Documentation
¶
Overview ¶
Package certutil contains helper functions that are mostly used with the PKI backend but can be generally useful. Functionality includes helpers for converting a certificate/private key bundle between DER and PEM, printing certificate serial numbers, and more.
Functionality specific to the PKI backend includes some types // and helper methods to make requesting certificates from the // backend easy.
Index ¶
- func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error)
- func GeneratePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyContainer) error
- func GenerateSerialNumber() (*big.Int, error)
- func GetOctalFormatted(buf []byte, sep string) string
- func GetSubjKeyID(privateKey crypto.Signer) ([]byte, error)
- func ParseHexFormatted(in, sep string) []byte
- type BlockType
- type CSRBundle
- type CertBundle
- type InternalError
- type IssueData
- type ParsedCSRBundle
- type ParsedCertBundle
- type ParsedPrivateKeyContainer
- type PrivateKeyType
- type Secret
- type TLSUsage
- type UserError
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ComparePublicKeys ¶ added in v0.4.0
ComparePublicKeys compares two public keys and returns true if they match
func GeneratePrivateKey ¶ added in v0.4.0
func GeneratePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyContainer) error
GeneratePrivateKey generates a private key with the specified type and key bits
func GenerateSerialNumber ¶ added in v0.4.0
GenerateSerialNumber generates a serial number suitable for a certificate
func GetOctalFormatted ¶
GetOctalFormatted returns the byte buffer formatted in octal with the specified separator between bytes. FIXME: where did I originally copy this code from? This ain't octal, it's hex.
func GetSubjKeyID ¶
GetSubjKeyID returns the subject key ID, e.g. the SHA1 sum of the marshaled public key
func ParseHexFormatted ¶ added in v0.4.0
Types ¶
type BlockType ¶ added in v0.5.0
type BlockType string
BlockType indicates the serialization format of the key
type CSRBundle ¶ added in v0.4.0
type CSRBundle struct {
PrivateKeyType PrivateKeyType `json:"private_key_type" structs:"private_key_type" mapstructure:"private_key_type"`
CSR string `json:"csr" structs:"csr" mapstructure:"csr"`
PrivateKey string `json:"private_key" structs:"private_key" mapstructure:"private_key"`
}
CSRBundle contains a key type, a PEM-encoded private key, and a PEM-encoded CSR
func (*CSRBundle) ToParsedCSRBundle ¶ added in v0.4.0
func (c *CSRBundle) ToParsedCSRBundle() (*ParsedCSRBundle, error)
ToParsedCSRBundle converts a string-based CSR bundle to a byte-based raw CSR bundle
type CertBundle ¶
type CertBundle struct {
PrivateKeyType PrivateKeyType `json:"private_key_type" structs:"private_key_type" mapstructure:"private_key_type"`
Certificate string `json:"certificate" structs:"certificate" mapstructure:"certificate"`
IssuingCA string `json:"issuing_ca" structs:"issuing_ca" mapstructure:"issuing_ca"`
PrivateKey string `json:"private_key" structs:"private_key" mapstructure:"private_key"`
SerialNumber string `json:"serial_number" structs:"serial_number" mapstructure:"serial_number"`
}
CertBundle contains a key type, a PEM-encoded private key, a PEM-encoded certificate, and a string-encoded serial number, returned from a successful Issue request
func (*CertBundle) ToParsedCertBundle ¶
func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error)
ToParsedCertBundle converts a string-based certificate bundle to a byte-based raw certificate bundle
type InternalError ¶
type InternalError struct {
Err string
}
InternalError represents an error generated internally, presumably not due to invalid user input
func (InternalError) Error ¶
func (e InternalError) Error() string
type IssueData ¶
type IssueData struct {
TTL string `json:"ttl" structs:"ttl" mapstructure:"ttl"`
CommonName string `json:"common_name" structs:"common_name" mapstructure:"common_name"`
AltNames string `json:"alt_names" structs:"alt_names" mapstructure:"alt_names"`
IPSANs string `json:"ip_sans" structs:"ip_sans" mapstructure:"ip_sans"`
CSR string `json:"csr" structs:"csr" mapstructure:"csr"`
}
IssueData is a structure that is suitable for marshaling into a request; either via JSON, or into a map[string]interface{} via the structs package
type ParsedCSRBundle ¶ added in v0.4.0
type ParsedCSRBundle struct {
PrivateKeyType PrivateKeyType
PrivateKeyBytes []byte
PrivateKey crypto.Signer
CSRBytes []byte
CSR *x509.CertificateRequest
}
ParsedCSRBundle contains a key type, a DER-encoded private key, and a DER-encoded certificate request
func (*ParsedCSRBundle) SetParsedPrivateKey ¶ added in v0.4.0
func (p *ParsedCSRBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType PrivateKeyType, privateKeyBytes []byte)
SetParsedPrivateKey sets the private key parameters on the bundle
func (*ParsedCSRBundle) ToCSRBundle ¶ added in v0.4.0
func (p *ParsedCSRBundle) ToCSRBundle() (*CSRBundle, error)
ToCSRBundle converts a byte-based raw DER certificate bundle to a PEM-based string certificate bundle
type ParsedCertBundle ¶
type ParsedCertBundle struct {
PrivateKeyType PrivateKeyType
PrivateKeyFormat BlockType
PrivateKeyBytes []byte
PrivateKey crypto.Signer
IssuingCABytes []byte
IssuingCA *x509.Certificate
CertificateBytes []byte
Certificate *x509.Certificate
}
ParsedCertBundle contains a key type, a DER-encoded private key, and a DER-encoded certificate
func ParsePEMBundle ¶
func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error)
ParsePEMBundle takes a string of concatenated PEM-format certificate and private key values and decodes/parses them, checking validity along the way. There must be at max two certificates (a certificate and its issuing certificate) and one private key.
func ParsePKIJSON ¶
func ParsePKIJSON(input []byte) (*ParsedCertBundle, error)
ParsePKIJSON takes a JSON-encoded string and returns a ParsedCertBundle.
This can be either the output of an issue call from the PKI backend or just its data member; or, JSON not coming from the PKI backend.
func ParsePKIMap ¶
func ParsePKIMap(data map[string]interface{}) (*ParsedCertBundle, error)
ParsePKIMap takes a map (for instance, the Secret.Data returned from the PKI backend) and returns a ParsedCertBundle.
func (*ParsedCertBundle) GetTLSConfig ¶
func (p *ParsedCertBundle) GetTLSConfig(usage TLSUsage) (*tls.Config, error)
GetTLSConfig returns a TLS config generally suitable for client authentiation. The returned TLS config can be modified slightly to be made suitable for a server requiring client authentication; specifically, you should set the value of ClientAuth in the returned config to match your needs.
func (*ParsedCertBundle) SetParsedPrivateKey ¶ added in v0.4.0
func (p *ParsedCertBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType PrivateKeyType, privateKeyBytes []byte)
SetParsedPrivateKey sets the private key parameters on the bundle
func (*ParsedCertBundle) ToCertBundle ¶
func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error)
ToCertBundle converts a byte-based raw DER certificate bundle to a PEM-based string certificate bundle
type ParsedPrivateKeyContainer ¶ added in v0.4.0
type ParsedPrivateKeyContainer interface {
SetParsedPrivateKey(crypto.Signer, PrivateKeyType, []byte)
}
ParsedPrivateKeyContainer allows common key setting for certs and CSRs
type PrivateKeyType ¶ added in v0.4.0
type PrivateKeyType string
PrivateKeyType holds a string representation of the type of private key (ec or rsa) referenced in CertBundle and ParsedCertBundle. This uses colloquial names rather than official names, to eliminate confusion
const ( UnknownPrivateKey PrivateKeyType = "" RSAPrivateKey PrivateKeyType = "rsa" ECPrivateKey PrivateKeyType = "ec" )
Well-known PrivateKeyTypes
type Secret ¶
type Secret struct {
Data map[string]interface{} `json:"data"`
}
Secret is used to attempt to unmarshal a Vault secret JSON response, as a convenience
Source Files