Documentation
Index ¶
- func ExportBundles(ctx context.Context, cfgs []BundleConfig, outDir string, db *DB, ...) error
- func FormatInspectResults(results []InspectResult, format string) (string, error)
- func FormatVerifyResult(r *VerifyResult) string
- func GenerateKey(algorithm string, bits int, curve string) (crypto.Signer, error)
- func LoadPasswordsFromFile(filename string) ([]string, error)
- func ParseLogLevel(level string) slog.Level
- func ProcessFile(path string, cfg *Config) error
- func ProcessPasswords(passwordList []string, passwordFile string) ([]string, error)
- func SetupLogger(level string)
- type BundleConfig
- type BundlesYAML
- type CSROptions
- type CSRResult
- type CertificateRecord
- type Config
- type DB
- func (db *DB) DumpDB() error
- func (db *DB) GetAllKeys() ([]KeyRecord, error)
- func (db *DB) GetCert(serial, aki string) (*CertificateRecord, error)
- func (db *DB) GetCertBySKID(skid string) (*CertificateRecord, error)
- func (db *DB) GetKey(skid string) (*KeyRecord, error)
- func (db *DB) GetScanSummary() (*ScanSummary, error)
- func (db *DB) InsertCertificate(cert CertificateRecord) error
- func (db *DB) InsertKey(key KeyRecord) error
- func (db *DB) ResolveAKIs() error
- type InspectResult
- type K8sMetadata
- type K8sSecret
- type KeyRecord
- type KeygenOptions
- type KeygenResult
- type ScanSummary
- type SubjectConfig
- type VerifyResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ExportBundles ¶
func ExportBundles(ctx context.Context, cfgs []BundleConfig, outDir string, db *DB, forceBundle bool, duplicates bool) error
ExportBundles iterates over all key records in the database, finds the matching certificate record, builds a certificate bundle using certkit.Bundle, and writes out the bundle files into a folder.
func FormatInspectResults ¶
func FormatInspectResults(results []InspectResult, format string) (string, error)
FormatInspectResults formats inspection results as text or JSON.
func FormatVerifyResult ¶
func FormatVerifyResult(r *VerifyResult) string
FormatVerifyResult formats a verify result as human-readable text.
func GenerateKey ¶
GenerateKey creates a new crypto.Signer based on algorithm, bits, and curve.
func LoadPasswordsFromFile ¶
LoadPasswordsFromFile loads passwords from a file, one password per line.
func ParseLogLevel ¶
ParseLogLevel converts a string log level name to a slog.Level. Recognized values: "debug", "info", "warning"/"warn", "error". Defaults to slog.LevelInfo for unrecognized values.
func ProcessFile ¶
ProcessFile reads a file (or stdin when cfg.InputPath is "-") and ingests any certificates, keys, or CSRs it contains into the database.
func ProcessPasswords ¶
ProcessPasswords handles all password loading logic for the given password list and password file.
func SetupLogger ¶
func SetupLogger(level string)
SetupLogger configures the default slog logger with the given level string.
Types ¶
type BundleConfig ¶
// BundleConfig represents one bundle configuration entry from the YAML file.
type BundleConfig struct {
	// CommonNames holds the certificate common names grouped into this bundle
	// (presumably matched against CertificateRecord.CommonName — confirm in ExportBundles).
	CommonNames []string `yaml:"commonNames"`
	// BundleName is the name the exported bundle is written under.
	BundleName string `yaml:"bundleName"`
	// Subject optionally overrides the X.509 subject fields for this bundle.
	// NOTE(review): nil looks like it should fall back to BundlesYAML.DefaultSubject — confirm in LoadBundleConfigs.
	Subject *SubjectConfig `yaml:"subject,omitempty"`
}
BundleConfig represents one bundle configuration entry from the YAML file.
func LoadBundleConfigs ¶
func LoadBundleConfigs(path string) ([]BundleConfig, error)
LoadBundleConfigs loads bundle configuration from the specified YAML file.
type BundlesYAML ¶
// BundlesYAML represents the full YAML structure with defaults and bundles.
type BundlesYAML struct {
	// DefaultSubject is the subject applied to bundles that do not set their own.
	DefaultSubject *SubjectConfig `yaml:"defaultSubject,omitempty"`
	// Bundles lists the individual bundle entries.
	Bundles []BundleConfig `yaml:"bundles"`
}
BundlesYAML represents the full YAML structure with defaults and bundles.
type CSROptions ¶
// CSROptions holds parameters for CSR generation from various sources.
// TemplatePath, CertPath and CSRPath are alternative template sources;
// NOTE(review): which one wins when several are set is not documented here — confirm in GenerateCSRFiles.
type CSROptions struct {
	TemplatePath string   // JSON template file
	CertPath     string   // PEM cert as template
	CSRPath      string   // PEM CSR as template
	KeyPath      string   // Existing key (PEM); when empty a new key is presumably generated from Algorithm/Bits/Curve
	Algorithm    string   // rsa, ecdsa, ed25519 (default: ecdsa)
	Bits         int      // RSA bits (default: 4096)
	Curve        string   // ECDSA curve (default: P-256)
	OutPath      string   // Output directory (default: ".")
	Passwords    []string // Passwords tried when the key at KeyPath is encrypted
}
CSROptions holds parameters for CSR generation from various sources.
type CSRResult ¶
CSRResult holds the paths of files generated by GenerateCSRFiles.
func GenerateCSRFiles ¶
func GenerateCSRFiles(opts CSROptions) (*CSRResult, error)
GenerateCSRFiles generates a CSR from the specified source and writes csr.pem and optionally key.pem to the output directory.
type CertificateRecord ¶
// CertificateRecord encodes a certificate and its metadata as stored in the database.
// The db tags name the backing columns.
type CertificateRecord struct {
	SerialNumber           string         `db:"serial_number"`
	SubjectKeyIdentifier   string         `db:"subject_key_identifier"`
	// AuthorityKeyIdentifier is initially the AKI embedded in the certificate; for
	// non-root certificates ResolveAKIs rewrites it to the issuer's computed RFC 7093 M1 SKI.
	AuthorityKeyIdentifier string         `db:"authority_key_identifier"`
	CertType               string         `db:"cert_type"`
	KeyType                string         `db:"key_type"`
	// Expiry is the certificate's NotAfter time.
	Expiry                 time.Time      `db:"expiry"`
	// PEM is the PEM-encoded certificate.
	PEM                    string         `db:"pem"`
	// NotBefore is a pointer, unlike Expiry — presumably the column is nullable; confirm against the schema.
	NotBefore              *time.Time     `db:"not_before"`
	MetadataJSON           types.JSONText `db:"metadata"`
	SANsJSON               types.JSONText `db:"sans"`
	// CommonName is nullable because not every certificate carries a CN.
	CommonName             sql.NullString `db:"common_name"`
	BundleName             string         `db:"bundle_name"`
}
CertificateRecord encodes a certificate and its metadata.
type Config ¶
// Config holds the runtime application configuration.
type Config struct {
	// InputPath is the file to ingest; "-" means stdin (see ProcessFile).
	InputPath string
	// Passwords are tried when an input contains encrypted key material.
	Passwords []string
	// DB is the open database that ingested records are written to.
	DB *DB
	// ExportBundles enables bundle export after ingestion.
	ExportBundles bool
	// ForceExport presumably maps to the forceBundle argument of ExportBundles — confirm at the call site.
	ForceExport bool
	// BundleConfigs are the bundle entries loaded by LoadBundleConfigs.
	BundleConfigs []BundleConfig
	// OutDir is the directory bundle files are written into.
	OutDir string
}
Config holds the runtime application configuration.
type DB ¶
DB represents the database connection.
func (*DB) GetAllKeys ¶
GetAllKeys returns all key records from the database.
func (*DB) GetCert ¶
func (db *DB) GetCert(serial, aki string) (*CertificateRecord, error)
GetCert returns the certificate record matching the given serial number and authority key identifier.
func (*DB) GetCertBySKID ¶
func (db *DB) GetCertBySKID(skid string) (*CertificateRecord, error)
GetCertBySKID returns the certificate record matching the given subject key identifier.
func (*DB) GetScanSummary ¶
func (db *DB) GetScanSummary() (*ScanSummary, error)
GetScanSummary queries the database for aggregate counts.
func (*DB) InsertCertificate ¶
func (db *DB) InsertCertificate(cert CertificateRecord) error
InsertCertificate inserts a new certificate record into the database.
func (*DB) ResolveAKIs ¶
ResolveAKIs updates non-root certificate AKIs to use the issuer's computed RFC 7093 M1 SKI. It builds a multi-hash lookup (RFC 7093 M1 + legacy SHA-1) from all CA certs, then for each non-root cert, matches its embedded AKI against any variant to find the issuer.
type InspectResult ¶
// InspectResult holds the inspection details for one object found in a file.
// Only Type is always emitted in JSON output; every other field is omitted when empty,
// so certificate-, key- and CSR-specific fields are populated only for that object kind.
type InspectResult struct {
	Type        string   `json:"type"`
	Subject     string   `json:"subject,omitempty"`
	Issuer      string   `json:"issuer,omitempty"`
	Serial      string   `json:"serial,omitempty"`
	NotBefore   string   `json:"not_before,omitempty"`
	NotAfter    string   `json:"not_after,omitempty"`
	CertType    string   `json:"cert_type,omitempty"`
	KeyAlgo     string   `json:"key_algorithm,omitempty"`
	KeySize     string   `json:"key_size,omitempty"`
	SANs        []string `json:"sans,omitempty"`
	// SHA256 is the certificate fingerprint to use for identity; SHA1 is reported for
	// compatibility with tools that still display it and is not collision resistant.
	SHA256      string   `json:"sha256_fingerprint,omitempty"`
	SHA1        string   `json:"sha1_fingerprint,omitempty"`
	SKID        string   `json:"subject_key_id,omitempty"`
	AKID        string   `json:"authority_key_id,omitempty"`
	SigAlg      string   `json:"signature_algorithm,omitempty"`
	KeyType     string   `json:"key_type,omitempty"`
	CSRSubject  string   `json:"csr_subject,omitempty"`
	CSRDNSNames []string `json:"csr_dns_names,omitempty"`
}
InspectResult holds the inspection details for a file.
func InspectFile ¶
func InspectFile(path string, passwords []string) ([]InspectResult, error)
InspectFile reads a file and returns inspection results for all objects found.
type K8sMetadata ¶
// K8sMetadata represents the subset of Kubernetes resource metadata emitted for a secret.
type K8sMetadata struct {
	Name        string            `yaml:"name"`
	Annotations map[string]string `yaml:"annotations,omitempty"`
}
K8sMetadata represents Kubernetes resource metadata.
type K8sSecret ¶
// K8sSecret represents a Kubernetes TLS secret manifest.
type K8sSecret struct {
	APIVersion string            `yaml:"apiVersion"`
	Kind       string            `yaml:"kind"`
	// Type is the secret type; for a TLS secret the Kubernetes API expects "kubernetes.io/tls".
	Type       string            `yaml:"type"`
	Metadata   K8sMetadata       `yaml:"metadata"`
	// Data holds the secret entries. NOTE(review): the Kubernetes Secret API requires values under
	// data to be base64-encoded — confirm the writer encodes them (or uses stringData instead).
	// These values carry private key material, so the rendered manifest must be handled as a secret.
	Data       map[string]string `yaml:"data"`
}
K8sSecret represents a Kubernetes TLS secret.
type KeyRecord ¶
// KeyRecord encodes a key and its metadata as stored in the database.
// The db tags name the backing columns.
type KeyRecord struct {
	// SubjectKeyIdentifier links the key to CertificateRecord.SubjectKeyIdentifier (see GetCertBySKID).
	SubjectKeyIdentifier string `db:"subject_key_identifier"`
	KeyType              string `db:"key_type"`
	BitLength            int    `db:"bit_length"`
	// PublicExponent and Modulus are RSA-specific; Curve is ECDSA-specific — presumably the
	// irrelevant fields are left zero for other key types; confirm in InsertKey.
	PublicExponent       int    `db:"public_exponent"`
	Modulus              string `db:"modulus"`
	Curve                string `db:"curve"`
	// KeyData is the private key material. NOTE(review): its encoding and whether it is
	// protected at rest are not established here — confirm before treating the database as non-sensitive.
	KeyData              []byte `db:"key_data"`
}
KeyRecord encodes a key and its metadata.
type KeygenOptions ¶
// KeygenOptions holds parameters for key and CSR generation (see GenerateKeyFiles).
type KeygenOptions struct {
	Algorithm string   // key algorithm name, as accepted by GenerateKey
	Bits      int      // RSA key size in bits
	Curve     string   // ECDSA curve name
	OutPath   string   // directory the generated files are written to
	CN        string   // CSR common name; presumably no CSR is generated when empty — confirm in GenerateKeyFiles
	SANs      []string // CSR subject alternative names
}
KeygenOptions holds parameters for key and CSR generation.
type KeygenResult ¶
// KeygenResult holds the paths of files generated by GenerateKeyFiles.
type KeygenResult struct {
	KeyFile string // private key file
	PubFile string // public key file
	CSRFile string // empty if no CSR generated
}
KeygenResult holds the paths of files generated by GenerateKeyFiles.
func GenerateKeyFiles ¶
func GenerateKeyFiles(opts KeygenOptions) (*KeygenResult, error)
GenerateKeyFiles generates a key pair and optionally a CSR, writing them to the output path.
type ScanSummary ¶
// ScanSummary holds aggregate counts from a scan, as returned by GetScanSummary.
type ScanSummary struct {
	Roots         int // certificates classified as root CAs
	Intermediates int // certificates classified as intermediate CAs
	Leaves        int // end-entity certificates
	Keys          int // key records in the database
	Matched       int // keys that have a matching certificate
}
ScanSummary holds aggregate counts from a scan.
type SubjectConfig ¶
// SubjectConfig represents the X.509 subject fields for certificates.
// Each field is a list because the corresponding distinguished-name attribute may repeat.
type SubjectConfig struct {
	Country            []string `yaml:"country,omitempty"`            // C
	Province           []string `yaml:"province,omitempty"`           // ST
	Locality           []string `yaml:"locality,omitempty"`           // L
	Organization       []string `yaml:"organization,omitempty"`       // O
	OrganizationalUnit []string `yaml:"organizationalUnit,omitempty"` // OU
}
SubjectConfig represents the X.509 subject fields for certificates.
type VerifyResult ¶
// VerifyResult holds the results of certificate verification checks.
// The *bool fields are tri-state: presumably nil means the check was not run,
// while the accompanying *Err/Info string explains a false result — confirm in the verifier.
type VerifyResult struct {
	KeyMatch    *bool    `json:"key_match,omitempty"`
	KeyMatchErr string   `json:"key_match_error,omitempty"`
	ChainValid  *bool    `json:"chain_valid,omitempty"`
	ChainErr    string   `json:"chain_error,omitempty"`
	// Expiry is serialised as "expires_within": true means the certificate expires inside
	// the checked window, which reads opposite to the other pass/fail booleans.
	Expiry      *bool    `json:"expires_within,omitempty"`
	ExpiryInfo  string   `json:"expiry_info,omitempty"`
	// Subject and NotAfter are always emitted, even when empty.
	Subject     string   `json:"subject"`
	NotAfter    string   `json:"not_after"`
	Errors      []string `json:"errors,omitempty"`
}
VerifyResult holds the results of certificate verification checks.