Index ¶
- Constants
- func ExpandWithTrustDomains(spiffeIdentities, trustDomainAliases []string) map[string]struct{}
- func GenSpiffeURI(ns, serviceAccount string) (string, error)
- func GetTrustDomain() string
- func GetTrustDomainFromURISAN(uriSan string) (string, error)
- func MustGenSpiffeURI(ns, serviceAccount string) string
- func RetrieveSpiffeBundleRootCerts(config map[string]string, caCertPool *x509.CertPool, ...) (map[string][]*x509.Certificate, error)
- func RetrieveSpiffeBundleRootCertsFromStringInput(inputString string, extraTrustedCerts []*x509.Certificate) (map[string][]*x509.Certificate, error)
- func SetTrustDomain(value string)
- type Identity
- type PeerCertVerifier
- func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)
- func (v *PeerCertVerifier) AddMappingFromPEM(trustDomain string, rootCertBytes []byte) error
- func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)
- func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool
- func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error
Constants ¶
const ( Scheme = "spiffe" URIPrefix = Scheme + "://" URIPrefixLen = len(URIPrefix) ServiceAccountSegment = "sa" NamespaceSegment = "ns" )
Variables ¶
This section is empty.
Functions ¶
func ExpandWithTrustDomains ¶
ExpandWithTrustDomains expands the given SPIFFE identities across a list of trust domain aliases. The returned set never contains duplicates, and the original input identities are always retained. For example, ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/def"}, {"td1", "td2"}) returns
{"spiffe://td1/ns/def/sa/def", "spiffe://td2/ns/def/sa/def"}.
ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/a", "spiffe://td1/ns/def/sa/b"}, {"td2"}) returns
{"spiffe://td1/ns/def/sa/a", "spiffe://td2/ns/def/sa/a", "spiffe://td1/ns/def/sa/b", "spiffe://td2/ns/def/sa/b"}.
func GenSpiffeURI ¶
GenSpiffeURI returns the formatted URI (SPIFFE format for now) for the certificate.
func GetTrustDomain ¶
func GetTrustDomain() string
func GetTrustDomainFromURISAN ¶
GetTrustDomainFromURISAN extracts the trust domain part from the URI SAN in the X.509 certificate.
func MustGenSpiffeURI ¶
MustGenSpiffeURI returns the formatted URI (SPIFFE format for now) for the certificate, and logs if there was an error.
func RetrieveSpiffeBundleRootCerts ¶
func RetrieveSpiffeBundleRootCerts(config map[string]string, caCertPool *x509.CertPool, retryTimeout time.Duration) ( map[string][]*x509.Certificate, error)
RetrieveSpiffeBundleRootCerts retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied certificates to validate the endpoints.
func RetrieveSpiffeBundleRootCertsFromStringInput ¶
func RetrieveSpiffeBundleRootCertsFromStringInput(inputString string, extraTrustedCerts []*x509.Certificate) ( map[string][]*x509.Certificate, error)
RetrieveSpiffeBundleRootCertsFromStringInput retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied certificates to validate the endpoints. The inputString (a list of endpoint tuples) should be in the format: "foo|URL1||bar|URL2||baz|URL3..."
func SetTrustDomain ¶
func SetTrustDomain(value string)
Types ¶
type Identity ¶
func ParseIdentity ¶
type PeerCertVerifier ¶
type PeerCertVerifier struct {
// contains filtered or unexported fields
}
PeerCertVerifier verifies the peer certificate in the SPIFFE way, using the retrieved root certificates for the peer's trust domain.
func NewPeerCertVerifier ¶
func NewPeerCertVerifier() *PeerCertVerifier
NewPeerCertVerifier returns a new PeerCertVerifier.
func (*PeerCertVerifier) AddMapping ¶
func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)
AddMapping adds a new trust-domain-to-certificates mapping to the certPools map.
func (*PeerCertVerifier) AddMappingFromPEM ¶
func (v *PeerCertVerifier) AddMappingFromPEM(trustDomain string, rootCertBytes []byte) error
AddMappingFromPEM adds multiple root CAs to the SPIFFE trust bundle under the trustDomain namespace.
func (*PeerCertVerifier) AddMappings ¶
func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)
AddMappings merges a trust-domain-to-certificates map into the certPools map.
func (*PeerCertVerifier) GetGeneralCertPool ¶
func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool
GetGeneralCertPool returns the generalCertPool, which contains all root certs across every trust domain.
func (*PeerCertVerifier) VerifyPeerCert ¶
func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error
VerifyPeerCert is an implementation of tls.Config.VerifyPeerCertificate. It verifies the peer certificate using only the root certificates associated with the peer's trust domain; the pre-verified chains argument is ignored.