github.com/smallstep/scep
module, package
Version: 0.0.0-20240214080410-892e41795b99
Repository: https://github.com/smallstep/scep.git
Documentation: pkg.go.dev

# README

## scep

scep is a Golang implementation of the Simple Certificate Enrollment Protocol (SCEP).

This package started its life as part of micromdm/scep. The core SCEP protocol was extracted from it and is now being maintained by smallstep.

## Usage

```shell
go get github.com/smallstep/scep
```

The package can be used for both client and server operations.

For detailed usage, see the Go Reference.

Example server:

```go
import (
	"fmt"
	"io"
	"net/http"

	"github.com/smallstep/scep"
)

// handleSCEP is a placeholder handler name; CAcert, CAkey and MyCSRSigner
// are supplied by the application.
func handleSCEP(w http.ResponseWriter, r *http.Request) {
	// read a request body containing a SCEP message
	body, err := io.ReadAll(r.Body)
	if err != nil {
		// handle err
		return
	}

	// parse the SCEP message
	msg, err := scep.ParsePKIMessage(body)
	if err != nil {
		// handle err
		return
	}

	// do something with msg
	fmt.Println(msg.MessageType)

	// extract encrypted pkiEnvelope
	// (err is already declared above, so assign with = rather than :=)
	err = msg.DecryptPKIEnvelope(CAcert, CAkey)
	if err != nil {
		// handle err
		return
	}

	// use the CSR from decrypted PKCS request and sign
	// MyCSRSigner returns an *x509.Certificate here
	crt, err := MyCSRSigner(msg.CSRReqMessage.CSR)
	if err != nil {
		// handle err
		return
	}

	// create a CertRep message from the original
	certRep, err := msg.Success(CAcert, CAkey, crt)
	if err != nil {
		// handle err
		return
	}

	// send response back
	// w is a http.ResponseWriter
	w.Write(certRep.Raw)
}
```

# Functions

CACerts extracts the CA certificate or chain from PKCS#7 degenerate signed data.
DegenerateCertificates creates a degenerate certificates PKCS#7 structure.
EnciphermentCertsSelector returns a CertsSelectorFunc that selects certificates eligible for key encipherment.
FingerprintCertsSelector selects a certificate that matches hash using hashType against the digest of the raw certificate DER bytes.
NewCSRRequest creates a scep PKI PKCSReq/UpdateReq message.
NopCertsSelector returns a CertsSelectorFunc that does not do anything.
ParsePKIMessage unmarshals a PKCS#7 signed data into a PKI message struct.
WithCACerts adds the CA certificates option to the SCEP operations.
WithCertsSelector adds the certificates certsSelector option to the SCEP operations.
WithLogger adds the logging option to the SCEP operations.
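
The FingerprintCertsSelector entry above describes matching a hash against the digest of the raw certificate DER bytes. The program below is an added illustration of that check using only the Go standard library; it is not the package's code, and `fingerprint`, `selectByFingerprint`, `newCert`, the fixed choice of SHA-256 and the sample certificates are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// fingerprint digests the raw DER bytes (cert.Raw), not the PEM text or the subject.
func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// selectByFingerprint (hypothetical helper) keeps only certificates matching the pin.
func selectByFingerprint(pin [32]byte, certs ...*x509.Certificate) (out []*x509.Certificate) {
	for _, c := range certs {
		if fingerprint(c) == pin {
			out = append(out, c)
		}
	}
	return out
}

// newCert issues a constructed self-signed sample certificate (Ed25519 keeps it fast).
func newCert(cn string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, err1 := newCert("constructed CA")
	other, err2 := newCert("constructed CA") // same subject, different key
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	pin := fingerprint(ca) // in practice the pin is obtained out of band
	fmt.Printf("pin %x selects %d of 2 certificates\n", pin, len(selectByFingerprint(pin, other, ca)))
}
```

Because the digest covers the whole DER encoding, a certificate that reuses the pinned certificate's subject but carries a different key is rejected.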

# Constants

Undefined message types are treated as an error.
Undefined pkiStatus attributes are treated as an error.

# Structs

CertRepMessage is a type of PKIMessage.
CSRReqMessage can be of the type PKCSReq/RenewalReq/UpdateReq and includes a PKCS#10 CSR request.
PKIMessage defines the possible SCEP message types.

# Interfaces

A CertsSelector filters certificates.
Logger is the fundamental interface for all SCEP logging operations.

# Type aliases

CertsSelectorFunc is a type of function that filters certificates.
FailInfo is a SCEP failInfo attribute. The FailInfo attribute MUST contain one of the following failure reasons:
The MessageType attribute specifies the type of operation performed by the transaction.
Option specifies custom configuration for SCEP.
PKIStatus is a SCEP pkiStatus attribute which holds transaction status information.
The RecipientNonce MUST be copied from the SenderNonce and included in the reply.
SenderNonce is a random 16-byte number.
The TransactionID is a text string generated by the client when starting a transaction.