Documentation
Overview
Package pem provides utility functions for safely decoding PEM data, placing upper limits on the size of data that will be processed. It functions as an extension to the standard library "encoding/pem" functions.
Index
- Variables
- func SafeDecodeCSR(b []byte) (*stdpem.Block, []byte, error)
- func SafeDecodeMultipleCertificates(b []byte) (*stdpem.Block, []byte, error)
- func SafeDecodePrivateKey(b []byte) (*stdpem.Block, []byte, error)
- func SafeDecodeSingleCertificate(b []byte) (*stdpem.Block, []byte, error)
- type ErrPEMDataTooLarge
Constants
This section is empty.
Variables
var (
	// ErrNoPEMData is returned when the given data contained no PEM
	ErrNoPEMData = errors.New("no PEM data was found in given input")
)
Functions
func SafeDecodeCSR
SafeDecodeCSR calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a single PEM-encoded PKCS#10 CSR to be. We assume that a PKCS#10 CSR is smaller than a single certificate, because our size assumption for a certificate is a large public key and a large signature, which is roughly what a CSR contains as well. We also assume that we'd only ever decode one CSR, which is the case in practice.
func SafeDecodeMultipleCertificates
SafeDecodeMultipleCertificates calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a reasonable-length PEM-encoded X.509 certificate chain to be. The baseline is several 16k-bit RSA certificates, all signed by 16k-bit RSA keys, which is larger than the maximum supported by cert-manager for key generation. The maximum number of chains supported by this function is not reflective of the maximum chain length supported by cert-manager; a larger chain of smaller certificates should be supported.
func SafeDecodePrivateKey
SafeDecodePrivateKey calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a private key to be. The baseline is a 16k-bit RSA private key, which is larger than the maximum supported by cert-manager for key generation.
func SafeDecodeSingleCertificate
SafeDecodeSingleCertificate calls encoding/pem.Decode on the given input as long as it's within a sensible range for how large we expect a single PEM-encoded X.509 certificate to be. The baseline is a 16k-bit RSA certificate signed by a different 16k-bit RSA CA, which is larger than the maximum supported by cert-manager for key generation.
Types
type ErrPEMDataTooLarge
type ErrPEMDataTooLarge int
ErrPEMDataTooLarge is returned when the given data is larger than the maximum allowed.
func (ErrPEMDataTooLarge) Error
func (e ErrPEMDataTooLarge) Error() string
Error returns an error string.
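The size-capped decoding pattern that the functions and error type above describe, written as an added standalone example against the standard library only; it is not this package's code. The names boundedDecode, countBlocks, errNoPEMData and errPEMDataTooLarge are hypothetical, and maxPEMSize is an assumed value, not one of the package's limits.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
)

const maxPEMSize = 16 * 1024 // assumed cap for this example, not the package's limit

var errNoPEMData = errors.New("no PEM data was found in given input")

type errPEMDataTooLarge int // hypothetical; carries the limit that was exceeded

func (e errPEMDataTooLarge) Error() string {
	return fmt.Sprintf("PEM input exceeds %d bytes", int(e))
}

// boundedDecode refuses oversized input before pem.Decode scans it.
func boundedDecode(b []byte, max int) (*pem.Block, []byte, error) {
	if len(b) > max {
		return nil, b, errPEMDataTooLarge(max)
	}
	block, rest := pem.Decode(b)
	if block == nil {
		return nil, rest, errNoPEMData
	}
	return block, rest, nil
}

// countBlocks walks a bundle; the first call bounds the whole input.
func countBlocks(b []byte, max int) (int, error) {
	for n := 0; ; n++ {
		_, rest, err := boundedDecode(b, max)
		if n > 0 && errors.Is(err, errNoPEMData) {
			return n, nil // remainder holds no further PEM block
		}
		if err != nil {
			return n, err
		}
		b = rest
	}
}

func main() {
	// Constructed sample: arbitrary bytes in a CERTIFICATE block, not a real certificate.
	one := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed")})
	fmt.Println(countBlocks(append(one, one...), maxPEMSize))
	fmt.Println(countBlocks(make([]byte, maxPEMSize+1), maxPEMSize))
}
```

Callers can branch on the failure kind with errors.As for the size error and errors.Is for the no-data error, which keeps an oversized upload distinguishable from a malformed one in logs.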