certutils

package module
v0.0.0-...-3ad7590 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 30, 2025 License: Apache-2.0 Imports: 23 Imported by: 0

README

Test Coverage Status Go Reference Go Report Card

certutils

This is an extracted library of common certificate functions which are useful for implementing various bits of x509 certificate handling.

Notably it implements functions suitable for handling the basic CSR -> Certificate flow in a way which sticks with a set of sane defaults, including parsing certificate usages out of CSR requests.

Documentation

Index

Constants

View Source 
const (
	// CertificateBlockType is a possible value for pem.Block.Type.
	CertificateBlockType        = "CERTIFICATE"
	RSAKeyBlockType             = "RSA PRIVATE KEY"
	ECKeyBlockType              = "EC PRIVATE KEY"
	CertificateRequestBlockType = "CERTIFICATE REQUEST"
)
View Source 
const CACertificateMaxDuration = ((time.Hour * 8760) * 25) - (2 * time.Hour)

25 years (- 1 hour)

View Source 
const CertificateMaxDuration = (time.Hour * 24 * 398) - (2 * time.Hour)

398 days (- 1 second)

Variables

View Source 
var ErrCouldNotParsePemCertificateBytes = errors.New("Could not parse bytes as PEM certificate")
View Source 
var ErrCouldNotParsePemCertificateSigningRequestBytes = errors.New("Could not parse bytes as PEM certificate signing request")
View Source 
var ErrInvalidPrivateKeyType = fmt.Errorf("not a valid PrivateKeyType, try [%s]", strings.Join(_PrivateKeyTypeNames, ", "))
View Source 
var ErrUnknownTypeForKey = errors.New("unknown type for encoding key")

Functions

func CACertificateNotAfter 

func CACertificateNotAfter(duration time.Duration) time.Time

CACertificateNotAfter is the same as CertificateNotAfter but follows the Microsoft Root trust program guideline (no more then 25 years).

func CertificateNotAfter 

func CertificateNotAfter(duration time.Duration, authorities ...*x509.Certificate) time.Time

CertificateNotAfter generates a sensible not-after value - specifically, if time.Duration is zero, then it will set it to the accepted max duration of 398 days (- 2 hours). It also optionally takes a list of authority certificates - if set, the returned time will be constrained to not exceed the earliest expiry.

func CertificateNotBefore 

func CertificateNotBefore() time.Time

CertificateNotBefore generates a sensible not-before value (this value will be two hours prior to the current time, which provides a window for systems using daylight savings badly).

func CommonNameToFileName 

func CommonNameToFileName(cn string) string

CommonNameToFileName converts an FQDN into a more unambiguous form for representation as a filename.

func CsrToCertificateTemplate 

func CsrToCertificateTemplate(csr *x509.CertificateRequest, parameters SigningParameters) *x509.Certificate

CsrToCertificateTemplate converts a certificate signing request to a certificate template ready to be signed.

func EncodeCertificates 

func EncodeCertificates(certs ...*x509.Certificate) ([]byte, error)

EncodeCertificates returns the PEM-encoded byte array that represents by the specified certs. https://github.com/kubernetes/client-go/blob/master/util/cert/pem.go

func EncodeKeys 

func EncodeKeys(keys ...interface{}) ([]byte, error)

EncodeKeys returns the PEM-encoded byte array that represents the specified key types

func EncodeRequest 

func EncodeRequest(csrs ...*x509.CertificateRequest) ([]byte, error)

EncodeCertificates returns the PEM-encoded byte array that represents by the specified certs. https://github.com/kubernetes/client-go/blob/master/util/cert/pem.go

func ExtKeyUsageToOid 

func ExtKeyUsageToOid(usage x509.ExtKeyUsage) (oid asn1.ObjectIdentifier, found bool)

ExtKeyUsageToOid is a helper to convert Golang x509 ExtKeyUsages to OIDs

func GenerateCSR 

func GenerateCSR(subject pkix.Name, parameters CSRParameters, key interface{}, hosts ...string) (*x509.CertificateRequest, error)

GenerateCSR generates a certificate for the given hosts. Parameters are common template parameters, key is the private key associated with the certificate.

func GeneratePrivateKey 

func GeneratePrivateKey(keyType PrivateKeyType) (interface{}, error)

GeneratePrivateKey generates a new secure private key based on the type requested.

func ListExtKeyUsage 

func ListExtKeyUsage() []string

ListExtKeyUsage outputs the list of known extended key usages as strings

func ListKeyUsage 

func ListKeyUsage() []string

ListExtKeyUsage outputs the list of known extended key usages as strings

func LoadCertificatesFromPem 

func LoadCertificatesFromPem(pemCerts []byte) ([]*x509.Certificate, error)

LoadCertificatesFromPem will read 1 or more PEM encoded x509 certificates

func LoadPrivateKeysFromPem 

func LoadPrivateKeysFromPem(pemKeys []byte) ([]interface{}, error)

LoadPrivateKeysFromPem will read 1 or more PEM encoded private keys

func LoadRequestsFromPem 

func LoadRequestsFromPem(pemRequests []byte) ([]*x509.CertificateRequest, error)

LoadRequestsFromPem will read 1 or more PEM encoded certificate signing requests

func LoadX509KeyPair 

func LoadX509KeyPair(fs afero.Fs, certFile, keyFile string) (tls.Certificate, error)

LoadX509KeyPair implements tls.LoadX509KeyPair but accepts an afero filesystem override.

func OIDToExtKeyUsage 

func OIDToExtKeyUsage(oid asn1.ObjectIdentifier) (usage x509.ExtKeyUsage, found bool)

OIDToExtKeyUsage converts an asn1.ObjectIdentifier to a Golang x509.ExtKeyUsage type

func ParseExtKeyUsage 

func ParseExtKeyUsage(s string) (x509.ExtKeyUsage, error)

ParseExtKeyUsage parses a string representation of extended key usage to the type.

func ParseKeyUsage 

func ParseKeyUsage(s string) (x509.KeyUsage, error)

ParseKeyUsage parses a string representation of extended key usage to the type.

func PrivateKeyTypeNames 

func PrivateKeyTypeNames() []string

PrivateKeyTypeNames returns a list of possible string values of PrivateKeyType.

func PublicKey 

func PublicKey(priv interface{}) interface{}

PublicKey detects the type of key and returns its PublicKey.

func RequestTLSCertificate 

func RequestTLSCertificate(authority *x509.Certificate, authorityKey interface{},
	parameters SigningParameters, keyType PrivateKeyType, hosts ...string) *tls.Certificate

RequestTLSCertificate generates and signs a certificate for the given hostname using defaults derived from the CA certificate. The returns *tls.Certificate contains the private key of the generated certificate. This will be a server certificate suitable for typical host verification.

func RequestTLSCertificateWithUsages 

func RequestTLSCertificateWithUsages(authority *x509.Certificate, authorityKey interface{},
	parameters SigningParameters, keyType PrivateKeyType, usage x509.KeyUsage, extUsage []x509.ExtKeyUsage, isCA bool, hosts ...string) *tls.Certificate

RequestTLSCertificate generates and signs a certificate for the given hostname using defaults derived from the CA certificate. The returns *tls.Certificate contains the private key of the generated certificate.

func SignCertificate 

func SignCertificate(csr *x509.CertificateRequest, authority *x509.Certificate, authorityKey interface{}, parameters SigningParameters) (*x509.Certificate, error)

SignCertificate signs a CSR for use as a TLS server certificate

Types

type CSRParameters 

type CSRParameters struct {
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
	IsCA        bool
	MaxPathLen  int
	// This parameter is used by some CAs (i.e. ADCS) to determine which template
	// to apply. So we should support it.
	CertificateTemplate string
}

CSRParameters sets parameters for generating a CSR

type CertificateTypeExtension 

type CertificateTypeExtension struct {
	Name string `asn1:"printable"`
}

func (CertificateTypeExtension) Marshal 

func (e CertificateTypeExtension) Marshal() (pkix.Extension, error)

Marshal returns a pkix.Extension.

func (*CertificateTypeExtension) Unmarshal 

func (e *CertificateTypeExtension) Unmarshal(ext pkix.Extension) error

Unmarshal parses a pkix.Extension and stores the result in the object.

type ErrPrivateKeyGeneration 

type ErrPrivateKeyGeneration struct {
	Reason string
}

func (ErrPrivateKeyGeneration) Error 

func (e ErrPrivateKeyGeneration) Error() string

type ErrUnknownPrivateKey 

type ErrUnknownPrivateKey struct {
}

func (ErrUnknownPrivateKey) Error 

func (e ErrUnknownPrivateKey) Error() string

type PrivateKeyType 

type PrivateKeyType string

PrivateKeyType is the list of allowable RSA bit lengths ENUM(rsa2048, rsa3076, rsa4096, ecp256, ecp384, ecp521) 

const (
	// PrivateKeyTypeRsa2048 is a PrivateKeyType of type rsa2048.
	PrivateKeyTypeRsa2048 PrivateKeyType = "rsa2048"
	// PrivateKeyTypeRsa3076 is a PrivateKeyType of type rsa3076.
	PrivateKeyTypeRsa3076 PrivateKeyType = "rsa3076"
	// PrivateKeyTypeRsa4096 is a PrivateKeyType of type rsa4096.
	PrivateKeyTypeRsa4096 PrivateKeyType = "rsa4096"
	// PrivateKeyTypeEcp256 is a PrivateKeyType of type ecp256.
	PrivateKeyTypeEcp256 PrivateKeyType = "ecp256"
	// PrivateKeyTypeEcp384 is a PrivateKeyType of type ecp384.
	PrivateKeyTypeEcp384 PrivateKeyType = "ecp384"
	// PrivateKeyTypeEcp521 is a PrivateKeyType of type ecp521.
	PrivateKeyTypeEcp521 PrivateKeyType = "ecp521"
)

func GetPrivateKeyType 

func GetPrivateKeyType(priv interface{}) (PrivateKeyType, error)

GetPrivateKeyType returns the type of private key according to the known types in this package, or an error if it does not match.

func ParsePrivateKeyType 

func ParsePrivateKeyType(name string) (PrivateKeyType, error)

ParsePrivateKeyType attempts to convert a string to a PrivateKeyType.

func (PrivateKeyType) IsValid 

func (x PrivateKeyType) IsValid() bool

IsValid provides a quick way to determine if the typed value is part of the allowed enumerated values

func (PrivateKeyType) String 

func (x PrivateKeyType) String() string

String implements the Stringer interface.

type SigningParameters 

type SigningParameters struct {
	SerialNumber int64
	NotBefore    time.Time
	NotAfter     time.Time
}

SigningParameters sets parameters determined by the authority signing

type X509ExtKeyUsage 

type X509ExtKeyUsage struct {
	x509.ExtKeyUsage
}

func (*X509ExtKeyUsage) UnmarshalText 

func (x *X509ExtKeyUsage) UnmarshalText(text []byte) (err error)

type X509KeyUsage 

type X509KeyUsage struct {
	x509.KeyUsage
}

func (*X509KeyUsage) UnmarshalText 

func (x *X509KeyUsage) UnmarshalText(text []byte) (err error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.