.github/workflows/test.yaml

@@ -4,7 +4,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.12.x, 1.13.x, 1.14.x]
+        go-version: [1.13.x, 1.14.x, 1.15.x]
         platform: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.platform }}
     steps:

CHANGELOG.md

@@ -1,5 +1,35 @@
 # Changelog
 
+## Release 3.2.0 (2020-12-14)
+
+### Added
+
+- #211: Added randInt function (thanks @kochurovro)
+- #223: Added fromJson and mustFromJson functions (thanks @mholt)
+- #242: Added a bcrypt function (thanks @robbiet480)
+- #253: Added randBytes function (thanks @MikaelSmith)
+- #254: Added dig function for dicts (thanks @nyarly)
+- #257: Added regexQuoteMeta for quoting regex metadata (thanks @rheaton)
+- #261: Added filepath functions osBase, osDir, osExt, osClean, osIsAbs (thanks @zugl)
+- #268: Added and and all functions for testing conditions (thanks @phuslu)
+- #181: Added float64 arithmetic addf, add1f, subf, divf, mulf, maxf, and minf
+  (thanks @andrewmostello)
+- #265: Added chunk function to split array into smaller arrays (thanks @karelbilek)
+- #270: Extend certificate functions to handle non-RSA keys + add support for
+  ed25519 keys (thanks @misberner)
+
+### Changed
+
+- Removed testing and support for Go 1.12. ed25519 support requires Go 1.13 or newer
+- Using semver 3.1.1 and mergo 0.3.11
+
+### Fixed
+
+- #249: Fix htmlDateInZone example (thanks @spawnia)
+
+NOTE: The dependency github.com/imdario/mergo reverted the breaking change in
+0.3.9 via 0.3.10 release.
+
 ## Release 3.1.0 (2020-04-16)
 
 NOTE: The dependency github.com/imdario/mergo made a behavior change in 0.3.9

crypto.go

@@ -2,10 +2,12 @@ package sprig
 
 import (
 	"bytes"
+	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/dsa"
 	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/elliptic"
 	"crypto/hmac"
 	"crypto/rand"
@@ -30,7 +32,7 @@ import (
 	"strings"
 
 	"github.com/google/uuid"
-	"golang.org/x/crypto/bcrypt"
+	bcrypt_lib "golang.org/x/crypto/bcrypt"
 	"golang.org/x/crypto/scrypt"
 )
 
@@ -49,15 +51,28 @@ func adler32sum(input string) string {
 	return fmt.Sprintf("%d", hash)
 }
 
+func bcrypt(input string) string {
+	hash, err := bcrypt_lib.GenerateFromPassword([]byte(input), bcrypt_lib.DefaultCost)
+	if err != nil {
+		return fmt.Sprintf("failed to encrypt string with bcrypt: %s", err)
+	}
+
+	return string(hash)
+}
+
 func htpasswd(username string, password string) string {
 	if strings.Contains(username, ":") {
 		return fmt.Sprintf("invalid username: %s", username)
 	}
-	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
-	if err != nil {
-		return fmt.Sprintf("failed to create htpasswd: %s", err)
+	return fmt.Sprintf("%s:%s", username, bcrypt(password))
+}
+
+func randBytes(count int) (string, error) {
+	buf := make([]byte, count)
+	if _, err := rand.Read(buf); err != nil {
+		return "", err
 	}
-	return fmt.Sprintf("%s:%s", username, hash)
+	return base64.StdEncoding.EncodeToString(buf), nil
 }
 
 // uuidv4 provides a safe and secure UUID v4 implementation
@@ -147,6 +162,8 @@ func generatePrivateKey(typ string) string {
 	case "ecdsa":
 		// again, good enough for government work
 		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case "ed25519":
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
 	default:
 		return "Unknown type " + typ
 	}
@@ -179,7 +196,73 @@ func pemBlockForKey(priv interface{}) *pem.Block {
 		b, _ := x509.MarshalECPrivateKey(k)
 		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
 	default:
-		return nil
+		// attempt PKCS#8 format for all other keys
+		b, err := x509.MarshalPKCS8PrivateKey(k)
+		if err != nil {
+			return nil
+		}
+		return &pem.Block{Type: "PRIVATE KEY", Bytes: b}
+	}
+}
+
+func parsePrivateKeyPEM(pemBlock string) (crypto.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(pemBlock))
+	if block == nil {
+		return nil, errors.New("no PEM data in input")
+	}
+
+	if block.Type == "PRIVATE KEY" {
+		priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("decoding PEM as PKCS#8: %s", err)
+		}
+		return priv, nil
+	} else if !strings.HasSuffix(block.Type, " PRIVATE KEY") {
+		return nil, fmt.Errorf("no private key data in PEM block of type %s", block.Type)
+	}
+
+	switch block.Type[:len(block.Type)-12] { // strip " PRIVATE KEY"
+	case "RSA":
+		priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("parsing RSA private key from PEM: %s", err)
+		}
+		return priv, nil
+	case "EC":
+		priv, err := x509.ParseECPrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("parsing EC private key from PEM: %s", err)
+		}
+		return priv, nil
+	case "DSA":
+		var k DSAKeyFormat
+		_, err := asn1.Unmarshal(block.Bytes, &k)
+		if err != nil {
+			return nil, fmt.Errorf("parsing DSA private key from PEM: %s", err)
+		}
+		priv := &dsa.PrivateKey{
+			PublicKey: dsa.PublicKey{
+				Parameters: dsa.Parameters{
+					P: k.P, Q: k.Q, G: k.G,
+				},
+				Y: k.Y,
+			},
+			X: k.X,
+		}
+		return priv, nil
+	default:
+		return nil, fmt.Errorf("invalid private key type %s", block.Type)
+	}
+}
+
+func getPublicKey(priv crypto.PrivateKey) (crypto.PublicKey, error) {
+	switch k := priv.(type) {
+	case interface{ Public() crypto.PublicKey }:
+		return k.Public(), nil
+	case *dsa.PrivateKey:
+		return &k.PublicKey, nil
+	default:
+		return nil, fmt.Errorf("unable to get public key for type %T", priv)
 	}
 }
 
@@ -213,14 +296,10 @@ func buildCustomCertificate(b64cert string, b64key string) (certificate, error)
 		)
 	}
 
-	decodedKey, _ := pem.Decode(key)
-	if decodedKey == nil {
-		return crt, errors.New("unable to decode key")
-	}
-	_, err = x509.ParsePKCS1PrivateKey(decodedKey.Bytes)
+	_, err = parsePrivateKeyPEM(string(key))
 	if err != nil {
 		return crt, fmt.Errorf(
-			"error parsing prive key: decodedKey.Bytes: %s",
+			"error parsing private key: %s",
 			err,
 		)
 	}
@@ -234,6 +313,31 @@ func buildCustomCertificate(b64cert string, b64key string) (certificate, error)
 func generateCertificateAuthority(
 	cn string,
 	daysValid int,
+) (certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+
+	return generateCertificateAuthorityWithKeyInternal(cn, daysValid, priv)
+}
+
+func generateCertificateAuthorityWithPEMKey(
+	cn string,
+	daysValid int,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
+	if err != nil {
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
+	}
+	return generateCertificateAuthorityWithKeyInternal(cn, daysValid, priv)
+}
+
+func generateCertificateAuthorityWithKeyInternal(
+	cn string,
+	daysValid int,
+	priv crypto.PrivateKey,
 ) (certificate, error) {
 	ca := certificate{}
 
@@ -247,11 +351,6 @@ func generateCertificateAuthority(
 		x509.KeyUsageCertSign
 	template.IsCA = true
 
-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return ca, fmt.Errorf("error generating rsa key: %s", err)
-	}
-
 	ca.Cert, ca.Key, err = getCertAndKey(template, priv, template, priv)
 
 	return ca, err
@@ -263,16 +362,39 @@ func generateSelfSignedCertificate(
 	alternateDNS []interface{},
 	daysValid int,
 ) (certificate, error) {
-	cert := certificate{}
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+	return generateSelfSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, priv)
+}
 
-	template, err := getBaseCertTemplate(cn, ips, alternateDNS, daysValid)
+func generateSelfSignedCertificateWithPEMKey(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
 	if err != nil {
-		return cert, err
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
 	}
+	return generateSelfSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, priv)
+}
 
-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+func generateSelfSignedCertificateWithKeyInternal(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	priv crypto.PrivateKey,
+) (certificate, error) {
+	cert := certificate{}
+
+	template, err := getBaseCertTemplate(cn, ips, alternateDNS, daysValid)
 	if err != nil {
-		return cert, fmt.Errorf("error generating rsa key: %s", err)
+		return cert, err
 	}
 
 	cert.Cert, cert.Key, err = getCertAndKey(template, priv, template, priv)
@@ -286,6 +408,36 @@ func generateSignedCertificate(
 	alternateDNS []interface{},
 	daysValid int,
 	ca certificate,
+) (certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+	return generateSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, ca, priv)
+}
+
+func generateSignedCertificateWithPEMKey(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	ca certificate,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
+	if err != nil {
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
+	}
+	return generateSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, ca, priv)
+}
+
+func generateSignedCertificateWithKeyInternal(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	ca certificate,
+	priv crypto.PrivateKey,
 ) (certificate, error) {
 	cert := certificate{}
 
@@ -300,14 +452,10 @@ func generateSignedCertificate(
 			err,
 		)
 	}
-	decodedSignerKey, _ := pem.Decode([]byte(ca.Key))
-	if decodedSignerKey == nil {
-		return cert, errors.New("unable to decode key")
-	}
-	signerKey, err := x509.ParsePKCS1PrivateKey(decodedSignerKey.Bytes)
+	signerKey, err := parsePrivateKeyPEM(ca.Key)
 	if err != nil {
 		return cert, fmt.Errorf(
-			"error parsing prive key: decodedSignerKey.Bytes: %s",
+			"error parsing private key: %s",
 			err,
 		)
 	}
@@ -317,11 +465,6 @@ func generateSignedCertificate(
 		return cert, err
 	}
 
-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return cert, fmt.Errorf("error generating rsa key: %s", err)
-	}
-
 	cert.Cert, cert.Key, err = getCertAndKey(
 		template,
 		priv,
@@ -334,15 +477,19 @@ func generateSignedCertificate(
 
 func getCertAndKey(
 	template *x509.Certificate,
-	signeeKey *rsa.PrivateKey,
+	signeeKey crypto.PrivateKey,
 	parent *x509.Certificate,
-	signingKey *rsa.PrivateKey,
+	signingKey crypto.PrivateKey,
 ) (string, string, error) {
+	signeePubKey, err := getPublicKey(signeeKey)
+	if err != nil {
+		return "", "", fmt.Errorf("error retrieving public key from signee key: %s", err)
+	}
 	derBytes, err := x509.CreateCertificate(
 		rand.Reader,
 		template,
 		parent,
-		&signeeKey.PublicKey,
+		signeePubKey,
 		signingKey,
 	)
 	if err != nil {
@@ -360,10 +507,7 @@ func getCertAndKey(
 	keyBuffer := bytes.Buffer{}
 	if err := pem.Encode(
 		&keyBuffer,
-		&pem.Block{
-			Type:  "RSA PRIVATE KEY",
-			Bytes: x509.MarshalPKCS1PrivateKey(signeeKey),
-		},
+		pemBlockForKey(signeeKey),
 	); err != nil {
 		return "", "", fmt.Errorf("error pem-encoding key: %s", err)
 	}