tg: go.aporeto.io/tg/tglib Index | Files

package tglib

import "go.aporeto.io/tg/tglib"

Package tglib contains various helpers to deal with crypto. It entirely rely on standard go crypto libraries.

Index

Package Files

cert.go constants.go csr.go deprecated.go doc.go options.go pkcs12.go privatekey.go san.go utils.go

Constants

const (
    // URIScheme is the URI scheme for Spiffe identities.
    URIScheme string = "spiffe"
)

func BuildCertificatesMaps Uses

func BuildCertificatesMaps(certs []tls.Certificate) (map[string]tls.Certificate, map[string]tls.Certificate, error)

BuildCertificatesMaps returns to maps to get what certificate to use for which DNS or IPs. This can be used in a custom tls.Config.GetCertificate function.

func BuildSANExtension Uses

func BuildSANExtension(identites []Identity) (*pkix.Extension, error)

BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.

func BuildSubjectAltNameExtension Uses

func BuildSubjectAltNameExtension(hosts []string) (*pkix.Extension, error)

BuildSubjectAltNameExtension builds the SAN extension for the certificate.

func CSRFromCertificate Uses

func CSRFromCertificate(cert *x509.Certificate) *x509.CertificateRequest

CSRFromCertificate generates a new CSR from the given certificate

func CertToPEM Uses

func CertToPEM(cert *x509.Certificate) (*pem.Block, error)

CertToPEM converts the given *x509.Certificate to *pem.Block .

func DecryptPrivateKey Uses

func DecryptPrivateKey(keyBlock *pem.Block, password string) (*pem.Block, error)

DecryptPrivateKey decrypts the given private key

func DecryptPrivateKeyPEM Uses

func DecryptPrivateKeyPEM(key []byte, password string) (*pem.Block, error)

DecryptPrivateKeyPEM decrypts the given private key PEM bytes

func ECPrivateKeyGenerator Uses

func ECPrivateKeyGenerator() (crypto.PrivateKey, error)

ECPrivateKeyGenerator generates a ECDSA private key.

func EncryptPrivateKey Uses

func EncryptPrivateKey(keyBlock *pem.Block, password string) (*pem.Block, error)

EncryptPrivateKey encrypts the given private key

func EncryptPrivateKeyPEM Uses

func EncryptPrivateKeyPEM(key []byte, password string) (*pem.Block, error)

EncryptPrivateKeyPEM encrypts the given private key PEM bytes

func ExtractIDs Uses

func ExtractIDs(exts []pkix.Extension) (map[string]struct{}, error)

ExtractIDs first finds the SAN extension from the given extension set, then extract identities from the SAN extension.

func ExtractSANExtension Uses

func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension

ExtractSANExtension extracts the "Subject Alternative Name" externsion from the given PKIX extension set.

func GenerateBase64PKCS12 Uses

func GenerateBase64PKCS12(cert []byte, key []byte, ca []byte, passphrase string) (string, error)

GenerateBase64PKCS12 generates a full PKCS certificate based on the input keys.

func GenerateCSR Uses

func GenerateCSR(csr *x509.CertificateRequest, privateKey crypto.PrivateKey) ([]byte, error)

GenerateCSR generate a CSR using the given parameters.

func GenerateCSRwithSANs Uses

func GenerateCSRwithSANs(orgs []string, units []string, commonName string, sans []string, privateKey crypto.PrivateKey) ([]byte, error)

GenerateCSRwithSANs generates a SPIFFE certificate CSR.

func GeneratePKCS12 Uses

func GeneratePKCS12(cert []byte, key []byte, ca []byte, passphrase string) ([]byte, error)

GeneratePKCS12 generates a pkcs12

func GeneratePKCS12FromFiles Uses

func GeneratePKCS12FromFiles(out, certPath, keyPath, caPath, passphrase string) error

GeneratePKCS12FromFiles generates a full PKCS certificate based on the input keys.

func GenerateSimpleCSR Uses

func GenerateSimpleCSR(orgs []string, units []string, commonName string, emails []string, privateKey crypto.PrivateKey) ([]byte, error)

GenerateSimpleCSR generate a CSR using the given parameters.

func Issue Uses

func Issue(subject pkix.Name, options ...IssueOption) (*pem.Block, *pem.Block, error)

Issue issues a new x509 certificate

func IssueCertiticate Uses

func IssueCertiticate(
    signingCertificate *x509.Certificate,
    signingPrivateKey crypto.PrivateKey,
    keyGen PrivateKeyGenerator,

    countries []string,
    provinces []string,
    localities []string,
    streetAddresses []string,
    postalCodes []string,
    organizations []string,
    organizationalUnits []string,
    commonName string,

    dnsNames []string,
    ipAddresses []net.IP,

    beginning time.Time,
    expiration time.Time,
    keyUsage x509.KeyUsage,
    extKeyUsage []x509.ExtKeyUsage,
    signatureAlgorithm x509.SignatureAlgorithm,
    publicKeyAlgorithm x509.PublicKeyAlgorithm,
    isCA bool,

    policies []asn1.ObjectIdentifier,

) (*pem.Block, *pem.Block, error)

IssueCertiticate issues a new Certificate eventual signed using the signingCertificate and the given keyGen.

func KeyToPEM Uses

func KeyToPEM(key interface{}) (*pem.Block, error)

KeyToPEM converts the given crypto.PrivateKey to *pem.Block .

func LoadCSRs Uses

func LoadCSRs(csrData []byte) ([]*x509.CertificateRequest, error)

LoadCSRs loads the given bytes as an array of Certificate Signing Request.

func PEMToKey Uses

func PEMToKey(keyBlock *pem.Block) (crypto.PrivateKey, error)

PEMToKey loads a decrypted pem block and returns a crypto.PrivateKey

func ParseCertificate Uses

func ParseCertificate(certPemBytes []byte) (*x509.Certificate, error)

ParseCertificate parse the given PEM bytes and returns the fist *x509.Certificate.

func ParseCertificatePEM Uses

func ParseCertificatePEM(path string) (*x509.Certificate, error)

ParseCertificatePEM reads the PEM certificate at the given path and returns the first *x509.Certificate found

func ParseCertificatePEMs Uses

func ParseCertificatePEMs(path string) ([]*x509.Certificate, error)

ParseCertificatePEMs reads the PEM certificate at the given path and returns the a []*x509.Certificate.

func ParseCertificates Uses

func ParseCertificates(certPemBytes []byte) ([]*x509.Certificate, error)

ParseCertificates parse the given PEM bytes and returns a []*x509.Certificate.

func RSAPrivateKeyGenerator Uses

func RSAPrivateKeyGenerator() (crypto.PrivateKey, error)

RSAPrivateKeyGenerator generates a RSA private key.

func ReadCertificate Uses

func ReadCertificate(certPemBytes []byte, keyPemBytes []byte, password string) (*x509.Certificate, crypto.PrivateKey, error)

ReadCertificate returns a the first *x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.

func ReadCertificatePEM Uses

func ReadCertificatePEM(certPath, keyPath, password string) (*x509.Certificate, crypto.PrivateKey, error)

ReadCertificatePEM returns a the first *x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.

func ReadCertificatePEMs Uses

func ReadCertificatePEMs(certPath, keyPath, password string) ([]*x509.Certificate, crypto.PrivateKey, error)

ReadCertificatePEMs returns a []*x509.Certificate from the path of a cert, a key in PEM and decrypts it with the given password if needed.

func ReadCertificates Uses

func ReadCertificates(certPemBytes []byte, keyPemBytes []byte, password string) ([]*x509.Certificate, crypto.PrivateKey, error)

ReadCertificates returns a []*x509.Certificate from the PEM bytes pf a cert and a key and decrypts it with the given password if needed.

func Sign Uses

func Sign(
    csr *x509.CertificateRequest,
    signingCertificate *x509.Certificate,
    signingPrivateKey crypto.PrivateKey,
    options ...IssueOption,
) (*pem.Block, string, error)

Sign signs the give CSR using the given signer certificate and key and given options.

func SignCSR Uses

func SignCSR(
    csr *x509.CertificateRequest,
    signingCertificate *x509.Certificate,
    signingPrivateKey crypto.PrivateKey,

    beginning time.Time,
    expiration time.Time,
    keyUsage x509.KeyUsage,
    extKeyUsage []x509.ExtKeyUsage,
    signatureAlgorithm x509.SignatureAlgorithm,
    publicKeyAlgorithm x509.PublicKeyAlgorithm,

    isCA bool,
    policies []asn1.ObjectIdentifier,
) (*pem.Block, string, error)

SignCSR will sign the given CSR with the given signing cert

func SplitChain Uses

func SplitChain(certData []byte) (cert *x509.Certificate, caChain []*x509.Certificate, err error)

SplitChain splits the given certificate data into the actual *x509.Certificate and a list of CA chain in a []*x509.Certificate

func SplitChainPEM Uses

func SplitChainPEM(certData []byte) ([]byte, []byte)

SplitChainPEM splits the given cert PEM []byte as the actual certificate and []byte as the rest of the chain.

func ToTLSCertificate Uses

func ToTLSCertificate(cert *x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)

ToTLSCertificate converts the given cert and private key to a tls.Certificate. The private key must not be encrypted.

func ToTLSCertificates Uses

func ToTLSCertificates(certs []*x509.Certificate, key crypto.PrivateKey) (tls.Certificate, error)

ToTLSCertificates converts the given certs and private key to a tls.Certificate. The private key must not be encrypted.

func Verify Uses

func Verify(signingCertPEMData []byte, certPEMData []byte, keyUsages []x509.ExtKeyUsage) error

Verify verifies the given certificate is signed by the given other certificate, and that the other certificate has the correct required key usage.

type Identity Uses

type Identity struct {
    Type  IdentityType
    Value []byte
}

Identity is an object holding both the encoded identifier bytes as well as the type of the identity.

func ExtractIDsFromSAN Uses

func ExtractIDsFromSAN(sanExt *pkix.Extension) ([]Identity, error)

ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.

type IdentityType Uses

type IdentityType int

IdentityType represents type of an identity. This is used to properly encode an identity into a SAN extension.

const (
    // TypeDNS represents a DNS name.
    TypeDNS IdentityType = iota
    // TypeIP represents an IP address.
    TypeIP
    // TypeURI represents a universal resource identifier.
    TypeURI
)

type IssueOption Uses

type IssueOption func(*issueCfg)

IssueOption represents an issuing option.

func OptIssueAlgorithmECDSA Uses

func OptIssueAlgorithmECDSA() IssueOption

OptIssueAlgorithmECDSA configures the certificate to use ECDSA with SHA384 P256 curve.

func OptIssueAlgorithmRSA Uses

func OptIssueAlgorithmRSA() IssueOption

OptIssueAlgorithmRSA configures the certificate to use 2048-bits RSA with SHA384 signature

func OptIssueDNSSANs Uses

func OptIssueDNSSANs(dns ...string) IssueOption

OptIssueDNSSANs the IP SANs for the certificate to be issued.

func OptIssueExtendedKeyUsages Uses

func OptIssueExtendedKeyUsages(usages ...x509.ExtKeyUsage) IssueOption

OptIssueExtendedKeyUsages manually sets the extended key usage for the certificate. It will erase any previous extended usage set by options OptIssueType*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueIPSANs Uses

func OptIssueIPSANs(ips ...net.IP) IssueOption

OptIssueIPSANs sets the IP SANs for the certificate to be issued.

func OptIssueKeyGenerator Uses

func OptIssueKeyGenerator(keyGen PrivateKeyGenerator) IssueOption

OptIssueKeyGenerator sets the private key generator to use. It will erase any previous extended usage set by options OptIssueAlgorithm*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueKeyUsage Uses

func OptIssueKeyUsage(usage x509.KeyUsage) IssueOption

OptIssueKeyUsage sets the key usage for the certificate. It will erase any previous usage set by options OptIssueType*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssuePolicies Uses

func OptIssuePolicies(policies ...asn1.ObjectIdentifier) IssueOption

OptIssuePolicies sets additional policies OIDs.

func OptIssuePublicKeyAlgorithm Uses

func OptIssuePublicKeyAlgorithm(alg x509.PublicKeyAlgorithm) IssueOption

OptIssuePublicKeyAlgorithm sets the signature algorithm for the public key. It will erase any previous extended usage set by options OptIssueAlgorithm*.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueSignatureAlgorithm Uses

func OptIssueSignatureAlgorithm(alg x509.SignatureAlgorithm) IssueOption

OptIssueSignatureAlgorithm sets the signature algorithm for the certificate. By default, it uses x509.ECDSA.

It is not recommended to use this option unless you know exactly what you are doing.

func OptIssueSigner Uses

func OptIssueSigner(cert *x509.Certificate, key crypto.PrivateKey) IssueOption

OptIssueSigner sets the signer for the certificate to be issued. By default, Issue will issue a self-signed certificate.

func OptIssueSignerPEMBlock Uses

func OptIssueSignerPEMBlock(cert *pem.Block, key *pem.Block, password string) IssueOption

OptIssueSignerPEMBlock sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.

func OptIssueSignerPEMBytes Uses

func OptIssueSignerPEMBytes(cert []byte, key []byte, password string) IssueOption

OptIssueSignerPEMBytes sets the signer for the certificate to be issued in the PEM format. By default, Issue will issue a self-signed certificate.

func OptIssueTypeCA Uses

func OptIssueTypeCA() IssueOption

OptIssueTypeCA sets the makes the certificate to be issued to be a Certificate Authority. It automatically applies the correct key usage, unless already set by another option.

func OptIssueTypeClientAuth Uses

func OptIssueTypeClientAuth() IssueOption

OptIssueTypeClientAuth configures the certificate to be issued to be a client certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeCodeSigning Uses

func OptIssueTypeCodeSigning() IssueOption

OptIssueTypeCodeSigning configures the certificate to be issued to be a code signing certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeEmailProtection Uses

func OptIssueTypeEmailProtection() IssueOption

OptIssueTypeEmailProtection configures the certificate to be issued to be a email protection certificate. This option can be combined with other OptIssueType*.

func OptIssueTypeServerAuth Uses

func OptIssueTypeServerAuth() IssueOption

OptIssueTypeServerAuth configures the certificate to be issued to be a server certificate. This option can be combined with other OptIssueType*.

func OptIssueValidity Uses

func OptIssueValidity(notBefore time.Time, notAfter time.Time) IssueOption

OptIssueValidity sets the validity of the certificate to be issued. By default, the certificate is valid from the time it has been created for 1 year.

type PrivateKeyGenerator Uses

type PrivateKeyGenerator func() (crypto.PrivateKey, error)

PrivateKeyGenerator is the type of function that can generate a crypto.PrivateKey.

Package tglib imports 19 packages (graph) and is imported by 6 packages. Updated 2019-11-14. Refresh now. Tools for package owners.