import "go.aporeto.io/tg/tglib"
Package tglib contains various helpers to deal with crypto. It entirely rely on standard go crypto libraries.
cert.go certpool.go constants.go csr.go deprecated.go doc.go options.go pkcs12.go privatekey.go san.go utils.go
func BuildCertificatesMaps(certs []tls.Certificate) (map[string]tls.Certificate, map[string]tls.Certificate, error)
BuildCertificatesMaps returns to maps to get what certificate to use for which DNS or IPs. This can be used in a custom tls.Config.GetCertificate function.
BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.
BuildSubjectAltNameExtension builds the SAN extension for the certificate.
func CSRFromCertificate(cert *x509.Certificate) *x509.CertificateRequest
CSRFromCertificate generates a new CSR from the given certificate
CertToPEM converts the given *x509.Certificate to *pem.Block .
DecryptPrivateKey decrypts the given private key
DecryptPrivateKeyPEM decrypts the given private key PEM bytes
func ECPrivateKeyGenerator() (crypto.PrivateKey, error)
ECPrivateKeyGenerator generates a ECDSA private key.
EncryptPrivateKey encrypts the given private key
EncryptPrivateKeyPEM encrypts the given private key PEM bytes
ExtractIDs first finds the SAN extension from the given extension set, then extract identities from the SAN extension.
ExtractSANExtension extracts the "Subject Alternative Name" externsion from the given PKIX extension set.
GenerateBase64PKCS12 generates a full PKCS certificate based on the input keys.
func GenerateCSR(csr *x509.CertificateRequest, privateKey crypto.PrivateKey) ([]byte, error)
GenerateCSR generate a CSR using the given parameters.
func GenerateCSRwithSANs(orgs []string, units []string, commonName string, sans []string, privateKey crypto.PrivateKey) ([]byte, error)
GenerateCSRwithSANs generates a SPIFFE certificate CSR.
GeneratePKCS12 generates a pkcs12
GeneratePKCS12FromFiles generates a full PKCS certificate based on the input keys.
func GenerateSimpleCSR(orgs []string, units []string, commonName string, emails []string, privateKey crypto.PrivateKey) ([]byte, error)
GenerateSimpleCSR generate a CSR using the given parameters.
Issue issues a new x509 certificate
func IssueCertiticate(
signingCertificate *x509.Certificate,
signingPrivateKey crypto.PrivateKey,
keyGen PrivateKeyGenerator,
countries []string,
provinces []string,
localities []string,
streetAddresses []string,
postalCodes []string,
organizations []string,
organizationalUnits []string,
commonName string,
dnsNames []string,
ipAddresses []net.IP,
beginning time.Time,
expiration time.Time,
keyUsage x509.KeyUsage,
extKeyUsage []x509.ExtKeyUsage,
signatureAlgorithm x509.SignatureAlgorithm,
publicKeyAlgorithm x509.PublicKeyAlgorithm,
isCA bool,
policies []asn1.ObjectIdentifier,
) (*pem.Block, *pem.Block, error)IssueCertiticate issues a new Certificate eventual signed using the signingCertificate and the given keyGen.
KeyToPEM converts the given crypto.PrivateKey to *pem.Block .
func LoadCSRs(csrData []byte) ([]*x509.CertificateRequest, error)
LoadCSRs loads the given bytes as an array of Certificate Signing Request.
PEMToKey loads a decrypted pem block and returns a crypto.PrivateKey
func ParseCertificate(certPemBytes []byte) (*x509.Certificate, error)
ParseCertificate parse the given PEM bytes and returns the fist *x509.Certificate.
func ParseCertificatePEM(path string) (*x509.Certificate, error)
ParseCertificatePEM reads the PEM certificate at the given path and returns the first *x509.Certificate found
func ParseCertificatePEMs(path string) ([]*x509.Certificate, error)
ParseCertificatePEMs reads the PEM certificate at the given path and returns the a []*x509.Certificate.
func ParseCertificates(certPemBytes []byte) ([]*x509.Certificate, error)
ParseCertificates parse the given PEM bytes and returns a []*x509.Certificate.
func RSAPrivateKeyGenerator() (crypto.PrivateKey, error)
RSAPrivateKeyGenerator generates a RSA private key.
func ReadCertificate(certPemBytes []byte, keyPemBytes []byte, password string) (*x509.Certificate, crypto.PrivateKey, error)
ReadCertificate returns a the first *x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.
func ReadCertificatePEM(certPath, keyPath, password string) (*x509.Certificate, crypto.PrivateKey, error)
ReadCertificatePEM returns a the first *x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.
func ReadCertificatePEMs(certPath, keyPath, password string) ([]*x509.Certificate, crypto.PrivateKey, error)
ReadCertificatePEMs returns a []*x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.
func ReadCertificates(certPemBytes []byte, keyPemBytes []byte, password string) ([]*x509.Certificate, crypto.PrivateKey, error)
ReadCertificates returns a []*x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.
func Sign(
csr *x509.CertificateRequest,
signingCertificate *x509.Certificate,
signingPrivateKey crypto.PrivateKey,
options ...IssueOption,
) (*pem.Block, string, error)Sign signs the give CSR using the given signer certificate and key and given options.
func SignCSR(
csr *x509.CertificateRequest,
signingCertificate *x509.Certificate,
signingPrivateKey crypto.PrivateKey,
beginning time.Time,
expiration time.Time,
keyUsage x509.KeyUsage,
extKeyUsage []x509.ExtKeyUsage,
signatureAlgorithm x509.SignatureAlgorithm,
publicKeyAlgorithm x509.PublicKeyAlgorithm,
isCA bool,
policies []asn1.ObjectIdentifier,
) (*pem.Block, string, error)SignCSR will sign the given CSR with the given signing cert
func SplitChain(certData []byte) (cert *x509.Certificate, caChain []*x509.Certificate, err error)
SplitChain splits the given certificate data into the actual *x509.Certificate and a list of CA chain in a []*x509.Certificate
SplitChainPEM splits the given cert PEM []byte as the actual certificate and []byte as the rest of the chain.
SystemCertPool gets the system cert pool via Go libraries
func ToTLSCertificate(cert *x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)
ToTLSCertificate converts the given cert and private key to a tls.Certificate. The private key must not be encrypted.
func ToTLSCertificates(certs []*x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)
ToTLSCertificates converts the given certs and private key to a tls.Certificate. The private key must not be encrypted.
Verify verifies the given certificate is signed by the given other certificate, and that the other certificate has the correct required key usage.
type Identity struct {
Type IdentityType
Value []byte
}Identity is an object holding both the encoded identifier bytes as well as the type of the identity.
ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.
IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension.
const (
// TypeDNS represents a DNS name.
TypeDNS IdentityType = iota
// TypeIP represents an IP address.
TypeIP
// TypeURI represents a universal resource identifier.
TypeURI
)type IssueOption func(*issueCfg)
IssueOption represents an issuing option.
func OptIssueAlgorithmECDSA() IssueOption
OptIssueAlgorithmECDSA configures the certificate to use ECDSA with SHA384 P256 curve.
func OptIssueAlgorithmRSA() IssueOption
OptIssueAlgorithmRSA configures the certificate to use 2048-bits RSA with SHA384 signature
func OptIssueDNSSANs(dns ...string) IssueOption
OptIssueDNSSANs the IP SANs for the certificate to be issued.
func OptIssueExtendedKeyUsages(usages ...x509.ExtKeyUsage) IssueOption
OptIssueExtendedKeyUsages manually sets the extended key usage for the certificate. It will erase any previous extended usage set by options OptIssueType*.
It is not recommended to use this option unless you know exactly what you are doing.
func OptIssueIPSANs(ips ...net.IP) IssueOption
OptIssueIPSANs sets the IP SANs for the certificate to be issued.
func OptIssueKeyGenerator(keyGen PrivateKeyGenerator) IssueOption
OptIssueKeyGenerator sets the private key generator to use. It will erase any previous extended usage set by options OptIssueAlgorithm*.
It is not recommended to use this option unless you know exactly what you are doing.
func OptIssueKeyUsage(usage x509.KeyUsage) IssueOption
OptIssueKeyUsage sets the key usage for the certificate. It will erase any previous usage set by options OptIssueType*.
It is not recommended to use this option unless you know exactly what you are doing.
func OptIssuePolicies(policies ...asn1.ObjectIdentifier) IssueOption
OptIssuePolicies sets additional policies OIDs.
func OptIssuePublicKeyAlgorithm(alg x509.PublicKeyAlgorithm) IssueOption
OptIssuePublicKeyAlgorithm sets the signature algorithm for the public key. It will erase any previous extended usage set by options OptIssueAlgorithm*.
It is not recommended to use this option unless you know exactly what you are doing.
func OptIssueSignatureAlgorithm(alg x509.SignatureAlgorithm) IssueOption
OptIssueSignatureAlgorithm sets the signature algorithm for the certificate. By default, it uses x509.ECDSA.
It is not recommended to use this option unless you know exactly what you are doing.
func OptIssueSigner(cert *x509.Certificate, key crypto.PrivateKey) IssueOption
OptIssueSigner sets the signer for the certificate to be issued. By default, Issue will issue a self-signed certificate.
OptIssueSignerPEMBlock sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.
func OptIssueSignerPEMBytes(cert []byte, key []byte, password string) IssueOption
OptIssueSignerPEMBytes sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.
func OptIssueTypeCA() IssueOption
OptIssueTypeCA sets the makes the certificate to be issued to be a Certificate Authority. It automatically applies the correct key usage, unless already set by another option.
func OptIssueTypeClientAuth() IssueOption
OptIssueTypeClientAuth configures the certificate to be issued to be a client certificate. This option can be combined with other OptIssueType*.
func OptIssueTypeCodeSigning() IssueOption
OptIssueTypeCodeSigning configures the certificate to be issued to be a code signing certificate. This option can be combined with other OptIssueType*.
func OptIssueTypeEmailProtection() IssueOption
OptIssueTypeEmailProtection configures the certificate to be issued to be a email protection certificate. This option can be combined with other OptIssueType*.
func OptIssueTypeServerAuth() IssueOption
OptIssueTypeServerAuth configures the certificate to be issued to be a server certificate. This option can be combined with other OptIssueType*.
OptIssueValidity sets the validity of the certificate to be issued. By default, the certificate is valid from the time it has been created for 1 year.
type PrivateKeyGenerator func() (crypto.PrivateKey, error)
PrivateKeyGenerator is the type of function that can generate a crypto.PrivateKey.
Package tglib imports 19 packages (graph) and is imported by 7 packages. Updated 2020-01-19. Refresh now. Tools for package owners.