gopki

Published: Mar 1, 2023 License: Apache-2.0 Imports: 1 Imported by: 0

README

gopki

Design certificate hierarchies without pain.

Motivation

Creating lots of Certificate Authorities with lots of Subscribers can be a lot of trouble in testing environments. There is usually extensive configuration necessary, and the generation involves a multi-step process including key generation, CSR generation and certificate issuance. While this may fit production environments, test environments need to be flexible, allowing for a wide range of manipulations.

This is what gopki is for.

How it works

For each entity you supply a config file. Gopki then goes through these config files and generates the appropriate certificates/keys in one single step.

Getting started

Creating a minimal config for a root certificate may look like this:

version: 1
subject: CN=My Root CA
validity:
    duration: 25y
extensions:
    - basicConstraints:
        critical: yes
        content:
            ca: true
    - keyUsage:
        critical: yes
        content:
            - keyCertSign

Assuming this file is located in foo/root.yaml, you can then generate your certificate with

gopki sign foo/

and have your certificate and private key generated under foo/root.pem.

More sophisticated examples can be found in the examples folder.
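As an added illustration (not gopki's own code), the following Go program does by hand what `gopki sign foo/` does for the root.yaml above: it generates a key, issues a self-signed root certificate with subject CN=My Root CA, a 25-year validity, a critical basicConstraints ca:true extension and a critical keyUsage keyCertSign extension, and returns the certificate and private key as one PEM bundle, like root.pem. The function name GenerateRootPEM and the choice of a P-256 ECDSA key are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// GenerateRootPEM performs, in one step, the key generation and self-signed
// issuance that the root.yaml config describes. Go emits both basicConstraints
// and keyUsage as critical extensions, matching "critical: yes" in the config.
func GenerateRootPEM(cn string, years int, usage x509.KeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed key type
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // subject: CN=...
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(years, 0, 0), // duration: 25y
		IsCA:                  true,                            // ca: true
		BasicConstraintsValid: true,
		KeyUsage:              usage, // keyCertSign
	}
	// Self-signed: the template is its own parent and is signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	// One file holding certificate then private key, like the root.pem output.
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})...), nil
}
```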

Features

Generic certificate profiles

When a lot of subscribers need similar certificates, you can define certificate profiles that pre-set your extensions and allow validation against the subject DN.

Define arbitrary extensions

To really test your edge cases you can define custom extensions like this:

extensions:
    - custom:
        critical: yes
        oid: 1.2.2.4
        raw: "!binary:AQIDBA=="

Disclaimer

This software must not be used for certificates in production environments. It makes no effort to generate/store/wipe secrets in a secure way.

Documentation

Overview

gopki by David Vogels

This is the main package that initializes the command line interface. For more information about this project, see the README.

Directories

Path Synopsis
Package generator acts as the front-end for certificate generation and should always be the way external packages generate certificates.
cert
Package cert includes all necessary functions and data structures for certificate generation.
config/v1
Implements version 1 of the configuration parser.
db
Generic certificate database package
db/filesystem
Database implementation for filesystems.
dcrypto/ecdsa
Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as defined in FIPS 186-4 and SEC 1, Version 2.0.
dcrypto/internal/nistec
Package nistec implements the NIST P elliptic curves from FIPS 186-4.
dcrypto/rsa
Package rsa implements RSA encryption as specified in PKCS #1 and RFC 8017.
Provide application-wide logging with pre-defined log levels.
