Index ¶
- func ExportBundles(ctx context.Context, cfgs []BundleConfig, outDir string, db *DB, ...) error
- func FormatInspectResults(results []InspectResult, format string) (string, error)
- func FormatVerifyResult(r *VerifyResult) string
- func GenerateKey(algorithm string, bits int, curve string) (crypto.Signer, error)
- func LoadPasswordsFromFile(filename string) ([]string, error)
- func ParseLogLevel(level string) slog.Level
- func ProcessFile(path string, cfg *Config) error
- func ProcessPasswords(passwordList []string, passwordFile string) ([]string, error)
- func SetupLogger(level string)
- type BundleConfig
- type BundlesYAML
- type CSROptions
- type CSRResult
- type CertificateRecord
- type ChainCert
- type Config
- type ContainerContents
- type DB
- func (db *DB) DumpDB() error
- func (db *DB) GetAllCerts() ([]CertificateRecord, error)
- func (db *DB) GetAllKeys() ([]KeyRecord, error)
- func (db *DB) GetCert(serial, aki string) (*CertificateRecord, error)
- func (db *DB) GetCertBySKI(ski string) (*CertificateRecord, error)
- func (db *DB) GetKey(ski string) (*KeyRecord, error)
- func (db *DB) GetScanSummary() (*ScanSummary, error)
- func (db *DB) InsertCertificate(cert CertificateRecord) error
- func (db *DB) InsertKey(key KeyRecord) error
- func (db *DB) ResolveAKIs() error
- type InspectResult
- type K8sMetadata
- type K8sSecret
- type KeyRecord
- type KeygenOptions
- type KeygenResult
- type ScanSummary
- type SubjectConfig
- type VerifyInput
- type VerifyResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ExportBundles ¶
func ExportBundles(ctx context.Context, cfgs []BundleConfig, outDir string, db *DB, forceBundle bool, duplicates bool) error
ExportBundles iterates over all key records in the database, finds the matching certificate record, builds a certificate bundle using certkit.Bundle, and writes out the bundle files into a folder.
func FormatInspectResults ¶
func FormatInspectResults(results []InspectResult, format string) (string, error)
FormatInspectResults formats inspection results as text or JSON.
func FormatVerifyResult ¶
func FormatVerifyResult(r *VerifyResult) string
FormatVerifyResult formats a verify result as human-readable text.
func GenerateKey ¶
GenerateKey creates a new crypto.Signer based on algorithm, bits, and curve.
func LoadPasswordsFromFile ¶
LoadPasswordsFromFile loads passwords from a file, one password per line.
func ParseLogLevel ¶
ParseLogLevel converts a string log level name to a slog.Level. Recognized values: "debug", "info", "warning"/"warn", "error". Defaults to slog.LevelInfo for unrecognized values.
func ProcessFile ¶
ProcessFile reads a file (or stdin when cfg.InputPath is "-") and ingests any certificates, keys, or CSRs it contains into the database.
func ProcessPasswords ¶
ProcessPasswords handles all password-loading logic.
func SetupLogger ¶
func SetupLogger(level string)
SetupLogger configures the default slog logger with the given level string.
Types ¶
type BundleConfig ¶
// BundleConfig is one entry of the bundles YAML file read by LoadBundleConfigs
// and consumed by ExportBundles.
type BundleConfig struct {
	// CommonNames presumably selects, by subject CN, the certificates that
	// belong to this bundle — confirm against ExportBundles.
	CommonNames []string `yaml:"commonNames"`
	// BundleName names the bundle; it appears to be the value stored in
	// CertificateRecord.BundleName — confirm.
	BundleName string `yaml:"bundleName"`
	// Subject is an optional per-bundle subject. When nil, BundlesYAML.DefaultSubject
	// is presumably used instead — confirm.
	Subject *SubjectConfig `yaml:"subject,omitempty"`
}
BundleConfig represents one bundle configuration entry from the YAML file.
func LoadBundleConfigs ¶
func LoadBundleConfigs(path string) ([]BundleConfig, error)
LoadBundleConfigs loads bundle configuration from the specified YAML file.
type BundlesYAML ¶
// BundlesYAML is the top-level document of the bundles YAML file: an optional
// default subject plus the list of bundle entries.
type BundlesYAML struct {
	// DefaultSubject, when present, presumably applies to every bundle that
	// sets no Subject of its own — confirm.
	DefaultSubject *SubjectConfig `yaml:"defaultSubject,omitempty"`
	// Bundles lists the individual bundle entries.
	Bundles []BundleConfig `yaml:"bundles"`
}
BundlesYAML represents the full YAML structure with defaults and bundles.
type CSROptions ¶
// CSROptions holds parameters for CSR generation from various sources
// (GenerateCSRFiles). Which of TemplatePath, CertPath and CSRPath takes
// precedence when several are set is not visible here — check GenerateCSRFiles.
// NOTE(review): the OutPath default below says "." while CSRResult documents an
// empty OutPath as stdout mode; confirm which applies before relying on either.
type CSROptions struct {
	TemplatePath string   // JSON template file
	CertPath     string   // PEM cert as template
	CSRPath      string   // PEM CSR as template
	KeyPath      string   // Existing key (PEM); when empty a new key is presumably generated — confirm
	Algorithm    string   // rsa, ecdsa, ed25519 (default: ecdsa)
	Bits         int      // RSA bits (default: 4096)
	Curve        string   // ECDSA curve (default: P-256)
	OutPath      string   // Output directory (default: "."); see CSRResult for the stdout case
	Passwords    []string // Passwords for encrypted keys; held in plaintext in process memory
}
CSROptions holds parameters for CSR generation from various sources.
type CSRResult ¶
// CSRResult holds the PEM output and optional file paths from GenerateCSRFiles.
// With an empty CSROptions.OutPath only the PEM fields are set (stdout mode);
// otherwise the files are written and the *File fields hold their paths.
type CSRResult struct {
	CSRPEM  string // PEM-encoded CSR
	KeyPEM  string // empty if existing key was provided; otherwise the newly generated private key — handle as sensitive
	CSRFile string // empty in stdout mode
	KeyFile string // empty in stdout mode
}
CSRResult holds the PEM output and optional file paths from GenerateCSRFiles. When OutPath is empty, only PEM fields are populated (stdout mode). When OutPath is set, files are written and file path fields are populated.
func GenerateCSRFiles ¶
func GenerateCSRFiles(opts CSROptions) (*CSRResult, error)
GenerateCSRFiles generates a CSR from the specified source and writes csr.pem and optionally key.pem to the output directory.
type CertificateRecord ¶
// CertificateRecord encodes a certificate and its metadata as stored in the
// database; the db tags name the columns.
type CertificateRecord struct {
	SerialNumber string `db:"serial_number"`
	// SubjectKeyIdentifier: ResolveAKIs matches issuers by both the RFC 7093 M1
	// and the legacy SHA-1 SKI; which variant is stored here is not visible — confirm.
	SubjectKeyIdentifier string `db:"subject_key_identifier"`
	// AuthorityKeyIdentifier is rewritten by ResolveAKIs to the issuer's computed
	// RFC 7093 M1 SKI for non-root certificates.
	AuthorityKeyIdentifier string         `db:"authority_key_identifier"`
	CertType               string         `db:"cert_type"` // presumably root/intermediate/leaf (cf. ScanSummary) — confirm the value set
	KeyType                string         `db:"key_type"`
	Expiry                 time.Time      `db:"expiry"` // presumably the certificate's NotAfter; not nullable
	PEM                    string         `db:"pem"`
	NotBefore              *time.Time     `db:"not_before"` // nil when not set
	MetadataJSON           types.JSONText `db:"metadata"`   // JSON blob; schema not visible here
	SANsJSON               types.JSONText `db:"sans"`       // JSON blob; presumably the SAN list — confirm
	CommonName             sql.NullString `db:"common_name"` // may be NULL, presumably when the subject has no CN
	BundleName             string         `db:"bundle_name"` // see BundleConfig.BundleName
}
CertificateRecord encodes a certificate and its metadata.
type ChainCert ¶ added in v0.3.5
ChainCert holds display information for one certificate in the chain.
type Config ¶
// Config holds the runtime application configuration consumed by ProcessFile.
type Config struct {
	InputPath      string         // file to ingest; "-" reads stdin (see ProcessFile)
	Passwords      []string       // candidate passwords for encrypted containers/keys; plaintext in memory
	DB             *DB            // destination database
	ExportBundles  bool           // presumably enables ExportBundles after ingestion — confirm
	ForceExport    bool           // presumably maps to ExportBundles' forceBundle argument — confirm
	BundleConfigs  []BundleConfig // bundle definitions, e.g. from LoadBundleConfigs
	OutDir         string         // output folder for exported bundles (ExportBundles' outDir)
	IncludeExpired bool           // NOTE(review): whether this affects ingestion or export of expired certs is not visible here — confirm
}
Config holds the runtime application configuration.
type ContainerContents ¶ added in v0.3.4
// ContainerContents holds the parsed contents of a certificate container file
// (see LoadContainerFile and ParseContainerData). Parsing does not validate
// anything; chain validation is VerifyCert's job.
type ContainerContents struct {
	Leaf       *x509.Certificate   // the end-entity certificate
	Key        crypto.PrivateKey   // optional; nil when the container carried no private key
	ExtraCerts []*x509.Certificate // any extra certificates (intermediates/CA certs)
}
ContainerContents holds the parsed contents of a certificate container file.
func LoadContainerFile ¶ added in v0.3.4
func LoadContainerFile(path string, passwords []string) (*ContainerContents, error)
LoadContainerFile reads a file and attempts to parse it as PKCS#12, JKS, PKCS#7, PEM, or DER. Returns the leaf certificate, optional private key, and any extra certificates (intermediates/CA certs).
func ParseContainerData ¶ added in v0.3.4
func ParseContainerData(data []byte, passwords []string) (*ContainerContents, error)
ParseContainerData attempts to parse raw data as PKCS#12, JKS, PKCS#7, PEM, or DER. Returns the leaf certificate, optional private key, and any extra certificates.
type DB ¶
DB represents the database connection.
func (*DB) GetAllCerts ¶ added in v0.3.0
func (db *DB) GetAllCerts() ([]CertificateRecord, error)
GetAllCerts returns all certificate records from the database.
func (*DB) GetAllKeys ¶
GetAllKeys returns all key records from the database.
func (*DB) GetCert ¶
func (db *DB) GetCert(serial, aki string) (*CertificateRecord, error)
GetCert returns the certificate record matching the given serial number and authority key identifier.
func (*DB) GetCertBySKI ¶ added in v0.2.1
func (db *DB) GetCertBySKI(ski string) (*CertificateRecord, error)
GetCertBySKI returns the certificate record matching the given subject key identifier.
func (*DB) GetScanSummary ¶
func (db *DB) GetScanSummary() (*ScanSummary, error)
GetScanSummary queries the database for aggregate counts.
func (*DB) InsertCertificate ¶
func (db *DB) InsertCertificate(cert CertificateRecord) error
InsertCertificate inserts a new certificate record into the database.
func (*DB) ResolveAKIs ¶
ResolveAKIs updates non-root certificate AKIs to use the issuer's computed RFC 7093 M1 SKI. It builds a multi-hash lookup (RFC 7093 M1 + legacy SHA-1) from all CA certs, then for each non-root cert, matches its embedded AKI against any variant to find the issuer.
type InspectResult ¶
// InspectResult holds the inspection details for one object found in a file
// (see InspectFile); FormatInspectResults renders it as text or JSON, and the
// json tags name the JSON keys. Fields that do not apply to an object's Type
// stay empty and are omitted from the JSON output.
type InspectResult struct {
	Type        string   `json:"type"` // kind of object; the value set is not visible here
	Subject     string   `json:"subject,omitempty"`
	Issuer      string   `json:"issuer,omitempty"`
	Serial      string   `json:"serial,omitempty"`
	NotBefore   string   `json:"not_before,omitempty"` // already formatted; layout not visible here
	NotAfter    string   `json:"not_after,omitempty"`
	CertType    string   `json:"cert_type,omitempty"`
	KeyAlgo     string   `json:"key_algorithm,omitempty"`
	KeySize     string   `json:"key_size,omitempty"`
	SANs        []string `json:"sans,omitempty"`
	SHA256      string   `json:"sha256_fingerprint,omitempty"` // certificate fingerprint
	SHA1        string   `json:"sha1_fingerprint,omitempty"`   // legacy fingerprint for matching against older tooling; SHA-1 is not collision-resistant
	SKI         string   `json:"subject_key_id,omitempty"`     // presumably the RFC 7093 M1 form (cf. ResolveAKIs) — confirm
	SKILegacy   string   `json:"subject_key_id_sha1,omitempty"` // legacy SHA-1 SKI
	AKI         string   `json:"authority_key_id,omitempty"`
	SigAlg      string   `json:"signature_algorithm,omitempty"`
	KeyType     string   `json:"key_type,omitempty"`
	CSRSubject  string   `json:"csr_subject,omitempty"`   // CSR objects only
	CSRDNSNames []string `json:"csr_dns_names,omitempty"` // CSR objects only
}
InspectResult holds the inspection details for a file.
func InspectFile ¶
func InspectFile(path string, passwords []string) ([]InspectResult, error)
InspectFile reads a file and returns inspection results for all objects found.
type K8sMetadata ¶
// K8sMetadata represents Kubernetes resource metadata (the metadata block of
// a manifest).
type K8sMetadata struct {
	Name        string            `yaml:"name"`
	Annotations map[string]string `yaml:"annotations,omitempty"`
}
K8sMetadata represents Kubernetes resource metadata.
type K8sSecret ¶
// K8sSecret represents a Kubernetes TLS secret manifest. A rendered secret
// presumably carries the private key in Data, so the resulting file must be
// handled as sensitive (restrictive permissions, never committed to source
// control).
type K8sSecret struct {
	APIVersion string      `yaml:"apiVersion"`
	Kind       string      `yaml:"kind"`
	Type       string      `yaml:"type"` // the secret type; the value written here is not visible on this page
	Metadata   K8sMetadata `yaml:"metadata"`
	// Data holds the secret payload keyed by entry name. NOTE(review): the
	// Kubernetes API expects `data` values to be base64-encoded (`stringData`
	// takes plaintext); confirm the writer encodes them.
	Data map[string]string `yaml:"data"`
}
K8sSecret represents a Kubernetes TLS secret.
type KeyRecord ¶
// KeyRecord encodes a key and its metadata as stored in the database; the db
// tags name the columns. SubjectKeyIdentifier is what links a key to its
// certificate (ExportBundles pairs key records with certificate records).
type KeyRecord struct {
	SubjectKeyIdentifier string `db:"subject_key_identifier"`
	KeyType              string `db:"key_type"`
	BitLength            int    `db:"bit_length"`      // RSA parameter; presumably zero for other key types — confirm
	PublicExponent       int    `db:"public_exponent"` // RSA parameter
	Modulus              string `db:"modulus"`         // RSA parameter
	Curve                string `db:"curve"`           // ECDSA curve name
	// KeyData: NOTE(review): this appears to be the private key itself, since
	// ExportBundles builds bundles from key records — confirm. Its encoding and
	// whether it is protected at rest are not visible here; treat the database
	// as containing private keys.
	KeyData []byte `db:"key_data"`
}
KeyRecord encodes a key and its metadata.
type KeygenOptions ¶
// KeygenOptions holds parameters for key and CSR generation (GenerateKeyFiles).
type KeygenOptions struct {
	Algorithm string   // rsa, ecdsa or ed25519; defaults presumably match CSROptions — confirm
	Bits      int      // RSA key size
	Curve     string   // ECDSA curve
	OutPath   string   // output directory; empty means stdout mode (see KeygenResult)
	CN        string   // CSR subject common name; a CSR is presumably produced only when this is set — confirm
	SANs      []string // CSR subject alternative names
}
KeygenOptions holds parameters for key and CSR generation.
type KeygenResult ¶
// KeygenResult holds the PEM output and optional file paths from GenerateKeyFiles.
// With an empty KeygenOptions.OutPath only the PEM fields are set (stdout mode);
// otherwise the files are written and the *File fields hold their paths.
type KeygenResult struct {
	KeyPEM  string // private key — sensitive
	PubPEM  string // public key
	CSRPEM  string // empty if no CSR generated
	KeyFile string // empty in stdout mode
	PubFile string // empty in stdout mode
	CSRFile string // empty in stdout mode
}
KeygenResult holds the PEM output and optional file paths from GenerateKeyFiles. When OutPath is empty, only PEM fields are populated (stdout mode). When OutPath is set, files are written and file path fields are populated.
func GenerateKeyFiles ¶
func GenerateKeyFiles(opts KeygenOptions) (*KeygenResult, error)
GenerateKeyFiles generates a key pair and optionally a CSR, writing them to the output path.
type ScanSummary ¶
// ScanSummary holds aggregate counts from a scan, as returned by DB.GetScanSummary.
type ScanSummary struct {
	Roots         int // root certificates
	Intermediates int // intermediate CA certificates
	Leaves        int // end-entity certificates
	Keys          int // key records
	Matched       int // keys that have a matching certificate
}
ScanSummary holds aggregate counts from a scan.
type SubjectConfig ¶
// SubjectConfig represents the X.509 subject fields for certificates; each
// field maps to the RDN attribute named in its trailing comment. Every field
// is multi-valued and is omitted from YAML when empty.
type SubjectConfig struct {
	Country            []string `yaml:"country,omitempty"`            // C
	Province           []string `yaml:"province,omitempty"`           // ST
	Locality           []string `yaml:"locality,omitempty"`           // L
	Organization       []string `yaml:"organization,omitempty"`       // O
	OrganizationalUnit []string `yaml:"organizationalUnit,omitempty"` // OU
}
SubjectConfig represents the X.509 subject fields for certificates.
type VerifyInput ¶ added in v0.3.4
// VerifyInput holds the parsed certificate data and verification options for
// VerifyCert. Each Check* flag gates one check; its outcome lands in the
// matching VerifyResult field.
type VerifyInput struct {
	Cert           *x509.Certificate   // certificate under test
	Key            crypto.PrivateKey   // private key compared against Cert when CheckKeyMatch is set; may be nil otherwise
	ExtraCerts     []*x509.Certificate // intermediates supplied alongside Cert (e.g. ContainerContents.ExtraCerts)
	CustomRoots    []*x509.Certificate // explicit trust anchors; presumably used instead of the system roots — confirm
	CheckKeyMatch  bool                // run the key/certificate match check
	CheckChain     bool                // run chain validation
	ExpiryDuration time.Duration       // window for the "expires within" check; zero presumably disables it — confirm
	TrustStore     string              // NOTE(review): how this relates to CustomRoots (a name? a path?) is not visible here — confirm
}
VerifyInput holds the parsed certificate data and verification options.
type VerifyResult ¶
// VerifyResult holds the results of the certificate verification checks run by
// VerifyCert; FormatVerifyResult renders it, and the json tags name the JSON
// keys. The *bool fields are pointers, presumably so a check that was not
// requested (nil) can be told apart from one that failed (false) — confirm.
type VerifyResult struct {
	Subject     string      `json:"subject"`
	SANs        []string    `json:"sans,omitempty"`
	NotAfter    string      `json:"not_after"` // already formatted; layout not visible here
	SKI         string      `json:"ski,omitempty"`
	KeyMatch    *bool       `json:"key_match,omitempty"` // presumably nil when CheckKeyMatch was off
	KeyMatchErr string      `json:"key_match_error,omitempty"`
	KeyInfo     string      `json:"key_info,omitempty"`
	ChainValid  *bool       `json:"chain_valid,omitempty"` // presumably nil when CheckChain was off
	ChainErr    string      `json:"chain_error,omitempty"`
	Chain       []ChainCert `json:"chain,omitempty"` // display information per chain certificate (see ChainCert)
	Expiry      *bool       `json:"expires_within,omitempty"` // presumably true when Cert expires within VerifyInput.ExpiryDuration
	ExpiryInfo  string      `json:"expiry_info,omitempty"`
	Errors      []string    `json:"errors,omitempty"` // accumulated check errors
}
VerifyResult holds the results of certificate verification checks.
func VerifyCert ¶
func VerifyCert(ctx context.Context, input *VerifyInput) (*VerifyResult, error)
VerifyCert verifies a certificate with optional key matching, chain validation, and expiry checking.