# Functions
AddExtKeyUsageOids adds custom extended key usage OIDs to the certificate template.
addKeyUsages adds appropriate key usages to the template given the creation information.
AddPolicyIdentifiers adds certificate policies extension, based on CreationBundle.
ComparePublicKeys compares two public keys and returns true if they match; it returns an error if the public key types are mismatched or unsupported.
ComparePublicKeysAndType compares two public keys and returns true if they match, false if their types or contents differ, and an error only for unsupported key types.
CreateBasicConstraintExtension creates a basic constraints extension from its inputs; if isCa is false, an empty value sequence is returned and maxPath is ignored.
CreateCertificate uses CreationBundle and the default rand.Reader to generate a cert/keypair.
CreateCertificateWithRandomSource uses CreationBundle and a custom io.Reader for randomness to generate a cert/keypair.
CreateCSR creates a CSR, generating the keypair with the default rand.Reader.
CreateCSRWithKeyGenerator creates a CSR with a custom io.Reader for randomness, delegating generation of the keypair to the provided private key generator.
CreateCSRWithRandomSource creates a CSR, generating the keypair with a custom io.Reader for randomness.
CreateDeltaCRLIndicatorExt allows creating correctly formed delta CRLs that point back to the last complete CRL that they're based on.
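Added example, not this package's code: everything below is standard-library Go, and the CA fixture, the function names and the CRL numbers 41/42 are constructed for the demonstration. It shows what a correctly formed delta CRL indicator involves: the extension value is the base CRL's cRLNumber, it must be critical, the delta's own cRLNumber must be larger, and a parser should refuse an indicator that is non-critical or not below the cRLNumber.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidDeltaCRLIndicator = asn1.ObjectIdentifier{2, 5, 29, 27} // id-ce-deltaCRLIndicator

// createDeltaCRLIndicatorExt builds the deltaCRLIndicator extension: its value is the cRLNumber of
// the complete CRL the delta is based on, and RFC 5280 §5.2.4 requires it to be critical.
func createDeltaCRLIndicatorExt(baseCRLNumber *big.Int) (pkix.Extension, error) {
	if baseCRLNumber == nil || baseCRLNumber.Sign() < 0 {
		return pkix.Extension{}, errors.New("base CRL number must be a non-negative integer")
	}
	value, err := asn1.Marshal(baseCRLNumber)
	return pkix.Extension{Id: oidDeltaCRLIndicator, Critical: true, Value: value}, err
}

// issueDeltaCRL signs a delta CRL numbered deltaNumber that points back at the complete CRL
// numbered baseNumber. Go emits cRLNumber from Number; the indicator rides in ExtraExtensions.
func issueDeltaCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, baseNumber, deltaNumber *big.Int, revoked []pkix.RevokedCertificate) ([]byte, error) {
	if deltaNumber.Cmp(baseNumber) <= 0 {
		return nil, errors.New("delta CRL number must be greater than the base CRL number")
	}
	indicator, err := createDeltaCRLIndicatorExt(baseNumber)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:              deltaNumber,
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: revoked,
		ExtraExtensions:     []pkix.Extension{indicator},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// crlNumbers parses a CRL and returns its cRLNumber plus, for a delta CRL, the base cRLNumber it
// refers to (nil for a complete CRL). A missing cRLNumber or a bad indicator is rejected.
func crlNumbers(der []byte) (number, base *big.Int, err error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, nil, err
	}
	if crl.Number == nil {
		return nil, nil, errors.New("CRL has no cRLNumber extension")
	}
	for _, ext := range crl.Extensions {
		if !ext.Id.Equal(oidDeltaCRLIndicator) {
			continue
		}
		rest, err := asn1.Unmarshal(ext.Value, &base)
		if err != nil || len(rest) != 0 || !ext.Critical || base.Cmp(crl.Number) >= 0 {
			return nil, nil, errors.New("deltaCRLIndicator is malformed, not critical, or not below cRLNumber")
		}
	}
	return crl.Number, base, nil
}

// newTestCA is a constructed fixture: a self-signed CA that is allowed to sign CRLs.
func newTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CRL Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	ca, key, err := newTestCA()
	if err != nil {
		panic(err)
	}
	der, err := issueDeltaCRL(ca, key, big.NewInt(41), big.NewInt(42), nil)
	if err != nil {
		panic(err)
	}
	fmt.Println(crlNumbers(der))
}
```

Go's x509.RevocationList writes cRLNumber from its Number field, so the delta indicator is the only extension that has to be assembled by hand; a relying party that ignores the critical flag on it will happily treat a delta as a complete CRL, which is why the parser above rejects a non-critical indicator.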
CreateKeyBundle creates a KeyBundle struct containing a newly generated key of keyType with keyBits, drawing randomness from randReader.
CreateKeyBundleWithKeyGenerator creates a KeyBundle struct containing a newly generated key of keyType with keyBits, drawing randomness from randReader and delegating the actual key generation to keyGenerator.
CreatePolicyInformationExtensionFromStorageStrings parses the stored policyIdentifiers, each of which may be a JSON Policy Identifier with Qualifier entry or a plain string OID, and returns an extension if everything parsed correctly, or an error if parsing or constructing the extension fails.
Returns the default signature hash bit length for the specified key type and key bits, or hashBits itself if it is non-zero.
Returns the default key bits for the specified key type, or keyBits itself if it is non-zero.
GeneratePrivateKey generates a private key of the specified type and key bits using the default rand.Reader.
GeneratePrivateKeyWithRandomSource generates a private key of the specified type and key bits using the provided io.Reader as the source of randomness.
GenerateSerialNumber generates a serial number suitable for a certificate.
GenerateSerialNumberWithRandomSource generates a serial number suitable for a certificate with custom entropy.
GetHexFormatted returns the byte buffer formatted in hex with the specified separator between bytes.
GetOtherSANsFromX509Extensions finds all extensions carrying the SAN (Subject Alternative Name) OID and inspects each name in them to determine whether it is one of the well-known types (such as IP SANs) or an "other" name.
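Added example, not the package's implementation: it builds a subjectAltName holding a dNSName and a Microsoft UPN-style otherName, then walks the GeneralNames the way the description above outlines and returns only the otherName entries. The helper and type names and the sample names are constructed; the only identifiers taken from a standard are the SAN OID and the UPN type-id.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17} // id-ce-subjectAltName

// OtherName is a SAN of the otherName form: a type OID plus, here, a string value, which is the
// shape of a Microsoft UPN (type-id 1.3.6.1.4.1.311.20.2.3, value UTF8String).
type OtherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string
}

// otherNameASN1 mirrors OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY } with the
// ANY pinned to a string type; encoding/asn1 rejects non-string values when decoding.
type otherNameASN1 struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// marshalOtherName encodes one otherName GeneralName, i.e. [0] IMPLICIT OtherName.
func marshalOtherName(on OtherName) (asn1.RawValue, error) {
	full, err := asn1.MarshalWithParams(otherNameASN1{TypeID: on.TypeID, Value: on.Value}, "tag:0")
	return asn1.RawValue{FullBytes: full}, err
}

// buildSANExtension assembles a subjectAltName holding one dNSName [2] plus the given otherNames.
func buildSANExtension(dnsName string, others []OtherName) (pkix.Extension, error) {
	names := []asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(dnsName)}}
	for _, on := range others {
		rv, err := marshalOtherName(on)
		if err != nil {
			return pkix.Extension{}, err
		}
		names = append(names, rv)
	}
	value, err := asn1.Marshal(names)
	return pkix.Extension{Id: oidSubjectAltName, Value: value}, err
}

// parseOtherSANs finds every subjectAltName extension, walks its GeneralNames and returns the
// otherName [0] entries. The well-known forms (rfc822Name [1], dNSName [2], URI [6],
// iPAddress [7]) are skipped here because crypto/x509 already decodes them; the IMPLICIT tag is
// checked by UnmarshalWithParams, and trailing bytes are treated as malformed input.
func parseOtherSANs(exts []pkix.Extension) ([]OtherName, error) {
	var others []OtherName
	for _, ext := range exts {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if rest, err := asn1.Unmarshal(ext.Value, &names); err != nil || len(rest) != 0 {
			return nil, errors.New("malformed subjectAltName")
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue
			}
			var on otherNameASN1
			if rest, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil || len(rest) != 0 {
				return nil, errors.New("malformed otherName")
			}
			others = append(others, OtherName{TypeID: on.TypeID, Value: on.Value})
		}
	}
	return others, nil
}

func main() {
	upn := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // Microsoft UPN type-id
	ext, err := buildSANExtension("www.example.test", []OtherName{{TypeID: upn, Value: "alice@corp.example"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(parseOtherSANs([]pkix.Extension{ext}))
}
```

The value of an otherName is an ANY, so a real parser has to decide per type-id what it accepts; pinning the field to a string type, as above, means an otherName carrying, say, an OCTET STRING fails to decode instead of being silently coerced.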
GetPolicyIdentifierFromString parses out the internal structure of a Policy Identifier.
GetPrivateKeyTypeFromPublicKey based on the public key, return the PrivateKeyType that would be associated with it, returning UnknownPrivateKey for unsupported types.
GetPublicKeySize returns the key size in bits for an arbitrary crypto.PublicKey, or -1 for an unsupported key type.
GetSubjKeyID returns the subject key ID.
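Added example re-implementing, on top of the standard library, the public-key helpers described above (GetPrivateKeyTypeFromPublicKey, GetPublicKeySize, ComparePublicKeys and ComparePublicKeysAndType, GetSubjKeyID). It is not the package's code: the PrivateKeyType string values are assumed, the function names are lower-cased, and subjectKeyID here takes a crypto.PublicKey.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// PrivateKeyType names the key family; the string values are an assumption of this example.
type PrivateKeyType string

const (
	UnknownPrivateKey PrivateKeyType = ""
	RSAPrivateKey     PrivateKeyType = "rsa"
	ECPrivateKey      PrivateKeyType = "ec"
	Ed25519PrivateKey PrivateKeyType = "ed25519"
)

// keyTypeFromPublicKey classifies a public key, returning UnknownPrivateKey for anything else.
func keyTypeFromPublicKey(pub crypto.PublicKey) PrivateKeyType {
	switch pub.(type) {
	case *rsa.PublicKey:
		return RSAPrivateKey
	case *ecdsa.PublicKey:
		return ECPrivateKey
	case ed25519.PublicKey:
		return Ed25519PrivateKey
	}
	return UnknownPrivateKey
}

// publicKeySize returns the key size in bits (modulus, curve size, 256 for Ed25519) or -1.
func publicKeySize(pub crypto.PublicKey) int {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen()
	case *ecdsa.PublicKey:
		return k.Curve.Params().BitSize
	case ed25519.PublicKey:
		return len(k) * 8
	}
	return -1
}

// comparePublicKeys reports whether two keys match; differing or unsupported types are an error.
func comparePublicKeys(a, b crypto.PublicKey) (bool, error) {
	ta, tb := keyTypeFromPublicKey(a), keyTypeFromPublicKey(b)
	if ta == UnknownPrivateKey || tb == UnknownPrivateKey {
		return false, fmt.Errorf("unsupported public key type: %T / %T", a, b)
	}
	if ta != tb {
		return false, fmt.Errorf("public key types mismatch: %T vs %T", a, b)
	}
	// *rsa.PublicKey, *ecdsa.PublicKey and ed25519.PublicKey all implement Equal.
	return a.(interface{ Equal(crypto.PublicKey) bool }).Equal(b), nil
}

// comparePublicKeysAndType is the lenient variant: a mismatch between supported types is false, nil.
func comparePublicKeysAndType(a, b crypto.PublicKey) (bool, error) {
	if ta, tb := keyTypeFromPublicKey(a), keyTypeFromPublicKey(b); ta != tb && ta != UnknownPrivateKey && tb != UnknownPrivateKey {
		return false, nil
	}
	return comparePublicKeys(a, b)
}

// subjectKeyID derives the SKID per RFC 5280 §4.2.1.2 method 1: SHA-1 over the subjectPublicKey
// BIT STRING contents, the same value Go's x509 fills in for CA templates.
func subjectKeyID(pub crypto.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(der, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return sum[:], nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	skid, _ := subjectKeyID(&key.PublicKey)
	same, _ := comparePublicKeysAndType(&key.PublicKey, edPub)
	fmt.Printf("%s %d bits, skid %x, equals ed25519 key: %v\n",
		keyTypeFromPublicKey(&key.PublicKey), publicKeySize(&key.PublicKey), skid, same)
}
```

The SKID is an identifier, not a security property, which is why SHA-1 is still acceptable there; the two compare functions differ only in whether a type mismatch is an error or a plain false, and callers that treat any error as "keys match" get the lenient one wrong in the unsafe direction.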
ParseBasicConstraintExtension parses a basic constraints pkix.Extension; this is useful for checking whether a CSR requests CA privileges, since Go's x509 package does not expose its own parser.
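Added example (not the package's code) for CreateBasicConstraintExtension and ParseBasicConstraintExtension: it encodes and decodes the extension with encoding/asn1, including the empty-SEQUENCE form for a non-CA, and uses the parser to detect a CSR that asks for cA=TRUE, which crypto/x509 leaves uninterpreted in csr.Extensions. The CSR fixture and the helper names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19} // id-ce-basicConstraints

// basicConstraints is the extension's ASN.1 shape (RFC 5280 §4.2.1.9); pathLenConstraint is
// OPTIONAL, so -1 stands for "absent".
type basicConstraints struct {
	IsCA    bool `asn1:"optional"`
	MaxPath int  `asn1:"optional,default:-1"`
}

// createBasicConstraintExtension returns a critical basicConstraints extension. With isCA false
// both fields are omitted, so the value is an empty SEQUENCE and maxPath is ignored.
func createBasicConstraintExtension(isCA bool, maxPath int) (pkix.Extension, error) {
	bc := basicConstraints{IsCA: isCA, MaxPath: -1}
	if isCA && maxPath >= 0 {
		bc.MaxPath = maxPath
	}
	value, err := asn1.Marshal(bc)
	return pkix.Extension{Id: oidBasicConstraints, Critical: true, Value: value}, err
}

// parseBasicConstraintExtension returns (isCA, maxPath); maxPath is -1 when absent, and a
// pathLenConstraint without cA=TRUE is ignored. Trailing bytes are treated as malformed.
func parseBasicConstraintExtension(ext pkix.Extension) (bool, int, error) {
	if !ext.Id.Equal(oidBasicConstraints) {
		return false, -1, errors.New("not a basicConstraints extension")
	}
	bc := basicConstraints{MaxPath: -1}
	if rest, err := asn1.Unmarshal(ext.Value, &bc); err != nil || len(rest) != 0 {
		return false, -1, errors.New("malformed basicConstraints value")
	}
	if !bc.IsCA {
		return false, -1, nil
	}
	return true, bc.MaxPath, nil
}

// csrRequestsCA reports whether a CSR asks for cA=TRUE. Go parses the extensionRequest
// attribute into csr.Extensions but does not interpret basicConstraints found there.
func csrRequestsCA(csr *x509.CertificateRequest) (bool, error) {
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(oidBasicConstraints) {
			isCA, _, err := parseBasicConstraintExtension(ext)
			return isCA, err
		}
	}
	return false, nil
}

// newCSR is a constructed fixture; wantCA smuggles a cA=TRUE request into the CSR.
func newCSR(cn string, wantCA bool) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	if wantCA {
		ext, err := createBasicConstraintExtension(true, 0)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{ext}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	for _, wantCA := range []bool{false, true} {
		csr, err := newCSR("leaf.example.test", wantCA)
		if err != nil {
			panic(err)
		}
		fmt.Println(csrRequestsCA(csr))
	}
}
```

A signer that copies a CSR's requested extensions verbatim would turn this request into a CA certificate; detecting the request is only useful if the issuing path then refuses it or drops the extension.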
ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array. It returns an error if a certificate could not be parsed or if the data contains no certificates.
ParseHexFormatted returns the raw bytes from a formatted hex string.
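Added example (not the package's code) covering GenerateSerialNumber and GenerateSerialNumberWithRandomSource together with GetHexFormatted and ParseHexFormatted. The 127-bit size, the retry cap and the colon-separated serial string form are choices made for this example, not values taken from the package.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"math/big"
	"strings"
)

// serialBits is how many random bits a serial carries. RFC 5280 §4.1.2.2 requires a positive
// INTEGER of at most 20 octets; 127 bits keeps the DER encoding at 16 octets with the sign bit
// clear and is well above the 64 bits of CSPRNG output the CA/Browser Forum demands.
const serialBits = 127

// generateSerialNumberWithRandomSource draws a serial from r. A zero draw is retried a few
// times and then reported as an error, so a broken RNG that returns zeros fails loudly.
func generateSerialNumberWithRandomSource(r io.Reader) (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), serialBits)
	for attempt := 0; attempt < 4; attempt++ {
		n, err := rand.Int(r, limit)
		if err != nil {
			return nil, err
		}
		if n.Sign() > 0 {
			return n, nil
		}
	}
	return nil, errors.New("random source keeps producing zero serial numbers")
}

// generateSerialNumber uses the default CSPRNG.
func generateSerialNumber() (*big.Int, error) {
	return generateSerialNumberWithRandomSource(rand.Reader)
}

// getHexFormatted renders buf as two-digit lowercase hex, one byte per group, joined by sep.
func getHexFormatted(buf []byte, sep string) string {
	parts := make([]string, len(buf))
	for i, b := range buf {
		parts[i] = fmt.Sprintf("%02x", b)
	}
	return strings.Join(parts, sep)
}

// parseHexFormatted inverts getHexFormatted and rejects empty, odd-length or non-hex input.
func parseHexFormatted(in, sep string) ([]byte, error) {
	cleaned := strings.ReplaceAll(in, sep, "")
	if cleaned == "" || len(cleaned)%2 != 0 {
		return nil, errors.New("hex string must hold a non-empty, even number of digits")
	}
	return hex.DecodeString(cleaned)
}

// serialToString and serialFromString give the colon-separated form used when a serial is
// passed around as a string; the big-endian magnitude bytes are assumed here.
func serialToString(n *big.Int) string {
	return getHexFormatted(n.Bytes(), ":")
}

func serialFromString(s string) (*big.Int, error) {
	b, err := parseHexFormatted(s, ":")
	if err != nil {
		return nil, err
	}
	return new(big.Int).SetBytes(b), nil
}

func main() {
	n, err := generateSerialNumber()
	if err != nil {
		panic(err)
	}
	fmt.Println(serialToString(n), n.BitLen())
}
```

Serial numbers are the lookup key for revocation, so they must be unpredictable as well as unique; a predictable serial is also what made the MD5 chosen-prefix collision attack on a real CA practical, which is why the example insists on CSPRNG output rather than a counter.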
ParsePEMBundle takes a string of concatenated PEM-format certificate and private key values and decodes/parses them, checking validity along the way.
ParsePKIJSON takes a JSON-encoded string and returns a ParsedCertBundle.
ParsePKIMap takes a map (for instance, the Secret.Data returned from the PKI backend) and returns a ParsedCertBundle.
ParsePublicKeyPEM is used to parse RSA and ECDSA public keys from PEMs.
SignCertificate performs the heavy lifting of generating a certificate from a CSR.
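Added example (not the package's code) of the SignCertificate flow with an Ed25519 CA fixture: proof of possession is checked, a CSR that tries to set basicConstraints is refused outright, key usages come from issuer policy rather than from the request, and a TTL beyond the issuer's NotAfter is truncated (one of the leaf_not_after_behavior choices). The function names and the fixtures are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19} // id-ce-basicConstraints

// newTestCA is a constructed fixture: a self-signed Ed25519 CA restricted to issuing leaves.
func newTestCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// signLeafFromCSR mirrors the SignCertificate flow: verify proof of possession, refuse a CSR
// that tries to dictate basicConstraints, take identity (subject, SANs) from the CSR but
// usages from issuer policy, clamp the TTL to the issuer's lifetime, and sign.
func signLeafFromCSR(ca *x509.Certificate, caKey ed25519.PrivateKey, csrDER []byte, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(oidBasicConstraints) {
			return nil, errors.New("CSR requests basicConstraints; only the issuer decides CA status")
		}
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // cA=FALSE is written explicitly
	}
	if tmpl.NotAfter.After(ca.NotAfter) {
		tmpl.NotAfter = ca.NotAfter // the "truncate" choice of leaf_not_after_behavior
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCSR is a constructed client request; extra extensions let a test smuggle in basicConstraints.
func newCSR(cn string, extra ...pkix.Extension) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, ExtraExtensions: extra}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	ca, key, err := newTestCA()
	if err != nil {
		panic(err)
	}
	csr, _ := newCSR("leaf.example.test")
	leaf, err := signLeafFromCSR(ca, key, csr, 2000*time.Hour)
	fmt.Println(leaf != nil && !leaf.IsCA && leaf.NotAfter.Equal(ca.NotAfter), err)
}
```

The order of checks matters: the signature is verified before anything in the CSR is trusted, and the template is built from scratch so that nothing the requester put in extensionRequest reaches the certificate unless the issuer explicitly copies it (here only Subject and DNSNames are copied, and a production signer would validate those against the role as well).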
SignCertificateWithRandomSource generates a certificate from a CSR, using custom randomness from the randReader.
Validates that the combination of keyType, keyBits, and hashBits are valid together; replaces individual calls to ValidateSignatureLength and ValidateKeyTypeLength.
Validates that the length of the hash (in bits) used in the signature calculation is a known, approved value.
# Constants
Well-known formats.
Well-known PrivateKeyTypes.
Well-known TLSUsage types.
# Variables
OID for RFC 5280 CRL Number extension.
OID for RFC 5280 Delta CRL Indicator CRL extension.
OID for Extended Key Usage from RFC 5280 (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12): id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 }.
Mapping of constant values<->constant names for SignatureAlgorithm.
OID for Key Usage from RFC 2459 (https://www.rfc-editor.org/rfc/rfc2459.html#section-4.2.1.3), unchanged in its successor RFC 5280: id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }.
OIDs for X.509 SAN Extension.
Mapping of constant names<->constant values for SignatureAlgorithm.
Subject Attribute OIDs.
# Structs
CertBlock contains the DER-encoded certificate and the PEM block's byte array.
CertBundle contains a key type, a PEM-encoded private key, a PEM-encoded certificate, and a string-encoded serial number, returned from a successful Issue request.
Configuration of the issuer and mount at the time of this request: the issuer's templated AIA information (falling back to the mount-global config if no per-issuer AIA info is set), the issuer's leaf_not_after_behavior (permit/truncate/err) for TTLs exceeding the issuer's validity period, and the mount's default and max TTL.
Outer request object sent by Vault to the external CIEPS service.
Expected response object from the external CIEPS service.
Structured parameters sent by Vault or explicitly validated by Vault prior to sending.
This can be one of a few key types so the different params may or may not be filled.
CSRBundle contains a key type, a PEM-encoded private key, and a PEM-encoded CSR.
IssueData is a structure that is suitable for marshaling into a request; either via JSON, or into a map[string]interface{} via the structs package.
otherNameRaw describes a name related to a certificate which is not in one of the standard name formats.
ParsedCertBundle contains a key type, a DER-encoded private key, and a DER-encoded certificate.
ParsedCSRBundle contains a key type, a DER-encoded private key, and a DER-encoded certificate request.
PolicyIdentifierWithQualifierEntry is the structure used for internal storage of a policy identifier together with its qualifiers.
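Added example (not the package's code) of the storage-string handling described for GetPolicyIdentifierFromString and CreatePolicyInformationExtensionFromStorageStrings: a stored entry is either a bare dotted OID or a JSON object, and the result is a certificatePolicies extension carrying CPS and user-notice qualifiers. The JSON field names (oid, cps, notice) and the sample OIDs are assumptions of this example.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// OIDs from RFC 5280 §4.2.1.4: id-ce-certificatePolicies, id-qt-cps and id-qt-unotice.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidQtCPS               = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
	oidQtUserNotice        = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2}
)

// PolicyIdentifierWithQualifierEntry is the stored JSON form; the JSON field names are assumed.
type PolicyIdentifierWithQualifierEntry struct {
	OID    string `json:"oid"`
	CPS    string `json:"cps,omitempty"`
	Notice string `json:"notice,omitempty"`
}

// ASN.1 shapes: PolicyInformation, PolicyQualifierInfo and a UserNotice with explicitText only.
type (
	policyQualifierInfo struct {
		ID        asn1.ObjectIdentifier
		Qualifier asn1.RawValue
	}
	policyInformation struct {
		Policy     asn1.ObjectIdentifier
		Qualifiers []policyQualifierInfo `asn1:"optional,omitempty"`
	}
	userNotice struct {
		ExplicitText string `asn1:"utf8,optional"`
	}
)

// parseOID converts a dotted string; encoding/asn1 later rejects arcs that violate X.660 rules.
func parseOID(s string) (asn1.ObjectIdentifier, error) {
	parts := strings.Split(s, ".")
	oid := make(asn1.ObjectIdentifier, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("oid %q: bad arc %q", s, p)
		}
		oid[i] = n
	}
	return oid, nil
}

// getPolicyIdentifierFromString accepts a bare dotted OID or a JSON entry; unknown JSON keys
// are rejected so that a typo such as "cpsurl" cannot silently drop a qualifier.
func getPolicyIdentifierFromString(s string) (PolicyIdentifierWithQualifierEntry, error) {
	s = strings.TrimSpace(s)
	if !strings.HasPrefix(s, "{") {
		return PolicyIdentifierWithQualifierEntry{OID: s}, nil
	}
	var e PolicyIdentifierWithQualifierEntry
	dec := json.NewDecoder(strings.NewReader(s))
	dec.DisallowUnknownFields()
	err := dec.Decode(&e)
	return e, err
}

// createPolicyInformationExtension builds certificatePolicies from the stored strings: a CPS
// qualifier is an IA5String URI, a notice becomes a UserNotice carrying only explicitText.
func createPolicyInformationExtension(stored []string) (pkix.Extension, error) {
	var infos []policyInformation
	for _, s := range stored {
		e, err := getPolicyIdentifierFromString(s)
		if err != nil {
			return pkix.Extension{}, err
		}
		oid, err := parseOID(e.OID)
		if err != nil {
			return pkix.Extension{}, err
		}
		pi := policyInformation{Policy: oid}
		if e.CPS != "" {
			cps := asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(e.CPS)}
			pi.Qualifiers = append(pi.Qualifiers, policyQualifierInfo{ID: oidQtCPS, Qualifier: cps})
		}
		if e.Notice != "" {
			un, err := asn1.Marshal(userNotice{ExplicitText: e.Notice})
			if err != nil {
				return pkix.Extension{}, err
			}
			pi.Qualifiers = append(pi.Qualifiers, policyQualifierInfo{ID: oidQtUserNotice, Qualifier: asn1.RawValue{FullBytes: un}})
		}
		infos = append(infos, pi)
	}
	if len(infos) == 0 {
		return pkix.Extension{}, errors.New("no policy identifiers given")
	}
	value, err := asn1.Marshal(infos)
	return pkix.Extension{Id: oidCertificatePolicies, Value: value}, err
}

func main() {
	ext, err := createPolicyInformationExtension([]string{"1.3.6.1.4.1.44947.1.1.1",
		`{"oid":"2.23.140.1.2.1","cps":"https://example.test/cps","notice":"Example notice"}`})
	fmt.Printf("%x %v\n", ext.Value, err)
}
```

The OID string is validated twice on purpose: parseOID rejects non-numeric arcs with a readable message, and asn1.Marshal still refuses an OID whose first arcs are out of range, so a stored value like "3.1.1" fails at extension construction rather than producing an undecodable certificate.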
Secret is used to attempt to unmarshal a Vault secret JSON response, as a convenience.
# Interfaces
ParsedPrivateKeyContainer allows common key setting for certs and CSRs.
# Type aliases
BlockType indicates the serialization format of the key.
Source of the issuance request. sign means the key material was generated by the user and submitted via a CSR, with only ACL-level validation applied; issue means Vault created the key material on behalf of the user, again with ACL-level validation; ACME means the user submitted a CSR and additional ACME validation took place before the request was sent to the external service for construction.
KeyGenerator allows the caller to override how, and by what, the private key is generated.
PrivateKeyExtractor extracts the private key from the passed-in CertBundle and sets the appropriate fields in the ParsedCertBundle.
PrivateKeyType holds a string representation of the type of private key (for example ec or rsa) referenced in a CertBundle or ParsedCertBundle.
TLSUsage controls whether the intended usage of a *tls.Config returned from ParsedCertBundle.getTLSConfig is for server use, client use, or both, which affects which values are set.