Documentation
¶
Index ¶
- func ArchiveFormat(path string) string
- func AssignBundleNames(store *certstore.MemStore, configs []BundleConfig)
- func ExportBundles(ctx context.Context, cfgs []BundleConfig, outDir string, ...) error
- func FormatInspectResults(results []InspectResult, format string) (string, error)
- func FormatVerifyResult(r *VerifyResult) string
- func GenerateKey(algorithm string, bits int, curve string) (crypto.Signer, error)
- func IsArchive(path string) bool
- func IsSkippableDir(name string) bool
- func LoadPasswordsFromFile(filename string) ([]string, error)
- func ParseLogLevel(level string) slog.Level
- func ProcessArchive(input ProcessArchiveInput) (int, error)
- func ProcessData(data []byte, virtualPath string, store *certstore.MemStore, passwords []string) error
- func ProcessFile(path string, store *certstore.MemStore, passwords []string) error
- func ProcessPasswords(passwordList []string, passwordFile string) ([]string, error)
- func SetupLogger(level string)
- type ArchiveLimits
- type BundleConfig
- type BundlesYAML
- type CSROptions
- type CSRResult
- type ChainCert
- type ContainerContents
- type InspectResult
- type K8sMetadata
- type K8sSecret
- type KeygenOptions
- type KeygenResult
- type ProcessArchiveInput
- type SubjectConfig
- type VerifyInput
- type VerifyResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ArchiveFormat ¶ added in v0.6.0
ArchiveFormat returns the archive format for the given path based on its extension, or "" if the path is not a recognized archive. Handles compound extensions like ".tar.gz" before checking single extensions.
func AssignBundleNames ¶ added in v0.7.0
func AssignBundleNames(store *certstore.MemStore, configs []BundleConfig)
AssignBundleNames iterates all certificates in the store and assigns bundle names based on the provided bundle configurations. Call this after ingestion is complete to avoid per-cert overhead during scanning.
func ExportBundles ¶
func ExportBundles(ctx context.Context, cfgs []BundleConfig, outDir string, store *certstore.MemStore, forceBundle bool, duplicates bool) error
ExportBundles iterates over bundle names in the store, finds matching certificates and keys, builds certificate bundles, and writes output files.
func FormatInspectResults ¶
func FormatInspectResults(results []InspectResult, format string) (string, error)
FormatInspectResults formats inspection results as text or JSON.
func FormatVerifyResult ¶
func FormatVerifyResult(r *VerifyResult) string
FormatVerifyResult formats a verify result as human-readable text.
func GenerateKey ¶
GenerateKey creates a new crypto.Signer based on algorithm, bits, and curve.
func IsArchive ¶ added in v0.6.0
IsArchive reports whether the given path has a recognized archive extension.
func IsSkippableDir ¶ added in v0.6.0
IsSkippableDir reports whether the given directory name should be skipped during scanning because it cannot contain useful certificate or key files.
func LoadPasswordsFromFile ¶
LoadPasswordsFromFile loads passwords from a file, one password per line.
func ParseLogLevel ¶
ParseLogLevel converts a string log level name to a slog.Level. Recognized values: "debug", "info", "warning"/"warn", "error". Defaults to slog.LevelInfo for unrecognized values.
func ProcessArchive ¶ added in v0.6.0
func ProcessArchive(input ProcessArchiveInput) (int, error)
ProcessArchive extracts entries from an archive and processes each one for certificates, keys, and CSRs. Returns the number of entries processed and any error. Archives inside archives are not recursed into (depth 1 only).
func ProcessData ¶ added in v0.6.0
func ProcessData(data []byte, virtualPath string, store *certstore.MemStore, passwords []string) error
ProcessData ingests certificates, keys, or CSRs from in-memory data. The virtualPath identifies the data source for logging (may be a real path or a synthetic path like "archive.zip:certs/server.pem"). All certificates are ingested regardless of expiry — expired filtering is an output concern.
func ProcessFile ¶
ProcessFile reads a file (or stdin when path is "-") and ingests any certificates, keys, or CSRs it contains into the store.
func ProcessPasswords ¶
ProcessPasswords loads passwords from CLI flags and optional file, merges with defaults, and deduplicates. Delegates core logic to certkit.DeduplicatePasswords.
func SetupLogger ¶
func SetupLogger(level string)
SetupLogger configures the default slog logger with the given level string.
Types ¶
type ArchiveLimits ¶ added in v0.6.0
type ArchiveLimits struct {
// MaxDecompressionRatio is the maximum allowed ratio of uncompressed to
// compressed size for a single ZIP entry. TAR entries are not ratio-checked
// because TAR stores uncompressed data. A ratio of 100 means a 1KB
// compressed entry may decompress to at most 100KB.
MaxDecompressionRatio int64
// MaxTotalSize is the maximum total bytes that may be extracted from a
// single archive across all entries.
MaxTotalSize int64
// MaxEntryCount is the maximum number of entries that will be processed
// from a single archive. Legitimate certificate archives rarely exceed
// a few hundred entries.
MaxEntryCount int
// MaxEntrySize is the maximum allowed size of a single decompressed entry.
// Entries exceeding this are skipped. Typically set from --max-file-size.
MaxEntrySize int64
}
ArchiveLimits controls zip bomb protection thresholds.
func DefaultArchiveLimits ¶ added in v0.6.0
func DefaultArchiveLimits() ArchiveLimits
DefaultArchiveLimits returns conservative defaults for archive extraction.
type BundleConfig ¶
type BundleConfig struct {
CommonNames []string `yaml:"commonNames"`
BundleName string `yaml:"bundleName"`
Subject *SubjectConfig `yaml:"subject,omitempty"`
}
BundleConfig represents one bundle configuration entry from the YAML file.
func LoadBundleConfigs ¶
func LoadBundleConfigs(path string) ([]BundleConfig, error)
LoadBundleConfigs loads bundle configuration from the specified YAML file.
type BundlesYAML ¶
type BundlesYAML struct {
DefaultSubject *SubjectConfig `yaml:"defaultSubject,omitempty"`
Bundles []BundleConfig `yaml:"bundles"`
}
BundlesYAML represents the full YAML structure with defaults and bundles
type CSROptions ¶
type CSROptions struct {
TemplatePath string // JSON template file
CertPath string // PEM cert as template
CSRPath string // PEM CSR as template
KeyPath string // Existing key (PEM)
Algorithm string // rsa, ecdsa, ed25519 (default: ecdsa)
Bits int // RSA bits (default: 4096)
Curve string // ECDSA curve (default: P-256)
OutPath string // Output directory (default: ".")
Passwords []string // Passwords for encrypted keys
}
CSROptions holds parameters for CSR generation from various sources.
type CSRResult ¶
type CSRResult struct {
CSRPEM string
KeyPEM string // empty if existing key was provided
CSRFile string // empty in stdout mode
KeyFile string // empty in stdout mode
}
CSRResult holds the PEM output and optional file paths from GenerateCSRFiles. When OutPath is empty, only PEM fields are populated (stdout mode). When OutPath is set, files are written and file path fields are populated.
func GenerateCSRFiles ¶
func GenerateCSRFiles(opts CSROptions) (*CSRResult, error)
GenerateCSRFiles generates a CSR from the specified source and writes csr.pem and optionally key.pem to the output directory.
type ChainCert ¶ added in v0.3.5
type ChainCert struct {
Subject string `json:"subject"`
Expiry string `json:"expiry"`
SKI string `json:"subject_key_id,omitempty"`
IsRoot bool `json:"is_root,omitempty"`
}
ChainCert holds display information for one certificate in the chain.
type ContainerContents ¶ added in v0.3.4
type ContainerContents = certstore.ContainerContents
ContainerContents is an alias for certstore.ContainerContents.
func LoadContainerFile ¶ added in v0.3.4
func LoadContainerFile(path string, passwords []string) (*ContainerContents, error)
LoadContainerFile reads a file and attempts to parse it as PKCS#12, JKS, PKCS#7, PEM, or DER. Returns the leaf certificate, optional private key, and any extra certificates (intermediates/CA certs).
type InspectResult ¶
type InspectResult struct {
Type string `json:"type"`
Subject string `json:"subject,omitempty"`
Issuer string `json:"issuer,omitempty"`
Serial string `json:"serial,omitempty"`
NotBefore string `json:"not_before,omitempty"`
NotAfter string `json:"not_after,omitempty"`
CertType string `json:"cert_type,omitempty"`
KeyAlgo string `json:"key_algorithm,omitempty"`
KeySize string `json:"key_size,omitempty"`
SANs []string `json:"sans,omitempty"`
SHA256 string `json:"sha256_fingerprint,omitempty"`
SHA1 string `json:"sha1_fingerprint,omitempty"`
SKI string `json:"subject_key_id,omitempty"`
SKILegacy string `json:"subject_key_id_sha1,omitempty"`
AKI string `json:"authority_key_id,omitempty"`
SigAlg string `json:"signature_algorithm,omitempty"`
KeyType string `json:"key_type,omitempty"`
CSRSubject string `json:"csr_subject,omitempty"`
CSRDNSNames []string `json:"csr_dns_names,omitempty"`
}
InspectResult holds the inspection details for a file.
func InspectFile ¶
func InspectFile(path string, passwords []string) ([]InspectResult, error)
InspectFile reads a file and returns inspection results for all objects found.
type K8sMetadata ¶
type K8sMetadata = certstore.K8sMetadata
K8sMetadata is an alias for certstore.K8sMetadata.
type KeygenOptions ¶
type KeygenOptions struct {
Algorithm string
Bits int
Curve string
OutPath string
CN string
SANs []string
}
KeygenOptions holds parameters for key and CSR generation.
type KeygenResult ¶
type KeygenResult struct {
KeyPEM string
PubPEM string
CSRPEM string // empty if no CSR generated
KeyFile string // empty in stdout mode
PubFile string // empty in stdout mode
CSRFile string // empty in stdout mode
}
KeygenResult holds the PEM output and optional file paths from GenerateKeyFiles. When OutPath is empty, only PEM fields are populated (stdout mode). When OutPath is set, files are written and file path fields are populated.
func GenerateKeyFiles ¶
func GenerateKeyFiles(opts KeygenOptions) (*KeygenResult, error)
GenerateKeyFiles generates a key pair and optionally a CSR, writing them to the output path.
type ProcessArchiveInput ¶ added in v0.6.0
type ProcessArchiveInput struct {
ArchivePath string
Data []byte
Format string
Limits ArchiveLimits
Store *certstore.MemStore
Passwords []string
}
ProcessArchiveInput holds the parameters for archive processing.
type SubjectConfig ¶
type SubjectConfig struct {
Country []string `yaml:"country,omitempty"` // C
Province []string `yaml:"province,omitempty"` // ST
Locality []string `yaml:"locality,omitempty"` // L
Organization []string `yaml:"organization,omitempty"` // O
OrganizationalUnit []string `yaml:"organizationalUnit,omitempty"` // OU
}
SubjectConfig represents the X.509 subject fields for certificates
type VerifyInput ¶ added in v0.3.4
type VerifyInput struct {
Cert *x509.Certificate
Key crypto.PrivateKey
ExtraCerts []*x509.Certificate
CustomRoots []*x509.Certificate
CheckKeyMatch bool
CheckChain bool
ExpiryDuration time.Duration
TrustStore string
}
VerifyInput holds the parsed certificate data and verification options.
type VerifyResult ¶
type VerifyResult struct {
Subject string `json:"subject"`
SANs []string `json:"sans,omitempty"`
NotAfter string `json:"not_after"`
SKI string `json:"subject_key_id,omitempty"`
KeyMatch *bool `json:"key_match,omitempty"`
KeyMatchErr string `json:"key_match_error,omitempty"`
KeyInfo string `json:"key_info,omitempty"`
ChainValid *bool `json:"chain_valid,omitempty"`
ChainErr string `json:"chain_error,omitempty"`
Chain []ChainCert `json:"chain,omitempty"`
Expiry *bool `json:"expires_within,omitempty"`
ExpiryInfo string `json:"expiry_info,omitempty"`
Errors []string `json:"errors,omitempty"`
}
VerifyResult holds the results of certificate verification checks.
func VerifyCert ¶
func VerifyCert(ctx context.Context, input *VerifyInput) (*VerifyResult, error)
VerifyCert verifies a certificate with optional key matching, chain validation, and expiry checking.
Source Files
Directories