certs

package
v0.0.0-...-79974a9
Published: Jan 16, 2026 License: MIT Imports: 15 Imported by: 0

Documentation

Overview

Package certs manages certificates for testing.

Package certs provides functions to load CA and client certificates for use by the protocol binding in the Consumed Thing factory or by other clients.

Index

Constants

const (
	// OUAdmin lets a client approve Thing provisioning (postOOB) and add and remove users
	// Provision API permissions: GetDirectory, ProvisionRequest, GetStatus, PostOOB
	OUAdmin = "admin"

	// OUNone is the default OU with no API access permissions
	OUNone = "unauth"

	// OUUser for consumers with mutual authentication
	OUUser = "user"

	// OUIoTDevice for IoT devices with mutual authentication
	OUIoTDevice = "device"

	// OUService for Hub services with mutual authentication
	// By default, services have access to other services
	// Provision API permissions: Any
	OUService = "service"
)

Certificate Organizational Unit values used for client-certificate-based authorization.

const CertOrgLocality = "HiveOT zone"
const CertOrgName = "HiveOT"
const DefaultCaCertFile = "caCert.pem"
const DefaultCaKeyFile = "caKey.pem"
const DefaultClientCertValidityDays = 366

DefaultClientCertValidityDays is the default validity, in days, of generated client certificates.

const DefaultServerCertValidityDays = 100

DefaultServerCertValidityDays is the default validity, in days, of generated service certificates.

const ServerAddress = "127.0.0.1"
const TestClientID = "client1"
const TestServerID = "server1"

Variables

This section is empty.

Functions

func CreateCA

func CreateCA(cn string, validityDays int) (cert *x509.Certificate, key keys.IHiveKey, err error)

CreateCA creates a CA certificate with a private key for self-signed server certificates. Browsers don't support ed25519 keys, so ecdsa is used for the certificate. Source: https://shaneutt.com/blog/golang-ca-and-signed-cert-go/

func CreateClientCert

func CreateClientCert(cn string, ou string, validityDays int, pubKey keys.IHiveKey,
	caCert *x509.Certificate, caKeys keys.IHiveKey) (cert *x509.Certificate, err error)

CreateClientCert generates an x509 client certificate for the given public key, signed by the CA. Intended for testing, not for production.

* cn is the certificate common name, usually the client ID
* ou is the organizational unit of the certificate
* validityDays is the duration the cert is valid for
* pubKey is the owner's public key for this certificate
* caCert is the CA certificate used to sign the certificate
* caKeys is the signing CA's key pair

func CreateServerCert

func CreateServerCert(
	serverID string, ou string, validityDays int,
	serverKey keys.IHiveKey, names []string,
	caCert *x509.Certificate, caKey keys.IHiveKey) (
	x509Cert *x509.Certificate, err error)

CreateServerCert creates a server certificate, signed by the given CA, for use in hiveot services.

The provided x509 certificate can be converted to a PEM text with:

  certPEM = certs.X509CertToPEM(cert)

* serverID is the unique service ID used as the CN, for example hostname-serviceName
* ou is the organizational unit of the certificate
* validityDays is the duration the cert is valid for. Use 0 for the default.
* serverKey contains the server's public key (use ecdsa keys for browser certificates)
* names are the SAN names to include in the certificate; localhost and 127.0.0.1 are always added
* caCert is the CA certificate used to sign the certificate
* caKey is the CA private key used to sign the certificate

func LoadTLSCertFromPEM

func LoadTLSCertFromPEM(certPEMPath, keyPEMPath string) (cert *tls.Certificate, err error)

LoadTLSCertFromPEM loads the TLS certificate from PEM formatted files. A TLS certificate is a container for both the X509 certificate and the private key.

Intended to load the certificate and key for servers, or for clients such as IoT devices that use client certificate authentication. The idprov service issues this type of certificate during IoT device provisioning.

This is simply a wrapper around tls.LoadX509KeyPair. See also SaveTLSCertToPEM.

If loading fails, this returns a nil certificate pointer.

func LoadX509CertFromPEM

func LoadX509CertFromPEM(pemPath string) (cert *x509.Certificate, err error)

LoadX509CertFromPEM loads the x509 certificate from a PEM file format.

Intended to load the CA certificate to validate server and broker.

pemPath is the full path to the X509 PEM file.

func PublicKeyFromCert

func PublicKeyFromCert(cert *x509.Certificate) *ecdsa.PublicKey

PublicKeyFromCert extracts an ECDSA public key from an x509 certificate. Returns nil if the certificate doesn't hold an ECDSA public key.

func SaveTLSCertToPEM

func SaveTLSCertToPEM(cert *tls.Certificate, certPEMPath, keyPEMPath string) error

SaveTLSCertToPEM saves the x509 certificate and private key to separate files in PEM format

Intended for saving a certificate received from provisioning or created for testing.

* cert is the obtained TLS certificate whose parts to save
* certPEMPath is the file to save the X509 certificate to in PEM format
* keyPEMPath is the file to save the private key to in PEM format

func SaveX509CertToPEM

func SaveX509CertToPEM(cert *x509.Certificate, pemPath string) error

SaveX509CertToPEM saves the x509 certificate to file in PEM format. Clients that receive a client certificate from provisioning can use this to save the provided certificate to file.

func VerifyCert

func VerifyCert(certPEM string, caCert *x509.Certificate) (string, error)

VerifyCert verifies whether the given certificate is a valid client certificate. This returns the certificate CN as the clientID.

func X509CertFromPEM

func X509CertFromPEM(certPEM string) (*x509.Certificate, error)

X509CertFromPEM converts an X509 certificate in PEM format to an X509 instance.

func X509CertToPEM

func X509CertToPEM(cert *x509.Certificate) string

X509CertToPEM converts the x509 certificate to PEM format.

func X509CertToTLS

func X509CertToTLS(cert *x509.Certificate, privKey keys.IHiveKey) *tls.Certificate

X509CertToTLS combines an x509 certificate and private key into a TLS certificate.

Types

type TestCertBundle

type TestCertBundle struct {
	CaCert *x509.Certificate
	CaKey  keys.IHiveKey

	// server certificate
	ServerAddr string
	ServerKey  keys.IHiveKey
	ServerCert *tls.Certificate

	// client cert auth
	ClientKey  keys.IHiveKey
	ClientCert *tls.Certificate
}

TestCertBundle holds a set of CA, server and client certificates intended for testing.

func CreateTestCertBundle

func CreateTestCertBundle() TestCertBundle

CreateTestCertBundle creates a bundle of CA, server and client certificates and keys for testing. The server cert is valid for 127.0.0.1, localhost and os.Hostname.
