Documentation ¶
Overview ¶
netcommon is a suite of common utilities that are used throughout the ecosystem. It mainly handles key and certificate parsing, storage, and marshalling, but has some extra functionality that has been needed by both the clients and the servers.
Index ¶
- Constants
- func ComputeHashSHA256(data []byte) []byte
- func DeferrableClose(file *os.File)
- func GenerateDummyCert(domains []string) (*tls.Certificate, error)
- func GenerateDummyPairECDSA(domains []string) (*tls.Certificate, *ecdsa.PrivateKey, error)
- func GenerateDummyPairEd25519(domains []string) (*tls.Certificate, *ed25519.PrivateKey, error)
- func GenerateDummyPairRSA(domains []string) (*tls.Certificate, *rsa.PrivateKey, error)
- func GetWildcardIssuer(domain string) string
- func LoadCertFromPath(path string) (*x509.Certificate, error)
- func LoadKeyPair(certPath, keyPath string) (*tls.Certificate, error)
- func LoadTLSCertFromPath(path string) (*tls.Certificate, error)
- func MarshalCertToPEM(out io.Writer, cert *x509.Certificate) error
- func MarshalPrivateKeyToPEM(out io.Writer, alg x509.PublicKeyAlgorithm, priv any) error
- func NewCertPool(certs []string) (*x509.CertPool, error)
- func ReadBytes(in io.Reader) ([]byte, error)
- func ReadCAPath(path string, certPool *x509.CertPool) error
- func ReadPem(in io.Reader) (*pem.Block, error)
- func ReadPemWithRest(in io.Reader) (*pem.Block, []byte, error)
- func SaveCert(certPath string, cert *x509.Certificate) error
- func SaveECDSAKey(keypath string, priv *ecdsa.PrivateKey) error
- func SaveECDSAPublicKey(path string, key *ecdsa.PublicKey) error
- func SaveTLSCert(certPath, keypath string, cert *tls.Certificate) error
- func UnmarshalPEMToCert(in io.Reader) (*x509.Certificate, error)
- func UnmarshalPEMToPrivateKey(in io.Reader) (*crypto.PrivateKey, error)
- func UnmarshalPEMToTLSCert(in io.Reader) (*tls.Certificate, error)
- func Verify(pub crypto.PublicKey, alg x509.PublicKeyAlgorithm, hashFunc crypto.Hash, ...) error
- func WritePem(out io.Writer, blockType string, data []byte) error
- type InvalidCAPathError
- type InvalidSignatureError
- type RemotePrivateKey
- type RemoteProofFunc
- type SigType
- type UnknownSigTypeError
- Bugs
Constants ¶
const PEMHeaderCertificate = "CERTIFICATE"
const PEMHeaderDefaultPriv = "PRIVATE KEY"
const PEMHeaderECDSAPriv = "EC PRIVATE KEY"
const PEMHeaderECDSAPub = "PUBLIC KEY"
const PEMHeaderEd25519Priv = "ED25519 PRIVATE KEY"
const PEMHeaderEd25519Pub = "PUBLIC KEY"
const PEMHeaderPub = "PUBLIC KEY"
const PEMHeaderRSAPriv = "RSA PRIVATE KEY"
const PEMHeaderRSAPub = "PUBLIC KEY"
Variables ¶
This section is empty.
Functions ¶
func ComputeHashSHA256 ¶
func ComputeHashSHA256(data []byte) []byte
ComputeHashSHA256 is a helper function that returns the SHA256 hash of the given input as a byte slice.
func DeferrableClose ¶ added in v0.0.4
func DeferrableClose(file *os.File)
DeferrableClose is a wrapper that closes a file, catching any error returned by Close and logging it.
func GenerateDummyCert ¶
func GenerateDummyCert(domains []string) (*tls.Certificate, error)
GenerateDummyCert generates a dummy self-signed *tls.Certificate for a given list of domains, interpreted as SAN records. The certificate it generates will be using ECDSA. It does _not_ return the private key.
func GenerateDummyPairECDSA ¶
func GenerateDummyPairECDSA(domains []string) (*tls.Certificate, *ecdsa.PrivateKey, error)
GenerateDummyPairECDSA generates a dummy self-signed *tls.Certificate for a given list of domains, interpreted as SAN records. It returns the certificate, the private key, and any error that occurred.
func GenerateDummyPairEd25519 ¶ added in v0.0.3
func GenerateDummyPairEd25519(domains []string) (*tls.Certificate, *ed25519.PrivateKey, error)
GenerateDummyPairEd25519 generates a dummy self-signed *tls.Certificate for a given list of domains, interpreted as SAN records. It returns the certificate, the private key, and any error that occurred.
func GenerateDummyPairRSA ¶
func GenerateDummyPairRSA(domains []string) (*tls.Certificate, *rsa.PrivateKey, error)
GenerateDummyPairRSA generates a dummy self-signed *tls.Certificate for a given list of domains, interpreted as SAN records. It returns the certificate, the private key, and any error that occurred.
func GetWildcardIssuer ¶
func GetWildcardIssuer(domain string) string
GetWildcardIssuer returns the string representation of a potential wildcard issuer for a given domain. Note that this stops at top-level domains and will not, for example, return *.com for the input example.com. It uses a regex internally.
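The label-counting behaviour described above, as an added example that is not the netcommon package's own code: a regex that only yields a wildcard name when at least two labels remain after stripping the first one. Returning "" when no wildcard issuer exists is an assumption of this example; the page does not say what GetWildcardIssuer returns in that case.

```go
package main

import (
	"fmt"
	"regexp"
)

// wildcardIssuerRe matches a name with at least three labels and captures
// everything after the first one. Requiring at least two labels in the
// capture is what stops "example.com" from producing "*.com".
var wildcardIssuerRe = regexp.MustCompile(`^[^.]+\.([^.]+(?:\.[^.]+)+)$`)

// WildcardIssuer returns the wildcard name whose scope would cover domain,
// or "" when the only candidate parent is a bare top-level domain (the
// empty-string convention is an assumption of this example).
func WildcardIssuer(domain string) string {
	m := wildcardIssuerRe.FindStringSubmatch(domain)
	if m == nil {
		return ""
	}
	return "*." + m[1]
}

func main() {
	// Constructed inputs; the last one exercises the two-level TLD limitation
	// recorded in the Bugs section.
	for _, d := range []string{"api.example.com", "example.com", "www.example.co.uk", "example.co.uk"} {
		fmt.Printf("%-20s -> %q\n", d, WildcardIssuer(d))
	}
}
```

The last input shows why the Bugs note matters: example.co.uk yields *.co.uk, a name that would cover every registrant under .co.uk and that no public CA issues. A label count has no notion of public suffixes; a version that handles two-level TLDs would have to consult a public suffix list (golang.org/x/net/publicsuffix) instead of counting labels.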
func LoadCertFromPath ¶
func LoadCertFromPath(path string) (*x509.Certificate, error)
LoadCertFromPath reads an x509 certificate from a given path.
func LoadKeyPair ¶
func LoadKeyPair(certPath, keyPath string) (*tls.Certificate, error)
LoadKeyPair loads a private key and certificate from a given path into a *tls.Certificate struct.
func LoadTLSCertFromPath ¶
func LoadTLSCertFromPath(path string) (*tls.Certificate, error)
LoadTLSCertFromPath creates a *tls.Certificate struct from the file at the given path.
func MarshalCertToPEM ¶ added in v0.0.3
func MarshalCertToPEM(out io.Writer, cert *x509.Certificate) error
MarshalCertToPEM creates a PEM block from a given certificate, and writes it to the specified io.Writer.
func MarshalPrivateKeyToPEM ¶
func MarshalPrivateKeyToPEM(out io.Writer, alg x509.PublicKeyAlgorithm, priv any) error
MarshalPrivateKeyToPEM creates a PEM block from a given private key, using the specified algorithm, and writes it to the specified io.Writer. It returns any error encountered during the process. Note that this function uses x509.MarshalPKCS8PrivateKey, and therefore outputs keys in PKCS8 format.
func NewCertPool ¶
func NewCertPool(certs []string) (*x509.CertPool, error)
NewCertPool creates an *x509.CertPool from the specified list of certificates. This is useful for native Go x509 certificate validation, as a pool can be used to efficiently check whether a certificate is valid.
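How a dummy SAN certificate and a certificate pool fit together, as an added example that is not the netcommon package's own code: a self-signed ECDSA certificate built the way the page describes GenerateDummyCert (SAN entries from the domain list, private key discarded), loaded into a pool from PEM, and then checked with the standard library's chain verification. The helper names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert stands in for GenerateDummyCert (assumed, not the package's
// code): an ECDSA P-256 self-signed certificate whose SAN entries are domains.
func newSelfSignedCert(domains []string) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: domains[0]},
		DNSNames:              domains, // hostname checks use the SANs, not the CN
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // the private key goes out of scope here
}

// certToPEM encodes a certificate as a "CERTIFICATE" block.
func certToPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// newCertPoolFromPEM builds a pool from PEM-encoded certificates.
// AppendCertsFromPEM silently skips input it cannot parse, so its boolean is
// checked: unparsable input is an error, not a quietly empty pool.
func newCertPoolFromPEM(pems [][]byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for i, p := range pems {
		if !pool.AppendCertsFromPEM(p) {
			return nil, fmt.Errorf("certificate %d: no parsable CERTIFICATE block", i)
		}
	}
	return pool, nil
}

// verifyForHost builds a chain to pool and checks that host is covered by the
// leaf's SAN entries.
func verifyForHost(cert *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// demo returns the results for a name on the certificate, a name that is not,
// and the same certificate checked against an empty pool.
func demo() (onCert, offCert, untrusted error) {
	cert, err := newSelfSignedCert([]string{"api.example.test", "www.example.test"})
	if err != nil {
		return err, err, err
	}
	pool, err := newCertPoolFromPEM([][]byte{certToPEM(cert)})
	if err != nil {
		return err, err, err
	}
	onCert = verifyForHost(cert, pool, "api.example.test")
	offCert = verifyForHost(cert, pool, "other.example.test")
	untrusted = verifyForHost(cert, x509.NewCertPool(), "api.example.test")
	return onCert, offCert, untrusted
}

func main() {
	a, b, c := demo()
	fmt.Println("SAN match:", a, "\nSAN mismatch:", b, "\nempty pool:", c)
}
```

Passing an explicit, empty pool as Roots is deliberate: a nil Roots would fall back to the system trust store, which is rarely what a test fixture or a private PKI wants.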
func ReadBytes ¶
func ReadBytes(in io.Reader) ([]byte, error)
ReadBytes reads all bytes from an io.Reader. It is a helper function used elsewhere to reduce code duplication.
func ReadCAPath ¶
func ReadCAPath(path string, certPool *x509.CertPool) error
ReadCAPath reads a CA from a given path, and adds it to the given certificate pool.
func ReadPem ¶
func ReadPem(in io.Reader) (*pem.Block, error)
ReadPem reads a PEM block from an io.Reader, and returns the decoded data. It will discard any remaining data after reading the first PEM block.
func ReadPemWithRest ¶
func ReadPemWithRest(in io.Reader) (*pem.Block, []byte, error)
ReadPemWithRest reads a PEM block from an io.Reader, and returns the decoded data, and any remaining data.
func SaveCert ¶
func SaveCert(certPath string, cert *x509.Certificate) error
SaveCert saves the certificate to the given path. It returns any error encountered during processing.
func SaveECDSAKey ¶
func SaveECDSAKey(keypath string, priv *ecdsa.PrivateKey) error
SaveECDSAKey saves the ECDSA private key to the given path. It returns any error encountered during processing.
func SaveECDSAPublicKey ¶
func SaveECDSAPublicKey(path string, key *ecdsa.PublicKey) error
SaveECDSAPublicKey saves the ECDSA public key to the given path. It returns any error encountered during processing.
func SaveTLSCert ¶
func SaveTLSCert(certPath, keypath string, cert *tls.Certificate) error
SaveTLSCert saves the *tls.Certificate and private key to the given paths. It returns any error encountered during processing.
func UnmarshalPEMToCert ¶
func UnmarshalPEMToCert(in io.Reader) (*x509.Certificate, error)
UnmarshalPEMToCert will read from the specified io.Reader, and attempt to unmarshal the data into a certificate. It will return any error encountered during processing, alongside the *x509.Certificate struct.
func UnmarshalPEMToPrivateKey ¶
func UnmarshalPEMToPrivateKey(in io.Reader) (*crypto.PrivateKey, error)
UnmarshalPEMToPrivateKey reads from the specified io.Reader, and attempts to unmarshal the data into a private key. It will return any error it encounters during processing, alongside the *crypto.PrivateKey object. Note: This function uses x509.ParsePKCS8PrivateKey internally, so any private key read from the io.Reader must be in PKCS8 format.
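The PEM round trip that MarshalPrivateKeyToPEM, ReadPemWithRest and UnmarshalPEMToPrivateKey describe, as an added example that is not the netcommon package's own code. It writes a key as a PKCS8 "PRIVATE KEY" block, reads the first block back together with the trailing data, and shows the format caveat from the note above: the same key in SEC1 "EC PRIVATE KEY" form is rejected by the PKCS8 parser. The helper names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
)

const pemHeaderDefaultPriv = "PRIVATE KEY" // PKCS#8 block type, as PEMHeaderDefaultPriv on the page

// readPEMWithRest decodes the first PEM block from in and returns what follows it.
func readPEMWithRest(in io.Reader) (*pem.Block, []byte, error) {
	data, err := io.ReadAll(in)
	if err != nil {
		return nil, nil, err
	}
	block, rest := pem.Decode(data)
	if block == nil {
		return nil, rest, fmt.Errorf("no PEM block found")
	}
	return block, rest, nil
}

// marshalPKCS8ToPEM writes priv as an unencrypted PKCS#8 "PRIVATE KEY" block.
func marshalPKCS8ToPEM(out io.Writer, priv any) error {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return err
	}
	return pem.Encode(out, &pem.Block{Type: pemHeaderDefaultPriv, Bytes: der})
}

// unmarshalPEMToPrivateKey parses the first block as PKCS#8. The block type is
// included in the error so a caller handed a SEC1 "EC PRIVATE KEY" or PKCS#1
// "RSA PRIVATE KEY" file can tell a format problem from a corrupt key.
func unmarshalPEMToPrivateKey(in io.Reader) (any, error) {
	block, _, err := readPEMWithRest(in)
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing %q block as PKCS#8: %w", block.Type, err)
	}
	return key, nil
}

// roundTrip writes a fresh P-256 key as PKCS#8 PEM followed by a second,
// constructed block, reads the key back, and reports whether it survived and
// how many bytes of trailing data a ReadPemWithRest-style caller receives.
func roundTrip() (keyMatches bool, restLen int, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, 0, err
	}
	var buf bytes.Buffer
	if err := marshalPKCS8ToPEM(&buf, priv); err != nil {
		return false, 0, err
	}
	// Constructed trailing block, standing in for a certificate sharing the file.
	if err := pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: []byte{0x30, 0x00}}); err != nil {
		return false, 0, err
	}
	_, rest, err := readPEMWithRest(bytes.NewReader(buf.Bytes()))
	if err != nil {
		return false, 0, err
	}
	got, err := unmarshalPEMToPrivateKey(bytes.NewReader(buf.Bytes()))
	if err != nil {
		return false, 0, err
	}
	return got.(*ecdsa.PrivateKey).Equal(priv), len(rest), nil
}

// sec1Rejected shows the format caveat: the same key in SEC1 "EC PRIVATE KEY"
// form is not PKCS#8, so the PKCS#8 path refuses it.
func sec1Rejected() bool {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return false
	}
	var buf bytes.Buffer
	pem.Encode(&buf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	_, err = unmarshalPEMToPrivateKey(&buf)
	return err != nil
}
```

The practical consequence is that a key produced by a tool that emits SEC1 or PKCS#1 blocks must be converted to PKCS8 before this package can read it; the block type in the error message is what tells you that is the problem.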
func UnmarshalPEMToTLSCert ¶
func UnmarshalPEMToTLSCert(in io.Reader) (*tls.Certificate, error)
UnmarshalPEMToTLSCert will read from the io.Reader, and attempt to unmarshal the data into a *tls.Certificate. It will return any error it encounters during processing.
func Verify ¶
func Verify(pub crypto.PublicKey, alg x509.PublicKeyAlgorithm, hashFunc crypto.Hash, sigType SigType, challenge []byte, signed []byte) error
Verify verifies that a given challenge matches a given signature. It returns any error encountered during processing. A nil error means the verification was successful.
Types ¶
type InvalidCAPathError ¶
type InvalidCAPathError struct {
// contains filtered or unexported fields
}
InvalidCAPathError is an error that is returned when the CA path is invalid.
func (*InvalidCAPathError) Error ¶
func (e *InvalidCAPathError) Error() string
Error returns the string representation of an InvalidCAPathError struct.
type InvalidSignatureError ¶
type InvalidSignatureError struct{}
InvalidSignatureError is an error that is returned when the signature is invalid.
func (*InvalidSignatureError) Error ¶
func (e *InvalidSignatureError) Error() string
Error returns the string representation of an InvalidSignatureError struct.
type RemotePrivateKey ¶
type RemotePrivateKey struct {
	// Domain is the domain for which this RemotePrivateKey is associated.
	Domain string
	crypto.Signer
	// RemoteProofFunc is the function that is called whenever it is asked to sign a challenge.
	RemoteProofFunc RemoteProofFunc
	// PublicKey is the public key associated with the private key stored in the NKS
	PublicKey crypto.PublicKey
	// RemoteCert is an x509.Certificate that contains the public key associated with the private key stored in the NKS
	RemoteCert *x509.Certificate
	// RemoteTLSCert is a tls.Certificate that contains the public key associated with the private key stored in the NKS. It does _not_ contain the private key,
	// and as such, cannot be used to sign challenges.
	RemoteTLSCert *tls.Certificate
	// SigType is the type of signature used to sign a challenge. It is used over the wire to identify the type of signature required for the NKS.
	SigType SigType
}
RemotePrivateKey is a wrapper around a crypto.Signer, which enables the private key to be stored on a remote server, and never accessed by the application that stores the RemotePrivateKey struct, while still allowing signature operations to take place.
func (RemotePrivateKey) Public ¶
func (k RemotePrivateKey) Public() crypto.PublicKey
Public gets the public key associated with a RemotePrivateKey.
func (RemotePrivateKey) Sign ¶
func (k RemotePrivateKey) Sign(rand io.Reader, data []byte, opts crypto.SignerOpts) ([]byte, error)
Sign signs the given data with the private key on the NKS server. It returns the signature, and any error that occurred. It calls the RemoteProofFunc function internally.
type RemoteProofFunc ¶
RemoteProofFunc is a function that performs a proof on a remote server, with the given parameters. It returns the proof, and any error encountered.
type SigType ¶
type SigType uint8
SigType is the type of signature used to sign a challenge. It is used over the wire to identify the type of signature required for the NKS.
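The Verify, RemotePrivateKey, RemoteProofFunc and SigType entries above describe one flow: a crypto.Signer that holds no key material and delegates to a proof function, and a verifier that dispatches on the wire-level signature type. Below is an added example of that flow that is not the netcommon package's own code. The RemoteProofFunc signature, the SigType value, and the in-process closure that stands in for the NKS are all assumptions of this example; only the ECDSA branch is shown.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"io"
)

// SigType is the wire tag for the signature kind; the value below is assumed.
type SigType uint8

const SigECDSA SigType = 1

type UnknownSigTypeError struct{ SigType SigType }

func (e *UnknownSigTypeError) Error() string { return fmt.Sprintf("unknown signature type %d", e.SigType) }

type InvalidSignatureError struct{}

func (*InvalidSignatureError) Error() string { return "invalid signature" }

// RemoteProofFunc stands in for the round trip to the key server (its
// signature is assumed): it receives what Sign was given and returns the proof.
type RemoteProofFunc func(domain string, sigType SigType, data []byte) ([]byte, error)

// RemotePrivateKey holds no key material; Sign delegates to RemoteProofFunc.
type RemotePrivateKey struct {
	Domain          string
	PublicKey       crypto.PublicKey
	SigType         SigType
	RemoteProofFunc RemoteProofFunc
}

func (k RemotePrivateKey) Public() crypto.PublicKey { return k.PublicKey }

// Sign follows the crypto.Signer contract: for ECDSA, data is already a digest.
func (k RemotePrivateKey) Sign(_ io.Reader, data []byte, _ crypto.SignerOpts) ([]byte, error) {
	return k.RemoteProofFunc(k.Domain, k.SigType, data)
}

// Verify checks signed against challenge. The declared algorithm must agree
// with the concrete key type, and an unknown SigType is rejected outright
// rather than falling back to some default.
func Verify(pub crypto.PublicKey, alg x509.PublicKeyAlgorithm, hashFunc crypto.Hash, sigType SigType, challenge, signed []byte) error {
	switch sigType {
	case SigECDSA:
		pk, ok := pub.(*ecdsa.PublicKey)
		if !ok || alg != x509.ECDSA {
			return fmt.Errorf("public key %T does not match declared algorithm %v", pub, alg)
		}
		h := hashFunc.New()
		h.Write(challenge)
		if !ecdsa.VerifyASN1(pk, h.Sum(nil), signed) {
			return &InvalidSignatureError{}
		}
		return nil
	default:
		return &UnknownSigTypeError{SigType: sigType}
	}
}

// newKeyServer is an in-process stand-in for the NKS: the P-256 private key
// never leaves this closure; only the public half is handed back.
func newKeyServer() (RemoteProofFunc, crypto.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	proof := func(_ string, st SigType, digest []byte) ([]byte, error) {
		if st != SigECDSA {
			return nil, &UnknownSigTypeError{SigType: st}
		}
		return ecdsa.SignASN1(rand.Reader, priv, digest)
	}
	return proof, &priv.PublicKey, nil
}

// signAndVerify sends a constructed challenge through a RemotePrivateKey and
// back through Verify, returning the result for the genuine challenge and for
// a tampered one.
func signAndVerify(challenge []byte) (genuine, tampered error) {
	proof, pub, err := newKeyServer()
	if err != nil {
		return err, err
	}
	k := RemotePrivateKey{Domain: "example.test", PublicKey: pub, SigType: SigECDSA, RemoteProofFunc: proof}
	digest := sha256.Sum256(challenge)
	sig, err := k.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return err, err
	}
	genuine = Verify(k.Public(), x509.ECDSA, crypto.SHA256, SigECDSA, challenge, sig)
	tampered = Verify(k.Public(), x509.ECDSA, crypto.SHA256, SigECDSA, append([]byte("x"), challenge...), sig)
	return genuine, tampered
}
```

The two checks in Verify are the ones worth keeping when the real key server is on the other end of a network: the SigType and the public key algorithm both come over the wire, so neither is trusted on its own, and a type the verifier does not know is an error rather than a fall-through.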
type UnknownSigTypeError ¶
type UnknownSigTypeError struct {
SigType SigType
}
UnknownSigTypeError is an error that is returned when the signature type is unknown.
func (*UnknownSigTypeError) Error ¶
func (e *UnknownSigTypeError) Error() string
Error returns the string representation of an UnknownSigTypeError struct.
Notes ¶
Bugs ¶
This will not function for two-level TLDs, such as .co.uk.