Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| e1cb7efbf1 | |||
| 925e0a7124 | |||
| 659f636d01 |
@@ -488,6 +488,8 @@ linters:
|
|||||||
linters: [ exhaustive, mnd, revive ]
|
linters: [ exhaustive, mnd, revive ]
|
||||||
- path: 'backoff/backoff_test.go'
|
- path: 'backoff/backoff_test.go'
|
||||||
linters: [ testpackage ]
|
linters: [ testpackage ]
|
||||||
|
- path: "cmd/kgz/main.go"
|
||||||
|
linters: [ unconvert ]
|
||||||
- path: 'dbg/dbg_test.go'
|
- path: 'dbg/dbg_test.go'
|
||||||
linters: [ testpackage ]
|
linters: [ testpackage ]
|
||||||
- path: 'log/logger.go'
|
- path: 'log/logger.go'
|
||||||
|
|||||||
11
CHANGELOG
11
CHANGELOG
@@ -1,5 +1,16 @@
|
|||||||
CHANGELOG
|
CHANGELOG
|
||||||
|
|
||||||
|
v1.19.0 - 2026-02-12
|
||||||
|
|
||||||
|
Added:
|
||||||
|
- certlib/dump: DisplayCSR function for dumping Certificate Signing Request information.
|
||||||
|
- certlib: MatchKeysCSR function for testing if a CSR's public key matches a private key.
|
||||||
|
|
||||||
|
v1.18.0 - 2025-11-21
|
||||||
|
|
||||||
|
Changed:
|
||||||
|
- disable unconvert for kgz, as various platforms complain about it.
|
||||||
|
|
||||||
v1.17.2 - 2025-11-21
|
v1.17.2 - 2025-11-21
|
||||||
|
|
||||||
Note: 1.17.2 was a mangled release.
|
Note: 1.17.2 was a mangled release.
|
||||||
|
|||||||
@@ -165,6 +165,28 @@ func certPublic(cert *x509.Certificate) string {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func csrPublic(csr *x509.CertificateRequest) string {
|
||||||
|
switch pub := csr.PublicKey.(type) {
|
||||||
|
case *rsa.PublicKey:
|
||||||
|
return fmt.Sprintf("RSA-%d", pub.N.BitLen())
|
||||||
|
case *ecdsa.PublicKey:
|
||||||
|
switch pub.Curve {
|
||||||
|
case elliptic.P256():
|
||||||
|
return "ECDSA-prime256v1"
|
||||||
|
case elliptic.P384():
|
||||||
|
return "ECDSA-secp384r1"
|
||||||
|
case elliptic.P521():
|
||||||
|
return "ECDSA-secp521r1"
|
||||||
|
default:
|
||||||
|
return "ECDSA (unknown curve)"
|
||||||
|
}
|
||||||
|
case *dsa.PublicKey:
|
||||||
|
return "DSA"
|
||||||
|
default:
|
||||||
|
return "Unknown"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func DisplayName(name pkix.Name) string {
|
func DisplayName(name pkix.Name) string {
|
||||||
var ns []string
|
var ns []string
|
||||||
|
|
||||||
@@ -333,3 +355,36 @@ func DisplayCert(w io.Writer, cert *x509.Certificate, showHash bool) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func DisplayCSR(w io.Writer, csr *x509.CertificateRequest, showHash bool) {
|
||||||
|
fmt.Fprintln(w, "CERTIFICATE REQUEST")
|
||||||
|
if showHash {
|
||||||
|
fmt.Fprintln(w, wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(csr.Raw)), 0))
|
||||||
|
}
|
||||||
|
|
||||||
|
fmt.Fprintln(w, wrap("Subject: "+DisplayName(csr.Subject), 0))
|
||||||
|
fmt.Fprintf(w, "\tSignature algorithm: %s / %s\n", sigAlgoPK(csr.SignatureAlgorithm),
|
||||||
|
sigAlgoHash(csr.SignatureAlgorithm))
|
||||||
|
fmt.Fprintln(w, "Details:")
|
||||||
|
wrapPrint("Public key: "+csrPublic(csr), 1)
|
||||||
|
|
||||||
|
validNames := make([]string, 0, len(csr.DNSNames)+len(csr.EmailAddresses)+len(csr.IPAddresses)+len(csr.URIs))
|
||||||
|
for i := range csr.DNSNames {
|
||||||
|
validNames = append(validNames, "dns:"+csr.DNSNames[i])
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := range csr.EmailAddresses {
|
||||||
|
validNames = append(validNames, "email:"+csr.EmailAddresses[i])
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := range csr.IPAddresses {
|
||||||
|
validNames = append(validNames, "ip:"+csr.IPAddresses[i].String())
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := range csr.URIs {
|
||||||
|
validNames = append(validNames, "uri:"+csr.URIs[i].String())
|
||||||
|
}
|
||||||
|
|
||||||
|
sans := fmt.Sprintf("SANs (%d): %s\n", len(validNames), strings.Join(validNames, ", "))
|
||||||
|
wrapPrint(sans, 1)
|
||||||
|
}
|
||||||
|
|||||||
@@ -133,3 +133,48 @@ func MatchKeys(cert *x509.Certificate, priv crypto.Signer) (bool, string) {
|
|||||||
return false, fmt.Sprintf("unrecognised private key type: %T", priv.Public())
|
return false, fmt.Sprintf("unrecognised private key type: %T", priv.Public())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// MatchKeysCSR determines whether the CSR's public key matches the given private key.
|
||||||
|
// It returns true if they match; otherwise, it returns false and a human-friendly reason.
|
||||||
|
func MatchKeysCSR(csr *x509.CertificateRequest, priv crypto.Signer) (bool, string) {
|
||||||
|
switch keyPub := priv.Public().(type) {
|
||||||
|
case *rsa.PublicKey:
|
||||||
|
switch csrPub := csr.PublicKey.(type) {
|
||||||
|
case *rsa.PublicKey:
|
||||||
|
if matchRSA(csrPub, keyPub) {
|
||||||
|
return true, ""
|
||||||
|
}
|
||||||
|
return false, "public keys don't match"
|
||||||
|
case *ecdsa.PublicKey:
|
||||||
|
return false, "RSA private key, EC public key"
|
||||||
|
default:
|
||||||
|
return false, fmt.Sprintf("unsupported CSR public key type: %T", csr.PublicKey)
|
||||||
|
}
|
||||||
|
case *ecdsa.PublicKey:
|
||||||
|
switch csrPub := csr.PublicKey.(type) {
|
||||||
|
case *ecdsa.PublicKey:
|
||||||
|
if matchECDSA(csrPub, keyPub) {
|
||||||
|
return true, ""
|
||||||
|
}
|
||||||
|
// Determine a more precise reason
|
||||||
|
kc := getECCurve(keyPub)
|
||||||
|
cc := getECCurve(csrPub)
|
||||||
|
if kc == curveInvalid {
|
||||||
|
return false, "invalid private key curve"
|
||||||
|
}
|
||||||
|
if cc == curveRSA {
|
||||||
|
return false, "private key is EC, CSR is RSA"
|
||||||
|
}
|
||||||
|
if kc != cc {
|
||||||
|
return false, "EC curves don't match"
|
||||||
|
}
|
||||||
|
return false, "public keys don't match"
|
||||||
|
case *rsa.PublicKey:
|
||||||
|
return false, "private key is EC, CSR is RSA"
|
||||||
|
default:
|
||||||
|
return false, fmt.Sprintf("unsupported CSR public key type: %T", csr.PublicKey)
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
return false, fmt.Sprintf("unrecognised private key type: %T", priv.Public())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user