netcommon

package
v0.0.4 Latest

This package is not in the latest version of its module.
Published: May 2, 2022 License: MIT Imports: 20 Imported by: 0

Documentation

Overview

netcommon is a suite of common utilities that are used throughout the ecosystem. It mainly handles key and certificate parsing, storage, and marshalling, but has some extra functionality that has been needed by both the clients and the servers.

Index

Constants

const PEMHeaderCertificate = "CERTIFICATE"
const PEMHeaderDefaultPriv = "PRIVATE KEY"
const PEMHeaderECDSAPriv = "EC PRIVATE KEY"
const PEMHeaderECDSAPub = "PUBLIC KEY"
const PEMHeaderEd25519Priv = "ED25519 PRIVATE KEY"
const PEMHeaderEd25519Pub = "PUBLIC KEY"
const PEMHeaderPub = "PUBLIC KEY"
const PEMHeaderRSAPriv = "RSA PRIVATE KEY"
const PEMHeaderRSAPub = "PUBLIC KEY"

Variables

This section is empty.

Functions

func ComputeHashSHA256

func ComputeHashSHA256(data []byte) []byte

ComputeHashSHA256 is a helper function that returns a slice representation of the SHA256 hash of the given input.

func DeferrableClose added in v0.0.4

func DeferrableClose(file *os.File)

DeferrableClose is a wrapper to close a file, while catching any potential errors and logging them.

func GenerateDummyCert

func GenerateDummyCert(domains []string) (*tls.Certificate, error)

GenerateDummyCert generates a dummy self-signed *tls.Certificate for a given list of domains, interpreted as SAN records. The certificate it generates will be using ECDSA. It does _not_ return the private key.

func GenerateDummyPairECDSA

func GenerateDummyPairECDSA(domains []string) (*tls.Certificate, *ecdsa.PrivateKey, error)

GenerateDummyPairECDSA generates a dummy self-signed *tls.Certificate for a given list of domains, interpreted as SAN records. It returns the certificate, the private key, and any error that occurred.

func GenerateDummyPairEd25519 added in v0.0.3

func GenerateDummyPairEd25519(domains []string) (*tls.Certificate, *ed25519.PrivateKey, error)

GenerateDummyPairEd25519 generates a dummy self-signed *tls.Certificate for a given list of domains, interpreted as SAN records. It returns the certificate, the private key, and any error that occurred.

func GenerateDummyPairRSA

func GenerateDummyPairRSA(domains []string) (*tls.Certificate, *rsa.PrivateKey, error)

GenerateDummyPairRSA generates a dummy self-signed *tls.Certificate for a given list of domains, interpreted as SAN records. It returns the certificate, the private key, and any error that occurred.

func GetWildcardIssuer

func GetWildcardIssuer(domain string) string

GetWildcardIssuer returns the string representation of a potential wildcard issuer for a given domain. Note that this stops at top-level domains and will not, for example, return *.com for the input example.com. It uses a regex internally.
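The top-level-domain stop is the part that needs care: a rule that only refuses single-label parents still produces *.co.uk for example.co.uk, and an issuer pattern that broad would cover every name registered under that public suffix. The following is an added example, not the package's regex-based implementation, showing that naive rule beside a public-suffix-aware one. publicSuffixes is a constructed, deliberately tiny stand-in for the real Public Suffix List, and naiveWildcard, suffixAwareWildcard and parentOf are this example's own names.

```go
package main

import (
	"fmt"
	"strings"
)

// publicSuffixes is a constructed, deliberately tiny stand-in for the Public
// Suffix List; a real implementation would load the full list.
var publicSuffixes = map[string]bool{
	"com": true, "net": true, "uk": true, "co.uk": true, "org.uk": true,
}

// parentOf lowercases the name, strips a trailing dot, and drops the leftmost
// label. ok is false when there is no parent label to wildcard.
func parentOf(domain string) (parent string, ok bool) {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	i := strings.IndexByte(d, '.')
	if i <= 0 || i == len(d)-1 {
		return "", false
	}
	return d[i+1:], true
}

// naiveWildcard mirrors a single-label top-level-domain rule: it refuses only
// when the parent has no dot, so example.co.uk becomes *.co.uk.
func naiveWildcard(domain string) string {
	parent, ok := parentOf(domain)
	if !ok || !strings.Contains(parent, ".") {
		return ""
	}
	return "*." + parent
}

// suffixAwareWildcard refuses whenever the parent is itself a public suffix,
// which handles two-level suffixes such as co.uk.
func suffixAwareWildcard(domain string) string {
	parent, ok := parentOf(domain)
	if !ok || publicSuffixes[parent] {
		return ""
	}
	return "*." + parent
}

func main() {
	for _, d := range []string{"example.com", "www.example.com", "example.co.uk", "www.example.co.uk"} {
		fmt.Printf("%-20s naive=%-18q suffix-aware=%q\n", d, naiveWildcard(d), suffixAwareWildcard(d))
	}
}
```

An empty result means "no wildcard issuer is acceptable for this name"; callers should treat it as a refusal rather than fall back to the bare domain.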

func LoadCertFromPath

func LoadCertFromPath(path string) (*x509.Certificate, error)

LoadCertFromPath reads an x509 certificate from a given path.

func LoadKeyPair

func LoadKeyPair(certPath, keyPath string) (*tls.Certificate, error)

LoadKeyPair loads a private key and certificate from a given path into a *tls.Certificate struct.

func LoadTLSCertFromPath

func LoadTLSCertFromPath(path string) (*tls.Certificate, error)

LoadTLSCertFromPath creates a *tls.Certificate struct from a given path.

func MarshalCertToPEM added in v0.0.3

func MarshalCertToPEM(out io.Writer, cert *x509.Certificate) error

MarshalCertToPEM creates a PEM block from a given certificate, and writes it to the specified io.Writer.

func MarshalPrivateKeyToPEM

func MarshalPrivateKeyToPEM(out io.Writer, alg x509.PublicKeyAlgorithm, priv any) error

MarshalPrivateKeyToPEM creates a PEM block from a given private key, using the specified algorithm, and writes it to the specified io.Writer. It will return any error encountered during the process. Note that this function uses the x509.MarshalPKCS8PrivateKey function, and therefore outputs keys in PKCS8 format.

func NewCertPool

func NewCertPool(certs []string) (*x509.CertPool, error)

NewCertPool creates an *x509.CertPool from a list of specified certificates. The pool can serve as the trust anchors for Go's native x509 certificate validation (for example as Roots in x509.VerifyOptions), so that certificates can be checked against it efficiently.
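As an added example, not the package's own code, of what GenerateDummyPairECDSA and NewCertPool describe: a self-signed ECDSA certificate whose SANs are the given domains, added to a pool and then checked with Go's native x509 validation, including the negative case of a hostname the certificate does not list. generateDummyPairECDSA, newCertPool, verifyAgainstPool and demo are this example's own names, and the hostnames are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// generateDummyPairECDSA builds a self-signed P-256 certificate whose SANs are
// the given domains, following the contract of the page's GenerateDummyPairECDSA.
func generateDummyPairECDSA(domains []string) (*tls.Certificate, *ecdsa.PrivateKey, error) {
	if len(domains) == 0 {
		return nil, nil, errors.New("at least one SAN is required")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: domains[0]},
		DNSNames:     domains, // SANs; verifiers ignore the CN when SANs are present
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived: it is a dummy
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, priv, nil
}

// newCertPool builds a pool from PEM-encoded certificates; input that yields
// no certificate is an error rather than a pool that silently trusts nothing.
func newCertPool(pems []string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for _, p := range pems {
		if !pool.AppendCertsFromPEM([]byte(p)) {
			return nil, errors.New("no valid certificate in PEM input")
		}
	}
	return pool, nil
}

// verifyAgainstPool runs Go's native chain and hostname validation with the
// pool as the only trust anchors.
func verifyAgainstPool(leaf *x509.Certificate, pool *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

// demo issues a dummy pair for two constructed SANs, trusts only that
// certificate, and reports whether a listed name verifies and an unlisted one
// is rejected.
func demo() (matchOK, mismatchRejected bool, err error) {
	cert, _, err := generateDummyPairECDSA([]string{"api.example.test", "www.example.test"})
	if err != nil {
		return false, false, err
	}
	pemStr := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Certificate[0]}))
	pool, err := newCertPool([]string{pemStr})
	if err != nil {
		return false, false, err
	}
	matchOK = verifyAgainstPool(cert.Leaf, pool, "www.example.test") == nil
	mismatchRejected = verifyAgainstPool(cert.Leaf, pool, "evil.example.test") != nil
	return matchOK, mismatchRejected, nil
}
```

A self-signed dummy like this is only meaningful when the verifier pins it explicitly, as demo does; it carries no CA bit and should never be appended to a system trust store.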

func ReadBytes

func ReadBytes(in io.Reader) ([]byte, error)

ReadBytes essentially gets the bytes from an io.Reader. It is a helper function used elsewhere, to reduce code duplication.

func ReadCAPath

func ReadCAPath(path string, certPool *x509.CertPool) error

ReadCAPath reads a CA from a given path, and adds it to the given certificate pool.

func ReadPem

func ReadPem(in io.Reader) (*pem.Block, error)

ReadPem reads a PEM block from an io.Reader and returns the decoded *pem.Block. Any data remaining after the first PEM block is discarded.

func ReadPemWithRest

func ReadPemWithRest(in io.Reader) (*pem.Block, []byte, error)

ReadPemWithRest reads a PEM block from an io.Reader and returns the decoded *pem.Block together with any data remaining after it.

func SaveCert

func SaveCert(certPath string, cert *x509.Certificate) error

SaveCert saves the certificate to the given path. It returns any error encountered during processing.

func SaveECDSAKey

func SaveECDSAKey(keypath string, priv *ecdsa.PrivateKey) error

SaveECDSAKey saves the ECDSA private key to the given path. It returns any error encountered during processing.

func SaveECDSAPublicKey

func SaveECDSAPublicKey(path string, key *ecdsa.PublicKey) error

SaveECDSAPublicKey saves the ECDSA public key to the given path. It returns any error encountered during processing.

func SaveTLSCert

func SaveTLSCert(certPath, keypath string, cert *tls.Certificate) error

SaveTLSCert saves the *tls.Certificate and private key to the given paths. It returns any error encountered during processing.

func UnmarshalPEMToCert

func UnmarshalPEMToCert(in io.Reader) (*x509.Certificate, error)

UnmarshalPEMToCert will read from the specified io.Reader, and attempt to unmarshal the data into a certificate. It will return any error encountered during processing, alongside the *x509.Certificate struct.

func UnmarshalPEMToPrivateKey

func UnmarshalPEMToPrivateKey(in io.Reader) (*crypto.PrivateKey, error)

UnmarshalPEMToPrivateKey reads from the specified io.Reader, and attempts to unmarshal the data into a private key. It will return any error it encounters during the processing, alongside the *crypto.PrivateKey object. Note: This function uses the x509.ParsePKCS8PrivateKey function internally, so any private keys that can be read from the io.Reader must be in the PKCS8 format.
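MarshalPrivateKeyToPEM and UnmarshalPEMToPrivateKey are PKCS#8-only, so a key stored as "EC PRIVATE KEY" (SEC 1) or "RSA PRIVATE KEY" (PKCS#1) will not round-trip through them even though it is the same key material. The following added example, written here and not taken from the package, shows the PKCS#8 round trip, what the remaining bytes contain when the input holds more than one block (the ReadPemWithRest case), and the rejection of a SEC 1 block both by a header check and by x509.ParsePKCS8PrivateKey itself. writePKCS8PEM, readPKCS8PEM, roundTrip and legacyBlockRejected are this example's own names; trailingBlock is constructed sample data.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// pemHeaderDefaultPriv is the block type PKCS#8 keys carry (the same label as
// the page's PEMHeaderDefaultPriv).
const pemHeaderDefaultPriv = "PRIVATE KEY"

// trailingBlock is constructed sample data appended after the key so the
// example can show what "rest" holds once the first block is consumed.
const trailingBlock = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

// writePKCS8PEM encodes priv (RSA, ECDSA or Ed25519) as a PKCS#8 PEM block.
func writePKCS8PEM(out io.Writer, priv any) error {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return err
	}
	return pem.Encode(out, &pem.Block{Type: pemHeaderDefaultPriv, Bytes: der})
}

// readPKCS8PEM reads the first PEM block, insists that it is a PKCS#8 block,
// and returns the parsed key plus any bytes that followed the block.
func readPKCS8PEM(in io.Reader) (crypto.PrivateKey, []byte, error) {
	raw, err := io.ReadAll(in)
	if err != nil {
		return nil, nil, err
	}
	block, rest := pem.Decode(raw)
	if block == nil {
		return nil, rest, errors.New("no PEM block found")
	}
	if block.Type != pemHeaderDefaultPriv {
		// "EC PRIVATE KEY" (SEC 1) and "RSA PRIVATE KEY" (PKCS#1) are not PKCS#8.
		return nil, rest, fmt.Errorf("expected %q block, got %q", pemHeaderDefaultPriv, block.Type)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	return key, rest, err
}

// roundTrip writes a P-256 key as PKCS#8, appends trailingBlock, reads the key
// back, and reports whether it matches and how many bytes were left over.
func roundTrip() (matched bool, restLen int, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, 0, err
	}
	var buf bytes.Buffer
	if err := writePKCS8PEM(&buf, priv); err != nil {
		return false, 0, err
	}
	buf.WriteString(trailingBlock)
	key, rest, err := readPKCS8PEM(&buf)
	if err != nil {
		return false, 0, err
	}
	got, ok := key.(*ecdsa.PrivateKey)
	return ok && got.Equal(priv), len(rest), nil
}

// legacyBlockRejected shows the failure mode: the same key in SEC 1 form under
// an "EC PRIVATE KEY" header is refused by the header check and, were that
// skipped, by x509.ParsePKCS8PrivateKey as well.
func legacyBlockRejected() (bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	sec1, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return false, err
	}
	var buf bytes.Buffer
	if err := pem.Encode(&buf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: sec1}); err != nil {
		return false, err
	}
	_, _, headerErr := readPKCS8PEM(&buf)
	_, parseErr := x509.ParsePKCS8PrivateKey(sec1)
	return headerErr != nil && parseErr != nil, nil
}
```

Checking the block type before parsing gives a precise error message for a legacy key file instead of the generic ASN.1 failure, which is usually the first thing an operator needs to know when a key "will not load".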

func UnmarshalPEMToTLSCert

func UnmarshalPEMToTLSCert(in io.Reader) (*tls.Certificate, error)

UnmarshalPEMToTLSCert will read from the io.Reader, and attempt to unmarshal the data into a *tls.Certificate. It will return any error it encounters during processing.

func Verify

func Verify(pub crypto.PublicKey, alg x509.PublicKeyAlgorithm, hashFunc crypto.Hash, sigType SigType, challenge []byte, signed []byte) error

Verify checks that signed is a valid signature over challenge made with the private key corresponding to pub, using the given public key algorithm, hash function and SigType. It returns any error encountered during processing; a nil error means the verification was successful.

func WritePem

func WritePem(out io.Writer, blockType string, data []byte) error

WritePem saves a PEM block to an io.Writer, based on the blockType specified in the call.

Types

type InvalidCAPathError

type InvalidCAPathError struct {
	// contains filtered or unexported fields
}

InvalidCAPathError is an error that is returned when the CA path is invalid.

func (*InvalidCAPathError) Error

func (e *InvalidCAPathError) Error() string

Error returns the string representation of an InvalidCAPathError struct.

type InvalidSignatureError

type InvalidSignatureError struct{}

InvalidSignatureError is an error that is returned when the signature is invalid.

func (*InvalidSignatureError) Error

func (e *InvalidSignatureError) Error() string

Error returns the string representation of an InvalidSignatureError struct.

type RemotePrivateKey

type RemotePrivateKey struct {
	// Domain is the domain for which this RemotePrivateKey is associated.
	Domain string
	crypto.Signer
	// RemoteProofFunc is the function that is called whenever it is asked to sign a challenge.
	RemoteProofFunc RemoteProofFunc
	// PublicKey is the public key associated with the private key stored in the NKS
	PublicKey crypto.PublicKey
	// RemoteCert is an x509.Certificate that contains the public key associated with the private key stored in the NKS
	RemoteCert *x509.Certificate
	// RemoteTLSCert is a tls.Certificate that contains the public key associated with the private key stored in the NKS. It does _not_ contain the private key,
	// and as such, cannot be used to sign challenges.
	RemoteTLSCert *tls.Certificate
	// SigType is the type of signature used to sign a challenge. It is used over the wire to identify the type of signature required for the NKS.
	SigType SigType
}

RemotePrivateKey is a wrapper around a crypto.Signer, which enables the private key to be stored on a remote server, and never accessed by the application that stores the RemotePrivateKey struct, while still allowing signature operations to take place.

func (RemotePrivateKey) Public

func (k RemotePrivateKey) Public() crypto.PublicKey

Public gets the public key associated with a RemotePrivateKey.

func (RemotePrivateKey) Sign

func (k RemotePrivateKey) Sign(rand io.Reader, data []byte, opts crypto.SignerOpts) ([]byte, error)

Sign signs the given data with the private key on the NKS server. It returns the signature, and any error that occurred. It calls the RemoteProofFunc function internally.

type RemoteProofFunc

type RemoteProofFunc func(crypto.Hash, SigType, []byte) ([]byte, error)

RemoteProofFunc is a function that performs a proof on a remote server, with the given parameters. It returns the proof, and any error encountered.
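To make the RemotePrivateKey / RemoteProofFunc split concrete, here is an added example, not the package's implementation, in which a crypto.Signer holds only the public key and forwards every signing request to an in-process stand-in for the NKS, and that signer is then handed to x509.CreateCertificate so a certificate is issued without the application ever touching the private key. remoteSigner, keyServer, issueSelfSigned and the SHA-256-only policy are this example's own assumptions; the value 3 for the ECDSA signature type follows the SigType iota order on this page.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"io"
	"math/big"
	"time"
)

// sigTypeECDSA is the wire value for ECDSA in this page's SigType iota order.
const sigTypeECDSA uint8 = 3

// remoteProofFunc has the shape of the page's RemoteProofFunc: hash, wire
// signature type, bytes to sign.
type remoteProofFunc func(crypto.Hash, uint8, []byte) ([]byte, error)

// remoteSigner is a stand-in for RemotePrivateKey. It satisfies crypto.Signer
// without holding the private key: Sign only forwards to proof.
type remoteSigner struct {
	pub     crypto.PublicKey
	sigType uint8
	proof   remoteProofFunc
}

func (r remoteSigner) Public() crypto.PublicKey { return r.pub }

func (r remoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return r.proof(opts.HashFunc(), r.sigType, digest)
}

// keyServer plays the NKS: it owns the key and counts signing requests so the
// example can show that every signature really went through it.
type keyServer struct {
	priv  *ecdsa.PrivateKey
	calls int
}

// proof enforces a constructed policy (SHA-256 digests only) before signing.
func (s *keyServer) proof(h crypto.Hash, _ uint8, digest []byte) ([]byte, error) {
	if h != crypto.SHA256 {
		return nil, errors.New("key server: only SHA-256 digests are accepted")
	}
	s.calls++
	return s.priv.Sign(rand.Reader, digest, h)
}

// issueSelfSigned issues a self-signed certificate for domain using only the
// remote signer. It returns the certificate and how many remote signing calls
// were made; the private key never leaves keyServer.
func issueSelfSigned(domain string) (*x509.Certificate, int, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, 0, err
	}
	srv := &keyServer{priv: priv}
	signer := remoteSigner{pub: &priv.PublicKey, sigType: sigTypeECDSA, proof: srv.proof}

	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed; use a random serial in real code
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, 0, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, 0, err
	}
	// The certificate must verify under its own, remotely held, key.
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return nil, 0, err
	}
	return cert, srv.calls, nil
}
```

The same remoteSigner can be placed in a tls.Certificate's PrivateKey field, which is what lets a TLS server complete handshakes while the key stays on the NKS; the digest-only interface also means the key server can enforce which hash and signature type it is willing to produce, as proof does here.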

type SigType

type SigType uint8

SigType is the type of signature used to sign a challenge. It is used over the wire to identify the type of signature required for the NKS.

const (
	SigType_DEFAULT SigType = iota
	SigType_RSA_PKCS1
	SigType_RSA_PSS
	SigType_ECDSA
	SigType_Ed25519
)

func (SigType) String

func (s SigType) String() string

String gets the string representation for a given SigType
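Verify and SigType together define how a challenge signature is checked: the hash and the signature type have to be applied consistently on both ends, an Ed25519 key signs the raw challenge while RSA and ECDSA keys sign its digest, and a key whose type does not match the requested SigType must be refused rather than tried. The following added example, which reuses this page's SigType constants but whose signChallenge, verifyChallenge, keyFor and roundTrip are its own functions and not the package's, implements that dispatch for all four concrete signature types.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers crypto.SHA256 so h.New() works
	"fmt"
)

// SigType mirrors the wire enum on this page, in the same iota order.
type SigType uint8

const (
	SigType_DEFAULT SigType = iota
	SigType_RSA_PKCS1
	SigType_RSA_PSS
	SigType_ECDSA
	SigType_Ed25519
)

// toBeSigned returns the hash of the challenge, or the challenge itself for
// pure Ed25519, which hashes internally.
func toBeSigned(h crypto.Hash, st SigType, challenge []byte) []byte {
	if st == SigType_Ed25519 {
		return challenge
	}
	hh := h.New()
	hh.Write(challenge)
	return hh.Sum(nil)
}

// signChallenge is the signing side (a local stand-in for the remote proof).
func signChallenge(priv crypto.Signer, h crypto.Hash, st SigType, challenge []byte) ([]byte, error) {
	var opts crypto.SignerOpts = h // PKCS#1 v1.5 for RSA; ECDSA ignores it
	switch st {
	case SigType_RSA_PSS:
		opts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: h}
	case SigType_Ed25519:
		opts = crypto.Hash(0) // Hash(0) selects pure Ed25519 over the raw message
	}
	return priv.Sign(rand.Reader, toBeSigned(h, st, challenge), opts)
}

// verifyChallenge checks sig over challenge for pub, dispatching on SigType and
// refusing any key whose type does not match the requested SigType.
func verifyChallenge(pub crypto.PublicKey, h crypto.Hash, st SigType, challenge, sig []byte) error {
	msg := toBeSigned(h, st, challenge)
	ok := false
	switch k := pub.(type) {
	case *rsa.PublicKey:
		switch st {
		case SigType_RSA_PKCS1:
			ok = rsa.VerifyPKCS1v15(k, h, msg, sig) == nil
		case SigType_RSA_PSS: // same salt length as the signer used
			ok = rsa.VerifyPSS(k, h, msg, sig, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}) == nil
		}
	case *ecdsa.PublicKey:
		ok = st == SigType_ECDSA && ecdsa.VerifyASN1(k, msg, sig)
	case ed25519.PublicKey:
		ok = st == SigType_Ed25519 && ed25519.Verify(k, msg, sig)
	}
	if !ok {
		return fmt.Errorf("invalid signature or key/SigType mismatch (SigType %d)", st)
	}
	return nil
}

// keyFor generates a fresh key of the kind st requires.
func keyFor(st SigType) (crypto.Signer, error) {
	switch st {
	case SigType_RSA_PKCS1, SigType_RSA_PSS:
		return rsa.GenerateKey(rand.Reader, 2048)
	case SigType_ECDSA:
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case SigType_Ed25519:
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	}
	return nil, fmt.Errorf("unsupported SigType %d", st)
}

// roundTrip signs a constructed challenge with a fresh key and verifies it,
// returning the public key and signature so callers can run negative checks.
func roundTrip(st SigType) (crypto.PublicKey, []byte, error) {
	priv, err := keyFor(st)
	if err != nil {
		return nil, nil, err
	}
	challenge := []byte("constructed challenge: nonce-0001") // constructed sample input
	sig, err := signChallenge(priv, crypto.SHA256, st, challenge)
	if err != nil {
		return nil, nil, err
	}
	return priv.Public(), sig, verifyChallenge(priv.Public(), crypto.SHA256, st, challenge, sig)
}
```

Dispatching on the concrete key type first and then requiring the SigType to agree with it is deliberate: a verifier that trusted the wire SigType alone could be steered into running the wrong algorithm over a key it was never meant for.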

type UnknownSigTypeError

type UnknownSigTypeError struct {
	SigType SigType
}

UnknownSigTypeError is an error that is returned when the signature type is unknown.

func (*UnknownSigTypeError) Error

func (e *UnknownSigTypeError) Error() string

Error returns the string representation of an UnknownSigTypeError struct.

Notes

Bugs

  • This will not function for two-level TLDs, such as .co.uk.
