rootcerts

package

v1.0.5009-c19e16a Latest Latest Go to latest Published: Nov 26, 2022 License: MIT Imports: 9 Imported by: 2

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/circleci/ex

Documentation ¶

Overview ¶

Package rootcerts exists to support creating Docker images `FROM scratch`.

For a Go binary to be able to run in a `FROM scratch` image, it needs a few things: 1. It must be compiled with `CGO_ENABLED=0`. 2. It must have access to timezone data (if it handles time data). 3. It must have access to a CA trust store.

The first two are easy, and natively supported by the Go runtime, but third is not.

This package provides a vendored set of root certificates downloaded from Mozilla, embedded into Go source files. CI will check if this list is up-to-date, and fail the lint job if it is not.

For most use-cases, calling rootcerts.UpdateDefaultTransport will be all you need to do from consuming code (e.g. using Go's HTTP client).

Some systems (like the Go AWS SDK) require passing the results of rootcerts.DERReader to setup the trust store there.

Index ¶

func DERReader() (io.Reader, error)
func ServerCertPool() *x509.CertPool
func UpdateDefaultTransport() error
type Cert
- func Certs() []Cert
- func CertsByTrust(t TrustLevel) (result []Cert)
- func (c *Cert) X509Cert() *x509.Certificate
type TrustLevel

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func DERReader ¶

func DERReader() (io.Reader, error)

func ServerCertPool ¶

func ServerCertPool() *x509.CertPool

ServerCertPool returns a pool containing all root CA certificates that are trusted for issuing server certificates.

func UpdateDefaultTransport ¶

func UpdateDefaultTransport() error

UpdateDefaultTransport updates the configuration for http.DefaultTransport to use the root CA certificates defined here when used as an HTTP client.

It will return an error if the DefaultTransport is not actually an *http.Transport.

Types ¶

type Cert ¶

type Cert struct {
	Label  string
	Serial string
	Trust  TrustLevel
	DER    []byte
}

A Cert defines a single unparsed certificate.

func Certs ¶

func Certs() []Cert

Certs returns all trusted certificates extracted from certdata.txt.

func CertsByTrust ¶

func CertsByTrust(t TrustLevel) (result []Cert)

CertsByTrust returns only those certificates that match all bits of the specified TrustLevel.

func (*Cert) X509Cert ¶

func (c *Cert) X509Cert() *x509.Certificate

X509Cert parses the certificate into a *x509.Certificate.

type TrustLevel ¶

type TrustLevel int

TrustLevel defines for which purposes the certificate is trusted to issue certificates (ie. to act as a CA)

const (
	ServerTrustedDelegator TrustLevel = 1 << iota // Trusted for issuing server certificates
	EmailTrustedDelegator                         // Trusted for issuing email certificates
	CodeTrustedDelegator                          // Trusted for issuing code signing certificates
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL