- Variables
- func CheckCertificateRequestSignature(csr *x509.CertificateRequest) error
- func Fingerprint(cert *x509.Certificate) string
- func GenerateDefaultKeyPair(p Profile) error
- func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)
- func ParseCertificate(asn1Data []byte) (*x509.Certificate, error)
- func ParseCertificateRequest(asn1Data []byte) (*x509.CertificateRequest, error)
- func ReadCertPool(path string) (*x509.CertPool, error)
- func SplitSANs(sans []string) (dnsNames []string, ips []net.IP, emails []string)
- func ToStepX509Certificate(cert *x509.Certificate) *stepx509.Certificate
- func ToStepX509CertificateRequest(csr *x509.CertificateRequest) *stepx509.CertificateRequest
- func ToX509Certificate(cert *stepx509.Certificate) *x509.Certificate
- func ToX509CertificateRequest(csr *stepx509.CertificateRequest) *x509.CertificateRequest
- type ASN1DN
- type CipherSuites
- type Identity
- type Intermediate
- func (b *Intermediate) CreateCertificate() ([]byte, error)
- func (b *Intermediate) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (i *Intermediate) DefaultDuration() time.Duration
- func (b *Intermediate) GenerateDefaultKeyPair() error
- func (b *Intermediate) GenerateKeyPair(kty, crv string, size int) error
- func (b *Intermediate) Issuer() *x509.Certificate
- func (b *Intermediate) SetIssuer(iss *x509.Certificate)
- func (b *Intermediate) SetIssuerPrivateKey(priv interface{})
- func (b *Intermediate) SetSubject(sub *x509.Certificate)
- func (b *Intermediate) SetSubjectPrivateKey(priv interface{})
- func (b *Intermediate) SetSubjectPublicKey(pub interface{})
- func (b *Intermediate) Subject() *x509.Certificate
- func (b *Intermediate) SubjectPrivateKey() interface{}
- func (b *Intermediate) SubjectPublicKey() interface{}
- type Leaf
- func (b *Leaf) CreateCertificate() ([]byte, error)
- func (b *Leaf) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (b *Leaf) DefaultDuration() time.Duration
- func (b *Leaf) GenerateDefaultKeyPair() error
- func (b *Leaf) GenerateKeyPair(kty, crv string, size int) error
- func (b *Leaf) Issuer() *x509.Certificate
- func (b *Leaf) SetIssuer(iss *x509.Certificate)
- func (b *Leaf) SetIssuerPrivateKey(priv interface{})
- func (b *Leaf) SetSubject(sub *x509.Certificate)
- func (b *Leaf) SetSubjectPrivateKey(priv interface{})
- func (b *Leaf) SetSubjectPublicKey(pub interface{})
- func (b *Leaf) Subject() *x509.Certificate
- func (b *Leaf) SubjectPrivateKey() interface{}
- func (b *Leaf) SubjectPublicKey() interface{}
- type Profile
- func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv crypto.PrivateKey, ...) (Profile, error)
- func NewLeafProfile(cn string, iss *x509.Certificate, issPriv crypto.PrivateKey, ...) (Profile, error)
- func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv crypto.PrivateKey, ...) (Profile, error)
- func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv crypto.PrivateKey, ...) (Profile, error)
- func NewRootProfile(name string, withOps ...WithOption) (Profile, error)
- func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (Profile, error)
- func NewSelfSignedLeafProfile(cn string, withOps ...WithOption) (Profile, error)
- type Root
- func (b *Root) CreateCertificate() ([]byte, error)
- func (b *Root) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
- func (r *Root) DefaultDuration() time.Duration
- func (b *Root) GenerateDefaultKeyPair() error
- func (b *Root) GenerateKeyPair(kty, crv string, size int) error
- func (b *Root) Issuer() *x509.Certificate
- func (b *Root) SetIssuer(iss *x509.Certificate)
- func (b *Root) SetIssuerPrivateKey(priv interface{})
- func (b *Root) SetSubject(sub *x509.Certificate)
- func (b *Root) SetSubjectPrivateKey(priv interface{})
- func (b *Root) SetSubjectPublicKey(pub interface{})
- func (b *Root) Subject() *x509.Certificate
- func (b *Root) SubjectPrivateKey() interface{}
- func (b *Root) SubjectPublicKey() interface{}
- type TLSVersion
- type WithOption
- func GenerateKeyPair(kty, crv string, size int) WithOption
- func WithDNSNames(dns []string) WithOption
- func WithEmailAddresses(emails []string) WithOption
- func WithHosts(hosts string) WithOption
- func WithIPAddresses(ips []net.IP) WithOption
- func WithIssuer(iss pkix.Name) WithOption
- func WithNotBeforeAfterDuration(nb, na time.Time, d time.Duration) WithOption
- func WithPublicKey(pub interface{}) WithOption
- func WithSubject(sub pkix.Name) WithOption
Variables ¶
var (
	// DefaultCertValidity is the minimum validity of an end-entity (not root or intermediate) certificate.
	DefaultCertValidity = 24 * time.Hour
	// DefaultTLSMinVersion is the default minimum version of TLS.
	DefaultTLSMinVersion = TLSVersion(1.2)
	// DefaultTLSMaxVersion is the default maximum version of TLS.
	// NOTE(review): min and max are both 1.2, so the defaults pin a single
	// protocol version; TLS 1.3 is not admitted unless the max is raised.
	DefaultTLSMaxVersion = TLSVersion(1.2)
	// DefaultTLSRenegotiation is the default TLS connection renegotiation policy.
	DefaultTLSRenegotiation = false // Never renegotiate.
	// DefaultTLSCipherSuites specifies the default step cipher suite(s).
	// Both defaults are ECDHE-ECDSA suites with AEAD ciphers
	// (ChaCha20-Poly1305, AES-128-GCM); no CBC-mode suite is enabled by default.
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	}
	// ApprovedTLSCipherSuites lists the smallstep approved cipher suites.
	// This list is wider than the defaults: every entry uses ECDHE key
	// exchange, but it also admits CBC-mode suites (the *_CBC_SHA* entries)
	// and RSA-authenticated suites. Callers that enable a CBC suite here give
	// up the AEAD-only posture of the defaults.
	ApprovedTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	}
)
var DefaultIntermediateCertValidity = time.Hour * 24 * 365 * 10
DefaultIntermediateCertValidity is the default validity of an intermediate certificate in the step PKI.
var DefaultRootCertValidity = time.Hour * 24 * 365 * 10
DefaultRootCertValidity is the default validity of a root certificate in the step PKI.
Functions ¶
func CheckCertificateRequestSignature ¶ added in v0.9.0
func CheckCertificateRequestSignature(csr *x509.CertificateRequest) error
CheckCertificateRequestSignature verifies that the CSR's signature is a valid signature over the CSR's signed data, using the public key contained in the CSR.
CheckCertificateRequestSignature reports whether the signature on csr is valid.
func Fingerprint ¶ added in v0.9.0
func Fingerprint(cert *x509.Certificate) string
Fingerprint returns the SHA-256 fingerprint of the certificate.
func GenerateDefaultKeyPair ¶ added in v0.8.4
GenerateDefaultKeyPair generates a new public/private key pair using the default values and sets them in the given profile.
func LoadCSRFromBytes ¶
func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)
LoadCSRFromBytes loads a CSR given the ASN.1 DER format.
func ParseCertificate ¶ added in v0.9.0
func ParseCertificate(asn1Data []byte) (*x509.Certificate, error)
ParseCertificate parses a single certificate from the given ASN.1 DER data.
func ParseCertificateRequest ¶ added in v0.9.0
func ParseCertificateRequest(asn1Data []byte) (*x509.CertificateRequest, error)
ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.
func ReadCertPool ¶
ReadCertPool loads a certificate pool from disk. The path argument may be a file, a directory, or a comma-separated list of files.
func SplitSANs ¶ added in v0.8.4
SplitSANs splits a slice of Subject Alternative Names into slices of IP Addresses and DNS Names. If an element is not an IP address, then it is bucketed as a DNS Name.
func ToStepX509Certificate ¶ added in v0.9.0
func ToStepX509Certificate(cert *x509.Certificate) *stepx509.Certificate
ToStepX509Certificate converts an x509.Certificate from the standard library to the step version of the x509.Certificate.
func ToStepX509CertificateRequest ¶ added in v0.9.0
func ToStepX509CertificateRequest(csr *x509.CertificateRequest) *stepx509.CertificateRequest
ToStepX509CertificateRequest converts an x509.CertificateRequest from the standard library to the step version of the x509.CertificateRequest.
func ToX509Certificate ¶ added in v0.9.0
func ToX509Certificate(cert *stepx509.Certificate) *x509.Certificate
ToX509Certificate converts an x509.Certificate from the internal package to the standard-library version of the x509.Certificate.
func ToX509CertificateRequest ¶ added in v0.9.0
func ToX509CertificateRequest(csr *stepx509.CertificateRequest) *x509.CertificateRequest
ToX509CertificateRequest converts an x509.CertificateRequest from the internal package to the standard-library version of the x509.CertificateRequest.
Types ¶
type ASN1DN ¶
// ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509
// Certificate blocks. Every field is a plain string; each carries a json tag
// (omitted from output when empty) and a step tag with the same attribute name.
type ASN1DN struct {
	Country            string `json:"country,omitempty" step:"country"`
	Organization       string `json:"organization,omitempty" step:"organization"`
	OrganizationalUnit string `json:"organizationalUnit,omitempty" step:"organizationalUnit"`
	Locality           string `json:"locality,omitempty" step:"locality"`
	Province           string `json:"province,omitempty" step:"province"`
	StreetAddress      string `json:"streetAddress,omitempty" step:"streetAddress"`
	CommonName         string `json:"commonName,omitempty" step:"commonName"`
}
ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.
type CipherSuites ¶
// CipherSuites is a list of string codes naming TLS cipher suites
// (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256").
type CipherSuites []string
CipherSuites is a list of string codes naming the cipher suites.
func (CipherSuites) Validate ¶
func (c CipherSuites) Validate() error
Validate implements models.Validator and checks that a cipher suite is valid.
func (CipherSuites) Value ¶
func (c CipherSuites) Value() []uint16
Value returns an []uint16 for the cipher suites.
type Identity ¶
// Identity contains a public/private x509 certificate/key pair.
type Identity struct {
	Crt *x509.Certificate // the public certificate
	Key interface{}       // the matching private key; its concrete type is not constrained here
}
Identity contains a public/private x509 certificate/key pair.
func LoadIdentityFromDisk ¶
LoadIdentityFromDisk loads a public certificate and private key (both in PEM format) from disk.
func NewIdentity ¶
func NewIdentity(c *x509.Certificate, k interface{}) *Identity
NewIdentity returns a new Identity.
type Intermediate ¶
// Intermediate implements the Profile for an intermediate certificate.
type Intermediate struct {
	// contains filtered or unexported fields
}
Intermediate implements the Profile for an intermediate certificate.
func (*Intermediate) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Intermediate) CreateWriteCertificate ¶
CreateWriteCertificate creates the certificate from the profile and writes the certificate and private key to disk.
func (*Intermediate) DefaultDuration ¶ added in v0.8.4
func (i *Intermediate) DefaultDuration() time.Duration
DefaultDuration returns the default Intermediate Certificate duration.
func (*Intermediate) GenerateDefaultKeyPair ¶
func (b *Intermediate) GenerateDefaultKeyPair() error
func (*Intermediate) GenerateKeyPair ¶
func (*Intermediate) Issuer ¶
func (b *Intermediate) Issuer() *x509.Certificate
func (*Intermediate) SetIssuer ¶
func (b *Intermediate) SetIssuer(iss *x509.Certificate)
func (*Intermediate) SetIssuerPrivateKey ¶
func (b *Intermediate) SetIssuerPrivateKey(priv interface{})
func (*Intermediate) SetSubject ¶
func (b *Intermediate) SetSubject(sub *x509.Certificate)
func (*Intermediate) SetSubjectPrivateKey ¶
func (b *Intermediate) SetSubjectPrivateKey(priv interface{})
func (*Intermediate) SetSubjectPublicKey ¶
func (b *Intermediate) SetSubjectPublicKey(pub interface{})
func (*Intermediate) Subject ¶
func (b *Intermediate) Subject() *x509.Certificate
func (*Intermediate) SubjectPrivateKey ¶
func (b *Intermediate) SubjectPrivateKey() interface{}
func (*Intermediate) SubjectPublicKey ¶
func (b *Intermediate) SubjectPublicKey() interface{}
type Leaf ¶
// Leaf implements the Profile for a leaf (end-entity) certificate.
type Leaf struct {
	// contains filtered or unexported fields
}
Leaf implements the Profile for a leaf certificate.
func (*Leaf) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Leaf) CreateWriteCertificate ¶
CreateWriteCertificate creates the certificate from the profile and writes the certificate and private key to disk.
func (*Leaf) DefaultDuration ¶ added in v0.8.4
func (*Leaf) GenerateDefaultKeyPair ¶
func (b *Leaf) GenerateDefaultKeyPair() error
func (*Leaf) GenerateKeyPair ¶
func (*Leaf) Issuer ¶
func (b *Leaf) Issuer() *x509.Certificate
func (*Leaf) SetIssuer ¶
func (b *Leaf) SetIssuer(iss *x509.Certificate)
func (*Leaf) SetIssuerPrivateKey ¶
func (b *Leaf) SetIssuerPrivateKey(priv interface{})
func (*Leaf) SetSubject ¶
func (b *Leaf) SetSubject(sub *x509.Certificate)
func (*Leaf) SetSubjectPrivateKey ¶
func (b *Leaf) SetSubjectPrivateKey(priv interface{})
func (*Leaf) SetSubjectPublicKey ¶
func (b *Leaf) SetSubjectPublicKey(pub interface{})
func (*Leaf) Subject ¶
func (b *Leaf) Subject() *x509.Certificate
func (*Leaf) SubjectPrivateKey ¶
func (b *Leaf) SubjectPrivateKey() interface{}
func (*Leaf) SubjectPublicKey ¶
func (b *Leaf) SubjectPublicKey() interface{}
type Profile ¶
// Profile is an interface that certificate profiles (e.g. leaf, intermediate,
// root) must implement.
type Profile interface {
	// Issuer returns the issuer certificate.
	Issuer() *x509.Certificate
	// Subject returns the subject certificate template.
	Subject() *x509.Certificate
	// SubjectPrivateKey returns the subject's private key (nil-ness and concrete
	// type depend on the implementation).
	SubjectPrivateKey() interface{}
	// SubjectPublicKey returns the subject's public key.
	SubjectPublicKey() interface{}
	// SetIssuer replaces the issuer certificate.
	SetIssuer(*x509.Certificate)
	// SetSubject replaces the subject certificate template.
	SetSubject(*x509.Certificate)
	// SetSubjectPrivateKey sets the subject's private key.
	SetSubjectPrivateKey(interface{})
	// SetSubjectPublicKey sets the subject's public key.
	SetSubjectPublicKey(interface{})
	// SetIssuerPrivateKey sets the issuer's private key (presumably the key
	// that signs the certificate; confirm against the implementation).
	SetIssuerPrivateKey(interface{})
	// CreateCertificate creates an x509 Certificate using the configuration
	// stored in the profile; the returned bytes are presumably ASN.1 DER.
	CreateCertificate() ([]byte, error)
	// GenerateKeyPair generates a key pair for the subject from a key type,
	// curve name and size (kty, crv, size in the implementations).
	GenerateKeyPair(string, string, int) error
	// DefaultDuration returns the default certificate validity duration for
	// this profile type.
	DefaultDuration() time.Duration
	// CreateWriteCertificate creates the certificate and writes the
	// certificate and private key to crtOut and keyOut; pass is presumably
	// used to protect the written key — confirm against the implementation.
	CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
}
Profile is an interface that certificate profiles (e.g. leaf, intermediate, root) must implement.
func NewIntermediateProfile ¶
func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)
NewIntermediateProfile returns a new intermediate x509 Certificate profile.
func NewLeafProfile ¶
func NewLeafProfile(cn string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)
NewLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.
func NewLeafProfileWithCSR ¶
func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)
NewLeafProfileWithCSR returns a new leaf x509 Certificate Profile with Subject Certificate fields populated directly from the CSR. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the CSR.
func NewLeafProfileWithTemplate ¶
func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)
NewLeafProfileWithTemplate returns a new leaf x509 Certificate Profile with Subject Certificate set to the value of the template argument. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the Subject Certificate parameter.
func NewRootProfile ¶
func NewRootProfile(name string, withOps ...WithOption) (Profile, error)
NewRootProfile returns a new root x509 Certificate profile.
func NewRootProfileWithTemplate ¶
func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (Profile, error)
NewRootProfileWithTemplate returns a new root x509 Certificate profile.
func NewSelfSignedLeafProfile ¶ added in v0.11.0
func NewSelfSignedLeafProfile(cn string, withOps ...WithOption) (Profile, error)
NewSelfSignedLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.
type Root ¶
// Root implements the Profile for a root certificate.
type Root struct {
	// contains filtered or unexported fields
}
Root implements the Profile for a root certificate.
func (*Root) CreateCertificate ¶
CreateCertificate creates an x509 Certificate using the configuration stored in the profile.
func (*Root) CreateWriteCertificate ¶
CreateWriteCertificate creates the certificate from the profile and writes the certificate and private key to disk.
func (*Root) DefaultDuration ¶ added in v0.8.4
DefaultDuration returns the default Root Certificate duration.
func (*Root) GenerateDefaultKeyPair ¶
func (b *Root) GenerateDefaultKeyPair() error
func (*Root) GenerateKeyPair ¶
func (*Root) Issuer ¶
func (b *Root) Issuer() *x509.Certificate
func (*Root) SetIssuer ¶
func (b *Root) SetIssuer(iss *x509.Certificate)
func (*Root) SetIssuerPrivateKey ¶
func (b *Root) SetIssuerPrivateKey(priv interface{})
func (*Root) SetSubject ¶
func (b *Root) SetSubject(sub *x509.Certificate)
func (*Root) SetSubjectPrivateKey ¶
func (b *Root) SetSubjectPrivateKey(priv interface{})
func (*Root) SetSubjectPublicKey ¶
func (b *Root) SetSubjectPublicKey(pub interface{})
func (*Root) Subject ¶
func (b *Root) Subject() *x509.Certificate
func (*Root) SubjectPrivateKey ¶
func (b *Root) SubjectPrivateKey() interface{}
func (*Root) SubjectPublicKey ¶
func (b *Root) SubjectPublicKey() interface{}
type TLSVersion ¶
// TLSVersion represents a TLS version number as a float (e.g. TLSVersion(1.2)).
type TLSVersion float64
TLSVersion represents a TLS version number.
func (TLSVersion) String ¶
func (v TLSVersion) String() string
String returns the Go constant for the TLSVersion.
func (TLSVersion) Validate ¶
func (v TLSVersion) Validate() error
Validate implements models.Validator and checks that the TLS version is valid.
func (TLSVersion) Value ¶
func (v TLSVersion) Value() uint16
Value returns the Go constant for the TLSVersion.
type WithOption ¶
WithOption is a modifier function applied to a profile's base configuration.
func GenerateKeyPair ¶
func GenerateKeyPair(kty, crv string, size int) WithOption
GenerateKeyPair returns a Profile modifier that generates a public/private key pair for a profile.
func WithDNSNames ¶ added in v0.8.4
func WithDNSNames(dns []string) WithOption
WithDNSNames returns a Profile modifier which sets the DNS Names that will be bound to the subject alternative name extension of the Certificate.
func WithEmailAddresses ¶ added in v0.11.0
func WithEmailAddresses(emails []string) WithOption
WithEmailAddresses returns a Profile modifier which sets the Email Addresses that will be bound to the subject alternative name extension of the Certificate.
func WithHosts ¶
func WithHosts(hosts string) WithOption
WithHosts returns a Profile modifier which sets the DNS Names and IP Addresses that will be bound to the subject Certificate.
`hosts` should be a comma separated string of DNS Names and IP Addresses. e.g. `127.0.0.1,internal.smallstep.com,blog.smallstep.com,1.1.1.1`.
func WithIPAddresses ¶ added in v0.8.4
func WithIPAddresses(ips []net.IP) WithOption
WithIPAddresses returns a Profile modifier which sets the IP Addresses that will be bound to the subject alternative name extension of the Certificate.
func WithIssuer ¶
func WithIssuer(iss pkix.Name) WithOption
WithIssuer returns a Profile modifier that sets the Issuer for an x509 Certificate.
func WithNotBeforeAfterDuration ¶ added in v0.8.4
func WithNotBeforeAfterDuration(nb, na time.Time, d time.Duration) WithOption
WithNotBeforeAfterDuration returns a Profile modifier that sets the `NotBefore` and `NotAfter` attributes of the subject x509 Certificate.
func WithPublicKey ¶
func WithPublicKey(pub interface{}) WithOption
WithPublicKey returns a Profile modifier that sets the public key for a profile.
func WithSubject ¶
func WithSubject(sub pkix.Name) WithOption
WithSubject returns a Profile modifier that sets the Subject for an x509 Certificate.