(assoc-cert! keystore alias cert)
Inputs: [keystore :- KeyStore alias :- schema/Str cert :- X509Certificate] Returns: KeyStore
Add a certificate to a keystore. Arguments:
keystore
: the KeyStore
to add the certificate to
alias
: a String alias to associate with the certificate
cert
: an X509Certificate
to add to the keystore
Inputs: [keystore :- KeyStore alias :- schema/Str cert :- X509Certificate] Returns: KeyStore Add a certificate to a keystore. Arguments: `keystore`: the `KeyStore` to add the certificate to `alias`: a String alias to associate with the certificate `cert`: an `X509Certificate` to add to the keystore
Alias for assoc-certs-from-reader!
for backwards compatibility.
Alias for `assoc-certs-from-reader!` for backwards compatibility.
(assoc-certs-from-reader! keystore prefix pem)
Inputs: [keystore :- KeyStore prefix :- schema/Str pem :- Readerable] Returns: KeyStore
Add all certificates from a PEM file to a keystore. Arguments:
keystore
: the KeyStore
to add certificates to
prefix
: an alias to associate with the certificates. each
certificate will have a numeric index appended to
its alias, starting with '-0'
pem
: the path to a PEM file containing the certificate
(or some other object supported by clojure's reader
)
Inputs: [keystore :- KeyStore prefix :- schema/Str pem :- Readerable] Returns: KeyStore Add all certificates from a PEM file to a keystore. Arguments: `keystore`: the `KeyStore` to add certificates to `prefix`: an alias to associate with the certificates. each certificate will have a numeric index appended to its alias, starting with '-0' `pem`: the path to a PEM file containing the certificate (or some other object supported by clojure's `reader`)
(assoc-private-key! keystore alias private-key pw certs)
Inputs: [keystore :- KeyStore alias :- schema/Str private-key :- PrivateKey pw :- schema/Str certs :- (schema/maybe (schema/cond-pre [X509Certificate] X509Certificate))] Returns: KeyStore
Add a private key to a keystore. Arguments:
keystore
: the KeyStore
to add the private key to
alias
: a String alias to associate with the private key
private-key
: the PrivateKey
to add to the keystore
pw
: a password to use to protect the key in the keystore
certs
: the X509Certificate
or a list of X509Certificate
s for the
private key; a private key cannot be added to a keystore
without at least one signed certificate.
Inputs: [keystore :- KeyStore alias :- schema/Str private-key :- PrivateKey pw :- schema/Str certs :- (schema/maybe (schema/cond-pre [X509Certificate] X509Certificate))] Returns: KeyStore Add a private key to a keystore. Arguments: `keystore`: the `KeyStore` to add the private key to `alias`: a String alias to associate with the private key `private-key`: the `PrivateKey` to add to the keystore `pw`: a password to use to protect the key in the keystore `certs`: the `X509Certificate` or a list of `X509Certificate`s for the private key; a private key cannot be added to a keystore without at least one signed certificate.
Alias for assoc-private-key-from-reader!
for backwards compatibility.
Alias for `assoc-private-key-from-reader!` for backwards compatibility.
(assoc-private-key-from-reader! keystore alias pem-private-key pw pem-cert)
Inputs: [keystore :- KeyStore alias :- schema/Str pem-private-key :- Readerable pw :- schema/Str pem-cert :- Readerable] Returns: KeyStore
Add a private key to a keystore. Arguments:
keystore
: the KeyStore
to add the private key to
alias
: a String alias to associate with the private key
pem-private-key
: the path to a PEM file containing the private key to add to
the keystore (or some other object supported by clojure's reader
)
pw
: a password to use to protect the key in the keystore
pem-cert
: the path to a PEM file (or some other object supported by clojure's reader
)
containing the certificate for the private key; a private key cannot be added
to a keystore without a signed certificate.
Inputs: [keystore :- KeyStore alias :- schema/Str pem-private-key :- Readerable pw :- schema/Str pem-cert :- Readerable] Returns: KeyStore Add a private key to a keystore. Arguments: `keystore`: the `KeyStore` to add the private key to `alias`: a String alias to associate with the private key `pem-private-key`: the path to a PEM file containing the private key to add to the keystore (or some other object supported by clojure's `reader`) `pw`: a password to use to protect the key in the keystore `pem-cert`: the path to a PEM file (or some other object supported by clojure's `reader`) containing the certificate for the private key; a private key cannot be added to a keystore without a signed certificate.
AuthorityKeyIdentifier OID 2.5.29.35
AuthorityKeyIdentifier OID 2.5.29.35
(authority-key-identifier-options cert)
(authority-key-identifier-options public-key critical)
(authority-key-identifier-options issuer-dn serial critical)
(authority-key-identifier-options public-key issuer-dn serial critical)
Inputs: ([cert] [public-key critical] [issuer-dn serial critical] [public-key :- PublicKey issuer-dn :- ValidX500Name serial :- schema/Int critical :- Object]) Returns: SSLExtension
Create an Authority Key Identifier
extension from a PublicKey
object or
copy the existing SubjectKeyIdentifier
from a certificate. This function is
intended to be passed into sign-certificate
and generate-certificate-request
.
PublicKey details: A type 1 identifier will be computed from the public key.
Certificate details:
An X509Certificate
can be used instead of a PublicKey
. The
SubjectKeyIdentifier
of the certificate is copied and used for the
AuthorityKeyIdentifier
for the certificate about to be signed. When a
certificate is used, no hash computation takes place.
Inputs: ([cert] [public-key critical] [issuer-dn serial critical] [public-key :- PublicKey issuer-dn :- ValidX500Name serial :- schema/Int critical :- Object]) Returns: SSLExtension Create an `Authority Key Identifier` extension from a `PublicKey` object or copy the existing `SubjectKeyIdentifier` from a certificate. This function is intended to be passed into `sign-certificate` and `generate-certificate-request`. PublicKey details: A type 1 identifier will be computed from the public key. Certificate details: An `X509Certificate` can be used instead of a `PublicKey`. The `SubjectKeyIdentifier`of the certificate is copied and used for the `AuthorityKeyIdentifier` for the certificate about to be signed. When a certificate is used, no hash computation takes place.
(basic-constraints-for-ca)
(basic-constraints-for-ca max-path-len)
Inputs: ([] [max-path-len :- schema/Int]) Returns: SSLExtension
Create a Basic Constraints
extension for a CA certificate. max-path-len
refers to the maximum number of non-self-issued intermediate certificates that
may follow the CA certificate in a valid certification path. If max-path-len
is not specified, no limit will be imposed.
Inputs: ([] [max-path-len :- schema/Int]) Returns: SSLExtension Create a `Basic Constraints` extension for a CA certificate. `max-path-len` refers to the maximum number of non-self-issued intermediate certificates that may follow the CA certificate in a valid certification path. If `max-path-len` is not specified, no limit will be imposed.
(basic-constraints-for-non-ca critical)
Inputs: [critical :- Object] Returns: SSLExtension
Create a Basic Constraints
extension for a non-CA certificate.
Inputs: [critical :- Object] Returns: SSLExtension Create a `Basic Constraints` extension for a non-CA certificate.
(ca-cert-and-crl-pems->ssl-context ca-cert crls)
Inputs: [ca-cert :- Readerable crls :- Readerable] Returns: SSLContext
Given a pem for a CA certificate and one or more CRLs, creates an in-memory SSLContext initialized with a TrustStore generated from the input CA cert and enabled for revocation checking against the CRLs.
ca-cert
must be an object suitable for use with clojure's reader
and
reference a PEM that contains the CA cert.
crls
must be an object suitable for use with clojure's reader
and
reference a PEM that contains one or more CRLs.
Returns the SSLContext instance.
Inputs: [ca-cert :- Readerable crls :- Readerable] Returns: SSLContext Given a pem for a CA certificate and one or more CRLs, creates an in-memory SSLContext initialized with a TrustStore generated from the input CA cert and enabled for revocation checking against the CRLs. `ca-cert` must be an object suitable for use with clojure's `reader` and reference a PEM that contains the CA cert. `crls` must be an object suitable for use with clojure's `reader` and reference a PEM that contains one or more CRLs. Returns the SSLContext instance.
(ca-cert-pem->ssl-context ca-cert)
Inputs: [ca-cert :- Readerable] Returns: SSLContext
Given a pem for a CA certificate, creates an in-memory SSLContext initialized with a TrustStore generated from the input CA cert.
ca-cert
must be an object suitable for use with clojure's reader
, and
reference a PEM that contains the CA cert.
Returns the SSLContext instance.
Inputs: [ca-cert :- Readerable] Returns: SSLContext Given a pem for a CA certificate, creates an in-memory SSLContext initialized with a TrustStore generated from the input CA cert. `ca-cert` must be an object suitable for use with clojure's `reader`, and reference a PEM that contains the CA cert. Returns the SSLContext instance.
(cert->pem! cert pem)
Inputs: [cert :- X509Certificate pem :- Writerable]
Encodes a certificate to PEM format, and writes it to a file (or other stream). Arguments:
cert
: the X509Certificate
to encode and write
pem
: the file path to write the PEM output to
(or some other object supported by clojure's writer
)
Inputs: [cert :- X509Certificate pem :- Writerable] Encodes a certificate to PEM format, and writes it to a file (or other stream). Arguments: `cert`: the `X509Certificate` to encode and write `pem`: the file path to write the PEM output to (or some other object supported by clojure's `writer`)
(certificate-list? x)
Returns true if the given data structure is a list that contains certificates.
Returns true if the given data structure is a list that contains certificates.
(certificate-request? x)
Returns true if x is an instance of PKCS10CertificationRequest
(see generate-certificate-request
).
Returns true if x is an instance of `PKCS10CertificationRequest` (see `generate-certificate-request`).
(certificate-revocation-list? x)
Returns true if x is an instance of X509CRL
(see generate-crl
).
Returns true if x is an instance of `X509CRL` (see `generate-crl`).
(certificate? x)
Returns true if x is an instance of X509Certificate
(see sign-certificate-request
).
Returns true if x is an instance of `X509Certificate` (see `sign-certificate-request`).
(clojureize data-structure)
Convert a Java data structure returned from a Java utility method into a Clojure data structure.
Convert a Java data structure returned from a Java utility method into a Clojure data structure.
(cn common-name)
Inputs: [common-name :- schema/Str] Returns: ValidX500Name
Given a common name, generate an X.500 RDN from it
Inputs: [common-name :- schema/Str] Returns: ValidX500Name Given a common name, generate an X.500 RDN from it
(convertToSSLMultiValueAttribute attr)
Inputs: [attr :- ExtensionsUtils$AttributeDescriptor] Returns: SSLMultiValueAttribute
Inputs: [attr :- ExtensionsUtils$AttributeDescriptor] Returns: SSLMultiValueAttribute
(create-ca-extensions issuer-public-key ca-public-key)
(create-ca-extensions ca-name ca-serial ca-public-key)
Inputs: ([issuer-public-key :- (schema/pred public-key?) ca-public-key :- (schema/pred public-key?)] [ca-name :- (schema/pred valid-x500-name?) ca-serial :- (schema/pred number?) ca-public-key :- (schema/pred public-key?)]) Returns: (schema/pred extension-list?)
Create a list of extensions to be added to the CA certificate.
Inputs: ([issuer-public-key :- (schema/pred public-key?) ca-public-key :- (schema/pred public-key?)] [ca-name :- (schema/pred valid-x500-name?) ca-serial :- (schema/pred number?) ca-public-key :- (schema/pred public-key?)]) Returns: (schema/pred extension-list?) Create a list of extensions to be added to the CA certificate.
(crl->pem! crl pem)
Inputs: [crl :- X509CRL pem :- Writerable]
Encodes a CRL to PEM format, and writes it to a file (or other stream). Arguments:
crl
: the X509CRL
to encode
pem
: the file path to write the PEM output to
(or some other object supported by clojure's writer
)
Inputs: [crl :- X509CRL pem :- Writerable] Encodes a CRL to PEM format, and writes it to a file (or other stream). Arguments: `crl`: the `X509CRL` to encode `pem`: the file path to write the PEM output to (or some other object supported by clojure's `writer`)
(crl-issued-by-cert? crl cert)
Inputs: [crl :- X509CRL cert :- X509Certificate] Returns: schema/Bool
Given a CRL and a certificate, determine whether the CRL was issued by the certificate.
Inputs: [crl :- X509CRL cert :- X509Certificate] Returns: schema/Bool Given a CRL and a certificate, determine whether the CRL was issued by the certificate.
(crl-number number)
Inputs: [number :- schema/Int] Returns: SSLExtension
Create a CRL Number
extension
Inputs: [number :- schema/Int] Returns: SSLExtension Create a `CRL Number` extension
The default key length to use when generating a keypair.
The default key length to use when generating a keypair.
(delta-crl-indicator base-crl-number)
Inputs: [base-crl-number :- BigInteger] Returns: SSLExtension
Create a Delta CRL Indicator
extension.
Inputs: [base-crl-number :- BigInteger] Returns: SSLExtension Create a `Delta CRL Indicator` extension.
DeltaCRLIndicator OID 2.5.29.27
DeltaCRLIndicator OID 2.5.29.27
(delta-crl? crl)
Inputs: [crl :- X509CRL] Returns: schema/Bool
Inputs: [crl :- X509CRL] Returns: schema/Bool
(dn rdns)
Inputs: [rdns :- (schema/pred (fn* [p1__4627#] (and (sequential? p1__4627#) (even? (count p1__4627#)) (not-empty p1__4627#))))] Returns: ValidX500Name
Given a sequence of attribute names and value pairs, generate an X.500 DN string. For example, [:cn "common" :o "org"] would return "CN=common,O=org"
Inputs: [rdns :- (schema/pred (fn* [p1__4627#] (and (sequential? p1__4627#) (even? (count p1__4627#)) (not-empty p1__4627#))))] Returns: ValidX500Name Given a sequence of attribute names and value pairs, generate an X.500 DN string. For example, [:cn "common" :o "org"] would return "CN=common,O=org"
(ext-key-usages oid-list critical)
Inputs: [oid-list :- [schema/Str] critical :- Object] Returns: SSLExtension
Create an Extended Key Usages
extensions from a list of OIDs.
Inputs: [oid-list :- [schema/Str] critical :- Object] Returns: SSLExtension Create an `Extended Key Usages` extensions from a list of OIDs.
(extension-list? x)
Returns true if the given data structure is a list that contains extensions.
Returns true if the given data structure is a list that contains extensions.
(extension? x)
Returns true if the given map contains all the fields required to define an extension.
Returns true if the given map contains all the fields required to define an extension.
A schema for all the things that can hold an SSL extension.
A schema for all the things that can hold an SSL extension.
(fingerprint c digest)
Inputs: [c :- CertOrCSR digest :- schema/Str] Returns: schema/Str
Given a certificate or CSR, hash the object using the digest algorithm and return it as a hex string. The digest algorithm is expected to be one of SHA-1, SHA-256, or SHA-512.
Inputs: [c :- CertOrCSR digest :- schema/Str] Returns: schema/Str Given a certificate or CSR, hash the object using the digest algorithm and return it as a hex string. The digest algorithm is expected to be one of SHA-1, SHA-256, or SHA-512.
(generate-certificate-request keypair subject-dn)
(generate-certificate-request keypair subject-dn extensions)
(generate-certificate-request keypair subject-dn extensions attributes)
Inputs: ([keypair subject-dn] [keypair :- KeyPair subject-dn :- ValidX500Name extensions :- SSLExtensionList] [keypair :- KeyPair subject-dn :- ValidX500Name extensions :- SSLExtensionList attributes :- SSLAttributeList]) Returns: PKCS10CertificationRequest
Given the subject's keypair and name, create and return a certificate signing request (CSR). Arguments:
keypair
: subject's public & private keys
subject-name
: subject's X500 distinguished name
extensions
: an optional collection of Extension
objects to add to the certificate request
See sign-certificate-request
, obj->pem!
, and pem->csr
to sign & read/write CSRs.
Inputs: ([keypair subject-dn] [keypair :- KeyPair subject-dn :- ValidX500Name extensions :- SSLExtensionList] [keypair :- KeyPair subject-dn :- ValidX500Name extensions :- SSLExtensionList attributes :- SSLAttributeList]) Returns: PKCS10CertificationRequest Given the subject's keypair and name, create and return a certificate signing request (CSR). Arguments: `keypair`: subject's public & private keys `subject-name`: subject's X500 distinguished name `extensions`: an optional collection of `Extension` objects to add to the certificate request See `sign-certificate-request`, `obj->pem!`, and `pem->csr` to sign & read/write CSRs.
(generate-crl issuer issuer-private-key issuer-public-key)
(generate-crl issuer
issuer-private-key
issuer-public-key
this-update
next-update
crl-number
extensions)
Inputs: ([issuer :- X500Principal issuer-private-key :- PrivateKey issuer-public-key :- PublicKey] [issuer :- X500Principal issuer-private-key :- PrivateKey issuer-public-key :- PublicKey this-update :- Date next-update :- Date crl-number :- BigInteger extensions :- SSLExtensionList]) Returns: X509CRL
Given the certificate authority's principal identifier and private & public
keys, create and return a X509CRL
certificate revocation list (CRL).
The CRL will have an AuthorityKeyIdentifier and CRLNumber extensions. Typical
usage of this will be with the 3 argument arity; the fuller arity is exposed
here for testing purposes.
Arguments:
issuer
: the issuer's X500Principal
issuer-private-key
: the issuer's PrivateKey
issuer-public-key
: the issuer's PublicKey
this-update
: date for when this crl is created
next-update
: when to fetch the rcl next
crl-number
: number to start revocation count at
extensions
: any extensions to sign onto the crl
Inputs: ([issuer :- X500Principal issuer-private-key :- PrivateKey issuer-public-key :- PublicKey] [issuer :- X500Principal issuer-private-key :- PrivateKey issuer-public-key :- PublicKey this-update :- Date next-update :- Date crl-number :- BigInteger extensions :- SSLExtensionList]) Returns: X509CRL Given the certificate authority's principal identifier and private & public keys, create and return a `X509CRL` certificate revocation list (CRL). The CRL will have an AuthorityKeyIdentifier and CRLNumber extensions. Typical usage of this will be with the 3 argument arity; the fuller arity is exposed here for testing purposes. Arguments: `issuer`: the issuer's `X500Principal` `issuer-private-key`: the issuer's `PrivateKey` `issuer-public-key`: the issuer's `PublicKey` `this-update`: date for when this crl is created `next-update`: when to fetch the rcl next `crl-number`: number to start revocation count at `extensions`: any extensions to sign onto the crl
(generate-key-pair)
(generate-key-pair key-length)
Inputs: ([] [key-length :- schema/Int]) Returns: KeyPair
Given a key length (defaults to 4096), generate a new public & private key pair.
Inputs: ([] [key-length :- schema/Int]) Returns: KeyPair Given a key length (defaults to 4096), generate a new public & private key pair.
(generate-ssl-context options)
Inputs: [options :- SSLContextOptions] Returns: (schema/maybe SSLContext)
Given a map of options, extracts the SSL Options and attempts to create an SSLContext.
This function grabs five keys from a map, all of which are optional: :ssl-context, :ssl-key,
:ssl-ca-cert, :ssl-cert, and :ssl-ca-crl. The value stored at :ssl-context, if present, should
be an instance of an SSLContext object. The other keys should be objects suitable for use with
clojure's reader
and reference PEMs that contain the proper cert/key/crl list.
If the :ssl-context key is present, returns the value stored at that key.
Otherwise, if the :ssl-cert, :ssl-key, and :ssl-ca-cert keys are all present, returns an SSLContext constructed from those pems.
Otherwise, if the :ssl-ca-cert and :ssl-ca-crl keys are present, returns an SSLContext constructed from those pems.
Otherwise, if the :ssl-ca-cert key is present, returns an SSLContext constructed from the ca-cert pem.
If none of the :ssl-cert, :ssl-key, :ssl-ca-cert, :ssl-ca-crl, or :ssl-context keys are present, returns nil.
If the :ssl-context and :ssl-ca-cert keys are both missing, an exception will be thrown.
Inputs: [options :- SSLContextOptions] Returns: (schema/maybe SSLContext) Given a map of options, extracts the SSL Options and attempts to create an SSLContext. This function grabs five keys from a map, all of which are optional: :ssl-context, :ssl-key, :ssl-ca-cert, :ssl-cert, and :ssl-ca-crl. The value stored at :ssl-context, if present, should be an instance of an SSLContext object. The other keys should be objects suitable for use with clojure's `reader` and reference PEMs that contain the proper cert/key/crl list. If the :ssl-context key is present, returns the value stored at that key. Otherwise, if the :ssl-cert, :ssl-key, and :ssl-ca-cert keys are all present, returns an SSLContext constructed from those pems. Otherwise, if the :ssl-ca-cert and :ssl-ca-crl keys are present, returns an SSLContext constructed from those pems. Otherwise, if the :ssl-ca-cert key is present, returns an SSLContext constructed from the ca-cert pem. If none of the :ssl-cert, :ssl-key, :ssl-ca-cert, :ssl-ca-crl, or :ssl-context keys are present, returns nil. If the :ssl-context and :ssl-ca-cert keys are both missing, an exception will be thrown.
(get-attributes csr)
Inputs: [csr :- PKCS10CertificationRequest] Returns: SSLMultiValueAttributeList
Given a CSR, retrieve a list of maps of all attributes. Each map in the list contains the following keys:
oid
: The OID of the extension
values
: An array of values for the oid
Inputs: [csr :- PKCS10CertificationRequest] Returns: SSLMultiValueAttributeList Given a CSR, retrieve a list of maps of all attributes. Each map in the list contains the following keys: `oid` : The OID of the extension `values` : An array of values for the oid
(get-cn-from-x500-principal x500-principal)
Inputs: [x500-principal :- X500Principal] Returns: schema/Str
Given an X500Principal object, retrieve the common name (CN).
Inputs: [x500-principal :- X500Principal] Returns: schema/Str Given an X500Principal object, retrieve the common name (CN).
(get-cn-from-x509-certificate x509-certificate)
Inputs: [x509-certificate :- X509Certificate] Returns: schema/Str
Given an X509Certificate object, retrieve its common name (CN).
Inputs: [x509-certificate :- X509Certificate] Returns: schema/Str Given an X509Certificate object, retrieve its common name (CN).
(get-crl-number crl)
Inputs: [crl :- X509CRL] Returns: (schema/maybe BigInteger)
Given a CRL, return the value of the CRL Number extension, or nil if the extension is not present.
Inputs: [crl :- X509CRL] Returns: (schema/maybe BigInteger) Given a CRL, return the value of the CRL Number extension, or nil if the extension is not present.
(get-extension ext-container oid)
Inputs: [ext-container :- ExtensionContainer oid :- schema/Str] Returns: SSLExtension
Given a X509 certificate object, CRL, CSR, or a list of extensions
returned by get-extensions
, return a map describing the value and
criticality of the extension described by its OID.
Inputs: [ext-container :- ExtensionContainer oid :- schema/Str] Returns: SSLExtension Given a X509 certificate object, CRL, CSR, or a list of extensions returned by `get-extensions`, return a map describing the value and criticality of the extension described by its OID.
(get-extension-value ext-container oid)
Inputs: [ext-container :- ExtensionContainer oid :- schema/Str] Returns: schema/Any
Given a X509 certificate object, CRL, CSR or a list of extensions returned by
get-extensions
, return the value of an extension by its OID. If the OID
doesn't exist on the provided object, then nil is returned.
Inputs: [ext-container :- ExtensionContainer oid :- schema/Str] Returns: schema/Any Given a X509 certificate object, CRL, CSR or a list of extensions returned by `get-extensions`, return the value of an extension by its OID. If the OID doesn't exist on the provided object, then nil is returned.
(get-extensions ext-container)
Inputs: [ext-container :- (schema/cond-pre X509Certificate PKCS10CertificationRequest X509CRL)] Returns: SSLExtensionList
Given an object containing X509 extensions, retrieve a list of maps of all extensions. Each map in the list contains the following keys:
oid
: The OID of the extension
value
: The value of the extensions
critical
: True if this is a critical extensions, false if it is not.
Inputs: [ext-container :- (schema/cond-pre X509Certificate PKCS10CertificationRequest X509CRL)] Returns: SSLExtensionList Given an object containing X509 extensions, retrieve a list of maps of all extensions. Each map in the list contains the following keys: `oid` : The OID of the extension `value` : The value of the extensions `critical` : True if this is a critical extensions, false if it is not.
(get-key-manager-factory {:keys [keystore keystore-pw]})
Inputs: [{:keys [keystore keystore-pw]} :- {:keystore KeyStore, :keystore-pw schema/Str}] Returns: KeyManagerFactory
Given a map containing a KeyStore and keystore password (e.g. as generated by pems->key-and-trust-stores), return a KeyManagerFactory that contains the KeyStore.
Inputs: [{:keys [keystore keystore-pw]} :- {:keystore KeyStore, :keystore-pw schema/Str}] Returns: KeyManagerFactory Given a map containing a KeyStore and keystore password (e.g. as generated by pems->key-and-trust-stores), return a KeyManagerFactory that contains the KeyStore.
(get-private-key key-object)
Inputs: [key-object :- KeyPair] Returns: PrivateKey
Given an object which contains a private key, extract and return it.
Inputs: [key-object :- KeyPair] Returns: PrivateKey Given an object which contains a private key, extract and return it.
(get-public-key key-object)
Inputs: [key-object :- (schema/cond-pre KeyPair PKCS10CertificationRequest)] Returns: PublicKey
Given an object which contains a public key, extract the public key and return it.
Inputs: [key-object :- (schema/cond-pre KeyPair PKCS10CertificationRequest)] Returns: PublicKey Given an object which contains a public key, extract the public key and return it.
(get-serial cert)
Inputs: [cert :- X509Certificate] Returns: BigInteger
Given an X509 certificate, return the serial number from it.
Inputs: [cert :- X509Certificate] Returns: BigInteger Given an X509 certificate, return the serial number from it.
(get-subject-dns-alt-names cert-or-csr)
Inputs: [cert-or-csr :- CertOrCSR] Returns: (schema/maybe [schema/Str])
Given a certificate or CSR, return the list of DNS alternative names on the Subject Alternative Names extension, or nil if the extension is not present.
Inputs: [cert-or-csr :- CertOrCSR] Returns: (schema/maybe [schema/Str]) Given a certificate or CSR, return the list of DNS alternative names on the Subject Alternative Names extension, or nil if the extension is not present.
(get-subject-from-x509-certificate x509-certificate)
Inputs: [x509-certificate :- X509Certificate] Returns: schema/Str
Given an X509Certificate object, retrieve its subject.
Inputs: [x509-certificate :- X509Certificate] Returns: schema/Str Given an X509Certificate object, retrieve its subject.
(get-subject-ip-alt-names cert-or-csr)
Inputs: [cert-or-csr :- CertOrCSR] Returns: (schema/maybe [schema/Str])
Given a certificate or CSR, return the list of IP alternative names on the Subject Alternative Names extension, or nil if the extension is not present.
Inputs: [cert-or-csr :- CertOrCSR] Returns: (schema/maybe [schema/Str]) Given a certificate or CSR, return the list of IP alternative names on the Subject Alternative Names extension, or nil if the extension is not present.
(get-trust-manager-factory {:keys [truststore]})
Inputs: [{:keys [truststore]} :- {:truststore KeyStore}] Returns: TrustManagerFactory
Given a map containing a trust store (e.g. as generated by pems->key-and-trust-stores), return a TrustManagerFactory that contains the trust store.
Inputs: [{:keys [truststore]} :- {:truststore KeyStore}] Returns: TrustManagerFactory Given a map containing a trust store (e.g. as generated by pems->key-and-trust-stores), return a TrustManagerFactory that contains the trust store.
(javaize data-structure)
Convert a Clojure data structure passed into a function by a user into a Java data structure suitable for passing into a Java utility method.
Convert a Clojure data structure passed into a function by a user into a Java data structure suitable for passing into a Java utility method.
(key->pem! key pem)
Inputs: [key :- Key pem :- Writerable]
Encodes a public or private key to PEM format, and writes it to a file (or other stream). Arguments:
key
: the key to encode and write; usually an instance of PrivateKey
or PublicKey
pem
: the file path to write the PEM output to (or some other object supported by clojure's writer
)
Inputs: [key :- Key pem :- Writerable] Encodes a public or private key to PEM format, and writes it to a file (or other stream). Arguments: `key`: the key to encode and write; usually an instance of `PrivateKey` or `PublicKey` `pem`: the file path to write the PEM output to (or some other object supported by clojure's `writer`)
(key-usage flag-set critical)
Inputs: [flag-set :- #{Object} critical :- Object] Returns: SSLExtension
Create a Key Usage
extension from a set of flags to enable. See the
README.md for the keys supported.
Inputs: [flag-set :- #{Object} critical :- Object] Returns: SSLExtension Create a `Key Usage` extension from a set of flags to enable. See the README.md for the keys supported.
(keylength key)
Inputs: [key :- PublicOrPrivateKey] Returns: schema/Int
Given a key, return the length key length that was used when generating it.
Inputs: [key :- PublicOrPrivateKey] Returns: schema/Int Given a key, return the length key length that was used when generating it.
(keypair? x)
Returns true if x is a keypair (see generate-key-pair
).
Returns true if x is a keypair (see `generate-key-pair`).
(keystore)
Inputs: [] Returns: KeyStore
Create an empty in-memory Java KeyStore object.
Inputs: [] Returns: KeyStore Create an empty in-memory Java KeyStore object.
(netscape-comment comment)
Inputs: [comment :- schema/Str] Returns: SSLExtension
Create a Netscape Certificate Comment
extension.
Inputs: [comment :- schema/Str] Returns: SSLExtension Create a `Netscape Certificate Comment` extension.
(obj->pem! obj pem)
Inputs: [obj :- Object pem :- Writerable]
Encodes an object in PEM format, and writes it to a file (or other stream). Arguments:
obj
: the object to encode and write. Must be of a type that can be encoded
to PEM; usually this is limited to certain types from the java.security
packages.
pem
: the file path to write the PEM output to (or some other object supported by clojure's writer
)
Inputs: [obj :- Object pem :- Writerable] Encodes an object in PEM format, and writes it to a file (or other stream). Arguments: `obj`: the object to encode and write. Must be of a type that can be encoded to PEM; usually this is limited to certain types from the `java.security` packages. `pem`: the file path to write the PEM output to (or some other object supported by clojure's `writer`)
(obj->private-key obj)
Inputs: [obj :- Object] Returns: PrivateKey
Decodes the given object (read from a .pem via pem->objs
) into an instance of PrivateKey
.
Inputs: [obj :- Object] Returns: PrivateKey Decodes the given object (read from a .pem via `pem->objs`) into an instance of `PrivateKey`.
(objs->pem! objs buf)
Inputs: [objs :- [Object] buf :- Writerable]
Adds one or more cert related objects, PEM encoded, to the supplied writer
Inputs: [objs :- [Object] buf :- Writerable] Adds one or more cert related objects, PEM encoded, to the supplied writer
(pem->ca-cert cert-chain-pem key-or-keypair-pem)
Inputs: [cert-chain-pem :- Readerable key-or-keypair-pem :- Readerable] Returns: X509Certificate
Given a CA certificate chain and key pair, extract and verify the certificate matching the key pair.
Inputs: [cert-chain-pem :- Readerable key-or-keypair-pem :- Readerable] Returns: X509Certificate Given a CA certificate chain and key pair, extract and verify the certificate matching the key pair.
(pem->ca-crl crl-chain ca-cert)
Inputs: [crl-chain :- Readerable ca-cert :- X509Certificate] Returns: X509CRL
Given a CRL chain and CA certificate, extract the CRL issued by the certificate
Inputs: [crl-chain :- Readerable ca-cert :- X509Certificate] Returns: X509CRL Given a CRL chain and CA certificate, extract the CRL issued by the certificate
(pem->cert pem)
Inputs: [pem :- Readerable] Returns: X509Certificate
Given the path to a PEM file (or some other object supported by clojure's reader
),
decodes the contents into an X509Certificate
.
Inputs: [pem :- Readerable] Returns: X509Certificate Given the path to a PEM file (or some other object supported by clojure's `reader`), decodes the contents into an `X509Certificate`.
(pem->certs pem)
Inputs: [pem :- Readerable] Returns: [X509Certificate]
Given the path to a PEM file (or some other object supported by clojure's reader
),
decodes the contents into a collection of X509Certificate
instances.
Inputs: [pem :- Readerable] Returns: [X509Certificate] Given the path to a PEM file (or some other object supported by clojure's `reader`), decodes the contents into a collection of `X509Certificate` instances.
(pem->crl pem)
Inputs: [pem :- Readerable] Returns: X509CRL
Given the path to a PEM file (or some other object supported by clojure's reader
),
decode the contents into a X509CRL
.
See crl->pem!
to PEM-encode a certificate revocation list.
Inputs: [pem :- Readerable] Returns: X509CRL Given the path to a PEM file (or some other object supported by clojure's `reader`), decode the contents into a `X509CRL`. See `crl->pem!` to PEM-encode a certificate revocation list.
(pem->crls pem)
Inputs: [pem :- Readerable] Returns: [X509CRL]
Given the path to a PEM file (or some other object supported by clojure's
reader
), decode the contents into a collection of X509CRL
instances.
Inputs: [pem :- Readerable] Returns: [X509CRL] Given the path to a PEM file (or some other object supported by clojure's `reader`), decode the contents into a collection of `X509CRL` instances.
(pem->csr pem)
Inputs: [pem :- Readerable] Returns: PKCS10CertificationRequest
Given the path to a PEM file (or some other object supported by clojure's reader
),
decode the contents into a PKCS10CertificationRequest
.
See obj->pem!
to PEM-encode a certificate signing request.
Inputs: [pem :- Readerable] Returns: PKCS10CertificationRequest Given the path to a PEM file (or some other object supported by clojure's `reader`), decode the contents into a `PKCS10CertificationRequest`. See `obj->pem!` to PEM-encode a certificate signing request.
(pem->objs pem)
Inputs: [pem :- Readerable] Returns: [Object]
Given a file path (or some other object supported by clojure's reader
), reads
PEM-encoded objects and returns a collection of objects of the corresponding
type from java.security
.
Inputs: [pem :- Readerable] Returns: [Object] Given a file path (or some other object supported by clojure's `reader`), reads PEM-encoded objects and returns a collection of objects of the corresponding type from `java.security`.
(pem->private-key pem)
Inputs: [pem :- Readerable] Returns: PrivateKey
Given the path to a PEM file (or some other object supported by clojure's reader
),
decode the contents into a PrivateKey
instance. Throws an exception if multiple keys
are found in the PEM.
See key->pem!
and pem->private-keys
to write/read keys.
Inputs: [pem :- Readerable] Returns: PrivateKey Given the path to a PEM file (or some other object supported by clojure's `reader`), decode the contents into a `PrivateKey` instance. Throws an exception if multiple keys are found in the PEM. See `key->pem!` and `pem->private-keys` to write/read keys.
(pem->private-keys pem)
Inputs: [pem :- Readerable] Returns: [PrivateKey]
Given the path to a PEM file (or some other object supported by clojure's reader
),
decodes the contents into a collection of PrivateKey
instances.
Inputs: [pem :- Readerable] Returns: [PrivateKey] Given the path to a PEM file (or some other object supported by clojure's `reader`), decodes the contents into a collection of `PrivateKey` instances.
(pem->public-key pem)
Inputs: [pem :- Readerable] Returns: PublicKey
Given the path to a PEM file (or some other object supported by clojure's reader
),
decode the contents into a PublicKey
instance. Throws an exception if multiple
keys are found in the PEM.
See key->pem!
to write public keys.
Inputs: [pem :- Readerable] Returns: PublicKey Given the path to a PEM file (or some other object supported by clojure's `reader`), decode the contents into a `PublicKey` instance. Throws an exception if multiple keys are found in the PEM. See `key->pem!` to write public keys.
(pems->key-and-trust-stores cert private-key ca-cert)
Inputs: [cert :- Readerable private-key :- Readerable ca-cert :- Readerable] Returns: KeyAndTrustStore
Given pems for a certificate, private key, and CA certificate, creates an in-memory KeyStore and TrustStore.
Argument should be a map containing the keys :cert
, :key
, and :ca-cert
.
Each value must be an object suitable for use with clojure's reader
, and
reference a PEM that contains the appropriate cert/key.
Returns a map containing the following keys:
:keystore
- an instance of KeyStore initialized with the cert and private key
:keystore-pw
- a string containing a dynamically generated password for the KeyStore
:truststore
- an instance of KeyStore containing the CA cert.
Inputs: [cert :- Readerable private-key :- Readerable ca-cert :- Readerable] Returns: KeyAndTrustStore Given pems for a certificate, private key, and CA certificate, creates an in-memory KeyStore and TrustStore. Argument should be a map containing the keys `:cert`, `:key`, and `:ca-cert`. Each value must be an object suitable for use with clojure's `reader`, and reference a PEM that contains the appropriate cert/key. Returns a map containing the following keys: `:keystore` - an instance of KeyStore initialized with the cert and private key `:keystore-pw` - a string containing a dynamically generated password for the KeyStore `:truststore` - an instance of KeyStore containing the CA cert.
(pems->ssl-context cert private-key ca-cert)
(pems->ssl-context cert private-key ca-cert crls)
Inputs: ([cert private-key ca-cert] [cert :- Readerable private-key :- Readerable ca-cert :- Readerable crls :- (schema/maybe Readerable)]) Returns: SSLContext
Given pems for a certificate, private key, and CA certificate, creates an in-memory SSLContext initialized with a KeyStore/TrustStore generated from the input certs/key. If an optional argument containing CRLs is provided, the SSLContext is also enabled for revocation checking against the CRLs.
Each argument must be an object suitable for use with clojure's reader
, and
reference a PEM that contains the appropriate cert/key/crl list.
Returns the SSLContext instance.
Inputs: ([cert private-key ca-cert] [cert :- Readerable private-key :- Readerable ca-cert :- Readerable crls :- (schema/maybe Readerable)]) Returns: SSLContext Given pems for a certificate, private key, and CA certificate, creates an in-memory SSLContext initialized with a KeyStore/TrustStore generated from the input certs/key. If an optional argument containing CRLs is provided, the SSLContext is also enabled for revocation checking against the CRLs. Each argument must be an object suitable for use with clojure's `reader`, and reference a PEM that contains the appropriate cert/key/crl list. Returns the SSLContext instance.
(private-key? x)
Returns true if x is a private key (see generate-key-pair
).
Returns true if x is a private key (see `generate-key-pair`).
(public-key? x)
Returns true if x is a public key (see generate-key-pair
).
Returns true if x is a public key (see `generate-key-pair`).
(puppet-node-image-name name critical)
Inputs: [name :- schema/Str critical :- Object] Returns: SSLExtension
Create a Puppet Node Image Name
extension.
Inputs: [name :- schema/Str critical :- Object] Returns: SSLExtension Create a `Puppet Node Image Name` extension.
(puppet-node-instance-id id critical)
Inputs: [id :- schema/Str critical :- Object] Returns: SSLExtension
Create a Puppet Node Instance ID
extension.
Inputs: [id :- schema/Str critical :- Object] Returns: SSLExtension Create a `Puppet Node Instance ID` extension.
(puppet-node-preshared-key key critical)
Inputs: [key :- schema/Str critical :- Object] Returns: SSLExtension
Create a Puppet Node Preshared Key
extension.
Inputs: [key :- schema/Str critical :- Object] Returns: SSLExtension Create a `Puppet Node Preshared Key` extension.
(puppet-node-uid uid critical)
Inputs: [uid :- schema/Str critical :- Object] Returns: SSLExtension
Create a Puppet Node UID
extension.
Inputs: [uid :- schema/Str critical :- Object] Returns: SSLExtension Create a `Puppet Node UID` extension.
Schema for anything that can be handed off to clojure's reader function.
Schema for anything that can be handed off to clojure's reader function.
(revoke crl issuer-private-key issuer-public-key cert-serial)
Inputs: [crl :- X509CRL issuer-private-key :- PrivateKey issuer-public-key :- PublicKey cert-serial :- schema/Int] Returns: X509CRL
Given a certificate revocation list and certificate serial number, revoke the certificate by adding its serial number to the list and return the updated CRL. The issuer keys should be the same ones that were used when generating the CRL.
The CRLNumber extension on the CRL will be incremented by 1, or the extension will be added if it doesn't already exist.
The AuthorityKeyIdentifier extension will be added to the CRL if it doesn't already exist.
Inputs: [crl :- X509CRL issuer-private-key :- PrivateKey issuer-public-key :- PublicKey cert-serial :- schema/Int] Returns: X509CRL Given a certificate revocation list and certificate serial number, revoke the certificate by adding its serial number to the list and return the updated CRL. The issuer keys should be the same ones that were used when generating the CRL. The CRLNumber extension on the CRL will be incremented by 1, or the extension will be added if it doesn't already exist. The AuthorityKeyIdentifier extension will be added to the CRL if it doesn't already exist.
(revoke-multiple crl issuer-private-key issuer-public-key cert-serials)
Inputs: [crl :- X509CRL issuer-private-key :- PrivateKey issuer-public-key :- PublicKey cert-serials :- [schema/Int]] Returns: X509CRL
Given a certificate revocation list and a list of certificate serial numbers, revoke the certificates by adding their serial numbers to the list and returning the updated CRL. The issuer keys should be the same ones that were used when generating the CRL.
The CRLNumber extension on the CRL will be incremented by 1, or the extension will be added if it doesn't already exist.
The AuthorityKeyIdentifier extension will be added to the CRL if it doesn't already exist.
Inputs: [crl :- X509CRL issuer-private-key :- PrivateKey issuer-public-key :- PublicKey cert-serials :- [schema/Int]] Returns: X509CRL Given a certificate revocation list and a list of certificate serial numbers, revoke the certificates by adding their serial numbers to the list and returning the updated CRL. The issuer keys should be the same ones that were used when generating the CRL. The CRLNumber extension on the CRL will be incremented by 1, or the extension will be added if it doesn't already exist. The AuthorityKeyIdentifier extension will be added to the CRL if it doesn't already exist.
(revoked? crl certificate)
Inputs: [crl :- X509CRL certificate :- X509Certificate] Returns: schema/Bool
Given a certificate revocation list and certificate, test if the certificate has been revoked.
Note that if the certificate and CRL have different issuers, false will be returned even if the certificate's serial number is on the CRL (i.e. previously revoked).
Inputs: [crl :- X509CRL certificate :- X509Certificate] Returns: schema/Bool Given a certificate revocation list and certificate, test if the certificate has been revoked. Note that if the certificate and CRL have different issuers, false will be returned even if the certificate's serial number is on the CRL (i.e. previously revoked).
(sign-certificate issuer-dn
issuer-priv-key
serial
not-before
not-after
subject-dn
subject-pub-key)
(sign-certificate issuer-dn
issuer-priv-key
serial
not-before
not-after
subject-dn
subject-pub-key
extensions)
Inputs: ([issuer-dn issuer-priv-key serial not-before not-after subject-dn subject-pub-key] [issuer-dn :- ValidX500Name issuer-priv-key :- PrivateKey serial :- schema/Int not-before :- Date not-after :- Date subject-dn :- ValidX500Name subject-pub-key :- PublicKey extensions :- SSLExtensionList]) Returns: X509Certificate
Given a subject, certificate authority information and other certificate info,
return a signed X509Certificate
object.
Arguments:
issuer-dn
: a string containing the issuer's DN.
issuer-priv-key
: the issuer's private key.
serial
: an arbitrary serial number integer.
not-before
: the certificate's 'not before' date.
not-after
: the certificate's 'not after' date.
subject-dn
: the subject's DN
subject-pub-key
: the subject's public key
extensions
: an optional list of X509 extensions, each of which is
a map with an oid
, value
and critical
flag. The
value format is dependent upon the oid.
Inputs: ([issuer-dn issuer-priv-key serial not-before not-after subject-dn subject-pub-key] [issuer-dn :- ValidX500Name issuer-priv-key :- PrivateKey serial :- schema/Int not-before :- Date not-after :- Date subject-dn :- ValidX500Name subject-pub-key :- PublicKey extensions :- SSLExtensionList]) Returns: X509Certificate Given a subject, certificate authority information and other certificate info, return a signed `X509Certificate` object. Arguments: `issuer-dn`: a string containing the issuer's DN. `issuer-priv-key`: the issuer's private key. `serial`: an arbitrary serial number integer. `not-before`: the certificate's 'not before' date. `not-after`: the certificate's 'not after' date. `subject-dn`: the subject's DN `subject-pub-key`: the subject's public key `extensions`: an optional list of X509 extensions, each of which is a map with an `oid`, `value` and `critical` flag. The value format is dependent upon the oid.
(signature-valid? csr)
Inputs: [csr :- PKCS10CertificationRequest] Returns: schema/Bool
Does the given CSR have a valid signature on it? i.e., was it signed by the private key corresponding to the public key included in the CSR?
Inputs: [csr :- PKCS10CertificationRequest] Returns: schema/Bool Does the given CSR have a valid signature on it? i.e., was it signed by the private key corresponding to the public key included in the CSR?
Schema for the options map that generate-ssl-context requires.
Schema for the options map that generate-ssl-context requires.
A map containing all the fields required to define an extension. This is not the actual SSL Extension itself but the required oid, critical boolean, and value for the Extension. Use the optional :options to to modify how the extension is created in ExtensionsUtils.
A map containing all the fields required to define an extension. This is not the actual SSL Extension itself but the required oid, critical boolean, and value for the Extension. Use the optional :options to to modify how the extension is created in ExtensionsUtils.
SubjectAlternativeName OID 2.5.29.17
SubjectAlternativeName OID 2.5.29.17
(subject-alt-names alt-names-hashmap critical)
Inputs: [alt-names-hashmap :- #:schema{Keyword [schema/Str]} critical :- Object] Returns: SSLExtension
Create a Subject Alternative Names extensions (OID=2.5.29.17) which contains
a list of DNS and/maybe IP names as alternative names. The critical
argument sets the
criticality flag of this extension.
Inputs: [alt-names-hashmap :- #:schema{Keyword [schema/Str]} critical :- Object] Returns: SSLExtension Create a Subject Alternative Names extensions (OID=2.5.29.17) which contains a list of DNS and/maybe IP names as alternative names. The `critical` argument sets the criticality flag of this extension.
(subject-dns-alt-names alt-names-list critical)
Inputs: [alt-names-list :- [schema/Str] critical :- Object] Returns: SSLExtension
Create a Subject Alternative Names extensions (OID=2.5.29.17) which contains
a list of DNS names as alternative names. The critical
argument sets the
criticality flag of this extension.
Inputs: [alt-names-list :- [schema/Str] critical :- Object] Returns: SSLExtension Create a Subject Alternative Names extensions (OID=2.5.29.17) which contains a list of DNS names as alternative names. The `critical` argument sets the criticality flag of this extension.
(subject-key-identifier public-key critical)
Inputs: [public-key :- PublicKey critical :- Object] Returns: SSLExtension
Create a Subject Key Identifier
extension from a PublicKey
object. The
extension created by this function is intended to be passed into
sign-certificate
and generate-certificate-request
, at which time the key's
hash will be computed and stored in the resulting object.
Inputs: [public-key :- PublicKey critical :- Object] Returns: SSLExtension Create a `Subject Key Identifier` extension from a `PublicKey` object. The extension created by this function is intended to be passed into `sign-certificate` and `generate-certificate-request`, at which time the key's hash will be computed and stored in the resulting object.
SubjectKeyIdentifier OID 2.5.29.14
SubjectKeyIdentifier OID 2.5.29.14
(subtree-of? parent-oid oid)
Inputs: [parent-oid :- schema/Str oid :- schema/Str] Returns: schema/Bool
Given an OID and a a parent tree OID return true if the OID is within the subtree of the parent OID.
Inputs: [parent-oid :- schema/Str oid :- schema/Str] Returns: schema/Bool Given an OID and a a parent tree OID return true if the OID is within the subtree of the parent OID.
(valid-x500-name? x)
Returns true if x is a valid X500 name string.
Returns true if x is a valid X500 name string.
(validate-cert-chain cert-chain crl-chain)
Inputs: [cert-chain :- [X509Certificate] crl-chain :- [X509CRL]]
Given a list of certificates and a list of CRLs, validate the certificate chain, i.e. ensure that none of the certs have been revoked by checking the appropriate CRL, which must be present and currently valid. Returns nil if successful.
Inputs: [cert-chain :- [X509Certificate] crl-chain :- [X509CRL]] Given a list of certificates and a list of CRLs, validate the certificate chain, i.e. ensure that none of the certs have been revoked by checking the appropriate CRL, which must be present and currently valid. Returns nil if successful.
Schema for anything that can be handed off to clojure's writer function.
Schema for anything that can be handed off to clojure's writer function.
(x500-name->CN x500-name)
Inputs: [x500-name :- ValidX500Name] Returns: schema/Str
Given an X500 name, return the common name from it.
Inputs: [x500-name :- ValidX500Name] Returns: schema/Str Given an X500 name, return the common name from it.
(x500-principal? x)
Returns true if x is an instance of 'X500Principal'.
Returns true if x is an instance of 'X500Principal'.
(x509-extension? x)
Returns true if the given object contains X509 extensions, this generally
refers to X509Certificate
and X509CRL
objects.
Returns true if the given object contains X509 extensions, this generally refers to `X509Certificate` and `X509CRL` objects.
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close