pki

package module

v1.4.0 Latest Latest Go to latest Published: Aug 6, 2022 License: GPL-3.0 Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

gitlab.com/mjwhitta/pki

Links

README ¶

PKI

🍪 Buy me a cookie

What is this?

A tool to ease the headache of PKI infrastructure generation.

How to install

Open a terminal and run the following:

$ # For library usage
$ go get --ldflags "-s -w" --trimpath -u gitlab.com/mjwhitta/pki
$ # For cli usage
$ go install --ldflags "-s -w" --trimpath \
    gitlab.com/mjwhitta/pki/cmd/certify@latest

Or compile from source:

$ git clone https://gitlab.com/mjwhitta/pki.git
$ cd pki
$ git submodule update --init
$ make

Usage

Note: Regardless of how you use this Go tool, you should be aware that the certificates on disk are used as a database. Moving or removing files can lead to unintended side-effects (failure to revoke, etc...). You have been warned.

CLI

To get started with a simple PKI:

$ mkdir -p .../path/to/pki
$ certify --sample >.../path/to/pki/.cfg
$ # Modify .cfg as needed
$ certify --pki .../path/to/pki

You now have a PKI with a self-signed CA ready to go. If you would like to use your own CA (maybe an intermediate CA signed by a Trusted Root CA), now is the time to overwrite ca/ca.cert.pem and private/ca.key.pem in the PKI directory. You can delete or overwrite the DER files as well. See certify --help for what to do next.

Library

package main

import (
    "crypto/rsa"
    "crypto/x509"

    "gitlab.com/mjwhitta/pki"
)

func main() {
    var c *x509.Certificate
    var ca *x509.Certificate
    var e error
    var k *rsa.PrivateKey
    var p *pki.PKI

    // Create PKI structure
    if p, e = pki.New("/pki/root/dir", pki.NewCfg()); e != nil {
        panic(e)
    }

    // Create CA
    if ca, k, e = p.CreateCA(); e != nil {
        panic(e)
    }

    // Do stuff with your CA
    println(ca.Subject.CommonName)
    println(k.PublicKey.Size())

    // Create server Certificate
    c, k, e = p.CreateCertFor("example.com", pki.ServerCert)
    if e != nil {
        panic(e)
    }

    // Do stuff with your new Certificate
    println(c.Subject.CommonName)
    println(k.PublicKey.Size())

    // Sync the ders and pems directories for convenience
    if e = p.Sync(); e != nil {
        panic(e)
    }
}

Links

Source

TODO

Consider support for intermediary CAs

Documentation ¶

Overview ¶

Package pki provides a platform-independent means of generating PKI infrastructure. It will accept a filepath (directory) and Cfg then create a Certificate Authority (CA) for signing client or server X509 Certificates. Below is some sample code to create a default self-signed PKI:

var e error
var p *pki.PKI

if p, e = pki.New("/pki/root/dir", pki.NewCfg()); e != nil {
    panic(e)
}

From there, client and server Certificates can be created or Certificate Signing Requests (CSRs) can be imported and used to generate a Certificate for a third-party.

The PKI infrastructure contains a built-in database for tracking generated Certificates and if/when they expired or were revoked.

Index ¶

Constants
type CertType
type Cfg
- func CfgFromFile(fn string) (*Cfg, error)
- func NewCfg() *Cfg
type PKI
- func New(root string, cfg *Cfg) (*PKI, error)

Constants ¶

View Source

const Version = "1.4.0"

Version is the package version.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type CertType ¶

type CertType int

CertType is an enumeration of supported certificate types.

const (
	CACert CertType = iota
	ClientCert
	ServerCert
)

Certificate types

type Cfg ¶

type Cfg struct {
	CADaysValid   int
	CertDaysValid int
	// contains filtered or unexported fields
}

Cfg contains any relevant configuration options for creating PKI infrastructure.

func CfgFromFile ¶

func CfgFromFile(fn string) (*Cfg, error)

CfgFromFile will parse the specified file and create a new Cfg instance.

func NewCfg ¶

func NewCfg() *Cfg

NewCfg will create a new default instance of Cfg.

func (*Cfg) City ¶

func (cfg *Cfg) City(c string)

City is an alias for Locality().

func (*Cfg) CommonName ¶

func (cfg *Cfg) CommonName(cn string)

CommonName will set the CN in the certificate's subject.

func (*Cfg) Company ¶

func (cfg *Cfg) Company(c string)

Company is an alias for Organization().

func (*Cfg) Country ¶

func (cfg *Cfg) Country(c string)

Country will set the C in the certificate's subject.

func (*Cfg) Locality ¶

func (cfg *Cfg) Locality(l string)

Locality will set the L in the certificate's subject.

func (*Cfg) Organization ¶

func (cfg *Cfg) Organization(o string)

Organization will set the O in the certificate's subject.

func (*Cfg) OrganizationalUnit ¶

func (cfg *Cfg) OrganizationalUnit(ou string)

OrganizationalUnit will set the OU in the certificate's subject.

func (*Cfg) Province ¶

func (cfg *Cfg) Province(p string)

Province will set the ST in the certificate's subject.

func (*Cfg) SetOption ¶

func (cfg *Cfg) SetOption(k, v string) error

SetOption will allow you to set supported configuration options.

func (*Cfg) State ¶

func (cfg *Cfg) State(s string)

State is an alias for Province().

func (*Cfg) String ¶

func (cfg *Cfg) String() string

String will return the string representation of the Cfg instance.

func (*Cfg) Subject ¶

func (cfg *Cfg) Subject(cn ...string) pkix.Name

Subject will return the constructed Subject.

func (*Cfg) Unit ¶

func (cfg *Cfg) Unit(u string)

Unit is an alias for OrganizationalUnit().

type PKI ¶

type PKI struct {
	Cfg     *Cfg
	KeySize int
	Root    string
	// contains filtered or unexported fields
}

PKI is a structure that contains the PKI config, key size for generated Certificates, and the root of the PKI infrastructure.

func New ¶

func New(root string, cfg *Cfg) (*PKI, error)

New will return a pointer to a new PKI instance as well as initialized the PKI infrastructure on disk.

func (*PKI) CreateCA ¶

func (p *PKI) CreateCA() (*x509.Certificate, *rsa.PrivateKey, error)

CreateCA will create a new self-signed CA Certificate and return the Certificate with its associated private key. If a CA and key already exist on disk, they will be parsed and returned instead.

func (*PKI) CreateCSRFor ¶

func (p *PKI) CreateCSRFor(
	cn string, key *rsa.PrivateKey, alts ...string,
) (*x509.CertificateRequest, error)

CreateCSRFor will create a Certificate request for the specified CommonName, signed by the provided private key.

func (*PKI) CreateCertFor ¶

func (p *PKI) CreateCertFor(
	cn string, certType CertType, alts ...string,
) (*x509.Certificate, *rsa.PrivateKey, error)

CreateCertFor will create a Certificate for the specified CommonName, signed by the PKI's CA. The new Certificate and its associated private key will be returned. If a Certificate and key alredy exist on disk, they will be parsed and returned instead. See CertType for supported Certificate types.

func (*PKI) CreateRSAKeyFor ¶

func (p *PKI) CreateRSAKeyFor(cn string) (*rsa.PrivateKey, error)

CreateRSAKeyFor will create an RSA private key for the specified CommonName.

func (*PKI) Erase ¶

func (p *PKI) Erase() error

Erase will erase all PKI related files and directories. Be careful. This is non-reversable.

func (*PKI) Fingerprint ¶ added in v1.1.0

func (p *PKI) Fingerprint(cert *x509.Certificate) string

Fingerprint will return the sha1 hash of the provided Certificate.

func (*PKI) FingerprintFor ¶ added in v1.1.0

func (p *PKI) FingerprintFor(cn string) string

FingerprintFor will return the sha1 hash of the Certificate for the specified CommonName, should it exist. If the Certificate does not exist or is revoked, it will return empty string.

func (*PKI) GetCAFile ¶

func (p *PKI) GetCAFile() string

GetCAFile will return the filepath for the CA. There is no guarantee that the file exists. Use HasCA() first.

func (*PKI) GetCSRFileFor ¶

func (p *PKI) GetCSRFileFor(cn string) string

GetCSRFileFor will return the filepath for the CSR. There is no guarantee that the file exists. Use HasCSRFor() first.

func (*PKI) GetCertFileFor ¶

func (p *PKI) GetCertFileFor(cn string) string

GetCertFileFor will return the filepath for the Certificate. There is no guarantee that the file exists. Use HasCertFor() first.

func (*PKI) GetKeyFileFor ¶

func (p *PKI) GetKeyFileFor(cn string) string

GetKeyFileFor will return the filepath for the private key. There is no guarantee that the file exists. Use HasKeyFor() first.

func (*PKI) HasCA ¶

func (p *PKI) HasCA() bool

HasCA will return whether or not a CA already exists. This only checks if the file exists on disk. It does not validate that the file contains a valid Certificate.

func (*PKI) HasCSRFor ¶

func (p *PKI) HasCSRFor(cn string) bool

HasCSRFor will return whether or not a CSR for the specified CommonName already exists. This only checks if the file exists on disk. It does not validate that the file contains a valid CSR.

func (*PKI) HasCertFor ¶

func (p *PKI) HasCertFor(cn string) bool

HasCertFor will return whether or not a Certificate for the specified CommonName already exists. This only checks if the file exists on disk. It does not validate that the file contains a valid Certificate.

func (*PKI) HasKeyFor ¶

func (p *PKI) HasKeyFor(cn string) bool

HasKeyFor will return whether or not a private key for the specified CommonName already exists. This only checks if the file exists on disk. It does not validate that the file contains a valid private key.

func (*PKI) HasSigned ¶

func (p *PKI) HasSigned(cert *x509.Certificate) bool

HasSigned will return whether or not the provided Certificate has been signed by the PKI's CA.

func (*PKI) ImportCSR ¶

func (p *PKI) ImportCSR(fn string) error

ImportCSR will read the provided CSR and attempt import it into the PKI. If the embedded CommonName already has a Certificate or CSR, an error will be returned.

func (*PKI) IsExpired ¶

func (p *PKI) IsExpired(cert *x509.Certificate) bool

IsExpired will return whether or not the specified Certificate has expired. This takes a Certificate b/c a CommonName is not enough info with "unique_subject = no".

func (*PKI) IsRevoked ¶

func (p *PKI) IsRevoked(cert *x509.Certificate) (bool, error)

IsRevoked will return whether or not the specified Certificate has been revoked. This takes a Certificate b/c a CommonName is not enough info with "unique_subject = no".

func (*PKI) RevokeCert ¶ added in v1.3.0

func (p *PKI) RevokeCert(cert *x509.Certificate) error

RevokeCert will revoke the provided Certificate.

func (*PKI) RevokeCertFor ¶

func (p *PKI) RevokeCertFor(cn string) (*x509.Certificate, error)

RevokeCertFor will revoke the oldest Certificate with the specified CommonName and return it for any post-processing, such as manually maintaining a Certificate Revocation List (CRL).

func (*PKI) Sync ¶

func (p *PKI) Sync() error

Sync will make sure that all ders/pems are mirrored in the associated directories for convienent access.

func (*PKI) Undo ¶

func (p *PKI) Undo() error

Undo will rollback the PKI database and delete the most recently generated Certificate and its associated CSR and private key.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cmd
certify

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL