pki

package
v1.13.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 23, 2024 License: Apache-2.0 Imports: 30 Imported by: 31

Documentation

Index

Constants

View Source 
const (
	// MinRSAKeySize is the minimum RSA keysize allowed to be generated by the
	// generator functions in this package.
	MinRSAKeySize = 2048

	// MaxRSAKeySize is the maximum RSA keysize allowed to be generated by the
	// generator functions in this package.
	MaxRSAKeySize = 8192

	// ECCurve256 represents a secp256r1 / prime256v1 / NIST P-256 ECDSA key.
	ECCurve256 = 256
	// ECCurve384 represents a secp384r1 / NIST P-384 ECDSA key.
	ECCurve384 = 384
	// ECCurve521 represents a secp521r1 / NIST P-521 ECDSA key.
	ECCurve521 = 521
)

Variables

View Source 
var (
	OIDExtensionKeyUsage         = []int{2, 5, 29, 15}
	OIDExtensionExtendedKeyUsage = []int{2, 5, 29, 37}
)

Copied from x509.go

View Source 
var CertificateTemplateFromCertificateRequest = makeCertificateTemplateFromCertificateRequestFunc(false)

CertificateTemplateFromCertificateRequest will create a x509.Certificate for the given CertificateRequest resource

View Source 
var DeprecatedCertificateTemplateFromCertificateRequestAndAllowInsecureCSRUsageDefinition = makeCertificateTemplateFromCertificateRequestFunc(true)

Deprecated: Use CertificateTemplateFromCertificateRequest instead.

View Source 
var OIDConstants = struct {
	Country            []int
	Organization       []int
	OrganizationalUnit []int
	CommonName         []int
	SerialNumber       []int
	Locality           []int
	Province           []int
	StreetAddress      []int
	DomainComponent    []int
	UniqueIdentifier   []int
}{
	Country:            []int{2, 5, 4, 6},
	Organization:       []int{2, 5, 4, 10},
	OrganizationalUnit: []int{2, 5, 4, 11},
	CommonName:         []int{2, 5, 4, 3},
	SerialNumber:       []int{2, 5, 4, 5},
	Locality:           []int{2, 5, 4, 7},
	Province:           []int{2, 5, 4, 8},
	StreetAddress:      []int{2, 5, 4, 9},
	DomainComponent:    []int{0, 9, 2342, 19200300, 100, 1, 25},
	UniqueIdentifier:   []int{0, 9, 2342, 19200300, 100, 1, 1},
}
View Source 
var (
	OIDExtensionBasicConstraints = []int{2, 5, 29, 19}
)

Copied from x509.go

Functions

func BuildCertManagerKeyUsages added in v1.8.0 

func BuildCertManagerKeyUsages(ku x509.KeyUsage, eku []x509.ExtKeyUsage) []v1.KeyUsage

func BuildKeyUsagesKube added in v1.8.0 

func BuildKeyUsagesKube(usages []certificatesv1.KeyUsage) (x509.KeyUsage, []x509.ExtKeyUsage, error)

BuildKeyUsagesKube returns a key usage and extended key usage of the x509 certificate

func CertificateTemplateFromCSR added in v1.13.0 

func CertificateTemplateFromCSR(csr *x509.CertificateRequest, validatorMutators ...CertificateTemplateValidatorMutator) (*x509.Certificate, error)

CertificateTemplateFromCSR will create a x509.Certificate for the given *x509.CertificateRequest.

func CertificateTemplateFromCSRPEM added in v1.13.0 

func CertificateTemplateFromCSRPEM(csrPEM []byte, validatorMutators ...CertificateTemplateValidatorMutator) (*x509.Certificate, error)

CertificateTemplateFromCSRPEM will create a x509.Certificate for the given csrPEM.

func CertificateTemplateFromCertificate added in v1.13.0 

func CertificateTemplateFromCertificate(crt *v1.Certificate) (*x509.Certificate, error)

CertificateTemplateFromCertificate will create a x509.Certificate for the given Certificate resource

func CertificateTemplateFromCertificateSigningRequest added in v1.13.0 

func CertificateTemplateFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (*x509.Certificate, error)

CertificateTemplateFromCertificateSigningRequest will create a x509.Certificate for the given CertificateSigningRequest resource

func DNSNamesForCertificate 

func DNSNamesForCertificate(crt *v1.Certificate) ([]string, error)

func DecodePKCS1PrivateKeyBytes 

func DecodePKCS1PrivateKeyBytes(keyBytes []byte) (*rsa.PrivateKey, error)

DecodePKCS1PrivateKeyBytes will decode a PEM encoded RSA private key.

func DecodePrivateKeyBytes 

func DecodePrivateKeyBytes(keyBytes []byte) (crypto.Signer, error)

DecodePrivateKeyBytes will decode a PEM encoded private key into a crypto.Signer. It supports ECDSA and RSA private keys only. All other types will return err.

func DecodeX509CertificateBytes 

func DecodeX509CertificateBytes(certBytes []byte) (*x509.Certificate, error)

DecodeX509CertificateBytes will decode a PEM encoded x509 Certificate.

func DecodeX509CertificateChainBytes added in v0.6.0 

func DecodeX509CertificateChainBytes(certBytes []byte) ([]*x509.Certificate, error)

DecodeX509CertificateChainBytes will decode a PEM encoded x509 Certificate chain.

func DecodeX509CertificateRequestBytes added in v1.8.0 

func DecodeX509CertificateRequestBytes(csrBytes []byte) (*x509.CertificateRequest, error)

DecodeX509CertificateRequestBytes will decode a PEM encoded x509 Certificate Request.

func DecodeX509CertificateSetBytes added in v1.12.9 

func DecodeX509CertificateSetBytes(certBytes []byte) ([]*x509.Certificate, error)

DecodeX509CertificateSetBytes will decode a concatenated set of PEM encoded x509 Certificates.

func DurationFromCertificateSigningRequest added in v1.8.0 

func DurationFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (time.Duration, error)

DurationFromCertificateSigningRequest returns the duration that the user may have requested using the annotation "experimental.cert-manager.io/request-duration" or via the CSR spec.expirationSeconds field (the annotation is preferred since it predates the field which is only available in Kubernetes v1.22+). Returns the cert-manager default certificate duration when the user hasn't provided the annotation or spec.expirationSeconds.

func EncodeCSR 

func EncodeCSR(template *x509.CertificateRequest, key crypto.Signer) ([]byte, error)

EncodeCSR calls x509.CreateCertificateRequest to sign the given CSR template. It returns a DER encoded signed CSR.

func EncodeECPrivateKey 

func EncodeECPrivateKey(pk *ecdsa.PrivateKey) ([]byte, error)

EncodeECPrivateKey will marshal an ECDSA private key into x509 PEM format.

func EncodePKCS1PrivateKey 

func EncodePKCS1PrivateKey(pk *rsa.PrivateKey) []byte

EncodePKCS1PrivateKey will marshal a RSA private key into x509 PEM format.

func EncodePKCS8PrivateKey added in v0.7.0 

func EncodePKCS8PrivateKey(pk interface{}) ([]byte, error)

EncodePKCS8PrivateKey will marshal a private key into x509 PEM format.

func EncodePrivateKey 

func EncodePrivateKey(pk crypto.PrivateKey, keyEncoding v1.PrivateKeyEncoding) ([]byte, error)

EncodePrivateKey will encode a given crypto.PrivateKey by first inspecting the type of key encoding and then inspecting the type of key provided. It only supports encoding RSA or ECDSA keys.

func EncodeX509 

func EncodeX509(cert *x509.Certificate) ([]byte, error)

EncodeX509 will encode a single *x509.Certificate into PEM format.

func EncodeX509Chain added in v0.6.0 

func EncodeX509Chain(certs []*x509.Certificate) ([]byte, error)

EncodeX509Chain will encode a list of *x509.Certificates into a PEM format chain. Self-signed certificates are not included as per https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2 Certificates are output in the order they're given; if the input is not ordered as specified in RFC5246 section 7.4.2, the resulting chain might not be valid for use in TLS.

func ExtKeyUsageFromOID added in v1.8.0 

func ExtKeyUsageFromOID(oid asn1.ObjectIdentifier) (eku x509.ExtKeyUsage, ok bool)

func GenerateCSR 

func GenerateCSR(crt *v1.Certificate, optFuncs ...GenerateCSROption) (*x509.CertificateRequest, error)

GenerateCSR will generate a new *x509.CertificateRequest template to be used by issuers that utilise CSRs to obtain Certificates. The CSR will not be signed, and should be passed to either EncodeCSR or to the x509.CreateCertificateRequest function.

func GenerateECPrivateKey 

func GenerateECPrivateKey(keySize int) (*ecdsa.PrivateKey, error)

GenerateECPrivateKey will generate an ECDSA private key of the given size. It can be used to generate 256, 384 and 521 sized keys.

func GenerateEd25519PrivateKey added in v1.8.0 

func GenerateEd25519PrivateKey() (ed25519.PrivateKey, error)

GenerateEd25519PrivateKey will generate an Ed25519 private key

func GenerateLocallySignedTemporaryCertificate added in v1.12.0 

func GenerateLocallySignedTemporaryCertificate(crt *cmapi.Certificate, pkData []byte) ([]byte, error)

GenerateLocallySignedTemporaryCertificate signs a temporary certificate for the given certificate resource using a one-use temporary CA that is then discarded afterwards. This is to mitigate a potential attack against x509 certificates that use a predictable serial number and weak MD5 hashing algorithms. In practice, this shouldn't really be a concern anyway.

func GeneratePrivateKeyForCertificate 

func GeneratePrivateKeyForCertificate(crt *v1.Certificate) (crypto.Signer, error)

GeneratePrivateKeyForCertificate will generate a private key suitable for the provided cert-manager Certificate resource, taking into account the parameters on the provided resource. The returned key will either be RSA or ECDSA.

func GenerateRSAPrivateKey 

func GenerateRSAPrivateKey(keySize int) (*rsa.PrivateKey, error)

GenerateRSAPrivateKey will generate a RSA private key of the given size. It places restrictions on the minimum and maximum RSA keysize.

func GenerateTemplate deprecated 

func GenerateTemplate(crt *v1.Certificate) (*x509.Certificate, error)

Deprecated: use CertificateTemplateFromCertificate instead.

func GenerateTemplateFromCSRPEM deprecated added in v1.8.0 

func GenerateTemplateFromCSRPEM(csrPEM []byte, duration time.Duration, isCA bool) (*x509.Certificate, error)

Deprecated: use CertificateTemplateFromCSRPEM instead.

func GenerateTemplateFromCSRPEMWithUsages deprecated added in v1.8.0 

func GenerateTemplateFromCSRPEMWithUsages(csrPEM []byte, duration time.Duration, isCA bool, keyUsage x509.KeyUsage, extKeyUsage []x509.ExtKeyUsage) (*x509.Certificate, error)

Deprecated: use CertificateTemplateFromCSRPEM instead.

func GenerateTemplateFromCertificateRequest deprecated added in v1.8.0 

func GenerateTemplateFromCertificateRequest(cr *v1.CertificateRequest) (*x509.Certificate, error)

Deprecated: use CertificateTemplateFromCertificateRequest instead.

func GenerateTemplateFromCertificateSigningRequest deprecated added in v1.8.0 

func GenerateTemplateFromCertificateSigningRequest(csr *certificatesv1.CertificateSigningRequest) (*x509.Certificate, error)

Deprecated: use CertificateTemplateFromCertificateSigningRequest instead.

func IPAddressesForCertificate added in v0.7.0 

func IPAddressesForCertificate(crt *v1.Certificate) []net.IP

func IPAddressesToString added in v0.7.0 

func IPAddressesToString(ipAddresses []net.IP) []string

IPAddressesToString converts a slice of IP addresses to strings, which can be useful for printing a list of addresses but MUST NOT be used for comparing two slices of IP addresses.

func KeyUsagesForCertificateOrCertificateRequest added in v1.12.0 

func KeyUsagesForCertificateOrCertificateRequest(usages []v1.KeyUsage, isCA bool) (ku x509.KeyUsage, eku []x509.ExtKeyUsage, err error)

func MarshalBasicConstraints added in v1.12.0 

func MarshalBasicConstraints(isCA bool, maxPathLen *int) (pkix.Extension, error)

Adapted from x509.go

func MarshalExtKeyUsage added in v1.12.0 

func MarshalExtKeyUsage(extUsages []x509.ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier) (pkix.Extension, error)

Adapted from x509.go

func MarshalKeyUsage added in v1.12.0 

func MarshalKeyUsage(usage x509.KeyUsage) (pkix.Extension, error)

Adapted from x509.go

func MarshalRDNSequenceToRawDERBytes added in v1.12.0 

func MarshalRDNSequenceToRawDERBytes(rdnSequence pkix.RDNSequence) ([]byte, error)

func OIDFromExtKeyUsage added in v1.8.0 

func OIDFromExtKeyUsage(eku x509.ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool)

OIDFromExtKeyUsage returns the ASN1 Identifier for a x509.ExtKeyUsage

func OrganizationForCertificate 

func OrganizationForCertificate(crt *v1.Certificate) []string

OrganizationForCertificate will return the Organization to set for the Certificate resource. If an Organization is not specifically set, a default will be used.

func ParseSubjectStringToRawDERBytes added in v1.12.0 

func ParseSubjectStringToRawDERBytes(subject string) ([]byte, error)

func PrivateKeyMatchesSpec added in v1.12.0 

func PrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec) ([]string, error)

PrivateKeyMatchesSpec returns an error if the private key bit size doesn't match the provided spec. RSA, Ed25519 and ECDSA are supported. If any error is returned, a list of violations will also be returned.

func PublicKeyForPrivateKey 

func PublicKeyForPrivateKey(pk crypto.PrivateKey) (crypto.PublicKey, error)

PublicKeyForPrivateKey will return the crypto.PublicKey for the given crypto.PrivateKey. It only supports RSA and ECDSA keys.

func PublicKeyMatchesCSR 

func PublicKeyMatchesCSR(check crypto.PublicKey, csr *x509.CertificateRequest) (bool, error)

PublicKeyMatchesCSR can be used to verify the given public key matches the public key in the given x509.CertificateRequest. Returns false and no error if the given public key is *not* the same as the CSR's key Returns true and no error if the given public key *is* the same as the CSR's key Returns an error if the CSR's key type cannot be determined (i.e. non RSA/ECDSA keys)

func PublicKeyMatchesCertificate 

func PublicKeyMatchesCertificate(check crypto.PublicKey, crt *x509.Certificate) (bool, error)

PublicKeyMatchesCertificate checks whether the given public key matches the public key in the given x509.Certificate. Returns false and no error if the public key is *not* the same as the certificate's key Returns true and no error if the public key *is* the same as the certificate's key Returns an error if the certificate's key type cannot be determined (i.e. non RSA/ECDSA keys)

func PublicKeysEqual added in v1.8.0 

func PublicKeysEqual(a, b crypto.PublicKey) (bool, error)

PublicKeysEqual compares two given public keys for equality. The definition of "equality" depends on the type of the public keys. Returns true if the keys are the same, false if they differ or an error if the key type of `a` cannot be determined.

func RenewalTime added in v1.12.0 

func RenewalTime(notBefore, notAfter time.Time, renewBeforeOverride *metav1.Duration) *metav1.Time

RenewalTime calculates renewal time for a certificate. Default renewal time is 2/3 through certificate's lifetime. If user has configured spec.renewBefore, renewal time will be renewBefore period before expiry (unless that is after the expiry).

func RequestMatchesSpec added in v1.12.0 

func RequestMatchesSpec(req *cmapi.CertificateRequest, spec cmapi.CertificateSpec) ([]string, error)

RequestMatchesSpec compares a CertificateRequest with a CertificateSpec and returns a list of field names on the Certificate that do not match their counterpart fields on the CertificateRequest. If decoding the x509 certificate request fails, an error will be returned.

func SecretDataAltNamesMatchSpec added in v1.12.0 

func SecretDataAltNamesMatchSpec(secret *corev1.Secret, spec cmapi.CertificateSpec) ([]string, error)

SecretDataAltNamesMatchSpec will compare a Secret resource containing certificate data to a CertificateSpec and return a list of 'violations' for any fields that do not match their counterparts. This is a purposely less comprehensive check than RequestMatchesSpec as some issuers override/force certain fields.

func SignCertificate 

func SignCertificate(template *x509.Certificate, issuerCert *x509.Certificate, publicKey crypto.PublicKey, signerKey interface{}) ([]byte, *x509.Certificate, error)

SignCertificate returns a signed *x509.Certificate given a template *x509.Certificate crt and an issuer. publicKey is the public key of the signee, and signerKey is the private key of the signer. It returns a PEM encoded copy of the Certificate as well as a *x509.Certificate which can be used for reading the encoded values.

func SignatureAlgorithm 

func SignatureAlgorithm(crt *v1.Certificate) (x509.PublicKeyAlgorithm, x509.SignatureAlgorithm, error)

SignatureAlgorithm will determine the appropriate signature algorithm for the given certificate. Adapted from https://github.com/cloudflare/cfssl/blob/master/csr/csr.go#L102

func SubjectForCertificate added in v1.8.0 

func SubjectForCertificate(crt *v1.Certificate) v1.X509Subject

SubjectForCertificate will return the Subject from the Certificate resource or an empty one if it is not set

func URIsForCertificate added in v1.8.0 

func URIsForCertificate(crt *v1.Certificate) ([]*url.URL, error)

func URLsFromStrings added in v1.8.0 

func URLsFromStrings(urlStrs []string) ([]*url.URL, error)

func URLsToString added in v1.8.0 

func URLsToString(uris []*url.URL) []string

func UnmarshalBasicConstraints added in v1.13.0 

func UnmarshalBasicConstraints(value []byte) (isCA bool, maxPathLen *int, err error)

Adapted from x509.go

func UnmarshalExtKeyUsage added in v1.13.0 

func UnmarshalExtKeyUsage(value []byte) (extUsages []x509.ExtKeyUsage, unknownUsages []asn1.ObjectIdentifier, err error)

func UnmarshalKeyUsage added in v1.13.0 

func UnmarshalKeyUsage(value []byte) (usage x509.KeyUsage, err error)

func UnmarshalRawDerBytesToRDNSequence added in v1.12.0 

func UnmarshalRawDerBytesToRDNSequence(der []byte) (rdnSequence pkix.RDNSequence, err error)

func UnmarshalSubjectStringToRDNSequence added in v1.12.0 

func UnmarshalSubjectStringToRDNSequence(subject string) (pkix.RDNSequence, error)

Types

type CertificateTemplateValidatorMutator added in v1.13.0 

type CertificateTemplateValidatorMutator func(*x509.CertificateRequest, *x509.Certificate) error

func CertificateTemplateOverrideDuration added in v1.13.0 

func CertificateTemplateOverrideDuration(duration time.Duration) CertificateTemplateValidatorMutator

CertificateTemplateOverrideDuration returns a CertificateTemplateValidatorMutator that overrides the certificate duration.

func CertificateTemplateValidateAndOverrideBasicConstraints added in v1.13.0 

func CertificateTemplateValidateAndOverrideBasicConstraints(isCA bool, maxPathLen *int) CertificateTemplateValidatorMutator

CertificateTemplateValidateAndOverrideBasicConstraints returns a CertificateTemplateValidatorMutator that overrides the certificate basic constraints.

func CertificateTemplateValidateAndOverrideKeyUsages added in v1.13.0 

func CertificateTemplateValidateAndOverrideKeyUsages(keyUsage x509.KeyUsage, extKeyUsage []x509.ExtKeyUsage) CertificateTemplateValidatorMutator

CertificateTemplateValidateAndOverrideKeyUsages returns a CertificateTemplateValidatorMutator that overrides the certificate key usages.

type GenerateCSROption added in v1.13.0 

type GenerateCSROption func(*generateCSROptions)

func WithEncodeBasicConstraintsInRequest added in v1.13.0 

func WithEncodeBasicConstraintsInRequest(encode bool) GenerateCSROption

WithEncodeBasicConstraintsInRequest determines whether the BasicConstraints extension should be encoded in the CSR. NOTE: this is a temporary option that will be removed in a future release.

func WithUseLiteralSubject added in v1.13.0 

func WithUseLiteralSubject(useLiteralSubject bool) GenerateCSROption

type PEMBundle added in v1.8.0 

type PEMBundle struct {
	CAPEM    []byte
	ChainPEM []byte
}

PEMBundle includes the PEM encoded X.509 certificate chain and CA. CAPEM contains either 1 CA certificate, or is empty if only a single certificate exists in the chain.

func ParseSingleCertificateChain added in v1.8.0 

func ParseSingleCertificateChain(certs []*x509.Certificate) (PEMBundle, error)

ParseSingleCertificateChain returns the PEM-encoded chain of certificates as well as the PEM-encoded CA certificate.

The CA (CAPEM) may not be a true root, but the highest intermediate certificate. The certificate is chosen as follows:

  • If the chain has a self-signed root, the root certificate.
  • If the chain has no self-signed root and has > 1 certificates, the highest certificate in the chain.
  • If the chain has no self-signed root and has == 1 certificate, nil.

The certificate chain (ChainPEM) starts with the leaf certificate and ends with the highest certificate in the chain which is not self-signed. Self-signed certificates are not included in the chain because we are certain they are known and trusted by the client already.

This function removes duplicate certificate entries as well as comments and unnecessary white space.

An error is returned if the passed bundle is not a valid single chain, the bundle is malformed, or the chain is broken.

func ParseSingleCertificateChainPEM added in v1.8.0 

func ParseSingleCertificateChainPEM(pembundle []byte) (PEMBundle, error)

ParseSingleCertificateChainPEM decodes a PEM encoded certificate chain before calling ParseSingleCertificateChainPEM

func SignCSRTemplate added in v1.8.0 

func SignCSRTemplate(caCerts []*x509.Certificate, caKey crypto.Signer, template *x509.Certificate) (PEMBundle, error)

SignCSRTemplate signs a certificate template usually based upon a CSR. This function expects all fields to be present in the certificate template, including it's public key. It returns the PEM bundle containing certificate data and the CA data, encoded in PEM format.

type RenewalTimeFunc added in v1.12.0 

type RenewalTimeFunc func(time.Time, time.Time, *metav1.Duration) *metav1.Time

RenewalTimeFunc is a custom function type for calculating renewal time of a certificate.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.