Overview ¶
Package x509util includes utility code for working with X.509 certificates from the x509 package.
Index ¶
- func AppendRootCerts(pemCert []byte, rootCertFile string) ([]byte, error)
- func BuildSANExtension(identites []Identity) (*pkix.Extension, error)
- func BuildSubjectAltNameExtension(hosts string) (*pkix.Extension, error)
- func CertificateFromPEM(pemBytes []byte) (*x509.Certificate, error)
- func CertificateToString(cert *x509.Certificate) string
- func CertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
- func DualUseCommonName(host string) (string, error)
- func ExtractIDs(exts []pkix.Extension) ([]string, error)
- func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension
- func ExtractSCT(sctData *x509.SerializedSCT) (*ct.SignedCertificateTimestamp, error)
- func GenCSR(options CertOptions) ([]byte, []byte, error)
- func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
- func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, ...) (cert []byte, err error)
- func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
- func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)
- func GeneralNamesToString(gname *x509.GeneralNames) string
- func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
- func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool
- func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
- func MarshalSCTsIntoSCTList(scts []*ct.SignedCertificateTimestamp) (*x509.SignedCertificateTimestampList, error)
- func NameToString(name pkix.Name) string
- func OIDForStandardExtension(oid asn1.ObjectIdentifier) bool
- func OIDInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) (int, bool)
- func OtherNameToString(other x509.OtherName) string
- func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
- func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
- func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
- func ParseSCTsFromCertificate(certBytes []byte) ([]*ct.SignedCertificateTimestamp, error)
- func ParseSCTsFromSCTList(sctList *x509.SignedCertificateTimestampList) ([]*ct.SignedCertificateTimestamp, error)
- func TimeBeforeCertExpires(certBytes []byte, now time.Time) (time.Duration, error)
- func Verify(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
- func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte, ...) error
- type CertOptions
- type Identity
- type IdentityType
- type KeyCertBundle
- type KeyCertBundleImpl
- func NewKeyCertBundleWithRootCertFromFile(rootCertFile string) (*KeyCertBundleImpl, error)
- func NewVerifiedKeyCertBundleFromFile(certFile, privKeyFile, certChainFile, rootCertFile string) (*KeyCertBundleImpl, error)
- func NewVerifiedKeyCertBundleFromPem(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) (*KeyCertBundleImpl, error)
- func (b *KeyCertBundleImpl) CertOptions() (*CertOptions, error)
- func (b *KeyCertBundleImpl) ExtractCACertExpiryTimestamp() (float64, error)
- func (b *KeyCertBundleImpl) ExtractRootCertExpiryTimestamp() (float64, error)
- func (b *KeyCertBundleImpl) GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, ...)
- func (b *KeyCertBundleImpl) GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)
- func (b *KeyCertBundleImpl) GetCertChainPem() []byte
- func (b *KeyCertBundleImpl) GetRootCertPem() []byte
- func (b *KeyCertBundleImpl) VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
- type SupportedECSignatureAlgorithms
- type VerifyFields
Functions ¶
func AppendRootCerts ¶
AppendRootCerts appends the root certificates read from rootCertFile to the input PEM certificate pemCert and returns the combined PEM bytes.
func BuildSANExtension ¶
BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.
func BuildSubjectAltNameExtension ¶
BuildSubjectAltNameExtension builds the SAN extension for the certificate from the given comma-separated hosts string.
func CertificateFromPEM ¶
func CertificateFromPEM(pemBytes []byte) (*x509.Certificate, error)
CertificateFromPEM takes a certificate in PEM format and returns the corresponding x509.Certificate object.
func CertificateToString ¶
func CertificateToString(cert *x509.Certificate) string
CertificateToString generates a string describing the given certificate. The output roughly resembles that from openssl x509 -text.
func CertificatesFromPEM ¶
func CertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error)
CertificatesFromPEM parses one or more certificates from the given PEM data. The PEM blocks must be concatenated. This function can be used for parsing PEM-formatted certificate chains, but it does not verify that the result forms a valid chain (signatures, ordering, validity periods are not checked); use Verify or VerifyCertificate for that.
func DualUseCommonName ¶
DualUseCommonName extracts a valid CommonName from a comma-delimited host string for dual-use certificates.
func ExtractIDs ¶
ExtractIDs first finds the SAN extension in the given extension set, then extracts the identities from that SAN extension.
func ExtractSANExtension ¶
ExtractSANExtension extracts the "Subject Alternative Name" extension from the given PKIX extension set (presumably nil when none is present — confirm against the implementation).
func ExtractSCT ¶
func ExtractSCT(sctData *x509.SerializedSCT) (*ct.SignedCertificateTimestamp, error)
ExtractSCT deserializes an SCT from a TLS-encoded SCT.
func GenCSR ¶
func GenCSR(options CertOptions) ([]byte, []byte, error)
GenCSR generates an X.509 certificate signing request (CSR) and a private key with the given options.
func GenCSRTemplate ¶
func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
GenCSRTemplate generates a certificateRequest template with the given options.
func GenCertFromCSR ¶
func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, publicKey interface{}, signingKey crypto.PrivateKey, subjectIDs []string, ttl time.Duration, isCA bool) (cert []byte, err error)
GenCertFromCSR generates an X.509 certificate for publicKey, signed with signingCert/signingKey, valid for ttl, and marked as a CA when isCA is true; subjectIDs are presumably the identities placed in the certificate's SAN extension. Nothing here indicates that the CSR's signature or the requester's right to the requested identities is checked — callers should validate both before issuing.
func GenCertKeyFromOptions ¶
func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
GenCertKeyFromOptions generates an X.509 certificate and a private key with the given options, both PEM encoded.
func GenRootCertFromExistingKey ¶
func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)
GenRootCertFromExistingKey generates an X.509 root certificate using an existing CA private key taken from options, returning the PEM-encoded cert and key. Only called by a self-signed Citadel.
func GeneralNamesToString ¶
func GeneralNamesToString(gname *x509.GeneralNames) string
GeneralNamesToString creates a string description of an x509.GeneralNames object.
func GetRSAKeySize ¶
func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
GetRSAKeySize returns the key size if privKey is an RSA key; otherwise it returns an error.
func IsSupportedECPrivateKey ¶
func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool
IsSupportedECPrivateKey is a predicate returning true if the private key is an EC key of a supported type (see SupportedECSignatureAlgorithms).
func LoadSignerCredsFromFiles ¶
func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
LoadSignerCredsFromFiles loads the signer certificate and private key from the given files.
signerCertFile: certificate file name; signerPrivFile: private key file name.
func MarshalSCTsIntoSCTList ¶
func MarshalSCTsIntoSCTList(scts []*ct.SignedCertificateTimestamp) (*x509.SignedCertificateTimestampList, error)
MarshalSCTsIntoSCTList serializes SCTs into SCT list.
func NameToString ¶
NameToString creates a string description of a pkix.Name object.
func OIDForStandardExtension ¶
func OIDForStandardExtension(oid asn1.ObjectIdentifier) bool
OIDForStandardExtension indicates whether oid identifies a standard extension. Standard extensions are listed in RFC 5280 (and other RFCs).
func OIDInExtensions ¶
OIDInExtensions checks whether the extension identified by oid is present in extensions and returns how many times it occurs together with an indication of whether any of them are marked critical.
func OtherNameToString ¶
OtherNameToString creates a string description of an x509.OtherName object.
func ParsePemEncodedCSR ¶
func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
ParsePemEncodedCSR constructs an `x509.CertificateRequest` object from the given PEM-encoded certificate signing request.
func ParsePemEncodedCertificate ¶
func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
ParsePemEncodedCertificate constructs an `x509.Certificate` object from the given PEM-encoded certificate.
func ParsePemEncodedKey ¶
func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
ParsePemEncodedKey takes a PEM-encoded key and parses the bytes into a `crypto.PrivateKey`.
func ParseSCTsFromCertificate ¶
func ParseSCTsFromCertificate(certBytes []byte) ([]*ct.SignedCertificateTimestamp, error)
ParseSCTsFromCertificate parses any SCTs that are embedded in the certificate provided. The certificate bytes provided can be either DER or PEM, provided the PEM data starts with the PEM block marker (i.e. has no leading text).
func ParseSCTsFromSCTList ¶
func ParseSCTsFromSCTList(sctList *x509.SignedCertificateTimestampList) ([]*ct.SignedCertificateTimestamp, error)
ParseSCTsFromSCTList parses each of the SCTs contained within an SCT list.
func TimeBeforeCertExpires ¶
TimeBeforeCertExpires returns the time remaining until the cert expires, measured from now. It returns an error if it fails to extract the cert's expiration timestamp. The returned duration can be negative, indicating the cert has already expired.
func VerifyCertificate ¶
func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte, expectedFields *VerifyFields) error
VerifyCertificate verifies the given PEM-encoded certificate chain by building one or more chains from the leaf certificate to a root certificate in rootCertPem, and by checking that the certificate's fields are set as described by expectedFields. privPem is presumably checked to match the leaf certificate's public key — confirm against the implementation.
Types ¶
type CertOptions ¶
// CertOptions contains options for generating a new certificate.
type CertOptions struct {
	// Comma-separated hostnames and IPs to generate a certificate for.
	// This can also be set to the identity running the workload,
	// like a Kubernetes service account.
	Host string
	// The NotBefore field of the issued certificate.
	NotBefore time.Time
	// TTL of the certificate: NotAfter - NotBefore.
	TTL time.Duration
	// Signer certificate.
	SignerCert *x509.Certificate
	// Signer private key.
	SignerPriv crypto.PrivateKey
	// Signer private key (PEM encoded). This is secret material; do not log it.
	SignerPrivPem []byte
	// Organization for this certificate.
	Org string
	// The size of the RSA private key to be generated (only used when ECSigAlg is empty).
	RSAKeySize int
	// Whether this certificate is used as a signing cert for a CA.
	IsCA bool
	// Whether this certificate is self-signed.
	IsSelfSigned bool
	// Whether this certificate is for a client.
	IsClient bool
	// Whether this certificate is for a server.
	IsServer bool
	// Whether this certificate is for dual-use clients (SAN+CN); see DualUseCommonName.
	IsDualUse bool
	// If true, the private key is encoded with PKCS#8.
	PKCS8Key bool
	// The type of elliptic-curve signature algorithm to use
	// when generating private keys. Currently only ECDSA is supported.
	// If empty, RSA is used, otherwise ECC is used.
	ECSigAlg SupportedECSignatureAlgorithms
}
CertOptions contains options for generating a new certificate.
func GetCertOptionsFromExistingCert ¶
func GetCertOptionsFromExistingCert(certBytes []byte) (opts CertOptions, err error)
GetCertOptionsFromExistingCert parses the certificate and generates a CertOptions describing it. This is the reverse of genCertTemplateFromOptions(), and it is only called by a self-signed Citadel.
func MergeCertOptions ¶
func MergeCertOptions(defaultOpts, deltaOpts CertOptions) CertOptions
MergeCertOptions merges deltaOpts into defaultOpts and returns the merged CertOptions. Only called by a self-signed Citadel.
type Identity ¶
// Identity holds an encoded identifier together with its type, which
// determines how the identifier is encoded into a SAN extension.
type Identity struct {
	// Type selects the SAN entry kind (DNS, IP or URI) used for Value.
	Type IdentityType
	// Value holds the encoded identifier bytes.
	Value []byte
}
Identity is an object holding both the encoded identifier bytes as well as the type of the identity.
func ExtractIDsFromSAN ¶
ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.
type IdentityType ¶
// IdentityType represents the type of an identity. It is used to properly
// encode an identity into a SAN extension.
type IdentityType int
IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension.
const (
	// TypeDNS represents a DNS name.
	TypeDNS IdentityType = iota
	// TypeIP represents an IP address.
	TypeIP
	// TypeURI represents a universal resource identifier.
	TypeURI
)
type KeyCertBundle ¶
// KeyCertBundle stores the cert, private key, cert chain and root cert for an
// entity. Implementations are expected to be thread safe.
type KeyCertBundle interface {
	// GetAllPem returns all key/cert PEMs in KeyCertBundle together.
	// Getting all values together avoids inconsistency between the fields.
	GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)
	// GetAll returns the parsed cert and private key together with the cert
	// chain and root cert PEMs. Getting all values together avoids
	// inconsistency. Callers should not modify the returned cert or privKey.
	GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, certChainBytes, rootCertBytes []byte)
	// GetCertChainPem returns the certificate chain PEM.
	GetCertChainPem() []byte
	// GetRootCertPem returns the root certificate PEM.
	GetRootCertPem() []byte
	// VerifyAndSetAll verifies the key/certs, and sets all key/certs in
	// KeyCertBundle together. Setting all values together avoids inconsistency.
	VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
	// CertOptions returns the CertOptions for rotating the current key cert.
	CertOptions() (*CertOptions, error)
	// ExtractRootCertExpiryTimestamp returns the unix timestamp when the root
	// cert expires. An error indicates the certificate is expired.
	// NOTE(review): presumably an error is also returned when the PEM cannot
	// be parsed — confirm against the implementation.
	ExtractRootCertExpiryTimestamp() (float64, error)
	// ExtractCACertExpiryTimestamp returns the unix timestamp when the CA cert
	// expires. An error indicates the certificate is expired.
	// NOTE(review): presumably an error is also returned when the PEM cannot
	// be parsed — confirm against the implementation.
	ExtractCACertExpiryTimestamp() (float64, error)
}
KeyCertBundle stores the cert, private key, cert chain and root cert for an entity. It is thread safe. TODO(myidpt): Remove this interface.
type KeyCertBundleImpl ¶
type KeyCertBundleImpl struct {
// contains filtered or unexported fields
}
KeyCertBundleImpl implements the KeyCertBundle interface. The cert and privKey must be a matching public/private key pair, and the cert must be verifiable from the rootCert through the certChain. cert and privKey are pointers to the objects parsed from certBytes/privKeyBytes.
func NewKeyCertBundleWithRootCertFromFile ¶
func NewKeyCertBundleWithRootCertFromFile(rootCertFile string) (*KeyCertBundleImpl, error)
NewKeyCertBundleWithRootCertFromFile returns a new KeyCertBundle populated with the root cert read from rootCertFile. No verification is performed on the root cert, so the file contents must come from a trusted source.
func NewVerifiedKeyCertBundleFromFile ¶
func NewVerifiedKeyCertBundleFromFile(certFile, privKeyFile, certChainFile, rootCertFile string) ( *KeyCertBundleImpl, error)
NewVerifiedKeyCertBundleFromFile reads the key/certs from the given files and returns a new KeyCertBundle, or an error if the provided key/certs fail verification (see VerifyAndSetAll).
func NewVerifiedKeyCertBundleFromPem ¶
func NewVerifiedKeyCertBundleFromPem(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) ( *KeyCertBundleImpl, error)
NewVerifiedKeyCertBundleFromPem returns a new KeyCertBundle built from the given PEM bytes, or an error if the provided key/certs fail verification (see VerifyAndSetAll).
func (*KeyCertBundleImpl) CertOptions ¶
func (b *KeyCertBundleImpl) CertOptions() (*CertOptions, error)
CertOptions returns the certificate config based on currently stored cert.
func (*KeyCertBundleImpl) ExtractCACertExpiryTimestamp ¶
func (b *KeyCertBundleImpl) ExtractCACertExpiryTimestamp() (float64, error)
ExtractCACertExpiryTimestamp returns the unix timestamp when the CA cert (the cert chain) expires.
func (*KeyCertBundleImpl) ExtractRootCertExpiryTimestamp ¶
func (b *KeyCertBundleImpl) ExtractRootCertExpiryTimestamp() (float64, error)
ExtractRootCertExpiryTimestamp returns the unix timestamp when the root cert expires.
func (*KeyCertBundleImpl) GetAll ¶
func (b *KeyCertBundleImpl) GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, certChainBytes, rootCertBytes []byte)
GetAll returns all key/cert in KeyCertBundle together. Getting all values together avoids inconsistency. NOTE: Callers should not modify the content of cert and privKey.
func (*KeyCertBundleImpl) GetAllPem ¶
func (b *KeyCertBundleImpl) GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)
GetAllPem returns all key/cert PEMs in KeyCertBundle together. Getting all values together avoids inconsistency.
func (*KeyCertBundleImpl) GetCertChainPem ¶
func (b *KeyCertBundleImpl) GetCertChainPem() []byte
GetCertChainPem returns the certificate chain PEM.
func (*KeyCertBundleImpl) GetRootCertPem ¶
func (b *KeyCertBundleImpl) GetRootCertPem() []byte
GetRootCertPem returns the root certificate PEM.
func (*KeyCertBundleImpl) VerifyAndSetAll ¶
func (b *KeyCertBundleImpl) VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
VerifyAndSetAll verifies the key/certs, and sets all key/certs in KeyCertBundle together. Setting all values together avoids inconsistency.
type SupportedECSignatureAlgorithms ¶
// SupportedECSignatureAlgorithms names the elliptic-curve signature algorithm
// to use for key generation. Only the values declared below are accepted.
type SupportedECSignatureAlgorithms string
SupportedECSignatureAlgorithms names the elliptic-curve signature algorithm to use for key generation (e.g. ECDSA; Ed25519 is not currently a supported value, see EcdsaSigAlg).
const (
	// EcdsaSigAlg selects ECDSA key generation; only ECDSA using P256 is
	// currently supported.
	EcdsaSigAlg SupportedECSignatureAlgorithms = "ECDSA"
)