scep

package module
v0.0.0-...-892e417 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 14, 2024 License: MIT Imports: 13 Imported by: 2

README

scep

scep is a Golang implementation of the Simple Certificate Enrollment Protocol (SCEP).

This package started its life as part of micromdm/scep. The core SCEP protocol was extracted from it and is now being maintained by smallstep.

Usage

go get github.com/smallstep/scep

The package can be used for both client and server operations.

For detailed usage, see the Go Reference.

Example server:

// read a request body containing SCEP message
body, err := ioutil.ReadAll(r.Body)
if err != nil {
    // handle err
}

// parse the SCEP message
msg, err := scep.ParsePKIMessage(body)
if err != nil {
    // handle err
}

// do something with msg
fmt.Println(msg.MessageType)

// extract encrypted pkiEnvelope
err := msg.DecryptPKIEnvelope(CAcert, CAkey)
if err != nil {
    // handle err
}

// use the CSR from decrypted PKCS request and sign
// MyCSRSigner returns an *x509.Certificate here
crt, err := MyCSRSigner(msg.CSRReqMessage.CSR)
if err != nil {
    // handle err
}

// create a CertRep message from the original
certRep, err := msg.Success(CAcert, CAkey, crt)
if err != nil {
    // handle err
}

// send response back
// w is a http.ResponseWriter
w.Write(certRep.Raw)

Documentation

Overview

Package scep provides common functionality for encoding and decoding Simple Certificate Enrolment Protocol pki messages as defined by https://tools.ietf.org/html/draft-gutmann-scep-02

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CACerts 

func CACerts(data []byte) ([]*x509.Certificate, error)

CACerts extract CA Certificate or chain from PKCS#7 degenerate signed data

func DegenerateCertificates 

func DegenerateCertificates(certs []*x509.Certificate) ([]byte, error)

DegenerateCertificates creates degenerate certificates PKCS#7 type

Types

type CSRReqMessage 

type CSRReqMessage struct {
	RawDecrypted []byte

	// PKCS#10 Certificate request inside the envelope
	CSR *x509.CertificateRequest

	ChallengePassword string
}

CSRReqMessage can be of the type PKCSReq/RenewalReq/UpdateReq and includes a PKCS#10 CSR request. The content of this message is protected by the recipient public key(example CA)

type CertRepMessage 

type CertRepMessage struct {
	PKIStatus
	RecipientNonce
	FailInfo

	Certificate *x509.Certificate
	// contains filtered or unexported fields
}

CertRepMessage is a type of PKIMessage

type CertsSelector 

type CertsSelector interface {
	SelectCerts([]*x509.Certificate) []*x509.Certificate
}

A CertsSelector filters certificates.

type CertsSelectorFunc 

type CertsSelectorFunc func([]*x509.Certificate) []*x509.Certificate

CertsSelectorFunc is a type of function that filters certificates.

func EnciphermentCertsSelector 

func EnciphermentCertsSelector() CertsSelectorFunc

A EnciphermentCertsSelector returns a CertsSelectorFunc that selects certificates eligible for key encipherment. This certsSelector can be used to filter PKCSReq recipients.

func FingerprintCertsSelector 

func FingerprintCertsSelector(hashType crypto.Hash, hash []byte) CertsSelectorFunc

FingerprintCertsSelector selects a certificate that matches hash using hashType against the digest of the raw certificate DER bytes

func NopCertsSelector 

func NopCertsSelector() CertsSelectorFunc

NopCertsSelector returns a CertsSelectorFunc that does not do anything.

func (CertsSelectorFunc) SelectCerts 

func (f CertsSelectorFunc) SelectCerts(certs []*x509.Certificate) []*x509.Certificate

type FailInfo 

type FailInfo string

FailInfo is a SCEP failInfo attribute

The FailInfo attribute MUST contain one of the following failure reasons: 

const (
	BadAlg          FailInfo = "0"
	BadMessageCheck FailInfo = "1"
	BadRequest      FailInfo = "2"
	BadTime         FailInfo = "3"
	BadCertID       FailInfo = "4"
)

func (FailInfo) String 

func (info FailInfo) String() string

type Logger 

type Logger interface {
	Log(keyvals ...interface{}) error
}

Logger is the fundamental interface for all SCEP logging operations. It has the same signature as the `github.com/go-kit/kit/log` interface, to allow for interop between the two. Log creates a log event from keyvals, a variadic sequence of alternating keys and values. Implementations must be safe for concurrent use by multiple goroutines. In particular, any implementation of Logger that appends to keyvals or modifies or retains any of its elements must make a copy first.

type MessageType 

type MessageType string

The MessageType attribute specifies the type of operation performed by the transaction. This attribute MUST be included in all PKI messages.

The following message types are defined: 

const (
	CertRep    MessageType = "3"
	RenewalReq MessageType = "17"
	UpdateReq  MessageType = "18"
	PKCSReq    MessageType = "19"
	CertPoll   MessageType = "20"
	GetCert    MessageType = "21"
	GetCRL     MessageType = "22"
)

Undefined message types are treated as an error.

func (MessageType) String 

func (msg MessageType) String() string

type Option 

type Option func(*config)

Option specifies custom configuration for SCEP.

func WithCACerts 

func WithCACerts(caCerts []*x509.Certificate) Option

WithCACerts adds option CA certificates to the SCEP operations. Note: This changes the verification behavior of PKCS#7 messages. If this option is specified, only caCerts will be used as expected signers.

func WithCertsSelector 

func WithCertsSelector(selector CertsSelector) Option

WithCertsSelector adds the certificates certsSelector option to the SCEP operations. This option is effective when used with NewCSRRequest function. In this case, only certificates selected with the certsSelector will be used as the PKCS#7 message recipients.

func WithLogger 

func WithLogger(logger Logger) Option

WithLogger adds option logging to the SCEP operations.

type PKIMessage 

type PKIMessage struct {
	TransactionID
	MessageType
	SenderNonce
	*CertRepMessage
	*CSRReqMessage

	// DER Encoded PKIMessage
	Raw []byte

	// Used to encrypt message
	Recipients []*x509.Certificate

	// Signer info
	SignerKey  crypto.PrivateKey
	SignerCert *x509.Certificate
	// contains filtered or unexported fields
}

PKIMessage defines the possible SCEP message types

func NewCSRRequest 

func NewCSRRequest(csr *x509.CertificateRequest, tmpl *PKIMessage, opts ...Option) (*PKIMessage, error)

NewCSRRequest creates a scep PKI PKCSReq/UpdateReq message

func ParsePKIMessage 

func ParsePKIMessage(data []byte, opts ...Option) (*PKIMessage, error)

ParsePKIMessage unmarshals a PKCS#7 signed data into a PKI message struct

func (*PKIMessage) DecryptPKIEnvelope 

func (msg *PKIMessage) DecryptPKIEnvelope(cert *x509.Certificate, key crypto.PrivateKey) error

DecryptPKIEnvelope decrypts the PKCS#7 envelopedData inside the SCEP PKIMessage

func (*PKIMessage) Fail 

func (msg *PKIMessage) Fail(crtAuth *x509.Certificate, keyAuth crypto.PrivateKey, info FailInfo) (*PKIMessage, error)

Fail returns a new PKIMessage with CertRep data indicating a failure

func (*PKIMessage) Success 

func (msg *PKIMessage) Success(crtAuth *x509.Certificate, keyAuth crypto.PrivateKey, crt *x509.Certificate) (*PKIMessage, error)

Success returns a new PKIMessage with CertRep data using an already-issued certificate

type PKIStatus 

type PKIStatus string

PKIStatus is a SCEP pkiStatus attribute which holds transaction status information. All SCEP responses MUST include a pkiStatus.

The following pkiStatuses are defined: 

const (
	SUCCESS PKIStatus = "0"
	FAILURE PKIStatus = "2"
	PENDING PKIStatus = "3"
)

Undefined pkiStatus attributes are treated as an error

type RecipientNonce 

type RecipientNonce []byte

The RecipientNonce MUST be copied from the SenderNonce and included in the reply.

type SenderNonce 

type SenderNonce []byte

SenderNonce is a random 16 byte number. A sender must include the senderNonce in each transaction to a recipient.

type TransactionID 

type TransactionID string

The TransactionID is a text string generated by the client when starting a transaction. The client MUST generate a unique string as the transaction identifier, which MUST be used for all PKI messages exchanged for a given enrolment, encoded as a PrintableString.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.