tglib

package
v1.50.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 18, 2023 License: Apache-2.0 Imports: 19 Imported by: 11

Documentation

Overview

Package tglib contains various helpers to deal with crypto. It entirely rely on standard go crypto libraries.

Index

Constants

View Source 
const (
	// URIScheme is the URI scheme for Spiffe identities.
	URIScheme string = "spiffe"
)

Variables

This section is empty.

Functions

func BuildCertificatesMaps 

func BuildCertificatesMaps(certs []tls.Certificate) (map[string]tls.Certificate, map[string]tls.Certificate, error)

BuildCertificatesMaps returns to maps to get what certificate to use for which DNS or IPs. This can be used in a custom tls.Config.GetCertificate function.

func BuildSANExtension 

func BuildSANExtension(identites []Identity) (*pkix.Extension, error)

BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.

func BuildSubjectAltNameExtension 

func BuildSubjectAltNameExtension(hosts []string) (*pkix.Extension, error)

BuildSubjectAltNameExtension builds the SAN extension for the certificate.

func CSRFromCertificate 

func CSRFromCertificate(cert *x509.Certificate) *x509.CertificateRequest

CSRFromCertificate generates a new CSR from the given certificate

func CertToPEM 

func CertToPEM(cert *x509.Certificate) (*pem.Block, error)

CertToPEM converts the given *x509.Certificate to *pem.Block .

func DecryptPrivateKey 

func DecryptPrivateKey(keyBlock *pem.Block, password string) (*pem.Block, error)

DecryptPrivateKey decrypts the given private key

func DecryptPrivateKeyPEM 

func DecryptPrivateKeyPEM(key []byte, password string) (*pem.Block, error)

DecryptPrivateKeyPEM decrypts the given private key PEM bytes

func ECPrivateKeyGenerator 

func ECPrivateKeyGenerator() (crypto.PrivateKey, error)

ECPrivateKeyGenerator generates a ECDSA private key.

func EncryptPrivateKey 

func EncryptPrivateKey(keyBlock *pem.Block, password string) (*pem.Block, error)

EncryptPrivateKey encrypts the given private key

func EncryptPrivateKeyPEM 

func EncryptPrivateKeyPEM(key []byte, password string) (*pem.Block, error)

EncryptPrivateKeyPEM encrypts the given private key PEM bytes

func ExtractIDs 

func ExtractIDs(exts []pkix.Extension) (map[string]struct{}, error)

ExtractIDs first finds the SAN extension from the given extension set, then extract identities from the SAN extension.

func ExtractSANExtension 

func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension

ExtractSANExtension extracts the "Subject Alternative Name" externsion from the given PKIX extension set.

func GenerateBase64PKCS12 

func GenerateBase64PKCS12(cert []byte, key []byte, ca []byte, passphrase string) (string, error)

GenerateBase64PKCS12 generates a full PKCS certificate based on the input keys.

func GenerateCSR 

func GenerateCSR(csr *x509.CertificateRequest, privateKey crypto.PrivateKey) ([]byte, error)

GenerateCSR generate a CSR using the given parameters.

func GenerateCSRwithSANs 

func GenerateCSRwithSANs(orgs []string, units []string, commonName string, sans []string, privateKey crypto.PrivateKey) ([]byte, error)

GenerateCSRwithSANs generates a SPIFFE certificate CSR.

func GeneratePKCS12 

func GeneratePKCS12(cert []byte, key []byte, ca []byte, passphrase string) ([]byte, error)

GeneratePKCS12 generates a pkcs12

func GeneratePKCS12FromFiles 

func GeneratePKCS12FromFiles(out, certPath, keyPath, caPath, passphrase string) error

GeneratePKCS12FromFiles generates a full PKCS certificate based on the input keys.

func GenerateSimpleCSR 

func GenerateSimpleCSR(orgs []string, units []string, commonName string, emails []string, privateKey crypto.PrivateKey) ([]byte, error)

GenerateSimpleCSR generate a CSR using the given parameters.

func Issue 

func Issue(subject pkix.Name, options ...IssueOption) (*pem.Block, *pem.Block, error)

Issue issues a new x509 certificate

func IssueCertiticate 

func IssueCertiticate(
	signingCertificate *x509.Certificate,
	signingPrivateKey crypto.PrivateKey,
	keyGen PrivateKeyGenerator,

	countries []string,
	provinces []string,
	localities []string,
	streetAddresses []string,
	postalCodes []string,
	organizations []string,
	organizationalUnits []string,
	commonName string,

	dnsNames []string,
	ipAddresses []net.IP,

	beginning time.Time,
	expiration time.Time,
	keyUsage x509.KeyUsage,
	extKeyUsage []x509.ExtKeyUsage,
	signatureAlgorithm x509.SignatureAlgorithm,
	publicKeyAlgorithm x509.PublicKeyAlgorithm,
	isCA bool,

	policies []asn1.ObjectIdentifier,

) (*pem.Block, *pem.Block, error)

IssueCertiticate issues a new Certificate eventual signed using the signingCertificate and the given keyGen.

func KeyToPEM 

func KeyToPEM(key interface{}) (*pem.Block, error)

KeyToPEM converts the given crypto.PrivateKey to *pem.Block .

func LoadCSRs 

func LoadCSRs(csrData []byte) ([]*x509.CertificateRequest, error)

LoadCSRs loads the given bytes as an array of Certificate Signing Request.

func PEMToKey 

func PEMToKey(keyBlock *pem.Block) (crypto.PrivateKey, error)

PEMToKey loads a decrypted pem block and returns a crypto.PrivateKey

func ParseCertificate 

func ParseCertificate(certPemBytes []byte) (*x509.Certificate, error)

ParseCertificate parse the given PEM bytes and returns the fist *x509.Certificate.

func ParseCertificatePEM 

func ParseCertificatePEM(path string) (*x509.Certificate, error)

ParseCertificatePEM reads the PEM certificate at the given path and returns the first *x509.Certificate found

func ParseCertificatePEMs 

func ParseCertificatePEMs(path string) ([]*x509.Certificate, error)

ParseCertificatePEMs reads the PEM certificate at the given path and returns the a []*x509.Certificate.

func ParseCertificates 

func ParseCertificates(certPemBytes []byte) ([]*x509.Certificate, error)

ParseCertificates parse the given PEM bytes and returns a []*x509.Certificate.

func RSAPrivateKeyGenerator 

func RSAPrivateKeyGenerator() (crypto.PrivateKey, error)

RSAPrivateKeyGenerator generates a RSA private key.

func ReadCertificate 

func ReadCertificate(certPemBytes []byte, keyPemBytes []byte, password string) (*x509.Certificate, crypto.PrivateKey, error)

ReadCertificate returns a the first *x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.

func ReadCertificatePEM 

func ReadCertificatePEM(certPath, keyPath, password string) (*x509.Certificate, crypto.PrivateKey, error)

ReadCertificatePEM returns a the first *x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.

func ReadCertificatePEMs 

func ReadCertificatePEMs(certPath, keyPath, password string) ([]*x509.Certificate, crypto.PrivateKey, error)

ReadCertificatePEMs returns a []*x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.

func ReadCertificates 

func ReadCertificates(certPemBytes []byte, keyPemBytes []byte, password string) ([]*x509.Certificate, crypto.PrivateKey, error)

ReadCertificates returns a []*x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.

func Sign 

func Sign(
	csr *x509.CertificateRequest,
	signingCertificate *x509.Certificate,
	signingPrivateKey crypto.PrivateKey,
	options ...IssueOption,
) (*pem.Block, string, error)

Sign signs the give CSR using the given signer certificate and key and given options.

func SignCSR 

func SignCSR(
	csr *x509.CertificateRequest,
	signingCertificate *x509.Certificate,
	signingPrivateKey crypto.PrivateKey,

	beginning time.Time,
	expiration time.Time,
	keyUsage x509.KeyUsage,
	extKeyUsage []x509.ExtKeyUsage,
	signatureAlgorithm x509.SignatureAlgorithm,
	publicKeyAlgorithm x509.PublicKeyAlgorithm,

	isCA bool,
	policies []asn1.ObjectIdentifier,
) (*pem.Block, string, error)

SignCSR will sign the given CSR with the given signing cert

func SplitChain 

func SplitChain(certData []byte) (cert *x509.Certificate, caChain []*x509.Certificate, err error)

SplitChain splits the given certificate data into the actual *x509.Certificate and a list of CA chain in a []*x509.Certificate

func SplitChainPEM 

func SplitChainPEM(certData []byte) ([]byte, []byte)

SplitChainPEM splits the given cert PEM []byte as the actual certificate and []byte as the rest of the chain.

func SystemCertPool added in v1.40.0 

func SystemCertPool() (*x509.CertPool, error)

SystemCertPool gets the system cert pool via Go libraries

func ToTLSCertificate 

func ToTLSCertificate(cert *x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)

ToTLSCertificate converts the given cert and private key to a tls.Certificate. The private key must not be encrypted.

func ToTLSCertificates 

func ToTLSCertificates(certs []*x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)

ToTLSCertificates converts the given certs and private key to a tls.Certificate. The private key must not be encrypted.

func Verify 

func Verify(signingCertPEMData []byte, certPEMData []byte, keyUsages []x509.ExtKeyUsage) error

Verify verifies the given certificate is signed by the given other certificate, and that the other certificate has the correct required key usage.

Types

type Identity 

type Identity struct {
	Type  IdentityType
	Value []byte
}

Identity is an object holding both the encoded identifier bytes as well as the type of the identity.

func ExtractIDsFromSAN 

func ExtractIDsFromSAN(sanExt *pkix.Extension) ([]Identity, error)

ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.

type IdentityType 

type IdentityType int

IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension. 

const (
	// TypeDNS represents a DNS name.
	TypeDNS IdentityType = iota
	// TypeIP represents an IP address.
	TypeIP
	// TypeURI represents a universal resource identifier.
	TypeURI
)

type IssueOption 

type IssueOption func(*issueCfg)

IssueOption represents an issuing option.

func OptIssueAlgorithmECDSA 

func OptIssueAlgorithmECDSA() IssueOption

OptIssueAlgorithmECDSA configures the certificate to use ECDSA with SHA384 P256 curve.

func OptIssueAlgorithmRSA 

func OptIssueAlgorithmRSA() IssueOption

OptIssueAlgorithmRSA configures the certificate to use 2048-bits RSA with SHA384 signature

func OptIssueDNSSANs 

func OptIssueDNSSANs(dns ...string) IssueOption

OptIssueDNSSANs the IP SANs for the certificate to be issued.

func OptIssueEmailAddresses added in v1.50.0 

func OptIssueEmailAddresses(emails []string) IssueOption

OptIssueEmailAddresses sets the email addresses for the certificates to be issued.

func OptIssueExtendedKeyUsages 

func OptIssueExtendedKeyUsages(usages ...x509.ExtKeyUsage) IssueOption

OptIssueExtendedKeyUsages manually sets the extended key usage for the certificate. It will erase any previous extended usage set by options OptIssueType*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueExtraExtensions added in v1.50.0 

func OptIssueExtraExtensions(exts []pkix.Extension) IssueOption

OptIssueExtraExtensions sets the extra pkix.Extensions to use in the certificate.

func OptIssueIPSANs 

func OptIssueIPSANs(ips ...net.IP) IssueOption

OptIssueIPSANs sets the IP SANs for the certificate to be issued.

func OptIssueKeyGenerator 

func OptIssueKeyGenerator(keyGen PrivateKeyGenerator) IssueOption

OptIssueKeyGenerator sets the private key generator to use. It will erase any previous extended usage set by options OptIssueAlgorithm*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueKeyUsage 

func OptIssueKeyUsage(usage x509.KeyUsage) IssueOption

OptIssueKeyUsage sets the key usage for the certificate. It will erase any previous usage set by options OptIssueType*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssuePolicies 

func OptIssuePolicies(policies ...asn1.ObjectIdentifier) IssueOption

OptIssuePolicies sets additional policies OIDs.

func OptIssuePublicKeyAlgorithm 

func OptIssuePublicKeyAlgorithm(alg x509.PublicKeyAlgorithm) IssueOption

OptIssuePublicKeyAlgorithm sets the signature algorithm for the public key. It will erase any previous extended usage set by options OptIssueAlgorithm*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueSerialNumber added in v1.50.0 

func OptIssueSerialNumber(sn *big.Int) IssueOption

OptIssueSerialNumber sets the serial number to use for the certificate.

func OptIssueSignatureAlgorithm 

func OptIssueSignatureAlgorithm(alg x509.SignatureAlgorithm) IssueOption

OptIssueSignatureAlgorithm sets the signature algorithm for the certificate. By default, it uses x509.ECDSA.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueSigner 

func OptIssueSigner(cert *x509.Certificate, key crypto.PrivateKey) IssueOption

OptIssueSigner sets the signer for the certificate to be issued. By default, Issue will issue a self-signed certificate.

func OptIssueSignerPEMBlock 

func OptIssueSignerPEMBlock(cert *pem.Block, key *pem.Block, password string) IssueOption

OptIssueSignerPEMBlock sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.

func OptIssueSignerPEMBytes 

func OptIssueSignerPEMBytes(cert []byte, key []byte, password string) IssueOption

OptIssueSignerPEMBytes sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.

func OptIssueTypeCA 

func OptIssueTypeCA() IssueOption

OptIssueTypeCA sets the makes the certificate to be issued to be a Certificate Authority. It automatically applies the correct key usage, unless already set by another option.

func OptIssueTypeClientAuth 

func OptIssueTypeClientAuth() IssueOption

OptIssueTypeClientAuth configures the certificate to be issued to be a client certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeCodeSigning 

func OptIssueTypeCodeSigning() IssueOption

OptIssueTypeCodeSigning configures the certificate to be issued to be a code signing certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeEmailProtection 

func OptIssueTypeEmailProtection() IssueOption

OptIssueTypeEmailProtection configures the certificate to be issued to be a email protection certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeServerAuth 

func OptIssueTypeServerAuth() IssueOption

OptIssueTypeServerAuth configures the certificate to be issued to be a server certificate. This option can be combined with other OptIssueType*.

func OptIssueValidity 

func OptIssueValidity(notBefore time.Time, notAfter time.Time) IssueOption

OptIssueValidity sets the validity of the certificate to be issued. By default, the certificate is valid from the time it has been created for 1 year.

type PrivateKeyGenerator 

type PrivateKeyGenerator func() (crypto.PrivateKey, error)

PrivateKeyGenerator is the type of function that can generate a crypto.PrivateKey.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.