- Constants
- Variables
- func BuildCertManagerKeyUsages(ku x509.KeyUsage, eku []x509.ExtKeyUsage) []v1.KeyUsage
- func BuildKeyUsages(usages []v1.KeyUsage, isCA bool) (ku x509.KeyUsage, eku []x509.ExtKeyUsage, err error)
- func BuildKeyUsagesKube(usages []certificatesv1.KeyUsage) (x509.KeyUsage, []x509.ExtKeyUsage, error)
- func DNSNamesForCertificate(crt *v1.Certificate) ([]string, error)
- func DecodePKCS1PrivateKeyBytes(keyBytes []byte) (*rsa.PrivateKey, error)
- func DecodePrivateKeyBytes(keyBytes []byte) (crypto.Signer, error)
- func DecodeX509CertificateBytes(certBytes []byte) (*x509.Certificate, error)
- func DecodeX509CertificateChainBytes(certBytes []byte) ([]*x509.Certificate, error)
- func DecodeX509CertificateRequestBytes(csrBytes []byte) (*x509.CertificateRequest, error)
- func DurationFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (time.Duration, error)
- func EncodeCSR(template *x509.CertificateRequest, key crypto.Signer) ([]byte, error)
- func EncodeECPrivateKey(pk *ecdsa.PrivateKey) ([]byte, error)
- func EncodePKCS1PrivateKey(pk *rsa.PrivateKey) []byte
- func EncodePKCS8PrivateKey(pk interface{}) ([]byte, error)
- func EncodePrivateKey(pk crypto.PrivateKey, keyEncoding v1.PrivateKeyEncoding) ([]byte, error)
- func EncodeX509(cert *x509.Certificate) ([]byte, error)
- func EncodeX509Chain(certs []*x509.Certificate) ([]byte, error)
- func ExtKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku x509.ExtKeyUsage, ok bool)
- func GenerateCSR(crt *v1.Certificate) (*x509.CertificateRequest, error)
- func GenerateECPrivateKey(keySize int) (*ecdsa.PrivateKey, error)
- func GenerateEd25519PrivateKey() (ed25519.PrivateKey, error)
- func GeneratePrivateKeyForCertificate(crt *v1.Certificate) (crypto.Signer, error)
- func GenerateRSAPrivateKey(keySize int) (*rsa.PrivateKey, error)
- func GenerateTemplate(crt *v1.Certificate) (*x509.Certificate, error)
- func GenerateTemplateFromCSRPEM(csrPEM []byte, duration time.Duration, isCA bool) (*x509.Certificate, error)
- func GenerateTemplateFromCSRPEMWithUsages(csrPEM []byte, duration time.Duration, isCA bool, keyUsage x509.KeyUsage, ...) (*x509.Certificate, error)
- func GenerateTemplateFromCertificateRequest(cr *v1.CertificateRequest) (*x509.Certificate, error)
- func GenerateTemplateFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (*x509.Certificate, error)
- func IPAddressesForCertificate(crt *v1.Certificate) []net.IP
- func IPAddressesToString(ipAddresses []net.IP) []string
- func OIDFromExtKeyUsage(eku x509.ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool)
- func OrganizationForCertificate(crt *v1.Certificate) []string
- func ParseSubjectStringToRawDerBytes(subject string) ([]byte, error)
- func ParseSubjectStringToRdnSequence(subject string) (pkix.RDNSequence, error)
- func PublicKeyForPrivateKey(pk crypto.PrivateKey) (crypto.PublicKey, error)
- func PublicKeyMatchesCSR(check crypto.PublicKey, csr *x509.CertificateRequest) (bool, error)
- func PublicKeyMatchesCertificate(check crypto.PublicKey, crt *x509.Certificate) (bool, error)
- func PublicKeysEqual(a, b crypto.PublicKey) (bool, error)
- func SignCertificate(template *x509.Certificate, issuerCert *x509.Certificate, ...) ([]byte, *x509.Certificate, error)
- func SignatureAlgorithm(crt *v1.Certificate) (x509.PublicKeyAlgorithm, x509.SignatureAlgorithm, error)
- func SubjectForCertificate(crt *v1.Certificate) v1.X509Subject
- func URIsForCertificate(crt *v1.Certificate) ([]*url.URL, error)
- func URLsFromStrings(urlStrs []string) ([]*url.URL, error)
- func URLsToString(uris []*url.URL) []string
- type PEMBundle
Constants ¶
// Key-size bounds and curve selectors honoured by the key generator
// functions in this package.
const (
	// MinRSAKeySize is the smallest RSA key size the generator functions in
	// this package will produce.
	MinRSAKeySize = 2048
	// MaxRSAKeySize is the largest RSA key size the generator functions in
	// this package will produce.
	MaxRSAKeySize = 8192

	// ECCurve256 selects a secp256r1 / prime256v1 / NIST P-256 ECDSA key.
	ECCurve256 = 256
	// ECCurve384 selects a secp384r1 / NIST P-384 ECDSA key.
	ECCurve384 = 384
	// ECCurve521 selects a secp521r1 / NIST P-521 ECDSA key.
	ECCurve521 = 521
)
Variables ¶
// OIDExtensionKeyUsage is the object identifier of the X.509 Key Usage
// extension (2.5.29.15).
var OIDExtensionKeyUsage = []int{2, 5, 29, 15}

// OIDExtensionExtendedKeyUsage is the object identifier of the X.509
// Extended Key Usage extension (2.5.29.37).
var OIDExtensionExtendedKeyUsage = []int{2, 5, 29, 37}
Copied from x509.go
// OIDConstants groups the object identifiers of the X.520 subject attribute
// types that this package reads from and writes into distinguished names.
// The field set and order are part of the exported type and must not change.
var OIDConstants = struct {
	Country            []int // id-at-countryName
	Organization       []int // id-at-organizationName
	OrganizationalUnit []int // id-at-organizationalUnitName
	CommonName         []int // id-at-commonName
	SerialNumber       []int // id-at-serialNumber
	Locality           []int // id-at-localityName
	Province           []int // id-at-stateOrProvinceName
	StreetAddress      []int // id-at-streetAddress
}{
	CommonName:         []int{2, 5, 4, 3},
	SerialNumber:       []int{2, 5, 4, 5},
	Country:            []int{2, 5, 4, 6},
	Locality:           []int{2, 5, 4, 7},
	Province:           []int{2, 5, 4, 8},
	StreetAddress:      []int{2, 5, 4, 9},
	Organization:       []int{2, 5, 4, 10},
	OrganizationalUnit: []int{2, 5, 4, 11},
}
Functions ¶
func BuildCertManagerKeyUsages ¶ added in v1.8.0
func BuildKeyUsages ¶ added in v1.8.0
func BuildKeyUsagesKube ¶ added in v1.8.0
func BuildKeyUsagesKube(usages []certificatesv1.KeyUsage) (x509.KeyUsage, []x509.ExtKeyUsage, error)
BuildKeyUsagesKube returns the x509 key usage and extended key usages that correspond to the given Kubernetes CertificateSigningRequest usages.
func DNSNamesForCertificate ¶
func DNSNamesForCertificate(crt *v1.Certificate) ([]string, error)
func DecodePKCS1PrivateKeyBytes ¶
func DecodePKCS1PrivateKeyBytes(keyBytes []byte) (*rsa.PrivateKey, error)
DecodePKCS1PrivateKeyBytes will decode a PEM encoded PKCS#1 RSA private key.
func DecodePrivateKeyBytes ¶
DecodePrivateKeyBytes will decode a PEM encoded private key into a crypto.Signer. It supports ECDSA and RSA private keys only; all other key types return an error.
func DecodeX509CertificateBytes ¶
func DecodeX509CertificateBytes(certBytes []byte) (*x509.Certificate, error)
DecodeX509CertificateBytes will decode a PEM encoded x509 Certificate.
func DecodeX509CertificateChainBytes ¶ added in v0.6.0
func DecodeX509CertificateChainBytes(certBytes []byte) ([]*x509.Certificate, error)
DecodeX509CertificateChainBytes will decode a PEM encoded x509 Certificate chain.
func DecodeX509CertificateRequestBytes ¶ added in v1.8.0
func DecodeX509CertificateRequestBytes(csrBytes []byte) (*x509.CertificateRequest, error)
DecodeX509CertificateRequestBytes will decode a PEM encoded x509 Certificate Request.
func DurationFromCertificateSigningRequest ¶ added in v1.8.0
func DurationFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (time.Duration, error)
DurationFromCertificateSigningRequest returns the duration that the user may have requested using the annotation "experimental.cert-manager.io/request-duration" or via the CSR spec.expirationSeconds field (the annotation is preferred since it predates the field which is only available in Kubernetes v1.22+). Returns the cert-manager default certificate duration when the user hasn't provided the annotation or spec.expirationSeconds.
func EncodeCSR ¶
EncodeCSR calls x509.CreateCertificateRequest to sign the given CSR template. It returns a DER encoded signed CSR.
func EncodeECPrivateKey ¶
func EncodeECPrivateKey(pk *ecdsa.PrivateKey) ([]byte, error)
EncodeECPrivateKey will marshal an ECDSA private key into x509 PEM format.
func EncodePKCS1PrivateKey ¶
func EncodePKCS1PrivateKey(pk *rsa.PrivateKey) []byte
EncodePKCS1PrivateKey will marshal an RSA private key into PKCS#1 x509 PEM format.
func EncodePKCS8PrivateKey ¶ added in v0.7.0
EncodePKCS8PrivateKey will marshal a private key into x509 PEM format.
func EncodePrivateKey ¶
func EncodePrivateKey(pk crypto.PrivateKey, keyEncoding v1.PrivateKeyEncoding) ([]byte, error)
EncodePrivateKey will encode a given crypto.PrivateKey by first inspecting the type of key encoding and then inspecting the type of key provided. It only supports encoding RSA or ECDSA keys.
func EncodeX509 ¶
func EncodeX509(cert *x509.Certificate) ([]byte, error)
EncodeX509 will encode a single *x509.Certificate into PEM format.
func EncodeX509Chain ¶ added in v0.6.0
func EncodeX509Chain(certs []*x509.Certificate) ([]byte, error)
EncodeX509Chain will encode a list of *x509.Certificates into a PEM format chain. Self-signed certificates are not included as per https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2 Certificates are output in the order they're given; if the input is not ordered as specified in RFC5246 section 7.4.2, the resulting chain might not be valid for use in TLS.
func ExtKeyUsageFromOID ¶ added in v1.8.0
func ExtKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku x509.ExtKeyUsage, ok bool)
func GenerateCSR ¶
func GenerateCSR(crt *v1.Certificate) (*x509.CertificateRequest, error)
GenerateCSR will generate a new *x509.CertificateRequest template to be used by issuers that utilise CSRs to obtain Certificates. The CSR will not be signed, and should be passed to either EncodeCSR or to the x509.CreateCertificateRequest function.
func GenerateECPrivateKey ¶
func GenerateECPrivateKey(keySize int) (*ecdsa.PrivateKey, error)
GenerateECPrivateKey will generate an ECDSA private key of the given size. It can be used to generate 256, 384 and 521 sized keys.
func GenerateEd25519PrivateKey ¶ added in v1.8.0
func GenerateEd25519PrivateKey() (ed25519.PrivateKey, error)
GenerateEd25519PrivateKey will generate an Ed25519 private key.
func GeneratePrivateKeyForCertificate ¶
func GeneratePrivateKeyForCertificate(crt *v1.Certificate) (crypto.Signer, error)
GeneratePrivateKeyForCertificate will generate a private key suitable for the provided cert-manager Certificate resource, taking into account the parameters on the provided resource. The returned key will either be RSA or ECDSA.
func GenerateRSAPrivateKey ¶
func GenerateRSAPrivateKey(keySize int) (*rsa.PrivateKey, error)
GenerateRSAPrivateKey will generate an RSA private key of the given size. The requested size is restricted to the range bounded by MinRSAKeySize and MaxRSAKeySize.
func GenerateTemplate ¶
func GenerateTemplate(crt *v1.Certificate) (*x509.Certificate, error)
GenerateTemplate will create an x509.Certificate for the given Certificate resource. This should create a Certificate template that is equivalent to the CertificateRequest generated by GenerateCSR. The PublicKey field must be populated by the caller.
func GenerateTemplateFromCSRPEM ¶ added in v1.8.0
func GenerateTemplateFromCSRPEMWithUsages ¶ added in v1.8.0
func GenerateTemplateFromCertificateRequest ¶ added in v1.8.0
func GenerateTemplateFromCertificateRequest(cr *v1.CertificateRequest) (*x509.Certificate, error)
GenerateTemplateFromCertificateRequest will create an x509.Certificate for the given CertificateRequest resource.
func GenerateTemplateFromCertificateSigningRequest ¶ added in v1.8.0
func GenerateTemplateFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (*x509.Certificate, error)
GenerateTemplateFromCertificateSigningRequest will create an *x509.Certificate from the given CertificateSigningRequest resource.
func IPAddressesForCertificate ¶ added in v0.7.0
func IPAddressesForCertificate(crt *v1.Certificate) []net.IP
func IPAddressesToString ¶ added in v0.7.0
func OIDFromExtKeyUsage ¶ added in v1.8.0
func OIDFromExtKeyUsage(eku x509.ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool)
OIDFromExtKeyUsage returns the ASN.1 object identifier for an x509.ExtKeyUsage.
func OrganizationForCertificate ¶
func OrganizationForCertificate(crt *v1.Certificate) []string
OrganizationForCertificate will return the Organization to set for the Certificate resource. If an Organization is not specifically set, a default will be used.
func ParseSubjectStringToRawDerBytes ¶ added in v1.9.0
func ParseSubjectStringToRdnSequence ¶ added in v1.9.0
func ParseSubjectStringToRdnSequence(subject string) (pkix.RDNSequence, error)
func PublicKeyForPrivateKey ¶
func PublicKeyForPrivateKey(pk crypto.PrivateKey) (crypto.PublicKey, error)
PublicKeyForPrivateKey will return the crypto.PublicKey for the given crypto.PrivateKey. It only supports RSA and ECDSA keys.
func PublicKeyMatchesCSR ¶
PublicKeyMatchesCSR can be used to verify that the given public key matches the public key in the given x509.CertificateRequest. It returns false and no error if the given public key is *not* the same as the CSR's key; true and no error if the given public key *is* the same as the CSR's key; and an error if the CSR's key type cannot be determined (i.e. non RSA/ECDSA keys).
func PublicKeyMatchesCertificate ¶
PublicKeyMatchesCertificate checks whether the given public key matches the public key in the given x509.Certificate. It returns false and no error if the public key is *not* the same as the certificate's key; true and no error if the public key *is* the same as the certificate's key; and an error if the certificate's key type cannot be determined (i.e. non RSA/ECDSA keys).
func PublicKeysEqual ¶ added in v1.8.0
PublicKeysEqual compares two given public keys for equality. The definition of "equality" depends on the type of the public keys. Returns true if the keys are the same, false if they differ or an error if the key type of `a` cannot be determined.
func SignCertificate ¶
func SignCertificate(template *x509.Certificate, issuerCert *x509.Certificate, publicKey crypto.PublicKey, signerKey interface{}) ([]byte, *x509.Certificate, error)
SignCertificate returns a signed *x509.Certificate given a template *x509.Certificate and an issuer certificate. publicKey is the public key of the signee, and signerKey is the private key of the signer. It returns a PEM encoded copy of the Certificate as well as a *x509.Certificate which can be used for reading the encoded values.
func SignatureAlgorithm ¶
func SignatureAlgorithm(crt *v1.Certificate) (x509.PublicKeyAlgorithm, x509.SignatureAlgorithm, error)
SignatureAlgorithm will determine the appropriate signature algorithm for the given certificate. Adapted from https://github.com/cloudflare/cfssl/blob/master/csr/csr.go#L102
func SubjectForCertificate ¶ added in v1.8.0
func SubjectForCertificate(crt *v1.Certificate) v1.X509Subject
SubjectForCertificate will return the Subject from the Certificate resource, or an empty one if it is not set.
func URIsForCertificate ¶ added in v1.8.0
func URIsForCertificate(crt *v1.Certificate) ([]*url.URL, error)
func URLsToString ¶ added in v1.8.0
Types ¶
type PEMBundle ¶ added in v1.8.0
PEMBundle includes the PEM encoded X.509 certificate chain and CA. CAPEM contains either one CA certificate, or is empty if the chain consists of only a single certificate.
func ParseSingleCertificateChain ¶ added in v1.8.0
func ParseSingleCertificateChain(certs []*x509.Certificate) (PEMBundle, error)
ParseSingleCertificateChain returns the PEM-encoded chain of certificates as well as the PEM-encoded CA certificate. The certificate chain contains the leaf certificate first.
The CA may not be a true root, but the highest intermediate certificate. The returned CA may be empty if a single certificate was passed.
This function removes duplicate certificate entries as well as comments and unnecessary white space.
An error is returned if the passed bundle is not a valid flat tree chain, the bundle is malformed, or the chain is broken.
func ParseSingleCertificateChainPEM ¶ added in v1.8.0
ParseSingleCertificateChainPEM decodes a PEM encoded certificate chain before calling ParseSingleCertificateChain.
func SignCSRTemplate ¶ added in v1.8.0
func SignCSRTemplate(caCerts []*x509.Certificate, caKey crypto.Signer, template *x509.Certificate) (PEMBundle, error)
SignCSRTemplate signs a certificate template, usually one built from a CSR. This function expects all fields to be present in the certificate template, including its public key. It returns the PEM bundle containing the certificate data and the CA data, encoded in PEM format.