKey decrypts and decodes a private key using AES256-GCM

func ParsePrivateKey 

func ParsePrivateKey(d []byte) (PrivateKey, error)

ParsePrivateKey unmarshals the private key raw data

type PublicKey 

type PublicKey interface {
	crypto.PublicKey

	Verify(msg []byte, sig []byte) bool
	Bytes() ([]byte, error)
}

PublicKey an OCS compatible public key

func ParsePublicKey 

func ParsePublicKey(a Algorithm, d []byte) (PublicKey, error)

ParsePublicKey unmarshals a public key

type RSAPrivateKey 

type RSAPrivateKey struct {
	*rsa.PrivateKey
}

RSAPrivateKey representation of a RSA pivatekey

func (*RSAPrivateKey) Bytes 

func (privk *RSAPrivateKey) Bytes() ([]byte, error)

Bytes encodes the private key into ANSI.1

func (*RSAPrivateKey) Public 

func (privk *RSAPrivateKey) Public() PublicKey

Public provides the RSA public key

func (*RSAPrivateKey) Sign 

func (privk *RSAPrivateKey) Sign(_ io.Reader, d []byte, _ crypto.SignerOpts) ([]byte, error)

Sign creates a PKCS1v15 RSA signature of the given byte slice over a SHA2-384 hash

type RSAPublicKey 

type RSAPublicKey struct {
	rsa.PublicKey
}

RSAPublicKey representation of an RSA public key

func ParseRSAPublicKey 

func ParseRSAPublicKey(a Algorithm, d []byte) (*RSAPublicKey, error)

ParseRSAPublicKey decodes a RSA public key TODO(tcfw) - decode using msgpack intead of ANSI.1

func (*RSAPublicKey) Bytes 

func (pubk *RSAPublicKey) Bytes() ([]byte, error)

Bytes encodes the RSA public key to... TODO(tcfw) - encode using msgpack intead of ANSI.1

func (*RSAPublicKey) Verify 

func (pubk *RSAPublicKey) Verify(msg []byte, sig []byte) bool

Verify validates an RSA PKCS1v15 signature based on SHA2-384

type SecpPrivateKey 

type SecpPrivateKey struct {
	ecdsa.PrivateKey
	Algo Algorithm
}

SecpPrivateKey wrapper for ECDSA private keys

func (*SecpPrivateKey) Bytes 

func (secpk *SecpPrivateKey) Bytes() ([]byte, error)

Bytes marshals the private key into a compressed ANSI x9.62 encoding

func (*SecpPrivateKey) Public 

func (secpk *SecpPrivateKey) Public() PublicKey

Public provides the EC public key

func (*SecpPrivateKey) Sign 

func (secpk *SecpPrivateKey) Sign(_ io.Reader, d []byte, _ crypto.SignerOpts) ([]byte, error)

Sign a msg using ECDSA using the key

type SecpPublicKey 

type SecpPublicKey struct {
	ecdsa.PublicKey
	// contains filtered or unexported fields
}

SecpPublicKey wrapper for a ECDSA public key

func ParseECPublicKey 

func ParseECPublicKey(a Algorithm, d []byte) (*SecpPublicKey, error)

ParseECPublicKey decodes an elliptical curve based public key

func (*SecpPublicKey) Bytes 

func (secppk *SecpPublicKey) Bytes() ([]byte, error)

Bytes encodes the public key into ANSI X9.62 encoding

func (*SecpPublicKey) ID 

func (secppk *SecpPublicKey) ID() []byte

ID public ID matching the private key PublicID - SHA3-384

func (*SecpPublicKey) Verify 

func (secppk *SecpPublicKey) Verify(msg []byte, sig []byte) bool

Verify a signature against a given message using the public key the signature must be in the ECDSASignature msgpack encoding

type Signature 

type Signature struct {
	ID        []byte    `msgpack:"c"`
	Algo      Algorithm `msgpack:"a"`
	Signature []byte    `msgpack:"s"`
	PublicRef []byte    `msgpack:"p,omitempty"`
}

Signature signatures provided by peers or CAs

type SystemCertPool 

type SystemCertPool struct {
	// contains filtered or unexported fields
}

func (*SystemCertPool) AppendCertsFromPEM 

func (scp *SystemCertPool) AppendCertsFromPEM(pemCerts []byte) bool

func (*SystemCertPool) FindCertificate 

func (scp *SystemCertPool) FindCertificate(id, _ []byte) (*Certificate, error)

func (*SystemCertPool) IsRevoked 

func (scp *SystemCertPool) IsRevoked(id []byte) error

IsRevoked checks if a certificate is revoked or not and returns an error if it is. Since these are read from the system, it is assumed no certificates are inherently revoked

func (*SystemCertPool) TrustLevel 

func (scp *SystemCertPool) TrustLevel(id []byte) (TrustLevel, error)

TrustLevel returns the level of trust associated with a certificate. Since these are read from the system, we assume that all certificates are at least trusted

type TrustLevel 

type TrustLevel uint8

TrustLevel represents a user specified or system level of trust on a certificste

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.