Sprig provides a couple of advanced cryptographic functions.
The sha1sum function receives a string, and computes it's SHA1 digest.
sha1sum "Hello world!"
The sha256sum function receives a string, and computes it's SHA256 digest.
sha256sum "Hello world!"
The above will compute the SHA 256 sum in an "ASCII armored" format that is safe to print.
The sha512sum function receives a string, and computes it's SHA512 digest.
sha512sum "Hello world!"
The above will compute the SHA 512 sum in an "ASCII armored" format that is safe to print.
The adler32sum function receives a string, and computes its Adler-32 checksum.
adler32sum "Hello world!"
The bcrypt function takes a input, and a cost and generates a bcrypt hash. cost is optional and defaults to bcrypt_lib.DefaultCost (10).
bcrypt "myPassword"
The htpasswd function takes a username, a password, and a hashAlgorithm and generates a bcrypt (recommended) or a base64 encoded and prefixed sha hash of the password. hashAlgorithm is optional and defaults to bcrypt. The result can be used for basic authentication on an Apache HTTP Server.
htpasswd "myUser" "myPassword" ["bcrypt"|"sha"]
Note that it is insecure to store the password directly in the template.
The randBytes function accepts a count N and generates a cryptographically
secure (uses crypto/rand) random sequence of N bytes. The sequence is
returned as a base64 encoded string.
randBytes 24
The derivePassword function can be used to derive a specific password based on
some shared "master password" constraints. The algorithm for this is
well specified.
derivePassword 1 "long" "password" "user" "example.com"
Note that it is considered insecure to store the parts directly in the template.
The genPrivateKey function generates a new private key encoded into a PEM
block.
It takes one of the values for its first param:
ecdsa: Generate an elliptic curve DSA key (P256)dsa: Generate a DSA key (L2048N256)rsa: Generate an RSA 4096 keyed25519: Generate an Ed25519 key
The buildCustomCert function allows customizing the certificate.
It takes the following string parameters:
- A base64 encoded PEM format certificate
- A base64 encoded PEM format private key
It returns a certificate object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$ca := buildCustomCert "base64-encoded-ca-crt" "base64-encoded-ca-key"
Note that the returned object can be passed to the genSignedCert function
to sign a certificate using this CA.
The genCA function generates a new, self-signed x509 certificate authority using a
2048-bit RSA private key.
It takes the following parameters:
- Subject's common name (cn)
- Cert validity duration in days
It returns an object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$ca := genCA "foo-ca" 365
Note that the returned object can be passed to the genSignedCert function
to sign a certificate using this CA.
The genCAWithKey function generates a new, self-signed x509 certificate authority using a
given private key.
It takes the following parameters:
- Subject's common name (cn)
- Cert validity duration in days
- Private key (PEM-encoded); DSA keys are not supported
It returns an object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$ca := genCAWithKey "foo-ca" 365 (genPrivateKey "rsa")
Note that the returned object can be passed to the genSignedCert function
to sign a certificate using this CA.
The genSelfSignedCert function generates a new, self-signed x509 certificate using a
2048-bit RSA private key.
It takes the following parameters:
- Subject's common name (cn)
- Optional list of IPs; may be nil
- Optional list of alternate DNS names; may be nil
- Cert validity duration in days
It returns an object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$cert := genSelfSignedCert "foo.com" (list "10.0.0.1" "10.0.0.2") (list "bar.com" "bat.com") 365
The genSelfSignedCertWithKey function generates a new, self-signed x509 certificate using a
given private key.
It takes the following parameters:
- Subject's common name (cn)
- Optional list of IPs; may be nil
- Optional list of alternate DNS names; may be nil
- Cert validity duration in days
- Private key (PEM-encoded); DSA keys are not supported
It returns an object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$cert := genSelfSignedCertWithKey "foo.com" (list "10.0.0.1" "10.0.0.2") (list "bar.com" "bat.com") 365 (genPrivateKey "ecdsa")
The genSignedCert function generates a new, x509 certificate signed by the
specified CA, using a 2048-bit RSA private key.
It takes the following parameters:
- Subject's common name (cn)
- Optional list of IPs; may be nil
- Optional list of alternate DNS names; may be nil
- Cert validity duration in days
- CA (see
genCA)
Example:
$ca := genCA "foo-ca" 365
$cert := genSignedCert "foo.com" (list "10.0.0.1" "10.0.0.2") (list "bar.com" "bat.com") 365 $ca
The genSignedCertWithKey function generates a new, x509 certificate signed by the
specified CA, using a given private key.
It takes the following parameters:
- Subject's common name (cn)
- Optional list of IPs; may be nil
- Optional list of alternate DNS names; may be nil
- Cert validity duration in days
- CA (see
genCA) - Private key (PEM-encoded); DSA keys are not supported
Example:
$ca := genCA "foo-ca" 365
$cert := genSignedCert "foo.com" (list "10.0.0.1" "10.0.0.2") (list "bar.com" "bat.com") 365 $ca (genPrivateKey "ed25519")
The encryptAES function encrypts text with AES-256 CBC and returns a base64 encoded string.
encryptAES "secretkey" "plaintext"
The decryptAES function receives a base64 string encoded by the AES-256 CBC
algorithm and returns the decoded text.
"30tEfhuJSVRhpG97XCuWgz2okj7L8vQ1s6V9zVUPeDQ=" | decryptAES "secretkey"