Documentation ¶
Index ¶
- Constants
- func AppendCertByte(pemCert []byte, rootCert []byte) []byte
- func AppendRootCerts(pemCert []byte, rootCertFile string) ([]byte, error)
- func BuildSANExtension(identites []Identity) (*pkix.Extension, error)
- func BuildSubjectAltNameExtension(hosts string) (*pkix.Extension, error)
- func DualUseCommonName(host string) (string, error)
- func ExtractIDs(exts []pkix.Extension) ([]string, error)
- func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension
- func GenCSR(options CertOptions) ([]byte, []byte, error)
- func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
- func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, ...) (cert []byte, err error)
- func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
- func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)
- func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
- func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool
- func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
- func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
- func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
- func ParsePemEncodedCertificateChain(certBytes []byte) ([]*x509.Certificate, error)
- func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
- func PemCertBytestoString(caCerts []byte) []string
- type CertOptions
- type Identity
- type IdentityType
- type SupportedECSignatureAlgorithms
Constants ¶
const (
	// TypeDNS represents a DNS name.
	TypeDNS IdentityType = iota
	// TypeIP represents an IP address.
	TypeIP
	// TypeURI represents a universal resource identifier.
	TypeURI

	// Scheme is the URI scheme of workload identities ("spiffe").
	Scheme = "spiffe"
	// URIPrefix is Scheme followed by "://", i.e. the literal prefix every
	// SPIFFE-style identity URI starts with.
	URIPrefix = Scheme + "://"
	// URIPrefixLen is the byte length of URIPrefix, for stripping the prefix
	// off an identity URI before inspecting the remainder.
	URIPrefixLen = len(URIPrefix)
)
// ClockSkewGracePeriod is how long an issued certificate is valid before the
// moment it is generated (its NotBefore is backdated by this much), so that a
// workload whose clock lags slightly behind the CA's does not reject a fresh
// certificate as not yet valid. It also lengthens the effective validity
// window by the same amount, so it is deliberately kept small.
const ClockSkewGracePeriod = time.Minute * 2
ClockSkewGracePeriod is the amount of time (two minutes) by which an issued certificate is valid before the moment it is created, i.e. how far its NotBefore is backdated relative to the CA's clock. This tolerates a workload whose clock lags slightly behind the CA's, which would otherwise reject a freshly issued certificate as not yet valid. Note that it also lengthens the effective validity window by the same amount, so it should stay small relative to the certificate TTL.
Variables ¶
This section is empty.
Functions ¶
func AppendCertByte ¶
AppendCertByte appends the X.509 root certificate bytes in rootCert to the existing PEM certificate chain in pemCert and returns the combined bytes. It has no error return, so malformed input cannot be reported here; if the result matters, validate it afterwards (for example with ParsePemEncodedCertificateChain).
func AppendRootCerts ¶
AppendRootCerts appends the root certificates read from rootCertFile to the input certificate pemCert and returns the result, or an error if the root certificate file cannot be used.
func BuildSANExtension ¶
BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" from the given identities; each Identity's Type (TypeDNS, TypeIP or TypeURI) selects how its Value is encoded. An error is returned if the extension cannot be built.
func BuildSubjectAltNameExtension ¶
BuildSubjectAltNameExtension builds the SAN extension for a certificate from the hosts string (a list of hostnames and IPs, presumably comma-separated like CertOptions.Host — confirm against the implementation).
func DualUseCommonName ¶
DualUseCommonName extracts a valid CommonName from a comma-delimited host string, for dual-use certificates that carry the identity both in the SAN extension and in the Subject CN (see CertOptions.IsDualUse). The CN exists only for legacy clients that still inspect it; verifiers should match identities against the SAN, which is what current TLS stacks (including Go's crypto/x509) use.
func ExtractIDs ¶
ExtractIDs locates the SAN extension in the given extension set and then extracts the identities it contains, returning them as strings. An error is returned if the identities cannot be extracted.
func ExtractSANExtension ¶
ExtractSANExtension extracts the "Subject Alternative Name" extension from the given PKIX extension set. There is no error return, so a nil result presumably signals that no SAN extension was present — callers must check for nil before dereferencing.
func GenCSR ¶
func GenCSR(options CertOptions) ([]byte, []byte, error)
GenCSR generates an X.509 certificate signing request (CSR) and the matching private key from the given options, returning the CSR bytes, the private key bytes and an error. The returned key is sensitive material: keep it in memory only as long as needed and never log it.
func GenCSRTemplate ¶
func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
GenCSRTemplate generates an `x509.CertificateRequest` template from the given options.
func GenCertFromCSR ¶
func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, publicKey interface{}, signingKey crypto.PrivateKey, subjectIDs []string, ttl time.Duration, isCA bool, ) (cert []byte, err error)
GenCertFromCSR issues an X.509 certificate based on the given CSR: it is signed with signingCert and signingKey, binds publicKey, carries the identities listed in subjectIDs, is valid for ttl, and is marked as a CA when isCA is true. Security note: as the signature suggests, the identities and the CA flag are supplied by the caller through subjectIDs and isCA rather than trusted from the request itself, so the caller must derive subjectIDs from an authenticated identity of the requester, must pass isCA=false when issuing workload certificates, and should make sure publicKey is the key whose possession the requester proved through the CSR signature (confirm these points against the implementation before relying on them).
func GenCertKeyFromOptions ¶
func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
GenCertKeyFromOptions generates an X.509 certificate and its private key from the given options, returning both PEM-encoded (see the result names pemCert and pemKey).
func GenRootCertFromExistingKey ¶
func GenRootCertFromExistingKey(options CertOptions) (pemCert []byte, pemKey []byte, err error)
GenRootCertFromExistingKey generates a root X.509 certificate using an existing CA private key supplied through the options, returning the PEM certificate and key. Only called by a self-signed Citadel.
func GetRSAKeySize ¶
func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
GetRSAKeySize returns the key size of privKey if it is an RSA key (presumably in bits, matching CertOptions.RSAKeySize); otherwise it returns an error.
func IsSupportedECPrivateKey ¶
func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool
IsSupportedECPrivateKey reports whether the private key is an elliptic-curve key of a supported type. Note the unusual parameter type: it is a pointer to a `crypto.PrivateKey` interface value, so callers pass `&key` rather than the key itself.
func LoadSignerCredsFromFiles ¶
func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
LoadSignerCredsFromFiles loads the signer certificate and private key from the given files and returns them parsed, or an error if either cannot be loaded. The key file holds CA signing material: it should be readable only by the CA process, and the returned key must never be logged.
signerCertFile: certificate file name; signerPrivFile: private key file name.
func ParsePemEncodedCSR ¶
func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
ParsePemEncodedCSR constructs an `x509.CertificateRequest` object from the given PEM-encoded certificate signing request, returning an error if it cannot be decoded. Whether the CSR's self-signature is verified here is not stated; if it is not, call CheckSignature on the result before treating the embedded public key as proven by the requester.
func ParsePemEncodedCertificate ¶
func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
ParsePemEncodedCertificate constructs an `x509.Certificate` object from the given PEM-encoded certificate, returning an error if it cannot be decoded.
func ParsePemEncodedCertificateChain ¶
func ParsePemEncodedCertificateChain(certBytes []byte) ([]*x509.Certificate, error)
ParsePemEncodedCertificateChain constructs a slice of `x509.Certificate` objects from the given PEM-encoded certificate chain (presumably in the order the certificates appear), returning an error if it cannot be decoded. This is decoding only: it does not establish that the certificates form a valid chain (signatures, validity periods, trust anchors) — use x509.Certificate.Verify for that.
func ParsePemEncodedKey ¶
func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
ParsePemEncodedKey takes a PEM-encoded private key and parses the bytes into a `crypto.PrivateKey`, returning an error if the key cannot be decoded.
func PemCertBytestoString ¶
PemCertBytestoString takes an array of PEM certificates in bytes and returns a string array in the same order, with trailing newline characters removed.
Types ¶
type CertOptions ¶
// CertOptions collects the inputs for generating a certificate, CSR or key.
type CertOptions struct {
	// Comma-separated hostnames and IPs to generate a certificate for.
	// This can also be set to the identity running the workload,
	// like kubernetes service account.
	Host string

	// The NotBefore field of the issued certificate.
	// NOTE(review): whether ClockSkewGracePeriod is subtracted from this
	// value by the generator is not visible here — confirm in the caller.
	NotBefore time.Time

	// TTL of the certificate. NotAfter - NotBefore.
	TTL time.Duration

	// Signer certificate.
	SignerCert *x509.Certificate

	// Signer private key. Sensitive: never log it.
	SignerPriv crypto.PrivateKey

	// Signer private key (PEM encoded). Sensitive: never log it.
	SignerPrivPem []byte

	// Organization for this certificate.
	Org string

	// The size of the RSA private key to be generated (used when ECSigAlg is empty).
	RSAKeySize int

	// Whether this certificate is used as a signing cert for a CA.
	// Leave false for workload certificates so a leaf cannot issue further certificates.
	IsCA bool

	// Whether this certificate is self-signed.
	IsSelfSigned bool

	// Whether this certificate is for a client.
	IsClient bool

	// Whether this certificate is for a server.
	IsServer bool

	// Whether this certificate is for dual-use clients (identity in SAN and CN);
	// see DualUseCommonName.
	IsDualUse bool

	// If true, the private key is encoded with PKCS#8.
	PKCS8Key bool

	// The type of elliptic-curve signature algorithm to use
	// when generating private keys. Currently only ECDSA is supported.
	// If empty, RSA is used, otherwise ECC is used.
	ECSigAlg SupportedECSignatureAlgorithms

	// Subject Alternative Name values (presumably comma-separated like Host — confirm).
	DNSNames string
}
CertOptions contains options for generating a new certificate.
func GetCertOptionsFromExistingCert ¶
func GetCertOptionsFromExistingCert(certBytes []byte) (opts CertOptions, err error)
GetCertOptionsFromExistingCert parses cert and generates a CertOptions that contains information about the cert. This is the reverse operation of genCertTemplateFromOptions(), and only called by a self-signed Citadel.
func MergeCertOptions ¶
func MergeCertOptions(defaultOpts, deltaOpts CertOptions) CertOptions
MergeCertOptions merges deltaOpts into defaultOpts and returns the merged CertOptions. Only called by a self-signed Citadel.
type Identity ¶
// Identity is one Subject Alternative Name entry: the kind of identifier and its encoded bytes.
type Identity struct {
	// Type says how Value is interpreted and encoded in the SAN extension
	// (TypeDNS, TypeIP or TypeURI).
	Type IdentityType
	// Value holds the identifier in encoded form (the exact encoding per
	// type is set by BuildSANExtension / ExtractIDsFromSAN — see those).
	Value []byte
}
Identity holds one SAN entry: the encoded identifier bytes (Value) and the kind of identifier they represent (Type).
func ExtractIDsFromSAN ¶
ExtractIDsFromSAN takes a SAN extension and extracts the identities it contains. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of support for extracting URIs.
type IdentityType ¶
// IdentityType is the kind of identifier an Identity holds (see TypeDNS,
// TypeIP and TypeURI); it decides how the identity is encoded in a SAN extension.
type IdentityType int
IdentityType represents the kind of an identity (DNS name, IP address or URI; see TypeDNS, TypeIP and TypeURI). It determines how the identity is encoded into a SAN extension.
type SupportedECSignatureAlgorithms ¶
// SupportedECSignatureAlgorithms names the elliptic-curve algorithm used for
// key generation (CertOptions.ECSigAlg); the only defined value is EcdsaSigAlg.
type SupportedECSignatureAlgorithms string
SupportedECSignatureAlgorithms names the elliptic-curve signature algorithm used in key generation (e.g. ECDSA). Despite the plural, only one value is currently defined, EcdsaSigAlg ("ECDSA"); Ed25519 is not a supported value.
const (
	// EcdsaSigAlg selects ECDSA key generation for CertOptions.ECSigAlg.
	// Only ECDSA using P256 is currently supported.
	EcdsaSigAlg SupportedECSignatureAlgorithms = "ECDSA"
)