x509util

package
v0.0.2-rc.1

This package is not in the latest version of its module.
Published: Aug 8, 2018 License: MIT Imports: 23 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	// DefaultCertValidity is the minimum validity of an end-entity (not root or intermediate) certificate.
	DefaultCertValidity = 24 * time.Hour
	// DefaultRootCertValidity is the default validity of a root certificate in the step PKI.
	DefaultRootCertValidity = time.Hour * 24 * 365 * 10
	// DefaultIntermediateCertValidity is the default validity of an intermediate certificate in the step PKI.
	DefaultIntermediateCertValidity = time.Hour * 24 * 365 * 10

	// DefaultTLSMinVersion default minimum version of TLS.
	DefaultTLSMinVersion = TLSVersion(1.2)
	// DefaultTLSMaxVersion default maximum version of TLS.
	DefaultTLSMaxVersion = TLSVersion(1.2)
	// DefaultTLSRenegotiation default TLS connection renegotiation policy.
	DefaultTLSRenegotiation = false // Never renegotiate.
	// DefaultTLSCipherSuites specifies default step ciphersuite(s).
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	}
	// ApprovedTLSCipherSuites smallstep approved ciphersuites.
	ApprovedTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	}
)

Functions

func BasicConstraints

func BasicConstraints(bcv bool, isCA bool, maxPathLen int) func(*CertTemplate) error

BasicConstraints generates a function that modifies the BasicConstraintsValid, IsCA, MaxPathLen, and MaxPathLenZero fields of a CertTemplate.

If BasicConstraintsValid==true then the next two fields (IsCA and MaxPathLen) are meaningful. MaxPathLenZero indicates that BasicConstraintsValid==true and MaxPathLen==0 should be interpreted as an actual maximum path length of zero. Otherwise, that combination is interpreted as MaxPathLen not being set.

func CRLSign

func CRLSign(c bool) func(*CertTemplate) error

CRLSign generates a function that modifies the KeyUsage bitmap value of a CertTemplate.

func CommonName

func CommonName(common string) func(*PkixName) error

CommonName generates a function that modifies the CommonName value of a certificate name struct. Takes a common name string. Returns a function that will modify, in-place, a PkixName.

func Country

func Country(countries string) func(*PkixName) error

Country generates a function that modifies the Country value of a certificate name struct. Takes a comma separated string of countries (e.g. "ecuador,italy,brazil"). Returns a function that will modify, in-place, a PkixName.

func ExtKeyUsage

func ExtKeyUsage(eku []x509.ExtKeyUsage) func(*CertTemplate) error

ExtKeyUsage generates a function that overwrites the extended key usage slice of a CertTemplate.

func Hosts

func Hosts(hosts string) func(*CertTemplate) error

Hosts generates a function that modifies the IPAddresses and DNSNames values of a certificate. Takes a comma separated string of hostnames and IP addresses (e.g. "127.0.0.1,smallstep.com,blog.smallstep.com"). Returns a function that will modify, in-place, a CertTemplate.

func Issuer

func Issuer(pn PkixName) func(*CertTemplate) error

Issuer generates a function that modifies the Issuer value of a CertTemplate. Takes an argument that will be used to populate the Issuer pkix.Name. Returns a function that will modify, in-place, a CertTemplate.

func LoadCSRFromBytes

func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)

LoadCSRFromBytes loads a CSR from its ASN.1 DER encoding.

func Locality

func Locality(localities string) func(*PkixName) error

Locality generates a function that modifies the Locality value of a certificate name struct. Takes a comma separated string of localities (e.g. "ecuador,italy,brazil"). Returns a function that will modify, in-place, a PkixName.

func MergeASN1DN

func MergeASN1DN(n *pkix.Name, asn1dn *ASN1DN) error

MergeASN1DN fills empty fields of a pkix.Name with the default ASN1DN settings. A field that is already set (non-empty) is not overwritten with the default; an empty field is. TODO: test

func NotBeforeAfter

func NotBeforeAfter(from time.Time, duration time.Duration) func(*CertTemplate) error

NotBeforeAfter generates a function that modifies the NotBefore and NotAfter values of a certificate. Takes a pair of arguments used to compute the window of time during which the certificate should be valid. Returns a function that will modify, in-place, a CertTemplate.

func Now

func Now() time.Time

Now is a helper function that returns the current time with the location set to UTC.

func Organization

func Organization(orgs string) func(*PkixName) error

Organization generates a function that modifies the Organization value of a certificate name struct. Takes a comma separated string of organizations (e.g. "ecuador,italy,brazil"). Returns a function that will modify, in-place, a PkixName.

func ReadCertPool

func ReadCertPool(path string) (*realx509.CertPool, error)

ReadCertPool loads a certificate pool from disk.

func SerialNumber

func SerialNumber(sn *string) func(*CertTemplate) error

SerialNumber generates a function that modifies the SerialNumber value of a CertTemplate. Takes an argument that will be used to set the SerialNumber. Returns a function that will modify, in-place, a CertTemplate.

func Subject

func Subject(pn PkixName) func(*CertTemplate) error

Subject generates a function that modifies the Subject value of a CertTemplate. Takes an argument that will be used to populate the Subject pkix.Name. Returns a function that will modify, in-place, a CertTemplate.

func WriteCertificate

func WriteCertificate(crt []byte, out string) error

WriteCertificate encodes a x509 Certificate to a file on disk in PEM format.

Types

type ASN1DN

type ASN1DN struct {
	Country            string `step:"country"`
	Organization       string `step:"organization"`
	OrganizationalUnit string `step:"organizationalUnit"`
	Locality           string `step:"locality"`
	Province           string `step:"province"`
	StreetAddress      string `step:"streetAddress"`
	CommonName         string `step:"commonName"`
}

ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.

type CertTemplate

type CertTemplate x509.Certificate

CertTemplate allows us to add our own methods to x509.Certificate.

func FromCSR

func FromCSR(csr *x509.CertificateRequest, options ...func(*CertTemplate) error) (*CertTemplate, error)

FromCSR generates a CertTemplate from a x509 certificate signing request.

func FromCert

func FromCert(cert *x509.Certificate, issuer pkix.Name) (*CertTemplate, error)

FromCert generates a CertTemplate from a x509 certificate.

func NewCertTemplate

func NewCertTemplate(options ...func(*CertTemplate) error) (*CertTemplate, error)

NewCertTemplate generates and returns a new CertTemplate struct. Takes an arbitrary number of augmenting functions each of which modifies a CertTemplate. A default CertTemplate is created and then the optional augmenter functions are applied one after another in the order in which they were submitted. Returns the address of a new CertTemplate and an error object which will be nil on success and otherwise contain the reason and location of the failure.
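The augmenter pattern that NewCertTemplate, Hosts, NotBeforeAfter and BasicConstraints describe, as an added example (not code from this page or from the step project): it uses the standard library's x509.Certificate in place of CertTemplate, and the names option, newCertTemplate, hosts, notBeforeAfter and basicConstraints are this example's own. The comma-separated host parsing and the MaxPathLenZero handling follow the doc comments above; rejecting blank host entries, a non-positive duration, and IsCA without BasicConstraintsValid are checks added here.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// option mirrors the page's func(*CertTemplate) error augmenters, applied here
// to a plain x509.Certificate so the example runs without the step library.
type option func(*x509.Certificate) error

// newCertTemplate builds a default template (24h validity, as DefaultCertValidity)
// and applies the options in the order given, reporting which one failed.
func newCertTemplate(opts ...option) (*x509.Certificate, error) {
	now := time.Now().UTC()
	t := &x509.Certificate{
		NotBefore: now,
		NotAfter:  now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	for i, opt := range opts {
		if err := opt(t); err != nil {
			return nil, fmt.Errorf("option %d: %w", i, err)
		}
	}
	return t, nil
}

// hosts splits a comma separated list such as "127.0.0.1,smallstep.com" and
// routes each entry to IPAddresses or DNSNames; a blank entry is an error.
func hosts(list string) option {
	return func(t *x509.Certificate) error {
		for _, h := range strings.Split(list, ",") {
			h = strings.TrimSpace(h)
			if h == "" {
				return errors.New("hosts: empty entry")
			}
			if ip := net.ParseIP(h); ip != nil {
				t.IPAddresses = append(t.IPAddresses, ip)
			} else {
				t.DNSNames = append(t.DNSNames, h)
			}
		}
		return nil
	}
}

// notBeforeAfter sets the validity window from a start time and a duration.
func notBeforeAfter(from time.Time, d time.Duration) option {
	return func(t *x509.Certificate) error {
		if d <= 0 {
			return errors.New("notBeforeAfter: duration must be positive")
		}
		t.NotBefore = from.UTC()
		t.NotAfter = from.UTC().Add(d)
		return nil
	}
}

// basicConstraints applies the MaxPathLenZero rule quoted on the page: with
// BasicConstraintsValid set, a maxPathLen of 0 means exactly zero, while a
// negative value means the constraint is not set.
func basicConstraints(valid, isCA bool, maxPathLen int) option {
	return func(t *x509.Certificate) error {
		if isCA && !valid {
			return errors.New("basicConstraints: IsCA requires BasicConstraintsValid")
		}
		t.BasicConstraintsValid = valid
		t.IsCA = isCA
		if maxPathLen < 0 {
			t.MaxPathLen, t.MaxPathLenZero = -1, false
		} else {
			t.MaxPathLen, t.MaxPathLenZero = maxPathLen, valid && maxPathLen == 0
		}
		return nil
	}
}

func main() {
	t, err := newCertTemplate(
		hosts("127.0.0.1,smallstep.com,blog.smallstep.com"),
		basicConstraints(true, false, -1),
	)
	if err != nil {
		fmt.Println("template rejected:", err)
		return
	}
	fmt.Println("IPs:", t.IPAddresses, "DNS:", t.DNSNames, "valid for", t.NotAfter.Sub(t.NotBefore))
	_, err = newCertTemplate(hosts("api.example,,db.example"))
	fmt.Println("blank host entry:", err)
}
```

Because options run in submission order, a later notBeforeAfter overrides an earlier one; the error wraps the option's index so a caller can tell which augmenter rejected the template.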

func (CertTemplate) Compare

func (ct CertTemplate) Compare(other CertTemplate) error

Compare compares the calling CertTemplate to the one provided as an argument. Returns nil if the two are equal, otherwise returns an error describing the diff. NOTE: this method avoids comparing a number of fields that are inconvenient or difficult to compare for equality. Check the `IgnoreFields` call below to check if the field you would like to check is being ignored.

type CipherSuites

type CipherSuites []string

CipherSuites is a slice of cipher suite names (the Go constant names, as listed in DefaultTLSCipherSuites and ApprovedTLSCipherSuites).

func (CipherSuites) Validate

func (c CipherSuites) Validate() error

Validate implements models.Validator and checks that a cipher suite is valid.

func (CipherSuites) Value

func (c CipherSuites) Value() []uint16

Value returns an []uint16 for the cipher suites.

type Identity

type Identity struct {
	Crt    *x509.Certificate
	CrtPem *pem.Block
	Key    interface{}
}

Identity contains a public/private x509 certificate/key pair.

func LoadIdentityFromDisk

func LoadIdentityFromDisk(crtPath, keyPath string, pemOpts ...pemutil.Options) (*Identity, error)

LoadIdentityFromDisk loads a public certificate and private key (both in PEM format) from disk.

func NewIdentity

func NewIdentity(c *x509.Certificate, b *pem.Block, k interface{}) *Identity

NewIdentity returns a new Identity.

type Intermediate

type Intermediate struct {
	// contains filtered or unexported fields
}

Intermediate implements the Profile for an intermediate certificate.

func NewIntermediateProfile

func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Intermediate, error)

NewIntermediateProfile returns a new intermediate x509 Certificate profile.

func (*Intermediate) CreateCertificate

func (b *Intermediate) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Intermediate) CreateWriteCertificate

func (b *Intermediate) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.

func (*Intermediate) GenerateDefaultKeyPair

func (b *Intermediate) GenerateDefaultKeyPair() error

func (*Intermediate) GenerateKeyPair

func (b *Intermediate) GenerateKeyPair(kty, crv string, size int) error

func (*Intermediate) Issuer

func (b *Intermediate) Issuer() *x509.Certificate

func (*Intermediate) SetIssuer

func (b *Intermediate) SetIssuer(iss *x509.Certificate)

func (*Intermediate) SetIssuerPrivateKey

func (b *Intermediate) SetIssuerPrivateKey(priv interface{})

func (*Intermediate) SetSubject

func (b *Intermediate) SetSubject(sub *x509.Certificate)

func (*Intermediate) SetSubjectPrivateKey

func (b *Intermediate) SetSubjectPrivateKey(priv interface{})

func (*Intermediate) SetSubjectPublicKey

func (b *Intermediate) SetSubjectPublicKey(pub interface{})

func (*Intermediate) Subject

func (b *Intermediate) Subject() *x509.Certificate

func (*Intermediate) SubjectPrivateKey

func (b *Intermediate) SubjectPrivateKey() interface{}

func (*Intermediate) SubjectPublicKey

func (b *Intermediate) SubjectPublicKey() interface{}

type Leaf

type Leaf struct {
	// contains filtered or unexported fields
}

Leaf implements the Profile for a leaf certificate.

func NewLeafProfile

func NewLeafProfile(cn string, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Leaf, error)

NewLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.

func NewLeafProfileWithCSR

func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Leaf, error)

NewLeafProfileWithCSR returns a new leaf x509 Certificate Profile with Subject Certificate fields populated directly from the CSR. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the CSR.

func NewLeafProfileWithTemplate

func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv interface{}, withOps ...WithOption) (*Leaf, error)

NewLeafProfileWithTemplate returns a new leaf x509 Certificate Profile with Subject Certificate set to the value of the template argument. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the Subject Certificate parameter.

func (*Leaf) CreateCertificate

func (b *Leaf) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Leaf) CreateWriteCertificate

func (b *Leaf) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.

func (*Leaf) GenerateDefaultKeyPair

func (b *Leaf) GenerateDefaultKeyPair() error

func (*Leaf) GenerateKeyPair

func (b *Leaf) GenerateKeyPair(kty, crv string, size int) error

func (*Leaf) Issuer

func (b *Leaf) Issuer() *x509.Certificate

func (*Leaf) SetIssuer

func (b *Leaf) SetIssuer(iss *x509.Certificate)

func (*Leaf) SetIssuerPrivateKey

func (b *Leaf) SetIssuerPrivateKey(priv interface{})

func (*Leaf) SetSubject

func (b *Leaf) SetSubject(sub *x509.Certificate)

func (*Leaf) SetSubjectPrivateKey

func (b *Leaf) SetSubjectPrivateKey(priv interface{})

func (*Leaf) SetSubjectPublicKey

func (b *Leaf) SetSubjectPublicKey(pub interface{})

func (*Leaf) Subject

func (b *Leaf) Subject() *x509.Certificate

func (*Leaf) SubjectPrivateKey

func (b *Leaf) SubjectPrivateKey() interface{}

func (*Leaf) SubjectPublicKey

func (b *Leaf) SubjectPublicKey() interface{}

type PkixName

type PkixName pkix.Name

PkixName allows us to add our own methods to pkix.Name.

func NewPkixName

func NewPkixName(options ...func(*PkixName) error) (*PkixName, error)

NewPkixName generates a new PkixName struct. Takes an arbitrary number of augmenting functions each of which modifies a PkixName. A default PkixName is created and then the optional augmenter functions are applied one after another in the order in which they appear as parameters. Returns the address of a new PkixName and an error object that will be nil on success or contain error data on failure.

type PkixNameBuilder

type PkixNameBuilder struct {
	Country, Organization, OrganizationalUnit     *string
	Locality, Province, StreetAddress, PostalCode *string
	SerialNumber, CommonName                      *string
}

PkixNameBuilder groups the optional pkix.Name fields.

type Profile

type Profile interface {
	Issuer() *x509.Certificate
	Subject() *x509.Certificate
	SubjectPrivateKey() interface{}
	SubjectPublicKey() interface{}
	SetIssuer(*x509.Certificate)
	SetSubject(*x509.Certificate)
	SetSubjectPrivateKey(interface{})
	SetSubjectPublicKey(interface{})
	SetIssuerPrivateKey(interface{})
	CreateCertificate() ([]byte, error)
	GenerateKeyPair(string, string, int) error
}

Profile is an interface that certificate profiles (e.g. leaf, intermediate, root) must implement.

type Root

type Root struct {
	// contains filtered or unexported fields
}

Root implements the Profile for a root certificate.

func NewRootProfile

func NewRootProfile(name string, withOps ...WithOption) (*Root, error)

NewRootProfile returns a new root x509 Certificate profile.

func NewRootProfileWithTemplate

func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (*Root, error)

NewRootProfileWithTemplate returns a new root x509 Certificate profile.

func (*Root) CreateCertificate

func (b *Root) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Root) CreateWriteCertificate

func (b *Root) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

CreateWriteCertificate creates a certificate from the profile and writes the certificate and private key to disk.

func (*Root) GenerateDefaultKeyPair

func (b *Root) GenerateDefaultKeyPair() error

func (*Root) GenerateKeyPair

func (b *Root) GenerateKeyPair(kty, crv string, size int) error

func (*Root) Issuer

func (b *Root) Issuer() *x509.Certificate

func (*Root) SetIssuer

func (b *Root) SetIssuer(iss *x509.Certificate)

func (*Root) SetIssuerPrivateKey

func (b *Root) SetIssuerPrivateKey(priv interface{})

func (*Root) SetSubject

func (b *Root) SetSubject(sub *x509.Certificate)

func (*Root) SetSubjectPrivateKey

func (b *Root) SetSubjectPrivateKey(priv interface{})

func (*Root) SetSubjectPublicKey

func (b *Root) SetSubjectPublicKey(pub interface{})

func (*Root) Subject

func (b *Root) Subject() *x509.Certificate

func (*Root) SubjectPrivateKey

func (b *Root) SubjectPrivateKey() interface{}

func (*Root) SubjectPublicKey

func (b *Root) SubjectPublicKey() interface{}

type TLSVersion

type TLSVersion float64

TLSVersion represents a TLS version number.

func (TLSVersion) String

func (v TLSVersion) String() string

String returns the Go constant for the TLSVersion.

func (TLSVersion) Validate

func (v TLSVersion) Validate() error

Validate implements models.Validator and checks that the TLS version is valid.

func (TLSVersion) Value

func (v TLSVersion) Value() uint16

Value returns the Go constant for the TLSVersion.
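How the DefaultTLS* variables, CipherSuites.Validate/Value and TLSVersion.Validate/Value fit together, as an added example (not the package's own code): it resolves suite names through crypto/tls rather than the package's internal tables, so the tlsVersionIDs map, resolveCipherSuites and buildTLSConfig are this example's assumptions. Rejecting suites that crypto/tls flags as insecure is a stricter policy than the ApprovedTLSCipherSuites list above, which still includes CBC suites.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// defaultSuites and the 1.2/1.2 version bounds used in main are the page's DefaultTLS* values.
var defaultSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

// tlsVersionIDs is an assumed mapping from the page's float-style TLSVersion
// (e.g. 1.2) to the crypto/tls constant, standing in for TLSVersion.Value.
var tlsVersionIDs = map[float64]uint16{
	1.0: tls.VersionTLS10,
	1.1: tls.VersionTLS11,
	1.2: tls.VersionTLS12,
	1.3: tls.VersionTLS13,
}

// tlsVersionValue plays the role of TLSVersion.Validate plus TLSVersion.Value.
func tlsVersionValue(v float64) (uint16, error) {
	id, ok := tlsVersionIDs[v]
	if !ok {
		return 0, fmt.Errorf("unknown TLS version %v", v)
	}
	return id, nil
}

// resolveCipherSuites plays the role of CipherSuites.Validate plus
// CipherSuites.Value: every name must be a suite Go implements, and suites
// that crypto/tls marks Insecure are refused (a policy choice added here).
func resolveCipherSuites(names []string) ([]uint16, error) {
	known := map[string]*tls.CipherSuite{}
	add := func(s *tls.CipherSuite) {
		known[s.Name] = s
		// Newer Go reports the IANA name for the ChaCha20 suites (..._POLY1305_SHA256);
		// the page uses the older constant name without the suffix, so accept both.
		if alias := strings.TrimSuffix(s.Name, "_POLY1305_SHA256"); alias != s.Name {
			known[alias+"_POLY1305"] = s
		}
	}
	for _, s := range tls.CipherSuites() {
		add(s)
	}
	for _, s := range tls.InsecureCipherSuites() {
		add(s)
	}
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		s, ok := known[n]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", n)
		}
		if s.Insecure {
			return nil, fmt.Errorf("cipher suite %q is flagged insecure by crypto/tls", n)
		}
		ids = append(ids, s.ID)
	}
	return ids, nil
}

// buildTLSConfig assembles a tls.Config from the validated pieces and never
// renegotiates, matching DefaultTLSRenegotiation = false.
func buildTLSConfig(minV, maxV float64, suites []string) (*tls.Config, error) {
	minID, err := tlsVersionValue(minV)
	if err != nil {
		return nil, err
	}
	maxID, err := tlsVersionValue(maxV)
	if err != nil {
		return nil, err
	}
	if minID > maxID {
		return nil, errors.New("minimum TLS version is above the maximum")
	}
	ids, err := resolveCipherSuites(suites)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		MinVersion:    minID,
		MaxVersion:    maxID,
		CipherSuites:  ids,
		Renegotiation: tls.RenegotiateNever,
	}, nil
}

func main() {
	cfg, err := buildTLSConfig(1.2, 1.2, defaultSuites)
	if err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	fmt.Printf("min=%#x max=%#x suites=%#v\n", cfg.MinVersion, cfg.MaxVersion, cfg.CipherSuites)
	// A CBC-SHA256 suite from ApprovedTLSCipherSuites, checked against the stricter policy here.
	_, err = resolveCipherSuites([]string{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"})
	fmt.Println("CBC_SHA256:", err)
}
```

Note that CipherSuites only take effect for TLS 1.2 and below; TLS 1.3 suites are fixed by crypto/tls, which is why the version bounds and the suite list are validated together.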

type WithOption

type WithOption func(Profile) error

WithOption is a modifier function applied to a Profile.

func GenerateKeyPair

func GenerateKeyPair(kty, crv string, size int) WithOption

GenerateKeyPair returns a Profile modifier that generates a public/private key pair for a profile.

func WithHosts

func WithHosts(hosts string) WithOption

WithHosts returns a Profile modifier which sets the DNS Names and IP Addresses that will be bound to the subject Certificate.

`hosts` should be a comma separated string of DNS Names and IP Addresses. e.g. `127.0.0.1,internal.smallstep.com,blog.smallstep.com,1.1.1.1`.

func WithIssuer

func WithIssuer(iss pkix.Name) WithOption

WithIssuer returns a Profile modifier that sets the Issuer for a x509 Certificate.

func WithNotBeforeAfter

func WithNotBeforeAfter(nb, na time.Time) WithOption

WithNotBeforeAfter returns a Profile modifier that sets the `NotBefore` and `NotAfter` attributes of the subject x509 Certificate.

func WithPublicKey

func WithPublicKey(pub interface{}) WithOption

WithPublicKey returns a Profile modifier that sets the public key for a profile.

func WithSubject

func WithSubject(sub pkix.Name) WithOption

WithSubject returns a Profile modifier that sets the Subject for a x509 Certificate.
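The Root, Intermediate and Leaf profiles and the WithOption modifiers above, exercised end to end with the standard library as an added example (not code from this page or the step project): issue collapses NewRootProfile, NewIntermediateProfile and NewLeafProfile into one function, buildChain, verifyLeaf and pathLenViolation are this example's own names, and the CA names and host are constructed sample values. It also shows the path-length rule from BasicConstraints being enforced at verification time rather than at issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity windows copied from the page's defaults (10 years for CAs, 24h for leaves).
const (
	caValidity   = 10 * 365 * 24 * time.Hour
	leafValidity = 24 * time.Hour
)

// chain is what buildChain returns; interKey is kept so pathLenViolation can
// try to issue one CA level too many under the intermediate.
type chain struct {
	root, inter, leaf *x509.Certificate
	interKey          *ecdsa.PrivateKey
}

// issue generates a P-256 key and template for cn, marks it as a CA with the
// given path length when isCA is set (0 sets MaxPathLenZero, as on the page),
// signs it with issuer/issKey (self-signed when issuer is nil) and returns
// the parsed certificate with its new private key.
func issue(cn string, isCA bool, maxPathLen int, dns []string, issuer *x509.Certificate, issKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC()
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: now, DNSNames: dns}
	if isCA {
		t.NotAfter = now.Add(caValidity)
		t.IsCA, t.BasicConstraintsValid = true, true
		t.MaxPathLen, t.MaxPathLenZero = maxPathLen, maxPathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.NotAfter = now.Add(leafValidity)
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if issuer == nil {
		issuer, issKey = t, key // root: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, &key.PublicKey, issKey)
	if err != nil {
		return nil, nil, err
	}
	crt, err := x509.ParseCertificate(der)
	return crt, key, err
}

// buildChain issues root (path length 1) -> intermediate (path length 0) -> leaf for host.
func buildChain(host string) (*chain, error) {
	root, rootKey, err := issue("Example Root CA", true, 1, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Example Intermediate CA", true, 0, nil, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(host, false, -1, []string{host}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &chain{root: root, inter: inter, leaf: leaf, interKey: interKey}, nil
}

// verifyLeaf checks leaf against root, the supplied intermediates and host name.
func verifyLeaf(leaf, root *x509.Certificate, host string, inters ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: host})
	return err
}

// pathLenViolation issues a sub-CA under the intermediate, whose path length is
// zero, then a leaf under that sub-CA; Verify must reject the extra CA level.
func pathLenViolation(c *chain, host string) error {
	sub, subKey, err := issue("Unexpected Sub CA", true, 0, nil, c.inter, c.interKey)
	if err != nil {
		return err
	}
	leaf, _, err := issue(host, false, -1, []string{host}, sub, subKey)
	if err != nil {
		return err
	}
	return verifyLeaf(leaf, c.root, host, c.inter, sub)
}

func main() {
	c, err := buildChain("smallstep.com")
	if err != nil {
		fmt.Println("issuance failed:", err)
		return
	}
	fmt.Println("root->inter->leaf:", verifyLeaf(c.leaf, c.root, "smallstep.com", c.inter))
	fmt.Println("wrong host:", verifyLeaf(c.leaf, c.root, "other.example", c.inter))
	fmt.Println("one CA level too many:", pathLenViolation(c, "smallstep.com"))
}
```

x509.CreateCertificate signs whatever template it is given, so the intermediate's path length of zero does not stop a sub-CA from being minted with the intermediate's key; it is Verify, checking BasicConstraints along the chain, that refuses the resulting leaf. Keeping the intermediate's key off the host that issues leaves, as the profiles' separate SetIssuerPrivateKey suggests, is what makes that constraint meaningful.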
