Index ¶
- Constants
- func BuildSANExtension(identites []Identity) (*pkix.Extension, error)
- func BuildSubjectAltNameExtension(hosts string) (*pkix.Extension, error)
- func ExtractIDs(exts []pkix.Extension) ([]string, error)
- func ExtractSANExtension(exts []pkix.Extension) *pkix.Extension
- func GenCSR(options CertOptions) ([]byte, []byte, error)
- func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
- func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, ...) (cert []byte, err error)
- func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
- func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
- func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
- func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
- func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
- func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
- func RetrieveID(b KeyCertBundle) string
- func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte, host string, ...) error
- type CertOptions
- type Identity
- type IdentityType
- type KeyCertBundle
- type KeyCertBundleImpl
- func NewKeyCertBundleWithRootCertFromFile(rootCertFile string) (*KeyCertBundleImpl, error)
- func NewVerifiedKeyCertBundleFromFile(certFile, privKeyFile, certChainFile, rootCertFile string) (*KeyCertBundleImpl, error)
- func NewVerifiedKeyCertBundleFromPem(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) (*KeyCertBundleImpl, error)
- func (b *KeyCertBundleImpl) CertOptions() (*CertOptions, error)
- func (b *KeyCertBundleImpl) GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, ...)
- func (b *KeyCertBundleImpl) GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)
- func (b *KeyCertBundleImpl) VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
- type VerifyFields
Constants ¶
const (
	// URIScheme is the URI scheme for Istio identities.
	URIScheme string = "spiffe"
)
Functions ¶
func BuildSANExtension ¶
BuildSANExtension builds a `pkix.Extension` of type "Subject Alternative Name" based on the given identities.
func BuildSubjectAltNameExtension ¶
BuildSubjectAltNameExtension builds the SAN extension for the certificate.
func ExtractIDs ¶
ExtractIDs first finds the SAN extension in the given extension set, then extracts identities from the SAN extension.
func ExtractSANExtension ¶
ExtractSANExtension extracts the "Subject Alternative Name" extension from the given PKIX extension set.
func GenCSR ¶
func GenCSR(options CertOptions) ([]byte, []byte, error)
GenCSR generates an X.509 certificate signing request and a private key with the given options.
func GenCSRTemplate ¶
func GenCSRTemplate(options CertOptions) (*x509.CertificateRequest, error)
GenCSRTemplate generates a certificateRequest template with the given options.
func GenCertFromCSR ¶
func GenCertFromCSR(csr *x509.CertificateRequest, signingCert *x509.Certificate, publicKey interface{}, signingKey crypto.PrivateKey, ttl time.Duration, isCA bool) (cert []byte, err error)
GenCertFromCSR generates an X.509 certificate from the given CSR.
func GenCertKeyFromOptions ¶
func GenCertKeyFromOptions(options CertOptions) (pemCert []byte, pemKey []byte, err error)
GenCertKeyFromOptions generates an X.509 certificate and a private key with the given options.
func GetRSAKeySize ¶
func GetRSAKeySize(privKey crypto.PrivateKey) (int, error)
GetRSAKeySize returns the key size if the given key is an RSA key; otherwise it returns an error.
func LoadSignerCredsFromFiles ¶
func LoadSignerCredsFromFiles(signerCertFile string, signerPrivFile string) (*x509.Certificate, crypto.PrivateKey, error)
LoadSignerCredsFromFiles loads the signer cert and key from the given files.
signerCertFile: cert file name
signerPrivFile: private key file name
func ParsePemEncodedCSR ¶
func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error)
ParsePemEncodedCSR constructs a `x509.CertificateRequest` object using the given PEM-encoded certificate signing request.
func ParsePemEncodedCertificate ¶
func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error)
ParsePemEncodedCertificate constructs a `x509.Certificate` object using the given PEM-encoded certificate.
func ParsePemEncodedKey ¶
func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error)
ParsePemEncodedKey takes a PEM-encoded key and parses the bytes into a `crypto.PrivateKey`.
func RetrieveID ¶
func RetrieveID(b KeyCertBundle) string
RetrieveID returns the service account from the KeyCertBundle. TODO: implement this later as a method of KeyCertBundle.
func VerifyCertificate ¶
func VerifyCertificate(privPem []byte, certChainPem []byte, rootCertPem []byte, host string, expectedFields *VerifyFields) error
VerifyCertificate verifies a given PEM-encoded certificate by:
- building one or more chains from the certificate to a root certificate;
- checking that the fields are set as expected.
Types ¶
type CertOptions ¶
// CertOptions contains options for generating a new certificate.
type CertOptions struct {
	// Comma-separated hostnames and IPs to generate a certificate for.
	// This can also be set to the identity running the workload,
	// like kubernetes service account.
	Host string

	// The NotBefore field of the issued certificate.
	NotBefore time.Time

	// TTL of the certificate. NotAfter - NotBefore.
	TTL time.Duration

	// Signer certificate (an already parsed *x509.Certificate, not PEM bytes).
	SignerCert *x509.Certificate

	// Signer private key (an already parsed crypto.PrivateKey, not PEM bytes).
	SignerPriv crypto.PrivateKey

	// Organization for this certificate.
	Org string

	// Whether this certificate is used as signing cert for CA.
	IsCA bool

	// Whether this certificate is self-signed.
	IsSelfSigned bool

	// Whether this certificate is for a client.
	IsClient bool

	// Whether this certificate is for a server.
	IsServer bool

	// The size of RSA private key to be generated.
	// NOTE(review): the struct itself does not constrain this value; confirm
	// that the caller enforces a sensible minimum (2048 bits is the usual floor).
	RSAKeySize int
}
CertOptions contains options for generating a new certificate.
type Identity ¶
// Identity is an object holding both the encoded identifier bytes as well as
// the type of the identity.
type Identity struct {
	// Type selects how Value is encoded into a SAN extension (DNS, IP or URI).
	Type IdentityType
	// Value holds the encoded identifier bytes.
	Value []byte
}
Identity is an object holding both the encoded identifier bytes as well as the type of the identity.
func ExtractIDsFromSAN ¶
ExtractIDsFromSAN takes a SAN extension and extracts the identities. The logic is mostly borrowed from https://github.com/golang/go/blob/master/src/crypto/x509/x509.go, with the addition of supporting extracting URIs.
type IdentityType ¶
// IdentityType represents the type of an identity. It is used to properly
// encode an identity into a SAN extension.
type IdentityType int
IdentityType represents the type of an identity. It is used to properly encode an identity into a SAN extension.
const (
	// TypeDNS represents a DNS name.
	TypeDNS IdentityType = iota
	// TypeIP represents an IP address.
	TypeIP
	// TypeURI represents a universal resource identifier.
	TypeURI
)
type KeyCertBundle ¶
// KeyCertBundle stores the cert, private key, cert chain and root cert for an
// entity. It is thread safe.
type KeyCertBundle interface {
	// GetAllPem returns all key/cert PEMs in KeyCertBundle together.
	// Getting all values together avoids inconsistency.
	GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)

	// GetAll returns all key/cert in KeyCertBundle together.
	// Getting all values together avoids inconsistency.
	GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, certChainBytes, rootCertBytes []byte)

	// VerifyAndSetAll verifies the key/certs, and sets all key/certs in KeyCertBundle together.
	// Setting all values together avoids inconsistency.
	VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error

	// CertOptions returns the CertOptions for rotating the current key cert.
	CertOptions() (*CertOptions, error)
}
KeyCertBundle stores the cert, private key, cert chain and root cert for an entity. It is thread safe.
type KeyCertBundleImpl ¶
// KeyCertBundleImpl implements the KeyCertBundle interface. The cert and
// privKey should be a public/private key pair. The cert should be verifiable
// from the rootCert through the certChain. cert and privKey are pointers to
// the cert/key parsed from certBytes/privKeyBytes.
type KeyCertBundleImpl struct {
	// contains filtered or unexported fields
}
KeyCertBundleImpl implements the KeyCertBundle interface. The cert and privKey should be a public/private key pair. The cert should be verifiable from the rootCert through the certChain. cert and privKey are pointers to the cert/key parsed from certBytes/privKeyBytes.
func NewKeyCertBundleWithRootCertFromFile ¶
func NewKeyCertBundleWithRootCertFromFile(rootCertFile string) (*KeyCertBundleImpl, error)
NewKeyCertBundleWithRootCertFromFile returns a new KeyCertBundle with the root cert without verification.
func NewVerifiedKeyCertBundleFromFile ¶
func NewVerifiedKeyCertBundleFromFile(certFile, privKeyFile, certChainFile, rootCertFile string) ( *KeyCertBundleImpl, error)
NewVerifiedKeyCertBundleFromFile returns a new KeyCertBundle, or an error if the provided certs fail verification.
func NewVerifiedKeyCertBundleFromPem ¶
func NewVerifiedKeyCertBundleFromPem(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) ( *KeyCertBundleImpl, error)
NewVerifiedKeyCertBundleFromPem returns a new KeyCertBundle, or an error if the provided certs fail verification.
func (*KeyCertBundleImpl) CertOptions ¶
func (b *KeyCertBundleImpl) CertOptions() (*CertOptions, error)
CertOptions returns the certificate options based on the currently stored cert.
func (*KeyCertBundleImpl) GetAll ¶
func (b *KeyCertBundleImpl) GetAll() (cert *x509.Certificate, privKey *crypto.PrivateKey, certChainBytes, rootCertBytes []byte)
GetAll returns all key/cert in KeyCertBundle together. Getting all values together avoids inconsistency. NOTE: Callers should not modify the content of cert and privKey.
func (*KeyCertBundleImpl) GetAllPem ¶
func (b *KeyCertBundleImpl) GetAllPem() (certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte)
GetAllPem returns all key/cert PEMs in KeyCertBundle together. Getting all values together avoids inconsistency.
func (*KeyCertBundleImpl) VerifyAndSetAll ¶
func (b *KeyCertBundleImpl) VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes []byte) error
VerifyAndSetAll verifies the key/certs, and sets all key/certs in KeyCertBundle together. Setting all values together avoids inconsistency.