Cryptographic and Security Functions
Sprig provides a couple of advanced cryptographic functions.
sha1sum
The sha1sum function receives a string, and computes it’s SHA1 digest.
sha1sum "Hello world!"
sha256sum
The sha256sum function receives a string, and computes it’s SHA256 digest.
sha256sum "Hello world!"
The above will compute the SHA 256 sum in an “ASCII armored” format that is safe to print.
sha512sum
The sha512sum function receives a string, and computes it’s SHA512 digest.
sha512sum "Hello world!"
The above will compute the SHA 512 sum in an “ASCII armored” format that is safe to print.
adler32sum
The adler32sum function receives a string, and computes its Adler-32 checksum.
adler32sum "Hello world!"
bcrypt
The bcrypt function receives a string, and generates its bcrypt hash.
bcrypt "myPassword"
htpasswd
The htpasswd function takes a username, a password, and a hashAlgorithm and generates a bcrypt (recommended) or a base64 encoded and prefixed sha hash of the password. hashAlgorithm is optional and defaults to bcrypt. The result can be used for basic authentication on an Apache HTTP Server.
htpasswd "myUser" "myPassword" ["bcrypt"|"sha"]
Note that it is insecure to store the password directly in the template.
randBytes
The randBytes function accepts a count N and generates a cryptographically
secure (uses crypto/rand) random sequence of N bytes. The sequence is
returned as a base64 encoded string.
randBytes 24
derivePassword
The derivePassword function can be used to derive a specific password based on
some shared “master password” constraints. The algorithm for this is
well specified.
derivePassword 1 "long" "password" "user" "example.com"
Note that it is considered insecure to store the parts directly in the template.
genPrivateKey
The genPrivateKey function generates a new private key encoded into a PEM
block.
It takes one of the values for its first param:
ecdsa: Generate an elliptic curve DSA key (P256)dsa: Generate a DSA key (L2048N256)rsa: Generate an RSA 4096 keyed25519: Generate an Ed25519 key
buildCustomCert
The buildCustomCert function allows customizing the certificate.
It takes the following string parameters:
- A base64 encoded PEM format certificate
- A base64 encoded PEM format private key
It returns a certificate object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$ca := buildCustomCert "base64-encoded-ca-crt" "base64-encoded-ca-key"
Note that the returned object can be passed to the genSignedCert function
to sign a certificate using this CA.
genCA
The genCA function generates a new, self-signed x509 certificate authority using a
2048-bit RSA private key.
It takes the following parameters:
- Subject’s common name (cn)
- Cert validity duration in days
It returns an object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$ca := genCA "foo-ca" 365
Note that the returned object can be passed to the genSignedCert function
to sign a certificate using this CA.
genCAWithKey
The genCAWithKey function generates a new, self-signed x509 certificate authority using a
given private key.
It takes the following parameters:
- Subject’s common name (cn)
- Cert validity duration in days
- Private key (PEM-encoded); DSA keys are not supported
It returns an object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$ca := genCAWithKey "foo-ca" 365 (genPrivateKey "rsa")
Note that the returned object can be passed to the genSignedCert function
to sign a certificate using this CA.
genSelfSignedCert
The genSelfSignedCert function generates a new, self-signed x509 certificate using a
2048-bit RSA private key.
It takes the following parameters:
- Subject’s common name (cn)
- Optional list of IPs; may be nil
- Optional list of alternate DNS names; may be nil
- Cert validity duration in days
It returns an object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$cert := genSelfSignedCert "foo.com" (list "10.0.0.1" "10.0.0.2") (list "bar.com" "bat.com") 365
genSelfSignedCertWithKey
The genSelfSignedCertWithKey function generates a new, self-signed x509 certificate using a
given private key.
It takes the following parameters:
- Subject’s common name (cn)
- Optional list of IPs; may be nil
- Optional list of alternate DNS names; may be nil
- Cert validity duration in days
- Private key (PEM-encoded); DSA keys are not supported
It returns an object with the following attributes:
Cert: A PEM-encoded certificateKey: A PEM-encoded private key
Example:
$cert := genSelfSignedCertWithKey "foo.com" (list "10.0.0.1" "10.0.0.2") (list "bar.com" "bat.com") 365 (genPrivateKey "ecdsa")
genSignedCert
The genSignedCert function generates a new, x509 certificate signed by the
specified CA, using a 2048-bit RSA private key.
It takes the following parameters:
- Subject’s common name (cn)
- Optional list of IPs; may be nil
- Optional list of alternate DNS names; may be nil
- Cert validity duration in days
- CA (see
genCA)
Example:
$ca := genCA "foo-ca" 365
$cert := genSignedCert "foo.com" (list "10.0.0.1" "10.0.0.2") (list "bar.com" "bat.com") 365 $ca
genSignedCertWithKey
The genSignedCertWithKey function generates a new, x509 certificate signed by the
specified CA, using a given private key.
It takes the following parameters:
- Subject’s common name (cn)
- Optional list of IPs; may be nil
- Optional list of alternate DNS names; may be nil
- Cert validity duration in days
- CA (see
genCA) - Private key (PEM-encoded); DSA keys are not supported
Example:
$ca := genCA "foo-ca" 365
$cert := genSignedCert "foo.com" (list "10.0.0.1" "10.0.0.2") (list "bar.com" "bat.com") 365 $ca (genPrivateKey "ed25519")
encryptAES
The encryptAES function encrypts text with AES-256 CBC and returns a base64 encoded string.
encryptAES "secretkey" "plaintext"
decryptAES
The decryptAES function receives a base64 string encoded by the AES-256 CBC
algorithm and returns the decoded text.
"30tEfhuJSVRhpG97XCuWgz2okj7L8vQ1s6V9zVUPeDQ=" | decryptAES "secretkey"