pkix

package

v1.3.0 Latest Latest Go to latest Published: Jul 1, 2022 License: Apache-2.0 Imports: 20 Imported by: 66

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/square/certstrap

Links

Open Source Insights

Documentation ¶

Index ¶

func GenerateSubjectKeyID(pub crypto.PublicKey) ([]byte, error)
func ParseAndValidateIPs(ipList string) (res []net.IP, err error)
func ParseAndValidateURIs(uriList string) (res []*url.URL, err error)
func WithPathlenOption(pathlen int, excludePathlen bool) func(template *x509.Certificate)
type Certificate
- func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time.Time, organization string, ...) (*Certificate, error)
- func CreateCertificateAuthorityWithOptions(key *Key, organizationalUnit string, expiry time.Time, organization string, ...) (*Certificate, error)
- func CreateCertificateHost(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, ...) (*Certificate, error)
- func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, ...) (*Certificate, error)
- func CreateIntermediateCertificateAuthorityWithOptions(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, ...) (*Certificate, error)
- func NewCertificateFromDER(derBytes []byte) *Certificate
- func NewCertificateFromPEM(data []byte) (c *Certificate, err error)
- func (c *Certificate) CheckAuthority() error
- func (c *Certificate) Export() ([]byte, error)
- func (c *Certificate) GetExpirationDuration() time.Duration
- func (c *Certificate) GetRawCertificate() (*x509.Certificate, error)
- func (c *Certificate) VerifyHost(hostCert *Certificate, name string) error
type CertificateAuthorityInfo
- func NewCertificateAuthorityInfo(serialNumber int64) *CertificateAuthorityInfo
- func NewCertificateAuthorityInfoFromJSON(data []byte) (*CertificateAuthorityInfo, error)
- func (n *CertificateAuthorityInfo) Export() ([]byte, error)
- func (n *CertificateAuthorityInfo) IncSerialNumber()
type CertificateRevocationList
- func CreateCertificateRevocationList(key *Key, ca *Certificate, expiry time.Time) (*CertificateRevocationList, error)
- func NewCertificateRevocationListFromDER(derBytes []byte) *CertificateRevocationList
- func NewCertificateRevocationListFromPEM(data []byte) (*CertificateRevocationList, error)
- func (c *CertificateRevocationList) DERBytes() []byte
- func (c *CertificateRevocationList) Export() ([]byte, error)
type CertificateSigningRequest
- func CreateCertificateSigningRequest(key *Key, organizationalUnit string, ipList []net.IP, domainList []string, ...) (*CertificateSigningRequest, error)
- func NewCertificateSigningRequestFromDER(derBytes []byte) *CertificateSigningRequest
- func NewCertificateSigningRequestFromPEM(data []byte) (*CertificateSigningRequest, error)
- func (c *CertificateSigningRequest) CheckSignature() error
- func (c *CertificateSigningRequest) Export() ([]byte, error)
- func (c *CertificateSigningRequest) GetRawCertificateSigningRequest() (*x509.CertificateRequest, error)
type Key
- func CreateECDSAKey(c elliptic.Curve) (*Key, error)
- func CreateEd25519Key() (*Key, error)
- func CreateRSAKey(rsaBits int) (*Key, error)
- func NewKey(pub crypto.PublicKey, priv crypto.PrivateKey) *Key
- func NewKeyFromEncryptedPrivateKeyPEM(data []byte, password []byte) (*Key, error)
- func NewKeyFromPrivateKeyPEM(data []byte) (*Key, error)
- func NewKeyFromSigner(signer crypto.Signer) *Key
- func (k *Key) ExportEncryptedPrivate(password []byte) ([]byte, error)
- func (k *Key) ExportPrivate() ([]byte, error)
type Option

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GenerateSubjectKeyID ¶

func GenerateSubjectKeyID(pub crypto.PublicKey) ([]byte, error)

GenerateSubjectKeyID generates SubjectKeyId used in Certificate Id is 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey

func ParseAndValidateIPs ¶

func ParseAndValidateIPs(ipList string) (res []net.IP, err error)

ParseAndValidateIPs parses a comma-delimited list of IP addresses into an array of IP addresses

func ParseAndValidateURIs ¶ added in v1.2.0

func ParseAndValidateURIs(uriList string) (res []*url.URL, err error)

ParseAndValidateURIs parses a comma-delimited list of URIs into an array of url.URLs

func WithPathlenOption ¶ added in v1.3.0

func WithPathlenOption(pathlen int, excludePathlen bool) func(template *x509.Certificate)

WithPathlenOption will check if the certificate should have `pathlen` or not.

Types ¶

type Certificate ¶

type Certificate struct {
	// contains filtered or unexported fields
}

Certificate is a wrapper around a x509 Certificate and its DER-formatted bytes

func CreateCertificateAuthority ¶

func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time.Time, organization string, country string, province string, locality string, commonName string, permitDomains []string) (*Certificate, error)

CreateCertificateAuthority creates Certificate Authority using existing key. CertificateAuthorityInfo returned is the extra infomation required by Certificate Authority.

func CreateCertificateAuthorityWithOptions ¶ added in v1.3.0

func CreateCertificateAuthorityWithOptions(key *Key, organizationalUnit string, expiry time.Time, organization string, country string, province string, locality string, commonName string, permitDomains []string, opts ...Option) (*Certificate, error)

CreateCertificateAuthorityWithOptions creates Certificate Authority using existing key with options. CertificateAuthorityInfo returned is the extra infomation required by Certificate Authority.

func CreateCertificateHost ¶

func CreateCertificateHost(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time) (*Certificate, error)

CreateCertificateHost creates certificate for host. The arguments include CA certificate, CA key, certificate request.

func CreateIntermediateCertificateAuthority ¶ added in v1.1.0

func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time) (*Certificate, error)

CreateIntermediateCertificateAuthority creates an intermediate CA certificate signed by the given authority.

func CreateIntermediateCertificateAuthorityWithOptions ¶ added in v1.3.0

func CreateIntermediateCertificateAuthorityWithOptions(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time, opts ...Option) (*Certificate, error)

CreateIntermediateCertificateAuthorityWithOptions creates an intermediate with options. CA certificate signed by the given authority.

func NewCertificateFromDER ¶

func NewCertificateFromDER(derBytes []byte) *Certificate

NewCertificateFromDER inits Certificate from DER-format bytes

func NewCertificateFromPEM ¶

func NewCertificateFromPEM(data []byte) (c *Certificate, err error)

NewCertificateFromPEM inits Certificate from PEM-format bytes data should contain at most one certificate

func (*Certificate) CheckAuthority ¶

func (c *Certificate) CheckAuthority() error

CheckAuthority checks the authority of certificate against itself. It only ensures that certificate is self-explanatory, and cannot promise the validity and security.

func (*Certificate) Export ¶

func (c *Certificate) Export() ([]byte, error)

Export returns PEM-format bytes

func (*Certificate) GetExpirationDuration ¶

func (c *Certificate) GetExpirationDuration() time.Duration

GetExpirationDuration gets time duration before expiration

func (*Certificate) GetRawCertificate ¶

func (c *Certificate) GetRawCertificate() (*x509.Certificate, error)

GetRawCertificate returns a copy of this certificate as an x509.Certificate

func (*Certificate) VerifyHost ¶

func (c *Certificate) VerifyHost(hostCert *Certificate, name string) error

VerifyHost verifies the host certificate using host name. Only certificate of authority could call this function successfully. Current implementation allows one CA and direct hosts only, so the organization is always this:

       CA
host1 host2 host3

type CertificateAuthorityInfo ¶

type CertificateAuthorityInfo struct {
	// SerialNumber that has been used so far
	// Recorded to ensure all serial numbers issued by the CA are different
	SerialNumber *big.Int
}

CertificateAuthorityInfo includes extra information required for CA

func NewCertificateAuthorityInfo ¶

func NewCertificateAuthorityInfo(serialNumber int64) *CertificateAuthorityInfo

NewCertificateAuthorityInfo creates a new CertifaceAuthorityInfo with the given serial number

func NewCertificateAuthorityInfoFromJSON ¶

func NewCertificateAuthorityInfoFromJSON(data []byte) (*CertificateAuthorityInfo, error)

NewCertificateAuthorityInfoFromJSON creates a new CertifaceAuthorityInfo with the given JSON information

func (*CertificateAuthorityInfo) Export ¶

func (n *CertificateAuthorityInfo) Export() ([]byte, error)

Export transfers the serial number to a JSON format

func (*CertificateAuthorityInfo) IncSerialNumber ¶

func (n *CertificateAuthorityInfo) IncSerialNumber()

IncSerialNumber increments the given CA Info's serial number

type CertificateRevocationList ¶

type CertificateRevocationList struct {
	// contains filtered or unexported fields
}

CertificateSigningRequest is a wrapper around a x509 CertificateRequest and its DER-formatted bytes

func CreateCertificateRevocationList ¶

func CreateCertificateRevocationList(key *Key, ca *Certificate, expiry time.Time) (*CertificateRevocationList, error)

func NewCertificateRevocationListFromDER ¶

func NewCertificateRevocationListFromDER(derBytes []byte) *CertificateRevocationList

NewCertificateRevocationListFromDER inits CertificateRevocationList from DER-format bytes

func NewCertificateRevocationListFromPEM ¶

func NewCertificateRevocationListFromPEM(data []byte) (*CertificateRevocationList, error)

NewCertificateRevocationListFromPEM inits CertificateRevocationList from PEM-format bytes

func (*CertificateRevocationList) DERBytes ¶ added in v1.2.0

func (c *CertificateRevocationList) DERBytes() []byte

DERBytes returns DER-formatted bytes of the CRL.

func (*CertificateRevocationList) Export ¶

func (c *CertificateRevocationList) Export() ([]byte, error)

Export returns PEM-format bytes

type CertificateSigningRequest ¶

type CertificateSigningRequest struct {
	// contains filtered or unexported fields
}

CertificateSigningRequest is a wrapper around a x509 CertificateRequest and its DER-formatted bytes

func CreateCertificateSigningRequest ¶

func CreateCertificateSigningRequest(key *Key, organizationalUnit string, ipList []net.IP, domainList []string, uriList []*url.URL, organization string, country string, province string, locality string, commonName string) (*CertificateSigningRequest, error)

CreateCertificateSigningRequest sets up a request to create a csr file with the given parameters

func NewCertificateSigningRequestFromDER ¶

func NewCertificateSigningRequestFromDER(derBytes []byte) *CertificateSigningRequest

NewCertificateSigningRequestFromDER inits CertificateSigningRequest from DER-format bytes

func NewCertificateSigningRequestFromPEM ¶

func NewCertificateSigningRequestFromPEM(data []byte) (*CertificateSigningRequest, error)

NewCertificateSigningRequestFromPEM inits CertificateSigningRequest from PEM-format bytes data should contain at most one certificate

func (*CertificateSigningRequest) CheckSignature ¶

func (c *CertificateSigningRequest) CheckSignature() error

CheckSignature verifies that the signature is a valid signature using the public key in CertificateSigningRequest.

func (*CertificateSigningRequest) Export ¶

func (c *CertificateSigningRequest) Export() ([]byte, error)

Export returns PEM-format bytes

func (*CertificateSigningRequest) GetRawCertificateSigningRequest ¶

func (c *CertificateSigningRequest) GetRawCertificateSigningRequest() (*x509.CertificateRequest, error)

GetRawCertificateSigningRequest returns a copy of this certificate request as an x509.CertificateRequest.

type Key ¶

type Key struct {
	Public  crypto.PublicKey
	Private crypto.PrivateKey
}

Key contains a public-private keypair

func CreateECDSAKey ¶ added in v1.3.0

func CreateECDSAKey(c elliptic.Curve) (*Key, error)

CreateECDSAKey creates a new ECDSA key on the given curve

func CreateEd25519Key ¶ added in v1.3.0

func CreateEd25519Key() (*Key, error)

CreateEd25519Key creates a new Ed25519 key

func CreateRSAKey ¶

func CreateRSAKey(rsaBits int) (*Key, error)

CreateRSAKey creates a new Key using RSA algorithm

func NewKey ¶

func NewKey(pub crypto.PublicKey, priv crypto.PrivateKey) *Key

NewKey returns a new public-private keypair Key type

func NewKeyFromEncryptedPrivateKeyPEM ¶

func NewKeyFromEncryptedPrivateKeyPEM(data []byte, password []byte) (*Key, error)

NewKeyFromEncryptedPrivateKeyPEM inits Key from encrypted PEM-format private key bytes

func NewKeyFromPrivateKeyPEM ¶

func NewKeyFromPrivateKeyPEM(data []byte) (*Key, error)

NewKeyFromPrivateKeyPEM inits Key from PEM-format rsa private key bytes

func NewKeyFromSigner ¶ added in v1.3.0

func NewKeyFromSigner(signer crypto.Signer) *Key

func (*Key) ExportEncryptedPrivate ¶

func (k *Key) ExportEncryptedPrivate(password []byte) ([]byte, error)

ExportEncryptedPrivate exports encrypted PEM-format private key

func (*Key) ExportPrivate ¶

func (k *Key) ExportPrivate() ([]byte, error)

ExportPrivate exports PEM-format private key. RSA keys are exported as PKCS#1, ECDSA and Ed25519 keys are exported as PKCS#8.

type Option ¶ added in v1.3.0

type Option func(*x509.Certificate)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL