cat

package module
v0.2.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 17, 2024 License: ISC Imports: 17 Imported by: 0

README

go-cat

go reference pipeline status coverage report

This package implements a set of shorthand/utility functions for performing CA tasks during testing, such as:

  • generating private keys and passphrases,
  • generating chains of one or more CA certificates,
  • issuing server and client certificates from those chains,
  • marshaling private keys to/from files/buffers with/without encryption,
  • marshaling certificates and certificate chains to/from files/buffers.

Need to generate a self-signed server certificate pair with an RSA private key, write it to a file, and don't want to deal with error handling?

cat.GenerateServerChainP([]*cat.Template{{
  KeyFormat: cat.RSA_2048_PKCS8,
  Certificate: x509.Certificate{
    Subject:  pkix.Name{CommonName: "example.com"},
    DNSNames: []string{"example.com"},
  }
}}).WriteFileP("test.pem", 0600, true)

How about multiple versions of that same certificate pair, issued across a range of private key algorithms and encodings?

for _, kf := range cat.KeyFormat{
  cat.RSA_2048_PKCS1,
  cat.RSA_4096_PKCS8,
  cat.ECDSA_P384_SEC1,
  cat.ECDSA_P521_PKCS8,
  cat.ED25519_PKCS8
} {
  cat.GenerateServerChainP([]*cat.Template{{
    KeyFormat: kf,
    Certificate: x509.Certificate{
      Subject:  pkix.Name{CommonName: "example.com"},
      DNSNames: []string{"example.com"},
    }
  }}).WriteFileP(fmt.Sprintf("test_%s.pem", kf), 0600, true)
}

How about a both a client and a server certificate issued from the same CA chain, with the root CA certificate, server chain, and client chain each written to separate files, and each one using a different private key algorithm, and the client private key encrypted?

ch := cat.GenerateChainP([]*cat.Template{{
  KeyFormat: cat.RSA_2048_PKCS8,
  Certificate: x509.Certificate{Subject: pkix.Name{CommonName: "Test Root"}},
}, {
  Certificate: x509.Certificate{Subject: pkix.Name{CommonName: "Test Intermediate"}},
})
ch[1:].WriteFileP("root.crt", 0600, false)
ch.IssueServerChainP([]*cat.Template{{
  KeyFormat: cat.ECDSA_P384_PKCS8,
  Certificate: x509.Certificate{
    Subject:  pkix.Name{CommonName: "example.com"},
    DNSNames: []string{"example.com"},
  }
}})[:2].WriteFileP("server.pem", 0600, true)
ch.IssueClientChainP([]*cat.Template{{
  KeyFormat: cat.ED25519_PKCS8,
  Certificate: x509.Certificate{
    Subject: pkix.Name{CommonName: "Test Client"},
  }
}})[:2].WriteEncryptedFileP("client.pem", 0600, x509.PEMCipherAES256, []byte("password"))

You get the idea.

If it looks overwrought, that's because it is. All of the functionality provided here already exists in the Go standard libraries, this package exists purely as a shorthand for that functionality in scenarios where the tasks being performed are not the most important part of the code you're writing, e.g. dynamically generating test keys and certificates as part of unit testing something else.

The idea is to allow for as concise an expression of intent as possible, and to that end most functions implemented in this package are provided in multiple flavours (including panic-on-error variants for everything) to hopefully minimise the number of function calls required to accomplish a task.

Documentation

Overview

Package cat implements a set of shorthand/utility functions for performing CA tasks during testing.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ParseDurationP 

func ParseDurationP(value string) time.Duration

Alternate version of time.ParseDuration that panics on error.

func ParseTimeP 

func ParseTimeP(layout, value string) time.Time

Alternate version of time.Parse that panics on error.

func RandBytes added in v0.1.1 

func RandBytes(len int) ([]byte, error)

Return a slice of len random bytes from rand.Read.

func RandBytesP added in v0.1.1 

func RandBytesP(len int) []byte

Alternate version of RandBytes that panics on error.

func RandHexBytes added in v0.1.1 

func RandHexBytes(len int) ([]byte, error)

Return a slice of len hex-encoded random bytes from rand.Read.

func RandHexBytesP added in v0.1.1 

func RandHexBytesP(len int) []byte

Alternate version of RandHexBytes that panics on error.

func RandInt added in v0.1.1 

func RandInt(bitMax uint) (*big.Int, error)

Return a random big.Int from rand.Int in [0, 1 << bitMax).

func RandIntP added in v0.1.1 

func RandIntP(bitMax uint) *big.Int

Alternate version of RandInt that panics on error.

Types

type Chain 

type Chain []*Pair

Represents a generated chain of certificate pairs, ordered leaf-first.

func DecodeChain added in v0.1.2 

func DecodeChain(data, pass []byte) (Chain, error)

Decode a chain of PEM-encoded certificate pairs.

This function attempts to consume the entire input, and will return an error if it does not find at least one PEM-encoded certificate or certificate pair, or if it encounters any unrecognised PEM blocks. If pass is not nil it will be used as a passphrase to attempt to decrypt private keys, otherwise encrypted keys will be rejected.

func DecodeChainP added in v0.1.2 

func DecodeChainP(data, pass []byte) Chain

Alternate version of DecodeChain that panics on error.

func GenerateChain 

func GenerateChain(tmps []*Template) (Chain, error)

Generate a certificate chain according to the provided templates. The first template is assumed to represent a self-signed root CA, and any subsequent templates are assumed to represent intermediate CAs issued in sequence from that root.

If Key field in the template is populated it will be used as private key for that pair, otherwise a new private key is generated according to the value of the KeyFormat field. If neither Key or KeyFormat are populated the template will inherit the KeyFormat of its parent template and a new private key will be generated.

The contents of the Certificate struct in each template are parsed identically to (and ultimately by) x509.CreateCertificate, but with some additional logic allowing them to be automatically populated beforehand if left unset:

  • If the SerialNumber field is unpopulated it will either inherit the serial number of the parent template (incremented by one), or be set to 1 if no parent exists.
  • If both NotBefore and NotAfter are unpopulated they will either inherit the validity period of the parent template, or be set to a 24-hour period starting from the current time if no parent exists.
  • If all of KeyUsage, ExtKeyUsage, IsCA, BasicConstraintsValid, MaxPathLen, and MaxPathLenZero are unpopulated then the template will be configured as a CA certificate with unlimited path length.
  • If MaxPathLen or MaxPathLenZero are populated but all of KeyUsage, ExtKeyUsage, IsCA, and BasicConstraintsValid are not then the template will be configured as a CA certificate with the specified path length.

The resulting certificate chain is returned in reverse order relative to the templates, starting with the leaf-most certificate pair.

func GenerateChainP 

func GenerateChainP(tmps []*Template) Chain

Alternate version of GenerateChain that panics on error.

func GenerateClientChain 

func GenerateClientChain(tmps []*Template) (Chain, error)

Generate a certificate chain ending with a client end-entity certificate, according to the provided templates.

This function behaves identically to GenerateChain, save for the fact that the leaf-most certificate in the chain will be configured as a client end-entity certificate rather than a CA certificate if none of its KeyUsage, ExtKeyUsage, IsCA, MaxPathLen, MaxPathLenZero, or BasicConstraintsValid fields are populated in the template.

If the provided chain consists of a single template, a single self-signed client end-entity certificate pair will be produced.

func GenerateClientChainP 

func GenerateClientChainP(tmps []*Template) Chain

Alternate version of GenerateClientChain that panics on error.

func GenerateServerChain 

func GenerateServerChain(tmps []*Template) (Chain, error)

Generate a certificate chain ending with a server end-entity certificate, according to the provided templates.

This function behaves identically to GenerateChain, save for the fact that the leaf-most certificate in the chain will be configured as a server end-entity certificate rather than a CA certificate if none of its KeyUsage, ExtKeyUsage, IsCA, MaxPathLen, MaxPathLenZero, or BasicConstraintsValid fields are populated in the template.

If the provided chain consists of a single template, a single self-signed server end-entity certificate pair will be produced.

func GenerateServerChainP 

func GenerateServerChainP(tmps []*Template) Chain

Alternate version of GenerateServerChain that panics on error.

func ReadChainFile added in v0.1.2 

func ReadChainFile(name string, pass []byte) (Chain, error)

Read and decode a chain of PEM-encoded certificate pairs from a file

This function attempts to consume the entire file, and will return an error if it does not find at least one PEM-encoded certificate or certificate pair, or if it encounters any unrecognised PEM blocks. If pass is not nil it will be used as a passphrase to attempt to decrypt private keys, otherwise encrypted keys will be rejected.

func ReadChainFileP added in v0.1.2 

func ReadChainFileP(name string, pass []byte) Chain

Alternate version of ReadChainFile that panics on error.

func (Chain) CertPool added in v0.2.0 

func (ch Chain) CertPool() *x509.CertPool

Return an x509.CertPool instance containing the root-most certificate in this chain.

func (Chain) Encode 

func (ch Chain) Encode(withKey bool) ([]byte, error)

Encode certificate chain as PEM, optionally preceded by a plain-text copy of the leaf certificate private key.

func (Chain) EncodeP 

func (ch Chain) EncodeP(withKey bool) []byte

Alternate version of Encode that panics on error.

func (Chain) Encrypt 

func (ch Chain) Encrypt(alg x509.PEMCipher, pass []byte) ([]byte, error)

Encode certificate chain as PEM, preceded by a passphrase-encrypted copy of the leaf certificate private key.

func (Chain) EncryptP 

func (ch Chain) EncryptP(alg x509.PEMCipher, pass []byte) []byte

Alternate version of Encrypt that panics on error.

func (Chain) Head 

func (ch Chain) Head(num int) Chain

Returns a slice from the front of the chain; non-negative values specify how many pairs to keep, negative values specify how many pairs to drop.

func (Chain) IssueChain 

func (ch Chain) IssueChain(tmps []*Template) (Chain, error)

Generate a new certificate chain according to the provided templates, using this chain as the issuing CA.

This function behaves identically to GenerateChain, save for the fact that the leaf-most certificate in this chain will be used as the issuing CA for the new chain, rather than it beginning with a self-signed root.

The resulting certificate chain will be a concatenation of the two, starting with the leaf-most certificate pair.

func (Chain) IssueChainP 

func (ch Chain) IssueChainP(tmps []*Template) Chain

Alternate version of IssueChain that panics on error.

func (Chain) IssueClientChain 

func (ch Chain) IssueClientChain(tmps []*Template) (Chain, error)

Generate a new certificate chain according to the provided templates, ending with a client end-entity certificate, and using this chain as the issuing CA.

This function behaves identically to GenerateClientChain, save for the fact that the leaf-most certificate in this chain will be used as the issuing CA for the new chain, rather than it beginning with a self-signed root.

The resulting certificate chain will be a concatenation of the two, starting with the leaf-most certificate pair.

func (Chain) IssueClientChainP 

func (ch Chain) IssueClientChainP(tmps []*Template) Chain

Alternate version of IssueClientChain that panics on error.

func (Chain) IssueServerChain 

func (ch Chain) IssueServerChain(tmps []*Template) (Chain, error)

Generate a new certificate chain according to the provided templates, ending with a server end-entity certificate, and using this chain as the issuing CA.

This function behaves identically to GenerateServerChain, save for the fact that the leaf-most certificate in this chain will be used as the issuing CA for the new chain, rather than it beginning with a self-signed root.

The resulting certificate chain will be a concatenation of the two, starting with the leaf-most certificate pair.

func (Chain) IssueServerChainP 

func (ch Chain) IssueServerChainP(tmps []*Template) Chain

Alternate version of IssueServerChain that panics on error.

func (Chain) SelfSigned added in v0.2.0 

func (ch Chain) SelfSigned() bool

Returns true if the root-most certificate in this chain is self-signed.

func (Chain) String 

func (ch Chain) String() string

Returns a string representation of this certificate chain.

func (Chain) TLS added in v0.2.0 

func (ch Chain) TLS() *tls.Certificate

Return a tls.Certificate instance created from this chain.

func (Chain) Tail 

func (ch Chain) Tail(num int) Chain

Returns a slice from the back of the chain; non-negative values specify how many pairs to keep, negative values specify how many pairs to drop.

func (Chain) Write 

func (ch Chain) Write(out io.Writer, withKey bool) error

Encode certificate chain as PEM, optionally preceded by a plain-text copy of the leaf certificate private key, then write it to a stream.

func (Chain) WriteEncrypted 

func (ch Chain) WriteEncrypted(out io.Writer, alg x509.PEMCipher, pass []byte) error

Encode certificate chain as PEM, preceded by a passphrase-encrypted copy of the leaf certificate private key, then write it to a stream.

func (Chain) WriteEncryptedFile 

func (ch Chain) WriteEncryptedFile(name string, mode os.FileMode, alg x509.PEMCipher, pass []byte) error

Encode certificate chain as PEM, preceded by a passphrase-encrypted copy of the leaf certificate private key, then write it to a file.

func (Chain) WriteEncryptedFileP 

func (ch Chain) WriteEncryptedFileP(name string, mode os.FileMode, alg x509.PEMCipher, pass []byte)

Alternate version of WriteEncryptedFile that panics on error.

func (Chain) WriteEncryptedP 

func (ch Chain) WriteEncryptedP(out io.Writer, alg x509.PEMCipher, pass []byte)

Alternate version of WriteEncrypted that panics on error.

func (Chain) WriteFile 

func (ch Chain) WriteFile(name string, mode os.FileMode, withKey bool) error

Encode certificate chain as PEM, optionally preceded by a plain-text copy of the leaf certificate private key, then write it to a file.

func (Chain) WriteFileP 

func (ch Chain) WriteFileP(name string, mode os.FileMode, withKey bool)

Alternate version of WriteFile that panics on error.

func (Chain) WriteP 

func (ch Chain) WriteP(out io.Writer, withKey bool)

Alternate version of Write that panics on error.

func (Chain) X509 added in v0.2.0 

func (ch Chain) X509() []*x509.Certificate

Returns this chain as an x509.Certificate array.

type Key 

type Key struct {
	crypto.PrivateKey
	crypto.Signer

	Key    any       // The actual private key object wrapped by this one.
	Format KeyFormat // The associated format for this private key.
}

Represents a combination of a private key and associated format information.

Implements crypto.PrivateKey and crypto.Signer so it can be used directly with most functions expecting a standard Go private key.

func DecodeKey added in v0.1.2 

func DecodeKey(data, pass []byte) (*Key, []byte, error)

Decode a PEM-encoded private key and return it alongside any unconsumed bytes.

Returns an error if the provided data contains no PEM blocks, or if the first PEM block found cannot be decoded as a private key. If pass is not nil it will be used as a passphrase to attempt to decrypt private keys, otherwise encrypted keys will be rejected.

func DecodeKeyP added in v0.1.2 

func DecodeKeyP(data, pass []byte) (*Key, []byte)

Alternate version of DecodeKey that panics on error.

func GenerateKey 

func GenerateKey(kf KeyFormat) (*Key, error)

Generate a new private key according to the specified format.

func GenerateKeyP 

func GenerateKeyP(kf KeyFormat) *Key

Alternate version of GenerateKey that panics on error.

func ReadKeyFile added in v0.1.2 

func ReadKeyFile(name string, pass []byte) (*Key, error)

Read and decode a PEM-encoded private key from a file.

Returns an error if the provided file contains no PEM blocks, or if the first PEM block found cannot be decoded as a private key. If pass is not nil it will be used as a passphrase to attempt to decrypt private keys, otherwise encrypted keys will be rejected.

func ReadKeyFileP added in v0.1.2 

func ReadKeyFileP(name string, pass []byte) *Key

Alternate version of ReadKeyFile that panics on error.

func (*Key) Encode 

func (k *Key) Encode() ([]byte, error)

Encode private key as PEM according to its associated key format.

func (*Key) EncodeP 

func (k *Key) EncodeP() []byte

Alternate version of Encode that panics on error.

func (*Key) EncodePublic added in v0.2.1 

func (k *Key) EncodePublic() ([]byte, error)

Encode public portion of key as PEM according to its associated key format.

Most private key formats defined in this library do not have a directly equivalent public key format. RSA+PKCS1 formats will encode public keys using PKCS1; all other formats use PKIX, a.k.a SubjectPublicKeyInfo.

func (*Key) EncodePublicP added in v0.2.1 

func (k *Key) EncodePublicP() []byte

Alternate version of EncodePublic that panics on error.

func (*Key) Encrypt 

func (k *Key) Encrypt(alg x509.PEMCipher, pass []byte) ([]byte, error)

Encode private key as passphrase-encrypted PEM according to its associated key format.

func (*Key) EncryptP 

func (k *Key) EncryptP(alg x509.PEMCipher, pass []byte) []byte

Alternate version of Encrypt that panics on error.

func (*Key) Equal 

func (k *Key) Equal(x crypto.PrivateKey) bool

Implements crypto.PrivateKey.Equal; equality comparison between this private key and another.

func (*Key) Public 

func (k *Key) Public() crypto.PublicKey

Implements crypto.PrivateKey.Public; returns the public key for this private key.

func (*Key) Sign 

func (k *Key) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error)

Implements crypto.Signer.Sign; signs a digest with this private key.

func (*Key) Write 

func (k *Key) Write(out io.Writer) error

Encode private key as PEM according to its associated key format, then write it to a stream.

func (*Key) WriteEncrypted 

func (k *Key) WriteEncrypted(out io.Writer, alg x509.PEMCipher, pass []byte) error

Encode private key as passphrase-encrypted PEM according to its associated key format, then write it to a stream.

func (*Key) WriteEncryptedFile 

func (k *Key) WriteEncryptedFile(name string, mode os.FileMode, alg x509.PEMCipher, pass []byte) error

Encode private key as passphrase-encrypted PEM according to its associated key format, then write it to a file.

func (*Key) WriteEncryptedFileP 

func (k *Key) WriteEncryptedFileP(name string, mode os.FileMode, alg x509.PEMCipher, pass []byte)

Alternate version of WriteEncryptedFile that panics on error.

func (*Key) WriteEncryptedP 

func (k *Key) WriteEncryptedP(out io.Writer, alg x509.PEMCipher, pass []byte)

Alternate version of WriteEncrypted that panics on error.

func (*Key) WriteFile 

func (k *Key) WriteFile(name string, mode os.FileMode) error

Encode private key as PEM according to its associated key format, then write it to a file.

func (*Key) WriteFileP 

func (k *Key) WriteFileP(name string, mode os.FileMode)

Alternate version of WriteFile that panics on error.

func (*Key) WriteP 

func (k *Key) WriteP(out io.Writer)

Alternate version of Write that panics on error.

func (*Key) WritePublic added in v0.2.1 

func (k *Key) WritePublic(out io.Writer) error

Encode public portion of key as PEM according to its associated key format, then write it to a stream.

Most private key formats defined in this library do not have a directly equivalent public key format. RSA+PKCS1 formats will encode public keys using PKCS1; all other formats use PKIX, a.k.a SubjectPublicKeyInfo.

func (*Key) WritePublicFile added in v0.2.1 

func (k *Key) WritePublicFile(name string, mode os.FileMode) error

Encode public portion of a key as PEM according to its associated key format, then write it to a file.

Most private key formats defined in this library do not have a directly equivalent public key format. RSA+PKCS1 formats will encode public keys using PKCS1; all other formats use PKIX, a.k.a SubjectPublicKeyInfo.

func (*Key) WritePublicFileP added in v0.2.1 

func (k *Key) WritePublicFileP(name string, mode os.FileMode)

Alternate version of WritePublicFile that panics on error.

func (*Key) WritePublicP added in v0.2.1 

func (k *Key) WritePublicP(out io.Writer)

Alternate version of WritePublic that panics on error.

type KeyFormat 

type KeyFormat int

Represents a combination of a private key algorithm, generation parameters such as key size or elliptic curve, and marshaling/encoding parameters. 

const (
	// Portion of a KeyFormat that describes private key algorithm and parameters.
	KeyTypeMask KeyFormat = 0x00ffff
	// Portion of a KeyFormat that describes private key encoding format.
	KeyEncodingMask KeyFormat = 0xff0000
)
const (
	// RSA key.
	RSA KeyFormat = 0x000001 << iota
	// ECDSA key.
	ECDSA
	// Ed25519 key.
	ED25519
)
const (
	// 1024-bit RSA key.
	RSA_1024 KeyFormat = RSA | 0x000100<<iota
	// 2048-bit RSA key.
	RSA_2048
	// 3072-bit RSA key.
	RSA_3072
	// 4096-bit RSA key.
	RSA_4096
)
const (
	// ECDSA key using NIST P-224.
	ECDSA_P224 KeyFormat = ECDSA | 0x000100<<iota
	// ECDSA key using NIST P-256.
	ECDSA_P256
	// ECDSA key using NIST P-384.
	ECDSA_P384
	// ECDSA key using NIST P-521.
	ECDSA_P521
)
const (
	// Marshal with PKCS #1.
	PKCS1 KeyFormat = 0x010000 << iota
	// Marshal with PKCS #8.
	PKCS8
	// Marshal with SEC 1.
	SEC1
)
const (
	// 1024-bit RSA key marshaled using PKCS #1.
	RSA_1024_PKCS1 KeyFormat = RSA_1024 | PKCS1
	// 2048-bit RSA key marshaled using PKCS #1.
	RSA_2048_PKCS1 KeyFormat = RSA_2048 | PKCS1
	// 3072-bit RSA key marshaled using PKCS #1.
	RSA_3072_PKCS1 KeyFormat = RSA_3072 | PKCS1
	// 4096-bit RSA key marshaled using PKCS #1.
	RSA_4096_PKCS1 KeyFormat = RSA_4096 | PKCS1
	// 1024-bit RSA key marshaled using PKCS #8.
	RSA_1024_PKCS8 KeyFormat = RSA_1024 | PKCS8
	// 2048-bit RSA key marshaled using PKCS #8.
	RSA_2048_PKCS8 KeyFormat = RSA_2048 | PKCS8
	// 3072-bit RSA key marshaled using PKCS #8.
	RSA_3072_PKCS8 KeyFormat = RSA_3072 | PKCS8
	// 4096-bit RSA key marshaled using PKCS #8.
	RSA_4096_PKCS8 KeyFormat = RSA_4096 | PKCS8
	// ECDSA key using NIST P-224 marshaled using SEC 1.
	ECDSA_P224_SEC1 KeyFormat = ECDSA_P224 | SEC1
	// ECDSA key using NIST P-256 marshaled using SEC 1.
	ECDSA_P256_SEC1 KeyFormat = ECDSA_P256 | SEC1
	// ECDSA key using NIST P-384 marshaled using SEC 1.
	ECDSA_P384_SEC1 KeyFormat = ECDSA_P384 | SEC1
	// ECDSA key using NIST P-521 marshaled using SEC 1.
	ECDSA_P521_SEC1 KeyFormat = ECDSA_P521 | SEC1
	// ECDSA key using NIST P-224 marshaled using PKCS #8.
	ECDSA_P224_PKCS8 KeyFormat = ECDSA_P224 | PKCS8
	// ECDSA key using NIST P-256 marshaled using PKCS #8.
	ECDSA_P256_PKCS8 KeyFormat = ECDSA_P256 | PKCS8
	// ECDSA key using NIST P-384 marshaled using PKCS #8.
	ECDSA_P384_PKCS8 KeyFormat = ECDSA_P384 | PKCS8
	// ECDSA key using NIST P-521 marshaled using PKCS #8.
	ECDSA_P521_PKCS8 KeyFormat = ECDSA_P521 | PKCS8
	// Ed25519 key marshaled using PKCS #8.
	ED25519_PKCS8 KeyFormat = ED25519 | PKCS8
)

Private key type and encoding combinations.

func IdentifyKey 

func IdentifyKey(key any) (KeyFormat, error)

Determine the key format for the given private key.

func IdentifyKeyP 

func IdentifyKeyP(key any) KeyFormat

Alternate version of IdentifyKey that panics on error.

func (KeyFormat) String 

func (kf KeyFormat) String() string

type Pair 

type Pair struct {
	Key  *Key
	Cert *x509.Certificate
}

Represents a generated certificate with its associated private key.

func DecodePair added in v0.1.2 

func DecodePair(data, pass []byte) (*Pair, []byte, error)

Decode a PEM-encoded certificate pair and return it alongside any unconsumed bytes.

Returns an error if the provided data does not contain either a PEM-encoded certificate, or a PEM-encoded private key followed by a certificate. If pass is not nil it will be used as a passphrase to attempt to decrypt private keys, otherwise encrypted keys will be rejected.

func DecodePairP added in v0.1.2 

func DecodePairP(data, pass []byte) (*Pair, []byte)

Alternate version of DecodePair that panics on error.

func ReadPairFile added in v0.1.2 

func ReadPairFile(name string, pass []byte) (*Pair, error)

Read and decode a PEM-encoded certificate pair key from a file.

Returns an error if the provided file does not contain either a PEM-encoded certificate, or a PEM-encoded private key followed by a certificate. If pass is not nil it will be used as a passphrase to attempt to decrypt private keys, otherwise encrypted keys will be rejected.

func ReadPairFileP added in v0.1.2 

func ReadPairFileP(name string, pass []byte) *Pair

Alternate version of ReadPairFile that panics on error.

func (*Pair) CertPool 

func (p *Pair) CertPool() *x509.CertPool

Return an x509.CertPool instance containing this certificate.

func (*Pair) Encode 

func (p *Pair) Encode(withKey bool) ([]byte, error)

Encode certificate as PEM, optionally preceded by a plain-text copy of its private key.

func (*Pair) EncodeP 

func (p *Pair) EncodeP(withKey bool) []byte

Alternate version of Encode that panics on error.

func (*Pair) Encrypt 

func (p *Pair) Encrypt(alg x509.PEMCipher, pass []byte) ([]byte, error)

Encode certificate as PEM, preceded by a passphrase-encrypted copy of its private key.

func (*Pair) EncryptP 

func (p *Pair) EncryptP(alg x509.PEMCipher, pass []byte) []byte

Alternate version of Encrypt that panics on error.

func (*Pair) SelfSigned 

func (p *Pair) SelfSigned() bool

Returns true if this certificate is self-signed.

func (*Pair) String 

func (p *Pair) String() string

Returns a string representation of this certificate pair.

func (*Pair) TLS 

func (p *Pair) TLS() *tls.Certificate

Return a tls.Certificate instance created from this certifcate pair.

func (*Pair) Write 

func (p *Pair) Write(out io.Writer, withKey bool) error

Encode certificate as PEM, optionally preceded by a plain-text copy of its private key, then write it to a stream.

func (*Pair) WriteEncrypted 

func (p *Pair) WriteEncrypted(out io.Writer, alg x509.PEMCipher, pass []byte) error

Encode certificate as PEM, preceded by a passphrase-encrypted copy of its private key, then write it to a stream.

func (*Pair) WriteEncryptedFile 

func (p *Pair) WriteEncryptedFile(name string, mode os.FileMode, alg x509.PEMCipher, pass []byte) error

Encode certificate as PEM, preceded by a passphrase-encrypted copy of its private key, then write it to a file.

func (*Pair) WriteEncryptedFileP 

func (p *Pair) WriteEncryptedFileP(name string, mode os.FileMode, alg x509.PEMCipher, pass []byte)

Alternate version of WriteEncryptedFile that panics on error.

func (*Pair) WriteEncryptedP 

func (p *Pair) WriteEncryptedP(out io.Writer, alg x509.PEMCipher, pass []byte)

Alternate version of WriteEncrypted that panics on error.

func (*Pair) WriteFile 

func (p *Pair) WriteFile(name string, mode os.FileMode, withKey bool) error

Encode certificate as PEM, optionally preceded by a plain-text copy of its private key, then write it to a file.

func (*Pair) WriteFileP 

func (p *Pair) WriteFileP(name string, mode os.FileMode, withKey bool)

Alternate version of WriteFile that panics on error.

func (*Pair) WriteP 

func (p *Pair) WriteP(out io.Writer, withKey bool)

Alternate version of Write that panics on error.

type Template 

type Template struct {
	x509.Certificate

	Key       *Key      // Private key for this certificate pair.
	KeyFormat KeyFormat // Private key format to generate for this certificate pair if Key is nil.
}

Represents an X.509 certificate pair to be generated.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.