x509util

package
v0.13.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 30, 2019 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// DefaultCertValidity is the minimum validity of an end-entity (not root or intermediate) certificate.
	DefaultCertValidity = 24 * time.Hour

	// DefaultTLSMinVersion default minimum version of TLS.
	DefaultTLSMinVersion = TLSVersion(1.2)
	// DefaultTLSMaxVersion default maximum version of TLS.
	DefaultTLSMaxVersion = TLSVersion(1.2)
	// DefaultTLSRenegotiation default TLS connection renegotiation policy.
	DefaultTLSRenegotiation = false // Never regnegotiate.
	// DefaultTLSCipherSuites specifies default step ciphersuite(s).
	DefaultTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	}
	// ApprovedTLSCipherSuites smallstep approved ciphersuites.
	ApprovedTLSCipherSuites = CipherSuites{
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	}
)
View Source
var DefaultIntermediateCertValidity = time.Hour * 24 * 365 * 10

DefaultIntermediateCertValidity is the default validity of a intermediate certificate in the step PKI.

View Source
var DefaultRootCertValidity = time.Hour * 24 * 365 * 10

DefaultRootCertValidity is the default validity of a root certificate in the step PKI.

Functions

func CheckCertificateRequestSignature added in v0.9.0

func CheckCertificateRequestSignature(csr *x509.CertificateRequest) error

CheckCertificateRequestSignature verifies that signature is a valid signature over signed from csr's public key.

CheckCertificateRequestSignature reports whether the signature on csr is valid.

func Fingerprint added in v0.9.0

func Fingerprint(cert *x509.Certificate) string

Fingerprint returns the SHA-256 fingerprint of the certificate.

func GenerateDefaultKeyPair added in v0.8.4

func GenerateDefaultKeyPair(p Profile) error

GenerateDefaultKeyPair generates a new public/private key pair using the default values and sets them in the given profile.

func LoadCSRFromBytes

func LoadCSRFromBytes(der []byte) (*x509.CertificateRequest, error)

LoadCSRFromBytes loads a CSR given the ASN.1 DER format.

func ParseCertificate added in v0.9.0

func ParseCertificate(asn1Data []byte) (*x509.Certificate, error)

ParseCertificate parses a single certificate from the given ASN.1 DER data.

func ParseCertificateRequest added in v0.9.0

func ParseCertificateRequest(asn1Data []byte) (*x509.CertificateRequest, error)

ParseCertificateRequest parses a single certificate request from the given ASN.1 DER data.

func ReadCertPool

func ReadCertPool(path string) (*x509.CertPool, error)

ReadCertPool loads a certificate pool from disk. *path*: a file, a directory, or a comma-separated list of files.

func SplitSANs added in v0.8.4

func SplitSANs(sans []string) (dnsNames []string, ips []net.IP, emails []string)

SplitSANs splits a slice of Subject Alternative Names into slices of IP Addresses and DNS Names. If an element is not an IP address, then it is bucketed as a DNS Name.

func ToStepX509Certificate added in v0.9.0

func ToStepX509Certificate(cert *x509.Certificate) *stepx509.Certificate

ToStepX509Certificate converts a x509.Certificate from the standard library to the step version of the x509.Certificate.

func ToStepX509CertificateRequest added in v0.9.0

func ToStepX509CertificateRequest(csr *x509.CertificateRequest) *stepx509.CertificateRequest

ToStepX509CertificateRequest converts a x509.CertificateRequest from the standard library to the step version of the x509.CertificateRequest.

func ToX509Certificate added in v0.9.0

func ToX509Certificate(cert *stepx509.Certificate) *x509.Certificate

ToX509Certificate converts a x509.Certificate from the internal package to the standard version of the x509.Certificate.

func ToX509CertificateRequest added in v0.9.0

func ToX509CertificateRequest(csr *stepx509.CertificateRequest) *x509.CertificateRequest

ToX509CertificateRequest converts a x509.CertificateRequest from the internal package to the standard version of the x509.CertificateRequest.

Types

type ASN1DN

type ASN1DN struct {
	Country            string `json:"country,omitempty" step:"country"`
	Organization       string `json:"organization,omitempty" step:"organization"`
	OrganizationalUnit string `json:"organizationalUnit,omitempty" step:"organizationalUnit"`
	Locality           string `json:"locality,omitempty" step:"locality"`
	Province           string `json:"province,omitempty" step:"province"`
	StreetAddress      string `json:"streetAddress,omitempty" step:"streetAddress"`
	CommonName         string `json:"commonName,omitempty" step:"commonName"`
}

ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer x509 Certificate blocks.

type CipherSuites

type CipherSuites []string

CipherSuites represents an array of string codes representing the cipher suites.

func (CipherSuites) Validate

func (c CipherSuites) Validate() error

Validate implements models.Validator and checks that a cipher suite is valid.

func (CipherSuites) Value

func (c CipherSuites) Value() []uint16

Value returns an []uint16 for the cipher suites.

type Identity

type Identity struct {
	Crt *x509.Certificate
	Key interface{}
}

Identity contains a public/private x509 certificate/key pair.

func LoadIdentityFromDisk

func LoadIdentityFromDisk(crtPath, keyPath string, pemOpts ...pemutil.Options) (*Identity, error)

LoadIdentityFromDisk load a public certificate and private key (both in PEM format) from disk.

func NewIdentity

func NewIdentity(c *x509.Certificate, k interface{}) *Identity

NewIdentity returns a new Identity.

type Intermediate

type Intermediate struct {
	// contains filtered or unexported fields
}

Intermediate implements the Profile for a intermediate certificate.

func (*Intermediate) CreateCertificate

func (b *Intermediate) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Intermediate) CreateWriteCertificate

func (b *Intermediate) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

Create Certificate from profile and write the certificate and private key to disk.

func (*Intermediate) DefaultDuration added in v0.8.4

func (i *Intermediate) DefaultDuration() time.Duration

DefaultDuration returns the default Intermediate Certificate duration.

func (*Intermediate) GenerateDefaultKeyPair

func (b *Intermediate) GenerateDefaultKeyPair() error

func (*Intermediate) GenerateKeyPair

func (b *Intermediate) GenerateKeyPair(kty, crv string, size int) error

func (*Intermediate) Issuer

func (b *Intermediate) Issuer() *x509.Certificate

func (*Intermediate) SetIssuer

func (b *Intermediate) SetIssuer(iss *x509.Certificate)

func (*Intermediate) SetIssuerPrivateKey

func (b *Intermediate) SetIssuerPrivateKey(priv interface{})

func (*Intermediate) SetSubject

func (b *Intermediate) SetSubject(sub *x509.Certificate)

func (*Intermediate) SetSubjectPrivateKey

func (b *Intermediate) SetSubjectPrivateKey(priv interface{})

func (*Intermediate) SetSubjectPublicKey

func (b *Intermediate) SetSubjectPublicKey(pub interface{})

func (*Intermediate) Subject

func (b *Intermediate) Subject() *x509.Certificate

func (*Intermediate) SubjectPrivateKey

func (b *Intermediate) SubjectPrivateKey() interface{}

func (*Intermediate) SubjectPublicKey

func (b *Intermediate) SubjectPublicKey() interface{}

type Leaf

type Leaf struct {
	// contains filtered or unexported fields
}

Leaf implements the Profile for a leaf certificate.

func (*Leaf) CreateCertificate

func (b *Leaf) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Leaf) CreateWriteCertificate

func (b *Leaf) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

Create Certificate from profile and write the certificate and private key to disk.

func (*Leaf) DefaultDuration added in v0.8.4

func (b *Leaf) DefaultDuration() time.Duration

func (*Leaf) GenerateDefaultKeyPair

func (b *Leaf) GenerateDefaultKeyPair() error

func (*Leaf) GenerateKeyPair

func (b *Leaf) GenerateKeyPair(kty, crv string, size int) error

func (*Leaf) Issuer

func (b *Leaf) Issuer() *x509.Certificate

func (*Leaf) SetIssuer

func (b *Leaf) SetIssuer(iss *x509.Certificate)

func (*Leaf) SetIssuerPrivateKey

func (b *Leaf) SetIssuerPrivateKey(priv interface{})

func (*Leaf) SetSubject

func (b *Leaf) SetSubject(sub *x509.Certificate)

func (*Leaf) SetSubjectPrivateKey

func (b *Leaf) SetSubjectPrivateKey(priv interface{})

func (*Leaf) SetSubjectPublicKey

func (b *Leaf) SetSubjectPublicKey(pub interface{})

func (*Leaf) Subject

func (b *Leaf) Subject() *x509.Certificate

func (*Leaf) SubjectPrivateKey

func (b *Leaf) SubjectPrivateKey() interface{}

func (*Leaf) SubjectPublicKey

func (b *Leaf) SubjectPublicKey() interface{}

type Profile

type Profile interface {
	Issuer() *x509.Certificate
	Subject() *x509.Certificate
	SubjectPrivateKey() interface{}
	SubjectPublicKey() interface{}
	SetIssuer(*x509.Certificate)
	SetSubject(*x509.Certificate)
	SetSubjectPrivateKey(interface{})
	SetSubjectPublicKey(interface{})
	SetIssuerPrivateKey(interface{})
	CreateCertificate() ([]byte, error)
	GenerateKeyPair(string, string, int) error
	DefaultDuration() time.Duration
	CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)
}

Profile is an interface that certificate profiles (e.g. leaf, intermediate, root) must implement.

func NewIntermediateProfile

func NewIntermediateProfile(name string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

NewIntermediateProfile returns a new intermediate x509 Certificate profile.

func NewLeafProfile

func NewLeafProfile(cn string, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

NewLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.

func NewLeafProfileWithCSR

func NewLeafProfileWithCSR(csr *x509.CertificateRequest, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

NewLeafProfileWithCSR returns a new leaf x509 Certificate Profile with Subject Certificate fields populated directly from the CSR. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the CSR.

func NewLeafProfileWithTemplate

func NewLeafProfileWithTemplate(sub *x509.Certificate, iss *x509.Certificate, issPriv crypto.PrivateKey, withOps ...WithOption) (Profile, error)

NewLeafProfileWithTemplate returns a new leaf x509 Certificate Profile with Subject Certificate set to the value of the template argument. A public/private keypair **WILL NOT** be generated for this profile because the public key will be populated from the Subject Certificate parameter.

func NewRootProfile

func NewRootProfile(name string, withOps ...WithOption) (Profile, error)

NewRootProfile returns a new root x509 Certificate profile.

func NewRootProfileWithTemplate

func NewRootProfileWithTemplate(crt *x509.Certificate, withOps ...WithOption) (Profile, error)

NewRootProfileWithTemplate returns a new root x509 Certificate profile.

func NewSelfSignedLeafProfile added in v0.11.0

func NewSelfSignedLeafProfile(cn string, withOps ...WithOption) (Profile, error)

NewSelfSignedLeafProfile returns a new leaf x509 Certificate profile. A new public/private key pair will be generated for the Profile if not set in the `withOps` profile modifiers.

type Root

type Root struct {
	// contains filtered or unexported fields
}

Root implements the Profile for a root certificate.

func (*Root) CreateCertificate

func (b *Root) CreateCertificate() ([]byte, error)

CreateCertificate creates an x509 Certificate using the configuration stored in the profile.

func (*Root) CreateWriteCertificate

func (b *Root) CreateWriteCertificate(crtOut, keyOut, pass string) ([]byte, error)

Create Certificate from profile and write the certificate and private key to disk.

func (*Root) DefaultDuration added in v0.8.4

func (r *Root) DefaultDuration() time.Duration

DefaultDuration returns the default Root Certificate duration.

func (*Root) GenerateDefaultKeyPair

func (b *Root) GenerateDefaultKeyPair() error

func (*Root) GenerateKeyPair

func (b *Root) GenerateKeyPair(kty, crv string, size int) error

func (*Root) Issuer

func (b *Root) Issuer() *x509.Certificate

func (*Root) SetIssuer

func (b *Root) SetIssuer(iss *x509.Certificate)

func (*Root) SetIssuerPrivateKey

func (b *Root) SetIssuerPrivateKey(priv interface{})

func (*Root) SetSubject

func (b *Root) SetSubject(sub *x509.Certificate)

func (*Root) SetSubjectPrivateKey

func (b *Root) SetSubjectPrivateKey(priv interface{})

func (*Root) SetSubjectPublicKey

func (b *Root) SetSubjectPublicKey(pub interface{})

func (*Root) Subject

func (b *Root) Subject() *x509.Certificate

func (*Root) SubjectPrivateKey

func (b *Root) SubjectPrivateKey() interface{}

func (*Root) SubjectPublicKey

func (b *Root) SubjectPublicKey() interface{}

type TLSVersion

type TLSVersion float64

TLSVersion represents a TLS version number.

func (TLSVersion) String

func (v TLSVersion) String() string

String returns the Go constant for the TLSVersion.

func (TLSVersion) Validate

func (v TLSVersion) Validate() error

Validate implements models.Validator and checks that a cipher suite is valid.

func (TLSVersion) Value

func (v TLSVersion) Value() uint16

Value returns the Go constant for the TLSVersion.

type WithOption

type WithOption func(Profile) error

WithOption is a modifier function on base.

func GenerateKeyPair

func GenerateKeyPair(kty, crv string, size int) WithOption

GenerateKeyPair returns a Profile modifier that generates a public/private key pair for a profile.

func WithDNSNames added in v0.8.4

func WithDNSNames(dns []string) WithOption

WithDNSNames returns a Profile modifier which sets the DNS Names that will be bound to the subject alternative name extension of the Certificate.

func WithEmailAddresses added in v0.11.0

func WithEmailAddresses(emails []string) WithOption

WithEmailAddresses returns a Profile modifier which sets the Email Addresses that will be bound to the subject alternative name extension of the Certificate.

func WithHosts

func WithHosts(hosts string) WithOption

WithHosts returns a Profile modifier which sets the DNS Names and IP Addresses that will be bound to the subject Certificate.

`hosts` should be a comma separated string of DNS Names and IP Addresses. e.g. `127.0.0.1,internal.smallstep.com,blog.smallstep.com,1.1.1.1`.

func WithIPAddresses added in v0.8.4

func WithIPAddresses(ips []net.IP) WithOption

WithIPAddresses returns a Profile modifier which sets the IP Addresses that will be bound to the subject alternative name extension of the Certificate.

func WithIssuer

func WithIssuer(iss pkix.Name) WithOption

WithIssuer returns a Profile modifier that sets the Subject for a x509 Certificate.

func WithNotBeforeAfterDuration added in v0.8.4

func WithNotBeforeAfterDuration(nb, na time.Time, d time.Duration) WithOption

WithNotBeforeAfterDuration returns a Profile modifier that sets the `NotBefore` and `NotAfter` attributes of the subject x509 Certificate.

func WithPublicKey

func WithPublicKey(pub interface{}) WithOption

WithPublicKey returns a Profile modifier that sets the public key for a profile.

func WithSubject

func WithSubject(sub pkix.Name) WithOption

WithSubject returns a Profile modifier that sets the Subject for a x509 Certificate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL