cert

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 5, 2025 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Overview

Package cert includes all necessary functions and data structures for certificate generation. It handles everything regarding ASN.1, PEM and crypto. It is designed to becompletely oblivious to any configuration or database. It just serves as a general-purpose generator for keys and certificates.

Unsigned certificates and keys are bundled in a cert.CertificateContext. CertificateContexts are able to sign their data to yield a cert.Certificate.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ExpectOid added in v0.4.0 

func ExpectOid(i ExtensionOid) asn1.ObjectIdentifier

func GetExtendedKeyUsage 

func GetExtendedKeyUsage(k ExtKeyUsage) (asn1.ObjectIdentifier, bool)

func GetOid 

func GetOid(i ExtensionOid) (asn1.ObjectIdentifier, bool)

Returns the appropriate OID object. If the provided index is out of bounds, the bool return will be false.

func MarshalPKCS8PrivateKey added in v0.4.0 

func MarshalPKCS8PrivateKey(key any) ([]byte, error)

MarshalPKCS8PrivateKey converts a private key to PKCS #8, ASN.1 DER form.

The following key types are currently supported: *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey (not a pointer), and *ecdh.PrivateKey. Unsupported key types result in an error.

This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". Taken and adapted from the official x509 package

func NewAdmission added in v0.1.0 

func NewAdmission(critical bool, admission Admission) (*pkix.Extension, error)

Create Admission Extension conforming to Common PKI V2.0_02

func NewAdmissionFromProfessionItems added in v0.1.0 

func NewAdmissionFromProfessionItems(critical bool, professionItems []string, professionOids []asn1.ObjectIdentifier, registrationNumber string) (*pkix.Extension, error)

func NewAuthorityInfoAccess 

func NewAuthorityInfoAccess(critical bool, accessInfo []AccessDescription) (*pkix.Extension, error)

Create an Authority Information Access Extension according to RFC5280. It takes care of resolving the provided AccessMethods to the corresponding OIDs. It will fail, if an access method is not known.

func NewAuthorityKeyIdentifierFromStruct 

func NewAuthorityKeyIdentifierFromStruct(critical bool, rawAuthkeyId AuthorityKeyIdentifier) (*pkix.Extension, error)

Create an Authority Key Identifier Extension according to RFC5280. This function allows to set the ID to any arbitrary value the struct allows.

func NewAuthorityKeyIdentifierHash 

func NewAuthorityKeyIdentifierHash(critical bool, ctx *CertificateContext) (*pkix.Extension, error)

Create an Authority Key Identifier Extension according to RFC5280. This function generates the ID by calculating the SHA-1 hash of the provided public key of the IssuerContext.

func NewBasicConstraints 

func NewBasicConstraints(critical bool, isCa bool, pathLen int) pkix.Extension

Create a Subject Alternative Name according to RFC5280. There are no bounds on the pathLen, so it will never fail.

func NewCertificatePolicies 

func NewCertificatePolicies(critical bool, policyIds []PolicyInfo) (*pkix.Extension, error)

Create a Certificate Policies Extension according to RFC5280.

func NewExtendedKeyUsage 

func NewExtendedKeyUsage(critical bool, usages []asn1.ObjectIdentifier) (*pkix.Extension, error)

Create an Extended Key Usage Extension according to RFC5280.

func NewKeyUsage 

func NewKeyUsage(critical bool, flags KeyUsage) pkix.Extension

Create a Key Usage Extension according to RFC5280. It will ensure that the flaglist is always valid, effectively ignoring the least significant bit of flags by zeroing it.

func NewOcspNoCheck added in v0.4.0 

func NewOcspNoCheck(critical bool) pkix.Extension

func NewSubjectAlternativeName 

func NewSubjectAlternativeName(critical bool, names []GeneralName) (*pkix.Extension, error)

Create a Subject Alternative Name according to RFC5280.

func NewSubjectKeyIdentifier 

func NewSubjectKeyIdentifier(critical bool, ctx *CertificateContext) (*pkix.Extension, error)

Create a Subject Key Identifier Extension according to RFC5280. The identifier will be the SHA-1 hash of the subject's raw public key in the provided cert.CertificateContext. It returns an error, if the context or the public key is nil.

func OidFromString 

func OidFromString(s string) (asn1.ObjectIdentifier, error)

Converts an OID in dotted decimal form into a asn1.ObjectIdentifier.

func ParsePKCS8PrivateKey added in v0.4.0 

func ParsePKCS8PrivateKey(der []byte) (key any, err error)

ParsePKCS8PrivateKey parses an unencrypted private key in PKCS #8, ASN.1 DER form.

It returns a *rsa.PrivateKey, an *ecdsa.PrivateKey, an [ed25519.PrivateKey] (not a pointer), or an *ecdh.PrivateKey (for X25519). More types might be supported in the future.

This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY". Taken and adapted from the official x509 package

func WritePrivateKeyToPem 

func WritePrivateKeyToPem(prk crypto.PrivateKey, w io.Writer) error

Writes the given crypto.PublicKey into an unencrypted PKCS#8 PEM file. For simplicities' sake PEM files are currently assumed to contain only one block. It fails when either x509.MarshalPKCS8PrivateKey or pem.Encode return an error.

Types

type AccessDescription 

type AccessDescription struct {
	AccessMethod
	AccessLocation GeneralName
}

Contains one Access Description for the AIA extension.

type AccessMethod 

type AccessMethod int
const (
	Ocsp AccessMethod = iota
)

type Admission added in v0.1.0 

type Admission struct {
	AdmissionAuthority GeneralName `asn1:"optional"`
	Contents           []Admissions
}

type Admissions added in v0.1.0 

type Admissions struct {
	AdmissionAuthority GeneralName `asn1:"optional,explicit"`
	NamingAuthority    `asn1:"tag:1,optional,explicit"`
	ProfessionInfos    []ProfessionInfo `omitempty,asn1:"optional"`
}

type AuthorityKeyIdentifier 

type AuthorityKeyIdentifier struct {
	KeyIdentifier []byte `asn1:"tag:0,optional"`
}

type Certificate 

type Certificate struct {
	TBSCertificate     TbsCertificate
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

Certificate data structure that can be serialized via asn1.Unmarshal

func (Certificate) WritePem 

func (c Certificate) WritePem(w io.Writer) error

Writes the given cert.Certificate into a PEM file. For simplicities' sake PEM files are currently assumed to contain only one block. It fails when either asn1.Unmarshal or pem.Encode return an error.

type CertificateContext 

type CertificateContext struct {
	*TbsCertificate
	crypto.PrivateKey
	Issuer     *IssuerContext
	Extensions []ExtensionBuilder
}

Represents all information about an entity prior to signing. This includes the entities' private key, certificate data and issuer information.

func NewCertificateContext 

func NewCertificateContext(subject pkix.RDNSequence, ext []ExtensionBuilder, validNotBefore time.Time, validNotAfter time.Time) *CertificateContext

This is the intended way to generate a new cert.CertificateContext. It always generates a new key corresponding to the keyAlg argument.

The function applies the following defaults: - SerialNumber is always random - If subject is nil, it will be set to "CN=DummyCertificate" - The context is built to be self-signed. If this is not intended, issuer context should be changed afterwards accordingly. - The alias is set to a hexadecimal representation of the serial number - Time values are converted to UTC - The extensions will be generated after calling the cert.Sign function

func (*CertificateContext) GeneratePrivateKey 

func (ctx *CertificateContext) GeneratePrivateKey(keyAlg KeyAlgorithm) error

func (*CertificateContext) SetIssuer 

func (ctx *CertificateContext) SetIssuer(issuerCtx IssuerContext)

func (*CertificateContext) SetPrivateKey 

func (ctx *CertificateContext) SetPrivateKey(key crypto.PrivateKey) error

func (*CertificateContext) Sign 

func (c *CertificateContext) Sign(alg SignatureAlgorithm) (*Certificate, error)

Sign the provided information to finally yield a certificate. This is also the point, where the extensions will be generated through the provided Builder interfaces.

This function will also populate some certificate prior to signing: - Signature Algorithm will be set according to alg. - Issuer will be set according to the provided cert.IssuerContext - All extensions will be overwritten with the builder's outputs.

type CertificateRequest added in v0.3.0 

type CertificateRequest struct {
	TbsCsr             TbsCertificateRequest
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

func (*CertificateRequest) WritePem added in v0.3.0 

func (c *CertificateRequest) WritePem(w io.Writer) error

type ExtKeyUsage 

type ExtKeyUsage uint
const (
	//Set explicitly, since these correspond to array indicies.
	ServerAuth      ExtKeyUsage = 0
	ClientAuth      ExtKeyUsage = 1
	CodeSigning     ExtKeyUsage = 2
	EmailProtection ExtKeyUsage = 3
	TimeStamping    ExtKeyUsage = 4
	OcspSigning     ExtKeyUsage = 5
)

type ExtensionBuilder 

type ExtensionBuilder interface {
	Compile(ctx *CertificateContext) (*pkix.Extension, error)
}

Interface that is used to build X.509 extensions lazily. A lot of information might still be unknown, when a [config.CertificateContent] is built initially. Things like issuer information might be available much later and this interface ensures that external parties have enough time to manipulate their cert.CertificateContext before the extensions are built.

type ExtensionOid 

type ExtensionOid int
const (
	OidExtensionSubjectKeyId ExtensionOid = iota
	OidExtensionKeyUsage
	OidExtensionExtendedKeyUsage
	OidExtensionAuthorityKeyId
	OidExtensionBasicConstraints
	OidExtensionSubjectAltName
	OidExtensionCertificatePolicies
	OidExtensionNameConstraints
	OidExtensionCRLDistributionPoints
	OidExtensionAuthorityInfoAccess
	OidExtensionCRLNumber
	OidExtensionAdmission
	OidExtensionOcspNoCheck
)

type GeneralName 

type GeneralName interface {
	// contains filtered or unexported methods
}

Interface used to generate the correct GeneralName structre with the appropriate tags. Each implementation should be easy to create, preferably via primitive data types.

type GeneralNameDNS 

type GeneralNameDNS string

type GeneralNameIP 

type GeneralNameIP [4]byte

type GeneralNameRFC822 

type GeneralNameRFC822 string

type GeneralNameURI 

type GeneralNameURI string

type IssuerContext 

type IssuerContext struct {
	crypto.PrivateKey
	PublicKeyRaw []byte
	IssuerDn     pkix.RDNSequence
}

Structure for all issuer related information. This includes everything needed for signing, as well as information, that extensions might need. For example, an AuthorityKeyIdentifier extension could use the raw public key of the issuer to calculate a hash.

func AsIssuer 

func AsIssuer(c CertificateContext) IssuerContext

Syntactic sugar to yield a [config.IssuerContext] from a [config.CertificateContext].

type KeyAlgorithm 

type KeyAlgorithm uint
const (
	RSA1024 KeyAlgorithm = iota
	RSA2048
	RSA4096
	RSA8192
	P224
	P256
	P384
	P521
	BrainpoolP256r1
	BrainpoolP384r1
	BrainpoolP512r1
	BrainpoolP256t1
	BrainpoolP384t1
	BrainpoolP512t1
	KEY_ALG_LEN // this must always be the last entry
)

type KeyUsage 

type KeyUsage uint8
const (
	DigitalSignature KeyUsage = 128
	NonRepudiation   KeyUsage = 64
	KeyEncipherment  KeyUsage = 32
	DataEncipherment KeyUsage = 16
	KeyAgreement     KeyUsage = 8
	KeyCertSign      KeyUsage = 4
	CRLSign          KeyUsage = 2
)

type NamingAuthority added in v0.1.0 

type NamingAuthority struct {
	Oid  asn1.ObjectIdentifier `asn1:"optional"`
	URL  string                `asn1:"ia5,optional"`
	Text string                `asn1:"utf8,optional"`
}

type NoticeReference 

type NoticeReference struct {
	Organization  string `asn1:"utf8"`
	NoticeNumbers []int
}

type PemFileContent added in v0.3.0 

type PemFileContent struct {
	Certificate *Certificate
	PrivateKey  crypto.PrivateKey
	Request     *CertificateRequest
}

func ReadPem added in v0.3.0 

func ReadPem(pemBytes []byte) (PemFileContent, error)

type PolicyInfo 

type PolicyInfo struct {
	asn1.ObjectIdentifier
	Qualifiers []PolicyQualifier `asn1:"optional"`
}

PolicyInfo for the Certificate Policies Extension.

type PolicyQualifier 

type PolicyQualifier struct {
	QualifierId asn1.ObjectIdentifier
	Cps         string `asn1:"optional,ia5"`
	UserNotice  `asn1:"optional"`
}

type ProfessionInfo added in v0.1.0 

type ProfessionInfo struct {
	NamingAuthority    `asn1:"tag:0,explicit,optional"`
	ProfessionItems    []string                `asn1:"omitempty,optional"`
	ProfessionOids     []asn1.ObjectIdentifier `asn1:"omitempty,optional"`
	RegistrationNumber string                  `asn1:"printable,optional"`
	AddProfessionInfo  []byte                  `asn1:"omitempty,optional"`
}

type PublicKeyInfo added in v0.2.0 

type PublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

type SignatureAlgorithm 

type SignatureAlgorithm uint
const (
	RSAwithSHA1 SignatureAlgorithm = iota
	RSAwithSHA256
	RSAwithSHA384
	RSAwithSHA512
	ECDSAwithSHA1
	ECDSAwithSHA256
	ECDSAwithSHA384
	ECDSAwithSHA512
)

type TbsCertificate 

type TbsCertificate struct {
	Version            int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber       *big.Int
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Issuer             pkix.RDNSequence
	Validity           validity
	Subject            pkix.RDNSequence
	PublicKey          PublicKeyInfo
	IssuerUniqueId     asn1.BitString   `asn1:"optional,tag:1"`
	SubjectUniqueId    asn1.BitString   `asn1:"optional,tag:2"`
	Extensions         []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"`
}

Unsigned certificate structure that can be serialized via asn1.Unmarshal

type TbsCertificateRequest added in v0.3.0 

type TbsCertificateRequest struct {
	Version       int
	Subject       asn1.RawValue
	PublicKey     PublicKeyInfo
	RawAttributes []asn1.RawValue `asn1:"tag:0"`
}

These structures reflect the ASN.1 structure of X.509 certificate signature requests (see RFC 2986):

type UserNotice 

type UserNotice struct {
	NoticeRef    NoticeReference `asn1:"optional"`
	ExplicitText string          `asn1:"optional,utf8"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.