rootcerts

package
v1.0.13575-ba45679
Published: Jan 14, 2025 License: MIT Imports: 11 Imported by: 2

Documentation

Overview

Package rootcerts exists to support creating Docker images `FROM scratch`.

For a Go binary to be able to run in a `FROM scratch` image, it needs a few things:

1. It must be compiled with `CGO_ENABLED=0`, so that it is statically linked and does not need a libc in the image.
2. It must have access to timezone data (if it handles time data).
3. It must have access to a CA trust store.

The first two are easy and natively supported by the Go toolchain (`CGO_ENABLED=0` and `import _ "time/tzdata"`), but the third is not: crypto/x509 loads the system trust store from well-known filesystem paths (or the ones named by `SSL_CERT_FILE` / `SSL_CERT_DIR`), and a `FROM scratch` image contains none of them, so every TLS connection fails with an unknown-authority error.

This package provides a vendored set of root certificates taken from Mozilla's certdata.txt (the NSS root store), embedded into Go source files so that they ship inside the binary. CI checks whether the embedded list matches the current upstream list and fails the lint job if it does not.

For most use cases, calling rootcerts.UpdateDefaultTransport from the consuming code is all that is needed, since Go's HTTP client uses http.DefaultTransport unless it is given its own Transport. An http.Client that carries its own Transport is not affected and needs rootcerts.ServerCertPool wired into its tls.Config instead.

Some systems (such as the Go AWS SDK's custom CA bundle option) take the trust store as an io.Reader rather than an *x509.CertPool; for those, pass the result of rootcerts.DERReader to set up the trust store there.
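What UpdateDefaultTransport and AddPEM have to do under the hood, as an added example that is not the package's own code: build an x509.CertPool from PEM-encoded roots while rejecting anything that is not a certificate, install the pool as the RootCAs of http.DefaultTransport with the same *http.Transport type assertion the package documents, and verify a leaf against it. The self-signed root and the leaf for "example.internal" are constructed in memory for the example (in the package the roots would come from the embedded Mozilla list); the names poolFromPEM, installRootCAs, check and newTestCA are this example's own, not the package's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// poolFromPEM adds every CERTIFICATE block in bundle to pool and rejects any
// other block type (a PRIVATE KEY, say), the restriction documented for AddPEM.
func poolFromPEM(pool *x509.CertPool, bundle []byte) (int, error) {
	added := 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return added, fmt.Errorf("refusing PEM block of type %q: certificates only", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return added, fmt.Errorf("parse certificate: %w", err)
		}
		pool.AddCert(cert)
		added++
	}
	if added == 0 {
		return 0, fmt.Errorf("no CERTIFICATE block found in input")
	}
	return added, nil
}

// installRootCAs points http.DefaultTransport at pool and, like the package's
// UpdateDefaultTransport, fails if DefaultTransport is no longer an *http.Transport.
func installRootCAs(pool *x509.CertPool) error {
	t, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		return fmt.Errorf("http.DefaultTransport is %T, not *http.Transport", http.DefaultTransport)
	}
	if t.TLSClientConfig == nil {
		t.TLSClientConfig = &tls.Config{}
	}
	t.TLSClientConfig.RootCAs = pool
	return nil
}

// check panics on error; fine here because it only guards constructed test data.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newTestCA constructs a throwaway self-signed root (returned as PEM) and a leaf
// it issued for "example.internal". Constructed test data for this example only.
func newTestCA() (caPEM []byte, leaf *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.internal"},
		DNSNames:  []string{"example.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err = x509.ParseCertificate(leafDER)
	check(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}

func main() {
	caPEM, leaf := newTestCA()
	pool := x509.NewCertPool()
	_, err := poolFromPEM(pool, caPEM)
	check(err)
	check(installRootCAs(pool))
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "example.internal"})
	fmt.Println("leaf chains to the installed root:", err == nil)
}
```

Two points worth keeping in mind when using the package the same way: installRootCAs, like UpdateDefaultTransport, mutates the process-global http.DefaultTransport, so a library that has already swapped DefaultTransport for a wrapping RoundTripper makes the type assertion fail and the error must not be ignored; and the empty-pool case in the verification above is exactly what a `FROM scratch` image looks like without an embedded trust store.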

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddBase64PEM

func AddBase64PEM(base64PemCert []byte) error

AddBase64PEM adds the supplied base64-encoded PEM certificate to the set of certs used by rootcerts. This is useful when an individual CA (for example a private or corporate root) needs to be added to the trust chain.

AddBase64PEM only supports certificates; it does not accept private keys.

func AddPEM

func AddPEM(pemCert []byte) error

AddPEM adds the supplied PEM-formatted certificate to the set of certs used by rootcerts. This is useful when an individual CA (for example a private or corporate root) needs to be added to the trust chain.

AddPEM only supports certificates; it does not accept private keys.

func DERReader

func DERReader() (io.Reader, error)

func ServerCertPool

func ServerCertPool() *x509.CertPool

ServerCertPool returns a pool containing all root CA certificates that are trusted for issuing server certificates.

func UpdateDefaultTransport

func UpdateDefaultTransport() error

UpdateDefaultTransport updates the configuration of http.DefaultTransport so that it uses the root CA certificates defined here when used as an HTTP client.

It returns an error if http.DefaultTransport is not actually an *http.Transport (for example because another library has replaced it with a wrapping RoundTripper); callers should check this error rather than assume the trust store was installed.

Types

type Cert

type Cert struct {
	Label  string
	Serial string
	Trust  TrustLevel
	DER    []byte
}

A Cert defines a single unparsed certificate.

func Certs

func Certs() []Cert

Certs returns all trusted certificates extracted from certdata.txt.

func CertsByTrust

func CertsByTrust(t TrustLevel) (result []Cert)

CertsByTrust returns only those certificates that match all bits of the specified TrustLevel.

func (*Cert) X509Cert

func (c *Cert) X509Cert() *x509.Certificate

X509Cert parses the certificate into a *x509.Certificate.

type TrustLevel

type TrustLevel int

TrustLevel defines for which purposes the certificate is trusted to issue certificates (i.e. to act as a CA). Its values are bit flags and can be combined.

const (
	ServerTrustedDelegator TrustLevel = 1 << iota // Trusted for issuing server certificates
	EmailTrustedDelegator                         // Trusted for issuing email certificates
	CodeTrustedDelegator                          // Trusted for issuing code signing certificates
)
