certs

package

v0.0.0-...-147f0cf Latest Latest Go to latest Published: Oct 27, 2023 License: MIT Imports: 15 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hiveot/hub

Documentation ¶

Overview ¶

Package testenv with managing certificates for testing

Package certs with key management for clients (and server) certificates ¶

Package certs with functions to load CA and client certificates for use by the protocol binding in the Consumed Thing factory or other clients.

Index ¶

Constants
func CreateCA(cn string, validityDays int) (cert *x509.Certificate, key *ecdsa.PrivateKey, err error)
func CreateClientCert(cn string, ou string, validityDays int, pubKey *ecdsa.PublicKey, ...) (cert *x509.Certificate, err error)
func CreateECDSAKeys() (*ecdsa.PrivateKey, string)
func CreateServerCert(serverID string, ou string, validityDays int, serverPubKey *ecdsa.PublicKey, ...) (x509Cert *x509.Certificate, err error)
func LoadKeysFromPEM(pemPath string) (privateKey *ecdsa.PrivateKey, err error)
func LoadPublicKeyFromPEM(pemPath string) (publicKey *ecdsa.PublicKey, err error)
func LoadTLSCertFromPEM(certPEMPath, keyPEMPath string) (cert *tls.Certificate, err error)
func LoadX509CertFromPEM(pemPath string) (cert *x509.Certificate, err error)
func PrivateKeyFromPEM(pemEncodedKey string) (privateKey *ecdsa.PrivateKey, err error)
func PrivateKeyToPEM(privateKey interface{}) (string, error)
func PublicKeyFromCert(cert *x509.Certificate) *ecdsa.PublicKey
func PublicKeyFromPEM(pemEncodedPub string) (publicKey *ecdsa.PublicKey, err error)
func PublicKeyToPEM(publicKey interface{}) (string, error)
func SaveKeysToPEM(privateKey interface{}, pemPath string) error
func SavePublicKeyToPEM(pubKey interface{}, pemPath string) error
func SaveTLSCertToPEM(cert *tls.Certificate, certPEMPath, keyPEMPath string) error
func SaveX509CertToPEM(cert *x509.Certificate, pemPath string) error
func VerifyCert(certPEM string, caCert *x509.Certificate) (string, error)
func X509CertFromPEM(certPEM string) (*x509.Certificate, error)
func X509CertToPEM(cert *x509.Certificate) string
func X509CertToTLS(cert *x509.Certificate, privKey *ecdsa.PrivateKey) *tls.Certificate
type TestCertBundle
- func CreateTestCertBundle() TestCertBundle

Constants ¶

View Source

const (
	//OUAdmin lets a client approve thing provisioning (postOOB), add and remove users
	// Provision API permissions: GetDirectory, ProvisionRequest, GetStatus, PostOOB
	OUAdmin = "admin"

	// OUNone is the default OU with no API access permissions
	OUNone = "unauth"

	// OUUser for consumers with mutual authentication
	OUUser = "user"

	// OUIoTDevice for IoT devices with mutual authentication
	OUIoTDevice = "device"

	// OUService for Hub services with mutual authentication
	// By default, services have access to other services
	// Provision API permissions: Any
	OUService = "service"
)

Certificate Organization Unit for client certificate based authorization

View Source

const CertOrgLocality = "HiveOT zone"

View Source

const CertOrgName = "HiveOT"

View Source

const DefaultCaCertFile = "caCert.pem"

View Source

const DefaultCaKeyFile = "caKey.pem"

View Source

const DefaultClientCertValidityDays = 366

DefaultClientCertValidityDays with validity of generated service certificates

View Source

const DefaultServerCertValidityDays = 100

DefaultServerCertValidityDays with validity of generated service certificates

View Source

const ServerAddress = "127.0.0.1"

View Source

const TestClientID = "client1"

View Source

const TestServerID = "server1"

Variables ¶

This section is empty.

Functions ¶

func CreateCA ¶

func CreateCA(cn string, validityDays int) (cert *x509.Certificate, key *ecdsa.PrivateKey, err error)

CreateCA creates a CA certificate with private key for self-signed server certificates Source: https://shaneutt.com/blog/golang-ca-and-signed-cert-go/

func CreateClientCert ¶

func CreateClientCert(cn string, ou string, validityDays int, pubKey *ecdsa.PublicKey,
	caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (cert *x509.Certificate, err error)

CreateClientCert generates a x509 client certificate with keys, signed by the CA intended for testing, not for production

cn is the certificate common name, usually the client ID
ou the organization.
pubKey is the owner public key for this certificate
caCert and caKey is the signing CA
validityDays

func CreateECDSAKeys ¶

func CreateECDSAKeys() (*ecdsa.PrivateKey, string)

CreateECDSAKeys creates a asymmetric key set. This returns the private key and a base64 encoded public key string.

func CreateServerCert ¶

func CreateServerCert(
	serverID string, ou string, validityDays int,
	serverPubKey *ecdsa.PublicKey, names []string,
	caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (
	x509Cert *x509.Certificate, err error)

CreateServerCert create a server certificate, signed by the given CA, for use in hiveot services.

The provided x509 certificate can be converted to a PEM text with:

  certPEM = certs.X509CertToPEM(cert)

* serviceID is the unique service ID used as the CN. for example hostname-serviceName
* ou is the organizational unit of the certificate
* validityDays is the duration the cert is valid for. Use 0 for default.
* serverPubKey is the server's public key
* names are the SAN names to include with the certificate, localhost and 127.0.0.1 are always added
* caCert is the CA certificate used to sign the certificate
* caKey is the CA private key used to sign certificate

func LoadKeysFromPEM ¶

func LoadKeysFromPEM(pemPath string) (privateKey *ecdsa.PrivateKey, err error)

LoadKeysFromPEM loads ECDSA public/private key pair from PEM file

func LoadPublicKeyFromPEM ¶

func LoadPublicKeyFromPEM(pemPath string) (publicKey *ecdsa.PublicKey, err error)

LoadPublicKeyFromPEM loads ECDSA public key from file

func LoadTLSCertFromPEM ¶

func LoadTLSCertFromPEM(certPEMPath, keyPEMPath string) (cert *tls.Certificate, err error)

LoadTLSCertFromPEM loads the TLS certificate from PEM formatted file. TLS certificates are a container for both X509 certificate and private key.

Intended to load the certificate and key for servers, or for clients such as IoT devices that use client certificate authentication. The idprov service issues this type of certificate during IoT device provisioning.

This is simply a wrapper around tls.LoadX509KeyPair. See also SaveTLSCertToPEM.

If loading fails, this returns nil as certificate pointer

func LoadX509CertFromPEM ¶

func LoadX509CertFromPEM(pemPath string) (cert *x509.Certificate, err error)

LoadX509CertFromPEM loads the x509 certificate from a PEM file format.

Intended to load the CA certificate to validate server and broker.

pemPath is the full path to the X509 PEM file.

func PrivateKeyFromPEM ¶

func PrivateKeyFromPEM(pemEncodedKey string) (privateKey *ecdsa.PrivateKey, err error)

PrivateKeyFromPEM converts a PEM encoded private key into a ECDSA private key object Intended to decode the public key portion of a certificate. This can be used to encrypt messages to the certificate holder.

func PrivateKeyToPEM ¶

func PrivateKeyToPEM(privateKey interface{}) (string, error)

PrivateKeyToPEM converts the private/public key set to PEM formatted string. Returns error in case the private key is invalid

func PublicKeyFromCert ¶

func PublicKeyFromCert(cert *x509.Certificate) *ecdsa.PublicKey

PublicKeyFromCert extracts an ECDSA public key from x509 certificate Returns nil if certificate doesn't hold a ECDSA public key

func PublicKeyFromPEM ¶

func PublicKeyFromPEM(pemEncodedPub string) (publicKey *ecdsa.PublicKey, err error)

PublicKeyFromPEM converts a PEM encoded public key into a ECDSA or RSA public key object Intended to decode the public key portion of a certificate. This can be used to encrypt messages to the certificate holder.

func PublicKeyToPEM ¶

func PublicKeyToPEM(publicKey interface{}) (string, error)

PublicKeyToPEM converts a public key into PEM encoded format. Intended to send someone the public key in a transmissible format. See also PublicKeyFromPem for its counterpart

publicKey is the *rsa.PublicKey, *ecdsa.PublicKey or edd25519.PublicKey

func SaveKeysToPEM ¶

func SaveKeysToPEM(privateKey interface{}, pemPath string) error

SaveKeysToPEM saves the private/public key set to file in PEM format. The file permissions are set to 0600, current user only, read-write permissions.

privateKey is the *rsa.PrivateKey, *ecdsa.PrivateKey, or *edd25519.PrivateKey
Returns error in case the key is invalid or file cannot be written.

func SavePublicKeyToPEM ¶

func SavePublicKeyToPEM(pubKey interface{}, pemPath string) error

SavePublicKeyToPEM saves the public key to file in PEM format. The file permissions are set to 0644, current user can write, rest can read.

publicKey is the *rsa.PublicKey, *ecdsa.PublicKey or edd25519.PublicKey
Returns error in case the public key is invalid or file cannot be written.

func SaveTLSCertToPEM ¶

func SaveTLSCertToPEM(cert *tls.Certificate, certPEMPath, keyPEMPath string) error

SaveTLSCertToPEM saves the x509 certificate and private key to separate files in PEM format

Intended for saving a certificate received from provisioning or created for testing.

cert is the obtained TLS certificate whose parts to save
certPEMPath the file to save the X509 certificate to in PEM format
keyPEMPath the file to save the private key to in PEM format

func SaveX509CertToPEM ¶

func SaveX509CertToPEM(cert *x509.Certificate, pemPath string) error

SaveX509CertToPEM saves the x509 certificate to file in PEM format. Clients that receive a client certificate from provisioning can use this to save the provided certificate to file.

func VerifyCert ¶

func VerifyCert(certPEM string, caCert *x509.Certificate) (string, error)

VerifyCert verifies whether the given certificate is a valid client certificate This returns the certificate CN as the clientID

func X509CertFromPEM ¶

func X509CertFromPEM(certPEM string) (*x509.Certificate, error)

X509CertFromPEM converts a X509 certificate in PEM format to an X509 instance

func X509CertToPEM ¶

func X509CertToPEM(cert *x509.Certificate) string

X509CertToPEM converts the x509 certificate to PEM format

func X509CertToTLS ¶

func X509CertToTLS(cert *x509.Certificate, privKey *ecdsa.PrivateKey) *tls.Certificate

X509CertToTLS combines a x509 certificate and private key into a TLS certificate

Types ¶

type TestCertBundle ¶

type TestCertBundle struct {
	CaCert *x509.Certificate
	CaKey  *ecdsa.PrivateKey

	// server certificate
	ServerKey  *ecdsa.PrivateKey
	ServerCert *tls.Certificate

	// client cert auth
	ClientKey  *ecdsa.PrivateKey
	ClientCert *tls.Certificate
}

TestCertBundle creates a set of CA, server and client certificates intended for testing

func CreateTestCertBundle ¶

func CreateTestCertBundle() TestCertBundle

CreateTestCertBundle creates a bundle of ca, server certificates and keys for testing. The server cert is valid for the 127.0.0.1, localhost and os.hostname.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL